• Peter Horvath@mastodon.de · 2 days ago

    @misk @Creat It is so terrible. But I believe hardware jailbreaking should long have existed, for example by using Raspberry Pis to attach to the wires of the evil hardware in tricky ways. For example, by attaching to the pins of the memory chips, their bus could probably be locked for a short time (not long enough for the main OS to crash), and their content could be manipulated. The data structures in the RAM are absolutely not protected against anything. On a Unix-related OS, you can easily find a process data structure by its characteristic signatures, and then you can simply change its UID to 0; voilà, you are root.

    Alternatively, you can simply find the keys used to encrypt the disk content.

    Alternatively, finding the cached blocks in the block cache could also be possible. By finding a block, you have access to the decrypted disk blocks, and there you can overwrite anything, for example by giving a +s to your “su” binary.

    • misk@piefed.social OP · 2 days ago

      That’s how modchips work in general, but after many years of failures PlayStation security mechanisms are quite sophisticated. Jailbreaks in such cases involve chains of multiple exploits of different kinds. Hardware is often involved, but software-based exploits will be the most sought after as they’re easiest for the end user.

      • Peter Horvath@mastodon.de · 1 day ago

        @misk I think these modchips are exactly what would also really be needed in the Android or iEvil world. Although I am not very sure how they could be attached to a machine.