Editing BD Drive Reverse Engineering
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
=Information about EID4= | =Information about EID4= | ||
Line 14: | Line 10: | ||
* I modified sv_iso_spu_module.self to dump EID4 IV and key. | * I modified sv_iso_spu_module.self to dump EID4 IV and key. | ||
* I used | * I used spuisofs kernel module and the below SPU program to dump EID4 IV key. | ||
* After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | * After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | ||
My program to dump EID4 AES-CBC-128 IV and key to PPU memory: | |||
<pre> | |||
< | |||
/* | /* | ||
* Dump EID4 IV and key to EA with MFC | * Dump EID4 IV and key to EA with MFC | ||
Line 127: | Line 120: | ||
bi $lr | bi $lr | ||
</pre> | </pre> | ||
Line 152: | Line 125: | ||
* With both keys from EID4 we are now able to establish a secure communication channel with BD drive and send vendor-specific ATAPI commands to it. | * With both keys from EID4 we are now able to establish a secure communication channel with BD drive and send vendor-specific ATAPI commands to it. | ||
* ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | * ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | ||
* Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | * Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | ||