90w ago - Following up on his previous revision, today PlayStation 3 developer naehrwert has updated PS3 SCETool v0.2.5 which utilizes metadata information for decryption among the changes outlined below.
USAGE: scetool [options] command
COMMANDS Parameters Explanation
-h, --help Print this help.
-k, --print-keys List keys.
-i, --print-infos file_in Print SCE file info.
-d, --decrypt file_in file_out Decrypt/dump SCE file.
-e, --encrypt file_in file_out Encrypt/create SCE file.
OPTIONS Possible Values Explanation
-v, --verbose Enable verbose output.
-r, --raw Enable raw value output.
-0, --sce-type SELF/RVK/PKG/SPP SCE File Type
-1, --compress-data TRUE/FALSE(default) Whether to compress data or not.
-2, --key-revision e.g. 00,01,...,0A,... Key Revision
-m, --meta-info Use provided meta info to decrypt.
-3, --self-auth-id e.g. 1010000001000003 Auth ID
-4, --self-vendor-id e.g. 01000002 Vendor ID
-5, --self-type LV0/LV1/LV2/APP/ISO/
LDR/NPDRM SELF Type
-6, --self-fw-version e.g. 0003004100000000 Firmware Version
-7, --self-add-shdrs TRUE(default)/FALSE Whether to add ELF shdrs or not.
-8, --self-ctrl-flags Override control flags.
-9, --self-cap-flags Override capability flags.
-b, --np-license-type FREE License Type
-c, --np-app-type SPRX/EXEC/UPDATE App Type
-f, --np-content-id Content ID
-g, --np-real-fname e.g. EBOOT.BIN Real Filename
-j, --np-add-sig TRUE/FALSE(default) Whether to add a NP sig. or not.
Added option to use provided metadata info for decryption.
"PS3" path environment variable will now be searched for keys/ldr_curves/vsh_curves too.
Added option to display raw values.
Moved factory Auth-IDs to (as they are on ps3devwiki now).
Added options to override control/capability flags (32 bytes each).
Fixed where a false keyset would crash scetool when decrypting a file.
Some source level changes and optimizations.
zlib is required to use scetool.
'sdk_type' was changed to 'revision' in data/keys.
Greetings to: you know who you are!
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Here are a few quick updates from naehrwert (twitter.com/naehrwert) for those following:
haha just figured the eid3 algo, nice!
KaKaRoToKS and I added basic NPDRM support to scetool
SELF generation works now for SPU and PPU, except for compressing the data and NPDRM
added SPU SELF generation to scetool
Also from his site: nwert.wordpress.com/2011/12/24/individual-infos/
One of the PS3′s console specific cryptography works as follows:
At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 0×00000. That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID.
But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections. And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.
But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack. So far I can decrypt some of EID0′s sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0′s but I lack the generation keys for that one.