Thread: PlayStation 3
30th March 2018, 11:28   #21
candela
Registered User
 
Join Date: Jun 2005
Posts: 259
But isn't it likely that the bd+ module just asks the aacsmodule to perform some AES calculation with bd+ keys, just like the bdplayer does for the regular aacs? Then it would make sense to store bd+ keys also in the aacs module. There's a list of commands on ps3devwiki. Although it does say it's not a complete list, I'm wondering why there are no commands like "get volume unique/unit key", or would the aacsmodule decrypt the video streams internally? Anyway, array1 is present since FW4.00 and is still the same in FW4.82. If we assume it's in the same relative location to the host certificate in FW3.50, we can find a different array1 in FW1.02-3.76. So I don't think it's going to help getting device keys from FW4.50.

My AES knowledge is extremely limited, but I keep reading that for AES-CTR using the same IV multiple times is unsafe. Can we exploit this somehow if we assume:
- FW4.50 still uses aes-ctr to encrypt the device keys (but with unknown aes-ctr-key/iv)
- FW4.50 has the same device keys as FW4.46 (because the device key masks are the same)
- FW4.50, FW4.53, FW4.70 use the same aes-ctr-key/iv to encrypt the device keys (because we can see some identical encrypted device keys if we compare the 4048 byte block)

The main hint on ps3devwiki is still the "private key enc/dec" which only appears since FW4.50.

Last edited by candela; 30th March 2018 at 11:37.