Editing User talk:Masterzorag

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 189: Line 189:


We got info0 + info1, 64bytes each
We got info0 + info1, 64bytes each
content is 2845bytes, total is data length 2973
content is 2845bytes, total is data lenght 2973
info0, info1 are not encrypted
info0, info1 are not encrypted
</pre>
</pre>
Line 362: Line 362:


=questions=
=questions=
'''z'''<br />
why you collect these hashes and signatures?<br />
why you collect these hashes and signatures?<br />
Now if 2 digests are different then R signatures would be diffenet too. Pseudo Random number (that used to creating signature) now is F(digest);<br />
Now if 2 digests are different then R signatures would be diffenet too. Pseudo Random number (that used to creating signature) now is F(digest);<br />
Line 369: Line 368:
<br />
<br />


'''m'''<br />
_Reply_<br />
ECDSA signature is the (r, s) keypair:<br />
ECDSA signature is the (r, s) keypair:<br />
http://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm
http://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm
Line 394: Line 393:


*those two needs investigation
*those two needs investigation
{|
1. For every digest, we have 1 and only 1 signature (R,S).<br />
| 1. "''For every digest, we have 1 and only 1 signature (R,S).''"<br />Sorry, but don't think so, because as you can have read, r comes from a random number.<br />2. "''Pseudo Random number (that used to creating signature) now is F(digest);''"<br />They can't be so idiots, since digest is ever known...<br /> || [[File:Signing with my keypair.png|100px|thumbnail]]
Sorry , but don't think so, because as you can have read, r comes from a random number. (I'll check)<br />
|}
2. Pseudo Random number (that used to creating signature) now is F(digest);<br />
*example of different signatures from custom keypair to test for dig: da39a3ee5e6b4b0d3255bfef95601890afd80709<br />
They can't be so idiots, since digest is ever known...<br />
pub: df4222f3bff899845d203cd9373358ff7a0752f501c7f378195c0ac7e157f61e14ff231d73a0137f<br />
_EndOfReply_<br /><br />
sig0: 008e8eaee8452d2915ef2186358079ee82a7c90d410063de8d98f012778596c14eb0df17f7464da65a02<br />
sig1: 00fdb20299e37c4a23a6cdc07ee0e91539e58ae62b00fc8ec36e79d2de33b4569f7968ea2211a4a92bef<br />
sig2: 0067af6858bf5bc2eb239dfcb997bc0c21fbaf16dc002f1c4cd4dcc5d71037d65caf05bbbccfce4f7fc1<br />


=playing on the vsh curve=
*So I will show for you that R = Function(digest) and what this fail is not so critical.
{| class="wikitable"
|-
|'''z'''<br />
So I will show for you that R = Function(digest) and what this fail is not so critical.
I was interested for edat algorithm and figured out how edats (and sdat) files are signed.<br />
I was interested for edat algorithm and figured out how edats (and sdat) files are signed.<br />
It contains 2 non-randomfailed ecdsa signatures. http://www.psdevwiki.com/ps3/EDAT_files#Structure_.28Encrypted_Format.29<br />
It contains 2 non-randomfailed ecdsa signatures. http://www.psdevwiki.com/ps3/EDAT_files#Structure_.28Encrypted_Format.29<br />
Line 416: Line 408:
So if digests are same then pseudo_random_numbers are same and signatures are same.<br />
So if digests are same then pseudo_random_numbers are same and signatures are same.<br />
Please make your conclusions.<br />
Please make your conclusions.<br />
|}
<br />


{| class="wikitable"
_Reply_<br />
|-
[[File:EDATs diff.png|thumbnail]]
|'''m'''<br />You have already seen differences between two files, but maybe some other not. Here a png.<br />Page is telling me that at 0xB0 there is an ECDSA signature, and you are pointing out that we have the same (ECDSA) signature on two different files !?!<br />1. I see your "same signature", but how do you get "metadata digest = DA39A3EE5E6B4B0D3255BFEF95601890AFD80709" from both?<br />2. Conclusion to me are that at 0xB0 there is not an ECDSA signature, so: have you checked? Have you validated? Have you proven that r, s is the valid signature for the digest?<br />3. There is also another aspect to not forget: alignment (%16 = 0), so there is an ECDSA signature in 40 bytes? does not sound good to me...<br />4. SHA-1 produces a fixed length of 20 bytes: at wiki page I read "''0x40 QA digest, size 0x10 (seems like to be a SHA-1 hash of the non-finalized file) ... Can be ... zeroed on forged file.''" !?!<br />5. There are two ECDSA signatures on an EDAT file and only one to protect CORE_OS_PACKAGE.pkg from alteration !?!?! || [[File:EDATs diff.png|thumbnail|100px]]
You have already seen differences between two files, but maybe some other not. Here a png.<br />
|}
First of all, that wiki page have a lot of "?", so something can be (really) different from what I've read.<br />
<br />
Page is telling me that at 0xB0 there is an ECDSA signature, and you are pointing out that we have the same (ECDSA) signature on two different files !?!<br />
1. I see your "same signature", but how do you get "metadata digest = DA39A3EE5E6B4B0D3255BFEF95601890AFD80709" from both?<br />
2. Conclusion to me are that at 0xB0 there is not an ECDSA signature, so: have you checked? Have you validated? Have you proven that r, s is the valid signature for the digest?<br />
3. There is also another aspect to not forget: alignment (%16 = 0), so there is an ECDSA signature in 40 bytes? does not sound good to me...<br />
4. SHA-1 produces a fixed lenght of 20 bytes: at wiki page I read "''0x40 QA digest, size 0x10 (seems like to be a SHA-1 hash of the non-finalized file) ... Can be ... zeroed on forged file.''" !?!<br />
5. There are two ECDSA signatures on an EDAT file and only one to protect CORE_OS_PACKAGE.pkg from alteration !?!?!<br />
_EndOfReply_<br /><br />


{| class="wikitable"
_Reply for reply_<br />
|-
|'''z'''<br />
1. metadata length = 0 bytes for both files, so digest for empty message is DA39A3EE5E6B4B0D3255BFEF95601890AFD80709.<br />
1. metadata length = 0 bytes for both files, so digest for empty message is DA39A3EE5E6B4B0D3255BFEF95601890AFD80709.<br />
2. r,s validated and valid of course. so you can use make_npdata the newest version for validate signatures into edats. there are no mistakes, it is realy ecdsa sig.<br />
2. r,s validated and valid of course. so you can use make_npdata the newest version for validate signatures into edats. there are no mistakes, it is realy ecdsa sig.<br />
Line 432: Line 428:
4. Sony used full 20 bytes length sha1 hash for validate ECDSA signatures.<br />
4. Sony used full 20 bytes length sha1 hash for validate ECDSA signatures.<br />
5. Correct info. SCE pkg file have only header signature. edat have metadata sig and header sig.<br />
5. Correct info. SCE pkg file have only header signature. edat have metadata sig and header sig.<br />
|}
{| class="wikitable"
|-
|'''m'''<br />You are right, I've verified all, as you can see in my shots.<br />I've also noticed one thing that explain something: with zeroed ECDSA signature every digest results in a valid signature!<br />Why?<br />Because the signature becomes the point at infinity!<br />That's because on signature generation when r = 0 you have to select another random integer, as 0 < rand < n! And the same applies for s.<br />But really cool stuff can happen exacly with this kind of crazyness!||[[File:EDAT signatures on vsh curve 1.png|thumbnail|100px]] || [[File:EDAT signatures on vsh curve 2.png|thumbnail|100px]]
|}
<br />
{| class="wikitable"
|-
|'''z'''<br />Im verified metadata and header signatures for both edat files. Check my screenshotes please. || [[File:Hdd_package_key.edat_ECDSA_validation.jpg|thumbnail|100px]] || [[File:Destiny.edat_ECDSA_validation.jpg|thumbnail|100px]]
|}
{| class="wikitable"
|-
|'''m'''<br />
Checked your data, validated the same:
r =    00a2732e0161e20c290108fdd0b567120c42aab3d2
s =    00b894e8775aff90a3cbb6cc08bc918c14f759d439
hash =  da39a3ee5e6b4b0d3255bfef95601890afd80709 < zerolength metadata digest
call to check_ecdsa return 1, signature is VALID!
r =    00ff83adbd03d9ba619f3a6d80efef6408561f08d2
s =    009c3102a2852cdda21648014c4d0a1471bd6512fc
hash =  c9210133558bedda8981e5e06d6189be0dee84f3
call to check_ecdsa return 1, signature is VALID!
r =    0011f2e3ded044e3ace8e4513306a81ee124356e7a
s =    00ac9e20528900839f7a577c4b84e026539b89425e
hash =  6db5d204d7f9fa19442209a27647c3973a7e7232
call to check_ecdsa return 1, signature is VALID!
||
I can confirm your two signatures EDATs, when metadata length is zero the signature is valid as you told me and verified.<br />
could you try to validate a zeroed signature on two random hash with your implementation?<br />
f0f's one (and derived make_npdata) does not check for 1 < (r, s) < N - 1 as stated in signature verification algorithm, so a zeroed sig is valid for us!!<br />
|}
<br />
{| class="wikitable"
|-
|'''z'''<br />Im tryed to validate a zeroed signature on two random hashes. Check my screenshot please. My Conclusion. Signatures R would be same only when random numbers are same. -->> Random numbers are not random again! So you can find another examples with another same digests and same signatures(R,S) -->> Random number are depends of digest. If we find algorithm how the "Random" numbers depends of the digests , we can calculate the "Random" number itself and obtain the private key.|| [[File:Zeroed_signature_validation.jpg|thumbnail|100px]]
|}
*conclusion<br />
when you EDAT have your famous zero metadata length, so the same digest, they MUST use EVER the same signature, else they let us solve the math!<br />
that's the real reason that explain also your wrong think about "''there is only one signature''" for a digest.
* [https://www.youtube.com/watch?v=9UbTT_2yxeM sample psl1ght app: ec_gmp]
[https://github.com/andoma/ps3toolchain ps3toolchain and psl1ght from andoma], [https://gmplib.org gmplib] port, [https://github.com/masterzorag/xbm_tools xbm font] in [https://scognito.wordpress.com/2010/11/07/sconsole-a-simple-function-for-printing-strings-on-ps3 sconsole]: compute P = kG to eternity
=Petitboot NAND/NOR precompiled images=


* Not sure what is happening with you right now, but do you have some petitboot precompiled images? That'd be nice contribution for the wiki. Thanks :)
_Reply_<br />
[[File:EDAT signatures on vsh curve 1.png|thumbnail]][[File:EDAT signatures on vsh curve 2.png|thumbnail]]
I've verified all, as you can see in my shots.<br />
I've also noticed one thing that explain something: with zeroed ECDSA signature every digest results in a valid signature! Why?<br />
Because the signature becomes the point at infinity! That's because on signature generation when r = 0 you have to select another random integer, as 0 < r < n! And the same applies for s.<br />
But really cool stuff can happen exacly with this kind of crazyness!<br />
_EndOfReply_<br /><br />
irc: #ps3hax, #playstationhax
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)