PS4 Syscon keys allegedly disclosed, could ultimately mean PS4 downgrade is possible

The PS4 Syscon Chip (source Fail0verflow)
Scene member LightningMods yesterday disclosed a series of encryption keys that are claimed to be the PS4 Syscon keys. This comes a few weeks after team Fail0verflow published a lengthy explanation of how they hacked into the PS4 syscon, along with accompanying software tools. Knowledge of some of the Syscon secrets could lead to PS4 downgrades down the road.
What is PS4 Syscon, and why is it interesting for you?
The System Controller is a chip on the PS4, which is in charge of powering up other components of the system and communicating with them. According to hackers, it also happens to be storing some data on behalf of SAMU, the PS4 security processor.
As ps4_enthusiast from Fail0verflow puts it:
flash internal to syscon is used as a small region of nonvolatile storage for other components on the system. The syscon-internal flash contains nvs and snvs regions which are accessible via icc.[…] snvs is used expressly by the security processor (SAMU) inside the APU.
Because of its interaction with the SAMU processor, Fail0verflow believe that access to some of syscon’s data could help with further hacking of the PS4, including possible downgrades. They state (emphasis mine):
This data is arranged in 0x20 byte “sectors”, upon which XTS is used by SAMU (with XTS sector size = 0x200 bytes…), with a key only accessible by SAMU. So the actual data is opaque to pretty much everything outside SAMU. The communication between SAMU and snvs is additionally CMAC’d, so even though the traffic flows over icc and is thus easy to man-in-the-middle, any changes to requests to snvs or replies to SAMU will result in failed transfers. To protect against replay attacks at the icc level, nonces are used.
Clearly there is some interesting data being stored in snvs, and SAMU must trust this data to some extent. Since the use of CMAC entails there’s a shared secret in both SAMU and syscon, it becomes possible to at least replay old traffic, if the CMAC key can be extracted from syscon. From reversing x86 FreeBSD, we knew that SAMU stores system firmware version and manufacturing mode information in snvs (among other things). Therefore, being able to replay old snvs replies should allow downgrading firmware – a capability normally prohibited.
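To make the replay argument above concrete, here is a small Python model, added for this article and not Fail0verflow's code or tooling, of a request/reply exchange that is authenticated with a shared-secret MAC and bound to a nonce. Everything in it is constructed: the message layout and the 8-byte nonce width are assumptions (the post does not give them), HMAC-SHA256 stands in for AES-CMAC, the key is made up, and the "version" sector content is a placeholder. Only the structure follows the text: 0x20-byte snvs sectors, a CMAC over both directions of the icc traffic, and a nonce against replay.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the CMAC key shared by SAMU and syscon (not a real key).
SHARED_KEY = b"constructed-example-key-not-from-the-page"
SECTOR_SIZE = 0x20   # snvs sector size as stated in the post
NONCE_LEN = 8        # assumption: the post does not state the nonce width
TAG_LEN = 16


def tag(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 truncated to 16 bytes stands in for AES-CMAC here."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Syscon:
    """Stores opaque snvs sectors; answers only well-tagged requests and echoes the nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.snvs = {}   # sector index -> 0x20 bytes, opaque to syscon

    def handle(self, request: bytes):
        body, t = request[:-TAG_LEN], request[-TAG_LEN:]
        if not hmac.compare_digest(t, tag(self.key, body)):
            return None                                  # tampered request: transfer fails
        nonce, op, sector = body[:NONCE_LEN], body[NONCE_LEN], body[NONCE_LEN + 1]
        if op == 0x01:                                   # read
            data = self.snvs.get(sector, bytes(SECTOR_SIZE))
        else:                                            # write
            data = body[NONCE_LEN + 2:NONCE_LEN + 2 + SECTOR_SIZE]
            self.snvs[sector] = data
        reply = nonce + data                             # reply carries the caller's nonce
        return reply + tag(self.key, reply)


class Samu:
    """Issues requests over a bus callable; rejects bad tags and replies for a stale nonce."""

    def __init__(self, key: bytes, bus):
        self.key = key
        self.bus = bus

    def transact(self, op: int, sector: int, payload: bytes = b"") -> bytes:
        nonce = os.urandom(NONCE_LEN)
        body = nonce + bytes([op, sector]) + payload
        reply = self.bus(body + tag(self.key, body))
        if reply is None:
            raise ValueError("syscon rejected request (bad CMAC)")
        rbody, rtag = reply[:-TAG_LEN], reply[-TAG_LEN:]
        if not hmac.compare_digest(rtag, tag(self.key, rbody)):
            raise ValueError("reply CMAC mismatch")
        if rbody[:NONCE_LEN] != nonce:
            raise ValueError("reply nonce mismatch (replay)")
        return rbody[NONCE_LEN:]


def run_scenarios() -> dict:
    """Returns what each kind of interference on the icc bus produces under this scheme."""
    syscon = Syscon(SHARED_KEY)
    captured = []                       # replies seen by a passive observer on the bus

    def honest_bus(req):
        rep = syscon.handle(req)
        captured.append(rep)
        return rep

    samu = Samu(SHARED_KEY, honest_bus)
    # Constructed placeholder for a "firmware version" sector: an old value, then a newer one.
    samu.transact(0x02, 0, b"ver-old".ljust(SECTOR_SIZE, b"\0"))
    samu.transact(0x01, 0)              # this read of the old value is now in `captured`
    old_reply = captured[-1]
    samu.transact(0x02, 0, b"ver-new".ljust(SECTOR_SIZE, b"\0"))

    results = {}

    # 1. A bit flip on the wire: the CMAC on the reply no longer verifies.
    def flipping_bus(req):
        rep = syscon.handle(req)
        return rep[:NONCE_LEN] + bytes([rep[NONCE_LEN] ^ 0xFF]) + rep[NONCE_LEN + 1:]
    try:
        Samu(SHARED_KEY, flipping_bus).transact(0x01, 0)
        results["tamper"] = "accepted"
    except ValueError as e:
        results["tamper"] = str(e)

    # 2. Replaying the captured old reply verbatim: the tag is valid, the nonce is stale.
    try:
        Samu(SHARED_KEY, lambda req: old_reply).transact(0x01, 0)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)

    # 3. Honest read: the current sector content comes back.
    results["honest"] = samu.transact(0x01, 0).rstrip(b"\0")

    # 4. The same old reply re-tagged under the shared key for the fresh nonce. This is
    #    the post's point: the nonce only helps while the key stays inside syscon.
    def retag_bus(req):
        body = req[:NONCE_LEN] + old_reply[NONCE_LEN:-TAG_LEN]
        return body + tag(SHARED_KEY, body)
    results["replay_with_key"] = Samu(SHARED_KEY, retag_bus).transact(0x01, 0).rstrip(b"\0")
    return results
```

The first two scenarios are what the CMAC and nonce buy: a tampered reply fails the MAC check, and a verbatim replay of an older reply fails the nonce check even though its tag is valid. The last scenario is the reasoning in the quote above: because the MAC key is a symmetric secret held by both sides, anyone who extracts it from syscon can re-tag an old sector value for whatever nonce SAMU just sent, and the check passes. The nonce is therefore exactly as strong as the secrecy of that key.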
What are the keys that were revealed today?
The keys disclosed by LightningMods could help the scene build syscon firmware update patches that any PS4 would accept as official and install without a problem. Furthermore, downgrades could even become possible down the road.
Here again, quoting from Fail0verflow:
The RL78 security key is global across syscons, so once it’s known only the initial simple glitch is needed to get full OCD access. Knowledge of the firmware updates keys means we can encrypt and sign our own patch files (it’s not explained in depth in this blog post – but syscon on retail PS4s is locked down to only support patching, not full update images). Custom patches are still enough to introduce permanent code changes to syscon firmware without mucking around with glitching at all. Lastly, the snvs keys do allow downgrading the system firmware version (although there are some complexities involved).
Some of the keys described above, as disclosed by LightningMods, can be found below:
FW_AES: 5301C28824B57137A819C042FC119E3F
FW_CMAC: 8F215691AC7EF6510239DD32CC6A2394
PTCH_AES: EF90B21B31452379068E3041AAD8281E
PTCH_CMAC: 95B1AAF20C16D46FC816DF32551DE032
RL78_ID: 3A4E6F743A557365643A
Are these keys permanently hard coded, or could Sony just update them in a future firmware upgrade?
This is what I wanna know too, so I can finally try PSN till 50NY patches it, so I can go back to 5.05.
I like keys
I put “keys” inside you
ಠ_ಠ
Based on how the PS3 is downgraded nowadays, it might be the same scenario here, where it's limited by how low the base firmware the PS4 shipped with is: if it shipped with 5.50, then it can't be downgraded to 5.05.
That’s almost certainly true.
Oooooh.
Sweet, finally the ps4 scene will be revived again.
The keys, Mason, that's all we ever wanted was the keys.
Do we need some hardware programmer, or would it be just like ps3xploit?
Well, hopefully it's like PS3 and doesn't need to be torn apart and soldered, cuz if it does you'll see a lot of "I bricked my ps4 bcuz of u not explaining it well" and it'll be because they suck at soldering.
Great, I'm waiting for the mod.
I'm interested in knowing more about the hacking of the consoles.
The best info! Woow!!!! Thank you Wololo! Thank you Fail0verflow. By Jonny Brek. I will do a video on YouTube!
Syscon has functions with the BD as well, meaning possible remarry for those who have lost their drive boards.
Hello guys, this work is based on my contributions in 2016, only that some people supposedly close to me have denied all my work. The downgrade is possible! There are some hidden interests that did not want this to be known. I can confirm that the downgrade is possible up to version 4.55; higher versions may be in the future. I am happy that time has given me the reason.
https://www.psxhax.com/threads/playstation-4-glitch-pinout-ps4-slim-pro-downgrading-update.1398/page-4
Is it still possible for consoles shipped with the latest firmware?
Crazy how much work they put into security… just to prevent people from stealing knowledge… knowledge that is readily available everywhere… just to prevent people from installing what they want on their devices, that they bought with their hard-earned money… Makes me sad that no mainstream open device has broken through yet… well, except PC… This home console market will not last long… there is too much crippling going on… it kills the value of a device manyfold… any decently spec'ed PC with a USB controller such as the Logitech F510 has the same power if not more… Don't be fooled, I'm not for the PC lovers RACE… but I was thrown into this because my home console was too expensive for the feature set I had… years after its release it's not possible to install what you want on a device that costs half a grand… what a shame… in my opinion. Is it worth the time we spend trying to crack that??? We all say it's not for pirating and installing emulators… but we all *****g do it… just use a PC and stop wasting your time… maybe fail's primary goal is to prove to himself he is able to crack it… but then what… the same poor feature set… or crappy Russian groups that will resell the exploit to make their life better… lol
When will the downgrade be coming??