
PS3 Root Key Found

An anonymous reader writes "The PlayStation 3 'root key' used for code signing has been found by GeoHot. This enables running homebrew without the need for psjailbreak-style USB-devices, and also provides hope for those at firmware version 3.55 that currently cannot be downgraded. The key also cannot be changed without hardware modifications. Oops."
  • by imamac ( 1083405 ) on Monday January 03, 2011 @03:42PM (#34746536)
    I wonder how many job offers that kid has received.
  • Same private key? (Score:5, Informative)

    by VGPowerlord ( 621254 ) on Monday January 03, 2011 @03:43PM (#34746540)

    Is this the same private key that was discovered last week [slashdot.org]?

    • Re:Same private key? (Score:5, Informative)

      by Anonymous Coward on Monday January 03, 2011 @03:46PM (#34746598)

      No, this is the metldr private key. fail0verflow wasn't able to find that one as it required a metldr exploit

      • by Khyber ( 864651 )

        the metldr key is based on the exact same broken algorithm.

        Uh, duh. How do you think it was found in the first place?

      • Re:Same private key? (Score:5, Informative)

        by sexconker ( 1179573 ) on Monday January 03, 2011 @04:52PM (#34747306)

        No, this is the metldr private key. fail0verflow wasn't able to find that one as it required a metldr exploit

        No. fail0verflow had no interest in getting that key. Why? Because they're about homebrew, which they can already do, and they're (officially, at least) against piracy, which the metldr key would simplify.

        There was a question asked about this at the end of their presentation. They basically said "Yeah, we don't have that key - we don't give a shit about it. Of course you can get it using the same method we just told you about.".

    • by mcgrew ( 92797 ) *

      As long as it wasn't this [wikipedia.org] root "key".

    • by waffle zero ( 322430 ) on Monday January 03, 2011 @03:54PM (#34746692) Journal
      From what I understand it looks like he used the work from fail0verflow to calculate the private key. If anything he's probably the first person to publish the private signing key. The fail0verflow guys appear to be working to push out the documentation and code for others to reproduce and continue their work. I would guess they'll never actually post the keys they found on their own, just to save the hassle of being sued.
    • by BLKMGK ( 34057 )

      No, I don't think so. What was released before wouldn't allow game code to be run, but in this case he seems to have also released a Hello World app - if the GameLauncher recognizes it and runs it then this is completely NOT the same key. The guys releasing code last week refused to touch the GameLauncher code because they wanted to run Linux etc. at a lower level. IF this is what I think it is, it can be used to sign actual code to be launched. If you listen to the 4th movie released from CCC you can hear a quest

      • by afidel ( 530433 )
        I have to say that while everyone is jumping on this as being about piracy, if I was working on a homebrew app I would definitely want it to run from the launcher instead of requiring a complete reboot into my own loader environment. For instance, a version of MAME that runs from the launcher would be very cool.
    • Re:Same private key? (Score:5, Informative)

      by marcansoft ( 727665 ) <{moc.tfosnacram} {ta} {rotceh}> on Monday January 03, 2011 @08:00PM (#34749208) Homepage

      We (fail0verflow) discovered and released two things:

      • An exploit in the revocation list parsing, enabling us to dump a bunch of loaders, and thus their decryption keys
      • A humongous screwup by Sony, enabling us to calculate their private signing keys for all of those loaders, and thus sign anything to be loaded by those loaders

      We used these techniques to obtain encryption, public, and private keys for lv2ldr, isoldr, the spp verifier, the pkg verifier, and the revocation lists themselves. We could've obtained appldr, (the loader used to load games and apps), but chose not to, since we are not interested in app-level stuff and that just helps piracy. We didn't have lv1ldr, but due to the way lv1 works, we could gain control of it early in the boot process through isoldr, so effectively we also had lv1 control.

      With these keys we could decrypt firmware and sign our own firmware. And since the revocation is useless and the lame "anti-downgrade" protection is also easily bypassed, this already enables hardware-based hacks and downgrades forever. Basically, homebrew/Linux on every currently manufactured PS3, through software means now, and through hardware means (flasher/modchip) forever, regardless of what Sony tries to do with future firmwares.

      The root of all of the aforementioned loaders is metldr, which remained elusive. Then Geohot announced that he had broken into metldr (with an exploit, analogous to the way we exploited lv2ldr to get its keys) and was thus able to apply our techniques one level higher in the loader chain. He has released the metldr keyset (with the private key calculated using our attack), but not the exploit method that he used.

      The metldr key does break the console's security even more (especially with respect to newer, future firmwares - and thus also piracy of newer games), and also makes some things require fewer workarounds. Geohot clearly did a good job finding an exploit in it, but considering a) he used our key recovery attack verbatim, and b) he found his exploit right after our talk, so he was clearly inspired by something we said when we explained ours, I think we deserve a little more credit than we're getting for this latest bit of news.

      There's still bootldr and lv0, which are used at the earliest point during the PS3 boot process. These remain secure, but likely mean little for the PS3 security at this stage.
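The "humongous screwup" referred to above is, as fail0verflow showed in the same talk, a constant per-signature nonce in Sony's ECDSA signing: every signature made with the same nonce shares the same r value, which is what makes the private key computable. The following is an added example, not code from fail0verflow, geohot or Sony: a toy ECDSA over a textbook curve (y^2 = x^3 + 2x + 2 over F_17, 19 points) with constructed key and hash values, showing the symptom a broken signer produces, the audit check a code-signing operator can run over a signature set to catch it, and a deterministic (RFC 6979-style, simplified here) nonce derivation that removes the hazard. Curve parameters, key values and the nonce derivation are assumptions for illustration; the check stops at the detectable symptom.

```python
# Added example (not fail0verflow's, geohot's or Sony's code): toy ECDSA used to
# show why a fixed per-signature nonce leaks a signing key's secret, how to audit
# a signature set for the symptom, and how deterministic nonces avoid it.
import hashlib
import hmac

# Textbook toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed for illustration;
# real signers use a standard curve such as P-256). Its group has 19 points, so
# every point has prime order N = 19.
P, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity


def _inv(x, m):
    return pow(x, -1, m)


def add(p, q):
    """Affine point addition on the toy curve."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, p):
    """Double-and-add scalar multiplication."""
    r = INF
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def group_order():
    """Brute-force point count: fine for F_17, never for a real curve."""
    count = 1  # the point at infinity
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        count += sum(1 for y in range(P) if y * y % P == rhs)
    return count


N = group_order()  # 19


def sign(d, h, k):
    """ECDSA signature of hash value h under private key d with nonce k.
    r depends only on k, so two signatures with the same k share r."""
    r = mul(k, G)[0] % N
    s = _inv(k, N) * (h + r * d) % N
    if r == 0 or s == 0:
        return None  # degenerate case; the caller must pick another nonce
    return (r, s)


def verify(Q, h, sig):
    r, s = sig
    w = _inv(s, N)
    X = add(mul(h * w % N, G), mul(r * w % N, Q))
    return X is not INF and X[0] % N == r


def derive_nonce(d, msg):
    """Deterministic nonce: HMAC-SHA256 over msg keyed by the private key
    (a simplified stand-in for RFC 6979, not the RFC's exact procedure)."""
    mac = hmac.new(d.to_bytes(4, "big"), msg, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (N - 1)


def sign_deterministic(d, h):
    """Signer whose nonce is bound to (key, hash, retry counter): distinct
    messages get distinct nonces except by chance, and the counter provides
    the retry loop for the degenerate case."""
    for ctr in range(N):
        sig = sign(d, h, derive_nonce(d, b"%d|%d" % (h, ctr)))
        if sig:
            return sig
    raise RuntimeError("no usable nonce found")


def find_nonce_reuse(signatures):
    """Audit check over (hash, (r, s)) pairs made under one key: a repeated r
    means a repeated nonce. Returns [(r, [indexes of the colliding signatures])]."""
    by_r = {}
    for i, (_h, (r, _s)) in enumerate(signatures):
        by_r.setdefault(r, []).append(i)
    return [(r, idx) for r, idx in by_r.items() if len(idx) > 1]


def demo():
    d = 7                  # constructed private key
    Q = mul(d, G)          # public key
    hashes = [5, 11]       # constructed message hash values, already reduced mod N
    broken = [(h, sign(d, h, 3)) for h in hashes]          # constant nonce k = 3
    fixed = [(h, sign_deterministic(d, h)) for h in hashes]  # per-message nonce
    return Q, broken, fixed


if __name__ == "__main__":
    Q, broken, fixed = demo()
    print("broken signer:", broken, "reuse:", find_nonce_reuse(broken))
    print("fixed signer:", fixed, "all verify:", all(verify(Q, h, s) for h, s in fixed))
```

Running the audit over a signing log is the cheap defensive control here: it needs only the public signature values, not the key, and a non-empty result means the signing key must be treated as compromised and rotated. On the toy curve two different messages can still collide with probability 1/18; on a real curve the deterministic derivation makes a collision negligible.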

      • by rastoboy29 ( 807168 ) on Tuesday January 04, 2011 @01:09AM (#34751032) Homepage
        Dude, I think everyone understands the role y'all played in this :-)

        Next time, release everything of interest yourselves, first, and you won't have to worry about it.  Lawsuits be damned---you guys being the actual hackers, maybe you have the wherewithal to take the Right To Tinker With Shit We Own all the way up to the Supreme Court so we can all have fun again.

        I've got a few bucks I would throw your way if you needed it.

        Nice job, though.
  • by Anonymous Coward on Monday January 03, 2011 @03:45PM (#34746576)

    Did you guys hear about the next firmware update that bricks the console? It's fine, they offer free replacements for anyone affected by it.

    • by jonabbey ( 2498 ) *
      There are 40 million PS3s out there. Even if they can swap them for $50 a unit, that's 2 billion dollars to get them off the market. ;-(
      • There are 40 million PS3s out there. Even if they can swap them for $50 a unit, that's 2 billion dollars to get them off the market. ;-(

        For a 2 billion dollar hit to Sony, it'd almost be worth the inconvenience hoping they'll try it!

        • by McNihil ( 612243 )

          Easier and cheaper to release a PS4 with 4 times the processing power including the "security" fix ;-)

  • Acid and a very powerful microscope? Or leaked information from a Sony insider?

  • by Anonymous Coward on Monday January 03, 2011 @03:49PM (#34746628)
    Mathieulh Has Found The PSP Master Keys [dukio.com], and now says

    I can encrypt/sign anything on psp now.

  • It'd be cool if this finally gained us access to the RSX....
  • No sympathy for Sony (Score:5, Informative)

    by Ben4jammin ( 1233084 ) on Monday January 03, 2011 @03:59PM (#34746746)
    Since they basically did a "bait and switch" with the PS3.

    When I bought it, it had the OtherOS feature AND I could do all the online stuff...not now
    When I bought it, it had backwards compatibility for almost all PS2 games...not now

    So it appears to me that in a sense the "hackers" have returned my property that was stolen from me by the "legitimate corporation"
    I doubt that Sony will learn anything from this, and after our family owning a PS2 and 3, the next console I buy will be Xbox...I had no idea a company could be dysfunctional enough to make me regret not buying a MS product.
    • What? When did they take away already existing PS2 backwards compatibility? I don't recall seeing anything about this. My launch 60gb still does it...did they remove the one for the few PS3s that had software BC? o_O
      • Re: (Score:2, Informative)

        by Lifyre ( 960576 )

        Design change, the first gen ones still have it. The ones after had to emulate the PS2 and even that ability has been removed.

      • by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Monday January 03, 2011 @04:40PM (#34747204) Homepage

        One problem is that because the capability has been removed from all current models, if your early model breaks you could easily find yourself in a situation where it's not feasible to replace. Another is that since they dropped the feature, work on adding support for more games stopped too.

        Another thing on the bait and switch pile is Sony's support for SACD. That was also available in the early models, then cut from the later ones. While it theoretically still works for people who have older units, the firmware isn't very good, and because they dropped the feature they also stopped development on improvements to that. So people who bought their PS3 expecting that to work right as a long-term capability have also been screwed.

        • SACD was not removed. It works and it works the same as it ever did. And there's no reason to think it won't work the same long-term as it has so far.

          It's not a bait and switch if you simply didn't get a feature because the device you bought never had it.

          No one uses SACD anyway. It's the height of hyperbole to try to make a mountain out of this molehill.

          • by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Monday January 03, 2011 @07:16PM (#34748850) Homepage

            To quote someone who said one correct thing today, "you really should consider making posts based upon facts". Read What difference does the firmware version make for CD and SA-CD? [ps3sacd.com] for an intro to the firmware issues I was speaking of. I know people who purchased the PS3 when firmware V2.00 added optical output for the format, only to find that capability taken away in the next revision. Since firmware upgrades are not optional if you want to stay on PSN, that's a clear bait and switch move. And if you read through the whole FAQ you can see some of the other limitations that come from Sony giving up on development here before the feature ever really worked perfectly.

            I purchased about 20 new SACDs in 2010, from companies like Mobile Fidelity and via the SHM-SACD [cdjapan.co.jp] remasters. That gives me about 80 of them total. Since some of these are the highest quality recordings available, they get an inordinate amount of playtime here relative to the rest of my music collection.

            See activity on SA-CD.net [sa-cd.net] to see that many people are still actively using the format, and how many titles are available. Yes, there are probably only a few hundred people in the world impacted by Sony's SACD on PS3 decisions. That doesn't mean those people were not misled about Sony's commitment to supporting the format well in the PS3. I never claimed there were a "mountain" of such people, merely that the mechanics of how they were treated is similar to the situation with both backward compatibility and the Other OS features. This is a regularly recurring behavior from Sony.

    • When I bought it, it had backwards comparability for almost all PS2 games...not now

      If you purchased it with PS2 compat, it still has it.

      And it introduced a host of other features, and is far more open than Xbox ever was.

      If you're really going to be that upset over a feature I'm sure your "family" used regularly, then good luck being satisfied owning anything.

    • Backwards compatibility was never removed from any PS3. If you had it before, you have it now.

      I have a 1st gen PS3 and the latest firmware and I still have my near 100% PS2 BC.

      You really should consider making posts based upon facts instead of vitriol.

  • Dear Sony.... (Score:5, Insightful)

    by Lumpy ( 12016 ) on Monday January 03, 2011 @04:01PM (#34746762) Homepage

    Still think revoking the "Other OS" function was a good idea?

  • Will this awesome bit of back-hackery enable PS2 backwards compatibility again?
    • Re:PS2? (Score:4, Informative)

      by tuffy ( 10202 ) on Monday January 03, 2011 @04:06PM (#34746818) Homepage Journal

      No. PS2 backwards compatibility required additional chips that aren't in the newer PS3s.

      • by splerdu ( 187709 )

        The embedded chip was taken out after the first generation, but even second generation PS3s could run PS2 games in emulation mode.
        I guess the emulator just isn't installed on the newer models, but with the key hacked it might be possible to. Of course you'd still need to find the emulator somewhere...

        • by tuffy ( 10202 )

          It wasn't full software emulation. As I recall, the original PS3s had both a PS2 CPU and PS2 video chip. A later revision performed CPU emulation in software but kept the video chip. Finally, Sony removed both chips and all backwards compatibility entirely.

        • Re:PS2? (Score:5, Informative)

          by jonabbey ( 2498 ) * <jonabbey@ganymeta.org> on Monday January 03, 2011 @04:18PM (#34746956) Homepage

          The second generation PS3s had the PS2 graphics chip in them, but took out the Emotion Engine CPU which was run in emulation.

          Later PS3s have neither the PS2 graphics chip nor the Emotion Engine CPU, and are not able to run PS2 games in emulation at all, regardless of what the firmware says.

      • Is it infeasible to think that someone couldn't emulate/virtualize the PS2 environment in the PS3's hardware? I know the PS3 is no dog when it comes to available firepower. Not sure how it compares to the PS2 overall. It'd be nice to think.
    • It was never disabled so there's nothing to enable again. It was only available on the first few models of the PS3 because they included PS2 hardware inside them. Hardware which was removed in later models.

  • Missing key (Score:5, Informative)

    by Anonymous Coward on Monday January 03, 2011 @05:04PM (#34747438)

    Since the lame submission doesn't bother to link to the /very/ source that the article is about, I'll paste it here.

    erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
    riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
    pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
        R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
        n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
        K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
      Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70


    props to fail0verflow for the asymmetric half
    no donate link, just use this info wisely
    i do not condone piracy

    if you want your next console to be secure, get in touch with me. any of you 3.
    it'd be fun to be on the other side. ...and this is a real self, hello world
    although it's not NPDRM, so it won't run off the hard drive
    shouts to the guys who did PSL1GHT
    without you, I couldn't release this

  • Hey (Score:4, Funny)

    by SnarfQuest ( 469614 ) on Monday January 03, 2011 @05:06PM (#34747466)

    Hey, that's the same combination that I have on my luggage!
