Per Console Keys: Difference between revisions
Edit summaries of the two revisions: "(eid0 key)" and "(have fun!)"

Diff between the revisions (wiki text; lines present only in the newer revision are marked "added"):

Line 20 (old) / Line 20 (new):
  launch the patched isoldr with your prefered method

  added:
  ==== Option 1 - modified kernel module ====
  modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then
  <pre>
  insmod ./spp_verifier_direct.ko
  cat metldr > /proc/spp_verifier_direct/metldr
  cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr
  echo 1 > /proc/spp_verifier_direct/run
  cat /proc/spp_verifier_direct/debug
  cat /proc/spp_verifier_direct/wherever_you_want
  </pre>
  ==== Option 2 - dumper payload ====
  *http://pastie.org/pastes/2101977

  *patched isoldr to dump it

Line 28 (old) / Line 40 (new):
  *http://www.multiupload.com/2MP5KY28EZ
  ==per_console_root_key_2 / EID0_key ==   (heading extended with "EID0_key" in the new revision)
  *this key can be obtained through AES from EID_root_key
  *EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self

  added:
  *Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
  *http://pastie.org/2000330

  === obtaining it ===
Revision as of 15:45, 26 October 2011
per_console_root_key_0
- metldr is decrypted with this key
- bootldr is decrypted with this key
- might be obtained with per_console_root_key_1?
per_console_root_key_1 / EID_root_key
- derived from per_console_key_0
- stored inside metldr
- copied to sector 0 by metldr
- cleared by isoldr
- Used to decrypt part of the EID
- Used to derive further keys
- can be obtained with a modified isoldr that dumps it
- can be obtained with a derivation of this key going backwards
obtaining it
launch the patched isoldr with your preferred method
Option 1 - modified kernel module
modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want and then
insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
cat /proc/spp_verifier_direct/wherever_you_want
Option 2 - dumper payload
- patched isoldr to dump it
- DO NOT CREATE AN MFW USING THIS, IT WOULD BRICK
- http://www.multiupload.com/2MP5KY28EZ
per_console_root_key_2 / EID0_key
- this key can be obtained through AES from EID_root_key
- EID can be partially decrypted by setting this key in anergistics and firing aim_spu_module.self
- Load aim_spu_module.self + EID0 + EID0_key in anergistics = decrypted EID0
- http://pastie.org/2000330
obtaining it
- patched aim_spu_module to dump it
- DO NOT CREATE AN MFW USING THIS, IT WOULD BRICK
- http://www.multiupload.com/1XUOOYS9I0
per_console_root_key_n
these are further derivations of the per_console_key_1/EID_root_key