Old 11-18-2012   #1
svenmullet
How Public/Private key cryptography works (for dummies)

Since I see this question all the time, I thought I'd do the forum a favor and explain why 4.X CFW can't be installed on OFW higher than 3.55. (at the moment)

The PS3 uses a sophisticated security measure called ECDSA (Elliptic Curve Digital Signature Algorithm). I won't go into that here, but suffice it to say, there are certain things the PS3 will not do unless the Private key is used to sign with. Installing system software is one of those things.

Thanks to the Lv0 key leak, we can decrypt Lv0 and reverse it in IDA to derive the loader keys, etc., and in turn decrypt the loaders and derive other keys further down the line, allowing us to completely decrypt any firmware and modify it. However, when re-signing/repacking the files, the highest FW version for which we have Private keys is 3.55, so we must use those to encrypt/sign/package the PUP for installation. OFW higher than 3.55 looks at the PUP and says "Nope, signed with 3.55 private keys, which are revoked. Error and quit".

The reason we have <=3.55 private keys is because of an incorrect implementation of ECDSA; Sony used a static value in the algorithm instead of random, which makes it trivial to derive the private key from the public key. They fixed the error and secured the console properly in 3.56+. The public keys we can get from 3.56+ work to decrypt files, but we cannot re-sign files with public keys; therefore, we can't (currently) make a PUP that will install on OFW 3.56+.

To give you an idea of what the difference is between Private and Public keys: Suppose you have a Private key 0x12345678, you can derive a Public key from that by performing an algorithm on it, for instance:

-Reverse bytes to 0x21436587
-Rotate left: 0x14365872
-XOR with an arbitrary value, (eg. 0x11111111) =0x5274963

0x5274963 is the Public key. This is what you give to people so they can decrypt your files. After all, they don't know the super-secret algorithm, so they can't easily derive the Private key. When checking the signature, you do the above steps in reverse:

-0x5274963 XOR 0x11111111 = 0x14365872
-Rotate right: 0x21436587
-Reverse bytes to 0x12345678 and voila! The Public key is valid!

That was a very basic, simple implementation of how a Private/Public key works. ECDSA is uncrackable because it is impossible to derive the Private key from the Public key using math; the only known way to break the security on it is brute force, which when dealing with 160 bit keys involves a very, very huge amount of possible keys. It would take much, much longer than the estimated age of the universe to crack it, in fact. Kinda pointless considering it's a video game console.
Last edited by svenmullet; 11-18-2012 at 09:33 PM. Reason: math error
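
Added example (not part of the post above and not code from any PS3 tool): a sketch of why the "static value instead of random" mistake described in post #1 exposes an ECDSA private key, and how a per-message nonce removes the telltale repeated `r`. Assumptions: secp256k1 stands in for the console's curve, the key, nonce and messages are constructed, and all function names are illustrative.

```python
import hashlib, hmac

# secp256k1 parameters as a stand-in curve (assumption: not the PS3's 160-bit curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Add two points (None = point at infinity) on y^2 = x^3 + 7."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt=G):  # double-and-add scalar multiplication k * pt
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    """ECDSA: r = x(k*G) mod N, s = (z + r*d) / k mod N."""
    r = mul(k)[0] % N
    return r, pow(k, -1, N) * (digest(msg) + r * d) % N

def key_from_shared_nonce(m1, sig1, m2, sig2):
    """Equal r means equal k: subtracting the two s equations gives k, then d."""
    (r, s1), (_, s2) = sig1, sig2
    k = (digest(m1) - digest(m2)) * pow(s1 - s2, -1, N) % N
    return (s1 * k - digest(m1)) * pow(r, -1, N) % N

def per_message_nonce(d, msg):
    """Simplified keyed-hash nonce in the spirit of RFC 6979 (not the full scheme)."""
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

D, STATIC_K, M1, M2 = 0x1234567890ABCDEF, 0xC0FFEE, b"update-A", b"update-B"  # constructed, not real keys
SIG1, SIG2 = sign(D, M1, STATIC_K), sign(D, M2, STATIC_K)
print("r repeats:", SIG1[0] == SIG2[0], "| key recovered:", key_from_shared_nonce(M1, SIG1, M2, SIG2) == D)
```

For anyone auditing a signer, the practical check is the first one printed: two signatures from the same key that share an `r` value mean the nonce was reused.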
Old 11-18-2012   #2
tjhooker73
I'm pretty sure we had this explained with Stick figures at some point
Old 11-18-2012   #3
Wolfterro
Yeah, Alice S2 Bob.
__________________
**Ippen... Shinde miru?**
Old 11-18-2012   #4
mrc1978
 
Holy cra..........

Thx for that, now my brain has turned to mush
Old 11-18-2012   #5
nib50005
Ok so I don't know much about cracking keys and all that stuff, but what about brute-forcing the ECDSA algorithm? Could that do anything?
__________________
I always feel like. Gabe Newell's watching me. Tell me is it just on Steam?
Old 11-18-2012   #6
TheWhiteTyger
Originally Posted by nib50005:
Ok so I don't know much about cracking keys and all that stuff, but what about brute-forcing the ECDSA algorithm? Could that do anything?

Unfortunately not, due to the fact that he was saying that it is a 160 bit encryption key which would not be able to brute force because of the almost close to infinite possibilities of brute force combinations. That's why no one wishes to sit there and have 1-1000 computers all brute forcing the encryption. The amount of money involved to undergo such a task would be way past the $100 millions mark.

On a side note and I'm sure this has been thought of, why won't earlier keys work before 3.55? I'm sure $ony couldn't have blacklisted all of them. Even if they only accept keys higher than 3.55 alone, isn't there some sort of way to derive a pattern from the encryption by comparing all keys from 1.00 to 3.55 public? or is it because of so many variables calculating each set of public keys?

I'm sorry, I am yammering on, I'm sure this has all been tried or thought of before and won't work for a logical reason. Just trying to throw ideas to spark another idea.

I honestly believe that it will be up to a security flaw that will be found by decrypting the update modules in firmwares to see if the key can even be bypassed or something since we could technically find a way to install a program onto OFW. I know this can be done, it's just a matter of time before a smart dev finds a way to simplify the process.
__________________
PS3 CECHA01 REX 4.30.2 CFW 500GB Internal + 9TB/3xHDD; PSP-1001 6.60CFW; PS2 SCPH-3001 160GB FMCB / 3x XBOX XBMC 1x320GB; XBOX360 iXtreme 1.4; Wii 4.3E HBC... ALL thanks to community forums like PS3Hax!!
Old 11-18-2012   #7
oPolo
Hmm, did not know you could derive the public key from the private key.

On the other hand, I haven't read about ECDSA at university yet, so haven't really looked at it. But odd.

It isn't something that can be done for instance with the RSA algorithm.
Old 11-18-2012   #8
TheWhiteTyger
Eh, just a Theory, I didn't know if it could work or not, thought I read something that said that someone was attempting to work on reconstructing the algorithm by doing what I suggested. But IDK, just yammering useless dribble because I haven't heard about the progress since lv0 came out.
Last edited by TheWhiteTyger; 11-18-2012 at 03:07 PM. Reason: Font change
Old 11-18-2012   #9
tjhooker73
Originally Posted by TheWhiteTyger:
Unfortunately not, due to the fact that he was saying that it is a 160 bit encryption key which would not be able to brute force because of the almost close to infinite possibilities of brute force combinations. That's why no one wishes to sit there and have 1-1000 computers all brute forcing the encryption. The amount of money involved to undergo such a task would be way past the $100 millions mark.

On a side note and I'm sure this has been thought of, why won't earlier keys work before 3.55? I'm sure $ony couldn't have blacklisted all of them. Even if they only accept keys higher than 3.55 alone, isn't there some sort of way to derive a pattern from the encryption by comparing all keys from 1.00 to 3.55 public? or is it because of so many variables calculating each set of public keys?

I'm sorry, I am yammering on, I'm sure this has all been tried or thought of before and won't work for a logical reason. Just trying to throw ideas to spark another idea.

I honestly believe that it will be up to a security flaw that will be found by decrypting the update modules in firmwares to see if the key can even be bypassed or something since we could technically find a way to install a program onto OFW. I know this can be done, it's just a matter of time before a smart dev finds a way to simplify the process.

We could brute force it if we could borrow the world's most powerful Super computer, it would still take quite some time though...
Old 11-18-2012   #10
TheWhiteTyger
Originally Posted by tjhooker73:
We could brute force it if we could borrow the world's most powerful Super computer, it would still take quite some time though...

Let's go after the Air Force's multi PS3 server farm, that'll just about do. Seems legit.
PS3Hax.net is Copyright © 2010-2013.