

January 26, 2011 // 7:09 pm - Update: It appears Mathieulh is incorrect, as GFI Security's Chris Boyd has confirmed that Sony has written the ability to perform remote updates into its terms and conditions since at least 2006, meaning the 3.56 "rootkit" is not new.

Just under two months have passed since the previous PlayStation 3 system software update, and today Sony has released PS3 Firmware version 3.56.

For those wondering, PS3 JailBreak and Custom Firmware users can still access PSN via the bypass methods, but read the IRC log below: a "rootkit" was found in PS3 Firmware 3.56 which reportedly allows Sony to scan for PlayStation 3 Custom Firmware or any unofficial homebrew software.

Download: PS3 Firmware 3.56 Update (US) / PS3 Firmware 3.56 Update (EU) / PS3 Firmware 3.56 Keys / PS3 Keylist (.xls) / PS3 Tools

According to VP of Network Operations Americas Eric Lempel via Sony's official blog on the update, to quote: "A new PS3 system software update, v3.56, will be released soon. This is a minor update that adds a security patch."

Needless to say, if you value PS3 homebrew, jailbreaking, downgrading or accessing PSN on a hacked PS3, it would probably be wise to hold off updating until PlayStation 3 developers have examined the 3.56 update.

As always, more details will follow as they become available. Below are some preliminary 3.56 Firmware examination details from PlayStation 3 developers via IRC:

KaKaRoTo: nice... it's full of spkg files now .. probably a new crypted pkg format
KaKaRoTo: possibly with a new signature that only ps3swu.self can read, but without the ecdsa fail
KaKaRoTo: humm.. seems I was misled, there's no spkg files in 3.56
KaKaRoTo: ok, so they added a new .self file in the PUP
KaKaRoTo: and it seems it contains a key that we don't know about
KaKaRoTo: yeah, probably a newer ps3swu.self that is more secure
KaKaRoTo: but they kept the old one for people upgrading from older firmwares
KaKaRoTo: the new ps3swu.self probably decrypts and uses the new self
KaKaRoTo: ok, so we need new keys for everything now
KaKaRoTo: I just pushed to ps3tools and ps3utils, fixes to allow pup/puppack/pupunpack to identify the new files in the pup
rms: 000130e0 22 62 8a 9e c4 c4 14 d5 b3 2f 2b 4b a4 92 60 89 |"b......./+K..`.|
rms: 000130f0 de 9a 46 1b 19 0f b3 e4 39 2d 05 7c 52 55 35 de |..F.....9-.|RU5.|
rms: 00013100 d5 d4 b8 ed 62 b6 cc a0 24 9a 79 77 6e 13 69 75 |....b...$.ywn.iu|
rms: 00013110 51 75 1b 9f 1d a5 86 38 d2 d9 9f 67 e2 0a 1d 4a |Qu.....8...g...J|
rms: 00013120 45 4c 5b 04 2c d1 d0 a4 49 a2 98 98 08 00 2b a6 |EL[.,...I.....+.|
rms: 00013130 8f b5 b7 f4 b5 b4 e6 3b 00 00 00 00 00 00 00 00 |.......;........|
rms: try it.
KaKaRoTo: rms, what's that blob you pasted ?
adrianc: the new key
KaKaRoTo: ha, cool
KaKaRoTo: rms, if you know how and can extract all the new keys, please do and send them to me so I can upload to my ps3keys repo
adrianc: the new keys are all in there
rms: KaKaRoTo: i believe it's a lv2ldr key
rms: erk/riv/pub its all in one block
rms: i forgot the order its in though, it should be in that, its been a while
KaKaRoTo: I don't even know how you did to find those keys
adrianc: its in the data section of the elf usually
rms: its really simple
adrianc: after that look for references for blocks of data
rms: really KaKaRoTo, i think even you could do it
rms: adrianc: or something out of place
adrianc: helps to compare to older versions where you already know the key position
rms: and has a set of 8 00s
adrianc: KaKaRoTo 3.56 key works?
KaKaRoTo: adrianc, didn't try, not planning on trying atm
KaKaRoTo: not until I have ~/.ps3/ files prepared for me by someone
KaKaRoTo: lv2 3.56 decrypted
rms: keyset?
KaKaRoTo: pushing to
KaKaRoTo: pushed
rms: ok
rms: lv1 is also new
rms: lv0 also
rms: and also the spu stuff apparently
KaKaRoTo: humm.. I wonder who has the lv0 key
adrianc: i dont think lv0 is available
KaKaRoTo: iso keys are now pushed
KaKaRoTo: also, now, if we want to repackage things (unless they screwed up the ecdsa *again*), we'd have to change the keys in all the loaders... which means repackaging all the *ldr and iso selfs...
KaKaRoTo: so even more risk of bricking
KaKaRoTo: pushed spp keys
KaKaRoTo: the missing keys are for 'app', 'ldr' and 'rvk'
KaKaRoTo: btw.. where is that 'ldr' coming from ?
KaKaRoTo: and I can't figure out who decrypts lv0
KaKaRoTo: it can't be metldr since that one can't be changed
KaKaRoTo: and there's no lv0ldr
eussNL: bootldr decrypts lv0 afaik
KaKaRoTo: there's no bootldr either
adrianc: bootldr and lv0ldr arent in the pup
Matt_P: not part of coreos
Matt_P: and theres no such thing is lv0ldr
Mathieulh: Sorrowuk I suppose modchip manufacturers will start shipping nor/nand programmer soon..
IceKiller: Mathieulh why? just get a at90 based thing
IceKiller: i already told you about that Mathieulh
Mathieulh: SLC the bootchain is pwned, no matter what
Mathieulh: you can always downgrade the coreos
Mathieulh: 3.56 has nice new stuffs in there :P
Mathieulh: like remote code execution upon login
Mathieulh: I assume they probably added some syscalls for lv2 integrity checks
Sorrowuk: Who wants to resign lv2diag.self for 3.56 so it works again ? I would do it but I dont know how to rebuild the signature after I change the authid . Some people are stuck in service mode in 3.56 :P lol
Mathieulh: Sorrowuk you can't
Mathieulh: 3.56 pretty much has a built in psn rootkit
Sorrowuk: psn rootkit ?
noone: but if we could rip-off the fw that shit would be erased
noone: that was the only thing stopped sony to _auto_ update your fw
Mathieulh: noone it's not that simple
Mathieulh: the server awaits a proper reply
Mathieulh: and that reply isn't in the firmware
Sorrowuk: so people are stuck in service mode?
Mathieulh: they force updaters and lv2diags to be signed with the new 3.56+ app key
Mathieulh: and of course we don't have the private key for that
Mathieulh: if they want to get out of service mode they have to downgrade first by reflashing the nor externally
Sorrowuk: Sony should release a new lv2diag.self for everyone to get out of service mode. thats not very nice of them XD
Mathieulh: btw interestingly enough
Mathieulh: it seems the new signature check for the updater (and supposedly lv2diag) is skipped on DEX consoles
Mathieulh: I assume that's to allow debugs to downgrade
Sorrowuk: so if you used a nand flasher and flashed the nand of a retail with a debug nand, you would have a debug console
IceKiller: Sorrowuk no
IceKiller: won't work.
About 3.56 if the updater/lv2diag application keyset revision is lower than 0x0D, lv2 will refuse to run it.
Mathieulh: the fail is the following anyway, decrypt your hdd cache partition /dev_hdd1 using the hdd decryption trick right after the 3.56+ updater starts (but before it updates) (just use the back switch), then replace the coreos package, with one you resigned which has 3.55 coreos but 3.56+ in info0 (or the value 0xA0 at offset 0x2C) then reencrypt the hdd partition and put the hdd back, because the
Mathieulh: update status flag will be set, the updater will start and flash the resigned 3.55 coreos package (the fail works because they haven't changed the packages signatures, not like they can)
Mathieulh: then you can use service mode again and flash whatever crap
Mathieulh: doesn't work on slims cause the hdd decryption trick is fixed there
Mathieulh: they btw can't fix it in the fat ones because it's hardware related
Mathieulh: (encdec device)
Mathieulh: also it's not the decryption that's the issue
Mathieulh: appldr decrypts those selfs fine
Mathieulh: the problem is lv2 wont run them
Mathieulh: lv2 checks the app revision
Mathieulh: if it's lower than 0x0D it wont run it
Mathieulh: and of course you can't change an old one to 0x0D or higher
Mathieulh: cause then appldr will check the signature with the new pub key
Mathieulh: and you lack the private key
Mathieulh: of course if anyone manages to pack a new PUP properly, then you don't need to do the hdd crypto shit to
Mathieulh: but I haven't looked at the new pup format
Mathieulh: rofl I am looking at the new appldr
Mathieulh: and they hardcoded/revoked tons of new auth_ids in there
Mathieulh: how much do you want to guess that those are the ones of the previously signed homebrews ? xD
Mathieulh: oh ! wait
Mathieulh: those aren't auth_id
Mathieulh: those are hashes
Mathieulh: 20 bytes each
Mathieulh: sha1 considering the length
Mathieulh: selfs
Mathieulh: that has definitely something to do with why npdrm homebrews stopped working
Mathieulh: in fact I am running the new appldr in anergistic
Mathieulh: and it wont decrypt these demos
Mathieulh: I mean homebrews
Mathieulh: well you get the idea
naehrwert: so new demos need new firmware version then, but what if they want to release a new demo and don't want to update fw?
Mathieulh: naehrwert they just have to encrypt/sign it with new keys
n00b517: PS3 3.56 _Private_ key: 7d583155485c3c7e3e6f626a4a4d4351322c444136 [!!!]
an0nym0us: well it works
an0nym0us: not sure how it was obtained
DPxD3v: nice
misteriou: 7d 58 31 55 48 5c 3c 7e 3e 6f 62 6a 4a 4d 43 51 32 2c 44 41 36
Djinn: this is being posted all over the place
rms: $ printf "Private Key: 0x00"; cat /dev/random | head -c 20 | xxd -ps
rms: Private Key: 0x00fe7027da6ce683aa111b3ebbe06b43ddf15bf7c3
rms: remember that
MonkeyBoy: we got all the 3.56 Public keys
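The exchange at the end of the log is a useful lesson in evaluating "leaked key" claims: n00b517 posts a hex string as the 3.56 private key, and rms answers by generating an equally convincing-looking value from /dev/random. A quick check a practitioner can run on any such claim is whether the bytes look like random key material at all. The following is an added example written for this page, not code from the page or from any of the people quoted; the two sample values are copied verbatim from the log above, and the fresh random value is generated locally with os.urandom (an assumption, standing in for rms's /dev/random one-liner).

```python
import os

# Both samples are copied from the IRC log on this page, not generated here:
# the string n00b517 posted as the "PS3 3.56 private key" ...
CLAIMED_KEY_HEX = "7d583155485c3c7e3e6f626a4a4d4351322c444136"
# ... and the throwaway value rms produced with
# `printf "Private Key: 0x00"; cat /dev/random | head -c 20 | xxd -ps`
# (the leading 00 is the prefix he printed in front of the random bytes).
RMS_DEMO_HEX = "00fe7027da6ce683aa111b3ebbe06b43ddf15bf7c3"


def printable_fraction(data: bytes) -> float:
    """Fraction of bytes that fall in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E) / len(data)


def chance_all_printable(n_bytes: int) -> float:
    """Probability that n uniformly random bytes are *all* printable ASCII
    (95 printable values out of 256)."""
    return (95 / 256) ** n_bytes


def assess(hex_key: str) -> dict:
    """Plausibility report for a hex string that someone claims is raw key material."""
    data = bytes.fromhex(hex_key)
    frac = printable_fraction(data)
    report = {
        "length": len(data),
        "printable_fraction": frac,
        # How unlikely it would be for genuine random bytes of this length to
        # land entirely on keyboard characters.
        "p_random_all_printable": chance_all_printable(len(data)),
        # If every byte is printable, show what the "key" spells out.
        "ascii_preview": data.decode("ascii") if frac == 1.0 else None,
    }
    if frac == 1.0:
        report["verdict"] = "every byte is a keyboard character: almost certainly typed, not a key"
    else:
        report["verdict"] = "byte mix is consistent with random data (says nothing about validity)"
    return report


def fresh_random_hex(n_bytes: int = 20) -> str:
    """rms's point, reproduced with the OS CSPRNG: any 20 random bytes look like a 'key'."""
    return os.urandom(n_bytes).hex()


if __name__ == "__main__":
    samples = (
        ("n00b517's paste", CLAIMED_KEY_HEX),
        ("rms's /dev/random paste", RMS_DEMO_HEX),
        ("fresh os.urandom value", fresh_random_hex()),
    )
    for label, hex_value in samples:
        r = assess(hex_value)
        print(f"{label}: {r['length']} bytes, {r['printable_fraction']:.0%} printable -> {r['verdict']}")
        if r["ascii_preview"] is not None:
            print(f"  decodes to: {r['ascii_preview']!r}")
```

The posted "private key" decodes to 21 plain keyboard characters, something genuine random bytes of that length would do with probability on the order of 1e-9, which is why rms's reply is the right reaction. The converse does not hold: a value that passes this check is merely not obviously fake, and only a signature verified against the corresponding public key would say more.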

Finally, Becus25 has released several PS3 tools recently as follows: GeoHot's PS3 3.55 Category_Game.xml File, PS3 Public Tools GUI Rev. B, PS3 Nas_Plugin Extractor 3.55, PS3 3.56 Lv12 Decrypt, and PS3 Nas_Plugin Extractor 3.56. Details on each are below:

GeoHot's PS3 3.55 Category_Game.xml File:

This is GeoHot's category_game.xml file, which is written to the dev_flash/vsh/resource/explore folder when you install PSJailbreak. This file is added to the existing one rather than replacing it. He also writes a new nas_plugin.sprx to dev_flash/vsh/module.


PS3 Public Tools GUI Rev. B:

There are two modes: developers (who have installed the SDK) and non-developers.
For developers, the instructions are:

1) Open PS3 Public Tools GUI.
2) Browse the MAKEFILE of your project.
3) After finding the makefile (without closing PS3 Public Tools GUI), open a Windows cmd window and go to the folder containing the files you want to sign.
4) With cmd in that folder, type: make & make pkg
5) Switch to the PS3 Public Tools GUI window; moving the mouse over it activates the MAKE button. Push it, and your self and pkg files will be signed!

For non-developers, the instructions are (use this mode if you already have compiled but unsigned elf, self and pkg files):

1) Open PS3 Public Tools GUI.
2) Uncheck developers option.
3) Browse your ELF file.
4) Push on the MAKE button.

NOTE: The application will only sign the self and pkg files if they already exist. If they do not, nothing is done.

PS3 Nas_Plugin Extractor 3.55:

This tool allows you to extract nas_plugin.sprx from a 3.55 (currently only 3.55) Sony PUP update. After extracting the module, you can decrypt it using fail0verflow's unself tool.

To extract the module, just run my app and browse to the 3.55 PUP file. You will find the file in C:\depkg after extraction.

PS3 3.56 Lv12 Decrypt:

This tool allows you to decrypt CORE_OS_PACKAGE.pkg, lv1.self and lv2_kernel.self from the 3.56 official firmware.


1) Download the 3.56 official firmware PUP file.
2) Run the app and browse to the file.
3) Push the button. The files will be decrypted and saved in C:\BPS3Dec

PS3 Nas_Plugin Extractor 3.56:

This tool allows you to extract nas_plugin.sprx from a 3.56 (currently only 3.56) Sony PUP update. After extracting the module, you can decrypt it using fail0verflow's unself tool.

To extract the module, just run my app and browse to the 3.56 PUP file. You will find the file in C:\depkg after extraction.

Then, if you want to decrypt the extracted file, open the fail0verflow.rar included with this package and extract the folder called fail0verflow to C:\.

After that, copy your nas_plugin.sprx into this folder and run the bat file found in C:\fail0verflow. You will now have your nas_plugin decrypted as well!! (ALL THANKS TO FAIL0VERFLOW FOR THIS GREAT TOOL!)

PS3 Firmware 3.56 Update is Now Available, Details Incoming


#92 - B4rtj4h - January 28, 2011 // 12:20 am
It's the FLOWER Dynamic theme And to the rest. WHY does noone read?

-> Recovery seems to be there, but I am not able to get successfully into the recovery menu. Don't know what I am doing wrong but I just don't get it. (Might also be me pushing the wrong button.)

-> I tried to downgrade with a Jailbreak stick... no luck there.

#91 - blueclouduk - January 27, 2011 // 11:54 pm
A couple of points to ponder: A firmware update must be compatible with lots of existing firmware versions. In the event a PS3 owner is not connected via DSL/cable and has lots of download bandwidth, the only upgrade route is via a released game or demo disc. There will always be a delay in user uptake as only the most recent discs will contain the latest firmware. Even the latest 3.56FW needs to be able to upgrade 1.0FW for this reason alone. This backwards compatibility will always give hackers a starting point.

All of the games I play do not need PSN access. So I lose nothing from my gaming experience by not having PSN access. It can be a little frustrating when I get asked 2 or 3 times to connect to PSN in order to check for updates but that's as far as my annoyance reaches. PSN has never been the most reliable service in my experience, so complaining that it has gone or may be withdrawn on a user by user basis is a waste of time and effort.

Come on everyone, enjoy your PS3 and what it provides rather than dissing Sony.

#90 - BlaZingPenguin - January 27, 2011 // 11:35 pm
What theme is being used in this video? It looks pretty sweet.

#89 - SinnerShanky - January 27, 2011 // 9:36 pm
why doesn't sony accept that it cant do anything now... Its out of their hands...! They need to employ better programmers for their NGP and the ps4...

Quote Originally Posted by HieiYYH View Post
anyone has compiled ps3tools and 3.56 keys?

Not yet. The keys have been extracted but are yet to be driven into a program to enable homebrew and your backups. Which i suspect won't happen right now due to sony getting a restraining order chains failoverflow and geohot.. But just wait maybe it'll be released by someone anonymously.. Rep me if i helped...
Quote Originally Posted by kally12 View Post
You probably edited the DNS and forgot about it.

Don't be sure about it as if they are roommates then they probably are using the same internet connection so if it doesn't ask one to update then it wont ask the other to update too!!

#88 - zoh321 - January 27, 2011 // 9:29 pm
First, Thanks for the video. If possible give me the ps3 theme that you have and thank you!

#87 - bl4cXh4td3m0n - January 27, 2011 // 9:11 pm
Quote Originally Posted by kally12 View Post
Remember Jes03, that all of your points are pure speculation.

dude speculation? it's friggin common sense... duh. Jes03, you are absolutely 1005 correct sir, I'll speculate all the way to the bank with you... $ony's bank (and then lets hold them up at gun point like they do us... suppose that's speculation too huh?

#86 - Mbb - January 27, 2011 // 8:57 pm
Well this was expected to be happen, enjoying the dns trick for 1 week (as it last that long as usual) then its time for some 3.56 CFW

#85 - HieiYYH - January 27, 2011 // 8:27 pm
anyone has compiled ps3tools and 3.56 keys?

#84 - UnXuthoriXeD - January 27, 2011 // 7:47 pm
Quote Originally Posted by Kaoshin View Post
So from my understanding we can go into recovery mode, we can also get into service mode as well. Has anybody tried to downgrade using the 3.55 downgrade method where u upgrade to a modified 3.56 firmware (3.41), then downgrade to firmware 3.15, then manually upgrade to OFW 3.41? It sounds like it should work in theory.

Do not try to downgrade; you will get stuck in service mode, and some are saying there will be no way to get out of it. One of my PS3s is stuck now, so I guess I have a semi-brick.

#83 - magneto198 - January 27, 2011 // 4:30 pm
Ok, my version of CFW is kmeaw. I got it the hour it came out; back then it was called wutangrza-kmeaw because kmeaw just modified wutangrza's code and hence thats what my rar file is called. Anyway its just called kmeaw now. There is no DNS going on on my PS3. I just did an auto setup just to make sure no gnomes came in and changed anything on my ps3. Everything is legit; no DNS.

Like I said, I just did recovery for both firmware installs and it worked. For some reason when I was installing kmeaw through XMB, it would always say my firmware was up to date, so to install it on top of OFW 3.55 I had to go into recovery mode. I first tried it on my roommate's slim and it installed straight from the XMB, go figure. I tried it on mine and it was a no go.

After i stop being lazy i will try my method on my roommate's ps3 and see if i can duplicate my findings through recovery OFW 3.55 and recovery CFW 3.55. Maybe its just my original wutangrza-kmeaw version; who knows. keep you posted.

well... i was unable to replicate my findings. too many variables. his is a slim 120GB ps3, mines is a fat backwards compatible metal gear solid 80gb one. like i said, i was forced to use recovery mode to install cfw but the slim wasn't. i think there's a lot that's changed in the ps3. maybe someone else can figure out something besides DNS.