
183w ago - PlayStation 3 developers have been busy recently working on payloads for dumping the PS3 per console keys; once per_console_key_0 is obtained, with full EID decryption, dongles and burned BR-Ds may be a thing of the past.

Below are details from sphinxkoma and the PS3 Wiki (ps3devwiki.com/index.php?title=Talk:Per_Console_Keys) on dumping per_console_key_1 via Kaz... it's only a matter of time for per_console_key_0, which unlocks everything we need.

To quote: PS3 Per Console Keys

EID crypto is very complicated; it is done so on purpose. First of all, EID0 isn't decrypted with one key and one algorithm alone. It is decrypted in several parts which use different algos and keys. The keys are all derivations of a per console key (per_console_key_1) which is stored inside metldr, copied by it to sector 0 and never leaves isolation. That same key is a derivation of the per console key (per_console_key_0) used to encrypt metldr and the bl in the first place as well.

isoldr clears that key from sector 0 before jumping to the isolated module. But before doing so it encrypts it with another keyset and stores it in a buffer so that the isolated module can use the new crafted key. Since the operation is AES, if you know that keyset you can decrypt the crafted key and get the eid root key without pwning a loader or metldr through an isolated module.

That is not like you really need it, because you can already use the crafted key to decrypt some of eid0, but not all of it. And the crafted key also uses the first elf section to be built, as in your isolated module will have a small section which only contains a key. And that key is used as another layer by isoldr to encrypt the buffer with it. So basically you have 2 encryption layers over the root key. The final key then decrypts a specific part of the EID.

eid crypto is actually done smart. That is because most of it originally comes from the cell bootrom, as in they reuse the same algo used for metldr binaries and bl in the eid crypto, including some of the keys and the steps. And you cannot decrypt all of the eid sections unless you gathered every single key and step. And there are a lot. Then you still have to figure out wtf it is you decrypted, because eid is actually full of keys.

1. payloader3: build it yourself from source, or use the precompiled packages:

payloader3-341.pkg: http://www.multiupload.com/JKKZG58NOR
payloader3-315.pkg: http://www.multiupload.com/MB7NE5AJYC

2. Install the payloader3 pkg on the PS3.

3. In the terminal, set the environment and start the listener:
a. export PS3LOAD=tcp:ipaddress.of.ps3
b. start socat (socat tcp-recv:18194 stdout)

4. Start the payloader3 pkg on the PS3.

5. You will most likely not see a picture (black screen), but you will hear a distinct sound (like a C64). Now two things are possible:

a. X 4eck, then start with ps3load ethdebug
b. or return to the XMB and invoke ethdebug (for debugging pkg files)

6. Use the ps3load mode you chose to send dump_eid_root_key.self to your PS3 (ps3load dump_eid_root_key.self). You should now see debug output in your terminal, and then hopefully you'll find the PCK... (theoretically).

The per console key is used to derive other keys, some of which Sony can't change as this appears to be the bottom of their encryption chain. It's also important to note that this method is intended for dumping per_console_key_1 and per_console_key_n while per_console_key_0 is currently still required.

However to speculate, in future PS3 CFW updates users may need to be on a Custom Firmware to begin with (or downgrade to one first) and then run a .PKG to get their per console encryption key, followed by using it in a PS3 MFW Builder and installing the resulting modified PS3 Firmware on their PlayStation 3 console.


Finally, from the PlayStation 3 Wiki (ps3devwiki.com/index.php?title=Per_Console_Keys and ps3devwiki.com/index.php?title=Boot_Order#Chain_of_Trust for the PS3 boot order) pages:

Per Console Keys

per_console_root_key_0

  • metldr is decrypted with this key
  • bootldr is decrypted with this key
  • might be obtained with per_console_root_key_1? (largely speculative, not necessarily true; needs more looking into, only based on the behavior of the other derivatives known to be obtained through AES)

per_console_root_key_1 / EID_root_key

  • derived from per_console_key_0
  • stored inside metldr
  • copied to sector 0 by metldr
  • cleared by isoldr
  • Used to decrypt part of the EID
  • Used to derive further keys
  • can be obtained with a modified isoldr that dumps it
  • can be obtained with a derivation of this key going backwards

obtaining it

launch the patched isoldr with your preferred method

Option 1 - dumper kernel module

  • modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)
  • the example code on how to dump the mbox can be found under Option 2 - dumper payload below

Option 2 - dumper payload

http://pastie.org/pastes/2101977




Comments

  • What these selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to catch this info with PPU code in an lv2 environment, aka a dongle payload or Linux kernel
  • This has been tested and proven to work on 3.55 MFW
  • In the dump, the remaining part is the metldr clear code. metldr clears itself and all the registers and jumps to isoldr.
  • Overwriting that code lets you dump your key + metldr
  • Consider that per_console_key_1 and per_console_key_n are in fact still in need of decryption.
  • per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.

per_console_root_key_2 / EID0_key

  • this key can be obtained through AES from EID_root_key
  • EID can be partially decrypted by setting this key in anergistic and firing aim_spu_module.self
  • Load aim_spu_module.self + EID0 + EID0_key in anergistic = decrypted EID0
  • This code is to decrypt your EID0 on your PC: http://pastie.org/2000330
  • The prerequisites are:
    • dump your EID0 from your ps3 and save it in the same folder as EID0
    • dump your EID0_key from your ps3 and put it in the code above where the key is needed
    • load all of them in anergistic
  • EID0_key could also be obtained with EID_root_key directly in the following manners:
    • knowing the algorithm (located in isoldr) and applying it to the EID_root_key
    • letting isoldr apply that algorithm directly in anergistic
    • the process is exactly as the one above (modifying anergistic to feed isoldr with EID_root_key)


per_console_root_key_n

  • these are further derivations of the per_console_key_1/EID_root_key

Documentation

  • polarssl.org/trac/browser/trunk/library/aes.c

From VenomousX: How to obtain this EID_root_key?

  • Patch isoldr to dump the local storage of sector 0
  • Load the patched isoldr
  • Dump the local storage
  • You will find eid_root_key
  • Use it to decrypt the eid0.

How to load back the isoldr:

  • Use glevand's tools, spp_verifier_direct to be specific: "spp_verifier_direct is a kernel module which shows you how to run isolated SPE modules on OtherOS++ Linux by using metldr directly.
  • It decrypts default.spp profile.
  • Once you get the eid rootkey, load aim_spu_module.self with eid0 and the eid root key within anergistics it will decrypt it.
  • You can modify it easily to run other SPE modules."
  • Has been done and tested on 3.41 and 3.55 (not by myself)

So yes, you can obtain the eid rootkey and partially decrypt the eid0, but the problem is, if you want to modify the eid0 (say... to get a DEX idps to convert CEX=>DEX (which doesn't have much use for end-users, only devs)) then you'd need to re-encrypt the EID0, which you can't. Not with those keys at least.

Oh, and PS3 rootkeys are per console and usually FW independent. However, I don't know about 3.6+ because I didn't test it on it. But it might be true that the 3.6+ eid rootkey has changed, since $ony changed a load of keys with 3.6+. So using the 3.55 eid_root_key on 3.6+ to decrypt anything probably won't work.

Sony PlayStation 3 hacker moogie301 states the following on this via Twitter: "There are 3 per console keys. it tells you how to obtain 2 (per console key 1 and per console key n) not THE root key. It will not lead to a new CFW, it is fun for devs, you can decrypt a lot of eid and reverse it.. it is not newb friendly at all."

PlayStation 3 hacker defyboy has also added the following: "I don't think this is a step closer to discovering the per-console root key. The EID root key is generated at factory and incorporated into metldr. metldr is encrypted with your per-console root key and stored on flash. Please note that while it is speculated that the EID root key is a derivative of the root key, that does not mean that it can be used to calculate the root key. In fact, being able to do so is idiotically counter-intuitive to the purpose of having two separate keys.

The per-console root key is likely burnt into the CPU via One Time Programming over the JTAG port, of which is disabled after programming. There is a hardware decryption routine that uses this key called Runtime Secure Boot, you cannot access or invoke this routine because it only runs when you load an encrypted image into an isolated SPU.

This is IBM's design, not Sony's. This was designed to be a very secure multi-purpose processor, and it was designed by a company that designs security and military systems for governments and large organizations, not a company that mostly makes consumer grade TVs and DVD players. It was Sony's implementation of the secure chain of trust that failed, but I don't see IBM's part failing anytime soon.

This paper explains everything: http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

Anyway, Sony cannot change metldr or bootldr on current hardware so they no longer have control of those, we only need to dump bootldr to get the lv0 key, this is the highest level sony can change. If we get the lv0 key we can generate a private key where we will be able to decrypt/re-encrypt the entire chain of firmware for current/future firmware."

The Per Console Key in the Cell decrypts bootldr, which is encrypted with the PCK. Bootldr decrypted is the same in EVERY console to date (except possibly the 3K series). When bootldr decrypts lv0, bootldr will be as if it were nowhere to be found. Then you go from there to the Chain of Trust.
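The derivation debate above (sphinxkoma's crafted-key buffer with two AES layers, versus defyboy's point that a derived key need not reveal the root key) comes down to which value is the AES key and which is the plaintext. The following Go model is an added example, not code from this page, the wiki or any PS3 tool; the key bytes, the labels and the shape of both derivations are constructed assumptions, since the real algorithms are not on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Constructed 16-byte stand-ins (AES-128). The real PS3 keys and the real
// derivation algorithms are not on this page; this is a hypothetical model.
var (
	rootKey    = []byte("per_console_k0!!") // models per_console_key_0
	keysetKey  = []byte("isoldr-keyset-00") // models the keyset isoldr applies to the crafted key
	sectionKey = []byte("elf-section0-key") // models the key in the module's first ELF section
	eid0Label  = []byte("EID0-key-label00") // constant block a child key is derived from
)

// aesBlock encrypts (or decrypts) exactly one 16-byte block under key.
func aesBlock(key, in []byte, decrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only constructed 16-byte keys are used here
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		blk.Decrypt(out, in)
	} else {
		blk.Encrypt(out, in)
	}
	return out
}

// deriveChild models "child = AES_parent(label)": the parent is the AES key,
// so getting the parent back from the child is an AES key-recovery problem,
// not a decryption. This is the one-way shape a key hierarchy should have.
func deriveChild(parent, label []byte) []byte {
	return aesBlock(parent, label, false)
}

// candidateMatches is the only "going backwards" that deriveChild allows:
// check a guess for the parent. With no guess there is nothing to decrypt.
func candidateMatches(candidate, label, child []byte) bool {
	return bytes.Equal(deriveChild(candidate, label), child)
}

// craftedKeyBuffer models the buffer isoldr leaves for the isolated module:
// the key is the plaintext, wrapped under the isoldr keyset and then under
// the ELF-section key (the two layers the quote describes).
func craftedKeyBuffer(key []byte) []byte {
	return aesBlock(sectionKey, aesBlock(keysetKey, key, false), false)
}

// unwrapCraftedKey shows why that shape is reversible: the wrapping keysets
// are the AES keys, so whoever holds both peels the layers off with plain
// AES decryption and gets the wrapped key back.
func unwrapCraftedKey(buf []byte) []byte {
	return aesBlock(keysetKey, aesBlock(sectionKey, buf, true), true)
}

func main() {
	child := deriveChild(rootKey, eid0Label)
	buf := craftedKeyBuffer(child)
	fmt.Println("derived child key :", hex.EncodeToString(child))
	fmt.Println("two-layer buffer  :", hex.EncodeToString(buf))
	fmt.Println("unwrap == child   :", bytes.Equal(unwrapCraftedKey(buf), child))
	fmt.Println("wrong parent guess:", candidateMatches(keysetKey, eid0Label, child))
}
```

The contrast is the design lesson: a key stored as AES plaintext under a shared keyset is recoverable by anyone who learns the keyset, while a key used only as the AES key of a derivation is not.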

Below is Gitbrew's feedback on the PS3 Per Console Key and future developments from them, as follows:

what do you think about the new method of getting the per_console_key?

Durandal: Glevand and many others have been working feverishly to develop methods of obtaining this key. It's nice to see it's paid off. I'm looking forward to a day when the PS3 is as open a development as the PSP.

Snowy: One step closer, sooner or later ibm is going to finally send a cease and desist. We'll put that right up next to dasmoovers sign.

Do you have anyone working on an easy to use tool for the key? we are already used to gitbrew pkgs

Durandal: If we weren't, we'd have to quit gitbrew and join PS360...

Snowy: I'm pretty sure anything related to the rootkey, we might leave out just so that people actually learn how to get their own keys. As a sort of accomplishment type thing, but eventually there will be simple pkg files released to do it.

What next projects are we going to see from gitbrew regarding the ps3 scene? can we see some sort of "one day one announcement", like you did a couple of weeks ago?

Durandal: Well RSX is taken care of, NPDRM is getting very close to being irrelevant, and I've heard there's almost usable versions of psl1ght floating around. I guess the next really big thing you'll see is the release of the gitSkeet flasher.

We teamed up with progskeet and rebug to create a special edition of the progskeet2 that will have solderless clips and the kind of support and documentation only gitbrew is capable of providing. It also gives us an opportunity to branch out into actual hardware exploitation as well. As far as the announcement-a-day weeks go, expect to see more of them in the not so distant future.

What is your thought on the recent discoveries on the ps3 scene?

The new jb2 dongle AKA true blue.

Durandal: I'm always very wary of dongles. Usually they're just a ploy to make a buck, and these days it doesn't take long for someone to reverse what the software they're trying to hide does. Expect to see the same happen here. If we want to deter others from trying to peddle their software in a dongle form, we should make a point of reversing a dongle's functionality and implementing it in a package. I'm sure that group paid a lot of money to get all those dongles made, and they'd hate to see that money go to waste.

Snowy: Yet again as durandal said, dongles are dongles, regardless someone is going to take a crack at them and release a free version of it. Cobra hasn't even been touched by most of the developers, and those who have touched it don't really care for piracy. I would like to thank dean for taking the first step in making psx backups working though, a small step but none the less towards the proper direction for the scene.

Finally, FiniteElement via ps3devwiki.com/index.php?title=Special:Contributions/FiniteElement states the following hint for those interested, to quote: "(you have all you need already, just read carefully (compare option2 code with the kernel module code))"

He also updated the PS3 SPU Isolated Modules Reverse Engineering page with the changes documented here: ps3devwiki.com/index.php?title=SPU_Isolated_Modules_Reverse_Engineering&diff=prev&oldid=6328



Details and Payloads for Dumping PS3 Per Console Keys Surface





#812 - Youkia - 141w ago
I want to request something for most of the japanime guys and people who LOVE Dragonball Z Please do DragonballZ Ultimate Tenkaichi or BLUS-30823

#811 - lolong - 141w ago
TB is TAKING TOO LONG releasing their NEW GAMES EBOOT and NEW PATCH for their dongle. This is a stupid method, WHY?

Because DUPLEX get the first to CRACK new GAMES such as DARKSIDERS2 and SLEEPING DOGS.

Honestly, I hate TB; they should work together to make new games with a mod eboot so it can be played with their dongle.

NOW it's too late, DUPLEX beats DONGLE!

#810 - Neo Cyrus - 141w ago
I thought this would have happened a lot sooner... oh well, better late than never.

#809 - PS4 News - 141w ago
Currently the ones that get re-released with the DRM removed, whether this will change only time will tell... at the moment there are 2 games released above and most likely a slew more incoming from various scene release groups.

#808 - tickford - 141w ago
Does this mean if your ps3 is on kmeaw cfw 3.55 you can play ALL the TB cracked games, or only the ones that get cracked (eg max payne 3)?

#807 - stingray1059 - 141w ago
I'm glad I sold my dongle.

I hope all unfixed TrueBlue games will be patched tomorrow, like Ghost Recon FS, Dragon's Dogma, Mass Effect 3 and Tales of Graces f.

#806 - master32820 - 141w ago
I have a TB but I'm happy that duplex fcked them up

I got a question though! Can we go back from TB CFW 2 to normal kmeaw 3.55 just the way we went to TB CFW 2?

#805 - spark32 - 141w ago
This is awesome! Now all I need to wait for is a fixed eboot for Jak and Daxter collection, Twisted Metal, and Mass Effect 3.

#804 - PS4 News - 141w ago
Not long after the release of the PS3 3.60 Keys comes the first of several PlayStation 3 releases with the TrueBlue PS3 USB dongle DRM-infected protection now removed by scene group DUPLEX!

Download: DUPLEX PS3 Releases - Ongoing thread, add new game releases here guys!

Below is the release information, from their Max Payne 3 Eboot Patch READNFO PS3 DUPLEX PS3 NFO as follows:

Release Name: Max.Payne.3.Eboot.Patch.READNFO.PS3-DUPLEX
Date: August 2012
Languages: English
Platform: PS3 CFW 3.55
Genre: Action


Max Payne 3 TB Eboot Patch *CRACKED*

Release Info:

When we first read about the TrueBlue USB Dongle we were excited about it. Finally having a way to play FW 3.60+ games on CFW 3.55 again. What a great asset to the scene everyone thought .. until people found out that this USB Dongle was solely made for cashing in! Its only purpose was to check on the DRM the TrueBlue Team added to their 3.55 Eboots. What a shame!

DUPLEX to the rescue! Finally bury your TB dongle because we removed their unnecessary DRM and their Patches will now work on Cfw 3.55 without any dongle or special TB CFW.

Notes:

Copy the files inside the rars into your game's USRDIR and replace the existing ones. Tested on Kmeaw CFW 3.55 with Max.Payne.3.PROPER.PS3-DUPLEX. More to come ...

Enjoy This Fine DUPLEX Release

From anonymous also comes another Max Payne 3 Update v1.05 [FW 4.0] Patched for CFW 3.40+ workaround as follows:

Max Payne 3 BLES / BLUS Test EBOOT and Param.sfo:

Download: http://www.mirrorcreator.com/files/RQWCQLZ7/max_payne3_patched_eboots.rar_links

  • Max Payne 3 BLES / BLUS Test EBOOT and param.sfo
  • The rar has an embedded readme with the pkg links
  • It's probably best if they have the common.sdat from the DUPLEX release, though I am not positive.
  • They need backup files; preferably that person has spoofing.
  • These are game update sfo's, don't replace the Game sfo!!!!

From CaptainCPS-X: Here you have the PKG files for easy install of this awesome “Anonymous” collaboration! (thanks to hellsing9 to for providing with the files) This is really cool since maybe more 4.0 FW games will be patched in the future by this Anonymous person! Thanks!

US Patch [BLUS-30557]

FIX_340_UP1004-BLUS30557_00-MP3PATCH00000003-A0104-V0100-PE.pkg (51 MB)

Europe Patch [ BLES-00942 ]

FIX_340_EP1004-BLES00942_00-MP3PATCH00000004-A0105-V0100-PE.pkg (51 MB)

Installation instructions:

1- Download your specific PKG (US / EU)
2- Install normally from XMB.
3- Replace the original “common.sdat” from your untouched backup with DUPLEX’s one (duplex-mp3ebootpatch.part1.rar / duplex-mp3ebootpatch.part2.rar).
4- Load with multiMAN normally.

Enjoy! SeeYa!

In related PS3 news today, pr0p0sitionJOE has released several new PlayStation 3 fixes both HERE and HERE for those interested.

Update: A second PlayStation 3 scene group named NRP has also followed suit and released Kidou Senshi Gundam Extreme VS EBOOT PATCH READNFO JPN PS3 NRP. Below are the details from the PS3 NFO to the release as well:

Release Name: Kidou_Senshi_Gundam_-_Extreme_VS_EBOOT_PATCH_READNFO_JPN_PS3-NRP

NoRePack Presents. It's NoT a repack !

FiLENaME ------ nrp-exvsp
PlaTForM ------ PS3 CFW 3.55
Region ------ Japan
Language ------ Japanese
Supplier ------ Team NoRePack
rlz.Date ------ 2o12-o8-15
Serial ------ BLJS10131

Finally, a hero comes to kick the fcking TB'sass, cheers! And now we want to support dear DUPLEX with this release. Gundam stands on the ground without any dongle or special TB CFW. Works with our release: Kidou_Senshi_Gundam_-_Extreme_VS_JPN_REPACK_JB_PS3-NRP

Let's be the witness of the ruin of TB dynasty. Love & Peace! Enjoy! iF u LOvE or HATe THiS GAmE, BuY iT ;]

Other related PS3 releases from today:

  • Neverdead.Eboot.Patch.DirFix.PS3-DUPLEX
  • Tiger.Woods.PGA.Tour.13.Eboot.Patch.PS3-DUPLEX
  • Dirt.Showdown.Eboot.Patch.PS3-DUPLEX
  • Devil.May.Cry.HD.Collection.Eboot.Patch.PS3-DUPLEX
  • Sniper.Elite.V2.Eboot.Patch.PS3-DUPLEX
  • Syndicate.Eboot.Patch.PS3-DUPLEX
  • Twisted.Metal.Eboot.Patch.PS3-DUPLEX
  • Snipers.Invisible.Silent.Deadly.Eboot.Patch.PS3-DUPLEX
  • Puss.in.Boots.Eboot.Patch.PS3-DUPLEX
  • Assassins.Creed.Revelations.Eboot.Patch.PS3-DUPLEX
  • Kidou_Senshi_Gundam_-_Extreme_VS_EBOOT_PATCH_READNFO_JPN_PS3-NRP
  • Max.Payne.3.Eboot.Patch.READNFO.PS3-DUPLEX
  • Kidou_Senshi_Gundam_UC_EBOOT_PATCH_JPN_PS3-NRP

Here is a list of the TB releases for those who need to remove the dongle patched games and overwrite them with the PS3 scene release (Duplex, NRP, etc) fixes as they become available.

In related PS3 hacking news SGuerrini97 made available a CoreDump BLES00025 NBA2K7 (Password: BySGuerrini97) stating: Here is the Core Dump + Original self of NBA 2K7 (BLES00025). I made the dump from the original disk; I think that I can dump ALL the original games.

Also below harryoke has outlined how he did a PS3 full core dump, as follows:

Download: PS3 Core Dump / PS3 Core Dump (Mirror)

Hello there my friends... as you may or may not know I have been looking into the possibility of getting a full core dump from my ps3... a few hours ago I was sent a pm from ANON... here it is....

Hey mate, yeh cfwprophet told something about the ram dump too. You can make a core dump on a DEX. Here is a quote from him:

'I say it now for the last time: There is NO fself for new games!! TrueBlue use the CoreDump function and a RSX exception to dump the games, like I told the scene for over half a year.'

'Take MultiMan 04.02, which is a Retail NPDRM >> enable core dump function >> start MultiMan >> exit to XMB and be surprised'

'The Coredump function is an embedded system of the debug FW and is handled by liblv2dbg. The send signal call aka send_signal_to_coredump_handler() and the trigger function are always running and CAN NOT be deactivated.'

He also said that you will get one 250MB file. There you have to search for the decrypted file(s). It is pretty sure that they use this method, because newer games wouldn't have debug eboots or fselfs.

If you open a TB eboot with a hex editor, you will see near the end, right after the code, some passages with 'liblv2'. If you open an original eboot, you can't find passages with 'liblv2'. Like cfwprophet said, the core dump is handled by 'liblv2dbg' and you can find 'liblv2' passages in TB eboots, so they use coredump pretty surely.

But the problem is to trigger a crash or so. I really don't know. I'm not a dev and don't have an idea. I just wanted to tell you this info because I saw your post about coredump.

Here you can read more infos: ps3devwiki.com/files/documents/-SONY%20PS3%20SDK%20Documentation/360.01/cell/en/pdf/debug_support/Core_Dump-Overview_e.pdf

And here about liblv2dbg: ps3devwiki.com/files/documents/-SONY%20PS3%20SDK%20Documentation/RTL2.3.0/debug_support/liblv2dbg-Overview_e.pdf

Well, I now have a few core dumps... some were 250MB, and a 500MB dump which I have uploaded including the log file... it is in rar format & compressed to 45MB.

Hopefully this will lead us to the magic decrypted eboots that we all want. I hope someone with a bit more knowledge than me can use this info.

Just done a quick search of dump for USRDIR found this at address 002530E0



And at 05D87600
[code]
00 00 00 3C 00 00 03 86 2F 64 65 76 5F 62 64 76 64 2F 50 53 33 5F 47 41 4D 45 2F 55 53 52 44 49 52 2F 45 42 4F 4F 54 2E 42 49 4E 00 33 B0 37 60 33 B0 37 F0 33 B0 38 70 33 B0 38 F0 33 B0 39 80 33 B0 3A 10 33 B0 3A 90 33 B0 22 B0 33 B2 A5 80
...
[/code]

#803 - Daveyshamble501 - 141w ago
The video explains how to open the dongle by grabbing the plastic lip behind the USB connector with pliers and pulling towards you, thus exposing the plastic casing... Check out the video.

How to take apart your True Blue dongle to see if you have a real or a fake one. A really easy guide to make sure it's worth it. Fake dongles have a green PCB with medium size LEDs at the bottom, whereas a real TB has a blue PCB with tiny LEDs and an Actel chip (like the one in the video; if yours resembles that then it's real).