well no, and actually my last comment was incorrect i forgot the whole 3.55 comparison factor so that should narrow it down to just the locking protocol. but as far as the encryption scheme the only thing is no encryption is safe if you can pick apart the decryption program. think of it like wifi security, try cracking a wpa2 password in 5 minutes, not gonna happen, and even with access to a computer that has the access code, that access code is encrypted, but if you decrypt the access code from the computer, then you have the key handed to you. you dont have to go after the wpa encryption, you just have to break the encryption of the receiving end. we have access to the receiving end of these encrypted packages, so if we can find out what its looking for to spot a good update, then we can give it what it wants. send in a trojan horse(not like the virus type, like the actual wooden horse)
id like to ask you to check and see if the alternator in my car is running at peak efficiency. can you do that? probably not because you would have to know what peak efficiency is in order to check for it. checking something no matter how you do it or what it is cannot be done without knowing what you are checking and what you are looking for. think of a way to check something without knowing where to look or how to tell if its wrong, i challenge you to do that and prove me wrong
I'm not sure what point you are trying to make when you speak about tumblers and your car's alternator. What does that have to do with ECDSA? Are you trying to make an analogy?
yes, im trying to make the point that you cant find what you arent looking for. the ps3 is looking for something that it does find in official pups, and not finding in unofficial pups. and the description of what its looking for(the checking algorithm) is in those firmware files, it has to be or else how did the update to 3.56 change what it was looking for? theres not gonna be a map all layed out for us, no gps coordinates, but there are breadcrumbs and if we follow them we can at the very least make a passable signature if not a real one
Originally Posted by indirect76
if there isnt some formula built into the ps3 itself to tell whether an update is real or not, then it would just be guessing, blind shots in the dark at whether or not a firmware is genuine or not. it has to have some reference point to check against, and whether its as exact as to have the whole key implanted in it or not i dont know but even if it doesnt we can take the parts we get and manufacture something that looks right in the check. if its looking for a 1 for the third number, and a 4 for the 5th number and we know thats all its checking who gives a shit what the rest of them are, no it wont be the actual official signature but it will pass the check and the ps3 will let it slide. and if its a mutating encryption built into the file system then it has to have the key somewhere or the ps3 would never be able to read itself
The big change for firmware 3.60 was that all loaders were moved to lv0. In addition, they started using new private/public keys for signing firmware as well as appldr keys. Now, when that happened, the new public keys were sent along with the update, so the PS3 could use them when verifying new firmware PUPs.
So then 3.66 comes out. The 3.66 firmware contains a chunk of data that is it's signature. The PS3 uses the new public keys on the data portion of the update using the ECDSA algorithm. Through the miracle of mathematics the PS3 takes the result of that operation and matches it to the signature sent. It's verified and installs.
I misspoke earlier when I said there maybe wasn't a check, but after some thinking I realized there must be.
So all of this has since been reverse engineered. All the analysis that you speak of has already been done. We have the public keys, hooray. We can decrypt and verify signed firmwares. We know exacly how the PS3 is doing it too.
However, this does not allow us to sign firmwares. If you manage to somehow do that, and show your work, then you are going to become very famous, the security world would go nuts, and bank accounts around the world would be compromised.
untrue, because the banks use that encryption between branches, not between us and the bank, if they used it between us and the bank we could reverse engineer it the same way, but seeing as we cant exactly just stroll into the bank and tinker around with the software code on their servers its not gonna happen. but we can tinker around with the software code of the ps3 all we want, and no the work has not all been done. we have the keys because there is a file that spells them all out for us just beneath the first layer of protection, they arent well hidden. they buried the private key checks much deeper and spread them out im sure so it would be harder for us to find even if we got this far
and though i cant say id be able to do it myself, i am not gonna say i cant either, i wont know because i dont have access to the proper files. that was my main goal of this thread, to get my hands on the files so i could take a look at them myself. but id need a full flash dump of a few different firmwares, a handfull of ofws, both encrypted and decrypted, and all ive got for internet is a tethered android phone since i lost my job so starting from scratch is not really an option for me, by the time i downloaded all of that stuff a fix will have already been out for months lol. i was just trying to take a stab at it and get one small file to look at hoping it was the right place to look
The private keys are something that nobody will obtain. (No the keys are not in Sony's headquarters) They are in the ps3 just like the public keys because at a time Geohot/Failoverflow gained access to them.
(Logic behind the private key)
Sony intended for the key to be random its just the developers overlooked it. It's like a pass code that you have stored but it can be found out. That was the same concept. Thanks to the help of Geohot/Failoverflow by telling Sony how stupid they were for using that key "which was very old" they gave Sony the thing to fix the problem.
Question of the day: How can you break into a security vault that will always have a random password?
You cant. There IS no way around this and there is no way of cracking something that is random. It's the same concept as the lottery you will never see all 6 winning numbers drawn twice and over 20-30 years that has never been done. So your odds are -4 out of a Trillion
Nobody on the face of the earth can figure out something like that. Which is why all future advancements need the same key from 3.55 to even gain public keys and the lv0 key.
Don't waste your time trying to figure out the impossible
actually i did some research on the algorithm, and the public key is derived from the private key. using the equasion (private key * reference point on the curve = public key)
the curve parameters have to be shared between both parties so they are in the ps3, and we have the public key now
to quote kakaroto
"So first of all, you will have a private and a public key.. the private key is a random number (of 20 bytes) that is generated, and the public key is a point on the curve generated from the point multiplication of G with the private key. We set ‘dA‘ as the private key (random number) and ‘Qa‘ as the public key (a point), so we have : Qa = dA * G (where G is the point of reference in the curve parameters)."
sorry i was so excited about this i forgot my point...
point is you reverse it, devide the public key by the given parameter and there is your private key. if im not mistaken i just completely destroyed the entire encryption algorithm lol