PS3 IDPS Viewer Tool Homebrew Application is Released


108w ago - It's been awhile since the last IDPS update, and today I've created this PS3 IDPS Viewer homebrew application based on research I'm doing and had not planned to release the tool out yet, but if someone needs it here it is (Thanks to J-Martin for the logo).

Download: PS3 IDPS Viewer Homebrew Application / PS3 IDPS Viewer Homebrew Application (USB)

What does this tool?

  • Displays the IDPS
  • Shows Target ID
  • Displays Motherboard revision
  • Save your IDPS in IDPS.bin file

Note: THIS TOOL IS SAFE

When the program starts you will see the typical intro screen, if you choose "Yes" you will see the data from your PS3, if sounds three beeps indicates that it was not possible dump and show the error message, and if all went well sounds a beep and you are able to see the data.

Automatically saves the IDPS in dev_hdd0/IDPS.bin, you must open it with a hex editor and look hexadecimal values, for example (IDPS false, I will not reveal my IDPS):

e.g Notepad

Hex Editor

The IDPS in this case would be: 00 00 00 01 00 85 00 May 87 47 64 15 A4 F6 4D AA

It has been tested on PS3 FAT, SLIM should work perfectly in also.

Regards

Finally, in related news PlayStation 3 developer naehrwert has recently blogged (nwert.wordpress.com/2011/12/24/individual-infos/) about PS3 Individual Infos, to quote:

One of the PS3′s console specific cryptography works as follows:

At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 0x00000.

That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID. But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections.

And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.

But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack.

So far I can decrypt some of EID0′s sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0′s but I lack the generation keys for that one.






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 40 Comments - Go to Forum Thread »

Quick Reply Quick Reply

scousetomo's Avatar
#40 - scousetomo - 27w ago
i've got a working ps3 id, is there any tool available to use without a flasher? i'm on harib 4.50 cfw now on a banned slim but the id off a fat unbanned one

zant's Avatar
#39 - zant - 28w ago
Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.

JAYRIDER666's Avatar
#38 - JAYRIDER666 - 28w ago
i tried but ps nope 1.05 don't work on my rogero 4.46

dyceast's Avatar
#37 - dyceast - 28w ago
PSNope 1.05 is all you need.

JAYRIDER666's Avatar
#36 - JAYRIDER666 - 28w ago
I have a working idps but i have no program to put this to my ps3 cfw rogero 4.46 do anyone can help?

Also below is some VTRM crypto and Blu-ray playback from zecoxao, as follows:

This is already known info but i figured i'd make it into a nice post so let's start.

There are two VTRM blocks at the flash. Each block corresponds to each ros. Essentially one VTRM is a backup of the other.

Inside the VTRM block there are encrypted blocks. there might be 4,5,6,etc blocks. The reason why the number of blocks changes we don't know. The blocks have a size of 0x40 bytes.

There are two ways to decrypt the blocks: using aes-xts and sherwood_ss_seed and ss_seed_one more OR(recomended) using aes cbc and keyseed_for_srk2.

Method is the following:

First, encrypt root key with sc_iso metadata seeds. key is at 0x20, size 0x10, iv is at 0x10. then, encrypt (pick one) either sherwood_ss_seed(for data) and ss_seed_one_more(for tweak) or keyseed_for_srk2(this is a string used as a seed) with aes cbc-128 for block key (iv is 0).

After obtaining the data and tweak keys (or the block key) use the keys and decrypt each block.

Most of the blocks contain nothing inside, except for the very first one.

First block contains a hash of DRL (0x14 bytes) followed by a hash of CRL(0x14 bytes) in sha1 format. If you just remarried your console, you can fix bluray playback by replacing the hashes there with the ones you currently have.

There's another set of hashes in plain sight, and they're probably all sha1. First hash is repeated in a set of patterns. second hash is cleverly hidden among the patterns, and third hash is at the VTRM header. Corruption of these hashes is very likely to cause RSOD. There has been a debate wether replacing a corrupted hash with another equal hash would be advisable ( it fixes the RSOD error, but we don't know the direct consequences of this)

Oh, forgot the link to glevand's mastery: psdevwiki.com/ps3/Fixing_DRL_and_CRL_Hashes

I i just had a word with flatz.. two of the 3 hashes can be calculated already:

Empty sector:

User i asked you about the method to dump srk and srh, but unfortunately, even with your help, i wasn't able to dump the data. running the code with your pokes hangs at a black screen. if you're interested in sharing that package to dump srk and srh that would be very cool of you

From u$er: the prx has been tested on 446 dex in debug mode. it should work on cex as well, but you won't see any result... just connect to port 4546 and type "dumpsrk".

Download: test.sprx (load with prx loader) / pastie.org/private/kfbm2w1dzjddczxvdonba (src)

it should look like this:

From zecoxao: Thanks u$er. i got the encrypted srk, srh, and something else

Alright, here's the structure of the decrypted data (i'm going to upload the algorithm to generate the backup key and iv to decrypt the data using aes-cbc to my decrypt_tools)

First 0x10 bytes of data are unknown. we don't know what they are basically then comes srh, then srk and finally a padding of 8 zeroes. I've verified this myself

Now what's left to analyze are those 0x10 bytes. flatz wondered if they could be any master key, but i highly doubt it. either way, it's worth checking it out.

Edit: srh is the hash of the signature table (the giant table with the repeated hashes and the hidden one) hashed with srk key

Edit2: header hash is just a hmac sha1 of hmac sha1 of vtrm section without header (0x28 bytes) and signature table (again, with srk key, hashed twice)

More info from flatz:

syscon data (total size: 0x400 bytes) includes:

management block:
0x00 - syscon state/status (0x10 bytes with padding)

root info block:
0x10 - key (0x10 bytes)
0x20-0x34 - srh (0x14 bytes)
0x34-0x48 - srk (0x14 bytes)
0x48-0x50 - padding

???:
0x50-0x80: encrypted stuff (???)

updater block/region data block:
0x80-0x380 - system version, coreos hashes (?), etc
each block have a size of 0x30 bytes (?)













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News