PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Developer @zecoxao has released something he has been working to obtain for 10 years: the SYSCON firmware key, which is now public. First, some misconceptions need clearing up, as this is not going to lead directly to a CFW on non-CFW PS3s any time soon. As the dev stated on Twitter: "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else". When @kozarovv followed up with a question about the 3k models here, the developer responded "don't expect miracles, is all i'm saying". @DeViL303 then asked "So what can we do with this as of now, what is possible with just this key alone and current knowledge?", and @zecoxao provided the explanation seen in this post (and reproduced below). So this is a great feat, but it is still being investigated and will need to be explored in the weeks to come to fully understand what can be uncovered.

[Image: SYSCON_GEN1.JPG]

  • i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've accomplished my goal. the rest will follow naturally.
    - https://twitter.com/notzecoxao/status/1168954036541935616

    What can developers do with this key?
    So what can we do with this as of now, what is possible with just this key alone and current knowledge? Custom fan speed profiles? Multiple boot sequences depending on flags or something, or does everything need more work?

    via @zecoxao: With this key the following has happened:


    14 syscon firmwares for the BGA models (CXR) were decrypted.
    From them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation, were found. We can now sign our own patches and FWs for the following models:

    • TMU-510
    • COK-001
    • COK-002
    • SEM-001
    • DIA-001
    • DIA-002 or DEB-001 (same soft id)

    Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
    We also found 7 extra keys (we still don't know what they do)
    Finally, we found out there is a secret keyslot function that generates keys for
    • SNVS
    • AUTH1/AUTH2
    • Regions of EEPROM
    • PATCH keys xoring (to generate the final keys)
    • Relationship with the other 7 Keys

    What still has to be done:
    • Hack the 78K0R chips (the TSOP ones found in later models)
    • Dump the firmware of those chips
    • Get the DYN-001 patch keys
    • Find an exploit on arm firmware that works in 78k0r firmware

    Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!


Release Source: twitter.com/notzecoxao
Discussion: psx-place.com

Thanks to @NathanHale for the news alert
https://www.sendspace.com/file/5d5mq4
DECR Backup ROM, used for emergency syscon rom updates. Dumped by M4j0r

Edit: CC @sandungas @3141card @kozarovv
The first thing that caught my attention: at 0x173F0 there is a table with the Platform IDs
https://www.psdevwiki.com/ps3/Platform_ID
https://www.psdevwiki.com/ps3/Talk:Platform_ID

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000173F0  FF FF FF FF 00 00 00 00 00 6E 77 6F 6E 6B 6E 75  ÿÿÿÿ.....nwonknu
00017400  10 00 00 00 00 00 00 00 00 00 30 2E 31 72 68 53  ..........0.1rhS
00017410  11 00 00 00 00 00 00 00 00 00 31 2E 31 72 68 53  ..........1.1rhS
00017420  12 00 00 00 00 00 00 00 00 00 32 2E 31 72 68 53  ..........2.1rhS
00017430  13 00 00 00 00 00 00 00 00 00 44 34 2D 72 68 53  ..........D4-rhS
00017440  14 00 00 00 00 00 00 00 00 00 33 2E 31 72 68 53  ..........3.1rhS
00017450  15 00 00 00 00 00 00 00 00 00 43 4C 2D 72 68 53  ..........CL-rhS
00017460  16 00 00 00 00 00 00 00 00 00 34 2E 31 72 68 53  ..........4.1rhS
00017470  17 00 00 00 00 00 00 00 00 00 35 2E 31 72 68 53  ..........5.1rhS
00017480  20 00 00 00 00 00 00 00 00 00 30 2E 32 72 68 53   .........0.2rhS
00017490  21 00 00 00 00 00 00 00 00 00 31 2E 32 72 68 53  !.........1.2rhS
000174A0  22 00 00 00 00 00 00 00 00 00 32 2E 32 72 68 53  ".........2.2rhS
000174B0  23 00 00 00 00 00 00 00 00 00 33 2E 32 72 68 53  #.........3.2rhS
000174C0  10 00 00 10 00 00 00 00 00 00 00 31 30 6B 6F 43  ...........10koC
000174D0  10 00 00 20 00 00 00 00 00 00 30 2E 31 74 79 43  ... ......0.1tyC
000174E0  11 00 00 20 00 00 00 00 00 00 31 2E 31 74 79 43  ... ......1.1tyC
000174F0  12 00 00 20 00 00 00 00 00 00 32 2E 31 74 79 43  ... ......2.1tyC
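As an added example (not code from the thread or from any of the posters), here is a small Python parser for the HxD-style dump above that reconstructs the raw bytes and decodes each 16-byte Platform ID entry. It assumes, since the thread does not say so, that each entry is stored byte-reversed (which is why the names read backwards in the ASCII column) and that the first four bytes of the original entry are a little-endian ID.

```python
import re
import struct

# Constructed sample input: four rows copied from the dump at 0x173F0 above.
PLATFORM_DUMP = """\
000173F0  FF FF FF FF 00 00 00 00 00 6E 77 6F 6E 6B 6E 75  ÿÿÿÿ.....nwonknu
00017400  10 00 00 00 00 00 00 00 00 00 30 2E 31 72 68 53  ..........0.1rhS
00017410  11 00 00 00 00 00 00 00 00 00 31 2E 31 72 68 53  ..........1.1rhS
000174C0  10 00 00 10 00 00 00 00 00 00 00 31 30 6B 6F 43  ...........10koC
"""

# One HxD-style row: 8 hex digits of offset, then 16 hex byte pairs. The ASCII
# column at the end is ignored because it is lossy (non-printables show as '.').
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2})")


def parse_hexdump(text):
    """Return a list of (offset, 16 raw bytes) for every row that matches."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return rows


def decode_platform_entry(raw):
    """Decode one 16-byte table entry into (id, name).

    Assumption (not stated in the thread): the entry is stored byte-reversed,
    so reversing it yields the NUL-padded ASCII name first. The ID is read
    from the first four bytes of the original entry as a little-endian u32.
    """
    if len(raw) != 16:
        raise ValueError("platform entry must be 16 bytes")
    name = raw[::-1].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    ident = struct.unpack("<I", raw[:4])[0]
    return ident, name


def platform_table(text):
    """Parse a dump and return [(offset, id, name), ...] for each row."""
    return [(off,) + decode_platform_entry(raw) for off, raw in parse_hexdump(text)]


if __name__ == "__main__":
    for off, ident, name in platform_table(PLATFORM_DUMP):
        print(f"{off:08X}  id=0x{ident:08X}  {name}")
```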
 
Hi guys, I need help.
I've been following this topic for a long time.
You have found the AUTH1 and AUTH2 keys.
Will I get ERRLOG or other diagnostics commands via the SYSCON hardware UART?
It is necessary for YLOD diagnostics of COK-002 and SEM-001 boards.
Thanks!
 
You have found the AUTH1 AUTH2 keys.
These keys are per-console; the keys used to derive them are known but not the full algorithm - still w.i.p. The CELL<->SC algorithm is known though.

The AUTH1 function is at 0x26E8 and AUTH2 at 0x283E in the latest DECR syscon firmware; they are used by the UART command scopen, which combines them (0xE120).

You can't unlock all commands using AUTH1/AUTH2, some need a patched firmware.

Will I get ERRLOG OR OTHER DIAGNOSTICS COMMANDS VIA SYSCON HARDWARE UART ?
Yes, after using AUTH1/AUTH2.
 
the keys which are used to derive these keys are known but not the full algorithm
What is the algorithm?

The AUTH1 and AUTH2 keys are 128 bytes long, for example:

C:FD:AUTH1 0000802000000000003000309C0EDB3FE603EDB98A38DDC09400A2AB2DDE8CAB0AECFE951FF7E2E8D8A7CF2202719F812F36DE83B424C27063C274CB0000E46B

SYSCON returned error E:5D:NG E00000C0 ( Maybe BAD AUTH1 KEY )
How can I generate the AUTH1/AUTH2 keys from per-console data (I dumped them from NAND memory) using the algorithm? (Using the AUTH1/2 functions is very difficult.)
I just checked around a quarter of the file in a hex editor, just to see how much of it is "human readable", and there is a lot of stuff related to fan control and thermals; there are even a couple of examples of how the command/syscall works.

I had doubts, but after taking a look at that I'm even more convinced that there is a table with the temperatures and speeds; its codename is actually "fantbl", and the service seems to be named "fancon".

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0000BEE0  2D 20 46 61 6E 20 54 61 62 6C 65 20 73 65 74 2F  - Fan Table set/
0000BEF0  67 65 74 20 63 6F 6D 6D 61 6E 64 0A 00 00 00 00  get command.....
0000BF00  20 55 73 61 67 65 3A 20 66 61 6E 74 62 6C 20 73   Usage: fantbl s
0000BF10  65 74 20 66 61 6E 63 6F 6E 4E 6F 20 70 4E 6F 20  et fanconNo pNo 
0000BF20  74 65 6D 70 44 20 74 65 6D 70 55 20 64 75 74 79  tempD tempU duty
0000BF30  0A 00 00 00 20 20 20 20 65 78 2E 20 66 61 6E 74  ....    ex. fant
0000BF40  62 6C 20 73 65 74 20 30 20 70 31 20 30 78 31 34  bl set 0 p1 0x14
0000BF50  30 30 20 30 78 31 45 34 30 20 30 78 43 30 0A 00  00 0x1E40 0xC0..
0000BF60  20 20 20 20 65 78 2E 20 66 61 6E 74 62 6C 20 73      ex. fantbl s
0000BF70  65 74 20 30 20 70 31 20 32 30 2E 30 20 33 30 2E  et 0 p1 20.0 30.
0000BF80  32 35 20 37 35 0A 00 00 20 55 73 61 67 65 3A 20  25 75... Usage: 
0000BF90  66 61 6E 74 62 6C 20 67 65 74 20 66 61 6E 63 6F  fantbl get fanco
0000BFA0  6E 4E 6F 0A 00 00 00 00 20 20 20 20 65 78 2E 20  nNo.....    ex. 
0000BFB0  66 61 6E 74 62 6C 20 67 65 74 20 31 0A 00 00 00  fantbl get 1....
Question: You know the way we can repack an OFW PUP without changing anything and it will install on OFW 4.85, like HFW for example? Well, now we can create a syscon pkg that will pass OFW checks too, right? (only for phats)

So does this mean we can pack an OFW PUP with a modified syscon that will install on an OFW phat PS3?
Question: You know the way we can repack an OFW PUP without changing anything and it will install on OFW 4.85, like HFW for example? Well, now we can create a syscon pkg that will pass OFW checks too, right? (only for phats)

So does this mean we can pack an OFW PUP with a modified syscon that will install on an OFW phat PS3?

We can install something that can dump the rom, so similarly we can install something that can flash it :)