Originally Posted by moogie
Depends on what you convert the console to. I am assuming to a debug unit. You would be able to use the features of a debug unit (obviously) such as RSX Profiling Debug, Target Manager etc. Debugs are able to execute FSELFs (fake-signed); an FSELF is neither signed nor encrypted, you do not need keys to FSELF an executable.
There are a number of ways of doing CEX-DEX; the one you are attempting is editing the target id in the IDPS field of EID0 and EID5. To decrypt eEID, you will need to get the per console keys: eid_root_key, eid0_key
You can get eid_root_key from either dumping metldr, or dumping the local storage of sector 0 when said key gets copied to it; you can achieve that by patching isoldr to do so.
You can obtain eid0_key through AES from eid_root_key.
You will also need some static keys that can be found in aim_spu_module.self and appldr.
Once you have all that, you will also need the EID algorithm to correctly re-encrypt eEID.
Per Console Keys - PS3 Development Wiki
Dumping Metldr - PS3 Development Wiki
Patched isoldr.self to dump the local storage of sector 0
And thanks for fueling this up, I thought people forgot about this option, turns out they didn't know how valuable it is xD
"Whoever has ears, let them hear."