Just a few days back we saw a video of PS Downgrade software by the PSJailBreak Team in action, and today graf_chokolo has posted on xorloser's blog (linked above) that he has decrypted PS3 Firmware 3.50 and while it's still a WIP it could very well lead to a free public PlayStation 3 downgrader alternative.
To quote: I am able now to decrypt and decompress CORE_OS_PACKAGE.pkg from PS3 PUP-Files. The decrypted and decompressed package is a copy of FLASH region where all the important SELFs and isolated SPUs stored, e.g. lv1.self or isoldr.
So, now i could downgrade PS3 by writing this decrypted image to FLASH manually, without Update Manager from HV. In fact, Update Manager just do this But the problem is, that the SHA-1 hash values for these files are stored not in flash but in SC EEPROM and i don't have access to it yet
Here is a snippet from CORE_OS_PACKAGE.pkg 3.15:
[Register or Login to view code]
I have already decrypted Core OS Packages from 3.15, 3.41 and 3.50 PUP-Files. Also decrypted Revoke List for Packages and Programs which can be also found in PUP-Files. And also SYSCON firmware was decrypted by me.
Sony uses zlib to compress Core OS Packages. But not all packages are compressed, e.g. SYSCON firmwares are not compressed, just crypted. Packages are first compressed and then decrypted. So first they have to be decrypted and then decompressed with zlib on Linux e.g.
I have also decrypted profile file DEFAULT.SPP. There are stored e.g. System manager configuration and other things like ACLs.
Today decrypted Core OS Package 2.80, BlueRay Drive Firmware, Bluetooth Firmware and System Controller Firmware.
Bluetooth/WLAN is a Marvell chip.
Some interesting strings from Bluetooth Firmware 3.41:
Marvell Firmware SDK Version 2.3.0
There is a new isolated SPU module in Firmware 3.50 which is not contained in older firmwares.
manu_info_spu_module.self (it stands for "manufacture information")
Just decrypted 1.80 debug firmware.
Contents of DEFAULT.SPP file are a little bit different.
In DEFAULT.SPP are stored different configuratons which are e.g. read by system manager during boot, e.g. LPAR parameters for LINUX, GameOS, PS2 Emulation. This file is managed by SPL (Secure Profile Loader).
CORE_OS_PACKAGE.pkg from 3.42 Firmware is now also decrypted :-)
And 1.10, the first firmware, also :-)
Here is a small snippet: http://pastie.org/1297704
Here is a snippet from 1.10: http://pastie.org/1297722
Here is a snippet from 3.50: http://pastie.org/1297727
Here is a snippet of BD Firmware 301R from Firmware 3.50: http://pastie.org/1297732
Finally, according to Sony PlayStation 3 hacker Mathieulh, from PS3 Firmware 3.50 onward a new additional root key of 0x30 bytes (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0.
More PlayStation 3 News...