[Question] - PS4 CFW Rebug & key LV0

samet2012

Dear @Joonie and everyone,

I would like to know whether the Rebug developers are still working on a CFW PUP, or whether SAMU needs to be decrypted first? Or maybe something like an 'Encryption Keys LV0' release?

Everyone has said that many times on other sites.

The PS3 was released in 2006, and CFW was released 5 years later, in 2011. The original CFW was released by geohot.
The PS4 was released in 2013, and a kernel exploit (without CFW) was released 1 year later, in 2014. The kexploit was released by fail0verflow.
It's been 5 years. CFW still hasn't been released.
 
I'm not sure what your question is.

True CFW you can find *only* on the PS3. We don't have any "true CFW" on any other Sony console because we don't have, and probably will never get, the private keys (at least until the era of quantum modules). CFW (sort of) on other platforms like the PSP or PSV is achievable by a chain of vulnerabilities which wise heads found and used. Is it possible also on PS4? Who knows; we can assume: yes. Will we ever see it? No one knows. For now we have exploited some older versions with a web entry point (like HENkaku without Enso, quite a good start TBH ;)).

Just wait. Very long and very patiently. ;)
 
Indeed, you are right. Everyone knows CFW will be released in a couple of years in the future. :)
 

The PSP is one of the best handhelds with CFW.
 
@KILLER_SEVEN The first time I came into contact with the definition of CFW was on the PSP. But... the PS3 "fair dice roll" redefined it. :) For me (which means this is my personal opinion), we can talk about CFW only when we have full control over the update package (which also means full control over all the contents inside). And we have this only on PS3 *.pup packages. Not on PSP *.pbp update packages, and not on PS4 and PSV pup packages. AFAIK.

That's why I used the phrase "true CFW". What does this mean to the end user? Absolutely nothing important, because in the end the user gets everything on his "semi CFW" that he would on a "true" one on PS3. It matters only for some scene enthusiasts like me. ;) Anyone else will stick to the CFW term for scene achievements on PSP, PS3 and even PSV.
 
Well, geohot cracked the keys and made his own jailbreak, but then came 3.55 kmeaw, because the keys were out in the open, which was the first CFW to allow backups. Geohot's CFW only allowed homebrew.
 

You are right, I know what you mean. The CFW on PSP is only a combination of some 1.50 modules (needed for homebrew) + some custom modules (like recovery, UMD emu and PS1 emu files) and modules from newer OFWs.
 
The only thing we need to install CFW on newer PS3 consoles is the private key, to sign the files like Sony does?

But it's not easy to crack these keys.

I think a hardware mod is easier to do than finding the private keys.
 
Oh, not only. Read about IPL/Kirk.

It is not possible. There is nothing to crack, just missing keys which can no longer be calculated, as the ECDSA implementation was fixed and the old keys which could be changed were changed. We would need a bruteforce environment on PC, but with current hardware the universe will end sooner than we bruteforce even a single key. ;) The only hope is quantum (well, far future) or optical (much further future) CPUs/GPUs. But... sooner we will get a good emulator (RPCS3?) which can patch several parts of the system on the fly / intentionally not emulate them correctly, or just other exploits which give the same functionality as CFW. Time will tell, and I always paste a quote in such situations, from one of my favourite games, Overlord: "Because evil always finds a way...". :D

You think wrong. Hardware modchips ended with the cryptographic ecosystems in consoles (or you have in mind something like the RSX glitcher or RGH). Anyway. It's not easier or harder, it's a different way, and in the current state nothing is known about any hardware vulnerabilities which could help with anything in PS3 or PS4 hacking. ;]
 
Is this private key in the NOR of the PS3?

And could that key not be in Sony's own applications? Example: YouTube, Crackle. To make the comparison and see if the application is official from Sony?

EMLTRD2
 
It doesn't work that way.
Private keys are never included in files, otherwise it would be too easy to hack.
Modern encryption like ECDSA relies on a pair of keys, one public & one private.
The private key is used by s#ny to encrypt the files & the public key is used by the console to validate that the files were not tampered with & decrypt.

In theory it would be possible to 'calculate' the private key; however, it would require much computing power, years of calculations for a distributed job on a small network of modern PCs. Quantum CPUs could do the job of course, but currently only experimental quantum CPUs exist in very few labs around the planet.
Those experimental CPUs, which need to be kept extremely close to absolute zero (-273C) to function, already produce amazing results, but they are a work in progress & obviously not accessible to anyone. In the future one might be able to rent quantum calculation time & things may change, but for now ECDSA still rules.
 
And how did George Hotz get that key? Could he not do the same thing?
Technically I don't think geohot was the first to get the keys TBH, but anyway the pre-3.55 keys were found because s#ny made a huge mistake in their ECDSA implementation.
The 'random' number used for key creation turned out not to be random at all; it was always the same, i.e. a constant = 4. Consequently the private ECDSA key could be "calculated".
I doubt they will ever make that mistake again.

Anyway, think about it: if it were possible to generate the private keys like it was done pre-3.55, we would never have needed to create ps3xploit & we would have had CFW on late slim & superslim consoles for years.
 
IIRC, geohot got the key via the USB ports; the ports had more privileges than they should have, so they were an easy target. :-P Sony really isn't the brightest bunch. ;)
 
Hmmm.. I don't think he dumped any keys. If I am not mistaken, what he did was dump lv0/lv1/lv2, as he got RW hypervisor-level access to the entire system memory.
He also dumped metldr & other loaders after decryption by the isolated SPU.
 
Yes, I remember him dumping content from the isolated SPU. I believe that was via the USB ports. The reason I think it was a key is that he dumped the content a few characters at a time. I'm assuming it was a key.

Also, I once read an interview with geohot who claimed that the PS3 was actually hacked in 5 weeks, not several years. It wasn't even being worked on for much of that time.
 
There are many keys. He could have dumped a key like the eid_root_key, for instance, as he controlled lv1, but the principle behind ECDSA private keys is that they don't get distributed. In any case, the pre-3.55 PS3 private keys were not dumped; they were simply calculated thanks to s#ny's blunder of using a constant instead of a "cryptographically sound" random number in the elliptic curve equation.
When you try to bruteforce ECDSA, you have to solve an equation with 2 unknown variables, the random number & the private key. That equation takes years to solve; however, if you have the random number, there is only one unknown left in the equation & it can be solved quickly & easily.
Since 3.56, s#ny uses a proper random number; that's why post-3.55 keys cannot be obtained!

And in terms of hardware, he relied on interrupts to exploit a memory leak. The idea was to halt the system after a system routine was called but before that routine wrote a certain value to RAM. A hardware interrupt is one of the very few ways to halt code execution.
To simulate a hardware interrupt cheaply & easily, he just set up a system that could ground the control lines over which the value to write to RAM gets transferred, just after calling the function.
His setup kept repeating this action again & again, until the grounding happened at exactly the right time. The system recognised the grounding as a legitimate hardware interrupt & halted execution, leaving the system in a vulnerable state.
 
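The "two unknowns, one equation" point made in the post above (and the public/private key split described a few posts earlier) is easiest to see in working code. The block below is an added example, not code from this thread or from any console firmware: it implements textbook ECDSA over secp256k1 (a public, well-known curve chosen here only because its parameters are standard; the thread does not say which curve the PS3 used), signs two different messages with the same fixed nonce k = 4, and then solves for k and the private key d from the two signatures alone. The private key value, the message strings and the curve choice are all constructed for the demo. The defensive takeaway is what the post says: per-signature randomness (or RFC 6979 deterministic nonces) is what keeps the private key private, and verification only ever needs the public key.

```python
"""Added example: why a constant ECDSA nonce (k) leaks the private key.

Textbook ECDSA on secp256k1, implemented from scratch so it runs offline.
Curve constants are the public secp256k1 domain parameters; everything
else (private key, messages, nonce) is constructed for this demo.
"""
import hashlib

# secp256k1 domain parameters (public constants, not PS3 values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    """Modular inverse (Python 3.8+); raises ValueError if none exists."""
    return pow(x, -1, m)


def add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def hash_msg(msg: bytes) -> int:
    """Message hash reduced into the scalar field (z in the ECDSA equations)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signature (r, s) = (x(kG) mod N, k^-1 (z + r*d) mod N)."""
    z = hash_msg(msg)
    r = mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)


def verify(Q, msg, sig):
    """Verification needs only the public key Q = d*G, never d itself."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_msg(msg), inv(s, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures that share k share r; then k and d both fall out.

    s1 - s2 = k^-1 (z1 - z2)   =>  k = (z1 - z2) / (s1 - s2)
    s1 = k^-1 (z1 + r*d)       =>  d = (s1*k - z1) / r
    """
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: nonces differ, nothing to recover")
    z1, z2 = hash_msg(msg1), hash_msg(msg2)
    if (s1 - s2) % N == 0:
        raise ValueError("identical messages: s1 == s2, k is not exposed")
    k = (z1 - z2) * inv(s1 - s2, N) % N
    d = (s1 * k - z1) * inv(r1, N) % N
    return k, d


def demo():
    """Constructed scenario: one signer, fixed nonce, two signed payloads."""
    d = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed
    Q = mul(d, G)
    k = 4                                            # the constant from the thread
    m1, m2 = b"constructed-payload-A", b"constructed-payload-B"
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)
    k_rec, d_rec = recover_private_key(m1, sig1, m2, sig2)
    return {"d": d, "Q": Q, "sig1": sig1, "sig2": sig2,
            "recovered_k": k_rec, "recovered_d": d_rec,
            "sig1_valid": verify(Q, m1, sig1), "sig2_valid": verify(Q, m2, sig2)}


if __name__ == "__main__":
    out = demo()
    print("recovered private key matches:", out["recovered_d"] == out["d"])
```

Note the two guard clauses in `recover_private_key`: if the r values differ the nonces were different and the algebra does not apply, and if both messages hash to the same z the subtraction cancels and k stays hidden. With a random (or RFC 6979 deterministic, message-dependent) nonce, every signature gets a fresh r and the "one equation, two unknowns" situation the post describes is all a verifier ever sees.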
AFAIK, ECDSA uses a carrier (I think that's the term for it) to randomize keys. I don't really know how that works though, considering the system would have to know the new random key. Also, I'm pretty sure the key discovered was a public key. ;)
 
Yes, sure, he would have got the ECDSA public keys that way. Those keys are located in the loaders that he decrypted & dumped; the loaders need them to validate/decrypt files.
It's only private keys that cannot be dumped.. ;)
 