
November 20, 2012 // 11:23 pm - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

[Register or Login to view code]

The syscon library implements some high level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
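The bug naehrwert describes is a double fetch: the exchange routine validates a packet length, but the completion read fetches the length field again and trusts the second value, so a device that answers the two reads differently can make the copy exceed the caller's fixed buffer. The following C model is an added example for this page, not naehrwert's reversed code and not any real syscon interface: the device (`struct syscon_sim`), the buffer capacity (`REPLY_CAP`), the function names and all sample values are constructed. The "stack" is a flat arena so the overrun can be measured without undefined behaviour; the hardened variant reads the length once, bounds it against the real capacity, passes both down, and rejects a completion whose length differs from the one validated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the fixed-size reply buffer the top-level helper hands down.
 * Constructed value; the real buffer size is not on the page. */
#define REPLY_CAP 32u
#define ARENA_LEN 96u

/* Hypothetical syscon endpoint. When someone else controls the MMIO path,
 * two reads of the length field need not agree: the model answers the first
 * read with len_first and every later read with len_second. */
struct syscon_sim {
    uint16_t len_first;
    uint16_t len_second;
    unsigned reads;            /* number of length reads so far */
    const uint8_t *payload;    /* body bytes the endpoint returns */
};

static uint16_t sim_read_len(struct syscon_sim *sc)
{
    uint16_t v = (sc->reads == 0) ? sc->len_first : sc->len_second;
    sc->reads++;
    return v;
}

/* --- Vulnerable shape: length checked once, then fetched again --- */

/* The completion read re-fetches the length and trusts it; the capacity the
 * caller checked against never reaches this function. */
static int read_cmpl_msg_vuln(struct syscon_sim *sc, uint8_t *out)
{
    uint16_t len = sim_read_len(sc);   /* second fetch, unchecked */
    memcpy(out, sc->payload, len);     /* overruns out when len > REPLY_CAP */
    return (int)len;
}

int exchange_vuln(struct syscon_sim *sc, uint8_t *out)
{
    uint16_t len = sim_read_len(sc);   /* first fetch, checked */
    if (len > REPLY_CAP)
        return -1;
    return read_cmpl_msg_vuln(sc, out);
}

/* --- Hardened shape: fetch once, bound it, cross-check the completion --- */

static int read_cmpl_msg_safe(struct syscon_sim *sc, uint8_t *out,
                              size_t cap, uint16_t expected_len)
{
    uint16_t len = sim_read_len(sc);
    if (len != expected_len)           /* length changed between reads */
        return -2;
    if (len > cap)                     /* never exceed the caller's capacity */
        return -1;
    memcpy(out, sc->payload, len);
    return (int)len;
}

int exchange_safe(struct syscon_sim *sc, uint8_t *out, size_t cap)
{
    uint16_t len = sim_read_len(sc);
    if (len > cap)
        return -1;
    return read_cmpl_msg_safe(sc, out, cap, len);
}

/* --- Scenarios. Arena bytes at offsets >= REPLY_CAP stand in for the
 * caller's frame above the buffer; an overrun stays inside one real object
 * and can be inspected. Payload is a constructed body of 0xAA bytes. --- */

static uint8_t payload[ARENA_LEN];

static void setup(uint8_t *arena)
{
    memset(arena, 0, ARENA_LEN);
    memset(payload, 0xAA, ARENA_LEN);
}

/* 1 if the vulnerable exchange wrote past the reply buffer, else 0. */
int vuln_overruns(void)
{
    uint8_t arena[ARENA_LEN];
    struct syscon_sim sc = { 16, 80, 0, payload };   /* 16 passes, 80 used */
    setup(arena);
    exchange_vuln(&sc, arena);
    return arena[REPLY_CAP] == 0xAA;
}

/* Hardened result for the same changing length; 99 if the frame was touched. */
int safe_rejects(void)
{
    uint8_t arena[ARENA_LEN];
    struct syscon_sim sc = { 16, 80, 0, payload };
    setup(arena);
    int rc = exchange_safe(&sc, arena, REPLY_CAP);
    return (arena[REPLY_CAP] == 0) ? rc : 99;
}

/* Bytes copied when both reads agree and fit. */
int safe_accepts_consistent(void)
{
    uint8_t arena[ARENA_LEN];
    struct syscon_sim sc = { 16, 16, 0, payload };
    setup(arena);
    return exchange_safe(&sc, arena, REPLY_CAP);
}

int main(void)
{
    printf("vulnerable exchange overruns buffer: %d\n", vuln_overruns());
    printf("hardened exchange on changed length: %d\n", safe_rejects());
    printf("hardened exchange on consistent length: %d\n", safe_accepts_consistent());
    return 0;
}
```

The fix worth taking away is structural rather than a single bounds check: the validated length and the real capacity travel together to the function that performs the copy, and any value re-read from the device is compared against what was already validated instead of replacing it.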


PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert




#175 - Foo - October 31, 2012 // 9:15 pm
What is this downgrade thing I see?

#174 - StanSmith - October 31, 2012 // 9:13 pm
Originally posted by windrider42:
I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55

Yep. They do work and I did patch Borderlands 2 to work in 3.55 myself.

#173 - Ps3scener - October 31, 2012 // 9:04 pm
In regards to the keys and the FW updates coming, it is possible to create a 4.30 jailbreak that does not require 3.55 installation. I have some files to leak which could help an experienced dev team create the jailbreak that we are all waiting for. All I ask is for a reply.

#172 - technodon - October 31, 2012 // 9:01 pm
Key works on 4.31 too; checked the PSN passphrase and they are both the same.

#171 - Hernaner28 - October 31, 2012 // 8:34 pm
Well, come on now, chuchi chuchi, we want Worms Revolution fixed. I would buy it, it's really cheap, but firstly I don't have PSN access, and secondly I don't own a credit card and PSN cards are expensive.

Wouldn't you love drinking beer and playing it 4-player with friends?? Hmm yeah it sounds weird but it'd be cool .. lol

#170 - niwakun - October 31, 2012 // 2:26 pm
Keysets that don't work from the recent PS3 keys release:

APP Type Key set
001C, 001D, 001E

NPDRM Type Key set
001C

Keys work from 3.61 - 4.21; 4.25 - 4.30 keys are not valid.

#169 - ConsoleDev - October 31, 2012 // 12:14 pm
Nice to hear these things, but too bad that the private keys are missing.

#168 - PS3GAMER20111 - October 31, 2012 // 12:05 pm
Keys are confirmed true by pr0p0sitionjoe and he said we are going to see many new PSN games working on 3.55.

Salute to pr0p0sitionjoe.

#167 - G Sus - October 31, 2012 // 12:01 pm
Yup, can't confirm they're real, lol.

Also from oakhead69:

OK, here is the process I used to reverse the V4 Keys, EDATKEY1 and EDATHASH1 from my PS3. 99% of what I will post here is already public domain; I will just pull it together in one place here. I used IDA and a customised version of KDS Best's SPU Emulator.

JuanNadie posted here the SHA1 hashes of the EDAT keys and hashes and I can confirm that these are correct. The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf. sorg posted these. So the 3 keys you are missing are the KEY, the IV and the ERK.

The KEY and the IV are in the appldr and are unencrypted. You can use IDA or an SPU emulator to figure it out; just work backwards from the below SPU code at 28BE4 (I think this offset is for F/W version 4.27 if I remember correctly).

The ERK is generated from the contents returned by channel 73. The appldr reads channel 73 3 times, which is the FW version check channel. So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk where k is the hash initialisation for generating the ERK. 04 30 is the F/W version number.

The appldr strips out the F/W version leaving you with the 0xkkkkkkkkkkkkkkkkkkkk 10 byte hash initialisation (ch73 in the code below).

To get the values from channel 73 you will have to write an isolated SPU to read these values. It has to be an isolated SPU as channel 64 controls the access to channel 73, and one of the last things the appldr does is to isolate channel 73 by writing 0x60000 to channel 64. This information was posted on a forum somewhere, just can't remember where. Just Google it (may edit my post later when I find it).

I wrote my SPU isolated module based on the dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits. ps3devwiki.com/wiki/Making_Isolated_SPU_Modules_and_Loaders is a good starting point. You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code, something like this, to read ch73 3 times.

[Register or Login to view code]

OK, so you should now have the encrypted keys (sorg posted), the KEY, the IV and the hash seed for the ERK. When you find the encrypted keys based on the post from sorg, this will lead you, as it did me, to the following code in the appldr.

[Register or Login to view code]

Independently of me, redcfw also found the same SPU code, generated C code from it and posted it. I had already generated the following C# code from the SPU code, and below is an example for edathash1; it was good to see him confirm the same code, as at the time I still had not figured out how to read ch73.

[Register or Login to view code]

There you have it: how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3. Sorry, bit of a brain dump; will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reasons. As I have already said, 99% of this information is already available in forums and wikis. I have just pulled the information together here. Hope you have as much fun as I did playing with the SPU code.

#166 - windrider42 - October 31, 2012 // 11:57 am
I have heard they are the real deal, and guys already fixed Borderlands 2 for 3.55.

Also from Abkarino: Revocation List keys are confirmed by me with 4.31 prog.srvk using scetool:
[code]
C:\Users\MHassan\Desktop\SCETools>scetool -i C:\Users\MHassan\Desktop\SCETools\prog.srvk
scetool 0.2.9 (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz
[*] SCE Header:
Magic 0x53434500 [OK]
Version 0x00000002
Key Revision 0x0000
Header Type [RVK]
Metadata Offset 0x00000000
Header Length 0x0000000000000200
Data Length 0x00000000000000E0
[*] Metadata Info:
Key 05 51 4A D4 82 CD 77 0C C0 58 C1 53 3C B0 92 1B
IV B2 4E ED 49 39 2A 0D CB 03 58 15 9A F1 67 DD BD
[*] Metadata Header:
Signature Input Length 0x00000000000001C0
unknown_0 0x00000001
Section Count 0x00000002
Key Count 0x0000000E
Optional Header Size 0x00000000
unknown_1 0x00000000
unknown_2 0x00000000
[*] Metadata Section Headers:
Idx Offset Size Type Index Hashed SHA1 Encrypted Key IV Compressed
000 00000200 00000020 01 01 [YES] 00 [NO ] -- -- [NO ]
001 00000220 000000C0 02 02 [YES] 06 [YES] 0C 0D [NO ]
[*] SCE File Keys:
00: 80 B6 91 44 54 B7 D1 C1 8D 1A ED 39 81 7E E5 2F
01: 84 21 9F 5E 00 00 00 00 00 00 00 00 00 00 00 00
02: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
03: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
04: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
05: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
06: 4B B8 B8 38 51 20 BD 76 9F BA 83 66 04 75 EC 47
07: 6C 84 1D D2 00 00 00 00 00 00 00 00 00 00 00 00
08: D0 BC 27 84 22 30 34 C8 21 DA 58 B6 F0 F7 4A E0
09: C9 FC BC 30 9C A2 15 06 D5 BA 02 F6 FF CC 13 2A
0A: 63 BB 9C EF F8 D7 26 45 68 77 94 4C 66 9E A2 1B
0B: 87 09 C6 27 3C B7 79 2D 62 6E 14 90 66 F5 BD 86
0C: 5B D0 37 88 54 91 80 4C C1 F3 1F 70 AA 9D 0A B5
0D: 17 CA FB 25 69 19 85 85 D1 3A E4 37 00 00 00 00
[*] Revoke List Header:
type_0 0x00000004
type_1 0x00000001
Version 04.31
Entry Count 0x00000006
[*] Program Revoke List Entries:
Type Check Version Auth-ID/unk_3 Mask
lv2 == 04.31 0000000000000002 FFFFFFFFFFFFFFFF
Application == 04.31 vsh FFFFFFFFFFFFFFFF
Application == 04.31 10700005FE000001 FFFFFFFFFFFFFFFF
Application == 04.31 sys_init_osd FFFFFFFFFFFFFFFF
Application == 04.31 sys_audio FFFFFFFFFFFFFFFF
Application