Hey there.

So... you use an ad blocker. That's cool. Sometimes we do too.

But without ad revenue, we wouldn't even be here. And we might not be here much longer.

Please disable your ad blocker and click to continue.

Page 17 of 26 First ... 7161718 ... Last
  1. #161
    jhonny82 Guest
    why decrypt eboot 3.66 not work?? is< of 3.70... i get error in decrypt .self... you can post key file from 3.60 to 3.73? thanks in advance

  2. #162
    JW117 Guest
    can someone compile scetool with the keys? i need to decrypt a 4.10 eboot

  3. #163
    Foo Guest
    The only keys we have are 3.70 keys so you can't decrypt a 4.10 eboot. That was the point of the 4.21 CFW because it can run games up to that firmware.

  4. #164
    SoraKing11 Guest
    wait... so, was the key real?

  5. #165
    ConsoleDev Guest

    PS3 Keys 3.65 to 4.30 Including Appldr and NPDRM (PSN) Surface

    Following up on the previous PS3 Keys leak and PS3 4.30 Decryption, on this Halloween Day even more PS3 Keys ranging from 3.65 to 4.30 including Appldr and NPDRM (PSN) have now surfaced with details below!

    Download: PS3 Keys 3.65 to 4.30 / PS3 Keys 3.65 to 4.30 (Mirror) / SCETool v0.2.9 with PS3 Keys by Brenza / True Ancestor + Haz367's Resigner.bat + PS3 Keys by DEFAULTDNB (run resigner.bat only, hit "0" to decrypt and hit "5" to sign for oldskool 3.55) / multiMAN 3.15-4.20+ [EBOOT_FIX].rar by slarty1408 / PS3 Downgrade 3.60++ (Lv2diag.421.self) from r3pek / VSH.elf (Rogero CFW 4.30) Patched for ReActPSN 2.xx by StealthLord / PS3 Keys for Deank ebootFIX / mMKeys v1.0 Alpha + multiMAN [EBOOT_FIX] testing App-Keys by romhunter / PS3 Keys Up To 4.31 Pack by razorx / PS3 SDAT/EDAT v3 and v4 Keys

    From danixleet: VSH.self can be decrypted, as its signed with appldr keys for this firmware version.. With this recent leak of Appldr / NPDRM keys we can now make SEN/Spoofer's for when a new OFW is released.. Here is OFW 4.30 VSH.self & VSH.elf.

    From IRC:

    [itwong] just came across lv2diag.421.self? is this for downgrading 3.60++ ps3s?
    [Rare] no
    [itwong] what is this for ?
    [itwong] euss, any idea what that lv2diag.421.self does?
    [euss|_] itwong, you have the file, you tell me
    [itwong] im wondering if it will kick the console out of factory mode
    [itwong] cuz for 3.56+, before once it enters factory mode, i will be stuck in that mode
    [r3pek] on a side note: http://www.multiupload.nl/3CHY6IQVXU
    [r3pek] it's the file itwong was talking about

    From tny.cz/72b4c5a7 (and pastebin.com/HciwadTZ / pastebin.com/9FVX1p5p / pastie.org/5144289) comes some PS3 NPDRM (PSN) and Appldr Keys up to 4.30:

    [Register or Login to view code]

    From anonymous (via pastie.org/5169661): This to finish the previously leaked keys. To the other team, we are on our way to pck0. Want a race?

    [Register or Login to view code]

    From aldostools on these keys: bad revision... they should be revision=0000 (corrected above now). Indeed they work for 4.20, 4.21, 4.25, 4.30 and 4.31.

    From Brenza: Here's LV1 keys for 4.30 and 4.31

    [Register or Login to view code]

    From slarty1408 on the multiMAN 3.15-4.20+ [EBOOT_FIX]: Hi ppl I've added 2 more sets of keys FW 4.00-4.11 and FW 4.11-4.20+ (4.00-4.30 keys added) it should fix most retail eboots now i think I've only tested it with:
    • Transformers Fall of Cybertron = FW 4.11
    • XCOM Enemy Unknown = FW 4.21

    Both went through fine have not got time to test as for kids and work good luck ppl let me know if i missed anything ? Thanks...

    PS: Please say thanks to deank for this tool as he done all the hard work... I've just done hex code to file.

    From CaptainCPS-X: Advice for those decrypting EBOOT.BIN's, and expecting the game to run without problems. Games don't only use encrypted EBOOT.BIN, there are encrypted .SPRX / .SELF / .SDAT as well, so only patching EBOOT.BIN will not work on all game backups, maybe some games don't make use of secondary encrypted files, but there are many that do.

    From aldostools: To decrypt/resign the EBOOT you always should provide the klicensee as parameter (if the SELF use klicensee):

    To decrypt:

    [Register or Login to view code]

    To resign add to the command line parameters:

    [Register or Login to view code]

    From PatrickBatman: Here just fix your own games: Put scetool (ver 0.2.9), data folder with added new keys, EBOOT.BIN and .bat below in a folder.

    [Register or Login to view code]

    You can use the batch above just for updates with eboot, when the command window pauses after it makes .elf you then edit the elf sys_proc_param at hex 13 BC C5 F6 from 41 to 34, or this new hex that was mentioned. Save .elf then let command window continue.

    "--np-content-id=UP0082-BLUS30927_00-SDPATCH000000002" in the batch needs to be changed to whatever the name of the sony update is without A102-V100-PE.pkg part for example.. you can get rid of all the np stuff, content id, & change self type to APP, for disc eboots.

    For NPDRM sprx/self bruteforce or use IDA and and follow calls on NP_exit_spawn to the parameter for Klicensee key on the EBOOT.elf
    then in the batch change --np-app-type=USPRX & add --encrypt "self/SPRXname.elf" "self/SPRXname.self" -l "klickey" in place off --encrypt EBOOT.ELF EBOOT.BIN then if .sprx rename .self to .sprx

    You can use the "free" klic on EBOOT.BIN w/ sprx/self "-l 72F990788F9CFF745725F08E4C128387" and if you want make SCE Version TRUE in HEX at offset 397 changing 00 to 01 on EBOOT.BIN. This should basically be it, although I am tired so you'll figure out if you cant then just wait.

    From zadow28: i actuallly managed to dump the sysrom also. Don't know much about it though, but here it is.

    Download: sysrom.bin

    Also the hypervisor is found in the dump.. use the PS3_HV_Dump.idc in ida pro it finds it.

    [Register or Login to view code]

    From zecoxao: Just figured it out: 20090102-111352-LV1-FW4.21.7z

    i dumped it from Rebug Toolbox. and yes, it was on 4.21 REX

    From zadow28: i have various dumps this is from rex: LV1-FW4.21.BIN another one from
    xmb rogero, yeah i patch the lv1: lv1.bin

    More important its how we use this. Also i dumped the sysrom, not sure if thats the same, as sycon. If it is then its what we need, on QA.

    From zecoxao: i'll provide the link for you to analyze. also this dump contains both kernels, DEX kernel and CEX kernel, on 4.21 REX ros0 and 1. sysrom is probably SYS(CON EEP)ROM. Download: 20090102-121542-FLASH-NOR-FW4.21.7z

    From PatrickBatman comes an NPDRM Batch File, to use: Drag and drop eboot on to it (--np-content-id=SET074-NPUB30409_00-BTTF10200000GAME. Change this to the game content id your doing --np-app-type=EXEC change this in NPDRM .bat to UEXEC only if the game is an update)

    From sorg: according to LV1loader, ch73 should contain version value. so for v4.21 it looks:

    [Register or Login to view code]

    for v4.25:

    [Register or Login to view code]

    etc... But! for appldr v4.21, 4.25, 4.30 erk_hkey/iv iv_hkey/iv are the same. encrypted EDATKEY/HASH are also the same. so, ch73 should not contain FW version, IMHO.

    From anonymous (via pastie.org/private/avbxlh6jg7089sh5m4bg) also comes the PS3 4.31 isoldr and lv2ldr keys below as well:

    [Register or Login to view code]

    From zadow28: Well the lv0.2 is simply the header(metadata) for the lv0 so if you cut the header of the normal lv0 and replace it with the lv0.2.

    [Register or Login to view code]

    So conclusion. You need to dump the bootloader 2 to get the keys for the lv0 version 2 its the same files just different headers aka keys. they secured the new consoles so good, that they dont work with flashers. don't hang me up on that.
    but guess that's the problem. So unless someone finds an way, to read strait from the motherboard.

    From zecoxao: cool, ps2_netemu gets decrypted. i suppose now it'll be possible to get the ps2 klicensee and try to achieve ps2 emulation on ps3 by iso loading.

    From aldostools: As leaked lv1ldr keys, these lv2ldr and isoldr keys can be used to decrypt the lv2 and iso selfs for 4.20-4.31 (4.20, 4.21, 4.23, 4.25, ... 4.30, 4.31) And as far as I know the revision for [lv2ldr] is revision=0000 (not revision=001F)

    Here is an updated KEYS file: aldostools.org/temp/keys My "ps3keys" app can be used to convert the keys from scetool format to .ps3 format for MFW Builder, deank's [EBOOT_FIX], etc.

    [Register or Login to view code]

    From zecoxao: Unless there's a fail in the ECDSA code, i hardly think it's possible to get any more private keys. There was one, it was fixed. Now everything must be signed 3.55 and below. regarding 3.56 and above, you can see true ECDSA working, and thus the concept of private public key criptografy is shown. you can know the public key but you can't know the private key, because only some people know about it, and i'm talking the ones who make the firmware, so the decision to get private keys is pointless now.

    From zadow28: private keys are out off the question thats for sure. But if you really examine the lv0 and lv0.2 it makes sense bootldr2 is just like the normal bootldr. just without the randomfall exploit, so no calculation. the new consoles uses the same lv0 as we know it just with header lv0.2. pretty easy to test cut hex at offset 0x0000000000000500 in the lv0 (old) copy the lv0.2 thats 0x00000000000004F0 long so fits perfect. Run throw scetool

    [Register or Login to view code]

    of course we cant decrypt it, since we dont have the new bootldr keys. (bootldr2) Now for the lv0.. inside are 4 isolated headers. after a lot of hex editing you would find that they belong to appldr/lv1ldr/lv2ldr/isoldr. thats strictly for the new version. funny thing is, that they didn't made new files at all, just new headers, with the same result.

    So on new consoles, example the decrypted lv1ldr would, look 100% the same, as the one we can decrypt. Also the loader headers are different length, than the old version.So that suggestion that they change the algorithm, no crypto expert, but still.

    Actually there are two files, hidden inside the ps3tmgui.exe lv2diagnose ones signed with 3.60 keys. of course it would be console suicide to use them, still wonder no one have found that out yet.

    Download: BINARY.rar

    [Register or Login to view code]

    yes i know it was there, but the possibillty that it would brick someones console is very high, and i dont know that much about, the lv2diagnose. this is from sdk 4.0 (prodg) so guess its used when the dex have an softbrick, when debugging. happens a lot when using prodg. you can get into FSM just not out most likely nothing at all is gonna happen.. still you never know.

    From aldostools: lv1ldr 4.20-? -> these are the same keys for lv1ldr 4.30-? lv2ldr 4.20-? -> these are the same keys for lv2ldr 4.30-? isoldr 4.20-? -> these are the same keys for isoldr 4.30-?

    And the selfs with the the following names are also decrypted with the isoldr keys for 4.20-4.30: spp_verifier 4.20-? spp_verifier 4.30-? spu_pkg_rvk_verifier 4.20-? spu_pkg_rvk_verifier 4.30-? I would appreciate if someone could explain me how to decrypt sv_iso_for_ps2emu.self and me_iso_for_ps2emu.self

    Regarding the Appldr table, I believe that the key *not "0x1E"*, it is not even an appldr key. It could be a key for some other purpose.

    The keys for 4.20-? were added to the wiki... IMO the version should be 4.20-4.26 (4.26 SEX is the latest 4.2x) or simply 4.20-4.31
    The spp_verifier/spu_pkg_rvk_verifier were not added... they decrypt with isoldr keys for versions 4.20-4.31
    The "appldr" that I think are not appldr "4.31" keys are the erk=46BD089122... IMO, appldr keys revisions 1C, 1D, 1E are 4.20-4.31

    From zadow28: yes they work for all , they follow the hexidimal letters so so after 0x1F its should be 0x20 4.31 = 0x20, you can count back from there.

    From Mustapha: Interesting string in the decrypted ps2_netemu.elf caution: image counts exceeded, %d maximum to show/SELECT IMAGE TO BOOT. Up/Down to select, Cross to boot, Triangle to exit... Hmm, Sony has a PS2 disc image front end ready to go?!

    From Abkarino: Here it is just for you Zadow from your old friend Abkarino. There is 2 dumps i had uploaded for you or for any body else willing to play with it. This is a dump from metldr.2 console and from updated metldr console (3.6x) that both can not be downgraded. Hope to hear good news from you.

    From zxz0O0 (Adrahil) comes PS3 SPP and RVK 4.25 Keys for decrypting the default.spp, prog.srvk and pkg.srvk from 4.xx Firmware below with additional details HERE:

    spp_verifier 4.25 (probably 4.20 - 4.31):

    [Register or Login to view code]

    If you want to use with scetool you have to use manual keyset (scetool is confused because both keysets 3.55 and 4.25 have revision 0)

    rvklist 4.25 (probably 4.20 - 4.31):

    [Register or Login to view code]

    scetool format:

    [Register or Login to view code]

    As always all of the current PlayStation 3 Keys decrypted can be found archived on the PS3 Wiki (ps3devwiki.com/wiki/Keys) for those seeking them.

    Finally, from zecoxao comes one more crypto fail, PS3 selfs without npdrm footer as follows:

    This pkg contains a self, that doesn't contain an npdrm footer.

    Download: http://ares.dl.playstation.net/cdn/E...zcKgONTTGV.pkg

    [21:20:11] flatz: there is a package which have NPDRM eboot.bin
    [21:20:19] flatz: and non-NPDRM self
    [21:20:30] flatz: self doesn't have footer signature
    [21:20:34] flatz: so you can replace it with custom one
    [21:20:46] flatz: and app will load it

    And there you have it. the so called argument between math and kakaroto was over this specific thing (the NPDRM footer).

    There might be more packages like this one


    We need to know in which version this was patched, credit to flatz for the finding, i'm just reporting back. How to test:

    Download: cachemgr.self / cachemgr.self (Mirror)

    Replace cachemgr.self with that, and use ps3xport to put game on PS3.

    More apps and patches:

    [22:28:13] flatz: app:

    [Register or Login to view code]


    [Register or Login to view code]


    [Register or Login to view code]


    [Register or Login to view code]

    From IronMAN: This is ability to run your own self files on OFW but not on latest ofw, because it patched already.

    4.46 - working.
    4.65 - not working.

    From zecoxao: lol, we tested again. IT VOOOOOOOOOOOOOOOOOOOOOOOOOOOORKS. ON FCKING LATEST FIRMWARE The code runs but the app crashes New cachemgr.self, shouldn't hang now...

    From mysis: Sony seemed to forgot to implement an api for spawning npdrm child-processes, thats why those apps do use non-npdrm signed selfs.

    [19:43:21] [flatz]: doesn't work at all on 4.66 OFW
    [19:43:25] [flatz]: we can close thread

    More PlayStation 3 News...

  6. #166
    windrider42 Guest
    I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55.

    Also from Abkarino: Revokation List key are confirmed by me with 4.31 prog.srvk using scetool:

    [Register or Login to view code]

    Also here it it SPP keys in scetool format tested and working (4.31) also confirmed by me:

    [Register or Login to view code]

    From zxz0O0: spu_pkg_rvk_verifier 4.25 (untested)

    [Register or Login to view code]

    From aldostools: Indeed these last keys are for type=PKG revision=01 version=0003005600000000.

    But the others (type=SPP/type=RVK) are confirmed working for 4.20-4.31

    The spu_pkg_rvk_verifier uses the isoldr keys (erk=63565DBE98C3B1A52AADC907C47130FE57A10734E84F2 2592670F86ED2B0A086 / riv=953F6A99891B4739358F5363A00C08B9)

    I see that in the wiki, the keys for rvklist and spp_verifier 4.00-4.11 were posted (but these key are wrong). They don't use the keys for rvk/spp 4.20-4.31.

    The code below are the public keys/ctype/revision/self_type for some still missing appldr keys 3.65-4.00. The erk/riv values posted below are *ENCRYPTED* and cannot be used in the current state. I hope that this help at least to complete some fields in the wiki (upon verification) Note: the revisions still need confirmation.

    [Register or Login to view code]

    I find interesting that these keys are available in appldr 4.00 (and below), but they are not present in the appldr 4.20-4.31.

    From arwynj55 also comes PS3 3.56 keys hmac 3.56 key included:

    [Register or Login to view code]

  7. #167
    G Sus Guest
    yup can't confirm there real, lol

    Also from oakhead69:

    OK here is the process I used to reverse the V4 Keys, EDATKEY1 and EDATHASH1 from my PS3. 99% of what I will post here is already public domain, I will just pull it together in one place here. I used IDA and a customised version of KDS Best's SPU Emulator

    JuanNadie posted here the SH1 hashes of the EDAT keys and hashes and I can confirm that these are correct. The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf. sorg posted these. So the 3 keys you are missing are the KEY, the IV and the ERK.

    The KEY and the IV are in the appldr and are un-encrypted. You can use the IDA or an SPU emulator to figure it out, just work backwards from the below spu code at 28BE4 (I think this offset is for F/W version 4.27 if I remember correctly)

    The ERK is generated from the contents returned by channel 73. The appldr reads channel 73, 3 times which is the FW version check channel. So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk where k is the hash initilisation for generating the ERK. 04 30 is F/W version number.

    The appldr strips out the F/W version leaving you with the 0xkkkkkkkkkkkkkkkkkkkk 10 byte hash initialisation (ch73 in the code below).

    To get the values from channel 73 and you will have to write an isolated SPU to read these values. It has to be an isolated SPU as channel 64 controls the access to channel 73 and one of the last things the appldr does it to isolate channel 73 by writing 0x60000 to channel 64. This information was posted one forum somewhere, just can't remember where. Just Google it (may edit my post later when I find it).

    I wrote my spu isolated module based on the dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits. ps3devwiki.com/wiki/Making_Isolated_SPU_Modules_and_Loaders is a good starting point. You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code something like this to read ch73 3 times.

    [Register or Login to view code]

    OK so you should now have the encrypted keys (sorg posted) the KEY, the IV and the hash seed for the ERK. When you find the encrypted keys based on the post from sorg this will lead you as it did me to the following code in the appldr.

    [Register or Login to view code]

    Independently of me redcfw also found the same SPU code and generated C code from it and posted it. I had already generated the following C# code from the SPU code and below is an example for edathash1, it was good to see him confirm the same code as at the time I had still had not figured out how to read ch73.

    [Register or Login to view code]

    There you have it how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3. Sorry bit of a brain dump, will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

    Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reason. As I have already said 99% of this information is already available in forums and wikis. I have just pulled the information together here. Hope you have as much fun as I did playing with the SPU code.

  8. #168
    PS3GAMER20111 Guest
    Keys are confirmed true by pr0p0sitionjoe and he said we are going to see many new psn games working on 3.55.

    salute to pr0p0sitionjoe.

  9. #169
    ConsoleDev Guest
    Nice to hear these things, but too bad that the private keys are missing

  10. #170
    niwakun Guest
    Keysets that dont work from the recent PS3 keys release

    APP Type Key set
    001C, 001D, 001E

    NPDRM Type Key set

    keys work from 3.61 - 4.21 .............. 4.25 - 4.30 keys are not valid

Page 17 of 26 First ... 7161718 ... Last

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Log in