Talk:Keys
Jump to navigation
Jump to search
EAP/EMC Aeolia Script for decrypting and keeping header[edit source]
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
import os
import sys
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 = ['00000000000000000000000000000000']
def aes_decrypt_cbc(key, iv, input):
return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
def aes_encrypt_cbc(key, iv, input):
return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
def emc_decrypt_header(hdr):
return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def emc_encrypt_header(hdr):
return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def eap_decrypt_header(hdr):
return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def eap_encrypt_header(hdr):
return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def main(argc, argv):
with open(sys.argv[1], 'rb') as f:
data = f.read(0x80)
type = data[7:8]
if type == uhx('48'):
print 'EMC'
hdr = emc_decrypt_header(data)
body_aes_key = hdr[0x30:0x40]
body_hmac_key = hdr[0x40:0x50]
body_hmac = hdr[0x50:0x64]
zeroes = hdr[0x64:0x6C]
print(hx(zeroes))
header_hmac = hdr[0x6C:0x80]
body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
print body_len
ehdr = hdr[:0x6C]
ebody = f.read(body_len)
bhmac = HMAC.new(body_hmac_key, ebody, SHA)
hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
print bhmac.hexdigest()
print hhmac.hexdigest()
print hx(body_hmac)
print hx(header_hmac)
with open(sys.argv[1] + '.bin', 'wb') as g:
g.write(hdr+body)
if type == uhx('68'):
print 'EAP'
hdr = eap_decrypt_header(data)
body_aes_key = hdr[0x30:0x40]
body_hmac_key = hdr[0x40:0x50]
body_hmac = hdr[0x50:0x64]
zeroes = hdr[0x64:0x6C]
print(hx(zeroes))
header_hmac = hdr[0x6C:0x80]
body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
print body_len
ehdr = hdr[:0x6C]
ebody = f.read(body_len)
bhmac = HMAC.new(body_hmac_key, ebody, SHA)
hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
print bhmac.hexdigest()
print hhmac.hexdigest()
print hx(body_hmac)
print hx(header_hmac)
with open(sys.argv[1] + '.bin', 'wb') as g:
g.write(hdr+body)
if __name__ == '__main__':
main(len(sys.argv), sys.argv)
EAP/EMC Aeolia Script for encrypting (with header necessary)[edit source]
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
import os
import sys
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 = ['00000000000000000000000000000000']
def aes_decrypt_cbc(key, iv, input):
return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
def aes_encrypt_cbc(key, iv, input):
return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
def emc_decrypt_header(hdr):
return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def emc_encrypt_header(hdr):
return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
def eap_decrypt_header(hdr):
return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def eap_encrypt_header(hdr):
return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
def main(argc, argv):
with open(sys.argv[1], 'rb') as f:
data = f.read()
type = data[7:8]
if type == uhx('48'):
print 'EMC'
body_len = struct.unpack('<L', data[0xc:0x10])[0]
body = data[0x80:0x80+body_len]
body_aes_key = data[0x30:0x40]
ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
body_hmac_key = data[0x40:0x50]
bhmac = HMAC.new(body_hmac_key, ebody, SHA)
hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
hdr = (hdr + uhx(hhmac.hexdigest()))
hdr = emc_encrypt_header(hdr)
print bhmac.hexdigest()
print hhmac.hexdigest()
with open(sys.argv[1] + '.bin', 'wb') as g:
g.write(hdr+ebody)
if type == uhx('68'):
print 'EAP'
body_len = struct.unpack('<L', data[0xc:0x10])[0]
body = data[0x80:0x80+body_len]
body_aes_key = data[0x30:0x40]
ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
body_hmac_key = data[0x40:0x50]
bhmac = HMAC.new(body_hmac_key, ebody, SHA)
hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
hdr = (hdr + uhx(hhmac.hexdigest()))
hdr = eap_encrypt_header(hdr)
print bhmac.hexdigest()
print hhmac.hexdigest()
with open(sys.argv[1] + '.bin', 'wb') as g:
g.write(hdr+ebody)
if __name__ == '__main__':
main(len(sys.argv), sys.argv)
Order of keys in SceShellCore[edit source]
P->Q->DQ->QP
Trophy Debug -> Trophy Retail
Other random values in SceShellCore[edit source]
- 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (HTTP related)
- 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, probably HTTP related)
- E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
- 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
- 56 EE 5E 50 F9 58 97 47 DF 80 5B 3D 31 A5 A7 6B (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
- 4D 35 CC 3E 38 17 64 E2 DE F1 DC 7C 97 3E 6D 62 (0x100 size, sp-int?)
- B3 A8 76 EC D6 BA 02 43 72 B1 95 AD D7 47 3C 74 (0x100 size, prod-qa?)
- 09 CC 88 B3 8F D3 51 78 28 0F 63 E8 85 2A 00 E0 (0x100 size, mgmt?)
- C1 64 9F 42 A4 70 6B B5 2E 93 E2 6E C2 2B 64 BC (0x100 size, np?)
- 27 38 04 D2 5D A5 BA DE FF 59 C1 B9 2B 39 B8 40 (0x20 size)
- 33 D5 1F 9C 1A 4A AE 43 EC 54 99 4A 77 04 41 B2 (0x80 size, AES related)
- A7 99 29 D4 F4 25 C5 5C 9C A7 30 D4 62 D2 18 10 (0x80 size, AES related)
- BC C7 43 2A 7D 34 0A D8 35 6C 4F 6C AE 55 52 6B (0x80 size, AES related)
- D2 C3 D1 98 09 5C 73 FB 69 6F 6C 09 22 E3 84 0D (0x80 size, AES related)
- DE EF DF 9A 3A A6 C9 58 85 9A F0 D6 69 F7 A1 AD (0x20 size, AES related)
- 67 A7 CA 31 48 7A 5C 32 B4 83 8F 37 AA E5 9A 2A (0x20 size, AES related)
- 6E 58 9C 22 A7 96 11 2B 80 25 15 22 CC BA D1 72 (0x20 size, AES related)
- 33 F0 8A B8 DA 6F DD 99 08 6B 68 FF 28 DE E3 2D (0x20 size, AES related)
- 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
- F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45(SceShellCore, QP, 0x80)