[element]

Sorry for be a little bit offtopic .... but have anyone some example exdata folder from ReactPSN (including the act.dat)

[ZOMBIEKILLAH]

Originally Posted by element Sorry for be a little bit offtopic .... but have anyone some example exdata folder from ReactPSN (including the act.dat)

I have exdata folder with MW3 all Elite DLC + BLACK OPS BLUS30591/BLES01031 DLC activated rifs .I have 2 act.dat in my folder though i can not remember if i copied my act.dat in there from my other ps3 .When i first tried reactpsn the tutorial was terrible so i tried a few things till i figured it out cause, it did not work at first.

I believe the act.key & act.dat goes together.. I left both in the folder if you want it .One of the act.dat is from reactpsn for sure.. I will PM you link ,then i am out of here for now it is l8...

[ccfman2004]

Originally Posted by JuanNadie Well, a year passed since I opened this thread so lets celebrate with an update I have been able to resolve the EDAT v4 version. Basically S**Y add a new key/hash. When creating the hv99 call, field38 contains the key index. For version 0 to 3 key index zero is used (older key). For version 4, index 1 (the new key) is used. Keys SHAs: Code: EDATKEY0: 84E9FC3574EAA11A9462FFA53D5EA46B4D0003BF EDATKEY1: 6ECDFEC0A11890C1F2A689062D3EFE562317B2FB EDATHASH0: 8A721A06ABC7BB9BF398C5EF5D6F1FD997BC0A56 EDATHASH1: F7B2917B1FA260FD51D37716A91036651F6F42F2 In addition to that I reversed more fields of the edat header: 0x40 - 0x4F: Before I said that is was a unknown hash. The value actually is the first 0x10 bytes of the SHA1 of the file before is packed (after using make_edata_npdrm) 0x70 - 0x77 and 0x78 to 0x7F: While normally zero on some betas has a value. This is actually dates (since and upto) of validity. When used in combination of a riff the most restrictive is used 0xD8 - 0xFF: Here are the bad news. This is an ECDSA signature. The pub/curve used is the same that the one used on rifs or act.dats. I haven't found a collision so priv can not be obtained. Fortunately the check is not active (I don't know why... perhaps older version have this not properly implemented) Finally an update version of the code. I have to break compatibility with @KDSBest release in order to integrate the additional key. Also I added the ecdsa check as a warning (won't stop decryption) as well as minor fixes. http://pastebin.com/ZpSY1Nf7 On the .ENC files (AKA PS2 remastered games on PSN): I started reversing those. At the moment I know that the OMAC checks are still there (the klicensee is the default). The ECDSA check is ENABLED for PS2 games and on lv2 an ENC is required to be a paid content (so patching vsh.self and lv2 will be required to use a fake ISO.BIN.ENC). I can not gave more information of the encryption although I suspect that an encryption similar to BDEMU is used

I too would like to know how to compile this so I can try it out.

[oakhead69]

EDIT: Sorry please delete the post just found what I was asking about.

[spyro2670]

is there not a prograam that will do the job for you :P??

[Asure]

Good news! Flat_z reversed the whole ps2 emu encryption today!
See his twitter: https://twitter.com/flat_z

Nothing public yet, but i'm sure things will come to us in time. (All good things come to those who wait.)

[omnizero]

Originally Posted by JuanNadie Keys SHAs: Code: EDATKEY0: 84E9FC3574EAA11A9462FFA53D5EA46B4D0003BF EDATKEY1: 6ECDFEC0A11890C1F2A689062D3EFE562317B2FB EDATHASH0: 8A721A06ABC7BB9BF398C5EF5D6F1FD997BC0A56 EDATHASH1: F7B2917B1FA260FD51D37716A91036651F6F42F2

Does anyone know where the EDATKEY1 and EDATHASH1 are located or how to find them, any help is appreciated.

[catalinnc]

hi...does anybody know an example of game with compressed EDATs? also an example of game with compressed SDATs (beside crysis3) would be nice...respect...
_

[jjkkyu]

Originally Posted by omnizero Does anyone know where the EDATKEY1 and EDATHASH1 are located or how to find them, any help is appreciated.

Anyone can help?
I also want to know the way of how to get these keys.

[oakhead69]

Originally Posted by jjkkyu Anyone can help? I also want to know the way of how to get these keys.

OK here is the process I used to reverse the V4 Keys, EDATKEY1 and EDATHASH1 from my PS3.
99% of what I will post here is already public domain, I will just pull it together in one place here.

I used IDA and a customised version of KDS Best's SPU Emulator

JuanNadie posted here the SH1 hashes of the EDAT keys and hashes and I can confirm that these are correct.
http://www.ps3hax.net/showpost.php?p...&postcount=134

The encrypted EDAT hashes and keys can be found in the 4.xx appldr.elf. sorg posted these here.
http://www.ps3hax.net/showpost.php?p...&postcount=238

So the 3 keys you are missing are the KEY, the IV and the ERK.

The KEY and the IV are in the appldr and are un-encrypted. You can use the IDA or an SPU emulator to figure it out, just work backwards from the below spu code at 28BE4 (I think this offset is for F/W version 4.27 if I remember correctly)

The ERK is generated from the contents returned by channel 73.
The appldr reads channel 73, 3 times which is the FW version check channel.
So in FW 4.30 it will return 0xkk04kk30 0xkkkkkkkk 0xkkkkkkkk where k is the hash initilisation for generating the ERK. 04 30 is F/W version number.
The appldr strips out the F/W version leaving you with the 0xkkkkkkkkkkkkkkkkkkkk 10 byte hash initialisation (ch73 in the code below).
Again most of this information can be found in this thread http://www.ps3hax.net/showthread.php?t=44645
To get the values from channel 73 and you will have to write an isolated SPU to read these values. It has to be an isolated SPU as channel 64 controls the access to channel 73 and one of the last things the appldr does it to isolate channel 73 by writing 0x60000 to channel 64. This information was posted one forum somewhere, just can't remember where. Just Google it (may edit my post later when I find it).

I wrote my spu isolated module based on the dump_encdec_keys by glevand. Just Google and you will find the associated wikis and gits.
http://www.ps3devwiki.com/wiki/Makin...es_and_Loaders is a good starting point.
You will have to do a bit of hand calculation for the branch offsets to shoehorn in some code something like this to read ch73 3 times.

Code:

 
	ila      $83, 0x10000
	wrch     $ch64, $83
	rdch     $83, $ch73
	stqd	 $83, 0($80)
	rdch     $83, $ch73
	stqd	 $83, 0x10($80)
	rdch     $83, $ch73
	stqd	 $83, 0x20($80)

OK so you should now have the encrypted keys (sorg posted) the KEY, the IV and the hash seed for the ERK.

When you find the encrypted keys based on the post from sorg this will lead you as it did me to the following code in the appldr.

Code:

 
RAM:28BE4 loc_28BE4:                              ; CODE XREF: FW_CHECK_??:JUMP_28B98j
RAM:28BE4                                         ; DATA XREF: FW_CHECK_??:JUMP_28B98r
RAM:28BE4                 brsl    $LR, readch73
RAM:28BE8                 ori     $4, PASSED_IN_FW_80, 0 ; r4 key
RAM:28BEC                 shlqbyi $5, $81, 0      ; r5 key len
RAM:28BF0                 brnz    PARAM_FW_VERSION_3, loc_28C2C
RAM:28BF4                 ai      $6, $SP, 0x20   ; r6 src 1b90
RAM:28BF8                 il      $7, 0xA         ; r7 len
RAM:28BFC                 shlqbyi PARAM_FW_VERSION_3, $86, 0 ; r3 dest 1ba0
RAM:28C00                 brsl    $LR, sha1_hmac_buffer
RAM:28C04                 ori     $4, $82, 0      ; r4 src
RAM:28C08                 ori     $5, $83, 0      ; r5 len
RAM:28C0C                 brnz    PARAM_FW_VERSION_3, loc_28C2C
RAM:28C10                 ori     $6, $86, 0      ; r6 key
RAM:28C14                 shlqbyi PARAM_FW_VERSION_3, $85, 0 ; r3 dst
RAM:28C18                 ori     $8, $84, 0      ; r8 iv
RAM:28C1C                 il      $7, 0x80        ; r7 128 bit
RAM:28C20                 brsl    $LR, AesCbc128Decrypt
RAM:28C24                 il      $2, 0
RAM:28C28                 brz     PARAM_FW_VERSION_3, loc_28C30

Independently of me redcfw also found the same SPU code and generated C code from it and posted it here http://www.ps3hax.net/showpost.php?p...&postcount=460
I had already generated the following C# code from the SPU code and below is an example for edathash1, it was good to see him confirm the same code as at the time I had still had not figured out how to read ch73.

Code:

 
        byte[] ch73 = ConversionUtils.getByteArray("kkkkkkkkkkkkkkkkkkkk"); 
        byte[] hashOut = new byte[0x14];
        byte[] ch73shErk = new byte[0x10];
        byte[] result = new byte[0x10];
        byte[] key = ConversionUtils.getByteArray("????????????????????????????????"); // From appldr
        byte[] iv = ConversionUtils.getByteArray("????????????????????????????????"); // From appldr
        byte[] edathash1 = ConversionUtils.getByteArray("????????????????????????????????"); // From appldr see sorg's post

        HMACGenerator hash = new HMACGenerator();
        hash.setHashLen(0x10);
        hash.doInit(ch73);
        hash.doUpdate(key, 0, key.Length);
        hash.doFinal(hashOut);
        for (int i = 0; i < ch73shErk.Length; i++)
        {
            ch73shErk[i] = hashOut[i];
        }
        ToolsImpl.aescbcDecrypt(ch73shErk, iv, edathash1, 0, result, 0, edathash1.Length);

There you have it how to reverse the EDATKEY1 and EDATHASH1 from your CFW 4.xx PS3.

Sorry bit of a brain dump, will tidy the post up later if I get the time and add more links to the information sources. I am sure I should credit more people than I have here. If and when I add the source links I will add credits.

Please do not ask me for any of the keys needed here or for the final EDAT keys as I will not post them for obvious reason. As I have already said 99% of this information is already available in forums and wikis. I have just pulled the information together here.

Hope you have as much fun as I did playing with the SPU code .