Clarifying the confusion on the PS3 development
If you read my post about the LV0 keys being leaked recently then you know it could be a lot to take in and hard to understand. Hopefully this will help clear everything up.
Marcan, a valuable asset of the Wii and PS3 hacking scenes, has made some posts that will help clear the air. They clarify and break things down even further than my original article did, both technically and in simple terms. I’ve bolded the important parts of his answers that you should pay attention to.
More Technical Information
“The first-stage bootloader is in ROM and has a per-console key which is effectively in tamper-resistant silicon. The second-stage bootloader (bootldr) is encrypted with the per-console key, but is not upgradable and is the same for all consoles (other than the encryption wrapper around it). This second-stage bootloader verifies lv0. Sony signed lv0 using the same broken process that they used for everything else, which leaks their private key. This means that the lv0 private key was doomed from the start, ever since we demonstrated the screwup at the Chaos Communication Congress two years ago.
However, because lv0 is also encrypted, including its signature block, we need that decryption key (which is part of bootldr) before we can decrypt the signature and apply the algorithm to derive the private key. We did this for several later-stage loaders by using an exploit to dump them, and Geohot did it for metldr (the “second root” in the PS3’s bizarre boot process) using a different exploit (we replicated this, although our exploit might be different). At the time, this was enough to break the security of all released firmware to date, since everything that mattered was rooted in metldr (which is bootldr’s brother and is also decrypted by the per-console key). However, Sony took a last ditch effort after that hack and wrapped everything after metldr into lv0, effectively using the only security they had left (bootldr and lv0) to attempt to re-secure their platform.
Bootldr suffers from the same exploit as metldr, so it was also doomed. However, because bootldr is designed to run from a cold boot, it cannot be loaded into a “sandboxed” SPU like metldr can from the comfort of OS-mode code execution (which we had via the USB lv2 exploit), so the exploit is harder to pull off because you don’t have control over the rest of the software. For the exploit that we knew about, it would’ve required hardware assistance to repeatedly reboot the PS3 and some kind of flash emulator to set up the exploit with varying parameters each boot, and it probably would’ve taken several hours or days of automated attempts to hit the right combination (basically the exploit would work by executing random garbage as code, and hoping that it jumps to somewhere within a segment that we control – the probabilities are high enough that it would work out within a reasonable timeframe). We never bothered to do this after the whole lawsuit episode.
Presumably, 18 months later, some other group has finally figured this out and either used our exploit and the hardware assistance, or some other equivalent trick/exploit, to dump bootldr. Once the lv0 decryption key is known, the signing private key can be computed (thanks to Sony’s epic failure).
The effect of this is essentially the same that the metldr key release had: all existing and future firmwares can be decrypted, except Sony no longer has the lv0 trick up their sleeve. What this means is that there is no way for Sony to wrap future firmware to hide it from anyone, because old PS3s must be able to use all future firmware (assuming Sony doesn’t just decide to brick them all…), and those old PS3s now have no remaining seeds of security that aren’t known. This means that all future firmwares and all future games are decryptable, and this time around they really can’t do anything about it. By extension, this means that given the usual cat-and-mouse game of analyzing and patching firmware, every current user of vulnerable or hacked firmware should be able to maintain that state through all future updates, as all future firmwares can be decrypted and patched and resigned for old PS3s. From the homebrew side, it means that it should be possible to have homebrew/linux and current games at the same time. From the piracy side, it means that all future games can be pirated. Note that this doesn’t mean that these things will be easy (Sony can obfuscate things to annoy people as much as they want), but from the fundamental security standpoint, Sony doesn’t have any security leg to stand on now. It does not mean that current firmwares are exploitable. Firmware upgrades are still signed, so you need an exploit in your current firmware to downgrade. Also, newer PS3s presumably have fixed this (probably by using newer bootldr/metldrs as trust roots, and proper signing all along).”
They are indeed the bootldr keys (I was able to decrypt an lv0 with them). Consider this confirmation that the story is not fake.
Can this be used to sign binaries to run homebrew on OFW PS3s (ala the PSP key leak)? Are those private keys sufficient to sign homebrew software such that they will run in unmodified firmware?
No. The keys are used for two purposes: chain of trust and chain of secrecy. The compromise of the keys fully compromises the secrecy of the PS3 platform permanently, as you can just follow the links down the chain (off-line, on a PC) and decrypt any past, current, or future firmware version. Current consoles must be able to use any future firmware update, and we now have access to 100% of the common key material of current PS3s, so it follows that any future firmware decryptable by current PS3s is also decryptable by anyone on a PC.
However, the chain of trust can be re-established at any point along the line that can be updated. The chain of trust is safely rooted in hardware that is near impossible to modify (i.e. the CPU’s ROM and eFuse key). The next link down the chain has been compromised (bootldr), and this link cannot be updated as it is specific to each console, so the chain of trust now has a permanent weak second link. However, the third link, lv0, can be updated as it is located in flash memory and signed using public key crypto. This allows Sony to secure the entire chain from there onwards. Unless you find a vulnerability in these updated links, you will not be able to attack them directly (applications, e.g. homebrew software, are verified much further down the chain). The only guaranteed way to break the chain is to attack the weak link directly, which means using a flash writer to overwrite lv0. Once you do so, the entire chain collapses (well, you still need to do some work to modify every subsequent link to turn off security, but that is easy). If you have old firmware, you have at least some other weak links that, when compromised, allow you direct access to break the bootldr link (replacing lv0), but if you run up to date firmware you’re out of luck unless you can find a weakness or you use hardware.
Old PS3s are now in the same boat as an old Wii, and in fact we can draw a direct comparison of the boot process. On an old Wii, boot0 (the on-die ROM) securely loads boot1 from flash, which is securely checked against an eFuse hash, and boot1 loads boot2 but insecurely checks its signature. On an old PS3, the Cell boot ROM securely loads bootldr from flash, which is securely decrypted and checked using an eFuse key, and then bootldr loads lv0 but checks its signature against a hardcoded public key whose private counterpart is now known. In both cases, the system can be persistently compromised if you can write to flash, or if you already have code execution in system context (which lets you write to flash). However, in both cases, you need to use some kind of high-level exploit to break into the firmware initially, particularly if you have up-to-date firmware. It just happens that this is trivial on the Wii because there is no game patch system and Nintendo seems to have stopped caring, while this is significantly harder on the PS3 because the system software has more security layers and there is a game patch system.
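The “broken process” Marcan keeps referring to is the ECDSA signing flaw fail0verflow demonstrated at the Chaos Communication Congress: the per-signature random value (the nonce) was reused, and two signatures sharing a nonce are enough to solve for the private key. The toy implementation below is an added example, not code from Marcan, fail0verflow or this post. It uses a constructed textbook curve over F_17 (generator of order 19) so every number can be checked by hand, a deliberately broken signer with a constant nonce, a corrected signer that derives the nonce deterministically from key and message (in the spirit of RFC 6979 but not its exact derivation, which is an assumption of this example), and the audit check a reviewer would run over a batch of signatures: any repeated r value is the tell-tale of nonce reuse.

```python
"""Toy ECDSA to show why a reused nonce is fatal, and what the fixed signer and audit look like."""
import hashlib

# Constructed textbook curve y^2 = x^3 + 2x + 2 over F_17; G has order 19. Toy sizes only.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19          # order of G
INF = None      # point at infinity


def _inv(x, m):
    return pow(x, -1, m)


def point_add(p1, p2):
    """Affine addition on the toy curve, covering doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add; k * point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_with_nonce(priv, h, k):
    """Raw ECDSA: the caller supplies the nonce k, which must be secret and never repeat."""
    r = scalar_mult(k, G)[0] % N
    s = _inv(k, N) * (h + priv * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return (r, s)


def sign_fixed_nonce(priv, h):
    """The broken pattern: the 'random' nonce is a constant, so every signature shares r,
    and two such signatures let anyone solve for priv."""
    return sign_with_nonce(priv, h, 4)


def sign_deterministic(priv, msg):
    """Mitigation: derive k from the private key and the message, so a nonce can only repeat
    when the message does (hypothetical derivation; RFC 6979 specifies a different one)."""
    h = hash_to_int(msg)
    counter = 0
    while True:
        seed = priv.to_bytes(4, "big") + msg + counter.to_bytes(4, "big")
        k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        try:
            return sign_with_nonce(priv, h, k)
        except ValueError:
            continue


def verify(pub, h, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    u1, u2 = h * w % N, r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    return pt is not INF and pt[0] % N == r


def audit_nonce_reuse(signatures):
    """Detection: return every r value that appears in more than one signature of a batch."""
    seen, reused = {}, set()
    for r, _ in signatures:
        seen[r] = seen.get(r, 0) + 1
        if seen[r] > 1:
            reused.add(r)
    return reused
```

With private key 3 (public key 3G = (10, 6)), the fixed-nonce signer produces (3, 12) for h = 1 and (3, 17) for h = 2; both verify, and `audit_nonce_reuse` flags r = 3. On this 19-element toy group two honest signatures can still share r by chance, so the audit is only meaningful on a real-sized curve, where a repeated r is never an accident.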
Breaking it down into simple and easy to understand words
Since Marcan’s answers can be a bit difficult to digest, I’ve broken them up into the form of questions and answers with the special help of ViRGE. This should clear a lot of it up for those who are less technical.
Q: What exactly has been recovered?
A: The keys used by bootldr to decrypt/verify lv0, and by reversing the process the private keys used by Sony to sign lv0. If we consult our handy 3.60+ chain of trust diagram, we can see that bootldr is at the very root of the chain of trust, with lv0 being the first module it loads.
[Image: 3.60+ chain of trust diagram]
Q: So what can we do with the lv0 signing key?
A: In short, we can use it to decrypt lv0, modify it to patch out any lv0 security checks, and resign it with a legitimate key that bootldr will accept. With the chain of trust broken and lv0 no longer enforcing the security of the modules that it controls, we can then start modifying lv1ldr, lv2ldr, appldr, isoldr, etc to patch out their security checks and add CFW functionality.
Q: Can Sony “fix” this like they did for the 3.55 exploit?
A: No. With 3.55 the keys metldr used to verify its dependent modules were recovered. So Sony simply stopped using the now-insecure metldr and started using bootldr (which was still secure) to load. Sony doesn’t have any more secure modules like bootldr left, so as I said in my original post, they have no options and can’t fix anything; without getting too technical, we now have the keys to every “common” hardware module that is able to decrypt Sony-signed modules. The only things left are the modules that use per-console keys, which are useless for booting common firmware (which must be decryptable by every PS3).
Q: So bootldr is fixed in hardware?
A: Correct. Like metldr, bootldr cannot be software updated by Sony. It’s hard-coded in hardware. As a reminder, bootldr/metldr themselves can’t be exploited, but because of the keys we have recovered we can make them load anything we want, nullifying whatever security they provide.
Q: What about future firmwares?
A: Good news! We can decrypt those too. Sony can use various coding tricks to make the process more difficult (this is called obfuscation), but they can’t stop us by using keys. We will always be able to decrypt lv0, and as long as we can figure out how to navigate lv0 we can figure out how to decrypt and modify its dependent modules. For those of you who follow Sony hardware, this is much like how the earlier PSPs were hacked. So we can always decrypt the firmware and will be able to create newer CFWs as long as we can get past any obfuscation by Sony.
Q: So the PS3 is utterly and completely broken?
A: To an extent, yes. It’s debatable, but unlike the 3.55 hack we now have almost everything needed. Sony will never be able to re-secure existing consoles.
Q: What about consoles running firmware newer than 3.55?
A: Because all “old” consoles use the same keys to verify modules like lv0, at a minimum we can decrypt, patch, and resign the firmware. The problem is that we need a way to convince the PS3 to flash our modified firmware. With 3.55 and below that was easy enough to do because of the keys recovered, but 3.56 and later change that so that flashing is more complex than just using the recovered keys. This isn’t an insurmountable problem – hardware flashers will always work – but for easy software flashing we need to find new exploits in the PS3 software stack to convince OFW consoles to flash CFW.
Q: What about newer consoles?
A: So here’s the real problem. Remember how we said bootldr and metldr are fixed in hardware? Sony can create new hardware, and update those modules in the process. By using new hardware in conjunction with new firmware for that hardware, Sony could completely change the keys used to secure the system. Without getting too technical, all of this progress comes from the fact that Sony was sloppy and did a poor job of implementing their security on earlier consoles, which is what led to the first keys being leaked. Sony could always issue new hardware with new keys and a fixed security system, at which point we’d be completely locked out of that new hardware. It’s entirely possible they’ll do this (if they haven’t done so already), so much like the PSP we’re going to end up with a limited number of consoles that have hardware-based flaws that can be exploited. Of course we then found new ways of exploiting the PSP anyhow, and ultimately were able to exploit every PSP made in one way or another.
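The Q&A above and Marcan’s “chain of trust versus chain of secrecy” answer describe three links: a fixed bootldr holding the keys for lv0, an updatable lv0 holding the keys for the next loader, and the loaders below. The model below is an added example, not code from the post or from any PS3 tooling; it stands in HMAC tags for signatures and a keystream XOR for the loader encryption (both constructed toys, where the real chain uses ECDSA and block ciphers), and uses made-up key labels. It shows the three outcomes the text states: with bootldr’s fixed key material every stage is readable offline even after Sony re-keys lv0 (secrecy is gone for good); a module built with the old keys is refused by a re-keyed lv0 (trust below lv0 can be re-established); and because bootldr’s keys are known, a replaced lv0 is accepted, which is why flash write access is the boundary that matters.

```python
"""Toy model of the bootldr -> lv0 -> lv1ldr chain: secrecy vs trust after a key leak."""
import hashlib
import hmac

KEY_LEN = 16
TAG_LEN = 32


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy "cipher": XOR with a key-derived stream. Symmetric, so it also decrypts.
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def package(payload: bytes, enc_key: bytes, sign_key: bytes) -> bytes:
    """Sign, then encrypt. As with lv0, the signature block sits inside the encrypted blob."""
    tag = hmac.new(sign_key, payload, hashlib.sha256).digest()
    return _xor_stream(enc_key, payload + tag)


def unpack(blob: bytes, enc_key: bytes, sign_key: bytes):
    """A loader's view of its next stage: decrypt, then verify. None means refuse to boot."""
    plain = _xor_stream(enc_key, blob)
    payload, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(sign_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def decrypt_only(blob: bytes, enc_key: bytes) -> bytes:
    """Offline decryption with no verification: all the chain of secrecy depends on."""
    return _xor_stream(enc_key, blob)[:-TAG_LEN]


def _key(label: str) -> bytes:
    return label.encode().ljust(KEY_LEN, b"\0")


# Constructed key material. bootldr's keys for lv0 are burned in and cannot be changed.
BOOTLDR_KEYS = (_key("lv0-enc"), _key("lv0-sign"))
OLD_LV1_KEYS = (_key("lv1-enc-old"), _key("lv1-sign-old"))
NEW_LV1_KEYS = (_key("lv1-enc-new"), _key("lv1-sign-new"))


def build_flash(lv1_keys, lv1_body: bytes) -> dict:
    """lv0's payload is the key material it uses for lv1ldr; lv1ldr is packaged under it."""
    lv0_body = lv1_keys[0] + lv1_keys[1]
    return {"lv0": package(lv0_body, *BOOTLDR_KEYS),
            "lv1ldr": package(lv1_body, *lv1_keys)}


def boot(flash: dict):
    """Walk the chain from bootldr. Returns the lv1ldr payload, or None at the first bad link."""
    lv0 = unpack(flash["lv0"], *BOOTLDR_KEYS)
    if lv0 is None:
        return None
    lv1_keys = (lv0[:KEY_LEN], lv0[KEY_LEN:2 * KEY_LEN])
    return unpack(flash["lv1ldr"], *lv1_keys)


def read_everything_offline(flash: dict, bootldr_enc_key: bytes) -> bytes:
    """Chain of secrecy: with bootldr's fixed key, every stage is readable without booting,
    whatever keys a re-keyed lv0 carries, because they are read straight out of lv0."""
    lv0 = decrypt_only(flash["lv0"], bootldr_enc_key)
    return decrypt_only(flash["lv1ldr"], lv0[:KEY_LEN])


def stale_lv1_against_rekeyed_lv0(flash: dict):
    """Chain of trust below lv0: a lv1ldr built with the old, known lv1 keys is rejected once
    lv0 has been re-keyed, so without write access to lv0 the lower links hold."""
    tampered = dict(flash, lv1ldr=package(b"patched lv1ldr", *OLD_LV1_KEYS))
    return boot(tampered)


def replaced_lv0():
    """The permanent weak link: bootldr accepts any lv0 packaged under its known keys,
    so whoever can write lv0 to flash chooses the keys for everything below it."""
    return boot(build_flash(OLD_LV1_KEYS, b"patched lv1ldr"))
```

`build_flash(NEW_LV1_KEYS, ...)` plays the role of a re-keyed firmware: `boot` accepts it, `read_everything_offline` still recovers the lv1ldr payload with nothing but bootldr’s key, `stale_lv1_against_rekeyed_lv0` returns None, and `replaced_lv0` boots the patched payload. The model deliberately has no per-console secrets below bootldr, matching Marcan’s point that the per-console key only wraps material that is identical on every console.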
If you are on anything higher than 3.55 it doesn’t mean you are out: there are ways to downgrade if your model is one that’s able; otherwise you just can’t do anything right now until more dev work is done. So sit tight and hold on. Again, stay tuned; more info and news will definitely be coming.



1st also tl;dr
I understand it’s long, that’s why I bolded the parts that are important in his answers. This was necessary, it’s a big topic 🙂
One thing I do not understand:
“but 3.56 and later change that so that flashing is more complex than just using the recovered keys.”
What changed?
And what exactly must be done for 3k/4k models?
Does this leak help them in any way?
I assume he means that Sony fixed their ECC private key generation so you can’t easily recover the private key and use it to sign an updater that the console will just run.
boo tl;dr !
NICE STUFF
I follow the ps3 scene just like I do the vita here… I just remain silent on the others. Been on 3.55 since it was current, loaded karoktos flawed cfw but got lucky and didn’t brick… Stayed with that till rogeros update a few weeks ago. I encourage you to give us more updates as you can to keep me from navigating away from this site. Others would disagree, but I look for homebrew to incorporate the vita cross functions so it is valid here too.
umm kakaroto never had a flawed cfw, in fact his was one of the best. He even made the MFW builder, unless u mean Waninkoko. Get ur story st8 bro.
My bad, that sounds more familiar, it was over 2 years ago, sorry.
so now we make(ps3) …..frakenstine…..
so any way one rackmontable system thinking…
you should add what can be done if you are on 4.xx
At the moment 4.20 can be downgraded with a hardware flasher, same as it was. Cfw for 4.25 will show up pretty soon because of this.
I also think that downgrade to 3.55 will only work if the PS3 came with this from the factory. If the PS3 came with i.e firmware 3.70 to begin with, then downgrade with a hardware flasher to 3.55 will not work.
Yeah, you can only go back to the base.
Thanks for posting this, it ought to clear things up for the doomsayers. Here’s hoping that no one kicks out a way to install CFW on 3.6+ anytime soon.
nice work! I can’t wait
OMG I can’t wait, that’s an incredible achievement. I’m ready for the next step… (I pray for an upcoming cfw for 4.xx which could be installed without a hardware flasher.)
Can’t wait to get the Super Slim PS3 now!
the superslim will be factory OFW 3.6+, thus non-hackable
Great article!
wait. so that means that CFW for slims is inevitable? What about lv0.2 and all that?
That’s for the new super slims coming out.
lv0.2 are used on some of the old Slim model too.
I’m on 4.25, I have an “old” ps3, should I stay on 4.25 and wait for CFW or would it be ok to update to 4.30? Is it reasonable that there could be a way to go from 4.25-4.30 OFW to CFW without extra hardware any time soon?
not too sure. I would stay if u intend to go cfw in the near future. Sony released that literally the next day after they announced that they would be releasing 4.21 cfw
only way to exploit ps3 is to downgrade to 3.55 with a hardware flasher.
no exploit has been found for 3.6+ ,this means that any new exploit found has as much chance to run on current firmware as it does to run on older firmware.
so if you like online play then I would just update if I was you.
I saw that they were updating to 4.30 the day after the release of 4.21/4.25, so I downloaded the 4.25 ofw just in case I need to be on that. It’s just a matter of time till we get a new cfw that sup fit our needs.
I have a 3.55 cfw and a 4.25 ofw as my official console. I also have a 4.20 ofw, 3.56 ofw and a 3.67 ofw with broken disk drives just for *** and giggles. I can’t wait to use a new cfw to and with my vita via remote play. It has to be better than using it via mobile phone
Want to sell the one without a drive? That’s all I’m using right now and I need another to put in my blockbuster kiosk I got when they went out of business.
Thank you! I’m wondering though…if I want to get a PS3 that is vulnerable to this, should I get one now before Sony releases new PS3s with different lv0 keys?
/facepalm
I left the ps3 scene a long time ago, my ps3 is still on 3.55 kmeaw cfw, it’s a slim, anyone in UK interested? I only used it to emulate snes and stuff – piracy was never an interest to me. I’m selling it for £150 with 250gb and all accessories, in perfect condition. I don’t need the money or the console, I’m no longer a gamer, video games are simply too boring for me now – snes was to me the best console and that’s what I used my ps3 for (snes emulator).
My bad, I didn’t realise that snes is also piracy lol, but yeah I never played any pirated ps3 games on it or intend to do so in the future.
I’d buy it, but I live in the states.
how much do you want for it? .. I live in the uk
oh £150 … whats your skype?
ok £150 .. whats your skype mate ?
Hi I’m interested in your console my Skype is brad.barlow14 my psn is X—BradB—X please contact me as I would like to purchase your console
being new to the PS3 scene and reading this just made my head hurt lol. What I understood is I need to downgrade my current firmware first before I can make it a CFW..
I wish we had a FAQ about this topic…
“Bootldr suffers from the same exploit as metldr”…
That’s not true!
I would like to know how it was possible to get the lv0 Keys?
Nobody is talking of that.
Also I never read how the dongle faction could get games to run on 3.55+
Would be great if somebody could write understandably, like here, about the past and how it came to this right now 😉
thx
Marcan postulated on one possible method: using a hardware device to provide bootldr with bad data (fuzz testing) until it gave up control to the hackers.
“For the exploit that we knew about, it would’ve required hardware assistance to repeatedly reboot the PS3 and some kind of flash emulator to set up the exploit with varying parameters each boot, and it probably would’ve taken several hours or days of automated attempts to hit the right combination (basically the exploit would work by executing random garbage as code, and hoping that it jumps to somewhere within a segment that we control – the probabilities are high enough that it would work out within a reasonable timeframe). We never bothered to do this after the whole lawsuit episode.”
Oh cool. I didn’t think anyone outside the Wololo forums would ever see this, so I’m glad to see this is helping more PS3 owners.
Hi @ all,
I have a SLIM CECH-2504A with 4.25 on it. Do I have to downgrade this ps3 to 3.55 to use future cfws, or can I install these future cfws on my ofw 4.25?
thx in advance,
j0k3r.
Right now you would have to downgrade, but read the last paragraph and you’ll see your answer.
uhhh.. I saw a report about the leak on bbc world news
So is this ‘compatible’ with the old fat ps3’s ?
stupid work
R.I.P Sony 🙁
Actually this is good news for Sony (good news considering the situation). That you need to be on firmware 3.55 or use a flasher to be able to do this will limit how much this is used. A lot of people don’t want to open their PS3 to flash it, and a lot of people are on firmware 3.60+.
Interesting news. However, I don’t see a lot of people being willing to risk their expensive PS3 by opening and downgrading it. In addition, there is the PS Plus membership to consider.
If signing homebrews were possible, even for a particular firmware (firmware by firmware), that would be great. Note: one could possibly write an article about PS3 homebrews.
what about psn? will that be available to cfw users?
Yes it will, for now.
so I am on 4.25 ofw, can I stay there and wait for cfw or do I have to downgrade my ps3, and with what?
that feel when lv0.2
I know that feel
So let me make sure I get this right: if I should wait, I may be able to go from my current 4.25 OFW to a CFW as though I were installing an OFW, without having to open and modify my console? I don’t care about the modding itself, I hate the way it looks like my PS3 just shat its innards all over my tv stand. Likewise I do have a PS+ subscription and I’m not overly worried about losing it, but I do still buy games from the PSN. Is it safe to assume, provided the right console, one can run a custom without fail that will be PSN able, and the new cat and mouse game will be keeping it PSN able? Big Borderlands 2 player and loathe to leave the multiplayer online behind just yet…
so it’s not gonna work on PS3 Slim Models CECH-3001A/B 4.25 OFW, I should just update to 4.30 OFW?
Will this make it possible to run backups and play on the psn without a possible ban or brick?? Or is the only way still dual boot loader through the dongle??
I want that PS3 at the top of the screen… (It’s probably photoshopped, but I don’t know.) Would be the best PS3 for putting CFW on. It just screams “Pirate”.
Wololo…. What in the world happened to you? Your beliefs seem to waver in the wind? At one time you were all for giving users control of their hardware, now you’re calling firmware hackers “jerks”?
I don’t get it. How can a person’s beliefs change so radically overnight?
I mostly overlooked the fact that you reneged on your boycott of sony by going right out and buying a PS vita… after all, geeks love tech….. but with this……. it’s getting harder and harder to respect you, or even take you seriously.
Wololo, there’s an old saying… it goes something like this “If you don’t stand for something, you’ll fall for anything.”
*oops* I retract my previous statement, I see the two PS3 articles were not written by wololo.
Even still…. more power to the hackers!!!! BURN SONY BURN!!!!!
Just to be clear, my view isn’t on firmware hackers, it’s the dongle teams that decide to charge for exploits and hacks. Especially this one, who stole another team’s work and wanted to profit from it.
Ok, on that point I agree, stealing someone’s work and then profiting from it… yeah, there’s not much more of an insult than that.
I apologize for reading more into your statement than was actually there.
If sony update Hardware even will be able to launch games or eboot signed to run on theses new hardware then.
Sorry but sony will and no would launch another new revision of Super slim at time just have one unique option.
Accelerate the new PS4.
And try to update the system all the time.
Maybe if the 8th CPU inside the PS3 were used for security, well, all history could change, but I can’t imagine this happens because it is a CPU for backup, like RAID 5 is for HDDs on PC.
Quick question, is this structure from an old PS3 FAT? Like the first ones that came out with the PS2 emulator built in. I’m just asking cause (and don’t chop my head) I was looking at lv2_kernel.self and noticed root ps2_ (emu.self, gxemu.self, softemu.self). Is this anything to do with the PS2 emulator? Would the layout look different on newer fats and slims that don’t have the PS2 emulators? Like would there be just Lv0 and Lv1? Noob question but I was curious.
Hi @Jd8531, I liked your article but I think you forgot to explain better which models the hack works on, because there’s a dude that read your article and didn’t understand it after all.
The new PS3s that come with factory OFW higher than 3.60 have a new lv0.2 without known keys (yet)… so these models can’t be hacked with either the lv0 keys or the metldr method… the models are those shipped by Sony after July, 2011… the Slim CECH-30* (and some CECH-20*) and all Super Slims.
Can you just confirm if I’m right/wrong, or just update your article for better clarification, just so that dude understands how the hack works.
Thanks so much.
yes I really need to know if my CECH-3001a/b is gonna work with CFW in future
I have a cech-3001 a
does it work
I just got info on ps3 CECH-3001a/b 4.25 OFW: you need 0.2 lvl keys, so I’ll just update to 4.30 OFW. CECH-3001a/b 4k is not gonna be CFW, forget it