Seeds: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(→‎secure_com_lib_internal_key::time_key: <- these are keys, not seeds! moving to keys page)
No edit summary
Line 1: Line 1:
= Information about these seeds =
== Source of the PS3 seeds ==


The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.
The seeds presented on this page were acquired through different means. It started with a simple search (which I have to thank glevand and naehrwert for, as had it not been for those guys, I wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and who probably wish to stay anonymous.
 
Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.


== Common ==
== Common ==
Line 16: Line 14:
</pre>
</pre>


Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg
* Used on old firmwares, possibly for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same.
 
* See [http://pastie.org/private/rzg83pokd4vnxg60dj3qwg comments].
Taken from: isoldr/appldr/lv1ldr
* Location: isoldr/appldr/lv1ldr


== eEID ==
== eEID ==


=== eid0 ===
=== EID0 ===


Used for individual ps3/psp/psn information.
Used for individual ps3/psp/psn information.


==== eid0 individuals seed ====
==== EID0 individuals seed ====


<pre>
<pre>
Line 35: Line 33:
</pre>
</pre>


Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self
* Location: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self
 
==== EID0 section 0 seed ====
 
<pre>2ED7CE8D1D55454585BF6A3281CD03AF</pre>


==== eid0 keyseed 0x0 ====
* Location: aim_spu_module.self


<pre>
==== EID0 section 6 seed ====
2ED7CE8D1D55454585BF6A3281CD03AF
</pre>


Taken from: aim_spu_module.self
<pre>3AB0E6C4ACFFB629362FFBBBDBC854BC</pre>


==== eid0 keyseed 0x6 ====
* Location: pspemudrm (KIRK)


<pre>
==== EID0 section 6 for per-console encrypted ECDSA private key ====
3AB0E6C4ACFFB629362FFBBBDBC854BC
</pre>


Taken from: pspemudrm (kirk)
Note: this seems to be the equivalent of the PSP KIRK command 0x10 AES128ECB key (idskey0).


==== eid0 keyseed 0x6 for perconsole encrypted private key ====
<pre>33793B9F79E2EBAE55D4D6BF0ED376E6</pre>


<pre>
Encrypt it with perconsole EID0_key to obtain the decryption key to decrypt your encrypted per-console ECDSA private key, located in the decrypted EID0 section 6 at offset 0x88.
33793B9F79E2EBAE55D4D6BF0ED376E6
</pre>


Encrypt it with perconsole eid0_key to obtain the decryption key to decrypt Your perconsole ecdsa private key, located into the decrypted eid0 section 6 at offset 0x88.<BR>
* Encryption algorithm: aes-256-ecb or aes-256-cbc with null IV. Why 256 bits ????
Encryption algo: aes-256-ecb.<BR>
* Decryption algo: aes-128-ecb or aes-128-cbc with null IV.
Decryption algo: aes-128-cbc. iv = 0.


Taken from: pspemudrm (kirk)
* Location: pspemudrm (KIRK)


==== eid0 keyseed 0xA ====
==== EID0 section 0xA seed ====


<pre>
<pre>30B0395DC5835AAA3A7986B44AFAE684</pre>
30B0395DC5835AAA3A7986B44AFAE684
</pre>


Taken from: aim_spu_module.self
* Location: aim_spu_module.self


=== eid1 ===
=== eid1 ===
Line 77: Line 70:
Used for individual SYSCON information.
Used for individual SYSCON information.


==== eid1 individuals seed ====
==== EID1 individuals seed ====


<pre>
<pre>
Line 86: Line 79:
</pre>
</pre>


Taken from: {{SD}} sc_iso.self/sc_iso_factory.self
* Location: {{SD}} sc_iso.self/sc_iso_factory.self


==== eid1 individuals seed ====
==== EID1 individuals seed ====


<pre>
<pre>
Line 97: Line 90:
</pre>
</pre>


Taken from: sc_iso.self/sc_iso_factory.self/ss_sc_init.self
* Location: sc_iso.self/sc_iso_factory.self/ss_sc_init.self




==== time eid1 keyseed ====
==== Time EID1 seed ====


<pre>
<pre>
Line 109: Line 102:
</pre>
</pre>


Taken from all decrypted eid1, offset 0x110, size 0x40
* Location: from all decrypted EID1, offset 0x110, size 0x40


=== eid2 ===
=== EID2 ===


Used for individual bluray information.
Used for individual bluray information.


==== eid2 individuals seed ====
==== EID2 individuals seed ====


<pre>
<pre>
Line 124: Line 117:
</pre>
</pre>


Taken from: fdm_spu_module.self
* Location: fdm_spu_module.self


==== eid2 DES key ====
==== EID2 DES key ====
<pre>
 
6CCAB35405FA562C
<pre>6CCAB35405FA562C</pre>
</pre>


Taken from: Lv2diag.self for BD remarry
* Location: Lv2diag.self for BD remarry


==== eid2 DES iv ====
==== EID2 DES IV ====


<pre>
<pre>0000000000000000</pre>  
0000000000000000
</pre>  


Taken from: Lv2diag.self for BD remarry
* Location: Lv2diag.self for BD remarry


=== eid3 ===
=== EID3 ===


Used for individual CPRM information.
Used for individual CPRM information.


==== eid3 individuals seed ====
==== EID3 individuals seed ====


<pre>
<pre>
Line 154: Line 144:
</pre>
</pre>


Taken from: CprmModule.spu.isoself
* Location: CprmModule.spu.isoself


==== eid3 keyseed ====
==== EID3 keyseed ====


<pre>
<pre>5FFF3FD81E18B956DAE4E6D3368297EF</pre>
5FFF3FD81E18B956DAE4E6D3368297EF
</pre>


Taken from: CprmModule.spu.isoself
* Location: CprmModule.spu.isoself


==== eid3 static key ====
==== EID3 static key ====


<pre>
<pre>D99406CA4BF30750436A454736834589</pre>
D99406CA4BF30750436A454736834589
</pre>


Taken from: CprmModule.spu.isoself
* Location: CprmModule.spu.isoself


=== eid4 ===
=== EID4 ===


Used for individual bluray auth information.
Used for individual bluray auth information.


==== eid4 individuals seed ====
==== EID4 individuals seed ====
 
<pre>
<pre>
3EC20C17021901978A2971793829D308
3EC20C17021901978A2971793829D308
Line 184: Line 171:
</pre>
</pre>


Taken from: sv_iso_spu_module.self
* Location: sv_iso_spu_module.self


== HDD Specific ==
== HDD Specific ==
Line 197: Line 184:
</pre>
</pre>


Taken from: sb_iso_spu_module.self
* Location: sb_iso_spu_module.self
 


=== ATA tweak individuals seed ===
=== ATA tweak individuals seed ===
Line 207: Line 193:
</pre>
</pre>


Taken from: sb_iso_spu_module.self
* Location: sb_iso_spu_module.self


=== ENCDEC data individuals seed ===
=== ENCDEC data individuals seed ===
Line 217: Line 203:


=== ENCDEC tweak individuals seed ===
=== ENCDEC tweak individuals seed ===
<pre>
<pre>
02083292C305D538BC50E699710C0A3E
02083292C305D538BC50E699710C0A3E
Line 224: Line 211:
=== Arcade/SYSDBG Seeds ===
=== Arcade/SYSDBG Seeds ===


====ATA data/tweak====
==== ATA data/tweak ====


<pre>
<pre>
Line 231: Line 218:
</pre>
</pre>


====ENCDEC data====
==== ENCDEC data ====
 
<pre>
<pre>
D2BCFF742D571A80DFEE5E2496D19C3A
D2BCFF742D571A80DFEE5E2496D19C3A
6F25FA0FC69764CAC20F4269EB540FD8
6F25FA0FC69764CAC20F4269EB540FD8
</pre>
</pre>
====ENCDEC tweak====
 
==== ENCDEC tweak ====
<pre>
<pre>
C19C7F987EDB6E244B07BEDEFA1E6CC9
C19C7F987EDB6E244B07BEDEFA1E6CC9
Line 244: Line 233:
== PS2 Emu Specific ==
== PS2 Emu Specific ==


Used for ps2 memory card save generation
Used for ps2 memory card save generation.


=== mc_iso individuals seed ===
=== mc_iso individuals seed ===
Line 255: Line 244:
</pre>
</pre>


Taken from: mc_iso_spu_module.self
* Location: mc_iso_spu_module.self
 


=== me_iso individuals seed ===
=== me_iso individuals seed ===
Line 267: Line 255:
</pre>
</pre>


Taken from: me_iso_spu_module.self
* Location: me_iso_spu_module.self


== Syscon Specific ==
== Syscon Specific ==
Line 283: Line 271:


=== sc_iso module seed {{SD}} ===
=== sc_iso module seed {{SD}} ===
<pre>
<pre>
0AB7611E56DA45076B46129718F5C80E
0AB7611E56DA45076B46129718F5C80E
Line 311: Line 300:
</pre>
</pre>


Size 256<br>
* Size: 256 bytes


=== random xseed ===
=== random xseed ===
Line 319: Line 308:
</pre>
</pre>


used for generating a random number through the use of ch74
Used for generating a random number through the use of ch74.


=== data key seed ===
=== data key seed ===
Line 333: Line 322:
</pre>
</pre>


=== vtrm keyseed ===
=== vtrm key seed ===


<pre>
<pre>
Line 436: Line 425:
</pre>
</pre>


* decrypted with flash key 0x10
* Decrypted with flash key 0x10.


= Notes =
= Notes =


* libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
* libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. So use them.
* you'll need eid_root_key, hdd image and eid
* https://github.com/zecoxao/ps3_decrypt_tools Up-to-date tools for decrypting and encrypting.
* the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
* You will need eid_root_key (and IV), hdd image and EID.
* many thanks to fail0verfl0w for this. gotta love the print_hash function :3
* The seeds are scattered all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
* https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
* Many thanks to fail0verfl0w for this. Gotta love the print_hash function :3
 
* Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
* Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
* ss_sc_init contains fallback EID1 of size 0x290 bytes.
* ss_sc_init contains fallback EID1 of size 0x290 bytes.
Line 450: Line 440:
= References =
= References =


[http://pastie.org/2858016 THE PLACEHOLDER] <- this curious pastie contains the first 4 bytes of several keys/seeds
[https://web.archive.org/web/20141118233711/http://pastie.org/2858016 THE PLACEHOLDER] <- this curious pastie contains the first 4 bytes of several keys/seeds
 
<pre>
<pre>
1st-eid2 indiv seed
1st-eid2 indiv seed
Line 461: Line 452:
</pre>
</pre>


[http://www.ps3devwiki.com/wiki/Iso_module isolated modules] <- used as reference for eid specific seeds, amongst others
[Iso_module isolated modules] <- used as reference for EID specific seeds, amongst others


= What's inside: =
= EID Structure =


== Each EID0 Section (0xC0 bytes) ==
EID is made of 6 "partitions" from EID0 to EID5.
 
== EID0 ==
 
EID0 embeds 11 sections.
 
=== EID0 Section ===
 
* Size: 0xC0 bytes.


{|class="wikitable"
{|class="wikitable"
Line 483: Line 482:
| encrypted private key || 0x20 || encrypted blob that contains the section's private key (with padding)
| encrypted private key || 0x20 || encrypted blob that contains the section's private key (with padding)
|-
|-
| omac1/cmac || 0x10 || hash of the previous information in CMAC1/OMAC mode
| cmac || 0x10 || hash of the previous information in CMAC mode
|-
|-
| padding || 0x8 || zero byte padding
| padding || 0x8 || zero byte padding for AES 128 bits encryption
|}
|}


[http://pastie.org/6169158 Source of the information]
* [https://web.archive.org/web/20141118233713/http://pastie.org/6169158 naehrwert's EID0 section 0 ECDSA verification]
 
== EID1 ==


== EID1 (0x2A0 bytes) ==
* Size: 0x2A0 bytes.


{|class="wikitable"
{|class="wikitable"
Line 511: Line 512:
|-
|-
| 0x290 || 0x10  || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 Seeds
| 0x290 || 0x10  || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 Seeds
|-
|}
|}


== EID2(0x730 bytes) ==
== EID2 ==
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying
 
* Size: 0x730 bytes.
 
Related to BD drive. See [[Hypervisor_Reverse_Engineering#Remarrying]].
 
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 527: Line 531:
|}
|}


== EID3(0x100) ==
== EID3 ==
http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication
 
* Size: 0x100 bytes.
 
Related to Communicatio. See [[Hypervisor_Reverse_Engineering#Communication]].
 
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 544: Line 552:
|}
|}


== EID4(0x30) ==
== EID4 ==
 
* Size: 0x30 bytes.


{|class="wikitable"
{|class="wikitable"
Line 555: Line 565:
|-
|-
| CMAC/OMAC1 || 0x10 || Hash of the previous bytes in CMAC/OMAC1 mode
| CMAC/OMAC1 || 0x10 || Hash of the previous bytes in CMAC/OMAC1 mode
|-
|}
|}


== EID5 (0xA00) ==
== EID5 ==
 
* Size: 0xA00 bytes.
 
The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use. Its size is similar to EID0, but it has an additional 0x1A0 bytes.


The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>

Revision as of 23:42, 25 May 2020

Source of the PS3 seeds

The seeds presented on this page were acquired through different means. It started with a simple search (which I have to thank glevand and naehrwert for, as had it not been for those guys, I wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and who probably wish to stay anonymous.

Common

Common individuals seed

59302145AC09B1EFE69E9B7A25FF8F86
E9F6814D37DE204D29729B8416BAEDE4
227098657F298CDB6A9B5E59E4A4BA2F
8E6A740E1FC1E3E935DDD2F66CDEDD6B
  • Used on old firmwares, possibly for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same.
  • See comments.
  • Location: isoldr/appldr/lv1ldr

eEID

EID0

Used for individual ps3/psp/psn information.

EID0 individuals seed

ABCAAD1771EFABFC2B921276FAC2130C
37A6BE3FEF82C79F3BA5733FC35A690B
08B358F970FA16A3D2FFE2299E841EE4
D3DB0E0C9BAEB51BC7DFF10467472F85
  • Location: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self

EID0 section 0 seed

2ED7CE8D1D55454585BF6A3281CD03AF
  • Location: aim_spu_module.self

EID0 section 6 seed

3AB0E6C4ACFFB629362FFBBBDBC854BC
  • Location: pspemudrm (KIRK)

EID0 section 6 for per-console encrypted ECDSA private key

Note: this seems to be the equivalent of the PSP KIRK command 0x10 AES128ECB key (idskey0).

33793B9F79E2EBAE55D4D6BF0ED376E6

Encrypt it with perconsole EID0_key to obtain the decryption key to decrypt your encrypted per-console ECDSA private key, located in the decrypted EID0 section 6 at offset 0x88.

  • Encryption algorithm: aes-256-ecb or aes-256-cbc with null IV. Why 256 bits ????
  • Decryption algo: aes-128-ecb or aes-128-cbc with null IV.
  • Location: pspemudrm (KIRK)

EID0 section 0xA seed

30B0395DC5835AAA3A7986B44AFAE684
  • Location: aim_spu_module.self

eid1

Used for individual SYSCON information.

EID1 individuals seed

0AB7611E56DA45076B46129718F5C80E
80BFFBA1800145BF2F1C02F7C011FDE8
E486A45215B5FFFF432DD7F7DFF0C47D
989ADED904DD987FC93BD735DA114397
  • Location:  SD  sc_iso.self/sc_iso_factory.self

EID1 individuals seed

B0D655764C3B44B338F32DD1D0999B66
48A35A2CEB15E28EECDC2DC0B4C7EB05
DC8225C0D5789DBB2E89A24A78585800
72363834EE1A116C2CD25E58EE6763F7
  • Location: sc_iso.self/sc_iso_factory.self/ss_sc_init.self


Time EID1 seed

A8DCAB3577F30F7B81C788B80446B03F
C240BD9F72BBFC7268E4E688C1C24F6E
EF100F2B53199715A99C3E4794487073
74CE56F619FBD2486115A2FBA4F5FBB4
  • Location: from all decrypted EID1, offset 0x110, size 0x40

EID2

Used for individual bluray information.

EID2 individuals seed

7492E57C2C7C63F44942268FB41C58ED
668341F9C97B298396FA9D82075199D8
BC1A934B374FA38D46AF94C7C33373B3
09572084FE2DE34457E0F8527A34753D
  • Location: fdm_spu_module.self

EID2 DES key

6CCAB35405FA562C
  • Location: Lv2diag.self for BD remarry

EID2 DES IV

0000000000000000
  • Location: Lv2diag.self for BD remarry

EID3

Used for individual CPRM information.

EID3 individuals seed

01D0496A3BADD1735570CB29E16FA231
4FA9FD1ABA19A1C69EEA2F4AA607A71C
6FE23EF8DFBB0F2D9D452CD5FAD58B74
5BF8A4A50D8BDB29B2F4BF14C44ADD76
  • Location: CprmModule.spu.isoself

EID3 keyseed

5FFF3FD81E18B956DAE4E6D3368297EF
  • Location: CprmModule.spu.isoself

EID3 static key

D99406CA4BF30750436A454736834589
  • Location: CprmModule.spu.isoself

EID4

Used for individual bluray auth information.

EID4 individuals seed

3EC20C17021901978A2971793829D308
0429FA84E33E7F730C1D416EEA25CAFB
3DE02BC005EA490B03E99198F83F101F
1BA34B50589428ADD2B3EB3FF4C31A58
  • Location: sv_iso_spu_module.self

HDD Specific

Used for individual hard drive information.

ATA data individuals seed

D92D65DB057D49E1A66F2274B8BAC508
83844ED756CA79516362EA8ADAC60326
  • Location: sb_iso_spu_module.self

ATA tweak individuals seed

C3B3B5AACC74CD6A48EFABF44DCDF16E
379F55F5777D09FBEEDE07058E94BE08
  • Location: sb_iso_spu_module.self

ENCDEC data individuals seed

E2D05D4071945B01C36D5151E88CB833
4AAA298081D8C44F185DC660ED575686

ENCDEC tweak individuals seed

02083292C305D538BC50E699710C0A3E
55F51CBAA535A38030B67F79C905BDA3

Arcade/SYSDBG Seeds

ATA data/tweak

DA73ED9020918F4C0A703DCCF890617B
FFD25E3340009109583C643DF4A21324

ENCDEC data

D2BCFF742D571A80DFEE5E2496D19C3A
6F25FA0FC69764CAC20F4269EB540FD8

ENCDEC tweak

C19C7F987EDB6E244B07BEDEFA1E6CC9
F08524D98C05654CC742141E01F823E1

PS2 Emu Specific

Used for ps2 memory card save generation.

mc_iso individuals seed

5238D0FA23A993B8971D400F982D2177
8130DCF4DE7C4E119C1DE286AA37610B
1AB711223F27681659AE6B71F184F9CB
0E00D08AD06AF9F7A1D55F69C71D2B25
  • Location: mc_iso_spu_module.self

me_iso individuals seed

F2336E2563B603077A76657126CAE4DB
820E92856B693CE81422E9FB1C1CA5B3
E943388E4B480350AA24A5FBFABFD172
D97A1E25DE3E64A0A7A482528456B174
  • Location: me_iso_spu_module.self

Syscon Specific

Used for individual SYSCON authentication.

sc_iso module seed

B0D655764C3B44B338F32DD1D0999B66
48A35A2CEB15E28EECDC2DC0B4C7EB05
DC8225C0D5789DBB2E89A24A78585800
72363834EE1A116C2CD25E58EE6763F7

sc_iso module seed  SD 

0AB7611E56DA45076B46129718F5C80E
80BFFBA1800145BF2F1C02F7C011FDE8
E486A45215B5FFFF432DD7F7DFF0C47D
989ADED904DD987FC93BD735DA114397

sc_magic::auth_magic

63DCA7D3FEE47F749A408363F1104E8F auth_1 0x00
4D10094324009CC8E6B69C70328E34C5 auth_2 0x00
D97949BAD8DA69D0E01BF31523732832 auth_1 0x01
C9D1DD3CE27E356697E26C12A7B316A8 auth_2 0x01
72FF4C7FD2A5908D6C9C3FD3C037FEEB auth_1 0x02
FA8D083C052080D4A19453452E179A44 auth_2 0x02
35F8421295CBF484E06A17FA2FB98686 auth_1 0x03
C2F3685E7EF49768337B79FDBC8265BE auth_2 0x03
C6E19331FC6D75D1C2800913D1793C7E auth_1 0x04
771A755F402D5196D02A0D092BEFE01E auth_2 0x04
B11701629ED2FA918F9F4D8B78D72D74 auth_1 0x05
19930DE0B6FDCFFC7BA630B82D530431 auth_2 0x05
4420ED722FEA35021955AB40C78EE6DF auth_1 0x06
3E67C2D9432E15D09BEF0E6C6492455D auth_2 0x06
5FA6AF2BB07F72E2ABF80B4EF6DA98E0 auth_1 0x07
8CB782E53E8AEB8A768D366598281B9B auth_2 0x07
  • Size: 256 bytes

random xseed

AB19502586A381E670D34F560EAAF31A20475903

Used for generating a random number through the use of ch74.

data key seed

73686572776F6F645F73735F73656564 "sherwood_ss_seed"

tweak key seed

73735F736565645F6F6E655F6D6F7265 "ss_seed_one_more"

vtrm key seed

6B6579736565645F666F725F73726B32 "keyseed_for_srk2"

seed for backup

736565645F666F725F6261636B757000 "seed_for_backup."

eEID1 fallback

84DEDB601CBFE24C17DDC7BD1B466406
0126A315C548FDD56C0DF6DE19667079
CB21566A84CAFE5CC883F5255E9586E4
4C02AC7201D69D2F6274E86918BE2703
4A86714B7D122170D45E317F97D173E7
615506000725FDE96EE7ACA391D06F73
3B24EABA2DCB71B6AEC2AB4B809ABD09
B8B7EDD3361CC1F3B71DA99617B7DC01
518E3B27164816ACF9C89157B07BB6C8
633D8DD1CFCE1E15AED07083E38E8EBB
145138B3BA0E240F3A7E77678D9D2961
BD123E045C9C0C58A9A03EB8940A1B99
75A1EE8E575ADFD8811BDE09B098ED38
F87F7DC557618412C827EF32FD5215D0
20900F5D2DF6C1BA52CB1B2E5DBC0310
5C91D011F8F232DD14CFA4E9A3108069
DFA88A3C2E27CB4892E8074794B32CF4
B78EC1E9E6A83ECC280182E29E22EDCE
A0A8BA86FF4304C488A8BD461A9B2D6F
E56C435F841C561E0E724F6CEDF38505
1EBB412CB7BBD395D56FD515782C5957
B687263DF0F4E5353BBAD52CCE4C634F
842663A906ED14319746A91FC63E556A
60426AB2283679450F76054E0EB39F22
F92881B49D9811F846E392FB66056DCB
267AA10094FD262D121B5576A0E6C0F1
58DEF55F710C789D8ED78CDE4E6AD6F8
2D9F8180B8C050D9B1847BC50803D3A4
5CB1178E0241C39AC3AA77558BA96567
7EECBF204F0760ECD976FE20AE97BA5C
4150D9D7EA9AC4C286E63C21FBDCE903
B6AD8EDA663C266A1B8F81F843A1C919
5856F90CB7390EBDB5A000D87F4E2619
CDA436059FD3723C3B6DA657E6D936D8
EA517214BA336B9B57912840AF8A3E76
EA715EE979F03A9857AA358E83B45E0E
8FC797DF9927B0E933EA33EBA1592231
E34C8E3E54C98E27C2E3AB69CC0E45F1
AD1BC8B53D9F87107F3FB7BB1B5E26B2
B710593154505CF21A36E2E57823D5BE
0D5D3AB4CD04B1C27A74BEE02E6D25F4

eEID1 fallback decrypted

1E05FC2C1A5C5512E0604252C7A3C942
9E6C2A490A6543914510071EC93987BB
3BF1CDB740E234FE7D9A9444FC53E3AB
57548976BA11018074C3FF2ADD1A469A
680EDC509AD0CBC6C90CEA843905482A
BEAB40BA985E134492FD8FC1487DC828
0EEF78B26AD1A241C38C743BB344DAFE
1A0B7E797669107B673A95C4617AF0EC
3E600567DC98B61CFB44F5972086CD38
C36D5EC828F2D81476302FED32FC2E83
162FA5D83931BFE1154321CDAA240C6C
38B27DF52F81E0069F906075EDB6E739
4EE82A46A9729A68728735DFC9C9F461
A29CD185CC02CF9EB37BDD83D0ABA0AA
BA9D51FBD95F88E3CBDDD2300E51F086
3A059B178EB657C8E793473B0CC3298B
E9AF9924FDD6BCD0E7D3B43161DDF8BF
A8DCAB3577F30F7B81C788B80446B03F
C240BD9F72BBFC7268E4E688C1C24F6E
EF100F2B53199715A99C3E4794487073
74CE56F619FBD2486115A2FBA4F5FBB4
5900A06CB88F39D4D2B430B299EA6910
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
  • Decrypted with flash key 0x10.

Notes

  • libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. So use them.
  • https://github.com/zecoxao/ps3_decrypt_tools Up-to-date tools for decrypting and encrypting.
  • You will need eid_root_key (and IV), hdd image and EID.
  • The seeds are scattered all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
  • Many thanks to fail0verfl0w for this. Gotta love the print_hash function :3
  • Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
  • ss_sc_init contains fallback EID1 of size 0x290 bytes.

References

THE PLACEHOLDER <- this curious pastie contains the first 4 bytes of several keys/seeds

1st-eid2 indiv seed
2nd-eid0 indiv seed
3rd-eid1 indiv seed
4th-eid4 indiv seed
5th-ata data seed
6th-me iso indiv seed
7th-mc iso indiv seed

[Iso_module isolated modules] <- used as reference for EID specific seeds, amongst others

EID Structure

EID is made of 6 "partitions" from EID0 to EID5.

EID0

EID0 embeds 11 sections.

EID0 Section

  • Size: 0xC0 bytes.
Description Length Note
Data 0x10 contains the actual data of the file (either idps or psid)
plaintext public key 0x28 contains the section's public key (without padding)
R 0x14 part of the ecdsa signature pair (r,s)
S 0x14 part of the ecdsa signature pair (r,s)
public key 0x28 ecdsa public key (can be used to verify ecdsa signature RS)
encrypted private key 0x20 encrypted blob that contains the section's private key (with padding)
cmac 0x10 hash of the previous information in CMAC mode
padding 0x8 zero byte padding for AES 128 bits encryption

EID1

  • Size: 0x2A0 bytes.
Offset Length Description
0 0x10 INIT Seed
0x10 0x80 AUTH1 Reencrypted Keyseeds
0x90 0x80 AUTH2 Reencrypted Keyseeds
0x110 0x40 Keyseeds (Time Service Purpose)
0x150 0x10 KeySeed (SNVS/Time Related)
0x160 0x120 Padding (Zeroes)
0x280 0x10 CMAC of Encrypted Data Using Master Key 0x20 if on EEPROM to CMAC (and encrypt/decrypt) or Master Key 0x10 if on FLASH
0x290 0x10 CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 Seeds

EID2

  • Size: 0x730 bytes.

Related to BD drive. See Hypervisor_Reverse_Engineering#Remarrying.

Description Length Note
Header 0x20
P(rimary) block 0x80 contains bd drive info
S(econdary) block 0x690 contains bd drive info

EID3

  • Size: 0x100 bytes.

Related to Communicatio. See Hypervisor_Reverse_Engineering#Communication.

Offset Description Length Note
0x00 Header 0x20 contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce
0x20 cprm player keys 0xB8
0xD8 sha1 digest 0x14 sha1 digest of previous section
0xEC padding 0x4
0xF0 omac1 digest 0x10 omac1 digest of whole eid3

EID4

  • Size: 0x30 bytes.
Description Length Note
Drive Key 1 0x10 Encrypts data sent from host to bd drive
Drive Key 2 0x10 Decrypts data sent from bd drive to host
CMAC/OMAC1 0x10 Hash of the previous bytes in CMAC/OMAC1 mode

EID5

  • Size: 0xA00 bytes.

The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use. Its size is similar to EID0, but it has an additional 0x1A0 bytes.