Talk:Keys
EAP/EMC Aeolia Script for decrypting and keeping header
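"""Decrypt an EAP/EMC Aeolia image and keep its (decrypted) 0x80-byte header.

Container layout, as used by this script:

    0x00-0x2F  plaintext header; type byte at 0x07 (0x48 = EMC, 0x68 = EAP),
               little-endian 32-bit body length at 0x0C
    0x30-0x7F  AES-128-CBC encrypted with the per-type cipher key, zero IV:
        0x30  body AES key        (0x10 bytes)
        0x40  body HMAC key       (0x10 bytes)
        0x50  body HMAC-SHA1      (0x14 bytes, over the *encrypted* body)
        0x64  8 bytes the script prints as "zeroes"
        0x6C  header HMAC-SHA1    (0x14 bytes, over decrypted header[:0x6C])
    0x80-      body, AES-128-CBC with the body AES key, zero IV

The decrypted header followed by the decrypted body is written to
``<input>.bin``.  Both HMACs are recomputed and compared with the stored
values; a mismatch is reported on stderr because the decrypted output is
then unauthenticated (corrupted, truncated or modified input).
"""
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
import os
import sys

CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1']  # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP = ['824D9BB4DBA3209294C93976221249E4']
# The container fixes the CBC IV at all zeroes; that is a property of the
# format being parsed, not a pattern to copy into new designs.
ZEROS128 = ['00000000000000000000000000000000']

HEADER_SIZE = 0x80       # total header length
HEADER_PLAIN_SIZE = 0x30  # leading part of the header that is not encrypted
HEADER_SIGNED_SIZE = 0x6C  # part of the header covered by the header HMAC
AES_BLOCK = 16


def aes_decrypt_cbc(key, iv, input):
    """Return *input* decrypted with AES-CBC under *key* and *iv*."""
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)


def aes_encrypt_cbc(key, iv, input):
    """Return *input* encrypted with AES-CBC under *key* and *iv*."""
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)


def emc_decrypt_header(hdr):
    """Decrypt bytes 0x30-0x7F of an EMC header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def emc_encrypt_header(hdr):
    """Encrypt bytes 0x30-0x7F of an EMC header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def eap_decrypt_header(hdr):
    """Decrypt bytes 0x30-0x7F of an EAP header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def eap_encrypt_header(hdr):
    """Encrypt bytes 0x30-0x7F of an EAP header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


# Type byte (header offset 0x07) -> (label, header decryptor, header HMAC key).
IMAGE_TYPES = {
    uhx('48'): ('EMC', emc_decrypt_header, HASHERKEYEMC[0]),
    uhx('68'): ('EAP', eap_decrypt_header, HASHERKEYEAP[0]),
}


def _hex(raw):
    """Return *raw* as a text hex string on both Python 2 and Python 3."""
    return hx(raw).decode('ascii')


def main(argc, argv):
    """Decrypt the image named by ``argv[1]`` into ``argv[1] + '.bin'``.

    Prints, in order: the image type, the 8 "zeroes" bytes, the body length,
    the computed body and header HMACs, then the stored body and header
    HMACs.  Returns 0 on success and 1 when the input cannot be processed.
    HMAC mismatches are warnings only: the output is still written.
    """
    if argc < 2:
        sys.stderr.write('usage: %s <image>\n' % (argv[0] if argv else '<script>'))
        return 1
    path = argv[1]

    with open(path, 'rb') as f:
        data = f.read(HEADER_SIZE)
        if len(data) < HEADER_SIZE:
            sys.stderr.write('error: file is shorter than the 0x80-byte header\n')
            return 1

        image = IMAGE_TYPES.get(data[7:8])
        if image is None:
            sys.stderr.write('error: unknown image type byte %s\n' % _hex(data[7:8]))
            return 1
        label, decrypt_header, hasher_key = image
        print(label)

        hdr = decrypt_header(data)
        body_aes_key = hdr[0x30:0x40]
        body_hmac_key = hdr[0x40:0x50]
        body_hmac = hdr[0x50:0x64]
        zeroes = hdr[0x64:0x6C]
        print(_hex(zeroes))
        header_hmac = hdr[0x6C:0x80]
        # The length field sits in the plaintext part of the header, so it is
        # attacker-controlled until the header HMAC has been checked.
        body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
        print(body_len)

        ehdr = hdr[:HEADER_SIGNED_SIZE]
        ebody = f.read(body_len)

    if len(ebody) != body_len:
        sys.stderr.write('warning: body truncated (%d of %d bytes read)\n'
                         % (len(ebody), body_len))
    if len(ebody) % AES_BLOCK:
        sys.stderr.write('error: body length is not a multiple of the AES block size\n')
        return 1

    bhmac = HMAC.new(body_hmac_key, ebody, SHA)
    hhmac = HMAC.new(uhx(hasher_key), ehdr, SHA)
    body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)

    print(bhmac.hexdigest())
    print(hhmac.hexdigest())
    print(_hex(body_hmac))
    print(_hex(header_hmac))

    # Compare instead of only printing, so a bad image is not mistaken for a
    # good one by someone who does not eyeball the four digests.
    if hhmac.digest() != header_hmac:
        sys.stderr.write('warning: header HMAC mismatch; output is unauthenticated\n')
    if bhmac.digest() != body_hmac:
        sys.stderr.write('warning: body HMAC mismatch; output is unauthenticated\n')

    with open(path + '.bin', 'wb') as g:
        g.write(hdr + body)
    return 0


if __name__ == '__main__':
    sys.exit(main(len(sys.argv), sys.argv))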
EAP/EMC Aeolia Script for encrypting (the input must include the header)
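"""Encrypt an EAP/EMC Aeolia image whose input still carries its header.

The input is the decrypted form: a 0x80-byte plaintext header followed by
the plaintext body.  Fields read from the input header:

    0x07  type byte (0x48 = EMC, 0x68 = EAP)
    0x0C  little-endian 32-bit body length
    0x30  body AES key   (0x10 bytes)
    0x40  body HMAC key  (0x10 bytes)
    0x64  8 bytes copied through unchanged

The body is AES-128-CBC encrypted (zero IV) with the body AES key, the body
HMAC-SHA1 is computed over the *encrypted* body, the header HMAC-SHA1 over
the first 0x6C bytes of the rebuilt plaintext header, and finally bytes
0x30-0x7F of the header are encrypted with the per-type cipher key.  The
result is written to ``<input>.bin``.
"""
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
import os
import sys

CIPHERKEYSEMC = ['5F74FE7790127FECF82CC6E6D91FA2D1']  # FULL
CIPHERKEYSEAP = ['581A75D7E9C01F3C1BD7473DBD443B98']
HASHERKEYEMC = ['73FE06F3906B05ECB506DFB8691F9F54']
HASHERKEYEAP = ['824D9BB4DBA3209294C93976221249E4']
# The container fixes the CBC IV at all zeroes; that is a property of the
# format being produced, not a pattern to copy into new designs.
ZEROS128 = ['00000000000000000000000000000000']

HEADER_SIZE = 0x80
AES_BLOCK = 16


def aes_decrypt_cbc(key, iv, input):
    """Return *input* decrypted with AES-CBC under *key* and *iv*."""
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)


def aes_encrypt_cbc(key, iv, input):
    """Return *input* encrypted with AES-CBC under *key* and *iv*."""
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)


def emc_decrypt_header(hdr):
    """Decrypt bytes 0x30-0x7F of an EMC header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def emc_encrypt_header(hdr):
    """Encrypt bytes 0x30-0x7F of an EMC header; bytes 0x00-0x2F pass through.

    Bounded at 0x80 like the three sibling helpers, so extra trailing bytes
    are never pulled into the encrypted header.
    """
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def eap_decrypt_header(hdr):
    """Decrypt bytes 0x30-0x7F of an EAP header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


def eap_encrypt_header(hdr):
    """Encrypt bytes 0x30-0x7F of an EAP header; bytes 0x00-0x2F pass through."""
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])


# Type byte (header offset 0x07) -> (label, header encryptor, header HMAC key).
IMAGE_TYPES = {
    uhx('48'): ('EMC', emc_encrypt_header, HASHERKEYEMC[0]),
    uhx('68'): ('EAP', eap_encrypt_header, HASHERKEYEAP[0]),
}


def main(argc, argv):
    """Encrypt the image named by ``argv[1]`` into ``argv[1] + '.bin'``.

    Prints the image type, then the body HMAC and the header HMAC that were
    written into the new header.  Returns 0 on success and 1 when the input
    cannot be processed.
    """
    if argc < 2:
        sys.stderr.write('usage: %s <image>\n' % (argv[0] if argv else '<script>'))
        return 1
    path = argv[1]

    with open(path, 'rb') as f:
        data = f.read()

    if len(data) < HEADER_SIZE:
        sys.stderr.write('error: file is shorter than the 0x80-byte header\n')
        return 1

    image = IMAGE_TYPES.get(data[7:8])
    if image is None:
        sys.stderr.write('error: unknown image type byte %s\n'
                         % hx(data[7:8]).decode('ascii'))
        return 1
    label, encrypt_header, hasher_key = image
    print(label)

    body_len = struct.unpack('<L', data[0xc:0x10])[0]
    body = data[0x80:0x80 + body_len]
    # A short slice would otherwise be encrypted and signed silently, giving
    # an image whose length field disagrees with its contents.
    if len(body) != body_len:
        sys.stderr.write('error: header declares %d body bytes, file holds %d\n'
                         % (body_len, len(body)))
        return 1
    if len(body) % AES_BLOCK:
        sys.stderr.write('error: body length is not a multiple of the AES block size\n')
        return 1

    body_aes_key = data[0x30:0x40]
    ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)

    body_hmac_key = data[0x40:0x50]
    bhmac = HMAC.new(body_hmac_key, ebody, SHA)

    # Rebuild the signed part of the header (0x6C bytes), then append its HMAC.
    hdr = data[0:0x50] + bhmac.digest() + data[0x64:0x6C]
    hhmac = HMAC.new(uhx(hasher_key), hdr, SHA)
    hdr = encrypt_header(hdr + hhmac.digest())

    print(bhmac.hexdigest())
    print(hhmac.hexdigest())

    with open(path + '.bin', 'wb') as g:
        g.write(hdr + ebody)
    return 0


if __name__ == '__main__':
    sys.exit(main(len(sys.argv), sys.argv))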
Order of keys in SceShellCore
P->Q->DQ->QP
Trophy Debug -> Trophy Retail
Other random values in SceShellCore
- 59 ED 05 E1 2B 97 3E E0 62 B8 07 A4 EB 48 10 10 (HTTP related)
- 65 9A 82 19 27 CF D6 2F 0C 1C C2 5F AF 67 96 5B (0x40 size, probably HTTP related)
- E7 F5 9C F2 AC 00 1C 3C 57 17 1C 82 4D 80 0B 57 (0x80 size, NP COMM SIGN related)
- 27 59 CD 8F 49 24 CF C5 64 2C 1A 44 E6 B6 12 79 (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
- 56 EE 5E 50 F9 58 97 47 DF 80 5B 3D 31 A5 A7 6B (0x20 size, sp-int/ prod-qa / mgmt / np related? interesting stuff)
- 4D 35 CC 3E 38 17 64 E2 DE F1 DC 7C 97 3E 6D 62 (0x100 size, sp-int?)
- B3 A8 76 EC D6 BA 02 43 72 B1 95 AD D7 47 3C 74 (0x100 size, prod-qa?)
- 09 CC 88 B3 8F D3 51 78 28 0F 63 E8 85 2A 00 E0 (0x100 size, mgmt?)
- C1 64 9F 42 A4 70 6B B5 2E 93 E2 6E C2 2B 64 BC (0x100 size, np?)
- 27 38 04 D2 5D A5 BA DE FF 59 C1 B9 2B 39 B8 40 (0x20 size)
- 33 D5 1F 9C 1A 4A AE 43 EC 54 99 4A 77 04 41 B2 (0x80 size, AES related)
- A7 99 29 D4 F4 25 C5 5C 9C A7 30 D4 62 D2 18 10 (0x80 size, AES related)
- BC C7 43 2A 7D 34 0A D8 35 6C 4F 6C AE 55 52 6B (0x80 size, AES related)
- D2 C3 D1 98 09 5C 73 FB 69 6F 6C 09 22 E3 84 0D (0x80 size, AES related)
- DE EF DF 9A 3A A6 C9 58 85 9A F0 D6 69 F7 A1 AD (0x20 size, AES related)
- 67 A7 CA 31 48 7A 5C 32 B4 83 8F 37 AA E5 9A 2A (0x20 size, AES related)
- 6E 58 9C 22 A7 96 11 2B 80 25 15 22 CC BA D1 72 (0x20 size, AES related)
- 33 F0 8A B8 DA 6F DD 99 08 6B 68 FF 28 DE E3 2D (0x20 size, AES related)
- 16 6B CA 06 61 F5 EA 64 FA CF 4A 87 8B AE D2 C0 (AES related)
- F7 D3 E8 A1 AB A1 FE 27 8E A1 C2 62 5D 1D F8 C4 (0x80 bytes)
42 42 AA FD 7A 05 B4 5C F3 5E 08 22 D4 55 97 45(SceShellCore, QP, 0x80)