Editing Flash:Encrypted Individual Data - eEID

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Encrypted Individual Data - eEID ==
== Encrypted Individual Data - eEID ==


eEID certainly stands for encrypted EID as each section eEID embeds is encrypted. EID certainly stands for Encrypted Individual Data. Why two 'e' in eEID ?
This section of flash contains QA tokens


EID is the equivalent of IdStorage on PSP and PSVita.
It is 0x10000 in length (64 kb) but only the first 0x1DD0 is used, the rest is padded with FF


eEID is decrypted by metldr and is passed over to the isolated loader which may pass it to a SELF. We can see this in graf_chokolo’s original payload.
It is composed of 6 sections numbered from 0 to 5


It is 0x10000 bytes in size (64 kB) but only the first 0x1DD0 bytes are used. The rest is padded with 0xFF.
eEID contains your system model data, your target ID, and your PS3 motherboard revision
 
It is composed of 6 sections numbered from 0 to 5.
 
eEID contains per-console data like Console Id, OpenPsId, BD drive information and some keys.
 
See also [[Cex2Dex#LibeEID|LibeEID]].


{|class="wikitable"
{|class="wikitable"
|-
|-
! Section !! Usage !! Description !! [[iso module]]
! Section !! Description !! [[iso module]]
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] || Identification Certificates || [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] is needed for loading parameters to isoldr for loading isolated SELF files on a SPE || aim_spu_module
| [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] || [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] is needed for loading parameters to isoldr for loading isolated SELF files on a SPE || aim_spu_module
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID1|EID1]] || SCinit || ? + Syscon paring + Auth1/Auth2/Validate (see [[SC_Communication|SC Communication]] for more (log with logic analyzer)) || ?sc_iso_factory or ss_sc_init?
| [[Flash:Encrypted_Individual_Data_-_eEID#EID1|EID1]] || ? + Syscon paring + Auth1/Auth2/Validate (see [[SC_Communication|SC Communication]] for more (log with logic analyzer)) || ?sc_iso_factory or ss_sc_init?
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID2|EID2]] || bd drive init || BD drive pairing || fdm_spu_module
| [[Flash:Encrypted_Individual_Data_-_eEID#EID2|EID2]] || ? + BD drive pairing || fdm_spu_module
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID3|EID3]] || bd player || Movie Per_Device keys || AacsModule.spu.isoself CprmModule.spu.isoself
| [[Flash:Encrypted_Individual_Data_-_eEID#EID3|EID3]] || ? + Movie Per_Device keys || AacsModule.spu.isoself CprmModule.spu.isoself
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID4|EID4]] || bd driver key || ? + Drive_auth keys || sv_iso_spu_module, mc_iso_spu_module.self, me_iso_spu_module.self, me_iso_for_ps2emu.self
| [[Flash:Encrypted_Individual_Data_-_eEID#EID4|EID4]] || ? + Drive_auth keys || sv_iso_spu_module, mc_iso_spu_module.self, me_iso_spu_module.self, me_iso_for_ps2emu.self
|-
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || DKI || ? Backup || ? Not used  
| [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || ? Backup || ? Not used  
|}
|}
Note: For data structure of [[Flash:Encrypted_Individual_Data_-_eEID|EID]], see [[Cex2Dex#LibeEID|LibeEID]]


=== Header ===
=== Header ===
 
==== example ====
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 47: Line 41:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
 
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 62: Line 54:


=== File Table ===
=== File Table ===
This is the whole file table


This is the whole file table.
==== example ====
 
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 88: Line 78:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
 
0x10 bytes per entry as follows:
0x10 bytes per entry as follows:
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 101: Line 88:
| 0x4 || 0x4 || 0x860 || Length
| 0x4 || 0x4 || 0x860 || Length
|-
|-
| 0x8 || 0x8 || 0x0 || EID number
| 0x8 || 0x8 || 0x0 || EID number  
|}
|}
 
====Typical EID entry addresses and lengths====
==== Typical EID entry addresses and lengths ====
Entry point listed is offset from base EID address (NOR:0x002F000 / NAND:0x0080800 in these examples) <br />
 
Absolute start address is base EID address + Entry point <br />
Entry point listed is offset from base EID address (NOR:0x002F000 / NAND:0x0080800 in these examples).
 
Absolute start address is base EID address + Entry point
 
Absolute end address is base EID address + Entry point + Length
Absolute end address is base EID address + Entry point + Length
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 126: Line 108:
| || || EID0_0_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_0_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_0_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_0_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_0_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_0_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_0_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_0_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_0_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_0_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_0_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_0_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 142: Line 124:
| || || EID0_1_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_1_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_1_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_1_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_1_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_1_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_1_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_1_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_1_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_1_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_1_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_1_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 158: Line 140:
| || || EID0_2_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_2_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_2_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_2_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_2_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_2_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_2_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_2_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_2_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_2_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_2_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_2_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 174: Line 156:
| || || EID0_3_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_3_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_3_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_3_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_3_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_3_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_3_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_3_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_3_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_3_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_3_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_3_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 190: Line 172:
| || || EID0_4_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_4_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_4_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_4_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_4_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_4_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_4_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_4_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_4_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_4_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_4_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_4_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 206: Line 188:
| || || EID0_5_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_5_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_5_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_5_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_5_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_5_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_5_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_5_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_5_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_5_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_5_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_5_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 222: Line 204:
| || || EID0_6_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_6_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_6_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_6_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_6_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_6_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_6_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_6_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_6_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_6_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_6_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_6_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 238: Line 220:
| || || EID0_7_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_7_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_7_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_7_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_7_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_7_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_7_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_7_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_7_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_7_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_7_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_7_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 254: Line 236:
| || || EID0_8_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_8_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_8_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_8_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_8_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_8_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_8_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_8_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_8_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_8_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_8_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_8_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 270: Line 252:
| || || EID0_9_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_9_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_9_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_9_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_9_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_9_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_9_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_9_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_9_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_9_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_9_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_9_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 286: Line 268:
| || || EID0_A_DATA ||  || 0x10 ||  ||  ||  ||  
| || || EID0_A_DATA ||  || 0x10 ||  ||  ||  ||  
|-
|-
| || || EID0_A_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_A_UNK1 ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_A_CERT_SIG ||  || 0x28 ||  ||  ||  ||  
| || || EID0_A_SIG ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_A_CERT_PUB ||  || 0x28 ||  ||  ||  ||  
| || || EID0_A_PUB ||  || 0x28 ||  ||  ||  ||  
|-
|-
| || || EID0_A_PRIV.ENC ||  || 0x20 ||  ||  ||  ||  
| || || EID0_A_UNK2 ||  || 0x20 ||  ||  ||  ||  
|-
|-
| || || EID0_A_OMAC ||  || 0x10 ||  ||  ||  ||  
| || || EID0_A_OMAC ||  || 0x10 ||  ||  ||  ||  
Line 314: Line 296:
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || 0x13D0 || 0xA00 || 0x00303D0 || 0x0030DCF || 0x0081BD0 || 0x00825CF
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || 0x13D0 || 0xA00 || 0x00303D0 || 0x0030DCF || 0x0081BD0 || 0x00825CF
|}
|}
Note: IDPS is present in EID0_0 and EID0_6. PSID is present in EID0_A. They're available only in decrypted form.


=== EID0 ===
=== EID0 ===
'''
Indi manager can write to it <br />
AIM can rehash it
'''


==== Example ====
==== example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 338: Line 325:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
 
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Size !! Value !! Description !! Observations  
! Address !! Size !! Value !! Description !! Observations  
|-
|-
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || [[IDPS]] ||
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || IDPS  || [[IDPS]] - This contains your [[Target ID]]/[[SKU_Models#Regioning|Region]], [[SKU_Models|PS3 Model]], Chassis and others.
|-
| 0x10 || 0x2 || 00 12 || Unknown || Unknown (00 11 on [[DEH-H1000A-E]] and earlier models)<!-- same value as "cISD1 relative offset 0x56" ? (see [[Talk:Flash:Individual System Data - cISD]] -->
|-
| 0x12 || 0x2 || 00 0B || EID0 sections number || Always 11.
|-
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
|-
| 0x20 || Rest || Rest || Encrypted Data ||
|}
 
Individual info Manager can write to EID0. Appliance Info Manager can rehash it.
 
EID0 embeds many (usually 11) AES128CBC encrypted sections. Each section is a IDPS Certificate.
 
We do not have all EID0 sections enc/dec key seeds:
<pre>
section 0 (PS3 cert keyset 0) -> yes
section 1 (PS3 cert keyset 1)-> missing
section 2 (PS3 cert keyset 2) -> missing
section 3 (PS3 cert keyset 3) -> missing
section 4 (PS3 cert keyset 4) -> missing
section 5 (PS3 cert keyset 5) -> missing
section 6 (PSP cert keyset 1) -> yes
section 7 (PSP cert keyset 2) -> missing
section 8 (PSP cert keyset 3) -> missing
section 9 (PSP cert keyset 4) -> missing
section 0xA (PSP cert keyset 5) -> yes
</pre>
 
Keys for EID0 sections 0, 6 and 0xA key seeds were found in secure modules, for instance seeds for 0 and 0xA in aim_spu_module, seed for 6 in pspemudrm.
 
===== EID0 Sections =====
 
====== IDPS Certificate Structure ======
 
* Size: 0xC0 bytes.
 
{|class="wikitable"
|-
! Description !! Length !! Note
|-
| Data || 0x10 || actual data (either IDPS or OpenPSID)
|-
| plaintext public key || 0x28 || public key (without padding)
|-
| R || 0x14 || part of the ECDSA signature pair (r,s)
|-
| S || 0x14 || part of the ECDSA signature pair (r,s)
|-
|-
| public key || 0x28 || ECDSA public key (can be used to verify ECDSA signature RS)
| 0x10 || 0x4 || 00 12 00 0B || Unknown  || Appears to be static. Last byte contains number of eid0 sections in hex (11)
|-
|-
| encrypted private key || 0x20 || encrypted ECDSA private key
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] || Appear to be the same nonce as in the encrypted files metloader/bootloader at offset 0x14-0x1F
|-
|-
| cmac || 0x10 || hash of the previous information in AES CMAC mode
| Rest || Rest || Rest || Encrypted Data ||
|-
| padding || 0x8 || zero byte padding for AES 128 bits encryption
|}
|}
====== EID0 section 0-5 crypto ======
* [https://web.archive.org/web/20141118233713/http://pastie.org/6169158 naehrwert's EID0 section 0 ECDSA signature verification]
====== EID0 sections 6-0xA crypto ======
EID0 section 6 is used in the PSP emulator by the DRM crypto engine to retrieve PSID. EID0 section 0xA is used by aim_spu_module to retrieve OpenPSID.
These sections' certificates uses PSP certificate keyset. It corresponds to PSP KIRK commands 0x10, 0x11 and 0x12 for verification of IdStorage Certificates. See also [[http://wololo.net/talk/viewtopic.php?p=20715#p20715]] and PSP wiki for PSP crypto stuff.
====== Note ======
On PS3 it uses ECDSA curve VSH type 2 with the PSP IDPS Certificates, whilst it uses a different curve with the PS3 exclusive IDPS Certificates (for example section 0). That is maybe how Davee and Proxima figured out the KIRK 0x10 and 0x11 ECDSA crypto keys. But not sure because their work was in 2011, not in 2012 (naehrwert) and it seems that PS3 uses a different seed for encrypting the ECDSA private key (see section 6 ECDSA private key seed).


=== EID1 ===
=== EID1 ===


Used for individual SYSCON information.
==== example ====
 
==== Example ====
 
Here it is encrypted.
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 445: Line 361:
|-
|-
|}
|}
==== structure ====
Appears to be encrypted, not much is known about this one


==== Structure ====
* Size: 0x2A0 bytes.
{|class="wikitable"
|-
! Offset !! Length !! Description
|-
| 0 || 0x10 || INIT Seed
|-
| 0x10 || 0x80 || AUTH1 Reencrypted Keyseeds
|-
| 0x90 || 0x80 || AUTH2 Reencrypted Keyseeds
|-
| 0x110 || 0x40 || Keyseeds (Time Service Purpose)
|-
| 0x150 || 0x10 ||  KeySeed (SNVS/Time Related)
|-
| 0x160 || 0x120 || Padding (Zeroes)
|-
| 0x280 || 0x10  || CMAC of Encrypted Data Using Master Key 0x20 if on EEPROM to CMAC (and encrypt/decrypt) or Master Key 0x10 if on FLASH
|-
| 0x290 || 0x10  || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 seeds
|}


=== EID2 ===
=== EID2 ===


Used for individual BD drive information. See [[Hypervisor_Reverse_Engineering#Remarrying]].
==== example ====
 
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 500: Line 391:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
 
* Size: 0x730 bytes.
 
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 517: Line 404:
| 0x1E? || 0x2 || 0x0000 || || on {{ARC}}/{{DEX}}/{{DECR}} there is 0x0003
| 0x1E? || 0x2 || 0x0000 || || on {{ARC}}/{{DEX}}/{{DECR}} there is 0x0003
|-
|-
| 0x20 || 0x80 || encrypted data || P-Block || Contains BD drive info.
| 0x20 || 0x80 || encrypted data || P-Block ||
|-
|-
| 0xA0 || 0x690 || encrypted data || S-Block || Contains BD drive info. on {{ARC}}/{{DEX}}/{{DECR}} S-Block is 00s
| 0xA0 || 0x690 || encrypted data || S-Block || on {{ARC}}/{{DEX}}/{{DECR}} S-Block is 00s
|}
|}


Note: In decrypted P-Block these bytes match [[Product Code]]:
<div id="decryptednotes">Notes</div>
 
In decrypted P-Block these bytes match [[Target ID]]:
{| class="wikitable" style="font-size:x-small; border:2px ridge #999999;"
{| class="wikitable" style="font-size:x-small; border:2px ridge #999999;"
|-
|-
! Value !! [[Product Code]] !! Console Type !! Remarks !! Confirmed ?
! Value !! [[Target ID]] !! Console Type !! Remarks
|-
|-
| || {{TID80}} || ||
| || {{TID80}} ||  
|-
|-
| 0xFF || {{TID81}} || No BD playback with this [[Product Code]]. || {{yes}}
| 0xFF || {{TID81}} || No BD playback on that [[Target ID]]
|-
|-
| 0xFF || {{TID82}} || No BD playback with this [[Product Code]]. || {{yes}}
| 0xFF || {{TID82}} || No BD playback on that [[Target ID]]
|-
|-
| 0x01 || {{TID83}} || DVD Region 2 (NTSC)  || {{no}}
| 0x01 || {{TID83}} ||  
|-
|-
| 0x02 || {{TID84}} || DVD Region 1 (NTSC)  || {{yes}}
| 0x02 || {{TID84}} ||  
|-
|-
| 0x04 || {{TID85}} || DVD Region 2 (PAL)  || {{yes}}
| 0x04 || {{TID85}} ||  
|-
|-
| 0x10 || {{TID86}} || DVD Region 3 (NTSC)  || {{no}}
| 0x10 || {{TID86}} ||  
|-
|-
| 0x04 || {{TID87}} || DVD Region 2 (PAL)  || {{yes}}
| 0x04 || {{TID87}} ||  
|-
|-
| 0x80 || {{TID88}} || DVD Region 4 (NTSC) || {{yes}}
| || {{TID88}} ||  
|-
|-
| 0x08 || {{TID89}} || DVD Region 4 (PAL)  || {{no}}
| 0x08 || {{TID89}} ||  
|-
|-
| 0x10 || {{TID8A}} || DVD Region 3 (NTSC)  || {{yes}}
| || {{TID8A}} ||  
|-
|-
| 0x10 || {{TID8B}} || DVD Region 3 (NTSC)  || {{yes}}
| || {{TID8B}} ||  
|-
|-
| 0x20 || {{TID8C}} || DVD Region 5 (NTSC/PAL)  || {{no}}
| 0x20 || {{TID8C}} ||  
|-
|-
| 0x40 || {{TID8D}} || DVD Region 6  || {{no}}
| || {{TID8D}} ||  
|-
|-
| 0x10 || {{TID8E}} || DVD Region 3 (NTSC)  || {{yes}}
| 0x10 || {{TID8E}} ||  
|-
|-
| 0x80 || {{TID8F}} || DVD Region 4 (NTSC)  || {{no}}
| || {{TID8F}} ||  
|-
|-
| 0xFF || {{TIDA0}} || No BD playback with this [[Product Code]].  || {{yes}}
| 0xFF || {{TIDA0}} || No BD playback on that [[Target ID]]
|-
|-
|}
|}
 
This value also must be match the first byte of the decrypted EID4.
This value also must match the first byte of the decrypted EID4.


Notes:
Notes:
* 0xFF = 0b11111111 - all bits enabled
* FF=11111111 - all bits enabled
* 0x80 = 0b10000000 - {{TID88}} - bit 7 (DVD Region 4 (NTSC))
* 20=00100000 - {{TID8C}} - bit 6
* 0x40 = 0b01000000 - {{TID8D}} - bit 6 (DVD Region 6)
* 10=00010000 - {{TID8E}} | {{TID86}} -  bit 5
* 0x20 = 0b00100000 - {{TID8C}} - bit 5 (DVD Region 5 (NTSC/PAL))
* 08=00001000 - {{TID89}} - bit 4
* 0x10 = 0b00010000 - {{TID8E}} | {{TID86}} | {{TID8A}} | {{TID8B}} -  bit 4 (DVD Region 3 (NTSC))
* 04=00000100 - {{TID87}} | {{TID85}} - bit 3
* 0x08 = 0b00001000 - {{TID89}} - bit 3 (DVD Region 4 (PAL))
* 02=00000010 - {{TID84}} - bit 2
* 0x04 = 0b00000100 - {{TID87}} | {{TID85}} - bit 2 (DVD Region 2(PAL))
* 01=00000001 - {{TID83}} - bit 1
* 0x02 = 0b00000010 - {{TID84}} - bit 1 (DVD Region 1 (NTSC))
* 0x01 = 0b00000001 - {{TID83}} - bit 0 (DVD Region 2 (NTSC))


=== EID3 ===
=== EID3 ===


Used for individual CPRM information. See [[Hypervisor_Reverse_Engineering#Communication]].
==== example ====
 
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 625: Line 506:
|}
|}


==== Structure ====
==== structure ====
 
* Size: 0x100 bytes.
 
{|class="wikitable"
|-
! Offset !! Description !! Length !! Note
|-
| 0x00 || Header || 0x20 || contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce
|-
| 0x20 || cprm player keys || 0xB8 ||
|-
| 0xD8 || sha1 digest || 0x14 || sha1 digest of previous section
|-
| 0xEC || padding || 0x4 ||
|-
| 0xF0 || omac1 digest || 0x10 || omac1 digest of whole eid3
|}
 
{|class="wikitable"
{|class="wikitable"
|-
|-
Line 658: Line 521:
| 0x12 || 0x2 || 0x00D0 ||  ||
| 0x12 || 0x2 || 0x00D0 ||  ||
|-
|-
| 0x14 || 0x0C || perconsole nonce || [[Flash:perconsole_nonce|perconsole nonce]] ||
| 0x14 || 0x0C || per console nonce || [[Flash:perconsole_nonce|perconsole nonce]] ||
|-
|-
| 0x20 || 0xE0 || encrypted data ||  ||
| 0x20 || 0xE0 || encrypted data ||  ||
Line 666: Line 529:


=== EID4 ===
=== EID4 ===
==== Information about EID4 ====


Used for individual bluray auth information. See also [[BD Drive Reverse Engineering]].
* EID4 contains 2 128bit keys which are necessary to establish a secure communication channel to BD drive for sending vendor specific security commands.
 
* EID4 is encrypted with AES-CBC-256 algorithm.
EID4 contains two 128bit keys which are necessary to establish a secure communication channel to the BD drive for sending vendor specific security commands.
* EID4 is of size 0x30 bytes: 0x0-0xf bytes = 1st key, 0x10-0x1f - 2nd key, 0x20-0x2f - CMAC-OMAC1 of EID4
 
* The first key is used for encrypting data sent from host to BD drive.
EID4 is encrypted with AES-CBC-256 algorithm.
* The second key is used for decrypting data sent from BD drive to host.


==== Example ====
(More about it in [[BD_Drive_Reverse_Engineering| BD Drive Reverse Engineering]] )


==== example ====
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 690: Line 555:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
Encrypted encdec key (used for e.g. BD drive)
 
* Size: 0x30 bytes.


{|class="wikitable"
{|class="wikitable"
|-
|-
! Offset !! Size !! Value !! Description !! Observations  
! Address !! Size !! Value !! Description !! Observations  
|-
|-
| 0x0 || 0x10 || encrypted || First 128bit key || Encrypts data sent from host to BD drive. Initial byte (decrypted) matches TID (same as EID2 Notes), used for region.
| 0x0 || 0x10 || encrypted || 1st 128bit key || Initial byte (decrypted) matches TID (same as EID2 Notes) , used for region
|-
|-
| 0x10 || 0x10 || encrypted || Second 128bit key || Decrypts data sent from BD drive to host.
| 0x10 || 0x10 || encrypted || 2nd 128bit key ||  
|-
|-
| 0x20 || 0x10 || encrypted || CMAC hash || CMAC hash of the previous bytes
| 0x20 || 0x10 || encrypted|| CMAC-OMAC1 of EID4 ||
|}
|}


=== EID5 ===
=== EID5 ===


The largest and quite possibly the most important EID section of all 6. It's unknown what is inside this specific EID. We will probably never know without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use.
==== example ====
 
EID5 size is quite similar to EID0, but it has an additional 0x1A0 bytes. EID5 header has many similarities with EID0 header.
 
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 737: Line 595:
|-
|-
|}
|}
 
==== structure ====
==== Structure ====
Similar again to EID0
 
* Size: 0xA00 bytes.
 
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Size !! Value !! Description !! Observations  
! Address !! Size !! Value !! Description !! Observations  
|-
|-
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || [[IDPS]] ||
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || IDPS  || [[IDPS]]
|-
| 0x10 || 0x2 || 00 12 || Unknown || Unknown.
|-
|-
| 0x12 || 0x2 || 07 30 || Unknown || Maybe data size in bytes (in EID0 it is encrypted Identification Certificates count). 0x730 on CEX, 0x7E0 on DEX/DECR.
| 0x10 || 0x4 || 00 12 07 30 || Unknown || Changes from EID0/ 00 12 07 E0 on DEX
|-
|-
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] || Contains the 0xC byte perconsole nonce (as seen in bootldr/metldr and EID0) again at 0x14 to 0x1F
|-
|-
| 0x20 || Rest || || Encrypted, Unknown ||  
| Rest || Rest || Rest || Encrypted Data ||
|}
|}


=== Unreferenced EID area ===
=== unreferenced area ===
 
Possibly just unused EID region (which also explains why it is FF filled) <br />
Possibly just unused EID region (which would explain why it is 0xFF filled).
==== example ====
 
==== Example ====
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 780: Line 630:
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
|-
|}
|}
 
==== structure ====
==== Structure ====
 
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x0 || 0xE22F || 0xFF || 0xFF filled area
| 0x0 || 0xE22F || 0xFF || FF filled area
|-
|}
|}


{{Flash}}
{{Flash}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/Flash:Encrypted_Individual_Data_-_eEID"