Post: Bootloader dumped, Root key in grasp!
07-02-2011, 04:10 AM #1
lionsfan420
They call me Skeeter!
Here you go guys, we have some progress, which is real good news.
07-02-2011, 07:51 AM #11
MateoGodlike
Who’s Jim Erased?
Originally posted by PS3
Yeah, too bad ROOT KEY = per-console key, so you would need to dump your own key in order to decrypt your bootloader and metldr. So even if they get it, it's only for their console.


So it will probably be made simply as a PKG where it does all the goods for you. (Ahem, QA flag.)
07-02-2011, 07:56 AM #12
T_m_b07
I defeated!
Originally posted by PS3
Yeah, too bad ROOT KEY = per-console key, so you would need to dump your own key in order to decrypt your bootloader and metldr. So even if they get it, it's only for their console.


I came across a very interesting conversation between a group of devs about all this and their intentions of WHY they're going after the bootldr, and yes it IS unique per console, BUT as I read on, their goal is to use the bootldr key to achieve getting the CPU key, with which they can then decrypt lv0, which WILL mean CFW for 3.56 and 3.60+ and even CFW for any of the updates Sony will later release... :/ Here's a quote from the convo....

Originally posted by another user
But that's not worth the hassle. lv0 doesn't decrypt anything, it just sets up the hardware, + even IF it does anything useful and even IF you get any keys out of it, you could "only" decrypt stuff further in the bootchain. But we want to SIGN stuff! That's why we attack the CPU to get its key in order to decrypt bootldr, which is NOT updateable and therefore still contains the ECDSA fail, which enables us to decrypt EVERY lv0 FOREVER + SIGN custom lv0's forever == CFW forever!


So I guess the future is looking up for ALL but one group (errhurrgh COUGH Sony) :bat::n00b:
07-02-2011, 08:06 AM #13
Wow, you guys are so smart. :lol: stare
07-02-2011, 09:17 AM #14
forcer911
Space Ninja
That's great news, but I am sure they can't release a new jailbreak.

The following user groaned forcer911 for this awful post:

MateoGodlike
07-02-2011, 12:16 PM #15
Originally posted by vexen View Post
Not to be the bearer of good news, but the NAND and NOR are both the same for every PS3.


Just thought I would say that this piece is wrong. The PS3s with NAND are the first generations, i.e. PS3s with the serial range from CECHA to CECHG. The PS3s with NOR are CECHH+, and if the PS3's bootloader is anything like Android's, then that should mean CFW and we shouldn't need to sign anything.
07-02-2011, 03:57 PM #16
Originally posted by MateoGodlike View Post
So it will probably be made simply as a PKG where it does all the goods for you. (Ahem, QA flag.)

Yeah, it seems like Gitbrew can do anything, so I bet they somehow make this a .pkg.
07-02-2011, 04:19 PM #17
MateoGodlike
Who’s Jim Erased?
Originally posted by forcer911 View Post
That's great news, but I am sure they can't release a new jailbreak.


They could at least pave the way.
07-02-2011, 04:48 PM #18
hankm242
Do a barrel roll!
This is very confusing. I hope they just release a jailbreak for 3.61.
07-02-2011, 06:47 PM #19
Originally posted by PS3
I'm going to explain this as easily as possible for you. There are 2 very different types of keys at work here, and there are multiple different values of these 2 keys for different parts of the system.

First of all, the riv/erk keys are used to symmetrically encrypt executables using an AES-CTR cipher, and the key for this on the metldr is what is referred to as the "root key", because every other key can be discovered by following down this chain and decrypting each level's firmware and its loader (lv0, lv1, etc.).

Secondly, the public/private keypair is used only to digitally sign the hash of the executable. Each loader effectively checks the signature of the "loader" (lv1, lv2, game, etc.) to ensure that it is officially authorized by Sony. The current private components of these keys were compromised during Sony's failure to understand "randomness", allowing us to digitally sign new firmware, executables, etc.

So to answer your question: we already have the metldr key; the thing is that they don't use metldr anymore, at all. Sony removed all the loaders, no more isoldr/lv1ldr/lv2ldr/appldr; they added lv0.2, which seems to have secured the PS3 for now.


Thanks... Hope this exploit won't be patched by Sony any time soon. And thanks again.

Copyright © 2026, NextGenUpdate.
All Rights Reserved.
