Old 12-11-2011   #81
jester
Member
Validates first 0xA0 bytes on EDAT. This uses appldr with the following execution (see below):
- Single execution
- Encrypted arguments
- CMAC. Key: rifkey, expectedHash: data at 0xA0-0xAF
- No Encryption erk:null,riv:null
Hey juannadie, I'm having no luck verifying the very first 0xA0 bytes of edats. Is this the same for every edat type or only for 0xC?
I've tried both with the decrypted klicensee (obtained using the SELF algo) and with the dev_klic extracted by bruteforcing the eboot.

Is the CMAC algo you mentioned the same one used for this?
The second is a CMAC. The key is npdrm_omac_key3, and the message is the titleID (0x30 bytes) concatenated with the filename (excluding path, and case sensitive),

Last edited by jester; 12-11-2011 at 11:25 AM.
Old 12-11-2011   #82
Octopus
Member
 
We have decrypted an edat and are trying to re-encrypt it as free. What to do with 0x90-0xAF?

Last edited by Octopus; 12-11-2011 at 02:54 PM.
Old 12-12-2011   #83
JuanNadie
Homebrew Developer
 
First of all, here is an implementation of the algorithm. It is not fully tested (for example, with ISO.BIN.EDAT it validates but fails when decrypting) and is missing the decompression algorithm (I tried deflate but it does not work; if someone identifies the algorithm please post it. Blocks start with 0x05). Also, keys have been eliminated. In the previous post you have the SHA1.

http://pastebin.com/SuAukd8B

About compression: instead of having metadata sections of 0x10 bytes, the new section is 0x20 bytes long.

Code:
struct compressMetadataSection {
	uint8_t  hash[0x10];          /* hash, as in the plain 0x10-byte metadata section */
	uint64_t fileOffset;          /* offset of the block's data in the file */
	uint32_t len;                 /* length of the block's data */
	uint32_t isEndOfCompression;  /* set on the last compressed block */
};
To obtain bytes 0x10-0x1F, the XOR of the data is used.

@jester You probably forgot to decrypt the key. The result of syscall471 must be decrypted using EDATKEY and RIVKEY.

@Octopus, to make free files:
- Create a memory image of the file.
- Decrypt the data, so you have a memory copy of the file decrypted (for compressed ones there is no need to decompress).
- Modify the NPD to make it free (0x03 instead of 0x02). Recalculate the hashes using the devklic (that's why we need it).
- Re-encrypt each block using the devklic as the base to calculate the block keys (which will then be transformed again as appldr does for that type).
- Once re-encrypted, recalculate the hashes of the sections so they match the new values for the encrypted data.
- If compressed, recalculate the offset and len in the metadata section.
- Using the new metadata section, recalculate data 0x90-0x9F.
- Using the new NPD header + new metadata section hash, calculate the hash and place it at 0xA0-0xAF.
- Write the file to disk (remember that the file is a function of the filename; you must overwrite (not recommended while testing) or remember to rename it properly).

Done
Old 12-12-2011   #84
advocatusdiaboli
Senior Member
 
Finally a good thread on here; most of what is said is history, but it's a nice reminder of the functions and their sources.
Old 12-12-2011   #85
EXE.trim.ALL
Apprentice
 
Thanks a lot for the new info.
So we finally can re-encrypt locally licensed edats to a free license (except compressed ones).
Have you made any progress on sdat?

Last edited by EXE.trim.ALL; 12-12-2011 at 02:35 PM.
Old 12-12-2011   #86
Octopus
Member
 
I have to say thanks for everything @JuanNadie, we have re-encrypted edats as free. What about SDAT? Translators are asking for it VERY hard.
Old 12-12-2011   #87
H3avyRa1n
Senior Member
 
thanks @JuanNadie for your contribution
Old 12-12-2011   #88
snowydew
Homebrew Developer
 
Juan, I was wondering if there was an easier way to contact you?
Old 12-13-2011   #89
JuanNadie
Homebrew Developer
 
The code I posted already implements SDAT. You just need the SDATKEY.
The SHA1 is ED2A015EEB1BD0CE06D0447F1A22AF4C1C401E4A

However, you won't find it by bruteforce as it is coded as a series of immediate values. If you check routine sub_5529C in graf_chokolo's dump_lv2 you'll see the routine that checks the edat/sdat header. A few lines below, at address 5543C, you'll see those immediate values that are XORed with the hash of the NPD to create the fake rifkey (the first 0x100 bytes of the NPD are loaded starting at sp + 0x110).

About compression: we don't know the algorithm, but if we decrypt the data and modify the NPD so it looks like a debug one, you can use make_edata_npdrm to decompress it.
Old 12-13-2011   #90
dsadsadsa
Member
 
Originally Posted by JuanNadie:
The code I posted already implements SDAT. You just need the SDATKEY.
The SHA1 is ED2A015EEB1BD0CE06D0447F1A22AF4C1C401E4A...
@JuanNadie , Thanks for your great work! Would it be possible for you to have a short chat with Kakaroto about his work on the NPDRM algo? I think you could really help him, and in turn advance the scene a whole lot!
PS3Hax.net is Copyright © 2010-2013.