Spuisofs
Introduction
- spuisofs is a Linux virtual filesystem which allows you to execute isolated SPU modules from user-space.
- spuisofs can only execute isolated SPU modules that have been decrypted by isoldr.
- I used this driver, for example, to dump my EID0 key and my ATA keys.
Mounting
glevand@debian:~$ sudo mount -t spuisofs none /mnt
Filesystem Layout
glevand@debian:~$ ls -l /mnt
total 0
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 app
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 arg1
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 arg2
--w--w--w- 1 root root       0 Aug 16 11:10 cont
-r--r--r-- 1 root root       0 Aug 16 11:10 info
-rw-rw-rw- 1 root root  262144 Aug 16 11:10 ls
-rw-rw-rw- 1 root root  131072 Aug 16 11:10 priv2
-rw-rw-rw- 1 root root  131072 Aug 16 11:10 problem
--w--w--w- 1 root root      24 Aug 16 11:10 run
-r--r--r-- 1 root root    4096 Aug 16 11:10 shadow
glevand@debian:~$ cat /mnt/info
arg1 d000000003b9d000
arg2 d000000003c9e000
Dumping EID0 Key with spuisofs
- I modified aim_spu_module.self to dump the EID0 IV and key through my spuisofs.
- Encrypt the EID0 key seed with the dumped IV and key and you will get your EID0 AES-CBC-128 key.
EID0 Key Seed
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
SPU Program
Here is my SPU program to dump the EID0 key and IV:
/*
 * Dump EID0 IV and key to EA with MFC
 *
 * Copyright (C) 2012 glevand <[email protected]>
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published
 * by the Free Software Foundation; version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

.text

start:
	ila $2, 0x3dfa0
	lr $sp, $2		# stack pointer near the top of local store

	ila $80, 0x3e000	# LSA of the dump buffer in local store
	lr $81, $3		# save EA of the target buffer (passed in $3)

	stqd $7, 0($80)
	stqd $8, 0x10($80)	# store EID0 IV
	stqd $9, 0x20($80)	# store upper 16 bytes of EID0 key
	stqd $10, 0x30($80)	# store lower 16 bytes of EID0 key
	stqd $11, 0x40($80)
	stqd $12, 0x50($80)

	lr $3, $80		# LSA
	lr $4, $81		# EA
	il $5, 0x60		# size: 0x60 bytes
	il $6, 0x7		# tag 7
	il $7, 0x20		# MFC PUT command
	brsl $lr, 0x10		# mfc_dma_xfer

	il $3, 0x7		# wait for tag 7
	brsl $lr, 0x28		# mfc_dma_wait

	stop 0x666		# our evil stop code :)

/*
 * r3 - LSA
 * r4 - EA
 * r5 - size
 * r6 - tag
 * r7 - cmd
 */
mfc_dma_xfer:
	wrch $ch16, $3		# MFC_LSA
	wrch $ch17, $4		# MFC_EAH (upper 32 bits of EA)
	shlqbyi $4, $4, 4	# move lower 32 bits of EA into the preferred slot
	wrch $ch18, $4		# MFC_EAL
	wrch $ch19, $5		# MFC_Size
	wrch $ch20, $6		# MFC_TagID
	wrch $ch21, $7		# MFC_Cmd
	bi $lr

/*
 * r3 - tag
 */
mfc_dma_wait:
	il $2, 0
	nop $127
	hbra 2f, 1f
	wrch $ch23, $2		# MFC_WrTagUpdate: immediate
1:
	rchcnt $2, $ch23	# spin until the tag update channel is free
	ceqi $2, $2, 1
	nop $127
	nop $127
	nop $127
	nop $127
	nop $127
2:
	brz $2, 1b
	hbr 3f, $lr
	rdch $2, $ch24		# MFC_RdTagStat: drain stale status
	il $2, 1
	shl $2, $2, $3
	wrch $ch22, $2		# MFC_WrTagMask = 1 << tag
	il $2, 2
	wrch $ch23, $2		# MFC_WrTagUpdate: wait for all masked tags
	rdch $2, $ch24		# MFC_RdTagStat: blocks until the transfer completes
	nop $127
3:
	bi $lr
Result
[glevand@arch dump_eid0_key]$ ./dump_eid0_key ../dump_eid0_key.self ../eid0
spuisofs found at /mnt
arg1 kernel virtual address d000000000722000
shadow: spe_execution_status 7
priv2: puint_mb_R 2
shadow: spe_execution_status b
problem: spu_status_R 6660082
[glevand@arch dump_eid0_key]$ hexdump -C /mnt/arg1
...
Here are your EID0 key and IV
At offset 0x10 is EID0 IV (16 bytes)
At offset 0x20 is EID0 key (32 bytes)
...
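The following Python script is an added example, not part of this page and not glevand's dump_eid0_key tool. It shows the two checks a practitioner wants around a spuisofs run: parsing the info file layout shown above (one "name hex-address" pair per line), and decoding the spu_status_R value the tool prints, so that the dump in arg1 is only trusted when the SPU actually stopped on the program's "stop 0x666" rather than on an invalid instruction or channel error. It then carves the IV and key using the 0x10/0x20 offsets the SPU program writes. The status bit names follow the SPU_STATUS_* definitions in the Linux kernel's asm/spu.h; the helper names are my own, and the log text and arg1 buffer are constructed sample data, not real output or real key material.

```python
"""Check a spuisofs run result and carve the EID0 IV/key from the arg1 buffer.

Added example, not part of the spuisofs page or the dump_eid0_key tool.
Helper names are hypothetical; the sample log and buffer below are constructed.
"""
import re

# SPU status register bits, as defined in the Linux kernel's asm/spu.h.
SPU_STATUS_BITS = {
    0x001: "RUNNING",
    0x002: "STOPPED_BY_STOP",
    0x004: "STOPPED_BY_HALT",
    0x008: "WAITING_FOR_CHANNEL",
    0x010: "SINGLE_STEP",
    0x020: "INVALID_INSTR",
    0x040: "INVALID_CH",
    0x080: "ISOLATED_STATE",
    0x200: "ISOLATED_LOAD_STATUS",
    0x400: "ISOLATED_EXIT_STATUS",
}

EXPECTED_STOP_CODE = 0x666  # the "stop 0x666" at the end of the SPU program

# Buffer layout written by the SPU program (0x60 bytes DMA'd to arg1).
IV_OFFSET, IV_LEN = 0x10, 16
KEY_OFFSET, KEY_LEN = 0x20, 32
DUMP_LEN = 0x60


def parse_info(text):
    """Parse the spuisofs 'info' file: one '<name> <hex kernel address>' per line."""
    addrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        addrs[parts[0]] = int(parts[1], 16)
    return addrs


def decode_spu_status(status):
    """Split spu_status_R into (stop code, list of set flag names).

    The stop-and-signal code sits in bits 16..31; the low bits are status flags.
    """
    stop_code = (status >> 16) & 0xFFFF
    flags = [name for bit, name in sorted(SPU_STATUS_BITS.items()) if status & bit]
    return stop_code, flags


def parse_result_log(text):
    """Return the last spu_status_R value printed in the tool's console output."""
    values = re.findall(r"problem: spu_status_R ([0-9a-fA-F]+)", text)
    return int(values[-1], 16) if values else None


def run_finished_cleanly(status):
    """True only if the SPU stopped on a stop instruction with the expected code
    and no error flag (halt, invalid instruction, invalid channel) is set."""
    stop_code, flags = decode_spu_status(status)
    errors = {"STOPPED_BY_HALT", "INVALID_INSTR", "INVALID_CH"}
    return (stop_code == EXPECTED_STOP_CODE
            and "STOPPED_BY_STOP" in flags
            and not errors.intersection(flags))


def carve_eid0_material(buf):
    """Return (iv, key) from the arg1 buffer using the SPU program's layout."""
    if len(buf) < DUMP_LEN:
        raise ValueError("arg1 buffer shorter than the 0x60-byte dump")
    iv = bytes(buf[IV_OFFSET:IV_OFFSET + IV_LEN])
    key = bytes(buf[KEY_OFFSET:KEY_OFFSET + KEY_LEN])
    return iv, key


# Constructed sample data: NOT real console output and NOT real key material.
SAMPLE_INFO = "arg1 d000000003b9d000\narg2 d000000003c9e000\n"
SAMPLE_LOG = (
    "spuisofs found at /mnt\n"
    "shadow: spe_execution_status 7\n"
    "priv2: puint_mb_R 2\n"
    "shadow: spe_execution_status b\n"
    "problem: spu_status_R 6660082\n"
)
SAMPLE_ARG1 = bytes(range(DUMP_LEN))  # placeholder dump: byte i == i


def demo():
    addrs = parse_info(SAMPLE_INFO)
    status = parse_result_log(SAMPLE_LOG)
    stop_code, flags = decode_spu_status(status)
    print("arg1 at 0x%x, stop code 0x%x, flags %s" % (addrs["arg1"], stop_code, flags))
    if not run_finished_cleanly(status):
        raise SystemExit("SPU run did not finish cleanly; not trusting the dump")
    iv, key = carve_eid0_material(SAMPLE_ARG1)
    print("IV :", iv.hex())
    print("key:", key.hex())
    return iv, key


if __name__ == "__main__":
    demo()
```

For the status value in the page's output, 6660082, the decoder yields stop code 0x666 with STOPPED_BY_STOP and ISOLATED_STATE set, which is exactly what a clean run of the program above looks like; a value whose low bits include INVALID_INSTR or INVALID_CH means the module faulted before the DMA, and the arg1 contents should be discarded. To use it on a real run, replace SAMPLE_INFO with the contents of /mnt/info, SAMPLE_LOG with the tool's output and SAMPLE_ARG1 with the first 0x60 bytes of /mnt/arg1.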