PS3 Firmware 3.50 Decrypted, Free Public PS3 Downgrader WIP

135w ago - Just a few days back we saw a video of PS Downgrade software by the PSJailBreak Team in action, and today graf_chokolo has posted on xorloser's blog (linked above) that he has decrypted PS3 Firmware 3.50 and while it's still a WIP it could very well lead to a free public PlayStation 3 downgrader alternative.

To quote: I am able now to decrypt and decompress CORE_OS_PACKAGE.pkg from PS3 PUP-Files. The decrypted and decompressed package is a copy of FLASH region where all the important SELFs and isolated SPUs stored, e.g. lv1.self or isoldr.

So, now i could downgrade PS3 by writing this decrypted image to FLASH manually, without Update Manager from HV. In fact, Update Manager just do this But the problem is, that the SHA-1 hash values for these files are stored not in flash but in SC EEPROM and i don't have access to it yet

Here is a snippet from CORE_OS_PACKAGE.pkg 3.15:

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
00000010 00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 .......`........
00000020 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 .......`........
00000050 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC .......€......åÌ
00000080 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0 ......ê€......m
000000B0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44 ......X€.......D
000000E0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr..........
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4 ......‡.......Úä
00000110 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr..........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC ......aä......úÌ
00000140 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri
00000150 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self.......
00000160 00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94 ......°......"
00000170 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces
00000180 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........
00000190 00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0 ......¹D......eÐ
000001A0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce
000001B0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self.......
000001C0 00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C ..............S,
000001D0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self.....
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98 ......r@......D˜
00000200 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s
00000210 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf.............
00000220 00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0 ......¶Ø......Ã--ð
00000230 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel
00000240 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f...............
00000250 00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C ......ŽÈ......€Å'
00000260 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul
00000270 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00000280 00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8 .......T......ˆ¸
00000290 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul
000002A0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
000002B0 00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78 ......˜.......Àx
000002C0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul
000002D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
000002E0 00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0 ......X„......]°
000002F0 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul
00000300 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00000310 00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0 ......¶4......"
00000320 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp.....
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000340 00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70 ......Ù.......±p
00000350 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000370 00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28 .....#Š€......è(
00000380 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0.............
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003A0 00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8 .....'r¨......î¸
000003B0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self.
000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003D0 00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94 .....>a`......."
000003E0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin....
000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000400 00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48 .....EpÃ'......üH
00000410 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self..
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000430 00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00 .....Mm........
00000440 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self...
00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00263264 33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00 315.000.........
00263280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

I have already decrypted Core OS Packages from 3.15, 3.41 and 3.50 PUP-Files. Also decrypted Revoke List for Packages and Programs which can be also found in PUP-Files. And also SYSCON firmware was decrypted by me.

Sony uses zlib to compress Core OS Packages. But not all packages are compressed, e.g. SYSCON firmwares are not compressed, just crypted. Packages are first compressed and then decrypted. So first they have to be decrypted and then decompressed with zlib on Linux e.g.

I have also decrypted profile file DEFAULT.SPP. There are stored e.g. System manager configuration and other things like ACLs.

Today decrypted Core OS Package 2.80, BlueRay Drive Firmware, Bluetooth Firmware and System Controller Firmware.

Bluetooth/WLAN is a Marvell chip.

Some interesting strings from Bluetooth Firmware 3.41:

Marvell Firmware SDK Version 2.3.0

Eurus_Primary_Phy Marvell_AP

DoSharedKeySeq1

mlmeAuthDoSharedKeySeq3

There is a new isolated SPU module in Firmware 3.50 which is not contained in older firmwares.

manu_info_spu_module.self (it stands for "manufacture information")

Just decrypted 1.80 debug firmware.
Contents of DEFAULT.SPP file are a little bit different.

In DEFAULT.SPP are stored different configuratons which are e.g. read by system manager during boot, e.g. LPAR parameters for LINUX, GameOS, PS2 Emulation. This file is managed by SPL (Secure Profile Loader).

CORE_OS_PACKAGE.pkg from 3.42 Firmware is now also decrypted :-)
And 1.10, the first firmware, also :-)

Here is a small snippet: http://pastie.org/1297704

Here is a snippet from 1.10: http://pastie.org/1297722

Here is a snippet from 3.50: http://pastie.org/1297727

Here is a snippet of BD Firmware 301R from Firmware 3.50: http://pastie.org/1297732

Finally, according to Sony PlayStation 3 hacker Mathieulh, from PS3 Firmware 3.50 onward a new additional root key of 0x30 bytes (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0.