Fail0verflow PS3 Tools, GeoHot METLDR Root Key, GT5 Decrypted!

Category: PS3 Hacks & JailBreak  By: DaedalusMinion - (ps3news.com)

124w ago - Update #2: GeoHot has now released GeoHot_1st.self (first signed PS3 homebrew on Firmware 3.55) and Lv2diag.self (also Lv2diag.elf in ELF format) stating the following: "...and this is a real self, hello world although it's not NPDRM, so it won't run off the hard drive. shouts to the guys who did PSL1GHT. without you, I couldn't release this. first piece of homebrew you can run, put in service mode, put on usb stick, boot."

Next up, Ifcaro has released PUPView BETA, to quote roughly translated: "PUPView is a GUI application used to view and extract the contents of the PUP update files for the PlayStation 3. At the moment it will only permit you to extract, but I also have plans to simplify the creation of new PUP files thanks to the new keys released."

In other PS3 hacking news today, KaKaRoToKs has released a PS3 PUP Packing Tool, a PS3 OFW to CFW Script and Fix_TAR for PS3 Packages, and superG has released Gpup v1.00 (Win32 PUP Extractor/Packer) (Gpup v1.00 ELF) alongside Gpup v1.00 (Linux PUP Extractor/Packer).

In more news, DeViL303 announced that TeaM-Acid1C has a PS3 Hybrid PUP WIP which installs on Retail PlayStation 3 consoles and is currently offering it to select testers, inf1 posted a PS3 3.15 FW UPDATE DISKDUMP on IRC, fisacom made available a Hedit Automated Build Script and pojiku shared a PS3 EBOOT Decrypter Frontend for Unself (Includes Unself + Keys).

Finally, fail0verflow has made available both a PS3 SPU emulator and their 27C3 PS3 NOR flasher tweeting the following about them: "our SPU emulator, works fine on most loaders: http://git.fail0verflow.com/?p=anergistic.git. Pushed a repo with the PS3 NOR flasher stuff we used at 27C3: http://goo.gl/LTD1p (sadly you need to adapt it to your own board)" and NORalizer with the PS3 NOR test points is available.

Update: Veritas? and others now have Tales of Graces F, Need for Speed: Hot Pursuit, Gran Turismo 5, and Harry Potter and the Deathly Hallows Part 1 working with rewritten v3.50 PS3 Game EBOOT files on Firmware 3.41 for PlayStation 3 JailBreak users! To quote:

This guide requires you to have some knowledge of how the SELF and ELF file formats are laid out. I don't have a quick tool to do this for me, but it takes maybe 5 minutes of my time to do it by hand.

1. Open EBOOT.BIN in a hex editor of your preference.
2. In EBOOT.BIN, look at the SELF control info, if you see anything resembling the game titleid, it's an NPDRM SELF and this guide won't work, give up.
3. Use readself on EBOOT.BIN to get information about the encrypted metadata sections.
4. Unself EBOOT.BIN eboot.elf
5. Open eboot.elf in a hex editor of your preference.
6. In eboot.elf, go to every encrypted metadata section (now decrypted), copy its data, and replace the encrypted data in EBOOT.BIN.
7. In EBOOT.BIN, change SELF header to indicate it's FSELF.
8. In EBOOT.BIN, change SELF section headers that are marked as encrypted to say they are not encrypted.
9. If the game is a newer SDK version (like GT5, which is 3.50), in EBOOT.BIN, find the .sys_proc_param segment and change the SDK version to something earlier, such as 3.41. This will probably cause crashes in games that actually use newer SDK features that are not available in earlier SDK versions.
10. Save EBOOT.BIN
11. Cross fingers, run game, hope it works.
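The hex-editor steps above can be scripted once the SCE/SELF header layout is known. The following Python is an added example written for this page, not code from fail0verflow's ps3tools or from the author of the guide. It parses the big-endian SCE header (magic, key revision, type, header length), the SELF header offsets and the section-info table, refuses NPDRM images (a type-3 control-info entry, the same thing step 2 detects by spotting the title ID), then performs steps 6 to 8 on an in-memory image. It assumes the layout and flag values as ps3tools' make_fself and readself use them (key revision 0x8000 marks an fself; section-info "encrypted" field 1 = encrypted, 2 = plain; "compressed" 2 = zlib) and that unself writes each segment at its SELF offset minus the header length. The sample SELF and ELF it builds are constructed stand-ins, not Sony images; step 9 (the .sys_proc_param SDK version) is not covered.

```python
import struct

SCE_MAGIC = b"SCE\0"
SCE_TYPE_SELF = 1
KEY_REVISION_FSELF = 0x8000     # value make_fself writes at 0x08 to mark a fake-signed SELF (assumed)
SEC_ENCRYPTED, SEC_PLAIN = 1, 2  # section-info "encrypted" field, readself convention (assumed)
SEC_COMPRESSED = 2               # section-info "compressed" field: 2 = zlib, 1 = plain (assumed)
CTRL_NPDRM = 3                   # control-info type carrying the NPDRM block (title id, licence type)


def sce_header(buf):
    """First 0x20 bytes of any SCE file, big-endian."""
    magic, ver, key_rev, typ, meta_off, hdr_len, data_len = struct.unpack_from(">4sIHHIQQ", buf, 0)
    if magic != SCE_MAGIC:
        raise ValueError("not an SCE file")
    return dict(version=ver, key_revision=key_rev, type=typ, metadata_offset=meta_off,
                header_len=hdr_len, data_len=data_len)


def self_header(buf):
    """SELF header at 0x20: header type, then offsets of the embedded ELF pieces."""
    names = ("header_type", "appinfo", "elf_header", "phdr", "shdr",
             "secinfo", "sceversion", "ctrlinfo", "ctrlinfo_size")
    return dict(zip(names, struct.unpack_from(">9Q", buf, 0x20)))


def section_infos(buf):
    """One 0x20-byte entry per ELF program header (e_phnum is read from the ELF64 header)."""
    sh = self_header(buf)
    phnum = struct.unpack_from(">H", buf, sh["elf_header"] + 0x38)[0]
    entries = []
    for i in range(phnum):
        off, size, comp, _, _, enc = struct.unpack_from(">QQIIII", buf, sh["secinfo"] + i * 0x20)
        entries.append(dict(offset=off, size=size, compressed=comp, encrypted=enc))
    return entries


def is_npdrm(buf):
    """Step 2 without a hex editor: walk the control-info chain looking for a type-3 entry."""
    sh = self_header(buf)
    pos, end = sh["ctrlinfo"], sh["ctrlinfo"] + sh["ctrlinfo_size"]
    while pos + 0x10 <= end:
        typ, size, _next = struct.unpack_from(">IIQ", buf, pos)
        if typ == CTRL_NPDRM:
            return True
        if size == 0:
            break
        pos += size
    return False


def to_fself(self_bytes, elf_bytes):
    """Steps 6-8: splice decrypted segment data back in, flag each section plain, mark the image fself."""
    sce = sce_header(self_bytes)
    if sce["type"] != SCE_TYPE_SELF:
        raise ValueError("not a SELF")
    if is_npdrm(self_bytes):
        raise ValueError("NPDRM SELF: this conversion does not apply")
    out = bytearray(self_bytes)
    secinfo_off = self_header(self_bytes)["secinfo"]
    for i, sec in enumerate(section_infos(self_bytes)):
        if sec["encrypted"] != SEC_ENCRYPTED:
            continue
        if sec["compressed"] == SEC_COMPRESSED:
            raise ValueError("segment %d is compressed; unself inflates it, so a byte copy is not size-preserving" % i)
        # unself drops the SCE/SELF headers, so segment i sits at (offset - header_len) in the ELF
        src = sec["offset"] - sce["header_len"]
        out[sec["offset"]:sec["offset"] + sec["size"]] = elf_bytes[src:src + sec["size"]]
        struct.pack_into(">I", out, secinfo_off + i * 0x20 + 0x1C, SEC_PLAIN)
    struct.pack_into(">H", out, 0x08, KEY_REVISION_FSELF)
    return bytes(out)


def build_sample():
    """Constructed toy SELF plus the ELF unself would produce from it; not a real Sony image."""
    hdr_len, secinfo_off, ctrl_off = 0x200, 0x140, 0x180
    img = bytearray(0x250)
    struct.pack_into(">4sIHHIQQ", img, 0, SCE_MAGIC, 2, 4, SCE_TYPE_SELF, 0x1B0, hdr_len, 0x50)
    struct.pack_into(">9Q", img, 0x20, 3, 0x70, 0x90, 0xD0, 0, secinfo_off, 0x1B0, ctrl_off, 0x30)
    struct.pack_into(">QIIQQ", img, 0x70, 0x1010000001000003, 0x01000002, 4, 0x0003004100000000, 0)
    img[0x90:0x94] = b"\x7fELF"
    struct.pack_into(">H", img, 0x90 + 0x38, 2)            # e_phnum = 2
    for i, (off, size, enc) in enumerate([(0x200, 0x20, SEC_ENCRYPTED), (0x240, 0x10, SEC_PLAIN)]):
        struct.pack_into(">QQIIII", img, secinfo_off + i * 0x20, off, size, 1, 0, 0, enc)
    struct.pack_into(">IIQ", img, ctrl_off, 1, 0x30, 0)     # flags control info only, no NPDRM entry
    img[0x200:0x220] = bytes(range(0xA0, 0xC0))             # stands in for the ciphertext
    img[0x240:0x250] = b"PLAINSEGMENT0001"
    elf = bytearray(0x50)
    elf[0x00:0x20] = b"DECRYPTED_SEGMENT_ZERO".ljust(0x20, b"_")
    elf[0x40:0x50] = b"PLAINSEGMENT0001"
    return bytes(img), bytes(elf)


if __name__ == "__main__":
    self_img, elf_img = build_sample()
    fixed = to_fself(self_img, elf_img)
    print("key revision 0x%04x -> 0x%04x" % (sce_header(self_img)["key_revision"], sce_header(fixed)["key_revision"]))
    for i, sec in enumerate(section_infos(fixed)):
        print("segment %d @ 0x%x size 0x%x encrypted=%d" % (i, sec["offset"], sec["size"], sec["encrypted"]))
```

On a real pair, call to_fself with the bytes of EBOOT.BIN and of the eboot.elf that unself produced, write the result out, and compare readself output before and after: the section table should now show every segment as plain and the key revision as 0x8000.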

Since the 27C3 Conference the PS3 has been completely hacked with a variety of PS3 decrypters and PS3 keys made available, and today fail0verflow has released their Beta PS3 Tools along with GeoHot releasing the PS3 METLDR root key and GT5 for PlayStation 3 finally being decrypted!

Downloads: PS3 Tools / PS3 Tools (GIT Dump) / PS3 Tools (MAC) by MrKai / PS3 Firmware Toolbox v1.0 and PS3 Firmware Toolbox v1.1 by Chossy / PS3 Tools (Win32) by user / PS3 3.15 / 3.41 / 3.50 lv2 app/iv keys / PS3 3.55 lv1 key / PS3 3.55 lv1 iv / C Arrays by RMS / PS3 Decryption Pack, PS3 Decryption Pack r1, PS3 Decryption Pack r2, PS3 Decryption Pack r3, PS3 Decryption Pack r4, PS3 Decryption Pack r5, and PS3 Decryption Pack r6 from Xtse / NFS Hot Pursuit PS3 3.41 Working EBOOT.BIN / PS3 Key List.xls / PS3 Key List SpreadSheet / PS3 Keys / PS3Keys GIT / How to Decrypt PS3 EBOOT.BIN or SELF Files in Windows

AerialX also released SCEkrit and SCEkrit v1.01, which can be useful in obtaining the needed 'private' keys for signing PS3 homebrew, followed by SCEkrit (Win32) via Nicksasa. So, who wants to sign application SELFs?

app-priv-rev1: 00 3d e8 01 67 d2 f0 e9 d3 0f 21 45 14 4a 55 8d 11 74 f5 41 0c

SCEkrit, a tool for obtaining private Sony keys: http://pastie.org/1425653

PS3 METLDR Root Key:

erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19

R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

~geohot

props to fail0verflow for the asymmetric half. no donate link, just use this info wisely. i do not condone piracy. if you want your next console to be secure, get in touch with me. any of you 3. it'd be fun to be on the other side.

GeoHot also stated the following: "No plans for CFW, and btw PSJailbreak team already won the signed PUP contest. Or me if you believe in 3.21OO

Although I do have other plans possibly, perhaps a 3.55 hello world by the end of the day. Hell, perhaps I'll go out and buy GT5 just to show off homebrew and GT5.

Perhaps CFW isn't the way to go, we can create official apps, aside from piracy purposes (which I despise), why do we need a CFW? How about something like Cydia for the PS3?"

Summary of what each PS3 Tool does:

  • makepkg: Creates PKG files
  • makeself: Creates SELF files (from ELFs)
  • norunpack: Extracts data from a NOR flash dump (like the PS3 flash)
  • puppack: Makes PlayStation Update files (PUP)
  • pupunpack: Unpacks PUP files
  • readself: Reads a SELF and prints information about it
  • sceverify: Checks and verifies Sony-signed files
  • unpkg: Decrypts and extracts PKG files
  • unself: Converts a SELF back to an ELF

From Mathieulh, who also noted he found the PSP Master Keys on the PS3 via IRC today: here is how some start: d76aa478... (HMAC key), 428a2f98... (AES key), 004080c01b5b9b... (AES key), 9802c4e6ec... (AES key) And so on... Want kirk keys? 1. Go to /dev_flash/pspemu/release/emulator_drm.sprx, decrypt it. 2. Get spu_handler.isoself, decrypt it, grab keys. 3. Profit.

Here for the sake of it, isoldr keys:

PS3 1.00-3.30 isoldr keys:

erk: 8860D0CFF4D0DC688D3223321B96B59A777E6914961488E07048DAECB020ECA4
riv: C82D015D46CF152F1DD0C16F18B5B1E5

PS3 3.55 isoldr keys:

erk: BDB74AA6E3BA2DC10B1BD7F17198399A158DBE1FA0BEA68C90FCACBE4D04BE37
riv: 0207A479B1574F8E7F697528F05D5435

Keys I grabbed off 1.00 appldr: revision 0 keys, used from 0.80 to 0.92:

erk-rev0 95F50019E7A68E341FA72EFDF4D60ED376E25CF46BB48DFDD1F080259DC93F04
riv-rev0 4A0955D946DB70D691A640BB7FAECC4C

Revision 1 keys used from 0.95 to 3.31 and in updaters:

erk-rev1 79481839C406A632BDB4AC093D73D99AE1587F24CE7E69192C1CD0010274A8AB
riv-rev1 6F0F25E1C8C4B7AE70DF968B04521DDA

Unknown keys, seem not to be in use:

erk-unk1 4F89BE98DDD43CAD343F5BA6B1A133B0A971566F770484AAC20B5DD1DC9FA06A
riv-unk1 90C127A9B43BA9D8E89FE6529E25206F

erk-unk2 AAC20B5DD1DC9FA06A90C127A9B43BA9D8E89FE6529E25206F8CA6905F46148D
riv-unk2 7D8D84D2AFCEAE61B41E6750FC22EA43

erk-unk3 D91166973979EA8694476B011AC62C7E9F37DA26DE1E5C2EE3D66E42B8517085
riv-unk3 DC01280A6E46BC674B81A7E8801EBE6E

erk-unk4 F9EDD0301F770FABBA8863D9897F0FEA6551B09431F61312654E28F43533EA6B
riv-unk4 A551CCB4A42C37A734A2B4F9657D5540

Extra keys grabbed from 3.55 appldr:

C1E6A351FCED6A0636BFCB6801A0942DB7C28BDFC5E0A053A3F52F52FCE9754E
E0908163F457576440466ACAA443AE7C

838F5860CF97CDAD75B399CA44F4C214CDF951AC795298D71DF3C3B7E93AAEDA
B2E924D182BB0D69844ADC4ECA5B1F14

C109AB56593DE5BE8BA190578E7D8109346E86A11088B42C727E2B793FD64BDC
15D3F191295C94B09B71EBDE088A187A

6DFD7AFB470D2B2C955AB22264B1FF3C67F180983B26C01615DE9F2ECCBE7F41
24BD1C19D2A8286B8ACE39E4A37801C2

erk-rev7: 945B99C0E69CAF0558C588B95FF41B232660ECB017741F3218C12F9DFDEEDE55
riv-rev7: 1D5EFBE7C5D34AD60F9FBC46A5977FCE

2C9E8969EC44DFB6A8771DC7F7FDFBCCAF329EC3EC070900CABB23742A9A6E13
5A4CEFD5A9C3C093D0B9352376D19405

F69E4A2934F114D89F386CE766388366CDD210F1D8913E3B973257F1201D632B
F4D535069301EE888CC2A852DB654461

29805302E7C92F204009161CA93F776A072141A8C46A108E571C46D473A176A3
5D1FAB844107676ABCDFC25EAEBCB633

A4C97402CC8A71BC7748661FE9CE7DF44DCE95D0D58938A59F47B9E9DBA7BFC3
E4792F2B9DB30CB8D1596077A13FB3B5

9814EFFF67B7074D1B263BF85BDC8576CE9DEC914123971B169472A1BC2387FA
D43B1FA8BE15714B3078C23908BB2BCA

BB31DF9A6F62C0DF853075FAA65134D9CE2240306C1731D1F7DA9B5329BD699F
263057225873F83940A65C8C926AC3E4

8E737230C80E66AD0162EDDD32F1F774EE5E4E187449F19079437A508FCF9C86
7AAECC60AD12AED90C348D8C11D2BED5

F9EDD0301F770FABBA8863D9897F0FEA6551B09431F61312654E28F43533EA6B
A551CCB4A42C37A734A2B4F9657D5540

From user on the PS3 Toolbox contents: Here is a little pre-compiled windows toolkit for your decryption needs. All yet available keys are included! credits: geohot, ooPo, mathieulh, waninkoko

This kit contains cygwin compiled versions of tools made by the above mentioned devs. Thanks for the keys, too. I did some slight changes on decrypt-self to support key files. Source code is included...

Usage:

decrypt-self.exe

	decrypts self files
	Usage: decrypt-self {self file} {elf file} {key file} {fix}	
	self file: file you want to decrypt
	elf file: your output file
	key file: use one of the included (e.g. "315.appkey")
	               all x**.appkey files are unknown fw numbers
	               find out on your own 
	fix: 0 (zero)

read-self.exe

	shows self info
	Usage: read-self {self file}
	self file: file you want to decrypt

rebuild-self.exe

	rebuild self?
	Usage: rebuild-self {self file} {elf file}

pup_unpack.exe

	unpack pup  files (get core_os_package.pkg, etc.)
	Usage: pup_unpack (unknown) {directory}
	filename: your pup
	directory: destination for pup contents

fwpkg.exe

	decrypt pkgs (you extracted with pup_unpack)
	Usage: fwpkg {mode} {input file} {output file}
	Mode:  - e: Encrypt PKG
	          - d: Decrypt PKG
	input file: your crypted pkg
	output file: decrypted output

coreos_tool.exe

	extracts/rebuilds the decrypted CORE_OS_PACKAGE
	Pack CoreOS  : coreos_tool p {output pkg} {files...}
	Unpack CoreOS: coreos_tool u {decrypted CORE_OS_PACKAGE.pkg}

key files:

	first 32 bytes: erk
	last 16 bytes: riv

From netkas on GT5 PS3 decryption:

thx to geohot metldr keys i was able to find the 3.5 appldr key, decrypted vsh.self and one of the 3.50 keys games with it, it's real!

PS3 3.50 keys:

erk: 94 5b 99 c0 e6 9c af 05 58 c5 88 b9 5f f4 1b 23 26 60 ec b0 17 74 1f 32 18 c1 2f 9d fd ee de 55
riv: 1d 5e fb e7 c5 d3 4a d6 0f 9f bc 46 a5 97 7f ce

PS3 3.41 keys:

erk: 83 8f 58 60 cf 97 cd ad 75 b3 99 ca 44 f4 c2 14 cd f9 51 ac 79 52 98 d7 1d f3 c3 b7 e9 3a ae da
riv: 7f db b2 e9 24 d1 82 bb 0d 69 84 4a dc 4e ca 5b

From inf on IRC: I've found 3.41/3.50 keys but 3.55 not working for me, should be.

A0 9B 58 A6 12 B9 F4 C1 34 51 A1 B8 1C 94 AB F8 
42 3E D7 6A 96 27 1A 72 23 94 F0 DD 04 2B A2 CA 
A4 1A 56 71 77 A8 B5 00 23 5C 74 49 58 42 BF 20

From codetwink:

PS3 3.55 keys:

PS3 Keys: extracted from appldr v3.55:

erk-000: 95F50019E7A68E341FA72EFDF4D60ED376E25CF46BB48DFDD1F080259DC93F04
iv-000: 4A0955D946DB70D691A640BB7FAECC4C

erk-001: 79481839C406A632BDB4AC093D73D99AE1587F24CE7E69192C1CD0010274A8AB
iv-001: 6F0F25E1C8C4B7AE70DF968B04521DDA

erk-002: 4F89BE98DDD43CAD343F5BA6B1A133B0A971566F770484AAC20B5DD1DC9FA06A
iv-002: 90C127A9B43BA9D8E89FE6529E25206F

erk-003: C1E6A351FCED6A0636BFCB6801A0942DB7C28BDFC5E0A053A3F52F52FCE9754E
iv-003: E0908163F457576440466ACAA443AE7C

erk-004: 838F5860CF97CDAD75B399CA44F4C214CDF951AC795298D71DF3C3B7E93AAEDA
iv-004: 7FDBB2E924D182BB0D69844ADC4ECA5B

erk-005: C109AB56593DE5BE8BA190578E7D8109346E86A11088B42C727E2B793FD64BDC
iv-005: 15D3F191295C94B09B71EBDE088A187A

erk-006: 6DFD7AFB470D2B2C955AB22264B1FF3C67F180983B26C01615DE9F2ECCBE7F41
iv-006: 24BD1C19D2A8286B8ACE39E4A37801C2

erk-007: 945B99C0E69CAF0558C588B95FF41B232660ECB017741F3218C12F9DFDEEDE55
iv-007: 1D5EFBE7C5D34AD60F9FBC46A5977FCE

erk-008: 2C9E8969EC44DFB6A8771DC7F7FDFBCCAF329EC3EC070900CABB23742A9A6E13
iv-008: 5A4CEFD5A9C3C093D0B9352376D19405

erk-009: F69E4A2934F114D89F386CE766388366CDD210F1D8913E3B973257F1201D632B
iv-009: F4D535069301EE888CC2A852DB654461

erk-010: 29805302E7C92F204009161CA93F776A072141A8C46A108E571C46D473A176A3
iv-010: 5D1FAB844107676ABCDFC25EAEBCB633

erk-011: A4C97402CC8A71BC7748661FE9CE7DF44DCE95D0D58938A59F47B9E9DBA7BFC3
iv-011: E4792F2B9DB30CB8D1596077A13FB3B5

erk-012: 9814EFFF67B7074D1B263BF85BDC8576CE9DEC914123971B169472A1BC2387FA
iv-012: D43B1FA8BE15714B3078C23908BB2BCA

erk-013: 95F50019E7A68E341FA72EFDF4D60ED376E25CF46BB48DFDD1F080259DC93F04
iv-013: 4A0955D946DB70D691A640BB7FAECC4C

erk-014: 79481839C406A632BDB4AC093D73D99AE1587F24CE7E69192C1CD0010274A8AB
iv-014: 6F0F25E1C8C4B7AE70DF968B04521DDA

erk-015: 4F89BE98DDD43CAD343F5BA6B1A133B0A971566F770484AAC20B5DD1DC9FA06A
iv-015: 90C127A9B43BA9D8E89FE6529E25206F

erk-016: C1E6A351FCED6A0636BFCB6801A0942DB7C28BDFC5E0A053A3F52F52FCE9754E
iv-016: E0908163F457576440466ACAA443AE7C

erk-017: 838F5860CF97CDAD75B399CA44F4C214CDF951AC795298D71DF3C3B7E93AAEDA
iv-017: 7FDBB2E924D182BB0D69844ADC4ECA5B

erk-018: C109AB56593DE5BE8BA190578E7D8109346E86A11088B42C727E2B793FD64BDC
iv-018: 15D3F191295C94B09B71EBDE088A187A

erk-019: 6DFD7AFB470D2B2C955AB22264B1FF3C67F180983B26C01615DE9F2ECCBE7F41
iv-019: 24BD1C19D2A8286B8ACE39E4A37801C2

erk-020: 945B99C0E69CAF0558C588B95FF41B232660ECB017741F3218C12F9DFDEEDE55
iv-020: 1D5EFBE7C5D34AD60F9FBC46A5977FCE

erk-021: 2C9E8969EC44DFB6A8771DC7F7FDFBCCAF329EC3EC070900CABB23742A9A6E13
iv-021: 5A4CEFD5A9C3C093D0B9352376D19405

erk-022: F69E4A2934F114D89F386CE766388366CDD210F1D8913E3B973257F1201D632B
iv-022: F4D535069301EE888CC2A852DB654461

erk-023: 29805302E7C92F204009161CA93F776A072141A8C46A108E571C46D473A176A3
iv-023: 5D1FAB844107676ABCDFC25EAEBCB633

erk-024: A4C97402CC8A71BC7748661FE9CE7DF44DCE95D0D58938A59F47B9E9DBA7BFC3
iv-024: E4792F2B9DB30CB8D1596077A13FB3B5

erk-025: 9814EFFF67B7074D1B263BF85BDC8576CE9DEC914123971B169472A1BC2387FA
iv-025: D43B1FA8BE15714B3078C23908BB2BCA

erk-026: BB31DF9A6F62C0DF853075FAA65134D9CE2240306C1731D1F7DA9B5329BD699F
iv-026: 263057225873F83940A65C8C926AC3E4

erk-027: 8E737230C80E66AD0162EDDD32F1F774EE5E4E187449F19079437A508FCF9C86
iv-027: 7AAECC60AD12AED90C348D8C11D2BED5

erk-028: F9EDD0301F770FABBA8863D9897F0FEA6551B09431F61312654E28F43533EA6B
iv-028: A551CCB4A42C37A734A2B4F9657D5540

PS3 Keys: extracted from appldr v3.55 (Duplicates Removed):

erk-000: 95F50019E7A68E341FA72EFDF4D60ED376E25CF46BB48DFDD1F080259DC93F04
iv-000: 4A0955D946DB70D691A640BB7FAECC4C

erk-001: 79481839C406A632BDB4AC093D73D99AE1587F24CE7E69192C1CD0010274A8AB
iv-001: 6F0F25E1C8C4B7AE70DF968B04521DDA

erk-002: 4F89BE98DDD43CAD343F5BA6B1A133B0A971566F770484AAC20B5DD1DC9FA06A
iv-002: 90C127A9B43BA9D8E89FE6529E25206F

erk-003: C1E6A351FCED6A0636BFCB6801A0942DB7C28BDFC5E0A053A3F52F52FCE9754E
iv-003: E0908163F457576440466ACAA443AE7C

erk-004: 838F5860CF97CDAD75B399CA44F4C214CDF951AC795298D71DF3C3B7E93AAEDA
iv-004: 7FDBB2E924D182BB0D69844ADC4ECA5B

erk-005: C109AB56593DE5BE8BA190578E7D8109346E86A11088B42C727E2B793FD64BDC
iv-005: 15D3F191295C94B09B71EBDE088A187A

erk-006: 6DFD7AFB470D2B2C955AB22264B1FF3C67F180983B26C01615DE9F2ECCBE7F41
iv-006: 24BD1C19D2A8286B8ACE39E4A37801C2

erk-007: 945B99C0E69CAF0558C588B95FF41B232660ECB017741F3218C12F9DFDEEDE55
iv-007: 1D5EFBE7C5D34AD60F9FBC46A5977FCE

erk-008: 2C9E8969EC44DFB6A8771DC7F7FDFBCCAF329EC3EC070900CABB23742A9A6E13
iv-008: 5A4CEFD5A9C3C093D0B9352376D19405

erk-009: F69E4A2934F114D89F386CE766388366CDD210F1D8913E3B973257F1201D632B
iv-009: F4D535069301EE888CC2A852DB654461

erk-010: 29805302E7C92F204009161CA93F776A072141A8C46A108E571C46D473A176A3
iv-010: 5D1FAB844107676ABCDFC25EAEBCB633

erk-011: A4C97402CC8A71BC7748661FE9CE7DF44DCE95D0D58938A59F47B9E9DBA7BFC3
iv-011: E4792F2B9DB30CB8D1596077A13FB3B5

erk-012: 9814EFFF67B7074D1B263BF85BDC8576CE9DEC914123971B169472A1BC2387FA
iv-012: D43B1FA8BE15714B3078C23908BB2BCA

erk-026: BB31DF9A6F62C0DF853075FAA65134D9CE2240306C1731D1F7DA9B5329BD699F
iv-026: 263057225873F83940A65C8C926AC3E4

erk-027: 8E737230C80E66AD0162EDDD32F1F774EE5E4E187449F19079437A508FCF9C86
iv-027: 7AAECC60AD12AED90C348D8C11D2BED5

erk-028: F9EDD0301F770FABBA8863D9897F0FEA6551B09431F61312654E28F43533EA6B
iv-028: A551CCB4A42C37A734A2B4F9657D5540

From Marcan42: "We (fail0verflow) discovered and released two things:

* An exploit in the revocation list parsing, enabling us to dump a bunch of loaders, and thus their decryption keys
* A humongous screwup by Sony, enabling us to calculate their private signing keys for all of those loaders, and thus sign anything to be loaded by those loaders

We used these techniques to obtain encryption, public, and private keys for lv2ldr, isoldr, the spp verifier, the pkg verifier, and the revocation lists themselves. We could've obtained appldr, (the loader used to load games and apps), but chose not to, since we are not interested in app-level stuff and that just helps piracy. We didn't have lv1ldr, but due to the way lv1 works, we could gain control of it early in the boot process through isoldr, so effectively we also had lv1 control.

With these keys we could decrypt firmware and sign our own firmware. And since the revocation is useless and the lame "anti-downgrade" protection is also easily bypassed, this already enables hardware-based hacks and downgrades forever. Basically, homebrew/Linux on every currently manufactured PS3, through software means now, and through hardware means (flasher/modchip) forever, regardless of what Sony tries to do with future firmwares.

The root of all of the aforementioned loaders is metldr, which remained elusive. Then Geohot announced that he had broken into metldr (with an exploit, analogous to the way we exploited lv2ldr to get its keys) and was thus able to apply our techniques one level higher in the loader chain. He has released the metldr keyset (with the private key calculated using our attack), but not the exploit method that he used.

The metldr key does break the console's security even more (especially with respect to newer, future firmwares - and thus also piracy of newer games), and also makes some things require fewer workarounds. Geohot clearly did a good job finding an exploit in it, but considering a) he used our key recovery attack verbatim, and b) he found his exploit right after our talk, so he was clearly inspired by something we said when we explained ours, I think we deserve a little more credit than we're getting for this latest bit of news.

There's still bootldr and lv0, which are used at the earliest point during the PS3 boot process. These remain secure, but likely mean little for the PS3 security at this stage"

Comments (440 in the forum thread)

#430 - moja - 123w ago
Lol, thanks for the feedback Phreon. Yeah, I feel like doing a hulk smash on my keyboard.

It befuddles me as to why there is still no public clarity on this. I am all for releasing vague tools for us to learn and figure out, but when it just doesn't work like this I can only speculate what is being held back.

#429 - phreon - 123w ago
You are indeed on the right track Moja, but still not there - you're now exactly where I am

Those minor differences you have now are the very differences I've been crying like a 6 year old school girl, that had her lollipop stolen in the schoolyard, about.

Decrypting still doesn't work through unself

#428 - moja - 123w ago
Alright guys, I've got a step further (maybe you already did this).

The .elf file starts after the offset named in the header length. So when copying each decrypted section (.elf), do so from the [section.header.offset]-[header.length]. The block lengths will be the same. Paste each block to the actual offsets in the EBOOT.

FOR EXAMPLE:

After reading eboot.bin, I see the header length is 0x980. Also, the first encrypted section starts at 0980 for 1033b68 blocks. In the elf file, this block is from 0 to 1033b68 (section header - header length). (It seems the elf file is slightly smaller because unselfing strips the header away) So paste block elf 0-1033b68 to eboot 980-10344e8. Now do the same for the second block. Paste elf 1040000 (1040980-header) through 109fe9c (1040000+length) to eboot 1040980. Make any better sense?

Using this, I compared my fixed nfshp to the downloaded one that I've tested as working, and I now have VERY MINOR DIFFERENCES, so I know I'm on the right track. When using my fixed eboot, the game no longer gives an error, but it just goes back to the XMB after trying to load for several seconds. By comparing the sections of the elf (adjusted for header length) to the sections of the working fixed eboots, I can now see the same data. I am so close now, but I just can't get my damn eboot to work all the way. Hope this helps.

#427 - cayspekko - 123w ago
I've got a quick question: So can you use make_package_npdrm with signed elfs? Or is that just for making debug packages?

Cause I tried it and got EBOOT.BIN is not a NPDRM SELF... so apparently not.

#426 - StoneCutter91 - 124w ago
This is very good news for the scene.

© 2013 PlayStation 3 News