Status update on the PS3 4.0 HEN

Here’s a “quick” status update on the 4.00 HEN (Homebrew ENabler) for PS3.

Following my clarifications from almost 2 months ago here, there has been a lot of progress. We have not been slacking off: we’re a group of about 10 developers who have been working together for the last 2 months, sometimes 15 hours every day, in order to bring back homebrew support to the latest version of the PS3.

There are three major parts to the HEN. First, getting the packages to install on the PS3: that part is done, completed, tested, debugged, etc. The second part is to get the apps to run, and that one still has major issues. The last part is something I will not discuss for now (it’s a surprise), but it’s about 60% to 70% done (and it has nothing to do with peek&poke and has nothing to do with backup managers or anything like that. This is and will stay a piracy-free solution for the PS3).

Now, running apps is the biggest challenge that we’ve been working on for the past 2 months. As some of you know, if you’ve been following me on Twitter, we originally had hoped for Mathieulh to give us the “npdrm hash algorithm” that was necessary to run the apps, but he was reluctant, he kept doing his usual whore so people would kiss his feet (or something else) so he’d feel good about himself. But in the end, he said that he refuses to give us the needed “npdrm hash algorithm” to make it work… So what I initially thought would be “this will be released next week” ended up taking a lot more time than expected, and we’re still nowhere near ready to make it work.

Mathieulh kept tossing his usual “riddles” which he thinks are “very helpful for those who have a brain”, and which pisses off anyone who actually does… so he told us that the solution to all our problems was to look in appldr of the 3.56 firmware, and that it was something lv1 was sending appldr which made the “hash check” verified or not… so we spent one month and a lot of sweat and, after killing a few of our brain cells out of exhaustion, we finally concluded that it was all bullshit. After one month of reading assembly code and checking and double-checking our results, we finally were able to confirm that that hash algorithm was NOT in the 3.56 firmware like he told us (at all).

He said that it was an AES OMAC hash, but after tracking all the uses of the OMAC functions in appldr, we found that it was not used for the “hash”… he then said “oh, I meant HMAC”, so we did that again and again came up with the same conclusion; then we were sure it’s not in appldr, and then he says “ah no, it’s in lv1”.. have a look for yourself at what he decided to write: http://www.ps3devwiki.com/index.php?title=Talk:KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4

That happened after the huge twitter fight I had with him for being his usual arrogant ass and claiming that he “shared” something (For your information, the code that he shared was not his own, I have proof of that too (can’t show you the proof because even if I don’t respect him, I gave him my word to not share what he gave me, and I respect my word) since he forgot to remove the name of the original developer from one of the files)... also it was completely useless and was not used at all, just made me waste a day reading the crappy undocumented code. So why is he still trying to force his “advice” through these riddles even after we had that fight? Well, to sabotage us and make us lose all those months of hard work!

So anyways, we had all accepted that Mathieulh was full of shit (we knew before, but we gave him the benefit of the doubt) and decided to continue working without considering any of his useless riddles. So we then tried to exploit/decrypt the 3.60+ firmware in order to get the algorithm from there.

Now, a few more weeks later, we finally have succeeded in fully understanding that missing piece from the “npdrm hash algorithm”, and here it is for everyone’s pleasure with some prerequisite explanation:

A game on the PS3 is an executable file in a format called a “SELF” file (kind of like .exe on Windows); those “self” files are cryptographically signed and encrypted. For PSN games (games that do not run from a bluray disc), they need to have an additional security layer called “NPDRM”. So a “npdrm self” is basically an executable that is encrypted and signed, then re-encrypted again with some additional information. On 3.55 and lower, we were able to encrypt and sign our own self files so they would look like original (made by Sony) “npdrm self” files, and the PS3 would run them without problem. However, it wasn’t really like an original file.. a real NPDRM self file had some additional information that the PS3 simply ignored; it did not check for that information, so we could put anything in it, and it worked. Since the 3.60 version, the PS3 now also validates this additional information, so it can now differentiate between NPDRM self files created by Sony and the ones that we create ourselves for homebrew. That’s the “npdrm hash algorithm” that we have been trying to figure out, because once we can duplicate that information in the proper manner, then the PS3 will again think that those files are authentic and will let us play them.

Another important point to explain: I said a few times that the files are “signed”.. this means that there is an “ECDSA signature” in the file which the PS3 can verify. The ECDSA signature is something that allows the PS3 to verify if the file has been modified or not.. it is easy to validate the signature, but impossible to create one without having access to the “private keys” (think of it like a real signature: you can see your dad’s signature and recognize it, but you can’t sign it exactly like him, and you can recognize if your brother tried to forge his signature). So how were we able to sign the self files that were properly authenticated on 3.55? That’s because this “ECDSA signature” is just a very complicated mathematical equation (my head still hurts trying to fully understand it, but I might blog about it in the future and try to explain it in simple terms if people are interested; you can learn about it here), and one very important part of this mathematical equation is that you need to use a random number to generate the signature, but Sony had failed and used the same number every time. By doing that, it was easy to just find the private key (which allows us to forge perfectly the signature) by doing some mathematical equation on it. So to summarize, a “signed file” is a file which is digitally signed with an “ECDSA signature” that cannot be forged unless you have the “private key” for it, which is impossible to obtain usually, but we were able to obtain it because Sony failed in implementing it properly.

Now, back on topic.. so what is this missing “npdrm hash algorithm” that we need? Well, it turns out that the “npdrm self” has a second signature, so it’s an “encrypted and signed self file” with an additional layer of security (the NPDRM layer) which re-encrypts it and re-signs it again. That second signature was not verified in 3.55 and is now verified since the 3.60 version of the PS3 firmware.

One important thing to note is that Sony did NOT make the same mistake with this signature: they always used a random number, so it is technically impossible to figure out the private key for it. To be more exact, this is the exact same case as the .pkg packages you install on the PS3: you need to patch the firmware (making it cfw) so that those .pkg files can be installed, and that’s because the .pkg files are signed with an ECDSA signature for which no one was able to get the private key. That’s why we call them “pseudo-retail packages” or “unsigned packages”.

The signature on the NPDRM self file uses the exact same ECDSA curve and the same key as the one used in PS3 .pkg files, so no one has (or could have) the private key for it. What this means is that, even though we finally figured out the missing piece and we now know how the NPDRM self is built, we simply cannot duplicate it.

The reason we wasted 2 months on this is because Mathieulh lied by saying that he can do it.. remember when the 4.0 was out and I said “I can confirm that my method still works” then he also confirmed that his “npdrm hash algorithm” still works too? well he didn’t do anything to confirm, he just lied about it because there is no way that he could have verified it because he doesn’t have the private key.

I said I will provide proof of the lies that Mathieulh gave us, so here they are: he said it’s in 3.56, that was a lie; he said it’s an AES OMAC, that was a lie; he said it’s an HMAC, that was a lie; he said it’s in appldr, that was a lie; he said it’s in lv1, that was a lie; he said that he can do it, that was a lie; he said that “it takes one hour to figure it out if you have a brain”, that was a lie; he said that he verified it to work on 4.0, that was a lie; he said that he had the algorithm/keys, that was a lie; he said that once we know the algorithm used, we can reproduce it, that was a lie; he kept referring to it as “the hash”, that was wrong. The proof? It’s an ECDSA signature, it’s not a hash (two very different terms for different things), it was verified by vsh.self, it was not in lv2, or lv1, or appldr, and the private key is inaccessible, so there is no way he could build his own npdrm self files. Now you know the real reason why he refused to “share” what he had.. it’s because he didn’t have it…

So why do all this? Was it because his arrogance didn’t allow him to admit not knowing something? Or was it because he wanted to make us lose all this time? To me, it looks like pure sabotage, it was misleading information to steer us away from the real part of the code that holds the solution…. That is of course, if we are kind enough to assume that he knew what/where it was in the first place. In the end, he wasn’t smart enough to only lie about things that we could not verify.. now we know (we always knew, but now we have proof to back it) that he’s a liar, and I do not think that anyone will believe his lies anymore.


Enough talking about liars and drama queens, back to the 4.0 HEN solution… so what next? Well, we now know that we can’t sign the file, so we can’t run our apps on 3.60+ (it can work on 3.56 though). What we will do is look for a different way, a completely new exploit that would allow the files we install to actually run on the PS3. We will also be looking for possible “signature collisions”, and for that we will need the help of the community; hopefully there is a collision (same random number used twice) which will allow us to calculate the private key, and if that happens, then we can move forward with a release.
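The ECDSA failure described above (the same “random number” used twice) and the “signature collision” this paragraph hopes to find are the same algebra, so here is a worked example. It is added here and is not code from the post or from the HEN team: a pure-Python ECDSA over the public secp256k1 curve (chosen only because its parameters are well known; the PS3’s own curve, keys and files are not used), which signs two constructed messages with one fixed nonce, recovers the constructed private key from the pair of signatures, and sketches the standard mitigation of deriving the nonce from the key and message. It assumes Python 3.8+ for `pow(x, -1, m)`.

```python
# Added example (not from the original post): why a repeated ECDSA nonce leaks the key.
# Pure-Python ECDSA over secp256k1 (chosen only because its public parameters are
# well known; the PS3's own curve and keys are not used). Key and messages are constructed.
import hashlib
import hmac

P = 2**256 - 2**32 - 977   # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(x, m):
    """Modular inverse of x mod m (m prime); raises if x == 0 mod m."""
    return pow(x % m, -1, m)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    """ECDSA sign with an explicit nonce k, so the reuse mistake can be shown."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (msg_hash(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return (r, s)

def verify(pub, msg, sig):
    """Standard ECDSA verification: anyone holding the public key can do this."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    pt = add(mul(msg_hash(msg) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures with equal r (same k) under one key leak d algebraically."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("no usable collision (different r, or identical signatures)")
    e1, e2 = msg_hash(msg1), msg_hash(msg2)
    k = (e1 - e2) * inv(s1 - s2, N) % N       # from s1 - s2 = k^-1 * (e1 - e2)
    return (s1 * k - e1) * inv(r1, N) % N     # from s1 = k^-1 * (e1 + r1 * d)

def deterministic_nonce(d, msg):
    """Mitigation sketch: derive k from (key, message) so it cannot repeat across
    different messages. Simplified HMAC construction, not the full RFC 6979."""
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

def demo(d):
    """Constructed scenario: one key signs two 'files' with the same fixed nonce."""
    pub = mul(d, G)
    fixed_k = 0x1234567890ABCDEF                 # the mistake: a constant k
    m1, m2 = b"constructed npdrm self 1", b"constructed npdrm self 2"
    sig1, sig2 = sign(d, m1, fixed_k), sign(d, m2, fixed_k)
    assert verify(pub, m1, sig1) and verify(pub, m2, sig2)
    assert sig1[0] == sig2[0]                    # equal r values: the "collision"
    return recover_private_key(m1, sig1, m2, sig2)
```

`demo(d)` returns exactly `d`, which is the whole point: a verifier only needs the public key, but two valid signatures sharing an `r` hand the signing key to anyone who reads them.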

When will the “jailbreak” be released? If I knew, I’d tell you, but I don’t know.. I would have said last November, then December, then before Christmas, then before New Year, etc… but as you can see, it’s impossible to predict what we will find.. we might get lucky and have it ready in a couple of days, or we may not and it will not be ready for another couple of months.. so all you need to do is: BE PATIENT (and please stop asking me about an estimated release date)!

I would like to thank the team who helped on this task for all this time and who never got discouraged, and I’d like to thank an anonymous contributor who recently joined us and who was instrumental in figuring it all out. We all believe that freedom starts with knowledge, and that knowledge should be open and available to all; that is why we are sharing this information with the world. We got the confirmation (by finding the public key used and verifying the signatures) yesterday, and since sharing this information will not help Sony in any way to block our efforts in a future release, we have decided to share it with you. We believe in transparency, we believe in openness, we believe in a free world, and we want you to be part of it.

If you want to know more about this ECDSA signature algorithm, I tried to explain it in a blog post here, also, you can read this interesting paper that explains it in detail, and you can also watch Team Fail0verflow’s CCC presentation that first explained Sony’s mistake in their implementation, which made custom firmwares possible.


Thanks for reading,

KaKaRoTo


297 thoughts on “Status update on the PS3 4.0 HEN”

  1. hey KaKaRoTo,
    Do you have any rough idea/estimate when the firmware will be released?
    Thank you

    • KAKAROTTTTT…. i was so sad when the status bar was removed cause everyday i would look at it and loved the fact that u were allowing us to keep up to date :). Kakaroto u shouldn’t let those people get to u as they are just not reading what u are saying as they are probably noobs to the ps3 scene. i would be so grateful as would many others if u would put it back up as it gives me and many others something to do at work lol and also know how u guys are doing.

      much love

      BORLY!!!!!!!!

    • PAUL CAN YOU NOT FUCKING READ?!?!?!?!

      The status update clearly says that there is no estimated release date. They are working on it. EVERY time i look at this post some dipshit like yourself posts the same question.

      FFS

      Read the entire post then post something helpful/appreciative or just shut the hell up.

      The same goes for every other whining little shit out there.

      To Quote Kakaroto:

      When will the “jailbreak” be released? If I knew, I’d tell you, but I don’t know.. I would have said last November, then December, then before Christmas, then before New Year, etc… but as you can see, it’s impossible to predict what we will find.. we might get lucky and have it ready in a couple of days, or we may not and it will not be ready for another couple of months.. so all you need to do is: BE PATIENT (and please stop asking me about an estimated release date)!

  2. hey kakaroto,
    first of all thanks that you are working so hard
    i have some questions that i wanted to ask you(sorry if the questions were already asked because i am a total newbie):
    1. i have a ps3 slim cech-3004b can i downgrade it with e3 flasher?
    2. where is the firmware in the playstation, because if its on the hard drive cant i just put a new one in it or format the old one and put the 3.55 cfw on it?
    those were my questions
    please reply because i want to jailbreak my ps3
    THANKS

  3. Okay, can we just know what’s happening with the 4.00 jailbreak? It’s been a week and kakaroto hasn’t said anything about it! We are all curious about what’s going on! Thanks for doing this for the PS3 Universe but at least let's be in touch, shall we? I’ll be happy if u respond to this message! Bye for now!

    • So, Its His Obligation to Tell you Whats Going on? Are you paying him in cash? What are you giving to kakaroto, he doesnt even have time to read this, if he had not advanced in anything he has to tell us no shit, and if he doesnt want to share what he has done is his problem too, he has a life too you know sry but i just find ur comment disrespectful,, whats the difference if he doesnt tell us the progress, he will release it sooner or later, i am not that impatient, and i am waiting for it too, but ur “Curiosity” its just not justified, “Its been a Week”, yes and perhaps months, but what are u asking its just pointless and lacking in real progress.

      • aaa nope man 😀 Yes I respect what he is doing for the community, and i know that it’s not his duty to jailbreak it for us but he wants to! And I think it’ll be a good idea if he shares what’s happening with the jailbreak. And i’m not paying him and i’m not giving kakaroto anything…so do you. If I could i would give him cash or something for what he is doing for us. And i’m not disrespectful i only asked what’s happening.. u don’t have to judge me man :D..

  4. http://ps3jailbreakteam.com/
    ^^This website claims to have the download to your latest jailbreak. Upon trying to download, I was asked to “complete surveys” to eventually download the file to jailbreak 4.0 supposedly using your method. As most of us who have been trying via YouTube and other internet websites, we have been scammed into completing surveys to download fake PS3 jailbreaking files. My question is if this site above is legit as well as their download link. The fact that they ask for us to complete surveys is one thing that pops up to me and the second is the fact that you nor any reliable PS3 jailbreaking forum has announced that you’ve released your final and finished jailbreak. Thanks for your hard work! Backing you up 100% and much thanks for your hard work for us out there in the community. Hopefully people begin to understand that you are not one of the bad guys.

  5. kaka rot kunt wen iz it gona b out man fukn hell ppl just being nice to you so u can release it and your falling 4 it thay are just gonna say fuk you bye wen thay get it you idiot hahahahaha fukn geek

  6. this will help sony sell more consoles.(like ps2 and 360). even outsell 360. So you are doing sony a favour. So keep up! Kakaroto.

  7. Please, don’t take stupid q for kakaroto he is working hard and he wants serious q, like ,,. i have a ps3 slim cech-3004b can i downgrade it with e3 flasher?”,., pff for love of god USE GOOGLE..,. here is your answer http://www.ps3hax.net/wp-content/uploads/2011/10/Screen-Shot-2011-10-27-at-1.04.11-PM1.png http://www.ps3hax.net/wp-content/uploads/2011/10/Screen-Shot-2011-10-27-at-1.04.36-PM1.png. And do not take question for Kakaroto like when jailbreak will be released..,. when it will be made then it will be released so wait and trust this new age robin hood 😀

    Respect for u kakaroto

  8. in the last blog of 19 january head; Status update on the PS3 4.0 HEN
    you also speak of. signature collisions. i am new but is there something as home user
    i can do to see if my console has that signature you are looking for? sorry for bad english
    and keep up the good work!! ps cant you set the math problem online for some whizzkid to solve? i dont know just a suggestion.

    • wow,so damn good…you are good… thanks kakaroto and your team! What time tomorrow? it’s tomorrow for me cuz im in europe! How can I donate?

  9. I cant wait i’m so frustrated and cant wait iv been waiting to jailbreak for ever……………………….

  10. Kakaroto,how are you doing with the jb so far? is it the same as 10 days ago or better? Hope u answer!!!

  11. Thanks you kakaroto you the sh*t when i get bigger on youtube im giving u a shout out keep doing yah thing

  12. If this gets posted then im checking to see if this works using his name if it does that comment saying he’ll release it tomorrow is a fake

  13. omgggg i was actually excited for a sec i guess its a fake kakaroto please tell me whats going on

  14. I figure it was a fake because who ever typed that cant spell epic fail and i bet it was emerson

  15. THANKS KAKAROTO, If u’ and your team got this private Keys or whatever and get your PS3 4.00 HEN can works,, you all will get a piece of land in the sky, forever we’ll keep you all in our minds like the best of best, thanks mr. KAKAROTO from PERU, we appreciate your excellent job…

    psta: Mathieulh SUCKS… the big liar… XD

  16. OFW 4.00 sucked. so im never ever going to update again!
    so i’m definitely gonna jailbreak after kakaroto release this…

  17. hi,1st,thank u for doing this kakaroto,i appreciate a lot…so anyone out there know how to jailbreak 3.73 firmware??

  18. kakaroto can you please reply to this 1: can we do call of duty modern warfare 2 challenge lobbies. 2: can we use comgenies awesome file manager. p.s keep up the good work and many thanks to you and the rest of the team can you tell them kyle said good luck you will get far in life 🙂

  19. urrrrrrrrrrrrrrr sooooooooooooooooooooooooooooooooooooooo awesome could u give us a small status update on it when ever?

  20. COULD YOU PLEASE RELEASE A BETA LIKE WITH INSTALL PACKAGE FILES AND ALL THAT WITH OR WITHOUT ONLINE I JUST WANT TO MOD GTA

  21. I realize KaKaRoTo has his own reasons for not releasing the 4.00 JB at this time. Whether it be not finished, fear of Sony blocking it (Guess, but i’m certain 4.00 isn’t the last firmware update they’ll ever make for PS3 anyway.), OR fear of someone else taking credit for it (Another guess, Just add an author page on the thing, and hope followers know trusted sources),at least release a public beta version or something.

  22. Hey, sorry to bother you but i read all your post, and i understood some of it about the signature keys and stuff, but wouldn’t there be any way around it? maybe the solution is in front of you guys, and u just don’t see it cause its so simple!

    People are already running unsigned files in ps3 using the true blue, i know its a completely different method but couldn’t some of this be helpful.

    Please ignore all of this if its too stupid, i really dont know anything about it im just trying to help, really. oh and sorry about bad english too…

  23. I’d be very interested in reading about the way things on the PS3 are verified, secured, encrypted signed etc in simple terms. All this ECDSA, NPDRM is killing my brain cells haha

  24. I didn’t know Mathieulh was that stupid, man ! What a jealous dumbass!
    I mean, 2 months on the wrong way just because he acted like a kid !
    At least, maybe you’ve unveiled a lot of information on sony’s programmatic
    strategies that can be useful in the near future… It’s never a total loss of time !
    Thank you for all you’ve done so far for the scene!

  25. read Kakaroto’s blog… won’t be any jb.. we’re fucked up… i must sell my fucking console now…it’s a piece of crap now…thanks for trying Kakaroto and wish u luck with everything!…

  26. I have a question: So the ECDSA signature is generated using the “private key”, and the “private key” is the same key, but was generated using an algorithm (pseudo-random number generator, idk?). But even if you find the algorithm for the private key, it will generate a different one every time, right?

    I’m very interested in this, just very confused. Can you help me KaKaRoTo?

    Also: I’m very interested in the math equation that Fail0verflow used, If you posted those updates to your blog I would be forever grateful.

    • not exactly, it’s much more complicated than that, but I already started writing a blog post to explain all about how ECDSA works, so you’ll understand the concept, the mathematics/algorithm behind it, and how the signature can be verified but not reproduced.

  27. on the final jailbreak 4.00 will we be able to use backup managers and .pkg files or will it be like an original firmware

    • we will not be able to run backup managers with Youness’ release…
      His solution is piracy-free !
      To boot backups, we are gonna need peek&poke (build a CFW)…
      Someone will have to uncover those bootldr keys.. it’s not impossible,
      but very hard…

      • yerp people dont get disheartened cause the firmware doesnt enable peek and poke as someone else will hopefully come around once the firmware is released and get their magic fingers working lol.

        keep up the good work cant wait till its out cause never had cfw or hen on my ps3. All the rest of my sony does so cant wait

        thanks

        KAKAROOOOOT 😛

  28. first of all, just thanks for everything Kakaroto, a question from a total newbie.
    from the official ps3 site you can download games online and they end up installed on the ps3’s internal hard drive, couldn’t a solution be via ftp from the pc to the ps3? i’m telling you i’m a total newbie with no idea, but i have this doubt, ignorance is very bold.

  29. If I understand well, you want to sign your pkg with a good key, but is it possible to know where the validation of ecdsa is performed, or where the public key is stored, and just add a “development” key?
    (or, more simply, to use the “validation part” of 3.56- firmware inside a 3.6+ firmware)?

    It’s too simple to be this easy, but I don’t really see where the difficulty* is if you can modify the binary inside the firmware.

    Is the encryption key linked to the “private key”?

    *: well except the reverse engineering that must be done;)

  30. hi KaKarOtO will you answer this simple question for me please is it possible to jailbreak 120GB slimline ps3 on OFW 3.73? because i got a supposedly PS3UPDAT.PUP jailbreak off of mediafire.com but dont want to brick my ps3 thanks so much for all ur hard work. thanks

  31. @renderboiii dont do it! if there was a jailbreak out you would now follow this awesome people they will tell you @KaKaRoToKS @psx_scene

  32. Too bad to hear this man!, i was really looking forward to this.
    But as you say, we should have known this a long time ago if Mathieulh just told the truth…

    But Keep your head up, we all know u will find a way!
    I wish u all the best!

    P.S. sorry for my english… i am Dutch

  33. Hi kakaroto I do not speak good English but this is my doubt Translates
    Can you say jailbreak 4.00 on the PS3 version?
    either true blue or a USB Cobra frimware bone you have at ahy play downloaded games such as Uncharted 3 and play it on ps3 hard drive only offer that’s my question thanks
    Put him if if then I see your response please answer

  34. Now this is very interesting!

    I’m really sorry to hear about what Math did to you guys. Seriously though, it must’ve felt like being stabbed in the back when you finally knew that he was lying the entire time. But he wasn’t just lying to you, he was lying to everyone else as well. Not to mention that you wasted 2 months just trying to confirm his random riddles. But I guess you also learned some new stuff and gained a lot of knowledge by doing all those readings, so it’s not entirely time wasted (I guess?).

    I liked the fact that you tried your best to explain whats going on in simple terms and analogies. I’m not a techie person but I think I know the gist of it now. Gee, it sounds very difficult. I read that you need the help of the community to find a “signature collision”. I dunno if there is anything I can do to help out, but if there is, just post some simple instructions (like, check the recovery menu for some numbers or something) and I’ll be able to do it 😀

    Last but not least, good job you guys! Even though it’s not released yet, you guys are doing great progress! I’ll be rooting for you!

    • PEOPLE. Kakaroto stopped working on 4.00…read his fucking twitter..no jb..we must downgrade with that stupid Eflasher and stuff…4,00jb is dead…

  35. can anybody tell me where i can get an E3 Flasher to downgrade and how much it will cost here in england?? all i want to do is host a modern warfare 2 game and play homebrew games thanks everyone for the help you have gave me. thanks

  36. also to @AshhMorgan i follow kakaroto on twitter but never says anything about jailbreak for ps3 but thats not anyones problem i guess i just have to wait like everybody else xD

    • or downgrade it.. i think kakaroto is missing something stupid really 😀 it’s about one step of jailbreaking the 4.00…i hope Geohot returns to PS3 jb… really..

      • does anyone know how much the E3 flasher cost is so i can downgrade to 3.55 also will a cobra work xD

  37. hey plz plz plz reply

    i think i know one of ur developers that helped u work on the jailbreak and he said that u guys finished and he was going to email me the jailbreak cuz i paid him 40$ and he got your permission but he deleted that email so hes trying to contact u or can u just email it to me

    PLZ REPLY
    ps.his ps3 id is dushributs

    • you just got scammed. I suggest you contact sony and report that user because scamming people for money over PSN is probably against the terms of service.

Comments are closed.