Editing BD Drive Reverse Engineering
Latest revision | Your text | ||
Line 1: | Line 1: | ||
=Introduction= | =Introduction= | ||
* The | * The follwing information was reverse engineered from Storage Manager which runs in LPAR1 and from sv_iso_spu_module.self. | ||
=Information about EID4= | =Information about EID4= | ||
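Review bot: "follwing" in the Introduction bullet of the "Your text" column is a typo for "following". Correct it in the text being published rather than carrying it back in with the undo.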
Line 14: | Line 14: | ||
* I modified sv_iso_spu_module.self to dump EID4 IV and key. | * I modified sv_iso_spu_module.self to dump EID4 IV and key. | ||
* I used | * I used spuisofs kernel module and the below SPU program to dump EID4 IV key. | ||
* After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | * After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | ||
My program to dump EID4 AES-CBC-128 IV and key to PPU memory: | |||
<pre> | |||
< | |||
/* | /* | ||
* Dump EID4 IV and key to EA with MFC | * Dump EID4 IV and key to EA with MFC | ||
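Review bot: in the "I used spuisofs kernel module" bullet, "dump EID4 IV key" drops the "and" that the bullet above it and the listing's own comment use ("IV and key"), so it reads as a single value; make it "the EID4 IV and key". The caption "My program to dump EID4 AES-CBC-128 IV and key to PPU memory:" and the opening <pre> appear only in the latest-revision column, while the closing </pre> at Line 124 is kept on both sides, so confirm the listing still has its opening tag after the undo.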
Line 127: | Line 124: | ||
bi $lr | bi $lr | ||
</pre> | </pre> | ||
Line 152: | Line 129: | ||
* With both keys from EID4 we are now able to establish a secure communication channel with BD drive and send vendor-specific ATAPI commands to it. | * With both keys from EID4 we are now able to establish a secure communication channel with BD drive and send vendor-specific ATAPI commands to it. | ||
* ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | * ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | ||
* Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | * Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | ||
* The same procedue is | * The same procedue is folled e.g. by Storage Manager which runs in LPAR1. | ||
=Get Version= | =Get Version= | ||
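Review bot: the last bullet before "=Get Version=" carries two typos in the text being published, "procedue" and "folled". It should read "The same procedure is followed e.g. by Storage Manager which runs in LPAR1."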
Line 166: | Line 137: | ||
* Here is an example of a simple program which establishes a secure communication channel with BD drive and reads BD FW version by using vendor-specific ATAPI commands 0xE0 and 0xE1. | * Here is an example of a simple program which establishes a secure communication channel with BD drive and reads BD FW version by using vendor-specific ATAPI commands 0xE0 and 0xE1. | ||
* It was tested on PS3 OtherOS++ 3.55 and Linux kernel 3.5.1. | * It was tested on PS3 OtherOS++ 3.55 and Linux kernel 3.5.1. | ||
<pre> | |||
< | |||
/*- | /*- | ||
* Copyright (C) 2012 glevand <[email protected]> | * Copyright (C) 2012 glevand <[email protected]> | ||
Line 1,083: | Line 1,051: | ||
exit(0); | exit(0); | ||
} | } | ||
</pre> | </pre> | ||