Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= EAP/EMC Aeolia Script for decrypting and keeping header =
= system modules keysets changes =
 
<pre>
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
 
= EAP/EMC Aeolia Script for encrypting (with header necessary) =
 
<pre>
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
               
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
 
= System modules keysets changes =
 
<pre>
<pre>
1.00 to 3.70 are 0
1.00 to 3.70 are 0
Line 179: Line 7:
5.50 to 5.56 are 4
5.50 to 5.56 are 4
6.00 to 6.20 are 5
6.00 to 6.20 are 5
6.50 to 6.72 are 6
6.50 to 6.8X are 6
7.00 to 7.02 are 7
7.00 to 7.02 are 7
7.50 to 7.55 are 8
7.50 to 7.XX are 8
8.00 to 8.03 are 9
8.50 to 8.52 are 0xA
9.00 to 9.04 are 0xB
9.50 to 9.60 are 0xC
10.00 to 10.01 are 0xD
10.50 to 10.70 are 0xE
11.00 to 11.02 are 0xF
11.50 to 11.XX are 0 (counter at 0xA at 1 instead of 0)
</pre>
 
* Final slot (0xF) has been depleted so in theory SIE will not be able to update keys again.
 
= Southbridge firmware keysets changes =
 
<pre>
1 is obsolete
13 is 0x10000
32/40 is 0x20000
36 is 0x30000
42 is 0x40000
</pre>
</pre>


= Order of keys in ShellCore =
= order of keys in shellcore =


P->Q->DQ->QP
P->Q->DQ->QP
Line 234: Line 42:
* <s>42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45</s> (ShellCore, QP, 0x80)
* <s>42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45</s> (ShellCore, QP, 0x80)


= Database rebuild trigger magic =
= Database reconstruction magic =


<pre>
<pre>
Line 242: Line 50:
= Portable Keys Dumps =
= Portable Keys Dumps =


* Static always.
* Static Always


== sealedkey_key_E ==
== sealedkey_key_E ==
Line 263: Line 71:
</pre>
</pre>


== sealedkey_key_sign_E ==
== sealedkey_key_sign_E ==


<pre>
<pre>
Line 291: Line 99:


== crepo_iv ==
== crepo_iv ==
Used for Crash Report.


<pre>
<pre>
Line 299: Line 105:


== crepo_key_1_sign_E ==
== crepo_key_1_sign_E ==
Used for Crash Report.


<pre>
<pre>
Line 307: Line 111:
</pre>
</pre>


== crepo_key_2_sign_E ==
== crepo_key_2_sign_E ==
 
Used for Crash Report.


<pre>
<pre>
Line 316: Line 118:
</pre>
</pre>


== crepo_key_1_sign_I ==
== crepo_key_1_sign_I   ==
 
Used for Crash Report.


<pre>
<pre>
Line 325: Line 125:
</pre>
</pre>


== crepo_key_2_sign_I ==
== crepo_key_2_sign_I   ==
 
Used for Crash Report.


<pre>
<pre>
Line 335: Line 133:


== crepo_key_1_E ==
== crepo_key_1_E ==
Used for Crash Report.
<pre>
<pre>
24 3F 86 77 5F 7C DA 8F 9A D4 8A 72 69 9C BC 1E  
24 3F 86 77 5F 7C DA 8F 9A D4 8A 72 69 9C BC 1E  
Line 349: Line 144:
</pre>
</pre>


== crepo_key_2_E ==
== crepo_key_2_E ==
 
Used for Crash Report.


<pre>
<pre>
Line 364: Line 157:
</pre>
</pre>


== crepo_key_1_I ==
== crepo_key_1_I   ==
 
Used for Crash Report.
 
<pre>
<pre>
8B 5B 04 14 D6 26 36 F6 86 37 DD 3A E2 8B EC FA  
8B 5B 04 14 D6 26 36 F6 86 37 DD 3A E2 8B EC FA  
Line 380: Line 170:


== rootparam_key_IV ==
== rootparam_key_IV ==
<pre>
<pre>
95 69 82 9C D4 B1 5F F8 43 30 54 5A 34 EC 1B C5
95 69 82 9C D4 B1 5F F8 43 30 54 5A 34 EC 1B C5
Line 428: Line 217:


== rootparam_key_0_I ==
== rootparam_key_0_I ==
<pre>
<pre>
F6 9F B6 9A 77 1F C2 D5 12 F7 25 2F A5 86 FB 22  
F6 9F B6 9A 77 1F C2 D5 12 F7 25 2F A5 86 FB 22  
Line 440: Line 228:
</pre>
</pre>


== rootparam_key_1_I ==
== rootparam_key_1_I ==
 
 


<pre>
<pre>
Line 453: Line 243:
</pre>
</pre>


== rootparam_key_2_I ==
== rootparam_key_2_I ==
 
 


<pre>
<pre>
Line 466: Line 258:
</pre>
</pre>


== rootparam_key_3_I ==
== rootparam_key_3_I ==
 


<pre>
<pre>
Line 478: Line 271:
18 83 AB 46 60 2F 27 D2 6B 86 65 0C CA C7 89 C1  
18 83 AB 46 60 2F 27 D2 6B 86 65 0C CA C7 89 C1  
</pre>
</pre>


== rootparam_key_4_I ==
== rootparam_key_4_I ==


<pre>
<pre>
Line 491: Line 286:
D6 7E A4 70 53 25 BE 42 D3 19 4A 8D B0 8A AC EF  
D6 7E A4 70 53 25 BE 42 D3 19 4A 8D B0 8A AC EF  
</pre>
</pre>


== rootparam_key_5_I ==
== rootparam_key_5_I ==
Line 518: Line 314:
E6 99 81 1C A7 25 73 C0 00 EA 1C A9 D6 B6 12 3A  
E6 99 81 1C A7 25 73 C0 00 EA 1C A9 D6 B6 12 3A  
</pre>
</pre>
== rootparam_key_2_sign_E ==
== rootparam_key_2_sign_E ==


Line 525: Line 320:
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD  
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD  
</pre>
</pre>
== rootparam_key_3_sign_E ==
== rootparam_key_3_sign_E ==


Line 532: Line 326:
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD  
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD  
</pre>
</pre>
== rootparam_key_4_sign_E ==
== rootparam_key_4_sign_E ==


Line 539: Line 332:
3D C7 51 95 7B A1 CB 80 A5 EC 47 81 43 A9 61 4E  
3D C7 51 95 7B A1 CB 80 A5 EC 47 81 43 A9 61 4E  
</pre>
</pre>
== rootparam_key_5_sign_E ==
== rootparam_key_5_sign_E ==


Line 626: Line 418:


== sealedkey_key_E (pfsSKKey__SecKey) ==
== sealedkey_key_E (pfsSKKey__SecKey) ==
Used for PFS encryption.


<pre>
<pre>
Line 639: Line 429:


* flag is 0
* flag is 0
* identical to I


== SCE_EAP_HDD__KEY (External) ==
== SCE_EAP_HDD__KEY (External) ==
Used for HDD encryption.


<pre>
<pre>
Line 660: Line 447:


== crepo_key_1_E (CFK1) ==
== crepo_key_1_E (CFK1) ==
Used for Crash Report.


<pre>
<pre>
Line 676: Line 461:


* flag is 0xC
* flag is 0xC
== crepo_key_1_I (CFK1) ==
Used for Crash Report.
<pre>
43 46 4B 31 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
77 B7 5A 04 C9 69 D3 FE BC 11 38 EE 2F B1 31 CC
71 E6 66 F7 D3 78 E4 F4 CD AB 35 D7 DE C4 A3 26
3B 2A 68 2C 43 06 15 CE 04 77 3D 4B A5 BC F8 7E
CF 9B CF 77 B4 8B A7 78 DE BD 09 75 BB 5B B1 27
44 A1 E3 CC EC 71 4F 10 09 48 CC 23 55 41 3C CE
11 34 1A 57 F2 34 69 F9 62 6B 2E 71 AD 17 B2 2C
</pre>


== crepo_key_2_E (CFK1) ==
== crepo_key_2_E (CFK1) ==
Used for Crash Report.


<pre>
<pre>
Line 723: Line 491:


* flag is 0x14
* flag is 0x14
== rootparam_key_0_I (SCEROOTPARAM_KEY) ==
<pre>
53 43 45 52 4F 4F 54 50 41 52 41 4D 5F 4B 45 59
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CA 5C 5D 73 F7 57 0D 77 E9 00 AB 72 C0 5A C3 C4
B4 9C 45 CB CD 90 29 61 58 EC 47 1F 5F 26 72 52
29 ED 9C 0A F8 D3 97 00 29 85 A9 DF D0 F2 47 21
03 EA A7 1E B1 10 C0 03 99 B1 1D EC B2 E5 DF 08
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>


== rootparam_key_4_E  (SCEROOTPARAM_KEY) ==
== rootparam_key_4_E  (SCEROOTPARAM_KEY) ==
Line 753: Line 508:
* flag is 0x14
* flag is 0x14


== rootparam_key_5_E (SCEROOTPARAM_KEY) ==
== rootparam_key_5_E (SCEROOTPARAM_KEY) ==


<pre>
<pre>
Line 770: Line 525:


== SCE_LwUtoken_Key (External) ==
== SCE_LwUtoken_Key (External) ==
Used for "low" user tokens.


<pre>
<pre>
Line 787: Line 540:


== SCE_LwUtoken_Key (External-Extra1) ==
== SCE_LwUtoken_Key (External-Extra1) ==
Used for "low" user tokens.


<pre>
<pre>
Line 805: Line 556:


== SCE_LwUtoken_Key (External-Extra2) ==  
== SCE_LwUtoken_Key (External-Extra2) ==  
Used for "low" user tokens.


<pre>
<pre>
Line 823: Line 572:


== IPMI (E) ==
== IPMI (E) ==
Used for Inter-Process Method Invocation.


<pre>
<pre>
Line 840: Line 587:


== SCE_SBL_BAR_KEY1 (E) ==
== SCE_SBL_BAR_KEY1 (E) ==
Used for Secure Block Backup And Restore feature.
<pre>
<pre>
ffffff80869df8e0  53 43 45 5f 53 42 4c 5f  42 41 52 5f 4b 45 59 31  |SCE_SBL_BAR_KEY1|
ffffff80869df8e0  53 43 45 5f 53 42 4c 5f  42 41 52 5f 4b 45 59 31  |SCE_SBL_BAR_KEY1|
Line 870: Line 614:
* flag is 0x4C
* flag is 0x4C


== Unknown key 0x54 ==
== Other Keys ==
 
<pre>
91 0B 7C A6 6B 4B F9 DA 00 72 F1 67 6C 51 99 70
C1 4D B2 26 6A 59 29 C2 5E 1A 72 5D D8 19 05 BF
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
 
* flag 0x54
 
== hidAuthThreadMain ==


<pre>
<pre>
Line 900: Line 629:
* hidAuthThreadMain  
* hidAuthThreadMain  
* flag 0x48
* flag 0x48
== livedump ==


<pre>
<pre>
Line 916: Line 643:
* livedump
* livedump
* flag 0x44
* flag 0x44
== pfs_sbl_key ==


<pre>
<pre>
Line 932: Line 657:
* pfs_sbl_key
* pfs_sbl_key
* flag 0x58
* flag 0x58
== SCECloudSD___KEY ==
Used for Cloud Save Data features. Similar to the Cloud Data Key Ring used in PS Vita since System Software version 3.100.081.


<pre>
<pre>
Line 998: Line 719:
* flag 0x1C
* flag 0x1C


= Portable Keys Dumps (ShellCore) =
= Portable Keys Dumps (Shellcore) =


== SCE_CFS_hostname (E) ==
== SCE_CFS_hostname (E) ==


Host by Amazon AWS at Portland, Oregon, 97086 United States of America. Alias of cfss.crs.playstation.net.
<pre>
 
Zeke Jedediah Dunbar is a main character of the Infamous videogame developped by Sony Computer Entertainment America.


<pre>
-------HEX DUMP------
-------HEX DUMP------
ffffff8085f7f8e0  53 43 45 5f 43 46 53 5f  68 6f 73 74 6e 61 6d 65  |SCE_CFS_hostname|
ffffff8085f7f8e0  53 43 45 5f 43 46 53 5f  68 6f 73 74 6e 61 6d 65  |SCE_CFS_hostname|
Line 1,020: Line 738:
* flag 0xD
* flag 0xD


== SCE_RCR_hostname (E) ==  
== SCE_RCR_hostname(E) ==  
 
Host by Amazon AWS at Portland, Oregon, 97086 United States of America. Owned by Minato-ku for Sony Computer Entertainment Inc. Network Platform Service Department at Tokyo (Japan).
 
Zeke Jedediah Dunbar is a main character of the Infamous videogame developped by Sony Computer Entertainment America.


<pre>
<pre>
Line 1,041: Line 755:


== SCE_CDN_hostname (E) ==
== SCE_CDN_hostname (E) ==
Used for Crash Report.


<pre>
<pre>
Line 1,055: Line 767:
ffffff8085f7f950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
</pre>


* flag 0xD
* flag 0xD


== SCE_SYS_TLM_SECK (E) ==
== SCE_SYS_TLM_SECK(E) (GetOpenPsIdHash) ==
 
Used in GetOpenPsIdHash.


<pre>
<pre>
Line 1,077: Line 788:


== Other Keys ==
== Other Keys ==
<pre>
<pre>
-------HEX DUMP------
-------HEX DUMP------
Line 1,108: Line 818:
56 6B DD 67 C3 B6 B5 04 EF 1A 39 C0 CC AC 4B E2
56 6B DD 67 C3 B6 B5 04 EF 1A 39 C0 CC AC 4B E2
</pre>
</pre>
* same as Internal


* timezone_key_E | flag = 0x40
* timezone_key_E | flag = 0x40
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)