Go Back   PS3Hax Network - Playstation 3 Hacks and Mods > PS3Hax > PS3 | Technical Development and Coding Area
Reload this Page NPDRM Self algorithm
Reply
Page 12 of 17 « First 2 10 11 12 13 14 Last »
 
Thread Tools
Old 12-21-2011   #111
EXE.trim.ALL
Apprentice
 
Join Date: Oct 2011
Posts: 14
Likes: 1
Liked 2 Times in 2 Posts
Mentioned: 22 Post(s)
Tagged: 0 Thread(s)
Originally Posted by Luzifer42 View Post
I have a NPD with uncompressed 0x20 bytes metadata section. It is trunkcated (9MB total), but it should be enough to understand.

I dont really known how to calculate the hash over this metadata, if it is present at all. The total length of the metadata seems rather short (0x00 to 0x20 bytes for 578 blocks), because the decryption works already at the offset 0x120.
For 0x3c type the metadata sections are placed before each data block.
For example in your file metadata for first block is at 0x100-0x120, then 0x120-0x4120 is first block of data, then again metadata for second block (0x4120-0x4140), then second block of data (0x4140-0x8140)...
But the problem of 0x3c is in obfuscation of data hash in metadata section.
In debug files in first 16 bytes is hash and then 16 nulled bytes.
EXE.trim.ALL is offline   Reply With Quote
Old 12-21-2011   #112
EXE.trim.ALL
Apprentice
 
Join Date: Oct 2011
Posts: 14
Likes: 1
Liked 2 Times in 2 Posts
Mentioned: 22 Post(s)
Tagged: 0 Thread(s)
@JuanNadie
So can you say something about metadata of 0x3c type?
Last edited by EXE.trim.ALL; 12-21-2011 at 12:50 PM.
EXE.trim.ALL is offline   Reply With Quote
Old 12-21-2011   #113
JuanNadie
Homebrew Developer
 
Join Date: Oct 2011
Posts: 20
Likes: 11
Liked 367 Times in 19 Posts
Mentioned: 68 Post(s)
Tagged: 0 Thread(s)
First new version for 0x3C:

http://pastebin.com/TtuNF5J5

@EXE.trim.ALL You are calculating properly the hash. However you probably are not considering FLAG0x10. This flags indicates that the algorithm for hash is HMAC instead of CMAC. If FLAG0x20 is set the hash len is 0x14, otherwise the hash is truncated to 0x10 bytes.

Also another effect of FLAG0x10 is that the hashkey != encryptionKey. When this byte is set the hashKey has to be reencrypted again to calculate the proper value. Check the code above

BTW I confirm that for files with flag0x20 the structure changes from all metadatasection + all data to metadatasection and data interleaved. That means that the metadatasectionhash is ignored. I also confirm your isEncrypted. (credits to @EXE.trim.ALL )
JuanNadie is offline   Reply With Quote
Likes: (3)
Old 12-22-2011   #114
EXE.trim.ALL
Apprentice
 
Join Date: Oct 2011
Posts: 14
Likes: 1
Liked 2 Times in 2 Posts
Mentioned: 22 Post(s)
Tagged: 0 Thread(s)
@JuanNadie Thanks a lot, now my prog works with all edats I have. But it's still need to be refactored to properly use flags)
EXE.trim.ALL is offline   Reply With Quote
Likes: (1)
Old 12-22-2011   #115
Luzifer42
Apprentice
 
Join Date: Dec 2011
Posts: 3
Likes: 0
Liked 2 Times in 1 Post
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Originally Posted by JuanNadie View Post
...
That key is selected randomly by the developer(activision, ea, ubisoft, square...) and it is a parameter used when creating a pkg. So for EDAT the key for the third hash is devklic xored with npdrm_omac_key2.

If we are going to recrypt an EDAT we need that key. There are several procedures to obtain it:

- Decrypt the SELF and use RCE to get it. We'll need an idc that locates the call. Very slow, tricky, requires large knowledge but always work.
- Hook the call that opens EDAT. Then we retrieve it on parameter r3. Faster, requires modifying the firmware. Always work
- Brute force it: Decrypt the self and try every combination of 16 sequential bytes on the file. I obtained using this method the key on Buzz and LBP. It faster than RCE but it does not always work (the key could be in other file or obfuscated)...
I have seen free retail pkg files with EDAT files but without SELF files (Here).
So there must be an other way for the PS3 to obtain the devklic key. As you said, it is used to create a pkg. The algorithm for debug pkg files has already been reverse engineered, and the devklic is stored in obfuscated form at offset 0x70. For retail files, this might be similar. The algorithm for debug files does not work on retail ones. The algorithm might be a more serious cipher with a "secret" key.
Luzifer42 is offline   Reply With Quote
Old 12-23-2011   #116
EXE.trim.ALL
Apprentice
 
Join Date: Oct 2011
Posts: 14
Likes: 1
Liked 2 Times in 2 Posts
Mentioned: 22 Post(s)
Tagged: 0 Thread(s)
Originally Posted by Luzifer42 View Post
I have seen free retail pkg files with EDAT files but without SELF files (Here).
So there must be an other way for the PS3 to obtain the devklic key. As you said, it is used to create a pkg. The algorithm for debug pkg files has already been reverse engineered, and the devklic is stored in obfuscated form at offset 0x70. For retail files, this might be similar. The algorithm for debug files does not work on retail ones. The algorithm might be a more serious cipher with a "secret" key.
Try to search for keys in unselfed vsh.
EXE.trim.ALL is offline   Reply With Quote
Old 12-28-2011   #117
Octopus
Member
 
Join Date: Oct 2011
Posts: 83
Likes: 31
Liked 50 Times in 9 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
@JuanNadie What about SPRX?
Octopus is offline   Reply With Quote
Old 12-28-2011   #118
Octopus
Member
 
Join Date: Oct 2011
Posts: 83
Likes: 31
Liked 50 Times in 9 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
Yeah I remembered
But for the rest (Selfs executed inside a program and EDAT) instead of using npdrm_omac_key1 another key is used. That key is called the klicensee (however as that name is already used I would call it devklic (developer klicensee)
Octopus is offline   Reply With Quote
Old 12-30-2011   #119
Octopus
Member
 
Join Date: Oct 2011
Posts: 83
Likes: 31
Liked 50 Times in 9 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
Problem solved, just use devklic.
Octopus is offline   Reply With Quote
Old 01-05-2012   #120
Luzifer42
Apprentice
 
Join Date: Dec 2011
Posts: 3
Likes: 0
Liked 2 Times in 1 Post
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
I dont know if it is useful, but for the sake of completeness, I have reversed the hash algorithms for debug NPD headers. Interestingly, the devklic can be retreived from debug files which are not type=1 (most EDATs are not type=1, only USRDIR/EBOOT.BIN are type=1).

Pseudocode:
Code:
function byte[] nameHash(byte[] digest) {
	byte[] nameHash=new byte[16];
	for (int i = 0; i < 16; i++)
		nameHash[i] = digest[i] ^ 0xFF;
	return nameHash;
}
Code:
function byte[] headerHash(byte[] digest, int type, byte[] devklic){
	byte[] headerHash;
	if (type == 1){
		headerHash={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
	}else{
		headerHash=devklic;
	}
	for (int i = 0; i < 16; i++)
		headerHash[i] = headerHash[i] ^ digest[i] ^ 0x55;
	return headerHash;	
}
Luzifer42 is offline   Reply With Quote
Likes: (2)
Reply
Page 12 of 17 « First 2 10 11 12 13 14 Last »

Bookmarks

« Previous Thread | Next Thread »
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump



PS3Hax.net is Copyright © 2010-2013.
Use of this site is governed by our Terms of Use and Privacy Policy. All Trademarks and images are owned by their respected owners.
Posts and links are subject to each author on this forum and are no way affiliated with the operations and/or opinions of ps3hax.net
All times are GMT -5. The time now is 10:30 PM.
Powered by vBulletin. Copyright ©2000 - 2007, Jelsoft Enterprises Ltd.