Introduction[edit | edit source]

• ENCDEC is the encoder/decoder, integrated inside South Bridge
• The following information was reverse engineered from LV1, Storage Manager in LPAR1, sb_iso_spu_module.self and sv_iso_spu_module.self.

Linux Driver ps3encdec[edit | edit source]

• I'm using this driver to set/clear my ATA and VFLASH keys.
• Tested on Linux 3.5.1.
• You can send all supported ENCDEC commands with this driver.

Interesting Facts[edit | edit source]

• HDD sectors arrive in LV1 with tweak values already XORed.
• But VFLASH sectors are first encrypted/decrypted with ENCDEC keys and the fact is that VFLASH sectors are NOT already XORed with tweak values. LV1 does pre- and post-XORing with tweak values.
• LV1 allocates a DMA region where it stores the sector number for each requested sector and ENCDEC encryptes these tweak values.
• After that, LV1 XORes encrypted tweak values.
• See encdec_device_enqueue_decsec_request and EdecXTS_XorWithMask in LV1.
• I patched my LV1 for testing and killed XORing with encrypted tweak values. After that VFLASH sectors were encrypted/decrypted without tweak values, only with XTS data key.

Establish Secure Communication Channel[edit | edit source]

• First host and ENCDEC device exchange random numbers.
• From the exchanged random numbers host and ENCDEC device compute the session key.
• ENCDEC commands, e.g. to set ATA keys, are encrypted with the session key and AES-CBC-192.
• Before a secure communication channel is established, host and ENCDEC device use static AES-CBC-192 keys to encrypt communication data. The static keys can be found e.g. in sb_iso_spu_module.self or sv_iso_spu_module.self.
• Static ENCDEC keys depend on SB bus version. To get your SB bus version, read v2 of repository node SB bus id.

SB bus id from 3.15:

....bus. 00 00 00 00 62 75 73 01
id...... 69 64 00 00 00 00 00 00
........ 00 00 00 00 00 00 00 00
........ 00 00 00 00 00 00 00 00
........ 00 00 00 00 00 00 00 01
........ 00 00 00 00 03 00 01 03        <-------- SB bus id v2

# Dumping it with ps3lv1call-tools

~/ps3lv1call-tools$ sudo ./ps3lv1call 91 1 0x0000000062757301 0x6964000000000000 0 0
0000000000000001 0000000004000103

• During the communication, host and ENCDEC device use random IVs which are sent unencrypted together with encrypted payload.
• The ENCDEC commands, which are encrypted with the session key, contain magic 24 bytes which are checked by ENCDEC device and if some bits are not correct then the command is denied. The magic bytes can be found in sb_iso_spu_module.self too.
• The format of ENCDEC command to set ATA keys is slightly different from the ENCDEC command to set ENCDEC keys.

ENCDEC Commands[edit | edit source]

KGEN1 (0x81)[edit | edit source]

• Used by host to send host random to ENCDEC device and receive ENCDEC random from ENCDEC device.
• Sent data is encrypted with host static key and received data is encrypted with ENCDEC static key.

KGEN2 (0x82)[edit | edit source]

• Used by host to send host and ENCDEC randoms to ENCDEC device.
• Sent data is encrypted with host static key.

KSET (0x83)[edit | edit source]

• Used by host to send ENCDEC command to ENCDEC device.
• Sent data is encrypted with the session key.
• It contains magic 24 bytes from sb_iso_spu_module.self.

KGEN_FLASH (0x84)[edit | edit source]

• The command resets ENCDEC device state.
• LV1 calls this command "EdecKgenFlash", probably correct name is "EdecKgenFlush" :)

SB_CLEAR (0x87)[edit | edit source]

• No clue what it does but it is sent by Storage Manager after ATA keys are cleared.

Set ATA Keys[edit | edit source]

Set ENCDEC Keys[edit | edit source]

Linux Application[edit | edit source]

• Here the Linux application i use with my ps3encdec device driver to set/clear ATA/ENCDEC keys on my PS3.

See my GIT repo: http://gitorious.ps3dev.net/ps3linux/encdec

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation PS1 Emulation · PS2 Emulation · PSP Emulation Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks