Per Console Keys

per_console_root_key_0

• bootldr and metldr are decrypted with this key. See also Boot Order.
• Might it be obtained with per_console_root_key_1 ? It need more looked into. It might be the case, based on the behavior of the other derivatives known to be obtained through AES.

per_console_root_key_1 (EID_root_key)

• Derived from per_console_key_0
• Stored inside metldr
• Copied to sector 0 by metldr
• Cleared by isoldr
• Used to decrypt part of the EID
• Used to derive further keys
• Can be obtained with a modified isoldr that dumps it

Obtaining It

Launch the patched isoldr with your preferred method, let it be Option 1, or Option 2...

Option 1 - Dumper Kernel Module

• Modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want.
• http://pastebin.com/uTBbnC9B <- needs to be edited further

insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
hd /ls.bin | less

Option 2 - Dumper Payload

• http://pastebin.com/YwDKqgTj

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK

• Patched isoldr to dump it: http://www.wupload.com/file/1153650416/dump_eid_root_key.self <- dead link

• This can be loaded as the payload stage2 in the payload marcan used to load linux.
  • http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/
  • http://git.marcansoft.com/?p=asbestos.git

• This can also be loaded as with lv2patcher and payloader3.
  • payloader3.git <- ?dead link ?

Comments

• What these SELFs do is dump the PS3 ISOLATED SPU LS through mbox, so you only need a way to catch this data with PPU code in lv2 environment aka a dongle payload or linux kernel.
• This has been tested and proven to work on 3.55 MFW.
• In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers then jumps to isoldr.
• Overwritting that code lets you dump your key + metldr.

per_console_root_key_2 (EID0_key)

Obtaining It

Using the reversed code

• This key can be obtained through AES from eid_root_key.
• The algorithm is located in isoldr.
• EID0_key can be gotten through a program such as openssl, using the following command (once installed):

openssl aes-256-cbc -e -in eid0_key_seed -out eid0_enc_seed -nosalt -K (isoldr key) -iv (isoldr RIV) -p -nopad

See Seeds.

Using anergistics (advanced users)

EID0 can be decrypted by setting EID0_key in anergistics and fireing aim_spu_module.self:

• Load aim_spu_module.self + EID0 + EID0_key in anergistics -> decrypted EID0.
• This code decrypts EID0 on PC.
• The prerequisites are:
  • Dump EID0 from your PS3.
  • Dump EID0_key from your PS3 and put it in the code above where the key (eid_mkey?) is needed.
  • Load all of them in anergistic.

Using similar steps, you can provide eid_root_key and obtain EID0_key:

• EID0_key can be obtained with eid_root_key directly by letting isoldr apply the algorithm in anergistic.
• It needs modifing anergistic to feed isoldr with eid_root_key.
• Patched aim_spu_module to dump EID0_Key:

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK

• • http://dl.dropbox.com/u/35197530/aim.self <- dead link

per_console_root_key_n

These are further derivations of the per_console_key_1 (EID_root_key).

See ps3_decrypt_tools by naehrwert, zecoxao and al..

cVTRM

SRK (Secret or Syscon Root Key - root hash secret (hsec)) (derivation from per console key?) is stored in Syscon along with SRH (Secret or Syscon Root Hash). SRK is used as HMAC hash to authenticate cVTRM data from flash. SRH is a hash of cVTRM data. SRH is computed at runtime and compared with SRH from Syscon.

You can fetch SRH with VTRM or SCM utilities from glevand's ps3-vuart-tools (you need to add the function to the tools to do so) or from GameOS directly if you do some patches at hypervisor level.

cVTRM uses SysCon Isolated Module to do all the cryptographic operations. It uses AES-CBC-128 to encrypt data. It seems like key is fetched from encrypted key table in Syscon (related to EID1?). Also this key can be computed using AES-XTS-128. IV contains all zeroes. Data and tweak keys for XTS are computed from eid_root_key using seeds from SysCon Isolated Module.

Here is an example of decrypted cVTRM blocks:

1B68B7B67048454E863ECA0665EFB086  1B68B7B67048454E863ECA0665EFB08670F3EADB (Drive Revocation List Hash)
70F3EADB96791F41F9A76F4D895DD582  96791F41F9A76F4D895DD5820DB108EC03D19250 (Content Revocation List Hash)
0DB108EC03D192500000000000000000
00000000000000000000000000000000

00000001000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

087E91AEFFB8E66A0000000000000000  6AE6B8FFAE917E08 (PSN) Account ID
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

• DEAD LINK Here's a link with the added functions. Please test it and report if it works :)

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation PS1 Emulation · PS2 Emulation · PSP Emulation Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks