Per Console Keys: Difference between revisions
Jump to navigation
Jump to search
(you have all you need already ;-) just read carefully (compare option2 code with the kernel module code)) |
|||
| Line 4: | Line 4: | ||
*metldr is decrypted with this key | *metldr is decrypted with this key | ||
*bootldr is decrypted with this key | *bootldr is decrypted with this key | ||
*might be obtained with per_console_root_key_1'''?''' ''( | *might be obtained with per_console_root_key_1'''?''' ''(largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)'' | ||
==per_console_root_key_1 / EID_root_key== | ==per_console_root_key_1 / EID_root_key== | ||
| Line 14: | Line 14: | ||
*Used to decrypt part of the EID | *Used to decrypt part of the EID | ||
*Used to derive further keys | *Used to derive further keys | ||
*can be obtained with a | *can be obtained with a modified isoldr that dumps it | ||
*can be obtained with a derivation of this key going backwards | *can be obtained with a derivation of this key going backwards | ||
| Line 21: | Line 21: | ||
launch the patched isoldr with your prefered method | launch the patched isoldr with your prefered method | ||
==== Option 1 - | ==== Option 1 - dumper kernel module ==== | ||
*modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then '''(use the payload below as an example)''' | |||
*the example code on how to dump the mbox can be found on the Option 2 - dumper payload below | |||
<pre> | <pre> | ||
insmod ./spp_verifier_direct.ko | insmod ./spp_verifier_direct.ko | ||
| Line 39: | Line 41: | ||
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK | *DO NOT CREATE AN MFW USING THIS IT WOULD BRICK | ||
*patched isoldr: http://www.multiupload.com/2MP5KY28EZ | *patched isoldr: http://www.multiupload.com/2MP5KY28EZ | ||
*this can be loaded as the payload stage2 in the payload marcan used to load linux | |||
** http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/ | |||
** http://git.marcansoft.com/?p=asbestos.git | |||
*this can also be loaded as with lv2patcher and payloader3 | |||
**https://github.com/euss/payloader3.git | |||
==== Comments ==== | ==== Comments ==== | ||
*What this selfs do is dump your '''ISOLATED SPU''' LS through your mbox, so you only need a way to cach this info with '''PPU code in lv2 enviroment''' aka a '''dongle payload''' or '''linux kernel''' | |||
*This has been tested and proven to work on 3.55 MFW | |||
*In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr. | *In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr. | ||
*Overwritting that code lets you dump your key + metldr | *Overwritting that code lets you dump your key + metldr | ||
| Line 50: | Line 61: | ||
*EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self | *EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self | ||
*Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0 | *Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0 | ||
*http://pastie.org/2000330 | *This code is to decrypt your EID0 on your PC http://pastie.org/2000330 | ||
**The prerequisites are: | |||
***dump your EID0 from your ps3 and save it in the same folder as EID0 | |||
***dump your EID0_key from your ps3 and put it on the code above where the key is needed | |||
***load all of them in anergistic | |||
*EID0_key could also be obtained with '''EID_root_key''' directly in the following manners: | |||
**knowing the algorithm (located in isoldr)and applying it to the EID_root_key | |||
**leting isoldr apply that algorithm directly in anergistic | |||
***the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key | |||
Revision as of 21:28, 26 October 2011
per_console_root_key_0
- metldr is decrypted with this key
- bootldr is decrypted with this key
- might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)
per_console_root_key_1 / EID_root_key
- derived from per_console_key_0
- stored inside metldr
- copied to sector 0 by metldr
- cleared by isoldr
- Used to decrypt part of the EID
- Used to derive further keys
- can be obtained with a modified isoldr that dumps it
- can be obtained with a derivation of this key going backwards
obtaining it
launch the patched isoldr with your prefered method
Option 1 - dumper kernel module
- modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)
- the example code on how to dump the mbox can be found on the Option 2 - dumper payload below
insmod ./spp_verifier_direct.ko cat metldr > /proc/spp_verifier_direct/metldr cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr echo 1 > /proc/spp_verifier_direct/run cat /proc/spp_verifier_direct/debug cat /proc/spp_verifier_direct/wherever_you_want
Option 2 - dumper payload
- patched isoldr to dump it
- DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- patched isoldr: http://www.multiupload.com/2MP5KY28EZ
- this can be loaded as the payload stage2 in the payload marcan used to load linux
- this can also be loaded as with lv2patcher and payloader3
Comments
- What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
- This has been tested and proven to work on 3.55 MFW
- In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
- Overwritting that code lets you dump your key + metldr
per_console_root_key_2 / EID0_key
- this key can be obtained through AES from EID_root_key
- EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
- Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
- This code is to decrypt your EID0 on your PC http://pastie.org/2000330
- The prerequisites are:
- dump your EID0 from your ps3 and save it in the same folder as EID0
- dump your EID0_key from your ps3 and put it on the code above where the key is needed
- load all of them in anergistic
- The prerequisites are:
- EID0_key could also be obtained with EID_root_key directly in the following manners:
- knowing the algorithm (located in isoldr)and applying it to the EID_root_key
- leting isoldr apply that algorithm directly in anergistic
- the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key
obtaining it
- patched aim_spu_module to dump it
- DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- http://www.multiupload.com/1XUOOYS9I0
per_console_root_key_n
these are further derivations of the per_console_key_1/EID_root_key
Documentation
polarssl.org/trac/browser/trunk/library/aes.c