Remarry Bluray Drive on Linux

From PS3 Developer wiki

Introduction

  • I was playing with HRL buffer of my BD drive on PS3 Slim and corrupted it.
  • After that I couldn't play BD movies on GameOS; the BD player returned an error.
  • After I had written P-Block, S-Block and a new HRL, I could play my BD movies again :)
  • Hope this guide can help someone too.

EID2

P-Block and S-Block DES-CBC IV and key:

IV: 00 00 00 00 00 00 00 00
key: 6C CA B3 54 05 FA 56 2C

Decrypting EID2

  • You can decrypt the P- and S-Blocks with openssl, e.g.:
# eid2.bin is your EID2 from NOR/NAND flash

# You can dump EID2 e.g. with ps3dm

ps3dm iim get_data 2 > eid2.bin
 
(dd if=eid2.bin bs=1 skip=$((0x20)) count=$((0x80)); dd if=/dev/zero bs=1 count=16) | \
    openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key>  > pblock_des.bin

(dd if=eid2.bin bs=1 skip=$((0xa0)) count=$((0x690)); dd if=/dev/zero bs=1 count=16) | \
    openssl enc -d -aes-256-cbc -iv <your EID2 IV> -K <your EID2 key>  > sblock_des.bin

# First 16 bytes in pblock_des.bin and sblock_des.bin should be equal to: 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

Tools

Steps

  • The order is important. You cannot e.g. write HRL before writing P-Block or S-Block. I tried and corrupted my HRL.


1. Write P-Block

2. Authenticate BD drive with Storage Manager

3. Write S-Block

4. Write HRL

Writing P-Block

  • P-Block is stored in BD buffer 2.
  • BD buffer 2 is of size 0x60 bytes.
  • P-Block is in decrypted EID2 at offset 0x20 and of size 0x80.
  • Not all P-Block data is sent to BD drive. Only data starting at offset 0x10 and of size 0x60 bytes is written to BD drive buffer 2.
  • If you read back the BD buffer 2 right after you have written it then the first 0x10 bytes should match the first 0x10 bytes you sent. The remaining 0x50 bytes you read back should be all 0s.


Your P-Block should look like this after decryption:

hexdump -C pblock.bin
00000000  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000010  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000020  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000030  04 00 04 00 00 00 00 00  fd 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx  |................|
00000060

Test

  • Tested on my PS3 Slim with OtherOS++.
  • After writing P-Block to BD drive buffer 2, authenticate the BD drive with ps3dm.
ls -l pblock.bin
-rw-r--r-- 1 glevand glevand 96 Aug 25 07:44 pblock.bin

# First enable writing BD buffer 2

sudo ./bd_enable_buffer_write -b 2

# Write P-Block to BD buffer 2

sudo ./bd_write_buffer -b 2 -i pblock.bin

# Authenticate the BD drive

sudo ps3dm -v sm drive_auth 0x29                 # It should not fail !!!
ss status 0

Writing S-Block

  • S-Block is stored in BD buffer 3.
  • BD buffer 3 is of size 0x670 bytes.
  • S-Block is in decrypted EID2 at offset 0xa0 and of size 0x690.
  • The first 0x10 bytes in your S-Block should match the first 0x10 bytes of your P-Block.
  • Not all S-Block data is sent to BD drive. Only data starting at offset 0x10 and of size 0x670 bytes is written to BD drive buffer 3.
  • If you read back the BD buffer 3 right after you have written it then the first 0x10 bytes should match the first 0x10 bytes you sent and also the first 0x10 bytes which you read back from BD buffer 2 after you sent P-Block. The remaining 0x660 bytes you read back should be all 0s.

Test

  • Tested on my PS3 Slim with OtherOS++.
ls -l sblock.bin
-rw-r--r-- 1 glevand glevand 1648 Aug 25 08:57 sblock.bin

# First enable writing BD buffer 3

sudo ./bd_enable_buffer_write -b 3

# Write S-Block to BD buffer 3

sudo ./bd_write_buffer -b 3 -i sblock.bin
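
The size and read-back rules listed for buffers 2 and 3 can be checked offline before and after each write. The script below is an added example, not part of the original page or its tools; the function names are hypothetical, and the prefix comparison between the two payloads follows from the read-back rules above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sizes and rules are the page's.

fsize()    { wc -c < "$1" | tr -d ' '; }
prefix16() { head -c 16 "$1" | od -An -v -tx1 | tr -d ' \n'; }   # first 0x10 bytes as hex

# preflight PBLOCK SBLOCK: payload sizes must equal the buffer sizes (0x60, 0x670)
# and both payloads must start with the same 0x10 bytes.
preflight() {
    [ "$(fsize "$1")" -eq $((0x60)) ]  || { echo "P-Block payload is not 0x60 bytes" >&2; return 1; }
    [ "$(fsize "$2")" -eq $((0x670)) ] || { echo "S-Block payload is not 0x670 bytes" >&2; return 1; }
    [ "$(prefix16 "$1")" = "$(prefix16 "$2")" ] || { echo "first 0x10 bytes differ" >&2; return 1; }
}

# check_readback SENT READBACK: same length, same first 0x10 bytes, and every
# byte after offset 0x10 in the read-back is 0.
check_readback() {
    [ "$(fsize "$1")" -eq "$(fsize "$2")" ] || { echo "length mismatch" >&2; return 1; }
    [ "$(prefix16 "$1")" = "$(prefix16 "$2")" ] || { echo "first 0x10 bytes differ" >&2; return 1; }
    nonzero=$(tail -c +17 "$2" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ] || { echo "$nonzero non-zero bytes after offset 0x10" >&2; return 1; }
}

# Demo on constructed data (not a real P-Block): 0x60-byte payload and its read-back.
tmp=$(mktemp -d)
{ printf '0123456789abcdef'; head -c 80 /dev/zero | tr '\000' 'P'; } > "$tmp/pblock.bin"
{ printf '0123456789abcdef'; head -c 80 /dev/zero; }                 > "$tmp/buf2.bin"
check_readback "$tmp/pblock.bin" "$tmp/buf2.bin" && echo "buffer 2 read-back OK"
rm -rf "$tmp"
```

On the console the read-back file would come from a raw buffer read such as the sg_read_buffer call this page uses for buffer 4, with the buffer id and length adjusted (an assumption; the page only shows it for buffer 4).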

Writing New HRL to BD Drive

  • HRL is stored in BD buffer 4.
  • BD buffer 4 is of size 0x8000 bytes.
  • If you dump the HRL buffer after you have written P- and S-Blocks but before you have written a new HRL then you won't see a valid HRL but some junk. That's OK.
glevand@debian:~$ sudo sg_read_buffer -i 4 -m 2 -o 0 -l 0x8000 -r /dev/sr0 | hexdump -C
00000000  10 00 00 0c 00 03 10 03  00 00 00 01 21 00 00 34  |............!..4|
00000010  00 00 00 00 00 00 00 00  1b 0b f2 6d 47 9e 77 62  |...........mG.wb|
00000020  3d 91 fc 78 b1 59 c9 52  ca a4 c7 41 85 24 96 64  |=..x.Y.R...A.$.d|
00000030  8d 1d 95 8e 9b 84 c6 fa  4a dd 43 9b 42 98 fe ff  |........J.C.B...|
00000040  df e6 f3 56 85 81 e1 1b  27 53 08 14 16 6d 97 3c  |...V....'S...m.<|
00000050  20 2d e2 97 00 00 00 00  00 00 00 00 00 00 00 00  | -..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00008000

Test

  • Tested on my PS3 Slim with OtherOS++.
  • You cannot just write a new HRL to BD drive buffer 4. Actually you can, but it will corrupt your current BD HRL.
  • If you corrupt your HRL then nothing bad will happen but you won't be able to play BD movies.
  • First you have to send P-Block to BD drive, after that authenticate the BD drive and then write a new HRL. Only in this order will it work.
  • Dump the default HRL from Lv2diag.self (size 0x54 bytes) or just use the hexdump I posted here and pad it with 0s to 0x8000 bytes.
ls -l default_hrl.bin
-rw-r--r-- 1 glevand glevand 32768 Aug 25 00:57 default_hrl.bin

# First enable writing BD buffer 4

sudo ./bd_enable_buffer_write -b 4

# Write HRL to BD buffer 4

sudo ./bd_write_buffer -b 4 -i default_hrl.bin

# Read back HRL

sudo sg_read_buffer -i 4 -m 2 -o 0 -l 0x8000 -r /dev/sr0 | hexdump -C
00000000  10 00 00 0c 00 03 10 03  00 00 00 01 21 00 00 34  |............!..4|
00000010  00 00 00 00 00 00 00 00  1b 0b f2 6d 47 9e 77 62  |...........mG.wb|
00000020  3d 91 fc 78 b1 59 c9 52  ca a4 c7 41 85 24 96 64  |=..x.Y.R...A.$.d|
00000030  8d 1d 95 8e 9b 84 c6 fa  4a dd 43 9b 42 98 fe ff  |........J.C.B...|
00000040  df e6 f3 56 85 81 e1 1b  27 53 08 14 16 6d 97 3c  |...V....'S...m.<|
00000050  20 2d e2 97 00 00 00 00  00 00 00 00 00 00 00 00  | -..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00008000
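
To build default_hrl.bin from a `hexdump -C` listing like the one above, or from a 0x54-byte dump, the text has to be turned back into bytes and zero-padded to the buffer size. The script below is an added example, not part of the original page or its tools; the function names are hypothetical and the sample dump is constructed, not a real HRL.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# unhexdump: turn `hexdump -C` text on stdin back into raw bytes on stdout,
# expanding a "*" line by repeating the previous row up to the next offset.
unhexdump() {
    esc=$(awk '
    function hex(s,   i, v) {               # hex string -> number
        s = tolower(s); v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    function row(   i) { for (i = 1; i <= n; i++) printf "\\%03o", byte[i] }
    $1 == "*" { star = 1; next }
    {
        sub(/\|.*$/, "")                     # drop the ASCII column
        off = hex($1)
        if (star) { while (n > 0 && pos < off) { row(); pos += n }; star = 0 }
        if (NF < 2) next                     # closing line carries only the end offset
        n = NF - 1
        for (i = 1; i <= n; i++) byte[i] = hex($(i + 1))
        row(); pos = off + n
    }')
    printf "$esc"                            # esc holds only \ooo octal escapes
}

# pad_to SIZE: copy stdin to stdout, zero-padded (or cut) to exactly SIZE bytes.
pad_to() { { cat; head -c "$1" /dev/zero; } | head -c "$1"; }

# Constructed sample dump (not the page's HRL): one data row, zeros up to 0x40.
sample='00000000  de ad be ef 00 01 02 03  04 05 06 07 08 09 0a 0b  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040'
# Rebuild the bytes, pad to the buffer 4 size and print the resulting length.
printf '%s\n' "$sample" | unhexdump | pad_to $((0x8000)) | wc -c
```

With the dump text saved to a file, `unhexdump < dump.txt | pad_to $((0x8000)) > default_hrl.bin` produces the 32768-byte file, and `cmp` against the raw read-back confirms the write.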