PS3 [Tutorial] HDD mounting and decryption on Linux

[Berion]

I have put into it many hours to make it as much noob friendly as possible (included Linux new comers which doesn't understand well this environment).

• "Montowanie pamięci wewnętrznej na Linuksie" - official Polish version
• "Mounting internal memory on Linux" - official English version
• "Quick Guide" is only for advanced Linux users which don't need wall of text and screens. If You are not familiar with Linux, this text will be confusing for You and brings only frustration!
  
• PS3 HDD Decryption Helper - Toolkit which contains various of scripts (including keygen and bswap16-ecb)

In case of some problems etc, don't be shy and ask.

Warning:
If You want only read data from PS3 HDD on Windows or even Linux, then a lot easier way for You is just using PS3 HDD Reader written by 3141card. You can also forget about ATA and VFLASH keys generation as this app doing it on the fly from EID Root Key and automatically recognize from what model HDD comes from. Tutorial is more likely for people who want read and write data, and for those who needs access to every part of disk, not only to partitions with filesystems.

 

[Laith]

If You will not succeed, try Linux way.

Hi! I'm happy to report back that using the latest version of PS3 HDD Reader, not the one from ps3tools, I could decrypt the HDD. Sucks that you can't write to it and recover the PS3 from a brick, but oh well, I at least got the data I needed. Thanks again for the help!

 

[Berion]

Even if You could, You wouldn't recover console from a brick as it's OS is written on NAND or NOR flash, not on HDD.

Glad to help.

 

[Laith]

Even if You could, You wouldn't recover console from a brick as it's OS is written on NAND or NOR flash, not on HDD.

Glad to help.

Yeah, but I'm stuck in an update loop due to a bad daughterboard. If you could replace dev_hdd1/PS3UPDATE/PS3UPDAT.PUP to have a no-BD one instead, I'm sure you could throw the PS3 out from the brick that it is in.

 

[sandungas]

The contents of dev_hdd1 are a bit special though, you can see its contents in managunz filemanager
But most of the times i took a look at it is either a single file or 2 files at most, and have a big size
Never took a look at the contents of dev_hdd1 while instaling a PUP though

 

[Laith]

The contents of dev_hdd1 are a bit special though, you can see its contents in managunz filemanager
But most of the times i took a look at it is either a single file or 2 files at most, and have a big size
Never took a look at the contents of dev_hdd1 while instaling a PUP though

Here is a screenshot of the contents of dev_hdd1/PS3UPDATE, the only directory on that partition. The "data" folder has nothing in it but another folder called "font" which has a bunch of TrueType fonts.

EDIT: On the "Mounting HDD on PC" page on psdevwiki, the author writes to GameOS on the HDD to fix a faulty petitboot image. Could you not theoretically write to the place where the PUP is at and replace it?

 

[Berion]

dev_hdd1 have FAT32 and it is fully writeable under Linux (but it isn't cleaned on each boot to GameOS?). You can always format whole HDD.

 

[Laith]

dev_hdd1 have FAT32 and it is fully writeable under Linux (but it isn't cleaned on each boot to GameOS?). You can always format whole HDD.

That is absolutely splendid news! I will set up a simple Linux environment tomorrow to throw my PS3 out of hell. Thank you so much!

 

[Berion]

Tutorial help You in access data to PS3 HDD. One of many examples: if Your console is dead and You want some files from her, You can attach it to PC and read it (of course You must have ERK).

 

[Berion]

I wouldn't be so happy yet, as probably You need also wipe "dev_hdd0/tmp/" which is on UFS2 so it is read only (and after that, upon boot You will encounter forced fscheck). ;p However, I read that kernel lines 5.x allow to also stable writing. I didn't check myself so I cannot confirm.

And use Linux Mint 18.2 because it have in repo last compatible nbd-client versions. In example v3.16.2 doesn't works and v3.13-262-g69a15c0-dirty (lol) works.

Anyway, first, try just mounting dev_hdd1 and delete everything on it. I don't know anyone ever try fix faulty update error in that way. It's interesting case. ^^

 

[Laith]

I wouldn't be so happy yet, as probably You need also wipe "dev_hdd0/tmp/" which is on UFS2 so it is read only (and after that, upon boot You will encounter forced fscheck). ;p However, I read that kernel lines 5.x allow to also stable writing. I didn't check myself so I cannot confirm.

And use Linux Mint 18.2 because it have in repo last compatible nbd-client versions. In example v3.16.2 doesn't works and v3.13-262-g69a15c0-dirty (lol) works.

Anyway, first, try just mounting dev_hdd1 and delete everything on it. I don't know anyone ever try fix faulty update error in that way. It's interesting case. ^^

Hi, so I've spent an hour on Linux with no apparent success. I've followed your guide as well as the psdevwiki guide with no success. I cannot mount the only partition that is visible in /dev/mapper/ps3hdd, which is dm-0. I'm not sure if I'm doing anything wrong or if it's my setup. Thank you so much for the help so far in any case.

 

[Berion]

If You not see other device mappers it means You didn't decrypt it. The reasons could be:

• wrong key (choose proper console model in keygen because Fat and Slims generate it in a little different way - I have provided both)
  
• wrong algorithm choosing (Fat and Slims using different - I have provided both)

Type "hexdump -C /dev/mapper/ps3hdd | head -8" and You should see mostly zeroes (drive start with "face off dead face" string if it's decrypted). If not, drive is definitely encrypted (or "decrypted" by wrong key).

Are drive was successfully "byte swapped" by nbd-client? What back information terminal give You?

What distro have You using, in what version (it is live version or installed? live sessions cannot be used because loop0 must be free even if You do not works on hdd image) and what is the version of nbd-client?

BTW: Look at the keygen in text editor, at the end I put short procedure which is of course commented out.


Can we continue this discussion in below thread? It is more accurate to the topic title. ^^"
https://www.psx-place.com/threads/tutorial-hdd-mounting-and-decryption-on-linux.23308/

 

[Laith]

If You not see other device mappers it means You didn't decrypt it. The reasons could be:

• wrong key (choose proper console model in keygen because Fat and Slims generate it in a little different way - I have provided both)
  
• wrong algorithm choosing (Fat and Slims using different - I have provided both)

Type "hexdump -C /dev/mapper/ps3hdd | head -8" and You should see mostly zeroes (drive start with "face off dead face" string if it's decrypted). If not, drive is definitely encrypted (or "decrypted" by wrong key).

Are drive was successfully "byte swapped" by nbd-client? What back information terminal give You?

What distro have You using, in what version (it is live version or installed? live sessions cannot be used because loop0 must be free even if You do not works on hdd image) and what is the version of nbd-client?

BTW: Look at the keygen in text editor, at the end I put short procedure which is of course commented out.


Can continue this discussion in below thread? It is more accurate to the topic title. ^^"
https://www.psx-place.com/threads/tutorial-hdd-mounting-and-decryption-on-linux.23308/

Hi. I used your script with the correct options, it being NAND. You're correct in that it didn't decrypt successfully, since your command returned gibberish bytes.

nbd-client hasn't given me any information.

I am using Linux Mint 18.2 live which you say apparently cannot be used. I'll try to get a real Linux box running in a few hours, its almost 4AM here and I'm getting tired. If it works on a real install, I'll make sure to report it. If I have any more questions I'll ask in that thread. Thank you again very much for the help.

 

[Berion]

Linux Mint 18.2 is ok (my distro of choice) but must be installed (all Linux known to me must be installed) because of this free slots. I'm experimenting with makedev script but with no success and for some reason loop0 is mandatory to be free (maybe there is way to switch it somehow).

You should get info: "loading nbd module...".

Thanks. Sure, on my side is also 4 AM. And try answer to all those questions, they are important as compatibility is not high as we could expecting.

 

[Laith]

Linux Mint 18.2 is ok (my distro of choice) but must be installed (all Linux known to me must be installed) because of this free slots. I'm experimenting with makedev script but with no success and for some reason loop0 is mandatory to be free (maybe there is way to switch it somehow).

You should get info: "loading nbd module...".

Thanks. Sure, on my side is also 4 AM. And try answer to all those questions, they are important as compatibility is not high as we could expecting.

Hi. I'm doing:

cryptsetup create -c aes-cbc-null -d /home/ps3/hdd_key.bin -s 192 ps3hdd /dev/sdb

I'll have access to a Linux box very soon to continue my testing.

 

[Berion]

/home/<user>/ps3/hdd_key.bin In my examples is /home/mint/ps3/ because I put all stuff into folder named "ps3" and my user is named "mint".

If key is generated for proper model range and You put it in the correct path then You shouldn't have problems with decrypting. I tested this on CECHG01, CECHL04 and CECH-2504. For NAND consoles, yes, You have used proper algorithm (-c aes-cbc-null -s 192).

You can install Linux on anything like i.e pendrive, memory card etc. Just choose advanced way during installation, make one partition "/" (You don't need more for this task) on i.e EXT4 and choose to install bootloader on the same device as Linux to not mess up with Your desktop environment.

 

[Laith]

/home/<user>/ps3/hdd_key.bin In my examples is /home/mint/ps3/ because I put all stuff into folder named "ps3" and my user is named "mint".

If key is generated for proper model range and You put it in the correct path then You shouldn't have problems with decrypting. I tested this on CECHG01, CECHL04 and CECH-2504. For NAND consoles, yes, You have used proper algorithm (-c aes-cbc-null -s 192).

You can install Linux on anything like i.e pendrive, memory card etc. Just choose advanced way during installation, make one partition "/" (You don't need more for this task) on i.e EXT4 and choose to install bootloader on the same device as Linux to not mess up with Your desktop environment.

Hello. I am currently on the full desktop version of Mint 18.2 Cinnamon and I'm still getting the decryption error. I've followed your guide as well as read your original thread a lot of times and I'm still getting the same error. I am getting the exact same gibberish bytes as I was getting when I tried doing this on the live CD, as well when trying to decrypt using aes-cbc-plain64 and aes-cbc-null, both on the HDD and the live CD.

Now of course, this means that there is an issue with the eid_root_key, but that cannot be the case. When I tried using ENCDEC Emulator on Windows, it displayed and extracted everything correctly. I'm at a loss at the moment and I do not know what to do.

Also worth notIng that I'm using your tools only at the moment. Thanks in advance.

 

[Berion]

That's strange. Are You sure /dev/sdb is PS3 HDD? Maybe You are trying decrypt not the disk from the console but any other connected to this computer? You can easly check it by lsblk command. Also You can use earlier command with hexdump on /dev/sdb instead of mapper to check if data is also almost zeroes (if yes, then for sure it is not PS3 HDD ).

Could You attach Your ERK + 2MiB of Your HDD from two points?

sudo dd if=/dev/sdb of=/home/you/test_raw.img bs=2M count=1
sudo dd if=/dev/nbd0 of=/home/you/test_bs.img bs=2M count=1

This is only partition table and not contain any private information. Both dumps will allow me to check if bswap was successful and if I can decrypt it on my side.

What exactly is Your console model? CECH<?>

aes-cbc-plain64 not applied here. Must be aes-cbc-null with 192 long key for NAND models, and aes-xts-plain64 with 256 long key for NOR consoles.

 

[Laith]

That's strange. Are You sure /dev/sdb is PS3 HDD? Maybe You are trying decrypt not the disk from the console but any other connected to this computer? You can easly check it by lsblk command. Also You can use earlier command with hexdump on /dev/sdb instead of mapper to check if data is also almost zeroes (if yes, then for sure it is not PS3 HDD ).

Could You attach Your ERK + 2MiB of Your HDD from two points?

sudo dd if=/dev/sdb of=/home/you/test_raw.img bs=2M count=1
sudo dd if=/dev/nbd0 of=/home/you/test_bs.img bs=2M count=1

This is only partition table and not contain any private information. Both dumps will allow me to check if bswap was successful and if I can decrypt it on my side.

What exactly is Your console model? CECH<?>

aes-cbc-plain64 not applied here. Must be aes-cbc-null with 192 long key for NAND models, and aes-xts-plain64 with 256 long key for NOR consoles.

Hi! Doing another reinstall worked! I could successfully decrypt my HDD using your tools.

On top of that, the dev_hdd1 "trick" worked! I was able to throw my PS3 out of the update loop brick by putting a noBD firmware there instead of the regular BD one it was trying to install. Everything worked out in the end!

 

[Berion]

Those programs aren't mine. bswap16 was at first kernel module, developed by Graf Chocolo. Years later, sguerrini97 rewrite it to userland application which communicate with network block device server/client. He also took my script, fix it, and months later I extend it (NAND consoles support, fullproof key generation and "internal" seeds). My Linux knowledge is on very basic level, and programming knowledge even lower.

What I did is wrote the tutorial and prepared autonomic script, with pre-compiled binaries to safe peoples some headache. Info on dev wiki is hard to assemble into working solution for newbies like me.

Thanks for the report. It is very good to know, to have a way of fixing upd error without need of formatting entire HDD. Maybe it is worth to add to wiki? Or make another article/note? @sandungas @Roxanne