HDD Encryption: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
No edit summary
Line 11: Line 11:


==Program==
==Program==
My SPU program to dump ATA tweak and data XTS keys to PPU memory with spuisofs:
<pre>
/*
* Dump ATA keys
*
* Copyright (C) 2012 glevand <[email protected]>
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published
* by the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
.text
start:
ila $2, 0x3dfa0
lr $sp, $2
ila $80, 0x3e000
lr $81, $3
stqd $7, 0($80) # store upper 16bytes of ATA data key
stqd $8, 0x10($80) # store lower 16bytes of ATA data key
stqd $9, 0x20($80)
stqd $10, 0x30($80)
stqd $11, 0x40($80) # store upper 16bytes of ATA tweak key
stqd $12, 0x50($80) # store lower 16bytes of ATA tweak key
lr $3, $80
lr $4, $81
il $5, 0x60
il $6, 0x7
il $7, 0x20
brsl $lr, 0x10 # mfc_dma_xfer
il $3, 0x7
brsl $lr, 0x28 # mfc_dma_wait
stop 0x666 # our evil stop code :)
/*
* r3 - LSA
* r4 - EA
* r5 - size
* r6 - tag
* r7 - cmd
*/
mfc_dma_xfer:
wrch $ch16, $3
wrch $ch17, $4
shlqbyi $4, $4, 4
wrch $ch18, $4
wrch $ch19, $5
wrch $ch20, $6
wrch $ch21, $7
bi $lr
/*
* r3 - tag
*/
mfc_dma_wait:
il $2, 0
nop $127
hbra 2f, 1f
wrch $ch23, $2
1:
rchcnt $2, $ch23
ceqi $2, $2, 1
nop $127
nop $127
nop $127
nop $127
nop $127
2:
brz $2, 1b
hbr 3f, $lr
rdch $2, $ch24
il $2, 1
shl $2, $2, $3
wrch $ch22, $2
il $2, 2
wrch $ch23, $2
rdch $2, $ch24
nop $127
3:
bi $lr
</pre>


==Result==
==Result==

Revision as of 06:57, 15 August 2012

Introduction

  • The following information was reverse enginered from LV1, Storage Manager in LPAR1 and sb_iso_spu_module.self.

HDD Encryption

  • XTS-AES-128 is used to encrypt all data on PS3 HDD.
  • VFLASH is encrypted twice. First with ENCDEC keys and then with ATA keys.

Dumping ATA Keys

Program

My SPU program to dump ATA tweak and data XTS keys to PPU memory with spuisofs:

/*
 * Dump ATA keys
 *
 * Copyright (C) 2012 glevand <[email protected]>
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published
 * by the Free Software Foundation; version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

.text

start:

	ila		$2, 0x3dfa0
	lr		$sp, $2

	ila		$80, 0x3e000
	lr		$81, $3

	stqd		$7, 0($80)	# store upper 16bytes of ATA data key
	stqd		$8, 0x10($80)	# store lower 16bytes of ATA data key
	stqd		$9, 0x20($80)
	stqd		$10, 0x30($80)
	stqd		$11, 0x40($80)	# store upper 16bytes of ATA tweak key
	stqd		$12, 0x50($80)	# store lower 16bytes of ATA tweak key

	lr		$3, $80
	lr		$4, $81
	il		$5, 0x60
	il		$6, 0x7
	il		$7, 0x20
	brsl		$lr, 0x10	# mfc_dma_xfer

	il		$3, 0x7
	brsl		$lr, 0x28	# mfc_dma_wait

	stop		0x666		# our evil stop code :)

/*
 * r3 - LSA
 * r4 - EA
 * r5 - size
 * r6 - tag
 * r7 - cmd
 */
mfc_dma_xfer:

	wrch		$ch16, $3
	wrch		$ch17, $4
	shlqbyi		$4, $4, 4
	wrch		$ch18, $4
	wrch		$ch19, $5
	wrch		$ch20, $6
	wrch		$ch21, $7

	bi		$lr

/*
 * r3 - tag
 */
mfc_dma_wait:

	il		$2, 0
	nop		$127
	hbra		2f, 1f
	wrch		$ch23, $2

1:

	rchcnt		$2, $ch23
	ceqi		$2, $2, 1
	nop		$127
	nop		$127
	nop		$127
	nop		$127
	nop		$127

2:

	brz		$2, 1b
	hbr		3f, $lr
	rdch		$2, $ch24
	il		$2, 1
	shl		$2, $2, $3
	wrch		$ch22, $2
	il		$2, 2
	wrch		$ch23, $2
	rdch		$2, $ch24
	nop		$127

3:

	bi		$lr

Result

Dumping ENCDEC Keys

Program

Result

Communication with ENCDEC Device