PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

By STLcardsWS on Sep 2, 2019 at 5:37 PM
    Developer @zecoxao has recently released something the dev has been working on obtaining for 10 years now: the SYSCON firmware key, which zecoxao has now released to the public. First off, we must erase some misconceptions, as this is not going to directly lead us to a CFW on non-CFW PS3s anytime soon. As the dev stated on Twitter: "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else". Then, when @kozarovv asked a follow-up question about 3k models here, the developer responded with "don't expect miracles, is all i'm saying". Now to the question asked by @DeViL303: "So what can we do with this as of now, what is possible with just this key alone and current knowledge?" @zecoxao provides an explanation in this post (also seen below). So this is a great feat, but it is still being investigated and is something that will need to be explored in the weeks to come to fully understand what can be uncovered.

    [Image: SYSCON_GEN1.JPG]

    • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've accomplished my goal. the rest will follow naturally.
      - https://twitter.com/notzecoxao/status/1168954036541935616

      What can developers do with this key?

      via @zecoxao: With this key the following has happened:

      14 SYSCON firmwares for the BGA models (CXR) were decrypted.
      From them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation, were found. We can now sign our own patches and FWs for the following models:

      • TMU-510
      • COK-001
      • COK-002
      • SEM-001
      • DIA-001
      • DIA-002 or DEB-001 (same soft id)

      Additionally, we found the initialization key for eid1 as well as the process of initializing it from the factory.
      We also found 7 extra keys (we still don't know what they do).
      Finally, we found out there is a secret keyslot function that generates keys for:
      • SNVS
      • AUTH1/AUTH2
      • Regions of EEPROM
      • PATCH keys xoring (to generate the final keys)
      • Relationship with the other 7 Keys

      What still has to be done:
      • Hack the 78K0R chips (the TSOP ones found in later models)
      • Dump the firmware of those chips
      • Get the DYN-001 patch keys
      • Find an exploit on arm firmware that works in 78k0r firmware

      Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!


    Release Source: twitter.com/notzecoxao
    Discussion: psx-place.com

    Thanks to @NathanHale for the news alert
     
    Last edited: Sep 10, 2019

Comments


    1. NathanHale
      So now the full SYSCON key is public. Obtained by zecoxao (probably with some help from wildcard). He also decided to quit the console scene (I don't know why, but it is becoming popular to quit your hobbies when you make some significant progress or get some nice results).

      Zeco, if you are reading: I have followed all your progress since 10 years ago. In just two words: thank you! :)

      So, now the big question: what can be done with this key?
    2. sandungas
    3. nCadeRegal
      So awesome. Can't wait for all the goodies that come from this.
    4. sandungas
      There is something I forgot to mention... when the PS3 boots, the first thing it does is a communication between SYSCON, CELL, and FLASH.
      Syscon sends the "config ring" to CELL; this way syscon configures CELL, then syscon boots CELL.
      https://www.psdevwiki.com/ps3/Boot_Order
      https://www.psdevwiki.com/ps3/Cell_Configuration_Ring

      As you can imagine, there are some important keys involved in these initial stages of the boot process :)
      One of the keys is the almighty "CELL KEY", unique for every PS3, used to encrypt/decrypt bootldr & metldr.
      And inside bootldr & metldr is stored the "EID root key".

      So... yeah... this is opening a very interesting door to explore; it could be a potential attack vector to hack the PS3 fully.
      Some reverse engineers with the skills to exploit it and dump the shit out of it are going to be needed.
      Last edited: Sep 4, 2019
    5. habib
      AFAIK the bootldr and metldr aren't ECDSA signed, so if supposedly we get the keys using the config ring we can effectively patch the highest chain on the NOR to allow CFW on 3k/4k.
    6. sandungas
      I'm not sure if it is going to be possible, but I would love to have full control of the flash contents (in other words, being able to rebuild bootldr and metldr).

      Not for any special reason... but mostly because this way we could have a real "recovery" with anti-brick features. Imagine... just a couple of lines of code that does something like this:

      if (!bootldr_is_valid(bootldr_flash)) {
          load_bootldr_from_usb();    // this is the anti-brick
      } else {
          load_bootldr_from_flash();  // the standard way
      }
      Last edited: Sep 4, 2019
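The fallback sketched in the comment above, carried through as an added example in C (this is not the commenter's code and not PS3 firmware). Everything concrete here is an assumption for illustration: the image layout (a header with a magic value, payload length and CRC-32 in front of the loader payload), CRC-32 as a stand-in for the integrity check, and the names BOOT_FROM_FLASH / BOOT_FROM_USB / run_scenario. The point it makes beyond the sketch is that "correct" has to mean "verified", for the USB copy as well as the flash copy; on a real PS3 the bootldr is encrypted with the per-console key the thread discusses, so that decision would sit with the hardware holding the key, not with code like this.

```c
/*
 * Added example (not the commenter's code, not PS3 firmware): the anti-brick
 * loader selection sketched above, made concrete. Assumptions: a constructed
 * image layout (magic + length + CRC-32 header in front of the payload), CRC-32
 * as a stand-in integrity check, and the names BOOT_FROM_FLASH / BOOT_FROM_USB.
 * On a real PS3 the bootldr is encrypted with the per-console key discussed in
 * the thread, so the "is it correct?" decision would have to be made by the
 * hardware that holds that key, not by code like this.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BOOTLDR_MAGIC 0x424C4452u   /* "BLDR", assumed marker */

enum boot_source { BOOT_FROM_FLASH = 0, BOOT_FROM_USB = 1, BOOT_NONE = 2 };

/* Assumed image header placed in front of the loader payload. */
struct image_hdr {
    uint32_t magic;
    uint32_t length;   /* payload bytes following the header */
    uint32_t crc32;    /* CRC-32 (IEEE, reflected) over the payload */
};

/* Bitwise CRC-32 (same polynomial as zlib); pass crc = 0 for a fresh run. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 if img holds a well-formed image whose payload CRC matches, else 0.
 * Rejects NULL, short buffers, bad magic and lengths that run past the buffer. */
int bootldr_is_valid(const uint8_t *img, size_t img_len)
{
    struct image_hdr h;
    if (img == NULL || img_len < sizeof h) return 0;
    memcpy(&h, img, sizeof h);                      /* no unaligned reads */
    if (h.magic != BOOTLDR_MAGIC) return 0;
    if (h.length > img_len - sizeof h) return 0;    /* length must fit */
    return crc32_update(0, img + sizeof h, h.length) == h.crc32;
}

/* The comment's logic: boot from flash if it checks out, otherwise from USB.
 * The USB copy gets the same check; an unverified fallback would be a
 * downgrade / injection path, not a recovery feature. */
enum boot_source select_bootldr(const uint8_t *flash, size_t flash_len,
                                const uint8_t *usb, size_t usb_len)
{
    if (bootldr_is_valid(flash, flash_len)) return BOOT_FROM_FLASH;
    if (bootldr_is_valid(usb, usb_len))     return BOOT_FROM_USB;
    return BOOT_NONE;                               /* nothing trustworthy */
}

/* Build a constructed image (header + payload) into out; returns total size. */
size_t make_image(uint8_t *out, size_t out_cap, const uint8_t *payload, size_t n)
{
    struct image_hdr h = { BOOTLDR_MAGIC, (uint32_t)n, crc32_update(0, payload, n) };
    if (out_cap < sizeof h + n) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, payload, n);
    return sizeof h + n;
}

/* Constructed scenario: two good images, optionally corrupt one byte of each. */
enum boot_source run_scenario(int corrupt_flash, int corrupt_usb)
{
    static const uint8_t payload[] = "constructed bootldr payload";
    uint8_t flash[64], usb[64];
    size_t fl = make_image(flash, sizeof flash, payload, sizeof payload);
    size_t ul = make_image(usb, sizeof usb, payload, sizeof payload);
    if (corrupt_flash) flash[fl - 1] ^= 0xFF;   /* flip the last payload byte */
    if (corrupt_usb)   usb[ul - 1]   ^= 0xFF;
    return select_bootldr(flash, fl, usb, ul);
}

int main(void)
{
    static const char *names[] = { "FLASH", "USB", "none" };
    printf("good flash    -> boot from %s\n", names[run_scenario(0, 0)]);
    printf("corrupt flash -> boot from %s\n", names[run_scenario(1, 0)]);
    printf("both corrupt  -> boot from %s\n", names[run_scenario(1, 1)]);
    return 0;
}
```

The three cases that matter are a good flash image (boot from flash), a corrupted flash image with a good USB image (boot from USB, the anti-brick path) and both corrupted (refuse to boot rather than run unverified code). A CRC only catches accidental corruption; swapping it for a signature check does not change the control flow, only what bootldr_is_valid considers "correct".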
    7. Fin9ersMcGee
      Lord, please let this be the beginning of CFW on 3k and 4k.

      EDIT - OK... I jumped on the 3k/4k CFW train too early lol...
      Last edited: Sep 12, 2019
    8. Fin9ersMcGee
      If someone in the scene pulls this off, I'll sit down and write an all-in-one guide for all PS3 models. Nothing omitted. Super tut.
    9. RotateMotor
      Can this key be revoked or changed? Can $ony patch the key with firmware updates?
    10. Fin9ersMcGee
      Probably. Just stay on current firmware. I can't imagine we'll see a 3k/4k CFW super soon. Patience is a virtue.
    11. RotateMotor
      If we have the SYSCON key, we can decrypt the whole system and, if they change the key, it doesn't matter, because we already have the bootldr key. Isn't it?
    12. Fin9ersMcGee
      I'm not sure....
      But when the 3.55 keys were found, Sony updated to block that hole for software, but hardware flashers still worked... I'm not sure how this works... I only came into the scene at the beginning of last year.
    13. nCadeRegal
      I was hopeful this would lead to bootldr and metldr stuff, but not knowing much about it I didn't want to insert my foot in my own mouth. This would be insanely good if someone can glitch or access those areas to write and modify them. It's awesome these last few things are finally getting looked into. Exciting times.
    14. Bloodmoons366466
      That's amazing news.
    15. iesus gamer
      Hello everyone, great news for the PS3 scene. My question is whether CFW can be installed on a PS3 3k/4k? Thank you for this great news. Regards.
    16. DADi590
      Hey. The fifth comment (habib's comment) answers your question ;-)
    17. Danxx444
      Not at the moment bro... maybe in the near future.
      Last edited: Sep 5, 2019
    18. Danxx444
    19. neo88
      So I read SYSCON is like the commander of the PS3 guardians; if they control him, there would be no opponents left to tame the rest of the system. It is impressive, all the data that the sceners have collected over all these years. I do not think there is another console with that level of investigation by them.
