SELF File Format and Decryption

From PS3 Developer wiki
Jump to: navigation, search

SELF stands for Signed Executable and Linkable Format.

A screenshot of f0f's presentation at CCC2010.

Introduction[edit]

It is the format used by the executables on the PS3 It has a specific header here called SCE header where it stores all the parameters for this process

  • SCE Header

It consist on information regarding the structure and offsets of the self. The first part is in plaintext until you reach Metadata Info.

  • Metadata Info

Metadata Info is itself under AES 256 CBC. This part contains KEY + IV to further decrypt the header using AES 128 CTR.

  • Metadata

The metadata header, Metadata Section Headers, Section Hash, Capabilities and Signature are under this AES 128 CTR layer and is decrypted with the key above.

  • Metadata Header

Metadata header contains the info required to authenticate the header and the structure of the metadata. The signature is ECDSA of the SHA1 hash of the self file starting at 0x0 and ending at 0x0+signatureInputLength

  • Data Sections

The data sections might be encrypted using AES 128 CTR and/or compressed. HMAC-SHA1 is used to authenticate they have not been modified.

Note: not only ELF/PRX files can be signed with this format, other known files with SCE header are :

  • revoke (e.g. RL_FOR_PACKAGE.img/RL_FOR_PROGRAM.img and pkg.srvk/prog.srvk)
  • spp (e.g. default.spp)
  • package (e.g. .pkg/.spkg_hdr.X)
  • edat

Cryptography[edit]

Here is a small summary on how the self cryptography works.

Basically here are the steps being involved by the loaders:

Loaders all have a static key and iv called respectively erk and riv, those are keys for the first decryption step which are used to decrypt the very first 0x40 bytes of the self's metadata using AES256CBC

Then the result is used as a key and iv to decrypt the rest of the metadata using AESCTR, finally the decrypted metadata contains the keys and iv for each data sections which are still decrypted through AES128CTR. This security model is based on the fact that the first 0x40 bytes of the self's metadata once decrypted by the static AES256CBC key in the loader should never be the same from one binary to the other. The same goes for any other value used as an AES128CTR key or iv.

Loaders are also involved with inflating the binaries using zlib.

The self authenticity is based on other independent steps, HMAC-SHA1 of the data sections and ECDSA for the actual signature in the header.

Short references[edit]

More indepth Online course about encryption in generic (also AES/ECDSA): Lecture Notes on Computer and Network Security by Avinash Kak

File Format[edit]

Notes:

  • Numbers are stored in big endian format.

SCE Header[edit]

Struct[edit]

typedef struct {
 uint32_t magic;                 /* 53434500 = SCE\0 */
 uint32_t hdr_version;           /* header version */
 uint16_t key_revision;          /* key_revision */
                                 /* 0x0 retail (type 0)
                                  * 0x1 retail (0.92-3.30)
                                  * 0x2 retail (type 1)
                                  * 0x3 unknown (npdrm1?)
                                  * 0x4 retail (3.40-3.42)
                                  * 0x5 unknown (npdrm1?)
                                  * 0x6 unknown (npdrm2?)
                                  * 0x7 retail (3.50)
                                  * 0x8 unknown (npdrm1?)
                                  * 0x9 unknown (npdrm2?)
                                  * 0xa retail (3.55)
                                  * 0xb unknown (npdrm1?)
                                  * 0xc unknown (npdrm2?)
                                  * 0xd retail (3.56)
                                  * 0xe unknown (npdrm1?)
                                  * 0xf unknown (npdrm2?)
                                  * 0x10 retail (3.60-3.61)
                                  * 0x11 unknown (npdrm1?)
                                  * 0x12 unknown (npdrm2?)
                                  * 0x13 retail (3.65)
                                  * 0x14 unknown (npdrm1?)
                                  * 0x15 unknown (npdrm2?)
                                  * 0x16 retail (3.70-3.74)
                                  * 0x17 unknown (npdrm1?)
                                  * 0x18 unknown (npdrm2?)
                                  * 0x19 retail (4.00-4.11)
                                  * 0x1A unknown (npdrm1?)
                                  * 0x1B unknown (npdrm2?)
                                  * 0x1C retail (4.20-)
                                  * 0x1D unknown (npdrm1?)
                                  * 0x1E unknown (npdrm2?)
                                  * 0x8000 DEBUG (devkit)
                                  */
 uint16_t header_type;           /* 1 self, 2 srvk/img, 3 pkg , 4 spp - : "category" SCE_File_Types */
 uint32_t metadata_offset;       /* metadata offset */
 uint64_t header_length;         /* SCE file header length */
 uint64_t data_length;           /* length of encapsulated data */
} __attribute__((packed)) SCE_HDR;

SELF Header[edit]

Struct[edit]

typedef struct {
 uint64_t header_type;           /* 3 - SELF */
 uint64_t appinfo_offset;        /* app info offset */
 uint64_t elf_offset;            /* ELF #1 offset */
 uint64_t phdr_offset;           /* program header offset */
 uint64_t shdr_offset;           /* section header offset */
 uint64_t section_info_offset;   /* section info offset */
 uint64_t sceversion_offset;     /* version offset */
 uint64_t controlinfo_offset;    /* control info offset */
 uint64_t controlinfo_length;    /* control length */
 uint64_t padding;               /* padding */
} __attribute__((packed)) SELF_HDR;

comments[edit]

The real ELF data is located after the SCE header (see header size). It is encrypted, unless the flags are 0x8000. unfself works by cutting the SCE header from the (fake) SELF.

App Info[edit]

Struct[edit]

typedef struct {
 uint64_t authid;                /* auth id */
 uint32_t vendor_id;             /* vendor id */
 uint32_t self_type;             /* app type
                                  * 1 level0,
                                  * 2 level1,
                                  * 3 level2,
                                  * 4 application,
                                  * 5 isolated SPU module,
                                  * 6 secure loader,
                                  * 7 unknown, handled by appldr,
                                  * 8 NPDRM app */
 uint64_t version;               /* app version */
 uint64_t padding;               /* UNKNOWN */
} __attribute__((packed)) APP_INFO;

Comments[edit]

Aligned to 0x10 bytes.

ELF Header[edit]

Struct[edit]

 typedef struct {
   uint8_t e_ident[16];              /* ELF identification */
   uint16_t e_type;                  /* object file type */
   uint16_t e_machine;               /* machine type */
   uint32_t e_version;               /* object file version */
   uint64_t e_entry;                 /* entry point address */
   uint64_t e_phoff;                 /* program header offset */
   uint64_t e_shoff;                 /* section header offset */
   uint16_t e_flags;                 /* processor-specific flags */
   uint32_t e_ehsize;                /* ELF header size */
   uint16_t e_phentsize;             /* size of program header entry */
   uint16_t e_phnum;                 /* number of program header entries */
   uint16_t e_shentsize;             /* size of section header entry */
   uint16_t e_shnum;                 /* number of section header entries */
   uint16_t e_shstrndx;              /* section name string table index */
 } __attribute__((packed)) ELF;

Comments[edit]

See Specifications here: ELF Header ELF-64 Object File Format

Processor specific elf types (e_type):

  • ET_SCE_IOPRELEXEC = 0xFF80
  • ET_SCE_IOPRELEXEC2= 0xFF81
  • ET_SCE_EERELEXEC = 0xFF90
  • ET_SCE_EERELEXEC2 = 0xFF91
  • ET_SCE_PSPRELEXEC = 0xFFA0
  • ET_SCE_PPURELEXEC = 0xFFA4
  • ET_SCE_PSPOVERLAY = 0xFFA8

EI_OSABI:

  • ELFOSABI_CELL_LV2=0x66

ELF Program Headers[edit]

Struct[edit]

 typedef struct {
   uint32_t p_type;                  /* type of segment */
   uint32_t p_flags;                 /* segment attributes */
   uint64_t p_offset;                /* offset in file */
   uint64_t p_vaddr;                 /* virtual address in memory */
   uint64_t p_paddr;                 /* reserved */
   uint64_t p_filesz;                /* size of segment in file */
   uint64_t p_memsz;                 /* size of segment in memory */
   uint64_t p_align;                 /* alignment of segment */
 } __attribute__((packed)) ELF_PHDR;

Comments[edit]

See Spec here: ELF Program Headers

Processor specific segment types (p_type):

  • PT_SCE_IOPMOD = 0x70000080
  • PT_SCE_EEMOD = 0x70000090
  • PT_SCE_PSPREL = 0x700000A0
  • PT_SCE_PPURELA= 0x700000A4
  • PT_SCE_SEGSYM = 0x700000A8

Processor specific segment flags (p_flags):

  • PF_SPU_X = 0x00100000
  • PF_SPU_W = 0x00200000
  • PF_SPU_R = 0x00400000
  • PF_RSX_X = 0x01000000
  • PF_RSX_W = 0x02000000
  • PF_RSX_R = 0x04000000


ELF Section Headers[edit]

Struct[edit]

 typedef struct {
   uint32_t sh_name;                 /* section name */
   uint32_t sh_type;                 /* section type */
   uint64_t sh_flags;                /* section attributes */
   uint64_t sh_addr;                 /* virtual address in memory */
   uint64_t sh_offset;               /* offset in file */
   uint64_t sh_size;                 /* size of section */
   uint32_t sh_link;                 /* link to other section */
   uint32_t sh_info;                 /* miscellaneous information */
   uint64_t sh_addralign;            /* address alignment boundary */
   uint64_t sh_entsize;              /* size of entries, if section has table */
 } __attribute__((packed)) ELF_SHDR;


Comments[edit]

Processor specific section types (sh_type):

  • SHT_SCE_IOPMOD = 0x70000080
  • SHT_SCE_EEMOD = 0x70000090
  • SHT_SCE_PSPREL = 0x700000a0
  • SHT_SCE_PPURELA = 0x700000a4

Segment Information[edit]

Struct[edit]

typedef struct {
 uint64_t offset;
 uint64_t size;
 uint32_t compressed; // 2=compressed
 uint32_t unknown1;
 uint32_t unknown2;
 uint32_t encrypted; // 1=encrypted
} __attribute__((packed)) SECTION_INFO;


Comments[edit]

There is one of these entries for each phdr entry in the elf file so that the ps3 knows where to decrypt the data from. (because it might also be compressed.)

Notes:

  • There is one Segment Information for each ELF Program Header.

SCE Version Info[edit]

Struct[edit]

typedef struct {
 uint32_t subheader_type; // 1 - sceversion
 uint32_t present;        // 0 - FALSE / 1 - TRUE
 uint32_t size;
 uint32_t unknown4;
} __attribute__((packed)) SCEVERSION_INFO;

Data Struct[edit]

typedef struct {
 uint16 unknown_1;
 uint16 unknown_2; //0x0001
 uint32 unknown_3;
 uint32 unknown_4; //Number of sections?
 uint32 unknown_5;
 ////
   uint64 offset;    //Data offset.
   uint64 size;      //Data size.
 //// <- these are supposed to be sections
} SCE_VERSION_DATA_30;

Comment[edit]

Control Information[edit]

Struct[edit]

typedef struct {
 uint32_t type; // 1==control flags; 2==file digest; 3==npdrm
 uint32_t size;
 uint64_t next; // 1 if another Control Info structure follows 0 if not
 union {
   // type 1 0x30 bytes
   struct {
     uint32_t ctrl_flag1; // ctrl_flag  0x80000000(all?);0x40000000(root);0x20000000(dbg);0x00000000(normal?) 
     uint32_t unknown2;
     uint32_t unknown3;
     uint32_t unknown4;
     uint32_t unknown5;
     uint32_t unknown6;
     uint32_t unknown7;   // 0;8;9;0xC
     uint32_t unknown8;   // 0;1;2;4
   } control_flags;
   // type 2 0x40 bytes
   struct {
     uint8_t digest1[20]; //hash digest, same for every file
     uint8_t digest2[20]; //sha1 hash digest calculated of .elf file...
     uint64_t padding;
   } file_digest40;
   // type 2 0x30 bytes
   struct {
     uint8_t digest1[20];
     uint64_t unknown2;
   } file_digest30;
   // type 3 0x90 bytes
   struct {
     uint32_t magic;
     uint32_t unknown2;
     uint32_t license; /* license_type  1 network, 2 local, 3 free */
     uint32_t type; /* app_type  1 exec, 0x21 update */
     uint8_t content_id[48];
     uint8_t digest[16];    // sha-1 hash of debug self/sprx created with make_fself_npdrm
     uint8_t invdigest[16]; //hash_cid_fname
     uint8_t xordigest[16]; //hash_ci
     uint64_t unknown3;
     uint64_t unknown4;
   } npdrm;
 };
} __attribute__((packed)) CONTROL_INFO;

Comments[edit]

Metadata Information[edit]

Struct[edit]

typedef struct {
 uint8_t key[16];
 uint8_t key_pad[16];
 uint8_t iv[16];
 uint8_t iv_pad[16];
} __attribute__((packed)) METADATA_INFO;


Comments[edit]

Notes:

  • The key and ivec fields are encrypted using AES256CBC.
  • This is not present if it is an FSELF.

Metadata Header[edit]

Struct[edit]

typedef struct {
 uint64_t signatureInputLength;
 uint32_t unknown02;            //Should be signature algorithm. It always = 1(ECDSA)
 uint32_t sectionCount;
 uint32_t keyCount;
 uint32_t optHeaderSize;
 uint32_t unknown06;
 uint32_t unknown07;
} __attribute__((packed)) METADATA_HEADER;

Comments[edit]

Notes:

  • The metadata header is located after the metadata info in the SELF file.
  • It is decrypted using AES128CTR with the key and ivec entries from the metadata information.
  • The signature input length is the number of bytes which are used to generate the SHA-1 which is used to generate the ECDSA signature. The length should be eveything from the beginning until the signature itself. The decrypted version of the input data is used.
  • This is only present if the metadata Information is present.

Metadata Section Headers[edit]

Struct[edit]

typedef struct {
 uint64_t data_offset;
 uint64_t data_size;
 uint32_t type; // 1 = shdr, 2 == phdr, 3 == unknown
 uint32_t program_idx;
 uint32_t hashed; //2=yes
 uint32_t sha1_idx;
 uint32_t encrypted; // 3=yes; 1=no
 uint32_t key_idx;
 uint32_t iv_idx;
 uint32_t compressed; // 2=yes; 1=no
} __attribute__((packed)) METADATA_SECTION_HEADER;

Comments[edit]

Notes:

  • The metadata section headers are located after the metadata header in the SELF file.
  • The number of sections is indicated by the sectionCount entry in the metadata header.
  • They are decrypted using AES128CTR with the key and ivec entries from the metadata information.
  • Section data is decrypted using AES128CTR with the key and ivec from the metadata keys specified by keyIndex and ivecIndex.
  • Section data will also need to be uncompressed using zlib.
  • The dataOffsets of the metadata section headers match in general the segment information dataOffsets.
  • This is only present if the metadata header is present.

Section Hash[edit]

Struct[edit]

typedef struct {
 uint8_t sha1[20];
 uint8_t padding[12];
 uint8_t hmac_key[64];
} __attribute__((packed)) SECTION_HASH;


Comments[edit]

Notes:

  • The metadata keys (section hash) are located after the metadata section headers in the SELF file.
  • The number of keys is indicated by the keyCount entry in the metadata header.
  • They are decrypted using AES128CTR with the key and ivec entries from the metadata information.
  • If the sha1Index points to a key, then key[sha1Index] and key[sha1Index+1] form the 160-bit hash. key[sha1Index+2] to key[key[sha1Index+6] form the 512-bit key for the HMAC-SHA1. The HMAC-SHA1 is calculated on the decrypted data and before the decompression.

Capabilities Info[edit]

Struct[edit]

typedef struct {
 uint32_t Type; // 1,2
 uint32_t capabilities_size; // capabilities  Type 1 0x30, Type 2 0x100
 uint32_t next; // 1 if there is another cap flag structure after this, 0 if not
 uint32_t unknown2;
 uint64_t unknown3;
 uint64_t unknown4;
 uint64_t flags;
 uint32_t unknown6;
 uint32_t unknown7;
} __attribute__((packed)) CAPABILITIES_INFO;

Comments[edit]

Signature[edit]

Struct[edit]

typedef struct {
 uint8_t r[21];
 uint8_t s[21];
 uint8_t padding[6];
} __attribute__((packed)) SIGNATURE;

Comments[edit]

Notes:

  • The signature is located after the the signature information in the SELF file.
  • It is even present if the signature information is not present.
  • It is decrypted using AES128CTR with the key and ivec entries from the metadata information.

Self Section Info[edit]

Struct[edit]

typedef struct {
 uint8_t *data;
 uint64_t size;
 uint64_t offset;
} SELF_SECTION;

Comments[edit]

Extracting an ELF
[edit]

ELF Header[edit]

Elf64_Ehdr elfHeader;

fseek ( selfFile, fix64 ( selfHeader.elfHeaderOffset ), SEEK_SET );
fread ( &elfHeader, sizeof ( Elf64_Ehdr ), 1, selfFile );

fseek ( elfFile, 0, SEEK_SET );
fwrite ( &elfHeader, sizeof ( Elf64_Ehdr ), 1, elfFile );

Section Headers[edit]

Elf64_Shdr elfSectionHeaders[100];

fseek ( selfFile, fix64 ( selfHeader.elfSectionHeadersOffset ), SEEK_SET );
fread ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), selfFile );

fseek ( elfFile, fix64 ( elfHeader.e_shoff ), SEEK_SET );
fwrite ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), elfFile );

Section Data[edit]

Notes:

  • Unknown, manually copying the data over works for now.
  • There should be a section data offset somewhere.

Program Headers[edit]

Elf64_Phdr elfProgramHeaders[100];

fseek ( selfFile, fix64 ( selfHeader.elfProgramHeadersOffset ), SEEK_SET );
fread ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), selfFile );

fseek ( elfFile, fix64 ( elfHeader.e_phoff ), SEEK_SET );
fwrite ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), elfFile );

Program Data[edit]

Notes:

  • Load the metadata information and decrypt the key and ivec entries using AES256CBC using erk and riv.
  • Load the metadata header and decrypt it using AES128CTR with the key and ivec entries from the metadata information.
  • Load sectionCount metadata section headers and decrypt them using AES128CTR with the key and ivec entries from the metadata information.
  • Load keyCount metadata keys and decrypt them using AES128CTR with the key and ivec entries from the metadata information.
  • For each metadata section:
    • In the SELF file, fseek to dataOffset and read in dataSize bytes.
    • Decrypt the data using AES128CTR with the key and ivec from the metadata keys specified by keyIndex and ivecIndex from the metadata section header.
    • Uncompress the data using zlib.
    • Write it to the ELF file as the program section specified by section Index in the metadata section header.

Meta Checksums[edit]

There are 3 checksums at the offset specified by meta_offset.

  • The first is the sha1 checksum of the entire self file.
  • The 2nd checksum is the inverse of the first checksum.
  • The 3rd checksum is the first checksum XORed with 0xAAAAAA..AAAAAB

The PSJailbreak payload ignores the actual checksums, but checks that the 3rd checksum is the 2nd checksum XORed with 0xAAAAAA..AAAAAB

self-capabilities flags[edit]


appldr

0x17 = 0x78

xsetting

0x17 = 0x3B
0x1B = 0x01
0x1D = 0x02

ps3swu

0x17 = 0x7B
0x1B = 0x01
0x1D = 0x11
0x1E = 0x60

lv2

0x17 = 0x7B
0x1B = 0x01

lv1

0x17 = 0x7B
0x1B = 0x01

libfs

0x17 = 0x7B
0x1B = 0x01

icolaunch

0x17 = 0x3B
0x1B = 0x01
0x1D = 0x04

hddcopy

0x17 = 0x7B
0x1B = 0x01
0x1D = 0x08

flowers

0x17 = 0x3B
0x1B = 0x01
0x1E = 0x20

fdm_spu

0x17 = 0x38

emu_drm

0x17 = 0x3B
0x1D = 0x02

bdj

0x0F = 0x01
0x17 = 0x27
0x1D = 0x02

0x0C = 0x00000001
0x14 = 0x00000038 / 0x0000003B / 0x00000078 / 0x0000007B / 0x00000027
0x18 = 0x00000001
0x1C = 0x00002000 / 0x00020000 / 0x00040000 / 0x00080000 / 0x00116000

0x14:

#define CAP_FLAG_REFTOOL 0x08
#define CAP_FLAG_DEBUG 0x10
#define CAP_FLAG_RETAIL 0x20
#define CAP_FLAG_SYSDBG 0x40

Some more cap flags: http://pastie.org/3090973 and http://pastie.org/3090976 (appldr 356 white(?)list) abbr title="ECDSA - Elliptic Curve Digital Signature Algorithm">ECDSA