
November 20, 2012 // 10:23 pm - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):


The syscon library implements some high level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).

PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert
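
The two-reads problem described in the quote, as an added example: a generic model of the bug class, not naehrwert's reversed code or anything taken from lv0. The names `mailbox`, `mmio_read_len` and `read_msg_*` are hypothetical; the block shows a length that is re-read from device-controlled memory after being checked, next to the single-fetch form that closes the gap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical device mailbox (constructed model): each read of the length
   goes to the device, so two reads can return different values. */
struct mailbox {
    uint16_t len_seq[2];  /* value returned by the 1st and by later reads */
    int      reads;       /* number of length fetches so far */
    uint8_t  payload[64];
};

static uint16_t mmio_read_len(struct mailbox *mb) {
    return mb->len_seq[mb->reads++ > 0];
}

/* Double fetch (assumed shape of the bug class): the size is checked on one
   read, the copy length comes from a second read. Returns the length the copy
   would use; the memcpy is clamped so this demo itself stays memory-safe. */
size_t read_msg_double_fetch(struct mailbox *mb, uint8_t *dst, size_t cap) {
    if (mmio_read_len(mb) > cap)      /* read #1: validated */
        return 0;
    size_t n = mmio_read_len(mb);     /* read #2: used unchecked */
    memcpy(dst, mb->payload, n < cap ? n : cap);
    return n;                         /* n > cap: caller's buffer would overflow */
}

/* Hardened: fetch once into a local, validate it, use only that copy. */
size_t read_msg_single_fetch(struct mailbox *mb, uint8_t *dst, size_t cap) {
    size_t n = mmio_read_len(mb);
    if (n > cap || n > sizeof mb->payload)
        return 0;                     /* reject, do not truncate */
    memcpy(dst, mb->payload, n);
    return n;
}

/* Constructed scenario: device reports 8 on the first read, 48 afterwards;
   the caller's buffer holds 16 bytes. */
size_t demo(int hardened) {
    struct mailbox mb = { .len_seq = {8, 48} };
    uint8_t buf[16];
    return hardened ? read_msg_single_fetch(&mb, buf, sizeof buf)
                    : read_msg_double_fetch(&mb, buf, sizeof buf);
}

int main(void) {
    printf("double fetch copy length: %zu (buffer 16)\n", demo(0));
    printf("single fetch copy length: %zu\n", demo(1));
    return 0;
}
```

When reviewing firmware or driver code, the thing to look for is any size or index taken from MMIO or shared memory more than once between validation and use.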


#235 - natex - June 27, 2013 // 12:36 am
Hi, I have a PS3 Fat CECHL-01 board VER-001, it is Full Bricked, NOR erased...

Is it possible to recover the LV2 from HDD with this tool and rebuild the NOR?

#234 - PS4 News - June 26, 2013 // 1:36 pm
Following up on the previous PS3 SDAT / EDAT v3 and v4 Keys, today PlayStation 3 developers flat_z and naehrwert have shared some PS3 3.60+ Loader Keys and Phat HDD Encryption tools (including a full EncDec Emulator to encrypt or decrypt game discs) with details below followed by the Lv1ldr Crypto Keys as well.

Download: fckscramble_421.7z / lv1ldr_rsk_crypto.7z / slim_phat_encdec.7z / slim_phat_encdec.7z (Mirror) / Lv1ldr Crypto Test Files by Abkarino / ps3hdd_poc.7z by NiceShot / ppu erks and / / by zecoxao / LV0 Extractor/Injector / LV0 Extractor/Injector (Mirror) / LV0 Extractor/Injector (Mirror #2) / LV0 Extractor/Injector Source Code by TehUnkn0wn / PS3 4.46 Keys by Acid Burn1 / franzes80

Key Scrambling

Starting with firmware version 3.60 loader keys have been encrypted. Look here for a tool that decrypts them. Besides that, there is an implementation of the cryptographic algorithm which is used to encrypt/decrypt lv1ldr from lv0 and root scramble key at the SPU side.

Root scramble keys


Scramble keys


Scrambled keysets


EDAT keys


From flat_z (via

Phat Consoles

  • On the PHAT consoles AES-CBC-192 is used for HDD encryption and AES-CBC-128 for VFLASH encryption.
  • So no tweak and tweak key here. Each sector is encrypted with the same zeroed IV.
  • VFLASH is encrypted once with ENCDEC key and zeroed IV!
  • Data key is of size 32 bytes but only the first 24 bytes are used for HDD and 16 bytes for VFLASH.
  • See also (contains scripts of ENCDEC emulator for both types of consoles).

From naehrwert ( The "Y U NO" picture I posted before

Btw. this means we might know now how cobra and 3k3y got their drive emulators working on latest consoles..

From zecoxao: First thing are the scrambled keys. Sony obfuscated the keys in order to make our access to them hard. Those are called scrambled keys. Second thing is that HDD encryption by glevand was incomplete, partially because he only had a slim and not a phat. Now it's complete. Third thing is supposedly how cobra and 3k3y take care of the drive keys on newer consoles. They basically don't even grab the keys, and all that's needed are sv_iso keys.

naehrwert already knows how that works. Hence that meme. All you need is sv_iso keys lol

The keys should be these ones:
2A F9 18 23 CE 38 59 8E 8D 66 24 5F 69 8A B5 72

#233 - Ps3scener - June 7, 2013 // 6:13 pm
Found these but not sure, 3.60 and 3.61 private keys

If you grabbed all the keys from gitorious, including 4.40 and 4.41, you should be able to make some sort of a jailbreak. Unfortunately I can't patch lv 1 on 4.41, so anyone who can, feel free to try.

Dunno why it's a little bit bigger in size, but these are lv 1 private keys by the way

#232 - PS4 News - June 7, 2013 // 6:13 pm
Here are some more PS3 SDAT/EDAT v3 and v4 Keys from kongen12 (via


From aldostools: According to ( the "keys" above are edat-key-0, edat-key-1, and edat-hash-0, edat-hash-1. sdat-key is different.


edat-key-0: BE959CA8308DEFA2E5E180C63712A9AE (SHA1: 84E9FC3574EAA11A9462FFA53D5EA46B4D0003BF)
edat-hash-0: EFFE5BD1652EEBC11918CF7C04D4F011 (SHA1: 8A721A06ABC7BB9BF398C5EF5D6F1FD997BC0A56)
edat-key-1: 4CA9C14B01C95309969BEC68AA0BC081 (SHA1: 6ECDFEC0A11890C1F2A689062D3EFE562317B2FB)
edat-hash-1: 3D92699B705B073854D8FCC6C7672747 (SHA1: F7B2917B1FA260FD51D37716A91036651F6F42F2)


sdat-key: 0D655EF8E674A98AB8505CFA7D012933

#231 - kaito kid - June 7, 2013 // 9:03 am
Hi everyone, I want ps3keys up to 4.41 or 4.40 because I have 4.31 keys.

#230 - GlobalTroll - April 15, 2013 // 7:04 pm
Scrambling and unscrambling obfuscated keys from loader (PS3 FW 3.60 - 3.61)

from LV1LDR.ELF FW3.61


Unscrambling script:


Scrambling script:


#229 - nintendo1516 - March 29, 2013 // 5:11 pm
very cool news

#228 - PS4 News - February 21, 2013 // 7:17 am
Here are some more purported PS3 keys for Firmware 4.31 from MARKUS++:


Also below are unconfirmed PS3 RSA KEYS from haleskinn and via


#227 - phuqt - December 25, 2012 // 7:58 pm
What are these keys?

#226 - cfwmark - December 24, 2012 // 11:01 pm

FILE NAME: ps3key.txt