Mounting HDD on PC

From PS3 Developer wiki
Revision as of 20:30, 6 September 2012 by Glevand

Introduction

  • The goal is to mount PS3 HDD on PC Linux and make changes to it.
  • Use device mapper for transparent encryption/decryption.

ATA and ENCDEC Keys

See http://www.ps3devwiki.com/wiki/HDD_Encryption

Device Mapper

  • A really cool feature of Linux 2.6/3.
  • The device mapper is stackable.
  • You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.

dm-bswap16

  • Swaps bytes in each 16-bit word.
  • It is necessary for HDD/VFLASH encryption/decryption.
  • Tested on Linux 3.5.3

GIT repo: http://gitorious.ps3dev.net/ps3linux/dm-bswap16

Test

modprobe loop
modprobe dm_mod
modprobe dm-bswap16

dd if=/dev/zero of=test.bin bs=1K count=100

losetup /dev/loop0 ./test.bin

echo "0 200 bswap16 /dev/loop0" | dmsetup create test

ls -l /dev/mapper/test

echo "00 01 00 01 00 01" | xxd -r -p > /dev/mapper/test

# device mapper target

hexdump -C /dev/mapper/test 
00000000  00 01 00 01 00 01 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

# real data, as you see bytes are swapped in each 16-bit word
# device mapper allows you to do really cool things :)

hexdump -C /home/glevand/test.bin
00000000  01 00 01 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

dmsetup remove test
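
The same byte swap can be reproduced in userspace, which lets you check the mapped device against its backing file. This is an added example, not code from the dm-bswap16 repository; the function names are hypothetical and it relies on `dd conv=swab`, which swaps every pair of input bytes.

```shell
#!/bin/sh
# Added example: userspace equivalent of the bswap16 mapping, built on
# dd conv=swab (swaps every pair of input bytes). Function names are hypothetical.

# bswap16_file SRC DST: copy SRC to DST with the bytes of each 16-bit word swapped.
# Odd-sized input is refused: a trailing byte has no partner to swap with.
bswap16_file() {
    size=$(wc -c < "$1") || return 2
    if [ $((size % 2)) -ne 0 ]; then
        echo "bswap16_file: $1 has odd size $size" >&2
        return 1
    fi
    dd if="$1" of="$2" conv=swab 2>/dev/null
}

# verify_bswap16 BACKING MAPPED: succeed only if MAPPED (e.g. /dev/mapper/test)
# equals BACKING (e.g. test.bin) with every 16-bit word byte-swapped.
verify_bswap16() {
    tmp=$(mktemp) || return 2
    if bswap16_file "$1" "$tmp" && cmp -s "$tmp" "$2"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# hex_of FILE: contents of FILE as one lowercase hex string.
hex_of() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Constructed sample: the six bytes written to /dev/mapper/test above.
demo_bswap16() {
    d=$(mktemp -d) || return 2
    printf '\000\001\000\001\000\001' > "$d/mapped.bin"
    bswap16_file "$d/mapped.bin" "$d/backing.bin"
    echo "backing bytes: $(hex_of "$d/backing.bin")"
    verify_bswap16 "$d/backing.bin" "$d/mapped.bin" && echo "mapping verified"
    rm -rf "$d"
}

demo_bswap16
```

With the test mapping still active, `verify_bswap16 ./test.bin /dev/mapper/test` (as root) performs the same comparison on the real devices.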

Test with ps3da

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# decrypt using xts_aes

cat /dev/mapper/test | ./xts_aes/xts_aes -d -k <your ATA data key> -t <your ATA tweak key> | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

dm-crypto

  • We don't need xts_aes application anymore.
  • Linux kernel does encryption/decryption of data transparently for us.
  • One of the device mapper features is that it's stackable which is very useful for us.
  • VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.

HDD Test

  • Tested on PS3 itself with Debian LiveCD and Linux kernel version 3.4.10 but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 09:23 control
lrwxrwxrwx 1 root root       7 Sep  4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 09:30 test_crypt -> ../dm-1

hexdump -C /dev/mapper/test_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes

# Linux device mapper is really great !!!

VFLASH Test

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 16 bswap16 /dev/loop1" | dmsetup create hdd

# create hdd key file

echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

# VFLASH begins at sector 8 on HDD

echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# here it is important to use option -p because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 10:46 control
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root       7 Sep  4 11:10 vflash_crypt -> ../dm-3

hexdump -C /dev/mapper/vflash_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000270  00 00 00 00 00 07 3a 00  00 00 00 00 00 00 c0 00  |......:.........|
00000280  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000290  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000002a0  10 80 00 00 04 00 00 01  00 00 00 00 00 00 00 03  |................|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000300  00 00 00 00 00 07 fa 00  00 00 00 00 00 00 02 00  |................|
00000310  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000

# now VFLASH is also decrypted
# next step is partition table
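
A wrong key, a missing bswap16 layer or a wrong `-p` offset all produce garbage instead of the output shown in the HDD and VFLASH tests, so it is worth checking the result with a script before writing anything through the mapping. The following is an added example, not part of the original page; the function names are hypothetical, and treating `0f ac e0 ff` at offset 0x14 and `de ad fa ce` at offset 0x1c as the marker of a correct decryption is an assumption taken from the hexdump output above.

```shell
#!/bin/sh
# Added example: check a decrypted image or mapping for the two marker values
# seen in the hexdump output above. Function names are hypothetical.

# read_hex FILE OFFSET COUNT: COUNT bytes at byte OFFSET of FILE, as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# check_decrypted FILE: return 0 if both markers are present, 1 otherwise.
# Assumption: the marker values and offsets are read off the page's hexdumps.
check_decrypted() {
    m1=$(read_hex "$1" 20 4)   # offset 0x14
    m2=$(read_hex "$1" 28 4)   # offset 0x1c
    if [ "$m1" = "0face0ff" ] && [ "$m2" = "deadface" ]; then
        return 0
    fi
    echo "$1: markers not found (got '$m1' '$m2')" >&2
    return 1
}

# make_sample FILE: constructed 32-byte sample holding the same bytes as the
# first two rows of the hexdump output above.
make_sample() {
    {
        dd if=/dev/zero bs=1 count=20 2>/dev/null
        printf '\017\254\340\377\000\000\000\000\336\255\372\316'
    } > "$1"
}

demo_check() {
    d=$(mktemp -d) || return 2
    make_sample "$d/good.bin"
    dd if=/dev/zero of="$d/bad.bin" bs=32 count=1 2>/dev/null   # no markers
    check_decrypted "$d/good.bin" && echo "good.bin: looks decrypted"
    check_decrypted "$d/bad.bin" 2>/dev/null || echo "bad.bin: rejected"
    rm -rf "$d"
}

demo_check
```

On a live stack the same check is `check_decrypted /dev/mapper/test_crypt` for the HDD test or `check_decrypted /dev/mapper/vflash_crypt` for the VFLASH test.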

PS3 HDD Partition Table

  • Now that we can decrypt/encrypt the PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions, because only then can we make changes to the UFS or FAT filesystems on the HDD.
  • We have to implement PS3 HDD partition table in Linux kernel.
  • The Linux kernel with this feature will create all partition devices automatically in this case and we could mount and modify any HDD regions easily.
  • A new Linux kernel patch is necessary.
  • PS3 partition table is of size 0x1000 bytes.
  • Implemented PS3 partition support in Linux kernel. See patch 0035-ps3-partition.patch here http://gitorious.ps3dev.net/ps3linux/kernel-patches-35

Test


Links