Talk:Keys: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
(Moved to non-talk.)
 
(42 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= system modules keysets changes =
= EAP/EMC Aeolia Script for decrypting and keeping header =
 
<pre>
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
 
= EAP/EMC Aeolia Script for encrypting (with header necessary) =
 
<pre>
<pre>
1.00 to 3.70 are 0
import struct
4.00 to 4.07 are 1
from binascii import unhexlify as uhx
4.50 to 4.74 are 2
from binascii import hexlify as hx
5.00 to 5.07 are 3
from Crypto.Cipher import AES
5.50 to 5.56 are 4
from Crypto.Hash import SHA, HMAC
6.00 to 6.20 are 5
 
6.50 to 6.72 are 6
import os
7.00 to 7.02 are 7
import sys
7.50 to 7.51 are 8
 
8.00 to 8.XX are 9
CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
               
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</pre>
</pre>


= order of keys in shellcore =
= Order of keys in [[SceShellCore]] =


P->Q->DQ->QP
P->Q->DQ->QP
Line 19: Line 176:
Trophy Debug -> Trophy Retail
Trophy Debug -> Trophy Retail


= Other random values in ShellCore =
= Other random values in [[SceShellCore]] =


* 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (http related)
* 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (HTTP related)
* 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, prolly http related)
* 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, probably HTTP related)
* E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
* E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
* 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
* 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
Line 41: Line 198:
* 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
* 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
* F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
* F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
* <s>42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45</s> (ShellCore, QP, 0x80)
* <s>42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45</s> (SceShellCore, QP, 0x80)
 
= Database reconstruction magic =
 
<pre>
0102FECA (or CAFE0201 byteswapped)
</pre>
 
= Portable Keys Dumps =
 
* Static Always
 
== sealedkey_key_E ==
 
<pre>
AC 81 12 EC 4B B2 E1 4D 13 57 8F 72 AC 56 F2 67
F7 D5 CB E2 04 84 F5 2C 7F EB A5 80 FF 56 65 2C
91 D6 52 BC F2 44 8B 58 CE B7 E9 C2 47 FB C7 C0
F9 83 36 31 75 C1 25 8A 63 7A 27 B2 F8 40 1B 87
9D DA 5C 2B 48 9B 31 16 22 5F F6 25 D6 E5 CA B5
97 D3 08 69 8C 69 88 94 AC 44 8D 02 75 85 56 D1
28 76 0D B7 C7 16 E4 E2 6D 89 89 6F 3F 27 5D F7
7B E0 07 9F 3E 1A B8 38 D3 91 89 D4 7C 82 6A 6D
</pre>
 
== sealedkey_key_IV ==
 
<pre>
F6 00 16 BA CD 42 AD 21 C7 0D 9B 07 5C B5 19 83
</pre>
 
==  sealedkey_key_sign_E  ==
 
<pre>
E0 B8 33 73 96 0E F4 46 C2 C7 04 BB 25 9B 27 DA
39 70 D0 AE EF 3E 72 62 7C D1 5E FF 8B FC FC F0
</pre>
 
== sealedkey_key_I ==
 
<pre>
7D 72 D3 AD 98 30 8C 5B AA 86 08 2B 5A 5A 69 69
94 60 D3 5A 10 A6 7D 80 89 10 11 2F 14 E7 95 34
62 99 90 68 9A 84 13 9B B6 A9 40 AA C4 CB DF 3B
81 DE E5 63 9F 70 F3 18 CD 26 8C 3D DD 38 5C EA
38 6D 9C 73 E1 82 8F 0D 81 69 C3 AF 7D 72 6A 4C
87 F1 16 F3 D8 D4 27 BB 37 DC 62 71 64 82 B7 9B
0B D2 A3 B2 6A 62 3B 54 8E A7 DA D2 0B 61 62 66
C5 C9 1A 1F 78 C6 A0 A8 2E 69 13 CC 1D EB 9E 8B
</pre>
 
== sealedkey_key_sign_I ==
 
<pre>
2A E5 A0 FB C1 4F C7 34 F5 3B EB B7 13 CE B7 2D
7E 62 06 E6 09 05 AE 28 E3 5B FB D2 8E E1 EC 78
</pre>
 
== crepo_iv ==
 
<pre>
23 F8 85 CA 50 B2 98 0A AB 7E 88 AE 65 51 C0 BF
</pre>
 
== crepo_key_1_sign_E ==
 
<pre>
AE 41 33 01 F9 6E 1D 03 F1 D9 98 1B 2F B3 75 87
05 C0 6A 94 AD 29 34 5C ED 22 17 ED 4C 7A A3 D1
</pre>
 
== crepo_key_2_sign_E  ==
 
<pre>
E6 A0 82 8A B4 7A 8D A2 AF B4 A7 34 20 DF B7 88
F6 6B 78 E7 DF F7 17 69 43 8B 15 64 75 15 F3 33
</pre>
 
== crepo_key_1_sign_I  ==
 
<pre>
00 3F 02 7D 1A BE F2 9A BB E5 23 D7 0F 7B 55 3A
14 F7 F0 83 14 04 05 0F 2A B5 23 DD D1 5D F4 C6
</pre>
 
== crepo_key_2_sign_I    ==
 
<pre>
B1 2B 7C 5B 0E 11 18 C3 B0 F6 7B 31 80 C8 B8 F7
B6 9E 3D 97 E5 36 47 C2 08 E0 34 43 51 0A DC 13
</pre>
 
== crepo_key_1_E ==
<pre>
24 3F 86 77 5F 7C DA 8F 9A D4 8A 72 69 9C BC 1E
97 6E 77 0B CE E0 C9 5C 06 CD A7 D4 FD A2 1F E4
B8 1F 78 FD 20 80 81 9B B5 4C 49 D7 12 87 18 86
CE 04 7A 2C 47 63 10 A7 FC 38 F4 C2 C9 2F 8A 38
80 E6 F4 5E F3 32 FF 11 E0 7C D5 DA 99 A9 36 72
EC BD E0 B1 E2 27 90 73 3C DD 8F B6 1B 3B E8 88
29 E6 85 EC E9 FB 4C D9 B9 53 FA D5 0D D0 73 78
6F 91 03 07 54 F6 CF 74 98 E9 4C D7 DF 8F 5F CA
</pre>
 
== crepo_key_2_E  ==
 
<pre>
E6 6C 7A 2A 1F 0F B8 B1 11 E4 23 09 48 05 0A 21
9A EF 3C FC 8C 23 33 55 FE 92 9D 27 37 60 72 6C
7B D2 4A 68 8A 47 F9 9A 8A 47 7C A3 11 45 1B D0
C4 B1 08 65 0A 75 6E 2A FB 67 A8 D7 F6 BD 9F 9A
D0 20 B3 66 57 71 CA 02 1C E4 4E C0 76 9B 06 AC
F4 21 90 AF 68 0E 63 CE 18 4D B2 49 9B 15 BE 4B
19 B8 00 51 CA 98 DD 3B 78 57 41 11 AE B2 D9 C6
EC C1 28 54 1C 06 B2 DB 32 4B 88 8D 6E FB 23 F0
</pre>
 
== crepo_key_1_I  ==
<pre>
8B 5B 04 14 D6 26 36 F6 86 37 DD 3A E2 8B EC FA
44 54 2C EB 14 6D 61 F7 4B 47 CF B5 6D 3F 82 F1
45 49 B1 52 50 B9 95 59 37 56 4A A5 59 A7 AC DA
CA 09 D5 04 F0 1A 23 95 E4 99 B8 D3 4A B5 41 C9
4B BE 57 53 61 BF E7 55 95 EE DC 1F 52 E3 16 C2
3E E6 2A 52 3F 17 36 A9 F2 4D 4D BD 0A 15 16 EB
3C 6B 55 0F B9 24 32 48 E0 F7 89 69 B6 D5 5C 09
31 4B 29 23 46 90 B3 1C B6 B3 CB C8 58 31 3E 65
</pre>
 
== rootparam_key_IV ==
<pre>
95 69 82 9C D4 B1 5F F8 43 30 54 5A 34 EC 1B C5
</pre>
 
== rootparam_key_0_sign_I ==
 
<pre>
56 CF 9D AE DC 50 B4 1F D7 AA 70 9C A5 4B 9F 1A
74 82 ED 32 BC 74 39 63 55 AD B4 97 E0 53 59 48
</pre>
 
== rootparam_key_1_sign_I ==
 
<pre>
F5 1C 1C 99 EF 32 50 74 74 D8 A8 1E 18 98 2B D1
AC FE FB E1 44 BC E8 1F FA B0 01 A9 AA 10 84 09
</pre>
 
== rootparam_key_2_sign_I ==
 
<pre>
30 28 0F 86 13 4C 1E 6D 63 79 CF D6 2D 00 11 50
D7 8D 58 D9 F1 6B 0C A2 94 BB 61 17 77 70 62 80
</pre>
 
== rootparam_key_3_sign_I ==
 
<pre>
54 98 5A 3A A1 8E 1C C6 78 62 A3 B9 71 C7 85 13
12 93 87 86 64 D7 4A B0 A0 87 DF C7 55 BD 28 60
</pre>
 
== rootparam_key_4_sign_I ==
 
<pre>
B9 CC D2 86 B6 3B 9C 1C 35 08 27 B3 2A D9 30 9A
9A AE F9 FB 45 CA D1 32 0D 93 21 41 F8 85 48 26
</pre>
 
== rootparam_key_5_sign_I ==
 
<pre>
9C 5F A8 5E 4D 1C A8 C7 81 D1 EF 42 1E 34 A2 D0
ED 3B 4D E5 6C 7C 34 1B 49 EC CF 36 2D B5 C2 43
</pre>
 
== rootparam_key_0_I ==
<pre>
F6 9F B6 9A 77 1F C2 D5 12 F7 25 2F A5 86 FB 22
0D BF A3 F2 38 89 A5 17 97 49 34 D7 83 83 D6 6D
F9 74 DA 89 35 6B 7F A8 00 63 42 61 ED 70 19 5C
A7 A0 34 73 8D FC 2E E3 66 D6 FC 07 D4 F4 FC 86
E4 67 B4 8B E9 54 34 0D AE B2 01 60 AA A4 70 42
0E 95 62 13 AC D4 7D 11 88 DB 22 7D 4D 1D 92 D2
CF E9 D8 E5 54 7A B6 D6 51 C6 A8 8E 29 B3 C0 51
45 66 F6 41 82 A1 33 1D 7C 6C F8 00 43 F0 BD D3
</pre>
 
== rootparam_key_1_I  ==
 
 
 
<pre>
95 C7 DC 5B 0A EA 8D 72 A2 6A 57 9E 54 12 6F 22
C8 C9 7C 84 1C E9 F3 E4 02 F8 7D 63 03 21 5F 9D
AA 52 46 E7 31 24 58 14 BA ED F2 9D 34 A3 2A 11
C3 08 1E 5C A6 39 50 38 6A 0F CA D4 31 26 31 89
65 78 67 BF 4A BF 4B C0 FE A5 B1 84 48 1D 5A E6
A5 DA 6B BB 54 57 E8 AB A5 2E 95 C4 C5 84 4B EB
95 01 0B 6B 37 8C B6 5D E0 A4 B8 2A 7F 9C 87 9F
46 E4 67 82 84 58 71 C8 6E 41 CF 02 FA 4C 41 D5
</pre>
 
== rootparam_key_2_I  ==
 
 
 
<pre>
A9 60 9B D1 75 16 C8 85 03 49 D2 14 47 04 DD 1A
E7 A5 EF 87 45 76 DA 51 1F 42 82 8F 76 48 81 9B
95 CF 6A 22 21 84 3F 0A 2E 16 B3 64 E5 8C 08 CC
5E AD B8 5B F4 AC AB 9F 6D 3C 7B B9 2B 63 83 FB
89 07 A5 CF 8D 00 18 F9 F5 95 57 7A 8A B2 0A 25
03 53 69 EB BC 58 EE 96 42 D8 3C 99 E1 5F 62 92
C8 05 5B A3 47 25 C5 B5 97 B9 05 5E D2 52 1B 6A
90 22 FD 01 6F D3 95 2B 12 86 F3 7E 1D 74 04 E0
</pre>
 
== rootparam_key_3_I  ==
 
 
<pre>
8C E4 47 03 2A C2 DA A9 8C 83 6E 9B 47 35 D5 37
CC B8 36 DA C4 F8 22 E8 7A FA 26 50 C8 17 71 26
BC F4 8A B7 55 EE 81 3A F9 80 6D 34 E6 9A B8 7D
93 8F C0 BD 3A 16 5C 7E CD FF 36 D5 9A BC 6F 15
D5 45 DF 5D 15 5D E7 C6 AF 67 6F 18 D1 8B 95 2E
7C D4 2D B2 E0 72 E3 A1 80 7B 01 F0 32 BB 27 88
24 08 B1 EE BF E0 5E 28 9B 1B C5 F3 F0 84 D5 3E
18 83 AB 46 60 2F 27 D2 6B 86 65 0C CA C7 89 C1
</pre>
 
 
== rootparam_key_4_I ==
 
 
<pre>
5C 5D B0 53 08 4B A6 BA A7 B1 E2 6B C6 36 32 CA
38 E7 DC 3A 19 67 34 D0 AB 5D 3C CA 29 1B 10 C2
B9 A5 84 99 82 B5 AA EE 75 36 B1 3C 9B 64 A4 83
42 51 68 8E 4B 1F 14 D3 F8 38 1E 8A A3 56 8A 41
43 CD D6 E7 05 6D 7F B5 A9 4E A2 34 ED 82 29 80
8D 63 C0 AF F8 C3 35 66 DC 49 E6 B6 AB F5 AA F6
1E B3 FD 52 F8 79 18 F2 55 98 66 8C 61 4E 83 F1
D6 7E A4 70 53 25 BE 42 D3 19 4A 8D B0 8A AC EF
</pre>
 
 
== rootparam_key_5_I ==
 
<pre>
36 EF D1 C2 7E 49 6E 6B 23 98 C4 43 AE AB DB B0
BA 5D A5 6C 2A E1 86 45 F8 39 E9 26 DB FD 4C 10
1A A4 32 D0 F0 0C A3 13 5D 17 82 5A 45 9C C7 76
5F 70 25 31 23 3E A0 15 C6 01 BE 5F 48 56 A7 15
08 9D F2 D6 64 9A 2F 38 8F 67 DA 09 17 A9 4D 02
79 EA D9 31 23 C4 37 19 36 EE 4F 7D 88 1D 8B 5D
EB C6 74 F2 EA FE F6 E6 F4 66 B6 FF 0A 65 FD 46
14 D2 98 88 CF 13 49 15 58 BE E6 E6 1E CB 42 F7
</pre>
 
== rootparam_key_0_sign_E ==
 
<pre>
6C 11 E6 DD 2F 5D 27 D5 8F 06 9E FC 24 11 6F DD
1D 26 36 33 F4 A7 A2 DE C9 06 17 88 51 88 ED 61
</pre>
 
== rootparam_key_1_sign_E ==
 
<pre>
BC 8E 1B D1 91 D4 EF A8 65 A4 25 15 C6 6F BE D1
E6 99 81 1C A7 25 73 C0 00 EA 1C A9 D6 B6 12 3A
</pre>
== rootparam_key_2_sign_E ==
 
<pre>
55 29 35 D8 4A B8 D5 FD B0 0C B7 71 CF E3 5D 48
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD
</pre>
== rootparam_key_3_sign_E ==
 
<pre>
55 29 35 D8 4A B8 D5 FD B0 0C B7 71 CF E3 5D 48
4C 60 CC 78 F7 F4 D5 45 82 9B 2E 79 62 D2 D1 CD
</pre>
== rootparam_key_4_sign_E ==
 
<pre>
F5 AA 42 70 7B D5 F6 3D 3B 9C 6C 99 36 8B 94 65
3D C7 51 95 7B A1 CB 80 A5 EC 47 81 43 A9 61 4E
</pre>
== rootparam_key_5_sign_E ==
 
<pre>
03 D2 54 72 DB 35 27 C6 7B 98 EE 9F 1F C8 A7 74
6F BB BF DF DD E9 97 5C F7 86 48 8E 5F 4D EE 63
</pre>
 
== rootparam_key_0_E ==
 
<pre>
19 54 0D A2 DF F8 D6 6A 66 08 30 0F 37 8B F5 D4
B3 59 C2 EA B7 9B EB C4 5B 8B B5 E8 6A B8 77 A6
4E 7E 7B 33 6D F1 10 A8 C1 2D 46 29 D4 B4 3C 60
B2 AD 4F BB C9 33 39 38 65 62 AA C4 FE 74 D2 4A
CD 23 A9 36 B7 36 3C B0 E1 AB BF 6C 25 C4 2C 4C
58 E9 4D 20 4A A2 AD 15 C2 74 E8 51 00 44 DA 15
BB 74 2D 91 E1 DC 52 DF DC 7D F6 93 3C EF F2 E5
45 5D 3A DA C6 E1 25 12 2B BA B2 42 5E F3 F5 FE
</pre>
 
== rootparam_key_1_E ==
 
<pre>
F9 DA 87 36 B5 B2 30 17 DC 1D 47 51 FE 0B 75 23
2A 3E 58 AD 92 96 B3 D1 C1 11 97 DA FD 7D A2 E5
51 33 49 F4 31 DC EA 7B 3F 15 54 DF 26 6B 66 88
50 4D 3B 59 AD 95 0B D6 6F B5 62 AF 0F F6 BD E0
CB 08 FA 5D 44 B1 A4 94 82 A3 74 63 25 C5 56 9E
12 54 53 B6 DA C8 DD BF CF 7A 7B A2 1A 8C A0 88
AC 74 2E D4 96 CD 36 2E 14 83 A1 51 5A 0D 8A A9
28 1B 53 FA 5A C2 DF C5 EE E9 37 0F F5 64 61 F7
</pre>
 
== rootparam_key_2_E ==
 
<pre>
E6 EA DF D7 E8 B0 23 7B 9A 40 8F 96 52 15 3B 78
2C 63 28 6A 47 AE 91 92 36 DF 6B D1 BE A5 10 34
55 EC C7 D3 FE 43 5C 60 27 4F AB BC 68 2A 00 37
EB 28 7C 58 54 E1 0A 1C D5 30 47 B5 6E 40 8E A3
6D ED 64 81 CE A1 81 D8 CF 9E C7 C2 1E 6C 2F 86
CF 30 F3 16 A8 5B C0 74 EB 03 6A E4 C3 48 82 2E
54 75 61 44 B5 D5 4F BB 24 7A E5 21 11 49 1D 48
8F D2 B0 78 AA EF 6A 3B A5 C9 35 62 C7 7A 6C C2
</pre>
 
== rootparam_key_3_E ==
 
<pre>
E6 EA DF D7 E8 B0 23 7B 9A 40 8F 96 52 15 3B 78
2C 63 28 6A 47 AE 91 92 36 DF 6B D1 BE A5 10 34
55 EC C7 D3 FE 43 5C 60 27 4F AB BC 68 2A 00 37
EB 28 7C 58 54 E1 0A 1C D5 30 47 B5 6E 40 8E A3
6D ED 64 81 CE A1 81 D8 CF 9E C7 C2 1E 6C 2F 86
CF 30 F3 16 A8 5B C0 74 EB 03 6A E4 C3 48 82 2E
54 75 61 44 B5 D5 4F BB 24 7A E5 21 11 49 1D 48
8F D2 B0 78 AA EF 6A 3B A5 C9 35 62 C7 7A 6C C2
</pre>
 
== rootparam_key_4_E ==
 
<pre>
F6 C5 1C A3 8E F0 18 2D 55 35 48 75 47 AE BE BA
D2 70 93 D5 C5 87 01 00 34 65 FE D8 87 A4 2C B3
0F D0 C5 F3 FD EA B2 78 09 CB 4D BF 4C 02 26 02
F6 5D 0E 86 C3 D5 30 5B 78 9A E8 A4 3E 19 22 FC
5B 7D F4 4D 66 50 73 72 CF EB 03 AC 7F 82 55 90
F1 06 02 2F A5 88 93 07 2C 94 51 57 05 92 87 F9
F6 2B 15 6B F4 EE 15 BF D2 2B C4 BE 4C D7 AC 28
AD 52 F0 E4 F4 92 CC 90 E6 20 D6 F7 DD D4 AA 57
</pre>
 
== rootparam_key_5_E ==
 
<pre>
B2 37 2E C2 0A CA 40 00 99 03 21 83 3B 03 D2 74
5C 41 42 A4 13 F3 E1 28 CB B5 BC 7B 3A D0 30 20
CC 5D 99 AB 56 4B F4 B2 05 57 26 C3 63 EC 93 32
5B 4A 66 06 88 B5 91 02 CD D5 35 2F E2 C1 B7 7A
14 E3 B2 D5 14 80 06 28 F3 00 D7 61 32 5B F9 54
A1 25 D2 EC 69 16 4B 0C 95 06 86 60 50 31 80 67
44 9F 57 87 4E 8D 09 20 73 3E BE F8 A9 CF C2 0B
68 22 EC DD 65 8A D8 BB 70 04 F5 7A 69 3D 19 DC
</pre>
 
== sealedkey_key_E (pfsSKKey__SecKey) ==
 
<pre>
00000000  70 66 73 53 4b 4b 65 79  5f 5f 53 65 63 4b 65 79  |pfsSKKey__SecKey|
00000010  b5 da ef ff 39 e6 d9 0e  ca 7d c5 b0 29 a8 15 3e  |....9....}..)..>|
00000020  87 07 96 0a 53 46 8d 6c  84 3b 3d c9 62 4e 22 af  |....SF.l.;=.bN".|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
* flag is 0
 
== SCE_EAP_HDD__KEY (External) ==
 
<pre>
00000000  53 43 45 5f 45 41 50 5f  48 44 44 5f 5f 4b 45 59  |SCE_EAP_HDD__KEY|
00000010  bb 6c d6 6d dc 67 1f ac  36 64 f7 bf 50 49 ba a8  |.l.m.g..6d..PI..|
00000020  c4 68 79 04 bc 31 cf 4f  2f 4e 9f 89 fa 45 87 93  |.hy..1.O/N...E..|
00000030  81 17 45 e7 c7 e8 0d 46  0f af 23 26 55 0b d7 e4  |..E....F..#&U...|
00000040  d2 a0 a0 d9 72 9d e5 d2  11 7d 70 67 6f 1d 55 74  |....r....}pgo.Ut|
00000050  8d c1 7c df 29 c8 6a 85  5f 2a e9 a1 ad 3e 91 5f  |..|.).j._*...>._|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
* flag is 0x20
 
== crepo_key_1_E (CFK1) ==
 
<pre>
00000000  43 46 4b 31 00 00 00 00  00 00 00 00 00 00 00 00  |CFK1............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  61 9a d0 db 62 cb 51 37  d8 aa 84 d0 28 b9 92 2d  |a...b.Q7....(..-|
00000030  74 46 01 4d 5a 20 67 31  af d2 ab 62 44 d1 f5 92  |tF.MZ g1...bD...|
00000040  de 9f 35 6c 99 1b 1c 04  3d 76 cd 9f b1 a7 03 57  |..5l....=v.....W|
00000050  89 73 d9 26 a1 60 ea 72  d8 e7 33 9f b0 52 f0 e2  |.s.&.`.r..3..R..|
00000060  06 80 47 c4 d7 7a fd fd  95 72 27 8d 97 ab f4 21  |..G..z...r'....!|
00000070  aa cd 9d 9d 2a a2 30 cc  0d 37 b8 69 47 d1 6a ac  |....*.0..7.iG.j.|
00000080
</pre>
 
* flag is 0xC
 
== crepo_key_2_E (CFK1) ==
 
<pre>
00000000  40 83 63 f3 b4 d0 4b 54  09 ba f3 f4 27 41 13 c4  |@.c...KT....'A..|
00000010  ac 97 ae 26 3b 9b 26 1c  2d 87 50 35 80 a3 e0 34  |...&;.&.-.P5...4|
00000020  f9 97 e5 b9 8c 85 9d 90  33 68 04 32 81 1b 50 21  |........3h.2..P!|
00000030  1f a4 5d 36 63 a3 50 7b  cc 68 12 7c bf 9a aa 2d  |..]6c.P{.h.|...-|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
* flag is 0xC
 
== rootparam_key_0_E (SCEROOTPARAM_KEY) ==
 
<pre>
00000000  53 43 45 52 4f 4f 54 50  41 52 41 4d 5f 4b 45 59  |SCEROOTPARAM_KEY|
00000010  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  29 ed 9c 0a f8 d3 97 00  29 85 a9 df d0 f2 47 21  |).......).....G!|
00000050  03 ea a7 1e b1 10 c0 03  99 b1 1d ec b2 e5 df 08  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080
</pre>
 
* flag is 0x14
 
== rootparam_key_4_E  (SCEROOTPARAM_KEY) ==
 
<pre>
00000000  ab 75 84 e1 58 6e f3 38  66 3b 39 9b 09 40 49 54  |.u..Xn.8f;9..@IT|
00000010  6b ce b2 f0 9f 32 0a 1b  f8 de 0a a0 d1 5f 28 bd  |k....2......._(.|
00000020  7f f5 78 1d c5 4c 80 fb  e4 7a 3e 36 91 8d 19 3e  |..x..L...z>6...>|
00000030  09 67 ae 3d 61 4e b1 4f  7d 71 cf 20 e4 40 71 1f  |.g.=aN.O}q. .@q.|
00000040  05 65 93 0d fd 2d a6 d1  21 3c ef f4 5a 00 97 cb  |.e...-..!<..Z...|
00000050  2f e9 ed b5 ce 07 bb d3  57 4e fa b1 ac a3 fe 80  |/.......WN......|
00000060  88 3f 0a 0e 75 9b 4f 2f  40 6a c6 ef 98 23 b9 e5  |.?..u.O/@j...#..|
00000070  ae bd 3b 75 b7 c6 e1 68  5f b3 90 c4 12 a0 4d 24  |..;u...h_.....M$|
00000080
</pre>
 
* flag is 0x14
 
== rootparam_key_5_E  (SCEROOTPARAM_KEY) ==
 
<pre>
00000000  44 62 12 3c 06 10 f2 55  3c 01 d1 f8 50 eb 1e 88  |Db.<...U<...P...|
00000010  c0 34 61 40 04 19 80 9d  ab b4 63 f6 f3 6c e9 4d  |[email protected]|
00000020  39 6e 07 40 d9 8a d3 27  0c 27 e1 4a ad 0e b1 19  |9n.@...'.'.J....|
00000030  fe 79 df 09 7c 07 9b eb  ec f9 aa 64 f0 42 f6 4d  |.y..|......d.B.M|
00000040  58 45 0e 46 d9 e8 31 98  5d c5 10 ed 81 32 f5 c8  |XE.F..1.]....2..|
00000050  8a d2 48 5b cc 6f 7e 2d  38 b0 f4 3e 8f 2b 0c 63  |..H[.o~-8..>.+.c|
00000060  19 1d f8 5f 50 0b 77 f9  37 ec 7c 6b ea cd c9 15  |..._P.w.7.|k....|
00000070  ea e6 d8 e1 bf 80 28 a3  eb 3e 9a 9d 5c 00 48 ad  |......(..>..\.H.|
00000080
</pre>
 
* flag is 0x14
 
== SCE_LwUtoken_Key (External) ==
 
<pre>
00000000  53 43 45 5f 4c 77 55 74  6f 6b 65 6e 5f 4b 65 79  |SCE_LwUtoken_Key|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  e4 03 52 c3 02 18 f1 a6  22 5a cf 4c a7 9e 54 eb  |..R....."Z.L..T.|
00000050  b2 7a bc be b7 1f b4 7a  5c d0 66 c7 9e 99 9f 2a  |.z.....z\.f....*|
00000060  66 4a b9 75 36 4c f3 0e  75 ee 24 15 9c 38 51 f3  |fJ.u6L..u.$..8Q.|
00000070  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080
</pre>
 
* flag is 0x24
 
== SCE_LwUtoken_Key (External-Extra1) ==
 
<pre>
00000000  a3 c6 b1 40 de 3d d5 e9  44 8c 16 0a 18 54 75 6f  |...@.=..D....Tuo|
00000010  1c 51 87 64 cd 3d a4 6f  ce 72 a8 36 eb 61 f6 81  |.Q.d.=.o.r.6.a..|
00000020  5a 3f b5 c4 73 08 7e 87  a9 ff 8d a6 a7 27 60 22  |Z?..s.~......'`"|
00000030  fe 2f 64 64 ed 9c 97 fe  72 38 e4 d3 11 a9 b1 8b  |./dd....r8......|
00000040  35 32 29 d6 38 1e 7d 47  cc 09 0e 61 23 67 5f 00  |52).8.}G...a#g_.|
00000050  cc 11 f2 51 69 5d 51 64  1b 4f c1 47 62 bb c0 3b  |...Qi]Qd.O.Gb..;|
00000060  46 60 85 53 7c 41 78 76  39 5c 5a a3 fa 7e 40 17  |F`.S|Axv9\Z..~@.|
00000070  34 6f 6c 2a 27 04 25 cc  7c ad 87 c4 6a eb f6 bf  |4ol*'.%.|...j...|
00000080
</pre>
 
* flag is 0x24
 
== SCE_LwUtoken_Key (External-Extra2) ==
 
<pre>
00000000  2c e9 d0 41 3b f5 29 aa  ad aa 0f 3b d6 18 44 7e  |,..A;.)....;..D~|
00000010  35 95 f6 9f af f0 03 92  1a cd 6e 59 22 54 c5 d9  |5.........nY"T..|
00000020  6b 9d c2 14 d6 3f ee bf  ef 07 58 af 96 1a ab 5d  |k....?....X....]|
00000030  77 09 27 96 2d fe a8 20  03 b4 e3 41 94 75 b2 49  |w.'.-.. ...A.u.I|
00000040  54 4f 08 e7 5d f4 dc 87  3a 34 5d 8e a8 10 67 22  |TO..]...:4]...g"|
00000050  e4 78 c4 70 d6 1b 9f 8c  5a b9 a9 d7 c9 17 83 30  |.x.p....Z......0|
00000060  35 0e 11 ba a2 27 46 82  f9 f1 88 31 ea af ec 75  |5....'F....1...u|
00000070  dc 5b 86 d7 70 90 c9 dc  76 c2 35 5c cd 9c 33 d4  |.[..p...v.5\..3.|
00000080
</pre>
 
* flag is 0x24
 
== IPMI (E) ==
 
<pre>
ffffff80869df8e0  53 49 45 49 50 4d 49 00  00 00 00 00 00 00 00 00  |SIEIPMI.........|
ffffff80869df8f0  1a 88 b2 a3 64 e6 a2 8e  78 08 4e 3f 7f 40 fd 01  |....d...x.N?.@..|
ffffff80869df900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag is 0x50
 
== SCE_SBL_BAR_KEY1 (E) ==
<pre>
ffffff80869df8e0  53 43 45 5f 53 42 4c 5f  42 41 52 5f 4b 45 59 31  |SCE_SBL_BAR_KEY1|
ffffff80869df8f0  1f 18 c9 70 d0 00 ac 7e  6f cc 1a 8c dd 89 b4 fe  |...p...~o.......|
ffffff80869df900  cd a1 33 a1 0e c8 f5 25  98 22 23 f5 86 1f 02 00  |..3....%."#.....|
ffffff80869df910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df930  79 c8 cc c8 89 a1 54 0d  4f 2e 27 bb 61 4f d6 53  |y.....T.O.'.aO.S|
ffffff80869df940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag is 0x28
 
== SCE_KDF_NCDT_PSK(E) ==
<pre>
ffffff80869df8e0  53 43 45 5f 4b 44 46 5f  4e 43 44 54 5f 50 53 4b  |SCE_KDF_NCDT_PSK|
ffffff80869df8f0  59 e6 32 88 b0 4e 7f 68  f8 b8 db 83 86 1e 07 50  |Y.2..N.h.......P|
ffffff80869df900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff80869df950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag is 0x4C
 
== Other Keys ==
 
<pre>
ED E7 41 CC 7F D6 0E 1F 2D B0 89 16 1F C0 EB 66
7C A4 DA 59 40 CE 19 54 00 90 1D BF 59 25 EE 4F
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
 
* hidAuthThreadMain
* flag 0x48
 
<pre>
96 1E 5E 85 B5 3E 77 64 43 E5 F4 45 85 E8 90 0A
52 5E 06 2A 4C 79 64 69 0F 75 2F 28 71 9C 6B A1
A8 C2 A0 0D 84 31 E7 17 DD EF 6D 80 F6 5C AE 32
42 1F CB E5 E7 A4 F9 1F 79 2B 25 C7 A1 0C 9E 5A
7B 07 82 9F F3 7C 3F B4 66 2F CB F8 E4 0A 63 F2
99 EE B8 6F 06 D5 58 CD 6E 8E 6A F7 5E 48 3A 24
CC 73 EA E7 73 2F 44 2F 8B E5 28 FB 19 60 62 50
F4 A9 9C A5 9E FC 63 2C 2D CC 67 73 2B 8B 5A DE
</pre>
 
* livedump
* flag 0x44
 
<pre>
2B CF 69 8E 79 CF DD FA C2 4D 4C 25 BF 35 1E 62
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
 
* pfs_sbl_key
* flag 0x58
 
<pre>
53 43 45 43 6C 6F 75 64 53 44 5F 5F 5F 4B 45 59
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
61 6F AD DF 22 04 AC 7A 24 06 4C CE D8 CD 88 A0
DE 07 F0 15 43 45 32 7D BE 4D 49 E1 CA 87 5D 98
5E F0 E4 AB 2A CE 26 69 00 96 D9 48 D4 C0 1B 36
8B B0 B2 1D 45 72 7D 70 91 26 F4 A1 10 77 0C F9
7A 0A F1 17 81 97 33 CC 71 05 73 92 4F D2 5C 1B
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
 
<pre>
5F 15 6F 65 CF DA 91 51 83 7C E3 06 D3 39 75 71
08 3C 5B 08 10 5A 9C 6D 79 F0 64 29 DF D1 6D 33
4A 75 88 66 9B 61 54 B4 2F A6 C2 29 55 6E AD 76
34 4B B4 B8 F6 03 83 4D F4 B4 92 5A C8 F9 39 8E
31 60 25 1A 88 51 53 F7 A4 D9 5E 4C FF D0 3D 4B
95 A7 6F E8 DD BF 92 B2 D4 1C 0B 0E 28 29 B3 40
B0 AD 2F 35 8A 19 D9 C1 2D AA 81 C3 23 16 3A 17
15 0D 4C 33 3A 62 49 A7 51 A3 3C 4E 78 01 50 F8
 
B1 24 25 11 6E C0 95 15 9E FA 11 B6 48 BD 96 70
AE 87 C9 99 DA 38 2E F1 B7 D6 41 81 09 98 A1 FF
27 69 85 D1 68 1C BE 72 2A F2 38 7F 65 AD 66 95
8B 72 A5 C8 73 34 3E A8 35 E2 82 74 2A 94 67 40
30 DF 3B 19 6C 5D CC D9 AD 44 7E 6C 22 76 ED 0A
64 E8 A1 46 A0 BE B7 D9 CA 6F CB 4F 54 92 2F 0F
41 90 1F 95 62 AF 0B 0E 18 63 06 C0 EA 22 8C 2E
3C 7E E9 79 73 A0 09 0C 36 D2 09 8D 75 DE 88 C7
 
EB 3E E3 B6 66 0F DD 75 99 CE 39 76 59 07 15 60
86 92 96 C5 B3 CB 06 B1 C2 E9 E9 C5 8B 13 35 5E
76 34 61 BA A2 4F F2 DB 99 CC BC DC 3C 13 2C A3
13 56 55 A7 0A FD 88 43 11 95 0A 0D 6D A4 7F 74
F3 2C 67 BC F4 E9 6F 1E 4D 69 5C CC 2E 1C 57 A8
CE 97 0B 4B D9 6A 5A 81 42 3F 6E 5C 7B A5 4A 78
AE 95 97 26 2A FF 9E 00 4F B4 F0 BB 40 72 1C 1F
8F 4B F7 AB FD D3 8C DC 14 FE 92 DD 16 51 A1 2F
 
01 AB 69 DF 87 71 AE BF E7 97 CD 88 18 F1 98 BF
A9 D3 3B 1A 95 C5 F1 37 65 17 DB FE C4 4D 0C 3B
26 27 73 61 F9 60 36 BE 90 36 A5 73 0F A5 98 EB
AE BD 9E 84 35 BD B4 CD A8 59 15 4C 25 CA DE 33
FA 53 D9 5C 9B 26 CD 1A BA CC 80 8F A5 0F 1A 6A
1D 2D A3 0D 52 56 89 FF BC 63 AE 7A 0B D4 F6 24
8F 3D BF F8 BD DB DB 9A 2A 52 85 EB AB D4 BA 08
37 39 EE EE 4A D2 ED D3 52 A5 BA 39 50 1B BA A3
 
F7 1B 39 B8 5D 55 7D 5E B7 6F 22 F9 82 95 0E 45
1B CC 18 CD B9 FB 14 25 5A 22 FC BA 98 1D 50 C6
20 1C 15 47 C7 1D 1D 55 CC A2 94 8D CF 4E A9 8E
4D F8 2F 96 D6 C3 AB B9 46 A4 0C 1A FD E5 01 B9
8F 07 DE DA BC 20 FF 0D BD CC CE FD 77 E2 28 62
25 56 1A F3 D1 92 DD F7 72 43 64 9C D4 38 7A C6
FA C3 60 45 61 B2 EA 3B C5 90 AC 0F 20 0F 26 73
14 03 A8 2D 00 48 35 2D 45 8A 86 7B 6B 28 69 02
</pre>
 
* Cloud Key
* flag 0x1C
 
= Portable Keys Dumps (Shellcore) =
 
== SCE_CFS_hostname (E) ==
 
<pre>
 
-------HEX DUMP------
ffffff8085f7f8e0  53 43 45 5f 43 46 53 5f  68 6f 73 74 6e 61 6d 65  |SCE_CFS_hostname|
ffffff8085f7f8f0  63 66 73 73 2e 64 75 6e  62 61 72 2e 73 63 65 61  |cfss.dunbar.scea|
ffffff8085f7f900  2e 63 6f 6d 00 00 00 00  00 00 00 00 00 00 00 00  |.com............|
ffffff8085f7f910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag 0xD
 
== SCE_RCR_hostname(E) ==
 
<pre>
-------HEX DUMP------
ffffff8085f7f8e0  53 43 45 5f 52 43 52 5f  68 6f 73 74 6e 61 6d 65  |SCE_RCR_hostname|
ffffff8085f7f8f0  7a 65 6b 65 2e 73 63 65  61 2e 63 6f 6d 00 00 00  |zeke.scea.com...|
ffffff8085f7f900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag 0xD
 
== SCE_CDN_hostname (E) ==
 
<pre>
-------HEX DUMP------
ffffff8085f7f8e0  53 43 45 5f 43 44 4e 5f  68 6f 73 74 6e 61 6d 65  |SCE_CDN_hostname|
ffffff8085f7f8f0  63 72 65 70 6f 2e 77 77  2e 64 6c 2e 70 6c 61 79  |crepo.ww.dl.play|
ffffff8085f7f900  73 74 61 74 69 6f 6e 2e  6e 65 74 00 00 00 00 00  |station.net.....|
ffffff8085f7f910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8085f7f950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
 
* flag 0xD
 
== SCE_SYS_TLM_SECK(E) (GetOpenPsIdHash) ==
 
<pre>
-------HEX DUMP------
ffffff80861838e0  53 43 45 5f 53 59 53 5f  54 4c 4d 5f 53 45 43 4b  |SCE_SYS_TLM_SECK|
ffffff80861838f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8086183900  99 e9 ac b7 36 53 5e 4b  25 4d 25 b9 e2 ab 3e 09  |....6S^K%M%...>.|
ffffff8086183910  cb cb c7 a7 c0 e8 1a ef  93 cf ae e1 57 4c 1a 7c  |............WL.||
ffffff8086183920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8086183930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8086183940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff8086183950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag 0x3C
 
== Other Keys ==
<pre>
-------HEX DUMP------
ffffff807b92b8e0  15 a0 cb 65 d6 a4 05 27  e6 1c cd da 2a ef 53 3b  |...e...'....*.S;|
ffffff807b92b8f0  13 fc 7c 35 24 14 b3 54  3d c7 83 24 6e fc c9 64  |..|5$..T=..$n..d|
ffffff807b92b900  9d f8 40 9a c2 02 09 82  3c 08 61 2b e6 2a 51 79  |..@.....<.a+.*Qy|
ffffff807b92b910  cf 87 62 61 c0 85 46 c2  a5 da a1 9b d0 e7 ff 79  |..ba..F........y|
ffffff807b92b920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff807b92b930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff807b92b940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
ffffff807b92b950  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>
 
* flag 0xA
 
<pre>
C6 8A 9B 40 49 35 77 E7 54 3A 2D 95 59 9F 7E 96
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
 
* beta_update_key_E | flag = 0x40
 
<pre>
56 6B DD 67 C3 B6 B5 04 EF 1A 39 C0 CC AC 4B E2
</pre>
 
* timezone_key_E | flag = 0x40
 
<pre>
8C 81 17 54 AB E7 2C 8A 1B 4D DC A2 32 B8 CC 2A
</pre>
 
* system_log_config_key_E | flag = 0x40
 
<pre>
8A 7A 15 CE 5D 21 62 19 7C FA 83 B1 DC 77 3C C7
</pre>
 
* system_log_unknown_key_E | flag = 0x40
 
<pre>
DA AF 3B 06 99 F7 6E 04 8F 3C 27 BF 0B E8 95 1C
</pre>
 
* bgdc_key_E | flag = 0x40
 
<pre>
67 EE DA F2 67 E0 43 BE B5 AD 5C 7A 6F 54 C5 37
</pre>
 
* wctl_key_E | flag = 0x40
 
<pre>
5A 1F 16 C3 47 F8 24 6B F6 D7 8B E3 C4 D6 F2 D1
</pre>
 
* morpheus_updatelist_key_E | flag = 0x40
 
<pre>
49 B6 1A 0B 8F 33 BC 28 6F 85 6D A8 CB 04 B8 B4
</pre>
 
* entitlementmgr_key_E | flag = 0x40
 
<pre>
66 01 69 2E 46 1B BD CC 85 6E A8 DC CE 06 3C F1
</pre>
 
* netev_key_E | flag = 0x40
 
<pre>
9B 12 DA 7C 22 44 3B CD 2B BC F6 C0 18 5E 77 70
</pre>
 
* patch_key_E | flag = 0x40
 
<pre>
F1 1B 19 25 D9 3C E7 70 86 F4 9C CC 50 96 45 56
</pre>
 
* bgft_key_E | flag = 0x40
 
<pre>
CE A4 74 20 1F 0C A2 36 8D D8 37 BF A1 B4 BD 78
</pre>
 
* system_log_privacy_key_E | flag = 0x40

Latest revision as of 05:13, 1 January 2025

EAP/EMC Aeolia Script for decrypting and keeping header[edit source]

import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC

import os
import sys

CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']

def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
    
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)

def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])

def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            
            

if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

EAP/EMC Aeolia Script for encrypting (with header necessary)[edit source]

import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC

import os
import sys

CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1'] # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC  = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP  = ['824D9BB4DBA3209294C93976221249E4']
ZEROS128 =      ['00000000000000000000000000000000']

def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
    
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)

def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
    
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])

def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            
            

if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

Order of keys in SceShellCore[edit source]

P->Q->DQ->QP

Trophy Debug -> Trophy Retail

Other random values in SceShellCore[edit source]

  • 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (HTTP related)
  • 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, probably HTTP related)
  • E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
  • 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
  • 56 EE 5E 50 F9 58 97 47 DF 80 5B 3D 31 A5 A7 6B (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
  • 4D 35 CC 3E 38 17 64 E2 DE F1 DC 7C 97 3E 6D 62 (0x100 size, sp-int?)
  • B3 A8 76 EC D6 BA 02 43 72 B1 95 AD D7 47 3C 74 (0x100 size, prod-qa?)
  • 09 CC 88 B3 8F D3 51 78 28 0F 63 E8 85 2A 00 E0 (0x100 size, mgmt?)
  • C1 64 9F 42 A4 70 6B B5 2E 93 E2 6E C2 2B 64 BC (0x100 size, np?)
  • 27 38 04 D2 5D A5 BA DE FF 59 C1 B9 2B 39 B8 40 (0x20 size)
  • 33 D5 1F 9C 1A 4A AE 43 EC 54 99 4A 77 04 41 B2 (0x80 size, AES related)
  • A7 99 29 D4 F4 25 C5 5C 9C A7 30 D4 62 D2 18 10 (0x80 size, AES related)
  • BC C7 43 2A 7D 34 0A D8 35 6C 4F 6C AE 55 52 6B (0x80 size, AES related)
  • D2 C3 D1 98 09 5C 73 FB 69 6F 6C 09 22 E3 84 0D (0x80 size, AES related)
  • DE EF DF 9A 3A A6 C9 58 85 9A F0 D6 69 F7 A1 AD (0x20 size, AES related)
  • 67 A7 CA 31 48 7A 5C 32 B4 83 8F 37 AA E5 9A 2A (0x20 size, AES related)
  • 6E 58 9C 22 A7 96 11 2B 80 25 15 22 CC BA D1 72 (0x20 size, AES related)
  • 33 F0 8A B8 DA 6F DD 99 08 6B 68 FF 28 DE E3 2D (0x20 size, AES related)
  • 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
  • F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
  • 42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45 (SceShellCore, QP, 0x80)