Seeds: Difference between revisions
Line 270: | Line 270: | ||
</pre> | </pre> | ||
=== | === data key seed === | ||
<pre> | <pre> | ||
73 68 65 72 77 6F 6F 64 5F 73 73 5F 73 65 65 64 "sherwood_ss_seed" | |||
</pre> | </pre> | ||
=== ss_seed_one_more === | === ss_seed_one_more === |
Revision as of 13:53, 21 October 2014
Information about these seeds
The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.
Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.
Common
Common individuals seed
59 30 21 45 AC 09 B1 EF E6 9E 9B 7A 25 FF 8F 86 E9 F6 81 4D 37 DE 20 4D 29 72 9B 84 16 BA ED E4 22 70 98 65 7F 29 8C DB 6A 9B 5E 59 E4 A4 BA 2F 8E 6A 74 0E 1F C1 E3 E9 35 DD D2 F6 6C DE DD 6B
Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg
Taken from: isoldr/appldr/lv1ldr
eEID
eid0
Used for individual ps3/psp/psn information.
eid0 individuals seed
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C 37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B 08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4 D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self
eid0 keyseed 0x0
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
Taken from: aim_spu_module.self
eid0 keyseed 0x6
3A B0 E6 C4 AC FF B6 29 36 2F FB BB DB C8 54 BC
Taken from: pspemudrm (kirk)
eid0 keyseed 0xA
30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84
Taken from: aim_spu_module.self
eid1
Used for individual SYSCON information.
eid1 individuals seed
B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7
Taken from: sc_iso.self/sc_iso_factory.self
eid2
Used for individual bluray information.
eid2 individuals seed
74 92 E5 7C 2C 7C 63 F4 49 42 26 8F B4 1C 58 ED 66 83 41 F9 C9 7B 29 83 96 FA 9D 82 07 51 99 D8 BC 1A 93 4B 37 4F A3 8D 46 AF 94 C7 C3 33 73 B3 09 57 20 84 FE 2D E3 44 57 E0 F8 52 7A 34 75 3D
Taken from: fdm_spu_module.self
eid2 DES key
6C CA B3 54 05 FA 56 2C
Taken from: fdm_spu_module.self
eid2 DES iv
00 00 00 00 00 00 00 00
Taken from: fdm_spu_module.self
eid3
Used for individual CPRM information.
eid3 individuals seed
01 D0 49 6A 3B AD D1 73 55 70 CB 29 E1 6F A2 31 4F A9 FD 1A BA 19 A1 C6 9E EA 2F 4A A6 07 A7 1C 6F E2 3E F8 DF BB 0F 2D 9D 45 2C D5 FA D5 8B 74 5B F8 A4 A5 0D 8B DB 29 B2 F4 BF 14 C4 4A DD 76
Taken from: CprmModule.spu.isoself
eid3 keyseed
5F FF 3F D8 1E 18 B9 56 DA E4 E6 D3 36 82 97 EF
Taken from: CprmModule.spu.isoself
eid3 static key
D9 94 06 CA 4B F3 07 50 43 6A 45 47 36 83 45 89
Taken from: CprmModule.spu.isoself
eid4
Used for individual bluray auth information.
eid4 individuals seed
3E C2 0C 17 02 19 01 97 8A 29 71 79 38 29 D3 08 04 29 FA 84 E3 3E 7F 73 0C 1D 41 6E EA 25 CA FB 3D E0 2B C0 05 EA 49 0B 03 E9 91 98 F8 3F 10 1F 1B A3 4B 50 58 94 28 AD D2 B3 EB 3F F4 C3 1A 58
Taken from: sv_iso_spu_module.self
HDD Specific
Used for individual hard drive information.
ATA data individuals seed
D9 2D 65 DB 05 7D 49 E1 A6 6F 22 74 B8 BA C5 08 83 84 4E D7 56 CA 79 51 63 62 EA 8A DA C6 03 26
Taken from: sb_iso_spu_module.self
ATA tweak individuals seed
C3 B3 B5 AA CC 74 CD 6A 48 EF AB F4 4D CD F1 6E 37 9F 55 F5 77 7D 09 FB EE DE 07 05 8E 94 BE 08
Taken from: sb_iso_spu_module.self
ENCDEC data individuals seed
E2 D0 5D 40 71 94 5B 01 C3 6D 51 51 E8 8C B8 33 4A AA 29 80 81 D8 C4 4F 18 5D C6 60 ED 57 56 86
ENCDEC tweak individuals seed
02 08 32 92 C3 05 D5 38 BC 50 E6 99 71 0C 0A 3E 55 F5 1C BA A5 35 A3 80 30 B6 7F 79 C9 05 BD A3
PS2 Emu Specific
Used for individual communication between PS2 emulator and PS3.
mc_iso individuals seed
52 38 D0 FA 23 A9 93 B8 97 1D 40 0F 98 2D 21 77 81 30 DC F4 DE 7C 4E 11 9C 1D E2 86 AA 37 61 0B 1A B7 11 22 3F 27 68 16 59 AE 6B 71 F1 84 F9 CB 0E 00 D0 8A D0 6A F9 F7 A1 D5 5F 69 C7 1D 2B 25
Taken from: mc_iso_spu_module.self
me_iso individuals seed
F2 33 6E 25 63 B6 03 07 7A 76 65 71 26 CA E4 DB 82 0E 92 85 6B 69 3C E8 14 22 E9 FB 1C 1C A5 B3 E9 43 38 8E 4B 48 03 50 AA 24 A5 FB FA BF D1 72 D9 7A 1E 25 DE 3E 64 A0 A7 A4 82 52 84 56 B1 74
Taken from: me_iso_spu_module.self
Syscon Specific
Used for individual SYSCON authentication.
sc_iso module seed
B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7
sc_iso key seeds
63 DC A7 D3 FE E4 7F 74 9A 40 83 63 F1 10 4E 8F auth_1 0x00 4D 10 09 43 24 00 9C C8 E6 B6 9C 70 32 8E 34 C5 auth_2 0x00 D9 79 49 BA D8 DA 69 D0 E0 1B F3 15 23 73 28 32 auth_1 0x01 C9 D1 DD 3C E2 7E 35 66 97 E2 6C 12 A7 B3 16 A8 auth_2 0x01 72 FF 4C 7F D2 A5 90 8D 6C 9C 3F D3 C0 37 FE EB auth_1 0x02 FA 8D 08 3C 05 20 80 D4 A1 94 53 45 2E 17 9A 44 auth_2 0x02 35 F8 42 12 95 CB F4 84 E0 6A 17 FA 2F B9 86 86 auth_1 0x03 C2 F3 68 5E 7E F4 97 68 33 7B 79 FD BC 82 65 BE auth_2 0x03 C6 E1 93 31 FC 6D 75 D1 C2 80 09 13 D1 79 3C 7E auth_1 0x04 77 1A 75 5F 40 2D 51 96 D0 2A 0D 09 2B EF E0 1E auth_2 0x04 B1 17 01 62 9E D2 FA 91 8F 9F 4D 8B 78 D7 2D 74 auth_1 0x05 19 93 0D E0 B6 FD CF FC 7B A6 30 B8 2D 53 04 31 auth_2 0x05 44 20 ED 72 2F EA 35 02 19 55 AB 40 C7 8E E6 DF auth_1 0x06 3E 67 C2 D9 43 2E 15 D0 9B EF 0E 6C 64 92 45 5D auth_2 0x06 5F A6 AF 2B B0 7F 72 E2 AB F8 0B 4E F6 DA 98 E0 auth_1 0x07 8C B7 82 E5 3E 8A EB 8A 76 8D 36 65 98 28 1B 9B auth_2 0x07
Size 256
Session key seeds
9F 1D F8 16 BB 4A 4A 01 29 D0 31 CF B0 AD 9B 30 0x00 D3 02 FD E1 75 78 FB DB A1 05 84 49 BA 5C 1B EA 0x01 0E 6B 74 80 E5 CE B2 56 2A 33 47 BB 41 01 24 55 0x02 79 10 AC 5D 2A D1 60 01 F6 A2 78 39 79 09 61 03 0x03 E3 05 28 04 B7 D2 83 6F 28 79 A1 75 1B B4 0D 48 0x04 EF 58 6F 9D 59 91 70 67 68 50 59 0B A6 7D 4B C7 0x05 5D 95 98 63 7A F2 5F 80 23 62 3B 12 68 B5 13 1A 0x06 0E AA 32 14 0A 28 61 D8 65 96 26 F6 CE 22 86 DB 0x07
D4 13 B8 96 63 E1 FE 9F 75 14 3D 3B B4 56 52 74 rev 0x2 FA 72 CE EF 59 B4 D2 98 9F 11 19 13 28 7F 51 C7 rev 0x3 DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14 rev 0x4 (1.00 -> 4.00) 29 C1 94 FF EC 1F D1 4D 4A AE 00 6C 32 B3 59 90 rev 0x? (rev 5?, found on 4.30, maybe in below fw's)
data key seed
73 68 65 72 77 6F 6F 64 5F 73 73 5F 73 65 65 64 "sherwood_ss_seed"
ss_seed_one_more
E3 05 28 04 B7 D2 83 6F 28 79 A1 75 1B B4 0D 48 EF 58 6F 9D 59 91 70 67 68 50 59 0B A6 7D 4B C7 5D 95 98 63 7A F2 5F 80 23 62 3B 12 68 B5 13 1A 0E AA 32 14 0A 28 61 D8 65 96 26 F6 CE 22 86 DB
also used for vtrm block crypto (aes_xts)
first block contains crl and drl hashes(see this for any doubts you might have)
unknown_seed
E3 EF DE 98 7E 4A 2D 3F 8C F7 B3 B6 0E 84 6B 21 4A B0 26 66 4E 9D 02 F5 3E FF 95 44 54 9B 1F 97 7E CA 7F 29 98 91 F1 B2 43 11 9E 35 AE 94 C3 DE E0 B7 A0 86 7C F4 49 23 BA E6 5E 33 86 46 0C 80
used when sc_iso needs to authenticate ps3 with syscon during time commands (clock drift)
(seed_for_backup is used to decrypt encrypted root info inside syscon and is actually an ascii seed, just like keyseed_for_srk2)
something else
13 16 3A 92 B5 05 13 54 2C 18 AB AD 31 B8 5F B7 <- 1 2B C8 BB 73 F4 B5 9A C6 58 A7 37 A5 DD 53 5D FE <- 2 D6 C3 74 FC DF F8 C3 CF 44 01 8C 78 73 3B F5 B2 64 8B 9F F9 4E F3 21 C6 9A 4A E5 96 F2 F0 8D 22 62 6C 71 24 FC 5B A1 AF 74 36 38 9B A3 7C 66 54 9D 94 BE 46 1C AF 08 3C 9D 9F A1 85 C9 3A EE 7B 18 D3 92 2D 4C A4 9C 1F 48 A6 FE FD 24 1D 5C 23 <- n1 05 8E B0 A8 2D 91 99 E8 70 28 C6 7D B9 F4 9A CF <- n2 CC 6A 09 07 DF 49 51 BF 27 CF 7B C2 DE 24 C5 70 F7 6E 53 0B CB CD 38 76 BC EC C8 D5 96 B5 83 B4 12 3D E1 47 FB 53 D5 F4 9D 55 BE 64 0F 2D 7C B0 73 3A A5 52 3A 57 B7 70 F5 97 22 27 0C F2 31 40
1->n1->2->n2 (in ida)
Notes
- libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
- you'll need eid_root_key, hdd image and eid
- the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
- many thanks to fail0verfl0w for this. gotta love the print_hash function :3
- https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
- Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
- ss_sc_init contains fallback EID1 of size 0x290 bytes.
References
THE PLACEHOLDER <- this curious pastie contains the first 4 bytes of several keys/seeds
1st-eid2 indiv seed 2nd-eid0 indiv seed 3rd-eid1 indiv seed 4th-eid4 indiv seed 5th-ata data seed 6th-me iso indiv seed 7th-mc iso indiv seed
isolated modules <- used as reference for eid specific seeds, amongst others
Others (???)
06 78 CE 0E (found, divx player key, decrypt divxdrm.sprx with sc services) 67 C0 75 8C F4 99 6F EF 7E 88 F9 0C C6 95 9D 66 (found, debug disc fallback)
Taken respectively from N's Twitter
What's inside:
Each EID0 Section (0xC0 bytes)
Description | Length | Note |
---|---|---|
Data | 0x38 | contains the actual data of the file |
R | 0x14 | part of the ecdsa signature pair (r,s) |
S | 0x14 | part of the ecdsa signature pair (r,s) |
public key | 0x28 | ecdsa public key |
random padding ? | 0x8 | common between a retail and a true convert dump, probably padding |
unknown | 0x18 | unknown |
omac/cmac1 | 0x10 | hash of the previous information in CMAC1/OMAC mode |
padding | 0x8 | zero byte padding |
EID1 (0x2A0 bytes)
This is, quite possibly, one of the most important EID parts in the system. Since the seed was found on syscon selfs, it's very likely that this is directly associated with SYSCON itself. Unfortunately, there is no way to know because there are additional layers of cryptography inside it.
EID2(0x730 bytes)
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying
Description | Length | Note |
---|---|---|
Header | 0x20 | |
Pblock | 0x80 | contains bd drive info |
Sblock | 0x690 | contains bd drive info |
EID3(0x100)
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication
Offset | Description | Length | Note |
---|---|---|---|
0x00 | Header | 0x20 | contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce |
0x20 | cprm player keys | 0xB8 | |
0xD8 | sha1 digest | 0x14 | sha1 digest of previous section |
0xEC | padding | 0x4 | |
0xF0 | omac1 digest | 0x10 | omac1 digest of whole eid3 |
EID4(0x30)
Description | Length | Note |
---|---|---|
Drive Key 1 | 0x10 | Encrypts data sent from host to bd drive |
Drive Key 2 | 0x10 | Decrypts data sent from bd drive to host |
CMAC/OMAC1 | 0x10 | Hash of the previous bytes in CMAC/OMAC1 mode |
EID5 (0xA00)
The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.
Theory
0x40 bytes Header
Description | Length | Note |
---|---|---|
header(idps) | 0x10 | idps |
unk(static) | 0x2 | 00 12 |
unk2(static) | 0x2 | 00 0B (eid0) 00 02(request_idps) 07 30 (eid5) |
perconsole nonce | 0xC | |
unk3(changes) | 0x20 |
Content
Description | Length | Note |
---|---|---|
sections | 0x9C0 | 13 sections of 0xC0 bytes each (copy of the 11 sections in EID0 and two sections dedicated to bootldr and metldr respectively) |