PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

By STLcardsWS on Sep 2, 2019 at 5:37 PM
  1. 9,308

    STLcardsWS Administrator

    Sep 18, 2014
    Likes Received:
    Trophy Points:
    Developer @zecoxao has recently released something that the dev has been working on obtaining for 10 years now and that obstacle that has now been cleared is the SYSCON Firmware Key and zecoxao has now released it to the public. First off we must erase some misconceptions as this is not going to directly lead us to a CFW on nonCFW PS3's anytime soon. As the dev stated on twitter "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else" and then when @kozarovv provided a follow-up question about 3k models here the developer responded with "don't expect miracles, is all i'm saying ". Now the question (which was asked by @DeViL303) "So what can we do with this as of now, what is possible with just this key alone and current knowledge? Then @zecoxao provides an explanation seen in this post (and also seen below). So this is a great feat that has been made, but its still being investigated and something that will need to be explored in the weeks to come to fully understand what we can be uncovered,. .


    • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've acomplished my goal. the rest will follow naturally.

      What can developer's do with this key?

      via @zecoxao : With this key the following has happened:

      14 syscon firmwares for the BGA models (CXR) were decrypted.
      from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:

      • TMU-510
      • COK-001
      • COK-002
      • SEM-001
      • DIA-001
      • DIA-002 or DEB-001 (same soft id)

      Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
      We also found 7 extra keys (we still don't know what they do)
      Finally, we found out there is a secret keyslot function that generates keys for
      • SNVS
      • AUTH1/AUTH2
      • Regions of EEPROM
      • PATCH keys xoring (to generate the final keys)
      • Relationship with the other 7 Keys

      What still has to be done:
      • Hack the 78K0R chips (the TSOP ones found in later models)
      • Dump the firmware of those chips
      • Get the DYN-001 patch keys
      • Find an exploit on arm firmware that works in 78k0r firmware

      Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!

    Release Source:

    Thanks to @NathanHale for the news alert
    Last edited: Sep 10, 2019
    ntodek, smikk, Louis Garry and 16 others like this.


Discussion in 'THE FEED (Submit/View News)' started by STLcardsWS, Sep 2, 2019.

    1. zecoxao
      Yes, @sandungas is right. only until CECH-L. when the TSOP versions show up, which use a 78K0R model, we also tried to attack it but we got unexpected responses. With TSOP the attack used was not a CPA/DPA attack but instead a glitch attack similar to the one fail0veflow made on RL78 models of syscon for the ps4. These were actually the first models we "attacked" but even though there was barely any progress, we still managed to gather some important info about them, which can be found on the wiki
    2. Yordi
      A lot of fake news about it
    3. MegaManX970
      So there's still a small ray of hope with the TSOP chips?
    4. zecoxao
      It'll heavily depend on what we find in the arm firmwares. the door is now semi open. we just need to open it fully.
      mysis, Fin9ersMcGee and Louis Garry like this.
    5. zecoxao
      also, if anyone could check on old sceners like @mysis or @3141card i'd really appreciate it since i have not a lot of experience with RE
      mysis likes this.
    6. sandungas

      A guy finds a secret cave, the first time he enters in it is amazed by the amount of treasures in it, but his time and the amount of weight he can carry is limited, so he needs to make a plan

      The difference here is the time is not limited, and the treasures are not for you but for the whole humanity, nobody is going to steal them, the final goal is to empty the cave completly
      You can grab some treasures today and return the next day to try to grab a few more, take your friends, and a hundred of mules... and repeat

      So you need to start by grabbing the most precious treasures with the smaller size
      Eventually you can grab a few of the big ones, just because are so easy
      The last treasures are going to be the most harder to grab, and will happen at the end when the cave is almost empty :)
    7. Joat.None
      A very significant message ... I'm curious to see what treasures are in the cave ...
      sandungas likes this.
    8. Fin9ersMcGee
      Sandungas, your metaphors are always interesting to read lol
      esc0rtd3w and sandungas like this.
    9. pinky
      ah, a thousand and one nights. that's where a lot of famous arabian tales come from including aladdin and sinbad. I haven't read it though. I took five literature classes in college, and I didn't read that in any of them. lol great use of metaphor @sandungas .
      Anthonyy817 and sandungas like this.
    10. zecoxao
      @sandungas btw, the soft id is also called syscon revision on the decr firmware and on the patch keys it's used to derive them using a decimal representation of the soft id.
      sandungas likes this.
    11. TheMadPolarBear
      Fantastic news! At the risk of getting ahead of myself, what does this mean for things like changing the PS3's region settings for PS1/PS2/DVD's? Will it allow us to modify this?

      Grateful for all the work everyone's put into the PS3 scene.
    12. Fin9ersMcGee
      I thought the ps3 played all regions already.... I might be wrong though
    13. Luisile
      For ps3 games it is region free but not for ps1 and ps2 games
    14. TheMadPolarBear
      Only region free for PS3 games. It's region locked for PS1/PS2/DVD disc based media. I'm hoping that this may allow people to change that in the future.
      Fin9ersMcGee likes this.
    15. Fin9ersMcGee
      Ahhh, specifically ps3 is region free. Learn something new everyday here. Lol.
      And disc based media also.
      I only say as I'm sure i have ps2 isos from US on my EU Ps3.
    16. essm1988
      With syscon firmware key ,is there any chance to install ofw/cfw noBD for phat CECHG directly without tools flasher?

      I want fix my phat ps3 with broken bd
      Last edited: Sep 17, 2019
    17. John1980
      Shortly yes
      essm1988 likes this.
    18. sandungas
      How ? :rolleyes:
      jacobsson and Tidjane Ly like this.
    19. erjuancho2012
      But does your console have a brick? turn the second on and off?
    20. essm1988

      My console it stuck in update loop, it update until 70% then show error because it miss blueray drive and also a slot for BD which locate on motherboard is broken.

      so the only way to fix this problem is patch nand with tool flasher then install CFW noBD, I tried it with tool flasher but it not worked because bad dump
      Last edited: Oct 5, 2019

Share This Page