HDD Keys generating scripts

@fresh Thanks. It finally works. Jesus, this was tricky for me.

- - -
So... if someone is curious, this is the partition list from CECHL04:

ps3hdd_norfat_decrypted.png

- - -
And this is the final version (?) of the script. If someone maintains the wiki, please add it there (maybe in the HDD encryption section as an attachment?). The procedure is in the commented section if someone needs a step-by-step, yet condensed, tutorial. The script can generate mass storage keys for FATs (both NAND and NOR) and Slims (CECH-2xxx only). As an additional feature, it can check whether the installed software generates keys properly (not very useful but oh well, maybe someone will find it handy).

ps3hdd_keygen_1.3.png

//attachment was removed, newest version in first post
 
Version 1.4:
  • added Arcade (GECR-xxxxx) support (at least for GECR-1500/System 357C)
  • added a "hidden" mode to delete all key files (excluding ERK) by pressing "x" instead of a number
Thanks to @3141card for help and samples.

- - -

So, what is left are (true) DEX and DECR stations. Is an ERK dumping method known for them? There is CFW Rebug DECR - does Rebug Toolbox work on them, especially this feature? I would gladly experiment with them if someone could provide me with some samples (ERK + 2MiB HDD dumps), for various models if possible.

Does anyone have access to prototypes?

@Joonie @habib

//attachment was removed, newest version in first post
 
@Berion I have a DECHSA00A and a DECHA00A. Can I provide the internal encryption key for your script? My main question is: Can I mount /dev_hdd0/ on a Linux PC in read-write mode?
 
@gmipf If you are able to get the EID Root Key, then probably yes (this depends on the seeds and algorithms used, but it is highly possible they are the same as on CEX and DEX). Just to be precise: the ERK is unique per unit (except Arcade models).

Write support depends on the kernel used (UFS2 write must be turned on because the main partition uses UFS2; the default setting is read-only).

Would you kindly send me the first 2MiB of their HDDs and their ERKs? They don't contain any private data. I would like to check decryption. I'm especially curious about the Test model (maybe they also use a static ERK like Arcades?).
 
In theory yes, but I don't really follow the changes in kernel fs, so maybe it is just not tested well enough. UFS2 is turned on by default in Psxitarch for PS4 with an easy pre-set mount point (the loader dumps the EAP Key, which is used to decrypt some partitions on the PS4 HDD), so maybe it is not as untrustworthy as the warnings say.

On the BSD family we have GEOM and GELI, but the problem is that there is no tool to convert LE to BE on the fly. FreeBSD would be perfect for this task, but that's the flaw here. Grafchocolo wrote bswap16.ko for this task; later it was rewritten as a userland app which talks with nbd-client/server. If we could get the same functionality on BSD, decryption should be easy and writing trustworthy, as the UFS family is native to BSD systems.


PS: Thank You very much for the dumps, I'll try them and let You know about the results.
 
@littlebalup Are you implying that there were 20xx or 21xx units which have stock fw 3.60? Because if not, 2xxx is OK as it covers the whole 2xxx line (20xx, 21xx, 25xx), from which the ERK can be retrieved.


BTW: I'd be glad if someone could point out spelling/grammar errors in the above screenshots (if there are any, but most probably there are many :D).
 
Do you have known extensions hidden? You might have eid_root_key.bin.bin. Also, I found a bug with openssl when using c2d (not sure if it's like that here), but openssl.exe needs to have "run as administrator" checkmarked, otherwise it will look in the wrong location for the cfg. I think it's a Windows 10 bug (not sure).
 
@pinky Pinky, he is using "Ubuntu", not "Ubuntu on WSL", and such problems as you mentioned don't exist in the Linux world. ;p

@justanyone That's strange. I have uploaded a new version. Changes are:
+ new option (please choose "7" and paste the results)
+ added clearing of constants when the script ends (maybe that was the problem? I never experienced it)

Jesus! Almost 4:00 am for me now. I'm dying. But this should work now. ;p

//attachment was removed, newest version in first post
 
Oh, I didn't notice, sorry. I was just remembering some of the stuff from c2d with the eid_root_key.
 
Here are my results.
Maybe there is a problem with my Linux distro? Which Linux do you use?
Or could someone teach me how to use this tool in Windows 10 Ubuntu, because I haven't found how to make openssl work.
 

Tried again with Ubuntu on Windows; openssl is found but doesn't work, and ERK.bin is not found either.
Maybe I can send over my file and you will make keys for it?
 
What? How is that possible? Well, the default environment path when the user doesn't specify a direct path should be "app dir", but in your case it looks like it is not, and that's why I suppose it isn't finding the ERK. I have no idea how to "fix" it. For me, it works (Linux Mint across 17.x to 19.2).

Sure, I can. But your case is interesting. Could you make another test and add # at the beginning of line no. 170 ("rm *.fake"), save the changes and choose option 6 (test key generation)? This will (should) make a fake ERK and test my theory from above (if there is something wrong with the system environment variables, the script wouldn't create any generated fake keys in this path).

And do not choose the option for Arcades because it will overwrite your ERK with the static one for arcade units (if appdir works) without asking.

BTW, I see a file named "decrypted.img" in the screenshots. Is this your HDD dump? If it is already decrypted (not just an SBS copy from the PS3 HDD), you don't need any keys to mount it, you know. ;)
 
Yeah, I do have a decrypted image, and I also have an encrypted one too, but I can't mount either of them as an explorable device (too hard to understand what to do lol, currently I'm only able to mount it as a loop device).
Currently downloading Linux Mint to try with it.
Also, I added that # at line 170, and when launching the script via Windows, lots of .fake files are generated; however, launching the same script on Ubuntu does not make any files.
Adding my ERK file too.
 
