Glitches, Cheats, Reviews, Discussions for the Latest and Hottest Video Games

Welcome to our forums Guest. We hope you have a nice stay Smile || New Better

    3.56 Firmware Encryption Keys Found! UPDATE: Possible 3.56 Downgrade!


    Posts : 309
    Points : 21267
    Reputation : 53
    Join date : 2011-03-22
    Location : iPROFamily World

    3.56 Firmware Encryption Keys Found! UPDATE: Possible 3.56 Downgrade!

    Post by iPROFamily on Thu Apr 07, 2011 8:25 pm

    It seems as
    though PS3 Dev's KakaRoTo, Rms and Adrianc have already located the new
    encryption keys Sony implemented in an attempt to combat Homebrew.

    UPDATE 1 (1/26): The keys have been pushed to KaKaRoTo's git repository and are now available for download.

    Download here: [You must be registered and logged in to see this link.]

    UPDATE 2 (1/27): More Good News; It looks as though PS3 Dev Mathieulh has began work on the new FW and gives insight into downgrading back to 3.55!

    Here's a snippit of their IRC converstion:

    KaKaRoTo: nice... it's full of spkg files now .. probably a new crypted pkg format
    KaKaRoTo: possibly with a new signature that only ps3swu.self can read, but without the ecdsa fail
    KaKaRoTo: humm.. seems I was misled, there's no spkg files in 3.56
    KaKaRoTo: ok, so they added a new .self file in the PUP
    KaKaRoTo: and it seems it contains a key that we don't know about
    KaKaRoTo: yeah, probably a newer ps3swu.self that is more secure
    KaKaRoTo: but they kept the old one for people upgrading from older firmwares
    KaKaRoTo: the new ps3swu.self probably decrypts and uses the new self
    KaKaRoTo: ok, so we need new keys for everything now [You must be registered and logged in to see this image.]
    KaKaRoTo: I just pushed to ps3tools and ps3utils, fixes to allow pup/puppack/pupunpack to identify the new files in the pup
    rms: 000130e0 22 62 8a 9e c4 c4 14 d5 b3 2f 2b 4b a4 92 60 89 |"b......./+K..`.|
    rms: 000130f0 de 9a 46 1b 19 0f b3 e4 39 2d 05 7c 52 55 35 de |..F.....9-.|RU5.|
    rms: 00013100 d5 d4 b8 ed 62 b6 cc a0 24 9a 79 77 6e 13 69 75 |....b...$.ywn.iu|
    rms: 00013110 51 75 1b 9f 1d a5 86 38 d2 d9 9f 67 e2 0a 1d 4a |Qu.....8...g...J|
    rms: 00013120 45 4c 5b 04 2c d1 d0 a4 49 a2 98 98 08 00 2b a6 |EL[.,...I.....+.|
    rms: 00013130 8f b5 b7 f4 b5 b4 e6 3b 00 00 00 00 00 00 00 00 |.......;........|
    rms: try it.
    KaKaRoTo: rms, what's that blob you pasted ?
    adrianc: the new key
    KaKaRoTo: ha, cool
    KaKaRoTo: rms, if you know how and can extract all the new keys, please do and send them to me so I can upload to my ps3keys repo
    adrianc: the new keys are all in there
    rms: KaKaRoTo: i believe it's a lv2ldr key
    rms: erk/riv/pub its all in one block
    rms: i forgot the order its in though, it should be in that, its been a while
    KaKaRoTo: I don't even know how you did to find those keys [You must be registered and logged in to see this image.]
    adrianc: its in the data section of the elf usually
    rms: its really simple
    adrianc: after that look for references for blocks of data
    rms: really KaKaRoTo, i think even you could do it
    rms: adrianc: or something out of place
    adrianc: helps to compare to older versions where you already know the key position
    rms: and has a set of 8 00s
    adrianc: KaKaRoTo 3.56 key works?
    KaKaRoTo: adrianc, didn't try, not planning on trying atm
    KaKaRoTo: not until I have ~/.ps3/ files prepared for me by someone
    KaKaRoTo: lv2 3.56 decrypted [You must be registered and logged in to see this image.]
    rms: keyset?
    KaKaRoTo: pushing to
    KaKaRoTo: pushed
    rms: ok
    rms lv1 is also new
    rms lv0 also
    rms and also the spu stuff apparently
    KaKaRoTo: humm.. I wonder who has the lv0 key
    adrianc: i dont think lv0 is available
    KaKaRoTo: iso keys are now pushed
    KaKaRoTo: also, now, if we want to
    repackage things (unless they screwed up the ecdsa *again*), we'd have
    to change the keys in all the loaders... which means repackaging all the
    *ldr and iso selfs...

    KaKaRoTo: so even more risk of bricking [You must be registered and logged in to see this image.]
    KaKaRoTo: pushed spp keys
    KaKaRoTo: the missing keys are for 'app', 'ldr' and 'rvk'
    KaKaRoTo: btw.. where is that 'ldr' coming from ?
    KaKaRoTo: and I can't figure out who decrypts lv0
    KaKaRoTo: it can't be metldr since that one can't be changed
    KaKaRoTo: and there's no lv0ldr
    eussNL: bootldr decrypts lv0 afaik
    KaKaRoTo: there's no bootldr either
    adrianc: bootldr and lv0ldr arent in the pup
    Matt_P: not part of coreos
    Matt_P: and theres no such thing is lv0ldr
    adrianc: apparently sony removed recovery mode
    Mathieulh: Sorrowuk I suppose modchip manufacturers will start shipping nor/nand programmer soon..
    IceKiller: Mathieulh why? just get a at90 based thing
    IceKiller: i already told you about that Mathieulh [You must be registered and logged in to see this image.]
    Mathieulh: SLC the bootchain is pwned, no matter what
    Mathieulh: you can always downgrade the coreos
    Mathieulh: 3.56 has nice new stuffs in there [You must be registered and logged in to see this image.]
    Mathieulh: like remote code execution upon login
    Mathieulh: I assume they probably added some syscalls for lv2 integrity checks
    Sorrowuk: Who wants to resign lv2diag.self
    for 3.56 so it works again ? I would do it but I dont know how to
    rebuild the signature after I change the authid . Some people are stuck
    in service mode in 3.56 [You must be registered and logged in to see this image.] lol

    Mathieulh: Sorrowuk you can't
    Sorrowuk: so people are stuck in service mode?
    Mathieulh: they force updaters and lv2diags to be signed with the new 3.56+ app key
    Mathieulh: and of course we don't have the private key for that
    Mathieulh: if they want to get out of service mode they have to downgrade first by reflashing the nor externally
    Sorrowuk: Sony should release a new lv2diag.self for everyone to get out of service mode. thats not very nice of them XD
    Mathieulh: btw interestingly enough
    Mathieulh: it seems the new signature check for the updater (and supposedly lv2diag) is skipped on DEX consoles
    Mathieulh: I assume that's to allow debugs to downgrade
    Sorrowuk: so if you used a nand flasher and flashed the nand of a retail with a debug nand, you would have a debug console
    IceKiller: Sorrowuk no
    IceKiller: won't work.
    Mathieulh: [You must be registered and logged in to see this link.]

    About 3.56 if the updater/lv2diag application keyset revision is lower than 0x0D, lv2 will refuse to run it.

    Mathieulh: the fail is the following
    anyway, decrypt your hdd cache partition /dev_hdd1 using the hdd
    decryption trick right after the 3.56+ updater starts (but before it
    updates) (just use the back switch), then replace the coreos package,
    with one you resigned which has 3.55 coreos but 3.56+ in info0 (or the
    value 0xA0 at offset 0x2C) then reencrypt the hdd partition and put the
    hdd back, because the

    Mathieulh: update status flag will be set,
    the updater will start and flash the resigned 3.55 coreos package (the
    fail works because they haven't changed the packages signatures, not like they can)

    Mathieulh: then you can use service mode again and flash whatever crap

    Mathieulh: doesn't work on slims cause the hdd decryption trick is fixed there

    Mathieulh: they btw can't fix it in the fat ones because it's hardware related

    Mathieulh: (encdec device)

    Mathieulh: also it's not the decryption that's the issue

    Mathieulh: appldr decrypts those selfs fine

    Mathieulh: the problem is lv2 wont run them

    Mathieulh: lv2 checks the app revision

    Mathieulh: if it's lower than 0x0D it wont run it

    Mathieulh: and of course you can't change an old one to 0x0D or higher

    Mathieulh: cause then appldr will check the signature with the new pub key

    Mathieulh: and you lack the private key

    Mathieulh: of course if anyone manages to pack a new PUP properly, then you don't need to do the hdd crypto shit to

    Mathieulh: but I haven't looked at the new pup format

    Mathieulh: rofl I am looking at the new appldr

    Mathieulh: and they hardcoded/revoked tons of new auth_ids in there

    Mathieulh: how much do you want to guess that those are the ones of the previously signed homebrews ? xD

    Mathieulh: oh ! wait

    Mathieulh: those aren't auth_id

    Mathieulh: those are hashes

    Mathieulh: 20 bytes each

    Mathieulh: sha1 considering the lenght

    Mathieulh: selfs

    Mathieulh: that has defintely something to do with why npdrm homebrews stopped working

    Mathieulh: in fact I am running the new appldr in [You must be registered and logged in to see this link.]
    Mathieulh: and it wont decrypt these demos
    Mathieulh: I mean homebrews
    Mathieulh: well you get the idea
    naehrwert: so new demos need new firmware version then, but what if they want to release a new demo and don't want to update fw?
    Mathieulh: naehrwert they just have to encrypt/sign it with new keys

    Looks like the Dev's win again. Ill try to keep this thread up to date as I find more news.

      Current date/time is Tue Jan 22, 2019 1:55 pm