Per Console Keys: Difference between revisions
Jump to navigation
Jump to search
Line 63: | Line 63: | ||
*this key can be obtained through AES from EID_root_key | *this key can be obtained through AES from EID_root_key | ||
**EID0_key can be gotten this way through a program such as openssl, using the following command once installed: | **EID0_key can be gotten this way through a program such as openssl, using the following command once installed: | ||
<pre> | |||
openssl aes-256-cbc -e -in EID0_Key_Seed.txt -out EID0IV.txt -nosalt -K (isoldr key) -iv (isoldr RIV) -p -nopad | |||
</pre> | |||
EID0_Key_Seed is the following: | EID0_Key_Seed is the following: | ||
<pre> | <pre> | ||
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C | AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C |
Revision as of 13:00, 19 October 2012
per_console_root_key_0
- metldr is decrypted with this key
- bootldr is decrypted with this key
- might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)
See also Bootorder::Boot Sequence
per_console_root_key_1 / EID_root_key
- derived from per_console_key_0
- stored inside metldr
- copied to sector 0 by metldr
- cleared by isoldr
- Used to decrypt part of the EID
- Used to derive further keys (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1)
- can be obtained with a modified isoldr that dumps it
- can be obtained with a derivation of this key going backwards
Obtaining It
Launch the patched isoldr with your prefered method, let it be Option 1, or Option 2...
Option 1 - Dumper Kernel Module
- modify glevands spp_verifier_direct to dump the mbox to wherever_you_want
http://pastebin.com/uTBbnC9B<-needs to be edited further
insmod ./spp_verifier_direct.ko cat metldr > /proc/spp_verifier_direct/metldr cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr echo 1 > /proc/spp_verifier_direct/run cat /proc/spp_verifier_direct/debug hd /ls.bin | less
Option 2 - Dumper Payload
- patched isoldr to dump it
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3
- patched isoldr: http://www.wupload.com/file/1153650416/dump_eid_root_key.self
- this can be loaded as the payload stage2 in the payload marcan used to load linux
- this can also be loaded as with lv2patcher and payloader3
- payloader3.git
Comments
- What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
- This has been tested and proven to work on 3.55 MFW
- In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
- Overwritting that code lets you dump your key + metldr
- Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption.
- per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.
per_console_root_key_2 / EID0_key
- this key can be obtained through AES from EID_root_key
- EID0_key can be gotten this way through a program such as openssl, using the following command once installed:
openssl aes-256-cbc -e -in EID0_Key_Seed.txt -out EID0IV.txt -nosalt -K (isoldr key) -iv (isoldr RIV) -p -nopad
EID0_Key_Seed is the following:
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C 37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B 08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4 D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
- EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
- Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
- This code is to decrypt your EID0 on your PC http://pastebin.com/xdPYgqXG
- The prerequisites are:
- dump your EID0 from your ps3 and save it in the same folder as EID0
- dump your EID0_key from your ps3 and put it on the code above where the key is needed
- load all of them in anergistic
- The prerequisites are:
- EID0_key could also be obtained with EID_root_key directly in the following manners:
- knowing the algorithm (located in isoldr) and applying it to the EID_root_key
- let isoldr apply that algorithm directly in anergistic
- the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key
Obtaining It
- patched aim_spu_module to dump it
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- http://www.multiupload.com/1XUOOYS9I0
- http://dl.dropbox.com/u/35197530/aim.self (to be verified. if it is the same file, i'll upload it again to mediafire
- http://www.ps3devwiki.com/files/devtools/PerConsoleKeys/aim.self
per_console_root_key_n
These are further derivations of the per_console_key_1/EID_root_key