PS3 re-secured with Firmware 3.60?

By Richard Leadbetter Published 10 March, 2011

Hacker says "epic fail" security holes now fixed.

A leading PlayStation 3 hacker says that today's firmware 3.60 update re-secures the system from hackers and by extension, should lock out piracy.

Youness Alaoui (hacker alias: KaKaRoToKS) knows what he's talking about. He developed PSFreedom - an open source Jailbreak alternative, and devised the PL3 payload for the USB dongles that attacked the PS3's security system on firmware 3.41 and lower.

According to his swift analysis of the new system update posted on his Twitter feed, Sony has come up with an ingenious method of side-stepping its existing security protocols:

"For now, it looks to me (at first glance) that the PS3 has been re-secured, but it doesn't mean it can't be broken again from scratch," he says, qualifying his findings by adding that he didn't spend more than a couple of minutes looking at the new update.

The PS3's existing security system is based on a "chain of trust" - different layers of the console are protected by individual levels of encryption, one opening up access to the next. This chain of trust was annihilated when Geohot revealed the "mtldr" key, the root decryption cipher that can unlock all of the others.

According to Alaoui's quick analysis, Sony simply doesn't use mtldr any more, opting for a new security system that could possibly require a completely new exploit to be uncovered - something hackers would be unlikely to take on bearing in mind the legal blitzkrieg Sony has unleashed in recent weeks.

"The epic fail was epic," Alaoui says. "It doesn't mean they can't come [up] with an epic save."

Picture of Richard.

About Richard Leadbetter

Rich has been a games journalist since the days of 16-bit and specialises in technical analysis. Commonly known around Eurogamer as the Blacksmith of the Future.

Read more articles from Richard by visiting the Richard Leadbetter archive page.

You may also like...

Comments (72) Latest comment 1 year ago

Comments for this article are now closed, but please feel free to continue chatting on the forum!

  • captain_Carl #1 1 year ago

    Gotta hand it to them, they've done a good job of patching the mess they made of security

  • randompanda #2 1 year ago

    Every time someone uses the term 'epic fail' a little bit of me wishes for a zombie apocalypse just to purge the human race a bit.

  • pantherjag #3 1 year ago

    well if this true then it makes the hackers who said that sony could do nothing about the exploit look pretty stupid..............i always suspected that sony could fix the hack in some sort off way , they do afterall know their system better than anyone else.

    No doubt over the next few days/weeks/months stories will crop up on how hackers have re-hacked the system but thats life. I dare say it wont be a simple process either which will shut out all but the more "hardcore" hackers out their.

    Regardless id like to applaud sony for the fightback, its been a tough few months but iv liked the way they have conducted the fight against hackers.
    Edited by pantherjag at 10/03/11 @ 08:49

  • Goodfella #4 1 year ago

    @randompanda

    That comment was epic win!

  • wizlon #5 1 year ago

    Now everyone be nice to the PS3 and not try to hack it!

  • weejok #6 1 year ago

    Yawn......so all the dramatic stories Eurogamer posted over the last few weeks turn out to be bullshit?? "PS3 security in tatters...no way to fix with firmware...need a complete hardware revision...."

  • DavidBoring #7 1 year ago

    hey internet gaming journalism, didnt you tell me that ps3's security was beyond repair?

  • jumpdeveraux #8 1 year ago

    I imagine there's only so much you can do in software once your general security architecture is holed (given the hardware/chipset is fixed).

    What Sony really need is to convincingly win the Geohot court case to make an example of him such that he's bankrupted and/or receives a prohibitive sentence to effectively deter (for as long as is possible) anyone else distributing tools that compromise the console until it's nearing the end of its lifecycle.

  • abdo #9 1 year ago

    "Epic fail" ?

    These hackers really are 14 year olds.

  • AbracadaverAK #10 1 year ago

    @randompanda I think of this and laugh to myself. Then I wish for a zombie apocalypse.

  • X201 #11 1 year ago

    Wish I could find the link for the following story.

    There was a US pay TV company who's decoder boxes had been hacked so that people could use counterfeit access cards. Over a period of months the company issued updates that made minor changes, each update also contained a small chunk of garbled text as padding, so that the update was always the same size. After a number of these updates, there was one final update that decoded all of the garbled text into executable code that re-secured the decoder. They also programmed it to show a message on screen when a counterfeit card was used - "The free show is over" :)

  • davisorle #12 1 year ago

    Post deleted at 15:13:14 09-05-2012

  • george1976 #13 1 year ago

    Do you guys really believe what this hacker said?

  • Murton #14 1 year ago

    I think all but the most stupid people knew that Sony would restore the security one way or another. Anyone who was following the hack story from way back in the beginning will remember that George Hotz described a multiple layered system, but the discovery of the key meant you no longer had to defeat all of those layers, you just walked straight in. It was beyond the imagination of most that Sony could fix it with something as simple as telling the console not to look at the keys anymore but rely on the other layers to verify the code.

    Or to bring in the first analogy (and the only one we'll need here) they changed the lock on the door.

  • womble #15 1 year ago

    epic fail = ending up in a lawsuit that will cost you hundreds of thousands of dollars, months or years of your time, great stress, and possibly a prison term

  • MonkeyMagik #16 1 year ago

    Surely they should have skipped v3.60 of the firmware, and it now looks as though the PS3 has finally improved to the level of the 360, hence the firmware as it is now the PS3 v3.60

    Only a bit of fun, but loads of website forums have picked up on this....

  • HL706 #17 1 year ago

    "Yawn......so all the dramatic stories Eurogamer posted over the last few weeks turn out to be bullshit?? "PS3 security in tatters...no way to fix with firmware...need a complete hardware revision...."

    So how are you qualifying that statement? That's right, you're using a Eurogamer article. Furthermore, you're using a comment from a hacker who admittedly spent "a couple of minutes" with the update. Well done.

  • Cronan #18 1 year ago

    Only time will reveal whether Sony have got it right this time. Speculation by those of us outside of "the scene" is worthless.

  • jablonski #19 1 year ago

    Great. Another update when I next turn my PS3 on.

    Went to download the Motorstorm demo last night.
    I couldn't, PSN down for maintenance.

    Remind me again why I have this big black box in the corner of my room.

  • deano2099 #20 1 year ago

    To be fair it was clear all that "system is blown wide open" talk was rubbish as we're now 6 weeks on from 3.56 and that still isn't even cracked yet (nor is there a working 3.55 downgrade). The only flaw with it is that if you're on the 3.55 CFW you can 'spoof' 3.56 and still get online.

  • ral_b #21 1 year ago

    I think sony should come up with a way of making cfw updates only available throuh playstation network, That way hackers have no way of downloading it and hacking it , this will force everyone who has a ps3 offline to be forced to connect their console online in order to obtain these updates and make your system up to date. Either you do that or you are forced to update whenever a new game disc with the latest firmware is up for play. Hope i am making sense here.....how else can hackers isolate a firmware update and hack it ,except throug downlading it from psn on their computers. Such a method will seriously force a lot of console owners to appreciate the need not to be kicked out of psn.
    Edited by ral_b at 10/03/11 @ 09:52

  • kirankara #22 1 year ago

    jablonski
    10/03/11 @ 09:38
    ignore poster | #19
    0
    "Great. Another update when I next turn my PS3 on.

    Went to download the Motorstorm demo last night.
    I couldn't, PSN down for maintenance.

    Remind me again why I have this big black box in the corner of my room."

    Tbf dude, maintenance happens on live too, so not like u getting away from it , unless u go pc gaming ( not pc gamer so can't verify this) , but surely even then if gme servers go down, and they do, there will be frustration there too.


  • drumbaby #23 1 year ago

    "Remind me again why I have this big black box in the corner of my room. "

    Does it sing when you touch its teeth?

  • winter #24 1 year ago

    @jablonski

    stop whining. do you pay for your PSN service? probably not i think.

    if it means that my PS3 is safe from idiots who think it's "fun" to ruin
    everyone else's online experience, then i'm more than happy to have
    an update every now and then.

  • bluetoothion #25 1 year ago

    regardless of the source i just hope its true.

    i ve grown tired of wankers claiming victories and using verbal fireworks of their illegal actions.
    there may be a key for every lock but not every door should be opened by anyone right?

  • ZizouFC #26 1 year ago

    I never doubted for a minute that Sony knew their system better than the hackers did. All the calls for Geocock getting a job at Sony were laughable. They clearly have people just as (if not more) talented than him working for them already.... people who aren't smug wannabe rappers.

  • morriss #27 1 year ago

    Shame. Sony just lost itself a sale. :(

  • irve77 #28 1 year ago

    Now if only sony could come up with a solution that said .. ok we've secured the system so that it's 100% secure against playing pirate games ... but we're unable to prevent the running of Linux.

    do that and it's game set and match.

    Any further hacking work is clearly just for piracy and therefore the whole of the gaming comunity will back sony in further legal battles
    And people get to use their PS3's and fully fuctioning media centres in their living room

    win F'ing Win !

  • Notorious_LRO #29 1 year ago

    "What Sony really need is to convincingly win the Geohot court case to make an example of him such that he's bankrupted and/or receives a prohibitive sentence to effectively deter (for as long as is possible) anyone else distributing tools that compromise the console until it's nearing the end of its lifecycle. "

    You are just so uncool. Bankrupt? WTF.

  • drxym #30 1 year ago

    Even if this were cracked again I expect Sony have a plan B which is additional checks around PSN and elsewhere which would limit the attraction of modding a box when it would deny access to patches, trophies, multiplayer etc. It's also likely Sony have plans to bloat out game sizes on disks to make P2P downloads enormous.

    Further along they could even implement anti-hacking checks within games themselves so that games require a PSN signon and implement various surreptitious checks that cripple the game or make it fail in non-obvious ways on modded firmware.

  • deano2099 #31 1 year ago

    @ral_b

    Problem is, a large percentage of PS3 users aren't online. So you need to put the updates on the game discs too. And once you do that, they're accessible.

  • Bonders99 #32 1 year ago

    "Shame. Sony just lost itself a sale. :( "

    ..and it's such a shame we have lost another tosser to deal with on PSN.

  • Lemming81 #33 1 year ago

    "Every time someone uses the term 'epic fail' a little bit of me wishes for a zombie apocalypse just to purge the human race a bit."

    The irony is that every time someone mentions zombies/ninjas/pirates I feel the same way! ;-)
    Edited by Lemming81 at 10/03/11 @ 13:46

  • mingster #34 1 year ago

    Well i've got linux running on mine. And emulators and i can spoof it to go on PSN so i have no need to upgrade to 3.60.
    I will just stay on 3.55 and carry on using it however i want. Never even accepted the PSN new TOC and can still access it.

  • 3william56 #35 1 year ago

    I hope it's true, although this screams "PLEEAAAASSSEEE DON'T SUE MEEEEEE" more than a considered analysis.

  • oupe #36 1 year ago

    3.60 Version Spoofer V1.1 is out and it allows psn access. If you install this you don't need to install the PS3ita CFW. It works online even now, here is a quote from the source: ***** THIS ALLOWS PSN ACCESS ***** USE AT YOUR OWN RISK ***** ***** FOR [...]

    @randompanda: FAIL

  • Darren #37 1 year ago

    I wonder how long it will be before we get firmware 3.61... you know... to fix whatever it is Sony managed to break with this one? ;)

  • blarty #38 1 year ago

    @ #12 - Yes Sony could have just kept quiet whilst all the hackers were celebrating, however, I do think that legal recourse would have been taken against the likes of George Hotz, sooner or later if not by Sony, by someone else. Irrespective of the it's my hardware argument, there is still the issue over, the potential to affect other users outside your hardware.

    But the key thing is, the hackers believe in opening closed systems, which I think is all well and good, but they know full well what the repercussions are, and where the majority of the use of their tools and utilities will be. To claim that the internet means they cannot be stopped doesn't help them, and for them to believe they can act with impunity and that their stand is beyond reproach is frankly naive, particularly in the US where litigation can be dropped on someone in the blink of an eye for trivial things.

    If the hackers had found a way to completely replace the PS3 OS, rather than augment it with unauthorised code, then I doubt this case would have any merit and I doubt that Sony would've even bothered about it.

    They really should've known that someone would have come after them sooner or later, and be dragging around a cackle of lawyers behind them, when they did so.

  • Murton #39 1 year ago

    @drxym - or alternatively go back to increasing functionality through firmware updates, they've used the stick and gotten things under control, best thing to do now is to offer carrots to keep everyone on the straight and narrow.

    The official forums suggestions list has loads of great ideas for new features, now would be a great time to start implementing some of them.

  • man.the.king #40 1 year ago

    @randompanda

    "Every time someone uses the term 'epic fail' a little bit of me wishes for a zombie apocalypse just to purge the human race a bit."

    As long as I stay alive, that's fine with me ;)

  • weebl #41 1 year ago

    People above complain about themselves taking news at face value and it being contradicted, yet they read this and believe it to be completely accurate? I'm as against this as anyone else but one person saying they've fixed the problem doesn't mean that it will all be roses from now on.

  • edhe #42 1 year ago

    Doesn't matter if LG wins :D

  • Bealsy #43 1 year ago

    so putting 360 on the PS3 fixed it?

    edit - sorry 3.60. Arf.

  • 32768Colours #44 1 year ago

    I love how this hacker considers the PS3's security breach an "epic fail". Sure, it would've been egg-on-face time for Sony had they blown the PS3 wide open within 6 months.

    However, the hacking community has spent years of what now appears to be entirely wasted effort, doing little more than incur the wrath of an enormous litigation-hungry corporation.

    If such puerile phrases as "epic fail" must be used at all, they are far more suitably aimed in the direction of the hackers who could've spent all their wasted time and energy actually enjoying consoles for their intended purpose.

    Good on you Sony!

  • randompanda #45 1 year ago

    Lemming81 - Don't make me wish a zombie pirate ninja apocalypse on your ass ;)

  • azix2 #46 1 year ago

    there is already a 3.60 spoof that lets you on PSN I think. Anyway, with this I don't feel like getting a new PS3. bah. I hope the NGP is hacked so I am OK buying it

  • Lucodeath #47 1 year ago

    Im updating now, taking ages it is an I hope it doesnt brick at the end but you never know with sony.

    It worked
    Edited by Lucodeath at 10/03/11 @ 20:42

  • Denny #48 1 year ago

    How big is this patch?
    I'm just trying to work out whether to leave this until after midnight when my unlimited download limit kicks in.

  • kirankara #49 1 year ago

    @Denny it's not too big, it's about 170 mb, but seemed to be slow download for some reason for me.
    Dunno why

  • kirankara #50 1 year ago

    Quick question for u tech heads, basically to sum up, how will this patch affect hacking in games like mw2???
    Are people who use 3.55 and spoofer still able to go on mw2 and use hacks like previously??
    Does this basically only really affect new consoles and those who update by choice??
    Sorry for being thick lol

  • IneptPercy #51 1 year ago

    It would seem this is much like jtagging a 360, once updated so far you can't do it, but those of us of stuck our foot in the door still have an open console and can update to more recent dashes etc while remaining open.

    So I guess the already open consoles won't update and find a way round it and stay open, by all means this stops it going mass market as such.

    Edit:
    Seriously who marked me down, thought it was a decent point.
    Edited by IneptPercy at 11/03/11 @ 01:02

  • rykars #52 1 year ago

    Adjective noun is adjective is the goddamn plague, the Internet used to know when to let stuff go but I guess it's turned into a shithole of festering memes now.

  • kirankara #53 1 year ago

    @inept,

    so hacker fest still going to be going down in mw2 etc I'm guessing then.??

  • IneptPercy #54 1 year ago

    I would guess so, not into the PS3 modding business myself but in short I guess those who have opened the console up will keep it open and just use different spoofs and hacks to keep them working.

    I don't see the point in cheating on games online, where is the fun?

  • orangpelupa #55 1 year ago

    @kiranka

    in i understandcorrect the way the mw2 hack work, this OFW update wont fix it.

    the MW2 hack already done <strong>before</strong> the advent of CFW

  • kirankara #56 1 year ago

    Thanks for clarification. Gotta agree, it is most pointless thing I can think of, going into a competitive event that is based upon having more skill than the other person, and then using a cheat to beat them which requires no skill at all.
    May as well not play the game.

  • womble #57 1 year ago

    "Shame. Sony just lost itself a sale. :("

    Given Sony's near-negligible profitability per unit sale, I doubt they'll be crying in their sleep.

    Developers, however, will be happier. And since they're the people who provide us with our games...

  • mgillespie #58 1 year ago

    Jez, pirates/hackers really piss me off.

    Epic Fail is not security that took 4+ years to break. (PS3)
    Epic Fail IS 3DS security that was broken withing minutes of release.

    Get some fucking perspective.

  • Phredreeke #59 1 year ago

    It's epic fail because of the severity of the bugs involved. Sony compromised their private key which is just about the worst thing you could possibly do from a security standpoint.

  • gandhimaster #60 1 year ago

    so, the new FW cant be hacked BUT if you already have a hacked machine you're fine if you dont update?

    how is that anything useful to Sony? people who have already hacked wont ever update anyways?

  • NotSoSlim #61 1 year ago

    @gandhimaster

    Its useful for on reason, currently you buy a console new it starts at 3.30 firmware, i guaranteed that any new console start with minimum 3.56

    Also games now are needing 3.56 watch that change also. Sony dont game about the people who have chosen not to update its the potential new buyers who they care about

  • TopKatt #62 1 year ago

    Am I rght in thinking that you can't go online unless you update?

  • Moxyz1 #63 1 year ago

    Sony should make an example of these hackers to put off people from stealing games, as it is you can risk it and get free games etc and not have to worry about getting caught, if it was clear that you would be severely penalised if you was caught hacking it would put people off doing it. You can go out and take things for free in shops but we dont (most of us) because besides being morally wrong we know we would be prosecuted and get a criminal record etc so it doesnt seem worth it.. We can BUT we dont. They need to send a big message out to hackers of clearly what the Severe consequences are and most of them just wont bother.

  • Moxyz1 #64 1 year ago

    Developers of PS3 games should put the system update on all future game discs and if you dont accept it then the game will not play. Problem solved. :)

  • oupe #65 1 year ago

    @moxyz1

    post 1. No. There still is a difference between hacking and pirating. Even if most people don't want to see it.

    post 2. No. These games will be cracked (to use the correct terminology) or misguided by bogus FW and will still be offered on-line.
    Edited by oupe at 14/03/11 @ 13:40

  • Bumadan #66 1 year ago

    Im not really pro-hacking but if someone does it just to prove it can be done I honestly dont have a problem with it.

    On PC I could easily find cracked/pirated software but I dont do it. But my primary reason for NOT doing it is not that its morally wrong. Its that I dont have time to weed out all the crap. And I think that the amount of low-quality software is the major problem behind lack of sales and not so much piracy. I have in a few cases actually downloaded a cracked version of a game i BOUGHT just to avoid the hassle of the piracy-protection they put in. If that isnt a sign that something needs fixing I dont know what is.

    Make decent quality games and if they are new IPs back them up with a resonable amount of advertising (and dont waste money advertising for the new FIFAs and NHLs, people are gonna buy them anyway). And maybe consider lowering the price because I am sure there are people that would buy more if they could afford it. Apples App-store seems to be a good example of how many potential customers there are for lower priced games (but I bet the rate-of-crap-to-good-stuff is even worse there so thats another problem).

    I think Sony should just stop spending enormous amounts of money making things less accessible and instead "locking" out pirates by charging a fee to use PSN...oh wait they started that already didnt they?

    Its a case of "you get what you pay for" but the other important side of it is "you pay for what you feel you get".

  • BlinkeredAxis #67 1 year ago

    I assume the patch is mandatory, otherwise you could just retain a hacked system and carry on being a bad boy.

    It's good news anyway.

  • hesido #68 1 year ago

    I know a friend, who has limited knowledge about ps3 hacking, had his ps3 jailbroken by a store, and is now playing terrabytes worth of games (not kidding, the store sells terrabyte harddisk full of games). The damage is done, I say. (Although this friend wouldn't buy 95% of those games he is now playing if piracy wasn't possible, it's still a bad thing)

  • orangpelupa #69 1 year ago

    DF will you make analysis of this news
    [link url=http://psx-scene.com/forums/f6/mathieulh-jailbreaks-3-60-a-83423/
    ]http://psx-scene.com/forums/f6/mathieulh...[/link]
    analysis how what they do?
    and how what sony can do to fix it?

  • gandhimaster #70 1 year ago

    @notsoslim thats fair enough for new consoles, but the hackers can run custom fw and spoof versions etc at present to allow psn access etc.

    so they will still be able to do what they are doing, so the main problem has not been fixed, only changed for future consoles. if the hackers can spoof fw numbers then the new games will think their consoles are running said newest version and run as normal wont they?

  • jtodroc #71 1 year ago

    Infinity Ward released a patch on 8th March for MW2 that has gotten rid of all of the b*%tard hackers. I've been playin again since Monday without a sign of any of the scumbags.
    Edited by jtodroc at 17/03/11 @ 13:30

  • bemaniac #72 1 year ago

    lol @ what happened next