Editing Seeds

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Source of the PS3 seeds =
= Information about these seeds =


The seeds presented on this page were acquired through different means. It started with a simple search (which I have to thank glevand and naehrwert for, as had it not been for those guys, I wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and who probably wish to stay anonymous.
The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.


= Seeds =
Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.


== Common ==
== Common ==
Line 16: Line 16:
</pre>
</pre>


* Used on old firmwares, possibly for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same.
Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg
* See [https://web.archive.org/web/20141118235214/http://pastie.org/private/rzg83pokd4vnxg60dj3qwg comments].
 
* Location: isoldr/appldr/lv1ldr
Taken from: isoldr/appldr/lv1ldr


== eEID ==
== eEID ==


=== EID0 ===
=== eid0 ===


==== EID0 individuals seed ====
Used for individual ps3/psp/psn information.
 
==== eid0 individuals seed ====


<pre>
<pre>
Line 33: Line 35:
</pre>
</pre>


* Location: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self
Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self


==== EID0 section 0 seed for enc/dec + CMAC (Kirk command 0x12) ====
==== eid0 keyseed 0x0 ====


<pre>2ED7CE8D1D55454585BF6A3281CD03AF</pre>
<pre>
2ED7CE8D1D55454585BF6A3281CD03AF
</pre>


* Location: aim_spu_module.self
Taken from: aim_spu_module.self


==== EID0 section 6 seed for enc/dec + CMAC (Kirk command 0x12) ====
==== eid0 keyseed 0x6 ====


<pre>3AB0E6C4ACFFB629362FFBBBDBC854BC</pre>
<pre>
3AB0E6C4ACFFB629362FFBBBDBC854BC
</pre>


* Location: pspemudrm (KIRK)
Taken from: pspemudrm (kirk)


==== EID0 section 0xA seed for enc/dec + CMAC (Kirk command 0x12) ====
==== eid0 keyseed 0x6 for perconsole encrypted private key ====


<pre>30B0395DC5835AAA3A7986B44AFAE684</pre>
<pre>
33793B9F79E2EBAE55D4D6BF0ED376E6
</pre>


* Location: aim_spu_module.self
Encrypt it with perconsole eid0_key to obtain the decryption key to decrypt Your perconsole ecdsa private key, located into the decrypted eid0 section 6 at offset 0x88.<BR>
Encryption algo: aes-256-ecb.<BR>
Decryption algo: aes-128-cbc. iv = 0.


==== EID0 section 6 seed for encrypted ECDSA private key (Kirk command 0x10) ====
Taken from: pspemudrm (kirk)


<pre>33793B9F79E2EBAE55D4D6BF0ED376E6</pre>
==== eid0 keyseed 0xA ====


Notes:
<pre>
* This seed is the equivalent of the PSP Kirk command 0x10 AES128ECB seed (idskey0).
30B0395DC5835AAA3A7986B44AFAE684
* EID0 sections 7-0xA use a different and unknown seed.
</pre>


1) aes-256-ecb encrypt the seed with per-console EID0_key (indiv+0x20) and EID0_iv (indiv+0x10), in order to obtain the 128bit decryption key to decrypt per-console encrypted ECDSA private key.
Taken from: aim_spu_module.self


2) aes-128-cbc decrypt with iv=0 the encrypted ECDSA private key, located at certificate offset 0x88.
=== eid1 ===


3) Verify the ECDSA private key by using the ECDSA public key at certificate offset 0x10. See KIRK command 0x10 on PSP or PS3 wiki (same constant public key and curve).
Used for individual SYSCON information.


* Location: pspemudrm (KIRK)
==== eid1 individuals seed ====
 
=== EID1 ===
 
==== EID1 individuals seed (SD) ====


<pre>
<pre>
Line 80: Line 86:
</pre>
</pre>


* Location: {{SD}} sc_iso.self/sc_iso_factory.self
Taken from: {{SD}} sc_iso.self/sc_iso_factory.self


==== EID1 individuals seed ====
==== eid1 individuals seed ====


<pre>
<pre>
Line 91: Line 97:
</pre>
</pre>


* Location: sc_iso.self/sc_iso_factory.self/ss_sc_init.self
Taken from: sc_iso.self/sc_iso_factory.self/ss_sc_init.self


==== Time EID1 seed ====
 
==== time eid1 keyseed ====


<pre>
<pre>
Line 102: Line 109:
</pre>
</pre>


* Location: from all decrypted EID1, offset 0x110, size 0x40
Taken from all decrypted eid1, offset 0x110, size 0x40


=== EID2 ===
=== eid2 ===


==== EID2 individuals seed ====
Used for individual bluray information.
 
==== eid2 individuals seed ====


<pre>
<pre>
Line 115: Line 124:
</pre>
</pre>


* Location: fdm_spu_module.self
Taken from: fdm_spu_module.self


==== EID2 DES key ====
==== eid2 DES key ====
<pre>
6CCAB35405FA562C
</pre>


<pre>6CCAB35405FA562C</pre>
Taken from: Lv2diag.self for BD remarry


* Location: Lv2diag.self for BD remarry
==== eid2 DES iv ====


==== EID2 DES IV ====
<pre>
0000000000000000
</pre>


<pre>0000000000000000</pre>
Taken from: Lv2diag.self for BD remarry


* Location: Lv2diag.self for BD remarry
=== eid3 ===


=== EID3 ===
Used for individual CPRM information.


==== EID3 individuals seed ====
==== eid3 individuals seed ====


<pre>
<pre>
Line 140: Line 154:
</pre>
</pre>


* Location: CprmModule.spu.isoself
Taken from: CprmModule.spu.isoself


==== EID3 seed ====
==== eid3 keyseed ====


<pre>5FFF3FD81E18B956DAE4E6D3368297EF</pre>
<pre>
5FFF3FD81E18B956DAE4E6D3368297EF
</pre>


* Location: CprmModule.spu.isoself
Taken from: CprmModule.spu.isoself


==== EID3 static key ====
==== eid3 static key ====


<pre>D99406CA4BF30750436A454736834589</pre>
<pre>
D99406CA4BF30750436A454736834589
</pre>


* Location: CprmModule.spu.isoself
Taken from: CprmModule.spu.isoself


=== EID4 ===
=== eid4 ===


==== EID4 individuals seed ====
Used for individual bluray auth information.


==== eid4 individuals seed ====
<pre>
<pre>
3EC20C17021901978A2971793829D308
3EC20C17021901978A2971793829D308
Line 165: Line 184:
</pre>
</pre>


* Location: sv_iso_spu_module.self
Taken from: sv_iso_spu_module.self


== HDD Specific ==
== HDD Specific ==
Line 178: Line 197:
</pre>
</pre>


* Location: sb_iso_spu_module.self
Taken from: sb_iso_spu_module.self
 


=== ATA tweak individuals seed ===
=== ATA tweak individuals seed ===
Line 187: Line 207:
</pre>
</pre>


* Location: sb_iso_spu_module.self
Taken from: sb_iso_spu_module.self


=== ENCDEC data individuals seed ===
=== ENCDEC data individuals seed ===
Line 197: Line 217:


=== ENCDEC tweak individuals seed ===
=== ENCDEC tweak individuals seed ===
<pre>
<pre>
02083292C305D538BC50E699710C0A3E
02083292C305D538BC50E699710C0A3E
Line 205: Line 224:
=== Arcade/SYSDBG Seeds ===
=== Arcade/SYSDBG Seeds ===


==== ATA data/tweak ====
====ATA data/tweak====


<pre>
<pre>
Line 212: Line 231:
</pre>
</pre>


==== ENCDEC data ====
====ENCDEC data====
 
<pre>
<pre>
D2BCFF742D571A80DFEE5E2496D19C3A
D2BCFF742D571A80DFEE5E2496D19C3A
6F25FA0FC69764CAC20F4269EB540FD8
6F25FA0FC69764CAC20F4269EB540FD8
</pre>
</pre>
 
====ENCDEC tweak====
==== ENCDEC tweak ====
<pre>
<pre>
C19C7F987EDB6E244B07BEDEFA1E6CC9
C19C7F987EDB6E244B07BEDEFA1E6CC9
Line 227: Line 244:
== PS2 Emu Specific ==
== PS2 Emu Specific ==


Used for ps2 memory card save generation.
Used for ps2 memory card save generation


=== mc_iso individuals seed ===
=== mc_iso individuals seed ===
Line 238: Line 255:
</pre>
</pre>


* Location: mc_iso_spu_module.self
Taken from: mc_iso_spu_module.self
 


=== me_iso individuals seed ===
=== me_iso individuals seed ===
Line 249: Line 267:
</pre>
</pre>


* Location: me_iso_spu_module.self
Taken from: me_iso_spu_module.self


== Syscon Specific ==
== Syscon Specific ==
Line 264: Line 282:
</pre>
</pre>


=== sc_iso module seed (SD) ===
=== sc_iso module seed {{SD}} ===
 
<pre>
<pre>
0AB7611E56DA45076B46129718F5C80E
0AB7611E56DA45076B46129718F5C80E
Line 294: Line 311:
</pre>
</pre>


* Size: 256 bytes
Size 256<br>
 
=== secure_com_lib_internal_key::time_key ===
 
<pre>
E3EFDE987E4A2D3F8CF7B3B60E846B21 0x00 0x110 seed with 0xD0 keyvault key
4AB026664E9D02F53EFF9544549B1F97 0x01 0x120 seed with 0xE0 keyvault key
7ECA7F299891F1B243119E35AE94C3DE 0x02 0x130 seed with 0xF0 keyvault key
E0B7A0867CF44923BAE65E3386460C80 0x03 0x140 seed with 0x100 keyvault key
</pre>


=== random xseed ===
=== random xseed ===
Line 302: Line 328:
</pre>
</pre>


Used for generating a random number through the use of ch74.
used for generating a random number through the use of ch74


=== data key seed ===
=== data key seed ===
Line 316: Line 342:
</pre>
</pre>


=== vtrm key seed ===
=== vtrm keyseed ===


<pre>
<pre>
Line 328: Line 354:
</pre>
</pre>


== eEID1 fallback ==
=== eEID1 fallback ===


<pre>
<pre>
Line 374: Line 400:
</pre>
</pre>


=== eEID1 fallback decrypted ===
== eEID1 fallback decrypted ==


<pre>
<pre>
Line 419: Line 445:
</pre>
</pre>


* Decrypted with flash key 0x10.
* decrypted with flash key 0x10


= Notes =
= Notes =


* There are some tools that to work with these seeds: libeeid / ps3hdd_poc / ps3_decrypt_tools.
* libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
* https://github.com/zecoxao/ps3_decrypt_tools Up-to-date tool for EID decryption and encryption.
* you'll need eid_root_key, hdd image and eid
* The seeds are scattered all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
* the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
* Many thanks to fail0verfl0w for this. Gotta love the print_hash function :3
* many thanks to fail0verfl0w for this. gotta love the print_hash function :3
* https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
* Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
* ss_sc_init contains fallback EID1 of size 0x290 bytes.


* Regarding Syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
= References =
* ss_sc_init contains fallback EID1 of size 0x290 bytes.


* [https://web.archive.org/web/20141118233711/http://pastie.org/2858016 THE PLACEHOLDER]. This curious pastie contains the first 4 bytes of several keys/seeds:
[http://pastie.org/2858016 THE PLACEHOLDER] <- this curious pastie contains the first 4 bytes of several keys/seeds
<pre>
<pre>
1st line - EID2 individuals seed
1st-eid2 indiv seed
2nd line - EID0 individuals seed
2nd-eid0 indiv seed
3rd line - EID1 individuals seed
3rd-eid1 indiv seed
4th line - EID4 individuals seed
4th-eid4 indiv seed
5th line - ata data seed
5th-ata data seed
6th line - me iso indiv seed
6th-me iso indiv seed
7th line - mc iso indiv seed
7th-mc iso indiv seed
</pre>
</pre>


= References =
[http://www.ps3devwiki.com/wiki/Iso_module isolated modules] <- used as reference for eid specific seeds, amongst others
 
= What's inside: =
 
== Each EID0 Section (0xC0 bytes) ==
 
{|class="wikitable"
|-
! Description !! Length !! Note
|-
| Data || 0x10 || contains the actual data of the file (either idps or psid)
|-
| plaintext public key || 0x28 || contains the section's public key (without padding)
|-
| R || 0x14 || part of the ecdsa signature pair (r,s)
|-
| S || 0x14 || part of the ecdsa signature pair (r,s)
|-
| public key || 0x28 || ecdsa public key (can be used to verify ecdsa signature RS)
|-
| encrypted private key || 0x20 || encrypted blob that contains the section's private key (with padding)
|-
| omac1/cmac || 0x10 || hash of the previous information in CMAC1/OMAC mode
|-
| padding || 0x8 || zero byte padding
|}
 
[http://pastie.org/6169158 Source of the information]
 
== EID1 (0x2A0 bytes) ==
 
{|class="wikitable"
|-
! Offset !! Length !! Description
|-
| 0 || 0x10 || INIT Seed
|-
| 0x10 || 0x80 || AUTH1 Reencrypted Keyseeds
|-
| 0x90 || 0x80 || AUTH2 Reencrypted Keyseeds
|-
| 0x110 || 0x40 || Keyseeds (Time Service Purpose)
|-
| 0x150 || 0x10 ||  KeySeed (SNVS/Time Related)
|-
| 0x160 || 0x120 || Padding (Zeroes)
|-
| 0x280 || 0x10  || CMAC of Encrypted Data Using Master Key 0x20 if on EEPROM to CMAC (and encrypt/decrypt) or Master Key 0x10 if on FLASH
|-
| 0x290 || 0x10  || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 Seeds
|-
|}
 
== EID2(0x730 bytes) ==
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying
{|class="wikitable"
|-
! Description !! Length !! Note
|-
| Header || 0x20 ||
|-
| P(rimary) block || 0x80 || contains bd drive info
|-
| S(econdary) block || 0x690 || contains bd drive info
|}
 
== EID3(0x100) ==
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication
{|class="wikitable"
|-
! Offset !! Description !! Length !! Note
|-
| 0x00 || Header || 0x20 || contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce
|-
| 0x20 || cprm player keys || 0xB8 ||
|-
| 0xD8 || sha1 digest || 0x14 || sha1 digest of previous section
|-
| 0xEC || padding || 0x4 ||
|-
| 0xF0 || omac1 digest || 0x10 || omac1 digest of whole eid3
|}
 
== EID4(0x30) ==
 
{|class="wikitable"
|-
! Description !! Length !! Note
|-
| Drive Key 1 || 0x10 || Encrypts data sent from host to bd drive
|-
| Drive Key 2 || 0x10 || Decrypts data sent from bd drive to host
|-
| CMAC/OMAC1 || 0x10 || Hash of the previous bytes in CMAC/OMAC1 mode
|-
|}


[[Iso_module|Isolated modules]] <- used as reference for EID specific seeds, amongst others
== EID5 (0xA00) ==


The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)