Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z

98w ago - Following up on the previous updates, today PlayStation 3 developer Flat_z has revealed the Sony PlayStation 2 (PS2) Classics algorithm with details below.

Download: [Register or Login to view links]

To quote: Ok, guys. Unfortunately I am forced to admit that I have no more time to work on PS3 stuff because I've been very busy lately. So I decided to publish all information related to PS2 classics, as JuanNadie did with the NPDRM algorithm one year ago.

Firstly I wanted to say that he was the first to start reverse-engineering this subject, and when he left the scene I decided to continue his work to keep it from going to waste. So I would like to thank JuanNadie for his amazing contribution to the PS3 scene. Besides that, he gave me some pieces of information on the subject.

[Register or Login to view code]

All PS2 classics run within ps2_netemu.self, which is a different kernel for executing these PS2 games, but before it starts the VSH module loads your individual PSN/SEN data (such as act.dat and the .rif file for your game). It is exactly the same process as used for usual PSN games, and its goal is getting the key used for decryption of the PS2 content, which consists of an optional CONFIG file, ISO.BIN.EDAT and ISO.BIN.ENC.

The last one is the actual encrypted disc image of the game. All mentioned files are encrypted with the same key (called klicensee), which is stored in encrypted form inside the .rif file for your game and is decrypted with the specified key from the key table stored in act.dat. When you get this key you can decrypt ISO.BIN.EDAT and see if it contains a game title (for example, SLUS-20062 for GTA 3). This will mean that the key is correct. Since almost all the information regarding EDATs is known (see ps3devwiki.com/wiki/Talk:EDAT_files and ps3devwiki.com/wiki/Talk:NPDRM_Selfs) I am not going to explain it again.

Well, now there are two other formats along with EDAT. Let's call the first one ENC (it represents the actual disc image) and the second VME (encrypted virtual memory cards). They are encrypted using different algorithms. The ENC format is similar to EDAT, and the VME format has a simple encryption layer.

As I said before, the ENC file is similar to EDAT: it has a header like EDAT's (but with a different magic) and is composed of segments of 16384 bytes each (you can see it in the header). Just to remind you, the file header consists of the file magic (PS2\x00), version number (major and minor: 01.01), license type (always 0x02), application type (0x01), content id, QA digest (seems to be a SHA-1 hash of the non-finalized file generated using the tool from the SDK), CID-FN hash (an AES CMAC hash of the concatenation of content id and file name, using the third NPDRM OMAC key as the CMAC key), header hash (an AES CMAC hash of the first 0x60 bytes of the file, using the XORed bytes of the first NPDRM OMAC key and the second NPDRM OMAC key as the CMAC key), time information which includes the start and end time of the validity period (they are usually zeroed; base ticks = 62135596800000000), file flags (always zero), segment size (16384 bytes), data size of the file data, two unknown hashes of 16 bytes each, 40 bytes of unknown data (possibly another unknown signature) and an ECDSA signature pair (40 bytes, using the second VSH curve and the VSH public key).

I also remind you that the two unknown hashes in the EDAT case are known and represent the meta data sections hash and the extended header hash (an AES CMAC hash of the first 160 bytes of the file); both hashes use the hash key as the CMAC key, and it depends on the file flags and keys. I don't know exactly what hashes are there for the ENC format, but when we zeroed them it seemed they are not checked on current firmwares. The file header ends at the offset of 256 bytes.

Segments are divided into two types: meta data sections and file data sections. Each meta data section can include up to 512 entries of 32 bytes each (16384 / 32 = 512) and is associated with a particular file data section. So if we have a meta data section which consists of 512 entries, it means that there are 512 file data sections after it, each with a size of 16384 bytes.

Besides that, the first meta data segment is located at the offset of 16384 bytes. I don't know what data is stored before it, but we also tried zeroing it (the bytes starting at the offset of 256 bytes and ending at the offset of 16384 bytes) and it works as usual. I guess it can be encrypted garbage, because the alignment of the file data should be equal to the segment size.

Now I will explain what keys are used and how they are obtained. ENC/VME files are decrypted using the ENCDEC device, so the decryption process is much faster than in the EDAT case. VSH checks the files for their validity period, CMAC hashes and ECDSA signature, obtains the key for decryption from the .rif file and makes system call #475 to LV2 (on older firmwares it was #471) along with the NPDRM information, klicensee, act.dat key and encrypted rif key. LV2 gets your console ID, encrypts the NPDRM constant using it as a key, decrypts the key from act.dat using the encrypted NPDRM constant and finally decrypts the klicensee from .rif using the decrypted key from act.dat. Now we have a klicensee which will be used for the later decryption process.

In the EDAT case we can use free EDATs without a .rif, but for PS2 classics we should always use paid content and a .rif file. So if you want to resign the game you need to generate a .rif for the account on your console (I call this process "personalization"). Don't forget that the .rif file should be created for your act.dat (because it shares the account id) and console ID. Let's move on. When the PS3 gets the final decryption key it sends a packet to the system manager inside LV1, which sets the inter-lpar parameter of type 3.

This parameter contains version information and the klicensee. The system manager catches this packet and sends a request to the storage manager inside SS server #1, which then configures the ENCDEC keys used for later decryption. It should be kept in mind that the keys for decryption differ between CEX and DEX consoles, so the storage manager checks the device type and uses different key slots for ENCDEC.

The configuration process starts with running the isolated SPU SB module, which creates the final keys using the klicensee as a key seed and sends them back to the PPU, which then sends them to the device directly during the secure session. There are three types of keys: meta key, data key and vmc key, and they are configured separately. The process of making the keys consists of applying the AES 128 algorithm to the klicensee while using three different keys.

There are SHA-1 hashes of each of the three keys (you should decrypt sb_iso_spu_module.self from 4.xx FW and find each 16-byte key by its SHA-1 hash):

For CEX mode:

[Register or Login to view code]

For DEX mode (you don't actually need it, but anyway):

[Register or Login to view code]

Now we have all the keys required to decrypt all files. So what else should we know?

ENC encryption uses the AES algorithm in CBC mode with an initialization vector of all zeros. The actual process of decryption of CONFIG and ISO.BIN.ENC starts with seeking to the offset of 16384 bytes. There is the first meta data section, so we should use the meta key as the key for AES and decrypt the entire segment of 16384 bytes. As I said before, each meta data section consists of some entries, and each entry has a size of 32 bytes. Each entry contains a SHA-1 hash (20 bytes) of the corresponding entire encrypted file data section, and all these sections are located after this meta data section. After the SHA-1 hash we can see the section index of the corresponding file data section (4 bytes).

The rest is padded with zeros. After decryption of the meta data section we can decrypt all file data sections after it. Now we should use the data key! Before the actual decryption we can check the SHA-1 hash of each encrypted file data section and see if it matches the hashes in the entry table of the meta data section. If the actual file size of the disc image is not a multiple of 16384 bytes then we have fewer entries inside the last meta data section.

After we finish the decryption of the first 512 file data sections we can start the decryption of the second meta data section and the set of 512 file data sections after it, and so on. I recommend writing the decrypted meta data entries to a different file than the file data sections. It will make the process much easier. After decryption you should truncate your actual file to the data size specified in the header. Now you have a UDF disc image and you can mount it on your PC, for example.

So what is the next step? The next step is the decryption of the encrypted virtual memory cards. Each PS2 classics package contains two empty encrypted virtual memory cards, located at SCEVMC0.VME and SCEVMC1.VME. As far as I can see they are identical for all games, so we can use templates for all new virtual memory cards and only encrypt them with the new klicensee. To decrypt virtual memory cards you need to read each segment of 16384 bytes and apply AES in CBC mode too, but in this case you should use the VMC key. After decryption you should see "Sony PS2 Memory Card Format 1.2.0.0" at the top of the file.

Well, I attached a draft script for decryption of ENC/VME files. It was written for Python 2.7 and requires the CryptoPlus (can be downloaded from: [Register or Login to view links]) and "ecdsa" (use EasyInstall or another package manager) libraries. I intentionally left all keys as SHA-1 hashes because of legal issues, but you can find all the keys by yourself using my hints. My script takes the CONFIG/ISO.BIN.ENC/SCEVM0.VME/SCEVM1.VME file and the klicensee file as input parameters. I hope that someone will create tools for that.

To use the script you need to create a file named vsh.curves and put the contents of the curve table from VSH in it (get it from ps3devwiki.com/wiki/Keys at vsh pub + curvetable), and replace all hashes of keys with their real values (see FIXME comments). Also replace the three NPDRM OMAC keys and the VSH public key with their values from ps3devwiki.com/wiki/Keys.

I think that the creation of a PS2 remastering tool can lead us to getting fully working games on our consoles, but it requires testing. I recommend creating a static klicensee which can be used to encrypt all images in the same manner (a static klicensee can also be implemented by patching VSH/LV2 at runtime, for example). After generating a klicensee you should create all keys based on it.

To build an encrypted disc image you should dump the original disc image and then append zero bytes to the end to make it a multiple of 16384 bytes. Then you need to encrypt each of the 512 segments using the generated data key. Then you should calculate the SHA-1 hash of each encrypted segment and generate a meta data section from the pairs of segment hash and segment index. After this you need to encrypt the meta data section, and so on. At the end you need to write the original disc image size to the header, write a content id for it and generate the hashes in the file header.

After building the ISO.BIN.ENC file you should create a file with the title id and pad it with zero bytes on the right side to get 12 bytes total. Then you need to create an EDAT container for this file. Hint: you can see the correct title id by mounting the disc image on your PC and looking at its SYSTEM.CNF.

Unfortunately, I didn't have time to see what the CONFIG file does, so I will skip this step. I only know that this file is optional or can be empty inside (after decryption). You are not required (and you simply can't) to generate a valid ECDSA signature for the files, because all custom firmwares are patched to skip the ECDSA check. It would be nice to be able to generate a game package for your PS2 game too, if everything works fine. Remember that some flags in the PS2 pkg format can be different.

Credits to: graf_chokolo, fail0verflow, JuanNadie, ps3dev.net, glevand and all my friends (you know who you are).
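The decryption walk-through above (decrypt a meta data section with the meta key, verify each encrypted data section's SHA-1 and index against its 32-byte entry, then decrypt the section with the data key, repeating per group of 512) and the build procedure (pad the image to a multiple of 16384 bytes, encrypt, hash, fill the meta entries, encrypt the meta section) are both carried out in the added Go example below; it is not Flat_z's Python script or any project code. It covers only the part of the file from the first meta data section onwards, the header is left out, and the keys it uses are constructed 16-byte placeholders, not keys derived from a real klicensee. The byte order of the 4-byte section index and the use of a global section index are assumptions; the post does not settle either.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)
// Segment size from the ENC header; a 32-byte meta entry is SHA-1 (20) + index (4) + zero pad.
const segSize, entrySize, maxEntries = 16384, 32, 16384 / 32

// cbcZeroIV applies AES-128-CBC with the all-zero IV described in the post to buf in place.
func cbcZeroIV(key, buf []byte, decrypt bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 16 bytes
	}
	mode := cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize))
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize))
	}
	mode.CryptBlocks(buf, buf)
}

// BuildENCBody lays out what follows the first 16384 bytes of an ENC file: a meta data section (meta key) before each group of up to 512 encrypted data sections (data key).
func BuildENCBody(image, metaKey, dataKey []byte) []byte {
	nSeg := (len(image) + segSize - 1) / segSize
	var out []byte
	for first := 0; first < nSeg; first += maxEntries {
		m := len(out) // this group's meta data section; entries are filled in below
		out = append(out, make([]byte, segSize)...)
		for i := first; i < nSeg && i < first+maxEntries; i++ {
			seg := make([]byte, segSize) // the last section is zero-padded, as the post says
			copy(seg, image[i*segSize:])
			cbcZeroIV(dataKey, seg, false)
			sum := sha1.Sum(seg) // the entry hashes the *encrypted* section
			e := out[m+(i-first)*entrySize:]
			copy(e, sum[:])
			binary.BigEndian.PutUint32(e[20:], uint32(i)) // big-endian global index: an assumption
			out = append(out, seg...)
		}
		cbcZeroIV(metaKey, out[m:m+segSize], false)
	}
	return out
}

// DecryptENCBody reverses BuildENCBody, checking every section against its meta entry first.
func DecryptENCBody(body, metaKey, dataKey []byte, dataSize int) ([]byte, error) {
	nSeg := (dataSize + segSize - 1) / segSize
	if nMeta := (nSeg + maxEntries - 1) / maxEntries; len(body) < (nSeg+nMeta)*segSize {
		return nil, fmt.Errorf("body too short for %d data sections", nSeg)
	}
	out := make([]byte, 0, nSeg*segSize)
	for first := 0; first < nSeg; first += maxEntries {
		meta := append([]byte{}, body[(first+first/maxEntries)*segSize:][:segSize]...)
		cbcZeroIV(metaKey, meta, true)
		for i := first; i < nSeg && i < first+maxEntries; i++ {
			e := meta[(i-first)*entrySize:] // section i follows i data and i/512+1 meta sections
			seg := append([]byte{}, body[(i+i/maxEntries+1)*segSize:][:segSize]...)
			if sum := sha1.Sum(seg); !bytes.Equal(sum[:], e[:20]) || binary.BigEndian.Uint32(e[20:24]) != uint32(i) {
				return nil, fmt.Errorf("data section %d: meta entry hash or index mismatch", i)
			}
			cbcZeroIV(dataKey, seg, true)
			out = append(out, seg...)
		}
	}
	return out[:dataSize], nil // truncate to the data size from the header
}
```

A bit flipped in any encrypted data section, a wrong meta key, or a truncated file all surface as an error before any ciphertext is decrypted, which is the check the post suggests doing against the entry table.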

Finally, from zecoxao: I found the meta key and data key for CEX; as for the VMC key, no clue where it is. The two are both in my previous post. You can check the SHA-1 of those on any site or with any program that supports it. Somebody may post those on the wiki, if they want.

I'm happy... this is good and concise info. Time to search for more #poop

meta (CEX) : [Register or Login to view links]

[Register or Login to view code]

data (CEX): [Register or Login to view links]

[Register or Login to view code]

From flatz: It is at sb_iso_spu_module.elf too. First two bytes are 64 E3...

VMC key:

[Register or Login to view code]

kudos to this man

Comments:

#65 - Ezio - 178w ago
Maybe everybody is waiting for the jailcrab-dh firmware and maybe no one has moved to clone it.

#64 - saviour07 - 178w ago
I'm very surprised this hasn't been cloned yet!

I understand it's supposed to have some sort of on-board security, but since when has that stopped anyone?

#63 - PS3 News - 178w ago
For those who own one, Cobra USB Firmware 3.1 is now released with the following changes:

Cobra Firmware 3.1 is out, minor release to fix bugs.

  • Fixed stability problems. Cobra users are advised to update to this firmware as soon as possible.
  • Fixed compatibility issue with Mortal Kombat.
  • Fixed PAL/NTSC issues in psx games.
  • Bugfix: a few specific PSX titles such as Langrisser Final Edition wouldn't play in other regions.
  • Fixed a possible discless bug under very rare circumstances.
  • Cobra USB Manager can now understand the ".001, .002, ..." name convention used by hjsplit and other similar programs and rename them automatically to ".0, .1", name convention. Users can use hjsplit or any other similar tool to split iso files in the PC.
  • Added functionality to the core to implement a cobra firmware updater in the PS3.

#62 - SpaceAgeHero - 184w ago
As far as I know every PS3 model is capable of PSone emulation but not every model is PS2 backwards compatible.

Cobra USB however can enable PS2 emulation on every PS3.

#61 - PS3 News - 184w ago
Here is an update for Cobra USB users by johnnydoe of the Cobra USB v3.55 patched with Kmeaw features: ps3crunch.net/forum/threads/355-Cobra?p=3474#post3474

To quote: Hi everyone! I have patched the Cobra firmware with the usual stuff like lv2 peek/poke etc. Both their core OS files are patched, so it should work with or without the dongle.

If you wanna unpack it and have a look or try it, you can download it here: [Register or Login to view links]

From the ReadMe file: This is Cobra's 3.55 firmware patched with peek/poke for lv2 on both coreos files and the usual vsh/nas_plugin and install package file option.

Finally, confirmed by PS3 hacker Cyberskunk stating there: It is what it says it is, but you would still need the dongle to use the Cobra features. I have not installed it though.

#60 - NTA - 184w ago
I'm confused about this part. "Integrated support to play PS1 game ISO’s from HDD". Would this mean for backwards compatible PS3's on 3.55? I have one of the newer slims sadly lol.

#59 - PS3 News - 184w ago
Today the Cobra USB 3.0 Firmware Pack and 3.55 PS3 CFW is released, with details below from their site:

Download: [Register or Login to view links]


The Cobra Team is proud to present the Cobra 3.0 firmware pack, available from downloads section. In this release we enabled the Cobra USB device on 3.55 via use of our own cfw. Enjoy the release and look forward to many new features to come in future releases. Please be sure to read the updated user manual for detailed instructions on upgrading and usage!

  • Added compatibility with 3.55. Support for firmware 3.41 is discontinued, since now all updates will be for 3.55. In 3.55, Cobra keeps all the features of previous versions, adds the ones listed below and also removes some of the annoyances of the jailbreak exploit. Please follow the steps in the manual; you must install the Cobra 3.55 CFW first.

  • Added a new discless mode for PS3 backups in jailbreak format. This mode will be activated automatically when you load a backup and there is no disc inserted. In this mode, games are loaded from disc icon, not app_home, although app_home hack is still supported. This mode has a higher compatibility than the app_home hack, and smaller than discless PS3 isos.

  • Added support for PS2 backups in iso format to the remaining backwards compatible models (CECHA and CECHB).

  • PS2 isos can now be played discless too.

  • Fixed compatibility issue with GT5. If you still experience problems, please delete the installed game data from the XMB and try again.

Note: Cobra CFW will behave like a 3.55 ofw if the PS3 is booted without Cobra USB connected. It is useless to install this CFW if you don’t have a Cobra USB device.

Cobra USB requires certain binary files of the firmware not to be changed. Changing these files may make Cobra USB not work at all, or behave incorrectly. Changing fonts, xml, etc. is fine, if the user knows what he is doing.

#58 - daveshooter - 186w ago
It's all very well people creating videos with homebrew icons in their XMB on 3.66 and going into PSN, any fool can do that, but running homebrew is another matter.

Maybe a video of someone using homebrew 1st, then exiting back out to the xmb and then login to psn after would be nice.

#57 - PS3 News - 186w ago
Today Cobra USB has announced that 3.55 compatibility is coming next week, as follows:

We’re pleased to announce that development work is drawing to a close for our Cobra USB 3.55 solution. As previously announced, the new firmware pack will allow users running 3.55 cfw’s to install a new firmware console and dongle side which will enable use of the Cobra USB functionality, as well as allowing users to retain standard 3.55 cfw functionality.

Owing to testing and security implementation, the development cycle lasted a little longer than expected, but we are on track to release the new firmware pack sometime next week. Enjoy the new release and look forward to the next, there’s plenty more features and surprises on the way from the Cobra team...

Also below is a Cobra USB Manager Reskinning Guide from gliitch for those who own the dongle itself:

BEFORE: [screenshot]

AFTER: [screenshot]

Cobra USB Manager Reskinned Tutorial:

PART 1:

To make things easier, please make sure that the following programs are installed beforehand.

The pictures MUST be 1920x1080 for this to work. A quick Google search will bring up a load of images in that resolution. If you have a picture that isn't 1920x1080 you can create it with IrfanView.

1: Once you have the picture you want, load up Watermark Image; this is where you'll be able to layer on top of the current image. Upload the picture you have chosen, and untick "Resize Images" and "Use 3D depth map."

Where it says Output Format, put it up to 100, then change the output format to PNG. Click "File"; you'll then be asked to upload the picture. Now click "Select Preview Image". This will bring up an image of the picture you have chosen.

IMPORTANT: If the picture is of the wrong resolution and not [1920x1080], the template will turn your picture black. Now, go to where it says "Image used for watermarking".

It is best to keep everything in one directory so you know where it is. On your computer navigate to the "Templates" directory, select "Template 1" and use that. So now you should have your chosen photo overlaid with the template you've just selected.

Once you've created the templates, you will need to rename them as

  • "back1.PNG"
  • "back2.PNG"
  • "back3.PNG"

Then FTP them into /dev_hdd0/game/CBUM01234/USRDIR/

Overwrite the existing files. Below is an explanation of what each of the templates does.

Templates Explained:

Template 1:

  • X - Load
  • Square - Change mode [Games PS3 Blu-Ray DVD PSX PS2]
  • Circle - Copy
  • Triangle - Delete

Template 2:

  • X - OK, Circle - Cancel
  • Copies Disks to HDD

Template 3:

  • X - OK, Circle - Cancel
  • Settings

As I am a very avid fan of Final Fantasy VII, to show my appreciation I've decided to go with a FFVII based skin. You can use your own images, but they need to be 1920x1080 and in full color. Due to the manager itself, the wording doesn't show up properly if you use a white or light based background. We haven't found a way to change the fonts or the colors used yet, but once we/I have, this will be updated to reflect these changes.

PART 2: MAKING BACKGROUND & ICON

These 2 must be in PNG format. The background should be 1920x1080 and should be named PIC1. Any icon can be used, but it has to be named ICON0.

PART 3: MAKING THE BACKGROUND MUSIC & MAKING IT LOOP.

Now open up Audacity, select the audio you would like to use [MP3] and drag the little finger icon across to where you'd like your music to finish. Go to "Edit" > "Delete", so you are now left with the part you wish to use as your background music.

If you would like your music to fade out, select the end (3 seconds will do), then go to Effects and select Fade Out. Now go to "File" and "Export As MP3"; you will need to install the lame_enc.dll file, which will also be included in the pack.

Once this is done, fire up GoldWave, go to File, select "Save As" and select WAV, then scroll down and select ATRAC3 66kbs. Now click Save.

Finally, click on GWAT.exe and drag and drop the pre-made X.wav file into it. Press "Goldwave"; it will then say "X.wav looped", but it will save it as "Looped X.at3".

PART 4: USING PS3SFO EDIT TO CHANGE THE NAME OF THE MANAGER.

Fire up FTP on your PS3 and whatever program you use to FTP into it. Go to the following directory: /dev_hdd0/game/CBUM01234. (I'm not joking, that is the Cobra directory >_

#56 - tigereye - 186w ago
It sounds real good, let's see when it comes out..
