Update: It appears Mathieulh is incorrect as GFI Security's Chris Boyd has confirmed Sony wrote the ability for remote updates into its terms and conditions since at least 2006 stating the 3.56 rootkit is not new.
Just under two months since the previous PlayStation 3 system software update has passed, and today Sony has released PS3 Firmware version 3.56.
For those wondering, PS3 JailBreak and Custom Firmware users can still access PSN via the bypass methods but read the IRC log below as a "rootkit" was found in PS3 Firmware 3.56 which reportedly allows Sony to scan for PlayStation 3 Custom Firmware or any unofficial homebrew software.
Download: PS3 Firmware 3.56 Update (US) / PS3 Firmware 3.56 Update (EU) / PS3 Firmware 3.56 Keys / PS3 Keylist (.xls) / PS3 Tools
According to VP of Network Operations Americas Eric Lempel via Sony's official blog on the update, to quote: "A new PS3 system software update, v3.56, will be released soon. This is a minor update that adds a security patch."
Needless to say, if you value PS3 homebrew, jailbreaking, downgrading or accessing PSN on a hacked PS3 it would probably be wise to hold off updating until PlayStation 3 developers can examine the 3.56 update.
As always, more details to come as they are available and below are some preliminary 3.56 Firmware examination details from PlayStation 3 developers via IRC:
KaKaRoTo: nice... it's full of spkg files now .. probably a new crypted pkg format
KaKaRoTo: possibly with a new signature that only ps3swu.self can read, but without the ecdsa fail
KaKaRoTo: humm.. seems I was misled, there's no spkg files in 3.56
KaKaRoTo: ok, so they added a new .self file in the PUP
KaKaRoTo: and it seems it contains a key that we don't know about
KaKaRoTo: yeah, probably a newer ps3swu.self that is more secure
KaKaRoTo: but they kept the old one for people upgrading from older firmwares
KaKaRoTo: the new ps3swu.self probably decrypts and uses the new self
KaKaRoTo: ok, so we need new keys for everything now :p
KaKaRoTo: I just pushed to ps3tools and ps3utils, fixes to allow pup/puppack/pupunpack to identify the new files in the pup
rms: 000130e0 22 62 8a 9e c4 c4 14 d5 b3 2f 2b 4b a4 92 60 89 |"b......./+K..`.|
rms: 000130f0 de 9a 46 1b 19 0f b3 e4 39 2d 05 7c 52 55 35 de |..F.....9-.|RU5.|
rms: 00013100 d5 d4 b8 ed 62 b6 cc a0 24 9a 79 77 6e 13 69 75 |....b...$.ywn.iu|
rms: 00013110 51 75 1b 9f 1d a5 86 38 d2 d9 9f 67 e2 0a 1d 4a |Qu.....8...g...J|
rms: 00013120 45 4c 5b 04 2c d1 d0 a4 49 a2 98 98 08 00 2b a6 |EL[.,...I.....+.|
rms: 00013130 8f b5 b7 f4 b5 b4 e6 3b 00 00 00 00 00 00 00 00 |.......;........|
rms: try it.
KaKaRoTo: rms, what's that blob you pasted ?
adrianc: the new key
KaKaRoTo: ha, cool
KaKaRoTo: rms, if you know how and can extract all the new keys, please do and send them to me so I can upload to my ps3keys repo
adrianc: the new keys are all in there
rms: KaKaRoTo: i believe it's a lv2ldr key
rms: erk/riv/pub its all in one block
rms: i forgot the order its in though, it should be in that, its been a while
KaKaRoTo: I don't even know how you did to find those keys :p
adrianc: its in the data section of the elf usually
rms: its really simple
adrianc: after that look for references for blocks of data
rms: really KaKaRoTo, i think even you could do it
rms: adrianc: or something out of place
adrianc: helps to compare to older versions where you already know the key position
rms: and has a set of 8 00s
adrianc: KaKaRoTo 3.56 key works?
KaKaRoTo: adrianc, didn't try, not planning on trying atm
KaKaRoTo: not until I have ~/.ps3/ files prepared for me by someone :)
KaKaRoTo: lv2 3.56 decrypted :)
KaKaRoTo: pushing to github.com/kakaroto/ps3keys
rms lv1 is also new
rms lv0 also
rms and also the spu stuff apparently
KaKaRoTo: humm.. I wonder who has the lv0 key
adrianc: i dont think lv0 is available
KaKaRoTo: iso keys are now pushed
KaKaRoTo: also, now, if we want to repackage things (unless they screwed up the ecdsa *again*), we'd have to change the keys in all the loaders... which means repackaging all the *ldr and iso selfs...
KaKaRoTo: so even more risk of bricking :p
KaKaRoTo: pushed spp keys
KaKaRoTo: the missing keys are for 'app', 'ldr' and 'rvk'
KaKaRoTo: btw.. where is that 'ldr' coming from ?
KaKaRoTo: and I can't figure out who decrypts lv0
KaKaRoTo: it can't be metldr since that one can't be changed
KaKaRoTo: and there's no lv0ldr
eussNL: bootldr decrypts lv0 afaik
KaKaRoTo: there's no bootldr either
adrianc: bootldr and lv0ldr arent in the pup
Matt_P: not part of coreos
Matt_P: and theres no such thing is lv0ldr
Mathieulh: Sorrowuk I suppose modchip manufacturers will start shipping nor/nand programmer soon..
IceKiller: Mathieulh why? just get a at90 based thing
IceKiller: i already told you about that Mathieulh :p
Mathieulh: SLC the bootchain is pwned, no matter what
Mathieulh: you can always downgrade the coreos
Mathieulh: 3.56 has nice new stuffs in there :P
Mathieulh: like remote code execution upon login
Mathieulh: I assume they probably added some syscalls for lv2 integrity checks
Sorrowuk: Who wants to resign lv2diag.self for 3.56 so it works again ? I would do it but I dont know how to rebuild the signature after I change the authid . Some people are stuck in service mode in 3.56 :P lol
Mathieulh: Sorrowuk you can't
Mathieulh: 3.56 pretty much has a built in psn rootkit
Sorrowuk: psn rootkit ?
noone: but if we could rip-off the fw that shit would be erased
noone: that was the only thing stopped sony to _auto_ update your fw
Mathieulh: noone it's not that simple
Mathieulh: the server awaits a proper reply
Mathieulh: and that reply isn't in the firmware
Sorrowuk: so people are stuck in service mode?
Mathieulh: they force updaters and lv2diags to be signed with the new 3.56+ app key
Mathieulh: and of course we don't have the private key for that
Mathieulh: if they want to get out of service mode they have to downgrade first by reflashing the nor externally
Sorrowuk: Sony should release a new lv2diag.self for everyone to get out of service mode. thats not very nice of them XD
Mathieulh: btw interestingly enough
Mathieulh: it seems the new signature check for the updater (and supposedly lv2diag) is skipped on DEX consoles
Mathieulh: I assume that's to allow debugs to downgrade
Sorrowuk: so if you used a nand flasher and flashed the nand of a retail with a debug nand, you would have a debug console
IceKiller: Sorrowuk no
IceKiller: won't work.
About 3.56 if the updater/lv2diag application keyset revision is lower than 0x0D, lv2 will refuse to run it.
Mathieulh: the fail is the following anyway, decrypt your hdd cache partition /dev_hdd1 using the hdd decryption trick right after the 3.56+ updater starts (but before it updates) (just use the back switch), then replace the coreos package, with one you resigned which has 3.55 coreos but 3.56+ in info0 (or the value 0xA0 at offset 0x2C) then reencrypt the hdd partition and put the hdd back, because the
Mathieulh: update status flag will be set, the updater will start and flash the resigned 3.55 coreos package (the fail works because they haven't changed the packages signatures, not like they can)
Mathieulh: then you can use service mode again and flash whatever crap
Mathieulh: doesn't work on slims cause the hdd decryption trick is fixed there
Mathieulh: they btw can't fix it in the fat ones because it's hardware related
Mathieulh: (encdec device)
Mathieulh: also it's not the decryption that's the issue
Mathieulh: appldr decrypts those selfs fine
Mathieulh: the problem is lv2 wont run them
Mathieulh: lv2 checks the app revision
Mathieulh: if it's lower than 0x0D it wont run it
Mathieulh: and of course you can't change an old one to 0x0D or higher
Mathieulh: cause then appldr will check the signature with the new pub key
Mathieulh: and you lack the private key
Mathieulh: of course if anyone manages to pack a new PUP properly, then you don't need to do the hdd crypto shit to
Mathieulh: but I haven't looked at the new pup format
Mathieulh: rofl I am looking at the new appldr
Mathieulh: and they hardcoded/revoked tons of new auth_ids in there
Mathieulh: how much do you want to guess that those are the ones of the previously signed homebrews ? xD
Mathieulh: oh ! wait
Mathieulh: those aren't auth_id
Mathieulh: those are hashes
Mathieulh: 20 bytes each
Mathieulh: sha1 considering the lenght
Mathieulh: that has defintely something to do with why npdrm homebrews stopped working
Mathieulh: in fact I am running the new appldr in anergistic
Mathieulh: and it wont decrypt these demos
Mathieulh: I mean homebrews
Mathieulh: well you get the idea
naehrwert: so new demos need new firmware version then, but what if they want to release a new demo and don't want to update fw?
Mathieulh: naehrwert they just have to encrypt/sign it with new keys
n00b517: PS3 3.56 _Private_ key: 7d583155485c3c7e3e6f626a4a4d4351322c444136 [!!!]
an0nym0us: well it works
an0nym0us: not sure how it was obtained
misteriou: 7d 58 31 55 48 5c 3c 7e 3e 6f 62 6a 4a 4d 43 51 32 2c 44 41 36
Djinn: this is being posted all over the place
rms: $ printf "Private Key: 0x00"; cat /dev/random | head -c 20 | xxd -ps
rms: Private Key: 0x00fe7027da6ce683aa111b3ebbe06b43ddf15bf7c3
rms: remember that
MonkeyBoy: we got all the 3.56 Public keys
Finally, Becus25 has released several PS3 tools recently as follows: GeoHot's PS3 3.55 Category_Game.xml File, PS3 Public Tools GUI Rev. B, PS3 Nas_Plugin Extractor 3.55, PS3 3.56 Lv12 Decrypt, and PS3 Nas_Plugin Extractor 3.56. Details on each are below:
GeoHot's PS3 3.55 Category_Game.xml File:
This is GeoHot's category_game.xml file which is written in dev_flash/vsh/resource/explore folder when you install PSJailbreak. This file is added to the existing one and not replaced at all. Also he writes a new nas_plugin.sprx to dev_flash/vsh/module.
PS3 Public Tools GUI Rev. B:
There are two modes (developers who have installed the SDK) and non-developers)
For the first one (developers) these are the instructions:
1) Open PS3 Public Tools GUI.
2) Browse the MAKEFILE of your project.
3) After find the makefile (without closing PS3 Public Tools GUI), open your Windows cmd and go to the folder where there are the files you want to sign.
4) With the root set on cmd, type: make & make pkg
5) Open the window of PS3 Public Tools GUI and moving the mouse on the window you will see how the make button will be activated. Push it, and your self and pkg files will be signed!
For the second one (non-developers) these are the instructions (use this mode if you already have the elf, self and pkg files unsigned but compiled):
1) Open PS3 Public Tools GUI.
2) Uncheck developers option.
3) Browse your ELF file.
4) Push on the MAKE button.
NOTE: The application only will sign the self and pkgs files if they already exists. If not, the process won't be done.
PS3 Nas_Plugin Extractor 3.55:
This tool allows you to extract nas_plugin.sprx from a 3.55 (now, only 3.55...) pup sony update. After extract this module, you can decrypt the module using fail0verflow's unself tool.
To extract the module just run my app and browse the 3.55 pup file. You will find the file in C:\depkg after the extraction.
PS3 3.56 Lv12 Decrypt:
This tool allows you to decrypt CORE_OS_PACKAGE.pkg, lv1.self and lv2_kernel.self of 3.56 official firmware.
1) Download 3.56 official firmware pup file.
2) Run the app and browse the file.
3) Push the button. The files will be decrypted and saved in C:\BPS3Dec
PS3 Nas_Plugin Extractor 3.56:
This tool allows you to extract nas_plugin.sprx from a 3.56 (now, only 3.56...) pup sony update. After extract this module, you can decrypt the module using fail0verflow's unself tool.
To extract the module just run my app and browse the 3.56 pup file. You will find the file in C:\depkg after the extraction.
Then, if you want to decrypt the file extracted, open fail0verflow.rar included with this package and extract the folder called fail0verflow to C:\.
After that, copy your nas_plugin.sprx inside this folder and run the bat file that will be in C:\fail0verflow. Now you will already have your nas_plugin decrypted also!! (ALL THANKS TO FAIL0VERFLOW FOR THIS GREAT TOOL!)
More PlayStation 3 News...