Originally Posted by Waninkoko
1. Private keys can not be calculated for any firmware> = 3.56, and are NOT in any site, which for some are private (only the Sony has, and if we make a mistake it was thanks to them which they applied the algorithm So encryption of data and a few mathematical operations could calculate the private keys).
2. IF you can create a CFW 3.61, the only obstacle is to get the public keys, which can be drawn SI, with varying degrees of difficulty but you can. Each loader is encrypted with a private key and decrypted with the corresponding public key. But the lowest level loader in a FW is encrypted and decrypted with the root key, which is invariably because the root public key used to decrypt the loader is located in the metldr (obviously, the metldr will have to have the public key to decrypt the loader) and metldr NOT be updated in any way, so that the root key can not be changed from one version to another firmware because it is sad if any.
So if you want to create a CFW of 3.61, changing the LV2 to add new features, we have to go hacking the chain of loaders to get on. Example:
METLDR -> LV0LDR -> LV0 -> LV1LDR -> LV1 -> LV2LDR -> LV2
More or less this is the chain of loaders (do not know if there is some small variation in FW 3.61).
METLDR, as I said, NO you can update.
METLDR LV0LDR decode the root key (LV0LDR loader is the lowest level, if we do not have to METLDR) and executes it.
LV0LDR LV0 decode the LV0-key (this key if you can change between versions of firmware as LV0LDR SI is upgradeable and can therefore LV0 encrypt a private key and update LV0LDR to decode it with the new corresponding public key) and runs.
Decrypts LV0 LV1LDR ….
LV2 LV2LDR decrypts the lv2-key and executes it.
Therefore, if you want a CFW, we need to decipher LV0LDR (with the root key, which geohot public and will never change), change LV0LDR change LV0 decryption key (the change of a key that is capable of decoding a LV0 encrypted with a private key that we DO know … that private key? anyone, as if we generate a key), encrypt LV0LDR with the root key, and we can modify LV0 to our liking and is now LV0 deciphered with a different public key, which we know the private key. And so we change the whole chain to LV2, modify and recifrarlo with the new key we’ve chosen.
Well, that’s the way broadly told (when I say encrypt / decrypt, I do not mean the contents of the loaders, because it works with AES encryption and symmetric and there is no question of public / private key, but I mean really at the head of such loaders, for signature, which uses RSA keys is where public / private partnerships, with the sole purpose of checking that these loaders have NOT been changed).
In the case of FW 3.61 the track is a bit more complex as there are RSA public key and AES keys that are easy to obtain, but hey, there are methods to obtain, there are people who have them, and therefore it is not impossible .
Now, we must take into account that a CFW can be installed only if the console is in a FW 3.55 or lower, because higher versions will make use of a new updater, which verifies the upgrade package (internal data the PUP, so I understand) by checking with new firms (which had not previously existed and are now mandatory) which we have neither the public nor the private key (the public can take, but privately we can forget and here no no chain so we can prevent this … the updater is a separate application of FW and no longer has to do with the above explained).
Said this last, some will think that if the upgrade to a CFW 3.56/3.60/3.61 and thou mayest not reinstall any other CFW (that is, you stay forever in that CFW or FW actualizais an official). The answer is yes, but hey, is not inevitable and that, in creating this CFW, we can modify the VSH (or one) to use the old updater (which does not check new firms and therefore we have no obstacle to install new CFW), or modify the APPLDR to allow us to load the new updater but modified to not check signatures (the new updater can be changed, of course, but also need to modify our FW APPLDR currently installed to the recifrar updater with a private key known and APPLDR then be able to decrypt and run).
And that’s all.
This may be useful for some people out there, who are working – or trying to work – on a new CFW.