Per Console Keys: Difference between revisions

per_console_root_key_0

• metldr is decrypted with this key
• bootldr is decrypted with this key
• might be obtained with per_console_root_key_1?

per_console_root_key_1 / EID_root_key

• derived from per_console_key_0
• stored inside metldr
• copied to sector 0 by metldr
• cleared by isoldr
• Used to decrypt part of the EID
• Used to derive further keys
• can be obtained with a modifyed isoldr that dumps it
• can be obtained with a derivation of this key going backwards

obtaining it

launch the patched isoldr with your prefered method

Option 1 - modified kernel module

modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)

insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
cat /proc/spp_verifier_direct/wherever_you_want

Option 2 - dumper payload

• http://pastie.org/pastes/2101977

• patched isoldr to dump it
• DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
• patched isoldr: http://www.multiupload.com/2MP5KY28EZ

Comments

• In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
• Overwritting that code lets you dump your key + metldr

per_console_root_key_2 / EID0_key

• this key can be obtained through AES from EID_root_key

• EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
• Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
• http://pastie.org/2000330

obtaining it

• patched aim_spu_module to dump it
• DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
• http://www.multiupload.com/1XUOOYS9I0

per_console_root_key_n

these are further derivations of the per_console_key_1/EID_root_key

Documentation

polarssl.org/trac/browser/trunk/library/aes.c