Here are all of the PS3 console keys :p
per_console_root_key_0
metldr is decrypted with this key
bootldr is decrypted with this key
might be obtained with per_console_root_key_1? (largely speculative, not necessarily true; needs more investigation, and is based only on the behavior of the other derivatives known to be obtained through AES)
per_console_root_key_1 / EID_root_key
derived from per_console_key_0
stored inside metldr
copied to sector 0 by metldr
cleared by isoldr
Used to decrypt part of the EID
Used to derive further keys (per_console_key_0 is not the key being derived here; it is the key from which per_console_key_1 was derived)
can be obtained with a modified isoldr that dumps it
can be obtained with a derivation of this key going backwards
Obtaining It
Launch the patched isoldr with your preferred method, either Option 1 or Option 2.
Option 1 - Dumper Kernel Module
Modify glevand's spp_verifier_direct to dump the mbox to wherever_you_want
https://pastebin.com/uTBbnC9B (needs to be edited further)
insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
hd /ls.bin | less
Option 2 - Dumper Payload