Old 01-31-2013   #1
zecoxao
analyzing 3k3y's code

Code:
 private byte[] IV1 = new byte[] { 0x22, 0x26, 0x92, 0x8d, 0x44, 3, 0x2f, 0x43, 0x6a, 0xfd, 0x26, 0x7e, 0x74, 0x8b, 0x23, 0x93 };
 private byte[] IV2 = new byte[] { 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
 private byte[] IV3 = new byte[] { 0x3b, 0xd6, 0x24, 2, 11, 0xd3, 0xf8, 0x65, 0xe8, 11, 0x3f, 12, 0xd6, 0x56, 0x6d, 0xd0 };
 private static byte[] Key1 = new byte[0x10];
 private static byte[] Key2 = new byte[0x10];
 private byte[] Key3 = new byte[] { 0x12, 0x6c, 0x6b, 0x59, 0x45, 0x37, 14, 0xee, 0xca, 0x68, 0x26, 0x2d, 2, 0xdd, 0x12, 210 };
 private byte[] Key4 = new byte[] { 0xd9, 0xa2, 10, 0x79, 0x66, 0x6c, 0x27, 0xd1, 0x10, 50, 0xac, 0xcf, 13, 0x7f, 0xb5, 1 };
 private byte[] Key5 = new byte[] { 0x19, 0x76, 0x6f, 0xbc, 0x77, 0xe4, 0xe7, 0x5c, 0xf4, 0x41, 0xe4, 0x8b, 0x94, 0x2c, 0x5b, 0xd9 };
 private byte[] Key6 = new byte[] { 80, 0xcb, 0xa7, 240, 0xc2, 0xa7, 0xc0, 0xf6, 0xf3, 0x3a, 0x21, 0x43, 0x26, 0xac, 0x4e, 0xf3 };
 private static byte[] Key7 = new byte[0x10];
 private static byte[] Key8 = new byte[0x10];
here we can see the keys used by the ripper, taken from

http://www.ps3devwiki.com/wiki/BD_Dr...eering#Program

i'm gonna post more information as i find it...

http://www.ps3devwiki.com/wiki/BD_Dr...ion_about_EID4

the keys are in eid4, and yes, we DO need to decrypt it, or else Sony would be the biggest bunch of retards.

the eid4 key is used to verify the cmac hash of the first 0x20 bytes

edit2:
naehrwert's code seems to prove this:
Code:
/* prototype: OMAC1 over len bytes of input with a key of aes_key_bits bits */
void aes_omac1(u8* output, u8* input, int len, u8* aes_key_data, int aes_key_bits);

/* digest of the first 0x20 bytes of eid4 under the per-console EID4 key from indiv */
aes_omac1(digest, eid4, 0x20, indiv + INDIV_EID4_KEY_OFFSET, 0x100);
if (memcmp(digest, eid4 + 0x20, AES_OMAC1_DIGEST_SIZE) != 0) /* stored digest sits at 0x20 */
    printf("warning: eid4 hash check failed!\n");
omac1 basically spits out the digest of the secure communication channel keys.
if you compare the digest with the last 16 bytes of eid4, it should match

edit3: corrected some info.
__________________
"Whoever has ears, let them hear."

Last edited by zecoxao; 02-01-2013 at 06:20 AM.
Old 01-31-2013   #2
diesel701
http://www.ps3hax.net/showpost.php?p=532565

Anyway, good work man!

Originally Posted by zecoxao:
the keys are IN eid4, eid4 contains them already! we don't need to decrypt it. and those are the secure communication channel keys.

the eid4 key and iv are used to verify the cmac hash of the entire eid4. i'll verify if this is correct or not, but i think i'm saying it right.
So, theoretically for 3k and 4k we need only to read the eid4 (for example from the nor chip) and we get the keys needed for the ODE.. Right?

Last edited by diesel701; 01-31-2013 at 04:50 PM.
Old 01-31-2013   #3
zecoxao
Originally Posted by diesel701:
http://www.ps3hax.net/showpost.php?p=532565

Anyway, good work man!


So, theoretically for 3k and 4k we need only to read the eid4 (for example from the nor chip) and we get the keys needed for the ODE.. Right?
You still need to auth with the bd drive. that's the part Cobra/E3 figured out. we can do this normally with hacked consoles, but not with unhacked consoles.
Old 01-31-2013   #4
DEFAULTDNB
 
DEFAULTDNB's Avatar
 
Join Date: Mar 2012
Posts: 8,892
Likes: 6,252
Liked 3,810 Times in 2,476 Posts
Mentioned: 946 Post(s)
Tagged: 0 Thread(s)
Was @zadow28's code for 1.00 or 1.02 of the ripper?

Have they "crypted the crypter" in 1.02?
Old 01-31-2013   #5
zecoxao
lol, it looks like i was wrong in the part that the 3Dump.bin only contains the encrypted eid4. it contains also the eid_root_key. if that's true then i need to change my original post.
Old 01-31-2013   #6
jarmster
Originally Posted by zecoxao:
lol, it looks like i was wrong in the part that the 3Dump.bin only contains the encrypted eid4. it contains also the eid_root_key. if that's true then i need to change my original post.
Where is that coming from? You see code that indicates it dumps the root key too, or seen a dump that contains it? My 3dump.bin was exactly the same output as decrypting the Eeid and the contents of the eid4 file. 2 keys and the hash...not a byte more.
Old 01-31-2013   #7
zecoxao
Originally Posted by jarmster:
Where is that coming from? You see code that indicates it dumps the root key too, or seen a dump that contains it? My 3dump.bin was exactly the same output as decrypting the Eeid and the contents of the eid4 file. 2 keys and the hash...not a byte more.
if what you say is true, then there's no need to decrypt the eid4. but i was discussing with a person a moment ago and he said they also required the eid_root_key. so, i dunno which is which, and i'm slightly confused as to which person i should believe in. perhaps i misunderstood something here
Old 01-31-2013   #8
jarmster
well that's why i asked you straight up why you were saying that...
I just double checked. they're exactly the same...**** you not
and i just compared my root key to the dumps.....it ain't in there in any form

Last edited by jarmster; 01-31-2013 at 06:14 PM.
Old 01-31-2013   #9
zecoxao
Originally Posted by jarmster:
well that's why i asked you straight up why you were saying that...
I just double checked. they're exactly the same...**** you not
and i just compared my root key to the dumps.....it ain't in there in any form
if it isn't there, then i have no idea how you get the drive keys from the eid4 dump.
Old 01-31-2013   #10
jarmster
What are you talking about? I'm confused...The eid4 from running libeeid is a decrypted dump. The 3dump.bin is exactly the same.
The eEID_Dumper.pkg dumps the encrypted eid4.

And from the wiki

EID4 is of size 0x30 bytes: 0x0-0xf bytes = 1st key, 0x10-0x1f - 2nd key, 0x20-0x2f - CMAC-OMAC1 of EID4

so i don't follow your thinking
PS3Hax.net is Copyright © 2010-2013.