Editing BD Drive Reverse Engineering
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 16: | Line 16: | ||
* I used my spuisofs Linux kernel module and the below SPU program to dump EID4 IV key on PS3 Linux. | * I used my spuisofs Linux kernel module and the below SPU program to dump EID4 IV key on PS3 Linux. | ||
* After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | * After dumping EID4 key use CMAC-OMAC1 algorithm to check the CMAC of EID4. If the EID4 key you got is correct then the CMAC should match. | ||
==SPU Program== | ==SPU Program== | ||
Line 22: | Line 21: | ||
My program to dump EID4 AES-CBC-256 IV and key to PPU memory: | My program to dump EID4 AES-CBC-256 IV and key to PPU memory: | ||
< | <pre> | ||
/* | /* | ||
* Dump EID4 IV and key to EA with MFC | * Dump EID4 IV and key to EA with MFC | ||
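Review bot: The `<pre>` restored on the third line of this hunk is only half of a pair. The latest revision shows the opening tag cut down to `<` here and the closing tag cut down to `</` in the hunk at Line 127/126, so the SPU listing renders as a code block only if both are restored together. Publish the undo as a whole rather than keeping either side of this hunk on its own.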
Line 127: | Line 126: | ||
bi $lr | bi $lr | ||
</ | </pre> | ||
==Result== | ==Result== | ||
Line 143: | Line 142: | ||
[glevand@arch dump_eid4_key]$ hexdump -C /mnt/arg1 | [glevand@arch dump_eid4_key]$ hexdump -C /mnt/arg1 | ||
... | ... | ||
Here should be | Here should be you EID4 IV and key | ||
IV is at offset 0x10 (16 bytes) | IV is at offset 0x10 (16 bytes) | ||
Key is at offset 0x20 (32 bytes) | Key is at offset 0x20 (32 bytes) | ||
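Review bot: The restored sentence "Here should be you EID4 IV and key" carries a typo back in; it should read "your EID4 IV and key". The latest revision truncated the sentence to "Here should be", so the undo is right to restore it, but fix the wording before publishing. The two offset lines under it (IV at 0x10 for 16 bytes, key at 0x20 for 32 bytes) are unchanged and consistent with the AES-CBC-256 description earlier in the diff.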
Line 155: | Line 154: | ||
* ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | * ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive. | ||
* Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | * Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive. | ||
* The same procedue is | * The same procedue is follwed e.g. by Storage Manager which runs in LPAR1. | ||
* 3DES-CBC with 2 keys is used to encrypt commands sent to BD drive. | * 3DES-CBC with 2 keys is used to encrypt commands sent to BD drive. | ||
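Review bot: The third bullet of this hunk restores "follwed", and "procedue" is misspelled on both sides of the diff; the line should read "The same procedure is followed e.g. by Storage Manager which runs in LPAR1." The first bullet also says "exchange random number" where the next bullet speaks of "exchanged random numbers", so use the plural in both. The undo otherwise correctly restores the clause that the latest revision cut off after "is".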
Line 170: | Line 169: | ||
==Program== | ==Program== | ||
< | <pre> | ||
/*- | /*- | ||
* Copyright (C) 2012 glevand <[email protected]> | * Copyright (C) 2012 glevand <[email protected]> | ||
Line 1,083: | Line 1,082: | ||
exit(0); | exit(0); | ||
} | } | ||
</ | </pre> | ||
==Result== | ==Result== | ||
Line 1,090: | Line 1,089: | ||
<pre> | <pre> | ||
glevand@debian:~$ sudo ./bd_get_version -k | glevand@debian:~$ sudo ./bd_get_version -k 04fb584aef2febd479c905a2e3bc5bd9 -l 480210d53dd040d445f41bb1cf984ef3 | ||
TEST UNIT READY failed: status 2 host status 0 driver status 8 | TEST UNIT READY failed: status 2 host status 0 driver status 8 | ||
sense buffer: 70 00 02 00 00 00 00 0a 00 00 00 00 3a 00 00 00 | sense buffer: 70 00 02 00 00 00 00 0a 00 00 00 00 3a 00 00 00 | ||
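Review bot: The command line on the first line of this hunk gets back two literal 32-hex-digit arguments, one for `-k` and one for `-l`, which the latest revision had removed, leaving a dangling `-k` with no value. Decide explicitly whether the transcript is meant to publish those values. If it is, the undo is fine as it stands; if it is not, replace both with named placeholders rather than truncating the command, so the invocation still shows that `-k` and `-l` each take a 16-byte hex argument.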
Line 1,103: | Line 1,102: | ||
version: 00 03 00 50 00 00 00 00 | version: 00 03 00 50 00 00 00 00 | ||
</pre> | </pre> | ||