
October 26, 2012 // 12:02 am - Similar to Shark Week, this appears to be PS3 Key week with the latest additions being the PS3 3.70 Appldr (VSH.elf) Keys surfacing while a list of the PlayStation 3 version 3.65 to 4.30 Appldr Keys in SCETool format is also in development.

Download: PS3 3.70 Appldr Keys (VSH.elf) Decrypted by ItsKamel / PS3 3.70 Appldr Keys (VSH.elf) Decrypted (Mirror) / PS3 3.70 Appldr Keys (Mirror #2) / PS3 3.70 Appldr Keys (Mirror #3) / PS3 4.25 Keys by razorx / PS3 lv0 key + 3.60 + 3.70 key by Mistawes / Battlefield 3 EBOOT Decrypted by lewy20041 / Resident Evil Operation Raccoon City (REORC) Decrypted by windrider (Password: SupLeechers) / multiMAN 3.70 [EBOOT_FIX] by slarty1408

This adds to the recent PS3 LV0 (Bootldr) Keys leak, the PS3 4.25 / 4.30 Decrypted APPLDR Keys, the PS3 LV0 and Encapsulated CEX 4.30 Loaders, the PS3 4.21 LV1 and lv2_dump from 4.21 acquired by zadow28 when the Syscall table was found at offset 0x346390, the PS3 LV0 4.25 / LV2 4.25 / LV0 4.30 dumps decrypted and the PS3 4.25 Keys for MFW Builder.

Today's update begins with dosjuanes posting the PS3 3.70 Appldr Keys on Spanish site Elotrolado (linked above), followed by Chinese hacker Luckystar (via bbs.duowan.com/thread-29248664-1-1.html) developing a PS3 Appldr Keys 3.65 to 4.30 list in SCETool format as outlined below.

From dosjuanes on the PS3 3.70 Appldr Keys, roughly translated:


From razorx: Here's the .ps3 keys I've put together (linked above) for you all; just extract the zip into your .ps3 folder and you're done. The zip contains:

  • lv0-ctype-425
  • lv0-iv-425
  • lv0-key-425
  • lv0-priv-425
  • lv0-pub-425

From slarty1408: Hi ppl, just thought I'd add the 3.70 keys to deank's multiMAN [EBOOT_FIX] tool (linked above) so you can fix your own eboots/games. I will add more keys as I get hold of them... I have only tested it with 1 game by the way, so any feedback would be great.

From cory1492: None of the keys are decrypted. The ERK/RIV of all keys (app/npdrm/spp) in the raw decrypted appldr are decrypted before use by appldr at runtime. Look at the working 3.70 posted earlier (or any of the previous keys) pub and search it out.

From Luckystar comes a PS3 3.65-4.30 Appldr Keys WIP, roughly translated: Appldr 4.30


Extracted from appldr 4.3, from 000248A0-000260F0. The PUB is right. The erk and riv are incorrect. The estimated or anergistic, send a sce header to the ok.

From aldostools on Mistawes keys dump (above): 1. make sure you have this added to keys file:



2. make sure that the key revision of your SELF is 0x0016 and that it is not a NPDRM self.

I tested the keys with Saints Row The Third, and it decrypted the ELF... shift+Enter.


Key Revision [DEBUG] means that your file is a FSELF. You just need to unfself it and sign the ELF with the keys that you want (eg. 0x01)

These 3.70-3.73 keys are just for retail SELF files signed with keys 0x0016. SELF files from PKG use NPDRM keys (unless they are custom made PKG created using make_package_npdrm). Yes... there used to be a tool that resigned your FSELF just pressing Ctrl+Enter on the eboot.

The current "3.70 keys" are only for key revision 0x0016 and self type = APP (retail eboot). If you have an "update/patch" eboot 3.70, it will not be decrypted with these keys, because they are self type = NPDRM and use a different key. Key revision 0x0016 is used by apps signed for 3.70, 3.72, 3.73 and 3.74.

Most of these have been confirmed by users including EussNL and ItsKamel and added to the PS3 wiki here: ps3devwiki.com/wiki/Keys. As always, we will update this article as new PlayStation 3 Keys are discovered and posted publicly.


PS3 3.70 Appldr Keys Surface, 3.65-4.30 Appldr Keys in Development




#175 - GotNoUsername - October 31, 2012 // 9:15 pm
It is possible to create a CFW that can be installed on the non-downgradable PS3s, but you need a HW flasher to "install" it. But you will need good devs for that! There is nearly no chance of getting the private keys again; Sony fixed their random number problem after 3.55++. So private keys are calculated correctly and so we can't get them.

#174 - Foo - October 31, 2012 // 9:15 pm
What is this downgrade thing I see?

#173 - StanSmith - October 31, 2012 // 9:13 pm
Originally posted by windrider42:
"I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55"

Yep. They do work and I did patch Borderlands 2 to work in 3.55 myself.

#172 - Ps3scener - October 31, 2012 // 9:04 pm
In regards to the keys and the fw updates coming, it is possible to create a 4.30 jailbreak that does not require 3.55 installation. I have some files to leak which could help an experienced dev team create the jailbreak that we are all waiting for. All I ask is for a reply.

#171 - technodon - October 31, 2012 // 9:01 pm
key works on 4.31 too, checked the psn passphrase and they are both the same

#170 - Hernaner28 - October 31, 2012 // 8:34 pm
Well, come on now, chuchi chuchi, we want Worms Revolution fixed. I would buy it, it's really cheap, but firstly I don't have PSN access, and secondly I don't own a credit card and PSN cards are expensive.

Wouldn't you love drinking beer and playing it 4-player with friends?? Hmm yeah it sounds weird but it'd be cool .. lol

#169 - niwakun - October 31, 2012 // 2:26 pm
Keysets that don't work from the recent PS3 keys release

APP Type Key set
001C, 001D, 001E

NPDRM Type Key set
001C

Keys work from 3.61 - 4.21; 4.25 - 4.30 keys are not valid

#168 - ConsoleDev - October 31, 2012 // 12:14 pm
Nice to hear these things, but too bad that the private keys are missing

#167 - PS3GAMER20111 - October 31, 2012 // 12:05 pm
Keys are confirmed true by pr0p0sitionjoe and he said we are going to see many new psn games working on 3.55.

salute to pr0p0sitionjoe.

#166 - G Sus - October 31, 2012 // 12:01 pm
yup can't confirm they're real, lol

Also from oakhead69:

OK, here is the process I used to reverse the V4 Keys, EDATKEY1 and EDATHASH1 from my PS3. 99% of what I will post here is already public domain; I will just pull it together in one place here. I used IDA and a customised version of KDS Best's SPU Emulator.

JuanNadie posted here the SHA1 hashes of the EDAT keys and hashes and I can confirm that these are correct. The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf. sorg posted these. So the 3 keys you are missing are the KEY, the IV and the ERK.

The KEY and the IV are in the appldr and are un-encrypted. You can use IDA or an SPU emulator to figure it out, just work backwards from the below SPU code at 28BE4 (I think this offset is for F/W version 4.27 if I remember correctly).

The ERK is generated from the contents returned by channel 73. The appldr reads channel 73, which is the FW version check channel, 3 times. So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk where k is the hash initialisation for generating the ERK. 04 30 is the F/W version number.

The appldr strips out the F/W version leaving you with the 0xkkkkkkkkkkkkkkkkkkkk 10 byte hash initialisation (ch73 in the code below).

To get the values from channel 73 you will have to write an isolated SPU to read these values. It has to be an isolated SPU as channel 64 controls the access to channel 73 and one of the last things the appldr does is to isolate channel 73 by writing 0x60000 to channel 64. This information was posted on a forum somewhere, just can't remember where. Just Google it (may edit my post later when I find it).

I wrote my spu isolated module based on the dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits. ps3devwiki.com/wiki/Making_Isolated_SPU_Modules_and_Loaders is a good starting point. You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code something like this to read ch73 3 times.


OK, so you should now have the encrypted keys (sorg posted), the KEY, the IV and the hash seed for the ERK. When you find the encrypted keys based on the post from sorg, this will lead you, as it did me, to the following code in the appldr.


Independently of me, redcfw also found the same SPU code, generated C code from it and posted it. I had already generated the following C# code from the SPU code, and below is an example for edathash1. It was good to see him confirm the same code, as at the time I still had not figured out how to read ch73.


There you have it: how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3. Sorry, bit of a brain dump, will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reasons. As I have already said, 99% of this information is already available in forums and wikis. I have just pulled the information together here. Hope you have as much fun as I did playing with the SPU code.