The main purpose of this toolkit is to help with internal HDD decryption and mounting. Of course You can find a few more magical scripts here, but mainly it was designed to calculate decryption keys and automate the whole painful process of mounting ALL partitions with read & write permissions.
Those who want to know how to do it manually, or who need a complete guide, should read my tutorial.
If You are only interested in reading data and do not care about access to some raw partitions or service tasks, just use PS3 HDD Reader written by 3141card (aka Picard). It is far easier to use!
PS3 HDD & NAND Keygen: calculates ATA, VFLASH and FLASH keys from ERK.
PS3 HDD Mounter: creates mappers and mounts filesystems.
PS3 HDD Mounter (Read Only): like above but read only, as the name suggests. ;)
PS3 HDD Mounter (Missing PS3PT): like above but for drives initialized by Windows.
PS3 HDD Umounter: unmounts filesystems and removes mappers.
PS3 HDD Umounter (Missing PS3PT): like above but for drives initialized by Windows.
PS3 HDD Tasker: performs various HDD-related tasks.
PS3 HDD Backuper: backs up important data from HDD.
PS3 HDD Dumper: dumps HDD, partitions or sub-partitions.
PS3 HDD Expander: expands UserData partition on cloned drives (currently unsafe to use).
PS3 NAND Mounter: creates mappers and mounts filesystems from eFlash.
PS3 NAND Umounter: unmounts filesystems and removes mappers.
PS3 ODD Keygen: creates Drive Key or extracts EID Root Key from Drive Key.
PS3 LV1 & LV2 Crawler: extracts Open PSID key from LV1 or LV2 memory dump.
PS3 KO Manager: automates kernel module compiling and loading.
Unattended*: scripts for people who know what they are doing. :P
PS3 Reporter: helps with troubleshooting in case You have problems mounting stuff.
You need the EID Root Key (or ERK for short) for most operations. It is one of the two most important keys which You can get from Your console, and the one which is very tightly secured by the console itself. You see, ERK is the first 48 bytes of metldr. The problem here is that the meta loader is encrypted with some unknown key (probably, hypothetically, the Cell key), so not only can it not be decrypted outside the PS3, it also cannot be retrieved without tricking the PS3 into exposing it in already decrypted form from the SPU (and this is what metldrpwn and all GameOS level exploits do).
So for now, to get this precious, You need LV1 access and a working console. In other words, You need CFW installed (HAN or HEN in their current forms don’t exploit the HV) and a fully functional PS3 (no luck for a dead one). ERK can be dumped on OtherOS via metldrpwn (to be precise, the whole metldr is dumped) or on GameOS via Rebug Toolbox on Rebug CFW (Rex/D-Rex/Lite) or Evilnat toolbox on Evilnat CFW.
All the scripts listed above need some dumps, keys and kernel modules to operate. Depending on the task, You need to put different files in specified directories.
eid_root_key.bin filename.
nand.bin, nand_decr.bin or nor.bin filenames.
lv1.bin or lv2.bin filenames.
Run PS3 KO Manager, compile and load modules. Then run PS3 HDD Mounter and “follow the damn train CJ”. ;) After You are done, remember to run PS3 HDD Umounter if You don’t want to format the HDD once it is back in the console. :P
If for some reason You cannot mount stuff, run PS3 HDD Reporter and paste the whole output on some forum. This will show the others what was decrypted etc. and where the script didn’t do its magic for You.
If You want to remove the OtherOS bootloader (in case You cannot, for various reasons, boot to GameOS); if You want to increase available space on dev_hdd0/ (this operation will break all restoring options in Factory Mode (aka Recovery)); if You want to change the maximum size of the HDD (in case Your HDD exceeds the supported size, e.g. 2TB); or if You want to back up PS3PT to be prepared for Windows disk initialization: run PS3 HDD Tasker.
Run PS3 KO Manager, compile and load modules. Then run PS3 NAND Mounter and… well, for now You can decrypt eFlash and dump it to a file for data recovery and forensic tools (e.g. IsoBuster or DMDE). The problem here is that eFlash on NAND uses non-standard FAT12 and FAT16 (unlike VFLASH on NOR), which are unsupported by most tools known to me, including the Linux kernel vfat module. Possibly there is a factor I don’t know about, so enlighten me if You have more information about it!
To clean up the loop device and mapper, run PS3 NAND Umounter.
Drive Key is used for ODDE and for decrypting 1:1 BD-ROM disc images on PC. It is not very useful today; however, it contains ERK, which can be extracted, so it can still be useful when someone dumped it on CFW 3.55, later his console died, and he wants his data back but didn’t read ERK while he still had the chance. In such a case, Drive Key will be his salvation.
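To narrow down why a decrypted eFlash dump is rejected by a FAT driver, it helps to read the boot sector fields yourself. The following is an added example, not part of the toolkit: it parses the standard FAT12/FAT16 BIOS Parameter Block and lists which fields break the published FAT specification. `inspect_fat` and `make_sample` are hypothetical names, and the sample sector is constructed; it says nothing about what a real PS3 eFlash contains.

```python
import struct

# FAT12/FAT16 BIOS Parameter Block: 25 bytes at offset 11 of the boot sector.
BPB = struct.Struct("<HBHBHHBHHHII")
NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "num_fats",
         "root_entries", "total16", "media", "fat_size16", "sectors_per_track",
         "heads", "hidden_sectors", "total32")

def inspect_fat(image: bytes, offset: int = 0) -> dict:
    """Parse the boot sector at `offset`; return fields, FAT type and spec violations."""
    sector = image[offset:offset + 512]
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    f = dict(zip(NAMES, BPB.unpack_from(sector, 11)))
    bps, spc = f["bytes_per_sector"], f["sectors_per_cluster"]
    checks = [  # (violated?, message), following the published FAT specification
        (sector[510:512] != b"\x55\xaa", "boot signature 0x55AA missing"),
        (bps not in (512, 1024, 2048, 4096), "bytes_per_sector not 512/1024/2048/4096"),
        (spc == 0 or spc & (spc - 1), "sectors_per_cluster not a power of two"),
        (f["reserved_sectors"] == 0, "reserved_sectors is zero"),
        (f["num_fats"] == 0, "num_fats is zero"),
        (f["media"] != 0xF0 and f["media"] < 0xF8, "media descriptor outside 0xF0, 0xF8-0xFF"),
        (f["fat_size16"] == 0, "fat_size16 is zero (FAT32 layout or not FAT)"),
    ]
    issues = [msg for bad, msg in checks if bad]
    fat_type = None
    if bps and spc and f["fat_size16"]:
        # The FAT type is defined by the cluster count alone, not by any label string.
        total = f["total16"] or f["total32"]
        root_sectors = (f["root_entries"] * 32 + bps - 1) // bps
        data = total - f["reserved_sectors"] - f["num_fats"] * f["fat_size16"] - root_sectors
        if data <= 0:
            issues.append("no room for a data region")
        else:
            clusters = data // spc
            fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"fields": f, "fat_type": fat_type, "issues": issues}

def make_sample(**overrides) -> bytes:
    """Constructed boot sector for demonstration; not taken from a PS3 dump."""
    vals = dict(zip(NAMES, (512, 4, 1, 2, 512, 8192, 0xF8, 6, 32, 2, 0, 0)))
    vals.update(overrides)
    sector = bytearray(512)
    BPB.pack_into(sector, 11, *(vals[n] for n in NAMES))
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print(inspect_fat(make_sample(media=0x00, sectors_per_cluster=3))["issues"])
```

Pass the bytes of a decrypted dump and the byte offset of the partition to `inspect_fat`; an empty `issues` list means the header itself is conformant and the incompatibility lies elsewhere.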
Run PS3 ODD Keygen.
Open PSID is used to secure unprotected System Backup archives (protected ones use IDPS, and this is the reason why data from them cannot be restored on a different PS3).
Run PS3 LV1 & LV2 Crawler.
What are Fat, Slim and Super Slim models, and what do NAND, NOR and eMMC mean? Fat models are those huge PS3s. The first series have 256MB NAND Flash memory, while newer ones have 16MB NOR Flash memory. Slims are newer and were shipped only with NOR chips. The newest models are Super Slim, and they can come with a NOR chip like the older ones or with 16GB eMMC. It is important to choose the proper model for both key generation and mounting.
Q: Are You the author of the method, tools and shit?
A: Obviously NO. I’m a humble Graphic Artist and IT Specialist, not a Programmer, Reverse Engineer or even a Linux master hiding in a basement. I’m a Prometheus who brings You the fire, just remember not to burn someone else with it. ;)
Q: Can I use toolkit for pirating games?
A: No…
Q: Can I use it in WSL2?
A: Yes.
Q: Can I use it on FreeBSD?
A: I’m not familiar with the BSD family. If You can find equivalents there for loading kernel modules, multipath-tools with PS3PT support (PS3 uses a custom partition table), kpartx, lsblk, mappers and dmcrypt (Geli?) - only then can You port and use the scripts. However, You can expose mappers to QEMU, on which FreeBSD can run.
To Graf Chocolo for his invaluable contribution to PS3 reverse engineering and Linux support (it’s thanks to him that kpartx supports PS3 partition table and it’s thanks to him that we know how to decrypt data).
To Mathieulh for the metldrpwn exploit (it’s thanks to him that the easy-to-use ERK dumper was created).
To 3141card for HDD Reader and a number of comments on the algorithms used.
To Decaf Code for rewriting dmbswap16 and adapting it to current kernels.
To Sguerrini97 for correcting my old script and rewriting bswap16 from the original kernel module (incompatible with current kernels) to a program that communicates with the nbd-client (on which I based the first version of the tutorial).
To Gmipf for compiling the UFS module for Ubuntu 19.10, for the bswap16-ecb patch for Linux 6.4.x and for PS3PT dumps.
To Duduś for the script that compiles the modules for WSL2.
To Olokos for helping to customize KO Manager for Debian.
To Andshrew for helping with script and QA of Expander.
To Einsteinx2 for the tutorial describing the unlocking of 8% free space on the hard drive.
To GuilloteTesla for continued help with bash troubleshooting. :}
To Iridule for QA testing of the scripts.
To Yugonibblit and Haxxxen for HDD and NAND dumps to validate the algorithms used to generate ATA and Flash Key for consoles with NAND.
To Bleepbleep for PS3PT dumps.
To Mlody95pl for pointing out an error in the tutorial and compiling the UFS module.
Berion
2023-12-07