Mounting HDD in Linux
Unlike PS3, where every part of per-console security (including the HDD) is dictated by the eid_root_key, PS4 has two per-console keys for the HDD, one handled by SAMU (we cannot obtain this key atm) and the other handled by the South Bridge (Aeolia / Belize) which can be obtained.
Here are described the steps to mount a PS4 HDD on PC using the cryptmount utility on Linux.
Partitions that can be mounted
- preinst, preinst2, system, system(b), system_ex, system_ex(b) cannot be mounted as they use a key hidden in SAMU not eap_hdd_key. Cryptmount returns error device-mapper ioctl when trying with fstype=tmpfs.
- eap_vsh, update, user and eap_user can be mounted using cryptmount and eap_hdd_key.
- eap_kern can be read directly without mounting but anyway it remains an encrypted file that is decrypted by PS4 OS.
- sda13 cannot be mounted for now. Investigation neeeded. It might be system_data partition and so would behave as system and system_ex. It might also be swap partition.
- sda17 and sda19 can be mounted with fstype=tmpfs but they are void. Investigation neeeded.
- app_reserved can be mounted with fstype=tmpfs but it is void. Investigation neeeded.
Setup
Prerequisites
- Per-console PS4 EAP HDD Key (check in your kernel dump and in hxxps://github.com/Ps3itaTeam/ps4-kexec/blob/master/magic.h kern_off_eap_hdd_key offset)
- A PC running a Linux Distribution (ex: ubuntu, xubuntu live) that supports cryptmount
Getting eap_hdd_key.bin
You have to put the eap_hdd_key.bin file anywhere you want according to the cmtab file (see cmtab section below).
From kernel dump
- If your EAP HDD Key in the kernel dump looks like this:
D2 60 86 B3 8B D2 D3 5A EC 76 DB DE 50 30 00 40 15 D6 AE 04 44 3D A8 59 4B 03 3C 1F 0A DD FA 6B
- then the correct key will be:
40 00 30 50 DE DB 76 EC 5A D3 D2 8B B3 86 60 D2 6B FA DD 0A 1F 3C 03 4B 59 A8 3D 44 04 AE D6 15
From sflash
The keys.bin produced by hdd_script.py v2 will produce the keys in the right order! Just use keys.bin as eap_hdd_key.bin
Installing cryptmount
sudo apt install cryptmount
Settuping cmtab
- Add write permission on cmtab file:
sudo chmod 777 /etc/cryptmount/cmtab
cmtab for CUH-1000 and some CUH-1100
- cmtab file can be as follows:
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount # try 'man 8 cryptmount' or 'man 5 cmtab' for more details user { dev=/dev/sda27 dir=/home/xubuntu/Desktop/user flags=user,nofsck fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2 cipher=aes-xts-plain64 keyfile=/home/eap_hdd_key.bin keyformat=raw }
cmtab for some CUH-1100 and later models
- In this case the cmtab file must have a small change:
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount # try 'man 8 cryptmount' or 'man 5 cmtab' for more details user { dev=/dev/sda27 dir=/home/username/Desktop/user flags=user,nofsck fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2 cipher=aes-xts-plain64 ivoffset=111669149696 keyfile=/home/eap_hdd_key.bin keyformat=raw }
- where ivoffset = (dev_no - 1) << 32
- here it is: (27 - 1) << 32 = 111669149696
Adapting cmtab
- Change "username" to your Linux user name.
- Change sda27 to sdb27 or sdc27, etc... according to where HDD is currently mounted.
- Change sda27 to sda1 or sda2 or etc... according to the partition you want to mount. Don't forget to change ivoffset and fstype accordingly.
Final steps
- Create "user" folder on Linux Desktop.
- Remove write permission on cmtab file:
sudo chmod 775 /etc/cryptmount/cmtab
- Mount PS4 "user" partition:
sudo cryptmount user
Sample cmtab
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount # try 'man 8 cryptmount' or 'man 5 cmtab' for more details eap_vsh { dev=/dev/sda7 dir=/home/username/Desktop/eap_vsh flags=user,nofsck fstype=msdos mountoptions=ro,noatime,noexec cipher=aes-xts-plain64 ivoffset=25769803776 keyfile=/home/eap_hdd_key.bin keyformat=raw } sda17 { dev=/dev/sda17 dir=/home/username/Desktop/sda17 flags=user,nofsck fstype=tmpfs mountoptions=ro,noatime,noexec cipher=aes-xts-plain64 ivoffset=68719476736 keyfile=/home/eap_hdd_key.bin keyformat=raw } sda19 { dev=/dev/sda19 dir=/home/username/Desktop/sda19 flags=user,nofsck fstype=tmpfs mountoptions=ro,noatime,noexec cipher=aes-xts-plain64 ivoffset=77309411328 keyfile=/home/eap_hdd_key.bin keyformat=raw } update { dev=/dev/sda25 dir=/home/username/Desktop/update flags=user,nofsck fstype=msdos mountoptions=ro,noatime,noexec cipher=aes-xts-plain64 ivoffset=103079215104 keyfile=/home/eap_hdd_key.bin keyformat=raw } user { dev=/dev/sda27 dir=/home/username/Desktop/user flags=user,nofsck fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2 cipher=aes-xts-plain64 ivoffset=111669149696 keyfile=/home/eap_hdd_key.bin keyformat=raw } eap_user { dev=/dev/sda29 dir=/home/username/Desktop/eap_user flags=user,nofsck fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2 cipher=aes-xts-plain64 ivoffset=120259084288 keyfile=/home/eap_hdd_key.bin keyformat=raw } app_reserved { dev=/dev/sda31 dir=/home/username/Desktop/app_reserved flags=user,nofsck fstype=tmpfs mountoptions=ro,noatime,noexec cipher=aes-xts-plain64 ivoffset=128849018880 keyfile=/home/eap_hdd_key.bin keyformat=raw }
Files management
Read-only
UFS filesystem only allows to be mounted as read-only on Debian and Ubuntu. To enable read-write mounting, it is needed to either compile Linux kernel with ufs write flag enabled or to share the raw partition from Debian/Ubuntu to FreeBSD/equivalent running in a virtual machine (ex: VirtualBox).
This is not easy to setup, so better use a PS4 kernel exploit to get write access on PS4, and for example use FTP to conveniently write to the desired partition.
root owner
When partitions are mounted to folders using cryptmount, these folders and files are owned by root. This can be annoying because it is required to use sudo to be able to open or copy most files and to open some folders.
To remove this annoyance, it is possible to change owner of folders and files to your user.
sudo chown -R username mount_folder
But it is not possible to apply this on the cryptmount folder directly. It is firstly needed to make a copy of the mount folder to a folder on the PC HDD.
sudo cp -R /home/username/Desktop/mount_folder /home/username/mount_folder sudo chown -R username /home/username/mount_folder
|