PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

97w ago - Following up on the previous PS3 SDAT / EDAT v3 and v4 Keys, today PlayStation 3 developers flat_z and naehrwert have shared some PS3 3.60+ Loader Keys and Phat HDD Encryption tools (including a full EncDec Emulator to encrypt or decrypt game discs) with details below followed by the Lv1ldr Crypto Keys as well.

Download: fckscramble_421.7z / lv1ldr_rsk_crypto.7z / slim_phat_encdec.7z / slim_phat_encdec.7z (Mirror) / Lv1ldr Crypto Test Files by Abkarino / ps3hdd_poc.7z by NiceShot / ppu erks and rivs.zip / tables.zip / lv0_patch.zip by zecoxao / LV0 Extractor/Injector / LV0 Extractor/Injector (Mirror) / LV0 Extractor/Injector (Mirror #2) / LV0 Extractor/Injector Source Code by TehUnkn0wn / PS3 4.46 Keys by Acid Burn1 / franzes80

Key Scrambling

Starting with firmware version 3.60 loader keys have been encrypted. Look here for a tool that decrypts them. Besides that, there is an implementation of the cryptographic algorithm which is used to encrypt/decrypt lv1ldr from lv0 and root scramble key at the SPU side.

Root scramble keys

[Register or Login to view code]

Scramble keys

[Register or Login to view code]

Scrambled keysets

[Register or Login to view code]

EDAT keys

[Register or Login to view code]

From flat_z (via ps3devwiki.com/index.php?title=HDD_Encryption):

Phat Consoles

  • On the PHAT consoles AES-CBC-192 is used for HDD encryption and AES-CBC-128 for VFLASH encryption.
  • So no tweak and tweak key here. Each sector is encrypted with the same zeroed IV.
  • VFLASH is encrypted once with ENCDEC key and zeroed IV!
  • Data key is of size 32 bytes but only the first 24 bytes are used for HDD and 16 bytes for VFLASH.
  • See also http://www.multiupload.nl/6PIFV4GKSH (contains scripts of ENCDEC emulator for both types of consoles).

From naehrwert (cdn0.meme.li/instances/600x600/39151418.jpg): The "Y U NO" picture I posted before

Btw. this means we might know now how cobra and 3k3y got their drive emulators working on latest consoles..

From zecoxao: First thing are the scrambled keys. Sony obfuscated the keys in order to make hard our access to them. those are called scrambled keys. Second thing is hdd encryption by glevand was incomplete. partially because he only had a slim and not a phat. now it's complete. Third thing is supposedly how cobra and 3k3y takes care of the drive keys on newer consoles. they basically don't even grab the keys, and all that's needed are sv_iso keys.

naehrwert already knows how that works. hence that meme. all you need is sv_iso keys lol

The keys should be these ones:

[Register or Login to view code]

for 3.70 appldr

[Register or Login to view code]

for 3.70 isoldr

[Register or Login to view code]

for 3.70 lv2ldr, following the same scheme as before (key 1 and 2 then iv 1 and 2)

[Register or Login to view code]

appldr 3.65

[Register or Login to view code]

isoldr 3.65

[Register or Login to view code]

lv2ldr 3.65, same scheme

[Register or Login to view code]

appldr 4.11

[Register or Login to view code]

isoldr 4.11

[Register or Login to view code]

lv2ldr 4.11

[Register or Login to view code]

isoldr key set (2 erks 1 riv)

[Register or Login to view code]

lv2ldr keyset (same scheme) 3.70 iso keyset

[Register or Login to view code]

3.70 lv2ldr keyset

[Register or Login to view code]

3.65 iso keyset

[Register or Login to view code]

3.65 lv2ldr keyset

[Register or Login to view code]

And finally, a real decryption key. 3.65-3.66 isoldr key and 3.65-66 lv2ldr key

[Register or Login to view code]

3.70 isoldr and lv2ldr keys

[Register or Login to view code]

a couple more

[Register or Login to view code]

appldr keys for maximum version 4.21 (it's a simple comment out of the code, anyone can spit out the text)

Download: https://dl.dropboxusercontent.com/u/35197530/appldr.txt

[Register or Login to view code]

I don't know if there's still any interest in this but just in case there is I'll leave a zip file showing how to properly patch lv0 and its inside loaders.. just a warning: this takes a LOT of work to be done.

Download: lv0_patch.zip

From eussNL: It will help others to deobfuscate the real keys that in the end are used for making MFWs. Basicly anyone can now decrypt them and with the algo documented publicly that makes it time for Sony to change it or let it rest while giving PS4 attention. And no, we will never be able to get private keys - forget that ever happened in 3.55pre era.

As to the hdd crypto: well, it is about time that not only NOR consoles, but also NAND consoles can benefit from documentation about their encryption. In the longrun that means you could be able to dump your drivekeys and decrypt the hdd on the PC. Of course without keys you cannot get far, to give you an idea:

1. Suppose you can test one key every second
2. for simplicity sake lets pretend the keysize is 0x10

1 byte = 0x100 variants
0x10 bytes would have
0x100^10 or
0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100 or
3.4028237e+38 variants

or if you rather count in base10:
1 byte = 256 variants
16 bytes would have
256^16 or
256*256*256*256*256*256*256*256*256*256*256*256*256*256*256*256 or
3.4028237e+38 variants

There are 31556926 seconds in a year taking you 10783127828133147806075110339701 years to check each key variant possible with 0x10 keysize and 1 key per second.

From aldostools: That's correct, but remember that that time is the worst scenario. The same analysis applies for the (dev) klicensee keys used to encrypt EDAT and SELF/SPRX (which have a keysize of 0x10), and the practice shows that it can be bruteforced in less than 1 minute in many cases if a reduced universe of possible keys is available.

I updated the keys file for scetool: ps3tools.aldostools.org/keys

[Register or Login to view code]

A couple more keys: https://dl.dropboxusercontent.com/u/35197530/stuff.zip

inside you can find decrypted lv1ldr, scramble keysets and scramble keys for 365 370 411 firmwares. i'm gonna take care of the lv1ldr keys after i eat.

[Register or Login to view code]

As for appldr check the keys here: https://dl.dropboxusercontent.com/u/35197530/appldr.txt

[Register or Login to view code]

From Asure: I guess, you can calculate i.e. brute force the drive key. A device pretends to be the drive, but it can tell when it's not authed. Plugged into your BDROM port, it sits and tries keys until it finds the right one.

I also guess there's not only AUTH_DRIVE_USER but also AUTH_DRIVE_BDROM or similar, and the BDROM AUTH is being abused here

This would also mean you could do the key extraction with a PC or dev board like Arduino, but would require some skilled programmers to whip up a solution. Both available solutions should probably have done it that way. Complete BD drive emulation is not something a programmer just whips up in a day. (Unless everything besides the drive auth&crypt is just standard SATA commands..)

From Abkarino comes the Lv1ldr Crypto Keys and Test Files, as follows:

Hi all, Last night, a lot of great release had been released for public like 3.60+ loader keys and crypto tools that will enable any body to decrypt/encrypt lv1ldr extracted from decrypted lv0. But since this tools still need some keys to work and no body had released this keys yet or it does not published in ps3 dev wiki also, a lovely bird (thanks and credit goes to him) had hinted me about this keys, to allow us to decrypt/re-encrypt the lv1ldr our self like Rebug team for example to make our own CFW.

So i had figured how to use this great tool to decrypt/re-encrypt extracted scrambled and encrypted lv1ldr from lv0 my self. So i had decided to release this keys to help the public to do it them self also. This keys is consist of two sets one for PPU and the other one for SPU.

Lv1ldr crypto keys

[Register or Login to view code]

Also i had created a test files package that include this keys to test it yourself.

Download: Lv1ldr Crypto Test Files

This file contain an encrypted lv1ldr.self named as lv1ldr-enc extracted from decrypted lv0, this will be decrypted using PPU keys.. and encrypted root scrambling key named as root-key-enc extracted from decrypted lv1ldr.self, this will be decrypted using SPU keys. Just feel free to test it your self and add them to the wiki

Finally, from TehUnkn0wn: I've made a LV0 loader extractor/injector (linked above). The code could be better, but it does its job.


PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.


  • Sponsored Links




#172 - technodon - 131w ago
technodon's Avatar
key works on 4.31 too, checked the psn passphrase and they are both the same

#171 - Hernaner28 - 131w ago
Hernaner28's Avatar
Well, come on now, chuchi chuchi, we want Worms Revolution fixed I would buy it, it's really cheap, but firstly I don't have PSN access, and secondly I don't own a credit card and PSN cards are expensive.

Wouldn't you love drinking bear and playing it 4-player with friends?? Hmm yeah it sounds weird but it'd be cool .. lol

#170 - niwakun - 131w ago
niwakun's Avatar
Keysets that dont work from the recent PS3 keys release

APP Type Key set
001C, 001D, 001E

NPDRM Type Key set
001C

keys work from 3.61 - 4.21 .............. 4.25 - 4.30 keys are not valid

#169 - ConsoleDev - 131w ago
ConsoleDev's Avatar
Nice to hear these things, but too bad that the private keys are missing

#168 - PS3GAMER20111 - 131w ago
PS3GAMER20111's Avatar
Keys are confirmed true by pr0p0sitionjoe and he said we are going to see many new psn games working on 3.55.

salute to pr0p0sitionjoe.

#167 - G Sus - 131w ago
G Sus's Avatar
yup can't confirm there real, lol

Also from oakhead69:

OK here is the process I used to reverse the V4 Keys, EDATKEY1 and EDATHASH1 from my PS3. 99% of what I will post here is already public domain, I will just pull it together in one place here. I used IDA and a customised version of KDS Best's SPU Emulator

JuanNadie posted here the SH1 hashes of the EDAT keys and hashes and I can confirm that these are correct. The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf. sorg posted these. So the 3 keys you are missing are the KEY, the IV and the ERK.

The KEY and the IV are in the appldr and are un-encrypted. You can use the IDA or an SPU emulator to figure it out, just work backwards from the below spu code at 28BE4 (I think this offset is for F/W version 4.27 if I remember correctly)

The ERK is generated from the contents returned by channel 73. The appldr reads channel 73, 3 times which is the FW version check channel. So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk where k is the hash initilisation for generating the ERK. 04 30 is F/W version number.

The appldr strips out the F/W version leaving you with the 0xkkkkkkkkkkkkkkkkkkkk 10 byte hash initialisation (ch73 in the code below).

To get the values from channel 73 and you will have to write an isolated SPU to read these values. It has to be an isolated SPU as channel 64 controls the access to channel 73 and one of the last things the appldr does it to isolate channel 73 by writing 0x60000 to channel 64. This information was posted one forum somewhere, just can't remember where. Just Google it (may edit my post later when I find it).

I wrote my spu isolated module based on the dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits. ps3devwiki.com/wiki/Making_Isolated_SPU_Modules_and_Loaders is a good starting point. You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code something like this to read ch73 3 times.

[Register or Login to view code]

OK so you should now have the encrypted keys (sorg posted) the KEY, the IV and the hash seed for the ERK. When you find the encrypted keys based on the post from sorg this will lead you as it did me to the following code in the appldr.

[Register or Login to view code]

Independently of me redcfw also found the same SPU code and generated C code from it and posted it. I had already generated the following C# code from the SPU code and below is an example for edathash1, it was good to see him confirm the same code as at the time I had still had not figured out how to read ch73.

[Register or Login to view code]

There you have it how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3. Sorry bit of a brain dump, will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reason. As I have already said 99% of this information is already available in forums and wikis. I have just pulled the information together here. Hope you have as much fun as I did playing with the SPU code.

#166 - windrider42 - 131w ago
windrider42's Avatar
I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55.

Also from Abkarino: Revokation List key are confirmed by me with 4.31 prog.srvk using scetool:
[code]
C:\Users\MHassan\Desktop\SCETools>scetool -i C:\Users\MHassan\Desktop\SCETools\p
rog.srvk
scetool 0.2.9 (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz
[*] SCE Header:
Magic 0x53434500 [OK]
Version 0x00000002
Key Revision 0x0000
Header Type [RVK]
Metadata Offset 0x00000000
Header Length 0x0000000000000200
Data Length 0x00000000000000E0[*] Metadata Info:
Key 05 51 4A D4 82 CD 77 0C C0 58 C1 53 3C B0 92 1B
IV B2 4E ED 49 39 2A 0D CB 03 58 15 9A F1 67 DD BD[*] Metadata Header:
Signature Input Length 0x00000000000001C0
unknown_0 0x00000001
Section Count 0x00000002
Key Count 0x0000000E
Optional Header Size 0x00000000
unknown_1 0x00000000
unknown_2 0x00000000[*] Metadata Section Headers:
Idx Offset Size Type Index Hashed SHA1 Encrypted Key IV Compressed
000 00000200 00000020 01 01 [YES] 00 [NO ] -- -- [NO ]
001 00000220 000000C0 02 02 [YES] 06 [YES] 0C 0D [NO ][*] SCE File Keys:
00: 80 B6 91 44 54 B7 D1 C1 8D 1A ED 39 81 7E E5 2F
01: 84 21 9F 5E 00 00 00 00 00 00 00 00 00 00 00 00
02: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
03: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
04: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
05: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
06: 4B B8 B8 38 51 20 BD 76 9F BA 83 66 04 75 EC 47
07: 6C 84 1D D2 00 00 00 00 00 00 00 00 00 00 00 00
08: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
09: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
0A: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
0B: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
0C: 5B D0 37 88 54 91 80 4C C1 F3 1F 70 AA 9D 0A B5
0D: 17 CA FB 25 69 19 85 85 D1 3A E4 37 00 00 00 00[*] Revoke List Header:
type_0 0x00000004
type_1 0x00000001
Version 04.31
Entry Count 0x00000006[*] Program Revoke List Entries:
Type Check Version Auth-ID/unk_3 Mask
lv2 == 04.31 0000000000000002 FFFFFFFFFFFFFFFF
Application == 04.31 vsh FFFFFFFFFFFFFFFF
Application == 04.31 10700005FE000001 FFFFFFFFFFFFFFFF
Application == 04.31 sys_init_osd FFFFFFFFFFFFFFFF
Application == 04.31 sys_audio FFFFFFFFFFFFFFFF
Application

#165 - ConsoleDev - 131w ago
ConsoleDev's Avatar
Following up on the previous PS3 Keys leak and PS3 4.30 Decryption, on this Halloween Day even more PS3 Keys ranging from 3.65 to 4.30 including Appldr and NPDRM (PSN) have now surfaced with details below!

Download: PS3 Keys 3.65 to 4.30 / PS3 Keys 3.65 to 4.30 (Mirror) / SCETool v0.2.9 with PS3 Keys by Brenza / True Ancestor + Haz367's Resigner.bat + PS3 Keys by DEFAULTDNB (run resigner.bat only, hit "0" to decrypt and hit "5" to sign for oldskool 3.55) / multiMAN 3.15-4.20+ [EBOOT_FIX].rar by slarty1408 / PS3 Downgrade 3.60++ (Lv2diag.421.self) from r3pek / VSH.elf (Rogero CFW 4.30) Patched for ReActPSN 2.xx by StealthLord / PS3 Keys for Deank ebootFIX / mMKeys v1.0 Alpha + multiMAN [EBOOT_FIX] testing App-Keys by romhunter / PS3 Keys Up To 4.31 Pack by razorx / PS3 SDAT/EDAT v3 and v4 Keys

From danixleet: VSH.self can be decrypted, as its signed with appldr keys for this firmware version.. With this recent leak of Appldr / NPDRM keys we can now make SEN/Spoofer's for when a new OFW is released.. Here is OFW 4.30 VSH.self & VSH.elf.

From IRC:

[itwong] just came across lv2diag.421.self? is this for downgrading 3.60++ ps3s?
[Rare] no
[itwong] what is this for ?
[itwong] euss, any idea what that lv2diag.421.self does?
[euss|_] itwong, you have the file, you tell me
[itwong] im wondering if it will kick the console out of factory mode
[itwong] cuz for 3.56+, before once it enters factory mode, i will be stuck in that mode
[r3pek] on a side note: http://www.multiupload.nl/3CHY6IQVXU
[r3pek] it's the file itwong was talking about

From tny.cz/72b4c5a7 (and pastebin.com/HciwadTZ / pastebin.com/9FVX1p5p / pastie.org/5144289) comes some PS3 NPDRM (PSN) and Appldr Keys up to 4.30:

[Register or Login to view code]

From anonymous (via pastie.org/5169661): This to finish the previously leaked keys. To the other team, we are on our way to pck0. Want a race?

[Register or Login to view code]

From aldostools on these keys: bad revision... they should be revision=0000 (corrected above now). Indeed they work for 4.20, 4.21, 4.25, 4.30 and 4.31.

From Brenza: Here's LV1 keys for 4.30 and 4.31

[Register or Login to view code]

From slarty1408 on the multiMAN 3.15-4.20+ [EBOOT_FIX]: Hi ppl I've added 2 more sets of keys FW 4.00-4.11 and FW 4.11-4.20+ (4.00-4.30 keys added) it should fix most retail eboots now i think I've only tested it with:

  • Transformers Fall of Cybertron = FW 4.11
  • XCOM Enemy Unknown = FW 4.21

Both went through fine have not got time to test as for kids and work good luck ppl let me know if i missed anything ? Thanks...

PS: Please say thanks to deank for this tool as he done all the hard work... I've just done hex code to file.

From CaptainCPS-X: Advice for those decrypting EBOOT.BIN's, and expecting the game to run without problems. Games don't only use encrypted EBOOT.BIN, there are encrypted .SPRX / .SELF / .SDAT as well, so only patching EBOOT.BIN will not work on all game backups, maybe some games don't make use of secondary encrypted files, but there are many that do.

From aldostools: To decrypt/resign the EBOOT you always should provide the klicensee as parameter (if the SELF use klicensee):

To decrypt:

[Register or Login to view code]



To resign add to the command line parameters:

[Register or Login to view code]



From PatrickBatman: Here just fix your own games: Put scetool (ver 0.2.9), data folder with added new keys, EBOOT.BIN and .bat below in a folder.

[Register or Login to view code]

You can use the batch above just for updates with eboot, when the command window pauses after it makes .elf you then edit the elf sys_proc_param at hex 13 BC C5 F6 from 41 to 34, or this new hex that was mentioned. Save .elf then let command window continue.

"--np-content-id=UP0082-BLUS30927_00-SDPATCH000000002" in the batch needs to be changed to whatever the name of the sony update is without A102-V100-PE.pkg part for example.. you can get rid of all the np stuff, content id, & change self type to APP, for disc eboots.

For NPDRM sprx/self bruteforce or use IDA and and follow calls on NP_exit_spawn to the parameter for Klicensee key on the EBOOT.elf
then in the batch change --np-app-type=USPRX & add --encrypt "self/SPRXname.elf" "self/SPRXname.self" -l "klickey" in place off --encrypt EBOOT.ELF EBOOT.BIN then if .sprx rename .self to .sprx

You can use the "free" klic on EBOOT.BIN w/ sprx/self "-l 72F990788F9CFF745725F08E4C128387" and if you want make SCE Version TRUE in HEX at offset 397 changing 00 to 01 on EBOOT.BIN. This should basically be it, although I am tired so you'll figure out if you cant then just wait.

From zadow28: i actuallly managed to dump the sysrom also. Don't know much about it though, but here it is.

Download: sysrom.bin

Also the hypervisor is found in the dump.. use the PS3_HV_Dump.idc in ida pro it finds it.

[Register or Login to view code]

From zecoxao: Just figured it out: 20090102-111352-LV1-FW4.21.7z

i dumped it from Rebug Toolbox. and yes, it was on 4.21 REX

From zadow28: i have various dumps this is from rex: LV1-FW4.21.BIN another one from
xmb rogero, yeah i patch the lv1: lv1.bin

More important its how we use this. Also i dumped the sysrom, not sure if thats the same, as sycon. If it is then its what we need, on QA.

From zecoxao: i'll provide the link for you to analyze. also this dump contains both kernels, DEX kernel and CEX kernel, on 4.21 REX ros0 and 1. sysrom is probably SYS(CON EEP)ROM. Download: 20090102-121542-FLASH-NOR-FW4.21.7z

From PatrickBatman comes an NPDRM Batch File, to use: Drag and drop eboot on to it (--np-content-id=SET074-NPUB30409_00-BTTF10200000GAME. Change this to the game content id your doing --np-app-type=EXEC change this in NPDRM .bat to UEXEC only if the game is an update)

From sorg: according to LV1loader, ch73 should contain version value. so for v4.21 it looks:

[Register or Login to view code]

for v4.25:

[Register or Login to view code]

etc... But! for appldr v4.21, 4.25, 4.30 erk_hkey/iv iv_hkey/iv are the same. encrypted EDATKEY/HASH are also the same. so, ch73 should not contain FW version, IMHO.

From anonymous (via pastie.org/private/avbxlh6jg7089sh5m4bg) also comes the PS3 4.31 isoldr and lv2ldr keys below as well:

[Register or Login to view code]

From zadow28: Well the lv0.2 is simply the header(metadata) for the lv0 so if you cut the header of the normal lv0 and replace it with the lv0.2.

[Register or Login to view code]

So conclusion. You need to dump the bootloader 2 to get the keys for the lv0 version 2 its the same files just different headers aka keys. they secured the new consoles so good, that they dont work with flashers. don't hang me up on that.
but guess that's the problem. So unless someone finds an way, to read strait from the motherboard.

From zecoxao: cool, ps2_netemu gets decrypted. i suppose now it'll be possible to get the ps2 klicensee and try to achieve ps2 emulation on ps3 by iso loading.

From aldostools: As leaked lv1ldr keys, these lv2ldr and isoldr keys can be used to decrypt the lv2 and iso selfs for 4.20-4.31 (4.20, 4.21, 4.23, 4.25, ... 4.30, 4.31) And as far as I know the revision for [lv2ldr] is revision=0000 (not revision=001F)

Here is an updated KEYS file: aldostools.org/temp/keys My "ps3keys" app can be used to convert the keys from scetool format to .ps3 format for MFW Builder, deank's [EBOOT_FIX], etc.

[Register or Login to view code]

From zecoxao: Unless there's a fail in the ECDSA code, i hardly think it's possible to get any more private keys. There was one, it was fixed. Now everything must be signed 3.55 and below. regarding 3.56 and above, you can see true ECDSA working, and thus the concept of private public key criptografy is shown. you can know the public key but you can't know the private key, because only some people know about it, and i'm talking the ones who make the firmware, so the decision to get private keys is pointless now.

From zadow28: private keys are out off the question thats for sure. But if you really examine the lv0 and lv0.2 it makes sense bootldr2 is just like the normal bootldr. just without the randomfall exploit, so no calculation. the new consoles uses the same lv0 as we know it just with header lv0.2. pretty easy to test cut hex at offset 0x0000000000000500 in the lv0 (old) copy the lv0.2 thats 0x00000000000004F0 long so fits perfect. Run throw scetool

[Register or Login to view code]

of course we cant decrypt it, since we dont have the new bootldr keys. (bootldr2) Now for the lv0.. inside are 4 isolated headers. after a lot of hex editing you would find that they belong to appldr/lv1ldr/lv2ldr/isoldr. thats strictly for the new version. funny thing is, that they didn't made new files at all, just new headers, with the same result.

So on new consoles, example the decrypted lv1ldr would, look 100% the same, as the one we can decrypt. Also the loader headers are different length, than the old version.So that suggestion that they change the algorithm, no crypto expert, but still.

Actually there are two files, hidden inside the ps3tmgui.exe lv2diagnose ones signed with 3.60 keys. of course it would be console suicide to use them, still wonder no one have found that out yet.

Download: BINARY.rar

[Register or Login to view code]

yes i know it was there, but the possibillty that it would brick someones console is very high, and i dont know that much about, the lv2diagnose. this is from sdk 4.0 (prodg) so guess its used when the dex have an softbrick, when debugging. happens a lot when using prodg. you can get into FSM just not out most likely nothing at all is gonna happen.. still you never know.

From aldostools: lv1ldr 4.20-? -> these are the same keys for lv1ldr 4.30-? lv2ldr 4.20-? -> these are the same keys for lv2ldr 4.30-? isoldr 4.20-? -> these are the same keys for isoldr 4.30-?

And the selfs with the the following names are also decrypted with the isoldr keys for 4.20-4.30: spp_verifier 4.20-? spp_verifier 4.30-? spu_pkg_rvk_verifier 4.20-? spu_pkg_rvk_verifier 4.30-? I would appreciate if someone could explain me how to decrypt sv_iso_for_ps2emu.self and me_iso_for_ps2emu.self

Regarding the Appldr table, I believe that the key *not "0x1E"*, it is not even an appldr key. It could be a key for some other purpose.

The keys for 4.20-? were added to the wiki... IMO the version should be 4.20-4.26 (4.26 SEX is the latest 4.2x) or simply 4.20-4.31
The spp_verifier/spu_pkg_rvk_verifier were not added... they decrypt with isoldr keys for versions 4.20-4.31
The "appldr" that I think are not appldr "4.31" keys are the erk=46BD089122... IMO, appldr keys revisions 1C, 1D, 1E are 4.20-4.31

From zadow28: yes they work for all , they follow the hexidimal letters so so after 0x1F its should be 0x20 4.31 = 0x20, you can count back from there.

From Mustapha: Interesting string in the decrypted ps2_netemu.elf caution: image counts exceeded, %d maximum to show/SELECT IMAGE TO BOOT. Up/Down to select, Cross to boot, Triangle to exit... Hmm, Sony has a PS2 disc image front end ready to go?!

From Abkarino: Here it is just for you Zadow from your old friend Abkarino. There is 2 dumps i had uploaded for you or for any body else willing to play with it. This is a dump from metldr.2 console and from updated metldr console (3.6x) that both can not be downgraded. Hope to hear good news from you.

From zxz0O0 (Adrahil) comes PS3 SPP and RVK 4.25 Keys for decrypting the default.spp, prog.srvk and pkg.srvk from 4.xx Firmware below with additional details HERE:

spp_verifier 4.25 (probably 4.20 - 4.31):

[Register or Login to view code]

If you want to use with scetool you have to use manual keyset (scetool is confused because both keysets 3.55 and 4.25 have revision 0)

rvklist 4.25 (probably 4.20 - 4.31):

[Register or Login to view code]

scetool format:

[Register or Login to view code]

As always all of the current PlayStation 3 Keys decrypted can be found archived on the PS3 Wiki (ps3devwiki.com/wiki/Keys) for those seeking them.

Finally, from zecoxao comes one more crypto fail, PS3 selfs without npdrm footer as follows:

This pkg contains a self, that doesn't contain an npdrm footer.

Download: http://ares.dl.playstation.net/cdn/EP4345/NPEB00863_00/boMeZZKzGeQgZaUOIFJyVwxcPllEGyBkGYTIiDULXtjwOJZjZQXvytAflhKaWtJurFlnXtaFPYLiYxyGLvyTUoVeEPAzcKgONTTGV.pkg

[21:20:11] flatz: there is a package which have NPDRM eboot.bin
[21:20:19] flatz: and non-NPDRM self
[21:20:30] flatz: self doesn't have footer signature
[21:20:34] flatz: so you can replace it with custom one
[21:20:46] flatz: and app will load it

And there you have it. the so called argument between math and kakaroto was over this specific thing (the NPDRM footer).

There might be more packages like this one

WORKS ON ALL FIRMWARE VERSIONS! IF YOU WANT A HEN, DO NOT UPDATE IF YOU'RE ON OFW!

We need to know in which version this was patched, credit to flatz for the finding, i'm just reporting back. How to test:

Download: cachemgr.self / cachemgr.self (Mirror)

Replace cachemgr.self with that, and use ps3xport to put game on PS3.

More apps and patches:

[22:28:13] flatz: app:

[Register or Login to view code]

patch:

[Register or Login to view code]



app:

[Register or Login to view code]

patch:

[Register or Login to view code]

From IronMAN: This is ability to run your own self files on OFW but not on latest ofw, because it patched already.

4.46 - working.
4.65 - not working.

From zecoxao: lol, we tested again. IT VOOOOOOOOOOOOOOOOOOOOOOOOOOOORKS. ON FCKING LATEST FIRMWARE The code runs but the app crashes New cachemgr.self, shouldn't hang now...

From mysis: Sony seemed to forgot to implement an api for spawning npdrm child-processes, thats why those apps do use non-npdrm signed selfs.

[19:43:21] [flatz]: doesn't work at all on 4.66 OFW
[19:43:25] [flatz]: we can close thread

More PlayStation 3 News...

#164 - SoraKing11 - 131w ago
SoraKing11's Avatar
wait... so, was the key real?

#163 - Foo - 131w ago
Foo's Avatar
The only keys we have are 3.70 keys so you can't decrypt a 4.10 eboot. That was the point of the 4.21 CFW because it can run games up to that firmware.