Editing BD Drive Reverse Engineering

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:Software]]
=Introduction=
=Introduction=


Line 22: Line 23:
My program to dump EID4 AES-CBC-256 IV and key to PPU memory:
My program to dump EID4 AES-CBC-256 IV and key to PPU memory:


<syntaxhighlight lang="asm">
<pre>
/*
/*
  * Dump EID4 IV and key to EA with MFC
  * Dump EID4 IV and key to EA with MFC
Line 127: Line 128:


bi $lr
bi $lr
</syntaxhighlight>
</pre>


==Result==
==Result==
Line 155: Line 156:
* ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive.
* ATAPI commands SEND_KEY and REPORT_KEY are used to exchange random number between host and BD drive.
* Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive.
* Exchanged random numbers are used to derive the session key which is used later to send vendor-specific ATAPI commands (0xE0 and 0xE1) to BD drive.
* The same procedue is followed e.g. by Storage Manager which runs in LPAR1.
* The same procedue is follwed e.g. by Storage Manager which runs in LPAR1.
* 3DES-CBC with 2 keys is used to encrypt commands sent to BD drive.
* 3DES-CBC with 2 keys is used to encrypt commands sent to BD drive.


Line 170: Line 171:
==Program==
==Program==


<syntaxhighlight lang="c">
<pre>
/*-
/*-
  * Copyright (C) 2012 glevand <[email protected]>
  * Copyright (C) 2012 glevand <[email protected]>
Line 1,083: Line 1,084:
exit(0);
exit(0);
}
}
</syntaxhighlight>
</pre>


==Result==
==Result==
Line 1,111: Line 1,112:


TODO
TODO
=Buffers=
{|class="wikitable"
|-
! ID !! Size !! Description
|-
| 0 || 0x800 ||
|-
| 1 || 0x800 || Serial Flash
|-
| 2 || 0x60 || P-Block
|-
| 3 || 0x670 || S-Block
|-
| 4 || 0x8000 || Empty AACS HRL 
|-
| 5 || 0x8000 || Current AACS HRL
|}


=Inquiry GameOS=
=Inquiry GameOS=
Line 1,136: Line 1,118:
* It was tested via Game OS on 4.21
* It was tested via Game OS on 4.21
* This is NO full source, but it is enough to copy&paste into your own code and modify for getting it to work.
* This is NO full source, but it is enough to copy&paste into your own code and modify for getting it to work.
( * you need sys storage access in order sys_storage_open to not fail, so either lv2_poke it or a fixed cfw ! )


==Program==
==Program==
Line 1,249: Line 1,230:
| 0x20 || 0x4 || "4154" || Product revision level ||  
| 0x20 || 0x4 || "4154" || Product revision level ||  
|}
|}
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/BD_Drive_Reverse_Engineering"