PS3 [Tutorial] HDD mounting and decryption on Linux

I don't remember now, but with ' or " the script didn't find this file, so I put it in `. And to be honest, I didn't know about what You have said (I'm still kind of a Linux noob).

BTW: I tried Mint 20.0 today, and a nice change from older releases is that it has linux-headers. So compiling the module no longer needs installing anything, just going to the path with the module source and typing: make. If someone is curious. ;]
 
@cinnamon_cat_crunch64 Thank You for Your time! It was a lot of work. I have read it all and almost everything seems ok. ^^


A few of the Polish words used cannot be translated to English, e.g. "grzebacz" (because such words don't exist in English). But this doesn't impact the main content in any way.

In "Magic Keys", no. 6 in the original is "sudo make" + "Also remember to change file attribute to execute". I know "sudo make install" does this, but it also copies the module to the system, which I don't do. This will produce a little inconsistency with later screenshots and described paths (i.e. to no. 2 in the next chapter). An average Linux user will figure this out automatically, but new ones will get stuck on it.

"On-the-fly decryption and assembly" >> "On-the-fly decryption and mounting"

"disc gate" >> "disk gate"

"If you are going to pin a sector image" >> "If you are going to use a sector image". In English the meaning of this word is lost, so it is better to replace it with just "use".

"without any inventions on the way," >> "without any additional controllers on the way,". In Polish "wynalazek" (invention) doesn't mean invention in this case because it's used as slang, an irony aimed at cheap Chinese, often incomplete implementations of some controllers, translators etc.

"Since on "NORówki"," This whole sentence was butchered by the automatic translator. ^^ I'll try to recreate the sense in English: "While on NOR models ps3hdd1 occupies VFLASH, then ps3hdd3 acts as dev_hdd1."

"However, do not do this because you may have a problem with disassembly later" >> "However, do not do this because you may have a problem with unmount later"

"Unix systems do not mount partitions represented by letters of the alphabet only where the user wants" >> "Unix systems do not mount partitions represented by letters of the alphabet but only where the user wants"

"loop1 unfastening" >> "loop1 unattaching" (de-attaching?)

"That is the logs that life can throw at your feet." This is a Polish idiom; it means that life can be hard. I don't know if it exists in English. If not, it is better to remove it, I think.

"Q: "I have dump dump from firmware, how to read ERK?"" >> one "dump" is enough ;)

"The Drive Key, the key used to wedge a drive or to emulate a drive," >> "The Drive Key, the key used to optical drive remarrying or to emulate a drive,"

" if you can't read ERK then and you can't read DK or decode metldr." >> " if you can't read ERK then and you can't read DK or decrypt metldr."

"Q: After putting a disc in the console, it wants to format it! Why?" >> disk

"Because the file system or array has been corrupted" >> "Because the file system or partition table has been corrupted"

"Possibly because of an invalid key If the ERK and the hard disk". Lack of "." between "key" and "If". ^^"

"Q: Is all of the hard drive absolutely encrypted?" >> "Q: Is whole hard drive is absolutely encrypted?"

"but it can be used creatively (e.g. Oh yes)." >> "but it can be used creatively (e.g. like this)." An equivalent of "O tak" doesn't exist in English, but it means the same in this context as "like this". Besides that, the hyperlink should be green like the others. ;)

"Q: Can I get an EQF on CFW and upload an official FW, then pirate games this way?" >> For some reason ERK was replaced by EQF. It must of course be ERK.

"and CD-ROMs" >> "discs"
 
Thanks again for Your work. I'll look into it later. But I'm just letting You know now so as not to leave You feeling ignored. I really appreciate Your work, especially that You are also trying to keep the text colours and page structure. ^^
 
New version for what? It works. You were very close but gave up. ;p Judging by Your last comment months ago, You successfully decrypted the HDD and dumped the UFS2 superblock, but You didn't launch the script to modify it.
 
Apologies for reviving an old thread but wanted to ask if this works on Mint 20 or is it strictly on 19.3 and 19.4. I'm having a lot of trouble compiling my own bswap file and cryptsetup mapping. I'm pretty sure I have all of the packages installed but maybe it's just because my kernel is too new since it keeps returning fatal error and invalid files...?
 
@Hellion75 No reason to apologize. The only case where it is not a good idea to dig up an old thread is when someone wants to write something which doesn't add anything of worth to the topic. There is nothing wrong with asking questions, especially ones which haven't appeared yet.

There is no Mint 19.4; the last in the 19 line was v19.3. I have tried compiling bswap16-ecb on Mint 20.0 and there weren't any troubles. I have attached a module matching the default kernel in live Mint 20. Everything else will work for sure because the PS3 partition table still exists in the mainline of multipath-tools.

What kernel are You using? The default from v20.0, or have You installed Linux and updated the kernel? If so, then You must tell me to which version:
Code:
sudo uname -r
 

I meant 19.2 and 19.3...(X_X)

You got it WORKING?? That proves my horrible coding skills...My kernel was 5.4.0.52generic and was missing some basic tool files in its library but it kept prompting me that everything was updated, even through the terminal...The more I pulled from github, the more elaborate the compilation errors became so I'm in the midst of installing Mint 19.2...I should've just waited for your file. I would've totally tried your new bswap16 file but I'll get back to you on how it'll go later in the day. It might just be my underpowered notebook too...
 
For kernels newer than those in 19.3, after unpacking the archive with the module source, delete the default Makefile and rename "Makefile (alt)" to "Makefile". Be sure You don't have a space in any folder name at any level above the source (for some reason this is important now; on earlier Mints it wasn't). Be sure You have installed build-essential and linux-headers matching Your kernel. In Terminal, go to the source dir and just type make (or sudo make, I don't remember). After a few seconds, the compiled "bswap16.ko" should appear in the source dir. On Mint 19.2 or 19.3 You shouldn't experience any problems.

And of course we are talking about "bswap16-ecb v1.1", not "bswap16-nbd" or dm-bswap16, which are obsolete now and cannot be compiled without changes in the code. ;)

If You are still struggling with compiling, use a live distribution and already compiled kernel modules (You will find them spread across attachments in this thread, just like the one for Mint 20.0).
 
...After many days of messing about with update kernels, builds and messing about file orders....I just grabbed a usb pen drive to load live distribution with your bswap16 for 5.4.0.26 and finally got farther!

...only to hit another stump....

When using cryptsetup, it keeps stating "Cannot read requested amount of data". It's for a PHAT NOR system that's defined by 192 so not sure if my syntax is just wrong but the line is as follows:

>cryptsetup create -c aes-cbc-null -d /home/mint/PS3/ata_key.bin -s 192 ps3hdd /dev/mapper/ps3hdd-bs
>Cannot read requested amount of data
Hard drive from a CECHP01 unit.
 
@Hellion75 So may I assume that, so far, You know which /dev/sdx is Your PS3 HDD (sda, sdb, sdc, etc.)? ;)
  1. What does "lsmod | grep bswap" return to You?
  2. What does "lsblk -b /dev/sdx" return to You?
  3. What does "lsblk -b /dev/mapper/ps3hdd-bs" return to You?
  4. What does "hexdump -C /dev/sdx | head -8" display to You?
  5. What does "hexdump -C /dev/mapper/ps3hdd-bs | head -8" display to You?
You can freely paste this data as text or an image; it doesn't contain any private information.

cannot read requested amount of data

It means that it cannot create "/dev/mapper/ps3hdd" because "/dev/mapper/ps3hdd-bs" doesn't exist. So for now it looks to me like You didn't create this mapper in one of the first tutorial steps. But answer the above questions anyway. ;]

Maybe You didn't read the full tutorial in PDF (in one of the latest comments there is an English translation available, prepared by one of the readers) but the Quick Guide in TXT, and You were misled by the "/dev/loop1" string, thinking that this line is not needed in Your case. Wrong, it is mandatory. If You do not use a disk image attached as a loop device, then replace it with sdx (sda, sdb, sdc, whatever matches Your real PS3 HDD). The Quick Guide is for people with some Linux experience, because they don't need a detailed tutorial, as for them it is sufficient to look only at the voodoo to be typed in the terminal. ;) The Quick Guide is definitely not for Linux newcomers. ^^
 
I think I pinned it correctly? I'm reading the full translated guide but in any case, the following was what I have for those command lines.

root@mint:/home/mint# cryptsetup create -c aes-cbc-null -d /home/mint/PS3/ata_key.bin -s 192 ps3hdd /dev/mapper/ps3hdd-bs
Cannot read requested amount of data.

root@mint:/home/mint# lsmod | grep bswap
bswap16 16384 1

root@mint:/home/mint# lsblk -b /dev/sdd
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdd 8:48 0 500107862016 0 disk
└─ps3hdd-bs 253:0 0 500107862016 0 crypt

root@mint:/home/mint# lsblk -b /dev/mapper/ps3hdd-bs
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
ps3hdd-bs 253:0 0 500107862016 0 crypt

root@mint:/home/mint# hexdump -C /dev/sdd | head -8
00000000 9d 7d df ec 5a b9 50 89 ce f1 13 80 97 cb 53 06 |.}..Z.P.......S.|
00000010 dd 48 36 d7 65 9d 53 34 22 d3 b4 9e a9 90 a8 26 |.H6.e.S4"......&|
00000020 ea 60 80 d5 93 95 31 a1 a5 49 39 fa b1 0a fb 8f |.`....1..I9.....|
00000030 b3 d1 8a 9d fd 37 2e 83 84 ee ab 2f d6 66 28 39 |.....7...../.f(9|
00000040 51 73 91 2d 18 d6 4f dc 58 92 fe dd 4e 71 26 52 |Qs.-..O.X...Nq&R|
00000050 36 55 b5 83 8b 76 ab 2e c4 72 b0 fa e2 12 4f 3f |6U...v...r....O?|
00000060 d1 ac 42 a4 74 27 77 bc ba 20 e8 54 ea 54 6b b1 |..B.t'w.. .T.Tk.|
00000070 db 60 cf 57 a8 3b 35 e1 51 63 0a 1a 1c 94 fe e4 |.`.W.;5.Qc......|

root@mint:/home/mint# hexdump -C /dev/mapper/ps3hdd-bs | head -8
00000000 7d 9d ec df b9 5a 89 50 f1 ce 80 13 cb 97 06 53 |}....Z.P.......S|
00000010 48 dd d7 36 9d 65 34 53 d3 22 9e b4 90 a9 26 a8 |H..6.e4S."....&.|
00000020 60 ea d5 80 95 93 a1 31 49 a5 fa 39 0a b1 8f fb |`......1I..9....|
00000030 d1 b3 9d 8a 37 fd 83 2e ee 84 2f ab 66 d6 39 28 |....7...../.f.9(|
00000040 73 51 2d 91 d6 18 dc 4f 92 58 dd fe 71 4e 52 26 |sQ-....O.X..qNR&|
00000050 55 36 83 b5 76 8b 2e ab 72 c4 fa b0 12 e2 3f 4f |U6..v...r.....?O|
00000060 ac d1 a4 42 27 74 bc 77 20 ba 54 e8 54 ea b1 6b |...B't.w .T.T..k|
00000070 60 db 57 cf 3b a8 e1 35 63 51 1a 0a 94 1c e4 fe |`.W.;..5cQ......|
root@mint:/home/mint#

I didn't use losetup loop1 since it said it was only for image files and I'm physically connecting a hard drive through SATA or usb. If I do need that /dev/loop1 string, when was I supposed to include that? Before defining the cryptsetup or...much earlier? (X_X)
 
To me it looks like You did everything fully properly (all data returned looks how it should). I don't see any reason why it doesn't allow You to create "/dev/mapper/ps3hdd".

Are You sure You have "ata_key.bin" in the "PS3" folder (in the tutorial it is "ps3", so if You choose to use "PS3" You must remember to always put it in upper case)? This is the direct path to Your key file. In this step a mapper is created on which the PS3 HDD is decrypted by exactly this key and the chosen algorithm.

Or maybe the Ubuntu or dmcrypt authors have banned AES-CBC-192 as it is not secure currently? Mint is based on Ubuntu. Try with XTS as for Slims (it will not decrypt anything of course, as this is the wrong algo for Your PS3, but this could prove a lack of CBC support if the mapper is created).

Could You try repeating the procedure on Mint 19.3? I know it's painfully time consuming but nothing else comes to my mind now.

Here is bs16ecb with compiled modules for various default Mint kernels:
https://www.sendspace.com/file/w0m50r


BTW: If You only want to read data from the user partition, use HDD Reader (for Linux or Windows). It handles the PS3 HDD by itself and needs only the EID Root Key.

I didn't use losetup loop1 since it said it was only for image files and I'm physically connecting a hard drive through SATA or usb. If I do need that /dev/loop1 string, when was I supposed to include that? Before defining the cryptsetup or...much earlier? (X_X)

You don't need a loop device and You read about it properly. Since most people are lazy, I assumed that You had just grabbed the quick guide and didn't fully understand what You were doing. I'm sorry for that, but this happens often. ;)
 
Are You sure You have "ata_key.bin" in "PS3" folder (in tutorial is "ps3", so if You choose to use "PS3" You must remember to always put)?

My main folder for the mount points was named "PS3" rather than "ps3" in the tutorial. Last minute change I know....

I'll make some more live media drives and try out 19.3. I wanted to confirm though, at this point will I still need to unmount the drive as stated in the end of the tutorial? Since nothing was mounted, I was just going to unplug it but if bswap is mounting something in order to read the data, should I somehow undo that process or is it safe to just shut down terminal and leave it as is?
 
You didn't mount anything, so in theory no, but it will be safer to remove the mapper and after that turn the computer off or detach the USB device (SATA is not hot swap, as I remember). You don't need to remove the kernel module from memory; it is used only by dmcrypt as an "algorithm source".

The last thing which comes to my mind: how long is ata_key.bin? If You run the keygen and choose the proper model type, it should be ok, but who knows. Also, could You run the check environment option in the keygen? It will show You if the key transformation is going properly.
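
Added example (not part of the thread and not the tutorial author's code): the two checks discussed above as a shell pre-flight, namely that the key file holds at least the `-s` bits / 8 bytes that cryptsetup reads from it, and that the first bytes of the bswap mapper are the 16-bit byte swap of the raw disk, as in the hexdumps posted earlier. The function names and the `preflight.sh` file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical preflight.sh), not code from the tutorial.
# Usage: sh preflight.sh KEYFILE BITS RAW_DEVICE BSWAP_MAPPER

# keyfile_ok KEYFILE BITS: succeed when KEYFILE holds at least BITS/8 bytes,
# the amount cryptsetup reads from the -d file for a given -s value.
keyfile_ok() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    want=$(($2 / 8))
    have=$(wc -c < "$1" | tr -d ' ')
    if [ "$have" -lt "$want" ]; then
        echo "$1: $have bytes, but -s $2 needs $want" >&2
        return 1
    fi
}

# first_hex SRC COUNT: first COUNT bytes of a file or block device as hex.
first_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# swap16_hex HEX: swap the two bytes of every 16-bit word in a hex string.
swap16_hex() {
    printf '%s\n' "$1" | sed 's/\(..\)\(..\)/\2\1/g'
}

# bswap_ok RAW MAPPED: succeed when the first 16 bytes of MAPPED are the
# byte-swapped first 16 bytes of RAW (what the bswap16 mapper should show).
# Returns 2 when either side could not be read in full.
bswap_ok() {
    raw=$(first_hex "$1" 16)
    mapped=$(first_hex "$2" 16)
    [ "${#raw}" -eq 32 ] && [ "${#mapped}" -eq 32 ] || return 2
    [ "$(swap16_hex "$raw")" = "$mapped" ]
}

if [ "$#" -eq 4 ]; then
    keyfile_ok "$1" "$2" && bswap_ok "$3" "$4" && echo "pre-flight checks passed"
fi
```
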
 
Berion! You're amazing! You were right, my ATA_key WAS bad! When I dumped my EID_root_key, I didn't really bother checking for any errors and the key generator said that my key was named differently and changed it for me (with an emoticon to add salt on the wound).

Anyways, after triple checking both the ATA_key and vflash_key files, I was able to read most of the drive...One more hurdle if you mind me asking...when I mount "ps3hdd2" as a ufs2 filetype to my "dev_hdd0" folder, an error line returns saying:

>wrong fs type, bad option, bad superblock on /dev/mapper/ps3hdd2, missing codepage or helper program, or other error

I...hope this isn't a bad sign...I took another reformatted hard drive with the same PS3 unit and I was able to detect, decrypt and mount the ufs2 file system, read dev_hdd0 as a folder and find the main data for it...along with all the other partitions...my gut feeling is telling me the worst case scenario but if anyone can advise me what to do, I'd appreciate it...maybe if there's a ufs2 fsck function I could run as someone mentioned earlier but if I can't mount it while both decryption methods are in use, is there another way?

Sorry for the late reply btw...
 
Unfortunately, this is a very bad sign. ;) It means that the UFS2 super block is damaged; also, You cannot repair it on a PC (lack of tools; for some reason even FreeBSD family systems don't want to mount it, so it looks like it is not standard UFS2 and/or there are problems with mappers exposed as disks in virtual machines). I see three roads from here:
  • Take this HDD to the PS3 and, in XMB (if You are ever allowed to boot normally without a format), just turn it off by cutting power (warning: risk of potential further damage). This will force the PS3 to perform a mandatory file system check and rebuild the database on next boot.
  • Or You can make a decrypted image of this partition alone and try to recover data with any tools which read UFS family file systems (not all work on mappers, and not all accept loops, so in the worst case You could write it as a disk image to some real device).
  • Or You can make a whole disk image, format the drive on the PS3, extract the super block, inject it into the disk image, and test the image to see if this helps. Very time consuming due to disk image creation.
Copying the decrypted and byte-swapped UFS2 partition:
Code:
dd if=/dev/mapper/ps3hdd2 of=/home/mint/PS3/ufs2.raw bs=32M status=progress

Sorry for the late reply btw...
My autism gave me a good memory, so don't worry, You could answer years later and with high probability I would still remember. ;p
 
You can make disk whole image, format drive on PS3, extract super block, inject it to disk image, test image if this help. Very time consuming due to disk image creation.

I know I'm beating a dead horse but I wanted to ask how the UFS2 byte location file works in linux? (The .sh file in your first post). Does it require the UFS2 partition to be mounted in order for it to work? Any file extraction and inject applications you recommend once I have image files of my hard drive?

Unfortunately, I tried pretty much every other official method at this point such as restoring file system, rebuilding databases and all. The main issue is that it froze when it was checking and restoring the file system after it either crashed or overheated (It's an older phat unit showing both signs of capacitor wear and overheating) and I was trying different games on OFW to pinpoint and see if it was actually overheating or just drawing too much power. I know it was a stupid idea but I was so used to the restore file system function working and doing its thing every time it crashed that when it all of a sudden stopped and wouldn't recover, I thought it wouldn't be a big deal until it just asks to reformat the whole drive...
 
