PS3 HDD Decryption PoC From a PC By Flat_z and Glevand Arrives

128w ago - Following up on the previous work by PlayStation 3 developer Graf Chokolo, today naehrwert has announced news of a PS3 HDD decryption proof-of-concept (PoC) from a PC as a result of reverse-engineering work done by flat_z and glevand.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror)

Below are the details (via ps3devwiki.com/wiki/HDD_Encryption), to quote:

Introduction

  • The following information was reverse engineered from LV1, Storage Manager in LPAR1 and sb_iso_spu_module.self.
  • I'm able to decrypt/encrypt my PS3 HDD and VFLASH on PC now.

HDD Encryption

  • XTS-AES-128 is used to encrypt all data on PS3 HDD.
  • XTS is NOT CBC!!! It's AES-ECB with tweak XORing. AES-CBC is impractical for HDD encryption. Each sector can be encrypted/decrypted independently from other HDD sectors.
  • Good paper about XTS-AES: ntnu.diva-portal.org/smash/get/diva2:347753/FULLTEXT01
  • VFLASH is encrypted twice. First with ENCDEC keys and then with ATA keys.
  • Tweak and data XTS keys are of size 32 bytes but only the first 16 bytes are used.
  • You can set and clear ATA keys with my Linux ps3encdec device driver which I use to test HDD/VFLASH encryption. But be careful, never set/clear ATA keys while some HDD regions/partitions are mounted !!! You will corrupt your data on your HDD !!!

Dumping ATA Keys

  • I modified sb_iso_spu_module.self to dump ATA keys.
  • ATA keys are passed as parameters to sb_iso_spu_module.self.

Program

My SPU program to dump ATA tweak and data XTS keys to PPU memory with spuisofs:

[Register or Login to view code]

pastie.org/4503109

Result

[Register or Login to view code]

Test

  • To test your ATA XTS tweak and data keys, you need encrypted HDD sectors. You can either connect your HDD to PC and dump it or use my ps3vuart-tools on Linux and clear ATA keys and then dump it from ps3da. I tried both methods. But make sure you unmount all HDD regions before using ps3vuart-tools to clear your ATA keys.
  • I coded a small application which implements XTS-AES encryption/decryption. The XTS-AES paper is a good reference on how to implement it.
  • You have to pass the correct sector number in order to get correct results.
  • As you see below in my examples, I pass sector number 0 and sector 8 for VFLASH because VFLASH begins at sector 8 on HDD.
  • Another interesting fact is that you have to swap half-words after encrypting and before decrypting HDD sectors else you will get wrong results. This swapping is not necessary for VFLASH sectors.
  • Another note is that you have to decrypt VFLASH sectors with ATA keys first and then with ENCDEC keys.

Result with 1st encrypted sector from HDD:

[Register or Login to view code]

Dumping ENCDEC Keys

  • VFLASH is encrypted twice. First with ENCDEC keys and then with ATA keys.
  • You cannot dump ENCDEC keys with sb_iso_spu_module.self. They are set in lv1ldr only (see here: gitorious.ps3dev.net/reversing/lv1ldr/trees/master).
  • I used a modified lv1ldr with my Linux spuldrfs driver and dumped ENCDEC keys.
  • XTS-AES-128 with 128bit tweak key and 128bit data key, just like ATA keys.
  • ENCDEC tweak and data keys are passed to lv1ldr NOT in clear text.
  • ENCDEC keys are computed by lv1ldr with AES-CBC-256 by encrypting 32byte seeds.
  • metldr passes to lv1ldr AES-CBC-256 IV and key which are used to compute ENCDEC keys.
  • I tested my ENCDEC keys with my ps3encdec Linux driver and set them again, and VFLASH was still working fine. As soon as I changed some bits in these keys, VFLASH could not be decrypted properly anymore. It means the keys are correct.

ENCDEC Key Seeds

  • Use the dumped ENCDEC IV and key to encrypt these seeds and you will get your ENCDEC keys for VFLASH.
  • You can find these seeds in lv1ldr.

Data key seed:

[Register or Login to view code]

Tweak key seed:

[Register or Login to view code]

Program

Here is my SPU program which i used to dump ENCDEC keys:

[Register or Login to view code]

pastie.org/4503119

Result

  • Test run with spuldrfs on Linux 3.5.1

[Register or Login to view code]

Test

  • To test your ENCDEC XTS tweak and data keys, you need encrypted VFLASH sectors. You can dump it from ps3da starting with sector 8.
  • You have to pass the correct sector number in order to get correct results.
  • As you see below in my examples, I pass sector 8 for VFLASH because VFLASH begins at sector 8 on HDD.
  • The input sector was already decrypted with ATA keys.

Result with 1st encrypted sector from VFLASH:

[Register or Login to view code]
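As an added illustration of the XTS-AES-128 sector scheme described in the HDD Encryption and Test notes above (example code written for this page, not graf's tool or the wiki's code): it encrypts or decrypts one whole sector with the sector number as the 128-bit tweak, using only the first 16 bytes of each dumped key, and includes the half-word swap, which is assumed here to mean exchanging the two bytes of each 16-bit unit. Keys and sector contents are constructed placeholders, and the "AES-ECB with tweak XORing" comment on each block shows why every sector is independent of its neighbours.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// swapHalfwords swaps the two bytes of each 16-bit half-word in place (assumed meaning of the note).
func swapHalfwords(b []byte) {
	for i := 0; i+1 < len(b); i += 2 {
		b[i], b[i+1] = b[i+1], b[i]
	}
}

// xtsSector encrypts (decrypt=false) or decrypts one whole sector with XTS-AES-128.
// dataKey/tweakKey are the first 16 bytes of the dumped 32-byte keys; the tweak is
// the little-endian sector number, so each sector stands alone (no CBC chaining).
func xtsSector(dataKey, tweakKey []byte, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(dataKey) != 16 || len(tweakKey) != 16 || len(in) == 0 || len(in)%16 != 0 {
		return nil, fmt.Errorf("need two 16-byte keys and a non-empty multiple of 16 bytes")
	}
	kData, _ := aes.NewCipher(dataKey) // cannot fail after the length checks
	kTweak, _ := aes.NewCipher(tweakKey)
	t := make([]byte, 16) // T = AES_tweakKey(sector); T *= alpha after every block
	binary.LittleEndian.PutUint64(t, sector)
	kTweak.Encrypt(t, t)
	out, blk := make([]byte, len(in)), make([]byte, 16)
	for i := 0; i < len(in); i += 16 {
		for j := range blk { blk[j] = in[i+j] ^ t[j] } // XOR tweak in
		if decrypt {
			kData.Decrypt(blk, blk) // single-block AES (ECB); only the direction differs
		} else {
			kData.Encrypt(blk, blk)
		}
		for j := range blk { out[i+j] = blk[j] ^ t[j] } // XOR tweak out
		var carry byte // T = T * x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1
		for j := range t {
			t[j], carry = t[j]<<1|carry, t[j]>>7
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	return out, nil
}
func main() {
	ct, _ := xtsSector(make([]byte, 16), make([]byte, 16), 8, make([]byte, 512), false) // constructed zero keys, zero sector 8
	fmt.Printf("first ciphertext block: %x\n", ct[:16])
}
```

For a VFLASH sector the same function is applied twice in the order the notes give: first with the ATA keys, then with the ENCDEC keys, both with the absolute HDD sector number.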

Finally, from KDSBest: The keys are on the wiki, why not expose them in your source code, naehrwert? The key generation algo is nearly the same as the eid0 key generation algo: seed AES-encrypted with the EID root key.

[Register or Login to view code]


I dunno if this works, only an idea of a bored man.

[Register or Login to view code]

Should read the address in lv2 for you. Can someone with a PS3 try this... I dunno if I can write the SPRG0 with mtspr, but if that is possible you can dump lv2 with this on 3.55. I don't think Sony changed this syscall on higher FWs.


Comments
#25 - barrybarryk - 201w ago
you do realise they're suing him for circulating copyrighted material (PSN Eboots) and encouraging others to do the same.

It's to deter him and anyone else from working on the NPDRM encryption and activation techniques.

So in all likelihood he's probably still working on it (HV hacking and Linux on PS3) because it has absolutely nothing to do with his lawsuit.

#24 - GotNoUsername - 201w ago
Some legal info from good old Germany, Graf still develops because:

1. If you break a security system here just for research, with no real damage done to society and without endangering it, even if it is forbidden you just get a slap on your fingers! Likely a fine like 20 days * 20 (but it depends) = 200€, but not too much under the criminal law (you can also convert it into jail time if you want). Our criminal law is mostly there to protect society.

2. Then there is the private law with its compensation (for damages), and here it gets complicated: the caused damage has to be directly causally linked to the person and action, and here Sony has to prove it; they also have to prove the amount of damage to be causally linked. And even if you succeed in doing so, it is often restricted by the court to a certain level.

This causal link stuff is very strict here in Germany and I really doubt Sony can link him to much damage at all; therefore they wanted his HDDs. I think Sony here demands the 1.000.000€ (I doubt they will get that much at all).

3. They also could try to establish a kind of pre-contract or contract between him and Sony (as far as I know that's the way they use in the US, I don't know if it is mandatory), but this is nearly impossible by German law, only if certain conditions are met (they are strict and plenty) and I haven't noticed one.

4. And even if you win you only get the right to get your money if the person has it (if not you will get a part of his wage every month until he has paid); here a certain amount of money is safe from government and law.

5. About the seizure thing and if you are allowed to rebuy e.g. a PS3, I don't know. I only know it for PCs and you are allowed!

#23 - PS3 News - 201w ago
I have promoted the news to the main page now and +Rep for submitting it SinnerShanky.

#22 - SinnerShanky - 201w ago
Recently Graf_Chokolo revealed that he is working on a PS3 3.55 HV CFW, which will have dual boot Linux built in.

To quote from Dukio: I plan to implement dual boot feature in HV, just like I did on my PS3 3.41, and you can boot with it either gameos or linux or some other system like freebsd. You won't need any bootos on gameos for that. I will also patch HV and enable more features.

I will do it on PS3 slim, first I will resize HDD and add a partition for Linux there.

Expect more features coming in as the HV patching continues. Oh, and he is working on a 3.55 FW only at the moment, although it is possible on the newer firmware versions according to graf.

Now for 3.55; on other versions offsets are different, so the code is the same but the offsets to patch are different.

When asked about the progress of his lawsuit and if he requires more legal funds, graf_chokolo had this to say:

It's very slow, for now it’s enough i think, thanks.

I have no huge news yet regarding lawsuit but soon I think I will have.


#21 - xUb3rn00dlEx - 201w ago
Quote originally posted by zideeq:
It's like having your property seized for serious accusations put forward with warrants.

If my PS3 was seized because I was doing some credit card fraud like stealing PSN accounts or whatever I wouldn't be allowed to buy another PS3 or even have access to it, even if it isn't mine!

If he is, he's violating the court order which results in a penalty and in this case, a severe one..


Thank you for the info. But I'm still curious if Sony really flat out barred him from touching another PS3. How would they be able to track it? What if he just went over a friends house who happened to have a PS3, would they come busting in all guns blazing?

#20 - zideeq - 201w ago
It's like having your property seized for serious accusations put forward with warrants.

If my PS3 was seized because I was doing some credit card fraud like stealing PSN accounts or whatever I wouldn't be allowed to buy another PS3 or even have access to it, even if it isn't mine!

If he is, he's violating the court order which results in a penalty and in this case, a severe one..

#19 - xUb3rn00dlEx - 201w ago
Just a question. Why doesn't Graf have a PS3? I know they seized his during the raid, but is there a court order preventing him from buying/ possessing one now?

#18 - jarvis - 201w ago
Awesome progress, terrific work graf! I wouldn't worry about a 3.61 or whatever patch. Those who are in the know already are not going to move past 3.55. It would probably be a requirement to set up a dual boot system. That really would be the best of both worlds.

CFW so we can do what we want while offline (I really only want to run emulators) and an unmodified partition so Sony doesn't wet their pants. One can dream...

#17 - ijuakos - 201w ago
Coming soon on the news page: Sony releases update 3.61. No added features, just a "security update".

#16 - replar - 201w ago
His attitude is a perfect example for 1 other developer...
