PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

By STLcardsWS on Sep 2, 2019 at 5:37 PM
    Developer @zecoxao has recently released something the dev has been working on obtaining for 10 years now, and the obstacle that has now been cleared is the SYSCON Firmware Key, which zecoxao has now released to the public. First off we must erase some misconceptions, as this is not going to directly lead us to a CFW on non-CFW PS3's anytime soon. As the dev stated on Twitter: "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else", and then when @kozarovv provided a follow-up question about 3k models here, the developer responded with "don't expect miracles, is all i'm saying". Now to the question (which was asked by @DeViL303): "So what can we do with this as of now, what is possible with just this key alone and current knowledge?" Then @zecoxao provided the explanation seen in this post (and also seen below). So this is a great feat that has been achieved, but it's still being investigated and is something that will need to be explored in the weeks to come to fully understand what can be uncovered.


    • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've accomplished my goal. the rest will follow naturally.

      What can developers do with this key?

      via @zecoxao : With this key the following has happened:

      14 syscon firmwares for the BGA models (CXR) were decrypted.
      from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:

      • TMU-510
      • COK-001
      • COK-002
      • SEM-001
      • DIA-001
      • DIA-002 or DEB-001 (same soft id)

      Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
      We also found 7 extra keys (we still don't know what they do)
      Finally, we found out there is a secret keyslot function that generates keys for
      • SNVS
      • AUTH1/AUTH2
      • Regions of EEPROM
      • PATCH keys xoring (to generate the final keys)
      • Relationship with the other 7 Keys

      What still has to be done:
      • Hack the 78K0R chips (the TSOP ones found in later models)
      • Dump the firmware of those chips
      • Get the DYN-001 patch keys
      • Find an exploit on arm firmware that works in 78k0r firmware

      Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!

    Release Source:

    Thanks to @NathanHale for the news alert
    Last edited: Sep 10, 2019
    1. sandungas
      There is nothing to install; the fact that a key has been published doesn't mean that we can make use of it, because there doesn't exist any tool, program, or exploit taking advantage of it... yet

      Yes, to simplify it I usually say syscon is the "boss" of the PS3 motherboard
      The ON/OFF buttons of the PS3 are connected to syscon; when you press the button you are interacting with syscon, and it is syscon who sends the signal to boot the CELL processor... so it can be said CELL is a "slave" of syscon

      A friend of mine usually says the PS3 is like a medieval fortress: the external wall is the userland, the secondary internal wall is the kernel, CELL is the citadel with the hypervisor that is the king's personal guard
      And syscon... is like the armoury (connected with the citadel by some dungeons)

      In the PS3's with CFW all the securities are breached... except the citadel (CELL) and the armoury (SYSCON)

      Technically... the only way to attack the citadel (made by IBM) is by hacking syscon and using it against the citadel :D
      Basically... it's needed to take control of syscon and add some exploit to it... so in the first communications between syscon and CELL that happen at boot, our hacked syscon needs to say... "hi CELL, it's me the syscon, your friend, please let me in"... and CELL will reply with... "ok access granted"
      And after that is when syscon says... "muahahahaha i cheated you im a traitor trololol lol" :D
    2. Berion
      After that Cell will say:
      BTW: This would be awesome name for exploit or ROP. :D
      Last edited: Sep 5, 2019
    3. littlebalup
      So: Tu quoque mi syscon !
    4. sandungas
      But without bruteforce, all needs to be made by diplomacy in a shady way, until the last second when Brutus does the final stabbing :D
    5. Danxx444
      How long will it take to start exploration in the Kingdom area? How long will it take To prepare the soldiers for this fight?:D
    6. Berion
      @sandungas One diplomacy push of dagger.
      @Danxx444 Currently none of the known neighbour kingdoms is declaring a war.
    7. sandungas
      No clue; it's needed to study what can be made with syscon to try to find a way to use it as a weapon... also it's needed to keep an open mind in case it's needed to use a combination of software hacks + hardware hacks
    8. Danxx444
      I see, there are a lot of things to explore, this should take a while, but as you programmers are some machines at programming, I don't think it will take that long either.
    9. Berion
      There are only a few programmers and kernel hackers in the wild on the PS3 scene. You could wait endlessly, to be honest. But I'm with you. I have hope that one day we have parallel access to eMMC and HDD on those CECH-4xxx. That would be very cool as a safe harbour. Never mind, thinking out loud. ;p
    10. sandungas
      There is also a potentially pretty cool hack that could be made by using a modified syscon firmware; I was talking about it some weeks ago but I don't remember the thread, anyway...

      In the PS3 the fan control is done by syscon; we know it uses some values for speeds and temperatures that are very well defined (always exactly the same)
      There are a couple of ways to do it... one of them is by storing those values inside syscon in a small table

      If that table exists (we are not completely sure, but it is probable), and if we can change those values, then it is going to be possible to configure the fan profiles
      In other words... we will not need to use fan control software anymore :)
    11. Major_Pothead92
      If this leads to CFW down the road on the 3k & 4k models, that'd be pretty damn beast. Something I recall lots of different randoms years ago saying would never happen lol.
    12. TheBlackHat
      Jjajajaja, like this much!!!! XD
      Very good news!
      Like Chewbacca when they realize the death star hole :chewie: jajajaja
    13. DADi590
      Very bad idea to say things will never happen haha. Everything is possible... (just may take MUCH time to be done, but it's possible).
    14. TheBlackHat
      Sometimes never, it's a few years ;)
    15. MegaManX970
      SYSCON is a terrain yet to know. Give some time to our awesome developers to start creating debugging tools for SYSCON and analyze its powers
    16. Drkpt
    17. sandungas
      Don't count on me to hack syscon, I'm not so skilled
      I'm good with hardware (I identified a bunch of pins from some syscon models), made some pages in the wiki about syscon firmwares and things like that, and with a hex editor reversing internal structures of data (but to be honest I never understood well the info about the syscon eeprom in the wiki, I think it is confusing)
    18. neo88
      Apparently notzecoxao cannot leave the scene so easily and has left things related to syscon on his Twitter, nothing that a common human can understand, but it can mean something to those who do understand this.
    19. sandungas
      You can post the link to his tweets btw, I guess it is this one
      Hmm, some py sauce to play with, thx keycoxao ;) and @SocraticBliss

      And this
    20. sandungas
      Hmm, just noticed something super cool

      All these commands are related to the fan control... and the command named fantbl looks like...
      fanconpolicy         0xc9bb0000L  0xDD0C0000
      fanconmode           0x35bf0000   0xDD0C0000
      fanconautotype       0x75c00000   0xDD0C0000
      fantbl               0x87c00000L  0xDD0C0000
      If someone is looking at this fan table, please take some time to compare it with the values of this table in the wiki
      I made that table in the wiki because I thought one day it could be handy to compare with the values stored inside syscon... and that's exactly what seems to be happening; now it is possible to do it :chewie:
      Last edited: Sep 6, 2019