Editing Flash:Encrypted Individual Data - eEID


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Encrypted Individual Data - eEID ==
== Encrypted Individual Data - eEID ==


eEID certainly stands for encrypted EID as each section eEID embeds is encrypted. EID certainly stands for Encrypted Individual Data. Why two 'e' in eEID ?
eEID certainly stands for encrypted EID. EID stands for Encrypted Individual Data. EID is the equivalent of IdStorage on PSP and PSVita.
 
EID is the equivalent of IdStorage on PSP and PSVita.
 
eEID is decrypted by metldr and is passed over to the isolated loader which may pass it to a SELF. We can see this in graf_chokolo’s original payload.


It is 0x10000 bytes in size (64 kB) but only the first 0x1DD0 bytes are used. The rest is padded with 0xFF.
It is 0x10000 bytes in size (64 kB) but only the first 0x1DD0 bytes are used. The rest is padded with 0xFF.
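Review bot: the sentence "eEID is decrypted by metldr and is passed over to the isolated loader which may pass it to a SELF" appears only on the Latest revision side of this hunk, so publishing the undo removes the only statement here about which component decrypts eEID. If the goal is to drop the "Why two 'e' in eEID ?" question from the opening line, edit that line alone and keep the metldr sentence.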
Line 358: Line 354:
Individual info Manager can write to EID0. Appliance Info Manager can rehash it.
Individual info Manager can write to EID0. Appliance Info Manager can rehash it.


EID0 embeds many (usually 11) AES128CBC encrypted sections. Each section is a IDPS Certificate.
EID0 embeds 11 AES128CBC encrypted sections. These are the [[Identification Certificates]].


We do not have all EID0 sections enc/dec key seeds:
We don't have all EID0 enc/dec keys:
<pre>
<pre>
section 0 (PS3 cert keyset 0) -> yes
section 0 -> yes
section 1 (PS3 cert keyset 1)-> missing
section 1 -> missing
section 2 (PS3 cert keyset 2) -> missing
section 2 -> missing
section 3 (PS3 cert keyset 3) -> missing
section 3 -> missing
section 4 (PS3 cert keyset 4) -> missing
section 4 -> missing
section 5 (PS3 cert keyset 5) -> missing
section 5 (probably equivalent to PSP section 0) -> missing
section 6 (PSP cert keyset 1) -> yes
section 6 (equivalent to PSP section 1) -> yes
section 7 (PSP cert keyset 2) -> missing
section 7 (probably equivalent to PSP section 2) -> missing
section 8 (PSP cert keyset 3) -> missing
section 8 (probably equivalent to PSP section 3) -> missing
section 9 (PSP cert keyset 4) -> missing
section 9 (probably equivalent to PSP section 4) -> missing
section 0xA (PSP cert keyset 5) -> yes
section 0xA (equivalent to PSP section 5) -> yes<
</pre>
</pre>


Keys for EID0 sections 0, 6 and 0xA key seeds were found in secure modules, for instance seeds for 0 and 0xA in aim_spu_module, seed for 6 in pspemudrm.
===== EID0 Section =====
 
===== EID0 Sections =====
 
====== IDPS Certificate Structure ======


* Size: 0xC0 bytes.
* Size: 0xC0 bytes.
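Review bot: the restored line "section 0xA (equivalent to PSP section 5) -> yes<" ends with a stray "<" directly before the closing </pre>; remove it so the key-availability list renders cleanly. The undo also collapses the "===== EID0 Sections =====" and "====== IDPS Certificate Structure ======" headings into a single "===== EID0 Section =====" and loses the sentence naming where the seeds for sections 0, 6 and 0xA were found (aim_spu_module, pspemudrm); keep that sentence, because without it the "yes" entries in the list have no stated source.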
Line 387: Line 379:
! Description !! Length !! Note
! Description !! Length !! Note
|-
|-
| Data || 0x10 || actual data (either IDPS or OpenPSID)
| Data || 0x10 || contains the actual data of the file (either IPDS or OpenPSID)
|-
|-
| plaintext public key || 0x28 || public key (without padding)
| plaintext public key || 0x28 || contains the section's public key (without padding)
|-
|-
| R || 0x14 || part of the ECDSA signature pair (r,s)
| R || 0x14 || part of the ecdsa signature pair (r,s)
|-
|-
| S || 0x14 || part of the ECDSA signature pair (r,s)
| S || 0x14 || part of the ecdsa signature pair (r,s)
|-
|-
| public key || 0x28 || ECDSA public key (can be used to verify ECDSA signature RS)
| public key || 0x28 || ecdsa public key (can be used to verify ecdsa signature RS)
|-
|-
| encrypted private key || 0x20 || encrypted ECDSA private key
| encrypted private key || 0x20 || encrypted blob that contains the section's private key (with padding)
|-
|-
| cmac || 0x10 || hash of the previous information in AES CMAC mode
| cmac || 0x10 || hash of the previous information in CMAC mode
|-
|-
| padding || 0x8 || zero byte padding for AES 128 bits encryption
| padding || 0x8 || zero byte padding for AES 128 bits encryption
|}
|}


====== EID0 section 0-5 crypto ======
====== EID0 section 0 crypto ======


* [https://web.archive.org/web/20141118233713/http://pastie.org/6169158 naehrwert's EID0 section 0 ECDSA signature verification]
* [https://web.archive.org/web/20141118233713/http://pastie.org/6169158 naehrwert's EID0 section 0 ECDSA signature verification]


====== EID0 sections 6-0xA crypto ======
====== EID0 sections 6 and 0xA crypto ======
 
EID0 section 6 is used in the PSP emulator by the DRM crypto engine to retrieve PSID. EID0 section 0xA is used by aim_spu_module to retrieve OpenPSID.
 
These sections' certificates uses PSP certificate keyset. It corresponds to PSP KIRK commands 0x10, 0x11 and 0x12 for verification of IdStorage Certificates. See also [[http://wololo.net/talk/viewtopic.php?p=20715#p20715]] and PSP wiki for PSP crypto stuff.


====== Note ======
EID0 section 6 is used in the PSP emulator by the DRM crypto engine. It corresponds to PSP KIRK commands 0x10, 0x11 and 0x12 verification of IdStorage Certificates. See also [[http://wololo.net/talk/viewtopic.php?p=20715#p20715]] and PSP wiki for PSP crypto stuff.


On PS3 it uses ECDSA curve VSH type 2 with the PSP IDPS Certificates, whilst it uses a different curve with the PS3 exclusive IDPS Certificates (for example section 0). That is maybe how Davee and Proxima figured out the KIRK 0x10 and 0x11 ECDSA crypto keys. But not sure because their work was in 2011, not in 2012 (naehrwert) and it seems that PS3 uses a different seed for encrypting the ECDSA private key (see section 6 ECDSA private key seed).
Note: What's interesting is that on PS3 it uses ECDSA curve VSH type 2 with the PSP Identification Certificates public keys, whilst it uses a different curve with the PS3 exclusive Certificates (for example section 0). That's maybe how Davee and Proxima figured out the KIRK 0x10 and 0x11 ECDSA crypto keys. But not sure because their work was in 2011, not in 2012 nor 2013 (naehrwert) and it seems PS3 uses a different seed for encrypting the ECDSA private key (see section 6 ECDSA private key seed).


=== EID1 ===
=== EID1 ===
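Review bot: in the Data row the restored text reads "either IPDS or OpenPSID", a transposition of IDPS that the Latest revision had already corrected; keep "IDPS". The restored rows also write "ecdsa" in lower case where the rest of the page uses "ECDSA", and the wololo.net reference is wrapped in double square brackets on both sides, which is MediaWiki's internal-link syntax; an external URL takes single brackets.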
Line 526: Line 514:
{| class="wikitable" style="font-size:x-small; border:2px ridge #999999;"
{| class="wikitable" style="font-size:x-small; border:2px ridge #999999;"
|-
|-
! Value !! [[Product Code]] !! Console Type !! Remarks !! Confirmed ?
! Value !! [[Product Code]] !! Console Type !! Remarks
|-
|-
| || {{TID80}} || ||
| || {{TID80}} ||  
|-
|-
| 0xFF || {{TID81}} || No BD playback with this [[Product Code]]. || {{yes}}
| 0xFF || {{TID81}} || No BD playback with this [[Product Code]].
|-
|-
| 0xFF || {{TID82}} || No BD playback with this [[Product Code]]. || {{yes}}
| 0xFF || {{TID82}} || No BD playback with this [[Product Code]].
|-
|-
| 0x01 || {{TID83}} || DVD Region 2 (NTSC)  || {{no}}
| 0x01 || {{TID83}} ||  
|-
|-
| 0x02 || {{TID84}} || DVD Region 1 (NTSC)  || {{yes}}
| 0x02 || {{TID84}} ||  
|-
|-
| 0x04 || {{TID85}} || DVD Region 2 (PAL)  || {{yes}}
| 0x04 || {{TID85}} ||  
|-
|-
| 0x10 || {{TID86}} || DVD Region 3 (NTSC)  || {{no}}
| 0x10 || {{TID86}} ||  
|-
|-
| 0x04 || {{TID87}} || DVD Region 2 (PAL)  || {{yes}}
| 0x04 || {{TID87}} ||  
|-
|-
| 0x80 || {{TID88}} || DVD Region 4 (NTSC) || {{yes}}
| || {{TID88}} ||  
|-
|-
| 0x08 || {{TID89}} || DVD Region 4 (PAL)  || {{no}}
| 0x08 || {{TID89}} ||  
|-
|-
| 0x10 || {{TID8A}} || DVD Region 3 (NTSC)  || {{yes}}
| || {{TID8A}} ||  
|-
|-
| 0x10 || {{TID8B}} || DVD Region 3 (NTSC)  || {{yes}}
| || {{TID8B}} ||  
|-
|-
| 0x20 || {{TID8C}} || DVD Region 5 (NTSC/PAL)  || {{no}}
| 0x20 || {{TID8C}} ||  
|-
|-
| 0x40 || {{TID8D}} || DVD Region 6  || {{no}}
| || {{TID8D}} ||  
|-
|-
| 0x10 || {{TID8E}} || DVD Region 3 (NTSC)  || {{yes}}
| 0x10 || {{TID8E}} ||  
|-
|-
| 0x80 || {{TID8F}} || DVD Region 4 (NTSC)  || {{no}}
| || {{TID8F}} ||  
|-
|-
| 0xFF || {{TIDA0}} || No BD playback with this [[Product Code]]. || {{yes}}
| 0xFF || {{TIDA0}} || No BD playback with this [[Product Code]].
|-
|-
|}
|}
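Review bot: the data rows carry one cell fewer than the header on both sides of this hunk. In the Latest revision "| 0x02 || {{TID84}} || DVD Region 1 (NTSC) || {{yes}}" has four cells under five headings, so the region text lands under "Console Type" and the {{yes}}/{{no}} flag under "Remarks"; add the missing Console Type cell to each row or remove that heading. Publishing the undo also blanks the Value cell for {{TID88}}, {{TID8A}}, {{TID8B}}, {{TID8D}} and {{TID8F}} and discards the "Confirmed ?" flags; if those values are in doubt, leaving them in place marked {{no}} preserves more information than deleting them.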
Line 568: Line 556:
Notes:
Notes:
* 0xFF = 0b11111111 - all bits enabled
* 0xFF = 0b11111111 - all bits enabled
* 0x80 = 0b10000000 - {{TID88}} - bit 7 (DVD Region 4 (NTSC))
* 0x20 = 0b00100000 - {{TID8C}} - bit 5
* 0x40 = 0b01000000 - {{TID8D}} - bit 6 (DVD Region 6)
* 0x10 = 0b00010000 - {{TID8E}} | {{TID86}} -  bit 4
* 0x20 = 0b00100000 - {{TID8C}} - bit 5 (DVD Region 5 (NTSC/PAL))
* 0x08 = 0b00001000 - {{TID89}} - bit 3
* 0x10 = 0b00010000 - {{TID8E}} | {{TID86}} | {{TID8A}} | {{TID8B}} -  bit 4 (DVD Region 3 (NTSC))
* 0x04 = 0b00000100 - {{TID87}} | {{TID85}} - bit 2
* 0x08 = 0b00001000 - {{TID89}} - bit 3 (DVD Region 4 (PAL))
* 0x02 = 0b00000010 - {{TID84}} - bit 1
* 0x04 = 0b00000100 - {{TID87}} | {{TID85}} - bit 2 (DVD Region 2(PAL))
* 0x01 = 0b00000001 - {{TID83}} - bit 0
* 0x02 = 0b00000010 - {{TID84}} - bit 1 (DVD Region 1 (NTSC))
* 0x01 = 0b00000001 - {{TID83}} - bit 0 (DVD Region 2 (NTSC))


=== EID3 ===
=== EID3 ===
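Review bot: the Latest revision's 0x80 line names only {{TID88}}, while the table in the previous hunk also assigns 0x80 to {{TID8F}}; list both, or state that the {{TID8F}} value is unconfirmed. "DVD Region 2(PAL)" on the 0x04 line is missing a space before the parenthesis. The restored list drops the bit 6 and bit 7 entries and the region meaning of every bit, which matches the restored table but leaves the bitmask with no stated interpretation.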
Line 708: Line 694:
=== EID5 ===
=== EID5 ===


The largest and quite possibly the most important EID section of all 6. It's unknown what is inside this specific EID. We will probably never know without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use.
The largest and quite possibly the most important EID section of all 6. It's unknown what is inside this specific EID. We'll probably never know without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use.


EID5 size is quite similar to EID0, but it has an additional 0x1A0 bytes. EID5 header has many similarities with EID0 header.
EID5 size is similar to EID0, but it has an additional 0x1A0 bytes. EID5 header has some similarities with EID0 header.


==== Example ====
==== Example ====
Line 750: Line 736:
| 0x10 || 0x2 || 00 12 || Unknown || Unknown.
| 0x10 || 0x2 || 00 12 || Unknown || Unknown.
|-
|-
| 0x12 || 0x2 || 07 30 || Unknown || Maybe data size in bytes (in EID0 it is encrypted Identification Certificates count). 0x730 on CEX, 0x7E0 on DEX/DECR.
| 0x12 || 0x2 || 07 30 || Unknown || Unknown. 07 E0 on DEX/DECR
|-
|-
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
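Review bot: the restored remark for offset 0x12, "Unknown. 07 E0 on DEX/DECR", no longer says which console type the example bytes 07 30 belong to, whereas the Latest revision's "0x730 on CEX, 0x7E0 on DEX/DECR" makes that explicit. Keep the CEX and DEX/DECR values even if the "Maybe data size in bytes" interpretation is removed as unconfirmed.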
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!
