The main purpose of this toolkit is to help with internal HDD decryption and mounting. Of course You can find a few more magical scripts here, but mainly it was designed to calculate decryption keys and automate the whole painful process of mounting ALL partitions with read & write access.
Those who want to know how to do it manually, without any scripts, should read my tutorial, and those smart asses who don’t need tutorials should just look for the quick guide attached in the above forum thread.
If You are only interested in reading data and do not care about access to some raw partitions, just use PS3 HDD Reader written by 3141card (aka Picard). It is far easier to use!
PS3 HDD & NAND Keygen.sh calculates ATA, VFLASH and FLASH keys from ERK.
PS3 HDD Mounter.sh creates mappers and mounts filesystems.
PS3 HDD Mounter Micro.sh - like above but UFS2 only.
PS3 HDD Umounter.sh unmounts filesystems and removes mappers.
PS3 HDD Reporter.sh helps with troubleshooting in case You have problems mounting stuff.
PS3 HDD Tasker.sh performs various HDD-related tasks.
PS3 NAND Mounter.sh creates mappers and mounts filesystems from eFlash.
PS3 NAND Umounter.sh unmounts filesystems and removes mappers.
PS3 ODD Keygen.sh creates a Drive Key or extracts the EID Root Key from a Drive Key.
PS3 LV1 & LV2 Crawler.sh extracts the Open PSID key from an LV1 or LV2 memory dump.
PS3 KO Compiler.sh automates compiling of kernel modules.

You need the EID Root Key (ERK for short) for most operations. It is one of the two most important keys which You can get from Your console, and the one which is very tightly secured by the console itself. You see, ERK is the first 48 bytes of metldr. The problem here is that the meta loader is encrypted with some unknown key (probably a hypothetical Cell key), so it not only cannot be decrypted outside the PS3 but also cannot be retrieved without tricking the PS3 into exposing it in already decrypted form from the SPU (and this is what metldrpwn and all GameOS-level exploits do).
So for now, to get this precious, You need LV1 access and a working console - in other words, You need CFW installed (HAN and HEN in their current forms do not exploit the HV) and a fully functional PS3 (no luck with a dead one). ERK can be dumped on OtherOS via metldrpwn (to be precise, it dumps the whole metldr) or on GameOS via Rebug Toolbox on Rebug CFW (Rex/D-Rex/Lite) or Evilnat toolbox on Evilnat CFW.
All of the scripts listed above need some dumps, keys and kernel modules to operate. Depending on the task, You need to put different files in the specified directories.
eid_root_key.bin filename.
bswap16-ecb.ko and ufs.ko filenames. You must compile both yourself to match the kernel version of Your Linux distribution. A version mismatch makes them fail to load. bswap16 is MANDATORY for HDD decryption; ufs is OPTIONAL, providing only write permissions on the UFS2 partition (dev_hdd0/).
nand.bin, nand_decr.bin or nor.bin filenames.
lv1.bin or lv2.bin filenames.

Run PS3 HDD Mounter and “follow the damn train CJ”. ;) After You are done, remember to run PS3 HDD Umounter if You don’t want to format the HDD after it goes back to the console. :P
If for some reason You cannot mount, run PS3 HDD Reporter and paste the whole output on some forum. This will show others what was decrypted etc. and where the script didn’t do its magic for You.
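The file requirements above can be checked before running the mounter. The following is an added example, not part of the toolkit: it verifies that an ERK file is exactly 48 bytes and not a constant-fill dump, and that a kernel module was built for the running kernel release. The function names are hypothetical, file paths are supplied by the caller, and it assumes `modinfo` and `uname` are available.

```shell
#!/bin/sh
# Added example, not part of the toolkit; file paths are supplied by the caller.
ERK_SIZE=48   # per the page: ERK is the first 48 bytes of metldr

# check_erk FILE: 0 if FILE is exactly 48 bytes and not one repeated byte
# (a constant-fill file is a failed dump, not a key).
check_erk() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$ERK_SIZE" ] || { echo "$f: $size bytes, expected $ERK_SIZE" >&2; return 2; }
    distinct=$(od -An -v -tx1 "$f" | tr -s ' ' '\n' | grep -v '^$' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -gt 1 ] || { echo "$f: constant fill, not a key" >&2; return 3; }
}

# vermagic_matches VERMAGIC RELEASE: the first word of a module's vermagic
# string is the kernel release it was built for.
vermagic_matches() {
    [ "${1%% *}" = "$2" ]
}

# check_module FILE.ko: 0 if the module was built for the running kernel.
check_module() {
    ko=$1
    [ -f "$ko" ] || { echo "missing: $ko" >&2; return 1; }
    vm=$(modinfo -F vermagic "$ko") || return 2
    vermagic_matches "$vm" "$(uname -r)" || {
        echo "$ko: built for ${vm%% *}, running $(uname -r)" >&2; return 3; }
}

# preflight ERK BSWAP16_KO [UFS_KO]: bswap16-ecb.ko is mandatory, ufs.ko optional.
preflight() {
    check_erk "$1" || return 1
    check_module "$2" || return 1
    if [ -n "${3:-}" ] && ! check_module "$3"; then
        echo "ufs.ko not usable: no write access to UFS2" >&2
    fi
    echo "preflight OK"
}

if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh eid_root_key.bin bswap16-ecb.ko ufs.ko` from wherever those files are kept; the script name is a placeholder.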
If You want to remove the OtherOS bootloader (in case You cannot boot to GameOS for various reasons); if You want to increase the available space on dev_hdd0/ (this operation will break all restore options in Factory Mode (aka Recovery)); if You want to change the maximum size of the HDD (in case Your HDD exceeds the supported size, like 2TB); if You want to back up PS3PT to be prepared for Windows disk initialization - then run PS3 HDD Tasker.
Run PS3 NAND Mounter and… well, for now You can decrypt eFlash and dump it to a file for data recovery and forensic tools (e.g. DMDE). The problem here is that eFlash on NANDs uses non-standard FAT12 and FAT16 (unlike VFLASH on NORs), which are unsupported by most tools known to me, including the Linux kernel vfat module. Alternatively, there is some factor I don’t know about, so enlighten me if You have more information about it!
To clean up the loop device and mapper, run PS3 NAND Umounter.
The Drive Key is used for ODDE and for decrypting 1:1 BD-ROM disc images on PC. It is not very useful today; however, it contains ERK, which can be extracted, so it can still be useful when someone dumped it on CFW 3.55, his console later died, and he wants his data back but didn’t read ERK while he still had the chance. In such a case, the Drive Key will be his salvation.
Run PS3 ODD Keygen.
Open PSID is used to secure unprotected System Backup archives (protected ones use IDPS, which is why data from them cannot be restored on a different PS3).
Run PS3 LV1 & LV2 Crawler.
What are the Fat, Slim and Super Slim models, and what do NAND, NOR and eMMC mean? Fat models are those huge PS3s. The first series have 256MB NAND Flash memory, while newer ones have 16MB NOR Flash memory. Slims are newer and were shipped only with NOR chips. The newest models are Super Slim, and they come either with a NOR chip like the older ones or with 16GB eMMC. It is important to choose the proper model for both key generation and mounting.
Q: Are You the author of the method, tools and shit?
A: Obviously NO. I’m a humble Graphic Artist and IT Specialist, not a Programmer, Reverse Engineer or even a Linux master hiding in a basement. I’m a Prometheus who brings You the fire, just remember not to burn someone else with it. ;)
Q: Can I use the toolkit for pirating games?
A: No…
Q: Can I use it in WSL2?
A: Only if You are able to compile bswap16-ecb (needed, of course, only for HDD decryption). Last time I checked the available kernel sources, it wasn’t possible.
Q: Can I use it on FreeBSD?
A: I’m not familiar with the BSD family. If You can find equivalents there for loading kernel modules, multipath-tools with PS3PT support (the PS3 uses a custom partition table), kpartx, lsblk, mappers and dmcrypt (Geli?) - only then can You port and use the scripts. However, the last time I exposed a decrypted UFS2 partition, I wasn’t able to mount this filesystem (tried on GhostBSD). So it is really hard for me to judge; ask someone experienced with FreeBSD.
Berion
2023-01-28