Marcan says something - Console Modding
By Isla
at 2012-10-26T00:06
http://www.ps3hax.net/2012/10/marcan-fail0verflow-about-lv0/
by marcansoft (727665) on Tuesday October 23, @09:04PM (#41747075)
The first-stage bootloader is in ROM and has a per-console key which is
effectively in tamper-resistant silicon. The second-stage bootloader
(bootldr) is encrypted with the per-console key, but is not upgradable and is
the same for all consoles (other than the encryption wrapper around it). This
second-stage bootloader verifies lv0. Sony signed lv0 using the same broken
process that they used for everything else, which leaks their private key.
This means that the lv0 private key was doomed from the start, ever since we
demonstrated the screwup at the Chaos Communication Congress two years ago.
[Translator's note: So once again SONY shot itself in the foot; using the
wrong encryption method caused the 2nd-stage lv0 key to leak.]
However, because lv0 is also encrypted, including its signature block, we
need that decryption key (which is part of bootldr) before we can decrypt the
signature and apply the algorithm to derive the private key. We did this for
several later-stage loaders by using an exploit to dump them, and Geohot did
it for metldr (the “second root” in the PS3’s bizarre boot process) using
a different exploit (we replicated this, although our exploit might be
different). At the time, this was enough to break the security of all
released firmware to date, since everything that mattered was rooted in
metldr (which is bootldr’s brother and is also decrypted by the per-console
key). However, Sony took a last ditch effort after that hack and wrapped
everything after metldr into lv0, effectively using the only security they
had left (bootldr and lv0) to attempt to re-secure their platform.
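[Translator's note: According to marcan, the PS3's entire on-console
encryption scheme can be said to have been broken. The hacking camp broke
metldr earlier, so SONY moved its whole last line of defense onto bootldr;
now the outer perimeter of that last line, bootldr, has been breached as
well, and only the inner keep remains.]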
Bootldr suffers from the same exploit as metldr, so it was also doomed.
However, because bootldr is designed to run from a cold boot, it cannot be
loaded into a “sandboxed” SPU like metldr can from the comfort of OS-mode
code execution (which we had via the USB lv2 exploit), so the exploit is
harder to pull off because you don’t have control over the rest of the
software. For the exploit that we knew about, it would’ve required hardware
assistance to repeatedly reboot the PS3 and some kind of flash emulator to
set up the exploit with varying parameters each boot, and it probably would’ve
taken several hours or days of automated attempts to hit the right
combination (basically the exploit would work by executing random garbage as
code, and hoping that it jumps to somewhere within a segment that we control
– the probabilities are high enough that it would work out within a
reasonable timeframe). We never bothered to do this after the whole lawsuit
episode.
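[Translator's note: But the essential difference between bootldr and metldr
is that bootldr is used for cold boot and cannot get sandbox protection the
way metldr does, so if bootldr's encryption mechanism has a hole, it is in
serious trouble. This explains why the USB driver vulnerability in firmware
3.41 alone was not enough for us to take metldr, and other vulnerabilities
were needed to crack metldr. But the known vulnerability is still hard to use
for running unauthorized code, because a program pointer is lacking, so one
can only hope to be lucky enough that after boot the program pointer happens
to jump to the start of where we placed our code and then runs the code
fragment we want. The odds of this are very low, so a lot of time is needed
for attempts; anyway, during their lawsuit this was just the thing to kill
time with.]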
Presumably, 18 months later, some other group has finally figured this
out and either used our exploit and the hardware assistance, or some other
equivalent trick/exploit, to dump bootldr. Once the lv0 decryption key is
known, the signing private key can be computed (thanks to Sony’s epic
failure).
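[Translator's note: So 18 months went by, and someone finally broke through
the last line of defense with hardware assistance and decrypted lv0, and
then the private key could be computed as well.]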
The effect of this is essentially the same that the metldr key release
had: all existing and future firmwares can be decrypted, except Sony no
longer has the lv0 trick up their sleeve. What this means is that there is no
way for Sony to wrap future firmware to hide it from anyone, because old PS3s
must be able to use all future firmware (assuming Sony doesn’t just decide
to brick them all…), and those old PS3s now have no remaining seeds of
security that aren’t known. This means that all future firmwares and all
future games are decryptable, and this time around they really can’t do
anything about it. By extension, this means that given the usual
cat-and-mouse game of analyzing and patching firmware, every current user of
vulnerable or hacked firmware should be able to maintain that state through
all future updates, as all future firmwares can be decrypted and patched and
resigned for old PS3s. From the homebrew side, it means that it should be
possible to have homebrew/linux and current games at the same time. From the
piracy side, it means that all future games can be pirated. Note that this
doesn’t mean that these things will be easy (Sony can obfuscate things to
annoy people as much as they want), but from the fundamental security
standpoint, Sony doesn’t have any security leg to stand on now.
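[Translator's note: The consequences of this line of defense falling are much
the same as when metldr was cracked: every firmware version to date is
affected. Unless SONY has an lv-1 behind lv0, SONY can forget about hiding
anything in any future firmware update, because that firmware must be
"backward compatible" with every console revision (actually, they could also
do as iOS does, where different models download the same version but
firmware built for each model), and the old consoles are now completely laid
bare. This means that any software vulnerability found on old consoles in
the future can be reused on new consoles as well.
For the homebrew camp this is of course great news: it means Linux can be run
openly. For the piracy camp it is equally good news: it means there will be
no uncrackable games in the future (my guess is that SONY will require all
upcoming games to be activated online before they can be played).]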
It does not mean that current firmwares are exploitable. Firmware
upgrades are still signed, so you need an exploit in your current firmware to
downgrade. Also, newer PS3s presumably have fixed this (probably by using
newer bootldr/metldrs as trust roots, and proper signing all along).
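[Translator's note: But there are a few things to note: this does not mean
that all firmware can be cracked. Firmware updates still carry digital
signatures, so the currently installed firmware must have a vulnerability
before you can freely upgrade or downgrade. Newer consoles have a fix in
bootldr/metldr (3007 and above; 2507 and below are all the old, vulnerable
kind).]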
The keys are used for two purposes: chain of trust and chain of secrecy.
The compromise of the keys fully compromises the secrecy of the PS3 platform
permanently, as you can just follow the links down the chain (off-line, on a
PC) and decrypt any past, current, or future firmware version. Current
consoles must be able to use any future firmware update, and we now have
access to 100% of the common key material of current PS3s, so it follows that
any future firmware decryptable by current PS3s is also decryptable by anyone
on a PC.
However, the chain of trust can be re-established at any point along the
line that can be updated. The chain of trust is safely rooted in hardware
that is near impossible to modify (i.e. the CPU’s ROM and eFuse key). The
next link down the chain has been compromised (bootldr), and this link cannot
be updated as it is specific to each console, so the chain of trust now has a
permanent weak second link. However, the third link, lv0, can be updated as
it is located in flash memory and signed using public key crypto. This allows
Sony to secure the entire chain from there onwards. Unless you find a
vulnerability in these updated links, you will not be able to attack them
directly (applications, e.g. homebrew software, are verified much further
down the chain). The only guaranteed way to break the chain is to attack the
weak link directly, which means using a flash writer to overwrite lv0. Once
you do so, the entire chain collapses (well, you still need to do some work
to modify every subsequent link to turn off security, but that is easy). If
you have old firmware, you have at least some other weak links that, when
compromised, allow you direct access to break the bootldr link (replacing
lv0), but if you run up to date firmware you’re out of luck unless you can
find a weakness or you use hardware.
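[Translator's note: A chained verification scheme is very secure in
principle, but its weakness is that it "cannot have any weakness": a single
weak point, because of the chaining, renders the whole security scheme
ineffective. Verification starts from the eFuse key inside the CPU, and that
part is secure enough, but it already fails at the second step,
bootldr/metldr. The rest of the chain is implemented in software, so holes
can be patched, but metldr/bootldr happen to be burned in for good, so they
are beyond saving. The third step of the chain is lv0, which is stored in
flash and can be patched, so SONY will probably have to rewrite the whole
chained verification scheme and exclude bootldr as well. Even that is not
safe: with bootldr excluded from the chain, it makes no difference whether
lv0 is encrypted or not; the hacking camp can take a chip programmer, burn
their own modified lv0 into flash, and happily run their own code all the
same.]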
Old PS3s are now in the same boat as an old Wii, and in fact we can draw
a direct comparison of the boot process. On an old Wii, boot0 (the on-die
ROM) securely loads boot1 from flash, which is securely checked against an
eFuse hash, and boot1 loads boot2 but insecurely checks its signature. On an
old PS3, the Cell boot ROM securely loads bootldr from flash, which is
securely decrypted and checked using an eFuse key, and then bootldr loads lv0
but checks its signature against a hardcoded public key whose private
counterpart is now known. In both cases, the system can be persistently
compromised if you can write to flash, or if you already have code execution
in system context (which lets you write to flash). However, in both cases,
you need to use some kind of high-level exploit to break into the firmware
initially, particularly if you have up-to-date firmware. It just happens that
this is trivial on the Wii because there is no game patch system and Nintendo
seems to have stopped caring, while this is significantly harder on the PS3
because the system software has more security layers and there is a game
patch system.
….
The name is presumably wrong – they would be the bootldr keys, as the
keyset is considered to “belong” to the entity that uses those keys to
check and decrypt the next thing down the chain – just like the metldr keys
are the keys metldr uses to decrypt and verify other *ldrs, the bootldr keys
are the keys bootldr uses to decrypt and verify lv0.
Anyway, you’re confusing secrecy with trust. These keys let you decrypt
any future firmware; as you say, if they were to “fix” that, that would
mean new updates would not work on older machines. However, decrypting
firmware doesn’t imply that you can run homebrew or anything else. It just
means you can see the firmware, not actually exploit it if you’re running it.
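[Translator's note: For new firmware to stay backward compatible with old
consoles, the hole has to be tolerated; otherwise old consoles could not play
new games, and I don't think SONY would dare do that to its customers.]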
The only trust that is broken by this keyset (assuming they are the
bootldr keys) is the trust in lv0, the first upgradable component in the boot
process (and both it and bootldr are definitely software, not hardware, but
bootldr is not upgradable/replaceable so this cannot be fixed). This means
that you can use them to sign lv0. Period. Nothing more, nothing less. The
only things that these keys let you modify is lv0. In order to modify
anything else, you have to modify everything between it and lv0 first. This
means that these keys are only useful if you have write access to lv0, which
means a hardware flasher, or an already exploited console, or a system
exploit that lets you do so.
….
Oh, one more thing. I’m assuming that these keys actually should be
called the bootldr keys (as in the keys that bootldr uses to verify lv0), and
that the name “lv0” is just a misnomer (because lv0 is, itself, signed
using these keys).
If this keyset is just what Sony introduced in lv0 after the original
hack, and they are used to sign everything *under* lv0 and that is loaded
*by* lv0, then this whole thing is not newsworthy and none of what I said
applies. It just means that all firmwares *to date* can be decrypted. Sony
will replace this keyset and update lv0 and everything will be back at step 1
again. lv0 is updatable, unlike bootldr, and is most definitely not a fixed
root of trust (unlike metldr, which was, until the architecture hack/change
wrapped everything in lv0). If this is the case, color me unimpressed.
…..
by marcansoft on Wednesday October 24, @01:04AM (#41748707) Attached to:
PS3 Encryption Keys Leaked
Nevermind, I just checked. They are indeed the bootldr keys (I was able
to decrypt an lv0 with them). Consider this confirmation that the story is
not fake.
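
The trust-chain argument in the comments above, as an added example that is not part of marcan's comments or of the original post: a toy boot chain in which each stage verifies the next with a key it carries. HMAC-SHA256 stands in for the real signature checks, and every key, image and function name here is constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model of the chain described above. HMAC-SHA256 stands in for the real
# signature checks; every key and image is constructed for this example.

def key(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()

def sign(k: bytes, body: bytes) -> bytes:
    return hmac.new(k, body, hashlib.sha256).digest()

@dataclass
class Image:
    name: str
    payload: bytes
    next_key: bytes   # key this stage uses to verify the stage after it
    sig: bytes

def make_image(name: str, payload: bytes, next_key: bytes, signing_key: bytes) -> Image:
    body = name.encode() + b"|" + payload + b"|" + next_key
    return Image(name, payload, next_key, sign(signing_key, body))

def boot(root_key: bytes, flash: list) -> list:
    """Verify each stage with the key held by the previous one; return what ran."""
    ran, k = [], root_key
    for img in flash:
        body = img.name.encode() + b"|" + img.payload + b"|" + img.next_key
        if not hmac.compare_digest(img.sig, sign(k, body)):
            break                      # verification failed: boot stops here
        ran.append(f"{img.name}:{img.payload.decode()}")
        k = img.next_key
    return ran

EFUSE_KEY = key("per-console key, stays in silicon")       # still secret
LV0_KEY = key("key bootldr uses to check lv0")             # publicly known
NEW_LV1_KEY = key("fresh key shipped in an updated lv0")   # vendor only

def vendor_flash() -> list:
    # bootldr cannot be replaced, so lv0 must stay signed under LV0_KEY;
    # the update re-keys everything that comes after lv0.
    return [make_image("bootldr", b"vendor", LV0_KEY, EFUSE_KEY),
            make_image("lv0", b"vendor", NEW_LV1_KEY, LV0_KEY),
            make_image("lv1", b"vendor", key("lv2"), NEW_LV1_KEY)]

def scenarios() -> dict:
    other = key("third-party key")
    mod_lv0 = make_image("lv0", b"modified", other, LV0_KEY)
    mod_lv1 = make_image("lv1", b"modified", other, other)
    stock = vendor_flash()
    return {
        "stock": boot(EFUSE_KEY, stock),
        # Only lv1 changed, signed with the known key: updated lv0 rejects it.
        "lv1_only": boot(EFUSE_KEY, [stock[0], stock[1],
                         make_image("lv1", b"modified", other, LV0_KEY)]),
        # lv0 rewritten in flash: it is accepted, and so is every later link.
        "lv0_rewritten": boot(EFUSE_KEY, [stock[0], mod_lv0, mod_lv1]),
        # bootldr itself is still protected by the per-console key.
        "bootldr_swapped": boot(EFUSE_KEY,
                                [make_image("bootldr", b"modified", other, other),
                                 mod_lv0, mod_lv1]),
    }

if __name__ == "__main__":
    for name, ran in scenarios().items():
        print(f"{name:16} -> {ran}")
```

The `lv1_only` and `lv0_rewritten` cases correspond to the two statements in the text: the known key only covers lv0, and the chain falls from lv0 onward only when lv0 itself can be rewritten.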