56w ago - Today we received word from Dutch site
OmbouWnederland.nl (
ConsoleWinkel) of a rumor that a Sony PS3 Blu-ray drive emulation PCB is currently in development which will allow users to unlock their PlayStation 3 console without the use of Custom Firmware or dongles.
Reportedly they have been in contact with
ChinaDistrib.com who stated a team (possibly the Wasabi or Drivekey team) is working on the PS3 Blu-ray drive emulation PCB that is slated for release later this year.
They have also speculated via e-mail that the project has been kept under tight wraps due to Sony being unable to stop this new PS3 hack via Firmware updates, meaning once it becomes public Sony's legal team will be on the warpath in full force.
Below are some concept pictures (not actual finished product pictures) from their site and the details, roughly translated as follows:
"
PlayStation 3 drive emulation
No hacking, no flashing, no modding. Emulation is the future. A team is currently working on a new hack for the PlayStation 3.
The Blu-ray player, Sony's PCB has been cracked and costs can thus be gekloont. The team probably Wasabi or Wiikey team is currently working on this for the board to connect to an external HDD.
This can be downloaded games played as Wasabi360 and Xkey for the XBox 360.
A major retailer in China has also indicated that this year is released."
Finally, China Distribution has replied to an e-mail from
hitman43 (via modcontrol.com/Board/187984-post1.html) as follows:
"Zitat: Hi,
i didn't know anything about this product, i don't know why people ARE thinking we are behind this device,
regards
ChinaDistribution"
It is unknown whether the person responding is unaware of the rumored PS3 Blu-ray drive emulation PCB in development, or if they are simply attempting to keep things quiet and avoid any legal hassles from Sony... only time will tell for sure.
No
Are you Depressed?...
...
We have just assembled the first 'production status' 3k3y SATA motherboards and 20xx daughter boards.
The 3k3y SATA motherboard is compatible with all PS3 models with a SATA interface for the BDROM through a series of different daughterboards. The first board to be released is the 20xx series board.
We hope the hardware can be sent out to testers in the beginning of next week, and we do not anticipate any issues.
Also from bubba come some 3KS Slim Ver (3k3y) Pics below, who states the following: My good friend's at 3K3Y AND XKEY Sent me a Testing Unit.. Here is the Pics.. I just Install it on A Slim model.. Everything is Working HAS it should be.. I am Online Woot..
You will still to have your drive key... I am on 20/21xx Model. This 3kS 3K3Y is Not Out Yet... Im just testing it for them.. Past Week. If i get time i will show a video how to install it and get the drive key and run games.. or maybe my good friend brakk3n will do a Better one.
3KS & XK are now running on the same main PCB. Just add the correct adapter. More to come.. I got bigger news coming soon.
3k3y microSD image v1.01 (via k3yforums.com/viewtopic.php?p=65764#p65764)
Download: 3k3y101FW.rar / FPGA.rar
This is a recovery factory image (firmware v1.01) by Team xKey for the 3k3y (PATA) microSD card to be used if the original card is corrupt (or if formatted by mistake). Use USB Image Tool to write the image in Windows (in Linux, use 'dd'). NOTE: If you want to upgrade 3k3y use USB stick or hard drive, don't copy stuff directly to the microSD card. WARNING: This firmware version contains bugs which makes 3k3y crash some of the old fat PS3 models, so only use this to restore microSD card, then update to latest version.
Update: 3k3y SATA is now ready! After months of testing 3k3y SATA is now in production. All SATA models can be supported by various daughter boards. At this time the first daughterboard supports the following models: (via facebook.com/x360key/posts/579022432130306)
• Fat PS3s, CECHL onwards
• 20xx/21xx Slims
3.55 is still required for key extraction but we have made some interesting finds which may eventually lead to key extraction directly from the drive.
Download: http://www.sendspace.com/file/le7dlf (72.32 KB) / http://www.sendspace.com/file/l5f7sr (76.10 KB)
Here's an alternative encryptor / decryptor (can be used in place of 3k3y ripper's ISO Crypto function). Features:
• Commandline
• Multi-threaded decryption/encryption
• Compiles on linux and windows (should compile on anything with openmp and polarssl)
• No dependency on .NET
Source, windows 32 bit and linux 64 bit binaries are included. Can whoever's interested please compile it for other environments (mac, linux 32 bit, others), and put a link to the binary in this thread? Also no plans for a gui, but a simple one shouldn't be hard to make if anyone's interested in doing so.
Decrypt:
Encrypt:
Note:
The multi-threading is not optimal (the encryption/decryption is multi-threaded, but not the io), but for an initial release it's fine. Not heavily tested. Please compare output to 3k3y ripper, and check that a decrypt-encrypt cycle produces the same iso you started with.
Increasing efficiency and adding features are planned later. The next version will at least have optional sha-1 hashing of input and output. Any feedback, bugs and feature requests please mention them in this thread.
Update: New version (r4), speed improvements (on relatively new hardware with HDDs this is io bound, and about as quick as it's going to get).
New features:
• Fully multi-threaded (io happens simultaneously to processing)
• Read from stdin and write to stdout (write '-' in place of a path)
Haven't implemented sha1-1 hashing as it complicates the multi-threading. As a compromise, you can pipe to stdout to do any post-processing you want. As a bonus, if someone makes a (piped) commandline ripper decrypted isos can be created directly.
Below are some 3K3y videos as follows for those interested and an official 3K3y Firmware v1.04 revision:
3K3y Firmware v1.04
Download: 3K3y Firmware v1.04
This firmware update fixes freezing issues on certain older PS3s, adds support for BLD/BLF ISO files, and offers enhanced stealth features.
2013-03-05: 3k3y Firmware v1.04 released!
This firmware update fixes freezing issues on certain older PS3s, adds support for BLD/BLF ISO files, and offers enhanced stealth features. Get it now!
2013-03-14: Ripper App now rebuilds 'jailbreak rips'!
The Ripper app can now rebuild a complete ISO from so-called 'scene' or 'jailbreak' rips (decrypted game data without ISO header and other metadata). We are now very proud to announce that you can recreate the ISO file using our Ripper app. To do so you need to download the corresponding Iso Rebuild Data, or IRD, file. These files can be downloaded and redistributed freely as they only contain metadata an other non-copyrighted data.
Finally, from bubba: 3K3y Public beta Ripp3r 1.18
Download: 3K3y Public beta Ripp3r 1.18 Setup.rar
We're proud to announce the public beta of the Ripp3r application 1.18. We ask you all to test this application for every possible aspect. Also test the IRD site: 3k3y.com/ird_files. Features of the new Ripp3r application include:
• Rip PS3 game to ISO
• Encrypt/decrypt ISO (decrypted ISO's can be zipped, but are NOT playable)
• Decrypt ISO directly to zip or multipart zip (define size in the settings (Tools->Settings))
• Encrypt ISO directly from zip
• Create IRD (ISO Rebuild Data) file from ISO (this requires an 3k3y ISO)
• Anonymizes specific information in the IRD (like the D2)
• Completely anonymous upload of IRD files. Uploading uses a public/private key pair, which encrypts the payload before sending it to the server. We NEVER save who (not even IP) submitted which IRD file.
• Identify JB Rip: gives you information about the JB rip, and tries to find the correct IRD file
• Create ISO from JB rip: rebuilds an exact copy of the original ISO. This requires that a correct IRD file has been submitted to the database
• Submit IRD file to the database: after you've ripped a game to your computer, also create an IRD file for it and upload it to the database. This will help us with more content, and helps others to rebuild the ISO
• Automatic determines the correct version of PS3UPDAT.PUP file for the JB rip and downloads it
• Automatic joins splitted JB rip files
• Both GUI and (limited) console version available
Things that are NOT in this version:
• Mono compatibility, due to the compression and packing algoritm we use, this software does not work under Mono (yet). We may look into this.
• Automatic IRD download
• Rebuild PsArc
Of course, you can assume that I've forgotten a few things. You can find those things out yourself. As always, post your findings here. Both good and bad. If you find issues, post them here. If you see weird Chinese characters, definitely copy them as text and post them here, or as a pastie. If you need a logfile, the last 5 sessions are saved to a logfile in your temp directory (type %TEMP% in the addressbar in Explorer).
Have fun, and please, please, upload those IRD files. We need a lot! Get the goodies here, and have fun!
Public beta Ripp3r 1.19 / 3k3y Ripper App v1.19 by r-win
New and fixed in this release:
• Cancel while ripping fixed
• Windows XP support (yes, for real, .NET 4.5 has been dropped, now .NET 4.0 is required)
• Save the last choosen paths on all dialogs
• Ird creation from disc
• Ird creation while ripping
We're proud to announce the public beta of the Ripp3r application 1.19. We ask you all to test this application for every possible aspect. Also test the IRD site (above) This version has some new features, which include:
• Ird creation from disc
• When ripping an iso, the IRD will automatically be created (enable/disable in settings)
• Windows XP support (.NET 4.0 required)
• Save last used paths in all dialogs
Also, a few bugs are fixed, including:
• Fixed bug when pressing cancel while ripping
• Prevents crash on Windows XP
Of course, you can assume that I've forgotten a few things. You can find those things out yourself. As always, post your findings here. Both good and bad. If you find issues, post them here. If you see weird Chinese characters, definitely copy them as text and post them here, or as a pastie.
If you need a logfile, the last 5 sessions are saved to a logfile in your temp directory (type %TEMP% in the addressbar in Explorer). This application REQUIRES the .NET 4.0 runtime.
Also here is a link to the http://www.sendspace.com/file/5ccict as well.
Finally, the main article has been updated recently for those who missed it alongside the PS3 3K3y Keydumper v1.00 / v1.01 for PS3 3.55-4.31 CFW post and attachments.
Download: http://www.mirrorcreator.com/files/2DGE45CY/3k3y-keydumper-v1.rar_links / http://www.mediafire.com/?4l27o19ockqlg6l by jarmster (Note: Leave a USB stick installed when you run the app, it puts a 1kb file called 3dump.bin on the stick containing the decrypted drive keys)
3k3y Ripp3r v1.01 Setup and User Guide: Windows software for ripping/decrypting/reencrypting PS3 disks. The user manual is included in the archive.
Changelog [2013-02-01]:
• Fixed a bug that affected encryption/decryption of very large files.
People, if you're that desperate to get the drive key (which is in eid4) just memdump eEID, get your eid_root_key with flatz's package and use my program which is adapted from naehrwert's code. you can even see for yourselves what's happening in the code. Don't forget to rename the eEID you get from your console's NOR/NAND to eid (without an extension) and place it on eid folder. same as key and iv (split them up with a hex editor).
You can then try that program and compare your decrypted eid4 with the pkg's dump, and realize it's the same crap.
Here we can see the keys used by the ripper (taken from: ps3devwiki.com/wiki/BD_Drive_Reverse_Engineering#Program and ps3devwiki.com/wiki/BD_Drive_Reverse_Engineering#Information_about_EID4):
private byte[] IV1 = new byte[] { 0x22, 0x26, 0x92, 0x8d, 0x44, 3, 0x2f, 0x43, 0x6a, 0xfd, 0x26, 0x7e, 0x74, 0x8b, 0x23, 0x93 };
private byte[] IV2 = new byte[] { 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
private byte[] IV3 = new byte[] { 0x3b, 0xd6, 0x24, 2, 11, 0xd3, 0xf8, 0x65, 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
private static byte[] Key1 = new byte[0x10];
private static byte[] Key2 = new byte[0x10];
private byte[] Key3 = new byte[] { 0x12, 0x6c, 0x6b, 0x59, 0x45, 0x37, 14, 0xee, 0xca, 0x68, 0x26, 0x2d, 2, 0xdd, 0x12, 210 };
private byte[] Key4 = new byte[] { 0xd9, 0xa2, 10, 0x79, 0x66, 0x6c, 0x27, 0xd1, 0x10, 50, 0xac, 0xcf, 13, 0x7f, 0xb5, 1 };
private byte[] Key5 = new byte[] { 0x19, 0x76, 0x6f, 0xbc, 0x77, 0xe4, 0xe7, 0x5c, 0xf4, 0x41, 0xe4, 0x8b, 0x94, 0x2c, 0x5b, 0xd9 };
private byte[] Key6 = new byte[] { 80, 0xcb, 0xa7, 240, 0xc2, 0xa7, 0xc0, 0xf6, 0xf3, 0x3a, 0x21, 0x43, 0x26, 0xac, 0x4e, 0xf3 };
private static byte[] Key7 = new byte[0x10];
private static byte[] Key8 = new byte[0x10];
void aes_omac1(u8* output, u8* input, int len, u8* aes_key_data, int aes_key_bits)
aes_omac1(digest, eid4, 0x20, indiv + INDIV_EID4_KEY_OFFSET, 0x100);
if(memcmp(digest, eid4 + 0x20, AES_OMAC1_DIGEST_SIZE) != 0)
printf("warning: eid4 hash check failed!\n");
Corrected some info. and apparently i was mistaken when i thought that 3Dump.bin contained the eid4 ENcrypted. it contains in fact eid4 DEcrypted. You still need to auth with the bd drive. that's the part Cobra/E3 figured out. we can do this normally with hacked consoles, but not with unhacked consoles.
So the ODE dumper package dumps the DEcrypted eid4, correct? now i understand. i was confused because i thought you said the eid4 ENcrypted was the same as 3Dump.bin.
From jarmster: The eid4 from running libeeid is a decrypted dump. The 3dump.bin is exactly the same. The eEID_Dumper.pkg dumps the encrypted eid4. And from the wiki: EID4 is of size 0x30 bytes: 0x0-0xf bytes = 1st key, 0x10-0x1f - 2nd key, 0x20-0x2f - CMAC-OMAC1 of EID4.
From haz367:
eid4 offset 303A0 - 303CF full nordump
eid4 only:
first key = 0-f (key1?)
sec key = 20-2f omac hash(required just as cex2dex convert to calculate usin omac's)
now for 3dump.bin: (= encrypted eid4(0-2f)+eid_root_key(30-5f)
3dump.bin
offset 0-1f = match original full nordump = offset 303a0-303bf (encrypted eid4)
offset 20-2f = sec key = match full nordump-encrypted eid4 = omac hash key
offset 30-5f = root_key per console key (also required to calculate+omac hash... real bdkey?
then we have zecoxao's program, it gives an erro on eid3 of missing stuff but it dumps also an "eid4d.bin"
offset 0-1f = decrypted eid4?! >>omac hash is match original nordump/encrypted eid4/3Dump.bin
From zadow28 on the 3K3y PKG file: pastebin.com/79V2KdTK
I'm not into VS very much, maybe the devs can have an look. It's the visual source/assembly code for the x3key ps3 software for pc. got there keys and even shows there iso disc codes, plus a lot more. I'm not an visual expert, so maybe there are some visual experts here. shows how the x3key acts like an Bulk. etc
The iso for x3key are crypted, so they only play with there tool.. the source for encrypting the iso are in there too.
From Abkarino (via Zadow28) comes the 3K3y Ripper (PC Software) hacked source code recovered, as follows:
Download: http://db.tt/0IfzsiN4 (Password: Abkarino) / http://www.mirrorcreator.com/files/1ISNZZ5A/3K3Y_Ripper_Hacked.rar_links (Mirror: Password Removed)
This is a quick and dirty release for 3K3Y Ripper application including the full recovered source code. So you can build/modify your own version. All you will need is: .Net Framework Runtime v4.0
Message to 3K3Y Team: Do not steal glevand's work again
Regards.
Abkarino (Mohammed Hassan)
Finally, from 3Key: 3k3y IRD files 2013-03-15 is a collection of IRD (Iso Rebuild Data) files for 3k3y. Use them to convert PSJB game dumps to full PS3 ISO.