HDD Keys generating scripts

Discussion in 'General PS3 Discussion' started by Berion, Sep 14, 2016.

  1. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    Success. :D Fats defeated.

    Keys generation method for Fat and Slims is a little bit different. Problem was input length in ADK which is 24, not 16 (so the hdd key end with 48B not 32).
    And of course cryptosetup must be feed by aes-cbc-null with 192.
     
    DeViL303, aldostools, Algol and 3 others like this.
  2. 91
    26
    37
    fresh

    fresh Member

    Joined:
    Sep 7, 2018
    Messages:
    91
    Likes Received:
    26
    Trophy Points:
    37
    Yeah! Cool, touchdown!
    ^^
     
  3. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    @fresh Thanks. Finally works. Jezus, this was tricky for me.

    - - -
    So... if someone is curious, this is partition list from CECHL04:

    ps3hdd_norfat_decrypted.png

    - - -
    And this is final version (?) of the script. If someone maintain the wiki, please add to it (maybe in HDD encryption section as attachment?). Procedure is in commented section if someone need step by step, yet condensed tutorial. Script can generate mass storage keys for FATs (both NAND and NOR) and Slims (CECH-2xxx only). As additional feature, can check if installed software properly generating keys (not much useful but oh, well, maybe someone find it handy).

    ps3hdd_keygen_1.3.png

    //attachment was removed, newest version in first post
     
    Last edited: Apr 26, 2020
    DeViL303, aldostools and fresh like this.
  4. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    Version 1.4:
    • added Arcade (GECR-xxxxx) support (at least for GECR-1500/System 357C)
    • added "hidden" mode to delete all key files (excluded ERK) by pressing "x" instead of number
    Thanks for @3141card for help and samples.

    - - -

    So, there are left (true)DEX and DECR stations. Is ERK dumping method on them is known? There is CFW Rebug DECR - is Rebug Toolbox works on them, especially this feature? I would experiment with pleasure with them if someone could provide me some samples (ERK+2MiB HDD dumps). For various models if possible.

    Have someone access to prototypes?

    @Joonie @habib

    //attachment was removed, newest version in first post
     
    Last edited: Apr 26, 2020
  5. 80
    30
    42
    gmipf

    gmipf Member

    Joined:
    Jan 11, 2015
    Messages:
    80
    Likes Received:
    30
    Trophy Points:
    42
    @Berion I have a DECHSA00A and a DECHA00A. Can I provide the internal encryption key for your script? My main question is: Can I mount /dev_hdd0/ on a Linux PC in read-write mode?
     
    Last edited: Jan 24, 2020
  6. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    @gmipf If You are be able to get EID Root Key, then probably yes (this depend of used seeds and algorithms but highly possible they are the same as on CEX and DEX). Just to be precise: ERK is unique per unit (except Arcade models).

    Write support depend of used kernel (UFS2 write must be turned on because main partition using UFS2, default setting is read only).

    Would You kindly send me first 2MiB of theirs HDD and theirs ERK? They doesn't contain any private data. I would like to check decryption. Especially I'm curious about Test model (maybe they using also static ERK like Arcades?).
     
    Last edited: Aug 11, 2019
  7. 80
    30
    42
    gmipf

    gmipf Member

    Joined:
    Jan 11, 2015
    Messages:
    80
    Likes Received:
    30
    Trophy Points:
    42
    Sent you a PM with the HDD&ERK dumps. UFS2 write support is unstable on Linux. I think I will try the decryption on FreeBSD.
     
    jcorrea and Berion like this.
  8. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    In theory yes but I don't really follow the changes in kernel fs so maybe it is just not tested well enough. UFS2 is default turned on in Psxitarch for PS4 with easy pre-setup mount point (loader doing dump EAP Key which is used to some partitions decryption on PS4HDD) so maybe it is not untrusty as warnings says.

    On BSD family we have Geom and Geli but the problem is that there is no tool to convert LE to BE on the fly. FreeBSD would be perfect for this task but that's the flaw here. Grafchocolo has wrote bswap16.ko for this task, later it was rewrite to userland app which talking with nbd-client/server. If we could get the same functionality on BSD, decryption should be easy and write trusted as UFS family are native for BSD systems.


    PS: Thank You very much for the dumps, I'll try them and let You know about the results.
     
    gmipf and jcorrea like this.
  9. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    Version 1.6

    changes since v1.4:
    - removed unsupported models from script
    + new menu with more details supported units
    + new units added
    f re-factorized menu
    f changed filename from "hdd_key.bin" to "ata_key.bin"

    ps3keygen_scr_16a.png
    ps3keygen_scr_16b.png

    - - -
    mentions: @gmipf @justanyone @sandungas

    //attachment was removed, newest version in first post
     
    Last edited: Apr 26, 2020
    jolek, gmipf, sandungas and 3 others like this.
  10. 13,070
    5,234
    647
    pinky

    pinky Retired Developer

    Joined:
    Mar 8, 2015
    Messages:
    13,070
    Likes Received:
    5,234
    Trophy Points:
    647
    Gender:
    Male
    Location:
    The Great Gig in the Sky
    I like the shout out to John Snow. I've watched up to season 6 I believe.
     
    Berion likes this.
  11. 1,245
    1,317
    272
    littlebalup

    littlebalup Developer PSX-Place Supporter

    Joined:
    Oct 16, 2014
    Messages:
    1,245
    Likes Received:
    1,317
    Trophy Points:
    272
    Location:
    43°36'16.0"N 1°26'36.1"E
    What about CECH-21xxx ?
    ;)

    maybe better to say CECH-20xxx and CECH-21xxx than CECH-2xxxx
     
  12. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    @littlebalup Are You imply that there was 20xx or 21xx which have stock fw 3.60? Because if not, 2xxx is ok as covering up whole 2xxx line (20xx, 21xx, 25xx), from which ERK can be retrieved.


    BTW: I'll be glad if someone could point me spelling/grammar errors in above screenshots (if there are any, but high probably there are many :D).
     
  13. 22
    2
    7
    justanyone

    justanyone Forum Noob

    Joined:
    Aug 11, 2019
    Messages:
    22
    Likes Received:
    2
    Trophy Points:
    7
    i am getting this error for some reason, however i have ERK.bin file in directory
     

    Attached Files:

    • hmmm.png
      hmmm.png
      File size:
      100.4 KB
      Views:
      110
  14. 13,070
    5,234
    647
    pinky

    pinky Retired Developer

    Joined:
    Mar 8, 2015
    Messages:
    13,070
    Likes Received:
    5,234
    Trophy Points:
    647
    Gender:
    Male
    Location:
    The Great Gig in the Sky
    do you have known extensions hidden? you might have eid_root_key.bin.bin. also, I found a bug with openssl when using c2d (not sure if it's like that here), but openssl.exe needs to have "run as administrator" checkmarked otherwise it will look in the wrong location for the cfg. I think it's a windows 10 bug (not sure).
     
    Last edited: Aug 12, 2019
  15. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    @pinky Pinky, he using "Ubuntu", not "Ubuntu on WSL" and such problems as You mentioned in Linux word doesn't exist. ;p

    @justanyone That's strange. I have uploaded new version. Changes are:
    + new option (please choose "7" and paste the results)
    + added clearing constants on script ending (maybe that was the problem? I never experienced it)

    Jesus! Almost 4:00 am for me now. I'm dying. But this should works now. ;p

    //attachment was removed, newest version in first post
     
    Last edited: Apr 26, 2020
  16. 13,070
    5,234
    647
    pinky

    pinky Retired Developer

    Joined:
    Mar 8, 2015
    Messages:
    13,070
    Likes Received:
    5,234
    Trophy Points:
    647
    Gender:
    Male
    Location:
    The Great Gig in the Sky
    oh, I didn't notice, sorry. I was just remembering some of the stuff from c2d with the eid_root_key.
     
  17. 22
    2
    7
    justanyone

    justanyone Forum Noob

    Joined:
    Aug 11, 2019
    Messages:
    22
    Likes Received:
    2
    Trophy Points:
    7
    here are my results.
    maybe there is a problem with my linux distro? which linux do you use?
    or someone could teach me how to use this tool in windows 10 ubuntu because i haven't found how to make openssl work
     

    Attached Files:

    • hmmm.png
      hmmm.png
      File size:
      115.7 KB
      Views:
      127
  18. 22
    2
    7
    justanyone

    justanyone Forum Noob

    Joined:
    Aug 11, 2019
    Messages:
    22
    Likes Received:
    2
    Trophy Points:
    7
    tried again with ubuntu on windows, openssl is found but doesnt work and ERK.bin is not found too.
    maybe i can send over my file and you will make keys for it?
    .
     
  19. 2,905
    2,771
    372
    Berion

    Berion Developer

    Joined:
    Feb 3, 2015
    Messages:
    2,905
    Likes Received:
    2,771
    Trophy Points:
    372
    Gender:
    Male
    Location:
    Poland
    What? How is that possible? Well, the default environment path when user doesn't specify direct path should be "app dir" but in Your case it looks like is not, and that's why I suppose he doesn't finding the ERK. I have no idea how to "fix" it. For me, it works (Linux Mint across 17.x to 19.2).

    Sure, I can. But Your case is interesting. Could You make another test and add # at the beginning of line no.170 ("rm *.fake"), save changes and choose option 6 (test keys generating)? This will (should) make fake ERK and testing my theory from above (if there is something wrong with system environment variables, script wouldn't create any generated fake keys in this path).

    And do not choose option for Arcades because it will overwrite Your ERK by the static one for arcade units (if appdir would work) without question.

    BTW I see on screenshots file named "decrypted.img". Is this Your HDD dump? If it is already decrypted (not just a SBS copy from PS3HDD), You don't need any keys to mount You know. ;)
     
    Last edited: Aug 13, 2019
  20. 22
    2
    7
    justanyone

    justanyone Forum Noob

    Joined:
    Aug 11, 2019
    Messages:
    22
    Likes Received:
    2
    Trophy Points:
    7
    yeah i do have a decrypted image, i also have an encrypted one too but i can't mount both of them as a explore able device (too hard to understand what to do lol, currently i'm only able to mount it as loop device).
    currently downloading linux mint to try with it.
    also, added that # at line 170 and when launching script via windows, lots of .fake files are generated, however launching same script on ubuntu does not make any files.
    adding my ERK file too
     

    Attached Files:

Share This Page