Remarry Bluray Drive on Linux
Jump to navigation
Jump to search
Introduction[edit | edit source]
- I was playing with HRL buffer of my BD drive on PS3 Slim and corrupted it.
- After that i couldn't play BD movies on GameOS, BD player returned an error.
- After i have written P-Block, S-Block and a new HRL, i could play my BD movies again :)
- Hope this guide can help someone too.
- I tested it on PS3 slim.
- It was tested on PS3 phat too.
EID2[edit | edit source]
- You will need decrypted EID2 data.
- How to get it on Linux is described here: http://www.psdevwiki.com/ps3/Spuisofs#Dumping_EID2_Key_with_spuisofs
- EID2 contains encrypted P-Block and S-Block.
- To get decrypted S-Block and P-Block first you have to decrypt EID2 with EID2 key and IV and then decrypt the blocks with DES-CBC.
P-Block and S-Block DES-CBC IV and key:
IV: 00 00 00 00 00 00 00 00 key: 6C CA B3 54 05 FA 56 2C
Decrypting EID2[edit | edit source]
- You can decrypt P- and S-Blocks with openssl e.g.
# eid2.bin is your EID2 from NOR/NAND flash # You can dump EID2 e.g. with ps3dm ps3dm iim get_data 2 > eid2.bin # ignore any "bad decrypt" messages from openssl from now on # create pblock_des.bin (dd if=eid2.bin bs=1 skip=$((0x20)) count=$((0x80)); dd if=/dev/zero bs=1 count=16) | \ openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key> > pblock_des.bin # create sblock_des.bin (dd if=eid2.bin bs=1 skip=$((0xa0)) count=$((0x690)); dd if=/dev/zero bs=1 count=16) | \ openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key> > sblock_des.bin # First 16 bytes in pblock_des.bin and sblock_des.bin should be equal to: # 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # create pblock.bin (dd if=pblock_des.bin bs=1 skip=$((0x10)) count=$((0x60)); dd if=/dev/zero bs=1 count=8) | \ openssl enc -d -des-cbc -iv 0000000000000000 -K 6CCAB35405FA562C > pblock.bin # create sblock.bin (dd if=sblock_des.bin bs=1 skip=$((0x10)) count=$((0x670)); dd if=/dev/zero bs=1 count=8) | \ openssl enc -d -des-cbc -iv 0000000000000000 -K 6CCAB35405FA562C > sblock.bin # First 16 bytes in pblock.bin and sblock.bin should be equal # pblock.bin and sblock.bin are the files which you write to BD drive buffers !!!
Tools[edit | edit source]
- ps3vuart-tools: http://www.ps3devwiki.com/wiki/Ps3vuart-tools
- bd-tools: http://gitorious.ps3dev.net/ps3linux/bd-tools
- You could also use my PS3 Debian LiveCD which has ps3vuart-tools preinstalled and GCC compiler which you can use to compile all necessary BD tools. See http://www.ps3devwiki.com/wiki/Debian_LiveCD.
Steps[edit | edit source]
- The order is important. You cannot e.g. write HRL before writing P-Block or S-Block. I tried and corrupted my HRL.
1. Write P-Block
2. Authenticate BD drive with Storage Manager
3. Write S-Block
4. Write HRL
Writing P-Block[edit | edit source]
- P-Block is stored in BD buffer 2.
- BD buffer 2 is of size 0x60 bytes.
- P-Block is in decrypted EID2 at offset 0x20 and of size 0x80.
- Not all P-Block data is sent to BD drive. Only data starting at offset 0x10 and of size 0x60 bytes is written to BD drive buffer 2.
- If you read back the BD buffer 2 right after you have written it then the first 0x10 bytes should match the first 0x10 bytes you sent. The remaining 0x50 bytes you read back should be all 0s.
Your P-Block should look like this after decryption:
hexdump -C pblock.bin 00000000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx |................| 00000010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx |................| 00000020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx |................| 00000030 04 00 04 00 00 00 00 00 fd 00 00 00 00 00 00 00 |................| 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx |................| 00000060
Test[edit | edit source]
- Tested on my PS3 Slim with OtherOS++.
- After writing P-Block to BD drive buffer 2, authenticate the BD drive with ps3dm.
ls -l pblock.bin -rw-r--r-- 1 glevand glevand 96 Aug 25 07:44 pblock.bin # First enable writing BD buffer 2 sudo ./bd_enable_buffer_write -b 2 # Write P-Block to BD buffer 2 sudo ./bd_write_buffer -b 2 -i pblock.bin # Authenticate the BD drive # Make sure you unmount spuisofs/spuldrfs and unload kernel modules spuisofs/spuldrfs because # spuisofs/spuldrfs use shared SPU for isolation which used by Dispatcher Manager too sudo ps3dm -v sm drive_auth 0x29 # It should not fail !!! ss status 0
Writing S-Block[edit | edit source]
- S-Block is stored in BD buffer 3.
- BD buffer 3 is of size 0x670 bytes.
- S-Block is in decryoted EID2 at offset 0xa0 and of size 0x690.
- The first 0x10 bytes in your S-Block should match the first 0x10 bytes of your P-Block.
- Not all S-Block data is sent to BD drive. Only data starting at offset 0x10 and of size 0x670 bytes is written to BD drive buffer 3.
- If you read back the BD buffer 3 right after you have written it then the first 0x10 bytes should match the first 0x10 bytes you sent and also the first 0x10 bytes which your read bcak from BD buffer 2 after you sent P-Block. The remaining 0x660 bytes you read back should be all 0s.
Test[edit | edit source]
- Tested on my PS3 Slim with OtherOS++.
ls -l sblock.bin -rw-r--r-- 1 glevand glevand 1648 Aug 25 08:57 sblock.bin # First enable writing BD buffer 3 sudo ./bd_enable_buffer_write -b 3 # Write S-Block to BD buffer 3 sudo ./bd_write_buffer -b 3 -i sblock.bin
Writing New HRL to BD Drive[edit | edit source]
- HRL is stored in BD buffer 4.
- BD buffer 4 is of size 0x8000 bytes.
- If you dump HRL buffer after you have written P- and S-blocks but before you have written a new HRL then you wont't see a valid HRL but some junk. That's OK.
- default_hrl.bin: http://www.multiupload.nl/D1DSV0QBJX
glevand@debian:~$ sudo sg_read_buffer -i 4 -m 2 -o 0 -l 0x8000 -r /dev/sr0 | hexdump -C 00000000 10 00 00 0c 00 03 10 03 00 00 00 01 21 00 00 34 |............!..4| 00000010 00 00 00 00 00 00 00 00 1b 0b f2 6d 47 9e 77 62 |...........mG.wb| 00000020 3d 91 fc 78 b1 59 c9 52 ca a4 c7 41 85 24 96 64 |=..x.Y.R...A.$.d| 00000030 8d 1d 95 8e 9b 84 c6 fa 4a dd 43 9b 42 98 fe ff |........J.C.B...| 00000040 df e6 f3 56 85 81 e1 1b 27 53 08 14 16 6d 97 3c |...V....'S...m.<| 00000050 20 2d e2 97 00 00 00 00 00 00 00 00 00 00 00 00 | -..............| 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00008000
Test[edit | edit source]
- Tested on my PS3 Slim with OtherOS++.
- You cannot just write a new HRL to BD drive buffer 4. You can actually but it will corrupt your current BD HRL.
- If you corrupt your HRL then nothing bad will happen but you won't be able to play BD movies.
- First you have to send P-Block to BD drive, after that authenticate the BD drive and then write a new HRL. Only in this order will it work.
- Dump default HRL from Lv2diag.self (size 0x54 bytes) or just use the hexdump i posted here and pad it with 0s to 0x8000 bytes.
ls -l default_hrl.bin -rw-r--r-- 1 glevand glevand 32768 Aug 25 00:57 default_hrl.bin # First enable writing BD buffer 4 sudo ./bd_enable_buffer_write -b 4 # Write HRL to BD buffer 4 sudo ./bd_write_buffer -b 4 -i default_hrl.bin # Read back HRL sudo sg_read_buffer -i 4 -m 2 -o 0 -l 0x8000 -r /dev/sr0 | hexdump -C 00000000 10 00 00 0c 00 03 10 03 00 00 00 01 21 00 00 34 |............!..4| 00000010 00 00 00 00 00 00 00 00 1b 0b f2 6d 47 9e 77 62 |...........mG.wb| 00000020 3d 91 fc 78 b1 59 c9 52 ca a4 c7 41 85 24 96 64 |=..x.Y.R...A.$.d| 00000030 8d 1d 95 8e 9b 84 c6 fa 4a dd 43 9b 42 98 fe ff |........J.C.B...| 00000040 df e6 f3 56 85 81 e1 1b 27 53 08 14 16 6d 97 3c |...V....'S...m.<| 00000050 20 2d e2 97 00 00 00 00 00 00 00 00 00 00 00 00 | -..............| 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00008000