PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

By STLcardsWS on Sep 2, 2019 at 5:37 PM
  1. 9,642

    STLcardsWS Administrator

    Sep 18, 2014
    Likes Received:
    Trophy Points:
    Developer @zecoxao has recently released something that the dev has been working on obtaining for 10 years now and that obstacle that has now been cleared is the SYSCON Firmware Key and zecoxao has now released it to the public. First off we must erase some misconceptions as this is not going to directly lead us to a CFW on nonCFW PS3's anytime soon. As the dev stated on twitter "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else" and then when @kozarovv provided a follow-up question about 3k models here the developer responded with "don't expect miracles, is all i'm saying ". Now the question (which was asked by @DeViL303) "So what can we do with this as of now, what is possible with just this key alone and current knowledge? Then @zecoxao provides an explanation seen in this post (and also seen below). So this is a great feat that has been made, but its still being investigated and something that will need to be explored in the weeks to come to fully understand what we can be uncovered,. .


    • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've acomplished my goal. the rest will follow naturally.

      What can developer's do with this key?

      via @zecoxao : With this key the following has happened:

      14 syscon firmwares for the BGA models (CXR) were decrypted.
      from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:

      • TMU-510
      • COK-001
      • COK-002
      • SEM-001
      • DIA-001
      • DIA-002 or DEB-001 (same soft id)

      Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
      We also found 7 extra keys (we still don't know what they do)
      Finally, we found out there is a secret keyslot function that generates keys for
      • SNVS
      • AUTH1/AUTH2
      • Regions of EEPROM
      • PATCH keys xoring (to generate the final keys)
      • Relationship with the other 7 Keys

      What still has to be done:
      • Hack the 78K0R chips (the TSOP ones found in later models)
      • Dump the firmware of those chips
      • Get the DYN-001 patch keys
      • Find an exploit on arm firmware that works in 78k0r firmware

      Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!

    Release Source:

    Thanks to @NathanHale for the news alert
    Last edited: Sep 10, 2019
    ntodek, smikk, Louis Garry and 16 others like this.


Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

    1. neo88
      I can see that you are excited that this is happening, so independent is syscon that is handled with its own firmware?
    2. sandungas
      Yes, syscon have his own firmware. Inside a standard PS3UPDAT.PUP there are a few PKG's to update the firmware of some components of the motherboard (syscon, bluray, the bt/wifi module, and the multicard reader of the first retail PS3 model)
      For the syscon are this PKG's:

      You can check the syscon firmware/patch version you have installed in your PS3 in this screen (available with a secret button combo)

      When you install a PS3UPDAT.PUP the installer does a check to this chips to know his revision and firmware versions, and incase one of the PKG's is "applicable" to your syscon is installed... otherway (if your syscon firmware is updated) then is not installed

      This is why some people with a damaged bt/wifi module, or without the bluray daughterboard are trapped in a infinite blackscreen loop when they tryed to install a PS3 firmware... the installer cant pass that point of the check
      In plain words... the installer asks to the chip "tell me your revision and version", and the chips doesnt replyes... so the PS3 firmware installer stops the installation with an error
      And syscon have a dual data bank btw, it stores 2 firmwares... the actual and the previous syscon firmwares installed in it

      Now that the key to decrypt the syscon PKG's is public, it allows to rebuild the syscon PKG with some custom changes... then build a PS3UPDAT.PUP with the custom syscon firmware PKG inside it... then install the PS3UPDAT.PUP as a normal PS3 firmware
      Algol, VTSTech, neo88 and 1 other person like this.
    3. Danxx444
    4. Danxx444
      I have a little doubt ... sorry if she looks stupid, but I was wondering ... this would allow us a CFW on the 3k and 4k models right? okay ... have you said yes ... so ... what will the downgrade look like? why on 4k models the minimum version is up to 4.20 and 3k models is up to 3.60 if I'm not mistaken, or will not have a downgrade? since the syscon keys were discovered in the current firmware (I think).
    5. pinky
      it's not the downgrading that's the problem exactly. the original metldr 's key was found, and that's older slims and phats. 3x and 4x use different keys.
      Algol and Danxx444 like this.
    6. neo88
      Wow friend, I've been reading things related to the type of memory [email protected] chose (EEPROM) and I found that this memory can be read unlimitedly while if it has a writing limit and its programming process is very complex,the work that they have done to collect syscon data is great.
    7. Danxx444
      okay ... thanks..because for a moment I had not thought of that, of course the keys are different lol .... sorry I had not even remembered that lol.
    8. sandungas
      Everything related with the new syscon hacks is like opening a can of worms, there are many experiments that can be tryed now, and all of them are risky, lol

      But what i mentioned in this thread would not allow to install a CFW in a PS3 30xx or 40xx in 4.85... at least not with what i said... if someone adds some hacks to the recipe... maybe... who knows
      Danxx444 likes this.
    9. pinky
      3.56 was hackable as well, but you needed a flasher to do it. 3.55 is just the highest firmware you could install to where you needed nothing else. I think the flasher thing is mentioned with 3.56 on the sku page of psdevwiki.
      Danxx444 likes this.
    10. sandungas
      Rought explain (im ignoring some steps of the boot process)

      When PS3 boots syscon "wakes up" CELL... then CELL takes the "metldr" and copyes it into one of his co-processors (one of the 7 SPUs enabled inside CELL), then decrypts metldr, and since that point metldr decrypts the next stages of the bootchain

      That process of copying metldr into a SPU and decrypt it inside it is named "isolation" because in theory is imposible to access metldr in his decrypted form (CELL doesnt allow to read the SPU contents for security reasons)

      The metldr exploit dumps the metldr from a SPU in his derypted form... and by opening it in a hexeditor they got the key used to decrypt the next stages of the boot process
      So... from that point all the next stages of the boot process was breached (is posible to decrypt the whole firmware, because every stage contains the keys needed to decrypt the next stage)

      To fix that problem sony starting manufacturing the PS3 at factory with a new metldr (containing other different key)... thats the key needed to build a CFW... and is unknown

      Btw, notice the egg-and-chicken of what i explained of the original metldr exploit ?... in CFW we can dump metldr decrypted... but we dont know the key do decrypt it (is CELL who decrypts it while is inside a SPU and we dont know the key)
      So... in CFW we are making a copy of the contents of the egg... but we dont know how to open the egg ;)
      STLcardsWS, DADi590, Algol and 2 others like this.
    11. neo88
      There are many people hopeful that with this you can open a door to CFW but experimenting with syscon can be a suicidal process, as some developer would do to revive a console with corrupted syscon data if he is the one who starts the boot chain.
      Danxx444 likes this.
    12. sandungas
      There are some non-retail PS3 models with an additional daughterboard named the Communication Processor (usually shorted as "CP"), that board have an additional syscon chip, a bit different than the syscon soldered in the motherboard, that syscon have some functions unlocked, and the board runs an small linux
      Is like the PC motherboards with 2 BIOS... if you brick BIOS_1 you can use BIOS_2 to unbrick BIOS_1

      The people researching all this are using that PS3 models, is a lot more safer than using a retail PS3... but i guess some experiments could be dangeros even for that PS3 models
      Yordi, DADi590, Algol and 1 other person like this.
    13. Louis Garry
      Louis Garry
      ros0 and ros1?
    14. sandungas
      No, ros0 and ros1 are inside flash chip
      And syscon have 2 banks inside his eeprom
      I guess are related but i dont know how. The interesting thing is the PS3 have dual boot at several levels

      2 syscon firmwares
      2 ros areas
      2 boot modes (gameOS or otherOS)

      Maybe someone will find a way to use this dual boots with some custom features for something handy. This is one of the reasons why i mentioned the "antibrick" feature in one of my first posts of this thread
      Yordi, DADi590, Louis Garry and 2 others like this.
    15. Fin9ersMcGee
      I like the anti brick ideas.
      The wii had something similar with a different boot partition which could be used to boot before anything else, so you could install onto that to be able to boot into a type of recovery and reflash a backup taken at the start of the hacking process.

      I hope this does become a feature...

      I'm excited to see the possibilities
      DADi590 likes this.
    16. littlebalup
      If we can switch the active ROS in the syscon "manually", we can have a real dualboot system in a single flash chip. Need to swap the hdd too.
      Louis Garry and sandungas like this.
    17. atreyu187

      Well it seems he certainly hasn't left the scene and continues to work on it. Exciting stuff being done.

    18. Vishera
      I wonder if it will be possible to pair a CELL BE from one motherboard to another,
      I heard the pairing is in the syscon.
      Louis Garry likes this.
    19. zecoxao
      nCadeRegal and Danxx444 like this.
    20. sandungas
      For the same reason i stopped login in psdevwiki, it wakes up my homicidal instincts ;(

Share This Page