PS3Hax Network - Playstation 3 Hacks and Mods

analyzing 3k3y's code (http://www.ps3hax.net/showthread.php?t=51310)

zecoxao 01-31-2013 04:35 PM

analyzing 3k3y's code
 
Code:

// field declarations from the ripper (decompiled C#); Key1, Key2, Key7 and Key8
// are declared here as empty 16-byte buffers, the other fields carry fixed values
private byte[] IV1 = new byte[] { 0x22, 0x26, 0x92, 0x8d, 0x44, 0x03, 0x2f, 0x43, 0x6a, 0xfd, 0x26, 0x7e, 0x74, 0x8b, 0x23, 0x93 };
private byte[] IV2 = new byte[] { 0xe8, 0x0b, 0x3f, 0x0c, 0xd6, 0x56, 0x6d, 0xd0 };
private byte[] IV3 = new byte[] { 0x3b, 0xd6, 0x24, 0x02, 0x0b, 0xd3, 0xf8, 0x65, 0xe8, 0x0b, 0x3f, 0x0c, 0xd6, 0x56, 0x6d, 0xd0 };
private static byte[] Key1 = new byte[0x10];
private static byte[] Key2 = new byte[0x10];
private byte[] Key3 = new byte[] { 0x12, 0x6c, 0x6b, 0x59, 0x45, 0x37, 0x0e, 0xee, 0xca, 0x68, 0x26, 0x2d, 0x02, 0xdd, 0x12, 0xd2 };
private byte[] Key4 = new byte[] { 0xd9, 0xa2, 0x0a, 0x79, 0x66, 0x6c, 0x27, 0xd1, 0x10, 0x32, 0xac, 0xcf, 0x0d, 0x7f, 0xb5, 0x01 };
private byte[] Key5 = new byte[] { 0x19, 0x76, 0x6f, 0xbc, 0x77, 0xe4, 0xe7, 0x5c, 0xf4, 0x41, 0xe4, 0x8b, 0x94, 0x2c, 0x5b, 0xd9 };
private byte[] Key6 = new byte[] { 0x50, 0xcb, 0xa7, 0xf0, 0xc2, 0xa7, 0xc0, 0xf6, 0xf3, 0x3a, 0x21, 0x43, 0x26, 0xac, 0x4e, 0xf3 };
private static byte[] Key7 = new byte[0x10];
private static byte[] Key8 = new byte[0x10];

here we can see the keys used by the ripper, taken from

http://www.ps3devwiki.com/wiki/BD_Dr...eering#Program

i'm gonna post more information as i find it...

http://www.ps3devwiki.com/wiki/BD_Dr...ion_about_EID4

the keys are in eid4, and yes, we DO need to decrypt it, or else Sony would be the biggest bunch of retards.

the eid4 key is used to verify the cmac hash of the first 0x20 bytes

edit2:
naehrwert's code seems to prove this:
Code:

/* prototype: OMAC1 digest of `len` bytes of `input` under an AES key of `aes_key_bits` bits */
void aes_omac1(u8* output, u8* input, int len, u8* aes_key_data, int aes_key_bits);

/* digest of the first 0x20 bytes of eid4, keyed with the eid4 key taken from indiv */
aes_omac1(digest, eid4, 0x20, indiv + INDIV_EID4_KEY_OFFSET, 0x100);
/* compare against the digest stored at eid4 + 0x20 */
if (memcmp(digest, eid4 + 0x20, AES_OMAC1_DIGEST_SIZE) != 0)
        printf("warning: eid4 hash check failed!\n");

omac1 basically spits out the digest of the secure communication channel keys.
if you compare the digest with the last 16 bytes of eid4, it should match :)

edit3: corrected some info.

diesel701 01-31-2013 04:45 PM

http://www.ps3hax.net/showpost.php?p=532565

Anyway, good work man! ;)

Quote:

Originally Posted by zecoxao (Post 533523)
the keys are IN eid4, eid4 contains them already! we don't need to decrypt it. and those are the secure communication channel keys.

the eid4 key and iv are used to verify the cmac hash of the entire eid4. i'll verify if this is correct or not, but i think i'm saying it right.

So, theoretically for 3k and 4k we need only to read the eid4 (for example from the nor chip) and we get the keys needed for the ODE... Right?

zecoxao 01-31-2013 05:02 PM

Quote:

Originally Posted by diesel701 (Post 533527)
http://www.ps3hax.net/showpost.php?p=532565

Anyway, good work man! ;)


So, theoretically for 3k and 4k we need only to read the eid4 (for example from the nor chip) and we get the keys needed for the ODE... Right?

You still need to auth with the bd drive. that's the part Cobra/E3 figured out. we can do this normally with hacked consoles, but not with unhacked consoles.

DEFAULTDNB 01-31-2013 05:07 PM

Was @zadow28's code for 1.00 or 1.02 of the ripper?

Have they "crypted the crypter" in 1.02?

zecoxao 01-31-2013 05:26 PM

lol, it looks like i was wrong in the part that the 3Dump.bin only contains the encrypted eid4. it also contains the eid_root_key. if that's true then i need to change my original post.

jarmster 01-31-2013 05:47 PM

Quote:

Originally Posted by zecoxao (Post 533551)
lol, it looks like i was wrong in the part that the 3Dump.bin only contains the encrypted eid4. it also contains the eid_root_key. if that's true then i need to change my original post.

Where is that coming from? You see code that indicates it dumps the root key too, or seen a dump that contains it? My 3dump.bin was exactly the same output as decrypting the Eeid and the contents of the eid4 file. 2 keys and the hash...not a byte more.

zecoxao 01-31-2013 06:05 PM

Quote:

Originally Posted by jarmster (Post 533558)
Where is that coming from? You see code that indicates it dumps the root key too, or seen a dump that contains it? My 3dump.bin was exactly the same output as decrypting the Eeid and the contents of the eid4 file. 2 keys and the hash...not a byte more.

if what you say is true, then there's no need to decrypt the eid4. but i was discussing with a person a moment ago and he said they also required the eid_root_key. so, i dunno which is which, and i'm slightly confused as to which person i should believe in. perhaps i misunderstood something here

jarmster 01-31-2013 06:12 PM

well that's why i asked you straight up why you were saying that...
I just double checked. they're exactly the same...**** you not
and i just compared my root key to the dumps.....it ain't in there in any form

zecoxao 01-31-2013 06:35 PM

Quote:

Originally Posted by jarmster (Post 533571)
well that's why i asked you straight up why you were saying that...
I just double checked. they're exactly the same...**** you not
and i just compared my root key to the dumps.....it ain't in there in any form

if it isn't there, then i have no idea how you get the drive keys from the eid4 dump.

jarmster 01-31-2013 06:50 PM

What are you talking about? I'm confused... The eid4 from running libeeid is a decrypted dump. The 3dump.bin is exactly the same.
The eEID_Dumper.pkg dumps the encrypted eid4.

And from the wiki

EID4 is 0x30 bytes in size: 0x0-0xf = 1st key, 0x10-0x1f = 2nd key, 0x20-0x2f = CMAC-OMAC1 of EID4

so i don't follow your thinking

