Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== aim_key , aim_iv and aim_compare ==
can anyone explain to me what is the purpose and funcionality of these keys? i've never seen them in "action" before...
== 2.36 vs 3.30 appldr key 79481839C4... ==
== 2.36 vs 3.30 appldr key 79481839C4... ==
Stop editing 79481839C4... as a 3.30 appldr key, unless you can disprove the absence of it since after 2.36 as seen here: http://pastebin.com/biWXJrst
i see it there on offset 18C30 in the pastebin ....


Stop editing 79481839C4... as a PS3 FW 3.30 appldr key, unless you can disprove the absence of it since after PS3 FW 2.36 as seen here: http://pastebin.com/biWXJrst.
Here is an appldr keys: [http://www.sendspace.com/file/ou1ln1 .xls] & I doubt about the versions and revisions because of ^^


I see it there at offset 0x18C30 in the pastebin....
Please edit & add it to the Page.


Here are some appldr keys: [http://www.sendspace.com/file/ou1ln1 .xls (dead link)] and I doubt about the versions and revisions because of ^^


Please edit and add it to the Page.
Disproving the absence:


Disproving the absence: [https://www.sendspace.com/file/m0j3c1 (dead link)]
https://www.sendspace.com/file/m0j3c1


This archive contains files from PS3 FW 3.31 DECR (appldr, decrypted appldr and emer_init.self)
This archive contains files from 3.31DECR (appldr, decrypted appldr and emer_init.self)


The key 79481839C4... is inside the decrypted appldr and used to decrypt emer_init.self.
The key 79481839C4... is inside the decrypted appldr and used to decrypt emer_init.self


== sv_iso_spu_module 1.02-3.55 ==
== sv_iso_spu_module 1.02-3.55 ==
<pre>
<pre>
key_0:  EF4F6A107742E8448BC1F9D8F2481B31 // key_0 is an aes_cfb128 iv
key_0:  EF4F6A107742E8448BC1F9D8F2481B31 //key_0 is an aes_cfb128 iv


iv_0:    2226928D44032F436AFD267E748B2393
iv_0:    2226928D44032F436AFD267E748B2393
key_0_0: 126C6B5945370EEECA68262D02DD12D2 // key_0_0 is used with iv_0 to generate gen_key_0
key_0_0: 126C6B5945370EEECA68262D02DD12D2 //key_0_0 is used with iv_0 to generate gen_key_0
key_0_1: D9A20A79666C27D11032ACCF0D7FB501 // key_0_1 is used with iv_0 to generate gen_key_1
key_0_1: D9A20A79666C27D11032ACCF0D7FB501 //key_0_1 is used with iv_0 to generate gen_key_1


key_1:  7CDD0E02076EFE4599B1B82C359919B3 // key_1 is used with iv_0
key_1:  7CDD0E02076EFE4599B1B82C359919B3 //key_1 is used with iv_0


iv_1:    3BD624020BD3F865E80B3F0CD6566DD0 // iv_1 is used with gen_key_0 and gen_key_1
iv_1:    3BD624020BD3F865E80B3F0CD6566DD0 //iv_1 is used with gen_key_0 and gen_key_1


key_2:  380BCF0B53455B3C7817AB4FA3BA90ED // key_2 + iv_2 are used to generate something from the disk name (id?)
key_2:  380BCF0B53455B3C7817AB4FA3BA90ED //key_2 + iv_2 are used to generate something from the disk name (id?)
iv_2:    69474772AF6FDAB342743AEFAA186287
iv_2:    69474772AF6FDAB342743AEFAA186287


debug_disc_fallback: 67C0758CF4996FEF7E88F90CC6959D66 // this fallback is used if the disk name (id?) is 'PS3_L_DEBUG_DISC'
debug_disc_fallback: 67C0758CF4996FEF7E88F90CC6959D66 //this fallback is used if the disk name (id?) is 'PS3_L_DEBUG_DISC'
</pre>
</pre>


=== Observations ===
===Observations===
 
<pre>genelib.dll (Build 1.20.2662.20880):
<pre>
genelib.dll (Build 1.20.2662.20880):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 59: Line 62:
    
    
00072E80                                      67 C0 75 8C              gÀuŒ
00072E80                                      67 C0 75 8C              gÀuŒ
00072E90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f
00072E90  F4 99 6F EF 7E 88 F9 0C C6 95 9D 66              ô™oï~ˆù.Æ•.f</pre>
</pre>


== sc_iso module 1.00-4.00 ==
== sc_iso module 1.00-4.00 ==
<pre>
<pre>
0x0                                     
0x0                                     
Line 74: Line 75:


=== Observations ===
=== Observations ===
<pre> 1.00:
<pre> 1.00:
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 105: Line 105:
   ********  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
   ********  DA A4 B9 F2 BC 70 B2 80 A7 B3 40 FA 0D 04 BA 14  Ú¤¹ò¼p²€§³@ú..º.  key rev 0x2
</pre>
</pre>
== aim_spu_module Keys Usage ==
See [[Keys#aim_spu_module_Keys]], especially aim_key, aim_iv and aim_compare.
Can anyone explain to me what is the purpose and functionality of these keys? I have never seen them in "action" before...


== spu_token_processor ==
== spu_token_processor ==
 
<pre> spu_token_processor 1.00-3.56
<pre>spu_token_processor 1.00-3.56
   token-hmac: CC30C4229113DB25733553AFD06E8762B3729D9EFAA6D5F35A6F58BF38FF8B5F58A25BD9C9B50B01D1AB4028676968EAC7F88833B662935D7506A6B5E0F9D97A
   token-hmac: CC30C4229113DB25733553AFD06E8762B3729D9EFAA6D5F35A6F58BF38FF8B5F58A25BD9C9B50B01D1AB4028676968EAC7F88833B662935D7506A6B5E0F9D97A
   token-key:  341812376291371C8BC756FFFC611525403F95A8EF9D0C996482EEC216B562ED
   token-key:  341812376291371C8BC756FFFC611525403F95A8EF9D0C996482EEC216B562ED
   token-iv:  E8663A69CD1A5C454A761E728C7C254E</pre>
   token-iv:  E8663A69CD1A5C454A761E728C7C254E</pre>
 
===Observations===
=== Observations ===
 
<pre>1.00:
<pre>1.00:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 193: Line 184:
</pre>
</pre>


== appldr rev 0x01 ==
== aim_spu_module ==
  aim_ks_4 : 30B0395DC5835AAA3A7986B44AFAE684
  aim_ks_1 : 2ED7CE8D1D55454585BF6A3281CD03AF
  aim_iv  : 51F78B72A64711CF5C72323FB8607A00
  aim_key  : 922B198CDF0C07DCCE848B69882D804CC23F19C2EAE1244F35AF176F7FD37851
http://pastie.org/2547291 (ks version depends on the first four bytes of the eid)
(from main page)
 
===Observations===
<pre>  aim_spu_module.self.elf 1.00 :
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  00008670  40 1C 4A A6 3B 2C 8D 44 E2 45 F0 74 DA E7 78 2A  @.J¦;,.DâEðtÚçx*  <- compare  (1.00-3.42)
  00008680  36 0D 1E 8E E2 11 6B DF 6F 0D 8A 3C C1 7B E3 8F  6..Žâ.kßo.Š<Á{ã.  <- compare  (1.00-3.42)
  00008690  EA 48 B5 71 F4 D2 6D ED 00 00 00 00 00 00 00 00  êHµqôÒmí........  <- compare  (1.00-3.42)
  000086A0  51 F7 8B 72 A6 47 11 CF 5C 72 32 3F B8 60 7A 00  Q÷‹r¦G.Ï\r2?¸`z.  <- IV    (1.00-3.42 but not found in 3.50++)
  000086B0  92 2B 19 8C DF 0C 07 DC CE 84 8B 69 88 2D 80 4C  ’+.Œß..Ü΄‹iˆ-€L  <- KEY  (1.00-3.42 but not found in 3.50++)
  000086C0  C2 3F 19 C2 EA E1 24 4F 35 AF 17 6F 7F D3 78 51  Â?.Âêá$O5¯.o.ÓxQ  <- KEY  (1.00-3.42 but not found in 3.50++)
  000086D0  2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF  .×Î..UEE…¿j2.Í.¯  <- KS 1  (1.00-3.56)
  000086E0  30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84  0°9]ŃZª:y†´Júæ„  <- KS 4  (1.00-3.56)
</pre>
<pre>  aim_spu_module.self.elf 3.42:
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  00003070  30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84  0°9]ŃZª:y†´Júæ„  <- KS 4  (1.00-3.56)
  00003080  2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF  .×Î..UEE…¿j2.Í.¯  <- KS 1  (1.00-3.56)
  00003090  92 2B 19 8C DF 0C 07 DC CE 84 8B 69 88 2D 80 4C  ’+.Œß..Ü΄‹iˆ-€L  <- KEY  (1.00-3.42 but not found in 3.50++)
  000030A0  C2 3F 19 C2 EA E1 24 4F 35 AF 17 6F 7F D3 78 51  Â?.Âêá$O5¯.o.ÓxQ  <- KEY  (1.00-3.42 but not found in 3.50++)
  000030B0  51 F7 8B 72 A6 47 11 CF 5C 72 32 3F B8 60 7A 00  Q÷‹r¦G.Ï\r2?¸`z.  <- IV    (1.00-3.42 but not found in 3.50++)
  000030C0  40 1C 4A A6 3B 2C 8D 44 E2 45 F0 74 DA E7 78 2A  @.J¦;,.DâEðtÚçx*  <- compare  (1.00-3.42)
  000030D0  36 0D 1E 8E E2 11 6B DF 6F 0D 8A 3C C1 7B E3 8F  6..Žâ.kßo.Š<Á{ã.  <- compare  (1.00-3.42)
  000030E0  EA 48 B5 71 F4 D2 6D ED 00 00 00 00 00 00 00 00  êHµqôÒmí........  <- compare  (1.00-3.42)
</pre>


----
== appldr rev0x01 ==
  appold_R  :  B0CD2FDF15C9A79A2C28415B2B5385ED7E91D38D        # ps3publictools/include/keys.h
  appold_R  :  B0CD2FDF15C9A79A2C28415B2B5385ED7E91D38D        # ps3publictools/include/keys.h
  appold_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
  appold_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
Line 204: Line 233:
  appold_keypair_d :  3DEA9F72E7BED979EF787BA96930C01D00000000000000000000000000000000B227D4B47C5321D4FDE97B04EAF9C7F400000000000000000000000000000000        # ps3publictools/include/oddkeys.h
  appold_keypair_d :  3DEA9F72E7BED979EF787BA96930C01D00000000000000000000000000000000B227D4B47C5321D4FDE97B04EAF9C7F400000000000000000000000000000000        # ps3publictools/include/oddkeys.h


== npdrm rev 0x01 ==
== npdrm rev0x01 ==
 
  npdrm_R  :  A38BCB3E4E7309904AEFDFC5047D0FDF06E35C0D        # ps3publictools/include/keys.h
  npdrm_R  :  A38BCB3E4E7309904AEFDFC5047D0FDF06E35C0D        # ps3publictools/include/keys.h
  npdrm_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
  npdrm_n  :  B0E7CAFFC8DEEE8A55A3050D809ADFE38FA01DAB        # ...
Line 211: Line 239:
  npdrm_Da :  040AB47509BED04BD96521AD1B365B86BF620A98        # ...
  npdrm_Da :  040AB47509BED04BD96521AD1B365B86BF620A98        # ...
        
        
  klic_ps3_free :  72F990788F9CFF745725F08E4C128387        # ps3publictools/include/oddkeys.h
  npdrm_omac_key1 :  72F990788F9CFF745725F08E4C128387        # ps3publictools/include/oddkeys.h
  npd_header_hash_xor_key :  6BA52976EFDA16EF3C339FB2971E256B        # ...
  npdrm_omac_key2 :  6BA52976EFDA16EF3C339FB2971E256B        # ...
  npd_cid_fn_hash_aes_cmac_key :  9B515FEACF75064981AA604D91A54E97        # ...
  npdrm_omac_key3 :  9B515FEACF75064981AA604D91A54E97        # ...
        
        
  npdrm_keypair_e  :  A1C013ABCE98A7E3DC69923B07C0285F7554C512B0B0A96F245240F2FD433AF23F4EFEC6C183EA378D1BECB09D88DB328F2C8637B7AC72059B1556B0D95B5BE0        # ps3publictools/include/oddkeys.h
  npdrm_keypair_e  :  A1C013ABCE98A7E3DC69923B07C0285F7554C512B0B0A96F245240F2FD433AF23F4EFEC6C183EA378D1BECB09D88DB328F2C8637B7AC72059B1556B0D95B5BE0        # ps3publictools/include/oddkeys.h
Line 221: Line 249:
----
----


=== Using VSH ECDSA in Python ===
<pre>#!/usr/bin/env python
### Python 2 future-compatible workarounds: (see: http://python-future.org/compatible_idioms.html)
## prevent interpreting print(a,b) as a tuple plus support print(a, file=sys.stderr)
from __future__ import print_function
## interpret long as int, support int.from_bytes()
from builtins import int
## support bytes()
from builtins import bytes
import hashlib
import binascii
CONST_VSH_ECDSA = {
    "P": { "INT": 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF, "DESC": "VSH P", },
    "A": { "INT": 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFC, "DESC": "VSH A", },
    "B": { "INT": 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B, "DESC": "VSH B", },
    "N": { "INT": 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127, "DESC": "VSH Order N/Q", },
    "GX": { "INT": 0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C, "DESC": "VSH Gx", },
    "GY": { "INT": 0x5958557EB1DB001260425524DBC379D5AC5F4ADF, "DESC": "VSH Gy", },
    "PUBX": { "INT": 0x6227B00A02856FB04108876719E0A0183291EEB9, "DESC": "VSH PubKey X", },
    "PUBY": { "INT": 0x6E736ABF81F70EE9161B0DDEB026761AFF7BC85B, "DESC": "VSH PubKey Y", },
}
Data = bytes.fromhex("fcf66ca605a05f5274552f6df523050d98cf249bb06fdce5a0cc0db82503446cc9c00c57f7d7017368844a5f4dc25335b3d4af51238dde5b939d1d271c4922bd05017aa28d22b175165a49941ead92081044f5dd1e3f49d7b0f31a767425e702b75131fac432adfb2e24f62553cde74a8d03e1267893674b52693fbd20e801becd85fef37ccd7c735121a4f5910cf807")
print("Data:", binascii.hexlify(Data))
Sha1 = hashlib.sha1(Data).digest()  ## 0ac2caf8d2a7489be95673c7ab4d75c6a448c5f4
print("Sha1:", binascii.hexlify(Sha1))
Signature_R = 0x008288896404ecb6447a93bdc5606bda076ea0e6a1
Signature_S = 0x00846c7b4596e63808ca85b3e975b4673c2c84c711
print("----------")</pre>
A) With starkbank-ecdsa (faster) from https ://pypi.org/project/starkbank-ecdsa/<br>
Install via: pip install starkbank-ecdsa
<pre>import ellipticcurve.curve
import ellipticcurve.ecdsa
import ellipticcurve.point
import ellipticcurve.publicKey
import ellipticcurve.signature


Vsh_Curve = ellipticcurve.curve.CurveFp(CONST_VSH_ECDSA["A"]["INT"], CONST_VSH_ECDSA["B"]["INT"], CONST_VSH_ECDSA["P"]["INT"], CONST_VSH_ECDSA["N"]["INT"], CONST_VSH_ECDSA["GX"]["INT"], CONST_VSH_ECDSA["GY"]["INT"], "VSH Curve", oid=(1, 2, 3, 4))
== vsh pub + curvetable ==
#
<pre>  pub    :  6227B00A02856FB04108876719E0A0183291EEB96E736ABF81F70EE9161B0DDEB026761AFF7BC85B
Vsh_PubKey_Point = ellipticcurve.point.Point(CONST_VSH_ECDSA["PUBX"]["INT"], CONST_VSH_ECDSA["PUBY"]["INT"])
  curves :  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Vsh_PubKey = ellipticcurve.publicKey.PublicKey(Vsh_PubKey_Point, Vsh_Curve)
              000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
#
              0000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFE000000
Signature = ellipticcurve.signature.Signature(Signature_R, Signature_S)
              00000000000000000000000000FFFFFFFE00000000000000039A2EB773FCA61DCB5236A42C6F7FEB426E5ADA06
#
              0000000000000000FFFE4A39E80D6F151E245270DDA65311EAB7634F69577D0F51E30602711A07059FBCA7BA92
Data_String = Data.decode("latin-1")
              F5E34D6F7216F0D828A37D413EF73F0000000000000000FFFFFFFE00000000000000000000000000000000FFFF
Result = ellipticcurve.ecdsa.Ecdsa.verify(Data_String, Signature, Vsh_PubKey, hashfunc=hashlib.sha1)
              FFFE00000000000000035974123CCBE7FD63E2C31CC465CDE0334461F0F4000000000000000100004A51C3ADC1
print("Verify with module starkbank-ecdsa:", Result)
              9C6BB0DED8ED713BDA9B780270209B1DBC843F5E092A5021D3A6A7AA814E24FFED9FBDAADB243C862A53A0B520</pre>
print("----------")</pre>
vsh-pub-curves.rar (367 Bytes):
 
* <span style="text-decoration: line-through;">http://www.multiupload.com/A19Q0HV7OW</span>
B) With ecdsa (slower) from https ://pypi.org/project/ecdsa/<br>
* http://www.rapidspread.com/file.jsp?id=ew2wexn74o
Install via: pip install ecdsa
* http://www.mirrorcreator.com/files/1XFSXLGU/vsh-pub-curves.rar_links
<pre>import ecdsa.curves
import ecdsa.ecdsa
import ecdsa.ellipticcurve
import ecdsa.keys
 
Vsh_Curve = ecdsa.ellipticcurve.CurveFp(CONST_VSH_ECDSA["P"]["INT"], CONST_VSH_ECDSA["A"]["INT"], CONST_VSH_ECDSA["B"]["INT"])
Vsh_Generator = ecdsa.ellipticcurve.PointJacobi(Vsh_Curve, CONST_VSH_ECDSA["GX"]["INT"], CONST_VSH_ECDSA["GY"]["INT"], 1, order=CONST_VSH_ECDSA["N"]["INT"], generator=True)
#
Vsh_PubKey_Point = ecdsa.ellipticcurve.Point(Vsh_Curve, CONST_VSH_ECDSA["PUBX"]["INT"], CONST_VSH_ECDSA["PUBY"]["INT"], order=CONST_VSH_ECDSA["N"]["INT"])
Vsh_PubKey = ecdsa.ecdsa.Public_key(Vsh_Generator, Vsh_PubKey_Point, verify=True)
#
Signature = ecdsa.ecdsa.Signature(Signature_R, Signature_S)
#
Sha1_Int = int.from_bytes(Sha1, byteorder="big")
print("Sha1 Int:", Sha1_Int)
Result = Vsh_PubKey.verifies(Sha1_Int, Signature)
print("Verify with module ecdsa:", Result)
print("----------")</pre>
 
=== Observations ===


===Observations===
3.10:
3.10:
  PUB:
  PUB:
Line 395: Line 363:
   0062EEA0  20 9B 1D BC 84 3F 5E 09 2A 50 21 D3 A6 A7 AA 81  ›.¼„?^.*P!Ó¦§ª.
   0062EEA0  20 9B 1D BC 84 3F 5E 09 2A 50 21 D3 A6 A7 AA 81  ›.¼„?^.*P!Ó¦§ª.
   0062EEB0  4E 24 FF ED 9F BD AA DB 24 3C 86 2A 53 A0 B5 20  N$ÿ퟽ªÛ$<†*S µ  
   0062EEB0  4E 24 FF ED 9F BD AA DB 24 3C 86 2A 53 A0 B5 20  N$ÿ퟽ªÛ$<†*S µ  


3.55:
3.55:
Line 432: Line 401:
----
----


== Raw key list ==
==RAW key list==
 
Some insight in how the AES routines and SHA1 hashes relate to offsets in appldr : [http://pastie.org/private/fdabkjhmd3hwowi6dgsbw aes 3.15] [http://pastie.org/private/unpbjffn6zgy3vldefvivq sha1 3.15]
Some insight in how the AES routines and SHA1 hashes relate to offsets in appldr:
* [http://pastie.org/private/fdabkjhmd3hwowi6dgsbw AES routines 3.15]
* [http://pastie.org/private/unpbjffn6zgy3vldefvivq sha1 hashes 3.15]
 
=== Primary Table ===
 
(C/P is from PS3 FW 3.56 Fix)


=== Primairy Table ===
(C/P is from 3.56 Fix)
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 556: Line 520:
   0001A3B0  B2 C0 CD 24 92 B0 B5 A1 00 00 00 3A 00 00 00 00  ²ÀÍ$’°µ¡...:....  PUB - Curve
   0001A3B0  B2 C0 CD 24 92 B0 B5 A1 00 00 00 3A 00 00 00 00  ²ÀÍ$’°µ¡...:....  PUB - Curve


=== Secondary Tables ===
=== Secondairy Tables ===


==== 1.00 ====
====1.00====
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 582: Line 546:
   000150B0  B4 57 8A 4C 61 C5 D6 BF 00 00 00 11 00 00 00 00  ´WŠLaÅÖ¿........  PUB - Curve
   000150B0  B4 57 8A 4C 61 C5 D6 BF 00 00 00 11 00 00 00 00  ´WŠLaÅÖ¿........  PUB - Curve


==== 2.40 ====
====2.40====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 593: Line 556:
   00018EF0  C7 46 05 E7 B8 CB 73 2D 00 00 00 08 00 00 00 00  ÇF.ç¸Ës-........  PUB - Curve
   00018EF0  C7 46 05 E7 B8 CB 73 2D 00 00 00 08 00 00 00 00  ÇF.ç¸Ës-........  PUB - Curve


==== 3.40 ====
====3.40====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 618: Line 580:
   000194E0  08 F6 A0 36 58 F2 97 0E 00 00 00 29 00 00 00 00  .ö 6Xò—....)....  PUB - Curve
   000194E0  08 F6 A0 36 58 F2 97 0E 00 00 00 29 00 00 00 00  .ö 6Xò—....)....  PUB - Curve


==== 3.50 ====
====3.50====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 643: Line 604:
   000197D0  27 CE 9E 47 88 9A 45 D0 00 00 00 2A 00 00 00 00  'ΞGˆšEÐ...*....  PUB - Curve
   000197D0  27 CE 9E 47 88 9A 45 D0 00 00 00 2A 00 00 00 00  'ΞGˆšEÐ...*....  PUB - Curve


==== 3.55 ====
====3.55====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    
Line 668: Line 628:
   0001A710  FA 3B E8 32 9E 01 5E 57 00 00 00 3A 00 00 00 00  ú;è2ž.^W...:....  PUB - Curve
   0001A710  FA 3B E8 32 9E 01 5E 57 00 00 00 3A 00 00 00 00  ú;è2ž.^W...:....  PUB - Curve


==== 3.56 ====
====3.56====
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 693: Line 652:
   00020660  6A B0 91 E1 6B 23 14 33 00 00 00 3B 00 00 00 00  j°‘ák#.3...;....  PUB - Curve
   00020660  6A B0 91 E1 6B 23 14 33 00 00 00 3B 00 00 00 00  j°‘ák#.3...;....  PUB - Curve


* [http://pastebin.com/2btt19gh] <!--//Older pastie: http://pastebin.com/uWUqGXwx / http://pastie.org/private/enolspz7cyhvlg8rxhqwqg//-->
 
http://pastebin.com/2btt19gh
<!--//Older pastie: http://pastebin.com/uWUqGXwx / http://pastie.org/private/enolspz7cyhvlg8rxhqwqg//-->


=== Other ===
=== Other ===
some pasties mention parts of these, for completeness listed too.
some pasties mention parts of these, for completeness listed too.


==== Revokelist ====
==== Revokelist ====
Seen in: appldr, isoldr, lv2ldr, spu_pkg_rvk_verifier.self
Seen in: appldr, isoldr, lv2ldr, spu_pkg_rvk_verifier.self


===== 1.00-3.55 RVK =====
===== 1.00-3.55 RVK =====
 
(seen in =>1.00 <= 3.55)
(seen in => 1.00 <= 3.55)
 
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 715: Line 672:
   0001AC40  5A 80 48 FD 86 5F 9D 8F 1A 91 89 53 5A 37 62 3E  Z€Hý†_...‘‰SZ7b>    PUB - rvklist 0.80-3.55
   0001AC40  5A 80 48 FD 86 5F 9D 8F 1A 91 89 53 5A 37 62 3E  Z€Hý†_...‘‰SZ7b>    PUB - rvklist 0.80-3.55
   0001AC50  29 21 42 74 63 A7 54 F7 00 00 00 00 00 00 00 00  )!Btc§T÷........    PUB - rvklist 0.80-3.55
   0001AC50  29 21 42 74 63 A7 54 F7 00 00 00 00 00 00 00 00  )!Btc§T÷........    PUB - rvklist 0.80-3.55
===== 3.56 RVK =====
===== 3.56 RVK =====
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 726: Line 682:
   00020CC0  8F B5 B7 F4 B5 B4 E6 3B 00 00 00 00 00 00 00 00  .µ·ôµ´æ;........    PUB - rvklist 3.56
   00020CC0  8F B5 B7 F4 B5 B4 E6 3B 00 00 00 00 00 00 00 00  .µ·ôµ´æ;........    PUB - rvklist 3.56


==== 1.00+ ====
==== 1.00++ ====
 
(seen in =>1.00 <=3.56)
(seen in => 1.00 <=3.56)
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
        
Line 763: Line 718:


<!--//http://pastie.org/private/dhdhplnph3pondohxnrlnw checked, all are listed above or not curve e.g.: 03 af 06 fd 1c e6 da 36 //-->
<!--//http://pastie.org/private/dhdhplnph3pondohxnrlnw checked, all are listed above or not curve e.g.: 03 af 06 fd 1c e6 da 36 //-->
----
http://pastie.org/private/qwndjafrtkvhe9cikbxhg << [http://pastebin.com/wHSRj9gW some eid0 related stuff].


== Fake keys ==
== Fake keys ==
Line 773: Line 732:
|-
|-
|}
|}
silk.sprx DES key: <code>8E3E1E46FFEE0309</code>
silk.sprx DES key: <code>8E3E1E46FFEE0309</code>


== Colors ==
== Colors ==


=== HMAC ===
===HMAC===
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#f491ad" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#f491ad" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 805: Line 763:


=== ldr key (inside decrypted metldr/asecure_loader) ===
=== ldr key (inside decrypted metldr/asecure_loader) ===
 
<pre>erk: C0CEFE 84C227 F75BD0 7A7EB8 46509F 93B238 E770DA CB9FF4 A388F8 12482B E21B
<pre>
erk: C0CEFE 84C227 F75BD0 7A7EB8 46509F 93B238 E770DA CB9FF4 A388F8 12482B E21B
riv: 47EE74 54E477 4CC9B8 960C7B 59F4C1 4D
riv: 47EE74 54E477 4CC9B8 960C7B 59F4C1 4D
pub: C2D4AA F31935 5019AF 99D44E 2B58CA 29252C 89123D 11D621 8F40B1 38CAB2 9B7101 F3AEB7 2A9750 19
pub: C2D4AA F31935 5019AF 99D44E 2B58CA 29252C 89123D 11D621 8F40B1 38CAB2 9B7101 F3AEB7 2A9750 19
Line 815: Line 771:
Da: C5B2BF A1A413 DD16F2 6D31C0 F2ED47 20DCFB 067000
Da: C5B2BF A1A413 DD16F2 6D31C0 F2ED47 20DCFB 067000
Priv: 00C5B2 BFA1A4 13DD16 F26D31 C0F2ED 4720DC FB0670
Priv: 00C5B2 BFA1A4 13DD16 F26D31 C0F2ED 4720DC FB0670
Curvetype: 0x20
Curvetype: 0x20</pre>
</pre>
====erk====
 
==== erk ====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C0CEFE" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C0CEFE" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 834: Line 787:
|}
|}


==== riv ====
====riv====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#47EE74" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#47EE74" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 845: Line 797:
|}
|}


==== pub ====
====pub====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C2D4AA" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C2D4AA" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 864: Line 815:
|}
|}


==== R ====
====R====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#806E07" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#806E07" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 876: Line 826:
|}
|}


==== n ====
====n====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#E13A7E" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#E13A7E" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 888: Line 837:
|}
|}


==== K ====
====K====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#BA9055" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#BA9055" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 900: Line 848:
|}
|}


==== Da ====
====Da====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#C5B2BF" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#C5B2BF" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 911: Line 858:
|align="center" colspan="1" style="background:#067000" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#067000" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
|}
:


==== Priv ====
====Priv====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#00C5B2" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#00C5B2" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Line 923: Line 870:
|align="center" colspan="1" style="background:#FB0670" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#FB0670" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
|}
:


==== Curve ====
====Curve====
 
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
{| class="wikitable" border="0" cellspacing="1" cellpadding="1"
|align="center" colspan="1" style="background:#000020" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|align="center" colspan="1" style="background:#000020" | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|}
|}
:


== Non PS3 specific Keys ==
==Non PS3 specific Keys==


=== Kirk (PSP) ===
=== Kirk (PSP) ===
not to be found in the PS3, but reference is here: http://wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715


Not to be found in the PS3, but reference is here: http://wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715
== Unknown value in syscon eeprom ==
 
this value is used at least 3 times and it's (conveniently?) positioned at the start of SYSCON EEPROM, followed by another unknown block with the same size of EID1
== Unknown value in Syscon eeprom ==
 
This value is used at least 3 times and it is (conveniently?) positioned at the start of SYSCON EEPROM, followed by another unknown block with the same size of EID1.


<pre>
<pre>
Line 944: Line 890:
</pre>
</pre>


== Scrambling and unscrambling obfuscated keys from loader (PS3 FW 3.60 - 3.61) ==
==Scrambling and unscrambling obfuscated keys from loader (PS3 FW 3.60 - 3.61)==


from LV1LDR.ELF FW 3.61
from LV1LDR.ELF FW3.61


   offset 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   offset 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 958: Line 904:
   1A3F0  60 01 0B 71 06 31 E4 35 A7 D9 15 E8 2A E8 8E DE < pub
   1A3F0  60 01 0B 71 06 31 E4 35 A7 D9 15 E8 2A E8 8E DE < pub
   1A400  66 72 64 65 6C B7 06 2E 00 00 00 00 00 00 00 00 < pub
   1A400  66 72 64 65 6C B7 06 2E 00 00 00 00 00 00 00 00 < pub
   1A410  84 4F 80 F3 C5 7C 45 5C 7F 09 00 00 00 00 00 00 < root_scramble_key
   1A410  84 4F 80 F3 C5 7C 45 5C 7F 09 00 00 00 00 00 00 < root_scramlbe_key
    
    
   1D140  F9 2C 86 66 EF FB AC 7E B5 83 E5 4A 25 7F 7C 05 < sk1_key
   1D140  F9 2C 86 66 EF FB AC 7E B5 83 E5 4A 25 7F 7C 05 < sk1_key
Line 976: Line 922:
   1DE10  22 95 C6 CA 7F 1E 54 7A B3 0E DF D7 EE 5C B8 12 < erk_obf
   1DE10  22 95 C6 CA 7F 1E 54 7A B3 0E DF D7 EE 5C B8 12 < erk_obf
   1DE20  9B 32 B2 0F A7 72 80 F1 09 5E A1 3F 1C 2D 5C 99 < riv_obf
   1DE20  9B 32 B2 0F A7 72 80 F1 09 5E A1 3F 1C 2D 5C 99 < riv_obf


Unscrambling script: key_unscrambler.py
Unscrambling script: key_unscrambler.py
<syntaxhighlight lang="python" enclose="div">
<syntaxhighlight lang="python" enclose="div">
   from CryptoPlus.Cipher import AES
   from CryptoPlus.Cipher import AES
Line 1,017: Line 963:
   print 'riv_dec:', riv_dec.encode('hex')
   print 'riv_dec:', riv_dec.encode('hex')
</syntaxhighlight>
</syntaxhighlight>
Scrambling script: key_scrambler.py
Scrambling script: key_scrambler.py
<syntaxhighlight lang="python" enclose="div">
<syntaxhighlight lang="python" enclose="div">
   from CryptoPlus.Cipher import AES
   from CryptoPlus.Cipher import AES
Line 1,058: Line 1,002:
   print 'riv_obf:', riv_obf.encode('hex')</code>
   print 'riv_obf:', riv_obf.encode('hex')</code>
</syntaxhighlight>
</syntaxhighlight>
 
source: [http://www.ps3news.com/forums/ps3-hacks-jailbreak/ps3-lv0-keys-leaked-4-21-4-25-4-30-cfw-updates-incoming-124532-24.html]
* Source: [http://www.ps3news.com/forums/ps3-hacks-jailbreak/ps3-lv0-keys-leaked-4-21-4-25-4-30-cfw-updates-incoming-124532-24.html]


= SPU Status Codes =
= SPU Status Codes =
Line 1,071: Line 1,014:
</pre>
</pre>


= Private Key verifier (Anti-Troll) =
= Private Key verifier (Anti-Troll)=
 
http://pastie.org/private/yfmid0zejc8fp5x0ogzj5g
* Source: [https://web.archive.org/web/20141119122516/http://pastie.org/private/yfmid0zejc8fp5x0ogzj5g here]
 
<syntaxhighlight lang="python" enclose="div">
<syntaxhighlight lang="python" enclose="div">
#!python2
#!python2
Line 1,153: Line 1,094:
= Lv0 Passwords =
= Lv0 Passwords =


Lv0 sends this value to SPU when it loads lv1.self. Check is inside lv1ldr.
Lv0 sends this value to SPU when it loads lv1.self<br>
Check is inside lv1ldr.


{| class="wikitable sortable"
{| class="wikitable sortable"
Line 1,175: Line 1,117:
| 4.00 - 4.11 || <code>8005ADF19082F027E19E947DC5A51A05</code>
| 4.00 - 4.11 || <code>8005ADF19082F027E19E947DC5A51A05</code>
|-
|-
| 4.20 - {{latestPS3}} || <code>25EFE04B1D920B48CFFDCE7D43F438F1</code>
| 4.20 - {{latest}} || <code>25EFE04B1D920B48CFFDCE7D43F438F1</code>
|-
|}
|}


= RSA Source Example =
= RSA Source Example =


* [https://paste.ubuntu.com/24678348/ (to mirror because needs account)]
* https://paste.ubuntu.com/24678348/
* Uses Trophy Public Modulus and Exponent for Signature verification
* Uses Trophy Public Modulus and Exponent for Signature verification
* Adapted from [https://rosettacode.org/wiki/RSA_code#C Rosetta Code]
* adapted from https://rosettacode.org/wiki/RSA_code#C


= Unknown Triple_DES key? =
= Unknown Triple_DES key ? =


  Key = F1660C455AB510B98B42660B8FB0476402C503052DB2AC87
  Key = F1660C455AB510B98B42660B8FB0476402C503052DB2AC87
  IV  = 6991982C9598E77C
  IV  = 6991982C9598E77C
* Location: explore_plugin.sprx
* Location: explore_plugin.sprx
= Unknown psp drm keys ? =
<code>61B0C0587157D9FA74670E5C7E6E95B9</code>
<pre>
xor key0:  EC6D29592635A57F972A0DBCA3263300
xor key1:  7044A3AEEF5DA5F2857FF2D694F5363B
xor key2:  D8C0B0F33E6B7685FDFB4D7D451E9203
xor key3:  36A53EACC5269EA383D9EC256C484872
xor key4:  FAAA50EC2FDE5493AD14B2CEA53005DF
xor key5:  CB15F407F96A523C04B9B2EE5C53FA86
xor key6:  678D7FA32A9CA0D1508AD8385E4B017E
xor key7:  135FA47CAB395BA476B8CCA98F3A0445
xor key8:  E350ED1D910A1FD029BB1C3EF34077FB
</pre>


= SacModule =
= SacModule =
Line 1,196: Line 1,154:
  Data.enc = 5745E719A338CD681D02D7089A40FBF6D1E4206780ED0922E049B5BF69959DA3
  Data.enc = 5745E719A338CD681D02D7089A40FBF6D1E4206780ED0922E049B5BF69959DA3
  Data.dec = 6794C8666FB90DF0B6350B1816D5C8F010101010101010101010101010101010
  Data.dec = 6794C8666FB90DF0B6350B1816D5C8F010101010101010101010101010101010
 
First 0x10 bytes only used from the decrypted data
First 0x10 bytes only used from the decrypted data.


  Key2 = 10CC98B53A7C4462B8700923E613FA39
  Key2 = 10CC98B53A7C4462B8700923E613FA39
Line 1,203: Line 1,160:
  Data2.enc = E172AC67EFD5FB5EC97EC180592D17F2 .... 5A79457925B6678D3866ADC53C4658EE
  Data2.enc = E172AC67EFD5FB5EC97EC180592D17F2 .... 5A79457925B6678D3866ADC53C4658EE
  Data2.dec = 00A09853C2AF506F5F8876AB4543233C .... 4334097D2FDD1C090909090909090909
  Data2.dec = 00A09853C2AF506F5F8876AB4543233C .... 4334097D2FDD1C090909090909090909
 
There are 2 blobs inside: 1) offset = 0, size = 0xAF 2) offset 0xB7, size = 0x240
There are 2 blobs inside:
* 1) offset = 0, size = 0xAF.
* 2) offset 0xB7, size = 0x240.


Second part contains RSA-1024 Private keyset, used to sign some data.
Second part contains RSA-1024 Private keyset, used to sign some data.
Line 1,223: Line 1,177:
               A31A539F9AB9E68232CC523735E18CEC41112AADF8A66DA782BA297AAC60CEA323B067D357B3410FCB84253159CAD55B6664FD888F196BB78EB2BE85EBEBDD1F
               A31A539F9AB9E68232CC523735E18CEC41112AADF8A66DA782BA297AAC60CEA323B067D357B3410FCB84253159CAD55B6664FD888F196BB78EB2BE85EBEBDD1F


= Unity Keys =
= save disc id for HDD =
 
D1C1E10B9C547E689B805DCD9710CE8D
<pre>
PS3:      I3-DDQR-F4PJ-5D8E-G4TT-DQS2
Vita:        I3-B2DJ-BSR5-HKTE-2HHH-9QR2
 
PS4:            I3-9HBF-CRK9-TDEA-422V-KDB5
Vita/PS4:    I3-M7AD-279S-X79U-FPTT-854R
 
PS3/Vita:    I3-CH9J-73FU-F25C-NVPU-7Q43
PS3/PS4:    I3-ZHZG-JS75-VJ5T-GJD4-EDTX
</pre>
 
= Fail Keys =


Sony's Hall of Shame, see [[Fail_Keys]]
* used for hdd-boot game saves as hashkey
* located at ss_server1.fself in lv1
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Template used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/Talk:Keys"