Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z

76w ago - Following up on the previous updates, today PlayStation 3 developer Flat_z has revealed the Sony PlayStation 2 (PS2) Classics algorithm with details below.

Download: [Register or Login to view links]

To quote: Ok, guys. Unfortunately I am forced to admit that I have no more time to work on PS3 stuff because I've been very busy lately. So I decided to publish all the information related to PS2 Classics, as JuanNadie did with the NPDRM algorithm one year ago.

Firstly I want to say that he was the first who started reverse engineering this subject, and when he left the scene I decided to continue his work to keep it from going to waste. So I would like to thank JuanNadie for his amazing contribution to the PS3 scene. Besides that, he gave me some pieces of information on the subject.

All PS2 Classics run within ps2_netemu.self, which is a different kernel for executing these PS2 games, but before it starts the VSH module loads your individual PSN/SEN data (such as act.dat and the .rif file for your game). It is exactly the same process as used for usual PSN games, and its goal is obtaining the key used for decryption of the PS2 content, which includes an optional CONFIG file, ISO.BIN.EDAT and ISO.BIN.ENC.

The last one is the actual encrypted disc image of the game. All the mentioned files are encrypted with the same key (called the klicensee), which is stored in encrypted form inside the .rif file for your game and is decrypted with the specified key from the key table stored in act.dat. When you get this key you can decrypt ISO.BIN.EDAT and see if it contains a game title (for example, SLUS-20062 for GTA 3). That will mean the key is correct. Since almost all the information regarding EDATs is known (see ps3devwiki.com/wiki/Talk:EDAT_files and ps3devwiki.com/wiki/Talk:NPDRM_Selfs), I am not going to explain it again.

Well, now there are two other formats along with EDAT. Let's call the first one ENC (it represents the actual disc image) and the second VME (encrypted virtual memory cards). They are encrypted using different algorithms. The ENC format is similar to EDAT and the VME format has a simple encryption layer.

As I said before, the ENC file is similar to EDAT: it has a header like EDAT's (but with a different magic) and is composed of segments of 16384 bytes each (you can see it in the header). I just remind you that the file header consists of the file magic (PS2\x00), version number (major and minor: 01.01), license type (always 0x02), application type (0x01), content id, QA digest (seems to be a SHA-1 hash of the non-finalized file generated using the tool from the SDK), CID-FN hash (an AES CMAC hash of the concatenation of content id and file name using the third NPDRM OMAC key as the CMAC key), header hash (an AES CMAC hash of the 0x60 bytes from the beginning of the file using the xored bytes of the first NPDRM OMAC key and the second NPDRM OMAC key as the CMAC key), time information which includes the start and end time of the validity period (they are usually zeroed, base ticks = 62135596800000000), file flags (always zeros), segment size (16384 bytes), data size of the file data, two unknown hashes of 16 bytes each, 40 bytes of unknown data (possibly another unknown signature) and an ECDSA signature pair (40 bytes, using the second VSH curve and the VSH public key).

I also remind you that the two unknown hashes in the EDAT case are known and represent the meta data sections hash and the extended header hash (an AES CMAC hash of 160 bytes from the beginning of the file); both hashes use the hash key as the CMAC key, and it depends on the file flags and keys. I don't know exactly what hashes are there for the ENC format, but when we zeroed them it seemed they are not checked on current firmwares. The file header ends at the offset of 256 bytes.

Segments are divided into two types: meta data sections and file data sections. Each meta data section can include up to 512 entries of 32 bytes each (16384 / 32 = 512), and each entry is associated with a particular file data section. So if we have a meta data section which consists of 512 entries, it means that there are 512 file data sections after it, and each file data section has a size of 16384 bytes.

Besides that, the first meta data segment is located at the offset of 16384 bytes. I don't know what data is stored before it, but we also tried to zero it (the bytes starting at the offset of 256 bytes and ending at the offset of 16384 bytes) and it works as usual. I guess that it can be encrypted garbage, because the alignment of the file data should be equal to the segment size.

Now I will explain what keys are used and how they are obtained. ENC/VME files are decrypted using the ENCDEC device, so the decryption process is much faster than in the EDAT case. VSH checks files for their validity period, CMAC hashes and ECDSA signature, obtains the key for decryption from the .rif file and makes system call #475 to LV2 (on older firmwares it was #471) along with the NPDRM information, klicensee, act.dat key and encrypted rif key. LV2 gets your console ID, encrypts the NPDRM constant using it as a key, decrypts the key from act.dat using the encrypted NPDRM constant and finally decrypts the klicensee from .rif using the decrypted key from act.dat. Now we have a klicensee which will be used for the later decryption process.

In the EDAT case we can use free EDATs without a .rif, but for PS2 Classics we should always use paid content and a .rif file. So if you want to resign the game you need to generate a .rif for the account on your console (I call this process "personalization"). Don't forget that the .rif file should be created for your act.dat (because it shares the account id) and console ID. Let's move on. When the PS3 gets the final decryption key it sends a packet to the system manager inside LV1 which sets the inter-lpar parameter of type 3.

This parameter contains version information and the klicensee. The system manager catches this packet and sends a request to the storage manager inside SS server #1, which then configures the ENCDEC keys used for later decryption. It should be kept in mind that the keys for decryption differ between CEX and DEX consoles, so the storage manager checks the device type and uses different key slots for ENCDEC.

The configuration process starts with running the isolated SPU SB module, which creates the final keys using the klicensee as a key seed and sends them back to the PPU, which then sends them to the device directly during the secure session. There are three types of keys: meta key, data key and vmc key, and they are configured separately. The process of making the keys consists of applying the AES 128 algorithm to the klicensee while using three different keys.

There are SHA-1 hashes of each of the three keys (you should decrypt sb_iso_spu_module.self from 4.xx FW and find each 16-byte key by its SHA-1 hash):

For CEX mode:

For DEX mode (you actually don't need it but anyways):

Now we have all the keys which are required to decrypt all the files. So what else should we know?

ENC encryption uses the AES algorithm in CBC mode with an initialization vector of all zeros. The actual process of decryption of CONFIG and ISO.BIN.ENC starts by seeking to the offset of 16384 bytes. There is the first meta data section, so we should use the meta key as the AES key and decrypt the entire segment of 16384 bytes. As I said before, each meta data section contains some entries and each entry has a size of 32 bytes. Each entry contains a SHA-1 hash (20 bytes) of the corresponding entire encrypted file data section, and all these sections are located after this meta data section. After the SHA-1 hash we can see the section index of the corresponding file data section (4 bytes).

The rest is padded with zeros. After decryption of the meta data section we can decrypt all the file data sections after it. Now we should use the data key! Before the actual decryption we can check the SHA-1 hash of each encrypted file data section and see if they match the hashes in the entry table of the meta data section. If the actual file size of the disc image is not a multiple of 16384 bytes then we have fewer entries inside the last meta data section.

After we have finished the decryption of the first 512 file data sections we can start the decryption of the second meta data section and the set of 512 file data sections after it, and so on. I recommend writing the decrypted meta data entries to a different file than the file data sections. It will make the process easier. After decryption you should truncate your actual file to the data size specified in the header. Now you have a UDF disc image and you can mount it on your PC, for example.

So what is the next step? The next step is the decryption of the encrypted virtual memory cards. Each PS2 Classics package contains two empty encrypted virtual memory cards, located at SCEVMC0.VME and SCEVMC1.VME. As far as I see they are identical for all games, so we can use them as templates for all new virtual memory cards and only encrypt them with the new klicensee. To decrypt virtual memory cards you need to read each segment of 16384 bytes and apply AES in CBC mode too, but in this case you should use the VMC key. After decryption you should see "Sony PS2 Memory Card Format 1.2.0.0" at the top of the file.

Well, I attached a draft script for decryption of ENC/VME files. It was written for Python 2.7 and requires the CryptoPlus (can be downloaded from: [Register or Login to view links]) and "ecdsa" (use EasyInstall or another package manager) libraries. I intentionally left all keys as SHA-1 hashes because of legal issues, but you can find all the keys by yourself using my hints. My script takes the CONFIG/ISO.BIN.ENC/SCEVM0.VME/SCEVM1.VME file and a klicensee file as input parameters. I hope that someone will create tools for that.

To use the script you need to create a file named vsh.curves and put in it the contents of the curve table from VSH (get it from ps3devwiki.com/wiki/Keys at vsh pub + curvetable) and replace all the hashes of keys with their real values (see FIXME comments). Also replace the three NPDRM OMAC keys and the VSH public key with their values from ps3devwiki.com/wiki/Keys.

I think that the creation of a PS2 remastering tool can lead us to getting fully working games on our consoles, but it requires testing. I recommend creating a static klicensee which can be used to encrypt all images in the same manner (a static klicensee can also be implemented by patching VSH/LV2 at runtime, for example). After generating a klicensee you should create all the keys based on it.

To build an encrypted disc image you should dump the original disc image and then append zero bytes to the end to make it a multiple of 16384 bytes. Then you need to encrypt each of the 512 segments using the generated data key. Then you should calculate the SHA-1 hashes of each encrypted segment and generate a meta data section for each pair of segment hash and segment index. After this you need to encrypt the meta data section, and so on. At the end you need to write the original disc image size to the header, write a content id for it and generate the hashes in the file header.
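The segment layout described in the decryption walkthrough above (meta data section of up to 512 entries of SHA-1 + index, then the file data sections it covers) and the build steps just listed, as an added example that is not Flat_z's script or any Sony code. It packs a constructed image into that layout and then walks it back, checking every encrypted section against its entry before decrypting and truncating to the data size. Assumptions: the 4-byte section index is taken as big-endian (the post does not give its byte order), the section cipher is passed in as a function and the keyed XOR stand-in below is used only so the demo runs with the standard library; the real format uses AES-128-CBC with a zero IV under the meta and data keys, and the header, keys and image here are constructed.

```python
import hashlib
import struct

SEGMENT_SIZE = 16384                            # every meta data and file data section is one segment
ENTRY_SIZE = 32                                 # SHA-1 (20) + section index (4) + zero padding (8)
ENTRIES_PER_META = SEGMENT_SIZE // ENTRY_SIZE   # 512 entries per meta data section


def build_enc_body(plain, encrypt_segment, meta_key, data_key):
    """Pack a plaintext image into the meta/data segment layout. Returns (body, data_size).
    encrypt_segment(key, segment) stands in for AES-128-CBC with an all-zero IV."""
    data_size = len(plain)
    plain += b"\0" * ((-data_size) % SEGMENT_SIZE)       # zero-pad to a multiple of 16384
    sections = [plain[i:i + SEGMENT_SIZE] for i in range(0, len(plain), SEGMENT_SIZE)]
    body = bytearray()
    for first in range(0, len(sections), ENTRIES_PER_META):
        encrypted = [encrypt_segment(data_key, s) for s in sections[first:first + ENTRIES_PER_META]]
        meta = bytearray()
        for i, enc in enumerate(encrypted):
            # hash of the ENCRYPTED section; index byte order is an assumption (big-endian)
            meta += hashlib.sha1(enc).digest() + struct.pack(">I", first + i) + b"\0" * 8
        meta += b"\0" * (SEGMENT_SIZE - len(meta))       # last meta section may hold < 512 entries
        body += encrypt_segment(meta_key, bytes(meta))
        for enc in encrypted:
            body += enc
    return bytes(body), data_size


def decrypt_enc_body(body, data_size, decrypt_segment, meta_key, data_key):
    """Decrypt each meta section, verify every encrypted data section against its
    SHA-1 entry, then decrypt and truncate. Raises ValueError on any mismatch."""
    out, pos, expected = bytearray(), 0, 0
    while pos < len(body):
        meta = decrypt_segment(meta_key, body[pos:pos + SEGMENT_SIZE])
        pos += SEGMENT_SIZE
        for e in range(ENTRIES_PER_META):
            entry = meta[e * ENTRY_SIZE:(e + 1) * ENTRY_SIZE]
            if entry == b"\0" * ENTRY_SIZE:
                break                                    # zero-padded tail of the last meta section
            digest, index = entry[:20], struct.unpack(">I", entry[20:24])[0]
            enc = body[pos:pos + SEGMENT_SIZE]
            pos += SEGMENT_SIZE
            if index != expected or hashlib.sha1(enc).digest() != digest:
                raise ValueError("file data section %d failed its integrity check" % expected)
            out += decrypt_segment(data_key, enc)
            expected += 1
    return bytes(out[:data_size])


def _demo_xor(key, segment):
    """Keyed XOR stream, used ONLY so this demo runs offline; it is NOT the format's
    AES-128-CBC and gives no confidentiality. Same function encrypts and decrypts."""
    n = len(segment)
    stream = b"".join(hashlib.sha1(key + struct.pack(">I", i)).digest()
                      for i in range((n + 19) // 20))[:n]
    return (int.from_bytes(segment, "big") ^ int.from_bytes(stream, "big")).to_bytes(n, "big")


if __name__ == "__main__":
    meta_key, data_key = b"meta-key-16bytes", b"data-key-16bytes"   # constructed, not real keys
    image = b"constructed disc image " * 3000                        # ~69 KB, not a multiple of 16384
    body, size = build_enc_body(image, _demo_xor, meta_key, data_key)
    print("sections:", len(body) // SEGMENT_SIZE, "restored:", decrypt_enc_body(body, size, _demo_xor, meta_key, data_key) == image)
```

Swapping `_demo_xor` for a real AES-128-CBC zero-IV segment function keyed with the meta and data keys gives the layout the post describes; the hash check rejects any section modified after encryption.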

After building the ISO.BIN.ENC file you should create a file with the title id and pad it with zero bytes on the right side to get 12 bytes total. Then you need to create an EDAT container for this file. Hint: you can see the correct title id by mounting the disc image on your PC and looking at its SYSTEM.CNF.

Unfortunately, I didn't have time to see what the CONFIG file does, so I will skip this step. I only know that this file is optional or can be empty inside (after decryption). You are not required (and you simply can't do it) to generate a valid ECDSA signature for the files because all custom firmwares are patched to skip the ECDSA check. It will be nice to be able to generate a game package for your PS2 game too if everything works fine. Remember that some flags in the PS2 pkg format can be different.

Credits to: graf_chokolo, fail0verflow, JuanNadie, ps3dev.net, glevand and all my friends (you know who you are).

Finally, from zecoxao: I found the meta key and data key for CEX; as for the VMC key, no clue where it is. The two are both in my previous post. You can check the SHA1 of those on any site or with any program that supports it. Somebody may post those on the wiki if they want.

I'm happy... this is good and concise info, time to search for more #poop

meta (CEX): [Register or Login to view links]

data (CEX): [Register or Login to view links]

From flatz: It is in sb_iso_spu_module.elf too. The first two bytes are 64 E3...

VMC key:

Kudos to this man.
#689 - PS3 News - 7w ago
10 - 7 - 2014: Cobra ODE News - Update

We have now uploaded the 2.1 release for 5.1B QSV users who have the Microsemi M2S025 chipset.

In the future, releases for the M2S010 and M2S025 versions of 5.1B will be simultaneous.

Download: Cobra ODE Firmware v2.1 *M2S025 Only*

#688 - CRNY420 - 9w ago
Very helpful and detailed steps that make it easier to jailbreak the PS3.

also a video: PS3 DIVX ODE Slim (2k5), Super Slim (4k) em 4.55 sem Bluray Original de Boot

#687 - PS3 News - 9w ago
Below is some more Cobra ODE news and a warning, as follows:

24 - 6 - 2014: Cobra ODE News - Warning

PS3 OFW 4.60 has been released. All Cobra ODE users should avoid updating to 4.60 OFW until further notice.

Note: This only works with the few games that don't need an update!

Cobra ODE 4.30A / MCU 2.1 / OFW 4.60 from Joonie86

Game with no update [1.00] Swap method works
Confirmed game: FFX HD Remaster

Game with update [1.01] Swap method doesn't work
Confirmed game: Beyond two souls.

Some of you may have noticed that all the videos of OFW 4.60 didn't use game updates. If these guys want to inform something, they should've made things clear.

However, my 5.10 QSV doesn't work at all. [M2S025] board, currently stuck at a half-assed FW [between 2.0-2.1]. I can show you video proof at the end of the night; I tested three different systems with two boards [4.30A/5.10QSV], so do not update to OFW 4.60 yet.

Update: CECH-4001C [US]

Cobra ODE 4.30A
MCU 2.1
OFW 4.60
bypass.4.55=1

Bootdisc = PES2008 / BLUS30111
Swapdisc = SONY BD-RE 25GB / RITEK-BW1-001

Games run fine with no update, 80010009 error with a game update.

Interesting feature added on OFW 4.60: you can update your game without launching it (convenient, but it would've been better if it had been available on OFW 4.53 instead, for users who don't use the bypass method).

CECH-4001C [US]

Cobra ODE 5.10 QSV [M2S025]
MCU 2.0
OFW 4.60
bypass.4.55=1

Bootdisc = PES2008 / BLUS30111
Swapdisc = SONY BD-RE 25GB / RITEK-BW1-001

It doesn't even make it to the swap disc: red/blue flashing and then it immediately fails.

Game with NO update = 80010017
Game with Update = 80010009

Soft-PT mode works fine. So there is still hope; I guess Team Cobra can come up with a better swap method to get around the game update issues.

24 - 6 - 2014: Cobra ODE News - Information

We are now accepting pre orders for the new 5.30A complete version of Cobra ODE pictured below, which supports PATA PHAT consoles, SATA PHAT and 2K/2K1 SATA consoles and 2K5,3K/4K SATA QSB consoles.

The Cobra 5.30A complete will be sold in parallel with Cobra 5.10B QSV version.

s3nint3!
Resellers can reserve their pre-order qty's by e-mail.

#686 - PS3 News - 10w ago
Cobra ODE Bypass 4.55 v1.2 is now released with the changes outlined below, as follows:

16 - 6 - 2014 - Cobra ODE News - Update

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2)

The Cobra ODE Bypass 4.55 IRD files and Windows command line binaries for ISO manipulation have been updated, please re-download.

Genps3swapdisc v1.2 - New in this release:

  • Fixed a bug in 1.1 which would only generate a 150MB swap disc instead of the 5GB swap disc.
  • The EBOOT folder has also been updated, now with 5760 total eboot files.

Update: Cobra CFW Tools v2.00 by bitsbubba is now available, with the changes outlined below as follows:

Download: [Register or Login to view links]

Cobra CFW Tools (v2.0 Changelog):

  • Added 4.46 REBUG/Cobra support
  • Added Plug in installer (webMAN/webMAN MOD/PSNPatch/Habib/Ingame screenshot~music)
  • Added Boot Plugin changer
  • Added Remote Play Patch 4.55 (4,46/4.53/4.55 included)
  • Added Cinavia patch 4.46/4.53/4.55 (faster single file install)
  • Added 15 custom gameboots for 4.46 (other FWs possibly soon)
  • Added 21 custom coldboots
  • Added 10 custom start up sounds
  • Added 13 custom waves (tested on NTSC)
  • Added multiMAN priority ON/OFF
  • Added Newer custom icons for webMAN (plus brunolee's folder icons)
  • Added aldostools newest XMBM+ Mod

Finally, below is a "Spoofing to Latest PS3 Firmware with PSN Patch for Cobra CFWs" tutorial from atreyu187 (via psx-scene.com/forums/f339/tutorial-123454/)

So Sony pushed out another update and you're waiting on a spoofer? Why wait when you have the tools to spoof and be right back online with Cobra CFWs. Simply locate your "psnpatch.cfg", which can be found in these places:

  • dev_usb000:/
  • dev_hdd0:/games/BLJS10018
  • dev_hdd0:/games/PSNP11001

Open it with Notepad or any text editor and change the highlighted field to the latest firmware version put out by Sony, or higher like 9.98 to avoid accidental updates, but don't go above Sony's latest version to go online. The reason for not using 9.99 is that it will allow downgrading PUPs to still work in case of emergency, as they are set to 9.99.

#
# PSNPATCH Configuration File
#
# IDPS and PSID spoof will only be applied if non-zero;
# RAPS will be read from rap_path and applied to the current IDPS;
# First valid user account will be automatically calculated;
# Disable CFW syscalls option at exit time;
# Clean history syscalls option at exit time;
#
# This file will be searched by the following order (support for the stealth version):
# 1 "/dev_usb000/psnpatch.cfg"
# 2 "/dev_hdd0/game/PSNP11001/USRDIR/psnpatch.cfg"
# 3 "/dev_hdd0/game/BLJS10018/USRDIR/psnpatch.cfg"
# And the default locations:
# 4 "/dev_hdd0/game/PSNP11001/USRDIR/default.cfg"
# 5 "/dev_hdd0/game/BLJS10018/USRDIR/default.cfg"

# Spoofs for IDPS & PSID
# if they are 0000 the spoofing will be ignored
idps=00000000000000000000000000000000
psid=00000000000000000000000000000000

# RAP to RIF handling
# First number to start search for a valid user account (usually 1)
# it can be changed in psnpatch by pressing left/right buttons
user_account=1

# path to read rap/klic files from
# it can be changed in psnpatch by pressing up/down buttons
rap_path=/dev_usb000/exdata/

# cobra systems can be spoofed to any version if selected in cobra management menu
cobra_spoof_version=0460

#685 - PS3 News - 11w ago
Here is a follow-up from magneto to the previous Cobra ODE 2.1 Public Beta for those interested:

We are releasing a public beta for the 2.1 firmware which is soon to be released. This beta is for v4.20, v4.30 and v5.10 boards only. Unfortunately, we are still finalizing the FPGA images for v3.x boards. You can download the beta from here: v2.1_beta.rar
For v4 board users, make sure you flash both FPGA images correctly.

For v5 board users, you MUST update to the 2.0 firmware before using this beta. If you did not update to 2.0 already, then the 2.0 firmware file is included in the beta archive.

Update 1: The beta image in the above file will not work on v5.x boards. Please use this beta file instead: [Register or Login to view links]

Here is the changelog:

  • FPGA1 : Fix timing issues in AES core
  • FPGA3 : Improve stability
  • Fix encryption issues causing 80010017 errors for v3, v4 and v5 boards
  • Fix bypass method for MPX001 motherboards
  • Fix issue when BD-RE disc is detected in drive
  • Added support for bypass.delay option (default is 10000 in milliseconds)
  • Enable mcu.underclock by default
  • Set default manager type to browser
  • Enable eject.on_selection by default
  • Enable eject.add_menu by default

Small changes are required: the browser, eject on selection, eject add menu and underclock are enabled by default, so in order to disable them you would need to use mcu.underclock=0 or eject.add_menu=0, for example, in cobra.cfg.

Update 2: 2.1 Beta 9 Files: Link 1 (mediafire): [Register or Login to view links] / Link 2 (dropbox - mirror): [Register or Login to view links]

Comment: Both the mediafire and dropbox files are identical; one is just a mirror.

Update procedure:

1. First update the .spi in the FPGA folder (reboot the ODE after the flash, it will finish after the reboot).
2. Then update the .spi in the root folder.
3. If you brick it, unbrick it with the procedure here: [Register or Login to view links]
4. Try step 1 and 2 again... (also some users and me (DarkKitarist) first updated to 2.0 from the official site and then updated to 2.1 beta 9)

Update 3: 14 - 6 - 2014 Cobra ODE News - Update

We are proud to present the 2.1 release. Firstly, we're updating the firmware to improve stability and performance as well as fix the bypass method not working for some PS3 models, and we have made the Cobra browser the default game manager, as well as displaying the firmware version in the browser and adding new configuration options.

We have now updated the bypass tools: the genps3swapdisc tool will now be able to update an existing swap disc when new eboots are added to it, and previously converted ISOs will not need to be re-converted for the new swap disc. The EBOOT folder has also been updated, now with 5760 total eboot files.

The database has also been updated, and the user manual has now been updated illustrating the new config options.

A small number of 5.1B early production boards had a manufacturing issue which caused them to corrupt data and the PS3 would show an error when trying to run games.

We are releasing an update specifically for those boards which have issues and which should fix the problem, although we cannot guarantee every board will be fixed by the update. We recommend anyone with a defective board to return it for replacement after making sure the issue they are experiencing is caused by a defective board.

If the normal 2.1 firmware does not work for you and you get error 80010017 or 80010007 in the XMB, but the error disappears after you use the special 2.1 firmware for defective boards, then your board has the defect and you can request a replacement.

Cobra ODE 2.1 (Non-Beta) Changelog:

  • FPGA 1 : Fix AES encryption timing issues causing some encryption errors
  • FPGA 3 : Improve stability
  • V5.x boards : Update USB driver
  • V5.x boards : Fix race condition on USB reads causing error
  • Add support for bypass.delay configuration option
  • Add support for folders.ps3_games configuration option
  • Add support for folders.ps2_games configuration option
  • Add support for folders.ps1_games configuration option
  • Add support for folders.bd_movies configuration option
  • Add support for folders.dvd_movies configuration option
  • Fix issue with uninitialized configuration on ODE boot causing software pass-through mode to be enabled by default until valid HDD is inserted
  • Change default manager type to browser
  • Set eject.on_selection=1 option as default
  • Set eject.add_menu=1 option as default
  • Set mcu.underclock=1 option as default
  • Fix issue of disc not showing if PS3 boots with a BD-RE disc in tray
  • Display firmware version in XMB when using the browser
  • Fix bypass method freezing for 4k systems with MPX001 motherboards

Downloads:


Finally, from Joonie86: Here are the important files of the swap disc tool; I just created new swap iso files.

Download: [Register or Login to view links]

Path: D:\
891de28e99a099034174676fb4346ab2 SWAP.iso 150.0 MB (157,286,400)

TOTAL: 1 files - 150.0 MB (157,286,400 bytes)

This is really small and fast. I'm currently testing if all my previous ISOs are OK with the new swap disc I just burnt. I'll also try different bootdiscs as well, without conversion.
Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News