Sponsored Links

Sponsored Links

PS3 3.60+ Loader Keys & Phat HDD Encryption Tools Now Available


Sponsored Links
65w ago - Following up on the previous PS3 SDAT / EDAT v3 and v4 Keys, today PlayStation 3 developers flat_z and naehrwert have shared some PS3 3.60+ Loader Keys and Phat HDD Encryption tools (including a full EncDec Emulator to encrypt or decrypt game discs) with details below followed by the Lv1ldr Crypto Keys as well.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] by Abkarino / [Register or Login to view links] by NiceShot / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] by zecoxao / [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] by TehUnkn0wn / PS3 4.46 Keys by Acid Burn1 / franzes80

Key Scrambling

Starting with firmware version 3.60 loader keys have been encrypted. Look [Register or Login to view links] for a tool that decrypts them. Besides that, [Register or Login to view links] an implementation of the cryptographic algorithm which is used to encrypt/decrypt lv1ldr from lv0 and root scramble key at the SPU side.

Root scramble keys

[Register or Login to view code]

Scramble keys

[Register or Login to view code]

Scrambled keysets

[Register or Login to view code]

EDAT keys

[Register or Login to view code]

From flat_z (via ps3devwiki.com/index.php?title=HDD_Encryption):

Phat Consoles

  • On the PHAT consoles AES-CBC-192 is used for HDD encryption and AES-CBC-128 for VFLASH encryption.
  • So no tweak and tweak key here. Each sector is encrypted with the same zeroed IV.
  • VFLASH is encrypted once with ENCDEC key and zeroed IV!
  • Data key is of size 32 bytes but only the first 24 bytes are used for HDD and 16 bytes for VFLASH.
  • See also [Register or Login to view links] (contains scripts of ENCDEC emulator for both types of consoles).

From naehrwert (cdn0.meme.li/instances/600x600/39151418.jpg): The "Y U NO" picture I posted before

Btw. this means we might know now how cobra and 3k3y got their drive emulators working on latest consoles..

From zecoxao: First thing are the scrambled keys. Sony obfuscated the keys in order to make hard our access to them. those are called scrambled keys. Second thing is hdd encryption by glevand was incomplete. partially because he only had a slim and not a phat. now it's complete. Third thing is supposedly how cobra and 3k3y takes care of the drive keys on newer consoles. they basically don't even grab the keys, and all that's needed are sv_iso keys.

naehrwert already knows how that works. hence that meme. all you need is sv_iso keys lol

The keys should be these ones:

[Register or Login to view code]

for 3.70 appldr

[Register or Login to view code]

for 3.70 isoldr

[Register or Login to view code]

for 3.70 lv2ldr, following the same scheme as before (key 1 and 2 then iv 1 and 2)

[Register or Login to view code]

appldr 3.65

[Register or Login to view code]

isoldr 3.65

[Register or Login to view code]

lv2ldr 3.65, same scheme

[Register or Login to view code]

appldr 4.11

[Register or Login to view code]

isoldr 4.11

[Register or Login to view code]

lv2ldr 4.11

[Register or Login to view code]

isoldr key set (2 erks 1 riv)

[Register or Login to view code]

lv2ldr keyset (same scheme) 3.70 iso keyset

[Register or Login to view code]

3.70 lv2ldr keyset

[Register or Login to view code]

3.65 iso keyset

[Register or Login to view code]

3.65 lv2ldr keyset

[Register or Login to view code]

And finally, a real decryption key. 3.65-3.66 isoldr key and 3.65-66 lv2ldr key

[Register or Login to view code]

3.70 isoldr and lv2ldr keys

[Register or Login to view code]

a couple more

[Register or Login to view code]

appldr keys for maximum version 4.21 (it's a simple comment out of the code, anyone can spit out the text)

Download: [Register or Login to view links]

[Register or Login to view code]

I don't know if there's still any interest in this but just in case there is I'll leave a zip file showing how to properly patch lv0 and its inside loaders.. just a warning: this takes a LOT of work to be done.

Download: [Register or Login to view links]

From eussNL: It will help others to deobfuscate the real keys that in the end are used for making MFWs. Basicly anyone can now decrypt them and with the algo documented publicly that makes it time for Sony to change it or let it rest while giving PS4 attention. And no, we will never be able to get private keys - forget that ever happened in 3.55pre era.

As to the hdd crypto: well, it is about time that not only NOR consoles, but also NAND consoles can benefit from documentation about their encryption. In the longrun that means you could be able to dump your drivekeys and decrypt the hdd on the PC. Of course without keys you cannot get far, to give you an idea:

1. Suppose you can test one key every second
2. for simplicity sake lets pretend the keysize is 0x10

1 byte = 0x100 variants
0x10 bytes would have
0x100^10 or
0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100*0x100 or
3.4028237e+38 variants

or if you rather count in base10:
1 byte = 256 variants
16 bytes would have
256^16 or
256*256*256*256*256*256*256*256*256*256*256*256*256*256*256*256 or
3.4028237e+38 variants

There are 31556926 seconds in a year taking you 10783127828133147806075110339701 years to check each key variant possible with 0x10 keysize and 1 key per second.

From aldostools: That's correct, but remember that that time is the worst scenario. The same analysis applies for the (dev) klicensee keys used to encrypt EDAT and SELF/SPRX (which have a keysize of 0x10), and the practice shows that it can be bruteforced in less than 1 minute in many cases if a reduced universe of possible keys is available.

I updated the keys file for scetool: ps3tools.aldostools.org/keys

[Register or Login to view code]

A couple more keys: [Register or Login to view links]

inside you can find decrypted lv1ldr, scramble keysets and scramble keys for 365 370 411 firmwares. i'm gonna take care of the lv1ldr keys after i eat.

[Register or Login to view code]

As for appldr check the keys here: [Register or Login to view links]

[Register or Login to view code]

From Asure: I guess, you can calculate i.e. brute force the drive key. A device pretends to be the drive, but it can tell when it's not authed. Plugged into your BDROM port, it sits and tries keys until it finds the right one.

I also guess there's not only AUTH_DRIVE_USER but also AUTH_DRIVE_BDROM or similar, and the BDROM AUTH is being abused here

This would also mean you could do the key extraction with a PC or dev board like Arduino, but would require some skilled programmers to whip up a solution. Both available solutions should probably have done it that way. Complete BD drive emulation is not something a programmer just whips up in a day. (Unless everything besides the drive auth&crypt is just standard SATA commands..)

From Abkarino comes the Lv1ldr Crypto Keys and Test Files, as follows:

Hi all, Last night, a lot of great release had been released for public like 3.60+ loader keys and crypto tools that will enable any body to decrypt/encrypt lv1ldr extracted from decrypted lv0. But since this tools still need some keys to work and no body had released this keys yet or it does not published in ps3 dev wiki also, a lovely bird (thanks and credit goes to him) had hinted me about this keys, to allow us to decrypt/re-encrypt the lv1ldr our self like Rebug team for example to make our own CFW.

So i had figured how to use this great tool to decrypt/re-encrypt extracted scrambled and encrypted lv1ldr from lv0 my self. So i had decided to release this keys to help the public to do it them self also. This keys is consist of two sets one for PPU and the other one for SPU.

Lv1ldr crypto keys

[Register or Login to view code]

Also i had created a test files package that include this keys to test it yourself.

Download: [Register or Login to view links]

This file contain an encrypted lv1ldr.self named as lv1ldr-enc extracted from decrypted lv0, this will be decrypted using PPU keys.. and encrypted root scrambling key named as root-key-enc extracted from decrypted lv1ldr.self, this will be decrypted using SPU keys. Just feel free to test it your self and add them to the wiki

Finally, from TehUnkn0wn: I've made a LV0 loader extractor/injector (linked above). The code could be better, but it does its job.








Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 244 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

ConsoleDev's Avatar
#214 - ConsoleDev - 97w ago
Maybe someone more experienced than me could help to clarify this thing.. It seems that zadow28 managed to find a lv2diag.self file signed with the 3.60/3.61 keys in the ps3tmgui program that was a part of the official SDK.

If possible can someone tell me more about that?

DO NOT TRY THIS!


[Register or Login to view code]


G Sus's Avatar
#213 - G Sus - 97w ago
i'd keep hope too, theres always some up and coming smartass that looks at things differently or just spots something others have missed. 1 little thing can suddenly change the game completely. the algorithym used to calculate per console keys has to be hidden somewhere within the cfw, and all parts the fw is now readable. so its technically just a case of finding it and undestanding how to exploit it.

sadly that don't just take a clever person, that takes a clever person that is actually interested in doing it, and not afraid of any consequences. for all we know it could have already been done.

Hope is a great thing, its free and you can have as much of it as you want.

UrKoS's Avatar
#212 - UrKoS - 97w ago
I hold hope for a 4.31 installable cfw.

Sent from my GT-I9100 using Tapatalk 2.

G Sus's Avatar
#211 - G Sus - 97w ago
i believe that now all keys are known , it means you could technically make a cfw that could be installed on any ps3 ofw. however. its not really as simple as that. the keys only mean you can decrypt it all. it dont mean you will understand what your seing or even be able to find a flaw or weakness in it. (per console keys)

What it effectively means is now that it can all be decrypted there is the possibility that someone will find out how the fw and ps3 gos about the verification of per console keys etc. and then copy the process, and make a new cfw that will update on ofw above 3.55.

it don't mean it will happen , it just means it could be possible if someone is smart enough to work it out. or at least thats how i understood it, ive been wrong before though. what is more likely is. now you'll just get a 4.31 cfw that installs only on 3.55 or below.

I bet theres a hell of a lot of code to read for devs. look how many files theyve been given access too in just a few months. The PS3s life will have ended before anyone gets round to making cfw install above 3.55 ofw. I reckon the few people that probably could do it aint even working on it, (they have no need) and the rest wouldn't know where to start.

but like i say, I'm often wrong, and this is highly likely to be one of those times.

Blade86's Avatar
#210 - Blade86 - 97w ago
Installable CFW 4.31 on OFW4.30- ? Or did I missunderstood it?

Please could someone enlighten me what you can do with this two? And priv-key is still missing? Or Could we we "just" decrypt the 4.31 update and make a new 4.31cfw installable on 3.55?

Thank you soo much

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News