Mounting HDD on PC: Difference between revisions
[[Category:OtherOS]]
=Introduction=
* The goal is to mount the PS3 HDD on a Linux PC and make changes to it.
* Use device mapper for transparent encryption/decryption.
=ATA and ENCDEC Keys=
''Main Article [[HDD Encryption]]''
=Device Mapper=
* A really cool feature of Linux 2.6/3.
* The device mapper is stackable.
* You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.
==dm-bswap16==
* Swaps bytes in each 16-bit word.
* It is necessary for HDD/VFLASH encryption/decryption.
* Tested on Linux 3.5.3
GIT repo: http://gitorious.ps3dev.net/ps3linux/dm-bswap16
===Test===
<pre>
modprobe loop
modprobe dm_mod
modprobe dm-bswap16
dd if=/dev/zero of=test.bin bs=1K count=100
losetup /dev/loop0 ./test.bin
echo "0 200 bswap16 /dev/loop0" | dmsetup create test
ls -l /dev/mapper/test
echo "00 01 00 01 00 01" | xxd -r -p > /dev/mapper/test
# device mapper target
hexdump -C /dev/mapper/test
00000000 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00019000
# real data, as you see bytes are swapped in each 16-bit word
# device mapper allows you to do really cool things :)
hexdump -C ./test.bin
00000000 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00019000
dmsetup remove test
</pre>
===Test with ps3da===
* Tested with Debian LiveCD and Linux 3.4.10
* xts_aes: http://gitorious.ps3dev.net/ps3linux/xts_aes
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free
dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
echo "0 2 bswap16 /dev/loop1" | dmsetup create test
# decrypt using xts_aes
cat /dev/mapper/test | ./xts_aes/xts_aes -d -k <your ATA data key> -t <your ATA tweak key> | hexdump -C
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............|
00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-|
000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..|
00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400
</pre>
==dm-crypt==
* We don't need the xts_aes application anymore.
* The Linux kernel does encryption/decryption of data transparently for us.
* One of the device mapper features is that it's stackable, which is very useful for us.
* VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.
===HDD Test===
* Tested on PS3 itself with Debian LiveCD and Linux kernel version 3.4.10 but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free
dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
echo "0 2 bswap16 /dev/loop1" | dmsetup create test
# create key file
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 4 09:23 control
lrwxrwxrwx 1 root root 7 Sep 4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 4 09:30 test_crypt -> ../dm-1
hexdump -C /dev/mapper/test_crypt
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............|
00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-|
000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..|
00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400
# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes
# Linux device mapper is really great !!!
</pre>
===VFLASH Test===
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free
dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
# the target is named hdd because the cryptsetup call below opens /dev/mapper/hdd
echo "0 16 bswap16 /dev/loop1" | dmsetup create hdd
# create hdd key file
echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
# VFLASH begins at sector 8 on HDD
echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash
# create VFLASH key file
echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin
ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 vflash_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# it is important to use option -p here because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.
cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 4 10:46 control
lrwxrwxrwx 1 root root 7 Sep 4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root 7 Sep 4 11:10 vflash_crypt -> ../dm-3
hexdump -C /dev/mapper/vflash_crypt
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 00 75 f8 |..............u.|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 00 78 00 00 00 00 00 00 06 3e 00 |......x.......>.|
000000d0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 01 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 00 06 b6 00 00 00 00 00 00 00 80 00 |................|
00000160 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 00 07 36 00 00 00 00 00 00 00 04 00 |......6.........|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000270 00 00 00 00 00 07 3a 00 00 00 00 00 00 00 c0 00 |......:.........|
00000280 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000290 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000002a0 10 80 00 00 04 00 00 01 00 00 00 00 00 00 00 03 |................|
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000300 00 00 00 00 00 07 fa 00 00 00 00 00 00 00 02 00 |................|
00000310 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
# now VFLASH is also decrypted
# next step is partition table
</pre>
=PS3 HDD Partition Table=
* Now that we can decrypt/encrypt the PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions, because only then can we make changes to the UFS or FAT filesystems on the HDD.
* We have to implement the PS3 HDD partition table in the Linux kernel.
* A Linux kernel with this feature creates all partition devices automatically, so we can mount and modify any HDD region easily.
* A new Linux kernel patch is necessary.
* PS3 partition table is of size 0x1000 bytes.
* Implemented PS3 partition support in Linux kernel. See patch '''0035-ps3-partition.patch''' here http://gitorious.ps3dev.net/ps3linux/kernel-patches-35
* Use kpartx tool to reread partition table.
==Structure==
<pre>
#define MAX_ACL_ENTRIES 8
#define MAX_PARTITIONS 8
#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL

/* All multi-byte fields are stored big-endian on disk (see the hexdumps above). */
struct p_acl_entry {
    u64 laid;
    u64 rights;
};

struct d_partition {
    u64 p_start;    /* first sector of the region */
    u64 p_size;     /* size of the region in sectors */
    struct p_acl_entry p_acl[MAX_ACL_ENTRIES];
};

struct disklabel {
    u8 d_res1[16];
    u64 d_magic1;   /* MAGIC1 */
    u64 d_magic2;   /* MAGIC2 */
    u64 d_res2;
    u64 d_res3;
    struct d_partition d_partitions[MAX_PARTITIONS];
    u8 d_pad[0x600 - MAX_PARTITIONS * sizeof(struct d_partition) - 0x30];
};
</pre>
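The layout above can be checked against the decrypted hexdumps on this page. The following C parser is an added example, not the kernel patch or the kpartx code: it decodes the big-endian fields, rejects a label whose magics do not match, and bounds-checks every entry before a mapping would be created from it. The error codes, helper names, the rule that an all-zero slot is unused, and the sample device size are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACL_ENTRIES 8
#define MAX_PARTITIONS  8
#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL
#define HDR_SIZE      0x30                         /* d_res1 + magics + d_res2/3 */
#define PART_SIZE     (16 + MAX_ACL_ENTRIES * 16)  /* 0x90 bytes per d_partition */
#define LABEL_SIZE    0x600                        /* sizeof(struct disklabel)   */
#define TABLE_SECTORS (0x1000 / 512)               /* table occupies 0x1000 bytes */
#define SAMPLE_DEV_SECTORS 488397168ULL            /* assumed disk size, not from the page */

enum { E_SHORT = -1, E_MAGIC = -2, E_RANGE = -3, E_OVERLAP = -4 };

struct ps3_part { uint64_t start, size; };         /* both in 512-byte sectors */

/* Decode byte by byte: correct on a little-endian PC, no unaligned loads. */
static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--, v >>= 8)
        p[i] = (uint8_t)v;
}

/* Returns the number of valid partitions written to out, or a negative error. */
int ps3_parse_label(const uint8_t *buf, size_t len, uint64_t dev_sectors,
                    struct ps3_part out[MAX_PARTITIONS])
{
    int n = 0;

    if (len < LABEL_SIZE)
        return E_SHORT;
    if (be64(buf + 0x10) != MAGIC1 || be64(buf + 0x18) != MAGIC2)
        return E_MAGIC;   /* wrong key, missing bswap16 layer, or not a PS3 label */

    for (int i = 0; i < MAX_PARTITIONS; i++) {
        const uint8_t *e = buf + HDR_SIZE + (size_t)i * PART_SIZE;
        uint64_t start = be64(e), size = be64(e + 8);

        if (start == 0 && size == 0)
            continue;     /* assumption: an all-zero slot is unused */
        /* must not cover the table; overflow-safe start + size <= dev_sectors */
        if (start < TABLE_SECTORS || size == 0 || size > dev_sectors ||
            start > dev_sectors - size)
            return E_RANGE;
        for (int j = 0; j < n; j++)
            if (start < out[j].start + out[j].size && out[j].start < start + size)
                return E_OVERLAP;
        out[n].start = start;
        out[n].size = size;
        n++;
    }
    return n;
}

/* Constructed sample: the magics and the four start/size pairs visible in the
 * decrypted HDD hexdump on this page; ACL entries are left zero. */
void build_sample(uint8_t buf[LABEL_SIZE])
{
    static const uint64_t p[4][2] = {
        { 0x00000008ULL, 0x00080000ULL },
        { 0x00080010ULL, 0x039a8b2dULL },
        { 0x03a28b45ULL, 0x003ffff8ULL },
        { 0x03e28b46ULL, 0x1939ce0cULL },
    };

    memset(buf, 0, LABEL_SIZE);
    put_be64(buf + 0x10, MAGIC1);
    put_be64(buf + 0x18, MAGIC2);
    for (int i = 0; i < 4; i++) {
        put_be64(buf + HDR_SIZE + i * PART_SIZE, p[i][0]);
        put_be64(buf + HDR_SIZE + i * PART_SIZE + 8, p[i][1]);
    }
}

static uint8_t label[LABEL_SIZE];
static struct ps3_part parts[MAX_PARTITIONS];

int main(void)
{
    build_sample(label);
    int n = ps3_parse_label(label, sizeof label, SAMPLE_DEV_SECTORS, parts);
    if (n < 0) {
        fprintf(stderr, "label rejected: %d\n", n);
        return 1;
    }
    for (int i = 0; i < n; i++)   /* same columns as "kpartx -l": size, then start */
        printf("part%d : 0 %llu %llu\n", i + 1,
               (unsigned long long)parts[i].size, (unsigned long long)parts[i].start);
    return 0;
}
```

A magic mismatch is the quickest sign that the bswap16 layer, the key file or the sector offset is wrong, so checking it before creating any mapping avoids mounting garbage.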
==kpartx==
* kpartx is a tool which reads partition tables and creates device maps.
* We need kpartx in order to be able to create partitions from device mapper targets.
* But kpartx doesn't support PS3 partition table currently.
* We need a patch which adds PS3 partition table support.
* Official GIT repo: http://git.opensvc.com/multipath-tools/.git
* '''PS3 partition table support is upstream now, you don't have to patch it anymore !!!'''
===Patching and Building===
* See my GIT repo: http://gitorious.ps3dev.net/ps3linux/multipath-tools-patches
<pre>
git clone http://git.opensvc.com/multipath-tools/.git multipath-tools
cd multipath-tools
patch -p1 < ../kpartx-ps3-partition.patch
make
</pre>
===Test===
<pre>
sudo ./kpartx/kpartx -l /dev/ps3da
ps3da1 : 0 524288 /dev/ps3da 8
ps3da2 : 0 60459821 /dev/ps3da 524304
ps3da3 : 0 4194296 /dev/ps3da 60984133
ps3da4 : 0 423218700 /dev/ps3da 65178438
</pre>
==Test==
<pre>
modprobe dm-bswap16
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
hdd_size=`blockdev --getsize /dev/ps3da`
echo "0 $hdd_size bswap16 /dev/ps3da" | dmsetup create hdd
# create key file
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 6 11:07 control
lrwxrwxrwx 1 root root 7 Sep 6 11:09 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 6 11:12 hdd_crypt -> ../dm-1
hexdump -C /dev/mapper/hdd_crypt | head -23
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............|
00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-|
000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..|
00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
# create device mapper partitions with kpartx
kpartx-ps3 -l /dev/mapper/hdd_crypt
hdd_crypt1 : 0 524288 /dev/mapper/hdd_crypt 8
hdd_crypt2 : 0 60459821 /dev/mapper/hdd_crypt 524304
hdd_crypt3 : 0 4194296 /dev/mapper/hdd_crypt 60984133
hdd_crypt4 : 0 423218700 /dev/mapper/hdd_crypt 65178438
kpartx-ps3 -a /dev/mapper/hdd_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 7 01:09 control
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt1 -> ../dm-2 <---------- VFLASH
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt2 -> ../dm-3 <---------- GameOS UFS2
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt3 -> ../dm-4 <---------- FAT32 region
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt4 -> ../dm-5 <---------- OtherOS++ HDD region
# create VFLASH key file
echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin
ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 vflash_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# it is important to use option -p here because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.
cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/hdd_crypt1
hexdump -C /dev/mapper/vflash_crypt | head -23
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 00 75 f8 |..............u.|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 00 78 00 00 00 00 00 00 06 3e 00 |......x.......>.|
000000d0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 01 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 00 06 b6 00 00 00 00 00 00 00 80 00 |................|
00000160 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 00 07 36 00 00 00 00 00 00 00 04 00 |......6.........|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
# create device mapper partitions with kpartx
kpartx-ps3 -l /dev/mapper/vflash_crypt
vflash_crypt1 : 0 30200 /dev/mapper/vflash_crypt 8
vflash_crypt2 : 0 409088 /dev/mapper/vflash_crypt 30720
vflash_crypt3 : 0 32768 /dev/mapper/vflash_crypt 439808
vflash_crypt4 : 0 1024 /dev/mapper/vflash_crypt 472576
vflash_crypt5 : 0 49152 /dev/mapper/vflash_crypt 473600
vflash_crypt6 : 0 512 /dev/mapper/vflash_crypt 522752
kpartx-ps3 -a /dev/mapper/vflash_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 7 01:09 control
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt1 -> ../dm-2
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt2 -> ../dm-3
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt3 -> ../dm-4
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt4 -> ../dm-5
lrwxrwxrwx 1 root root 7 Sep 7 01:15 vflash_crypt -> ../dm-6
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt1 -> ../dm-7
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt2 -> ../dm-8
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt3 -> ../dm-9
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt4 -> ../dm-10
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt5 -> ../dm-11
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt6 -> ../dm-12
# Now we can mount any PS3 HDD regions on PC :)
# Linux kernel device mapper is a really great feature.
# mount UFS2 partition
mount -t ufs -o ufstype=ufs2,ro /dev/mapper/hdd_crypt2 /mnt/
ls -l /mnt/
total 16
drwx-----x 5 root root 512 Dec 31 2008 crash_report
drwx------ 3 root root 512 Dec 31 2008 drm
drwxr-xr-x 6 root root 512 Dec 31 2008 game
drwx------ 3 root root 512 Dec 31 2008 home
drwx------ 3 root root 512 Dec 31 2008 mms
drwx------ 5 root root 512 Dec 31 2008 tmp
drwx------ 2 root root 512 Jun 17 2009 vm
drwx------ 5 root root 512 Jul 15 2009 vsh
umount /mnt
mount /dev/mapper/vflash_crypt4 /mnt/
ls -l /mnt/
total 1
drwxr-xr-x 6 root root 512 Jul 15 2009 data-revoke
</pre>
=Making Changes to cell_ext_os_area VFLASH Region=
* Here is one of the use cases for your dumped HDD and VFLASH keys.
* It's the VFLASH region where petitboot is stored.
* Useful for OtherOS++ users.
* You will need it if you flash a bad petitboot which doesn't boot and just hangs.
* You have to connect your HDD to your PC, e.g. with a SATA-2-USB adapter.
* We will clear the OtherOS boot flag and GameOS will boot again.
* We don't have to decrypt VFLASH, only HDD, because cell_ext_os_area is NOT encrypted with VFLASH key, only with HDD key.
* I tested everything myself, it's safe to use.
<pre>
modprobe dm_mod
modprobe dm-bswap16
# On my PC, sdd is the PS3 HDD connected through SATA-USB adapter
hdd_size=`blockdev --getsize /dev/sdd`
echo "0 $hdd_size bswap16 /dev/sdd" | dmsetup create hdd
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
kpartx-ps3 -a /dev/mapper/hdd_crypt
# cell_ext_os_area starts at offset 0xe740000 on VFLASH
# first dump os area parameters
# it begins at offset 0xe740200
dd if=/dev/mapper/hdd_crypt1 of=params.bin bs=1 count=512 skip=$((0xe740200))
# now clear the boot flag
# just make the first 4 bytes in params.bin all 0s
dd if=/dev/zero of=params.bin bs=1 count=4 conv=notrunc
# now we write it back
dd of=/dev/mapper/hdd_crypt1 if=params.bin bs=1 count=512 seek=$((0xe740200))
sync
# clean up everything before disconnecting PS3 HDD
kpartx-ps3 -d /dev/mapper/hdd_crypt
dmsetup remove hdd_crypt
dmsetup remove hdd
# now GameOS should boot and you can flash a new petitboot :)
# you also could write new petitboot image to VFLASH :)
</pre>
=Further Work=
* Encryption/decryption of HDD on FreeBSD using geli framework.
=Links=
* http://www.freeotfe.org/docs/Main/mobile_site/Linux_examples__dm-crypt.htm
* http://www.hopelesscase.com/linuxnotes/encrypted_filesystems/dmsetup_losetup_and_mount
* http://lxr.free-electrons.com/source/block/partitions/
* http://backreference.org/2010/09/25/access-partitions-in-non-disk-block-devices-with-kpartx/
* https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
{{Linux}}<noinclude>[[Category:Main]]</noinclude>
Latest revision as of 21:35, 24 June 2019
Introduction[edit | edit source]
- The goal is to mount PS3 HDD on PC Linux and make changes to it.
- Use device mapper for transparent encryption/decryption.
ATA and ENCDEC Keys[edit | edit source]
Main Article HDD Encryption
Device Mapper[edit | edit source]
- A really cool feature of Linux 2.6/3.
- The device mapper is stackable.
- You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.
dm-bswap16[edit | edit source]
- Swaps bytes in each 16-bit word.
- It is necessray for HDD/VFLASH encryption/decryption.
- Tested on Linux 3.5.3
GIT repo: http://gitorious.ps3dev.net/ps3linux/dm-bswap16
Test[edit | edit source]
modprobe loop modprobe dm_mod modprobe dm-bswap16 dd if=/dev/zero of=test.bin bs=1K count=100 losetup /dev/loop0 ./test.bin echo "0 200 bswap16 /dev/loop0" | dmsetup create test ls -l /dev/mapper/test echo "00 01 00 01 00 01" | xxd -r -p > /dev/mapper/test # device mapper target hexdump -C /dev/mapper/test 00000000 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00019000 # real data, as you see bytes are swapped in each 16-bit word # device mapper allows you to do really cool things :) hexdump -C /home/glevand/test.bin 00000000 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00019000 dmsetup remove test
Test with ps3da[edit | edit source]
- Tested with Debian LiveCD and Linux 3.4.10
- xts_aes: http://gitorious.ps3dev.net/ps3linux/xts_aes
# clear ATA and ENCDEC keys # DO NOT DO IT WITH HDD MOUNTED !!! ps3dm sm set_del_encdec_key 0x110 ps3dm sm set_del_encdec_key 0x111 # for now don't use ps3da device directly, dump sectors to file and bind it to loop device # later we will use ps3da device directly when dm-bswap16 is well tested and bug free dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin losetup /dev/loop1 ./hdd_enc.bin # we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly echo "0 2 bswap16 /dev/loop1" | dmsetup create test # decrypt using xts_aes cat /dev/mapper/test | ./xts_aes/xts_aes -d -k <your ATA data key> -t <your ATA tweak key> | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................| 00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................| 00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................| 00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............| 00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-| 000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. 
..............| 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..| 00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..| 000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............| 00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000400
dm-crypt[edit | edit source]
- We don't need xts_aes application anymore.
- Linux kernel does enctyption/decryption of data transparently for us.
- One of the device mapper features is that it's stackable which is very useful for us.
- VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.
HDD Test[edit | edit source]
- Tested on PS3 itself with Debian LiveCD and Linux kernel version 3.4.10 but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 4 09:23 control
lrwxrwxrwx 1 root root 7 Sep 4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 4 09:30 test_crypt -> ../dm-1

hexdump -C /dev/mapper/test_crypt
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............|
00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-|
000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..|
00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400

# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes
# Linux device mapper is really great !!!
</pre>
VFLASH Test
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
# the target is named hdd because the following commands refer to /dev/mapper/hdd

echo "0 16 bswap16 /dev/loop1" | dmsetup create hdd

# create hdd key file

echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

# VFLASH begins at sector 8 on HDD

echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts with sector 8 and encryption/decryption depends on sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 4 10:46 control
lrwxrwxrwx 1 root root 7 Sep 4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root 7 Sep 4 11:10 vflash_crypt -> ../dm-3

hexdump -C /dev/mapper/vflash_crypt
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 00 75 f8 |..............u.|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 00 78 00 00 00 00 00 00 06 3e 00 |......x.......>.|
000000d0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 01 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 00 06 b6 00 00 00 00 00 00 00 80 00 |................|
00000160 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 00 07 36 00 00 00 00 00 00 00 04 00 |......6.........|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000270 00 00 00 00 00 07 3a 00 00 00 00 00 00 00 c0 00 |......:.........|
00000280 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000290 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000002a0 10 80 00 00 04 00 00 01 00 00 00 00 00 00 00 03 |................|
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000300 00 00 00 00 00 07 fa 00 00 00 00 00 00 00 02 00 |................|
00000310 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000

# now is VFLASH also decrypted
# next step is partition table
</pre>
PS3 HDD Partition Table
- Now that we can decrypt/encrypt the PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions, because only then can we make changes to the UFS or FAT filesystems on the HDD.
- We have to implement the PS3 HDD partition table in the Linux kernel.
- A Linux kernel with this feature will create all partition devices automatically, and we can then mount and modify any HDD region easily.
- A new Linux kernel patch is necessary.
- The PS3 partition table is 0x1000 bytes in size.
- Implemented PS3 partition support in Linux kernel. See patch 0035-ps3-partition.patch here http://gitorious.ps3dev.net/ps3linux/kernel-patches-35
- Use kpartx tool to reread partition table.
Structure
<pre>
#define MAX_ACL_ENTRIES 8
#define MAX_PARTITIONS 8

#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL

struct p_acl_entry {
	u64 laid;
	u64 rights;
};

struct d_partition {
	u64 p_start;
	u64 p_size;
	struct p_acl_entry p_acl[MAX_ACL_ENTRIES];
};

struct disklabel {
	u8 d_res1[16];
	u64 d_magic1;
	u64 d_magic2;
	u64 d_res2;
	u64 d_res3;
	struct d_partition d_partitions[MAX_PARTITIONS];
	u8 d_pad[0x600 - MAX_PARTITIONS * sizeof(struct d_partition) - 0x30];
};
</pre>
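The layout above can be checked in user space before anything is mounted: if the keys or the byte swapping are wrong, the decrypted first sectors will not carry the two magics. The parser below is an added example, not code from the kernel patch or from kpartx; it reads the fields as big-endian (the byte order seen in the page's hexdumps), treats a slot with p_size 0 as unused (an assumption), and the names ps3_parse_label, struct region, build_sample and the disk size passed in main are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_PARTITIONS 8
#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL
#define PART_OFF  0x30   /* d_res1, both magics, d_res2, d_res3 */
#define PART_LEN  0x90   /* sizeof(struct d_partition): 16 + 8 ACL entries * 16 */
#define LABEL_LEN 0x600  /* sizeof(struct disklabel) */
struct region { uint64_t start, size; };  /* both in 512-byte sectors */

static uint64_t get_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void put_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Returns the number of regions found; -1 if the buffer is short or the
 * magics do not match (e.g. decryption produced garbage); -2 if a region
 * does not fit inside a device of dev_sectors sectors. */
int ps3_parse_label(const uint8_t *buf, size_t len, uint64_t dev_sectors,
                    struct region out[MAX_PARTITIONS]) {
    if (len < LABEL_LEN) return -1;
    if (get_be64(buf + 0x10) != MAGIC1 || get_be64(buf + 0x18) != MAGIC2) return -1;
    int n = 0;
    for (int i = 0; i < MAX_PARTITIONS; i++) {
        const uint8_t *p = buf + PART_OFF + (size_t)i * PART_LEN;
        uint64_t start = get_be64(p), size = get_be64(p + 8);
        if (size == 0) continue;  /* assumption: an all-zero slot is unused */
        if (start > dev_sectors || size > dev_sectors - start) return -2;
        out[n++] = (struct region){ start, size };
    }
    return n;
}

/* Constructed sample: magics and start/size pairs as they appear in the
 * hdd_crypt dump on this page; ACL entries are left zero. */
void build_sample(uint8_t buf[LABEL_LEN]) {
    static const uint64_t v[4][2] = { {0x8, 0x80000}, {0x80010, 0x39a8b2d},
                                      {0x3a28b45, 0x3ffff8}, {0x3e28b46, 0x1939ce0c} };
    memset(buf, 0, LABEL_LEN);
    put_be64(buf + 0x10, MAGIC1); put_be64(buf + 0x18, MAGIC2);
    for (int i = 0; i < 4; i++) {
        uint8_t *p = buf + PART_OFF + i * PART_LEN;
        put_be64(p, v[i][0]); put_be64(p + 8, v[i][1]);
    }
}

int main(void) {
    uint8_t buf[LABEL_LEN]; struct region r[MAX_PARTITIONS];
    build_sample(buf);
    int n = ps3_parse_label(buf, sizeof buf, 488397168ULL, r); /* constructed disk size */
    for (int i = 0; i < n; i++)  /* size, then start sector */
        printf("region%d : 0 %llu %llu\n", i + 1, (unsigned long long)r[i].size, (unsigned long long)r[i].start);
    return n == 4 ? 0 : 1;
}
```

To run it against a real device, read the first 0x600 bytes of the decrypted mapping into the buffer and pass the device size in sectors.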
kpartx
- kpartx is a tool which reads partition tables and creates device maps.
- We need kpartx in order to be able to create partitions from device mapper targets.
- But kpartx doesn't support PS3 partition table currently.
- We need a patch which adds PS3 partition table support.
- Official GIT repo: http://git.opensvc.com/multipath-tools/.git
- PS3 partition table support is upstream now, you don't have to patch it anymore !!!
Patching and Building
- See my GIT repo: http://gitorious.ps3dev.net/ps3linux/multipath-tools-patches
<pre>
git clone http://git.opensvc.com/multipath-tools/.git multipath-tools
cd multipath-tools
patch -p1 < ../kpartx-ps3-partition.patch
make
</pre>
Test
<pre>
sudo ./kpartx/kpartx -l /dev/ps3da
ps3da1 : 0 524288 /dev/ps3da 8
ps3da2 : 0 60459821 /dev/ps3da 524304
ps3da3 : 0 4194296 /dev/ps3da 60984133
ps3da4 : 0 423218700 /dev/ps3da 65178438
</pre>
Test
<pre>
modprobe dm-bswap16

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

hdd_size=`blockdev --getsize /dev/ps3da`
echo "0 $hdd_size bswap16 /dev/ps3da" | dmsetup create hdd

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 6 11:07 control
lrwxrwxrwx 1 root root 7 Sep 6 11:09 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 6 11:12 hdd_crypt -> ../dm-1

hexdump -C /dev/mapper/hdd_crypt | head -23
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 08 00 00 |................|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 0b |.p..............|
00000050 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 08 00 10 00 00 00 00 03 9a 8b 2d |...............-|
000000d0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 03 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 03 a2 8b 45 00 00 00 00 00 3f ff f8 |.......E.....?..|
00000160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 03 e2 8b 46 00 00 00 00 19 39 ce 0c |.......F.....9..|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/hdd_crypt
hdd_crypt1 : 0 524288 /dev/mapper/hdd_crypt 8
hdd_crypt2 : 0 60459821 /dev/mapper/hdd_crypt 524304
hdd_crypt3 : 0 4194296 /dev/mapper/hdd_crypt 60984133
hdd_crypt4 : 0 423218700 /dev/mapper/hdd_crypt 65178438

kpartx-ps3 -a /dev/mapper/hdd_crypt

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 7 01:09 control
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt1 -> ../dm-2 <---------- VFLASH
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt2 -> ../dm-3 <---------- GameOS UFS2
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt3 -> ../dm-4 <---------- FAT32 region
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt4 -> ../dm-5 <---------- OtheroS++ HDD region

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep 4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts with sector 8 and encryption/decryption depends on sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/hdd_crypt1

hexdump -C /dev/mapper/vflash_crypt | head -23
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 0f ac e0 ff 00 00 00 00 de ad fa ce |................|
00000020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 00 00 00 75 f8 |..............u.|
00000040 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 00 78 00 00 00 00 00 00 06 3e 00 |......x.......>.|
000000d0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000e0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
000000f0 10 20 00 00 03 00 00 01 00 00 00 00 00 00 00 01 |. ..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000150 00 00 00 00 00 06 b6 00 00 00 00 00 00 00 80 00 |................|
00000160 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000170 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001e0 00 00 00 00 00 07 36 00 00 00 00 00 00 00 04 00 |......6.........|
000001f0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000200 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 |.p..............|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/vflash_crypt
vflash_crypt1 : 0 30200 /dev/mapper/vflash_crypt 8
vflash_crypt2 : 0 409088 /dev/mapper/vflash_crypt 30720
vflash_crypt3 : 0 32768 /dev/mapper/vflash_crypt 439808
vflash_crypt4 : 0 1024 /dev/mapper/vflash_crypt 472576
vflash_crypt5 : 0 49152 /dev/mapper/vflash_crypt 473600
vflash_crypt6 : 0 512 /dev/mapper/vflash_crypt 522752

kpartx-ps3 -a /dev/mapper/vflash_crypt

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep 7 01:09 control
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root 7 Sep 7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt1 -> ../dm-2
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt2 -> ../dm-3
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt3 -> ../dm-4
lrwxrwxrwx 1 root root 7 Sep 7 01:12 hdd_crypt4 -> ../dm-5
lrwxrwxrwx 1 root root 7 Sep 7 01:15 vflash_crypt -> ../dm-6
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt1 -> ../dm-7
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt2 -> ../dm-8
lrwxrwxrwx 1 root root 7 Sep 7 01:17 vflash_crypt3 -> ../dm-9
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt4 -> ../dm-10
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt5 -> ../dm-11
lrwxrwxrwx 1 root root 8 Sep 7 01:17 vflash_crypt6 -> ../dm-12

# Now we can mount any PS3 HDD regions on PC :)
# Linux kernel device mapper is a really great feature.

# mount UFS2 partition

mount -t ufs -o ufstype=ufs2,ro /dev/mapper/hdd_crypt2 /mnt/

ls -l /mnt/
total 16
drwx-----x 5 root root 512 Dec 31 2008 crash_report
drwx------ 3 root root 512 Dec 31 2008 drm
drwxr-xr-x 6 root root 512 Dec 31 2008 game
drwx------ 3 root root 512 Dec 31 2008 home
drwx------ 3 root root 512 Dec 31 2008 mms
drwx------ 5 root root 512 Dec 31 2008 tmp
drwx------ 2 root root 512 Jun 17 2009 vm
drwx------ 5 root root 512 Jul 15 2009 vsh

umount /mnt

mount /dev/mapper/vflash_crypt4 /mnt/

ls -l /mnt/
total 1
drwxr-xr-x 6 root root 512 Jul 15 2009 data-revoke
</pre>
Making Changes to cell_ext_os_area VFLASH Region
- Here is one of the use cases for your dumped HDD and VFLASH keys.
- It's the VFLASH region where petitboot is stored.
- Useful for OtherOS++ users.
- You will need it if you flash a bad petitboot which doesn't boot and just hangs.
- You have to connect your HDD to your PC, e.g. with a SATA-2-USB adapter.
- We will clear the OtherOS boot flag and GameOS will boot again.
- We don't have to decrypt VFLASH, only the HDD, because cell_ext_os_area is NOT encrypted with the VFLASH key, only with the HDD key.
- I tested everything myself, it's safe to use.
<pre>
modprobe dm_mod
insmod dm-bswap16

# On my PC, sdd is the PS3 HDD connected through SATA-USB adapter

hdd_size=`blockdev --getsize /dev/sdd`
echo "0 $hdd_size bswap16 /dev/sdd" | dmsetup create hdd

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

kpartx-ps3 -a /dev/mapper/hdd_crypt

# cell_ext_os_area starts at offset 0xe740000 on VFLASH

# first dump os area parameters
# it begins at offset 0xe740200

dd if=/dev/mapper/hdd_crypt1 of=params.bin bs=1 count=512 skip=$((0xe740200))

# now clear the boot flag
# just make the first 4 bytes in params.bin all 0s

# now we write it back

dd of=/dev/mapper/hdd_crypt1 if=params.bin bs=1 count=512 seek=$((0xe740200))
sync

# clean up everything before disconnecting PS3 HDD

kpartx-ps3 -d /dev/mapper/hdd_crypt
dmsetup remove hdd_crypt
dmsetup remove hdd

# now GameOS should boot and you can flash a new petitboot :)
# you also could write new petitboot image to VFLASH :)
</pre>
Further Work
- Encryption/decryption of HDD on FreeBSD using geli framework.
Links
- http://linuxgazette.net/114/kapil.html
- http://techgmm.blogspot.de/p/writing-your-own-device-mapper-target.html
- http://www.freeotfe.org/docs/Main/mobile_site/Linux_examples__dm-crypt.htm
- http://www.hopelesscase.com/linuxnotes/encrypted_filesystems/dmsetup_losetup_and_mount
- http://lxr.free-electrons.com/source/block/partitions/
- http://backreference.org/2010/09/25/access-partitions-in-non-disk-block-devices-with-kpartx/
- https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/