News Hack Console Sony

Fabbio!
Posted on 29/11/2011, 22:22

True Blue, alias Jailbreak 2 (running games that require firmware above 3.6x on 3.55)
Recently the PlayStation 3 hacking scene has picked up a bit, with the release of JFW-DH and above all with the release of a new dongle created by an unknown Indonesian team called Kado, which for the very first time allows launching titles that require firmware above 3.6x.

To clear things up about the dongle and to understand how the device works, our dear Giadej has decided to create a dedicated topic in the USB Dongles : Hardware Jailbreaks section, a topic dedicated to the True Blue that explains in detail how it works and much more.

Installation Guide
Warning: neither I nor the forum takes any responsibility for damage caused to the console...
Source: ps3-ita

KaKaRoTo and Firmware 3.73
KaKaRoTo, through his official Twitter account, has made public that a first FAQ has been put up on the PS3Wiki for anyone who wants more and more specific details on the announced Jailbreak for Firmware 3.73, which KaKaRoTo himself intends to release in the coming weeks.
Here is the FAQ:
Question: Will I need special hardware to perform the Jailbreak? (ed. note: USB dongle, flasher, etc.)
Answer: Absolutely not.

Q: Will homebrew work?
A: With the necessary patches to NPDRM, yes. Showtime will definitely work anyway.

Q: Will recent games work? (ed. note: meaning from the original disc!)
A: Yes, you'll be on FW 3.7x for all intents and purposes, so you'll be able to play every game that requires up to that firmware.

Q: Will this jailbreak include the Peek & Poke syscalls? (ed. note: needed to use backups!)
A: No.

Q: Will Backup Managers work?
A: No, for the reason given above (ed. note: the absence of Peek & Poke).

Q: Will this Jailbreak give us the 3.7x keys?
A: No.

Q: Will this Jailbreak lead us to a Custom/Modified Firmware?
A: No.

Q: Will this Jailbreak allow downgrading?
A: No.

Q: So why do all the news sites say otherwise?
A: Because they don't read the wiki and my blog xD Some have even described my Jailbreak with announcements like "CFW coming soon!". Completely wrong.

Q: Is there a set release date?
A: No, the only thing that's certain is that I won't be able to work for the next 2 weeks (because of a trip to Chile). It also depends on how long it takes to fix the NPDRM.

Finally, if you still want more explanations, you can refer to a clarifying article that KaKaRoTo himself left on his blog, which you can find at the following address: http://kakaroto.homelinux.net/2011/11/clar...3-73-jailbreak/
UPDATE: today the FAQ has been supplemented with new answers, which you'll find below:

Q: Will PSN work with this Jailbreak?
A: Since you'll be on 3.7x for all intents and purposes, yes, it will work perfectly.

Q: Will my old homebrew keep working?
A: No, all homebrew will require NPDRM patches. Those that require particular syscalls (for example Backup Managers) won't work at all.

Q: Will OtherOS++ work with this Jailbreak?
A: No, OtherOS++ requires modifications to the firmware to work, and since this will be neither a CFW nor an MFW, no firmware modifications will be possible.

Q: Will this Jailbreak work on all PS3 models?
A: Yes, on all those that exist today.

Q: Is there any risk of bricking with this Jailbreak?
A: Absolutely not (it will be tested thoroughly before being released, like everything KaKaRoTo puts his name on!).

Q: Will this Jailbreak only work on 3.73?
A: No, it has been tested on both 3.60 and 3.73 without problems.

Q: What happens if Sony releases a new Firmware 3.74/3.8x in the meantime?
A: In that case we'll try it on the new firmware too.

So we have confirmation that PSN will work, that it can be done on any PS3 (even the most recent ones!) and that they are fairly sure Sony can't fix it before its release.

Source: Ps3-ita

PS3 Root Key revealed, Custom Firmware release coming soon?
All it takes is a news item, a simple piece of news like so many others, to move entire communities and websites; since yesterday something has been circulating that could actually mean much more than mere words: it seems the root key has been revealed, the keystone for indefinite access to the beloved PlayStation 3.

What is the Root Key?
It is nothing other than the private key used by the manufacturer to protect and sign all the executable files on the console itself. Inside the PS3 there are in fact many keys of this kind; the most important is console_root_key_0, which is nothing other than the last bulwark protecting the console's firmware. To date this one has not yet been revealed; however, the rumors claim that its minutes are certainly numbered.
To understand the importance of the discovery, recall that for other consoles such as the Xbox or the Wii the corresponding keys have not been broken, even though a CFW can be installed on both devices; the only other one where it was possible to bypass Sony's security is the little Sony PSP, for which every new official firmware is joined by a modified one.

What could this discovery lead to?
Industry experts will remember that some time ago Geohot managed to produce a CFW for official firmware 3.55; the result was achieved thanks to the discovery of the public keys.
Subsequently, Sony rushed to remedy this and, with a simple firmware update, rendered what had been discovered unusable and, above all, did not allow those users to launch the games released in the following months.
With the discovery of the private keys, the manufacturer's hands are practically tied; it won't be able to solve the problem with just a software update.
The next developments should be the discovery of key 0, which will grant complete access to the console; after that, it will be possible to create a custom firmware for every new original one released by Sony and to install any homebrew.

How long will all this take?
Unfortunately it's not possible to know when, how, or if it will be released; the first step has been taken, and now it's up to good programmers to create CFWs to distribute, allowing every user who wishes to modify their own console. One thing is certain: Sony won't sit idle, and new developments will follow. Finally, praise is due to the security measures adopted: for 5 years they almost prevented any break-in.

KaKaRoTo's Jailbreak work leaked!
Here we go again: it really has to be said, once more a leak in the PS3 scene which, as always, brings chaos and quarrels among the various coders and end users. This time it's KaKaRoTo paying the price, with his already-announced Jailbreak: on Twitter the hacker made it known that he is very upset about the leak done to him by some "companions", among whom the name of the Frenchman Mathieulh initially appears, though it was immediately denied.

To be precise, it seems this leak went inexplicably unnoticed by the masses, but not by KaKaRoTo, who of course expressed all his regret and anger from his official Twitter account:
Now I'm pretty fucking pissed, it seems that my 3.73 jailbreak was leaked by someone, even though VERY FEW people knew what it was...now if Sony blocks it before the release, then too bad, I'm not the one getting fucked so I hope the leaker is happy about it. btw: fuck you...

As one can gather (even without knowing English), KaKaRoTo expresses all his anger about this leak and his regret that Sony will now most likely rush to fix the bug that allows the Jailbreak to run, even before the latter can be released.

But creating even more chaos and stir is the news (not yet certain, though!) that even Mathieulh is involved, as KaKaRoTo tells us in another venting tweet:
Considering all, my guess is that the leak came from @Mathieulh, but no proof yet, and I have yet to discuss it with him (no accusation yet)...

Now all we can do is wait for Mathieulh's reply (if there is one) and see how this story proceeds...

UPDATE: Mathieulh's reply came promptly; he of course declares that he has nothing to do with the whole affair, and indeed points out that if anyone has been a victim of leaks in the PS3 scene more than anyone else, it's him.
At the moment the two are sorting things out "privately" (MSN), since KaKaRoTo doesn't want to keep the quarrel public. We'll see whether they update us on the outcome of this talk.

UPDATE 2: the outcome of the private talk arrives almost immediately, with KaKaRoTo confirming that Mathieulh had nothing to do with the affair and announcing that he doesn't yet know how he intends to proceed from now on. Should we worry, or is it just post-leak demoralization? We'll see.

UPDATE 3: surprisingly, KaKaRoTo backtracks and announces that he was mistaken: there was no leak, so the work can go back to proceeding as if nothing had happened.

Note: as pointed out by luxor in the comments, KaKaRoTo hasn't told us where this leak was published, precisely to keep it as hidden as possible from prying eyes. So avoid asking where to find the leak, because we're not in a position to know (for now).

Source: ps3-ita

KaKaRoTo announces that the release of his Jailbreak depends on Mathieulh
Once again our "beloved" French hacker Mathieulh finds himself in the middle of the PS3 scene, however much he "apparently" always wants to stay out of it. KaKaRoTo has in fact announced through his official site that the Jailbreak also works on FW 4.00 (something we already knew from previous confirmations via Twitter), but that for a release we'll have to wait for Mathieulh, the only one in possession of an NPDRM algorithm able to launch homebrew on official FW, 4.00 included.

KaKaRoTo tells us that Mathieulh has no intention, for now, of sharing this discovery of his with him, so the Jailbreak cannot be released until either KaKaRoTo arrives "on his own" at the discovery Mathieulh made, or the latter decides to change his position and share his work.
The official reason for this decision of his comes down entirely to the insults he has received (and which, after this news, he will surely keep receiving...) from users worldwide. KaKaRoTo himself invites us to reflect on how wrong it is to insult these skilled hackers, because in the end, as is happening now, everything turns against the end user anyway. He also invites us to show more gratitude towards Mathieulh and his work. That way, maybe the Frenchman will change his mind.
This is KaKaRoTo's official announcement on his blog:

QUOTE
I tested the jailbreak on the latest firmware 4.0 since it was released and I can confirm that it still works. Mathieulh also confirmed that the NPDRM algo that he has still allows applications to run on 4.0, although he still doesn’t want to share that with us/me at the moment.
Mathieulh is still thinking about whether or not to share it, so I’m hopeful he’ll help us move forward with the release.

He has however received so many hate messages and so many flaming that he is completely disgusted with the scene and the way it treated him. He is so disgusted that he does not want to share or help anymore. He thinks that all those haters do not deserve to be given something that they are so ungrateful for, and I perfectly understand his position. Receiving all that hate towards me a while back also made me depressed to the point I stopped looking at the PS3 entirely.

Next time you want to insult a dev, thinking it’s “fun” or that he deserved it, think about it some more, you are poisoning the scene without even realizing it. We are all doing this for fun, the only reward we get is people’s gratitude, and all you do is hate and disrespect us, so why continue to do what we do?

For those who hate and insult : Mathieulh may not be acting the way you want him to, you may think he’s a jerk or hate him for teasing without releasing, but the simple fact remains that he has done more for the scene than you did, so you should just shut up and show him respect. When you have your little ‘hate fun’, you are actually contributing to the scene, but in the wrong way, you are killing it by killing the developer’s motivation.

For now, Mathieulh doesn’t want to share his work with me, and I’m not mad or disappointed at all at him, I am mad and disgusted at those who made him make that decision. So please, if you are just as mad as I am, do NOT make this an opportunity to hate even more on Mathieulh for not sharing, make this an opportunity to show gratitude where it’s due and educate those who are ungrateful on what their role is/was in this scene.

Update: again from their Twitter accounts, both Mathieulh and KaKaRoTo give us the happy news that this collaboration has finally gone through. The release of this Jailbreak is therefore getting ever closer!
Source: Ps3-ita

KaKaRoTo's Jailbreak
By now KaKaRoTo's Jailbreak has turned into a real soap opera: in today's episode we'll tell you how KaKaRoTo, again through his official Twitter account, responds to the accusations of those who see him as "lazy", justifying himself by saying that in the end what Mathieulh passed him was nothing new, nor even useful for his purpose.

In response to a tweet accusing him of having everything he needs to finish his Jailbreak and nevertheless not having released it yet, KaKaRoTo replies by announcing that in reality everything Mathieulh shared with him is useless for his purpose and, what's more, was all stuff already known and well documented.
Mathieulh himself, however, when called into question, says that on the contrary he shared everything with KaKaRoTo except the algorithm for launching NPDRM-signed homebrew on official FW above 3.56. And of course it was precisely this last thing that KaKaRoTo expected to receive.
How will the story evolve? All we can do is wait for the next episode!

Below are KaKaRoTo's various tweets (except the second from the top, which is Mathieulh's reply):
QUOTE
@Mathieulh shared a file with me (not npdrm algo), but he doesn't want to be involved with the ps3 anymore.

QUOTE
@KaKaRoToKS actually I did share the whole algo minus the part you need to run the npdrm on 3.56+ that's as far as I am willing to go.

QUOTE
@Mathieulh yeah, but like I told you, the "algo" you shared is already known and documented, the actual "npdrm algo" needed (the hash), you

QUOTE
@Mathieulh .. didn't share it.. so I consider that you "helped" but you didn't "share the npdrm algo" because that's a metaphor for the hash

QUOTE
@Mathieulh I just finished reading all your code yesterday, there's honestly nothing new in it (other than .sceversion) that we didn't know

QUOTE
@Mathieulh we had even already reversed some stuff that you still had marked as 'unknown' in your own code :P

QUOTE
@Mathieulh I still appreciate the code you sent (it still helps), but no offense, I don't consider it as the part we need or the npdrm algo

PS Vita already hacked
Not even a day passes from the launch of the PSV in Japan before developers start testing the console's strengths and vulnerabilities, discovering that... it is vulnerable to the same savegame exploits in the game Teck4, which already on the PSP presented various exploits in save files leading to buffer overflows (continued...)

The exploit that was found allowed unauthorized code to run on PSP firmware 6.31.
The access level obtained with this technique is only usermode, i.e. it does not allow the more delicate interactions that accompanied the PSP throughout its life (custom firmwares and the like); however, it can prove to be a starting point for further "maneuvers" in user mode, and thus for trying to better understand how the console works and its secrets.

This exploit, as Neur0n, the author of this discovery, concludes, only shows that the emulation/backwards compatibility of PSP games is excellent, not that hacking on the PS Vita has really begun.
It's nice anyway to see how the PSP's legacy can help developers find their way in this new challenge.

Here are Neur0n's words:

I read lots of articles around the world about this Hello World on Vita and I found so many “this is fake, right?”… No, this is not a fake. But you have to think this is an inevitable result because of emulation.

And you can find “Hello World for PSP Firmware 6.31 by Teck4” and say “Why 6.31?”

Teck4 has some savegame exploits. These were found when the PSP's latest firmware was 6.31. He tried to run his unsigned code without any modification... including the letters “6.31”.

That’s why “6.31” was displayed in his Hello World.

His exploit uses a buffer overflow of the system and, you know, what we call a “Usermode exploit”, so do not expect kernel hacking from it.

I know his exploit and I know he is not a faker. That’s real. But I think this shows us that emulation tech on Vita is brilliant, NOT “PS Vita is hackable!”

Debug firmware 3.74 and 4.00 leaked
In the last few hours the well-known ConsoleDev announced that the latest debug firmware, namely 3.74 and 4.00, have been uploaded to the SCEA developer and press site. The various debug firmware only work on Debug consoles and not on ordinary Retail ones.

Directly from the PressCenter.PlayStation.com site, dedicated to industry insiders and to authorized press, American and otherwise, the new debug firmware 3.74 and 4.00 have been published, along with informational material about them.
Debug firmware is intended only for developers who own a debug console; anyone who tries to install the firmware on a retail console will receive the following error at the initial check: The data type is not supported. (8002F029).

Below is a brief statement and the image of the site.

QUOTE
For those who own PS3 Debug / Test consoles or are simply into collecting PlayStation 3 file leaks, recently PS3 Debug / Test Firmware 3.74 surfaced alongside version 4.00 from Sony's North American Press Web site.

If you didn't know, the address to their Press site is http://PressCenter.PlayStation.com/ and Sony offers free access to all members of the press there using SCEA / SC3APR to login and obtain the latest press releases and related files.

Finally, keep in mind these PUP updates will currently NOT install on a retail PS3, and so they are intended for examination and comparison purposes only.

We have 100% confirmed that running this updater on a retail PS3 will not damage it, however, it will give the following error before the installation completes: The data type is not supported. (8002F029)

Special Thanks to ConsoleDev for the heads-up on the news tip!

Source: Ps3-ita

DeanK updates mmCM to version 4.00.00! Compatible with all CFWs
Just in the last few hours, the Cobra team, creator of the dongle of the same name, and DeanK, creator of the most famous homebrew for jailbroken PlayStation 3, multiMAN or mmCM, have released a new version. This new version, however, has an unexpected peculiarity: it will also be compatible with classic Custom Firmware!

For several months now multiMAN had not been updated by DeanK, its creator, since he had moved on to work with Team Cobra and had modified and adapted his famous backup manager to the group's dongle.
In the last few hours the announcement arrived on the most important sites of the underground scene of a new version compatible both with the USB dongle and with the various custom firmware in circulation; this version, 4.00.00, will introduce some very important new features.
Below is the full changelog released by DeanK.

QUOTE
Hello!

Added support for jpg/png covers for BD/DVD ISO files in "Coverflow" mode
Added PIC1.PNG/SND0.AT3 (background image and music) support to lastGAME and "PSP Launcher" for PSP ISO files
Improved performance when extracting CSO to ISO and when creating ISO files from folders
SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
Improved "Coverflow" display mode
Added preparations for experimental support for multi-disc PSX games in CUE+BIN or ISO format for up to 4 discs ("Required Cobra USB/FW update will be announced when PSX multidisc support is available")
mmCM 04.00.00 will work without CobraUSB dongle connected (See the 'Second Quote' below for more information).

New mmCM users will have to install mmCM 04.00.00 FULL version.

Cobra USB

Changelog (for users updating from multiMAN 02.09.02 to multiMAN/mmCM 04.00.00):

QUOTE
Added function "Create ISO from folder"
Support for *.0/.31, *.001/.032, *.66600/.66631 split file formats
Join split files in file manager (select and copy the first file to get the rest joined)
New display mode "XBDM" - XBOX Dash Clone
Added option "Detect Game Title in ISO Images" to allow using ISO filenames and *not* scan for game names in local database
Improved scanning for retro roms/iso and covers (populating the Retro column)
New THEME format (.thm). One theme - one file. Easy installation within multiMAN/mmCM without going to XMB to install theme pkg files.
mmTM - Easy to use PC application to create thm files from folders (separate download).
multiMAN/mmCM will try to read disc volume labels and display in VIDEO column (BD/DVD entry) and in other display modes.
Added indication (rotating refresh icon next to the column icon) when multiMAN/mmCM is loading/extracting title thumbnails (XMMB mode)
Added pop-up notifications when new versions of multiMAN/mmCM and Showtime are available for download
Added pop-up notification when running low on disc space (less than 1GB on internal HDD)
Added pop-up notification when multiMAN/mmCM successfully connects to nethost folders during startup (/net_host# in File Manager)
Added support for downloading themes in a background thread (pop-up messages will notify user when download starts and completes)
Added support for copying big (4+GB) files in File Manager to USB drives. multiMAN/mmCM will split source file when copying to USB.
Changed option "Link Video Library to Showtime" - it will only create links for XMB Video files, but will not start Showtime
Added shortcut (virtual folder) "XMB Video Files" when browsing HDD/USB drives in VIDEO column
Added "Showtime Font Preference" option to select 10 different fonts for SHOWTIME media player (GUI and Subtitles)
Added support to extract PSP CSO (compressed ISO) files in XMMB/XBDM display modes and File Manager (extracted image is saved in /dev_hdd0/PSPISO)
Added shortcut to ISO folder when browsing external USB devices (PSP connected with memory stick /ISO folder, containing CSO and ISO files)
Added music playback fade-out when leaving multiMAN/mmCM
Added download progress indication in XMMB/XBDM modes - Web column. An entry will show current download filename and percentage of completion.
Added TextViewer in File Manager (supported files colored in light blue). Supports viewing of ANSI/UTF plain text files.
TextViewer controls: L1/R1 - PageUp/PageDown, L2/R2 - zoom out/in (50%-250%), R3 - change font, UP/DOWN/LEFT/RIGHT - scroll/pan, L1/R1+SELECT - skip to start/end of file
Added support for browsing Video, Games, Favorites and Retro (ROMS/PS1/PS2/PSP) in "Coverflow" display mode. Change content mode with UP/DOWN.
Improved performance when extracting CSO to ISO and when creating ISO files from folders
SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
Improved "Coverflow" display mode

It will be possible to update directly from within multiMAN using the dedicated function, or by downloading and installing the .pkg.

KaKaRoTo takes stock of his Jailbreak and accuses Mathieulh
Directly on his official blog, KaKaRoTo finally returns to talk about his Jailbreak, by now given up for lost. In a very long message the hacker explains the current situation to us and takes the opportunity to also show how Mathieulh fooled him and made him lose at least 2 months of work.

In his long message KaKaRoTo focuses on 2 things: taking stock of the state of his work, and showing how Mathieulh is a liar who made him lose at least 2 months of work.

Regarding the first point, we're told that they are a group of about ten hackers working together, and that essentially all of their work can be divided into 3 parts.
The first part consists of hacking the PKGs so that they can be installed on official firmware. This part is 100% finished, tested and working.
The second part concerns running these homebrew once installed: and this is unfortunately the sorest point, where practically no progress has been made. The right NPDRM algorithm has to be discovered, the one that lets the PS3 launch homebrew as if they were official. The fundamental problem, KaKaRoTo tells us, is that to obtain the necessary hash one would have to be in possession of the famous (and damned) private key: and while for firmware below 3.56 it could easily be obtained, since Sony used a constant number in the algorithm instead of a random (randomly generated) one, from 3.60 onwards Sony strengthened security by making this famous number random. It is therefore practically impossible (KaKaRoTo's words) to work back to the private key through mathematical equations as was done in the past, and the situation is therefore pretty much at a standstill. A new exploit needs to be found that allows the problem to be bypassed, but nobody knows IF and WHEN such an exploit will actually be found.
Finally, the third part concerns a "surprise" that KaKaRoTo doesn't yet want to announce to us, but he specifies that it has nothing to do with backups, since his Jailbreak will be 100% free of any possible piracy. This third part is roughly 60-70% complete.

Having finished this summary of the state of the work, KaKaRoTo moves on to attack and accuse Mathieulh, showing how everything he said is pure fakery, and that because of these lies of his he lost over 2 months of work for nothing.

This, in plain words, is what the hacker wanted to tell us, but if you want to read the full extract of KaKaRoTo's message you can find it below:

QUOTE
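The "constant number instead of a random one" summarised above (and explained at length in KaKaRoTo's quoted status update further down) is ECDSA nonce reuse, and the arithmetic behind it is short enough to show in full. The block below is an added example written for this page, not KaKaRoTo's code and not anything from the PS3 firmware: a textbook ECDSA over the public secp256k1 curve (a stand-in, since the PS3's own curve parameters are not given on this page), a signer that reuses its nonce k, and the recovery step that turns two such signatures into the private key. The private key value, the fixed nonce and the message names are constructed for the demo; the defender's takeaway is in the last function, where a fresh nonce per signature leaves nothing to recover.

```python
"""ECDSA nonce reuse: same private key d, same nonce k, two messages -> d leaks.
Added example for this page; the key, nonce and messages are constructed."""
import hashlib
import secrets

# secp256k1 domain parameters (public, well known); used as a stand-in curve
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    """Modular inverse; pow() with exponent -1 needs Python 3.8+."""
    return pow(x, -1, m)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B (mod P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA with an explicit nonce k so the caller can (wrongly) reuse it.
    r = (k*G).x mod N,  s = k^-1 * (z + r*d) mod N"""
    z = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)


def verify(pub, msg, sig):
    """Standard ECDSA verification against the public point pub = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_to_int(msg), inv(s, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures sharing r (hence k):  s1 - s2 = k^-1 (z1 - z2)
    => k = (z1 - z2)/(s1 - s2),  then d = (s1*k - z1)/r.
    Returns None when r differs (distinct nonces) or s1 == s2 (formula undefined)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    z1, z2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (z1 - z2) * inv(s1 - s2, N) % N
    return (s1 * k - z1) * inv(r1, N) % N


D_DEMO = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed
MSGS = (b"homebrew-app-1.self", b"homebrew-app-2.self")                      # constructed


def demo_reused_nonce():
    """Sign both messages with the same k; returns (d, recovered d, sig1 ok, sig2 ok)."""
    pub = scalar_mult(D_DEMO, G)
    fixed_k = 4                         # the "same number every time" mistake
    sig1, sig2 = sign(D_DEMO, MSGS[0], fixed_k), sign(D_DEMO, MSGS[1], fixed_k)
    return (D_DEMO, recover_private_key(MSGS[0], sig1, MSGS[1], sig2),
            verify(pub, MSGS[0], sig1), verify(pub, MSGS[1], sig2))


def demo_fresh_nonces():
    """Same key, fresh random k per signature: r values differ, nothing to recover."""
    sig1 = sign(D_DEMO, MSGS[0], secrets.randbelow(N - 1) + 1)
    sig2 = sign(D_DEMO, MSGS[1], secrets.randbelow(N - 1) + 1)
    return recover_private_key(MSGS[0], sig1, MSGS[1], sig2)


if __name__ == "__main__":
    d, rec, ok1, ok2 = demo_reused_nonce()
    print("both signatures verify:", ok1 and ok2)
    print("private key recovered from reused nonce:", rec == d)
    print("recovered with fresh nonces:", demo_fresh_nonces())
```

Both signatures in the reused-nonce case are perfectly valid, which is the point: nothing in verification reveals the mistake, only the fact that two signatures share the same r. Randomizing k (or deriving it deterministically from the key and message, as RFC 6979 does) is what removes the leak, which is why the post's description of 3.60 as "impossible through mathematical equations as before" follows directly from the formula in recover_private_key.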
Here’s a “quick” status update on the 4.00 HEN (Homebrew ENabler) for PS3.

Following my clarifications from almost 2 months ago here, there has been a lot of progress. We have not been slacking off, we’re a group of about 10 developers working together for the last 2 months, for sometimes 15 hours every day in order to bring back homebrew support to the latest version of the PS3.

There are three major parts to the HEN, first, getting the packages to install on the PS3, that part is done, completed, tested, debugged, etc.. the second part is to get the apps to run, that one still has major issues… the last part is something I will not discuss for now (it’s a surprise) but it’s about 60% to 70% done (and it has nothing to do with peek&poke and has nothing to do with backup managers or anything like that. This is and will stay a piracy-free solution for the PS3).

Now, running apps is the biggest challenge that we’ve been working on for the past 2 months. As some of you know, if you’ve been following me on Twitter, we originally had hoped for Mathieulh to give us the “npdrm hash algorithm” that was necessary to run the apps, but he was reluctant, he kept doing his usual whore so people would kiss his feet (or something else) so he’d feel good about himself. But in the end, he said that he refuses to give us the needed “npdrm hash algorithm” to make it work… So what I initially thought would be “this will be released next week” ended up taking a lot more time than expected, and we’re still nowhere near ready to make it work.

Mathieulh kept tossing his usual “riddles” which he thinks are “very helpful for those who have a brain”, and which pisses off anyone who actually does… so he told us that the solution to all our problems was to look in appldr of the 3.56 firmware.. and that it was something lv1 was sending appldr which made the “hash check” verified or not… so we spent one month and a lot of sweat and after killing a few of our brain cells out of exhaustion, we finally concluded that it was all bullshit. After one month of reading assembly code and checking and double-checking our results, we finally were able to confirm that that hash algorithm was NOT in the 3.56 firmware like he told us (at all).

He said that it was an AES OMAC hash, but after tracking all the uses of the OMAC functions in appldr, we found that it was not used for the “hash”… he then said “oh, I meant HMAC“, so we do that again and again come up with the same conclusion, then we’re sure it’s not in appldr, and then he says “ah no, it’s in lv1“.. have a look for yourself to what he decided to write : ps3devwiki.com/index.php?title=Talk:KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4

That happened after the huge twitter fight I had with him for being his usual arrogant ass and claiming that he “shared” something (For your information, the code that he shared was not his own, I have proof of that too (can’t show you the proof because even if I don’t respect him, I gave him my word to not share what he gave me, and I respect my word) since he forgot to remove the name of the original developer from one of the files)... also it was completely useless and was not used at all, just made me waste a day reading the crappy undocumented code. So why is he still trying to force his “advice” through these riddles even after we had that fight? Well to sabotage us and make us lose all those months of hard work!

So anyways, we had all accepted that Mathieulh was full of shit (we knew before, but we gave him the benefit of the doubt) and decided to continue working without considering any of his useless riddles. So we then tried to exploit/decrypt the 3.60+ firmware in order to get the algorithm from there.

Now, a few more weeks later, we finally have succeeded in fully understanding that missing piece from the “npdrm hash algorithm”, and here it is for everyone’s pleasure with some prerequisite explanation :

A game on the PS3 is an executable file in a format called a “SELF” file (kind of like .exe on windows), those “self” files are cryptographically signed and encrypted.. For PSN games (games that do not run from a bluray disc), they need to have an additional security layer called “NPDRM”. So a “npdrm self” is basically an executable that is encrypted and signed, then re-encrypted again with some additional information. On 3.55 and lower, we were able to encrypt and sign our own self files so they would look like original (made by sony) “npdrm self” files, and the PS3 would run them without problem. However, it wasn’t really like an original file.. a real NPDRM self file had some additional information that the PS3 simply ignored, it did not check for that information, so we could put anything in it, and it worked. Since the 3.60 version, the PS3 now also validates this additional information, so it can now differentiate between NPDRM self files created by sony and the ones that we create ourselves for homebrew. That’s the “npdrm hash algorithm” that we have been trying to figure out, because once we can duplicate that information in the proper manner, then the PS3 will again think that those files are authentic and will let us play them.

Another important point to explain, I said a few times that the files are “signed”.. this means that there is an “ECDSA signature” in the file which the PS3 can verify. The ECDSA signature is something that allows the PS3 to verify if the file has been modified or not.. it is easy to validate the signature, but impossible to create one without having access to the “private keys” (think of it like a real signature, you can see your dad’s signature and recognize it, but you can’t sign it exactly like him, and you can recognize if your brother tried to forge his signature). So how were we able to sign the self files that were properly authenticated on 3.55? That’s because this “ECDSA signature” is just a very complicated mathematical equation (my head still hurts trying to fully understand it, but I might blog about it in the future and try to explain it in simple terms if people are interested), and one very important part of this mathematical equation is that you need to use a random number to generate the signature, but Sony had failed and used the same number every time.. by doing that, it was easy to just find the private key (which allows us to forge perfectly the signature) by doing some mathematical equation on it. So to summarize, a “signed file” is a file which is digitally signed with an “ECDSA signature” that cannot be forged, unless you have the “private key” for it, which is impossible to obtain usually, but we were able to obtain it because Sony failed in implementing it properly.

Now, back on topic.. so what is this missing “npdrm hash algorithm” that we need? well it turns out that the “npdrm self” has a second signature, so it’s an “encrypted and signed self file” with an additional layer of security (the NPDRM layer) which re-encrypts it and re-signs it again. That second signature was not verified in 3.55 and is now verified since the 3.60 version of the PS3 firmware.

One important thing to note is that Sony did NOT make the same mistake with this signature, they always used a random number, so it is technically impossible to figure out the private key for it. To be more exact, this is the exact same case as the .pkg packages you install on the PS3, you need to patch the firmware (making it cfw) so that those .pkg files can be installed, and that’s because the .pkg files are signed with an ECDSA signature for which no one was able to get the private key. That’s why we call them “pseudo-retail packages” or “unsigned packages”.

The signature on the NPDRM self file uses the exact same ECDSA curve and the same key as the one used in PS3 .pkg files, so no one has (or could have) the private key for it. What this means is that, even though we finally figured out the missing piece and we now know how the NPDRM self is built, we simply cannot duplicate it.

The reason we wasted 2 months on this is because Mathieulh lied by saying that he can do it.. remember when the 4.0 was out and I said “I can confirm that my method still works” then he also confirmed that his “npdrm hash algorithm” still works too? well he didn’t do anything to confirm, he just lied about it because there is no way that he could have verified it because he doesn’t have the private key.

I said I will provide proof of the lies that Mathieulh gave us, so here they are: he said it’s in 3.56, that was a lie, he said it’s an AES OMAC, that was a lie, he said it’s an HMAC, that was a lie, he said it’s in appldr, that was a lie, he said it’s in lv1, that was a lie, he said that he can do it, that was a lie, he said that “it takes one hour to figure it out if you have a brain”, that was a lie, he said that he verified it to work on 4.0, that was a lie, he said that he had the algorithm/keys, that was a lie, he said that once we know the algorithm used, we can reproduce it, that was a lie, he kept referring to it as “the hash”, that was wrong. The proof? It’s an ECDSA signature, it’s not a hash (two very different terms for different things), it was verified by vsh.self, it was not in lv2, or lv1, or appldr, and the private key is inaccessible, so there is no way he could build his own npdrm self files. Now you know the real reason why he refused to “share” what he had.. it’s because he didn’t have it…

So why do all this? was it because his arrogance didn’t allow him to admit not knowing something? or was it because he wanted to make us lose all this time? To me, it looks like pure sabotage, it was misleading information to steer us away from the real part of the code that holds the solution…. That is of course, if we are kind enough to assume that he knew what/where it was in the first place. In the end, he wasn’t smart enough to only lie about things that we could not verify.. now we know (we always knew, but now we have proof to back it) that he’s a liar, and I do not think that anyone will believe his lies anymore.

...

Enough talking about liars and drama queens, back to the 4.0 HEN solution… so what next? well, we now know that we can’t sign the file, so we can’t run our apps on 3.60+ (it can work on 3.56 though). What we will do is look for a different way, a completely new exploit that would allow the files we install to actually run on the PS3. We will also be looking for possible “signature collisions” and for that we will need the help of the community, hopefully there is a collision (same random number used twice) which will allow us to calculate the private key, and if that happens, then we can move forward with a release.

When will the “jailbreak” be released? If I knew, I’d tell you, but I don’t know.. I would have said last November, then December, then before Christmas, then before New Year, etc… but as you can see, it’s impossible to predict what we will find.. we might get lucky and have it ready in a couple of days, or we may not and it will not be ready for another couple of months.. so all you need to do is: BE PATIENT (and please stop asking me about an estimated release date)!

I would like to thank the team who helped on this task for all this time and who never got discouraged, and I’d like to thank an anonymous contributor who recently joined us and who was instrumental in figuring it all out. We all believe that freedom starts with knowledge, and that knowledge should be open and available to all, that is why we are sharing this information with the world. We got the confirmation (by finding the public key used and verifying the signatures) yesterday and since sharing this information will not help Sony in any way to block our efforts in a future release, we have decided to share it with you. We believe in transparency, we believe in openness, we believe in a free world, and we want you to be part of it.

If you want to know more about this ECDSA signature algorithm, read this interesting paper that explains it in detail, and you can also watch Team Fail0verflow’s youtube.com/watch?v=5E0DkoQjCmI that first explained Sony’s mistake in their implementation, which made custom firmwares possible.

Thanks for reading,

KaKaRoTo

Source: ps3-ita

Install Package Files appears on firmware 4.00 too

Hi guys, just when hopes for a future jailbreak/CFW were starting to be abandoned, here comes the news from a few hours ago that a hacker has managed to make the much-loved "Install Package Files" function appear among the XMB icons.

Unfortunately for us poor end users none of this is of any use yet, since unsigned packages still cannot be installed or run. Moreover, the hacker lets us know that hardware allowing "dual boot" (which is not really true dual boot) such as an E3 Flasher, Progskeet or Teensy is needed. As proof of all this he has also released a video, which you can find below.

These are his words:


QUOTE
Note: This modification does not allow the installation / usage of unsigned content / PS3 homebrew etc. This is purely a convenience hack and is aimed for use by those who have hardware flashers which allow dual boot.

After technodon's work creating a modified kiosk dev_flash which lets you install retail signed package files, the restrictions of having to use kiosk firmware inspired me to find a way to add "Install Package Files" for retail firmware.

This hack does the following things:

adds "★ Install Package Files" and "★ /app_home/PS3_GAME/" to "GAME" on the XMB (allowing the user to install retail package files anytime they want)
adds other debug functions which are small but still there
does not give access to "★ Debug Setting" (reasons for this are explained below)

Installation instructions:

This installation procedure is similar to technodon's original dev_flash hdd swap procedure

For this you will need two hard drives and an e3 flasher or similar device to downgrade your PS3 (assuming that you're on firmware 4.00 and you have an e3 flasher)

downgrade to 3.55 using the downgrade tools from e3 (of course when downgrading to 3.55 make sure you use a different hdd than the hdd which you were using on 4.00)
once booted back into the xmb, turn off the console
swap hard drives, turn on the system, press the PS button and you will be asked to reinstall the firmware
place the pup file from the e3 downgrade tools in the normal PS3/UPDATE usb folder and follow the on-screen instructions to reinstall the firmware
then install dev_blind.pkg & Blackb0x FTP from install packages
run dev_blind then BlackB0x and FTP into the console
go to /dev_blind, delete everything and replace it with the customised dev_flash
press the ps button and the console should reboot and ask to reinstall the firmware again, switch off the console and swap the hard drive back
turn on the console, press the ps button twice
the console should boot back into 3.55 Rogero
go to system update and install 4.00 OFW
once installed turn the console off again, swap hard drives back and you should boot into a modified 4.00 retail firmware.

My package (downloadable at Link Removed) includes:

My modded dev_flash
OFW 4.00 PS3UPDAT.PUP



Sorry about the camera quality, it's the best I can manage.

P.S. BTW the "nas_plugin.sprx" in this dev_flash has not been altered to achieve "Install Package Files". Also for those who will analyze my modded dev_flash, you will find that I have used debug .sprx files from a debug 4.00 pup.

P.P.S. I originally intended to get "★ Debug Settings" to work with this. But usage of "debug settings" required the ps3 to use a debug vsh.self, and that crashes the ps3 when trying to load applications (I did some other things as well to prevent the PS3 from giving me a RSOD when I swapped the vsh.self files, I'm not detailing it in public because I don't want Sony to patch it).

Source: ps3-ita

Has PS3Dev found a possible exploit on firmware 4.0?
Overnight a curious and rather interesting piece of news appeared on the major underground portals linked to the PlayStation 3 scene. According to statements by a certain PS3Dev, already known for creating several homebrew apps, he has apparently managed to find a new exploit on the latest official firmware, 4.0.

The dev states that after careful analysis and numerous tests carried out on his console he has managed to find a small bug that could be used to create new exploits for our beloved console.
Unlike other developers who in the past claimed to have discovered miraculous bugs to exploit and then, out of fear of Sony or for other reasons, backed down, PS3Dev has decided to share the whole discovery with his "colleagues" so that someone can create something concrete.
For now it is not much, but perhaps it opens a window for the rebirth of the PlayStation 3 hack scene, which has been stagnant for many months.
Here is what PS3Dev stated.

QUOTE
So the lv2ldr verifies and decrypts the lv2_kernel.self. we can get the address of this happening. inside Parameters Layout there are arguments, they are used as commands basically to load a function you want to use. they start in the lv2 @ 0x3E800 (seems to be the same for other ldrs) at that address. There is an argument that is called lv2_in and lv2_out (we have known about these) basically we can use lv2_in to map out the address and lv2_out to map out the address for where the lv2ldr decrypts the self file. We can make a program like readself basically and get the offset, u8* means read one byte from the address. use that and we can actually get the exact offset where it all happens. once we have the location grabbing this decrypted self should be the easy task. Like I said some info we had and some we did not know about can be obtained like this and used to get keys.
exploiting 4.00 with this method would work most likely because I doubt sony changed all the locations where the loaders do their thing, sure they're encapsulated in the bootloader but they still pass over into the ram at one point before being fed over to the metldr which loads ldrs and if all that is still happening then Sony didn't change anything

Source: ps3-ita


Edited by nerotto - 25/1/2012, 20:25
 
Fabbio!
Posted on 10/12/2011, 15:54

News updated
 
Aler2090
Posted on 14/12/2011, 15:44

New news:
By now KaKaRoTo's Jailbreak has turned into a real soap opera: in today's episode we report on how KaKaRoTo, again via his official Twitter account, responds to the accusations of those who see him as "lazy", justifying himself by saying that in the end what Mathieulh passed him was nothing new, let alone useful for his purpose.

In reply to a tweet accusing him of already having everything needed to finish his Jailbreak and yet not having released it, KaKaRoTo responds by announcing that in reality everything Mathieulh shared with him is useless for his purpose and, on the contrary, was all already known and well documented.
Mathieulh himself, however, called into question, says that on the contrary he shared everything with KaKaRoTo except the algorithm to run NPDRM-signed homebrew on official firmware above 3.56. And of course it was precisely this last thing that KaKaRoTo expected to receive.
How will the story evolve? All we can do is wait for the next episode!

Below are KaKaRoTo's tweets (except the second from the top, which is Mathieulh's reply):
QUOTE
@Mathieulh shared a file with me (not npdrm algo), but he doesn't want to be involved with the ps3 anymore.

QUOTE
@KaKaRoToKS actually I did share the whole algo minus the part you need to run the npdrm on 3.56+ that's as far as I am willing to go.

QUOTE
@Mathieulh yeah, but like I told you, the "algo" you shared is already known and documented, the actual "npdrm algo" needed (the hash), you

QUOTE
@Mathieulh .. didn't share it.. so I consider that you "helped" but you didn't "share the npdrm algo" because that's a metaphor for the hash

QUOTE
@Mathieulh I just finished reading all your code yesterday, there's honestly nothing new in it (other than .sceversion) that we didn't know

QUOTE
@Mathieulh we had even already reversed some stuff that you still had marked as 'unknown' in your own code :P

QUOTE
@Mathieulh I still appreciate the code you sent (it still helps), but no offense, I don't consider it as the part we need or the npdrm algo
 
¬Kuroi•
Posted on 14/12/2011, 15:47

Added Aler's news to the first post
 
utente bomber
Posted on 18/12/2011, 12:27

PS Vita already hacked
Not even a day has passed since the PSV launch in Japan and developers have begun testing the console's strengths and vulnerabilities, discovering that... it is vulnerable to the same savegame exploits in the Teck4 game, which already on PSP had various exploits in its save files leading to buffer overflows (continued...)


The exploit found made it possible to run unauthorized code on PSP firmware 6.31.
The access level with this technique is only Usermode, i.e. it does not allow more delicate interactions like those that accompanied the PSP throughout its life (custom firmwares and the like); however it may prove to be a starting point for further "manoeuvres" in User-Mode and thus for trying to better understand how the console works and its secrets.

This exploit, as Neur0n, the author of this discovery, concludes, only shows that the emulation/backward compatibility of PSP games is excellent, not that PS Vita hacking has really begun.
It is nice anyway to see how the PSP's legacy can help developers find their way in this new challenge.

Here are Neur0n's words:

I read lots of articles around the world about this Hello World on Vita and I found so many “this is fake, right?”… No, this is not a fake. But you have to think this is an inevitable result because of emulation.

And you can find “Hello World for PSP Firmware 6.31 by Teck4″ and say “Why 6.31?”

Teck4 has some savegame exploits. These were found when the PSP's latest firmware was 6.31. He tried to run his unsigned code without any modification.. including the letters “6.31”

That’s why “6.31″ was displayed in his Hello World.

His exploit uses a buffer overflow of the system and is, you know, what we call a “Usermode exploit”, so do not expect kernel hacking from it.

I know his exploit and I know he is not a faker. That’s real. But I think this shows us that emulation tech on vita is brilliant, NOT “PS Vita is hackable!”
 
¬Kuroi•
Posted on 18/12/2011, 12:35

Thanks for the news!
Added to the first post!
 
Fabbio!
Posted on 16/1/2012, 18:10

Debug firmware 3.74 and 4.00 leaked

In the last few hours the well-known ConsoleDev announced that the latest debug firmware, 3.74 and 4.00, have been uploaded to SCEA's developer and press site. The various debug firmware only work on Debug consoles and not on ordinary Retail ones.

Directly from the PressCenter.PlayStation.com site, dedicated to industry insiders and to authorized press, American and otherwise, the new debug firmware 3.74 and 4.00 have been published along with informational material about them.
Debug firmware are intended only for developers who own a debug console; anyone who tries to install the firmware on a retail console will receive the following error at the initial check: The data type is not supported. (8002F029).

Below is a brief statement and the image of the site.

QUOTE
For those who own PS3 Debug / Test consoles or are simply into collecting PlayStation 3 file leaks, recently PS3 Debug / Test Firmware 3.74 surfaced alongside version 4.00 from Sony's North American Press Web site.

If you didn't know, the address to their Press site is http://PressCenter.PlayStation.com/ and Sony offers free access to all members of the press there using SCEA / SC3APR to login and obtain the latest press releases and related files.

Finally, keep in mind these PUP updates will currently NOT install on a retail PS3, and so they are intended for examination and comparison purposes only.

We have 100% confirmed that running this updater on a retail PS3 will not damage it, however, it will give the following error before the installation completes: The data type is not supported. (8002F029)

Special Thanks to ConsoleDev for the heads-up on the news tip!

Source: Ps3-ita
 
¬Kuroi•
Posted on 16/1/2012, 18:29

Thanks for the news!
Added to the first post!
 
Fabbio!
Posted on 17/1/2012, 19:16

DeanK updates mmCM to version 4.00.00! Compatible with all CFWs
In the last few hours Team Cobra, creator of the dongle of the same name, and DeanK, creator of the most famous homebrew for jailbroken PlayStation 3, MultiMan or mmCM, have released a new version. This new version, however, has an unexpected peculiarity: it will also be compatible with classic Custom Firmware!

For several months now MultiMan had no longer been updated by DeanK, its creator, since he had moved on to work with Team Cobra and had modified and adapted his famous backup manager to the group's dongle.
In the last few hours the announcement arrived on the most important sites of the underground scene of a new version compatible with both the USB dongle and the various custom firmware in circulation; this version, 4.00.00, will introduce very important new features.
Below is the full changelog released by DeanK.


QUOTE
Hello!

Added support for jpg/png covers for BD/DVD ISO files in "Coverflow" mode
Added PIC1.PNG/SND0.AT3 (background image and music) support to lastGAME and "PSP Launcher" for PSP ISO files
Improved performance when extracting CSO to ISO and when creating ISO files from folders
SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
Improved "Coverflow" display mode
Added preparations for experimental support for multi-disc PSX games in CUE+BIN or ISO format for up to 4 discs ("Required Cobra USB/FW update will be announced when PSX multidisc support is available")
mmCM 04.00.00 will work without CobraUSB dongle connected (See the 'Second Quote' below for more information).

New mmCM users will have to install mmCM 04.00.00 FULL version.

Cobra USB

Changelog (for users updating from multiMAN 02.09.02 to multiMAN/mmCM 04.00.00):

QUOTE
Added function "Create ISO from folder"
Support for *.0/.31, *.001/.032, *.66600/.66631 split file formats
Join split files in file manager (select and copy the first file to get the rest joined)
New display mode "XBDM" - XBOX Dash Clone
Added option "Detect Game Title in ISO Images" to allow using ISO filenames and *not* scan for game names in local database
Improved scanning for retro roms/iso and covers (populating the Retro column)
New THEME format (.thm). One theme - one file. Easy installation within multiMAN/mmCM without going to XMB to install theme pkg files.
mmTM - Easy to use PC application to create thm files from folders (separate download).
multiMAN/mmCM will try to read disc volume labels and display in VIDEO column (BD/DVD entry) and in other display modes.
Added indication (rotating refresh icon next to the column icon) when multiMAN/mmCM is loading/extracting title thumbnails (XMMB mode)
Added pop-up notifications when new versions of multiMAN/mmCM and Showtime are available for download
Added pop-up notification when running low on disc space (less than 1GB on internal HDD)
Added pop-up notification when multiMAN/mmCM successfully connects to nethost folders during startup (/net_host# in File Manager)
Added support for downloading themes in a background thread (pop-up messages will notify user when download starts and completes)
Added support for copying big (4+GB) files in File Manager to USB drives. multiMAN/mmCM will split source file when copying to USB.
Changed option "Link Video Library to Showtime" - it will only create links for XMB Video files, but will not start Showtime
Added shortcut (virtual folder) "XMB Video Files" when browsing HDD/USB drives in VIDEO column
Added "Showtime Font Preference" option to select 10 different fonts for SHOWTIME media player (GUI and Subtitles)
Added support to extract PSP CSO (compressed ISO) files in XMMB/XBDM display modes and File Manager (extracted image is saved in /dev_hdd0/PSPISO)
Added shortcut to ISO folder when browsing external USB devices (PSP connected with memory stick /ISO folder, containing CSO and ISO files)
Added music playback fade-out when leaving multiMAN/mmCM
Added download progress indication in XMMB/XBDM modes - Web column. An entry will show current download filename and percentage of completion.
Added TextViewer in File Manager (supported files colored in light blue). Supports viewing of ANSI/UTF plain text files.
TextViewer controls: L1/R1 - PageUp/PageDown, L2/R2 - zoom out/in (50%-250%), R3 - change font, UP/DOWN/LEFT/RIGHT - scroll/pan, L1/R1+SELECT - skip to start/end of file
Added support for browsing Video, Games, Favorites and Retro (ROMS/PS1/PS2/PSP) in "Coverflow" display mode. Change content mode with UP/DOWN.
Improved performance when extracting CSO to ISO and when creating ISO files from folders
SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
Improved "Coverflow" display mode

It will be possible to update directly through MultiMan from the dedicated function or by downloading and installing the .pkg.
 
¬Kuroi•
Posted on 17/1/2012, 20:01

Thanks for the news!
Added to the first post!
 
Fabbio!
Posted on 19/1/2012, 17:22

KaKaRoTo takes stock of his Jailbreak and accuses Mathieulh

Directly on his official blog, KaKaRoTo finally returns to talk about his Jailbreak, by now given up for lost. In a very long message the hacker explains the current situation to us and takes the opportunity to also show how Mathieulh fooled him and made him lose at least 2 months of work.

In his long message KaKaRoTo focuses on 2 things: taking stock of the state of his work and showing how Mathieulh is a liar who made him lose at least 2 months of work.

As for the first point, we are told that they are a group of about ten hackers working together and that essentially all their work can be divided into 3 parts.
The first part consists of hacking the PKGs so that they can be installed on official Firmware. And this part is 100% finished, tested and working.
The second part instead concerns running these Homebrew once installed: and this is unfortunately the sorest point, where practically no progress has been made. In fact the right NPDRM algorithm that lets the PS3 run homebrew as if it were official must be discovered. The substantial problem, KaKaRoTo tells us, lies in the fact that to obtain the necessary hash one would need to possess the famous (and damned) private key: and while for Firmware below 3.56 it could be obtained easily since Sony used a constant number in the algorithm instead of a random (randomly generated) one, from 3.60 onwards Sony strengthened security by making this famous number random. It is therefore practically impossible (KaKaRoTo's words) to derive the private key through mathematical equations as was done in the past, and the situation is therefore more or less at a standstill. A new exploit that allows the problem to be worked around needs to be found, but nobody knows IF and WHEN this exploit will really be found.
Finally, the third part concerns a "surprise" that KaKaRoTo does not yet want to announce to us, but he specifies that it has nothing to do with backups since his Jailbreak will be 100% free of possible piracy. And this third part is about 60-70% complete.

Having finished this summary of the state of the work, KaKaRoTo moves on to attack and accuse Mathieulh, showing how everything he said is purely bogus and that because of these lies he made him lose over 2 months of work for nothing.

This, in a nutshell, is what the hacker wanted to tell us, but if you want to read the full extract of KaKaRoTo's message you can find it below:

QUOTE
Here’s a “quick” status update on the 4.00 HEN (Homebrew ENabler) for PS3.

Following my clarifications from almost 2 months ago here, there has been a lot of progress. We have not been slacking off, we’re a group of about 10 developers working together for the last 2 months, for sometimes 15 hours everyday in order to bring back homebrew support to the latest version of the PS3.

There are three major parts to the HEN, first, getting the packages to install on the PS3, that part is done, completed, tested, debugged, etc.. the second part is to get the apps to run, that one still has major issues… the last part is something I will not discuss for now (it’s a surprise) but it’s about 60% to 70% done (and it has nothing to do with peek&poke and has nothing to do with backup managers or anything like that. This is and will stay a piracy-free solution for the PS3).

Now, running apps is the biggest challenge that we’ve been working on for the past 2 months. As some of you know, if you’ve been following me on Twitter, we originally had hoped for Mathieulh to give us the “npdrm hash algorithm” that was necessary to run the apps, but he was reluctant, he kept doing his usual whore so people would kiss his feet (or something else) so he’d feel good about himself. But in the end, he said that he refuses to give us the needed “npdrm hash algorithm” to make it work… So what I initially thought would be “this will be released next week” ended up taking a lot more time than expected, and we’re still nowhere near ready to make it work.

Mathieulh kept tossing his usual “riddles” which he thinks are “very helpful for those who have a brain”, and which pisses off anyone who actually does… so he told us that the solution to all our problems was to look in appldr of the 3.56 firmware.. and that it was something lv1 was sending appldr which made the “hash check” verified or not… so we spent one month and a lot of sweat and after killing a few of our brain cells out of exhaustion, we finally concluded that it was all bullshit. After one month of reading assembly code and checking and double-checking our results, we finally were able to confirm that that hash algorithm was NOT in the 3.56 firmware like he told us (at all).

He said that it was an AES OMAC hash, but after tracking all the uses of the OMAC functions in appldr, we found that it was not used for the “hash”… he then said “oh, I meant HMAC”, so we do that again and again come up with the same conclusion, then we’re sure it’s not in appldr, and then he says “ah no, it’s in lv1”.. have a look for yourself to what he decided to write : ps3devwiki.com/index.php?title=Talk:KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4

That happened after the huge twitter fight I had with him for being his usual arrogant ass and claiming that he “shared” something (For your information, the code that he shared was not his own, I have proof of that too (can’t show you the proof because even if I don’t respect him, I gave him my word to not share what he gave me, and I respect my word) since he forgot to remove the name of the original developer from one of the files… also it was completely useless and was not used at all, just made me waste a day reading the crappy undocumented code. So why is he still trying to force his “advice” through these riddles even after we had that fight? Well to sabotage us and make us lose all those months of hard work!

So anyways, we had all accepted that Mathieulh was full of shit (we knew before, but we gave him the benefit of the doubt) and decided to continue working without considering any of his useless riddles. So we then tried to exploit/decrypt the 3.60+ firmware in order to get the algorithm from there.

Now, a few more weeks later, we finally have succeeded in fully understanding that missing piece from the “npdrm hash algorithm”, and here it is for everyone’s pleasure with some prerequisite explanation :

A game on the PS3 is an executable file in a format called a “SELF” file (kind of like .exe on windows), those “self” files are cryptographically signed and encrypted.. For PSN games (games that do not run from a bluray disc), they need to have an additional security layer called “NPDRM”. So a “npdrm self” is basically an executable that is encrypted and signed, then re-encrypted again with some additional information. On 3.55 and lower, we were able to encrypt and sign our own self files so they would look like original (made by sony) “npdrm self” files, and the PS3 would run them without problem. However, it wasn’t really like an original file.. a real NPDRM self file had some additional information that the PS3 simply ignored, it did not check for that information, so we could put anything in it, and it worked. Since the 3.60 version, the PS3 now also validates this additional information, so it can now differentiate between NPDRM self files created by sony and the ones that we create ourselves for homebrew. That’s the “npdrm hash algorithm” that we have been trying to figure out, because once we can duplicate that information in the proper manner, then the PS3 will again think that those files are authentic and will let us play them.

Another important point to explain, I said a few times that the files are “signed”.. this means that there is an “ECDSA signature” in the file which the PS3 can verify. The ECDSA signature is something that allows the PS3 to verify if the file has been modified or not.. it is easy to validate the signature, but impossible to create one without having access to the “private keys” (think of it like a real signature, you can see your dad’s signature and recognize it, but you can’t sign it exactly like him, and you can recognize if your brother tried to forge his signature). So how were we able to sign the self files that were properly authenticated on 3.55? That’s because this “ECDSA signature” is just a very complicated mathematical equation (my head still hurts trying to fully understand it, but I might blog about it in the future and try to explain it in simple terms if people are interested), and one very important part of this mathematical equation is that you need to use a random number to generate the signature, but Sony had failed and used the same number every time.. by doing that, it was easy to just find the private key (which allows us to forge perfectly the signature) by doing some mathematical equation on it. So to summarize, a “signed file” is a file which is digitally signed with an “ECDSA signature” that cannot be forged, unless you have the “private key” for it, which is impossible to obtain usually, but we were able to obtain it because Sony failed in implementing it properly.

Now, back on topic.. so what is this missing “npdrm hash algorithm” that we need? well it turns out that the “npdrm self” has a second signature, so it’s an “encrypted and signed self file” with an additional layer of security (the NPDRM layer) which re-encrypts it and re-signs it again. That second signature was not verified in 3.55 and is now verified since the 3.60 version of the PS3 firmware.

One important thing to note is that Sony did NOT make the same mistake with this signature, they always used a random number, so it is technically impossible to figure out the private key for it. To be more exact, this is the exact same case as the .pkg packages you install on the PS3, you need to patch the firmware (making it cfw) so that those .pkg files can be installed, and that’s because the .pkg files are signed with an ECDSA signature for which no one was able to get the private key. That’s why we call them “pseudo-retail packages” or “unsigned packages”.

The signature on the NPDRM self file uses the exact same ECDSA curve and the same key as the one used in PS3 .pkg files, so no one has (or could have) the private key for it. What this means is that, even though we finally figured out the missing piece and we now know how the NPDRM self is built, we simply cannot duplicate it.

The reason we wasted 2 months on this is because Mathieulh lied by saying that he can do it.. remember when the 4.0 was out and I said “I can confirm that my method still works” then he also confirmed that his “npdrm hash algorithm” still works too? well he didn’t do anything to confirm, he just lied about it because there is no way that he could have verified it because he doesn’t have the private key.

I said I will provide proof of the lies that Mathieulh gave us, so here they are : he said it’s in 3.56, that was a lie, he said it’s an AES OMAC, that was a lie, he said it’s an HMAC, that was a lie, he said it’s in appldr, that was a lie, he said it’s in lv1, that was a lie, he said that he can do it, that was a lie, he said that “it takes one hour to figure it out if you have a brain”, that was a lie, he said that he verified it to work on 4.0, that was a lie, he said that he had the algorithm/keys, that was a lie, he said that once we know the algorithm used, we can reproduce it, that was a lie, he kept referring to it as “the hash”, that was wrong. The proof? It’s an ECDSA signature, it’s not a hash (two very different terms for different things), it was verified by vsh.self, it was not in lv2, or lv1, or appldr, and the private key is inaccessible, so there is no way he could build his own npdrm self files. Now you know the real reason why he refused to “share” what he had.. it’s because he didn’t have it…

So why do all this? was it because his arrogance didn’t allow him to admit not knowing something? or was it because he wanted to make us lose all this time? To me, it looks like pure sabotage, it was misleading information to steer us away from the real part of the code that holds the solution…. That is of course, if we are kind enough to assume that he knew what/where it was in the first place. In the end, he wasn’t smart enough to only lie about things that we could not verify.. now we know (we always knew, but now we have proof to back it) that he’s a liar, and I do not think that anyone will believe his lies anymore.

...

Enough talking about liars and drama queens, back to the 4.0 HEN solution… so what next? well, we now know that we can’t sign the file, so we can’t run our apps on 3.60+ (it can work on 3.56 though). What we will do is look for a different way, a completely new exploit that would allow the files we install to actually run on the PS3. We will also be looking for possible “signature collisions” and for that we will need the help of the community, hopefully there is a collision (same random number used twice) which will allow us to calculate the private key, and if that happens, then we can move forward with a release.

When will the “jailbreak” be released? If I knew, I’d tell you, but I don’t know.. I would have said last November, then December, then before Christmas, then before New Year, etc… but as you can see, it’s impossible to predict what we will find.. we might get lucky and have it ready in a couple of days, or we may not and it will not be ready for another couple of months.. so all you need to do is : BE PATIENT (and please stop asking me about an estimated release date)!

I would like to thank the team who helped on this task for all this time and who never got discouraged, and I’d like to thank an anonymous contributor who recently joined us and who was instrumental in figuring it all out. We all believe that freedom starts with knowledge, and that knowledge should be open and available to all, that is why we are sharing this information with the world. We got the confirmation (by finding the public key used and verifying the signatures) yesterday and since sharing this information will not help Sony in any way to block our efforts in a future release, we have decided to share it with you. We believe in transparency, we believe in openness, we believe in a free world, and we want you to be part of it.

If you want to know more about this ECDSA signature algorithm, read this interesting paper that explains it in detail, and you can also watch Team Fail0verflow’s youtube.com/watch?v=5E0DkoQjCmI that first explained Sony’s mistake in their implementation, which made custom firmwares possible.

Thanks for reading,

KaKaRoTo

Source: ps3-ita
 
¬Kuroi•
Posted on 20/1/2012, 16:10

Thanks for the news!
Added to the first post!


The post is yours, you can also update it yourself! :ops:
 
Fabbio!
Posted on 23/1/2012, 10:53

Install Package Files appears on firmware 4.00 too

Hi guys, just when people are starting to give up hope for a future jailbreak/CFW, here comes the news from a few hours ago that a hacker has managed to make the much-loved "Install Package Files" function appear among the XMB icons.

Unfortunately for us poor end users, none of this is of any use yet, since unsigned packages still cannot be installed or run. Moreover, the hacker tells us that hardware allowing "dual boot" (which isn't really dual boot) is needed, such as an E3 Flasher, Progskeet or Teensy. As proof of all this he has also released a video, which you can find below.

Here are his words:


QUOTE
Note: This modification does not allow the installation / usage of unsigned content / PS3 homebrew etc. This is purely a convenience hack and is aimed for use by those who have hardware flashers which allow dual boot.

After technodon's work creating a modified kiosk dev_flash which lets you install retail signed package files. The restrictions of having to use kiosk firmware inspired me to find a way to add "Install Package Files" for retail firmware.

This hack does the following things:

adds "★ Install Package Files" and "★ /app_home/PS3_GAME/" to "GAME" on the XMB (allowing the user to install retail package files anytime they want)
adds other debug functions which are small but still there
does not give access to "★ Debug Setting" (reasons for this are explained below)

Installation instructions:

This installation procedure is similar to technodon's original dev_flash hdd swap procedure

For this you will need two hard drives, an e3 flasher or similar device to downgrade your PS3 (assuming that you're on firmware 4.00 and you have an e3 flasher)

downgrade to 3.55 using the downgrade tools from e3 (Of course when downgrading to 3.55 make sure you use a different hdd than the hdd which you were using 4.00)
once booted back into the xmb turn off the console
swap hard drives turn on the system, press the PS button and you will be asked to reinstall the firmware
place the pup file from the e3 downgrade tools in the normal PS3/UPDATE usb folder and follow the on-screen instructions to reinstall the firmware
then install dev_blind.pkg & Blackb0x FTP from install packages
run dev_blind then BlackB0x and FTP into the console
go to /dev_blind, delete everything and replace them with the customised dev_flash
press the ps button and the console should reboot and ask to reinstall the firmware again, switch off the console and swap the hard drive back
turn on the console press the ps button twice
the console should boot back into 3.55 Rogero
go to system update and install 4.00 OFW
once installed turn the console off again and swap hard drives back and you should boot into a modified 4.00 retail firmware.

My package (downloadable at Link Rimosso) includes:

My modded dev_flash
OFW 4.00 PS3UPDAT.PUP



Sorry about the camera quality, it's the best I can manage.

P.S. BTW the "nas_plugin.sprx" in this dev_flash has not been altered to achieve "Install Package Files". Also for those who will analyze my modded dev_flash, you will find that I have used debug .sprx files from a debug 4.00 pup.

P.P.S. I originally intended to get "★ Debug Settings" to work with this. But usage of "debug settings" required the ps3 to use a debug vsh.self, and that crashes the ps3 when trying to load applications (I did some other things as well to prevent the PS3 from giving me an RSOD when I swapped the vsh.self files, I'm not detailing it in public because I don't want Sony to patch it).

Source: ps3-ita

 
¬Kuroi•
Posted on 23/1/2012, 14:06

Thanks for the news!
Added to the first post!
 
Fabbio!
Posted on 25/1/2012, 19:37

Has PS3Dev found a possible exploit on firmware 4.0?
Overnight a curious and rather interesting piece of news appeared on the major underground portals linked to the PlayStation 3 scene. According to what a certain PS3Dev has stated, already known for creating several homebrews, he has managed to find a new exploit on the latest official firmware, 4.0.

The dev states that after careful analysis and numerous tests on his console he has managed to find a small bug that could be used to create new exploits for our beloved console.
Unlike other developers who in the past claimed to have discovered miraculous bugs to exploit and then, out of fear of Sony or for other reasons, backed off, PS3Dev has decided to share the discovery with his "colleagues" so that someone can create something concrete.
For now it isn't much, but maybe it opens a window for the rebirth of the PlayStation 3 hack scene, which has been stagnant for many months.
Here is what PS3Dev stated.

QUOTE
So the lv2ldr verifies and decrypts the lv2_kernal.self. we can get the address of this happening. inside Parameters Layout there are arguments, they are used as commands basically to load a function you want to use. they start in the lv2 @ 0x3E800(seems to be same for other ldrs) that address. There is an argument that is called lv2_in and lv2_out (we have known about these) basically we can use lv2_in to map out the address and lv2_out to map out the address for where the lv2ldr decrypts the self file. We can make a program like readself basically and get the offset, u8* means read one byte from the address. use that and we can actually get the exact offset where it all happens at. once we have the location grabbing this decrypted self should be the easy task. Like I said some info we had and some we did not know about can be obtained like this and used to get keys.
exploiting 4.00 with this method would work most likely because I doubt sony changed all the locations where the loaders do their thing, sure they're encapsulated in the bootloader but they still pass over into the ram at one point before being fed over to the metldr which loads ldrs and if all that is still happening then Sony didn't change anything

Source: ps3-ita
 
16 replies since 29/11/2011, 22:22   1639 views