I had a few questions, and a thought regarding a tactic to gain access to the isolated SPE. Maybe the more knowledgeable devs can clarify if I'm just talking out of my a$$ here...
We know the Jailbreak allows for the running of unsigned code in game/user mode. But I have a few questions...
A) When the Jailbreak is activated upon system boot, is the code loaded during this, the runtime secure boot phase, or is it run after the fact?
B) If the answer is yes to loading during RSB, would it be possible to execute a program to make brute force calls repeatedly to the isolated SPE to try to break the encryption in normal game mode, or would it need to be elevated to LV2 to execute code against the SPE?
C) Would that software be able to make repeated hits against the "door" of the isolated SPE, or would the system lock out the application upon the first knock?
D) Are we yet aware of exactly what encryption schema the SPE utilizes (SHA1, MD5, etc)?
The idea I'm getting at here is, now that we can run unsigned code, I'm wondering if there might be a way we can use a combination of cloud computing and brute force methods to determine the encryption keys, by having the application make validation requests to the isolated SPE. If we could have hundreds of PS3s with Jailbreaks attempting to brute force the isolated SPE by throwing hashes at it, I'm curious how long it might take before one of them got lucky and found the correct key against said SPE.
Again, if my understanding of how the PS3's security works in regard to running in isolation mode and encryption is incorrect, feel free to correct me.