Rumor: PS3 Masterkey for downgrade found

DarkCrudus

QUOTE said:
Originally Posted by Estx
December 4, 2010 at 1:34 pm

I’ve found the Masterkey from bruteforcing dumps from my system.

Took 27 minutes, over 8,100,000 possible keys. Lol – could’ve waited but ah well.

If anyone is interested in doing the same, you can find it on 3.41.

for(int i = 0; i < list.length; i++)
if(HMAC-SHA-1(key).ComputeHash(encryptChallengeBody) == matchResponseBody)
{
Success;
}

Challenge and response I took from the dumps reported on PSX-Scene.

If graf doesn't find it by tomorrow – I'll release the key.

Only reason I'm holding it back – is because no one helped me when I asked for it. (;

It’s just pseudo code. Actual code has a few more lines than this.

Inclusive of byte conversion, list generating from binary dumps and other trivial functions.

I have no way to dump the data between my at90usb192 and PS3 so I can’t post any challenge/response logs.

And it’s not a magic key – it is the master key.

I have tried it so far from 3.41 and 3.50 on my slim and fat.

That’s the actual loop there: #1346409 - Pastie

Prior to this is generation of the list etcetera.

QUOTE said:
Originally Posted by phiren
December 4, 2010 at 3:55 pm

I’m thinking more of the code which does an SHA1-HMAC between the master key and the dongle ID to generate the device key which is finally SHA1-HMACed with the challenge.

A single device key will work on all firmware versions, which makes it just as useful as the master key for our purposes.

It just means that Sony can revoke that single device and you can’t possibly generate another device key. But since Sony will probably revoke every single device and start again with a new master key with the next firmware version, having the master key isn’t that useful.

QUOTE
Originally Posted by Estx
December 4, 2010 at 4:02 pm

@phiren: That’s what I was thinking as I was learning how to generate the correct response before constructing a quick loop. The expected response is 20 bytes of what you suggested above.

I’ve found no other use of the master key yet.. so you’re quite right.

Mind you, I’m not as talented as some of the other developers here, I’m still playing around with new things I’m finding in the firmwares. And thanks to graf’s work – there’s even more to play around with.


Source

Hopefully it is found, we shall know tomorrow =D got me a ps3 on 3.5 and a jailbreak device soo i hope so =]
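
Added example, not part of the original thread and not any poster's code: the two-step derivation phiren describes in the quote above (device key = HMAC-SHA1 of master key and dongle ID, response = HMAC-SHA1 of device key and challenge), written from the verifier's side to show why revoking one ID or rotating the master key invalidates responses. All keys, the 2-byte dongle ID width, the revocation list and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed values for illustration; not real console, firmware or dongle keys.
MASTER_KEY = bytes(range(20))
NEXT_MASTER_KEY = bytes(range(20, 40))   # stands in for a rotated master key
REVOKED_IDS = {0x0007}                   # hypothetical revocation list


def device_key(master_key: bytes, dongle_id: int) -> bytes:
    """Device key = HMAC-SHA1(master key, dongle ID). 2-byte ID is an assumption."""
    return hmac.new(master_key, dongle_id.to_bytes(2, "big"), hashlib.sha1).digest()


def dongle_response(dev_key: bytes, challenge: bytes) -> bytes:
    """Dongle side: 20-byte response = HMAC-SHA1(device key, challenge)."""
    return hmac.new(dev_key, challenge, hashlib.sha1).digest()


def verify(master_key: bytes, dongle_id: int, challenge: bytes,
           response: bytes, revoked=frozenset(REVOKED_IDS)) -> bool:
    """Verifier side: reject revoked IDs, re-derive, compare in constant time."""
    if dongle_id in revoked:
        return False
    expected = dongle_response(device_key(master_key, dongle_id), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    challenge = os.urandom(20)                       # fresh per authentication
    key_1 = device_key(MASTER_KEY, 0x0001)           # provisioned into dongle 1
    key_7 = device_key(MASTER_KEY, 0x0007)           # dongle 7 was later revoked
    resp_1 = dongle_response(key_1, challenge)
    return {
        "response_len": len(resp_1),
        "valid_dongle": verify(MASTER_KEY, 0x0001, challenge, resp_1),
        "revoked_dongle": verify(MASTER_KEY, 0x0007, challenge,
                                 dongle_response(key_7, challenge)),
        "claims_other_id": verify(MASTER_KEY, 0x0002, challenge, resp_1),
        "after_rotation": verify(NEXT_MASTER_KEY, 0x0001, challenge, resp_1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A device key provisioned under one master key keeps working until its ID is revoked or the verifier moves to a new master key, which matches the trade-off discussed in the quoted posts.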
 

al5911

YAY ...
Is this what can lead to CFW? Or only for downgrading FW for free (open source)?
 

Maz7006

al5911 said:
YAY ...
Is this what can lead to CFW? Or only for downgrading FW for free (open source)?

Downgrading for now i believe so people can run their exploits and play their backups

CFW will probably be a future thing however - just speculating; i wonder when we can start to play PSP games and PSN games - then I'll invest in a PS3 for just Jailbreaking.

regardless, this is a major step.
 

redact

great news.. was getting a little annoyed that the e3 card reader team had managed to clone it before homebrewers had
 

OrGoN3

mercluke said:
great news.. was getting a little annoyed that the e3 card reader team had managed to clone it before homebrewers had

You're annoyed that a team of people that are getting paid to do something, did it before a bunch of individuals, thousands of miles apart, who have full-time lives and are receiving no compensation? Really?????????????????
 

redact

OrGoN3 said:
mercluke said:
great news.. was getting a little annoyed that the e3 card reader team had managed to clone it before homebrewers had

You're annoyed that a team of people that are getting paid to do something, did it before a bunch of individuals, thousands of miles apart, who have full-time lives and are receiving no compensation? Really?????????????????
not in a whiny way, i don't even need a downgrade.

more in a "homebrew scene > big companies" way
 

Sephxus

From
We were talking this morning in the news that a ETSX have managed to decipher the Master Key of the PS3 (It's just a universal decryption key that will allow the downgrade to another, so it is compatible with all firmwares PS3 and even future versions). Well ETSX has not been silent too long, it has indeed the MasterKey post on the blog XorLoser, let's see now if it is authentic.

Edit: Confirmed troll.


Source
 

TLSS_N

well, looks like it's been confirmed that the master key has been dumped, I am not going to go post a news story on this as I am sure you guys are probably getting sick of it


QUOTE said:
I have dumped the key but will not make it public for now. I don’t want people developing more dongles and making more money off it

Don’t worry, I have contacted zAxis and he will use it for his PSGrade.


@beavis

I know where you’re coming from and feel the same way but to be honest figuring this whole key thing out was interesting and that’s what motivated me.

As for the 3.50 jailbreak, I have been working on any possible exploits or methods using one my original 3.15 and I have made some interesting progress.

source

edit: nevermind about the key.
 
