Editing Seeds
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= | = Information about these seeds = | ||
The seeds | The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous. | ||
Without further ado, here are the seeds (both known and unknown) for several functions of the ps3. | |||
== Common == | == Common == | ||
Line 16: | Line 16: | ||
</pre> | </pre> | ||
Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg | |||
Taken from: isoldr/appldr/lv1ldr | |||
== eEID == | == eEID == | ||
=== | === eid0 === | ||
Used for individual ps3/psp/psn information. | |||
==== | ==== eid0 individuals seed ==== | ||
<pre> | <pre> | ||
Line 33: | Line 35: | ||
</pre> | </pre> | ||
Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self | |||
==== | ==== eid0 keyseed 0x0 ==== | ||
<pre>2ED7CE8D1D55454585BF6A3281CD03AF</pre> | <pre> | ||
2ED7CE8D1D55454585BF6A3281CD03AF | |||
</pre> | |||
Taken from: aim_spu_module.self | |||
==== | ==== eid0 keyseed 0x6 ==== | ||
<pre>3AB0E6C4ACFFB629362FFBBBDBC854BC</pre> | <pre> | ||
3AB0E6C4ACFFB629362FFBBBDBC854BC | |||
</pre> | |||
Taken from: pspemudrm (kirk) | |||
==== | ==== eid0 keyseed 0x6 for perconsole encrypted private key ==== | ||
<pre> | <pre> | ||
33793B9F79E2EBAE55D4D6BF0ED376E6 | |||
</pre> | |||
Encrypt it with perconsole eid0_key to obtain the decryption key to decrypt Your perconsole ecdsa private key, located into the decrypted eid0 section 6 at offset 0x88.<BR> | |||
Encryption algo: aes-256-ecb.<BR> | |||
Decryption algo: aes-128-cbc. iv = 0. | |||
Taken from: pspemudrm (kirk) | |||
==== eid0 keyseed 0xA ==== | |||
<pre> | |||
30B0395DC5835AAA3A7986B44AFAE684 | |||
</pre> | |||
Taken from: aim_spu_module.self | |||
=== eid1 === | |||
Used for individual SYSCON information. | |||
=== | ==== eid1 individuals seed ==== | ||
<pre> | <pre> | ||
Line 80: | Line 86: | ||
</pre> | </pre> | ||
Taken from: {{SD}} sc_iso.self/sc_iso_factory.self | |||
==== | ==== eid1 individuals seed ==== | ||
<pre> | <pre> | ||
Line 91: | Line 97: | ||
</pre> | </pre> | ||
Taken from: sc_iso.self/sc_iso_factory.self/ss_sc_init.self | |||
==== | |||
==== time eid1 keyseed ==== | |||
<pre> | <pre> | ||
Line 102: | Line 109: | ||
</pre> | </pre> | ||
Taken from all decrypted eid1, offset 0x110, size 0x40 | |||
=== | === eid2 === | ||
==== | Used for individual bluray information. | ||
==== eid2 individuals seed ==== | |||
<pre> | <pre> | ||
Line 115: | Line 124: | ||
</pre> | </pre> | ||
Taken from: fdm_spu_module.self | |||
==== | ==== eid2 DES key ==== | ||
<pre> | |||
6CCAB35405FA562C | |||
</pre> | |||
Taken from: Lv2diag.self for BD remarry | |||
==== eid2 DES iv ==== | |||
<pre> | |||
0000000000000000 | |||
</pre> | |||
Taken from: Lv2diag.self for BD remarry | |||
=== eid3 === | |||
Used for individual CPRM information. | |||
==== | ==== eid3 individuals seed ==== | ||
<pre> | <pre> | ||
Line 140: | Line 154: | ||
</pre> | </pre> | ||
Taken from: CprmModule.spu.isoself | |||
==== | ==== eid3 keyseed ==== | ||
<pre>5FFF3FD81E18B956DAE4E6D3368297EF</pre> | <pre> | ||
5FFF3FD81E18B956DAE4E6D3368297EF | |||
</pre> | |||
Taken from: CprmModule.spu.isoself | |||
==== | ==== eid3 static key ==== | ||
<pre>D99406CA4BF30750436A454736834589</pre> | <pre> | ||
D99406CA4BF30750436A454736834589 | |||
</pre> | |||
Taken from: CprmModule.spu.isoself | |||
=== | === eid4 === | ||
Used for individual bluray auth information. | |||
==== eid4 individuals seed ==== | |||
<pre> | <pre> | ||
3EC20C17021901978A2971793829D308 | 3EC20C17021901978A2971793829D308 | ||
Line 165: | Line 184: | ||
</pre> | </pre> | ||
Taken from: sv_iso_spu_module.self | |||
== HDD Specific == | == HDD Specific == | ||
Line 178: | Line 197: | ||
</pre> | </pre> | ||
Taken from: sb_iso_spu_module.self | |||
=== ATA tweak individuals seed === | === ATA tweak individuals seed === | ||
Line 187: | Line 207: | ||
</pre> | </pre> | ||
Taken from: sb_iso_spu_module.self | |||
=== ENCDEC data individuals seed === | === ENCDEC data individuals seed === | ||
Line 197: | Line 217: | ||
=== ENCDEC tweak individuals seed === | === ENCDEC tweak individuals seed === | ||
<pre> | <pre> | ||
02083292C305D538BC50E699710C0A3E | 02083292C305D538BC50E699710C0A3E | ||
Line 205: | Line 224: | ||
=== Arcade/SYSDBG Seeds === | === Arcade/SYSDBG Seeds === | ||
==== ATA data/tweak ==== | ====ATA data/tweak==== | ||
<pre> | <pre> | ||
Line 212: | Line 231: | ||
</pre> | </pre> | ||
==== ENCDEC data ==== | ====ENCDEC data==== | ||
<pre> | <pre> | ||
D2BCFF742D571A80DFEE5E2496D19C3A | D2BCFF742D571A80DFEE5E2496D19C3A | ||
6F25FA0FC69764CAC20F4269EB540FD8 | 6F25FA0FC69764CAC20F4269EB540FD8 | ||
</pre> | </pre> | ||
====ENCDEC tweak==== | |||
==== ENCDEC tweak ==== | |||
<pre> | <pre> | ||
C19C7F987EDB6E244B07BEDEFA1E6CC9 | C19C7F987EDB6E244B07BEDEFA1E6CC9 | ||
Line 227: | Line 244: | ||
== PS2 Emu Specific == | == PS2 Emu Specific == | ||
Used for ps2 memory card save generation | Used for ps2 memory card save generation | ||
=== mc_iso individuals seed === | === mc_iso individuals seed === | ||
Line 238: | Line 255: | ||
</pre> | </pre> | ||
Taken from: mc_iso_spu_module.self | |||
=== me_iso individuals seed === | === me_iso individuals seed === | ||
Line 249: | Line 267: | ||
</pre> | </pre> | ||
Taken from: me_iso_spu_module.self | |||
== Syscon Specific == | == Syscon Specific == | ||
Line 264: | Line 282: | ||
</pre> | </pre> | ||
=== sc_iso module seed | === sc_iso module seed {{SD}} === | ||
<pre> | <pre> | ||
0AB7611E56DA45076B46129718F5C80E | 0AB7611E56DA45076B46129718F5C80E | ||
Line 294: | Line 311: | ||
</pre> | </pre> | ||
Size 256<br> | |||
=== secure_com_lib_internal_key::session_key_create_key === | |||
<pre> | |||
9F1DF816BB4A4A0129D031CFB0AD9B30 0x00 0x50 | |||
D302FDE17578FBDBA1058449BA5C1BEA 0x01 0x60 | |||
0E6B7480E5CEB2562A3347BB41012455 0x02 0x70 | |||
7910AC5D2AD16001F6A2783979096103 0x03 0x80 | |||
E3052804B7D2836F2879A1751BB40D48 0x04 0x90 | |||
EF586F9D599170676850590BA67D4BC7 0x05 0xA0 | |||
5D9598637AF25F8023623B1268B5131A 0x06 0xB0 | |||
0EAA32140A2861D8659626F6CE2286DB 0x07 0xC0 | |||
</pre> | |||
=== secure_com_lib_internal_key::time_key === | |||
<pre> | |||
E3EFDE987E4A2D3F8CF7B3B60E846B21 0x00 0x110 seed with 0xD0 keyvault key | |||
4AB026664E9D02F53EFF9544549B1F97 0x01 0x120 seed with 0xE0 keyvault key | |||
7ECA7F299891F1B243119E35AE94C3DE 0x02 0x130 seed with 0xF0 keyvault key | |||
E0B7A0867CF44923BAE65E3386460C80 0x03 0x140 seed with 0x100 keyvault key | |||
</pre> | |||
=== random xseed === | === random xseed === | ||
Line 302: | Line 341: | ||
</pre> | </pre> | ||
used for generating a random number through the use of ch74 | |||
=== data key seed === | === data key seed === | ||
Line 316: | Line 355: | ||
</pre> | </pre> | ||
=== vtrm | === vtrm keyseed === | ||
<pre> | <pre> | ||
Line 328: | Line 367: | ||
</pre> | </pre> | ||
== eEID1 fallback == | === eEID1 fallback === | ||
<pre> | <pre> | ||
Line 374: | Line 413: | ||
</pre> | </pre> | ||
== eEID1 fallback decrypted == | |||
<pre> | <pre> | ||
Line 419: | Line 458: | ||
</pre> | </pre> | ||
* | * decrypted with flash key 0x10 | ||
= Notes = | = Notes = | ||
* | * libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them | ||
* | * you'll need eid_root_key, hdd image and eid | ||
* | * the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :) | ||
* | * many thanks to fail0verfl0w for this. gotta love the print_hash function :3 | ||
* https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting. | |||
* Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5. | |||
* ss_sc_init contains fallback EID1 of size 0x290 bytes. | |||
= References = | |||
[http://pastie.org/2858016 THE PLACEHOLDER] <- this curious pastie contains the first 4 bytes of several keys/seeds | |||
<pre> | <pre> | ||
1st | 1st-eid2 indiv seed | ||
2nd | 2nd-eid0 indiv seed | ||
3rd | 3rd-eid1 indiv seed | ||
4th | 4th-eid4 indiv seed | ||
5th | 5th-ata data seed | ||
6th | 6th-me iso indiv seed | ||
7th | 7th-mc iso indiv seed | ||
</pre> | </pre> | ||
= | [http://www.ps3devwiki.com/wiki/Iso_module isolated modules] <- used as reference for eid specific seeds, amongst others | ||
= What's inside: = | |||
== Each EID0 Section (0xC0 bytes) == | |||
{|class="wikitable" | |||
|- | |||
! Description !! Length !! Note | |||
|- | |||
| Data || 0x10 || contains the actual data of the file (either idps or psid) | |||
|- | |||
| plaintext public key || 0x28 || contains the section's public key (without padding) | |||
|- | |||
| R || 0x14 || part of the ecdsa signature pair (r,s) | |||
|- | |||
| S || 0x14 || part of the ecdsa signature pair (r,s) | |||
|- | |||
| public key || 0x28 || ecdsa public key (can be used to verify ecdsa signature RS) | |||
|- | |||
| encrypted private key || 0x20 || encrypted blob that contains the section's private key (with padding) | |||
|- | |||
| omac1/cmac || 0x10 || hash of the previous information in CMAC1/OMAC mode | |||
|- | |||
| padding || 0x8 || zero byte padding | |||
|} | |||
[http://pastie.org/6169158 Source of the information] | |||
== EID1 (0x2A0 bytes) == | |||
{|class="wikitable" | |||
|- | |||
! Offset !! Length !! Description | |||
|- | |||
| 0 || 0x10 || INIT Seed | |||
|- | |||
| 0x10 || 0x80 || AUTH1 Reencrypted Keyseeds | |||
|- | |||
| 0x90 || 0x80 || AUTH2 Reencrypted Keyseeds | |||
|- | |||
| 0x110 || 0x40 || Keyseeds (Time Service Purpose) | |||
|- | |||
| 0x150 || 0x10 || KeySeed (SNVS/Time Related) | |||
|- | |||
| 0x160 || 0x120 || Padding (Zeroes) | |||
|- | |||
| 0x280 || 0x10 || CMAC of Encrypted Data Using Master Key 0x20 if on EEPROM to CMAC (and encrypt/decrypt) or Master Key 0x10 if on FLASH | |||
|- | |||
| 0x290 || 0x10 || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 Seeds | |||
|- | |||
|} | |||
== EID2(0x730 bytes) == | |||
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying | |||
{|class="wikitable" | |||
|- | |||
! Description !! Length !! Note | |||
|- | |||
| Header || 0x20 || | |||
|- | |||
| P(rimary) block || 0x80 || contains bd drive info | |||
|- | |||
| S(econdary) block || 0x690 || contains bd drive info | |||
|} | |||
== EID3(0x100) == | |||
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication | |||
{|class="wikitable" | |||
|- | |||
! Offset !! Description !! Length !! Note | |||
|- | |||
| 0x00 || Header || 0x20 || contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce | |||
|- | |||
| 0x20 || cprm player keys || 0xB8 || | |||
|- | |||
| 0xD8 || sha1 digest || 0x14 || sha1 digest of previous section | |||
|- | |||
| 0xEC || padding || 0x4 || | |||
|- | |||
| 0xF0 || omac1 digest || 0x10 || omac1 digest of whole eid3 | |||
|} | |||
== EID4(0x30) == | |||
{|class="wikitable" | |||
|- | |||
! Description !! Length !! Note | |||
|- | |||
| Drive Key 1 || 0x10 || Encrypts data sent from host to bd drive | |||
|- | |||
| Drive Key 2 || 0x10 || Decrypts data sent from bd drive to host | |||
|- | |||
| CMAC/OMAC1 || 0x10 || Hash of the previous bytes in CMAC/OMAC1 mode | |||
|- | |||
|} | |||
== EID5 (0xA00) == | |||
The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes. | |||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |