  1. Original Post
    ILLUMINATUS
    *SCHAOS*'s Avatar

    3.56 Firmware Encryption Keys Found! UPDATE: Possible 3.56 Downgrade!

    It seems as though PS3 devs KakaRoTo, Rms and Adrianc have already located the new encryption keys Sony implemented in an attempt to combat Homebrew.

    UPDATE 1 (1/26): The keys have been pushed to KaKaRoTo's git repository and are now available for download.

    Download here:

    UPDATE 2 (1/27): More good news: it looks as though PS3 dev Mathieulh has begun work on the new FW and gives insight into downgrading back to 3.55!


    Here's a snippet of their IRC conversation:

    KaKaRoTo: nice... it's full of spkg files now .. probably a new crypted pkg format
    KaKaRoTo: possibly with a new signature that only ps3swu.self can read, but without the ecdsa fail
    KaKaRoTo: humm.. seems I was misled, there's no spkg files in 3.56
    KaKaRoTo: ok, so they added a new .self file in the PUP
    KaKaRoTo: and it seems it contains a key that we don't know about
    KaKaRoTo: yeah, probably a newer ps3swu.self that is more secure
    KaKaRoTo: but they kept the old one for people upgrading from older firmwares
    KaKaRoTo: the new ps3swu.self probably decrypts and uses the new self
    KaKaRoTo: ok, so we need new keys for everything now
    KaKaRoTo: I just pushed to ps3tools and ps3utils, fixes to allow pup/puppack/pupunpack to identify the new files in the pup
    rms: try it.
    KaKaRoTo: rms, what's that blob you pasted ?
    adrianc: the new key
    KaKaRoTo: ha, cool
    KaKaRoTo: rms, if you know how and can extract all the new keys, please do and send them to me so I can upload to my ps3keys repo
    adrianc: the new keys are all in there
    rms: KaKaRoTo: i believe it's a lv2ldr key
    rms: erk/riv/pub its all in one block
    rms: i forgot the order its in though, it should be in that, its been a while
    KaKaRoTo: I don't even know how you did to find those keys
    adrianc: its in the data section of the elf usually
    rms: its really simple
    adrianc: after that look for references for blocks of data
    rms: really KaKaRoTo, i think even you could do it
    rms: adrianc: or something out of place
    adrianc: helps to compare to older versions where you already know the key position
    rms: and has a set of 8 00s
    adrianc: KaKaRoTo 3.56 key works?
    KaKaRoTo: adrianc, didn't try, not planning on trying atm
    KaKaRoTo: not until I have ~/.ps3/ files prepared for me by someone

    KaKaRoTo: lv2 3.56 decrypted
    rms: keyset?
    KaKaRoTo: pushing to github.com/kakaroto/ps3keys
    KaKaRoTo: pushed
    rms: ok
    rms: lv1 is also new
    rms: lv0 also
    rms: and also the spu stuff apparently
    KaKaRoTo: humm.. I wonder who has the lv0 key
    adrianc: i dont think lv0 is available

    KaKaRoTo: iso keys are now pushed
    KaKaRoTo: also, now, if we want to repackage things (unless they screwed up the ecdsa *again*), we'd have to change the keys in all the loaders... which means repackaging all the *ldr and iso selfs...
    KaKaRoTo: so even more risk of bricking :tongue:
    KaKaRoTo: pushed spp keys
    KaKaRoTo: the missing keys are for 'app', 'ldr' and 'rvk'
    KaKaRoTo: btw.. where is that 'ldr' coming from ?
    KaKaRoTo: and I can't figure out who decrypts lv0
    KaKaRoTo: it can't be metldr since that one can't be changed
    KaKaRoTo: and there's no lv0ldr
    eussNL: bootldr decrypts lv0 afaik
    KaKaRoTo: there's no bootldr either
    adrianc: bootldr and lv0ldr arent in the pup
    Matt_P: not part of coreos
    Matt_P: and there's no such thing as lv0ldr
    adrianc: apparently sony removed recovery mode
    UPDATE:

    Mathieulh: Sorrowuk I suppose modchip manufacturers will start shipping nor/nand programmer soon..
    IceKiller: Mathieulh why? just get a at90 based thing
    IceKiller: i already told you about that Mathieulh :tongue:
    Mathieulh: SLC the bootchain is pwned, no matter what
    Mathieulh: you can always downgrade the coreos
    Mathieulh: 3.56 has nice new stuffs in there :P
    Mathieulh: like remote code execution upon login
    Mathieulh: I assume they probably added some syscalls for lv2 integrity checks
    Sorrowuk: Who wants to resign lv2diag.self for 3.56 so it works again ? I would do it but I dont know how to rebuild the signature after I change the authid . Some people are stuck in service mode in 3.56 :P lol
    Mathieulh: Sorrowuk you can't
    Sorrowuk: so people are stuck in service mode?
    Mathieulh: they force updaters and lv2diags to be signed with the new 3.56+ app key
    Mathieulh: and of course we don't have the private key for that
    Mathieulh: if they want to get out of service mode they have to downgrade first by reflashing the nor externally
    Sorrowuk: Sony should release a new lv2diag.self for everyone to get out of service mode. thats not very nice of them XD
    Mathieulh: btw interestingly enough
    Mathieulh: it seems the new signature check for the updater (and supposedly lv2diag) is skipped on DEX consoles
    Mathieulh: I assume that's to allow debugs to downgrade
    Sorrowuk: so if you used a nand flasher and flashed the nand of a retail with a debug nand, you would have a debug console
    IceKiller: Sorrowuk no
    IceKiller: won't work.
    Mathieulh: About 3.56 if the updater/lv2diag application keyset revision is lower than 0x0D, lv2 will refuse to run it.
    Mathieulh: the fail is the following anyway, decrypt your hdd cache partition /dev_hdd1 using the hdd decryption trick right after the 3.56+ updater starts (but before it updates) (just use the back switch), then replace the coreos package, with one you resigned which has 3.55 coreos but 3.56+ in info0 (or the value 0xA0 at offset 0x2C) then reencrypt the hdd partition and put the hdd back, because the
    Mathieulh: update status flag will be set, the updater will start and flash the resigned 3.55 coreos package (the fail works because they haven't changed the packages signatures, not like they can)
    Mathieulh: then you can use service mode again and flash whatever crap
    Mathieulh: doesn't work on slims cause the hdd decryption trick is fixed there
    Mathieulh: they btw can't fix it in the fat ones because it's hardware related
    Mathieulh: (encdec device)
    Mathieulh: also it's not the decryption that's the issue
    Mathieulh: appldr decrypts those selfs fine
    Mathieulh: the problem is lv2 wont run them
    Mathieulh: lv2 checks the app revision
    Mathieulh: if it's lower than 0x0D it wont run it
    Mathieulh: and of course you can't change an old one to 0x0D or higher
    Mathieulh: cause then appldr will check the signature with the new pub key
    Mathieulh: and you lack the private key
    Mathieulh: of course if anyone manages to pack a new PUP properly, then you don't need to do the hdd crypto shit to
    Mathieulh: but I haven't looked at the new pup format
    Mathieulh: rofl I am looking at the new appldr
    Mathieulh: and they hardcoded/revoked tons of new auth_ids in there
    Mathieulh: how much do you want to guess that those are the ones of the previously signed homebrews ? xD
    Mathieulh: oh ! wait
    Mathieulh: those aren't auth_id
    Mathieulh: those are hashes
    Mathieulh: 20 bytes each
    Mathieulh: sha1 considering the length
    Mathieulh: selfs
    Mathieulh: that has definitely something to do with why npdrm homebrews stopped working
    Mathieulh: in fact I am running the new appldr in
    Mathieulh: and it wont decrypt these demos
    Mathieulh: I mean homebrews
    Mathieulh: well you get the idea
    naehrwert: so new demos need new firmware version then, but what if they want to release a new demo and don't want to update fw?
    Mathieulh: naehrwert they just have to encrypt/sign it with new keys









    Looks like the devs win again. I'll try to keep this thread up to date as I find more news.
    Last edited by *SCHAOS*; 01-27-2011 at 06:18 PM.
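
The two checks Mathieulh describes in the log (the loader verifying the signature under the key the revision selects, and lv2 refusing revisions below 0x0D), modelled as an added example that is not part of the original post or any PS3 code. HMAC-SHA256 stands in for the real signature scheme, and the keys, the old revision value 0x0A, the image layout and the reading of the 20-byte hashes as a SHA-1 denylist are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

MIN_APP_REVISION = 0x0D  # floor quoted in the log: lv2 refuses anything lower
OLD_REV = 0x0A           # assumed pre-3.56 revision value, for illustration only

# Constructed keys. HMAC-SHA256 is a stand-in for the real signature scheme;
# the "old" key models one that is already known outside the vendor.
KEYS = {OLD_REV: b"constructed-old-key", MIN_APP_REVISION: b"constructed-new-key"}
# Assumption: the 20-byte values in the new loader act as a SHA-1 denylist.
REVOKED_SHA1 = {hashlib.sha1(b"constructed revoked body").digest()}

@dataclass(frozen=True)
class Image:
    revision: int
    body: bytes
    signature: bytes

def _mac(revision: int, body: bytes) -> bytes:
    return hmac.new(KEYS[revision], bytes([revision]) + body, hashlib.sha256).digest()

def sign(revision: int, body: bytes) -> Image:
    return Image(revision, body, _mac(revision, body))

def loader_accepts(img: Image) -> bool:
    """Loader stage: verify under the key the revision selects, then the denylist."""
    ok = img.revision in KEYS and hmac.compare_digest(_mac(img.revision, img.body), img.signature)
    return ok and hashlib.sha1(img.body).digest() not in REVOKED_SHA1

def verdict(img: Image) -> str:
    if not loader_accepts(img):
        return "rejected by loader"
    if img.revision < MIN_APP_REVISION:  # kernel stage: revision floor
        return "rejected by revision floor"
    return "accepted"

def demo() -> dict:
    old = sign(OLD_REV, b"old updater")
    return {
        "old, untouched": verdict(old),
        "old, relabelled 0x0D": verdict(Image(MIN_APP_REVISION, old.body, old.signature)),
        "signed with new key": verdict(sign(MIN_APP_REVISION, b"new updater")),
        "new key, denylisted body": verdict(sign(MIN_APP_REVISION, b"constructed revoked body")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```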

  3. #181

    Sony fails again haha.

  4. #182
    Respect pl0x?
    xGIBRALTERx's Avatar

    Originally Posted by The15thPrestige:
    Sony fails again haha.
    what did you do to get -100 rep

  5. #183

    Originally Posted by BlackOpsPost:
    what did you do to get -100 rep
    I posted really old stuff

  6. #184
    Burrito

    I see that anyone tried the method that I posted here:

  7. #185
    French Fries

    Talking Good Good


    When will it be released m8s LOL sony sucks :L

  8. #186
    Ragdoll

    awaiting downgrade 3.56 or CFW 3.56 :derp:

    World need this!!

  9. #187
    LAG? ;D
    david23's Avatar

    [QUOTE=*SCHAOS*;2401449]********It seems as though PS3 Dev's KakaRoTo, Rms and Adrianc have already located the new encryption keys Sony implemented in an attempt to combat Homebrew.[/LEFT]

    ********[SIZE=4][COLOR=red][B]UPDATE 1 (1/26):

    SOURCE?:smh:

  10. #188
    Konichiwa Bitches
    Tory Lanez's Avatar

    [quote=david23;2604575]
    Quote Originally Posted by *SCHAOS* View Post
    ********It seems as though PS3 Dev's KakaRoTo, Rms and Adrianc have already located the new encryption keys Sony implemented in an attempt to combat Homebrew.[/LEFT]

    ********[SIZE=4][COLOR=red][B]UPDATE 1 (1/26):

    SOURCE?:smh:
    Fail quote quote is a fail

  11. #189
    Junior Ranger
    Zeroed_in's Avatar

    This thread is almost 2 months old... where we going with this?

  12. #190
    French Fries

    Originally Posted by Zeroed_in:
    This thread is almost 2 months old... where we going with this?
    Not even a month old. 1/26/11 and now 2/19/11?

    Also, give them time to do it; it's not as if it's a 1-second job, and they might have other things to do besides helping you downgrade.
