Re: [PS3 ] PS3 全裸了嗎？

看板Modchip (改機)作者cassine (Savannah)時間13年前 (2011/10/27 16:25)推噓25(25推 0噓 12→)

留言37則, 27人參與討論串3/7 (看更多)

ps3hax那篇重點以外的東西太多，PS3DevWiki上有比較詳細的解釋 http://ps3devwiki.com/index.php?title=Per_Console_Keys per_console_root_key_0 絕對管理員金鑰 0 〔所謂絕對是指世界上就只有這麼一把，不會有第二把相同的金鑰了，跟絕對座標的絕對意義相同〕 metldr is decrypted with this key metldr靠這把金鑰解密 bootldr is decrypted with this key bootldr 靠這把金鑰解密〔是故，取得此一金鑰即可改寫bootloader，如果 bootloader不是燒死在唯讀記憶體中的話〕 might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES) 或許可以藉由絕對管理員金鑰 1號回推？（有很大的猜測成份，證據不足還需再要深入研究，猜測的基礎是 AES加密演算法的運作原理） per_console_root_key_1/EID_root_key 絕對管理員金鑰 1／ EID管理員金鑰 derived from per_console_key_0 源自絕對管理員金鑰 0號 stored inside metldr 儲存在metldr裡頭 copied to sector 0 by metldr 稍後被metldr複製到第 0區間〔雖然sector也有磁區的意思，但此處應該不是〕 cleared by isoldr 接著被isoldr清除 Used to decrypt part of the EID 可用來解密部份的 EID資訊 Used to derive further keys (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1) 可用來計算其他的金鑰（除了絕對管理員金鑰 0號之外，因為金鑰 1號是由 0號導出的） can be obtained with a modified isoldr that dumps it 可藉由修改isoldr取得 can be obtained with a derivation of this key going backwards 也可自由它導出的金鑰來回推〔理論上可以這麼做，但不實際〕 Obtaining It 該如何取得 Launch the patched isoldr with your prefered method, let it be Option 1, or Option 2... 要載入修改過的isoldr總共有兩種方式，隨你喜歡，以下稍做解釋： Option 1 - Dumper Kernel Module 方法一：在 Linux核心上附加讀取模組 modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example) 將glevands的spp_verifier_direct 掛載成為核心模組（底下使用酬載的方式原理相同） the example code on how to dump the mbox can be found on 'Option 2 -Dumper Payload' below 範例程式碼可自底下Dumper Payload的部份取得 host $ insmod ./spp_verifier_direct.ko host $ cat metldr > /proc/spp_verifier_direct/metldr host $ cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr host $ echo 1 > /proc/spp_verifier_direct/run host $ cat /proc/spp_verifier_direct/debug host $ cat /proc/spp_verifier_direct/wherever_you_want Option 2 - Dumper Payload 方法二：直接送入酬載 http://pastie.org/pastes/2101977 patched isoldr to dump it 以上方法皆須搭配修改過的isoldr使用 *DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3 警告：請勿將此檔包入自製韌體中，否則會變磚 patched isoldr: http://www.multiupload.com/2MP5KY28EZ this can be loaded as the payload stage2 in the payload marcan used to load linux 可利用marcan的方式在stage2載入酬載 http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/ http://git.marcansoft.com/?p=asbestos.git this can also be loaded as with lv2patcher and payloader3 亦可透過lv2patcher與payloader3送入酬載〔推薦之，簡單很多〕 Comments What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel. 這個self程式的功能是把 SPU裡頭的東西讀出來，稍後可以透過能在 lv2 上執行的程式，例如 Linux和新貨是電子狗酬載來讀取。 This has been tested and proven to work on 3.55 MFW. 此一原理已於3.55-MFW上測試成功 In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr. 現在還差臨門一腳的是metldr的程式，因為metldr會把自己刪除，同時把暫存器清空，然後跳到isoldr Overwritting that code lets you dump your key + metldr. 修改這些程式就能得到金鑰跟metldr程式 Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption. 必須考慮絕對金鑰 0與絕對金鑰 1取出時仍然是加密的狀態 per_console_key_0 particularly needs to be dumped once revived from per_console_key_1. 絕對金鑰 0在金鑰 1生成的時候就要讀出，是唯一機會。 per_console_root_key_2/EID0_key 絕對管理員金鑰 2／ EID金鑰 this key can be obtained through AES from EID_root_key 可利用 AES演算法配合 EID管理員金鑰導出 EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self 利用本金鑰搭配aim_spu_module.self 模組可以解出部份的 EID內容 Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0 This code is to decrypt your EID0 on your PC http://pastie.org/2000330 解碼用的範例程式 The prerequisites are: 前置作業： dump your EID0 from your ps3 and save it in the same folder as EID0 將EID0自主機讀出，並存放在電腦上某個目錄 dump your EID0_key from your ps3 and put it on the code above where the key is needed 將EID0金鑰讀出，並放在程式碼所指定的目錄中 load all of them in anergistic 全部塞入anergistic程式中 EID0_key could also be obtained with EID_root_key directly in the following manners: EID0金鑰可與 EID管理員金鑰用以下方法同時取得： knowing the algorithm (located in isoldr) and applying it to the EID_root_key 知道演算法（存在isoldr中）與 EID管理員金鑰，用電腦解碼 leting isoldr apply that algorithm directly in anergistic the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key 交給isoldr來辦，修改anergistic程式，讓isoldr解出後直接吐出金鑰 Obtaining It 該如何取得 patched aim_spu_module to dump it 利用修改過的aim_spu_module讀出 *DO NOT CREATE AN MFW USING THIS IT WOULD BRICK 警告：請勿將此一檔案包入自製韌體中，否則會變磚 http://www.multiupload.com/1XUOOYS9I0 per_console_root_key_n 絕對管理員金鑰第 n These are further derivations of the per_console_key_1/EID_root_key 由絕對管理員金鑰 1／ EID管理員金鑰導出 ****** 就等吧，現在這些工具還不大好用，聖誕節前應該會有新消息，拿到rootkey 後 SONY不推新主機，最壞的情況就只能退守 PSN防線。 -- ○ ____ _ _ _ _ ____ _ _ ____ _____ ____ 。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \ ｏ _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧ (____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★ ｏ -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 140.120.31.137

推

rabbit83035

10/27 17:24, , 1^F

10/27 17:24, 1^F

推

cloudsub

10/27 17:56, , 2^F

10/27 17:56, 2^F

推

chiyosuke

10/27 18:31, , 3^F

10/27 18:31, 3^F