Internal Ebootroms
Description
Through access to sony's scedevnet area, once someone was able to obtain files that had symbolic information on them. those files were the internal ebootroms. This page describes what was used to obtain partial access to the plaintext of those roms.
ebootrom 2_I
2_I doesn't have a layer of encryption over it, besides pkgs and selfs layer. so you can just cosunpack everything in one go and decrypt it (provided you have access to the keys)
keys
keys were obtained through xoring and dexoring ebootrom mini_I and I_spu_to_6 (or to_8) until the plain section metadata was obtained (thanks to CTR trick)
mini_I
mini_I is just 2_I, but instead it has a layer of crypto (CTR) over it, and 39 aditional metldrs, the largest ever found, packed up in 39 individual blocks (which make for the size of the ebootrom). os is the same (4MB exact size) and each individual block has 0xA3CC6 block size (header included)
I_spu_to_6(8)
spu_to_X contains another giant table of lv1ldrs, packed together with lv1.self and hypr.bin.with-sig. it was obtained by xoring forged mini_I partial plaintext (just enough size) and mini_I encrypted, xored with spu_to_X cyphertext, thus obtaining partial plaintext.
New things
- lv1.self with 5252525209090909 reverse sbox
- hypr.bin.with-sig
- sc_iso individual seed changes / aim_spu_module (maybe others)