Editing Remarry Bluray Drive on Linux

[[Category:OtherOS]]
 
=Introduction=
* I was playing with the HRL buffer of my BD drive on a PS3 Slim and corrupted it.
* After that I couldn't play BD movies on GameOS; the BD player returned an error.
* After I had written the P-Block, the S-Block and a new HRL, I could play my BD movies again :)
* I hope this guide can help someone else too.
* I tested it on a PS3 Slim.
* It was also tested on a PS3 phat.


=EID2=


* You will need decrypted EID2 data.
* How to get it on Linux is described here: http://www.psdevwiki.com/ps3/Spuisofs#Dumping_EID2_Key_with_spuisofs
* EID2 contains the encrypted P-Block and S-Block.
* To get the decrypted S-Block and P-Block, you first have to decrypt EID2 with the EID2 key and IV and then decrypt the blocks with DES-CBC.
Line 22: Line 15:
key: 6C CA B3 54 05 FA 56 2C
</pre>
==Decrypting EID2==
* You can decrypt the P- and S-Blocks with openssl, e.g.:
{{Keyboard|content=<syntaxhighlight lang="bash">
# eid2.bin is your EID2 from NOR/NAND flash
# You can dump EID2 e.g. with ps3dm
ps3dm iim get_data 2 > eid2.bin
# ignore any "bad decrypt" messages from openssl from now on
# create pblock_des.bin
(dd if=eid2.bin bs=1 skip=$((0x20)) count=$((0x80)); dd if=/dev/zero bs=1 count=16) | \
    openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key>  > pblock_des.bin
# create sblock_des.bin
(dd if=eid2.bin bs=1 skip=$((0xa0)) count=$((0x690)); dd if=/dev/zero bs=1 count=16) | \
    openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key>  > sblock_des.bin
# First 16 bytes in pblock_des.bin and sblock_des.bin should be equal to:
# 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
# create pblock.bin
(dd if=pblock_des.bin bs=1 skip=$((0x10)) count=$((0x60)); dd if=/dev/zero bs=1 count=8) | \
    openssl enc -d -des-cbc -iv 0000000000000000 -K 6CCAB35405FA562C > pblock.bin
# create sblock.bin
(dd if=sblock_des.bin bs=1 skip=$((0x10)) count=$((0x670)); dd if=/dev/zero bs=1 count=8) | \
    openssl enc -d -des-cbc -iv 0000000000000000 -K 6CCAB35405FA562C > sblock.bin
# First 16 bytes in pblock.bin and sblock.bin should be equal
# pblock.bin and sblock.bin are the files which you write to BD drive buffers !!!
</syntaxhighlight>}}
=Tools=
* ps3vuart-tools: http://www.ps3devwiki.com/wiki/Ps3vuart-tools
* bd-tools: http://gitorious.ps3dev.net/ps3linux/bd-tools
* You could also use my PS3 Debian LiveCD, which has ps3vuart-tools preinstalled and a GCC compiler that you can use to compile all the necessary BD tools. See http://www.ps3devwiki.com/wiki/Debian_LiveCD.
=Steps=
* The order is important. You cannot e.g. write HRL before writing P-Block or S-Block. I tried and corrupted my HRL.
1. Write P-Block
2. Authenticate BD drive with Storage Manager
3. Write S-Block
4. Write HRL


=Writing P-Block=
Line 89: Line 22:
* P-Block is in decrypted EID2 at offset 0x20 and of size 0x80.
* Not all P-Block data is sent to the BD drive. Only the data starting at offset 0x10 and of size 0x60 bytes is written to BD drive buffer 2.
* If you read back BD buffer 2 right after you have written it, then the first 0x10 bytes should match the first 0x10 bytes you sent. The remaining 0x50 bytes you read back should be all 0s.
Your P-Block should look like this after decryption:
<pre>
hexdump -C pblock.bin
00000000  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000010  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000020  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000030  04 00 04 00 00 00 00 00  fd 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000060
</pre>


==Test==
Line 111: Line 29:


<pre>
ls -l pblock.bin
-rw-r--r-- 1 glevand glevand 96 Aug 25 07:44 pblock.bin
# First enable writing BD buffer 2


Line 123: Line 38:


# Authenticate the BD drive
# Make sure you unmount spuisofs/spuldrfs and unload the kernel modules spuisofs/spuldrfs because
# spuisofs/spuldrfs use the shared SPU for isolation, which is used by Dispatcher Manager too


sudo ps3dm -v sm drive_auth 0x29                # It should not fail !!!
Line 135: Line 48:
* BD buffer 3 is of size 0x670 bytes.
* S-Block is in decrypted EID2 at offset 0xa0 and of size 0x690.
* The first 0x10 bytes in your S-Block should match the first 0x10 bytes of your P-Block.
* Not all S-Block data is sent to the BD drive. Only the data starting at offset 0x10 and of size 0x670 bytes is written to BD drive buffer 3.
* If you read back BD buffer 3 right after you have written it, then the first 0x10 bytes should match the first 0x10 bytes you sent and also the first 0x10 bytes which you read back from BD buffer 2 after you sent the P-Block. The remaining 0x660 bytes you read back should be all 0s.
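
The size, header and read-back checks listed for the P-Block and S-Block can be scripted so they run before and after each write. This is an added example, not part of the original wiki page or of bd-tools; the function names `check_blocks` and `check_readback` are hypothetical, and the read-back file is assumed to be a dump of the buffer that you have already saved to disk.

```shell
#!/bin/sh
# Added example (not from the wiki page or bd-tools). Function names are
# hypothetical; sizes and offsets are the ones stated on this page.

size_of()  { wc -c < "$1" | tr -d ' '; }                  # file size in bytes
hex_head() { od -An -v -tx1 -N 16 "$1" | tr -d ' \n'; }   # first 0x10 bytes as hex

# check_blocks PBLOCK SBLOCK
# Returns 0 only if the files have the payload sizes of BD buffers 2 and 3
# (0x60 and 0x670 bytes) and start with the same 0x10 bytes.
check_blocks() {
    rc=0
    [ "$(size_of "$1")" -eq $((0x60)) ] ||
        { echo "P-Block: expected 0x60 bytes" >&2; rc=1; }
    [ "$(size_of "$2")" -eq $((0x670)) ] ||
        { echo "S-Block: expected 0x670 bytes" >&2; rc=1; }
    [ "$(hex_head "$1")" = "$(hex_head "$2")" ] ||
        { echo "first 0x10 bytes of P-Block and S-Block differ" >&2; rc=1; }
    return "$rc"
}

# check_readback SENT READBACK
# READBACK is a dump of the buffer taken right after writing SENT (how the
# dump is produced is outside this example). Returns 0 if the sizes match,
# the first 0x10 bytes are identical and every remaining byte is zero.
check_readback() {
    [ "$(size_of "$1")" -eq "$(size_of "$2")" ] || return 1
    [ "$(hex_head "$1")" = "$(hex_head "$2")" ] || return 1
    # Strip spaces, newlines and '0' digits: anything left is a non-zero byte.
    tail_hex=$(od -An -v -tx1 -j 16 "$2" | tr -d ' \n0')
    [ -z "$tail_hex" ]
}

# Usage: sh check_blocks.sh pblock.bin sblock.bin
if [ "$#" -eq 2 ]; then
    check_blocks "$1" "$2" && echo "block files look consistent"
fi
```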


==Test==
Line 144: Line 54:


<pre>
ls -l sblock.bin
-rw-r--r-- 1 glevand glevand 1648 Aug 25 08:57 sblock.bin
# First enable writing BD buffer 3


sudo ./bd_enable_buffer_write -b 3


# Write S-Block to BD buffer 3


sudo ./bd_write_buffer -b 3 -i sblock.bin
Line 160: Line 67:
* HRL is stored in BD buffer 4.
* BD buffer 4 is of size 0x8000 bytes.
* If you dump the HRL buffer after you have written the P- and S-Blocks but before you have written a new HRL, then you won't see a valid HRL but some junk. That's OK.
* default_hrl.bin: http://www.multiupload.nl/D1DSV0QBJX


<pre>
Line 181: Line 86:
* You cannot just write a new HRL to BD drive buffer 4. Actually you can, but it will corrupt your current BD HRL.
* If you corrupt your HRL then nothing bad will happen but you won't be able to play BD movies.
* First you have to send the P-Block to the BD drive, after that authenticate the BD drive and then write a new HRL. Only in this order will it work.
* Dump the default HRL from Lv2diag.self (size 0x54 bytes) or just use the hexdump I posted here and pad it with 0s to 0x8000 bytes.


<pre>
ls -l default_hrl.bin
-rw-r--r-- 1 glevand glevand 32768 Aug 25 00:57 default_hrl.bin
# First enable writing BD buffer 4


Line 209: Line 110:
00008000
</pre>
{{Linux}}<noinclude>[[Category:Main]]</noinclude>