HDD Keys generating scripts

Discussion in 'General PS3 Discussion' started by Berion, Sep 14, 2016.

  1. Berion (Developer)
    Joined: Feb 3, 2015 | Messages: 2,183 | Likes Received: 2,065 | Trophy Points: 372 | Gender: Male | Location: rom0:/
    Success. :D Fats defeated.

    The key generation method for Fats and Slims is a little bit different. The problem was the input length in ADK, which is 24, not 16 (so the HDD key ends with 48 B, not 32).
    And of course cryptsetup must be fed aes-cbc-null with 192.
     
    DeViL303, aldostools, Algol and 3 others like this.
  2. fresh (Member)
    Joined: Sep 7, 2018 | Messages: 91 | Likes Received: 26 | Trophy Points: 37
    Yeah! Cool, touchdown!
    ^^
     
  3. Berion
    @fresh Thanks. It finally works. Jesus, this was tricky for me.

    - - -
    So... if someone is curious, this is the partition list from CECHL04:

    ps3hdd_norfat_decrypted.png

    - - -
    And this is the final version (?) of the script. If someone maintains the wiki, please add it there (maybe in the HDD encryption section as an attachment?). The procedure is in the commented section if someone needs a step-by-step, yet condensed, tutorial. The script can generate mass storage keys for FATs (both NAND and NOR) and Slims (CECH-2xxx only). As an additional feature, it can check whether the installed software generates keys properly (not very useful but, oh well, maybe someone will find it handy).

    ps3hdd_keygen_1.3.png
     

    DeViL303, aldostools and fresh like this.
  4. Berion
    Version 1.4:
    • added Arcade (GECR-xxxxx) support (at least for GECR-1500/System 357C)
    • added "hidden" mode to delete all key files (excluding ERK) by pressing "x" instead of a number
    Thanks to @3141card for help and samples.

    - - -

    So, what is left are (true) DEX and DECR stations. Is an ERK dumping method known for them? There is CFW Rebug DECR - does Rebug Toolbox work on them, especially this feature? I would gladly experiment with them if someone could provide me some samples (ERK + 2 MiB HDD dumps), for various models if possible.

    Does someone have access to prototypes?

    @Joonie @habib
     

    Last edited: Jun 13, 2019
  5. gmipf (Member)
    Joined: Jan 11, 2015 | Messages: 23 | Likes Received: 4 | Trophy Points: 32
    @Berion I have a DECHSA00A and a DECHA00A. Can I provide the internal encryption key for your script? My main question is: Can I mount /dev_hdd0/ on a Linux PC in read-write mode? I would like to copy files to the HDD of a clean OFW PS3. Obtaining the eid_root_key.bin is no problem.
     
  6. Berion
    @gmipf If You are able to get the EID Root Key, then probably yes (this depends on the seeds and algorithms used, but it is highly possible they are the same as on CEX and DEX). Just to be precise: ERK is unique per unit (except Arcade models).

    Write support depends on the kernel used (UFS2 write must be turned on because the main partition uses UFS2; the default setting is read-only).

    Would You kindly send me the first 2 MiB of their HDDs and their ERKs? They don't contain any private data. I would like to check decryption. I'm especially curious about the Test model (maybe they also use a static ERK like Arcades?).
     
    Last edited: Aug 11, 2019
  7. gmipf
    Sent you a PM with the HDD&ERK dumps. UFS2 write support is unstable on Linux. I think I will try the decryption on FreeBSD.
     
    jcorrea and Berion like this.
  8. Berion
    In theory yes, but I don't really follow the changes in kernel fs, so maybe it is just not tested well enough. UFS2 is turned on by default in Psxitarch for PS4 with an easy pre-set mount point (the loader dumps the EAP Key, which is used to decrypt some partitions on the PS4 HDD), so maybe it is not as untrustworthy as the warnings say.

    On the BSD family we have Geom and Geli, but the problem is that there is no tool to convert LE to BE on the fly. FreeBSD would be perfect for this task, but that's the flaw here. Grafchocolo has written bswap16.ko for this task; later it was rewritten as a userland app which talks to nbd-client/server. If we could get the same functionality on BSD, decryption should be easy and writing trusted, as the UFS family is native to BSD systems.


    PS: Thank You very much for the dumps, I'll try them and let You know about the results.
     
    gmipf and jcorrea like this.
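
The post above names on-the-fly LE/BE conversion (bswap16) as the missing piece on BSD. For a dump file, the same 16-bit swap can be done offline with `dd conv=swab`; this is an added example, not part of Berion's script or the bswap16 tool, and it assumes the conversion is a plain exchange of each byte pair, as the name bswap16 suggests. The function names and sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline 16-bit byte swap of a disk image file.
# Assumption: the swap is a plain exchange of every byte pair.

# swab16 IN OUT - write OUT with every pair of bytes from IN exchanged.
swab16() {
    in=$1; out=$2
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    size=$(wc -c < "$in")
    # A sector dump always has an even length; refuse anything else
    # instead of silently leaving a trailing byte unswapped.
    [ $((size % 2)) -eq 0 ] || { echo "$in: odd length $size" >&2; return 1; }
    # An even block size keeps byte pairs from straddling two blocks.
    dd if="$in" of="$out" bs=64k conv=swab 2>/dev/null
}

# hex_of FILE - print the file content as one hex string, for comparison.
hex_of() { od -An -tx1 "$1" | tr -d ' \n'; }

# Constructed sample standing in for the start of a dump: 01 02 03 04.
demo=$(mktemp -d)
printf '\001\002\003\004' > "$demo/raw.img"
swab16 "$demo/raw.img" "$demo/swapped.img" && hex_of "$demo/swapped.img"; echo
rm -rf "$demo"
```

Running `swab16` twice restores the original file, which gives a quick sanity check before and after working on a swapped copy.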
  9. Berion
    Version 1.6

    changes since v1.4:
    - removed unsupported models from script
    + new menu with more details about supported units
    + new units added
    f refactored menu
    f changed filename from "hdd_key.bin" to "ata_key.bin"

    ps3keygen_scr_16a.png
    ps3keygen_scr_16b.png

    - - -
    mentions: @gmipf @justanyone @sandungas
     

    Last edited: Aug 12, 2019
    jolek, gmipf, sandungas and 3 others like this.
  10. pinky (Bitsiboo's Other Half, Developer)
    Joined: Mar 8, 2015 | Messages: 11,944 | Likes Received: 4,773 | Trophy Points: 497 | Gender: Male | Location: The Great Gig in the Sky
    I like the shout out to John Snow. I've watched up to season 6 I believe.
     
    Berion likes this.
  11. littlebalup (Developer, PSX-Place Supporter)
    Joined: Oct 16, 2014 | Messages: 1,182 | Likes Received: 1,191 | Trophy Points: 272 | Location: 43°36'16.0"N 1°26'36.1"E
    What about CECH-21xxx ?
    ;)

    maybe better to say CECH-20xxx and CECH-21xxx than CECH-2xxxx
     
  12. Berion
    @littlebalup Are You implying that there was a 20xx or 21xx which has stock fw 3.60? Because if not, 2xxx is ok as covering the whole 2xxx line (20xx, 21xx, 25xx), from which ERK can be retrieved.


    BTW: I'll be glad if someone could point out spelling/grammar errors in the above screenshots (if there are any, but most probably there are many :D).
     
  13. justanyone (Forum Noob)
    Joined: Aug 11, 2019 | Messages: 20 | Likes Received: 0 | Trophy Points: 5
    i am getting this error for some reason, however i have ERK.bin file in directory
     

    Attached Files: hmmm.png (100.4 KB)
  14. pinky
    do you have known extensions hidden? you might have eid_root_key.bin.bin. also, I found a bug with openssl when using c2d (not sure if it's like that here), but openssl.exe needs to have "run as administrator" checkmarked otherwise it will look in the wrong location for the cfg. I think it's a windows 10 bug (not sure).
     
    Last edited: Aug 12, 2019
  15. Berion
    @pinky Pinky, he is using "Ubuntu", not "Ubuntu on WSL", and such problems as You mentioned don't exist in the Linux world. ;p

    @justanyone That's strange. I have uploaded a new version. Changes are:
    + new option (please choose "7" and paste the results)
    + added clearing of constants at script end (maybe that was the problem? I never experienced it)

    Jesus! Almost 4:00 am for me now. I'm dying. But this should work now. ;p
     

  16. pinky
    oh, I didn't notice, sorry. I was just remembering some of the stuff from c2d with the eid_root_key.
     
  17. justanyone
    here are my results.
    maybe there is a problem with my linux distro? which linux do you use?
    or someone could teach me how to use this tool in windows 10 ubuntu because i haven't found how to make openssl work
     

    Attached Files: hmmm.png (115.7 KB)
  18. justanyone
    tried again with ubuntu on windows, openssl is found but doesn't work and ERK.bin is not found either.
    maybe i can send over my file and you will make keys for it?
    .
     
  19. Berion
    What? How is that possible? Well, the default environment path, when the user doesn't specify a direct path, should be the "app dir", but in Your case it looks like it is not, and that's why I suppose it isn't finding the ERK. I have no idea how to "fix" it. For me, it works (Linux Mint across 17.x to 19.2).

    Sure, I can. But Your case is interesting. Could You make another test and add # at the beginning of line no. 170 ("rm *.fake"), save the changes and choose option 6 (test keys generating)? This will (should) make a fake ERK and test my theory from above (if there is something wrong with the system environment variables, the script wouldn't create any generated fake keys in this path).

    And do not choose the option for Arcades because it will overwrite Your ERK with the static one for arcade units (if appdir would work) without asking.

    BTW I see on the screenshots a file named "decrypted.img". Is this Your HDD dump? If it is already decrypted (not just an SBS copy from the PS3 HDD), You don't need any keys to mount it, You know. ;)
     
    Last edited: Aug 13, 2019
  20. justanyone
    yeah i do have a decrypted image, i also have an encrypted one too but i can't mount either of them as an explorable device (too hard to understand what to do lol, currently i'm only able to mount it as loop device).
    currently downloading linux mint to try with it.
    also, added that # at line 170 and when launching script via windows, lots of .fake files are generated, however launching same script on ubuntu does not make any files.
    adding my ERK file too
     
