DemonHades on Discovering the PS3 Firmware 3.6+ Keys

88w ago - Today Spanish PlayStation 3 developer S0uL of DemonHades has shared details on discovering the PS3 Firmware 3.6+ Keys, which comes a few days after Sony PS3 hacker Mathieulh leaked the 3.6 X-Platform-Passphrase stating that the PSN passphrase changed in version 3.70.

To quote, roughly translated: Hello demons,

Well, this is a tutorial for discovering the keys of 3.6 + made ​​by S0uL and DemonHades (thanks for the info and review Demon) for all guys who think it is easy to discover the keys.

Requirements:

• A brain;
  
• Electronic Hardware expensive:
  
• KNOWLEDGE plate design;
  
• KNOWLEDGE SMD and BGA;
  
• Oscilloscopes High Frequency;
  
• KNOWLEDGE ASM CFP
  
• KNOWLEDGE in the Architecture of the PS3;
  
• Patience.
  

Let's go see the whole process:

To have the keys, we need to have the decryption LV0. The desempaquetea LV0 is in RAM, and is decrypted with the key bld. There, the keys are already in the SPU, which is like a safe, impossible to enter (are isolated from the outside).

When the loaders and lv are already loaded in the SPU, the lv1 clean all traces of the lv and loaders decompressed in memory. But who gives the order to clean? The lv1, so it is playable in an exploitable version!

To solve the problem, you need to make a lv1 modified to copy the area of ​​interest, the memory of LV0 and put it somewhere else, to then remove it, thereupon continue its routine cleaning and mapping. Thus, we have the memory LV0 safe. And so the LV0 gets exposed to everything.

From there, we have the appldr, which needs to be decrypted with the LV0, and with that we have "keystore".

Well, it's so simple to discover the keys? I do not think so

1Saludo all
S0ul