SELF - SPRX: Difference between revisions
CelesteBlue (talk | contribs) |
CelesteBlue (talk | contribs) |
||
| Line 428: | Line 428: | ||
<source lang="C"> | <source lang="C"> | ||
typedef struct { | typedef struct { | ||
uint32_t type; // 1=PS3 | uint32_t type; // 1=PS3 plaintext_capability; 2=PS3 ELF digest info; 3=PS3 NPDRM info, 4=PSVita ELF digest info; 5=PSVita NPDRM info; 6=PSVita boot param info; 7=PSVita shared secret info | ||
uint32_t size; | uint32_t size; | ||
uint64_t next; // 1 if another Supplemental Header element follows else 0 | uint64_t next; // 1 if another Supplemental Header element follows else 0 | ||
| Line 435: | Line 435: | ||
// type 1, 0x30 bytes | // type 1, 0x30 bytes | ||
struct { // 0x20 bytes of data | struct { // 0x20 bytes of data | ||
plaintext_capability_t plaintext_capability; | |||
} PS3_plaintext_capability; | |||
} | |||
// type 2, 0x40 bytes | // type 2, 0x40 bytes | ||
| Line 519: | Line 512: | ||
The PSJailbreak payload ignores the actual checksums, but checks that the 3rd checksum is the 2nd checksum XORed with 0xAAAAAA..AAAAAB. | The PSJailbreak payload ignores the actual checksums, but checks that the 3rd checksum is the 2nd checksum XORed with 0xAAAAAA..AAAAAB. | ||
Notes: | Notes: | ||
* | * See [[Control_Flags]]. | ||
*loader uses supplemental_header_table to handle | * PS3 loader uses supplemental_header_table to handle some data: | ||
<source lang="C"> | <source lang="C"> | ||
typedef struct { | |||
uint256_t control_flags; /* self_control_flags */ | uint256_t control_flags; /* self_control_flags */ | ||
uint8[0x14] elf_digest; /* sha1 hash of the ELF file */ | uint8[0x14] elf_digest; /* sha1 hash of the ELF file */ | ||
uint32_t unknown_0; /* seems to be padding */ | uint32_t unknown_0; /* seems to be padding */ | ||
uint64_t PS3_SYSTEM_VER; /* required_system_vesion, decimal format */ | uint64_t PS3_SYSTEM_VER; /* required_system_vesion, decimal format */ | ||
} supplemental_header_table; | |||
</source> | </source> | ||
Revision as of 21:43, 24 December 2019
| This article is marked for rewrite/restructuring in proper wiki format. You can help PS3 Developer wiki by editing it. |
SELF stands for Signed Executable and Linkable Format. It is the format used by the executables on the PS3 and PS Vita.
Introduction
It consists of a CF header with an extended header followed by the encapsulated ELF file. ELF sections can be compressed using gzip. SELFs are encrypted and signed, unlike fSELFs. ELF sections are encrypted using AES CTR (maybe more algos?) and signed using ECDSA + HMAC-SHA1. SELF file has a specific header called Extended header where it stores all the parameters for this program.
- Extended Header
It consists of information regarding the structure and offsets of the SELF. The first part is in plaintext until you reach Encryption Root Header.
- Encryption Root Header
Encryption Root Header is itself encrypted under AES256CBC. This part contains key and ivec to further decrypt the header using AES128CTR.
- Metadata
The Certification Header, Segment Certification Headers, Section Hashes, Capabilities and Signature are all encrypted under this AES128CTR layer and are decrypted with the key above.
- Certification Header
Certification Header contains the info required to authenticate the header and the structure of the metadata. The signature is ECDSA of the SHA1 hash of the SELF file starting at offset 0x0 and ending at 0x0+signatureInputLength.
- Data Sections
The data sections might be encrypted using AES128CTR and/or compressed. HMAC-SHA1 is used to ensure that they have not been modified.
Cryptography
Here is a small summary on how the SELF cryptography works.
Basically here are the steps being involved by the loaders:
Loaders all have a static key and iv called respectively erk and riv. Those are keys for the first decryption step which are used to decrypt the very first 0x40 bytes of the SELF's metadata using AES256CBC.
Then the result is used as key and iv to decrypt the rest of the metadata using AESCTR. Finally the decrypted metadata contains the key and iv for each data sections which are still decrypted through AES128CTR. This security model is based on the fact that the first 0x40 bytes of the SELF's metadata once decrypted by the static AES256CBC key in the loader should never be the same from one binary to the other. The same goes for any other value used as an AES128CTR key or iv.
Loaders are also involved with inflating the binaries using zlib.
The SELF authenticity is based on other independent steps, HMAC-SHA1 of the data sections and ECDSA for the actual signature in the header.
Short references
More indepth Online course about encryption in generic (also AES/ECDSA): Lecture Notes on Computer and Network Security by Avinash Kak
File Format
Notes:
- Warning: PS3 uses big endian, PSVita uses little endian.
- Encapsulated ELF header fields are useless (only the EI_CLASS EI_DATA and EI_VERSION fields are checked).
PS3 early type 3 SELFs
SDK 0.60: No sce version and digest SDK 0.8X: No sce version, with 0x30 digest SDK 0.9X: With sce version and 0x40 digest (scetool produces this type)
Extended Header
Extended Header offsets are relative to Certified File start.
Struct
typedef struct { // Size is 0x50 bytes
uint64_t ext_hdr_version;
uint64_t program_identification_hdr_offset;
uint64_t ehdr_offset;
uint64_t phdr_offset;
uint64_t shdr_offset;
uint64_t sections_hdr_offset;
uint64_t version_hdr_offset;
uint64_t supplemental_hdr_offset;
uint64_t supplemental_hdr_size;
uint64_t padding;
} __attribute__((packed)) ext_hdr;
Table
| field | offset | type | notes |
|---|---|---|---|
| Extended Header version | 0x0 | u64 | 3 for PS3, 4 for PSVita |
| Program Identification Header offset | 0x8 | u64 | Offset to Program Identification Header. |
| ELF Header offset | 0x10 | u64 | Offset to ELF header. |
| Program Header offset | 0x18 | u64 | Offset to ELF Program Header. |
| Section Header offset | 0x20 | u64 | Offset to ELF Section Header. |
| Program Extended Header offset | 0x28 | u64 | Offset to Program Extended Header. |
| Version Header offset | 0x30 | u64 | Offset to Version Header. |
| Supplemental Header offset | 0x38 | u64 | Offset to Supplemental Header. |
| Supplemental Header size | 0x40 | u64 | Size of Supplemental Header. |
| Padding | 0x48 | u64 |
Comments
The real ELF data is located after the extended header (see header size). It is encrypted, unless attribute is 0x8000. unfself works by cutting the SCE header from the (fake)SELF and if needed decompressing sections.
Program Identification Header
Temp name was App Info. Official name is Program Identification Header.
Struct
typedef struct {
uint64_t program_authority_id;
uint32_t program_vendor_id;
uint32_t program_type;
uint64_t program_sceversion;
uint64_t padding;
} __attribute__((packed)) program_identification_header;
Table
| field | offset | type | notes | example |
|---|---|---|---|---|
| program_authority_id | 0x00 | u64 | See authority_id | ex: 21 00 00 10 1C CA 01 30 |
| program_vendor_id | 0x08 | u32 | See vendor_id | ex: 00 00 00 00 |
| program_type | 0x0C | u32 | See Program Type | ex: 08 00 00 00 |
| program_sceversion | 0x10 | u64 | ?SDK version or app version? version ex: 01.02 is translated by make_fself.exe to 02 01 00 00 | ex: 0x0000036000000000 (3.600.011), 0x0000009450000000 (0.945.040) |
| padding | 0x18 | u64 | Padding | 00 00 00 00 00 00 00 00 |
Comments
Aligned to 0x10 bytes.
ELF Header
Struct
PS3
typedef struct {
uint8_t e_ident[16]; /* ELF identification */
uint16_t e_type; /* object file type */
uint16_t e_machine; /* machine type */
uint32_t e_version; /* object file version */
uint64_t e_entry; /* entry point address */
uint64_t e_phoff; /* program header offset */
uint64_t e_shoff; /* section header offset */
uint32_t e_flags; /* processor-specific flags */
uint16_t e_ehsize; /* ELF header size */
uint16_t e_phentsize; /* size of program header entry */
uint16_t e_phnum; /* number of program header entries */
uint16_t e_shentsize; /* size of section header entry */
uint16_t e_shnum; /* number of section header entries */
uint16_t e_shstrndx; /* section name string table index */
} __attribute__((packed)) ELF;
See also specifications: ELF Header ELF-64 Object File Format
PSVita
typedef struct {
uint8_t e_ident[16]; /* ELF identification */
uint16_t e_type; /* object file type */
uint16_t e_machine; /* machine type */
uint32_t e_version; /* object file version */
uint32_t e_entry; /* entry point address */
uint32_t e_phoff; /* program header offset */
uint32_t e_shoff; /* section header offset */
uint32_t e_flags; /* processor-specific flags */
uint16_t e_ehsize; /* ELF header size */
uint16_t e_phentsize; /* size of program header entry */
uint16_t e_phnum; /* number of program header entries */
uint16_t e_shentsize; /* size of section header entry */
uint16_t e_shnum; /* number of section header entries */
uint16_t e_shstrndx; /* section name string table index */
} __attribute__((packed)) ELF;
| Name of the variable | Offset | Size | Notes |
|---|---|---|---|
| e_ident[0..3] | 0 | 4 | Magic. |
| e_ident[4] | 4 | 1 | Class Type. Must be [ELFCLASS32 = 0x01]. |
| e_ident[5] | 5 | 1 | Data Type. Must be [ELFDATA2LSB = 0x01]. |
| e_ident[6] | 6 | 1 | File version. Must be 1. |
| e_ident[7...15] | 7 | 9 | unused |
| e_type | 0x10 | 2 | See SCE-specific e_type. |
| e_machine | 0x12 | 2 | Must be [EM_ARM = 0x0028]. |
| e_version | 0x14 | 4 | Must be 0x1. |
| e_entry | 0x18 | 4 | Address to jump to in order to start program (warning not always set) |
| e_phoff | 0x1C | 4 | Boundary checked, but unused (already given by SELF header). ?and for fSELF? |
| e_shoff | 0x20 | 4 | unused |
| e_flags | 0x24 | 4 | unused |
| e_ehsize | 0x28 | 2 | Must be sizeof(Elf32_Ehdr) = 0x0034. |
| e_phentsize | 0x2A | 2 | Must be sizeof(Elf32_Phdr) = 0x0020. |
| e_phnum | 0x2C | 2 | Count of Program Header in this ELF. |
| e_shentsize | 0x2E | 2 | unused |
| e_shnum | 0x30 | 2 | unused |
| e_shstrndx | 0x32 | 2 | unused |
See also specifications: yifanlu specs
SCE specific ELF types (e_type)
/* SCE-specific definitions for e_type: */
#define ET_SCE_EXEC 0xFE00 /* SCE Executable */
#define ET_SCE_RELEXEC 0xFE04 /* SCE Relocatable Executable */
#define ET_SCE_STUBLIB 0xFE0C /* SCE SDK Stubs */
#define ET_SCE_DYNAMIC 0xFE18 /* ? */
#define ET_SCE_IOPRELEXEC 0xFF80 /* SCE IOP Relocatable Executable */
#define ET_SCE_IOPRELEXEC2 0xFF81 /* SCE IOP Relocatable Executable Version 2 */
#define ET_SCE_EERELEXEC 0xFF90 /* SCE EE Relocatable Executable */
#define ET_SCE_EERELEXEC2 0xFF91 /* SCE EE Relocatable Executable Version 2 */
#define ET_SCE_PSPRELEXEC 0xFFA0 /* SCE PSP Relocatable Executable */
#define ET_SCE_PPURELEXEC 0xFFA4 /* SCE PPU Relocatable Executable */
#define ET_SCE_ARMRELEXEC 0xFFA5 /* ?SCE ARM Relocatable Executable (PSVita FW <=0.931) */
#define ET_SCE_PSPOVERLAY 0xFFA8 /* ? */
OS ABI identification
#define ELFOSABI_CELL_LV2 102 /* CELL LV2 */
ELF Program Header
Struct
PS3
typedef struct
{
Elf64_Word p_type; /* Segment type */
Elf64_Word p_flags; /* Segment flags */
Elf64_Off p_offset; /* Segment file offset */
Elf64_Addr p_vaddr; /* Segment virtual address */
Elf64_Addr p_paddr; /* Segment physical address */
Elf64_Xword p_filesz; /* Segment size in file */
Elf64_Xword p_memsz; /* Segment size in memory */
Elf64_Xword p_align; /* Segment alignment */
} Elf64_Phdr;
PSVita
typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;
See Spec here: ELF Program Headers
Processor specific segment types (p_type)
*PT_SCE_IOPMOD = 0x70000080
*PT_SCE_EEMOD = 0x70000090
*PT_SCE_PSPREL = 0x700000A0
*PT_SCE_PPURELA = 0x700000A4
*PT_SCE_SEGSYM = 0x700000A8
Processor specific segment flags (p_flags)
*PF_SPU_X = 0x00100000
*PF_SPU_W = 0x00200000
*PF_SPU_R = 0x00400000
*PF_RSX_X = 0x01000000
*PF_RSX_W = 0x02000000
*PF_RSX_R = 0x04000000
ELF Section Header
Struct
typedef struct {
uint32_t sh_name; /* section name */
uint32_t sh_type; /* section type */
uint64_t sh_flags; /* section attributes */
uint64_t sh_addr; /* virtual address in memory */
uint64_t sh_offset; /* offset in file */
uint64_t sh_size; /* size of section */
uint32_t sh_link; /* link to other section */
uint32_t sh_info; /* miscellaneous information */
uint64_t sh_addralign; /* address alignment boundary */
uint64_t sh_entsize; /* size of entries, if section has table */
} __attribute__((packed)) ELF_SHDR;
Comments
Processor specific section types (sh_type):
- SHT_SCE_IOPMOD = 0x70000080
- SHT_SCE_EEMOD = 0x70000090
- SHT_SCE_PSPREL = 0x700000a0
- SHT_SCE_PPURELA = 0x700000a4
Program Extended Header
A table which maps each phdr entry to the actual offset/size within the encrypted CF. Indeed, because sections can be compressed, they might not match the values listed within the ELF phdr/shdr.
There is one of these entries (Section/Segment Information) for each ELF phdr (Program Header) entry in the ELF file so that the console knows where to decrypt the data from (because it might also be compressed).
Struct
typedef struct {
uint64_t offset;
uint64_t size;
uint32_t compression;
uint32_t unknown;
uint64_t encryption;
} __attribute__((packed)) program_ext_header;
Table
| field | offset | type | notes |
|---|---|---|---|
| Offset | 0x00 | u64 | Offset to data |
| Size | 0x08 | u64 | Size of data |
| Compression | 0x10 | u32 | 1 = uncompressed, 2 = compressed |
| Unknown | 0x14 | u32 | Always 0, as far as I know. |
| Encryption | 0x18 | u64 | 1 = encrypted, 2 = unencrypted |
Version Header
It contains some version information, including an offset to the .sceversion section of the encrypted ELF.
Struct
typedef struct {
uint32_t subheader_type; // 1 - sceversion
uint32_t present; // 0 = false, 1 = true
uint32_t size; // ex: 0
uint32_t unknown4;
} __attribute__((packed)) version_header;
Data Struct
typedef struct {
uint16 unknown_1;
uint16 unknown_2; // 0x1
uint32 unknown_3;
uint32 unknown_4; // ?Number of sections?
uint32 unknown_5;
////
uint64 offset; // Data offset
uint64 size; // Data size
//// <- these are supposed to be sections
} SCE_VERSION_DATA_30;
Comments
Supplemental Header Table
Temp name was Control Information. Official name is Supplemental Header.
Struct
typedef struct {
uint32_t type; // 1=PS3 plaintext_capability; 2=PS3 ELF digest info; 3=PS3 NPDRM info, 4=PSVita ELF digest info; 5=PSVita NPDRM info; 6=PSVita boot param info; 7=PSVita shared secret info
uint32_t size;
uint64_t next; // 1 if another Supplemental Header element follows else 0
union {
// type 1, 0x30 bytes
struct { // 0x20 bytes of data
plaintext_capability_t plaintext_capability;
} PS3_plaintext_capability;
// type 2, 0x40 bytes
struct { // 0x30 bytes of data
uint8_t constant[0x14]; // same for every PSVita/PS3 SELF, hardcoded in make_fself.exe: 627CB1808AB938E32C8C091708726A579E2586E4
uint8_t elf_digest[0x14]; // on PSVita: SHA-256 of source ELF file, on PS3: SHA-1. Hash F2C552BF716ED24759CBE8A0A9A6DB9965F3811C is blackisted by appldr
uint64_t required_system_version; // filled on Sony auth server, contains decimal PS3_SYSTEM_VER value from PARAM.SFO
} PS3_elf_digest_40;
// type 2, 0x30 bytes
struct { // 0x20 bytes of data
uint8_t constant_or_elf_digest[0x14];
uint8_t padding[0xC];
} PS3_elf_digest_30;
// type 3, 0x90 bytes
struct { // 0x80 bytes of data
uint32_t magic; // 4E 50 44 00 ("NPD.")
uint32_t license_version;
uint32_t drm_type; // [[License Types|license_type]]
uint32_t app_type; // [[App Types|app_type]]
uint8_t content_id[0x30];
uint8_t digest[0x10]; // sha-1 hash of debug self/sprx created with make_fself_npdrm
uint8_t inv_digest[0x10]; // hash_cid_fname
uint8_t xor_digest[0x10]; // hash_cid
uint8_t padding[0x10];
} PS3_npdrm_info;
// type 4, 0x50 bytes
struct { // 0x40 bytes of data
uint8_t constant[0x14]; // same for every PSVita/PS3 SELF, hardcoded in make_fself.exe: 627CB1808AB938E32C8C091708726A579E2586E4
uint8_t elf_digest[0x20]; // on PSVita: SHA-256 of source ELF file, on PS3: SHA-1
uint8_t padding[8];
uint32_t min_required_fw; // ex: 0x363 for 3.63
} PSVita_elf_digest_info;
// type 5, 0x110 bytes
struct { // 0x80 bytes of data
uint32_t magic; // 7F 44 52 4D (".DRM")
uint32_t finalized_flag; // ex: 80 00 00 01
uint32_t drm_type; // [[License Types|license_type]] ex: 2 local, 0xD free with license
uint32_t padding;
uint8_t content_id[0x30];
uint8_t digest[0x10]; // ?sha-1 hash of debug self/sprx created using make_fself_npdrm?
uint8_t padding_78[0x78];
uint8_t hash_signature[0x38]; // unknown hash/signature
} PSVita_npdrm_info;
// type 6, 0x110 bytes
struct { // 0x100 bytes of data
uint32_t is_used; // 0=false, 1=true
uint8_t boot_param[0x9C]; // ex: starting with 02 00 00 00
} PSVita_boot_param_info;
// type 7, 0x50 bytes
struct { // 0x40 bytes of data
uint8_t shared_secret_0[0x10]; // ex: 0x7E7FD126A7B9614940607EE1BF9DDF5E or full of zeroes
uint8_t shared_secret_1[0x10]; // ex: full of zeroes
uint8_t shared_secret_2[0x10]; // ex: full of zeroes
uint8_t shared_secret_3[0x10]; // ex: full of zeroes
} PSVita_shared_secret_info;
};
} __attribute__((packed)) supplemental_header;
Table
Comments
There are 3 digests in ps3_npdrm_info:
- digest is the sha1 checksum of the entire SELF file.
- inv_digest is the inverse of digest.
- xor_digest is digest XORed with 0xAAAAAA..AAAAAB.
The PSJailbreak payload ignores the actual checksums, but checks that the 3rd checksum is the 2nd checksum XORed with 0xAAAAAA..AAAAAB.
Notes:
- See Control_Flags.
- PS3 loader uses supplemental_header_table to handle some data:
typedef struct {
uint256_t control_flags; /* self_control_flags */
uint8[0x14] elf_digest; /* sha1 hash of the ELF file */
uint32_t unknown_0; /* seems to be padding */
uint64_t PS3_SYSTEM_VER; /* required_system_vesion, decimal format */
} supplemental_header_table;
Encryption Root Header
Temp name was Metadata Information. Official name is encryption_root_header.
This is not present in fSELF.
Struct
typedef struct {
uint8_t key[16];
uint8_t key_pad[16];
uint8_t iv[16];
uint8_t iv_pad[16];
} __attribute__((packed)) encryption_root_header;
Comments
Notes:
- The key and ivec fields are encrypted using AES256CBC.
Certification Header
Temp name was Metadata Header. Official name is certification_header.
This is only present if the Encryption Root Header is present.
The Certification Header is located after the Encryption Root Header in the SELF file. It is decrypted using AES128CTR with the key and ivec entries from the Encryption Root Header.
Struct
typedef struct {
uint64_t signatureInputLength;
uint32_t unknown02; // Might be signature algorithm. It always = 1 (ECDSA)
uint32_t sectionCount;
uint32_t keyCount;
uint32_t optional_header_size;
uint64_t unknown06;
} __attribute__((packed)) certification_header;
Comments
Notes:
- signatureInputLength is the number of bytes which are used to generate the SHA-1 which is used to generate the ECDSA signature. The length should be eveything from the beginning until the signature itself. The decrypted version of the input data is used.
Segment Certification Header
Temp name was Metadata Section Headers. Official name is segment_certification_header.
This is only present if the Certification Header is present.
The Segment Certification Headers are located after the Certification Header in the SELF file.
Struct
typedef struct {
uint64_t data_offset;
uint64_t data_size;
uint32_t type; // 1 = shdr, 2 = phdr, 3 = sceversion
uint32_t program_idx; // 0,1,2,3,etc for phdr, always 3 for shdrs, sceversion shdr number for sceversion
uint32_t hash_algorithm; // 2 = sha1_hmac, 3 = sha1
uint32_t hash_idx;
uint32_t enc_algorithm; // 1 = plain, 2 = aes128cbccfb, 3 = aes128ctr
uint32_t key_idx;
uint32_t iv_idx;
uint32_t compressed; // 1 = no, 2 = yes
} __attribute__((packed)) segment_certification_header;
Comments
Notes:
- The number of sections is indicated by the sectionCount entry in the Certification Header.
- They are decrypted using AES128CTR with the key and ivec entries from the Encryption Root Header.
- Section data is decrypted using AES128CTR with the key and ivec from the metadata keys specified by keyIndex and ivecIndex.
- Section data will also need to be uncompressed using zlib.
- The data_offset of the Segment Certification Header matches in general the Segment Extended Header offset.
Section Hash
Temp name was Metadata Keys.
- The Section Hashes are located after the Segment Certification Headers in the SELF file.
Struct
typedef struct {
uint8_t sha1[20];
uint8_t padding[12];
uint8_t hmac_key[64];
} __attribute__((packed)) SECTION_HASH;
Comments
Notes:
- The number of keys is indicated by the keyCount entry in the Certification Header.
- They are decrypted using AES128CTR with the key and ivec entries from the Encryption Root Header.
- If the sha1Index points to a key, then key[sha1Index] and key[sha1Index+1] form the 160-bit hash. key[sha1Index+2] to key[key[sha1Index+6] form the 512-bit key for the HMAC-SHA1. The HMAC-SHA1 is calculated on the decrypted data and before the decompression.
Optional Header Table
Temp name was Signature Info, Capabilities Info. Official name is optional_header_table.
The Optional Header Table is located after the Section Hash in the SELF file.
It is only present if optional_header_size in the Certification Header is not zero.
Struct
typedef struct {
uint32_t type; // 1=capability_header, 2=individual_seed_header, 3=attribute_header
uint32_t size;
uint64_t next; // 1 if another optional_header structure follows else 0
union {
// type 1
struct { // 0x20 bytes of data
uint8_t capability[0x20];
} capability_header;
// type 2
struct { // 0x100 bytes of data
uint8_t individual_seed[0x100];
} individual_seed_header;
// type 3
struct { // 0x20 bytes of data
uint8_t attribute[0x20];
} attribute_header;
};
} __attribute__((packed)) optional_header;
Comments
- It is decrypted using AES128CTR with the key and ivec entries from the Encryption Root Header.
- Type 1 contains capability flags also known as encrypted_capability. See capabilities.
Signature
The signature is located after the Signature Information in the SELF file.
It is even present if the Signature Information is not present.
Struct
typedef struct {
uint8_t r[21];
uint8_t s[21];
uint8_t padding[6];
} __attribute__((packed)) SIGNATURE;
Comments
Notes:
- It is decrypted using AES128CTR with the key and ivec entries from the Encryption Root Header.
Segment Extended Header
Temp name was SELF Section Info. Official name is segment_ext_header.
Struct
typedef struct {
void *data;
uint64_t size;
uint64_t offset;
} segment_ext_header;
Extracting an ELF
ELF Header
Elf64_Ehdr elfHeader; fseek ( selfFile, fix64 ( selfHeader.elfHeaderOffset ), SEEK_SET ); fread ( &elfHeader, sizeof ( Elf64_Ehdr ), 1, selfFile ); fseek ( elfFile, 0, SEEK_SET ); fwrite ( &elfHeader, sizeof ( Elf64_Ehdr ), 1, elfFile );
Section Headers
Elf64_Shdr elfSectionHeaders[100]; fseek ( selfFile, fix64 ( selfHeader.elfSectionHeadersOffset ), SEEK_SET ); fread ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), selfFile ); fseek ( elfFile, fix64 ( elfHeader.e_shoff ), SEEK_SET ); fwrite ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), elfFile );
Section Data
Notes:
- Unknown, manually copying the data over works for now.
- There should be a section data offset somewhere.
Program Headers
Elf64_Phdr elfProgramHeaders[100]; fseek ( selfFile, fix64 ( selfHeader.elfProgramHeadersOffset ), SEEK_SET ); fread ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), selfFile ); fseek ( elfFile, fix64 ( elfHeader.e_phoff ), SEEK_SET ); fwrite ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), elfFile );
Program Data
Notes:
- Load the Encryption Root Header and decrypt the key and ivec entries using AES256CBC using erk and riv.
- Load the Certification Header and decrypt it using AES128CTR with the key and ivec entries from the Encryption Root Header.
- Load sectionCount Segment Certification Headers and decrypt them using AES128CTR with the key and ivec entries from the Encryption Root Header.
- Load keyCount metadata keys and decrypt them using AES128CTR with the key and ivec entries from the Encryption Root Header.
- For each metadata section:
- In the SELF file, fseek to dataOffset and read in dataSize bytes.
- Decrypt the data using AES128CTR with the key and ivec from the metadata keys specified by keyIndex and ivecIndex in the Segment Certification Header.
- Uncompress the data using zlib.
- Write it to the ELF file as the program section specified by program_idx in the Segment Certification Header.
Capabilities Flags
appldr
0x17 = 0x78
xsetting
0x17 = 0x3B 0x1B = 0x01 0x1D = 0x02
ps3swu
0x17 = 0x7B 0x1B = 0x01 0x1D = 0x11 0x1E = 0x60
lv2
0x17 = 0x7B 0x1B = 0x01
lv1
0x17 = 0x7B 0x1B = 0x01
libfs
0x17 = 0x7B 0x1B = 0x01
icolaunch
0x17 = 0x3B 0x1B = 0x01 0x1D = 0x04
hddcopy
0x17 = 0x7B 0x1B = 0x01 0x1D = 0x08
flowers
0x17 = 0x3B 0x1B = 0x01 0x1E = 0x20
fdm_spu
0x17 = 0x38
emu_drm
0x17 = 0x3B 0x1D = 0x02
bdj
0x0F = 0x01 //qa-bdp type1 0x17 = 0x27 0x1D = 0x02
swagner
0x0F = 0x02 //qa-bdp type2 0x17 = 0x3F 0x1D = 0x02
0x0C = 0x00000001 / 0x00000002 // qa_bdp_type_flags
0x14 = 0x00000038 / 0x0000003B / 0x00000078 / 0x0000007B / 0x00000027
0x18 = 0x00000001
0x1C = 0x00002000 / 0x00020000 / 0x00040000 / 0x00080000 / 0x00116000
0x14:
#define CAP_FLAG_REFTOOL 0x08 // DEH #define CAP_FLAG_DEBUG 0x10 // DEX #define CAP_FLAG_RETAIL 0x20 // CEX #define CAP_FLAG_SYSDBG 0x40 // ARCADE
Some more cap flags: https://web.archive.org/web/20161126102609/http://pastie.org/3090973 and https://web.archive.org/web/20161126102716/http://pastie.org/3090976 (appldr 356 white(?)list) ECDSA
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
