
June 26, 2013 // 6:57 pm - Following up on the previous PS3 SDAT / EDAT v3 and v4 Keys, today PlayStation 3 developers flat_z and naehrwert have shared some PS3 3.60+ Loader Keys and Phat HDD Encryption tools (including a full EncDec Emulator to encrypt or decrypt game discs) with details below followed by the Lv1ldr Crypto Keys as well.

Download: fckscramble_421.7z / lv1ldr_rsk_crypto.7z / slim_phat_encdec.7z / slim_phat_encdec.7z (Mirror) / Lv1ldr Crypto Test Files by Abkarino / ps3hdd_poc.7z by NiceShot / ppu erks and rivs.zip / tables.zip / lv0_patch.zip by zecoxao / LV0 Extractor/Injector / LV0 Extractor/Injector (Mirror) / LV0 Extractor/Injector (Mirror #2) / LV0 Extractor/Injector Source Code by TehUnkn0wn / PS3 4.46 Keys by Acid Burn1 / franzes80

Key Scrambling

Starting with firmware version 3.60, loader keys have been encrypted (scrambled). Look here for a tool that decrypts them. Besides that, there is an implementation of the cryptographic algorithm which is used to encrypt/decrypt lv1ldr from lv0, and of the root scramble key handling on the SPU side.

Root scramble keys

[Register or Login to view code]

Scramble keys

[Register or Login to view code]

Scrambled keysets

[Register or Login to view code]

EDAT keys

[Register or Login to view code]

From flat_z (via ps3devwiki.com/index.php?title=HDD_Encryption):

Phat Consoles

  • On the PHAT consoles AES-CBC-192 is used for HDD encryption and AES-CBC-128 for VFLASH encryption.
  • So there is no tweak and no tweak key here. Each sector is encrypted with the same zeroed IV.
  • VFLASH is encrypted once with the ENCDEC key and a zeroed IV!
  • The data key is 32 bytes, but only the first 24 bytes are used for HDD and 16 bytes for VFLASH.
  • See also http://www.multiupload.nl/6PIFV4GKSH (contains scripts of ENCDEC emulator for both types of consoles).
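The Phat scheme flat_z describes above, modelled in Go as an added example (this is not flat_z's ENCDEC emulator and not code from the page): the 32-byte data key is truncated to 24 bytes for HDD (AES-192) or 16 bytes for VFLASH (AES-128), and every sector is run through CBC starting from the same all-zero IV. The 512-byte sector size, the sample key and the sample sector contents are assumptions for the demo. The block also shows the property a zeroed IV gives away: equal plaintext sectors produce equal ciphertext, and any two sectors that share their first 16 bytes share their first ciphertext block, so an encrypted drive leaks structure block for block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Region selects the key length, following flat_z's notes: HDD sectors use
// AES-192 (first 24 bytes of the 32-byte data key), VFLASH uses AES-128
// (first 16 bytes).
type Region int

const (
	HDD Region = iota
	VFLASH
)

// sectorSize is an assumption for this demo; the page does not state one.
const sectorSize = 512

// keyFor truncates the 32-byte ENCDEC data key as described on the page.
func keyFor(dataKey []byte, r Region) ([]byte, error) {
	if len(dataKey) != 32 {
		return nil, fmt.Errorf("data key must be 32 bytes, got %d", len(dataKey))
	}
	switch r {
	case HDD:
		return dataKey[:24], nil
	case VFLASH:
		return dataKey[:16], nil
	}
	return nil, fmt.Errorf("unknown region %d", r)
}

// cryptSector runs AES-CBC over one sector with an all-zero IV. Every sector
// starts from the same IV, so there is no per-sector tweak: identical
// plaintext sectors produce identical ciphertext.
func cryptSector(dataKey []byte, r Region, in []byte, encrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	key, err := keyFor(dataKey, r)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // 24-byte key -> AES-192, 16-byte key -> AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // zeroed IV, reused for every sector
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// EncryptSector encrypts one sector for the given region.
func EncryptSector(dataKey []byte, r Region, plain []byte) ([]byte, error) {
	return cryptSector(dataKey, r, plain, true)
}

// DecryptSector decrypts one sector for the given region.
func DecryptSector(dataKey []byte, r Region, ct []byte) ([]byte, error) {
	return cryptSector(dataKey, r, ct, false)
}

// SameCiphertext reports whether two sectors encrypt to the same bytes under
// the same key. With a zeroed IV this is true whenever the plaintexts match.
func SameCiphertext(dataKey []byte, r Region, a, b []byte) (bool, error) {
	ca, err := EncryptSector(dataKey, r, a)
	if err != nil {
		return false, err
	}
	cb, err := EncryptSector(dataKey, r, b)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ca, cb), nil
}

func main() {
	// Constructed key and sector for the demo; not real console keys or data.
	dataKey := bytes.Repeat([]byte{0x11, 0x22, 0x33, 0x44}, 8)
	sector := bytes.Repeat([]byte("PS3 HDD sector  "), sectorSize/aes.BlockSize)

	ct, err := EncryptSector(dataKey, HDD, sector)
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptSector(dataKey, HDD, ct)
	same, _ := SameCiphertext(dataKey, HDD, sector, sector)
	fmt.Printf("roundtrip ok: %v, identical sectors collide: %v\n", bytes.Equal(pt, sector), same)
}
```

The VFLASH path differs only in the key length handed to aes.NewCipher; everything else, including the reused zero IV, is the same, which is why a dump of either region can be scanned for repeated sectors before any key is known.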

From naehrwert (cdn0.meme.li/instances/600x600/39151418.jpg): The "Y U NO" picture I posted before

Btw. this means we might know now how cobra and 3k3y got their drive emulators working on latest consoles..

From zecoxao: First thing are the scrambled keys. Sony obfuscated the keys in order to make our access to them hard; those are called scrambled keys. Second thing is that the HDD encryption work by glevand was incomplete, partially because he only had a slim and not a phat. Now it's complete. Third thing is supposedly how cobra and 3k3y take care of the drive keys on newer consoles: they basically don't even grab the keys, and all that's needed are the sv_iso keys.

naehrwert already knows how that works, hence that meme. All you need is the sv_iso keys lol

The keys should be these ones:

[Register or Login to view code]

for 3.70 appldr

[Register or Login to view code]

for 3.70 isoldr

[Register or Login to view code]

for 3.70 lv2ldr, following the same scheme as before (key 1 and 2 then iv 1 and 2)

[Register or Login to view code]

appldr 3.65

[Register or Login to view code]

isoldr 3.65

[Register or Login to view code]

lv2ldr 3.65, same scheme

[Register or Login to view code]

appldr 4.11

[Register or Login to view code]

isoldr 4.11

[Register or Login to view code]

lv2ldr 4.11

[Register or Login to view code]

isoldr key set (2 erks 1 riv)

[Register or Login to view code]

lv2ldr keyset (same scheme) 3.70 iso keyset

[Register or Login to view code]

3.70 lv2ldr keyset

[Register or Login to view code]

3.65 iso keyset

[Register or Login to view code]

3.65 lv2ldr keyset

[Register or Login to view code]

And finally, a real decryption key. 3.65-3.66 isoldr key and 3.65-66 lv2ldr key

[Register or Login to view code]

3.70 isoldr and lv2ldr keys

[Register or Login to view code]

a couple more

[Register or Login to view code]

appldr keys for maximum version 4.21 (it's a simple comment out of the code, anyone can spit out the text)

Download: https://dl.dropboxusercontent.com/u/35197530/appldr.txt

[Register or Login to view code]

I don't know if there's still any interest in this, but just in case there is, I'll leave a zip file showing how to properly patch lv0 and the loaders inside it. Just a warning: this takes a LOT of work.

Download: lv0_patch.zip

From eussNL: It will help others to deobfuscate the real keys that in the end are used for making MFWs. Basically anyone can now decrypt them, and with the algo documented publicly that makes it time for Sony to change it or let it rest while giving PS4 attention. And no, we will never be able to get private keys - forget that ever happened in the pre-3.55 era.

As to the HDD crypto: well, it is about time that not only NOR consoles but also NAND consoles can benefit from documentation about their encryption. In the long run that means you would be able to dump your drive keys and decrypt the HDD on the PC. Of course without keys you cannot get far; to give you an idea:

1. Suppose you can test one key every second
2. For simplicity's sake let's pretend the key size is 0x10

1 byte = 0x100 variants
0x10 bytes would have
0x100^10 or
0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100 or
3.4028237e+38 variants

or if you rather count in base10:
1 byte = 256 variants
16 bytes would have
256^16 or
256*256*256*256*256*256*256*256*256*256*256*256*256*256*256*256 or
3.4028237e+38 variants

There are 31556926 seconds in a year taking you 10783127828133147806075110339701 years to check each key variant possible with 0x10 keysize and 1 key per second.

From aldostools: That's correct, but remember that that time is the worst-case scenario. The same analysis applies to the (dev) klicensee keys used to encrypt EDAT and SELF/SPRX (which have a key size of 0x10), and practice shows that they can be brute-forced in less than 1 minute in many cases if a reduced universe of possible keys is available.

I updated the keys file for scetool: ps3tools.aldostools.org/keys

[Register or Login to view code]

A couple more keys: https://dl.dropboxusercontent.com/u/35197530/stuff.zip

Inside you can find decrypted lv1ldr, scramble keysets and scramble keys for the 3.65, 3.70 and 4.11 firmwares. I'm gonna take care of the lv1ldr keys after I eat.

[Register or Login to view code]

As for appldr check the keys here: https://dl.dropboxusercontent.com/u/35197530/appldr.txt

[Register or Login to view code]

From Asure: I guess you can calculate, i.e. brute force, the drive key. A device pretends to be the drive, but it can tell when it's not authed. Plugged into your BDROM port, it sits and tries keys until it finds the right one.

I also guess there's not only AUTH_DRIVE_USER but also AUTH_DRIVE_BDROM or similar, and the BDROM AUTH is being abused here.

This would also mean you could do the key extraction with a PC or a dev board like an Arduino, but it would require some skilled programmers to whip up a solution. Both available solutions should probably have done it that way. Complete BD drive emulation is not something a programmer just whips up in a day. (Unless everything besides the drive auth & crypt is just standard SATA commands..)

From Abkarino comes the Lv1ldr Crypto Keys and Test Files, as follows:

Hi all, last night a lot of great releases came out for the public, like the 3.60+ loader keys and crypto tools that will enable anybody to decrypt/encrypt lv1ldr extracted from decrypted lv0. But since these tools still need some keys to work, and nobody had released these keys yet (nor are they published on the PS3 dev wiki), a lovely bird (thanks and credit goes to him) hinted me about these keys, to allow us to decrypt/re-encrypt lv1ldr ourselves, like the Rebug team for example, to make our own CFW.

So I figured out how to use this great tool to decrypt/re-encrypt the scrambled and encrypted lv1ldr extracted from lv0 myself, and I decided to release these keys to help the public do it themselves as well. These keys consist of two sets, one for PPU and the other one for SPU.

Lv1ldr crypto keys

[Register or Login to view code]

Also i had created a test files package that include this keys to test it yourself.

Download: Lv1ldr Crypto Test Files

This package contains an encrypted lv1ldr.self, named lv1ldr-enc, extracted from decrypted lv0; this is decrypted using the PPU keys. It also contains the encrypted root scrambling key, named root-key-enc, extracted from the decrypted lv1ldr.self; this is decrypted using the SPU keys. Just feel free to test it yourself and add them to the wiki.

Finally, from TehUnkn0wn: I've made a LV0 loader extractor/injector (linked above). The code could be better, but it does its job.


PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.



#175 - Foo - October 31, 2012 // 9:15 pm
What is this downgrade thing I see?

#174 - StanSmith - October 31, 2012 // 9:13 pm
Originally posted by windrider42:
I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55

Yep. They do work and I did patch Borderlands 2 to work in 3.55 myself.

#173 - Ps3scener - October 31, 2012 // 9:04 pm
In regards to the keys and the FW updates coming, it is possible to create a 4.30 jailbreak that does not require a 3.55 installation. I have some files to leak which could help an experienced dev team create the jailbreak that we are all waiting for. All I ask is for a reply.

#172 - technodon - October 31, 2012 // 9:01 pm
Key works on 4.31 too; I checked the PSN passphrase and they are both the same.

#171 - Hernaner28 - October 31, 2012 // 8:34 pm
Well, come on now, chuchi chuchi, we want Worms Revolution fixed. I would buy it, it's really cheap, but firstly I don't have PSN access, and secondly I don't own a credit card and PSN cards are expensive.

Wouldn't you love drinking bear and playing it 4-player with friends?? Hmm yeah it sounds weird but it'd be cool .. lol

#170 - niwakun - October 31, 2012 // 2:26 pm
Keysets that dont work from the recent PS3 keys release

APP Type Key set
001C, 001D, 001E

NPDRM Type Key set
001C

keys work from 3.61 - 4.21 .............. 4.25 - 4.30 keys are not valid

#169 - ConsoleDev - October 31, 2012 // 12:14 pm
Nice to hear these things, but too bad that the private keys are missing

#168 - PS3GAMER20111 - October 31, 2012 // 12:05 pm
Keys are confirmed true by pr0p0sitionjoe and he said we are going to see many new psn games working on 3.55.

salute to pr0p0sitionjoe.

#167 - G Sus - October 31, 2012 // 12:01 pm
Yup, can't confirm they're real, lol

Also from oakhead69:

OK, here is the process I used to reverse the V4 keys, EDATKEY1 and EDATHASH1, from my PS3. 99% of what I will post here is already public domain; I will just pull it together in one place here. I used IDA and a customised version of KDS Best's SPU emulator.

JuanNadie posted here the SHA1 hashes of the EDAT keys and hashes, and I can confirm that these are correct. The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf; sorg posted these. So the 3 keys you are missing are the KEY, the IV and the ERK.

The KEY and the IV are in the appldr and are unencrypted. You can use IDA or an SPU emulator to figure them out; just work backwards from the SPU code below at 28BE4 (I think this offset is for F/W version 4.27, if I remember correctly).

The ERK is generated from the contents returned by channel 73. The appldr reads channel 73 three times; this is the FW version check channel. So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk, where k is the hash initialisation for generating the ERK and 04 30 is the F/W version number.

The appldr strips out the F/W version, leaving you with the 10-byte hash initialisation 0xkkkkkkkkkkkkkkkkkkkk (ch73 in the code below).

To get the values from channel 73 you will have to write an isolated SPU module to read them. It has to be an isolated SPU because channel 64 controls the access to channel 73, and one of the last things the appldr does is to isolate channel 73 by writing 0x60000 to channel 64. This information was posted on a forum somewhere, I just can't remember where. Just Google it (I may edit my post later when I find it).

I wrote my isolated SPU module based on dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits; ps3devwiki.com/wiki/Making_Isolated_SPU_Modules_and_Loaders is a good starting point. You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code, something like this, to read ch73 3 times.

[Register or Login to view code]

OK, so you should now have the encrypted keys (sorg posted them), the KEY, the IV and the hash seed for the ERK. When you find the encrypted keys based on the post from sorg, this will lead you, as it did me, to the following code in the appldr.

[Register or Login to view code]

Independently of me, redcfw also found the same SPU code, generated C code from it and posted it. I had already generated the following C# code from the SPU code; below is an example for edathash1. It was good to see him confirm the same code, as at the time I still had not figured out how to read ch73.

[Register or Login to view code]

There you have it how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3. Sorry bit of a brain dump, will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reason. As I have already said 99% of this information is already available in forums and wikis. I have just pulled the information together here. Hope you have as much fun as I did playing with the SPU code.
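The channel 73 layout oakhead69 describes above, as an added example in Go (this is not oakhead69's code, not the appldr routine, and not code from the page): the three words are parsed from a 12-byte dump such as an isolated SPU module would produce, the firmware version is read out of the second and fourth bytes of word 0 (the 0xkk04kk30 pattern), and the remaining bytes are concatenated into the 10-byte hash initialisation. Big-endian byte order and a 12-byte dump format are assumptions; the hash that turns this seed into the ERK is not on the page and is not implemented here.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Ch73Words holds the three 32-bit values appldr reads from channel 73.
// Word 0 is 0xkkMMkkmm: the firmware version MM.mm sits in bytes 1 and 3,
// and every k byte across the three words belongs to the 10-byte hash seed.
type Ch73Words [3]uint32

// ParseCh73 turns a 12-byte dump (assumed big-endian, three words back to
// back) into the three channel words. Anything but 12 bytes is rejected.
func ParseCh73(raw []byte) (Ch73Words, error) {
	var w Ch73Words
	if len(raw) != 12 {
		return w, fmt.Errorf("expected 12 bytes (three ch73 words), got %d", len(raw))
	}
	for i := range w {
		w[i] = binary.BigEndian.Uint32(raw[4*i : 4*i+4])
	}
	return w, nil
}

// FirmwareVersion returns the version packed into word 0 as "MM.mm",
// e.g. "04.30" for 0xkk04kk30.
func FirmwareVersion(w Ch73Words) string {
	major := byte(w[0] >> 16)
	minor := byte(w[0])
	return fmt.Sprintf("%02x.%02x", major, minor)
}

// HashSeed strips the two version bytes out of word 0 and concatenates the
// remaining bytes in order: 2 bytes from word 0, then 4 from word 1 and 4
// from word 2, giving the 10-byte initialisation used for the ERK.
func HashSeed(w Ch73Words) [10]byte {
	var seed [10]byte
	seed[0] = byte(w[0] >> 24)
	seed[1] = byte(w[0] >> 8)
	binary.BigEndian.PutUint32(seed[2:6], w[1])
	binary.BigEndian.PutUint32(seed[6:10], w[2])
	return seed
}

func main() {
	// Constructed dump: the 0xA1..0xAA seed bytes are invented, the version
	// 04.30 matches the example on the page.
	raw := []byte{0xA1, 0x04, 0xA2, 0x30, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA}
	w, err := ParseCh73(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fw %s seed %x\n", FirmwareVersion(w), HashSeed(w))
}
```

Checking FirmwareVersion against the firmware you actually dumped from is a cheap sanity test that the module read channel 73 before it was isolated, rather than some unrelated value.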

#166 - windrider42 - October 31, 2012 // 11:57 am
I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55.

Also from Abkarino: The Revocation List key is confirmed by me with 4.31 prog.srvk using scetool:
[code]
C:\Users\MHassan\Desktop\SCETools>scetool -i C:\Users\MHassan\Desktop\SCETools\prog.srvk
scetool 0.2.9 (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz
[*] SCE Header:
 Magic            0x53434500 [OK]
 Version          0x00000002
 Key Revision     0x0000
 Header Type      [RVK]
 Metadata Offset  0x00000000
 Header Length    0x0000000000000200
 Data Length      0x00000000000000E0
[*] Metadata Info:
 Key 05 51 4A D4 82 CD 77 0C C0 58 C1 53 3C B0 92 1B
 IV  B2 4E ED 49 39 2A 0D CB 03 58 15 9A F1 67 DD BD
[*] Metadata Header:
 Signature Input Length 0x00000000000001C0
 unknown_0              0x00000001
 Section Count          0x00000002
 Key Count              0x0000000E
 Optional Header Size   0x00000000
 unknown_1              0x00000000
 unknown_2              0x00000000
[*] Metadata Section Headers:
 Idx Offset   Size     Type Index Hashed SHA1 Encrypted Key IV Compressed
 000 00000200 00000020 01   01    [YES]  00   [NO ]     --  -- [NO ]
 001 00000220 000000C0 02   02    [YES]  06   [YES]     0C  0D [NO ]
[*] SCE File Keys:
 00: 80 B6 91 44 54 B7 D1 C1 8D 1A ED 39 81 7E E5 2F
 01: 84 21 9F 5E 00 00 00 00 00 00 00 00 00 00 00 00
 02: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
 03: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
 04: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
 05: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
 06: 4B B8 B8 38 51 20 BD 76 9F BA 83 66 04 75 EC 47
 07: 6C 84 1D D2 00 00 00 00 00 00 00 00 00 00 00 00
 08: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
 09: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
 0A: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
 0B: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
 0C: 5B D0 37 88 54 91 80 4C C1 F3 1F 70 AA 9D 0A B5
 0D: 17 CA FB 25 69 19 85 85 D1 3A E4 37 00 00 00 00
[*] Revoke List Header:
 type_0      0x00000004
 type_1      0x00000001
 Version     04.31
 Entry Count 0x00000006
[*] Program Revoke List Entries:
 Type        Check Version Auth-ID/unk_3    Mask
 lv2         ==    04.31   0000000000000002 FFFFFFFFFFFFFFFF
 Application ==    04.31   vsh              FFFFFFFFFFFFFFFF
 Application ==    04.31   10700005FE000001 FFFFFFFFFFFFFFFF
 Application ==    04.31   sys_init_osd     FFFFFFFFFFFFFFFF
 Application ==    04.31   sys_audio        FFFFFFFFFFFFFFFF
 Application