Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Superslim DEX Serial 1 Signature ==
<pre>
R:00 78 8C AE B0 E7 0C 3C D5 32 11 CC 0E 16 C2 A1 6E 9B F6 E6 80
S:00 82 03 7E 33 00 DE 68 DA 8A DD 87 E5 A8 E3 64 2F B7 55 3D D6
</pre>
== Superslim DEX Serial 1 Token ==
<pre>
2F 4A F9 92 92 F3 01 FD 40 31 53 AB 8F 4A 17 15
2F EA D8 C3 0D E5 F5 5F C8 6E 8B 19 EC BE 22 D2
82 F6 30 29 D2 CD 03 44 0B 55 06 84 0D 4E 83 0B
39 7C 4D 35 6A D8 B2 27 4C A5 74 35 95 C3 23 B4
4E 32 3B 39 5A 85 4B E4 FA E3 1B 0B 74 11 AF C9
</pre>
== 2.36 vs 3.30 appldr key 79481839C4... ==
Stop editing 79481839C4... as a PS3 FW 3.30 appldr key, unless you can disprove the absence of it since after PS3 FW 2.36 as seen here: http://pastebin.com/biWXJrst.
I see it there at offset 0x18C30 in the pastebin....
Here are some appldr keys: [http://www.sendspace.com/file/ou1ln1 .xls (dead link)] and I doubt about the versions and revisions because of ^^
Please edit and add it to the Page.
Disproving the absence: [https://www.sendspace.com/file/m0j3c1 (dead link)]
This archive contains files from PS3 FW 3.31 DECR (appldr, decrypted appldr and emer_init.self)
The key 79481839C4... is inside the decrypted appldr and used to decrypt emer_init.self.
== sv_iso_spu_module 1.02-3.55 ==
== sv_iso_spu_module 1.02-3.55 ==
<pre>
<pre>
key_0:  EF4F6A107742E8448BC1F9D8F2481B31 // key_0 is an aes_cfb128 iv
key_0:  EF4F6A107742E8448BC1F9D8F2481B31 //key_0 is an aes_cfb128 iv


iv_0:    2226928D44032F436AFD267E748B2393
iv_0:    2226928D44032F436AFD267E748B2393
key_0_0: 126C6B5945370EEECA68262D02DD12D2 // key_0_0 is used with iv_0 to generate gen_key_0
key_0_0: 126C6B5945370EEECA68262D02DD12D2 //key_0_0 is used with iv_0 to generate gen_key_0
key_0_1: D9A20A79666C27D11032ACCF0D7FB501 // key_0_1 is used with iv_0 to generate gen_key_1
key_0_1: D9A20A79666C27D11032ACCF0D7FB501 //key_0_1 is used with iv_0 to generate gen_key_1


key_1:  7CDD0E02076EFE4599B1B82C359919B3 // key_1 is used with iv_0
key_1:  7CDD0E02076EFE4599B1B82C359919B3 //key_1 is used with iv_0


iv_1:    3BD624020BD3F865E80B3F0CD6566DD0 // iv_1 is used with gen_key_0 and gen_key_1
iv_1:    3BD624020BD3F865E80B3F0CD6566DD0 //iv_1 is used with gen_key_0 and gen_key_1


key_2:  380BCF0B53455B3C7817AB4FA3BA90ED // key_2 + iv_2 are used to generate something from the disk name (id?)
key_2:  380BCF0B53455B3C7817AB4FA3BA90ED //key_2 + iv_2 are used to generate something from the disk name (id?)
iv_2:    69474772AF6FDAB342743AEFAA186287
iv_2:    69474772AF6FDAB342743AEFAA186287


debug_disc_fallback: 67C0758CF4996FEF7E88F90CC6959D66 // this fallback is used if the disk name (id?) is 'PS3_L_DEBUG_DISC'
debug_disc_fallback: 67C0758CF4996FEF7E88F90CC6959D66 //this fallback is used if the disk name (id?) is 'PS3_L_DEBUG_DISC'
</pre>
</pre>


=== Observations ===
===Observations===
 
<pre>genelib.dll (Build 1.20.2662.20880):
<pre>
genelib.dll (Build 1.20.2662.20880):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 66: Line 30:
00063E90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f</pre>
00063E90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f</pre>


<pre>genelib.dll (Build 3.12.4159.28611):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
0006BE80                                      67 C0 75 8C              gÀuŒ
0006BE90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f</pre>
<pre>genelib.dll (Build 3.30.4566.37262):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00072E80                                      67 C0 75 8C              gÀuŒ
00072E90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f
</pre>
== sc_iso module 1.00-4.00 ==
<pre>
0x0                                   
0x1                                   
0x2    D413B89663E1FE9F75143D3BB4565274
0x3    FA72CEEF59B4D2989F111913287F51C7
0x4    DAA4B9F2BC70B280A7B340FA0D04BA14
0x5                                   
</pre>
=== Observations ===
<pre> 1.00:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00020210  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x4
  00020220  FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  úrÎïY´Ò˜Ÿ...(.QÇ  key rev 0x3
  00020230  D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  Ô.¸–cáþŸu.=;´VRt  key rev 0x2
</pre>
<pre> 3.15:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00014110  D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  Ô.¸–cáþŸu.=;´VRt  key rev 0x4
  00014120  FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  úrÎïY´Ò˜Ÿ...(.QÇ  key rev 0x3
  00014130  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
</pre>
<pre> 3.41:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00014110  D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  Ô.¸–cáþŸu.=;´VRt  key rev 0x4
  00014120  FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  úrÎïY´Ò˜Ÿ...(.QÇ  key rev 0x3
  00014130  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
</pre>
<pre> 3.55:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00014110  D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  Ô.¸–cáþŸu.=;´VRt  key rev 0x4
  00014120  FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  úrÎïY´Ò˜Ÿ...(.QÇ  key rev 0x3
  00014130  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
</pre>
<pre> 4.00:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  ********  D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  Ô.¸–cáþŸu.=;´VRt  key rev 0x4
  ********  FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  úrÎïY´Ò˜Ÿ...(.QÇ  key rev 0x3
  ********  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
</pre>
== aim_spu_module Keys Usage ==
See [[Keys#aim_spu_module_Keys]], especially aim_key, aim_iv and aim_compare.
Can anyone explain to me what is the purpose and functionality of these keys? I have never seen them in "action" before...


== spu_token_processor ==
== spu_token_processor ==
 
<pre> spu_token_processor 1.00-3.56
<pre>spu_token_processor 1.00-3.56
   token-hmac: CC30C4229113DB25733553AFD06E8762B3729D9EFAA6D5F35A6F58BF38FF8B5F58A25BD9C9B50B01D1AB4028676968EAC7F88833B662935D7506A6B5E0F9D97A
   token-hmac: CC30C4229113DB25733553AFD06E8762B3729D9EFAA6D5F35A6F58BF38FF8B5F58A25BD9C9B50B01D1AB4028676968EAC7F88833B662935D7506A6B5E0F9D97A
   token-key:  341812376291371C8BC756FFFC611525403F95A8EF9D0C996482EEC216B562ED
   token-key:  341812376291371C8BC756FFFC611525403F95A8EF9D0C996482EEC216B562ED
   token-iv:  E8663A69CD1A5C454A761E728C7C254E</pre>
   token-iv:  E8663A69CD1A5C454A761E728C7C254E</pre>
 
===Observations===
=== Observations ===
 
<pre>1.00:
<pre>1.00:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 210: Line 109:
</pre>
</pre>


== appldr rev 0x01 ==
== aim_spu_module ==
  aim_ks_4 : 30B0395DC5835AAA3A7986B44AFAE684
  aim_ks_1 : 2ED7CE8D1D55454585BF6A3281CD03AF
  aim_iv  : 51F78B72A64711CF5C72323FB8607A00
  aim_key  : 922B198CDF0C07DCCE848B69882D804CC23F19C2EAE1244F35AF176F7FD37851
http://pastie.org/2547291 (ks version depends on the first four bytes of the eid)
(from main page)
 
===Observations===
<pre>  aim_spu_module.self.elf 1.00 :
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  00008670  40 1C 4A A6 3B 2C 8D 44 E2 45 F0 74 DA E7 78 2A  @.J¦;,.DâEðtÚçx*  <- compare  (1.00-3.42)
  00008680  36 0D 1E 8E E2 11 6B DF 6F 0D 8A 3C C1 7B E3 8F  6..Žâ.kßo.Š<Á{ã.  <- compare  (1.00-3.42)
  00008690  EA 48 B5 71 F4 D2 6D ED 00 00 00 00 00 00 00 00  êHµqôÒmí........  <- compare  (1.00-3.42)
  000086A0  51 F7 8B 72 A6 47 11 CF 5C 72 32 3F B8 60 7A 00  Q÷‹r¦G.Ï\r2?¸`z.  <- IV    (1.00-3.42 but not found in 3.50++)
  000086B0  92 2B 19 8C DF 0C 07 DC CE 84 8B 69 88 2D 80 4C  ’+.Œß..Ü΄‹iˆ-€L  <- KEY  (1.00-3.42 but not found in 3.50++)
  000086C0  C2 3F 19 C2 EA E1 24 4F 35 AF 17 6F 7F D3 78 51  Â?.Âêá$O5¯.o.ÓxQ  <- KEY  (1.00-3.42 but not found in 3.50++)
  000086D0  2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF  .×Î..UEE…¿j2.Í.¯  <- KS 1  (1.00-3.56)
  000086E0  30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84  0°9]ŃZª:y†´Júæ„  <- KS 4  (1.00-3.56)
</pre>
<pre>  aim_spu_module.self.elf 3.42:
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  00003070  30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84  0°9]ŃZª:y†´Júæ„  <- KS 4  (1.00-3.56)
  00003080  2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF  .×Î..UEE…¿j2.Í.¯  <- KS 1  (1.00-3.56)
  00003090  92 2B 19 8C DF 0C 07 DC CE 84 8B 69 88 2D 80 4C  ’+.Œß..Ü΄‹iˆ-€L  <- KEY  (1.00-3.42 but not found in 3.50++)
  000030A0  C2 3F 19 C2 EA E1 24 4F 35 AF 17 6F 7F D3 78 51  Â?.Âêá$O5¯.o.ÓxQ  <- KEY  (1.00-3.42 but not found in 3.50++)
  000030B0  51 F7 8B 72 A6 47 11 CF 5C 72 32 3F B8 60 7A 00  Q÷‹r¦G.Ï\r2?¸`z.  <- IV    (1.00-3.42 but not found in 3.50++)
  000030C0  40 1C 4A A6 3B 2C 8D 44 E2 45 F0 74 DA E7 78 2A  @.J¦;,.DâEðtÚçx*  <- compare  (1.00-3.42)
  000030D0  36 0D 1E 8E E2 11 6B DF 6F 0D 8A 3C C1 7B E3 8F  6..Žâ.kßo.Š<Á{ã.  <- compare  (1.00-3.42)
  000030E0  EA 48 B5 71 F4 D2 6D ED 00 00 00 00 00 00 00 00  êHµqôÒmí........  <- compare  (1.00-3.42)
</pre>
 
 
----


== appldr rev0x01 ==
  appold_R  :  B0CD2FDF15C9A79A2C28415B2B5385ED7E91D38D        # ps3publictools/include/keys.h
  appold_R  :  B0CD2FDF15C9A79A2C28415B2B5385ED7E91D38D        # ps3publictools/include/keys.h
  appold_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
  appold_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
Line 221: Line 158:
  appold_keypair_d :  3DEA9F72E7BED979EF787BA96930C01D00000000000000000000000000000000B227D4B47C5321D4FDE97B04EAF9C7F400000000000000000000000000000000        # ps3publictools/include/oddkeys.h
  appold_keypair_d :  3DEA9F72E7BED979EF787BA96930C01D00000000000000000000000000000000B227D4B47C5321D4FDE97B04EAF9C7F400000000000000000000000000000000        # ps3publictools/include/oddkeys.h


== npdrm rev 0x01 ==
== npdrm rev0x01 ==
 
  npdrm_R  :  A38BCB3E4E7309904AEFDFC5047D0FDF06E35C0D        # ps3publictools/include/keys.h
  npdrm_R  :  A38BCB3E4E7309904AEFDFC5047D0FDF06E35C0D        # ps3publictools/include/keys.h
  npdrm_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
  npdrm_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
Line 228: Line 164:
  npdrm_Da :  040AB47509BED04BD96521AD1B365B86BF620A98        # ...
  npdrm_Da :  040AB47509BED04BD96521AD1B365B86BF620A98        # ...
        
        
  klic_ps3_free :  72F990788F9CFF745725F08E4C128387        # ps3publictools/include/oddkeys.h
  npdrm_omac_key1 :  72F990788F9CFF745725F08E4C128387        # ps3publictools/include/oddkeys.h
  npd_header_hash_xor_key :  6BA52976EFDA16EF3C339FB2971E256B        # ...
  npdrm_omac_key2 :  6BA52976EFDA16EF3C339FB2971E256B        # ...
  npd_cid_fn_hash_aes_cmac_key :  9B515FEACF75064981AA604D91A54E97        # ...
  npdrm_omac_key3 :  9B515FEACF75064981AA604D91A54E97        # ...
        
        
  npdrm_keypair_e  :  A1C013ABCE98A7E3DC69923B07C0285F7554C512B0B0A96F245240F2FD433AF23F4EFEC6C183EA378D1BECB09D88DB328F2C8637B7AC72059B1556B0D95B5BE0        # ps3publictools/include/oddkeys.h
  npdrm_keypair_e  :  A1C013ABCE98A7E3DC69923B07C0285F7554C512B0B0A96F245240F2FD433AF23F4EFEC6C183EA378D1BECB09D88DB328F2C8637B7AC72059B1556B0D95B5BE0        # ps3publictools/include/oddkeys.h
Line 238: Line 174:
----
----


=== Using VSH ECDSA in Python ===


<pre>#!/usr/bin/env python
== vsh pub + curvetable ==
 
<pre>   pub    :   6227B00A02856FB04108876719E0A0183291EEB96E736ABF81F70EE9161B0DDEB026761AFF7BC85B
### Python 2 future-compatible workarounds: (see: http://python-future.org/compatible_idioms.html)
  curves :   000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
## prevent interpreting print(a,b) as a tuple plus support print(a, file=sys.stderr)
              000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
from __future__ import print_function
              0000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFE000000
## interpret long as int, support int.from_bytes()
              00000000000000000000000000FFFFFFFE00000000000000039A2EB773FCA61DCB5236A42C6F7FEB426E5ADA06
from builtins import int
              0000000000000000FFFE4A39E80D6F151E245270DDA65311EAB7634F69577D0F51E30602711A07059FBCA7BA92
## support bytes()
              F5E34D6F7216F0D828A37D413EF73F0000000000000000FFFFFFFE00000000000000000000000000000000FFFF
from builtins import bytes
              FFFE00000000000000035974123CCBE7FD63E2C31CC465CDE0334461F0F4000000000000000100004A51C3ADC1
 
              9C6BB0DED8ED713BDA9B780270209B1DBC843F5E092A5021D3A6A7AA814E24FFED9FBDAADB243C862A53A0B520</pre>
import hashlib
[http://www.multiupload.com/A19Q0HV7OW vsh-pub-curves.rar (367 Bytes)]
import binascii
 
CONST_VSH_ECDSA = {
    "P": { "INT": 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF, "DESC": "VSH P", },
    "A": { "INT": 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFC, "DESC": "VSH A", },
    "B": { "INT": 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B, "DESC": "VSH B", },
    "N": { "INT": 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127, "DESC": "VSH Order N/Q", },
    "GX": { "INT": 0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, "DESC": "VSH Gx", },
    "GY": { "INT": 0x5958557EB1DB001260425524DBC379D5AC5F4ADF, "DESC": "VSH Gy", },
    "PUBX": { "INT": 0x6227B00A02856FB04108876719E0A0183291EEB9, "DESC": "VSH PubKey X", },
    "PUBY": { "INT": 0x6E736ABF81F70EE9161B0DDEB026761AFF7BC85B, "DESC": "VSH PubKey Y", },
}
Data = bytes.fromhex("fcf66ca605a05f5274552f6df523050d98cf249bb06fdce5a0cc0db82503446cc9c00c57f7d7017368844a5f4dc25335b3d4af51238dde5b939d1d271c4922bd05017aa28d22b175165a49941ead92081044f5dd1e3f49d7b0f31a767425e702b75131fac432adfb2e24f62553cde74a8d03e1267893674b52693fbd20e801becd85fef37ccd7c735121a4f5910cf807")
print("Data:", binascii.hexlify(Data))
Sha1 = hashlib.sha1(Data).digest()  ## 0ac2caf8d2a7489be95673c7ab4d75c6a448c5f4
print("Sha1:", binascii.hexlify(Sha1))
 
Signature_R = 0x008288896404ecb6447a93bdc5606bda076ea0e6a1
Signature_S = 0x00846c7b4596e63808ca85b3e975b4673c2c84c711
 
print("----------")</pre>
A) With starkbank-ecdsa (faster) from https ://pypi.org/project/starkbank-ecdsa/<br>
Install via: pip install starkbank-ecdsa
<pre>import ellipticcurve.curve
import ellipticcurve.ecdsa
import ellipticcurve.point
import ellipticcurve.publicKey
import ellipticcurve.signature
 
Vsh_Curve = ellipticcurve.curve.CurveFp(CONST_VSH_ECDSA["A"]["INT"], CONST_VSH_ECDSA["B"]["INT"], CONST_VSH_ECDSA["P"]["INT"], CONST_VSH_ECDSA["N"]["INT"], CONST_VSH_ECDSA["GX"]["INT"], CONST_VSH_ECDSA["GY"]["INT"], "VSH Curve", oid=(1, 2, 3, 4))
#
Vsh_PubKey_Point = ellipticcurve.point.Point(CONST_VSH_ECDSA["PUBX"]["INT"], CONST_VSH_ECDSA["PUBY"]["INT"])
Vsh_PubKey = ellipticcurve.publicKey.PublicKey(Vsh_PubKey_Point, Vsh_Curve)
#
Signature = ellipticcurve.signature.Signature(Signature_R, Signature_S)
#
Data_String = Data.decode("latin-1")
Result = ellipticcurve.ecdsa.Ecdsa.verify(Data_String, Signature, Vsh_PubKey, hashfunc=hashlib.sha1)
print("Verify with module starkbank-ecdsa:", Result)
print("----------")</pre>
 
B) With ecdsa (slower) from https ://pypi.org/project/ecdsa/<br>
Install via: pip install ecdsa
<pre>import ecdsa.curves
import ecdsa.ecdsa
import ecdsa.ellipticcurve
import ecdsa.keys
 
Vsh_Curve = ecdsa.ellipticcurve.CurveFp(CONST_VSH_ECDSA["P"]["INT"], CONST_VSH_ECDSA["A"]["INT"], CONST_VSH_ECDSA["B"]["INT"])
Vsh_Generator = ecdsa.ellipticcurve.PointJacobi(Vsh_Curve, CONST_VSH_ECDSA["GX"]["INT"], CONST_VSH_ECDSA["GY"]["INT"], 1, order=CONST_VSH_ECDSA["N"]["INT"], generator=True)
#
Vsh_PubKey_Point = ecdsa.ellipticcurve.Point(Vsh_Curve, CONST_VSH_ECDSA["PUBX"]["INT"], CONST_VSH_ECDSA["PUBY"]["INT"], order=CONST_VSH_ECDSA["N"]["INT"])
Vsh_PubKey = ecdsa.ecdsa.Public_key(Vsh_Generator, Vsh_PubKey_Point, verify=True)
#
Signature = ecdsa.ecdsa.Signature(Signature_R, Signature_S)
#
Sha1_Int = int.from_bytes(Sha1, byteorder="big")
print("Sha1 Int:", Sha1_Int)
Result = Vsh_PubKey.verifies(Sha1_Int, Signature)
print("Verify with module ecdsa:", Result)
print("----------")</pre>
 
=== Observations ===


===Observations===
3.10:
3.10:
  PUB:
  PUB:
Line 412: Line 285:
   0062EEA0  20 9B 1D BC 84 3F 5E 09 2A 50 21 D3 A6 A7 AA 81  ›.¼„?^.*P!Ó¦§ª.
   0062EEA0  20 9B 1D BC 84 3F 5E 09 2A 50 21 D3 A6 A7 AA 81  ›.¼„?^.*P!Ó¦§ª.
   0062EEB0  4E 24 FF ED 9F BD AA DB 24 3C 86 2A 53 A0 B5 20  N$ÿ퟽ªÛ$<†*S µ  
   0062EEB0  4E 24 FF ED 9F BD AA DB 24 3C 86 2A 53 A0 B5 20  N$ÿ퟽ªÛ$<†*S µ  


3.55:
3.55:
Line 449: Line 323:
----
----


== Raw key list ==
==RAW key list==
 
Some insight in how the AES routines and SHA1 hashes relate to offsets in appldr:
* [http://pastie.org/private/fdabkjhmd3hwowi6dgsbw AES routines 3.15]
* [http://pastie.org/private/unpbjffn6zgy3vldefvivq sha1 hashes 3.15]
 
=== Primary Table ===
 
(C/P is from PS3 FW 3.56 Fix)


=== Primairy Table ===
(C/P is from 3.56 Fix)
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 573: Line 441:
   0001A3B0  B2 C0 CD 24 92 B0 B5 A1 00 00 00 3A 00 00 00 00  ²ÀÍ$’°µ¡...:....  PUB - Curve
   0001A3B0  B2 C0 CD 24 92 B0 B5 A1 00 00 00 3A 00 00 00 00  ²ÀÍ$’°µ¡...:....  PUB - Curve


=== Secondary Tables ===
=== Secondairy Tables ===


==== 1.00 ====
====1.00====
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 599: Line 467:
   000150B0  B4 57 8A 4C 61 C5 D6 BF 00 00 00 11 00 00 00 00  ´WŠLaÅÖ¿........  PUB - Curve
   000150B0  B4 57 8A 4C 61 C5 D6 BF 00 00 00 11 00 00 00 00  ´WŠLaÅÖ¿........  PUB - Curve


==== 2.40 ====
====2.40====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 610: Line 477:
   00018EF0  C7 46 05 E7 B8 CB 73 2D 00 00 00 08 00 00 00 00  ÇF.ç¸Ës-........  PUB - Curve
   00018EF0  C7 46 05 E7 B8 CB 73 2D 00 00 00 08 00 00 00 00  ÇF.ç¸Ës-........  PUB - Curve


==== 3.40 ====
====3.40====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 635: Line 501:
   000194E0  08 F6 A0 36 58 F2 97 0E 00 00 00 29 00 00 00 00  .ö 6Xò—....)....  PUB - Curve
   000194E0  08 F6 A0 36 58 F2 97 0E 00 00 00 29 00 00 00 00  .ö 6Xò—....)....  PUB - Curve


==== 3.50 ====
====3.50====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 660: Line 525:
   000197D0  27 CE 9E 47 88 9A 45 D0 00 00 00 2A 00 00 00 00  'ΞGˆšEÐ...*....  PUB - Curve
   000197D0  27 CE 9E 47 88 9A 45 D0 00 00 00 2A 00 00 00 00  'ΞGˆšEÐ...*....  PUB - Curve


==== 3.55 ====
====3.55====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 685: Line 549:
   0001A710  FA 3B E8 32 9E 01 5E 57 00 00 00 3A 00 00 00 00  ú;è2ž.^W...:....  PUB - Curve
   0001A710  FA 3B E8 32 9E 01 5E 57 00 00 00 3A 00 00 00 00  ú;è2ž.^W...:....  PUB - Curve


==== 3.56 ====
====3.56====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 710: Line 573:
   00020660  6A B0 91 E1 6B 23 14 33 00 00 00 3B 00 00 00 00  j°‘ák#.3...;....  PUB - Curve
   00020660  6A B0 91 E1 6B 23 14 33 00 00 00 3B 00 00 00 00  j°‘ák#.3...;....  PUB - Curve


* [http://pastebin.com/2btt19gh] <!--//Older pastie: http://pastebin.com/uWUqGXwx / http://pastie.org/private/enolspz7cyhvlg8rxhqwqg//-->
 
http://pastebin.com/2btt19gh
<!--//Older pastie: http://pastebin.com/uWUqGXwx / http://pastie.org/private/enolspz7cyhvlg8rxhqwqg//-->


=== Other ===
=== Other ===
some pasties mention parts of these, for completeness listed too.
some pasties mention parts of these, for completeness listed too.


==== Revokelist ====
==== Revokelist ====
Seen in: appldr, isoldr, lv2ldr, spu_pkg_rvk_verifier.self
Seen in: appldr, isoldr, lv2ldr, spu_pkg_rvk_verifier.self


===== 1.00-3.55 RVK =====
===== 1.00-3.55 RVK =====
 
(seen in =>1.00 <= 3.55)
(seen in => 1.00 <= 3.55)
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 732: Line 593:
   0001AC40  5A 80 48 FD 86 5F 9D 8F 1A 91 89 53 5A 37 62 3E  Z€Hý†_...‘‰SZ7b>    PUB - rvklist 0.80-3.55
   0001AC40  5A 80 48 FD 86 5F 9D 8F 1A 91 89 53 5A 37 62 3E  Z€Hý†_...‘‰SZ7b>    PUB - rvklist 0.80-3.55
   0001AC50  29 21 42 74 63 A7 54 F7 00 00 00 00 00 00 00 00  )!Btc§T÷........    PUB - rvklist 0.80-3.55
   0001AC50  29 21 42 74 63 A7 54 F7 00 00 00 00 00 00 00 00  )!Btc§T÷........    PUB - rvklist 0.80-3.55
===== 3.56 RVK =====
===== 3.56 RVK =====
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 743: Line 603:
   00020CC0  8F B5 B7 F4 B5 B4 E6 3B 00 00 00 00 00 00 00 00  .µ·ôµ´æ;........    PUB - rvklist 3.56
   00020CC0  8F B5 B7 F4 B5 B4 E6 3B 00 00 00 00 00 00 00 00  .µ·ôµ´æ;........    PUB - rvklist 3.56


==== 1.00+ ====
==== 1.00++ ====
 
(seen in =>1.00 <=3.56)
(seen in => 1.00 <=3.56)
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 766: Line 625:


----
----
Params: 0C08000E090504040D010F000406020209060D03
KeygenV4: 6B1ACEA246B745FD8F93763B920594CD53483B82
Fallback key: D1C1E10B9C547E689B805DCD9710CE8D


<!--//Other lists//-->
<!--//Other lists//-->
Line 780: Line 635:


<!--//http://pastie.org/private/dhdhplnph3pondohxnrlnw checked, all are listed above or not curve e.g.: 03 af 06 fd 1c e6 da 36 //-->
<!--//http://pastie.org/private/dhdhplnph3pondohxnrlnw checked, all are listed above or not curve e.g.: 03 af 06 fd 1c e6 da 36 //-->
----
http://pastie.org/private/qwndjafrtkvhe9cikbxhg << some eid0 related stuff.


== Fake keys ==
== Fake keys ==
Line 791: Line 650:
|}
|}


silk.sprx DES key: <code>8E3E1E46FFEE0309</code>
 


== Colors ==
== Colors ==


=== HMAC ===
===HMAC===
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| {{table}} border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#f491ad" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#f491ad" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#94c681" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#94c681" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 821: Line 680:
|}
|}


=== ldr key (inside decrypted metldr/asecure_loader) ===
===3.55===
 
====erk====
<pre>
{| {{table}} border="0" cellspacing="1" cellpadding="1"
erk: C0CEFE 84C227 F75BD0 7A7EB8 46509F 93B238 E770DA CB9FF4 A388F8 12482B E21B
riv: 47EE74 54E477 4CC9B8 960C7B 59F4C1 4D
pub: C2D4AA F31935 5019AF 99D44E 2B58CA 29252C 89123D 11D621 8F40B1 38CAB2 9B7101 F3AEB7 2A9750 19
R: 806E07 8FA152 9790CE 1AAE02 BADD6F AAA6AF 741700
n: E13A7E BC3ACC EB1CB5 6CC860 FCABDB 6A048C 55E100
K: BA9055 916861 B977ED CBED92 005092 F66C7A 3D8D00
Da: C5B2BF A1A413 DD16F2 6D31C0 F2ED47 20DCFB 067000
Priv: 00C5B2 BFA1A4 13DD16 F26D31 C0F2ED 4720DC FB0670
Curvetype: 0x20
</pre>
 
==== erk ====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C0CEFE" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C0CEFE" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#84C227" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#84C227" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 851: Line 696:
|}
|}


==== riv ====
====riv====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#47EE74" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#47EE74" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#54E477" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#54E477" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 862: Line 706:
|}
|}


==== pub ====
====pub====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C2D4AA" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C2D4AA" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#F31935" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#F31935" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 881: Line 724:
|}
|}


==== R ====
====R====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#806E07" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#806E07" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#8FA152" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#8FA152" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 893: Line 735:
|}
|}


==== n ====
====n====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#E13A7E" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#E13A7E" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#BC3ACC" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#BC3ACC" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 905: Line 746:
|}
|}


==== K ====
====K====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#BA9055" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#BA9055" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#916861" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#916861" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 917: Line 757:
|}
|}


==== Da ====
====Da====
 
{| {{table}} border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C5B2BF" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C5B2BF" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#A1A413" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#A1A413" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 928: Line 767:
|align="center" colspan="1" style="background:#067000" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#067000" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
|}
:


==== Priv ====
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#00C5B2" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#BFA1A4" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#13DD16" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#F26D31" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C0F2ED" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#4720DC" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#FB0670" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
==== Curve ====


{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
==Non PS3 specific Keys==
|align="center" colspan="1" style="background:#000020" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
 
== Non PS3 specific Keys ==


=== Kirk (PSP) ===
=== Kirk (PSP) ===
 
not to be found in the PS3, but reference is here: http://wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715
Not to be found in the PS3, but reference is here: http://wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715
 
== Unknown value in Syscon eeprom ==
 
This value is used at least 3 times and it is (conveniently?) positioned at the start of SYSCON EEPROM, followed by another unknown block with the same size of EID1.
 
<pre>
99 D9 66 2B B3 D7 61 54 6B 9C 3F 9E D1 40 ED B0
</pre>
 
== Scrambling and unscrambling obfuscated keys from loader (PS3 FW 3.60 - 3.61) ==
 
from LV1LDR.ELF FW 3.61
 
  offset 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  1A390  00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 < curve_type
  1A3A0  00 00 00 00 00 00 00 00 00 01 2E 08 00 01 2D C0
  1A3B0  00 01 8A 90 00 01 8A D0 00 00 00 00 00 00 00 00
  1A3C0  00 00 00 00 00 00 00 00 00 01 2D 90 00 01 2D 78
  1A3D0  00 01 66 28 00 01 66 28 00 00 00 00 00 00 00 00
  1A3E0  1C DA BE 30 83 38 23 F4 61 CA 53 41 04 11 5F FF < pub
  1A3F0  60 01 0B 71 06 31 E4 35 A7 D9 15 E8 2A E8 8E DE < pub
  1A400  66 72 64 65 6C B7 06 2E 00 00 00 00 00 00 00 00 < pub
  1A410  84 4F 80 F3 C5 7C 45 5C 7F 09 00 00 00 00 00 00 < root_scramble_key
 
  1D140  F9 2C 86 66 EF FB AC 7E B5 83 E5 4A 25 7F 7C 05 < sk1_key
  1D150  DD F6 A5 B1 43 C1 14 1F EE D0 1C DA 71 97 05 C3 < sk2_key
  1D160  F2 E7 0B C4 BA C1 0C 3D 8D DB B7 DC 23 05 3F 9A < sk1_iv
  1D170  01 8E 69 5C 3A 29 AF 6E 74 6A 73 CB F7 3D BD FD < sk2_iv
  1D180  FF FF FF FF 00 00 00 00 00 00 00 01 00 00 00 01
  1D190  FF FF FF FF 00 00 00 07 00 00 00 06 00 00 00 02
  1D1A0  00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00
  1D1B0  FF FF FF FF 00 00 00 30 00 00 00 20 00 00 00 20
  1D1C0  00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00
  1D1D0  00 00 00 00 FF FF FF F0 00 00 00 00 00 00 00 00
  1D1E0  62 7C B1 80 8A B9 38 E3 2C 8C 09 17 08 72 6A 57
  1D1F0  9E 25 86 E4 00 00 00 00 00 00 00 00 00 00 00 00
 
  1DE00  18 09 79 66 C3 DE 8A 0D 82 BF 95 6C B3 9F AF 78 < erk_obf
  1DE10  22 95 C6 CA 7F 1E 54 7A B3 0E DF D7 EE 5C B8 12 < erk_obf
  1DE20  9B 32 B2 0F A7 72 80 F1 09 5E A1 3F 1C 2D 5C 99 < riv_obf
 
Unscrambling script: key_unscrambler.py
 
<syntaxhighlight lang="python" enclose="div">
  from CryptoPlus.Cipher import AES
  import hashlib, hmac
 
  def sha1_hmac(key, data):
    return hmac.new(key=key, msg=data, digestmod=hashlib.sha1).digest()
 
  def aes_decrypt_cbc(key, iv, data):
    crypto = AES.new(key, AES.MODE_CBC, iv)
    return crypto.decrypt(data)
   
  def unscramble(key, iv, data):
    key = sha1_hmac(root_scramble_key, key)
    return aes_decrypt_cbc(key[:16], iv, data)
 
  def unscramble_1(key):
    return unscramble(sk1_key, sk1_iv, key)
 
  def unscramble_2(key):
    return unscramble(sk2_key, sk2_iv, key)
 
  root_scramble_key = '844F80F3C57C455C7F09'.decode('hex')
 
  sk1_key = 'F92C8666EFFBAC7EB583E54A257F7C05'.decode('hex')
  sk1_iv = 'F2E70BC4BAC10C3D8DDBB7DC23053F9A'.decode('hex')
 
  sk2_key = 'DDF6A5B143C1141FEED01CDA719705C3'.decode('hex')
  sk2_iv = '018E695C3A29AF6E746A73CBF73DBDFD'.decode('hex')
 
  erk_obf = '18097966C3DE8A0D82BF956CB39FAF782295C6CA7F1E547AB30EDFD7EE5CB812'.decode('hex')
  riv_obf = '9B32B20FA77280F1095EA13F1C2D5C99'.decode('hex')
 
  erk_dec = unscramble_1(erk_obf)
  riv_dec = unscramble_2(riv_obf)
 
  print 'erk_dec:', erk_dec.encode('hex')
  print 'riv_dec:', riv_dec.encode('hex')
</syntaxhighlight>
 
Scrambling script: key_scrambler.py
 
<syntaxhighlight lang="python" enclose="div">
  from CryptoPlus.Cipher import AES
  import hashlib, hmac
 
  def sha1_hmac(key, data):
    return hmac.new(key=key, msg=data, digestmod=hashlib.sha1).digest()
 
  def aes_encrypt_cbc(key, iv, data):
    crypto = AES.new(key, AES.MODE_CBC, iv)
    return crypto.encrypt(data)
   
  def scramble(key, iv, data):
    key = sha1_hmac(root_scramble_key, key)
    return aes_encrypt_cbc(key[:16], iv, data)
 
  def scramble_1(key):
    return scramble(sk1_key, sk1_iv, key)
 
  def scramble_2(key):
    return scramble(sk2_key, sk2_iv, key)
 
  root_scramble_key = '844F80F3C57C455C7F09'.decode('hex')
 
  sk1_key = 'F92C8666EFFBAC7EB583E54A257F7C05'.decode('hex')
  sk1_iv = 'F2E70BC4BAC10C3D8DDBB7DC23053F9A'.decode('hex')
 
  sk2_key = 'DDF6A5B143C1141FEED01CDA719705C3'.decode('hex')
  sk2_iv = '018E695C3A29AF6E746A73CBF73DBDFD'.decode('hex')
 
  erk_dec = '5FF17D836E2C4AD69476E2614F64BDD05B9115389A9A6D055B5B544B1C34E3D5'.decode('hex')
  riv_dec = 'DF0F50EC3C4743C5B17839D7B49F24A4'.decode('hex')
 
  erk_obf = scramble_1(erk_dec)
  riv_obf = scramble_2(riv_dec)
 
  print 'erk_obf:', erk_obf.encode('hex')
  print 'riv_obf:', riv_obf.encode('hex')</code>
</syntaxhighlight>
 
* Source: [http://www.ps3news.com/forums/ps3-hacks-jailbreak/ps3-lv0-keys-leaked-4-21-4-25-4-30-cfw-updates-incoming-124532-24.html]
 
= SPU Status Codes =
 
<pre>
00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00 <- SUCCESS
00 00 01 01 00 00 00 00  00 00 00 00 00 00 00 00 <- ILLEGAL PARAMETER
00 00 01 03 00 00 00 00  00 00 00 00 00 00 00 00 <- INTERNAL ERROR
00 00 01 04 00 00 00 00  00 00 00 00 00 00 00 00 <- VERIFICATION FAILURE
00 00 01 0B 00 00 00 00  00 00 00 00 00 00 00 00 <- ??? (in sv_iso, when auth_mode = 0x46 && auth_drive_super() failed)
</pre>
 
= Private Key verifier (Anti-Troll) =
 
* Source: [https://web.archive.org/web/20141119122516/http://pastie.org/private/yfmid0zejc8fp5x0ogzj5g here]
 
<syntaxhighlight lang="python" enclose="div">
#!python2
import ecdsa, random, struct
from random import SystemRandom
randrange = SystemRandom().randrange
def s2i(s):
result = 0L
for c in s:
  result = 256 * result + ord(c)
return result
def get_vsh_curves(file_path):
curves = []
curve_fmt = '>20s20s20s20s20s20s'
with open(file_path, 'rb') as in_file:
  file_data = in_file.read()
  file_size = len(file_data)
  num_curves = int(file_size / struct.calcsize(curve_fmt))
  for i in xrange(num_curves):
  data = file_data[i * struct.calcsize(curve_fmt):(i + 1) * struct.calcsize(curve_fmt)]
  inv_data = ''.join([chr((~ord(x)) & 0xff) for x in data])
  p, a, b, n, gx, gy = struct.unpack(curve_fmt, inv_data)
  curves.append({
    'p': s2i(p),
    'a': s2i(a),
    'b': s2i(b),
    'n': s2i(n),
    'gx': s2i(gx),
    'gy': s2i(gy)
  })
return curves
def get_loader_curves(file_path):
curves = []
curve_fmt = '>20s20s20s21s20s20s'
with open(file_path, 'rb') as in_file:
  file_data = in_file.read()
  file_size = len(file_data)
  num_curves = int(file_size / struct.calcsize(curve_fmt))
  for i in xrange(num_curves):
  data = file_data[i * struct.calcsize(curve_fmt):(i + 1) * struct.calcsize(curve_fmt)]
  inv_data = ''.join([chr((~ord(x)) & 0xff) for x in data])
  p, a, b, n, gx, gy = struct.unpack(curve_fmt, inv_data)
  curves.append({
    'p': s2i(p),
    'a': s2i(a),
    'b': s2i(b),
    'n': s2i(n),
    'gx': s2i(gx),
    'gy': s2i(gy)
  })
return curves
curves = get_loader_curves('ldr_curves') #SELECT TYPE OF CURVES HERE, LDR_CURVES USED AS DEFAULT
def get_curve_parameters(type):
params = curves[type]
return params['p'], params['a'], params['b'], params['n'], params['gx'], params['gy']
curve_type = 0x27 # SELECT CURVE TYPE HERE, SD CURVE TYPE AS DEFAULT
p, a, b, n, gx, gy = get_curve_parameters(curve_type) # parameters
c = ecdsa.ellipticcurve.CurveFp(p, a, b) # curve equation
g = ecdsa.ellipticcurve.Point(c, gx, gy, n) # generator point
q = ecdsa.ellipticcurve.Point(c, gx, gy) # public point
k = 0x000000000000000000000000000000000001000000L # TODO: PLACE PRIVATE KEY HERE , USED SD KEY AS DEFAULT
public_key = ecdsa.ecdsa.Public_key(g, g * k)
print 'Qx: {0:040X}'.format(public_key.point.x())
print 'Qy: {0:040X}'.format(public_key.point.y())
</syntaxhighlight>
 
= Lv0 Passwords =
 
Lv0 sends this value to SPU when it loads lv1.self. Check is inside lv1ldr.
 
{| class="wikitable sortable"
|-
! version !! password
|-
| 3.40 - 3.42 || <code>9CD17AA7DBBFDE9B38F443F1F422B96E</code>
|-
| 3.50 || <code>C11BBA042177DA40E26C9A2CFB03978C</code>
|-
| 3.55 || <code>87746DC81CAE22812C44FC0E4F95338C</code>
|-
| 3.56 || <code>62E3F39DB055BDB16CBE68F79206FCC9</code>
|-
| 3.60 - 3.61 || <code>24D584F6452DD2AFF51A274A315CEC28</code>
|-
| 3.65 - 3.66 || <code>6B7CD8A6E714F28DAF10254303A25ED1</code>
|-
| 3.70 - 3.74 || <code>70D9A205D09B1D26AD00CA0213CC0B8D</code>
|-
| 4.00 - 4.11 || <code>8005ADF19082F027E19E947DC5A51A05</code>
|-
| 4.20 - {{latestPS3}} || <code>25EFE04B1D920B48CFFDCE7D43F438F1</code>
|}
 
= RSA Source Example =
 
* [https://paste.ubuntu.com/24678348/ (to mirror because needs account)]
* Uses Trophy Public Modulus and Exponent for Signature verification
* Adapted from [https://rosettacode.org/wiki/RSA_code#C Rosetta Code]
 
= Unknown Triple_DES key? =
 
Key = F1660C455AB510B98B42660B8FB0476402C503052DB2AC87
IV  = 6991982C9598E77C
* Location: explore_plugin.sprx
 
= SacModule =
 
Key = 01A325C749EB6DF8E9C7AF856D432B10
IV  = D23785A490CBE1860F1D249CE56F73AB
Data.enc = 5745E719A338CD681D02D7089A40FBF6D1E4206780ED0922E049B5BF69959DA3
Data.dec = 6794C8666FB90DF0B6350B1816D5C8F010101010101010101010101010101010
 
First 0x10 bytes only used from the decrypted data.
 
Key2 = 10CC98B53A7C4462B8700923E613FA39
IV2  = B07985E490BCB8520F1D639CE56F73AB
Data2.enc = E172AC67EFD5FB5EC97EC180592D17F2 .... 5A79457925B6678D3866ADC53C4658EE
Data2.dec = 00A09853C2AF506F5F8876AB4543233C .... 4334097D2FDD1C090909090909090909
 
There are 2 blobs inside:
* 1) offset = 0, size = 0xAF.
* 2) offset 0xB7, size = 0x240.
 
Second part contains RSA-1024 Private keyset, used to sign some data.
 
rsa sig pub: BF4F654ED270FE7EA234B0503EA6428CC65496E652380F308FA74165F2A4571CBCA16D7A7FF381E1D92F93AFD465D671C2C1478F58D5D48CB45624A528F69603
              6C21746224A4956D625087139679064961139227C9D001769D8250CA3E54FCDBDE311DA0B2B1EF13BDA3241E11C8FFB8BAB71879FB022730830612EC8F972305
rsa sig priv:4E6790A27436A0E66F3DDEC0945C794BCE809E737860C740E4AEEC6B86BCF982AA80122931453006CA86E825188C400DD17E7B0071ACF8F64D763C807FC0478C
              1B0DA0B18179DE1301D2BFE4B5D68682BEF06F532D331C026DE7BCE1E2F64F9D850A48602D4E1DE9358D7A4EDEF91388382439CE9F25B350ED511F4ED7E83545
rsa sig P:  F6B73A560471BB8DF71474F8682F7DF63FDC9F263CA9B76C43FB8090ADCF59D22BE2405C2D454A678D0B58942B47100CA4E3E9F03C4B5AB3B95ED77AF8168B4B
rsa sig Q:  C68268F30C242D5E234DF91ED0954D7C56AEEAA90EE554EB845473C6777182C92504C3AE6F7FEC44AF7C4C7963BD3E91B241D714A9D8D97B6B3041D2095A48EF
rsa sig DP:  BB5E3423978478983C8980BC1703DA79E5CE3BDFE23A525F1AD22AB5B60ABF806A6B8DCD73642839B458659141BCDA677FE2C78BF77E9307E3443009E7D7D739
rsa sig DQ:  39A67C0641FB6BB590393FE5441C68317917398D39873EBF5B620F718F14C72FD57169C70A18B3AC4AEEA56307A5593B84F27C1D432A7816D0CD660032B926BF
rsa sig QP:  71D9D08479685B74B35F318137865935E6DD4400888C97C24C08A0CD7B860809E361FE252E8638264D2E098D6303ADD1021B80AF4ACF210F0C4334097D2FDD1C
 
rsa enc pub: BE95A0C43EDEAADE777A54521F5B9836D8C1FA17071F12DDF1B30289CC9FB24200508B875E6F155F9AB8D8B808DB752682B20CAC56F8EA2276DB52D81E3195FE
              A31A539F9AB9E68232CC523735E18CEC41112AADF8A66DA782BA297AAC60CEA323B067D357B3410FCB84253159CAD55B6664FD888F196BB78EB2BE85EBEBDD1F
 
= Unity Keys =
 
<pre>
PS3:      I3-DDQR-F4PJ-5D8E-G4TT-DQS2
Vita:        I3-B2DJ-BSR5-HKTE-2HHH-9QR2
 
PS4:            I3-9HBF-CRK9-TDEA-422V-KDB5
Vita/PS4:    I3-M7AD-279S-X79U-FPTT-854R
 
PS3/Vita:    I3-CH9J-73FU-F25C-NVPU-7Q43
PS3/PS4:    I3-ZHZG-JS75-VJ5T-GJD4-EDTX
</pre>
 
= Fail Keys =
 
Sony's Hall of Shame, see [[Fail_Keys]]
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Template used on this page: