Update #2: GeoHot has now released GeoHot_1st.self (first signed PS3 homebrew on Firmware 3.55) and Lv2diag.self (also Lv2diag.elf in ELF format) stating the following: "...and this is a real self, hello world although it's not NPDRM, so it won't run off the hard drive. shouts to the guys who did PSL1GHT. without you, I couldn't release this. first piece of homebrew you can run, put in service mode, put on usb stick, boot."
Next up, Ifcaro has released PUPView BETA, to quote roughly translated: "PUPView is a GUI application used to view and extract the contents of the PUP update files for the PlayStation 3. At the moment it will only permit you to extract, but I also have plans to simplify the creation of new PUP files thanks to the new keys released "
In other PS3 hacking news today, KaKaRoToKs has released a PS3 PUP Packing Tool, a PS3 OFW to CFW Script and Fix_TAR for PS3 Packages, and superG has released Gpup v1.00 (Win32 PUP Extractor/Packer) (Gpup v1.00 ELF) alongside Gpup v1.00 (Linux PUP Extractor/Packer).
Update: Veritas? and others now have Tales of Graces F, Need for Speed: Hot Pursuit, Gran Turismo 5, and Harry Potter And The Death Hallows Part1 working with rewritten v3.50 PS3 Game EBOOT files on Firmware 3.41 for PlayStation 3 JailBreak users! To quote:
This guide requires you to have some knowledge of how the SELF and ELF file formats are laid out. I don't have a quick tool to do this for me, but it takes maybe 5 minutes of my time to do it by hand.
1. Open EBOOT.BIN in a hex editor of your preference.
2. In EBOOT.BIN, look at the SELF control info, if you see anything resembling the game titleid, it's an NPDRM SELF and this guide won't work, give up.
3. Use readself on EBOOT.BIN to get information about the encrypted metadata sections.
4. Unself EBOOT.BIN eboot.elf
5. Open eboot.elf in a hex editor of your preference.
6. In eboot.elf, go to every encrypted metadata section (now decrypted), copy its data, and replace the encrypted data in EBOOT.BIN.
7. In EBOOT.BIN, change SELF header to indicate it's FSELF.
8. In EBOOT.BIN, change SELF section headers that are marked as encrypted to say they are not encrypted.
9. If the game is a newer SDK version (like GT5, which is 3.50), in EBOOT.BIN, find the .sys_proc_param segment and change the SDK version to something earlier, such as 3.41. This will probably cause crashes in games that actually use newer SDK features that are not available in earlier SDK versions.
10. Save EBOOT.BIN
11. Cross fingers, run game, hope it works.
AerialX also released SCEkrit and SCEkrit v1.01 which can be useful in obtaining the need 'private' keys for signing PS3 homebrew followed by SCEkrit (Win32) via Nicksasa. So, who wants to sign application SELFs?
erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70
props to fail0verflow for the asymmetric half. no donate link, just use this info wisely. i do not condone piracy. if you want your next console to be secure, get in touch with me. any of you 3. it'd be fun to be on the other side.
GeoHot also stated the following: "No plans for CFW, and btw PSJailbreak team already won the signed PUP contest. Or me if you believe in 3.21OO
Although I do have other plans possibly, perhaps a 3.55 hello world by the end of the day. Hell, perhaps I'll go out and buy GT5 just to show off homebrew and GT5.
Perhaps CFW isn't the way to go, we can create official apps, aside from piracy purposes (which I despise), why do we need a CFW? How about something like Cydia for the PS3?"
Summary of what each PS3 Tool does:
makepkg: Creates PKG files
makeself: Creates SELF files (from ELF's)
norunpack: Extracts data from a NOR flash dump (like the PS3 Flash)
puppack: Make Playstation Update Files (PUP)
pupunpack: Unpacks PUP Files
readself: Reads SELF and echos information about it
sceverify: Check and Confirm Sony files
unpkg: Decrypt and extract PKG files
unself: Changes a SELF back to an ELF
From Mathieulh, who also noted he found the PSP Master Keys on the PS3 via IRC today: here are how some start : d76aa478... (HMAC key), 428a2f98... (AES key), 004080c01b5b9b... (AES key), 9802c4e6ec... (AES key) And so on... Want kirk keys? 1. Go to /dev_flash/pspemu/release/emulator_drm.sprx, decrypt it 2. get spu_handler.isoself, decrypt, grab keys. 3. Profit
From user on the PS3 Toolbox contents: Here is a little pre-compiled windows toolkit for your decryption needs. All yet available keys are included! credits: geohot, ooPo, mathieulh, waninkoko
This kit contains cygwin compiled versions of tools made by the above mentioned devs. Thanks for the keys, too. I did some slight changes on decrypt-self to support key files. Source code is included...
From Marcan42: "We (fail0verflow) discovered and released two things:
* An exploit in the revocation list parsing, enabling us to dump a bunch of loaders, and thus their decryption keys
* A humongous screwup by Sony, enabling us to calculate their private signing keys for all of those loaders, and thus sign anything to be loaded by those loaders
We used these techniques to obtain encryption, public, and private keys for lv2ldr, isoldr, the spp verifier, the pkg verifier, and the revocation lists themselves. We could've obtained appldr, (the loader used to load games and apps), but chose not to, since we are not interested in app-level stuff and that just helps piracy. We didn't have lv1ldr, but due to the way lv1 works, we could gain control of it early in the boot process through isoldr, so effectively we also had lv1 control.
With these keys we could decrypt firmware and sign our own firmware. And since the revocation is useless and the lame "anti-downgrade" protection is also easily bypassed, this already enables hardware-based hacks and downgrades forever. Basically, homebrew/Linux on every currently manufactured PS3, through software means now, and through hardware means (flasher/modchip) forever, regardless of what Sony tries to do with future firmwares.
The root of all of the aforementioned loaders is metldr, which remained elusive. Then Geohot announced that he had broken into metldr (with an exploit, analogous to the way we exploited lv2ldr to get its keys) and was thus able to apply our techniques one level higher in the loader chain. He has released the metldr keyset (with the private key calculated using our attack), but not the exploit method that he used.
The metldr key does break the console's security even more (especially with respect to newer, future firmwares - and thus also piracy of newer games), and also makes some things require less workarounds. Geohot clearly did a good job finding an exploit in it, but considering a) he used our key recovery attack verbatim, and b) he found his exploit right after our talk, so he was clearly inspired by something we said when we explained ours, I think we deserve a little more credit than we're getting for this latest bit of news.
There's still bootldr and lv0, which are used at the earliest point during the PS3 boot process. These remain secure, but likely mean little for the PS3 security at this stage"
So, before this starts, I apologize in advance for offending anyone.
We've had quite the year.
Let's veer away from all the commotion about fail0verflow for now. First, the games. The PS3 had MANY good games this year, including the end of one of Sony's major franchises, God of War (which may be debatable). They made a sum of money, increased sales, and released the PS3 move. Overall, Sony did something that they should've: focused. They increased the size of their market, and to whom they are selling games to. It should have been a sure thing, right?
Of course not. They began to take advantage of the buyers. They began to devise new terms of agreements that were so despicably controlling that every time they gave a new update, more and more freedoms that came with the PS3 were stripped away, and left with a skeleton of the PS3's former self. But what caused Sony's constant barrage of updates and 'security patches' was caused by us. The users. The base of PS3News, PS3Hacks, and any other site focusing on the hacking of the PS3. Don't get me wrong, I am ridiculously excited about everything that is going to happen. I am an enthusiast myself. But I understand what I am doing and take full responsibility for it, regardless of what others say. I'll get back to what I mean by this in time.
We had almost lost all hope for hacking the PS3. Almost nothing was properly understood about how the system worked, but only because the best minds didn't look at it. `Then, for no apparent reason other than fame, GeoHot came into the scene and vowed to hack the PS3. And he did. He unlocked the ability to get all of the data needed to find a way to run unsigned code. As soon as he did this, Sony released an update to block OtherOS. Which was wrong. One hundred percent WRONG. But tell me, would you have any other choice to protect the security of your device if only a fraction of your buyers use that feature. It's true, you promised that when you sold it to them, but you also promised utmost quality and volume of games. Pirating a system takes that away. So in reality, Sony had very few options.
Now, all of a sudden, people get up in arms about Sony (or $ony, as so many of you love to put it) just wanting to take your money and never care about what you really want. Allow me to readjust that point of view. When my PS3's laser died, I called Sony and got a hold of a member in a matter of minutes. I told them what was happening, and all they did was ask for my information. Then, I got a box in the mail where I was supposed to send my PS3 to them. Within a week, I got a brand new, fully functioning PS3. The ordeal took 2 weeks in total. But of course, this was before GeoHot.
Then came the PSJailbreak. An exploit that used GeoHot's exploit to run unsigned code. It came with the promise to run games off of an external and it delivered. But then came the flurry of updates to seal the exploit, and remove users of PSJailbreak from PSN. Again, people felt offended that they weren't allowed to break the law and accused Sony of 'take take take and never give,' to put it bluntly. This is stupid. Am I to believe that if I am to come into your house, screw your wife, you wouldn't get angry and get me out (and off)?
From then, the scene looked as if it was going to die. But, a hacker's conference was coming up, which was supposed to bring a heavy amount of news. And it did. It brought hope of running unsigned code in new updates. It promised complete control of the PS3, more control than before Sony took away OtherOS. And when all this information came out, everyone, and I mean EVERYONE, claimed that Sony has 'lost'. This makes me laugh. What is it that Sony lost? The battle against piracy? Because they lost that long ago. The battle against taking away the user's freedoms? We put that on ourselves.
The point of this entire written piece is this: Sony never 'lost' anything. In order for them to lose something, they had to have it in the first place. And the only thing I can think of Sony losing is loyalty. But let's be honest. None of us ever gave Sony that when buying the PS3. We were waiting every day to hear news that someone had hacked the PS3. We would hope it would be quicker than the 360, simply because the security was supposed to be the same. But it took longer than expected. Fanboyism doesn't count in this case.
"Sony took away freedoms of the PS3"
To some of you, this might apply. But fewer than you might think. If you're on this site, you were expecting piracy. With OtherOS, you had the ability to install Linux, and do almost everything you ever needed. But like I said, I am one hundred percent responsible for my actions. I came to this site to look for news about piracy, but also interesting tidbits of news regarding everything PS3. But some of you wanted to hack the PS3 for other reasons that I can't even begin to comprehend. And I'm okay with that. But don't change your tune.
All that being said, I'm extremely excited for what's to come from Fail0verflow.
But that's because I'm getting news I'm expecting.