Seeds: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
Line 273: Line 273:
<pre>
<pre>
73 73 5F 73 65 65 64 5F 6F 6E 65 5F 6D 6F 72 65 "ss_seed_one_more"
73 73 5F 73 65 65 64 5F 6F 6E 65 5F 6D 6F 72 65 "ss_seed_one_more"
</pre>
=== vtrm keyseed ===
<pre>
6B 65 79 73 65 65 64 5F 66 6F 72 5F 73 72 6B 32 "keyseed_for_srk2"
</pre>
</pre>



Revision as of 14:13, 21 October 2014

Information about these seeds

The seeds present on this wiki page were acquired through different means. It started with a simple search (Which i have to thank glevand and naehrwert for, as had it not been for those guys, i wouldn't have found myself the confidence to post this) and it went through several people who helped me along the way, and that probably wish to stay anonymous.

Without further ado, here are the seeds (both known and unknown) for several functions of the ps3.

Common

Common individuals seed

59 30 21 45 AC 09 B1 EF E6 9E 9B 7A 25 FF 8F 86
E9 F6 81 4D 37 DE 20 4D 29 72 9B 84 16 BA ED E4
22 70 98 65 7F 29 8C DB 6A 9B 5E 59 E4 A4 BA 2F
8E 6A 74 0E 1F C1 E3 E9 35 DD D2 F6 6C DE DD 6B

Used on old firmwares, possible for an old EID0 format (or fallback?) which can be 0x20 or 0x28 bytes in size. Decrypted section is always the same, see comments: http://pastie.org/private/rzg83pokd4vnxg60dj3qwg

Taken from: isoldr/appldr/lv1ldr

eEID

eid0

Used for individual ps3/psp/psn information.

eid0 individuals seed

AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C 
37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B 
08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4 
D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85

Taken from: aim_spu_module.self/isoldr/appldr/lv1ldr/spu_token_processor.self/spu_utoken_processor.self

eid0 keyseed 0x0

2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF

Taken from: aim_spu_module.self

eid0 keyseed 0x6

3A B0 E6 C4 AC FF B6 29 36 2F FB BB DB C8 54 BC

Taken from: pspemudrm (kirk)

eid0 keyseed 0xA

30 B0 39 5D C5 83 5A AA 3A 79 86 B4 4A FA E6 84

Taken from: aim_spu_module.self

eid1

Used for individual SYSCON information.

eid1 individuals seed

B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 
48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 
DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 
72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7

Taken from: sc_iso.self/sc_iso_factory.self

eid2

Used for individual bluray information.

eid2 individuals seed

74 92 E5 7C 2C 7C 63 F4 49 42 26 8F B4 1C 58 ED 
66 83 41 F9 C9 7B 29 83 96 FA 9D 82 07 51 99 D8 
BC 1A 93 4B 37 4F A3 8D 46 AF 94 C7 C3 33 73 B3 
09 57 20 84 FE 2D E3 44 57 E0 F8 52 7A 34 75 3D

Taken from: fdm_spu_module.self

eid2 DES key

6C CA B3 54 05 FA 56 2C

Taken from: fdm_spu_module.self

eid2 DES iv

00 00 00 00 00 00 00 00

Taken from: fdm_spu_module.self

eid3

Used for individual CPRM information.

eid3 individuals seed

01 D0 49 6A 3B AD D1 73 55 70 CB 29 E1 6F A2 31
4F A9 FD 1A BA 19 A1 C6 9E EA 2F 4A A6 07 A7 1C
6F E2 3E F8 DF BB 0F 2D 9D 45 2C D5 FA D5 8B 74 
5B F8 A4 A5 0D 8B DB 29 B2 F4 BF 14 C4 4A DD 76

Taken from: CprmModule.spu.isoself

eid3 keyseed

5F FF 3F D8 1E 18 B9 56 DA E4 E6 D3 36 82 97 EF

Taken from: CprmModule.spu.isoself

eid3 static key

D9 94 06 CA 4B F3 07 50 43 6A 45 47 36 83 45 89

Taken from: CprmModule.spu.isoself

eid4

Used for individual bluray auth information.

eid4 individuals seed

3E C2 0C 17 02 19 01 97 8A 29 71 79 38 29 D3 08 
04 29 FA 84 E3 3E 7F 73 0C 1D 41 6E EA 25 CA FB 
3D E0 2B C0 05 EA 49 0B 03 E9 91 98 F8 3F 10 1F 
1B A3 4B 50 58 94 28 AD D2 B3 EB 3F F4 C3 1A 58

Taken from: sv_iso_spu_module.self

HDD Specific

Used for individual hard drive information.

ATA data individuals seed

D9 2D 65 DB 05 7D 49 E1 A6 6F 22 74 B8 BA C5 08 
83 84 4E D7 56 CA 79 51 63 62 EA 8A DA C6 03 26

Taken from: sb_iso_spu_module.self


ATA tweak individuals seed

C3 B3 B5 AA CC 74 CD 6A 48 EF AB F4 4D CD F1 6E 
37 9F 55 F5 77 7D 09 FB EE DE 07 05 8E 94 BE 08

Taken from: sb_iso_spu_module.self

ENCDEC data individuals seed

E2 D0 5D 40 71 94 5B 01 C3 6D 51 51 E8 8C B8 33 
4A AA 29 80 81 D8 C4 4F 18 5D C6 60 ED 57 56 86

ENCDEC tweak individuals seed

02 08 32 92 C3 05 D5 38 BC 50 E6 99 71 0C 0A 3E 
55 F5 1C BA A5 35 A3 80 30 B6 7F 79 C9 05 BD A3

PS2 Emu Specific

Used for individual communication between PS2 emulator and PS3.

mc_iso individuals seed

52 38 D0 FA 23 A9 93 B8 97 1D 40 0F 98 2D 21 77 
81 30 DC F4 DE 7C 4E 11 9C 1D E2 86 AA 37 61 0B 
1A B7 11 22 3F 27 68 16 59 AE 6B 71 F1 84 F9 CB 
0E 00 D0 8A D0 6A F9 F7 A1 D5 5F 69 C7 1D 2B 25

Taken from: mc_iso_spu_module.self


me_iso individuals seed

F2 33 6E 25 63 B6 03 07 7A 76 65 71 26 CA E4 DB 
82 0E 92 85 6B 69 3C E8 14 22 E9 FB 1C 1C A5 B3 
E9 43 38 8E 4B 48 03 50 AA 24 A5 FB FA BF D1 72 
D9 7A 1E 25 DE 3E 64 A0 A7 A4 82 52 84 56 B1 74

Taken from: me_iso_spu_module.self

Syscon Specific

Used for individual SYSCON authentication.

sc_iso module seed

B0 D6 55 76 4C 3B 44 B3 38 F3 2D D1 D0 99 9B 66 
48 A3 5A 2C EB 15 E2 8E EC DC 2D C0 B4 C7 EB 05 
DC 82 25 C0 D5 78 9D BB 2E 89 A2 4A 78 58 58 00 
72 36 38 34 EE 1A 11 6C 2C D2 5E 58 EE 67 63 F7

sc_iso key seeds for auth commands

63 DC A7 D3 FE E4 7F 74 9A 40 83 63 F1 10 4E 8F auth_1 0x00
4D 10 09 43 24 00 9C C8 E6 B6 9C 70 32 8E 34 C5 auth_2 0x00
D9 79 49 BA D8 DA 69 D0 E0 1B F3 15 23 73 28 32 auth_1 0x01
C9 D1 DD 3C E2 7E 35 66 97 E2 6C 12 A7 B3 16 A8 auth_2 0x01
72 FF 4C 7F D2 A5 90 8D 6C 9C 3F D3 C0 37 FE EB auth_1 0x02
FA 8D 08 3C 05 20 80 D4 A1 94 53 45 2E 17 9A 44 auth_2 0x02
35 F8 42 12 95 CB F4 84 E0 6A 17 FA 2F B9 86 86 auth_1 0x03
C2 F3 68 5E 7E F4 97 68 33 7B 79 FD BC 82 65 BE auth_2 0x03
C6 E1 93 31 FC 6D 75 D1 C2 80 09 13 D1 79 3C 7E auth_1 0x04
77 1A 75 5F 40 2D 51 96 D0 2A 0D 09 2B EF E0 1E auth_2 0x04
B1 17 01 62 9E D2 FA 91 8F 9F 4D 8B 78 D7 2D 74 auth_1 0x05
19 93 0D E0 B6 FD CF FC 7B A6 30 B8 2D 53 04 31 auth_2 0x05
44 20 ED 72 2F EA 35 02 19 55 AB 40 C7 8E E6 DF auth_1 0x06
3E 67 C2 D9 43 2E 15 D0 9B EF 0E 6C 64 92 45 5D auth_2 0x06
5F A6 AF 2B B0 7F 72 E2 AB F8 0B 4E F6 DA 98 E0 auth_1 0x07
8C B7 82 E5 3E 8A EB 8A 76 8D 36 65 98 28 1B 9B auth_2 0x07

Size 256

Session key seeds

9F 1D F8 16 BB 4A 4A 01 29 D0 31 CF B0 AD 9B 30 0x00
D3 02 FD E1 75 78 FB DB A1 05 84 49 BA 5C 1B EA 0x01
0E 6B 74 80 E5 CE B2 56 2A 33 47 BB 41 01 24 55 0x02
79 10 AC 5D 2A D1 60 01 F6 A2 78 39 79 09 61 03 0x03
E3 05 28 04 B7 D2 83 6F 28 79 A1 75 1B B4 0D 48 0x04
EF 58 6F 9D 59 91 70 67 68 50 59 0B A6 7D 4B C7 0x05
5D 95 98 63 7A F2 5F 80 23 62 3B 12 68 B5 13 1A 0x06
0E AA 32 14 0A 28 61 D8 65 96 26 F6 CE 22 86 DB 0x07

data key seed

73 68 65 72 77 6F 6F 64 5F 73 73 5F 73 65 65 64 "sherwood_ss_seed"

tweak key seed

73 73 5F 73 65 65 64 5F 6F 6E 65 5F 6D 6F 72 65 "ss_seed_one_more"

vtrm keyseed

6B 65 79 73 65 65 64 5F 66 6F 72 5F 73 72 6B 32 "keyseed_for_srk2"

fallback eEID1

84 DE DB 60 1C BF E2 4C 17 DD C7 BD 1B 46 64 06 
01 26 A3 15 C5 48 FD D5 6C 0D F6 DE 19 66 70 79 
CB 21 56 6A 84 CA FE 5C C8 83 F5 25 5E 95 86 E4 
4C 02 AC 72 01 D6 9D 2F 62 74 E8 69 18 BE 27 03 
4A 86 71 4B 7D 12 21 70 D4 5E 31 7F 97 D1 73 E7 
61 55 06 00 07 25 FD E9 6E E7 AC A3 91 D0 6F 73 
3B 24 EA BA 2D CB 71 B6 AE C2 AB 4B 80 9A BD 09 
B8 B7 ED D3 36 1C C1 F3 B7 1D A9 96 17 B7 DC 01 
51 8E 3B 27 16 48 16 AC F9 C8 91 57 B0 7B B6 C8 
63 3D 8D D1 CF CE 1E 15 AE D0 70 83 E3 8E 8E BB 
14 51 38 B3 BA 0E 24 0F 3A 7E 77 67 8D 9D 29 61 
BD 12 3E 04 5C 9C 0C 58 A9 A0 3E B8 94 0A 1B 99 
75 A1 EE 8E 57 5A DF D8 81 1B DE 09 B0 98 ED 38 
F8 7F 7D C5 57 61 84 12 C8 27 EF 32 FD 52 15 D0 
20 90 0F 5D 2D F6 C1 BA 52 CB 1B 2E 5D BC 03 10 
5C 91 D0 11 F8 F2 32 DD 14 CF A4 E9 A3 10 80 69 
DF A8 8A 3C 2E 27 CB 48 92 E8 07 47 94 B3 2C F4 
B7 8E C1 E9 E6 A8 3E CC 28 01 82 E2 9E 22 ED CE 
A0 A8 BA 86 FF 43 04 C4 88 A8 BD 46 1A 9B 2D 6F 
E5 6C 43 5F 84 1C 56 1E 0E 72 4F 6C ED F3 85 05 
1E BB 41 2C B7 BB D3 95 D5 6F D5 15 78 2C 59 57 
B6 87 26 3D F0 F4 E5 35 3B BA D5 2C CE 4C 63 4F 
84 26 63 A9 06 ED 14 31 97 46 A9 1F C6 3E 55 6A 
60 42 6A B2 28 36 79 45 0F 76 05 4E 0E B3 9F 22 
F9 28 81 B4 9D 98 11 F8 46 E3 92 FB 66 05 6D CB 
26 7A A1 00 94 FD 26 2D 12 1B 55 76 A0 E6 C0 F1 
58 DE F5 5F 71 0C 78 9D 8E D7 8C DE 4E 6A D6 F8 
2D 9F 81 80 B8 C0 50 D9 B1 84 7B C5 08 03 D3 A4 
5C B1 17 8E 02 41 C3 9A C3 AA 77 55 8B A9 65 67 
7E EC BF 20 4F 07 60 EC D9 76 FE 20 AE 97 BA 5C 
41 50 D9 D7 EA 9A C4 C2 86 E6 3C 21 FB DC E9 03 
B6 AD 8E DA 66 3C 26 6A 1B 8F 81 F8 43 A1 C9 19 
58 56 F9 0C B7 39 0E BD B5 A0 00 D8 7F 4E 26 19 
CD A4 36 05 9F D3 72 3C 3B 6D A6 57 E6 D9 36 D8 
EA 51 72 14 BA 33 6B 9B 57 91 28 40 AF 8A 3E 76 
EA 71 5E E9 79 F0 3A 98 57 AA 35 8E 83 B4 5E 0E 
8F C7 97 DF 99 27 B0 E9 33 EA 33 EB A1 59 22 31 
E3 4C 8E 3E 54 C9 8E 27 C2 E3 AB 69 CC 0E 45 F1 
AD 1B C8 B5 3D 9F 87 10 7F 3F B7 BB 1B 5E 26 B2 
B7 10 59 31 54 50 5C F2 1A 36 E2 E5 78 23 D5 BE 
0D 5D 3A B4 CD 04 B1 C2 7A 74 BE E0 2E 6D 25 F4

Notes

  • libeeid / ps3hdd_poc / ps3_decrypt_tools were adapted for this. so use them
  • you'll need eid_root_key, hdd image and eid
  • the seeds are spreaded all over the wiki, so it's nice to have a spot where you can look at the seed you wish :)
  • many thanks to fail0verfl0w for this. gotta love the print_hash function :3
  • https://github.com/zecoxao/ps3_decrypt_tools tools for decrypting and encrypting.
  • Regarding syscon, there are two chunks of data, one located at ss_sc_init and the other at sc_iso with sizes 0x290 and 0x280 respectively. one is after keyseed_for_srk2 and the other is between k4 and k5.
  • ss_sc_init contains fallback EID1 of size 0x290 bytes.

References

THE PLACEHOLDER <- this curious pastie contains the first 4 bytes of several keys/seeds

1st-eid2 indiv seed
2nd-eid0 indiv seed
3rd-eid1 indiv seed
4th-eid4 indiv seed
5th-ata data seed
6th-me iso indiv seed
7th-mc iso indiv seed

isolated modules <- used as reference for eid specific seeds, amongst others

Others (???)

eid4 fallback bytes

06 78 CE 0E (found, divx player key, decrypt divxdrm.sprx with sc services)

67 C0 75 8C F4 99 6F EF 7E 88 F9 0C C6 95 9D 66 (found, debug disc fallback) 

Taken respectively from N's Twitter

What's inside:

Each EID0 Section (0xC0 bytes)

Description Length Note
Data 0x38 contains the actual data of the file
R 0x14 part of the ecdsa signature pair (r,s)
S 0x14 part of the ecdsa signature pair (r,s)
public key 0x28 ecdsa public key
random padding ? 0x8 common between a retail and a true convert dump, probably padding
unknown 0x18 unknown
omac/cmac1 0x10 hash of the previous information in CMAC1/OMAC mode
padding 0x8 zero byte padding

Source of the information

EID1 (0x2A0 bytes)

This is, quite possibly, one of the most important EID parts in the system. Since the seed was found on syscon selfs, it's very likely that this is directly associated with SYSCON itself. Unfortunately, there is no way to know because there are additional layers of cryptography inside it.

EID2(0x730 bytes)

http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Remarrying

Description Length Note
Header 0x20
Pblock 0x80 contains bd drive info
Sblock 0x690 contains bd drive info

EID3(0x100)

http://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering#Communication

Offset Description Length Note
0x00 Header 0x20 contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce
0x20 cprm player keys 0xB8
0xD8 sha1 digest 0x14 sha1 digest of previous section
0xEC padding 0x4
0xF0 omac1 digest 0x10 omac1 digest of whole eid3

EID4(0x30)

Description Length Note
Drive Key 1 0x10 Encrypts data sent from host to bd drive
Drive Key 2 0x10 Decrypts data sent from bd drive to host
CMAC/OMAC1 0x10 Hash of the previous bytes in CMAC/OMAC1 mode

EID5 (0xA00)

The largest and quite possibly the most important EID of all 6. It's unknown what is inside this specific EID. We'll probably never know what's inside it without analyzing every possible clue about the PS3. And even then, it might be impossible to find it's real use. It's size is similar to EID0, but it has an aditional 0x1A0 bytes.

Theory

0x40 bytes Header

Description Length Note
header(idps) 0x10 idps
unk(static) 0x2 00 12
unk2(static) 0x2 00 0B (eid0) 00 02(request_idps) 07 30 (eid5)
perconsole nonce 0xC
unk3(changes) 0x20

Content

Description Length Note
sections 0x9C0 13 sections of 0xC0 bytes each (copy of the 11 sections in EID0 and two sections dedicated to bootldr and metldr respectively)