Mounting HDD on PC: Difference between revisions

From PS3 Developer wiki
[[Category:OtherOS]]
=Introduction=

* The goal is to mount PS3 HDD on PC Linux and make changes to it.
* Use device mapper for transparent encryption/decryption.
=ATA and ENCDEC Keys=
''Main Article [[HDD Encryption]]''


=Device Mapper=
* A really cool feature of Linux 2.6/3.
* The device mapper is stackable.
* You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.


==dm-bswap16==
modprobe loop
modprobe dm_mod
 
modprobe dm-bswap16
insmod ./dm-bswap16.ko


dd if=/dev/zero of=test.bin bs=1K count=100


===Test with ps3da===
* Tested with Debian LiveCD and Linux 3.4.10
* xts_aes: http://gitorious.ps3dev.net/ps3linux/xts_aes

<pre>
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test
</pre>


==dm-crypt==

* We don't need xts_aes application anymore.
* Linux kernel does encryption/decryption of data transparently for us.
* One of the device mapper features is that it's stackable which is very useful for us.
* VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.
===HDD Test===
* Tested on PS3 itself with Debian LiveCD and Linux kernel version 3.4.10 but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free
dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
echo "0 2 bswap16 /dev/loop1" | dmsetup create test
# create key file
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 09:23 control
lrwxrwxrwx 1 root root      7 Sep  4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root      7 Sep  4 09:30 test_crypt -> ../dm-1
hexdump -C /dev/mapper/test_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400
# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes
# Linux device mapper is really great !!!
</pre>
===VFLASH Test===
<pre>
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free
dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin
losetup /dev/loop1 ./hdd_enc.bin
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
echo "0 16 bswap16 /dev/loop1" | dmsetup create test
# create hdd key file
echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
# VFLASH begins at sector 8 on HDD
echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash
# create VFLASH key file
echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin
ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts with sector 8 and encryption/decryption depends on sector number.
cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 10:46 control
lrwxrwxrwx 1 root root      7 Sep  4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root      7 Sep  4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root      7 Sep  4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root      7 Sep  4 11:10 vflash_crypt -> ../dm-3
hexdump -C /dev/mapper/vflash_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000270  00 00 00 00 00 07 3a 00  00 00 00 00 00 00 c0 00  |......:.........|
00000280  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000290  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000002a0  10 80 00 00 04 00 00 01  00 00 00 00 00 00 00 03  |................|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000300  00 00 00 00 00 07 fa 00  00 00 00 00 00 00 02 00  |................|
00000310  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000
# now VFLASH is also decrypted
# next step is partition table
</pre>
=PS3 HDD Partition Table=
* Now that we can decrypt/encrypt PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions because only then we can do changes to UFS or FAT filesystems on the HDD.
* We have to implement PS3 HDD partition table in Linux kernel.
* The Linux kernel with this feature will create all partition devices automatically in this case and we could mount and modify any HDD regions easily.
* A new Linux kernel patch is necessary.
* PS3 partition table is of size 0x1000 bytes.
* Implemented PS3 partition support in Linux kernel. See patch '''0035-ps3-partition.patch''' here http://gitorious.ps3dev.net/ps3linux/kernel-patches-35
* Use kpartx tool to reread partition table.
==Structure==
<pre>
#define MAX_ACL_ENTRIES 8
#define MAX_PARTITIONS 8
#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL
struct p_acl_entry {
u64 laid;
u64 rights;
};
struct d_partition {
u64 p_start;
u64 p_size;
struct p_acl_entry p_acl[MAX_ACL_ENTRIES];
};
struct disklabel {
u8 d_res1[16];
u64 d_magic1;
u64 d_magic2;
u64 d_res2;
u64 d_res3;
struct d_partition d_partitions[MAX_PARTITIONS];
u8 d_pad[0x600 - MAX_PARTITIONS * sizeof(struct d_partition)- 0x30];
};
</pre>
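The layout above can be checked against the decrypted device before anything is written to it. The C parser below is an added example, not code from this wiki, the kernel patch or kpartx: the function names, the rule that a zero size marks an unused slot and the device size are assumptions, and the sample table is constructed from the values in the page's hexdump of the decrypted HDD.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACL_ENTRIES 8
#define MAX_PARTITIONS  8
#define MAGIC1 0x0FACE0FFULL
#define MAGIC2 0xDEADFACEULL
#define OFF_MAGIC 0x10                         /* d_magic1, after d_res1[16] */
#define OFF_PARTS 0x30                         /* d_partitions[] */
#define PART_SIZE (16 + MAX_ACL_ENTRIES * 16)  /* sizeof(struct d_partition) = 0x90 */
#define LABEL_MIN (OFF_PARTS + MAX_PARTITIONS * PART_SIZE)

struct ps3_part {            /* hypothetical result type for this example */
    uint64_t start, size;    /* p_start and p_size, in 512-byte sectors */
    int acl_entries;         /* ACL slots whose laid is non-zero */
};

/* On-disk fields are big-endian; assembling them bytewise keeps the parser
 * independent of host endianness and free of unaligned loads. */
static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--, v >>= 8)
        p[i] = (uint8_t)(v & 0xff);
}

/* Returns the number of used partitions, or -1 (buffer shorter than the
 * table), -2 (magic mismatch: a wrong key or a missing bswap16 layer yields
 * garbage here), -3 (an entry extends past the device). */
int ps3_parse_label(const uint8_t *buf, size_t len, uint64_t dev_sectors,
                    struct ps3_part out[MAX_PARTITIONS])
{
    int n = 0;
    if (len < LABEL_MIN)
        return -1;
    if (be64(buf + OFF_MAGIC) != MAGIC1 || be64(buf + OFF_MAGIC + 8) != MAGIC2)
        return -2;
    for (int i = 0; i < MAX_PARTITIONS; i++) {
        const uint8_t *e = buf + OFF_PARTS + (size_t)i * PART_SIZE;
        uint64_t start = be64(e), size = be64(e + 8);
        if (size == 0)      /* assumption: a zero size marks an unused slot */
            continue;
        /* phrased so that start + size cannot wrap around */
        if (start > dev_sectors || size > dev_sectors - start)
            return -3;
        out[n].start = start;
        out[n].size = size;
        out[n].acl_entries = 0;
        for (int a = 0; a < MAX_ACL_ENTRIES; a++)
            out[n].acl_entries += be64(e + 16 + a * 16) != 0;
        n++;
    }
    return n;
}

/* Constructed sample: header, start/size pairs and the first partition's two
 * ACL entries are copied from the page's hexdump of the decrypted HDD; the
 * other ACL entries are omitted and bytes past 0x400 are assumed to be zero. */
void ps3_sample_label(uint8_t buf[0x600])
{
    static const uint64_t parts[4][2] = {
        { 0x8, 0x80000 }, { 0x80010, 0x39a8b2d },
        { 0x3a28b45, 0x3ffff8 }, { 0x3e28b46, 0x1939ce0c },
    };
    memset(buf, 0, 0x600);
    put_be64(buf + 0x10, MAGIC1);
    put_be64(buf + 0x18, MAGIC2);
    put_be64(buf + 0x20, 3);                     /* d_res2 */
    put_be64(buf + 0x28, 2);                     /* d_res3 */
    for (int i = 0; i < 4; i++) {
        put_be64(buf + OFF_PARTS + i * PART_SIZE, parts[i][0]);
        put_be64(buf + OFF_PARTS + i * PART_SIZE + 8, parts[i][1]);
    }
    put_be64(buf + 0x40, 0x1070000001000001ULL); /* p_acl[0].laid */
    put_be64(buf + 0x48, 0xb);                   /* p_acl[0].rights */
    put_be64(buf + 0x50, 0x1070000002000001ULL); /* p_acl[1].laid */
    put_be64(buf + 0x58, 0x3);                   /* p_acl[1].rights */
}

int main(void)
{
    uint8_t buf[0x600];
    struct ps3_part p[MAX_PARTITIONS];

    ps3_sample_label(buf);
    /* 488397168 is a constructed device size in sectors, not from the page */
    int n = ps3_parse_label(buf, sizeof buf, 488397168ULL, p);
    for (int i = 0; i < n; i++)
        printf("part%d: start=%llu size=%llu acl=%d\n", i + 1,
               (unsigned long long)p[i].start,
               (unsigned long long)p[i].size, p[i].acl_entries);
    return n == 4 ? 0 : 1;
}
```

The start and size values it reports for the sample are the same four pairs that kpartx lists for the HDD elsewhere on this page.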
==kpartx==
* kpartx is a tool which reads partition tables and creates device maps.
* We need kpartx in order to be able to create partitions from device mapper targets.
* But kpartx doesn't support PS3 partition table currently.
* We need a patch which adds PS3 partition table support.
* Official GIT repo: http://git.opensvc.com/multipath-tools/.git
* '''PS3 partition table support is upstream now, you don't have to patch it anymore !!!'''
===Patching and Building===
* See my GIT repo: http://gitorious.ps3dev.net/ps3linux/multipath-tools-patches
<pre>
git clone http://git.opensvc.com/multipath-tools/.git multipath-tools
cd multipath-tools
patch -p1 < ../kpartx-ps3-partition.patch
make
</pre>
===Test===
<pre>
sudo ./kpartx/kpartx -l /dev/ps3da
ps3da1 : 0 524288 /dev/ps3da 8
ps3da2 : 0 60459821 /dev/ps3da 524304
ps3da3 : 0 4194296 /dev/ps3da 60984133
ps3da4 : 0 423218700 /dev/ps3da 65178438
</pre>
==Test==
<pre>
modprobe dm-bswap16
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!
ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111
# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly
hdd_size=`blockdev --getsize /dev/ps3da`
echo "0 $hdd_size bswap16 /dev/ps3da" | dmsetup create hdd
# create key file
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  6 11:07 control
lrwxrwxrwx 1 root root      7 Sep  6 11:09 hdd -> ../dm-0
lrwxrwxrwx 1 root root      7 Sep  6 11:12 hdd_crypt -> ../dm-1
hexdump -C /dev/mapper/hdd_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
# create device mapper partitions with kpartx
kpartx-ps3 -l /dev/mapper/hdd_crypt
hdd_crypt1 : 0 524288 /dev/mapper/hdd_crypt 8
hdd_crypt2 : 0 60459821 /dev/mapper/hdd_crypt 524304
hdd_crypt3 : 0 4194296 /dev/mapper/hdd_crypt 60984133
hdd_crypt4 : 0 423218700 /dev/mapper/hdd_crypt 65178438
kpartx-ps3 -a /dev/mapper/hdd_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root      7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root      7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt1 -> ../dm-2            <---------- VFLASH
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt2 -> ../dm-3            <---------- GameOS UFS2
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt3 -> ../dm-4            <---------- FAT32 region
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt4 -> ../dm-5            <---------- OtherOS++ HDD region
# create VFLASH key file
echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin
ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin
# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts with sector 8 and encryption/decryption depends on sector number.
cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/hdd_crypt1
hexdump -C /dev/mapper/vflash_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
# create device mapper partitions with kpartx
kpartx-ps3 -l /dev/mapper/vflash_crypt
vflash_crypt1 : 0 30200 /dev/mapper/vflash_crypt 8
vflash_crypt2 : 0 409088 /dev/mapper/vflash_crypt 30720
vflash_crypt3 : 0 32768 /dev/mapper/vflash_crypt 439808
vflash_crypt4 : 0 1024 /dev/mapper/vflash_crypt 472576
vflash_crypt5 : 0 49152 /dev/mapper/vflash_crypt 473600
vflash_crypt6 : 0 512 /dev/mapper/vflash_crypt 522752
kpartx-ps3 -a /dev/mapper/vflash_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root      7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root      7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt1 -> ../dm-2
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt2 -> ../dm-3
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt3 -> ../dm-4
lrwxrwxrwx 1 root root      7 Sep  7 01:12 hdd_crypt4 -> ../dm-5
lrwxrwxrwx 1 root root      7 Sep  7 01:15 vflash_crypt -> ../dm-6
lrwxrwxrwx 1 root root      7 Sep  7 01:17 vflash_crypt1 -> ../dm-7
lrwxrwxrwx 1 root root      7 Sep  7 01:17 vflash_crypt2 -> ../dm-8
lrwxrwxrwx 1 root root      7 Sep  7 01:17 vflash_crypt3 -> ../dm-9
lrwxrwxrwx 1 root root      8 Sep  7 01:17 vflash_crypt4 -> ../dm-10
lrwxrwxrwx 1 root root      8 Sep  7 01:17 vflash_crypt5 -> ../dm-11
lrwxrwxrwx 1 root root      8 Sep  7 01:17 vflash_crypt6 -> ../dm-12
# Now we can mount any PS3 HDD regions on PC :)
# Linux kernel device mapper is a really great feature.
# mount UFS2 partition
mount -t ufs -o ufstype=ufs2,ro /dev/mapper/hdd_crypt2 /mnt/
ls -l /mnt/
total 16
drwx-----x 5 root root 512 Dec 31  2008 crash_report
drwx------ 3 root root 512 Dec 31  2008 drm
drwxr-xr-x 6 root root 512 Dec 31  2008 game
drwx------ 3 root root 512 Dec 31  2008 home
drwx------ 3 root root 512 Dec 31  2008 mms
drwx------ 5 root root 512 Dec 31  2008 tmp
drwx------ 2 root root 512 Jun 17  2009 vm
drwx------ 5 root root 512 Jul 15  2009 vsh
umount /mnt
mount /dev/mapper/vflash_crypt4 /mnt/
ls -l /mnt/
total 1
drwxr-xr-x 6 root root 512 Jul 15  2009 data-revoke
</pre>
=Making Changes to cell_ext_os_area VFLASH Region=
* Here is one of the use cases for your dumped HDD and VFLASH keys.
* It's the VFLASH region where petitboot is stored.
* Useful for OtherOS++ users.
* You will need it if you flash bad petitboot which doesn't boot and just hangs.
* You have to connect your HDD to your PC, e.g. with SATA-2-USB adapter.
* We will clear OtherOS boot flag and GameOS will boot again.
* We don't have to decrypt VFLASH, only HDD, because cell_ext_os_area is NOT encrypted with VFLASH key, only with HDD key.
* I tested everything myself, it's safe to use.
<pre>
modprobe dm_mod
modprobe dm-bswap16
# On my PC, sdd is the PS3 HDD connected through SATA-USB adapter
hdd_size=`blockdev --getsize /dev/sdd`
echo "0 $hdd_size bswap16 /dev/sdd" | dmsetup create hdd
echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin
cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd
kpartx-ps3 -a /dev/mapper/hdd_crypt
# cell_ext_os_area starts at offset 0xe740000 on VFLASH
# first dump os area parameters
# it begins at offset 0xe740200
dd if=/dev/mapper/hdd_crypt1 of=params.bin bs=1 count=512 skip=$((0xe740200))
# now clear the boot flag
# just make the first 4 bytes in params.bin all 0s
# now we write it back
dd of=/dev/mapper/hdd_crypt1 if=params.bin bs=1 count=512 seek=$((0xe740200))
sync
# clean up everything before disconnecting PS3 HDD
kpartx-ps3 -d /dev/mapper/hdd_crypt
dmsetup remove hdd_crypt
dmsetup remove hdd
# now GameOS should boot and you can flash a new petitboot :)
# you also could write new petitboot image to VFLASH :)
</pre>
=Further Work=
* Encryption/decryption of HDD on FreeBSD using geli framework.


=Links=
* http://www.freeotfe.org/docs/Main/mobile_site/Linux_examples__dm-crypt.htm
* http://www.hopelesscase.com/linuxnotes/encrypted_filesystems/dmsetup_losetup_and_mount
* http://lxr.free-electrons.com/source/block/partitions/
* http://backreference.org/2010/09/25/access-partitions-in-non-disk-block-devices-with-kpartx/
* https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
{{Linux}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 21:35, 24 June 2019

Introduction

  • The goal is to mount PS3 HDD on PC Linux and make changes to it.
  • Use device mapper for transparent encryption/decryption.

ATA and ENCDEC Keys

Main Article HDD Encryption

Device Mapper

  • A really cool feature of Linux 2.6/3.
  • The device mapper is stackable.
  • You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.

dm-bswap16

  • Swaps bytes in each 16-bit word.
  • It is necessary for HDD/VFLASH encryption/decryption.
  • Tested on Linux 3.5.3

GIT repo: http://gitorious.ps3dev.net/ps3linux/dm-bswap16

Test

modprobe loop
modprobe dm_mod
modprobe dm-bswap16

dd if=/dev/zero of=test.bin bs=1K count=100

losetup /dev/loop0 ./test.bin

echo "0 200 bswap16 /dev/loop0" | dmsetup create test

ls -l /dev/mapper/test

echo "00 01 00 01 00 01" | xxd -r -p > /dev/mapper/test

# device mapper target

hexdump -C /dev/mapper/test 
00000000  00 01 00 01 00 01 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

# real data, as you see bytes are swapped in each 16-bit word
# device mapper allows you to do really cool things :)

hexdump -C /home/glevand/test.bin
00000000  01 00 01 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

dmsetup remove test

Test with ps3da

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# decrypt using xts_aes

cat /dev/mapper/test | ./xts_aes/xts_aes -d -k <your ATA data key> -t <your ATA tweak key> | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

dm-crypt

  • We don't need xts_aes application anymore.
  • Linux kernel does encryption/decryption of data transparently for us.
  • One of the device mapper features is that it's stackable which is very useful for us.
  • VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.

HDD Test

  • Tested on PS3 itself with Debian LiveCD and Linux kernel version 3.4.10 but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.
# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 09:23 control
lrwxrwxrwx 1 root root       7 Sep  4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 09:30 test_crypt -> ../dm-1

hexdump -C /dev/mapper/test_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes

# Linux device mapper is really great !!!

VFLASH Test

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 16 bswap16 /dev/loop1" | dmsetup create test

# create hdd key file

echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

# VFLASH begins at sector 8 on HDD

echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts with sector 8 and encryption/decryption depends on sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 10:46 control
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root       7 Sep  4 11:10 vflash_crypt -> ../dm-3

hexdump -C /dev/mapper/vflash_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000270  00 00 00 00 00 07 3a 00  00 00 00 00 00 00 c0 00  |......:.........|
00000280  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000290  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000002a0  10 80 00 00 04 00 00 01  00 00 00 00 00 00 00 03  |................|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000300  00 00 00 00 00 07 fa 00  00 00 00 00 00 00 02 00  |................|
00000310  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000

# VFLASH is now decrypted as well
# the next step is the partition table

PS3 HDD Partition Table

  • Now that we can decrypt/encrypt the PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions, because only then can we make changes to the UFS or FAT filesystems on the HDD.
  • We have to implement the PS3 HDD partition table in the Linux kernel.
  • A Linux kernel with this feature creates all partition devices automatically, so we can mount and modify any HDD region easily.
  • A new Linux kernel patch is necessary.
  • The PS3 partition table is 0x1000 bytes in size.
  • PS3 partition support is implemented in the Linux kernel. See patch 0035-ps3-partition.patch here: http://gitorious.ps3dev.net/ps3linux/kernel-patches-35
  • Use the kpartx tool to reread the partition table.

Structure

#define MAX_ACL_ENTRIES		8
#define MAX_PARTITIONS		8

#define MAGIC1						0x0FACE0FFULL
#define MAGIC2						0xDEADFACEULL

struct p_acl_entry {
	u64 laid;
	u64 rights;
};

struct d_partition {
	u64 p_start;
	u64 p_size;
	struct p_acl_entry p_acl[MAX_ACL_ENTRIES];
};

struct disklabel {
	u8 d_res1[16];
	u64 d_magic1;
	u64 d_magic2;
	u64 d_res2;
	u64 d_res3;
	struct d_partition d_partitions[MAX_PARTITIONS];
	u8 d_pad[0x600 - MAX_PARTITIONS * sizeof(struct d_partition)- 0x30];
};
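
A bounds-checked user-space parser for the label layout above, as an added example that is not the kernel patch's or kpartx's code. The names ps3_parse_label, ps3_part and ps3_sample are hypothetical, treating a zero p_size as an unused slot is an assumption, and the sample bytes are the magics and start/size fields transcribed from the VFLASH hexdump earlier on this page.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PARTITIONS 8
#define MAGIC1    0x0FACE0FFULL
#define MAGIC2    0xDEADFACEULL
#define PART_OFF  0x30   /* offsetof(struct disklabel, d_partitions) */
#define PART_SIZE 0x90   /* sizeof(struct d_partition): 16 + 8 ACL entries * 16 */

struct ps3_part { uint64_t start, size; };   /* in 512-byte sectors */

/* Fields are big-endian on disk (see the hexdumps), so decode byte by byte. */
static uint64_t be64(const uint8_t *p)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++)
		v = (v << 8) | p[i];
	return v;
}

/* Returns the number of partitions stored in out[], or -1 if the label is
 * too short, has a wrong magic, or an entry does not fit on the device. */
int ps3_parse_label(const uint8_t *buf, size_t len, uint64_t dev_sectors,
		    struct ps3_part out[MAX_PARTITIONS])
{
	int n = 0;
	if (len < PART_OFF + MAX_PARTITIONS * PART_SIZE)
		return -1;
	if (be64(buf + 0x10) != MAGIC1 || be64(buf + 0x18) != MAGIC2)
		return -1;
	for (int i = 0; i < MAX_PARTITIONS; i++) {
		const uint8_t *e = buf + PART_OFF + i * PART_SIZE;
		uint64_t start = be64(e), size = be64(e + 8);
		if (size == 0)   /* assumption: zero size marks an unused slot */
			continue;
		if (start > dev_sectors || size > dev_sectors - start)
			return -1;   /* wraps around or runs past the device */
		out[n++] = (struct ps3_part){ start, size };
	}
	return n;
}

/* Sample: magics and start/size of the six VFLASH entries dumped above (ACLs zeroed). */
const uint8_t ps3_sample[0x1000] = {
	[0x14] = 0x0f, 0xac, 0xe0, 0xff, [0x1c] = 0xde, 0xad, 0xfa, 0xce,
	[0x037] = 0x08, [0x03e] = 0x75, 0xf8, [0x0c6] = 0x78, [0x0cd] = 0x06, 0x3e,
	[0x155] = 0x06, 0xb6, [0x15e] = 0x80, [0x1e5] = 0x07, 0x36, [0x1ee] = 0x04,
	[0x275] = 0x07, 0x3a, [0x27e] = 0xc0, [0x305] = 0x07, 0xfa, [0x30e] = 0x02,
};
```

Called on the sample with a device size of 524288 sectors (the size kpartx reports for the VFLASH region), the parser yields the same six start/size pairs that kpartx -l lists for vflash_crypt.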

kpartx

  • kpartx is a tool which reads partition tables and creates device maps.
  • We need kpartx in order to be able to create partitions from device mapper targets.
  • But kpartx doesn't support the PS3 partition table currently.
  • We need a patch which adds PS3 partition table support.
  • Official GIT repo: http://git.opensvc.com/multipath-tools/.git
  • PS3 partition table support is upstream now, so you don't have to patch it anymore!

Patching and Building

git clone http://git.opensvc.com/multipath-tools/.git multipath-tools
cd multipath-tools
patch -p1 < ../kpartx-ps3-partition.patch
make

Test

sudo ./kpartx/kpartx -l /dev/ps3da
ps3da1 : 0 524288 /dev/ps3da 8
ps3da2 : 0 60459821 /dev/ps3da 524304
ps3da3 : 0 4194296 /dev/ps3da 60984133
ps3da4 : 0 423218700 /dev/ps3da 65178438

Test

modprobe dm-bswap16

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# we have to set up the device mapper bswap16 target, otherwise HDD encryption/decryption won't work properly

hdd_size=`blockdev --getsize /dev/ps3da`

echo "0 $hdd_size bswap16 /dev/ps3da" | dmsetup create hdd

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  6 11:07 control
lrwxrwxrwx 1 root root       7 Sep  6 11:09 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  6 11:12 hdd_crypt -> ../dm-1


hexdump -C /dev/mapper/hdd_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/hdd_crypt
hdd_crypt1 : 0 524288 /dev/mapper/hdd_crypt 8
hdd_crypt2 : 0 60459821 /dev/mapper/hdd_crypt 524304
hdd_crypt3 : 0 4194296 /dev/mapper/hdd_crypt 60984133
hdd_crypt4 : 0 423218700 /dev/mapper/hdd_crypt 65178438

kpartx-ps3 -a /dev/mapper/hdd_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt1 -> ../dm-2             <---------- VFLASH
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt2 -> ../dm-3             <---------- GameOS UFS2
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt3 -> ../dm-4             <---------- FAT32 region
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt4 -> ../dm-5             <---------- OtherOS++ HDD region

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# the -p option is important here because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/hdd_crypt1

hexdump -C /dev/mapper/vflash_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/vflash_crypt
vflash_crypt1 : 0 30200 /dev/mapper/vflash_crypt 8
vflash_crypt2 : 0 409088 /dev/mapper/vflash_crypt 30720
vflash_crypt3 : 0 32768 /dev/mapper/vflash_crypt 439808
vflash_crypt4 : 0 1024 /dev/mapper/vflash_crypt 472576
vflash_crypt5 : 0 49152 /dev/mapper/vflash_crypt 473600
vflash_crypt6 : 0 512 /dev/mapper/vflash_crypt 522752

kpartx-ps3 -a /dev/mapper/vflash_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt1 -> ../dm-2
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt2 -> ../dm-3
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt3 -> ../dm-4
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt4 -> ../dm-5
lrwxrwxrwx 1 root root       7 Sep  7 01:15 vflash_crypt -> ../dm-6
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt1 -> ../dm-7
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt2 -> ../dm-8
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt3 -> ../dm-9
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt4 -> ../dm-10
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt5 -> ../dm-11
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt6 -> ../dm-12

Now we can mount any PS3 HDD regions on PC :)
Linux kernel device mapper is a really great feature.

# mount UFS2 partition

mount -t ufs -o ufstype=ufs2,ro /dev/mapper/hdd_crypt2 /mnt/
ls -l /mnt/
total 16
drwx-----x 5 root root 512 Dec 31  2008 crash_report
drwx------ 3 root root 512 Dec 31  2008 drm
drwxr-xr-x 6 root root 512 Dec 31  2008 game
drwx------ 3 root root 512 Dec 31  2008 home
drwx------ 3 root root 512 Dec 31  2008 mms
drwx------ 5 root root 512 Dec 31  2008 tmp
drwx------ 2 root root 512 Jun 17  2009 vm
drwx------ 5 root root 512 Jul 15  2009 vsh

umount /mnt

mount /dev/mapper/vflash_crypt4 /mnt/
ls -l /mnt/
total 1
drwxr-xr-x 6 root root 512 Jul 15  2009 data-revoke

Making Changes to cell_ext_os_area VFLASH Region

  • Here is one of the use cases for your dumped HDD and VFLASH keys.
  • It's the VFLASH region where petitboot is stored.
  • Useful for OtherOS++ users.
  • You will need it if you flash a bad petitboot which doesn't boot and just hangs.
  • You have to connect your HDD to your PC, e.g. with a SATA-2-USB adapter.
  • We will clear the OtherOS boot flag and GameOS will boot again.
  • We don't have to decrypt VFLASH, only the HDD, because cell_ext_os_area is NOT encrypted with the VFLASH key, only with the HDD key.
  • I tested everything myself, it's safe to use.
modprobe dm_mod
modprobe dm-bswap16

# On my PC, sdd is the PS3 HDD connected through SATA-USB adapter

hdd_size=`blockdev --getsize /dev/sdd`

echo "0 $hdd_size bswap16 /dev/sdd" | dmsetup create hdd

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

kpartx-ps3 -a /dev/mapper/hdd_crypt

# cell_ext_os_area starts at offset 0xe740000 on VFLASH

# first dump os area parameters
# it begins at offset 0xe740200

dd if=/dev/mapper/hdd_crypt1 of=params.bin bs=1 count=512 skip=$((0xe740200))

# now clear the boot flag
# just make the first 4 bytes in params.bin all 0s

# now we write it back

dd of=/dev/mapper/hdd_crypt1 if=params.bin bs=1 count=512 seek=$((0xe740200))

sync

# clean up everything before disconnecting PS3 HDD

kpartx-ps3 -d /dev/mapper/hdd_crypt
dmsetup remove hdd_crypt
dmsetup remove hdd

# now GameOS should boot and you can flash a new petitboot :)

# you also could write new petitboot image to VFLASH :)

Further Work

  • Encryption/decryption of HDD on FreeBSD using geli framework.

Links