PS3Key – A Brief History of the PS3 Jailbreak Device by the Famous Wiikey Team

Shortly after the groundbreaking introduction of PSJailbreak by www.psjailbreak.com at the end of July 2010, gaming communities around the world were excited by the device that opened Pandora's box for the PlayStation 3, a console that had been immune to hacking for over four years. While gamers were eagerly waiting for the actual release of the PS3 Jailbreak device onto the market, the debut price announced by the manufacturer sent a shockwave through the global gaming community. The debut retail price for PSJailbreak was an unbelievably high USD 150, more than half the price of a PS3 console.

Although gamers appreciated the hard work and initial investment the PSJailbreak team had put into developing a jailbreak device for the PlayStation 3, most were put off by the unreasonably high price. Even though buyers were hesitant to dig that deep into their pockets for a PS Jailbreak, many were hyped at the thought of jailbreaking their PS3 in the same way they had jailbroken their iPhones and iPads.

As the hype around PS Jailbreak went on and more samples reached gaming forum webmasters around the world, the mysterious PS Jailbreak, a simple USB dongle, was taken apart by many experts, among them the Wiikey team. It did not take long for hackers around the world to reverse-engineer the PSJailbreak dongle, and it took the Wiikey team even less time, as they had been in the modchip scene with Wiikey, Wiikey 3, Wiikey Fusion and Drivekey under their belt.

According to the Wiikey team, the hardware of the PSJailbreak dongle did not cost much more than that of a normal USB pen drive. The reason the PSJailbreak team set such a high debut price was that they believed it would take other hackers over two months to reverse-engineer their device and produce a product with similar functionality. Within that two-month window they would monopolise the supply side of the market and have all the power to set the price.

Unfortunately, their belief turned out to be short-lived. The Wiikey team took three weeks to reverse-engineer the product and launched their first product for the PS3: the PS3KEY. The PS3KEY has some outstanding features. In terms of design, the PS3KEY inherited the original PSJailbreak design, with the device covered by a stainless steel shell, and changed the cap to blue plastic. The bright blue colour is in line with the main product colour used by the Wiikey 2 and Wiikey Fusion. The elegant laser-printed logo makes the device stand out among all the other PSJailbreak variants. As the name suggests, the PS3Key provides the best key to the PlayStation 3 gaming world.

The Wiikey team is also fully aware of the copies of their PS3KEY on the market and has introduced an online product verification mechanism for users to find out whether their PS3KEY is genuine. The validation is simple and straightforward: users enter their PS3Key serial number and validation string to check that they have an authentic PS3Key. The whole validation process takes less than a minute.

In November 2010, the original PSJailbreak team announced yet another groundbreaking product, PSDowngrade, and charged another shocking USD 100+ for the PSDowngrade USB dongle. In addition, the user can only use the PSDowngrade to perform a firmware downgrade ONCE; after that, the PSDowngrade dongle is rendered useless. That is shocking enough.

On 6th December 2010, the PS3Key team announced their answer to PS3 firmware 3.50 by completing a firmware for PS3Key that allows users to downgrade their PS3 firmware from 3.50 to 3.41. For those unfamiliar with the process, this means that newer PS3s running the 3.42 and 3.50 firmwares can be downgraded to 3.41 and jailbroken.

At the same time they also announced the 64KB version of PS3Key. This version has 64KB of flash, unlike the standard version with 32KB. This allows for larger payloads, including the AsbestOS Linux payload. It also supports enabling and disabling encryption, which makes it possible to update it with custom payloads. Software for extracting payloads and converting them to the Open PS3Key format is in the works.

Like all SiLabs-based PS3Keys, this new version shows up as a mass storage device on a computer, and updates can simply be dragged and dropped onto it.

Using the PS3Key proves to be as efficient as the official PS3Key website. The PS3Key does not come with the firmware pre-loaded and has the following features:

  • USB Plug and Play solution that installs in seconds without any need to open up the PS3.
  • Does not break your warranty seal.
  • Compatible with all PS3 models*, both Fat and Slim.
  • Supports all regions: USA, JAP, PAL and KOREA.
  • Fully updatable via USB on your PC using an encrypted bootloader.
  • 32KB onboard flash (most competing products only have 16KB flash).
  • Disables forced software updates and will never brick your console.
  • Supports most games and homebrew applications.
  • Easy-to-use software for backing up, managing, and playing games from external USB Hard Drive.
  • Playing games from HDD is much more enjoyable, benefiting from greatly enhanced seek and loading times.
  • Supports installing homebrew application on PS3 and external USB media.
  • Optionally PS3Key can be supplied with an “open” firmware which does not support backup loading. Users would then have to download a firmware update for PS3Key to get full functionality.

* Currently not compatible with 3.42 firmware

PS3 USER CHEAT CHT Dongle from PS3BREAK TEAM

Is PS3 User Cheat CHT Dongle another revolutionary product for the PS3?

The PS3 User Cheat CHT Dongle is primarily for using AR cheats on the PS3 and is manufactured by the PS3BREAK TEAM. PS3Break is the affordable version of PSJailbreak: its retail price is about one quarter of that of the PSJailbreak. The PS3Break team has earned a good reputation for the PS3Break, not just for its price but also for its quality. The PS3 User Cheat CHT Dongle is believed to be a reliable successor to the PS3Break.

The most outstanding feature of the PS3 User Cheat CHT Dongle is its AR Cheat, the first of its kind for PS3. Many gamers will be thrilled by the AR cheats and effects such as “infinite energy, the strongest equipment, never game over”.  On top of the AR cheat function, the PS3 User Cheat CHT Dongle also inherits the following functions of the PS3break:
1. 100% upgradeable; compatible with all PS3 models, Fat and Slim.
2. Onboard 128MB SLC NAND flash memory.
3. Boots from SD, HDD and external hard drives.

The PS3 User Cheat is believed to utilise the decryption keys released by Fail0verflow and geohot.

How hackers, Fail0verflow & geohot, leave PS3 security in tatters

The following well-written article is from Eurogamer:

PlayStation 3’s internal security scheme is a shambles, with all of its major anti-piracy features failing abysmally. The system is so vulnerable that hackers now have the exact same privileges as Sony in deciding what code can run on the console.

So says the self-styled “Fail0verflow” team, hackers with a successful track record in opening up closed devices such as the Nintendo Wii for running homebrew code and – of course – perennial favourite, Linux. Yes, despite the removal of OtherOS, Linux is coming back to PS3.

Fail0verflow’s comments, presented at the 27th Chaos Communication Conference (27c3) might seem somewhat at odds with reality. PlayStation 3 launched in NTSC territories in November 2006 and yet the first widespread piracy only kicked in this summer with the release of PSJailbreak.

IBM’s Cell Broadband Engine has been widely praised for its tough on-die security features which ensure that none of the essential decryption keys ever leave the main CPU, and so can’t be accessed via RAM dumps. The protection has certainly lasted longer than that of the Wii and Xbox 360, both of which have been running pirate games for years now.

Fail0verflow’s explanation? Hackers want to run their own code on the hardware they buy and PS3 allowed them to do that from day one. Only when the Linux-stripped PS3 Slim appeared – which they say can run the OS just as well as the older model – and when OtherOS was removed from the “fat” console, were the hackers suitably motivated to expose the security shortcomings of the system.

The team also believe that piracy is a consequential effect of such hacks, and that the PS3 remained secure for as long as it did simply because hackers weren’t interested in opening up a system that was already open enough, with Linux implementations supported vigorously at launch by the platform holder.

[Screenshot: Fail0verflow’s 27c3 slides, table 3]

Fail0verflow’s presentation at 27c3 makes the case that hackers open a platform and pirates exploit their work. They say that PS3’s OtherOS staved off interest in hacking it, postponing piracy for years. They reckon that PS3 security was only attacked when OtherOS was removed, and piracy followed.

Across a 45-minute presentation, the team revealed the methodology that made the on-die security an irrelevance and proved beyond doubt that the Hypervisor tech – the CPU guardian that is supposed to stop unauthorised code running – was almost completely pointless.

According to the Fail0verflow team, the PS3’s architecture appears to allow the execution of rogue “unsigned” code with only the minimum of effort required from a determined hacker – which seems to explain in part how the PSJailbreak exploit was able to run pirate games even though the Hypervisor was not touched at all.

Based on their presentation, it looks as though the team has not cracked the Hypervisor even with the new hack, but their contention is that its application is an irrelevance anyway. Even specific code that Sony revokes and bans from use within the PS3 isn’t actually being checked when it is run, so after the Hypervisor’s cursory check, rogue code can be patched back in and run as per normal.

However, the Fail0verflow team’s work goes way beyond this traditional style of hacking. They have released the technique by which any kind of unauthorised code can be run on any PS3. Every PS3 executable file is encrypted, or signed, using private ciphers only available (in theory) to Sony itself. It has long been established that brute-forcing the keys would take hundreds of thousands of computers hundreds of thousands of years to complete.

However, despite this mathematical reality, Fail0verflow are now in possession of all of the encryption keys Sony uses. They can create DLC-style packages that will run on any PlayStation 3, and yes, they can create their own custom firmware upgrades. Their stated aim is to produce their own firmware update that boots directly into Linux on any PS3, but the methodology allows for any kind of custom firmware to be produced – and we all know what that means.

So how did Fail0verflow get the keys so quickly? Well, in creating the encrypted files, an important element of the mathematical formula is the use of a random number. The PS3 encryption scheme uses just a single random number that never varies between each signed file, while the proper way of carrying out the signing process is to use a different random number every time a file is signed. Armed with just two signatures, it is possible to mathematically reconstruct the encryption key thanks to this constant variable. In theory, it’s as simple as that. In practice, some simple equation work is required.

[Screenshots: Fail0verflow’s 27c3 slides, equation 1 and equation 2]

Fairly simple mathematics brings about the ability for anyone to encrypt and sign PS3 software – something that up until now only Sony has been capable of doing. These slides from Fail0verflow’s 27c3 presentation show just how simple it is.

There are many different keys used by Sony – keys for game code, firmware components, and the isolated SPU decryption system, for example. All of them have been encrypted with the same random number faux pas, meaning that all of them can be reversed. In a stroke, hackers now have the exact same privilege level for running code as Sony itself, and this encompasses all file-types the console uses.

It’s a monumental error made by the platform holder that has serious repercussions for the future of the PlayStation 3. Hardware hacks like flashed Xbox 360 DVD drives and modchipped Wiis seem to introduce an inherent limitation that stops a majority of devices from being modified: maybe people just don’t have the skill or the willingness to toss away their warranties. But a full software hack like this one, compatible with all machines currently on the market, can spread like wildfire.

Recently, hackers have been able to reverse-engineer PS3 firmware updates by decrypting the contents using currently available exploits. But once the code had been decrypted, they could never re-encrypt it and pack it into the format the PS3 requires to install an updated system software. The secrets of the console could be revealed, but no changes could ever be made to the console. Custom firmware was impossible, and the console effectively remained secure.

Now all bets are off. Modules within the firmware can be patched, re-signed and repacked into an update file that any PS3 – jailbroken or not – can read. The patches made by the PSJailbreak USB dongles could be hard-coded into custom firmware, meaning dongle-less piracy that encompasses current and future firmwares. In effect, the PlayStation 3 is now the most vulnerable console on the market, even more exposed to hackers than the Wii and Xbox 360.

So what can Sony do? It can easily move on to new keys that do indeed use the random number element correctly, and these keys cannot be easily reversed. However, it cannot revoke the keys already used without invalidating every game and every piece of DLC released to date – and while those compromised keys remain valid, so does everything else signed by the hackers. Just about the only option available is to create a mammoth “white list” of executable code encompassing every single game and DLC patch released in the last four years and then blacklist anything else using the current keys.

However, the scale of this task is monumental – and ultimately pointless – as the Fail0verflow team have already demonstrated that revocation lists in the PS3 can be patched and that there is complete access to the system throughout its now-broken “chain of trust”. New loaders using the new keys can simply be patched to accept the revoked older keys too. Making matters worse for Sony is the fact that the “master keys” for the PS3’s initial bootloader – which can never be revoked and only changed with revised hardware – were uploaded onto the internet last night by iPhone hacker George Hotz (aka Geohot), using an exploit unknown even to the Fail0verflow team. This is system access at the very root of the system, a “master key” to the whole architecture.

[Screenshots: Gran Turismo 5 and Need for Speed: Hot Pursuit]

Most – if not all – PS3 titles out now were created with Sony tools that pre-date the 3.41 firmware exploited by PSJailbreak. Sony locked out the pirates from titles like Gran Turismo 5 and Need for Speed: Hot Pursuit by introducing new encryption not found in the older firmwares. The new hack means that these titles will now be vulnerable to piracy.

At the time of writing, the Fail0verflow team have only just released their tools, but the methodology the team released has already brought about rapid progress in completely unlocking the PlayStation 3’s internal workings. The principles behind making updates that can be unpacked, decrypted, patched, re-encrypted and recompiled into PUP files just like Sony’s own firmware are right out there in the open, meaning that there’s a good chance that a firmware 3.55 Jailbreak will be available very soon.

In the meantime, it must surely be panic stations at Sony and there must be some degree of introspection at the platform holder’s HQ about why this has happened. The fundamental flaws in PS3’s security model should have been exposed years ago – piracy is after all a big business in its own right. It’s no mistake that PSJailbreak only appeared after Geohot publicly released his original hack – it was the toolkit that pirates required in order to understand how the system worked (though rumours persist that Hotz himself was in some way responsible for the Jailbreak, a technologically ingenious exploit he probably would have been very proud to uncover).

The Fail0verflow team says that hackers do the hard work in compromising a system to run Linux and homebrew code, while the pirates exploit that for their own ends. They suggest that the pirates themselves lack the skill to come up with the exploits, and that the PS3 was left unmolested for so long because Sony gave paying customers a way to run their own code on the system. In short, the real hackers weren’t interested in opening up a system that was already open enough.

Fail0verflow says that removing OtherOS first from the Slim, and then from the original “fat” PlayStation 3 was the catalyst that brought this hack about and their own presentation tacitly acknowledges that piracy will be an inevitable consequence. As this article is being written, previously pirate-proof firmware 3.50 PS3 titles are being decrypted and re-packed for the existing firmware 3.41 Jailbreak – a stopgap solution for piracy until full-on custom firmware appears.

“There is absolutely no doubt in our mind that the PS3 lasted as much as it did due to OtherOS. The security really is terribly broken,” the team posted on their Twitter page.

The battle between users wanting the right to run their own code on their own hardware, up against platform holders who want to rigidly retain those rights for themselves looks set to rage on well into the foreseeable future. Fail0verflow suggests that OtherOS/PS3 Linux was a compromise that kept most parties happy and piracy at bay, but the technical ingenuity of the PSJailbreak suggests that sooner or later, copied software will always become a problem for any console platform holder.

Source: Eurogamer

PS3Key Firmware (Atmel)

PS3Key v4.5 Firmware

Spoof firmware, tricks the PS3 system into believing you are running 3.55 firmware so no accidental updates can occur.

PS3Key PS3 Downgrade-JIG firmware

This firmware turns PS3Key into a so-called service JIG that allows you to downgrade the PS3 firmware from 3.50 to previous versions. Archive contains instructions and firmware for all versions of PS3Key, but not the modified 3.41 PUP or other files containing copyrighted material.

PS3Key v4.3 Firmware

On popular request we have added the recently published workaround that allows 3.41 firmware users to log in to PSN. We would like to emphasize that while it does allow you to log in and play games online with a jailbroken PS3, there is no guarantee that your PS3 will not be banned. Use this feature at your own risk, and go for v4.0 if you want to play it safe!

PS3Key v4.0 Firmware

A general update based on the Hermes v4 payload to add the associated features.

PS3Key v3.0 Firmware

A general update based on the Hermes v3 payload to add the associated features.

PS3Key v2.3 Firmware

This update can be applied using any Windows PC with a USB port. This update addresses a critical issue with the PS3 USB power supply and also works with fat PS3 models. We recommend that everyone updates their PS3Key with this or the v1.3 update immediately.

PS3Key v1.3 Firmware

This update can be applied using any Windows PC with a USB port. This firmware provides the “original” v1 PS3Key firmware without the new features added in v2. This update also addresses a critical issue with the PS3 USB power supply and also works with fat PS3 models. We recommend that everyone updates their PS3Key with this or the v2.3 update immediately.


PS3Key Firmware (Silabs)

PS3Key v4.5 Firmware

Spoof firmware, tricks the PS3 system into believing you are running 3.55 firmware so no accidental updates can occur.

PS3Key PS3 Downgrade-JIG firmware

This firmware turns PS3Key into a so-called service JIG that allows you to downgrade the PS3 firmware from 3.50 to previous versions. Archive contains instructions and firmware for all versions of PS3Key, but not the modified 3.41 PUP or other files containing copyrighted material.

PS3Key v4.3 Firmware

On popular request we have added the recently published workaround that allows 3.41 firmware users to log in to PSN. We would like to emphasize that while it does allow you to log in and play games online with a jailbroken PS3, there is no guarantee that your PS3 will not be banned. Use this feature at your own risk, and go for v4.0 if you want to play it safe!

PS3Key v4.0 Firmware

A general update based on the Hermes v4 payload to add the associated features.

PS3Key v3.0 Firmware

A general update based on the Hermes v3 payload to add the associated features.


The private keys for the PS3 (and PSP) have been found – PS3Key & PSJailbreak

The private keys for the PS3 (and PSP) have been found. This opens the doors for anybody with a PS3 to develop content (not just hackers), and you don’t need a hacked PS3 to run anything they make. This blows the PS3 wide open. The PS3 is even more open than the Wii now.

Who did it?

A hole in the encryption scheme of the PS3 was found by team fail0verflow. Geohot used the information to find and publicly post the keys. Mathieulh then did some digging in the PS3 and found the encryption keys for the PSP as well (the PS3 and PSP interchange content under certain situations).

What are keys?

The reason game systems will only run official content is because the company in question (e.g. Sony, Nintendo, or Microsoft) builds the system so that it will only accept digitally “signed” content. This “signature” basically takes the form of a key used to encrypt/lock the game/program. If the system is presented with a program that doesn’t have the key incorporated into it, it refuses to run it.

This is how game companies keep people from running pirated games (when copied, part of the signature/lock is destroyed, so to speak), and it’s also how they keep a tight control over what content their system plays. If you’re a game designer and you want to make a pornographic game for the Wii, you can’t unless Nintendo specifically allows you to by signing your content, which of course they won’t. This makes sure that the system isn’t ruined by an influx of crappy games, as happened with systems before the NES’s age. A game company uses this to make sure only “quality” games make it through… and it’s a way of making sure they get a cut of the profits of each game, of course.

How does this relate to current hacks?

This content authentication I described is present in every modern game system.
All the hacks/mods we’re used to target these protection systems in order to disable them.

Softmodding a Wii?
A flash cart for the DS/i?
FreeMCBoot for the PS2?
A jailbreak dongle for the PS3?
Custom firmware for the PSP?

The purpose of each of those mods is to stop the system from checking for the signature.

What can we do with the keys?

With the keys, we can sign our own programs. We no longer have to hack the PS3 in order to run custom content, because our programs will have the signature that the system checks for. This means that now, somebody can make a program that will run on ANY PS3, regardless of its firmware version or whether it’s been modded or not. This opens the doors for anybody with a PS3 to develop content (not just hackers), and you don’t need a hacked PS3 to run anything they make. This blows the PS3 wide open.

Some of you may ask about the Wii’s key we have. That is the common key, which is not the key used to sign content (that’s the private key). Yes, this means that the PS3 is even more open than the Wii now.

How can Sony stop this?

Unfortunately, their options are extremely limited, for the following reasons.

  1. Everything for the PS3 is signed with the keys.
    If Sony was to release a firmware update to simply block things signed with these keys, it would block every PS3 game that currently exists.
  2. Sony has no legal way to force people to not develop for their system in the first place.
    There are various laws in place allowing interoperability and compatibility. This is part of the reason that game systems use this type of security. Since game companies have no way to sue people or prevent them from developing for the system through laws, they require that the system only run things signed with a key, and then they simply refuse to give the key to anybody else. Unfortunately for them, the keys have been found by outsiders.
  3. Sony could attempt to claim that possession or use of the keys are illegal, but that’s on shaky ground.
    A “key” is really just a number (a really big one). Sony would have to convince the courts that knowledge of a certain number is illegal. While something like that might happen when it deals with national security or protecting citizens during a war, Sony’s going to have a hard time convincing the courts to do it for a video game system.

For some background on the legal aspects… this same sort of thing happened with the encryption key for the HD DVD format, and while companies sent out many threat letters, no site was actually sued or taken to court over posting the key (even those like digg that did so defiantly). I’m not sure Sony has a legal way to stop people from using the key, at least in the US.

PS3Key Firmware 4.5 – Does it work on PS3KEY with Silab chip?

The PS3Key team have updated their PS3Key firmware to version 4.5. The latest version brings the 3.55 spoof, which we reported other chips adding last week. A quick reminder: the spoof does not allow online access or the ability to play 3.55 games.

Quotes from PS3KEY.com:

A new firmware is now available for download from the Members Area.
On popular requests we have added the “3.55 spoof”, which makes the System Menu appear as v3.55.

Some users have reported the following issues with the new firmware:

  • I have updated my SiLabs-based PS3Key with this firmware and it doesn't work.
    When I press power and eject it immediately turns to blue and I can't start homebrew apps.
    I'm now with 4.3 firmware and it works fine.
  • I just updated too. I notice that it's not blue light no more; when it's red it means it works. When it's blue it's not working. When it's blue it's on 3.41 but when it's red it's on 3.55, and I tried open manager and it works. Try it when the PS3Key is glowing red.
  • It doesn't really upgrade your firmware; if you unplug the PS3Key, you will see 3.41 in system information.
    It's just to make sure that you won't upgrade by mistake; the system will say: "not need to upgrade…"
    BTW: for me it works well. The LED is blue, working the same as it was on the last version, just shown as 3.55 FW (I have the SiLab chip).
  • I have a SiLabs PS3Key and the 4.5 also doesn't work.
    When I plug it in normally, the two items in the games section to install packages don't appear.
    If I use version 4.3 it's working OK. The only problem is the games that ask for 3.50.

PS3Key PS3 Firmware Downgrader For Downgrading PS3 Firmware From 3.50 To 3.41

On 6th December 2010, the PS3Key team announced their answer to PS3 firmware 3.50 by completing a firmware for PS3Key that allows users to downgrade their PS3 firmware from 3.50 to 3.41. For those unfamiliar with the process, this means that newer PS3s running the 3.42 and 3.50 firmwares can be downgraded to 3.41 and jailbroken.

At the same time they also announced the 64KB version of PS3Key. This version has 64KB of flash, unlike the standard version with 32KB. This allows for larger payloads, including the AsbestOS Linux payload. It also supports enabling and disabling encryption, which makes it possible to update it with custom payloads. Software for extracting payloads and converting them to the Open PS3Key format is in the works.

Like all SiLabs-based PS3Keys, this new version shows up as a mass storage device on a computer, and updates can simply be dragged and dropped onto it.

If you need to downgrade a PS3 with firmware version 3.50 or below you can now grab the PS3KEY JIG firmware from the downloads section available on the PS3KEY official website! Please note that they do not host the modified PUP file or any other file that may contain copyrighted code, which need to be downloaded elsewhere.
