Kill3r's PS3 Key Finder Proof Of Concept (POC) is Now Available
Following up on all the recent PlayStation 3 Keys leaked, today French developers [Register or Login to view links] and [Register or Login to view links] have made available a POC tool they call Kill3r's PS3 Keys Finder with details outlined below.
Many of you have questioned the ability of the tools to detect the correct pairs key / iv is why, following the leak of key appldr of these days, I release today bat files related keyset 0x13, 0x16, 0x19 and 0x1c for the 182 people who downloaded my PoC before the leak can realize this by themselves the proper functioning of this tool!
Finally, I would like to thank the two unique donors who have supported me in my project PS3 KEYS FINDER and show them all my gratitude: Thank you all 2!
launch the application to know the keyset (unless a big stroke of luck, you'll get a FAIL);
run the script equivalent to keyset;
This is a small PoC (Proof of Concept – proof that it is possible) that allows, among other things find the pair key / iv for EBOOTs games sold commercially (and thus the output patch 3.55). I release this PoC end of July and a few days later the keyset 3.60 was leaked showing that my PoC was indeed functional! After 3 months of silence, I take the release of key appldr to unite many people as possible about this project to no longer depend on a leak!
Kill3r administrator of PS-Addict, a french PS3 Hack Site, is developing PS3 Keys Finder, a project to find 3.60 + Keys, it is like Seti or Folding@Home, it uses computing power in NetWork, therefore, all people can help to find these Holy Keys, even if you know nothing about PS3 Hack...
Currently, the project is only a PoC. He only developed the first part of his project (Client Side).
Here is an interview in order to understand this PoC :
Winch03200 : Can you tell me more about this PoC, what is its function ?
Kill3r : This PoC serves to demonstrate that my PS3 Keys Finder project is viable. Indeed, it determines whether the couples of <key> and <iv> passed as parameters, will be allowed or not to decrypt a given EBOOT.BIN. This is the first part - the client side - of my PS3 Keys Finder project. This PoC allows a brute force attack on the last 5 characters of the key so it will test exactly 1048576 key in a few seconds.
Winch03200 : You said that this PoC is only the first part (the client part), what is the second part and can you tell me more ?
Kill3r : The second part - the server side - will host the intelligence of my program. Rather than resorting to a brute force attack that will testing stupidly all possible keys, I prefer generate certain probable keys that will answer more than two dozen different criteria ! Currently I work in parallel on a standalone version - and that will include client & server - and that will be more intended for very large configurations and other super-calculator !
I do not rule out the likely use of cloud computing even though financially I could not take this expense at my charge (I already paid about 300 € to make sure that i can access a supercomputer for the month of August). If patrons or donors wish to me (although it is only 2 €) thank you to contact me by MP - again I do not force anyone !
Winch03200 : We know that in the past you have been criticized a lot... So why you release your POC now ? Any particular reason ?
Kill3r : For more than a year, my idea for that project was a lot present in my mind without doing nothing. By this time, I never had the support expected ! I keep it for me and then what? But I prefer to show the direction and try to breathe new life to the scene... (PS3). Some people criticized me for my project even before I've had time to explain how it works, others have told me that I was not a true dev: this PoC is also a response to their criticism.
Winch03200 : Can you find all the 3.60 + keys with the second part ? If so can we expect a release of a cfw 3.60 + (maybe 4.11 CFW or 4.2X for being up to date) or a possible release of the keys ?
Kill3r : I think with the method I want to use, it will be possible to find all the keys in a SELF (key, iv, priv, pub ...) but not only this, it is also possible to obtain those of the LV1 / LV2 / SELF NPDRM ... You just have to be patient and hope that I will have enough time - and motivation - to continue to evolve this project and it will depend exclusively on the support that the readers bring !
Winch03200 : When does that last part of this project will be available and functional ?
Kill3r : To quote George Broussard: "when it's done". For the Standalone version (only for a handful of privileged): early August.
Using the PoC
Place the EBOOT.BIN of your Original Game next to PS3 Keys Finder.exe.
Click on Orginal FirmWare corresponding .bat of your EBOOT.BIN.
".bat" Correspondences :
0x01 : FirmWare 0.92-3.30
0x04 : FirmWare 3.40-3.42
0x07 : FirmWare 3.50
0x0a : FirmWare 3.55
0x0d : FirmWare 3.56
Finally, in related PS3 homebrew news today Mutagen (via ps3haxcz.com/viewtopic.php?f=15&t=1975#p8199) has released a [Register or Login to view links] ([Register or Login to view links]) with details below, as follows:
This is my program, where finding oficial update for game. Just put GameID and push button. Then just select the update and downloaded over the button.
Finally, from anonymous (via pastebin.com/M8tcNJG1), to quote: OK because i heard enough stupidity about a certain PS3 KeyFinder POC (making money with garbage and fishing fool). I understand many different language including Jap/French/KR (no i'm not MHL, not at all), now let's talk about the PS3 KeyFinder POC that is release.
It was a based work from another dev that release the source code (the guy who made the fake PS3 KeyFinder just rewrite the name of the c/h point, replacing words) using a cygwin base but anyway this poc is pretty useless as it doesn't work correctly (the kv point is completely wrong and will return a fake valid/error result)
As you know to find the private RSA Key you need to know how to manage the factor of a 1024Bit PKey (let's say more than billions different combinaison or even more)
Even with the best computer, it would be so difficult, remember that the private key used on the PS3 = army security...that's why is better to reverse-enginering/sniffing than
Brute forcing, remember that a lot of hacking help was from Sony JIG... and most of the free work came from graff.
Now let's talk about the real reason.
Here is the part of a commom project, just need to be compiled on a Linux Distro on the PS3 and it should be more useful than the small POC (also check the date of the exe file and you can debug/dissasemble with VS or Co, you should see many interesting information about the lier)
Ok back to the the MD5 Password brute force PS3, like i said it was part of a commom project (DaniŽl was working more on it, also Nick, Sam, Jess and me)but the problem came from Sony that remove the OtherOS (the brute force MD5 PS3 was useless) but as you know over year ago we discover how to put back the OtherOS, you should find the source code of the work we did
But anyway better to thanks DaniŽl for the big part of the job. The link of the source code MD5 Brute Force PS3 (you clearly need to compile this one with a linux distro installed on your PS3)
Now i'm going to finish with a revelation about the CFW 4.xx under a PS3 3K/4K (that a recent rumor saying you can install a certain cfw with a flasher) i don't really want to talk about it as is better safe to reproduce a 1:1 lvl sign (software direction) than use a flasher (hardware flash).
You can use a CFW on a PS3 3K/4K i already explain last time that you need to bypass the update checker (that is linked to the lv0.2 and some new loader security) for that you need to have a strong access to the Bootldr, we actually have this one but now we need to exploit it and we this one we will be able to make a 1:1 lvl sign that let us to bypass the security check and execute every pup we want on every version whatever about the new metldr/bootldr revision.
We have the access to the LV0 think about... the lV0 is next to the bootldr, the PS3 2K can help a lot to discover the booting point of the PS3 3K/4K because at the end is the same sequence (bootldr -> level loader) bootldr (bootldr2 is just the bootldr we know + lv0.2)
Yes have a factory mode on up than 4.xx/PS3 3K/4K but you need 2 different jig (sony have a new one not too different than the older one) (Presecure diag loader) and it works with a difficult method. Boot into safe mode, load the first jig, reboot, load the second jig... i have no more info about it.
Don't flash the PS3 3K/4K (anyway you can't dump it correctly, you will have a fake dump and it would give you false information with many zerobyte on it) remember that both of the 2 revision PS3 have a new motherboard, have no flasher that can dump... don't know why the people lie about it and say it works when is not, you need a new flasher and new fix point, also if you try to do it, it would return a internal error during the boot.
Yes i was working with graf in the past (but only for few stuff, i'm not a friend of him) i did my own part, but respect for him, can you please now recognize the hard work that graf did ? apparently not... i saw that good dev PS3 from the past leave good for bad (star fck ?) sorry for my bad word but is a fact, they make money with free work and that is too bad, as they really did some good job in the past and start to hide everything, well about hide i can understand but about hide open source stuff, still don't understand, like gitorious who make a repo (can be useful for many other dev or to help them to improve the code) that they only use in private
Be patient, be careful, be proud, watch this: youtube.com/watch?v=dsXp0JhyPZk
So i tried this.. and it fails every single time.. Even though I know the key for the eboot i am trying.. for some reason the last 4 bytes in the Key field are * unlike the pic above.. which i believe is causing this issue. not sure what the fix is for that. but clearly the app is not working or missing something.