Editing Keys


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 2,886: Line 2,886:


= EMC Keys =
= EMC Keys =
See also [https://github.com/TeamFAPS/PS4-RE-tools/tree/master/ps4-emc-ipl-eap-kbl-tool PS4 EMC IPL and EAP KBL Tool] for usage.


== EMC Fuse Key for Aeolia ==
== EMC Fuse Key for Aeolia ==
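Review bot: the "See also ... PS4 EMC IPL and EAP KBL Tool] for usage." line under "= EMC Keys =" appears on only one side of this hunk, and the header offsets (2,886/2,886 here, 2,938/2,936 at the next hunk) indicate it is the latest revision that has it and the undo that drops it. It is the only pointer to key usage visible in the section, so unless the link target is wrong, keep the line and restrict the undo to the parts of the edit that are actually disputed; the same applies to the identical line under "= EAP Keys =".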
Line 2,938: Line 2,936:


= EAP Keys =
= EAP Keys =
See also [https://github.com/TeamFAPS/PS4-RE-tools/tree/master/ps4-emc-ipl-eap-kbl-tool PS4 EMC IPL and EAP KBL Tool] for usage.


== EAP KBL Cipher Key for Aeolia ==
== EAP KBL Cipher Key for Aeolia ==
Line 2,960: Line 2,956:
* It hashes the header (size 0x6C) of EAP KBL.
* It hashes the header (size 0x6C) of EAP KBL.


= EMC/EAP/Kernel shared keys =
== EMC/EAP/KERNEL shared keys ==


== portability_seed_key ==
=== portability_seed_key ===


<pre>
<pre>
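Review bot: the section heading differs between the two sides in both level ("= ... =" against "== ... ==") and casing ("Kernel" against "KERNEL"), and the level change cascades to every subsection heading in the following hunks. At level 2 the section would nest under the preceding level-1 section (the last one visible is "= EAP Keys ="), although its title says the keys are shared by EMC, EAP and the kernel; a level-1 heading with level-2 subsections matches the title better. Pick one casing and use it on both the heading and any links to it.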
Line 2,968: Line 2,964:
</pre>
</pre>


== portability_seed ==
=== portability_seed ===


<pre>
<pre>
Line 2,974: Line 2,970:
</pre>
</pre>


== eap_hdd_key_blob_key1_seed ==
=== eap_hdd_key_blob_key1_seed ===


<pre>
<pre>
Line 2,981: Line 2,977:
</pre>
</pre>


== eap_hdd_key_blob_key2_seed ==
=== eap_hdd_key_blob_key2_seed ===


<pre>
<pre>
Line 2,988: Line 2,984:
</pre>
</pre>


== use_new_blob = Y ==
=== use_new_blob = Y ===


* Encryption Key:
* Encryption Key:
Line 3,013: Line 3,009:
</pre>
</pre>


== use_new_blob = N ==
=== use_new_blob = N ===


* Encryption Key:
* Encryption Key:
Line 3,038: Line 3,034:
</pre>
</pre>


== EAP_HDD_KEY_BLOB ==
=== EAP_HDD_KEY_BLOB ===


<pre>
<pre>
Line 3,051: Line 3,047:
</pre>
</pre>


== PS4-PS5 USB Extended Storage Key ==
=== PS4-PS5 USB Extended Storage Key ===


Used for USB Extended Storage encryption that was introduced in PS4 System Software 4.50.
Used for USB Extended Storage encryption that was introduced in PS4 System Software 4.50.
Line 3,163: Line 3,159:
== Crash Dump KeySeed ==
== Crash Dump KeySeed ==


Crash Dump Master keys (kd, kc):
<pre>
<pre>
kd, kc
KEYS = [
KEYS = [
     ['',''],
     ['',''],
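Review bot: on the side that puts a bare "kd, kc" line inside the pre block, directly above "KEYS = [", the column label reads as part of the data and breaks the listing if it is copied as code. Keep the label outside the block, as the "Crash Dump Master keys (kd, kc):" caption on the other side does, or turn it into a comment inside the block.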
Line 3,173: Line 3,169:
]
]
</pre>
</pre>
* Crash Dump AES-256-CBC-CFB IV = b'0000000000000000'
* Remark: kd and kc names may have been wrongly assigned in fail0verflow's writeup because kd should stand for Digest Key and kc for Cipher Key.
=== Usage for generation and unpacking ===
For generation, the kd key is used to encrypt the OpenPSID that will be stored in the header:
* OPENPSID_ENC = aes_ecb_encrypt(kd, OpenPSID)
For both generation and decryption, from the kc key and the encrypted OpenPSID are derived 2 keys:
* Crash Dump AES-256-CBC-CFB Key = hmac_sha256(kc, OPENPSID_ENC)[:0x10]
* Crash Dump HMAC-SHA256 Key = hmac_sha256(kc, OPENPSID_ENC)[0x10:]
For data encryption:
* Encrypted Data = AES.new(Crash Dump AES-256-CBC-CFB Key, AES.MODE_CBC, Crash Dump AES-256-CBC-CFB IV).encrypt(DATA)
* Remark: The algorithm should actually be AesCbcCfb128Encrypt but it is always block-size multiple in crashdump usage.
For signature generation:
* Digest in Final Header = hmac_sha256(Crash Dump HMAC-SHA256 Key, secure_header (aligned to 0x80) + DATA_ENC (without final_header))
* Remark: 0x80 bytes of secure_header are hashed for the data_hmac but only 0x14 bytes (actual used bytes) are actually written to disk.
For decryption, the kd key is used to decrypt the OpenPSID provided in the header:
* OpenPSID = aes_ecb_decrypt(kd, OPENPSID_ENC)
* Remark: for decryption the user does not have to know the OpenPSID as the encrypted OpenPSID is embedded in the Crash Dump header.
For signature verification:
* Digest in Final Header = hmac_sha256(Crash Dump HMAC-SHA256 Key, secure_header (aligned to 0x80) + DATA_ENC (without final_header))
* Remark: 0x80 bytes of secure_header are hashed for the data_hmac but only 0x14 bytes (actual used bytes) are actually written to disk.
For data decryption:
* Decrypted Data = AES.new(Crash Dump AES-256-CBC-CFB Key, AES.MODE_CBC, Crash Dump AES-256-CBC-CFB IV).decrypt(DATA_ENC)
* Remark: The algorithm should actually be AesCbcCfb128Decrypt but it is always block-size multiple in crashdump usage.
See also:
* Crash Dump decryption and verification implemented in: https://github.com/TeamFAPS/PS4-RE-tools/tree/master/ps4-crash-dump-decrypt
* Crash Dump analysis (parsing after decryption and verification) implemented in: https://fail0verflow.com/blog/2017/ps4-crashdump-dump


== PFS Keystone Keys ==
== PFS Keystone Keys ==
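Review bot: in "Crash Dump AES-256-CBC-CFB Key = hmac_sha256(kc, OPENPSID_ENC)[:0x10]" the slice yields a 0x10-byte key, which is an AES-128 key size, so the "AES-256" in the key and IV labels does not match the derivation; rename the labels or correct the slice, whichever reflects the implementation. The IV "b'0000000000000000'" is also ambiguous: read as a bytes literal it is sixteen ASCII '0' characters (0x30), not sixteen zero bytes, so give the value in hex. Under "For signature verification" the bullet repeats the generation formula unchanged; state that the recomputed HMAC is compared with the digest stored in the final header. These lines are present on one side only, so the undo removes the whole usage description rather than correcting it.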