The 36th annual Chaos Communication Congress (36c3) is currently underway in Leipzig, Germany, and following last year's PS4 Video Apps (All FW) Exploitation lecture, the Sony PlayStation discussion topic of #36c3 is Hacking PS4 / PS3 Blu-ray Drives, given by @Octopus (aka oct0xor on Twitter) at 4:10 PM Eastern Time in the Saal Borg Lecture Hall (36c3 Live Streaming).
Other event coverage options include live streams (36c3 Streaming, Direct A/V Stream Feeds), ReLive Recordings, a Recording Full Playlist archive as part of their 36c3 Resource Exhaustion coverage, and the YouTube Channel, where recordings are uploaded after the live events.
Download: Hacking Sony PlayStation Blu-ray Drives.pdf (7.13 MB)
For those who missed our previous articles, feel free to check out the initial announcement of this year's PlayStation 36c3 event alongside the Oct0xor 36c3 Talk Details article on what will be discussed during his presentation.
We'll update this article throughout the event as new media, including YouTube video embeds and related slide shows, become available... and if anyone has further details on the PS4 application (NPXS24001) source code that surfaced a while back, feel free to share!
Hacking Sony PlayStation Blu-ray Drives Relive Stream & Oct0xor Slides
Download: all dumps.7z (9.45 MB - in case anyone is interested in using the xor trick on PS3 BD drive dumps; it also comes with the emboot plaintext firmware of some models)
36C3 - Hacking Sony PlayStation Blu-ray Drives
PS4 Blu-ray Optical Drive Chip Swap Re-marry by NorthRidgeFix.com
oct0xor himself was regarding PS3 Sony drives having the xorstream trick to be able to send a crafted payload and run our own code. It baffled me how this was possible when it was not so on the Renesas drives, which had a similar crypto xorstream CTR bug. Well, now I know the answer for such a thing.
It seems that Sony did not protect their own emboot code by leaving some sort of signature back then (ECDSA was very famous and was secure, of course if properly implemented). Renesas however did this by leaving an R,S pair at the bottom of the emboot firmware to protect against tampering.
As a result, you can happily craft payloads if you possess an old drive (say, of a CECHA, for example, model 302R), apply the xor stream of emboot to it and run it when the Blu-ray drive is either bricked or in a state where it requires a firmware flash. This is however not the case for Renesas models (say 304R) where the R,S pair prevents you from doing so.
As such, the mystery of why the xorstream size is exactly 0x10000 bytes is finally solved (this is because both Sony and Renesas have an emboot of exactly 0x10000 bytes and both use AES-CTR to apply it in order to decrypt it).
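The comment above describes the core design lesson: AES-CTR turns a fixed key and nonce into a keystream that is simply XORed over the 0x10000-byte emboot image, so encryption alone gives no tamper protection, and only the signature trailer on the Renesas drives rejects a modified image. The constructed Python model below (added here; not code from the talk, the drives or the dumps) shows both halves of that argument. It stands in for the real parts with assumptions: a random keystream replaces the AES-CTR output, a keyed HMAC-SHA256 tag replaces the ECDSA (R,S) pair, and the emboot images are random bytes.

```python
"""Model of why an unsigned CTR-encrypted firmware image is malleable and why a
signature trailer closes that gap.  Every key, keystream and image here is
constructed with os.urandom; nothing is derived from real drive firmware."""
import hashlib
import hmac
import os

EMBOOT_SIZE = 0x10000  # both vendors' emboot is exactly 0x10000 bytes (per the comment)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (whole-integer XOR avoids a Python loop)."""
    assert len(a) == len(b), "xorstream and image must be the same length"
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """CTR mode computes C = P XOR KS, so one plaintext/ciphertext pair yields KS.
    This is the 'xorstream' the comment refers to; it is a property of CTR, not a
    flaw in AES itself."""
    return xor_bytes(plaintext, ciphertext)


def sign_image(image: bytes, key: bytes) -> bytes:
    """Stand-in for the vendor signature trailer (assumption: HMAC instead of ECDSA)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_image(image, key), tag)


def drive_accepts_modified_image(with_signature: bool) -> bool:
    """Simulate a drive that decrypts emboot with a fixed keystream and, optionally,
    verifies a signature trailer.  Returns True if a replaced image would run."""
    keystream = os.urandom(EMBOOT_SIZE)   # stands in for AES-CTR(key, fixed nonce)
    sig_key = os.urandom(32)              # held by the verifier, never by the modifier
    original = os.urandom(EMBOOT_SIZE)    # constructed "shipped" emboot plaintext
    shipped_cipher = xor_bytes(keystream, original)
    trailer = sign_image(original, sig_key)
    # Anyone holding both the plaintext dump and the ciphertext learns the keystream
    # and can wrap any image so that the drive decrypts it to exactly that image.
    ks = recover_keystream(original, shipped_cipher)
    replacement = os.urandom(EMBOOT_SIZE)
    decrypted = xor_bytes(keystream, xor_bytes(ks, replacement))  # what the drive sees
    if decrypted != replacement:
        return False
    if with_signature:
        # The old trailer covers the original image only; without sig_key no valid
        # trailer exists for the replacement, so the check fails.
        return verify_image(decrypted, trailer, sig_key)
    return True  # no integrity check at all: the replacement simply runs
```

The encryption-only path accepts the replacement; the signed path rejects it, which is exactly the difference the comment draws between the 302R and 304R drives.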
- Hacking microcontroller firmware through a USB (Protection scheme of DualShock 4)