@Reisyukaku
Last active April 14, 2018 13:19
Dump ClCert+Privk
// Flat script: reads the device's SSL private key and client certificate
// through the `set:cal` service, asks `spl:` to decrypt the key blob, and
// writes both results to files. `sc` and `utils` are provided by the
// surrounding environment and are not defined on this page.
//
// Buffer sizes are fixed here and reused verbatim in the descriptors below;
// keep them in sync if any of them changes.
var bufPrivk = sc.malloc(0x134);
var bufCert = sc.malloc(0x804);
var bufOut = sc.malloc(0x100);
// Command 16 fills bufPrivk (0x134 bytes) via a B descriptor; assertOk() aborts
// the script on a failed response, in which case the sc.free() calls at the
// bottom are never reached (buffers leak in that path).
sc.ipcMsg(16).bDescriptor(bufPrivk, 0x134, 0).sendTo('set:cal').assertOk(); //set:cal#GetSslKey
utils.log('Obtained SSL key.');
// Command 17 fills bufCert (0x804 bytes) the same way.
sc.ipcMsg(17).bDescriptor(bufCert, 0x804, 0).sendTo('set:cal').assertOk(); //set:cal#GetSslCert
utils.log('Obtained SSL cert.');
// The first 4 bytes of the returned certificate buffer are skipped and the
// remaining 0x800 bytes are written out as DER. The 4-byte prefix is
// presumably a length/header word — not confirmed by anything on this page.
sc.memdump(utils.add2(bufCert, 4), 0x800, 'clcert.der');
// Command 2 on `spl:` returns a key-encryption key; keyx[0..3] are the four
// 32-bit words of that response that the next request consumes. The constants
// passed here are the author's; their meaning is not documented on this page.
var keyx = sc.ipcMsg(2).data([0x84b05b7f, 0x67aa257b], [0xe24bc8fa, 0x03697b3d], [0, 0x20]).sendTo('spl:').assertOk().dataBuffer; //spl:#GenerateAesKek
utils.log('Generated KEK (KeyX)');
// Command 13 is built but NOT sent yet: the 0x130-byte payload at bufPrivk+4
// goes in via an X descriptor, the decrypted result is to land in bufOut
// (0x100 bytes) via a C descriptor.
var dec = sc.ipcMsg(13).xDescriptor(utils.add2(bufPrivk, 4), 0x130, 1).cDescriptor(bufOut, 0x100).data([keyx[0], keyx[1]], [keyx[2], keyx[3]], [0xF43B389A, 0x81BDD031], [0xA94B5332, 0xE37D3964], [1]); //spl:#DecryptPrivk
// The request is serialised by hand and individual 32-bit words of the packed
// message are overwritten before it is copied into sc.ipcBuf. The author's
// comment suggests the helper's own C-descriptor encoding was not usable; the
// meaning of each patched offset is not shown here, so treat this as
// environment-specific and verify against the helper's pack() before reusing.
// bufOut[0] / bufOut[1] are read as two 32-bit halves of the buffer address —
// assumes sc.malloc() returns a [lo, hi] pair; confirm against sc.
dec.packed = dec.pack();
dec.packed[0x4 >> 2] = 0xC12;
dec.packed[0x48 >> 2] = 0;
dec.packed[0x4C >> 2] = 0;
dec.packed[0x54 >> 2] = 0x100;
dec.packed[0x58 >> 2] = (bufOut[0])
dec.packed[0x5C >> 2] = (bufOut[1] & 0xFFFF) | (0x100 << 16)
sc.ipcBuf.set(dec.packed); //Thanks to SciresM for help with cDescriptor meme hell
// No assertOk() on this send — a failed decrypt is only visible in show()'s
// output, and the file below is written regardless of the response.
dec = dec.sendTo('spl:');
dec.show();
utils.log('Decrypted key!');
// NOTE(review): bufOut was allocated with 0x100 bytes and the C descriptor
// above is 0x100 bytes, but 0x130 bytes are dumped here — the tail 0x30 bytes
// lie past the allocation. Confirm the intended length (0x100 vs 0x130).
sc.memdump(bufOut, 0x130, 'privk.bin');
// Release in reverse order of allocation is not required here; the three
// buffers are independent.
sc.free(bufPrivk);
sc.free(bufCert);
sc.free(bufOut);