Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= EAP/EMC Aeolia Script for decrypting and keeping header =
= Other random values in ShellCore =


<pre>
* 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (http related)
import struct
* 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, prolly http related)
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
 
= EAP/EMC Aeolia Script for encrypting (with header necessary) =
 
<pre>
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
               
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
 
= Order of keys in [[SceShellCore]] =
 
P->Q->DQ->QP
 
Trophy Debug -> Trophy Retail
 
= Other random values in [[SceShellCore]] =
 
* 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (HTTP related)
* 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, probably HTTP related)
* E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
* E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
* 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
* 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
Line 198: Line 21:
* 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
* 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
* F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
* F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
* <s>42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45</s> (SceShellCore, QP, 0x80)
 
= Database reconstruction magic =
 
<pre>
0102FECA (or CAFE0201 byteswapped)
</pre>
 
= Portable Keys Dumps =
 
== pfsSKKey__SecKey (External) ==
 
<pre>
00000000  70 66 73 53 4b 4b 65 79  5f 5f 53 65 63 4b 65 79  |pfsSKKey__SecKey|
00000010  b5 da ef ff 39 e6 d9 0e  ca 7d c5 b0 29 a8 15 3e  |....9....}..)..>|
00000020  87 07 96 0a 53 46 8d 6c  84 3b 3d c9 62 4e 22 af  |....SF.l.;=.bN".|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
== SCE_EAP_HDD__KEY (External) ==
 
<pre>
00000000  53 43 45 5f 45 41 50 5f  48 44 44 5f 5f 4b 45 59  |SCE_EAP_HDD__KEY|
00000010  bb 6c d6 6d dc 67 1f ac  36 64 f7 bf 50 49 ba a8  |.l.m.g..6d..PI..|
00000020  c4 68 79 04 bc 31 cf 4f  2f 4e 9f 89 fa 45 87 93  |.hy..1.O/N...E..|
00000030  81 17 45 e7 c7 e8 0d 46  0f af 23 26 55 0b d7 e4  |..E....F..#&U...|
00000040  d2 a0 a0 d9 72 9d e5 d2  11 7d 70 67 6f 1d 55 74  |....r....}pgo.Ut|
00000050  8d c1 7c df 29 c8 6a 85  5f 2a e9 a1 ad 3e 91 5f  |..|.).j._*...>._|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
== CFK1 (External) ==
 
<pre>
00000000  43 46 4b 31 00 00 00 00  00 00 00 00 00 00 00 00  |CFK1............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  61 9a d0 db 62 cb 51 37  d8 aa 84 d0 28 b9 92 2d  |a...b.Q7....(..-|
00000030  74 46 01 4d 5a 20 67 31  af d2 ab 62 44 d1 f5 92  |tF.MZ g1...bD...|
00000040  de 9f 35 6c 99 1b 1c 04  3d 76 cd 9f b1 a7 03 57  |..5l....=v.....W|
00000050  89 73 d9 26 a1 60 ea 72  d8 e7 33 9f b0 52 f0 e2  |.s.&.`.r..3..R..|
00000060  06 80 47 c4 d7 7a fd fd  95 72 27 8d 97 ab f4 21  |..G..z...r'....!|
00000070  aa cd 9d 9d 2a a2 30 cc  0d 37 b8 69 47 d1 6a ac  |....*.0..7.iG.j.|
00000080
</pre>
 
== SCEROOTPARAM_KEY (External) ==
 
<pre>
00000000  53 43 45 52 4f 4f 54 50  41 52 41 4d 5f 4b 45 59  |SCEROOTPARAM_KEY|
00000010  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  29 ed 9c 0a f8 d3 97 00  29 85 a9 df d0 f2 47 21  |).......).....G!|
00000050  03 ea a7 1e b1 10 c0 03  99 b1 1d ec b2 e5 df 08  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
== SCE_LwUtoken_Key (External) ==
 
<pre>
00000000  53 43 45 5f 4c 77 55 74  6f 6b 65 6e 5f 4b 65 79  |SCE_LwUtoken_Key|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  e4 03 52 c3 02 18 f1 a6  22 5a cf 4c a7 9e 54 eb  |..R....."Z.L..T.|
00000050  b2 7a bc be b7 1f b4 7a  5c d0 66 c7 9e 99 9f 2a  |.z.....z\.f....*|
00000060  66 4a b9 75 36 4c f3 0e  75 ee 24 15 9c 38 51 f3  |fJ.u6L..u.$..8Q.|
00000070  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080
</pre>
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps4/Talk:Keys"