Per Console Keys

From PS3 Developer wiki
Jump to navigation Jump to search

per_console_root_key_0

  • metldr is decrypted with this key
  • bootldr is decrypted with this key
  • might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)

See also Bootorder::Boot Sequence

per_console_root_key_1 / EID_root_key

  • derived from per_console_key_0
  • stored inside metldr
  • copied to sector 0 by metldr
  • cleared by isoldr
  • Used to decrypt part of the EID
  • Used to derive further keys (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1)
  • can be obtained with a modified isoldr that dumps it
  • can be obtained with a derivation of this key going backwards

Obtaining It

Launch the patched isoldr with your prefered method, let it be Option 1, or Option 2...

Option 1 - Dumper Kernel Module

  • modify glevands spp_verifier_direct to dump the mbox to wherever_you_want

http://pastebin.com/uTBbnC9B<-needs to be edited further

insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
hd /ls.bin | less

Option 2 - Dumper Payload

  • patched isoldr to dump it

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3

  • this can also be loaded as with lv2patcher and payloader3
    • payloader3.git

Comments

  • What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
  • This has been tested and proven to work on 3.55 MFW
  • In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
  • Overwritting that code lets you dump your key + metldr
  • Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption.
  • per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.

per_console_root_key_2 / EID0_key

  • this key can be obtained through AES from EID_root_key
  • EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
  • Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
  • This code is to decrypt your EID0 on your PC http://pastie.org/2000330
    • The prerequisites are:
      • dump your EID0 from your ps3 and save it in the same folder as EID0
      • dump your EID0_key from your ps3 and put it on the code above where the key is needed
      • load all of them in anergistic
  • EID0_key could also be obtained with EID_root_key directly in the following manners:
    • knowing the algorithm (located in isoldr) and applying it to the EID_root_key
    • let isoldr apply that algorithm directly in anergistic
      • the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key


Obtaining It

  • patched aim_spu_module to dump it

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK

per_console_root_key_n

These are further derivations of the per_console_key_1/EID_root_key

Documentation

http://polarssl.org/trac/browser/trunk/library/aes.c