PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Developer @zecoxao has recently released something that the dev has been working on obtaining for 10 years now and that obstacle that has now been cleared is the SYSCON Firmware Key and zecoxao has now released it to the public. First off we must erase some misconceptions as this is not going to directly lead us to a CFW on nonCFW PS3's anytime soon. As the dev stated on twitter "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else" and then when @kozarovv provided a follow-up question about 3k models here the developer responded with "don't expect miracles, is all i'm saying ". Now the question (which was asked by @DeViL303) "So what can we do with this as of now, what is possible with just this key alone and current knowledge? Then @zecoxao provides an explanation seen in this post (and also seen below). So this is a great feat that has been made, but its still being investigated and something that will need to be explored in the weeks to come to fully understand what we can be uncovered,. .

1200px-SYSCON_GEN1.JPG
Release

  • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've acomplished my goal. the rest will follow naturally.
    - https://twitter.com/notzecoxao/status/1168954036541935616

    What can developer's do with this key?
    DeViL303 said:
    So what can we do with this as of now, what is possible with just this key alone and current knowledge? Custom fan speed profiles? Multiple boot sequences depending on flags or something, or does everything need more work?
    Click to expand...

    via @zecoxao : With this key the following has happened:

    14 syscon firmwares for the BGA models (CXR) were decrypted.
    from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:

    • TMU-510
    • COK-001
    • COK-002
    • SEM-001
    • DIA-001
    • DIA-002 or DEB-001 (same soft id)

    Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
    We also found 7 extra keys (we still don't know what they do)
    Finally, we found out there is a secret keyslot function that generates keys for
    • SNVS
    • AUTH1/AUTH2
    • Regions of EEPROM
    • PATCH keys xoring (to generate the final keys)
    • Relationship with the other 7 Keys

    What still has to be done:
    • Hack the 78K0R chips (the TSOP ones found in later models)
    • Dump the firmware of those chips
    • Get the DYN-001 patch keys
    • Find an exploit on arm firmware that works in 78k0r firmware

    Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!


Release Source: twitter.com/notzecoxao
Discussion: psx-place.com

Thanks to @NathanHale for the news alert
 
Last edited:
Click to expand...
sandungas
zecoxao said:
One more, SW3-304 Full dump.
@sandungas @bguerville @STLcardsWS @littlebalup @vyktormvmpay25 @mysis
Click to expand...
Nice :encouragement:
zecoxao said:
Only missing SW3-301 and SW3-302.
Click to expand...
I have a FLASH dump (768KB size) of a SW3-301, you shared it in 06 october 2021
For curiosity sake... in the way im labeling this files in my personal collection this one is named "CokK10, KTE-001, SW3-301 (FLASH v2.3.0).bin"
Is just it had the first 0x800 bytes missing so is not complete... i wonder if this is the reason why is still labeled in wiki as "partially dumped" and colored in orange in the syscon firmware page... or maybe is because you forgot to delete this warning in orange to change his status ? (to fully dumped)

Btw, the syscon model that is always causing me some confussion is the SW-302 (used in VER-001 motherboards from PS3 models CECHLxx, CECHMxx, CECHPxx, or CECHQxx)
I dont remember if there are photos of it but is dodging us completly, lol, we dont even have his SoftID (the output of "revision" command, or displayed in the "more system information" screen)
 
zecoxao
sandungas said:
Nice :encouragement:

I have a FLASH dump (768KB size) of a SW3-301, you shared it in 06 october 2021
For curiosity sake... in the way im labeling this files in my personal collection this one is named "CokK10, KTE-001, SW3-301 (FLASH v2.3.0).bin"
Is just it had the first 0x800 bytes missing so is not complete... i wonder if this is the reason why is still labeled in wiki as "partially dumped" and colored in orange in the syscon firmware page... or maybe is because you forgot to delete this warning in orange to change his status ? (to fully dumped)

Btw, the syscon model that is always causing me some confussion is the SW-302 (used in VER-001 motherboards from PS3 models CECHLxx, CECHMxx, CECHPxx, or CECHQxx)
I dont remember if there are photos of it but is dodging us completly, lol, we dont even have his SoftID (the output of "revision" command, or displayed in the "more system information" screen)
Click to expand...

SW3-301 is just SW3-301, missing first block (0x800 bytes)
 
sandungas
zecoxao said:
SW3-301 is just SW3-301, missing first block (0x800 bytes)
Click to expand...
What i mean is that im not sure why is still marked as "partially dumped" in wiki, see this edit i did right now, is just a note to show you what i mean
https://www.psdevwiki.com/ps3/index.php?title=Syscon_Firmware&diff=65914&oldid=65856
If we consider is fully dumped... then we need to delete that text in orange color telling "partially dumped"

I realized about it since the day it was shared, but i decided to not delete it because is either @M4j0r or you who uses to keep a record of that list or "work in progress", and because im not sure if you are keeping it on purpose (maybe waiting for someone else to share another SW3-301 full dump with the first 0x800 ?, in that case yeah, im interested in it too)

Im a completionist like you, so everytime i see that warnings they really "bleeds my eyes" lol (that effect is made on purpose to encourage people to help us into completing the collection)... but yeah... i would like to delete all them too because it would mean the collection is completed :D
 
zecoxao
sandungas said:
What i mean is that im not sure why is still marked as "partially dumped" in wiki, see this edit i did right now, is just a note to show you what i mean
https://www.psdevwiki.com/ps3/index.php?title=Syscon_Firmware&diff=65914&oldid=65856
If we consider is fully dumped... then we need to delete that text in orange color telling "partially dumped"

I realized about it since the day it was shared, but i decided to not delete it because is either @M4j0r or you who uses to keep a record of that list or "work in progress", and because im not sure if you are keeping it on purpose (maybe waiting for someone else to share another SW3-301 full dump with the first 0x800 ?, in that case yeah, im interested in it too)

Im a completionist like you, so everytime i see that warnings they really "bleeds my eyes" lol (that effect is made on purpose to encourage people to help us into completing the collection)... but yeah... i would like to delete all them too because it would mean the collection is completed :D
Click to expand...

why is something partially dumped marked as partially dumped? :)
 
sandungas
I was asking that because i always thought wildcard made the full dump months ago (and maybe shared the dump with some of you in private), but some of you deleted the first 0x800 to share it in public... just incase that 0x800 bytes had some unique identifyer, etc...
That was what made me wonder if the notes in wiki with the "partially dumped" was refered to private or to public
But if you are telling that 0x800 bytes was dumped today then i got the answer

Anyway... it seems the parroting did work and made you drop the chicken, SW3-302 ETA wen ? :P
 
zecoxao
sandungas said:
I was asking that because i always thought wildcard made the full dump months ago (and maybe shared the dump with some of you in private), but some of you deleted the first 0x800 to share it in public... just incase that 0x800 bytes had some unique identifyer, etc...
That was what made me wonder if the notes in wiki with the "partially dumped" was refered to private or to public
But if you are telling that 0x800 bytes was dumped today then i got the answer

Anyway... it seems the parroting did work and made you drop the chicken, SW3-302 ETA wen ? :P
Click to expand...
In order to dump almost everything a custom payload is created. then, the first block gets erased and then programmed with that payload (hence the missing 0x800 bytes, which is the block size in 78K0R)
then, to retrieve the missing block, another chip is used and thus the missing 0x800 bytes are dumped
 
vyktormvmpay25
David Rainer said:
I'm guessing it needs to be a working console? Which ones have SW3-302?


Sent from my iPhone using Tapatalk
Click to expand...
Could be kte001 or very first of super slim models 400x series, or look on them when you harvest part. It is bit hard to get dump, pretty sure I'll give headache to zecoxao if we'll find it ;)
 
sandungas
David Rainer said:
I'm guessing it needs to be a working console? Which ones have SW3-302?
Click to expand...
It can be seen in this table https://www.psdevwiki.com/ps3/Syscon_Hardware#PS3_Syscon_models
Was used in the first superslim PS3 models CECH-40xx (with motherboards: MSX-001, MPX-001, NPX-001) so we could be optimistic about it because there are a lot

The tricky one to find is the SW-302, there is a photo in wiki with the comment "as seen on CECHL". This means it was used in VER-001 motherboards
https://www.psdevwiki.com/ps3/File:Syscon-sw302.jpg

The photo is a proof that the SW-302 exists and was used in retail PS3 models, and we can get a confirmation of the motherboard by comparing the surrounding components with this photo of a VER-001 motherboard. The image is rotated (with syscon at top-left corner) but it can be seen it matches
https://www.psdevwiki.com/ps3/File:VER-001-1-878-196-21-main-componentside.JPG
 
Last edited:
You must log in or register to reply here.

Similar threads

Featured content

Trending content

Latest posts

Back
Top