Rumor: PS3 Master Key / Device Key Finally Uncovered?

[PS3 News]

Update #2: Now zAxis reports that the news of the PS3 Master Key was not legitimate after all.

Update: graf_chokolo has now confirmed he found the PS3 Master Key, and plans to release it publicly after PSGrade is updated with it and is spread!

Today Estx on xorloser's blog (linked above) has announced that he has uncovered the PS3 Master Key and will post it shortly, however, some users including phiren believe it is really the Device Key and are awaiting more details.

Below are some comment and code excerpts, as follows:

Estx: I’ve found the Masterkey from bruteforcing dumps from my system.

Took 27 minutes, over 8,100,000 possible keys. Lol – could’ve waited but ah well.

If anyone is interested in doing the same, you can find it on 3.41.

Code:

for(int i = 0; i < list.length; i++)
if(HMAC-SHA-1(key[i]).ComputeHash(encryptChallengeBody) == matchResponseBody)
{
Success;
}

Challenge and response I took from the dumps reported on psx-scene. If graf doesn't find it by tomorrow – I'll release the key. Only reason I'm holding it back – is because no one helped me when I asked for it. (;

phiren: Either your code you supplied is nothing like the actual code you used, or you managed to fluke the correct device key for the device that was used to generate that response, not the master key.

Estx: It’s just psuedo code. Actual code has a few more lines than this. Inclusive of byte conversion, list generating from binary dumps and other trivial functions.

I have no way to dump the data between my at90usb192 and PS3 so I can’t post any challenge/response logs.

And it’s not a magic key – it is the master key. I have tried it so far from 3.41 and 3.50 on my slim and fat.

That’s the actual loop there: http://www.pastie.org/1346409

Code:

for(int i = 0; i < lineArray.Length; i++)
			{
				Console.WriteLine("Trying {0}", lineArray[i]);
				dummyKey = strToByt(lineArray[i]);
				hSha1 = new HMACSHA1(dummyKey);
				
				rcv = hSha1.ComputeHash(encryptMe);
				
				if(rcv == matchMe)
				{
					Console.WriteLine("Success is mine.");
					Console.WriteLine("\nMaster Key\n");
					Console.WriteLine("HEX: (" + rcv.Length.ToString() + " bytes)\n" + formatString(BitConverter.ToString(rcv).Replace("-"," ")));
					return;
				}
			}

Prior to this is generation of the list etcetera.

phiren: I’m thinking more of the code which does an SHA1-HMAC between the master key and the dongle ID to generate the device key which is finally SHA1-HMACed with the challenge. A single device key will work on all firmware versions, which makes it just as useful as the master key for our purposes.

It just means that Sony can revoke that single device and you can’t possibly generate another device key. But since Sony will probably revoke every single device and start again with a new master key with the next firmware version, having the master key isn’t that useful.

Estx: That’s what I was thinking as I was learning how to generate the correct response before constructing a quick loop. The expected response is 20 bytes of what you suggested above.

I’ve found no other use of the master key yet.. so you’re quite right. Mind you, I’m not as talented as some of the other developers here, I’m still playing around with new things I’m finding in the firmware’s. And thank’s to graf’s work – there’s even more to play around with.


More PlayStation 3 News...

[evilsperm]

Calling BS 27 mins... lmfao this is just too damn funny, someone can go ahead and do the math on how long it would actually take to brute force a key and by all means you can factor in luck if you really want because I would love to see 27 mins.

[DeViL303]

Wow, If this is really true then this has been an extra busy productive week for PS3 hackers, great progress, keep up the good work guys but ill wait for conclusive proof too! The layers of Sony's security do just keep falling though, what next I wonder! I wouldnt be surprised if a full-on open source downgrader is on the way before next week!

[al5911]

Damn it!!! If this is real then CFW is on da' way. You're such one lucky dude... but why not just sharing it for a proof??

[PS3 News]

I guess we'll know soon enough, eh? Estx stated: "If graf doesn't find it by tomorrow – I'll release the key."

Damn it!!! If this is real then CFW is on da' way. You're such one lucky dude... but why not just sharing it for a proof??

This was his explanation on why, for what it's worth: "Only reason I'm holding it back – is because no one helped me when I asked for it. (;"

[spark32]

Calling BS 27 mins... lmfao this is just too damn funny, someone can go ahead and do the math on how long it would actually take to brute force a key and by all means you can factor in luck if you really want because I would love to see 27 mins.

8,100,000posibilities/27mins/300,000% Luck
=
3

Which means it's a 1 in 3 chance of getting it when you factor in the 300,000% BS.

[Bishoff]

well, the guy will either lose all credibility or gain a lot of fame shortly... let's wait and see.

[DeViL303]

Ya he must have been real lucky , to test half that amount of keys he would need to be doing 2500 a second!

[al5911]

Let's hope he is telling the truth or he'll RIP. If it is true then S.C.E will RIP and to S.C.E, you guy can start working on your PS4...

[xMotorhead]

Come on man, make my day~!