Rumor: Sony PS3 Blu-ray Drive Emulation PCB in Development

[OGFRAKISTAN]

my question as always, any advatage to OFW 4.31 users on 3k slim consoles?

[PS3 News]

They are marketing it as being able to "run all your PS3 game backups in ISO format directly from any USB HDD no matter what PS3 firmware you have" according to the YouTube video, however, currently the required key extraction is limited to 3.55 or below models so if/when this materializes for 3.55+ consoles it may be useful to PlayStation 3 scene developers to examine.

Of course I'd hold off until the suckers blow their cash on it, then history will repeat itself once again with a free PS3 scene solution surfacing just like was done to the TB fixes, etc.

Their claim is that it can't be done without hardware (just like was stated and later debunked about the dongle), so why not release all the related diagrams, pin-outs/schematics, and a DIY parts list to an open source alternative for free if this is the case? They want to cash in once again is the most likely answer, however, as always good things come to those who wait.

[racer0018]

I would like to get a hold of them to see if i could test this and do a review on this. However when you go to their contact page nothing shows up when you type it in the areas. Oh well i guess we will have to wait and see. thanks

[elser1]

at least something new is around. i dont like the greed of these people, so i will wait for a diy solution. thanks!

[dsavage]

lol at this. screw these people, always looking to profit off the scene.

thank god for cfw.

[NTA]

haha. there has to be some bad for the good

[elser1]

don't you think its wrong for toids like this to profit from the piracy of legit game developers etc?

makes my skin crawl..

[kalberto]

video has been remove by user ? LOL

so we must select the games title from the display lcd BLACKBOX not from TV, so difficult not simple.. better to keep my CFW 355 as Duplex's suggestion

so the function of the 3k3y BLACKBOX is the same as Multiman's function for the choosing the games title. and the 3k3y PCB was the same function as a DISC to boot the games. WTF !!!

[PS3 News]

I have now added the PS3 3K3y Keydumper v1.00 / v1.01 for PS3 3.55-4.31 CFW to the main article for those interested alongside a note from zecoxao as follows:

Download: PS3 3K3y Keydumper v1.00 for PS3 3.55 CFW / PS3 3K3y Keydumper v1.00 Resigned for PS3 4.31 CFW by jarmster (Note: Leave a USB stick installed when you run the app, it puts a 1kb file called 3dump.bin on the stick containing the decrypted drive keys)

3k3y Ripp3r v1.01 Setup and User Guide: Windows software for ripping/decrypting/reencrypting PS3 disks. The user manual is included in the archive.

Changelog [2013-02-01]:

• Fixed a bug that affected encryption/decryption of very large files.

From zecoxao: I bet people didn't even touch the implementation of libeeid that naehrwert left us, and then these guys come, use flat_z's code to get the eid_root_key on hackables, and grab the necessary part of the code from libeeid to generate the eid4_key from it and decrypt the eid4. Bunch of freaking losers.

People, if you're that desperate to get the drive key (which is in eid4) just memdump eEID, get your eid_root_key with flatz's package and use my program which is adapted from naehrwert's code. you can even see for yourselves what's happening in the code. Don't forget to rename the eEID you get from your console's NOR/NAND to eid (without an extension) and place it on eid folder. same as key and iv (split them up with a hex editor).

You can then try that program and compare your decrypted eid4 with the pkg's dump, and realize it's the same crap.

Here we can see the keys used by the ripper (taken from: ps3devwiki.com/wiki/BD_Drive_Reverse_Engineering#Program and ps3devwiki.com/wiki/BD_Drive_Reverse_Engineering#Information_about_EID 4):

Code:

private byte[] IV1 = new byte[] { 0x22, 0x26, 0x92, 0x8d, 0x44, 3, 0x2f, 0x43, 0x6a, 0xfd, 0x26, 0x7e, 0x74, 0x8b, 0x23, 0x93 };
 private byte[] IV2 = new byte[] { 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
 private byte[] IV3 = new byte[] { 0x3b, 0xd6, 0x24, 2, 11, 0xd3, 0xf8, 0x65, 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
 private static byte[] Key1 = new byte[0x10];
 private static byte[] Key2 = new byte[0x10];
 private byte[] Key3 = new byte[] { 0x12, 0x6c, 0x6b, 0x59, 0x45, 0x37, 14, 0xee, 0xca, 0x68, 0x26, 0x2d, 2, 0xdd, 0x12, 210 };
 private byte[] Key4 = new byte[] { 0xd9, 0xa2, 10, 0x79, 0x66, 0x6c, 0x27, 0xd1, 0x10, 50, 0xac, 0xcf, 13, 0x7f, 0xb5, 1 };
 private byte[] Key5 = new byte[] { 0x19, 0x76, 0x6f, 0xbc, 0x77, 0xe4, 0xe7, 0x5c, 0xf4, 0x41, 0xe4, 0x8b, 0x94, 0x2c, 0x5b, 0xd9 };
 private byte[] Key6 = new byte[] { 80, 0xcb, 0xa7, 240, 0xc2, 0xa7, 0xc0, 0xf6, 0xf3, 0x3a, 0x21, 0x43, 0x26, 0xac, 0x4e, 0xf3 };
 private static byte[] Key7 = new byte[0x10];
 private static byte[] Key8 = new byte[0x10];

The keys are in eid4, and yes, we DO need to decrypt it, or else Sony would be the biggest bunch of retards.. the eid4 key is used to verify the cmac hash of the first 0x20 bytes. Naehrwert's code seems to prove this:

Code:

void aes_omac1(u8* output, u8* input, int len, u8* aes_key_data, int aes_key_bits)
      aes_omac1(digest, eid4, 0x20, indiv + INDIV_EID4_KEY_OFFSET, 0x100);
      if(memcmp(digest, eid4 + 0x20, AES_OMAC1_DIGEST_SIZE) != 0)
		printf("warning: eid4 hash check failed!\n");

omac1 basically spits out the digest of the secure communication channel keys. if you compare the digest with the last 16 bytes of eid4, it should match

Corrected some info. and apparently i was mistaken when i thought that 3Dump.bin contained the eid4 ENcrypted. it contains in fact eid4 DEcrypted. You still need to auth with the bd drive. that's the part Cobra/E3 figured out. we can do this normally with hacked consoles, but not with unhacked consoles.

So the ODE dumper package dumps the DEcrypted eid4, correct? now i understand. i was confused because i thought you said the eid4 ENcrypted was the same as 3Dump.bin.

From jarmster: The eid4 from running libeeid is a decrypted dump. The 3dump.bin is exactly the same. The eEID_Dumper.pkg dumps the encrypted eid4. And from the wiki: EID4 is of size 0x30 bytes: 0x0-0xf bytes = 1st key, 0x10-0x1f - 2nd key, 0x20-0x2f - CMAC-OMAC1 of EID4.

From haz367:

Code:

eid4 offset 303A0 - 303CF full nordump

eid4 only:

first key = 0-f (key1?)
sec key = 20-2f omac hash(required just as cex2dex convert to calculate usin omac's)

now for 3dump.bin: (= encrypted eid4(0-2f)+eid_root_key(30-5f)

3dump.bin

offset 0-1f = match original full nordump = offset 303a0-303bf (encrypted eid4)
offset 20-2f = sec key = match full nordump-encrypted eid4 = omac hash key
offset 30-5f = root_key per console key (also required to calculate+omac hash... real bdkey?

then we have zecoxao's program, it gives an erro on eid3 of missing stuff but it dumps also an "eid4d.bin"

offset 0-1f = decrypted eid4?! >>omac hash is match original nordump/encrypted eid4/3Dump.bin

should be different.. correct..?

From zadow28 on the 3K3y PKG file: pastebin.com/79V2KdTK

I'm not into VS very much, maybe the devs can have an look. It's the visual source/assembly code for the x3key ps3 software for pc. got there keys and even shows there iso disc codes, plus a lot more. I'm not an visual expert, so maybe there are some visual experts here. shows how the x3key acts like an Bulk. etc

The iso for x3key are crypted, so they only play with there tool.. the source for encrypting the iso are in there too.

From Abkarino (via Zadow28) comes the 3K3y Ripper (PC Software) hacked source code recovered, as follows:

Download: http://db.tt/0IfzsiN4 (Password: Abkarino) / 3K3y Ripper (PC Software) Binary and Source (Mirror: Password Removed)

This is a quick and dirty release for 3K3Y Ripper application including the full recovered source code. So you can build/modify your own version. All you will need is: .Net Framework Runtime v4.0

Message to 3K3Y Team: Do not steal glevand's work again Also do not forget to protect you applications using a good .Net protector like .Net Reactor to prevent me or any body else from recovering your codes. Hope that will help someone to do something useful in the future.

Regards.
Abkarino (Mohammed Hassan)

Finally, from 3Key: 3k3y IRD files 2013-03-15 is a collection of IRD (Iso Rebuild Data) files for 3k3y. Use them to convert PSJB game dumps to full PS3 ISO.

[PS3 News]

Below are some PS3 3K3y installation pictures for those interested.