Editing Flash:Encrypted Individual Data - eEID

== Encrypted Individual Data - eEID ==

eEID certainly stands for encrypted EID as each section eEID embeds is encrypted. EID certainly stands for Encrypted Individual Data. Why two 'e' in eEID ?

EID is the equivalent of IdStorage on PSP and PSVita.

eEID is decrypted by metldr and is passed over to the isolated loader which may pass it to a SELF. We can see this in graf_chokolo’s original payload.

It is 0x10000 bytes in size (64 kB) but only the first 0x1DD0 bytes are used. The rest is padded with 0xFF.

It is composed of 6 sections numbered from 0 to 5.

eEID contains per-console data like Console Id, OpenPsId, BD drive information and some keys.

See also [[Cex2Dex#LibeEID|LibeEID]].

{|class="wikitable"
|-
! Section !! Usage !! Description !! [[iso module]]
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] || Identification Certificates || [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] is needed for loading parameters to isoldr for loading isolated SELF files on a SPE || aim_spu_module
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID1|EID1]] || SCinit || ? + Syscon paring + Auth1/Auth2/Validate (see [[SC_Communication|SC Communication]] for more (log with logic analyzer)) || ?sc_iso_factory or ss_sc_init?
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID2|EID2]] || bd drive init || BD drive pairing || fdm_spu_module
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID3|EID3]] || bd player || Movie Per_Device keys || AacsModule.spu.isoself CprmModule.spu.isoself
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID4|EID4]] || bd driver key || ? + Drive_auth keys || sv_iso_spu_module, mc_iso_spu_module.self, me_iso_spu_module.self, me_iso_for_ps2emu.self
|-
| [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || DKI || ? Backup || ? Not used 
|}

=== Header ===

==== Example ====

{| class="wikitable"
|-
! NOR: 0x002F000 - 0x002F00F !! NAND: 0x0080800 - 0x008080F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080800  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........</pre>
|-
|}

==== Structure ====

{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0x4 || 0x6 || Number of entries
|-
| 0x4 || 0x4 || 0x1DD0 || Length of entire eEID package
|-
| 0x8 || 0x8 || 0x0 || Unknown/Blank
|}

=== File Table ===

This is the whole file table.

==== Example ====

{| class="wikitable"
|-
! NOR: 0x002F010 - 0x002F06F !! NAND: 0x0080810 - 0x008086F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
0002F020  00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01  ...Ð... ........
0002F030  00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02  ...p...0........
0002F040  00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03  ... ............
0002F050  00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04  ... ...0........
0002F060  00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05  ...Ð............</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080810  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
00080820  00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01  ...Ð... ........
00080830  00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02  ...p...0........
00080840  00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03  ... ............
00080850  00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04  ... ...0........
00080860  00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05  ...Ð............</pre>
|-
|}

==== Structure ====

0x10 bytes per entry as follows:

{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0x4 || 0x70 || Entry point
|-
| 0x4 || 0x4 || 0x860 || Length
|-
| 0x8 || 0x8 || 0x0 || EID number
|}

==== Typical EID entry addresses and lengths ====

Entry point listed is offset from base EID address (NOR:0x002F000 / NAND:0x0080800 in these examples).

Absolute start address is base EID address + Entry point

Absolute end address is base EID address + Entry point + Length

{|class="wikitable"
|-
! colspan="3" rowspan="2" | Description !! rowspan="2" | Entry point !! rowspan="2" | Length !! colspan="2" | NOR Address || colspan="2" | NAND Address
|-
! start !! end !! start !! end
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] || 0x70 || 0x860 || 0x002F070 || 0x002F8CF || 0x0080870 || 0x00810CF
|-
| || colspan="2" | EID0 HEADER || 0x70 || 0x20 || 0x002F070 || 0x002F08F || 0x0080870 || 0x008088F
|-
| || colspan="2" | EID0_0 || 0x90 || 0xC0 || 0x002F090 || 0x002F14F || 0x0080890 || 0x008094F
|-
| || || EID0_0_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_0_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_0_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_0_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_0_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_0_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_0_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_1 || 0x150 || 0xC0 || 0x002F150 || 0x002F20F || 0x0080950 || 0x0080A0F
|-
| || || EID0_1_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_1_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_1_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_1_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_1_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_1_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_1_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_2 || 0x210 || 0xC0 || 0x002F210 || 0x002F2CF || 0x0080A10 || 0x0080ACF
|-
| || || EID0_2_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_2_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_2_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_2_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_2_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_2_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_2_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_3 || 0x2D0 || 0xC0 || 0x002F2D0 || 0x002F38F || 0x0080AD0 || 0x0080B8F
|-
| || || EID0_3_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_3_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_3_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_3_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_3_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_3_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_3_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_4 || 0x390 || 0xC0 || 0x002F390 || 0x002F44F || 0x0080B90 || 0x0080C4F
|-
| || || EID0_4_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_4_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_4_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_4_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_4_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_4_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_4_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_5 || 0x450 || 0xC0 || 0x002F450 || 0x002F50F || 0x0080C50 || 0x0080D0F
|-
| || || EID0_5_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_5_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_5_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_5_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_5_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_5_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_5_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_6 || 0x510 || 0xC0 || 0x002F510 || 0x002F5CF || 0x0080D10 || 0x0080DCF
|-
| || || EID0_6_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_6_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_6_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_6_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_6_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_6_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_6_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_7 || 0x5D0 || 0xC0 || 0x002F5D0 || 0x002F68F || 0x0080DD0 || 0x0080E8F
|-
| || || EID0_7_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_7_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_7_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_7_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_7_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_7_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_7_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_8 || 0x690 || 0xC0 || 0x002F690 || 0x002F74F || 0x0080E90 || 0x0080F4F
|-
| || || EID0_8_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_8_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_8_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_8_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_8_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_8_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_8_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_9 || 0x750 || 0xC0 || 0x002F750 || 0x002F80F || 0x0080F50 || 0x008100F
|-
| || || EID0_9_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_9_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_9_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_9_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_9_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_9_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_9_PAD ||  || 0x8 ||  ||  ||  || 
|-
| || colspan="2" | EID0_A || 0x810 || 0xC0 || 0x002F810 || 0x002F8CF || 0x0081010 || 0x00810CF
|-
| || || EID0_A_DATA ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_A_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_A_CERT_SIG ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_A_CERT_PUB ||  || 0x28 ||  ||  ||  || 
|-
| || || EID0_A_PRIV.ENC ||  || 0x20 ||  ||  ||  || 
|-
| || || EID0_A_OMAC ||  || 0x10 ||  ||  ||  || 
|-
| || || EID0_A_PAD ||  || 0x8 ||  ||  ||  || 
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID1|EID1]] || 0x8D0 || 0x2A0 || 0x002F8D0 || 0x002FB6F || 0x00810D0 || 0x008136F
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID2|EID2]] || 0xB70 || 0x730 ||0x002FB70 || 0x003029F || 0x0081370 || 0x0081A9F
|-
| || colspan="2" | EID2_P_LEN ||  ||   ||  ||  ||  || 
|-
| || colspan="2" | EID2_S_LEN ||  ||   ||  ||  ||  || 
|-
| || colspan="2" | EID2_PAD || 0x28 ||   ||  ||  ||  || 
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID3|EID3]] || 0x12A0 || 0x100 || 0x00302A0 || 0x003039F || 0x0081AA0 || 0x0081B9F
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID4|EID4]] || 0x13A0 || 0x30 || 0x00303A0 || 0x00303CF || 0x0081BA0 || 0x0081BCF
|-
| colspan="3" | [[Flash:Encrypted_Individual_Data_-_eEID#EID5|EID5]] || 0x13D0 || 0xA00 || 0x00303D0 || 0x0030DCF || 0x0081BD0 || 0x00825CF
|}

=== EID0 ===

==== Example ====

{| class="wikitable"
|-
! NOR: 0x002F070 - 0x002F8CF !! NAND: 00080870 - 0x00810CF
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F070  00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  .....‰.......‘.\
0002F080  00 12 00 0B FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ....üÑØ¾oôÈØ.áÃ÷
....
0002F8B0  5B B4 1B C2 81 59 79 1A E6 DA F1 FD 5C E8 5B 67  [´.Â.Yy.æÚñý\è[g
0002F8C0  EA 85 A8 F6 9F A1 C6 A2 5E 59 C5 61 A9 5F 6D 2E  ê…¨öŸ¡Æ¢^YÅa©_m.</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080870  00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  .....Š....R¼Ç.m²
00080880  00 12 00 0B 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ....“·ß8”’.¶ÃœÒª
....
000810B0  05 CA AE F2 3A 9C 88 09 90 D6 41 4B DA 37 6C AF  .Ê®ò:œˆ..ÖAKÚ7l¯
000810C0  4A 63 D7 B0 3E DD 5A 29 55 6A 9B E7 96 6E E1 EE  Jc×°>ÝZ)Uj›ç–náî</pre>
|-
|}

==== Structure ====

{|class="wikitable"
|-
! Address !! Size !! Value !! Description !! Observations 
|-
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || [[IDPS]] ||
|-
| 0x10 || 0x2 || 00 12 || Unknown || Unknown (00 11 on [[DEH-H1000A-E]] and earlier models)<!-- same value as "cISD1 relative offset 0x56" ? (see [[Talk:Flash:Individual System Data - cISD]] -->
|-
| 0x12 || 0x2 || 00 0B || EID0 sections number || Always 11.
|-
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
|-
| 0x20 || Rest || Rest || Encrypted Data ||
|}

Individual info Manager can write to EID0. Appliance Info Manager can rehash it.

EID0 embeds 11 AES128CBC encrypted sections. These are the [[Identification Certificates]].

We do not have all EID0 sections enc/dec key seeds:
<pre>
section 0 (PS3 cert keyset 0) -> yes
section 1 (PS3 cert keyset 1)-> missing
section 2 (PS3 cert keyset 2) -> missing
section 3 (PS3 cert keyset 3) -> missing
section 4 (PS3 cert keyset 4) -> missing
section 5 (PS3 cert keyset 5) -> missing
section 6 (PSP cert keyset 1) -> yes
section 7 (PSP cert keyset 2) -> missing
section 8 (PSP cert keyset 3) -> missing
section 9 (PSP cert keyset 4) -> missing
section 0xA (PSP cert keyset 5) -> yes
</pre>

Keys for EID0 sections 0, 6 and 0xA key seeds were found in secure modules, for instance seeds for 0 and 0xA in aim_spu_module.

===== EID0 Sections =====

====== IDPS Certificate Structure ======

* Size: 0xC0 bytes.

{|class="wikitable"
|-
! Description !! Length !! Note
|-
| Data || 0x10 || actual data (either IDPS or OpenPSID)
|-
| plaintext public key || 0x28 || public key (without padding)
|-
| R || 0x14 || part of the ECDSA signature pair (r,s)
|-
| S || 0x14 || part of the ECDSA signature pair (r,s)
|-
| public key || 0x28 || ECDSA public key (can be used to verify ECDSA signature RS)
|-
| encrypted private key || 0x20 || encrypted ECDSA private key
|-
| cmac || 0x10 || hash of the previous information in AES CMAC mode
|-
| padding || 0x8 || zero byte padding for AES 128 bits encryption
|}

====== EID0 section 0 crypto ======

* [https://web.archive.org/web/20141118233713/http://pastie.org/6169158 naehrwert's EID0 section 0 ECDSA signature verification]

====== EID0 sections 6 and 0xA crypto ======

EID0 section 6 is used in the PSP emulator by the DRM crypto engine to retrieve PSID. EID0 section 0xA is used by some aim_spu_module to retrieve OpenPSID.

These sections' certificates uses PSP certificate keyset. It corresponds to PSP KIRK commands 0x10, 0x11 and 0x12 for verification of IdStorage Certificates. See also [[http://wololo.net/talk/viewtopic.php?p=20715#p20715]] and PSP wiki for PSP crypto stuff.

Note: Something interesting is that on PS3 it uses ECDSA curve VSH type 2 with the PSP IDPS Certificates public keys, whilst it uses a different curve with the PS3 exclusive Certificates (for example section 0). That is maybe how Davee and Proxima figured out the KIRK 0x10 and 0x11 ECDSA crypto keys. But not sure because their work was in 2011, not in 2012 (naehrwert) and it seems that PS3 uses a different seed for encrypting the ECDSA private key (see section 6 ECDSA private key seed).

=== EID1 ===

Used for individual SYSCON information.

==== Example ====

Here it is encrypted.

{| class="wikitable"
|-
! NOR: 0x002F8D0 - 0x002FB6F !! NAND: 0x00810D0 - 0x008136F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F8D0  DB D1 FF 70 CF CA D6 A6 59 94 15 E1 B3 FC CF CA  ÛÑÿpÏÊÖ¦Y”.á³üÏÊ
0002F8E0  B6 48 D5 01 39 4A 76 00 25 76 F6 F0 36 65 68 A7  ¶HÕ.9Jv.%vöð6eh§
....
0002FB50  AB 66 60 E8 B7 0D 3F 78 C5 59 2B D4 77 EB 2C 2D  «f`è·.?xÅY+Ôwë,-
0002FB60  C3 6A B9 FA BB 63 CD EA 5D D2 39 8A 3F 77 2A 09  Ãj¹ú»cÍê]Ò9Š?w*.</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000810D0  A3 D6 F3 27 20 C6 80 11 EA A3 A1 75 48 36 4C 10  £Öó' Æ€.ê£¡uH6L.
000810E0  C9 6F B0 3D BF 85 4F D4 1F 89 01 C9 BC 64 DE 08  Éo°=¿…OÔ.‰.É¼dÞ.
....
00081350  2A DF F9 45 E4 94 FD 43 33 82 6E 82 BB E9 CD 3F  *ßùEä”ýC3‚n‚»éÍ?
00081360  53 5F E0 5A A2 7A 7E 6E 3D 50 A3 2B 16 68 7B 28  S_àZ¢z~n=P£+.h{(</pre>
|-
|}

==== Structure ====

* Size: 0x2A0 bytes.

{|class="wikitable"
|-
! Offset !! Length !! Description
|-
| 0 || 0x10 || INIT Seed
|-
| 0x10 || 0x80 || AUTH1 Reencrypted Keyseeds
|-
| 0x90 || 0x80 || AUTH2 Reencrypted Keyseeds
|-
| 0x110 || 0x40 || Keyseeds (Time Service Purpose)
|-
| 0x150 || 0x10 ||  KeySeed (SNVS/Time Related)
|-
| 0x160 || 0x120 || Padding (Zeroes)
|-
| 0x280 || 0x10  || CMAC of Encrypted Data Using Master Key 0x20 if on EEPROM to CMAC (and encrypt/decrypt) or Master Key 0x10 if on FLASH
|-
| 0x290 || 0x10  || CMAC of Encrypted FLASH Data Using Perconsole Key encrypted using root key and EID1 seeds
|}

=== EID2 ===

Used for individual BD drive information. See [[Hypervisor_Reverse_Engineering#Remarrying]].

==== Example ====

{| class="wikitable"
|-
! NOR: 0x002FB70 - 0x003029F !! NAND: 0x0081370 - 0x0081A9F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002FB70  00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00  .€..............
0002FB80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0002FB90  56 64 18 79 DC 30 12 51 3C C5 69 21 0C AD ED 8F  Vd.yÜ0.Q<Åi!.í.
0002FBA0  67 DC 77 CC B6 4B 2D FB 68 F2 2E 41 A0 F4 C7 88  gÜwÌ¶K-ûhò.A ôÇˆ
....
00030280  03 92 40 B3 63 F4 62 97 D2 3D AE 82 1B F4 EC CA  .’@³côb—Ò=®‚.ôìÊ
00030290  30 72 60 A5 7E B7 11 54 D9 9D 02 5C 20 7A CE 83  0r`¥~·.TÙ..\ zÎƒ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081370  00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00  .€..............
00081380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00081390  FC CA 19 07 3F FA D0 87 DF 20 23 98 99 17 F1 DF  üÊ..?úÐ‡ß #˜™.ñß
000813A0  95 A7 98 49 EC 4D 68 D2 61 D7 2F BE 4A 7E 86 02  •§˜IìMhÒa×/¾J~†.
....
00081A80  76 D5 07 20 D1 85 07 39 4D 2E F9 CE 0F A4 61 ED  vÕ. Ñ….9M.ùÎ.¤aí
00081A90  18 A6 BB 00 F9 55 69 BB DC 60 54 6D 40 C5 AF 3D  .¦».ùUi»Ü`Tm@Å¯=</pre>
|-
|}

==== Structure ====

* Size: 0x730 bytes.

{|class="wikitable"
|-
! Address !! Size !! Value !! Description !! Observations 
|-
| 0x0 || 0x2 || 00 80 || P-Block Size  || Decrypted P-Block contains region settings (see [[#decryptednotes|Notes]])
|-
| 0x2 || 0x2 || 06 90 || S-Block Size  || 
|-
| 0x4 || 0x1A || 00s || Padding? ||
|-
| 0x1E? || 0x2 || 0x0000 || || on {{ARC}}/{{DEX}}/{{DECR}} there is 0x0003
|-
| 0x20 || 0x80 || encrypted data || P-Block || Contains BD drive info.
|-
| 0xA0 || 0x690 || encrypted data || S-Block || Contains BD drive info. on {{ARC}}/{{DEX}}/{{DECR}} S-Block is 00s
|}

Note: In decrypted P-Block these bytes match [[Product Code]]:

{| class="wikitable" style="font-size:x-small; border:2px ridge #999999;"
|-
! Value !! [[Product Code]] !! Console Type !! Remarks !! Confirmed ?
|-
| || {{TID80}} || ||
|-
| 0xFF || {{TID81}} || No BD playback with this [[Product Code]]. || {{yes}}
|-
| 0xFF || {{TID82}} || No BD playback with this [[Product Code]]. || {{yes}}
|-
| 0x01 || {{TID83}} || DVD Region 2 (NTSC)  || {{no}}
|-
| 0x02 || {{TID84}} || DVD Region 1 (NTSC)  || {{yes}}
|-
| 0x04 || {{TID85}} || DVD Region 2 (PAL)   || {{yes}}
|-
| 0x10 || {{TID86}} || DVD Region 3 (NTSC)  || {{no}}
|-
| 0x04 || {{TID87}} || DVD Region 2 (PAL)   || {{yes}}
|-
| 0x80 || {{TID88}} || DVD Region 4 (NTSC) 	|| {{yes}}
|-
| 0x08 || {{TID89}} || DVD Region 4 (PAL)  || {{no}}
|-
| 0x10 || {{TID8A}} || DVD Region 3 (NTSC)  || {{yes}}
|-
| 0x10 || {{TID8B}} || DVD Region 3 (NTSC)  || {{yes}}
|-
| 0x20 || {{TID8C}} || DVD Region 5 (NTSC/PAL)  || {{no}}
|-
| 0x40 || {{TID8D}} || DVD Region 6   || {{no}}
|-
| 0x10 || {{TID8E}} || DVD Region 3 (NTSC)  || {{yes}}
|-
| 0x80 || {{TID8F}} || DVD Region 4 (NTSC)  || {{no}}
|-
| 0xFF || {{TIDA0}} || No BD playback with this [[Product Code]].  || {{yes}}
|-
|}

This value also must match the first byte of the decrypted EID4.

Notes:
* 0xFF = 0b11111111 - all bits enabled
* 0x80 = 0b10000000 - {{TID88}} - bit 7 (DVD Region 4 (NTSC))
* 0x40 = 0b01000000 - {{TID8D}} - bit 6 (DVD Region 6)
* 0x20 = 0b00100000 - {{TID8C}} - bit 5 (DVD Region 5 (NTSC/PAL))
* 0x10 = 0b00010000 - {{TID8E}} | {{TID86}} | {{TID8A}} | {{TID8B}} -  bit 4 (DVD Region 3 (NTSC))
* 0x08 = 0b00001000 - {{TID89}} - bit 3 (DVD Region 4 (PAL))
* 0x04 = 0b00000100 - {{TID87}} | {{TID85}} - bit 2 (DVD Region 2(PAL))
* 0x02 = 0b00000010 - {{TID84}} - bit 1 (DVD Region 1 (NTSC))
* 0x01 = 0b00000001 - {{TID83}} - bit 0 (DVD Region 2 (NTSC))

=== EID3 ===

Used for individual CPRM information. See [[Hypervisor_Reverse_Engineering#Communication]].

==== Example ====

{| class="wikitable"
|-
! NOR: 0x00302A0 - 0x003039F !! NAND: 0x0081AA0 - 0x0081B9F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000302A0  00 00 00 01 58 1B 20 6E 00 00 00 00 01 8B 39 46  ....X. n.....‹9F
000302B0  00 01 00 D0 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ...ÐüÑØ¾oôÈØ.áÃ÷
000302C0  31 6B 01 24 85 68 AD 48 F4 D9 C5 E1 3E D5 BD A8  1k.$…hHôÙÅá>Õ½¨
000302D0  A1 DD 7A 4A F2 95 3C FE 62 F2 F4 FD E0 48 98 35  ¡ÝzJò•<þbòôýàH˜5
000302E0  4D EB E2 E5 94 40 5F 29 BD 44 20 6E F1 14 92 5C  Mëâå”@_)½D nñ.’\
000302F0  19 1D 35 A5 32 54 FF 12 52 86 DD 19 4D E4 67 31  ..5¥2Tÿ.R†Ý.Mäg1
00030300  7F 34 A4 EE 0C 19 9B 0F C9 E3 81 4D F9 F7 1D 88  .4¤î..›.Éã.Mù÷.ˆ
00030310  90 C8 D3 F0 D5 40 5F 6B 2B A5 2D 1D D6 1F 58 37  .ÈÓðÕ@_k+¥-.Ö.X7
00030320  35 A5 7E 90 05 F1 89 2E 7F 76 BC 22 3F D4 F4 C3  5¥~..ñ‰..v¼"?ÔôÃ
00030330  31 58 62 79 2E D7 27 E3 4D 9F 16 BC 8E 7E B7 8D  1Xby.×'ãMŸ.¼Ž~·.
00030340  20 2F 8B 76 4F E7 FC 0F 4B 0E 26 54 AF 72 82 AD   /‹vOçü.K.&T¯r‚
00030350  9E 93 28 FB EA 3B 3D 62 47 C7 06 68 D0 5B C9 4E  ž“(ûê;=bGÇ.hÐ[ÉN
00030360  E9 8F 1F 45 B1 7B 9B E3 9E 5C 33 5F E3 15 C5 B6  é..E±{›ãž\3_ã.Å¶
00030370  E7 35 F4 0F C9 D6 F8 48 0B C7 63 A7 56 5D 96 C4  ç5ô.ÉÖøH.Çc§V]–Ä
00030380  CD 53 F2 95 5F 78 A1 5D 48 A6 9C D2 0B 40 D2 90  ÍSò•_x¡]H¦œÒ.@Ò.
00030390  7D 83 7B 24 12 F3 9F A7 F4 1E 7A 9B 98 50 2C 02  }ƒ{$.óŸ§ô.z›˜P,.</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081AA0  00 00 00 01 39 20 C4 E4 00 00 00 00 00 6E 38 61  ....9 Ää.....n8a
00081AB0  00 01 00 D0 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ...Ð“·ß8”’.¶ÃœÒª
00081AC0  EA 14 35 C0 0F 48 31 01 FE 4C FD 1B F8 A5 C1 04  ê.5À.H1.þLý.ø¥Á.
00081AD0  B2 EE 21 12 5F F2 68 21 40 61 3D ED 62 7B EC 91  ²î!._òh!@a=íb{ì‘
00081AE0  0F C2 D4 27 D9 90 34 C4 19 0D AB 2E 28 9B F4 F6  .ÂÔ'Ù.4Ä..«.(›ôö
00081AF0  00 F5 05 71 FA 53 A6 E8 52 57 9D 9E 7E 8B 9C FD  .õ.qúS¦èRW.ž~‹œý
00081B00  C3 0B 92 AB 25 3E 34 D8 05 E0 92 DC 27 24 14 71  Ã.’«%>4Ø.à’Ü'$.q
00081B10  AF AC 4E C3 6B 66 EF 18 0B EB 72 5D E7 F1 96 28  ¯¬NÃkfï..ër]çñ–(
00081B20  6C 71 06 2B 45 7F 96 76 34 FA AC 7E D8 8F 97 B8  lq.+E.–v4ú¬~Ø.—¸
00081B30  F4 B5 10 BA 71 9E 38 CB 7C AD CB A7 09 E0 23 72  ôµ.ºqž8Ë|Ë§.à#r
00081B40  19 4B 32 A2 0A 13 1C 4B 12 67 C3 28 98 EE 2D 26  .K2¢...K.gÃ(˜î-&
00081B50  B8 81 39 08 81 E4 11 EF 7B 6B DB 0A E8 A9 D0 9E  ¸.9..ä.ï{kÛ.è©Ðž
00081B60  71 13 05 67 99 77 9B 1D E8 C9 0B 67 FB AC 4B 03  q..g™w›.èÉ.gû¬K.
00081B70  78 AF 44 B3 35 A9 39 1F 75 C1 9F 3C 46 E8 C6 71  x¯D³5©9.uÁŸ<FèÆq
00081B80  A5 5B 57 D3 37 6B E2 34 E7 7C B6 A5 04 FE 42 B5  ¥[WÓ7kâ4ç|¶¥.þBµ
00081B90  09 C7 97 0F 9E 2C 7F 94 F6 9C A2 15 4A 76 49 79  .Ç—.ž,.”öœ¢.JvIy</pre>
|-
|}

==== Structure ====

* Size: 0x100 bytes.

{|class="wikitable"
|-
! Offset !! Description !! Length !! Note
|-
| 0x00 || Header || 0x20 || contains ckp_management_id, size of cprm keys + sha1 digest + padding and nonce
|-
| 0x20 || cprm player keys || 0xB8 || 
|-
| 0xD8 || sha1 digest || 0x14 || sha1 digest of previous section
|-
| 0xEC || padding || 0x4 ||
|-
| 0xF0 || omac1 digest || 0x10 || omac1 digest of whole eid3
|}

{|class="wikitable"
|-
! Address !! Size !! Value !! Description !! Observations 
|-
| 0x0 || 0x4 || 0x00000001 || indication content available?  || 
|-
| 0x4 || 0x4 || 58 1B 20 6E || speculation: maybe 2x2 bytes indicating id's/build or smth? || 
|-
| 0x8 || 0x8 || 0x00000000018B3946 || ckp_management_id as in [[Flash:Individual_System_Data_-_cISD#cISD1|cISD1]] ||
|-
| 0x10 || 0x2 || 0x0001 ||  ||
|-
| 0x12 || 0x2 || 0x00D0 ||  ||
|-
| 0x14 || 0x0C || perconsole nonce || [[Flash:perconsole_nonce|perconsole nonce]] ||
|-
| 0x20 || 0xE0 || encrypted data ||  ||
|}

* On {{DEX}}/{{DECR}}<!-- /{{ARC}} --> EID3 is 00 filled.

=== EID4 ===

Used for individual bluray auth information. See also [[BD Drive Reverse Engineering]].

EID4 contains two 128bit keys which are necessary to establish a secure communication channel to the BD drive for sending vendor specific security commands.

EID4 is encrypted with AES-CBC-256 algorithm.

==== Example ====

{| class="wikitable"
|-
! NOR: 0x00303A0 - 0x00303CF !! NAND: 0x0081BA0 - 0x0081BCF
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000303A0  8B D7 1B A0 C3 DA 4B BE B3 72 AE 61 78 90 31 1F  ‹×. ÃÚK¾³r®ax.1.
000303B0  2E CD F1 92 28 8E 17 AD 6A 9C D5 8A 8E 17 86 39  .Íñ’(Ž.jœÕŠŽ.†9
000303C0  C8 0A F7 9B 92 D8 3A A8 92 60 73 6A 5E 12 2A 94  È.÷›’Ø:¨’`sj^.*”</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081BA0  40 9F 75 39 22 96 C2 12 A2 9C BC CF 53 99 73 40  @Ÿu9"–Â.¢œ¼ÏS™s@
00081BB0  5D AD A7 F6 26 6E 50 35 55 A8 8A B9 24 A1 F5 35  ]§ö&nP5U¨Š¹$¡õ5
00081BC0  BC 3B 7A 88 17 75 9C 44 A9 2D 4B E0 8B 80 92 E7  ¼;zˆ.uœD©-Kà‹€’ç</pre>
|-
|}

==== Structure ====

* Size: 0x30 bytes.

{|class="wikitable"
|-
! Offset !! Size !! Value !! Description !! Observations 
|-
| 0x0 || 0x10 || encrypted || First 128bit key || Encrypts data sent from host to BD drive. Initial byte (decrypted) matches TID (same as EID2 Notes), used for region.
|-
| 0x10 || 0x10 || encrypted || Second 128bit key || Decrypts data sent from BD drive to host.
|-
| 0x20 || 0x10 || encrypted || CMAC hash || CMAC hash of the previous bytes
|}

=== EID5 ===

The largest and quite possibly the most important EID section of all 6. It's unknown what is inside this specific EID. We will probably never know without analyzing every possible clue about the PS3. And even then, it might be impossible to find its real use.

EID5 size is quite similar to EID0, but it has an additional 0x1A0 bytes. EID5 header has many similarities with EID0 header.

==== Example ====

{| class="wikitable"
|-
! NOR: 0x00303D0 - 0x0030DCF !! NAND: 0x0081BD0 - 0x00825CF
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000303D0  00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  .....‰.......‘.\
000303E0  00 12 07 30 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ...0üÑØ¾oôÈØ.áÃ÷
000303F0  B7 05 8B 05 E4 2E 94 C7 41 8E 1D E9 DE 63 F6 E6  ·.‹.ä.”ÇAŽ.éÞcöæ
00030400  C5 18 28 E6 47 44 CE 5D 53 03 57 76 46 0C 97 AB  Å.(æGDÎ]S.WvF.—«
....
00030DB0  A8 55 8A FF 73 96 11 1B 6D 85 82 BD 73 FD 45 6D  ¨UŠÿs–..m…‚½sýEm
00030DC0  7B 7B 00 DD 0D EB A8 A1 57 5F 5D 0F C9 23 49 E8  {{.Ý.ë¨¡W_].É#Iè</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081BD0  00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  .....Š....R¼Ç.m²
00081BE0  00 12 07 30 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ...0“·ß8”’.¶ÃœÒª
00081BF0  CB 95 EF 88 DB 8B E8 14 69 1F 99 A7 4A 66 F7 09  Ë•ïˆÛ‹è.i.™§Jf÷.
00081C00  DD 23 09 1F 73 22 43 26 F4 1A 65 44 9C F2 DB 89  Ý#..s"C&ô.eDœòÛ‰
....
000825B0  CE 82 2F 9B 8D F0 4E 22 6B EF 68 28 37 38 AA 08  Î‚/›.ðN"kïh(78ª.
000825C0  EA 85 EA 2C A4 1D F2 76 9C FF D5 D4 49 97 06 06  ê…ê,¤.òvœÿÕÔI—..</pre>
|-
|}

==== Structure ====

* Size: 0xA00 bytes.

{|class="wikitable"
|-
! Address !! Size !! Value !! Description !! Observations 
|-
| 0x0 || 0x10 || 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C || [[IDPS]] ||
|-
| 0x10 || 0x2 || 00 12 || Unknown || Unknown.
|-
| 0x12 || 0x2 || 07 30 || Unknown || Maybe data size in bytes (in EID0 it is encrypted Identification Certificates count). 0x730 on CEX, 0x7E0 on DEX/DECR.
|-
| 0x14 || 0xC || FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 || [[Flash:perconsole_nonce|perconsole nonce]] ||
|-
| 0x20 || Rest || || Encrypted, Unknown || 
|}

=== Unreferenced EID area ===

Possibly just unused EID region (which would explain why it is 0xFF filled).

==== Example ====

{| class="wikitable"
|-
! NOR: 0x0030DD0 - 0x003EFFF !! NAND: 0x00825D0 - 0x00907FF
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00030DD0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00030DE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003EFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003EFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000825D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000825E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
|}

==== Structure ====

{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0xE22F || 0xFF || 0xFF filled area
|}


{{Flash}}
<noinclude>[[Category:Main]]</noinclude>