Seeds: Difference between revisions
No edit summary |
No edit summary |
||
Line 72: | Line 72: | ||
Taken from: sc_iso.self/sc_iso_factory.self | Taken from: sc_iso.self/sc_iso_factory.self | ||
=== eid2 === | === eid2 -> used for individual bluray information === | ||
==== eid2 individuals seed ==== | ==== eid2 individuals seed ==== |
Revision as of 15:25, 6 July 2014
Information about these seeds
The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.
Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.
Common
Common individuals seed
59 30 21 45 AC 09 B1 EF E6 9E 9B 7A 25 FF 8F 86 E9 F6 81 4D 37 DE 20 4D 29 72 9B 84 16 BA ED E4 22 70 98 65 7F 29 8C DB 6A 9B 5E 59 E4 A4 BA 2F 8E 6A 74 0E 1F C1 E3 E9 35 DD D2 F6 6C DE DD 6B
Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg
Taken from: isoldr/appldr/lv1ldr
eEID
eid0 -> used for individual ps3/psp/psn information
eid0 individuals seed
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C 37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B 08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4 D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self
eid0 keyseed 0x0
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
Taken from: aim_spu_module.self
eid0 keyseed 0x6
3A B0 E6 C4 AC FF B6 29 36 2F FB BB DB C8 54 BC
Taken from: pspemudrm (kirk)
eid0 keyseed 0xA
30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84
Taken from: aim_spu_module.self
eid1 -> used for individual SYSCON information
eid1 individuals seed
B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7
Taken from: sc_iso.self/sc_iso_factory.self
eid2 -> used for individual bluray information
eid2 individuals seed
74 92 E5 7C 2C 7C 63 F4 49 42 26 8F B4 1C 58 ED 66 83 41 F9 C9 7B 29 83 96 FA 9D 82 07 51 99 D8 BC 1A 93 4B 37 4F A3 8D 46 AF 94 C7 C3 33 73 B3 09 57 20 84 FE 2D E3 44 57 E0 F8 52 7A 34 75 3D
Taken from: fdm_spu_module.self
eid2 DES key
6C CA B3 54 05 FA 56 2C
Taken from: fdm_spu_module.self
eid2 DES iv
00 00 00 00 00 00 00 00
Taken from: fdm_spu_module.self
eid3
eid3 individuals seed
01 D0 49 6A 3B AD D1 73 55 70 CB 29 E1 6F A2 31 4F A9 FD 1A BA 19 A1 C6 9E EA 2F 4A A6 07 A7 1C 6F E2 3E F8 DF BB 0F 2D 9D 45 2C D5 FA D5 8B 74 5B F8 A4 A5 0D 8B DB 29 B2 F4 BF 14 C4 4A DD 76
Taken from: CprmModule.spu.isoself
eid3 keyseed
5F FF 3F D8 1E 18 B9 56 DA E4 E6 D3 36 82 97 EF
Taken from: CprmModule.spu.isoself
eid3 static key
D9 94 06 CA 4B F3 07 50 43 6A 45 47 36 83 45 89
Taken from: CprmModule.spu.isoself
eid4
eid4 individuals seed
3E C2 0C 17 02 19 01 97 8A 29 71 79 38 29 D3 08 04 29 FA 84 E3 3E 7F 73 0C 1D 41 6E EA 25 CA FB 3D E0 2B C0 05 EA 49 0B 03 E9 91 98 F8 3F 10 1F 1B A3 4B 50 58 94 28 AD D2 B3 EB 3F F4 C3 1A 58
Taken from: sv_iso_spu_module.self
HDD Specific
ATA data individuals seed
D9 2D 65 DB 05 7D 49 E1 A6 6F 22 74 B8 BA C5 08 83 84 4E D7 56 CA 79 51 63 62 EA 8A DA C6 03 26
Taken from: sb_iso_spu_module.self
ATA tweak individuals seed
C3 B3 B5 AA CC 74 CD 6A 48 EF AB F4 4D CD F1 6E 37 9F 55 F5 77 7D 09 FB EE DE 07 05 8E 94 BE 08
Taken from: sb_iso_spu_module.self
ENCDEC data individuals seed
E2 D0 5D 40 71 94 5B 01 C3 6D 51 51 E8 8C B8 33 4A AA 29 80 81 D8 C4 4F 18 5D C6 60 ED 57 56 86
ENCDEC tweak individuals seed
02 08 32 92 C3 05 D5 38 BC 50 E6 99 71 0C 0A 3E 55 F5 1C BA A5 35 A3 80 30 B6 7F 79 C9 05 BD A3
PS2 Emu Specific
mc_iso individuals seed(?)
52 38 D0 FA 23 A9 93 B8 97 1D 40 0F 98 2D 21 77 81 30 DC F4 DE 7C 4E 11 9C 1D E2 86 AA 37 61 0B 1A B7 11 22 3F 27 68 16 59 AE 6B 71 F1 84 F9 CB 0E 00 D0 8A D0 6A F9 F7 A1 D5 5F 69 C7 1D 2B 25
Taken from: mc_iso_spu_module.self
me_iso individuals seed(?)
F2 33 6E 25 63 B6 03 07 7A 76 65 71 26 CA E4 DB 82 0E 92 85 6B 69 3C E8 14 22 E9 FB 1C 1C A5 B3 E9 43 38 8E 4B 48 03 50 AA 24 A5 FB FA BF D1 72 D9 7A 1E 25 DE 3E 64 A0 A7 A4 82 52 84 56 B1 74
Taken from: me_iso_spu_module.self
Syscon Specific
sc_iso module seed
B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7
sc_iso key seeds
63 DC A7 D3 FE E4 7F 74 9A 40 83 63 F1 10 4E 8F (1) 4D 10 09 43 24 00 9C C8 E6 B6 9C 70 32 8E 34 C5 [2] D9 79 49 BA D8 DA 69 D0 E0 1B F3 15 23 73 28 32 (3) C9 D1 DD 3C E2 7E 35 66 97 E2 6C 12 A7 B3 16 A8 [4] 72 FF 4C 7F D2 A5 90 8D 6C 9C 3F D3 C0 37 FE EB (5) FA 8D 08 3C 05 20 80 D4 A1 94 53 45 2E 17 9A 44 [6] 35 F8 42 12 95 CB F4 84 E0 6A 17 FA 2F B9 86 86 (7) C2 F3 68 5E 7E F4 97 68 33 7B 79 FD BC 82 65 BE [8] C6 E1 93 31 FC 6D 75 D1 C2 80 09 13 D1 79 3C 7E (9) 77 1A 75 5F 40 2D 51 96 D0 2A 0D 09 2B EF E0 1E [10] B1 17 01 62 9E D2 FA 91 8F 9F 4D 8B 78 D7 2D 74 (11) 19 93 0D E0 B6 FD CF FC 7B A6 30 B8 2D 53 04 31 [12] 44 20 ED 72 2F EA 35 02 19 55 AB 40 C7 8E E6 DF (13) 3E 67 C2 D9 43 2E 15 D0 9B EF 0E 6C 64 92 45 5D [14] 5F A6 AF 2B B0 7F 72 E2 AB F8 0B 4E F6 DA 98 E0 (15) 8C B7 82 E5 3E 8A EB 8A 76 8D 36 65 98 28 1B 9B [16]
Size 256
() first, [] second on ida
D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74 rev 0x2 FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7 rev 0x3 DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14 rev 0x4 (1.00 -> 4.00) 29 C1 94 FF EC 1F D1 4D 4A AE 00 6C 32 B3 59 90 rev 0x? (rev 5?, found on 4.30, maybe in below fw's)
sherwood_ss_seed
9F 1D F8 16 BB 4A 4A 01 29 D0 31 CF B0 AD 9B 30 D3 02 FD E1 75 78 FB DB A1 05 84 49 BA 5C 1B EA 0E 6B 74 80 E5 CE B2 56 2A 33 47 BB 41 01 24 55 79 10 AC 5D 2A D1 60 01 F6 A2 78 39 79 09 61 03
used for vtrm block crypto (aes_xts)
ss_seed_one_more
E3 05 28 04 B7 D2 83 6F 28 79 A1 75 1B B4 0D 48 EF 58 6F 9D 59 91 70 67 68 50 59 0B A6 7D 4B C7 5D 95 98 63 7A F2 5F 80 23 62 3B 12 68 B5 13 1A 0E AA 32 14 0A 28 61 D8 65 96 26 F6 CE 22 86 DB
also used for vtrm block crypto (aes_xts)
first block contains crl and drl hashes(see this for any doubts you might have)
unknown_seed
E3 EF DE 98 7E 4A 2D 3F 8C F7 B3 B6 0E 84 6B 21 4A B0 26 66 4E 9D 02 F5 3E FF 95 44 54 9B 1F 97 7E CA 7F 29 98 91 F1 B2 43 11 9E 35 AE 94 C3 DE E0 B7 A0 86 7C F4 49 23 BA E6 5E 33 86 46 0C 80
used when sc_iso needs to authenticate ps3 with syscon during time commands (clock drift)
(seed_for_backup is used to decrypt encrypted root info inside syscon and is actually an ascii seed, just like keyseed_for_srk2)
something else
13 16 3A 92 B5 05 13 54 2C 18 AB AD 31 B8 5F B7 <- 1 2B C8 BB 73 F4 B5 9A C6 58 A7 37 A5 DD 53 5D FE <- 2 D6 C3 74 FC DF F8 C3 CF 44 01 8C 78 73 3B F5 B2 64 8B 9F F9 4E F3 21 C6 9A 4A E5 96 F2 F0 8D 22 62 6C 71 24 FC 5B A1 AF 74 36 38 9B A3 7C 66 54 9D 94 BE 46 1C AF 08 3C 9D 9F A1 85 C9 3A EE 7B 18 D3 92 2D 4C A4 9C 1F 48 A6 FE FD 24 1D 5C 23 <- n1 05 8E B0 A8 2D 91 99 E8 70 28 C6 7D B9 F4 9A CF <- n2 CC 6A 09 07 DF 49 51 BF 27 CF 7B C2 DE 24 C5 70 F7 6E 53 0B CB CD 38 76 BC EC C8 D5 96 B5 83 B4 12 3D E1 47 FB 53 D5 F4 9D 55 BE 64 0F 2D 7C B0 73 3A A5 52 3A 57 B7 70 F5 97 22 27 0C F2 31 40
1->n1->2->n2 (in ida)
Notes
- libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
- you'll need eid_root_key, hdd image and eid
- the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
- many thanks to fail0verfl0w for this. gotta love the print_hash function :3
- https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
- Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
- ss_sc_init contains fallback EID1 of size 0x290 bytes.
References
THE PLACEHOLDER <- this curious pastie contains the first 4 bytes of several keys/seeds
1st-eid2 indiv seed 2nd-eid0 indiv seed 3rd-eid1 indiv seed 4th-eid4 indiv seed 5th-ata data seed 6th-me iso indiv seed 7th-mc iso indiv seed
isolated modules <- used as reference for eid specific seeds, amongst others
Others (???)
06 78 CE 0E (found, divx player key, decrypt divxdrm.sprx with sc services) 67 C0 75 8C F4 99 6F EF 7E 88 F9 0C C6 95 9D 66 (found, debug disc fallback)
Taken respectively from N's Twitter
What's inside:
Each EID0 Section (0xC0 bytes)
Description | Length | Note |
---|---|---|
Data | 0x38 | contains the actual data of the file |
R | 0x14 | part of the ecdsa signature pair (r,s) |
S | 0x14 | part of the ecdsa signature pair (r,s) |
public key | 0x28 | ecdsa public key |
unknown | 0x20 | unknown |
omac/cmac1 | 0x10 | hash of the previous information in CMAC1/OMAC mode |
padding | 0x8 | zero byte padding |
EID1 (0x2A0 bytes)
This is, quite possibly, one of the most important EID parts in the system. Since the seed was found on syscon selfs, it's very likely that this is directly associated with SYSCON itself. Unfortunately, there is no way to know because there are additional layers of cryptography inside it.
EID2(0x730 bytes)
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying
Description | Length | Note |
---|---|---|
Header | 0x20 | |
Pblock | 0x80 | contains bd drive info |
Sblock | 0x690 | contains bd drive info |
EID3(0x100)
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication
Offset | Description | Length | Note |
---|---|---|---|
0x00 | Header | 0x20 | |
0x20 | cprm player keys | 0xB8 | |
0xD8 | sha1 digest | 0x14 | sha1 digest of previous section |
0xEC | padding | 0x4 | |
0xF0 | omac1 digest | 0x10 | omac1 digest of whole eid3 |
EID4(0x30)
Description | Length | Note |
---|---|---|
Drive Key 1 | 0x10 | Encrypts data sent from host to bd drive |
Drive Key 2 | 0x10 | Decrypts data sent from bd drive to host |
CMAC/OMAC1 | 0x10 | Hash of the previous bytes in CMAC/OMAC1 mode |
EID5 (0xA00)
The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.
Theory
0x40 bytes Header
Description | Length | Note |
---|---|---|
header(idps) | 0x10 | idps |
unk(static) | 0x2 | 00 12 |
unk2(static) | 0x2 | 00 0B (eid0) 00 02(request_idps) 07 30 (eid5) |
perconsole nonce | 0xC | |
unk3(changes) | 0x20 |
Content
Description | Length | Note |
---|---|---|
sections | 0x9C0 | 13 sections of 0xC0 bytes each (copy of the 11 sections in EID0 and two sections dedicated to bootldr and metldr respectively) |