Seeds: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 100: Line 100:
Taken from: fdm_spu_module.self
Taken from: fdm_spu_module.self


=== eid3 ===
=== eid3 -> used for individual CPRM information ===


==== eid3 individuals seed ====
==== eid3 individuals seed ====

Revision as of 15:26, 6 July 2014

Information about these seeds

The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.

Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.

Common

Common individuals seed

59 30 21 45 AC 09 B1 EF E6 9E 9B 7A 25 FF 8F 86
E9 F6 81 4D 37 DE 20 4D 29 72 9B 84 16 BA ED E4
22 70 98 65 7F 29 8C DB 6A 9B 5E 59 E4 A4 BA 2F
8E 6A 74 0E 1F C1 E3 E9 35 DD D2 F6 6C DE DD 6B

Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg

Taken from: isoldr/appldr/lv1ldr

eEID

eid0 -> used for individual ps3/psp/psn information

eid0 individuals seed

AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C 
37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B 
08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4 
D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85

Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self

eid0 keyseed 0x0

2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF

Taken from: aim_spu_module.self

eid0 keyseed 0x6

3A B0 E6 C4 AC FF B6 29 36 2F FB BB DB C8 54 BC

Taken from: pspemudrm (kirk)

eid0 keyseed 0xA

30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84

Taken from: aim_spu_module.self

eid1 -> used for individual SYSCON information

eid1 individuals seed

B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 
48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 
DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 
72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7

Taken from: sc_iso.self/sc_iso_factory.self

eid2 -> used for individual bluray information

eid2 individuals seed

74 92 E5 7C 2C 7C 63 F4 49 42 26 8F B4 1C 58 ED 
66 83 41 F9 C9 7B 29 83 96 FA 9D 82 07 51 99 D8 
BC 1A 93 4B 37 4F A3 8D 46 AF 94 C7 C3 33 73 B3 
09 57 20 84 FE 2D E3 44 57 E0 F8 52 7A 34 75 3D

Taken from: fdm_spu_module.self

eid2 DES key

6C CA B3 54 05 FA 56 2C

Taken from: fdm_spu_module.self

eid2 DES iv

00 00 00 00 00 00 00 00

Taken from: fdm_spu_module.self

eid3 -> used for individual CPRM information

eid3 individuals seed

01 D0 49 6A 3B AD D1 73 55 70 CB 29 E1 6F A2 31
4F A9 FD 1A BA 19 A1 C6 9E EA 2F 4A A6 07 A7 1C
6F E2 3E F8 DF BB 0F 2D 9D 45 2C D5 FA D5 8B 74 
5B F8 A4 A5 0D 8B DB 29 B2 F4 BF 14 C4 4A DD 76

Taken from: CprmModule.spu.isoself

eid3 keyseed

5F FF 3F D8 1E 18 B9 56 DA E4 E6 D3 36 82 97 EF

Taken from: CprmModule.spu.isoself

eid3 static key

D9 94 06 CA 4B F3 07 50 43 6A 45 47 36 83 45 89

Taken from: CprmModule.spu.isoself

eid4

eid4 individuals seed

3E C2 0C 17 02 19 01 97 8A 29 71 79 38 29 D3 08 
04 29 FA 84 E3 3E 7F 73 0C 1D 41 6E EA 25 CA FB 
3D E0 2B C0 05 EA 49 0B 03 E9 91 98 F8 3F 10 1F 
1B A3 4B 50 58 94 28 AD D2 B3 EB 3F F4 C3 1A 58

Taken from: sv_iso_spu_module.self


HDD Specific

ATA data individuals seed

D9 2D 65 DB 05 7D 49 E1 A6 6F 22 74 B8 BA C5 08 
83 84 4E D7 56 CA 79 51 63 62 EA 8A DA C6 03 26

Taken from: sb_iso_spu_module.self


ATA tweak individuals seed

C3 B3 B5 AA CC 74 CD 6A 48 EF AB F4 4D CD F1 6E 
37 9F 55 F5 77 7D 09 FB EE DE 07 05 8E 94 BE 08

Taken from: sb_iso_spu_module.self

ENCDEC data individuals seed

E2 D0 5D 40 71 94 5B 01 C3 6D 51 51 E8 8C B8 33 
4A AA 29 80 81 D8 C4 4F 18 5D C6 60 ED 57 56 86

ENCDEC tweak individuals seed

02 08 32 92 C3 05 D5 38 BC 50 E6 99 71 0C 0A 3E 
55 F5 1C BA A5 35 A3 80 30 B6 7F 79 C9 05 BD A3

PS2 Emu Specific

mc_iso individuals seed(?)

52 38 D0 FA 23 A9 93 B8 97 1D 40 0F 98 2D 21 77 
81 30 DC F4 DE 7C 4E 11 9C 1D E2 86 AA 37 61 0B 
1A B7 11 22 3F 27 68 16 59 AE 6B 71 F1 84 F9 CB 
0E 00 D0 8A D0 6A F9 F7 A1 D5 5F 69 C7 1D 2B 25

Taken from: mc_iso_spu_module.self


me_iso individuals seed(?)

F2 33 6E 25 63 B6 03 07 7A 76 65 71 26 CA E4 DB 
82 0E 92 85 6B 69 3C E8 14 22 E9 FB 1C 1C A5 B3 
E9 43 38 8E 4B 48 03 50 AA 24 A5 FB FA BF D1 72 
D9 7A 1E 25 DE 3E 64 A0 A7 A4 82 52 84 56 B1 74

Taken from: me_iso_spu_module.self

Syscon Specific

sc_iso module seed

B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 
48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 
DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 
72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7

sc_iso key seeds

63 DC A7 D3 FE E4 7F 74 9A 40 83 63 F1 10 4E 8F (1)
4D 10 09 43 24 00 9C C8 E6 B6 9C 70 32 8E 34 C5 [2]
D9 79 49 BA D8 DA 69 D0 E0 1B F3 15 23 73 28 32 (3)
C9 D1 DD 3C E2 7E 35 66 97 E2 6C 12 A7 B3 16 A8 [4]
72 FF 4C 7F D2 A5 90 8D 6C 9C 3F D3 C0 37 FE EB (5)
FA 8D 08 3C 05 20 80 D4 A1 94 53 45 2E 17 9A 44 [6]
35 F8 42 12 95 CB F4 84 E0 6A 17 FA 2F B9 86 86 (7)
C2 F3 68 5E 7E F4 97 68 33 7B 79 FD BC 82 65 BE [8]
C6 E1 93 31 FC 6D 75 D1 C2 80 09 13 D1 79 3C 7E (9)
77 1A 75 5F 40 2D 51 96 D0 2A 0D 09 2B EF E0 1E [10]
B1 17 01 62 9E D2 FA 91 8F 9F 4D 8B 78 D7 2D 74 (11)
19 93 0D E0 B6 FD CF FC 7B A6 30 B8 2D 53 04 31 [12]
44 20 ED 72 2F EA 35 02 19 55 AB 40 C7 8E E6 DF (13)
3E 67 C2 D9 43 2E 15 D0 9B EF 0E 6C 64 92 45 5D [14]
5F A6 AF 2B B0 7F 72 E2 AB F8 0B 4E F6 DA 98 E0 (15)
8C B7 82 E5 3E 8A EB 8A 76 8D 36 65 98 28 1B 9B [16]

Size 256
() first, [] second on ida

D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74  rev 0x2
FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7  rev 0x3
DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  rev 0x4 (1.00 -> 4.00)
29 C1 94 FF EC 1F D1 4D 4A AE 00 6C 32 B3 59 90  rev 0x? (rev 5?, found on 4.30, maybe in below fw's)

sherwood_ss_seed

9F 1D F8 16 BB 4A 4A 01 29 D0 31 CF B0 AD 9B 30 
D3 02 FD E1 75 78 FB DB A1 05 84 49 BA 5C 1B EA 
0E 6B 74 80 E5 CE B2 56 2A 33 47 BB 41 01 24 55 
79 10 AC 5D 2A D1 60 01 F6 A2 78 39 79 09 61 03

used for vtrm block crypto (aes_xts)

ss_seed_one_more

E3 05 28 04 B7 D2 83 6F 28 79 A1 75 1B B4 0D 48 
EF 58 6F 9D 59 91 70 67 68 50 59 0B A6 7D 4B C7 
5D 95 98 63 7A F2 5F 80 23 62 3B 12 68 B5 13 1A 
0E AA 32 14 0A 28 61 D8 65 96 26 F6 CE 22 86 DB

also used for vtrm block crypto (aes_xts)

first block contains crl and drl hashes(see this for any doubts you might have)

unknown_seed

E3 EF DE 98 7E 4A 2D 3F 8C F7 B3 B6 0E 84 6B 21
4A B0 26 66 4E 9D 02 F5 3E FF 95 44 54 9B 1F 97
7E CA 7F 29 98 91 F1 B2 43 11 9E 35 AE 94 C3 DE
E0 B7 A0 86 7C F4 49 23 BA E6 5E 33 86 46 0C 80

used when sc_iso needs to authenticate ps3 with syscon during time commands (clock drift)

(seed_for_backup is used to decrypt encrypted root info inside syscon and is actually an ascii seed, just like keyseed_for_srk2)

something else

13 16 3A 92 B5 05 13 54 2C 18 AB AD 31 B8 5F B7 <- 1 
2B C8 BB 73 F4 B5 9A C6 58 A7 37 A5 DD 53 5D FE <- 2
D6 C3 74 FC DF F8 C3 CF 44 01 8C 78 73 3B F5 B2
64 8B 9F F9 4E F3 21 C6 9A 4A E5 96 F2 F0 8D 22
62 6C 71 24 FC 5B A1 AF 74 36 38 9B A3 7C 66 54
9D 94 BE 46 1C AF 08 3C 9D 9F A1 85 C9 3A EE 7B

18 D3 92 2D 4C A4 9C 1F 48 A6 FE FD 24 1D 5C 23 <- n1
05 8E B0 A8 2D 91 99 E8 70 28 C6 7D B9 F4 9A CF <- n2
CC 6A 09 07 DF 49 51 BF 27 CF 7B C2 DE 24 C5 70 
F7 6E 53 0B CB CD 38 76 BC EC C8 D5 96 B5 83 B4 
12 3D E1 47 FB 53 D5 F4 9D 55 BE 64 0F 2D 7C B0 
73 3A A5 52 3A 57 B7 70 F5 97 22 27 0C F2 31 40

1->n1->2->n2 (in ida)

http://pastie.org/8710005

Notes

  • libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
  • you'll need eid_root_key, hdd image and eid
  • the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
  • many thanks to fail0verfl0w for this. gotta love the print_hash function :3
  • https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
  • Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
  • ss_sc_init contains fallback EID1 of size 0x290 bytes.

References

THE PLACEHOLDER <- this curious pastie contains the first 4 bytes of several keys/seeds

1st-eid2 indiv seed
2nd-eid0 indiv seed
3rd-eid1 indiv seed
4th-eid4 indiv seed
5th-ata data seed
6th-me iso indiv seed
7th-mc iso indiv seed

isolated modules <- used as reference for eid specific seeds, amongst others

Others (???)

eid4 fallback bytes

06 78 CE 0E (found, divx player key, decrypt divxdrm.sprx with sc services)

67 C0 75 8C F4 99 6F EF 7E 88 F9 0C C6 95 9D 66 (found, debug disc fallback) 

Taken respectively from N's Twitter

What's inside:

Each EID0 Section (0xC0 bytes)

Description Length Note
Data 0x38 contains the actual data of the file
R 0x14 part of the ecdsa signature pair (r,s)
S 0x14 part of the ecdsa signature pair (r,s)
public key 0x28 ecdsa public key
unknown 0x20 unknown
omac/cmac1 0x10 hash of the previous information in CMAC1/OMAC mode
padding 0x8 zero byte padding

Source of the information

EID1 (0x2A0 bytes)

This is, quite possibly, one of the most important EID parts in the system. Since the seed was found on syscon selfs, it's very likely that this is directly associated with SYSCON itself. Unfortunately, there is no way to know because there are additional layers of cryptography inside it.

EID2(0x730 bytes)

http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying

Description Length Note
Header 0x20
Pblock 0x80 contains bd drive info
Sblock 0x690 contains bd drive info

EID3(0x100)

http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication

Offset Description Length Note
0x00 Header 0x20
0x20 cprm player keys 0xB8
0xD8 sha1 digest 0x14 sha1 digest of previous section
0xEC padding 0x4
0xF0 omac1 digest 0x10 omac1 digest of whole eid3

EID4(0x30)

Description Length Note
Drive Key 1 0x10 Encrypts data sent from host to bd drive
Drive Key 2 0x10 Decrypts data sent from bd drive to host
CMAC/OMAC1 0x10 Hash of the previous bytes in CMAC/OMAC1 mode

EID5 (0xA00)

The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.

Theory

0x40 bytes Header

Description Length Note
header(idps) 0x10 idps
unk(static) 0x2 00 12
unk2(static) 0x2 00 0B (eid0) 00 02(request_idps) 07 30 (eid5)
perconsole nonce 0xC
unk3(changes) 0x20

Content

Description Length Note
sections 0x9C0 13 sections of 0xC0 bytes each (copy of the 11 sections in EID0 and two sections dedicated to bootldr and metldr respectively)