PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

By STLcardsWS on Sep 2, 2019 at 5:37 PM
    Developer @zecoxao has recently released something that the dev has been working on obtaining for 10 years now, and the obstacle that has now been cleared is the SYSCON Firmware Key, which zecoxao has now released to the public. First off we must erase some misconceptions, as this is not going to directly lead us to a CFW on non-CFW PS3's anytime soon. As the dev stated on twitter: "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else", and then when @kozarovv provided a follow-up question about 3k models here, the developer responded with "don't expect miracles, is all i'm saying". Now the question (which was asked by @DeViL303): "So what can we do with this as of now, what is possible with just this key alone and current knowledge?" Then @zecoxao provides an explanation seen in this post (and also seen below). So this is a great feat that has been made, but it's still being investigated and something that will need to be explored in the weeks to come to fully understand what can be uncovered.


    • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've accomplished my goal. the rest will follow naturally.

      What can developers do with this key?

      via @zecoxao : With this key the following has happened:

      14 syscon firmwares for the BGA models (CXR) were decrypted.
      from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:

      • TMU-510
      • COK-001
      • COK-002
      • SEM-001
      • DIA-001
      • DIA-002 or DEB-001 (same soft id)

      Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
      We also found 7 extra keys (we still don't know what they do)
      Finally, we found out there is a secret keyslot function that generates keys for
      • SNVS
      • AUTH1/AUTH2
      • Regions of EEPROM
      • PATCH keys xoring (to generate the final keys)
      • Relationship with the other 7 Keys

      What still has to be done:
      • Hack the 78K0R chips (the TSOP ones found in later models)
      • Dump the firmware of those chips
      • Get the DYN-001 patch keys
      • Find an exploit on arm firmware that works in 78k0r firmware

      Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!

    Release Source:

    Thanks to @NathanHale for the news alert
    Last edited: Sep 10, 2019
    1. STLcardsWS
      Close but it was the fake rock it was in... ;)

      Nice work @zecoxao
    2. sandungas
      They took the key under the mat, made an imprint of the key shape by pushing it into a chewing gum, then left the key under the mat again to not trigger the alarms, and finally they escaped in stealth mode

      It's the classic secret agent haxoring technique :D
    3. Zeloko
      I would like to know if CFW is possible on the super slim 4000 series?
    4. STLcardsWS

      Front paged and wrote news. Merged original discussion thread and news. All posts after this are after the news went on the mainpage. (Mentioning that as the news itself has mentions and links within this thread.)
    5. Zeloko
      my colleague sent a CFW to test on my super slim 4000 series. I installed the CFW on the super slim and now it turns on and then... how do I get my super slim to run again?
    6. sandungas
      Ask your colleague, sorry but this is offtopic in this thread
    7. zecoxao
      CPA/DPA from a friend of mine. i bought him a chip whisperer, a bottle of wine and an ssd. he did the rest lol
    8. n00b
      Devs had been working on this for more than 10 years and only one guy has got it. May this be the beginning of CFW so that I could load Linux on my PS3 :-p
    9. BeaterEngineering
      We can play PS3 games in 4k?
    10. n00b
      No, we can't. It means PS3 with model 3000 and 4000, not 3k or 4k resolution. These models are non-jailbreakable at this time.
    11. Zeloko
      Only the super slim 3k and 4k cannot run CFW? And the common super slim can run CFW?
    12. n00b
      3k and 4k models are not CFW compatible and previous models are CFW compatible. Non-CFW compatible models can use HEN.
    13. atreyu187

      The Super Slim is the 4k model. And as stated this most likely will NOT lead to CFW.
    14. VTSTech
      I'd really like to see Bricked Flash Recovery from USB :) I've heard that may be possible.
    15. DeViL303
      Thanks for the info @zecoxao.

      So this means we can create these syscon pkgs properly so they are accepted on OFW, BUT only on phat PS3s with the current key?


      If that is the case, I wonder whether we can use some kind of directory traversal attack on files inside the pkg, so that there are a few extra files in there that get installed to dev_flash? Maybe it might be possible to have the HEN files built into the HFW PUP using some kind of trick like this?

      I know HEN is not much use on phats, but it would still be interesting if something like the above hack was possible.
      Last edited: Sep 11, 2019
    16. zecoxao
      That is correct. ONLY for BGA models :)
    17. DeViL303
      That's great. I notice that the syscon firmware installs last in the update process, at least via FSM logs it does. So as it installs last, do you think there is any chance of abusing the syscon FW pkg so that it installs files to dev_flash?
    18. littlebalup
      So only those we know how to fully dump with extra hardware. Need to find a way to fully dump the TSOP ones to go further on slim and superslim. Right?
    19. zecoxao
      The problem with the slim and superslim models is that the eeprom is internal. We cannot dump the patch key for DYN like we could dump the ones for COK/SEM/DIA, because with those we have access to the eeprom, and with the TMU the sys update process happens immediately after the first blob is sent, so we found the key for those fairly easily (as well as the other ones for the BGA patch cipher and hasher)
    20. sb00
      My dad used to tell me "Wish in one hand and **** in the other".

      But seriously, you guys gotta stop asking for this.

