Has the PS3 been stripped bare yet? - Modding
By Dora
at 2011-10-27T16:25
The ps3hax post has too much besides the essentials; PS3DevWiki has a more thorough explanation:
http://ps3devwiki.com/index.php?title=Per_Console_Keys
per_console_root_key_0 〔rendered in the original as "absolute administrator key 0"; "absolute" meaning there is exactly one such key in the world and no second identical one, in the same sense as an absolute coordinate〕
metldr is decrypted with this key
bootldr is decrypted with this key 〔so obtaining this key would let you rewrite the bootloader, provided the bootloader is not burned into read-only memory〕
might be obtained with per_console_root_key_1? (largely speculative, not necessarily true; needs more investigation, based only on the behaviour of the other derivatives that are known to be obtained through AES)
per_console_root_key_1 / EID_root_key 〔"absolute administrator key 1" / "EID administrator key" in the original rendering〕
derived from per_console_key_0
stored inside metldr
copied to sector 0 by metldr 〔"sector" can also mean a disk sector, but that is probably not what is meant here〕
cleared by isoldr
used to decrypt part of the EID
used to derive further keys (per_console_key_0 is not one of the keys derived from it; key 0 is the key that derived per_console_key_1)
can be obtained with a modified isoldr that dumps it
can be obtained by running a derivation of this key backwards 〔theoretically possible, but not practical〕
Obtaining it
Launch the patched isoldr with your preferred method, either Option 1 or Option 2 〔there are two ways to load the modified isoldr; pick whichever you like, briefly explained below〕:
Option 1 - Dumper Kernel Module 〔attach a reader module to the Linux kernel〕
modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want and then run it (use the payload below as an example) 〔load glevand's spp_verifier_direct as a kernel module; same principle as the payload method below〕
the example code for dumping the mbox can be found under 'Option 2 - Dumper Payload' below
host $ insmod ./spp_verifier_direct.ko
host $ cat metldr > /proc/spp_verifier_direct/metldr
host $ cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr
host $ echo 1 > /proc/spp_verifier_direct/run
host $ cat /proc/spp_verifier_direct/debug
host $ cat /proc/spp_verifier_direct/wherever_you_want
Option 2 - Dumper Payload 〔send the payload directly〕
http://pastie.org/pastes/2101977
patched isoldr to dump it 〔both methods need the patched isoldr〕
*DO NOT CREATE AN MFW USING THIS, IT WOULD BRICK THE PS3 〔warning: do not pack this file into a custom firmware, or the console will brick〕
patched isoldr: http://www.multiupload.com/2MP5KY28EZ
this can be loaded as the stage2 payload in the payload marcan used to load Linux 〔load it at stage2 the way marcan does〕
http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/
http://git.marcansoft.com/?p=asbestos.git
this can also be loaded with lv2patcher and payloader3 〔recommended; much simpler〕
Comments
What this self does is dump your isolated SPU LS through your mbox, so you only need a way to catch this data with PPU code in the lv2 environment, i.e. a dongle payload or a Linux kernel 〔this self reads out what is in the SPU; a program running on lv2, such as Linux or a dongle payload, then collects it〕.
This has been tested and proven to work on 3.55 MFW.
In the dump, the remaining part is the metldr clear code. metldr clears itself and all the registers and jumps to isoldr 〔the piece still missing is metldr's own code, because metldr wipes itself and the registers before jumping to isoldr〕.
Overwriting that code lets you dump your key + metldr.
Consider that per_console_key_1 and per_console_key_n are in fact still in need of decryption.
per_console_key_0 in particular needs to be dumped once revived from per_console_key_1 〔key 0 has to be read out at the moment key 1 is generated; that is the only chance〕.
per_console_root_key_2 / EID0_key 〔"absolute administrator key 2" / "EID key" in the original rendering〕
this key can be obtained through AES from EID_root_key
EID can be partially decrypted by setting this key in anergistic and firing aim_spu_module.self
Load aim_spu_module.self + EID0 + EID0_key in anergistic = decrypted EID0
This code is to decrypt your EID0 on your PC 〔example decoding program〕:
http://pastie.org/2000330
The prerequisites are:
dump your EID0 from your PS3 and save it in the same folder as EID0 〔read EID0 out of the console and keep it in a directory on the PC〕
dump your EID0_key from your PS3 and put it in the code above where the key is needed
load all of them in anergistic
EID0_key could also be obtained from EID_root_key directly in the following ways:
knowing the algorithm (located in isoldr) and applying it to the EID_root_key 〔decode on the PC with the algorithm and the EID_root_key〕
letting isoldr apply that algorithm directly in anergistic; the process is exactly the one above (modifying anergistic to feed isoldr with EID_root_key) 〔let isoldr do it: modify anergistic so isoldr derives the key and spits it out〕
Obtaining it
patched aim_spu_module to dump it
*DO NOT CREATE AN MFW USING THIS, IT WOULD BRICK 〔warning: do not pack this file into a custom firmware, or the console will brick〕
http://www.multiupload.com/1XUOOYS9I0
per_console_root_key_n 〔"absolute administrator key n"〕
These are further derivations of per_console_key_1/EID_root_key
******
Just wait. These tools are still not very usable; there should be news before Christmas. Once the root key is out, if SONY does not push a new console, the worst case for it is to fall back to the PSN line of defence.
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
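An added example for the key chain quoted in the post above (editor's code, not from the post, from PS3DevWiki or from any PS3 tool). It models the chain per_console_root_key_0 -> per_console_root_key_1 (EID_root_key) -> per_console_root_key_2 (EID0_key) -> per_console_root_key_n and makes concrete the point the wiki only speculates about ("might be obtained with per_console_root_key_1?", "a derivation of this key going backwards"): whether a child key lets you recover its parent depends on which role the parent plays in the derivation step, not on AES itself. When the parent is the cipher key, going backwards is a key-recovery attack and only exhaustive search remains; when the parent is the data transformed under material the attacker can also read (a constant sitting in the loader), the step inverts trivially. Assumptions: HMAC-SHA256 stands in for AES as the keyed primitive so that only the standard library is needed; the labels, the root key value and the "loader constant" are made up for the demonstration.

```python
"""
Toy model of the PS3 per-console key chain (editor's illustration).

    per_console_root_key_0
      -> per_console_root_key_1 (EID_root_key)
        -> per_console_root_key_2 (EID0_key)
          -> per_console_root_key_n ...

HMAC-SHA256 stands in for AES as the keyed primitive (assumption: the
real derivation is AES-based per the wiki, but its exact shape is not
on the page).  Labels, key values and the loader constant are invented.
"""
import hashlib
import hmac

KEY_LEN = 16  # 128-bit keys, the size of one AES-128 key


def derive_child(parent: bytes, label: bytes) -> bytes:
    """One-way step: the parent is the PRF *key*, the label is public.

    Knowing `label` and the output tells you nothing usable about
    `parent` short of guessing it; this is the shape under which
    "going backwards" from key_1 to key_0 is not practical.
    """
    return hmac.new(parent, label, hashlib.sha256).digest()[:KEY_LEN]


def derive_chain(root_key_0: bytes, depth: int) -> list:
    """Return [key_0, key_1, ..., key_depth], each derived from the previous."""
    keys = [root_key_0]
    for i in range(1, depth + 1):
        keys.append(derive_child(keys[-1], b"per_console_key_%d" % i))
    return keys


def recover_parent_by_search(child, label, candidates):
    """The only way backwards through a one-way step: try parents.

    Succeeds only when the candidate space is small (a weak or partly
    leaked key); for a random 128-bit parent it is hopeless.
    """
    for cand in candidates:
        if hmac.compare_digest(derive_child(cand, label), child):
            return cand
    return None


def weak_step(parent: bytes, loader_const: bytes) -> bytes:
    """The invertible shape: the parent is the DATA, the key is a constant.

    Modelled as XOR with a keystream expanded from the constant, which is
    what AES-CTR under a fixed key reduces to.  Anyone who can read the
    constant out of the loader can run this step in reverse.
    """
    keystream = hashlib.sha256(loader_const).digest()[:KEY_LEN]
    return bytes(a ^ b for a, b in zip(parent, keystream))


def invert_weak_step(child: bytes, loader_const: bytes) -> bytes:
    """XOR is its own inverse, so recovering the parent is one call."""
    return weak_step(child, loader_const)


if __name__ == "__main__":
    # Constructed root key for the demo (a real one is per-console and secret).
    root_key_0 = bytes(range(16))
    key_0, key_1, key_2, key_3 = derive_chain(root_key_0, 3)
    print("EID_root_key :", key_1.hex())
    print("EID0_key     :", key_2.hex())

    # Backwards from key_1 to key_0: a search over a tiny candidate space
    # fails unless the real parent happens to be in it.
    guesses = (bytes([b]) * KEY_LEN for b in range(256))
    print("search found :", recover_parent_by_search(key_1, b"per_console_key_1", guesses))

    # The invertible shape: had key_1 been produced by transforming key_0
    # under a constant the attacker can read, key_0 falls straight out.
    child = weak_step(root_key_0, b"constant-in-isoldr")
    print("weak inverse :", invert_weak_step(child, b"constant-in-isoldr") == root_key_0)
```

The practical check this suggests before spending effort on "going backwards": read the actual derivation routine in isoldr and see which input the parent key feeds. If it is the AES key, the dumping approaches listed in the post (catch the key while metldr has copied it and before isoldr clears it) are the realistic route; if it is the plaintext under a constant the loader carries, the reverse step is a few lines on a PC.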
Tags:
modding
All Comments
By Skylar Davis at 2011-10-29T18:39
By Joseph at 2011-10-31T13:40
By Thomas at 2011-11-02T08:28
By Daph Bay at 2011-11-03T07:03
By Olga at 2011-11-04T05:58
By Anonymous at 2011-11-08T23:27
By Hedy at 2011-11-12T22:56
By Odelette at 2011-11-16T06:50
By Ursula at 2011-11-20T17:43
By Dorothy at 2011-11-21T22:07
By Robert at 2011-11-22T11:21
By Brianna at 2011-11-23T23:20
By Erin at 2011-11-27T13:56
By Necoo at 2011-11-30T14:54
By Emily at 2011-12-05T10:12
By Daniel at 2011-12-06T18:40
By Leila at 2011-12-07T05:28
By Susan at 2011-12-11T05:04
By Isla at 2011-12-14T10:22
By David at 2011-12-15T17:27
By Madame at 2011-12-19T23:36
By William at 2011-12-24T07:20
By Rosalind at 2011-12-25T00:53
By Victoria at 2011-12-25T06:54
By Edward Lewis at 2011-12-28T09:59
By Una at 2011-12-28T19:28
By Eden at 2011-12-31T19:36
By Sarah at 2012-01-04T08:23
By Sandy at 2012-01-05T05:17
By Jessica at 2012-01-05T21:12
By John at 2012-01-09T00:25
By Frederica at 2012-01-11T03:40
By Quintina at 2012-01-12T08:48
By Regina at 2012-01-14T12:04
By Kelly at 2012-01-15T08:23