PS3 Firmware 3.56 Update is Now Available, Details Incoming
Update: It appears Mathieulh is incorrect as GFI Security's Chris Boyd has confirmed Sony wrote the ability for remote updates into its terms and conditions since at least 2006 stating the 3.56 rootkit is not new.
Just under two months since the previous PlayStation 3 system software update has passed, and today Sony has released PS3 Firmware version 3.56.
For those wondering, PS3 JailBreak and Custom Firmware users can still access PSN via the bypass methods but read the IRC log below as a "rootkit" was found in PS3 Firmware 3.56 which reportedly allows Sony to scan for PlayStation 3 Custom Firmware or any unofficial homebrew software.
According to VP of Network Operations Americas Eric Lempel via Sony's official blog on the update, to quote: "A new PS3 system software update, v3.56, will be released soon. This is a minor update that adds a security patch."
Needless to say, if you value PS3 homebrew, jailbreaking, downgrading or accessing PSN on a hacked PS3 it would probably be wise to hold off updating until PlayStation 3 developers can examine the 3.56 update.
As always, more details to come as they are available and below are some preliminary 3.56 Firmware examination details from PlayStation 3 developers via IRC:
KaKaRoTo: nice... it's full of spkg files now .. probably a new crypted pkg format KaKaRoTo: possibly with a new signature that only ps3swu.self can read, but without the ecdsa fail KaKaRoTo: humm.. seems I was misled, there's no spkg files in 3.56 KaKaRoTo: ok, so they added a new .self file in the PUP KaKaRoTo: and it seems it contains a key that we don't know about KaKaRoTo: yeah, probably a newer ps3swu.self that is more secure KaKaRoTo: but they kept the old one for people upgrading from older firmwares KaKaRoTo: the new ps3swu.self probably decrypts and uses the new self KaKaRoTo: ok, so we need new keys for everything now :p KaKaRoTo: I just pushed to ps3tools and ps3utils, fixes to allow pup/puppack/pupunpack to identify the new files in the pup rms: 000130e0 22 62 8a 9e c4 c4 14 d5 b3 2f 2b 4b a4 92 60 89 |"b......./+K..`.| rms: 000130f0 de 9a 46 1b 19 0f b3 e4 39 2d 05 7c 52 55 35 de |..F.....9-.|RU5.| rms: 00013100 d5 d4 b8 ed 62 b6 cc a0 24 9a 79 77 6e 13 69 75 |....b...$.ywn.iu| rms: 00013110 51 75 1b 9f 1d a5 86 38 d2 d9 9f 67 e2 0a 1d 4a |Qu.....8...g...J| rms: 00013120 45 4c 5b 04 2c d1 d0 a4 49 a2 98 98 08 00 2b a6 |EL[.,...I.....+.| rms: 00013130 8f b5 b7 f4 b5 b4 e6 3b 00 00 00 00 00 00 00 00 |.......;........| rms: try it. KaKaRoTo: rms, what's that blob you pasted ? adrianc: the new key KaKaRoTo: ha, cool KaKaRoTo: rms, if you know how and can extract all the new keys, please do and send them to me so I can upload to my ps3keys repo adrianc: the new keys are all in there rms: KaKaRoTo: i believe it's a lv2ldr key rms: erk/riv/pub its all in one block rms: i forgot the order its in though, it should be in that, its been a while KaKaRoTo: I don't even know how you did to find those keys :p adrianc: its in the data section of the elf usually rms: its really simple adrianc: after that look for references for blocks of data rms: really KaKaRoTo, i think even you could do it rms: adrianc: or something out of place adrianc: helps to compare to older versions where you already know the key position rms: and has a set of 8 00s adrianc: KaKaRoTo 3.56 key works? KaKaRoTo: adrianc, didn't try, not planning on trying atm KaKaRoTo: not until I have ~/.ps3/ files prepared for me by someone :) KaKaRoTo: lv2 3.56 decrypted :) rms: keyset? KaKaRoTo: pushing to github.com/kakaroto/ps3keys KaKaRoTo: pushed rms: ok rms lv1 is also new rms lv0 also rms and also the spu stuff apparently KaKaRoTo: humm.. I wonder who has the lv0 key adrianc: i dont think lv0 is available KaKaRoTo: iso keys are now pushed KaKaRoTo: also, now, if we want to repackage things (unless they screwed up the ecdsa *again*), we'd have to change the keys in all the loaders... which means repackaging all the *ldr and iso selfs... KaKaRoTo: so even more risk of bricking :p KaKaRoTo: pushed spp keys KaKaRoTo: the missing keys are for 'app', 'ldr' and 'rvk' KaKaRoTo: btw.. where is that 'ldr' coming from ? KaKaRoTo: and I can't figure out who decrypts lv0 KaKaRoTo: it can't be metldr since that one can't be changed KaKaRoTo: and there's no lv0ldr eussNL: bootldr decrypts lv0 afaik KaKaRoTo: there's no bootldr either adrianc: bootldr and lv0ldr arent in the pup Matt_P: not part of coreos Matt_P: and theres no such thing is lv0ldr Mathieulh: Sorrowuk I suppose modchip manufacturers will start shipping nor/nand programmer soon.. IceKiller: Mathieulh why? just get a at90 based thing IceKiller: i already told you about that Mathieulh :p Mathieulh: SLC the bootchain is pwned, no matter what Mathieulh: you can always downgrade the coreos Mathieulh: 3.56 has nice new stuffs in there :P Mathieulh: like remote code execution upon login Mathieulh: I assume they probably added some syscalls for lv2 integrity checks Sorrowuk: Who wants to resign lv2diag.self for 3.56 so it works again ? I would do it but I dont know how to rebuild the signature after I change the authid . Some people are stuck in service mode in 3.56 :P lol Mathieulh: Sorrowuk you can't Mathieulh: 3.56 pretty much has a built in psn rootkit Sorrowuk: psn rootkit ? noone: but if we could rip-off the fw that shit would be erased noone: that was the only thing stopped sony to _auto_ update your fw Mathieulh: noone it's not that simple Mathieulh: the server awaits a proper reply Mathieulh: and that reply isn't in the firmware Sorrowuk: so people are stuck in service mode? Mathieulh: they force updaters and lv2diags to be signed with the new 3.56+ app key Mathieulh: and of course we don't have the private key for that Mathieulh: if they want to get out of service mode they have to downgrade first by reflashing the nor externally Sorrowuk: Sony should release a new lv2diag.self for everyone to get out of service mode. thats not very nice of them XD Mathieulh: btw interestingly enough Mathieulh: it seems the new signature check for the updater (and supposedly lv2diag) is skipped on DEX consoles Mathieulh: I assume that's to allow debugs to downgrade Sorrowuk: so if you used a nand flasher and flashed the nand of a retail with a debug nand, you would have a debug console IceKiller: Sorrowuk no IceKiller: won't work. Mathieulh:http://twitter.com/#!/Mathieulh/stat...62433685110784
About 3.56 if the updater/lv2diag application keyset revision is lower than 0x0D, lv2 will refuse to run it. Mathieulh: the fail is the following anyway, decrypt your hdd cache partition /dev_hdd1 using the hdd decryption trick right after the 3.56+ updater starts (but before it updates) (just use the back switch), then replace the coreos package, with one you resigned which has 3.55 coreos but 3.56+ in info0 (or the value 0xA0 at offset 0x2C) then reencrypt the hdd partition and put the hdd back, because the Mathieulh: update status flag will be set, the updater will start and flash the resigned 3.55 coreos package (the fail works because they haven't changed the packages signatures, not like they can) Mathieulh: then you can use service mode again and flash whatever crap Mathieulh: doesn't work on slims cause the hdd decryption trick is fixed there Mathieulh: they btw can't fix it in the fat ones because it's hardware related Mathieulh: (encdec device) Mathieulh: also it's not the decryption that's the issue Mathieulh: appldr decrypts those selfs fine Mathieulh: the problem is lv2 wont run them Mathieulh: lv2 checks the app revision Mathieulh: if it's lower than 0x0D it wont run it Mathieulh: and of course you can't change an old one to 0x0D or higher Mathieulh: cause then appldr will check the signature with the new pub key Mathieulh: and you lack the private key Mathieulh: of course if anyone manages to pack a new PUP properly, then you don't need to do the hdd crypto shit to Mathieulh: but I haven't looked at the new pup format Mathieulh: rofl I am looking at the new appldr Mathieulh: and they hardcoded/revoked tons of new auth_ids in there Mathieulh: how much do you want to guess that those are the ones of the previously signed homebrews ? xD Mathieulh: oh ! wait Mathieulh: those aren't auth_id Mathieulh: those are hashes Mathieulh: 20 bytes each Mathieulh: sha1 considering the lenght Mathieulh: selfs Mathieulh: that has defintely something to do with why npdrm homebrews stopped working Mathieulh: in fact I am running the new appldr in anergistic Mathieulh: and it wont decrypt these demos Mathieulh: I mean homebrews Mathieulh: well you get the idea naehrwert: so new demos need new firmware version then, but what if they want to release a new demo and don't want to update fw? Mathieulh: naehrwert they just have to encrypt/sign it with new keys n00b517: PS3 3.56 _Private_ key: 7d583155485c3c7e3e6f626a4a4d4351322c444136 [!!!] an0nym0us: well it works an0nym0us: not sure how it was obtained DPxD3v: nice misteriou: 7d 58 31 55 48 5c 3c 7e 3e 6f 62 6a 4a 4d 43 51 32 2c 44 41 36 Djinn: this is being posted all over the place rms: $ printf "Private Key: 0x00"; cat /dev/random | head -c 20 | xxd -ps rms: Private Key: 0x00fe7027da6ce683aa111b3ebbe06b43ddf15bf7c3 rms: remember that MonkeyBoy: we got all the 3.56 Public keys hi3:http://pastie.org/private/zgfqskjthrphpmcho99hg
This is GeoHot's category_game.xml file which is written in dev_flash/vsh/resource/explore folder when you install PSJailbreak. This file is added to the existing one and not replaced at all. Also he writes a new nas_plugin.sprx to dev_flash/vsh/module.
There are two modes (developers who have installed the SDK) and non-developers)
For the first one (developers) these are the instructions:
1) Open PS3 Public Tools GUI.
2) Browse the MAKEFILE of your project.
3) After find the makefile (without closing PS3 Public Tools GUI), open your Windows cmd and go to the folder where there are the files you want to sign.
4) With the root set on cmd, type: make & make pkg
5) Open the window of PS3 Public Tools GUI and moving the mouse on the window you will see how the make button will be activated. Push it, and your self and pkg files will be signed!
For the second one (non-developers) these are the instructions (use this mode if you already have the elf, self and pkg files unsigned but compiled):
1) Open PS3 Public Tools GUI.
2) Uncheck developers option.
3) Browse your ELF file.
4) Push on the MAKE button.
NOTE: The application only will sign the self and pkgs files if they already exists. If not, the process won't be done.
PS3 Nas_Plugin Extractor 3.55:
This tool allows you to extract nas_plugin.sprx from a 3.55 (now, only 3.55...) pup sony update. After extract this module, you can decrypt the module using fail0verflow's unself tool.
To extract the module just run my app and browse the 3.55 pup file. You will find the file in C:\depkg after the extraction.
PS3 3.56 Lv12 Decrypt:
This tool allows you to decrypt CORE_OS_PACKAGE.pkg, lv1.self and lv2_kernel.self of 3.56 official firmware.
1) Download 3.56 official firmware pup file.
2) Run the app and browse the file.
3) Push the button. The files will be decrypted and saved in C:\BPS3Dec
PS3 Nas_Plugin Extractor 3.56:
This tool allows you to extract nas_plugin.sprx from a 3.56 (now, only 3.56...) pup sony update. After extract this module, you can decrypt the module using fail0verflow's unself tool.
To extract the module just run my app and browse the 3.56 pup file. You will find the file in C:\depkg after the extraction.
Then, if you want to decrypt the file extracted, open fail0verflow.rar included with this package and extract the folder called fail0verflow to C:\.
After that, copy your nas_plugin.sprx inside this folder and run the bat file that will be in C:\fail0verflow. Now you will already have your nas_plugin decrypted also!! (ALL THANKS TO FAIL0VERFLOW FOR THIS GREAT TOOL!)
Knowing somebody has a PS+ sub and 4got to turn off automatic updating, they will tell us if the installed apps (ftp, multiman) still works. If so it may be as simple as patching the update. But that also can be not so simple. Best of luck.
And I was just enjoying playing online again... At least the DNS patch still works for now.
"A security patch" LOL, do they really think they can stop CFW? $ony really have no clue do they? Why don't they stop trying to patch holes they can never fix and just fix the bugs and add the features everyone is asking for... I'm really surprised the firmware updates get bigger with less features.
Shouldn't they be getting smaller? I think we need a PSNLOVER for PS3 then they will never stop us getting online.