PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Developer @zecoxao has recently released something the dev has been working on obtaining for 10 years: the SYSCON Firmware Key is now public. First off, we must clear up some misconceptions, as this is not going to directly lead to a CFW on non-CFW PS3s anytime soon. As the dev stated on twitter: "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else". When @kozarovv followed up with a question about 3k models, the developer responded: "don't expect miracles, is all i'm saying". @DeViL303 then asked: "So what can we do with this as of now, what is possible with just this key alone and current knowledge?", and @zecoxao provided the explanation seen below. So this is a great feat, but it is still being investigated and will need to be explored in the weeks to come to fully understand what can be uncovered.


  • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've accomplished my goal. the rest will follow naturally.
    - https://twitter.com/notzecoxao/status/1168954036541935616

    What can developers do with this key?
    So what can we do with this as of now, what is possible with just this key alone and current knowledge? Custom fan speed profiles? Multiple boot sequences depending on flags or something, or does everything need more work?

    via @zecoxao: With this key the following has happened:

    14 syscon firmwares for the BGA models (CXR) were decrypted.
    From them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation, were found. We can now sign our own patches and FWs for the following models:

    • TMU-510
    • COK-001
    • COK-002
    • SEM-001
    • DIA-001
    • DIA-002 or DEB-001 (same soft id)

    Additionally, we found the initialization key for eid1 as well as the process of initializing it from factory.
    We also found 7 extra keys (we still don't know what they do).
    Finally, we found out there is a secret keyslot function that generates keys for:
    • SNVS
    • AUTH1/AUTH2
    • Regions of EEPROM
    • PATCH keys xoring (to generate the final keys)
    • Relationship with the other 7 Keys

    What still has to be done:
    • Hack the 78K0R chips (the TSOP ones found in later models)
    • Dump the firmware of those chips
    • Get the DYN-001 patch keys
    • Find an exploit on arm firmware that works in 78k0r firmware

    Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!


Release Source: twitter.com/notzecoxao
Discussion: psx-place.com

Thanks to @NathanHale for the news alert
 
It was under the mat ;)
They took the key from under the mat, made an imprint of the key shape by pushing it into chewing gum, then left the key under the mat again so as not to trigger the alarms, and finally they escaped in stealth mode.

It's the classic secret agent haxoring technique :D
 
I would like to know if CFW is possible on the super slim 4000 series?

No.

Front paged and wrote news. Merged original discussion thread and news. All posts after this are after the news went on the mainpage. (Mentioning that as the news itself has mentions and links within this thread.)
 
My colleague sent a CFW to test on my super slim 4000 series. I installed the CFW on the super slim and now it turns on and then off. How do I get my super slim to run again?
 
Devs had been working on this for more than 10 years and only one guy has got it. May this be the beginning of CFW so that I could load Linux on my PS3 :-p
 
Thanks for the info @zecoxao.

So this means we can create these syscon pkgs properly so they are accepted on OFW, BUT only on phat PS3s with the current key?



If that is the case, I wonder if we can use some kind of directory traversal attack on files inside the pkg, so that there are a few extra files in there that get installed to dev_flash? Maybe it might be possible to have the HEN files built into the HFW PUP using some kind of trick like this?

I know HEN is not much use on phats, but it would still be interesting if something like the above hack was possible.
 
That is correct. ONLY for BGA models :)
 
That's great. I notice that the syscon firmware installs last in the update process, at least via FSM logs it does. So as it installs last, do you think there is any chance of abusing the syscon FW pkg so that it installs files to dev_flash?
 
So only those we know how to fully dump with extra hardware. We need to find a way to fully dump the TSOP ones to go further on slim and superslim. Right?

The problem with the slim and superslim models is that the eeprom is internal. We cannot dump the patch key for DYN like we could dump the ones for COK/SEM/DIA, because with those we have access to the eeprom, and with the TMU the sys update process happens immediately after the first blob is sent, so we found the key for those fairly easily (as well as the other ones for the BGA patch cipher and hasher).
 