Below are details from sphinxkoma and the PS3 Wiki (ps3devwiki.com/index.php?title=Talk:Per_Console_Keys) on dumping the per_console_key_1 via Kaz... it's only a matter of time for per_console_key_0, which unlocks everything we need. To quote:
EID crypto is very complicated, and it is done so on purpose. First of all, EID0 isn't decrypted with one key and one algorithm alone; it is decrypted in several parts which use different algorithms and keys. The keys are all derivations of a per console key (per_console_key_1) which is stored inside metldr, copied by it to sector 0, and never leaves isolation. That same key is a derivation of the per console key (per_console_key_0) used to encrypt metldr and the bl in the first place as well.

isoldr clears that key from sector 0 before jumping to the isolated module, but before doing so it encrypts it with another keyset and stores it in a buffer so that the isolated module can use the new crafted key. Since the operation is AES, if you know that keyset you can decrypt the crafted key and get the EID root key without pwning a loader or metldr through an isolated module. Not that you really need it, because you can already use the crafted key to decrypt some of EID0, but not all of it. The crafted key also uses the first ELF section to be built, as in: your isolated module will have a small section which only contains a key, and that key is used as another layer by isoldr to encrypt the buffer with. So basically you have 2 encryption layers over the root key. The final key then decrypts a specific part of the EID.

EID crypto is actually done smart. That is because most of it originally comes from the Cell bootrom, as in they reuse the same algorithm used for metldr binaries and the bl in the EID crypto, including some of the keys and the steps. And you cannot decrypt all of the EID sections unless you have gathered every single key and step, and there are a lot. Then you still have to figure out what it is you decrypted, because the EID is actually full of keys.
1. Build payloader3 from source, or use a precompiled package:
   payloader3-341.pkg: http://www.multiupload.com/MB7NE5AJYC
   payloader3-315.pkg: http://www.multiupload.com/JKKZG58NOR
2. Install the payloader3 pkg on the PS3.
3. Set the export in the terminal:
   a. export PS3LOAD=tcp:ipaddress.of.ps3
   b. start socat (socat udp-recv:18194 stdout)
4. Start the payloader3 pkg on the PS3.
5. Most likely you will not see a picture (black screen), but you will hear a distinctive sound (like a C64). Now several things are possible:
   a. X/Square, then start with ps3load ethdebug
   b. then go back to the XMB and launch ethdebug (for debugging pkg files)
6. Use ps3load in the mode you chose to send dump_eid_root_key.self to your PS3 (ps3load dump_eid_root_key.self). Now you should see the debug output in your debug terminal, and then hopefully you'll find the PCK there... (theoretically)
The per console key is used to derive other keys, some of which Sony can't change, since this appears to be the bottom of their encryption chain. It's also important to note that this method is intended for dumping per_console_key_1 and per_console_key_n, while per_console_key_0 is currently still required.

To speculate, however: in future PS3 CFW updates users may need to be on a Custom Firmware to begin with (or downgrade to one first), then run a .PKG to get their per console encryption key, then use it in a PS3 MFW Builder and install the resulting modified PS3 firmware on their PlayStation 3 console.