Mounting HDD on PC

From PS3 Developer wiki
Revision as of 22:35, 24 June 2019 by 73.246.157.11 (talk) (Document structure of partition table.)

Introduction

  • The goal is to mount a PS3 HDD on a Linux PC and make changes to it.
  • Use device mapper for transparent encryption/decryption.

ATA and ENCDEC Keys

Main article: HDD Encryption

Device Mapper

  • A really cool feature of Linux 2.6/3.
  • The device mapper is stackable.
  • You have to enable a couple of new kernel features like device mapper crypto, XTS crypto and so on.

dm-bswap16

  • Swaps bytes in each 16-bit word.
  • It is necessary for HDD/VFLASH encryption/decryption.
  • Tested on Linux 3.5.3

GIT repo: http://gitorious.ps3dev.net/ps3linux/dm-bswap16

Test

modprobe loop
modprobe dm_mod
modprobe dm-bswap16

dd if=/dev/zero of=test.bin bs=1K count=100

losetup /dev/loop0 ./test.bin

echo "0 200 bswap16 /dev/loop0" | dmsetup create test

ls -l /dev/mapper/test

echo "00 01 00 01 00 01" | xxd -r -p > /dev/mapper/test

# device mapper target

hexdump -C /dev/mapper/test 
00000000  00 01 00 01 00 01 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

# real data, as you see bytes are swapped in each 16-bit word
# device mapper allows you to do really cool things :)

hexdump -C /home/glevand/test.bin
00000000  01 00 01 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

dmsetup remove test

Test with ps3da

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# decrypt using xts_aes

cat /dev/mapper/test | ./xts_aes/xts_aes -d -k <your ATA data key> -t <your ATA tweak key> | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

dm-crypt

  • We don't need xts_aes application anymore.
  • The Linux kernel does encryption/decryption of data transparently for us.
  • One of the device mapper features is that it's stackable which is very useful for us.
  • VFLASH is encrypted twice. So we have to create a second DM crypto target based on the DM crypto target for HDD.

HDD Test

  • Tested on the PS3 itself with a Debian LiveCD and Linux kernel version 3.4.10, but you can use the same technique on a Linux PC. I was just lazy and it is easier to test on PS3.

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=2 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 2 bswap16 /dev/loop1" | dmsetup create test

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 test_crypt /dev/mapper/test

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 09:23 control
lrwxrwxrwx 1 root root       7 Sep  4 09:25 test -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 09:30 test_crypt -> ../dm-1

hexdump -C /dev/mapper/test_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

# and we don't need xts_aes tool anymore :)
# Linux does encryption/decryption for us transparently now
# now you have raw access to your encrypted PS3 HDD and you can make simple changes

# Linux device mapper is really great !!!

VFLASH Test

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# for now don't use ps3da device directly, dump sectors to file and bind it to loop device
# later we will use ps3da device directly when dm-bswap16 is well tested and bug free

dd if=/dev/ps3da bs=512 count=16 of=hdd_enc.bin

losetup /dev/loop1 ./hdd_enc.bin

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

echo "0 16 bswap16 /dev/loop1" | dmsetup create hdd

# create hdd key file

echo <your hdd data key as hex string> <your hdd tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

# VFLASH begins at sector 8 on HDD

echo "0 8 linear /dev/mapper/hdd_crypt 8" | dmsetup create vflash

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# it is important to use option -p (--skip) here because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/vflash

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  4 10:46 control
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  4 11:02 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  4 11:07 vflash -> ../dm-2
lrwxrwxrwx 1 root root       7 Sep  4 11:10 vflash_crypt -> ../dm-3

hexdump -C /dev/mapper/vflash_crypt
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000270  00 00 00 00 00 07 3a 00  00 00 00 00 00 00 c0 00  |......:.........|
00000280  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000290  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000002a0  10 80 00 00 04 00 00 01  00 00 00 00 00 00 00 03  |................|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000300  00 00 00 00 00 07 fa 00  00 00 00 00 00 00 02 00  |................|
00000310  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000

# now VFLASH is also decrypted
# next step is partition table

PS3 HDD Partition Table

  • Now that we can decrypt/encrypt the PS3 HDD with Linux, we want to be able to mount HDD/VFLASH regions, because only then can we make changes to the UFS or FAT filesystems on the HDD.
  • We have to implement PS3 HDD partition table in Linux kernel.
  • The Linux kernel with this feature will create all partition devices automatically in this case and we could mount and modify any HDD regions easily.
  • A new Linux kernel patch is necessary.
  • PS3 partition table is of size 0x1000 bytes.
  • Implemented PS3 partition support in Linux kernel. See patch 0035-ps3-partition.patch here http://gitorious.ps3dev.net/ps3linux/kernel-patches-35
  • Use kpartx tool to reread partition table.

Structure

#define MAX_ACL_ENTRIES		8
#define MAX_PARTITIONS		8

#define MAGIC1						0x0FACE0FFULL
#define MAGIC2						0xDEADFACEULL

struct p_acl_entry {
	u64 laid;
	u64 rights;
};

struct d_partition {
	u64 p_start;
	u64 p_size;
	struct p_acl_entry p_acl[MAX_ACL_ENTRIES];
};

struct disklabel {
	u8 d_res1[16];
	u64 d_magic1;
	u64 d_magic2;
	u64 d_res2;
	u64 d_res3;
	struct d_partition d_partitions[MAX_PARTITIONS];
	u8 d_pad[0x600 - MAX_PARTITIONS * sizeof(struct d_partition)- 0x30];
};
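
The layout above decoded in user space, as an added example (not the kernel patch or the kpartx code): it reads the fields as big-endian, checks both magics and bounds every entry against the device size. The names `ps3_parse_label`, `ps3_sample_label` and `ps3_part`, the all-zero convention for unused slots and the device size are assumptions; the sample values are constructed from the decrypted HDD hexdump on this page.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARTITIONS	8
#define MAGIC1		0x0FACE0FFULL
#define MAGIC2		0xDEADFACEULL
#define HDR_SIZE	0x30		/* d_res1 .. d_res3 */
#define PART_SIZE	(16 + 8 * 16)	/* p_start, p_size, 8 ACL entries */
#define LABEL_SIZE	(HDR_SIZE + MAX_PARTITIONS * PART_SIZE)
struct ps3_part { uint64_t start, size; };	/* in 512-byte sectors */

/* On-disk fields are big-endian (magic1 dumps as "0f ac e0 ff"). */
static uint64_t be64(const uint8_t *p)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++)
		v = (v << 8) | p[i];
	return v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
	for (int i = 7; i >= 0; i--, v >>= 8)
		p[i] = (uint8_t)v;
}

/* Returns the number of partitions, or -1 if the label cannot be trusted. */
int ps3_parse_label(const uint8_t *buf, size_t len, uint64_t dev_sectors,
		    struct ps3_part out[MAX_PARTITIONS])
{
	int n = 0;
	/* A wrong key or a missing bswap16 layer shows up as bad magic. */
	if (len < LABEL_SIZE || be64(buf + 0x10) != MAGIC1 ||
	    be64(buf + 0x18) != MAGIC2)
		return -1;
	for (int i = 0; i < MAX_PARTITIONS; i++) {
		const uint8_t *e = buf + HDR_SIZE + i * PART_SIZE;
		uint64_t start = be64(e), size = be64(e + 8);
		if (start == 0 && size == 0)
			continue;	/* assumption: unused slots are all zero */
		if (size == 0 || start >= dev_sectors || size > dev_sectors - start)
			return -1;	/* entry runs past the end of the device */
		out[n++] = (struct ps3_part){ start, size };
	}
	return n;
}

/* Constructed sample: values from the decrypted HDD dump on this page. */
void ps3_sample_label(uint8_t buf[LABEL_SIZE])
{
	static const uint64_t v[8] = { 0x8, 0x80000, 0x80010, 0x039a8b2d,
		0x03a28b45, 0x3ffff8, 0x03e28b46, 0x1939ce0c };
	memset(buf, 0, LABEL_SIZE);
	put_be64(buf + 0x10, MAGIC1);
	put_be64(buf + 0x18, MAGIC2);
	for (int i = 0; i < 8; i++)
		put_be64(buf + HDR_SIZE + (i / 2) * PART_SIZE + (i % 2) * 8, v[i]);
}

int main(void)
{
	uint8_t buf[LABEL_SIZE];
	struct ps3_part p[MAX_PARTITIONS];
	ps3_sample_label(buf);
	int n = ps3_parse_label(buf, sizeof(buf), 488397168ULL, p); /* constructed size */
	for (int i = 0; i < n; i++)
		printf("part%d : 0 %" PRIu64 " %" PRIu64 "\n", i + 1, p[i].size, p[i].start);
	return n < 0;
}
```

For the sample label it yields the same four start/size pairs as the `kpartx -l` listing on this page, and it rejects the label when the magics do not match or an entry exceeds the device size.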

kpartx

  • kpartx is a tool which reads partition tables and creates device maps.
  • We need kpartx in order to be able to create partitions from device mapper targets.
  • But kpartx doesn't support PS3 partition table currently.
  • We need a patch which adds PS3 partition table support.
  • Official GIT repo: http://git.opensvc.com/multipath-tools/.git
  • PS3 partition table support is upstream now, you don't have to patch it anymore !!!

Patching and Building

git clone http://git.opensvc.com/multipath-tools/.git multipath-tools
cd multipath-tools
patch -p1 < ../kpartx-ps3-partition.patch
make

Test

sudo ./kpartx/kpartx -l /dev/ps3da
ps3da1 : 0 524288 /dev/ps3da 8
ps3da2 : 0 60459821 /dev/ps3da 524304
ps3da3 : 0 4194296 /dev/ps3da 60984133
ps3da4 : 0 423218700 /dev/ps3da 65178438

Test

modprobe dm-bswap16

# clear ATA and ENCDEC keys
# DO NOT DO IT WITH HDD MOUNTED !!!

ps3dm sm set_del_encdec_key 0x110
ps3dm sm set_del_encdec_key 0x111

# we have to setup device mapper bswap16 target else HDD encryption/decryption won't work properly

hdd_size=`blockdev --getsize /dev/ps3da`

echo "0 $hdd_size bswap16 /dev/ps3da" | dmsetup create hdd

# create key file

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

ls -l hdd_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 hdd_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  6 11:07 control
lrwxrwxrwx 1 root root       7 Sep  6 11:09 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  6 11:12 hdd_crypt -> ../dm-1


hexdump -C /dev/mapper/hdd_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 08 00 10  00 00 00 00 03 9a 8b 2d  |...............-|
000000d0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 03  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 03 a2 8b 45  00 00 00 00 00 3f ff f8  |.......E.....?..|
00000160  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 03 e2 8b 46  00 00 00 00 19 39 ce 0c  |.......F.....9..|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/hdd_crypt
hdd_crypt1 : 0 524288 /dev/mapper/hdd_crypt 8
hdd_crypt2 : 0 60459821 /dev/mapper/hdd_crypt 524304
hdd_crypt3 : 0 4194296 /dev/mapper/hdd_crypt 60984133
hdd_crypt4 : 0 423218700 /dev/mapper/hdd_crypt 65178438

kpartx-ps3 -a /dev/mapper/hdd_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt1 -> ../dm-2             <---------- VFLASH
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt2 -> ../dm-3             <---------- GameOS UFS2
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt3 -> ../dm-4             <---------- FAT32 region
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt4 -> ../dm-5             <---------- OtherOS++ HDD region

# create VFLASH key file

echo <your encdec data key as hex string> <your encdec tweak key as hex string> | xxd -r -p > vflash_key.bin

ls -l vflash_key.bin
-rw-r--r-- 1 root root 32 Sep  4 09:28 vflash_key.bin

# create DM crypto target
# key size is 256bit because PS3 uses XTS-AES-128 and the key is just the concatenation of the data and tweak keys.
# it is important to use option -p (--skip) here because VFLASH starts at sector 8 and encryption/decryption depends on the sector number.

cryptsetup create -c aes-xts-plain64 -d ./vflash_key.bin -s 256 -p 8 vflash_crypt /dev/mapper/hdd_crypt1

hexdump -C /dev/mapper/vflash_crypt | head -23
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 00 75 f8  |..............u.|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 00 00 00 00 00 78 00  00 00 00 00 00 06 3e 00  |......x.......>.|
000000d0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000e0  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
000000f0  10 20 00 00 03 00 00 01  00 00 00 00 00 00 00 01  |. ..............|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 06 b6 00  00 00 00 00 00 00 80 00  |................|
00000160  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000170  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 07 36 00  00 00 00 00 00 00 04 00  |......6.........|
000001f0  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000200  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

# create device mapper partitions with kpartx

kpartx-ps3 -l /dev/mapper/vflash_crypt
vflash_crypt1 : 0 30200 /dev/mapper/vflash_crypt 8
vflash_crypt2 : 0 409088 /dev/mapper/vflash_crypt 30720
vflash_crypt3 : 0 32768 /dev/mapper/vflash_crypt 439808
vflash_crypt4 : 0 1024 /dev/mapper/vflash_crypt 472576
vflash_crypt5 : 0 49152 /dev/mapper/vflash_crypt 473600
vflash_crypt6 : 0 512 /dev/mapper/vflash_crypt 522752

kpartx-ps3 -a /dev/mapper/vflash_crypt
ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Sep  7 01:09 control
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd -> ../dm-0
lrwxrwxrwx 1 root root       7 Sep  7 01:11 hdd_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt1 -> ../dm-2
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt2 -> ../dm-3
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt3 -> ../dm-4
lrwxrwxrwx 1 root root       7 Sep  7 01:12 hdd_crypt4 -> ../dm-5
lrwxrwxrwx 1 root root       7 Sep  7 01:15 vflash_crypt -> ../dm-6
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt1 -> ../dm-7
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt2 -> ../dm-8
lrwxrwxrwx 1 root root       7 Sep  7 01:17 vflash_crypt3 -> ../dm-9
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt4 -> ../dm-10
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt5 -> ../dm-11
lrwxrwxrwx 1 root root       8 Sep  7 01:17 vflash_crypt6 -> ../dm-12

Now we can mount any PS3 HDD regions on PC :)
Linux kernel device mapper is a really great feature.

# mount UFS2 partition

mount -t ufs -o ufstype=ufs2,ro /dev/mapper/hdd_crypt2 /mnt/
ls -l /mnt/
total 16
drwx-----x 5 root root 512 Dec 31  2008 crash_report
drwx------ 3 root root 512 Dec 31  2008 drm
drwxr-xr-x 6 root root 512 Dec 31  2008 game
drwx------ 3 root root 512 Dec 31  2008 home
drwx------ 3 root root 512 Dec 31  2008 mms
drwx------ 5 root root 512 Dec 31  2008 tmp
drwx------ 2 root root 512 Jun 17  2009 vm
drwx------ 5 root root 512 Jul 15  2009 vsh

umount /mnt

mount /dev/mapper/vflash_crypt4 /mnt/
ls -l /mnt/
total 1
drwxr-xr-x 6 root root 512 Jul 15  2009 data-revoke

Making Changes to cell_ext_os_area VFLASH Region

  • Here is one of the use cases for your dumped HDD and VFLASH keys.
  • It's the VFLASH region where petitboot is stored.
  • Useful for OtherOS++ users.
  • You will need it if you flash bad petitboot which doesn't boot and just hangs.
  • You have to connect your HDD to your PC, e.g. with SATA-2-USB adapter.
  • We will clear OtherOS boot flag and GameOS will boot again.
  • We don't have to decrypt VFLASH, only HDD, because cell_ext_os_area is NOT encrypted with VFLASH key, only with HDD key.
  • I tested everything myself, it's safe to use.

modprobe dm_mod
insmod dm-bswap16

# On my PC, sdd is the PS3 HDD connected through a SATA-USB adapter

hdd_size=`blockdev --getsize /dev/sdd`

echo "0 $hdd_size bswap16 /dev/sdd" | dmsetup create hdd

echo <your data key as hex string> <your tweak key as hex string> | xxd -r -p > hdd_key.bin

cryptsetup create -c aes-xts-plain64 -d ./hdd_key.bin -s 256 hdd_crypt /dev/mapper/hdd

kpartx-ps3 -a /dev/mapper/hdd_crypt

# cell_ext_os_area starts at offset 0xe740000 on VFLASH

# first dump os area parameters
# it begins at offset 0xe740200

dd if=/dev/mapper/hdd_crypt1 of=params.bin bs=1 count=512 skip=$((0xe740200))

# now clear the boot flag
# just make the first 4 bytes in params.bin all 0s

# now we write it back

dd of=/dev/mapper/hdd_crypt1 if=params.bin bs=1 count=512 seek=$((0xe740200))

sync

# clean up everything before disconnecting PS3 HDD

kpartx-ps3 -d /dev/mapper/hdd_crypt
dmsetup remove hdd_crypt
dmsetup remove hdd

# now GameOS should boot and you can flash a new petitboot :)

# you also could write new petitboot image to VFLASH :)

Further Work

  • Encryption/decryption of HDD on FreeBSD using geli framework.
