Per Console Keys

per_console_root_key_0

• metldr is decrypted with this key
• bootldr is decrypted with this key
• might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)

See also Bootorder::Boot Sequence

per_console_root_key_1 / EID_root_key

• derived from per_console_key_0
• stored inside metldr
• copied to sector 0 by metldr
• cleared by isoldr
• Used to decrypt part of the EID
• Used to derive further keys (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1)
• can be obtained with a modified isoldr that dumps it
• can be obtained with a derivation of this key going backwards

Obtaining It

Launch the patched isoldr with your prefered method, let it be Option 1, or Option 2...

Option 1 - Dumper Kernel Module

• modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)
• the example code on how to dump the mbox can be found on 'Option 2 -Dumper Payload' below

insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
cat /proc/spp_verifier_direct/wherever_you_want

Option 2 - Dumper Payload

• http://pastie.org/pastes/2101977

• patched isoldr to dump it

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3

• patched isoldr: http://www.multiupload.com/2MP5KY28EZ

• this can be loaded as the payload stage2 in the payload marcan used to load linux
  • http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/
  • http://git.marcansoft.com/?p=asbestos.git

• this can also be loaded as with lv2patcher and payloader3
  • payloader3.git

Comments

• What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
• This has been tested and proven to work on 3.55 MFW
• In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
• Overwritting that code lets you dump your key + metldr
• Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption.
• per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.

per_console_root_key_2 / EID0_key

• this key can be obtained through AES from EID_root_key

• EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
• Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
• This code is to decrypt your EID0 on your PC http://pastie.org/2000330
  • The prerequisites are:
    • dump your EID0 from your ps3 and save it in the same folder as EID0
    • dump your EID0_key from your ps3 and put it on the code above where the key is needed
    • load all of them in anergistic

• EID0_key could also be obtained with EID_root_key directly in the following manners:
  • knowing the algorithm (located in isoldr) and applying it to the EID_root_key
  • let isoldr apply that algorithm directly in anergistic
    • the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key

Obtaining It

• patched aim_spu_module to dump it

*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK

• http://www.multiupload.com/1XUOOYS9I0

per_console_root_key_n

These are further derivations of the per_console_key_1/EID_root_key

Documentation

http://polarssl.org/trac/browser/trunk/library/aes.c