Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by Pirate , on 12/09/2011 , @ 01:51am


    Everyone has been eagerly anticipating the 3.6x keys, and many of you are probably wondering why they have not been released yet. Obviously it's a difficult process, but S0uL and DemonHades have outlined how to get the 3.60 keys. Keep in mind that this is not newb friendly. I post this because it may be useful to the next “Dark Alex” of the PS3 scene looking for the right path.

    To quote (translated):

    Hi demons,

    this is a tutorial on how to obtain the 3.6+ keys, and it’s been made by S0ul and DemonHades (thanks to Demon for the info and for revising it). This is for all those people out there that think that finding the keys is easy.

    Requirements:
    - a brain
    - expensive hardware
    - Knowledge of motherboard designs (this is if you wanna obtain data from sockets)
    - SMD and BGA knowledge (to desolder and solder smd and bga components)
    - High Frequency Oscilloscopes (to log frequencies)
    - PPC ASM knowledge (to modify lvs to be able to implement new functions)
    - Knowledge of the PS3's architecture (to know what's an lv)
    - a lot of patience

    Let’s see how this rolls out:
    To obtain the keys, we'll need lv0 decrypted. Lv0 will unpack itself into the RAM, and is decrypted with the bld key. There, the keys will already be in the SPU, which is like a safe, an impossible area to enter (isolated from the exterior).

    When the loaders and the lvs are loaded into the SPU, lv1 will clean any traces of the decrypted lvs and loaders from the memory. But who's the one giving orders to clean? Lv1, therefore, it can be accessed with an exploited version.

    To solve this problem, we’d need to make a modified lv1 that’ll copy the data we wanna get, the decrypted lv0 in memory, and then make it put that info aside, so we can then extract it, and after that, leave it continue its normal cleaning and mapping routines.
    This way, we’ll have the part of the memory with lv0 safe for us to get, exposing lv0 to all its content.
    From there, we’ll have appldr, that’ll be decrypted with lv0, and with it, we’ll have our “keys warehouse” available to us.

    Do you still think it’s easy to obtain the keys? I don’t think so…

    Greetings to everyone,
    S0ul.

    Thanks to jean945 for the translation.

    There you have it. As said earlier, it is no easy feat, and hopefully this sheds some light on what it takes to get the keys.

    [VIA Demonhades]


  • Posted by PS3Hax Member News , on 07/09/2011 , @ 12:06am


    Usenet user JoHNAaRoN has released the FULL 3.60 PS3 SDK, shortly after the full 3.40 SDK was leaked a few days ago. The leak also includes the PS3 3.55 downgrade PUP file for FW 3.56+ test kits.

    NFO Below:

    sonyhatesme-ja.nfo

     PS3 3.60 FULL SDK (c) SONY            
    
    Date     : Sept 2011
    Languages: -
    Platform : PS3
    Genre    : Development
    filename : sonyhatesme-jr.part**.rar
    filecount: 92
    
      Release Info:
      ~~~~~~~~~~~~~
    
    3.60 SDK by S0ny.
    
      Notes:
      ~~~~~~
    
    Enjoy
    To quote release:

    time. GOOD BYE AND FCK YOU ALL!!

    P.S. One thing I will do for ya’ll is leave a parting gift (why, because I can)

    Big shoutout to my main man Hades, also SeNsEyE, dk, j00mla and FP20

    1. PS3.Full.3.60.SDK.PS3-JoHNAaRoN (usenet is your friend)

    2. NPDRM KEYS (unlisted appldr keys)

    1. PS3 3.60 FULL SDK (c) SONY

    SDK3.60/Extras/PS3DECHUpdateData.355.001d.zip

    SDK3.60/Offline Installer/InstallFiles/[162]-PS3_SDK_CGTUTORIAL-240_001.zip

    SDK3.60/Offline Installer/InstallFiles/[28]-PS3_SDKDoc-360_01-CHM-English.zip

    SDK3.60/Offline Installer/InstallFiles/[29]-PS3_SDKDoc-360_01-Help2-English.zip

    dox/CBE_Architecture_v101_e.pdf

    dox/CBE_Public_Registers_v15.pdf

    dox/Language_Extensions_for_CBEA_v23_e.pdf

    dox/RSX-Users_Manual_e.pdf

    dox/SDK_doc/en/chm/PS3_Index_e.chm

    dox/SDK_doc/en/chm/PS3_SDKDoc_e.chm

    dox/SDK_doc/en/chm/ProDG_PS3_Linker-E.chm

    dox/SDK_doc/en/chm/Table of Contents-E.chm

    dox/SDK_doc/en/help2/H2Reg.exe

    dox/SDK_doc/en/help2/H2Reg.ini

    dox/SDK_doc/en/help2/Install_SCE_PS3_Help2_Documentation_e.bat

    etc…

    etc…

    etc…

    2. NPDRM KEYS (unlisted appldr keys)


    See you on the DARKSiDE!

    JoHNAaRoN

    A VERY big leak indeed; it will be interesting to see where this propels the PS3 scene, and maybe 3.6+ support for the new games this holiday season :)

    And if you haven't figured it out already, this is mainly for DEVS to further research and create goodies for you on the PS3.

    Full list of what is included in the leak, and what is missing can be found HERE.

    Release: S0nyHatesMe-PS3.FULL.3.60.SDK.PS3-JoHNAaRoN
    NFO: NZBIndex

    We won't link the download files, but you can grab them at the source below. Please note that you will need to know how to download from usenet (and it sucks -.-).

    [VIA PS3ISO]

  • Posted by Pirate , on 02/07/2011 , @ 10:47am


    More updates from the Gitbrew team, via Twitter. They have recently tweeted this interesting bit of news:

    Bootloader has been dumped from a nand successfully. Nor is going to be dumped next. Rootkey, you’re now in our grasp.

    CFW we will not release for 3.56+ unless the PS3MFW team finds a way to do that again :) . an exploit for other developers to work

    Rootkey = per console key. You would need to dump your own key in order to decrypt your bootloader and metldr as far as I know.

    In layman's terms, we are one step closer to ‘hacked’ PS3 consoles on newer firmwares. Although they don't plan on making an actual firmware, finding the exploit is the toughest step; it's all a cake walk from there. If downgrading isn't your style (or you own a slim), have patience, things are looking pretty good.

    [VIA Gitbrew Twitter] – Thanks to marack112 for news tip.

  • Posted by Pirate , on 15/04/2011 , @ 11:22am


    The first game to require firmware 3.60 is out: Portal 2. This game is currently not playable on CFW PS3s, and none of the previous methods have been reported working (such as PARAM.SFO editing or Dean's Eboot decrypter). Portal 2 is encrypted using the new FW 3.60 keys, and as we know those have not been released/discovered yet (publicly, anyway).

    Many of you have been asking why Dragon Age 2 works: the reason is that DA2 required FW 3.56, not FW 3.60.

    Before now there was no real need to find a solution for CFW 3.60, but now that newly released games are demanding the new firmware requirement, you can be hopeful that a solution will be out soon.

    Let us know your thoughts, ideas and any personal tests you have run in attempts to get Portal 2 to run.

  • Posted by PS3Hax Member News , on 28/03/2011 , @ 07:28pm


    Mathieulh's recent tweets have basically outlined new information relating to dumping LV0 on PS3 FW 3.60 and obtaining the new firmware's keys. He has not released the full method for doing this, but at this point has given enough for someone to figure out the rest. There is also a team by the name of “Ps3WeOwnYoU” on Twitter claiming to have cracked the new firmware via Mathieulh's tweets.

    Below are the recent Mathieulh tweets:

    “You can’t overflow user processes, the NX bit applies here, you can only overflow lv2 or a process with higher privileges.”

    “You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.”

    “Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)”

    “You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.”

    “Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.”

    “You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.”

    “You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.”

    “That’s from an older lv0, the method to get the data isn’t the same, the one I posted was a dump, this one is a decryption ”

    “There is a nice way to dump pre 3.55 lv0 as well by using a small lv1 binary, it’s a risky process though.”

    “Oh! You mean my pm ? congrats, you just figured I have had lv0 dumped/decrypted for quite some time xD”

    “Reminds me of those stupid lv2 overflows I spotted ages ago in the bdemu code, which are useless now on 3.55+ anyway.”

    “To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.”

    “The new 3.56+ values for tarballs are the following: owner_id, “0000764″ group_id, “0000764″ owner, “tetsu” group, “tetsu” ustar, “ustar ”

    “You can use fix_tar to use those new values. Use with caution.”

    “By comparison, those are the pre-3.56 values. owner_id, “0001752″ group_id, “0001274″ owner, “pup_tool” group, “psnes” ustar, “ustar “
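    The 3.56+ versus pre-3.56 tarball ownership values from the tweets above, checked against raw ustar headers so you can tell which convention a package's tar follows. This is an added example, not code from the page or from fix_tar; the archives it builds are constructed samples and the entry name is invented.

```python
import io
import tarfile

# Ownership fields as they appear in a ustar header (octal strings), taken from the tweets above.
CONVENTIONS = {
    "3.56+":    {"uid": "0000764", "gid": "0000764", "uname": "tetsu",    "gname": "tetsu"},
    "pre-3.56": {"uid": "0001752", "gid": "0001274", "uname": "pup_tool", "gname": "psnes"},
}

def read_ustar_header(block: bytes) -> dict:
    """Extract name, ownership and magic fields from one raw 512-byte ustar header."""
    if len(block) != 512:
        raise ValueError("a ustar header is exactly 512 bytes")
    def field(off, size):
        return block[off:off + size].split(b"\0", 1)[0].decode("ascii")
    return {
        "name":  field(0, 100),
        "uid":   field(108, 8),    # octal string, e.g. "0000764" is 500 decimal
        "gid":   field(116, 8),
        "magic": field(257, 6),    # "ustar" for a POSIX tar header
        "uname": field(265, 32),
        "gname": field(297, 32),
    }

def classify(header: dict) -> str:
    """Name the firmware convention whose ownership fields all match, else 'unknown'."""
    if header["magic"] != "ustar":
        return "unknown"
    for label, want in CONVENTIONS.items():
        if all(header[k] == v for k, v in want.items()):
            return label
    return "unknown"

def build_tar(uid: int, gid: int, uname: str, gname: str) -> bytes:
    """Constructed single-entry ustar archive with the given ownership (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"constructed placeholder payload"
        info = tarfile.TarInfo("content/sample.bin")  # constructed entry name, not a real PUP path
        info.size = len(payload)
        info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def classify_archive(tar_bytes: bytes) -> str:
    """Classify an archive by the ownership fields of its first entry header."""
    return classify(read_ustar_header(tar_bytes[:512]))

if __name__ == "__main__":
    print(classify_archive(build_tar(0o764, 0o764, "tetsu", "tetsu")))        # 3.56+
    print(classify_archive(build_tar(0o1752, 0o1274, "pup_tool", "psnes")))   # pre-3.56
```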


    To quote a bit more information about LV0:

    So, to decrypt this LV0 thing, we need to get to know it better. In the latest blog post by rms, he has explained briefly what LV0 is in the console’s security.

    Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the “Cell OS Bootloader”. In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

    So, unless you can decrypt Lv0, no 3.60 “CFW” for you :P. Is there any need for it anyway?

    Mathieulh also has some facts to clarify about LV0.

    1. lv0 isn’t a loader it’s a ppu binary

    2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos

    3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.

    4. The bootloader keys cannot be updated/modified on EXISTING hardware

    5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)

    Time will tell; hopefully PS3 FW 3.60's “defense” is wearing out :)

    [VIA PS3Crunch]

  • Posted by PS3Hax Member News , on 17/03/2011 , @ 03:03pm


    If you use the FW 3.60 Spoofer, F*ck PSN, or DNS Bypass, you should have noticed they no longer work. The reason is that Sony has today changed their firmware 3.60 authentication. However, according to Mathieulh the new firmware is not hard to spoof, and he tells devs how to spoof it.

  • Posted by PS3Hax Member News , on 15/03/2011 , @ 07:15pm


    This has been spreading like wildfire over various forums, so we thought it would be appropriate to bring it to attention here before it gets out of hand. A YouTube user, Winocm, claims to have jailbroken PS3 firmware 3.60 with a proof of concept video. The video that has been causing the stir can be seen below:

    Looks pretty “clean” so far, but only time will tell if this is true or not.

    In other news, the well known hacker who brought you F*ck PSN, Drizzt, has tweeted an IRC log of Mathieulh claiming to have code running on PS3 FW 3.60, making the video above raise some eyebrows.

    [03:15] while you are insulting me like morons, I already have code running on 3.60, and I am laughing, and guess what ? I am happy I stopped sharing, you can hate me for it, I don’t care.

    We are marking this as a rumor until something is released (it could very well just be a simple firmware spoof!), but till then let us know if you think this is real or fake.

  • Posted by Pirate , on 10/03/2011 , @ 04:06pm


    Dean wasted no time in updating MultiMan, bringing the latest version to 1.16.08, which adds FW 3.60 spoofing. Full changelog below:

  • Posted by PS3Hax Member News , on 10/03/2011 , @ 07:41am


    Well, PS3 Firmware 3.60 is now live. The biggest addition is a Cloud Storage System, allowing you to back up your game saves online. However, this feature is only for PlayStation Plus members (for now). You can read more about the Cloud Storage system HERE. The new firmware also brings better power management for your PS3 controllers, allowing you to control how long they stay on via XMB options.

    That is currently all the information we have on the new FW 3.60.

    F*ck PSN and Charles are confirmed working (no confirmations on the PS3ita CFW yet). We will keep you updated on the full changelog and analysis of the OFW soon.

    [Download PS3 FW 3.60 FW Update]

    Update:

    According to KaKaRoToKS's Twitter, the new firmware seems to have updated security:

    Sony removed all the loaders, no more isoldr/lv1ldr/lv2ldr/appldr.. but they added lv0.2!

    looks like lv0.2 is just the SCE header of lv0, just like the spkg, it doesn’t contain code in itself… just resigned with securely..

    Currently KaKaRoToKS has no plan on cracking the new firmware.