Per Console Keys: Difference between revisions
Jump to navigation
Jump to search
(you have all you need already ;-) just read carefully (compare option2 code with the kernel module code)) |
|||
| Line 73: | Line 73: | ||
=== | === Obtaining It === | ||
*patched aim_spu_module to dump it | *patched aim_spu_module to dump it | ||
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK | *DO NOT CREATE AN MFW USING THIS IT WOULD BRICK | ||
*http://www.multiupload.com/1XUOOYS9I0 | *http://www.multiupload.com/1XUOOYS9I0 | ||
==per_console_root_key_n== | ==per_console_root_key_n== | ||
Revision as of 01:33, 27 October 2011
per_console_root_key_0
- metldr is decrypted with this key
- bootldr is decrypted with this key
- might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)
per_console_root_key_1 / EID_root_key
- derived from per_console_key_0
- stored inside metldr
- copied to sector 0 by metldr
- cleared by isoldr
- Used to decrypt part of the EID
- Used to derive further keys
- can be obtained with a modified isoldr that dumps it
- can be obtained with a derivation of this key going backwards
obtaining it
launch the patched isoldr with your prefered method
Option 1 - dumper kernel module
- modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)
- the example code on how to dump the mbox can be found on the Option 2 - dumper payload below
insmod ./spp_verifier_direct.ko cat metldr > /proc/spp_verifier_direct/metldr cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr echo 1 > /proc/spp_verifier_direct/run cat /proc/spp_verifier_direct/debug cat /proc/spp_verifier_direct/wherever_you_want
Option 2 - dumper payload
- patched isoldr to dump it
- DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- patched isoldr: http://www.multiupload.com/2MP5KY28EZ
- this can be loaded as the payload stage2 in the payload marcan used to load linux
- this can also be loaded as with lv2patcher and payloader3
Comments
- What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
- This has been tested and proven to work on 3.55 MFW
- In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
- Overwritting that code lets you dump your key + metldr
per_console_root_key_2 / EID0_key
- this key can be obtained through AES from EID_root_key
- EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
- Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
- This code is to decrypt your EID0 on your PC http://pastie.org/2000330
- The prerequisites are:
- dump your EID0 from your ps3 and save it in the same folder as EID0
- dump your EID0_key from your ps3 and put it on the code above where the key is needed
- load all of them in anergistic
- The prerequisites are:
- EID0_key could also be obtained with EID_root_key directly in the following manners:
- knowing the algorithm (located in isoldr)and applying it to the EID_root_key
- leting isoldr apply that algorithm directly in anergistic
- the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key
Obtaining It
- patched aim_spu_module to dump it
- DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- http://www.multiupload.com/1XUOOYS9I0
per_console_root_key_n
these are further derivations of the per_console_key_1/EID_root_key
Documentation
polarssl.org/trac/browser/trunk/library/aes.c