Unlike PS3, where every part of per-console security (including the HDD) is dictated by the eid_root_key, PS4 has two per-console keys for the HDD, one handled by SAMU (we cannot obtain this key atm) and the other handled by the South Bridge (Aeolia / Belize) which can be obtained.

Here are described the steps to mount a PS4 HDD on PC using the cryptmount utility on Linux.

Setup

Prerequisites

• Per-console PS4 EAP HDD Key (check in your kernel dump and in hxxps://github.com/Ps3itaTeam/ps4-kexec/blob/master/magic.h kern_off_eap_hdd_key offset)
• A PC running a Linux Distribution (ex: ubuntu, xubuntu live) that supports cryptmount

Getting eap_hdd_key.bin

You have to put the eap_hdd_key.bin file anywhere you want according to the cmtab file (see cmtab section below).

From kernel dump

• If your EAP HDD Key in the kernel dump looks like this:

D2 60 86 B3 8B D2 D3 5A EC 76 DB DE 50 30 00 40
15 D6 AE 04 44 3D A8 59 4B 03 3C 1F 0A DD FA 6B

• then the correct key will be:

40 00 30 50 DE DB 76 EC 5A D3 D2 8B B3 86 60 D2
6B FA DD 0A 1F 3C 03 4B 59 A8 3D 44 04 AE D6 15

From sflash

The keys.bin produced by hdd_script.py v2 will produce the keys in the right order! Just use keys.bin as eap_hdd_key.bin

Installing cryptmount

sudo apt install cryptmount

Settuping cmtab

• Add write permission on cmtab file:

sudo chmod 777 /dev/cryptmount/cmtab

cmtab for CUH-1000 and some CUH-1100

• cmtab file can be as follows:

# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
    dev=/dev/sda27
    dir=/home/xubuntu/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

cmtab for some CUH-1100 and later models

• In this case the cmtab file must have a small change:

# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
    dev=/dev/sda27
    dir=/home/username/Desktop/user
    flags=user,nofsck
    fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
    cipher=aes-xts-plain64
    ivoffset=111669149696
    keyfile=/home/eap_hdd_key.bin
    keyformat=raw
}

• where ivoffset = (dev_no - 1) << 32
• here it is: (27 - 1) << 32 = 111669149696

Adapting cmtab

• Change "username" to your Linux user name.
• Change sda27 to sdb27 or sdc27, etc... according to where HDD is currently mounted.
• Change sda27 to sda1 or sda2 or etc... according to the partition you want to mount. Don't forget to change ivoffset and fstype accordingly.

Final steps

• Create "user" folder on Linux Desktop.
• Remove write permission on cmtab file:

sudo chmod 775 /dev/cryptmount/cmtab

• Mount PS4 "user" partition:

sudo cryptmount user

v e Linux Fedora Fedora28 kernel hardening, general installation, rpm building · Mounting HDD in Linux Others  · Clusters Kubernetes · Single System Images  ·