Mounting HDD in Linux: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
No edit summary
 
(15 intermediate revisions by 4 users not shown)
Line 1: Line 1:
* Unlike the ps3, where every part of perconsole security (including the HDD) is dictated by the eid_root_key, the ps4 has two perconsole keys for the HDD, one is handled by SAMU (we cannot obtain this key atm) and the other is handled by the South Bridge / AEOLIA / BELIZE (which we can obtain)
Unlike PS3, where every part of per-console security (including the HDD) is dictated by the eid_root_key, PS4 has two per-console keys for the HDD, one handled by SAMU (we cannot obtain this key at this moment) and the other handled by the [[Southbridge]] which can be obtained.


* Here I describe the steps to mount your hdd on the pc using the cryptmount utility on Linux
Here are described the steps to mount a PS4 HDD on PC using the cryptmount utility on Linux.
 
= Partitions that can be mounted =
 
* preinst, preinst2, system, system(b), system_ex, system_ex(b) cannot be mounted as they use a key hidden in SAMU not eap_hdd_key. Cryptmount returns error device-mapper ioctl when trying with fstype=tmpfs.
* eap_vsh, update, user and eap_user can be mounted using cryptmount and eap_hdd_key.
* eap_kern can be read directly without mounting but anyway it remains an encrypted file that is decrypted by PS4 OS.
* sda13 cannot be mounted for now. Investigation neeeded. It might be system_data partition and so would behave as system and system_ex. It might also be swap partition.
* sda17 and sda19 can be mounted with fstype=tmpfs but they are void. Investigation neeeded.
* app_reserved can be mounted with fstype=tmpfs but it is void. Investigation neeeded.


= Setup =
= Setup =


* EAP HDD Key (check in your kernel dump and in hxxps://github.com/Ps3itaTeam/ps4-kexec/blob/master/magic.h kern_off_eap_hdd_key offset)
== Prerequisites ==
* Linux Distro (i'm using xubuntu live for this)
 
* cmtab file
* Per-console PS4 EAP HDD Key (check in your kernel dump and in https://github.com/Ps3itaTeam/ps4-kexec/blob/master/magic.h kern_off_eap_hdd_key offset)
* A PC running a Linux Distribution (ex: ubuntu, xubuntu live) that supports cryptmount
 
== Getting eap_hdd_key.bin ==
 
You have to put the eap_hdd_key.bin file anywhere you want according to the cmtab file (see cmtab section below).
 
=== From kernel dump ===
 
* If your EAP HDD Key in the kernel dump looks like this:
<pre>
D2 60 86 B3 8B D2 D3 5A EC 76 DB DE 50 30 00 40
15 D6 AE 04 44 3D A8 59 4B 03 3C 1F 0A DD FA 6B
</pre>
 
* then the correct key will be:
<pre>
40 00 30 50 DE DB 76 EC 5A D3 D2 8B B3 86 60 D2
6B FA DD 0A 1F 3C 03 4B 59 A8 3D 44 04 AE D6 15
</pre>
 
==== Linux command ====
 
<pre>
objcopy -I binary -O binary --reverse-bytes=16 dump.bin keys.bin
</pre>
 
=== From sflash ===
 
The keys.bin produced by hdd_script.py v2 will produce the keys in the right order! Just use keys.bin as eap_hdd_key.bin
 
== Installing cryptmount ==
 
<pre>
sudo apt install cryptmount
</pre>


== Step by Step Guide (CUH-1000 and CUH-1100) ==
== Settuping cmtab ==


* cmtab file can be as follows (example for xubuntu live)
* Add write permission on cmtab file:
<pre>
sudo chmod 777 /etc/cryptmount/cmtab
</pre>


=== cmtab for CUH-1000 and some CUH-1100 ===
* cmtab file can be as follows:
<pre>
<pre>
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
Line 20: Line 70:
     dir=/home/xubuntu/Desktop/user
     dir=/home/xubuntu/Desktop/user
     flags=user,nofsck
     flags=user,nofsck
     fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
     fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
     cipher=aes-xts-plain64
     cipher=aes-xts-plain64
     keyfile=/home/xubuntu/Desktop/eap.bin
     keyfile=/home/eap_hdd_key.bin
     keyformat=raw
     keyformat=raw
}
}
</pre>
</pre>


* if your key in the kernel dump looks like this:
=== cmtab for some CUH-1100 and later models ===


* In this case the cmtab file must have a small change:
<pre>
<pre>
D2 60 86 B3 8B D2 D3 5A EC 76 DB DE 50 30 00 40
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
15 D6 AE 04 44 3D A8 59 4B 03 3C 1F 0A DD FA 6B
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
    dev=/dev/sda27
    dir=/home/username/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=111669149696
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
</pre>
</pre>


* then the correct key will be:
* where ivoffset = (dev_no - 1) << 32
* here it is: (27 - 1) << 32 = 111669149696


<pre>
=== Adapting cmtab ===
40 00 30 50 DE DB 76 EC 5A D3 D2 8B B3 86 60 D2
6B FA DD 0A 1F 3C 03 4B 59 A8 3D 44 04 AE D6 15
</pre>


* Special Note : The keys.bin produced by hdd_script.py v2 will produce the keys in the right order! Just use keys.bin instead!
* Change "username" to your Linux user name.
* Change sda27 to sdb27 or sdc27, etc... according to where HDD is currently mounted.
* Change sda27 to sda1 or sda2 or etc... according to the partition you want to mount. Don't forget to change ivoffset and fstype accordingly.


* after the key file eap.bin is created and the user folder is also created in the Desktop, install cryptmount
== Final steps ==


* Create "user" folder on Linux Desktop.
* Remove write permission on cmtab file:
<pre>
<pre>
sudo apt install cryptmount
sudo chmod 644 /etc/cryptmount/cmtab
</pre>
</pre>
 
* Mount PS4 "user" partition:
* and then mount your partition
 
<pre>
<pre>
sudo cryptmount user
sudo cryptmount user
</pre>
</pre>


== Step by Step Guide (some CUH-1100, CUH-1200 and above) ==
= Sample cmtab =


* In this case the cmtab will have a small change
<pre>
<pre>
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
eap_vsh {
    dev=/dev/sda7
    dir=/home/username/Desktop/eap_vsh
    flags=user,nofsck
    fstype=msdos mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=25769803776
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
sda17 {
    dev=/dev/sda17
    dir=/home/username/Desktop/sda17
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=68719476736
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
sda19 {
    dev=/dev/sda19
    dir=/home/username/Desktop/sda19
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=77309411328
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
update {
    dev=/dev/sda25
    dir=/home/username/Desktop/update
    flags=user,nofsck
    fstype=msdos mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=103079215104
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
user {
user {
     dev=/dev/sda27
     dev=/dev/sda27
     dir=/home/xubuntu/Desktop/user
     dir=/home/username/Desktop/user
     flags=user,nofsck
     flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=111669149696
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}


eap_user {
    dev=/dev/sda29
    dir=/home/username/Desktop/eap_user
    flags=user,nofsck
     fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
     fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=120259084288
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}


app_reserved {
    dev=/dev/sda31
    dir=/home/username/Desktop/app_reserved
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
     cipher=aes-xts-plain64
     cipher=aes-xts-plain64
     ivoffset=111669149696
     ivoffset=128849018880
 
     keyfile=/home/eap_hdd_key.bin
     keyfile=/home/xubuntu/Desktop/eap.bin
     keyformat=raw
     keyformat=raw
}
}
</pre>
</pre>


* where iv offset is a number of partition - 1 << 32
= Files management =
* here it'll be (27-1)<<32=111669149696
 
== Read-only ==
 
UFS filesystem only allows to be mounted as read-only on Debian and Ubuntu. To enable read-write mounting, it is needed to either compile Linux kernel with ufs write flag enabled or to share the raw partition from Debian/Ubuntu to FreeBSD/equivalent running in a virtual machine (ex: VirtualBox).
 
This is not easy to setup, so better use a PS4 kernel exploit to get write access on PS4, and for example use FTP to conveniently write to the desired partition.
 
== root owner ==
 
When partitions are mounted to folders using cryptmount, these folders and files are owned by root. This can be annoying because it is required to use sudo to be able to open or copy most files and to open some folders.
 
To remove this annoyance, it is possible to change owner of folders and files to your user.
<pre>
sudo chown -R username mount_folder
</pre>
 
But it is not possible to apply this on the cryptmount folder directly. It is firstly needed to make a copy of the mount folder to a folder on the PC HDD.
<pre>
sudo cp -R /home/username/Desktop/mount_folder /home/username/mount_folder
sudo chown -R username /home/username/mount_folder
</pre>
 


{{Linux}}
{{Linux}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 21:09, 23 October 2023

Unlike PS3, where every part of per-console security (including the HDD) is dictated by the eid_root_key, PS4 has two per-console keys for the HDD, one handled by SAMU (we cannot obtain this key at this moment) and the other handled by the Southbridge which can be obtained.

Here are described the steps to mount a PS4 HDD on PC using the cryptmount utility on Linux.

Partitions that can be mounted[edit | edit source]

  • preinst, preinst2, system, system(b), system_ex, system_ex(b) cannot be mounted as they use a key hidden in SAMU not eap_hdd_key. Cryptmount returns error device-mapper ioctl when trying with fstype=tmpfs.
  • eap_vsh, update, user and eap_user can be mounted using cryptmount and eap_hdd_key.
  • eap_kern can be read directly without mounting but anyway it remains an encrypted file that is decrypted by PS4 OS.
  • sda13 cannot be mounted for now. Investigation neeeded. It might be system_data partition and so would behave as system and system_ex. It might also be swap partition.
  • sda17 and sda19 can be mounted with fstype=tmpfs but they are void. Investigation neeeded.
  • app_reserved can be mounted with fstype=tmpfs but it is void. Investigation neeeded.

Setup[edit | edit source]

Prerequisites[edit | edit source]

Getting eap_hdd_key.bin[edit | edit source]

You have to put the eap_hdd_key.bin file anywhere you want according to the cmtab file (see cmtab section below).

From kernel dump[edit | edit source]

  • If your EAP HDD Key in the kernel dump looks like this:
D2 60 86 B3 8B D2 D3 5A EC 76 DB DE 50 30 00 40
15 D6 AE 04 44 3D A8 59 4B 03 3C 1F 0A DD FA 6B
  • then the correct key will be:
40 00 30 50 DE DB 76 EC 5A D3 D2 8B B3 86 60 D2
6B FA DD 0A 1F 3C 03 4B 59 A8 3D 44 04 AE D6 15

Linux command[edit | edit source]

objcopy -I binary -O binary --reverse-bytes=16 dump.bin keys.bin

From sflash[edit | edit source]

The keys.bin produced by hdd_script.py v2 will produce the keys in the right order! Just use keys.bin as eap_hdd_key.bin

Installing cryptmount[edit | edit source]

sudo apt install cryptmount

Settuping cmtab[edit | edit source]

  • Add write permission on cmtab file:
sudo chmod 777 /etc/cryptmount/cmtab

cmtab for CUH-1000 and some CUH-1100[edit | edit source]

  • cmtab file can be as follows:
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
    dev=/dev/sda27
    dir=/home/xubuntu/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

cmtab for some CUH-1100 and later models[edit | edit source]

  • In this case the cmtab file must have a small change:
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
    dev=/dev/sda27
    dir=/home/username/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=111669149696
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}
  • where ivoffset = (dev_no - 1) << 32
  • here it is: (27 - 1) << 32 = 111669149696

Adapting cmtab[edit | edit source]

  • Change "username" to your Linux user name.
  • Change sda27 to sdb27 or sdc27, etc... according to where HDD is currently mounted.
  • Change sda27 to sda1 or sda2 or etc... according to the partition you want to mount. Don't forget to change ivoffset and fstype accordingly.

Final steps[edit | edit source]

  • Create "user" folder on Linux Desktop.
  • Remove write permission on cmtab file:
sudo chmod 644 /etc/cryptmount/cmtab
  • Mount PS4 "user" partition:
sudo cryptmount user

Sample cmtab[edit | edit source]

# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details

eap_vsh {
    dev=/dev/sda7
    dir=/home/username/Desktop/eap_vsh
    flags=user,nofsck
    fstype=msdos mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=25769803776
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

sda17 {
    dev=/dev/sda17
    dir=/home/username/Desktop/sda17
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=68719476736
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

sda19 {
    dev=/dev/sda19
    dir=/home/username/Desktop/sda19
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=77309411328
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

update {
    dev=/dev/sda25
    dir=/home/username/Desktop/update
    flags=user,nofsck
    fstype=msdos mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=103079215104
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

user {
    dev=/dev/sda27
    dir=/home/username/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=111669149696
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

eap_user {
    dev=/dev/sda29
    dir=/home/username/Desktop/eap_user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=120259084288
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

app_reserved {
    dev=/dev/sda31
    dir=/home/username/Desktop/app_reserved
    flags=user,nofsck
    fstype=tmpfs mountoptions=ro,noatime,noexec
    cipher=aes-xts-plain64
    ivoffset=128849018880
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

Files management[edit | edit source]

Read-only[edit | edit source]

UFS filesystem only allows to be mounted as read-only on Debian and Ubuntu. To enable read-write mounting, it is needed to either compile Linux kernel with ufs write flag enabled or to share the raw partition from Debian/Ubuntu to FreeBSD/equivalent running in a virtual machine (ex: VirtualBox).

This is not easy to setup, so better use a PS4 kernel exploit to get write access on PS4, and for example use FTP to conveniently write to the desired partition.

root owner[edit | edit source]

When partitions are mounted to folders using cryptmount, these folders and files are owned by root. This can be annoying because it is required to use sudo to be able to open or copy most files and to open some folders.

To remove this annoyance, it is possible to change owner of folders and files to your user.

sudo chown -R username mount_folder

But it is not possible to apply this on the cryptmount folder directly. It is firstly needed to make a copy of the mount folder to a folder on the PC HDD.

sudo cp -R /home/username/Desktop/mount_folder /home/username/mount_folder
sudo chown -R username /home/username/mount_folder