Here is jaicrab's key finder hexedited in english. I just don't know spanish and I used google translate..
Everything makes sense except this "Mensaje" thing which translates to "Message".. I guess this means something else huh?
Quotes from twitter:
@Mathieulh I have a hard time believing they'd use only HMAC to sign PUPs. Unless they're totally retarded. Which could be, for all I know.
@marcan42 It's not actually, but I have no idea why geohot isn't showing up. The hmac key to resign pups is in software_update_plugin.sprx
@marcan you can swap the pup's tarballs to have the 3.21 vsh on top of the 3.15 coreos, then swap the tarball with sysconf_plugin.sprx.
@marcan42 that's how geohot's "cfw" is done, though I have never seen the point in such a hack, it could be stopped by sony in next updates.
@marcan42 they are, the pups are just containers, the files in them are then signed but you can swap one signed file for another
@marcan42 what was much more stupid of them was to put the key in a vsh's prx rather than in the application loader.
@marcan42 of course the tarballs and the updater self inside the pups are all encrypted with the self crypto and have a stronger signature.
Does this file also reside inside the update PUPs? And if so, inside which .pkg (from the tar) is it in?
Well, I guess using the memory exploit you can have access to these files and from what I understand they are decoded (or are able to be decoded by using metldr or coldboot attack on lv2).
@marcan42 I agree with you, and I predict that the hybrid fw was premature... flashing nand with mem patched hv, rather than a pup.
@RichDevX But, couldn't we change the pup that detects it?
@Omega191 it's also very simple to detect hybrid fw...
@Omega191 it's not a pup issue, the hard coded version numbers would be different. VSH/PRXs would be much newer than the kernel/hv
@Omega191 it can be checked with a single syscall, which is also available to games
Hopefully those twitter messages will help and hopefully something will be found out soon.