USB Dongle Authenticator: Difference between revisions

0x24000 - USB Dongle Authenticator

note: inside ss_server1.fself
Dongle check is done on Lv2 kernel start up

0x24001 - Generate Challenge

• I have got access to this service through DM and tested it
• The service expects no input parameters except those in SS packet header
• It uses 0x5003 service (Generate Random Number) to generate random numbers that are used in challenge body
• The length of a challnge body is always 23 bytes, first 3 bytes are always the same: 0x2E 0x02 0x01

Here are hexdumps of some challenge bodies i let 0x24001 service generate:

2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D

2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA

2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13

0x24002 - Verify Response

• I have got access to this service and tested it with PSGroove
• The response body is 25 bytes large
• The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
• The 16 bit at offset 3 is a dongle ID
• The dongle ID is checked if it's revoked or not
• When the verification succeedes then product mode is set to 1
• The service calculates USB Dongle Key from USB Dongle ID and USB Dongle Master Key by using HMAC SHA-1
• The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and USB Dongle Key
• After that the service compares the calculated response body with the given one that was sent to the service
• It seems that laid and paid from SS packet header are used in decryption process

USB Dongle Master Key

• USB Dongle Master Key is stored encrypted in Process 6
• The encrypted key is 64 bytes large
• The decrypted key is 20 bytes large
• The USB Dongle Master Key is decrypted first time the service 0x24002 is used
• The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of Vitual TRM Manager
• The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after first usage of this service)
• When decryption of USB Dongle Master Key fails then a dummy key is used
• Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping
• The first 12 bytes of decrypted USB Dongle Master Key is a magic value: _USB_DONGLE_. After these 12 bytes follows the real USB Dongle Master Key of size 20 bytes. So, if after decryption of USB Dongle Master Key, you see this magic value then the decryption was successfull.
• To decrypt USB Dongle master key you need SC Iso Encrypt/Decrypt 5 Key, Lpar Auth ID (0x1070000001000001), Program Auth ID (0x1070000045000001) and use VTRM Decrypt Master with the Master Key

Here is the encrypted USB Dongle Master Key from HV:

22 D5 D1 8C FF E2 4F AC EC 72 A2 42 A7 18 98 10
25 33 E0 96 F2 C1 91 0D 15 23 D3 07 74 E7 2B 72
DF A6 DD E9 68 8B 76 2A 6A 87 51 7F 85 39 0B D4
20 3F 46 89 04 82 B7 30 84 89 4B CC 9D B1 24 7C

This is the decrypted dongle master key:

46 DC EA D3 17 FE 45 D8 09 23
EB 97 E4 95 64 10 D4 CD B2 C2

This is the decrypted dongle key for dongle ID 0xAAAA :

04 4E 61 1B A6 A6 E3 9A 98 CF
35 81 2C 80 68 C7 FC 5F 7A E8

Here is the USB Dongle Master Dummy Key from HV:

D1 FC 57 55 BF 20 FA B2 D4 A5 4A 
0A 0C 5D 52 8E DF 66 CD 74

USB Dongle ID Revoke List

• Process 6 contains a revoke list for USB Dongle IDs
• The revoke list is 0x2000 bytes large. It's a bitmap.
• Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.

The following USB Dongle IDs are revoked in HV:

0, 2, 13, 32, 34, 176, 241

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation PS1 Emulation · PS2 Emulation · PSP Emulation Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks