Editing Per Console Keys
[[Category:Software]]
==per_console_root_key_0==
*metldr is decrypted with this key
*bootldr is decrypted with this key
*might be obtained with per_console_root_key_1'''?''' ''(largely speculative, not necessarily true; needs to be looked into further, based only on the behavior of the other derivatives known to be obtained through AES)''
'''could be located:'''
http://screensnapr.com/e/mE1vmY.png
==per_console_root_key_1 / EID_root_key==
*derived from per_console_key_0
*stored inside metldr
*copied to sector 0 by metldr
*cleared by isoldr
*Used to decrypt part of the EID
*Used to derive further keys ''(per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1)''
*can be obtained with a modified isoldr that dumps it
*can be obtained with a derivation of this key going backwards
=== Obtaining It ===
Launch the patched isoldr with your preferred method, be it Option 1 or Option 2.
==== Option 1 - Dumper Kernel Module ====
*modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want and then '''(use the payload below as an example)'''
*the example code on how to dump the mbox can be found under 'Option 2 - Dumper Payload' below
<pre>
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
cat /proc/spp_verifier_direct/wherever_you_want
</pre>
==== Option 2 - Dumper Payload ====
*http://pastie.org/pastes/2101977
*patched isoldr to dump it
'''*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3'''
*patched isoldr: http://www.multiupload.com/2MP5KY28EZ
*this can be loaded as the payload stage2 in the payload marcan used to load linux
** http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/
** http://git.marcansoft.com/?p=asbestos.git
*this can also be loaded with lv2patcher and payloader3
** payloader3.git
==== Comments ====
*What these selfs do is dump your '''ISOLATED SPU''' LS through your mbox, so you only need a way to catch this info with '''PPU code in lv2 environment''' aka a '''dongle payload''' or '''linux kernel'''
*This has been tested and proven to work on 3.55 MFW
*In the dump, the remaining part is the metldr clear code. metldr clears itself and all the registers and jumps to isoldr.
*Overwriting that code lets you dump your key + metldr
*Consider that per_console_key_1 and per_console_key_n are in fact still in need of decryption.
*per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.
==per_console_root_key_2 / EID0_key==
*this key can be obtained through AES from EID_root_key
*EID can be partially decrypted by setting this key in anergistic and firing aim_spu_module.self
*Load aim_spu_module.self + EID0 + EID0_key in anergistic = decrypted EID0
*This code is to decrypt your EID0 on your PC http://pastie.org/2000330
**The prerequisites are:
***dump your EID0 from your ps3 and save it in the same folder as EID0
***dump your EID0_key from your ps3 and put it in the code above where the key is needed
***load all of them in anergistic
*EID0_key could also be obtained with '''EID_root_key''' directly in the following ways:
**knowing the algorithm (located in isoldr) and applying it to the EID_root_key
**let isoldr apply that algorithm directly in anergistic
***the process is exactly the same as the one above (modifying anergistic to feed isoldr with EID_root_key)
=== Obtaining It ===
*patched aim_spu_module to dump it
'''*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK'''
*http://www.multiupload.com/1XUOOYS9I0
==per_console_root_key_n==
These are further derivations of the per_console_key_1/EID_root_key
==Documentation==
http://polarssl.org/trac/browser/trunk/library/aes.c