PS3 [Tutorial] HDD mounting and decryption on Linux

[Berion]

If:

• Your PS3 HDD is /dev/sdc
• You want mount only dev_hdd1
• Your bswap16-ecb module is named bswap16.ko and match to kernel
• if Your console is Slim and keys generated are proper for this specific unit

then:

1. sudo su
2. insmod '/home/eruil/ps3/bswap16.ko'
3. cryptsetup create -c bswap16 -d /dev/zero ps3hdd-bs /dev/sdc
4. cryptsetup create -c aes-xts-plain64 -d /home/eruil/ps3/ata_key.bin -s 256 ps3hdd /dev/mapper/ps3hdd-bs
5. kpartx -a /dev/mapper/ps3hdd
6. mount -t vfat /dev/mapper/ps3hdd3 /home/eruil/ps3/dev_hdd1
7. Now You should be able to access to dev_hdd1 (only with root privileges) from i.e file manager level.
8. Delete everything what You see on it. If fm tells You about problem, it is possible that partition is damaged, so go to no.9 as normally and try dosfstools from other tutorial, and after that back to no.6, do no. 8 and jump to no.10.
   
9. umount -l /home/eruil/ps3/dev_hdd1
10. kpartx -d /dev/mapper/ps3hdd
11. cryptsetup remove ps3hdd
12. cryptsetup remove ps3hdd-bs
13. rmmod bswap16
14. exit
15. exit

PS: I'm hetero so no "b-job", sorry, but I have PayPal account if You will feel grateful. :P
PS2: "Poland", not "poland".
PS3: Remember to add executable right to bswap module (by chmod +x on it or via Nemo/Nautilus in file properties, also Your user right for reading).

 

[Eruil EOL]

ive tested in 2 different hdd , 80gb stock and 1 tb non stock (+ 8 free extra space using bswap16.512 courtesy of einsteinx2) . when i use ubuntu file manager it never show any PS3UPDATE data or folder (cause i dont know how to execute hdd reader.elf) . in both

what can i do?

PS: im hetero too ;D . that was a local joke XD (that b-job joke is used here , a lot )

 

[Berion]

Did You mount decrypted mapper in the first place? I cannot help You while You not telling me important informations from the process. So... make print screen from terminal after typing lsblk before no. 7

 

[Eruil EOL]

i did everything exactly as you wrote it . it never shown problems. . when i used dosfstools this was log :

root@Ryzentosh:/home/eruil# sudo dosfsck -w -r -l -a -v -t /dev/mapper/ps3hdd3
fsck.fat 4.1 (2017-01-24)
Checking we can access the last sector of the filesystem
Warning: Filesystem is FAT32 according to fat_length and fat32_length fields,
but has only 65519 clusters, less than the required minimum of 65525.
This may lead to problems on some systems.
Boot sector contents:
System ID " "
Media byte 0xf8 (hard disk)
512 bytes per logical sector
32768 bytes per cluster
32 reserved sectors
First FAT starts at byte 16384 (sector 32)
2 FATs, 32 bit entries
262144 bytes per FAT (= 512 sectors)
Root directory start at cluster 2 (arbitrary size)
Data area starts at byte 540672 (sector 1056)
65519 data clusters (2146926592 bytes)
0 sectors/track, 0 heads
0 hidden sectors
4194272 sectors total
Checking file /
Checking file /crash_report (CRASH_~1)
Checking file /crash_report/.
Checking file /crash_report/..
Checking file /crash_report/kernel (KERNEL)
Checking file /crash_report/kernel/.
Checking file /crash_report/kernel/..
Checking file /crash_report/kernel/ps3crash-kernel.dat (PS3CRA~1.DAT)
Checking for bad clusters.
Reclaiming unconnected clusters.
Checking free cluster summary.
/dev/mapper/ps3hdd3: 3 files, 4/65519 clusters
root@Ryzentosh:/home/eruil#

 

[Berion]

Good, so it means You successfully made mapper with decrypted partitions (otherwise dosfstools wouldn't do anything). So, mount it and just clean everything. Maybe data inside "~/ps3/dev_hdd1/crash_reporter/" cause Your boot loop not update files?

You need run file manager with root privileges to do that (sudo nautilus?) or You can make it via terminal ("cd ~/ps3/dev_hdd1/ && rmdir crash_report").

 

[Eruil EOL]

i see what was the problem. ubuntu 19.10 kernel wasnt properly compiled. i used my bros laptop and i was able to run mint cinnamon 19.2 . i ran dosfsck and log changed to

root@mint:/home/mint# sudo dosfsck -w -r -l -a -v -t /dev/mapper/ps3hdd3
fsck.fat 4.1 (2017-01-24)
Checking we can access the last sector of the filesystem
Warning: Filesystem is FAT32 according to fat_length and fat32_length fields,
but has only 65519 clusters, less than the required minimum of 65525.
This may lead to problems on some systems.
0x41: Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
Automatically removing dirty bit.
Boot sector contents:
System ID " "
Media byte 0xf8 (hard disk)
512 bytes per logical sector
32768 bytes per cluster
32 reserved sectors
First FAT starts at byte 16384 (sector 32)
2 FATs, 32 bit entries
262144 bytes per FAT (= 512 sectors)
Root directory start at cluster 2 (arbitrary size)
Data area starts at byte 540672 (sector 1056)
65519 data clusters (2146926592 bytes)
0 sectors/track, 0 heads
0 hidden sectors
4194272 sectors total
Checking file /
Checking for bad clusters.
Reclaiming unconnected clusters.
Checking free cluster summary.
Performing changes.
/dev/mapper/ps3hdd3: 0 files, 1/65519 clusters
root@mint:/home/mint#

ive ran again dosfsck again without any 0x41 dirty bit error . i connected again hdd in ps3 but console freezes at 68% .

 

[Berion]

If You deleted all data on "dev_hdd1/" (dosfsck doesn't doing it, it is app to analyse and eventually fix FAT tables), it means that Yours problem doesn't lie in dev_hdd1 and update files. I don't know what to advice You, sorry.

 

[Eruil EOL]

no worries pal. i think that im going to backup all my data on another 1 tb hdd. btw... how can i enable (again) the extra 8% with your new bswap16.ko ? (i dont know how to run your elf files) .... and have you tried it with 1 tb drive? i rode your post ... well your suggestion to use bsap16.1024 intead of bsawp.16.512 in 1tb drives. i dont know whats the best choice

thanks dude. ;D

 

[Berion]

"bswap16-nbd" is obsolete, so then neither. Use always "bswap16-ecb".

"Enable" it the same as before. How You will expose decrypted data is not important, modification of UFS2 table is and for this You don't need write support as You will not (and even cannot) mount file system. I don't understand what You have wrote TBH. ;p

 

[Eruil EOL]

tbh... i dont know what that means :S .

so basically to unlock extra 8% with byteswap16.ko i need to do this in terminal (correct me if im wrong). btw . which is better to byteswap a 1 tb drive? to 512 or to 1024 ? :

sudo su
insmod '/home/mint/ps3/bswap16-ecb.ko'
./makedev bswap16.512 /dev/sdb
cryptsetup create -c aes-xts-plain64 -d /home/mint/ps3/ata_key.bin -s 256 ps3hdd /dev/mapper/ps3hdd-bs
kpartx -a /dev/mapper/ps3hdd
ls -la /dev/mapper/
[ -d /mnt/PS3GameOS ] || mkdir /mnt/PS3GameOS && mount -t ufs -o ufstype=ufs2,ro /dev/mapper/ps3hdd_crypt2 /mnt/PS3GameOS && df -h | grep "Avail\|ps3hdd_crypt2" && umount /mnt/PS3GameOS
dd if=/dev/mapper/ps3hdd_crypt2 bs=512 count=256 of=GameOS_superblock.img
./find_ps3_ufs2_byte_locations GameOS_superblock.img
printf '\x01' | dd of=/dev/mapper/ps3hdd_crypt2 bs=1 seek=65599 count=1 conv=notrunc
printf '\x01' | dd of=/dev/mapper/ps3hdd_crypt2 bs=1 seek=65667 count=1 conv=notrunc
kpartx -d /dev/mapper/ps3hdd && cryptsetup remove ps3hdd
cryptsetup remove ps3hdd-bs
rmmod bswap16
exit

 

[Berion]

You have three kind of bswap16: first was kernel module and no longer works, second was merged with special fork of nbd-server (and this one can be split for two kind of HDDs, large and small) but this one is also obsolete now, the newest is bswap16 again in kernel module form and let's call it "bswap16-ecb" because he doing byte transformation in that way with zeroed key. Purpose of "byte swapping" is conversion on the fly Big Endian to Little Endian. That's why Yours question doesn't have sense, because You don't using "bswap16-nbd" but "bswap16-ecb".

No, no, totally wrong. You mixed everything blindly without understanding. Well, just paste link here for this tutorial (because I'm to lazy :P) and I'll write for You proper procedure.

BTW: Why You want reduce percentage reservation while Your console doesn't boot properly? This will not fix it.

 

[Eruil EOL]

i think that the one who is not understanding its you dude.
i got a perfectly working ps3 nor slim 2501a console with rebug 4.86 cfw installed . its installed in a 320GB hdd. i made all steps in einys tuto (dumped the superblock of gameos partition) to unlock extra 8% in a working 1TB hdd . i was only stuck with console freezing at 68% with that 1tb hdd.

nevermind, i need to backup all data , format with the console and redo all the work (something that i dont wanted but need to do if that hdd remains stuck in 68%) . i was wondering the way to do the same that einys did but now with your updated tools. (lets say that your quick guide and command prompts were very usefull to all of us that understand linux basics)

 

[Berion]

Now it's a little clearer to me. You mislead me with dev_hdd1 clearing thing and with messed bash commands. As I understand before, You wanted clear dev_hdd1 because of update loop. Now You want get back few percentage lost of HDD capacity, which still I don't see a connection between freezing (during updating fw?) at 68%.

BTW: If You already goes through "8% tutorial" using bswap16-nbd, You can do exactly the same but replacing bswap procedure to one fit to bswap16-ecb and mappers names. Everything else will be the same."ps3hdd-bs" is mapper created for bswap16-ecb, to easily show the user that this one is the same as /dev/sdx but byte swapped by bswap16-ecb. In my tutorial I'm creating mapper "ps3hdd" (which is the decrypted stuff what we need; instead of "ps3_crypt" or whatever it is), and that's why all partitions will be named using this base (i.e "ps3hdd1", "ps3hdd2" an so on, and not "ps3_crypt1", "ps3_crypt2" etc.).

Consider "/dev/mapper/ps3hdd-bs" as "/dev/sdx" which means encrypted yet already byte swapped.
Consider "/dev/mapper/ps3hdd" as "/dev/sdx" but decrypted.

Mappers are abstracts i.e for making operations per block on the fly. Without it, You would need first byte swapped whole PS3 HDD, then decrypt whole PS3 HDD, then do whatever You want, then again encrypt it, and then byte swapped it again.

I hope now it is clear how this works and helped You somehow.

 

[Eruil EOL]

is that correct or do i need to do something else?

sudo su
insmod '/home/mint/ps3/bswap16-ecb.ko'
cryptsetup create -c aes-xts-plain64 -d /home/mint/ps3/ata_key.bin -s 256 ps3hdd /dev/mapper/ps3hdd-bs
kpartx -a /dev/mapper/ps3hdd
ls -la /dev/mapper/
[ -d /mnt/PS3GameOS ] || mkdir /mnt/PS3GameOS && mount -t ufs -o ufstype=ufs2,ro /dev/mapper/ps3hdd_bs /mnt/PS3GameOS && df -h | grep "Avail\|ps3hdd_crypt2" && umount /mnt/PS3GameOS
dd if=/dev/mapper/ps3hdd_crypt2 bs=512 count=256 of=GameOS_superblock.img
./find_ps3_ufs2_byte_locations GameOS_superblock.img
printf '\x01' | dd of=/dev/mapper/ps3hdd_crypt2 bs=1 seek=65599 count=1 conv=notrunc
printf '\x01' | dd of=/dev/mapper/ps3hdd_crypt2 bs=1 seek=65667 count=1 conv=notrunc
kpartx -d /dev/mapper/ps3hdd && cryptsetup remove ps3hdd
cryptsetup remove ps3hdd-bs
rmmod bswap16
exit

 

[ichikameha]

Hello, I had accidental initialized my ps3 hdd on windows while trying to clone it.
I have since put CFW on my ps3 and obtained the EID key to my system.
I first used an extra hard drive on my ps3 and copied the first sector back onto the original hdd, the system said the os corroupt and prompted a reformat, I have tried several hdds and the last 15 sectors at the begging are always the same, only some data in the first sector changes. (this is through hxd)

My question right now is How to mount my hdd with aldo's ps3 hdd gui.
I have made a byte for byte copy and I have the eid key all in the same folder, but nothing is showing ( I do indeed open as administrator) Any help or advice would be awesome!
Further more, is there any way to view my old drive in question through CFW?
I have a clone file with the EID key, so I am hopeful.

One more thing, after I put CFW on my system, newly formated drives still have the same 16 sectors at the beginning of the drive.
unfortunately copying the first sector did not solve my problem.

Thanks again!

 

[Eruil EOL]

even if you decrypted with eid-root -key there is no such tool like a ps3 hdd cloner (the same reason: eid root key or encryption key)
if you want to mount with a readonly option you need to copy eidrootkey file in ps3 hdd gui root folder (its not possible , as far as i know , when you initialized ps3 hdd on windows, i think its a trouble with partition table )

 

[pinky]

even if you decrypted with eid-root -key there is no such tool like a ps3 hdd cloner (the same reason: eid root key or encryption key)
if you want to mount with a readonly option you need to copy eidrootkey file in ps3 hdd gui root folder (its not possible , as far as i know , when you initialized ps3 hdd on windows, i think its a trouble with partition table )

it's possible to fix an initialized hdd as long as it's NOR (possibly NAND too). emmc hdd can't be fixed currently afaik.

 

[ichikameha]

Thank your for the information, I do indeed have the (eid_root_key) in the same folder as ps3 hdd gui. But I am having trouble understanding the exact instructions for the ps3 data. If I understood correctly, I have the byte for byte copy of the hdd named backup.bin in the folder along with the eid key and ps3 hdd gui. Is that Correct?
I will assume my problem is the first sector of the hdd messing up the partition table, keeping ps3 hdd gui from decrypting it.
the PS3 in question is CHECH 2501B.
Thanks once again!

 

[Eruil EOL]

Thank your for the information, I do indeed have the (eid_root_key) in the same folder as ps3 hdd gui. But I am having trouble understanding the exact instructions for the ps3 data. If I understood correctly, I have the byte for byte copy of the hdd named backup.bin in the folder along with the eid key and ps3 hdd gui. Is that Correct?
I will assume my problem is the first sector of the hdd messing up the partition table, keeping ps3 hdd gui from decrypting it.
the PS3 in question is CHECH 2501B.
Thanks once again!

ive read it before... i think this is the link with the information that can help ya. not quite sure
https://www.psx-place.com/threads/tutorial-fixing-windows-disk-initalization.27599/

 

[pinky]

Thank your for the information, I do indeed have the (eid_root_key) in the same folder as ps3 hdd gui. But I am having trouble understanding the exact instructions for the ps3 data. If I understood correctly, I have the byte for byte copy of the hdd named backup.bin in the folder along with the eid key and ps3 hdd gui. Is that Correct?
I will assume my problem is the first sector of the hdd messing up the partition table, keeping ps3 hdd gui from decrypting it.
the PS3 in question is CHECH 2501B.
Thanks once again!

if you initialized, you're correct, the first sector is messed up now.