USB Dongle Authenticator: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
 
(11 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Category:Software]]
 
== 0x24000 - USB Dongle Authenticator  ==
== 0x24000 - USB Dongle Authenticator  ==
note: inside ss_server1.fself
Dongle check is done on Lv2 kernel start up
File /dev_usb000/pmode_param.txt used by lv2 since fw 3.60


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
Line 22: Line 26:


Here are hexdumps of some challenge bodies i let 0x24001 service generate:  
Here are hexdumps of some challenge bodies i let 0x24001 service generate:  
<pre>2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D
<pre>2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D</pre>
</pre><pre>2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA
<pre>2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA</pre>
</pre><pre>2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13
<pre>2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13</pre>
</pre>
 
=== 0x24002 - Verify Response  ===
=== 0x24002 - Verify Response  ===


Line 50: Line 54:
*Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping  
*Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping  
*The first 12 bytes of decrypted USB Dongle Master Key is a magic value: '''_USB_DONGLE_'''. After these 12 bytes follows the real USB Dongle Master Key of size 20 bytes. So, if after decryption of USB Dongle Master Key, you see this magic value then the decryption was successfull.
*The first 12 bytes of decrypted USB Dongle Master Key is a magic value: '''_USB_DONGLE_'''. After these 12 bytes follows the real USB Dongle Master Key of size 20 bytes. So, if after decryption of USB Dongle Master Key, you see this magic value then the decryption was successfull.
*To decrypt USB Dongle master key you need SC Iso Encrypt/Decrypt 5 Key, seed, Lpar Auth ID (0x1070000001000001), Program Auth ID (0x1070000045000001) and use VTRM Decrypt Master with the Master Key
Here is the encrypted USB Dongle Master Key from HV:
{| class="wikitable"
|-
! 3.15 !! 4.xx
|-
| <pre>22 D5 D1 8C FF E2 4F AC EC 72 A2 42 A7 18 98 10
25 33 E0 96 F2 C1 91 0D 15 23 D3 07 74 E7 2B 72
DF A6 DD E9 68 8B 76 2A 6A 87 51 7F 85 39 0B D4
20 3F 46 89 04 82 B7 30 84 89 4B CC 9D B1 24 7C</pre> || <pre>8E 51 45 76 4B 66 35 2D 69 4A 38 D6 F8 71 CD 1A
25 26 D9 8E 0F 3D 2D D2 1F DC FC CF 1C F7 28 5F
C6 6E C7 03 DB 62 7F 86 AA F6 B9 55 11 D8 64 DD
34 72 C3 59 A0 C4 83 A3 F7 C1 5B 40 32 53 D8 C3</pre>
|-
|}
This is the 16 bytes ''' seed''':
{| class="wikitable"
|-
! 3.15 !! 4.xx
|-
| <pre>5F 55 53 42 5F 44 4F 4E 47 4C 45 5F 41 55 54 48</pre> || <pre>5F 55 53 42 5F 44 4F 4E 47 4C 45 5F 41 55 54 48</pre>
|-
|}


Here is the encrypted USB Dongle Master Key from HV 3.15:
<pre>0x22 0xD5 0xD1 0x8C 0xFF 0xE2 0x4F 0xAC 0xEC 0x72 0xA2 0x42 0xA7 0x18 0x98 0x10
0x25 0x33 0xE0 0x96 0xF2 0xC1 0x91 0x0D 0x15 0x23 0xD3 0x07 0x74 0xE7 0x2B 0x72
0xDF 0xA6 0xDD 0xE9 0x68 0x8B 0x76 0x2A 0x6A 0x87 0x51 0x7F 0x85 0x39 0x0B 0xD4
0x20 0x3F 0x46 0x89 0x04 0x82 0xB7 0x30 0x84 0x89 0x4B 0xCC 0x9D 0xB1 0x24 0x7C
</pre>
This is the '''decrypted''' dongle master key:  
This is the '''decrypted''' dongle master key:  
<pre>
{| class="wikitable"
0x46 0xDC 0xEA 0xD3 0x17 0xFE 0x45 0xD8 0x09 0x23
|-
0xEB 0x97 0xE4 0x95 0x64 0x10 0xD4 0xCD 0xB2 0xC2
! 3.15 !! 4.xx
</pre>
|-
This is the '''decrypted''' dongle key for dongle ID&nbsp;0xAAAA&nbsp;which works up to 3.55:
| <pre>46 DC EA D3 17 FE 45 D8 09 23
<pre>
EB 97 E4 95 64 10 D4 CD B2 C2</pre> || <pre>46 DC EA D3 17 FE 45 D8 09 23
0x04 0x4E 0x61 0x1B 0xA6 0xA6 0xE3 0x9A 0x98 0xCF
EB 97 E4 95 64 10 D4 CD B2 C2</pre>
0x35 0x81 0x2C 0x80 0x68 0xC7 0xFC 0x5F 0x7A 0xE8
|-
</pre>
|}
Here is the USB Dongle Master Dummy Key from HV 3.15:
 
<pre>0xD1 0xFC 0x57 0x55 0xBF 0x20 0xFA 0xB2 0xD4 0xA5 0x4A 0x0A 0x0C 0x5D 0x52 0x8E
 
0xDF 0x66 0xCD 0x74
This is the '''decrypted''' dongle key for dongle ID&nbsp;0xAAAA&nbsp;:
</pre>
{| class="wikitable"
|-
! 3.15-3.55 !! 4.xx
|-
| <pre>04 4E 61 1B A6 A6 E3 9A 98 CF
35 81 2C 80 68 C7 FC 5F 7A E8</pre> || <pre></pre>
|-
|}
 
 
Here is the USB Dongle Master Dummy Key from HV:
 
{| class="wikitable"
|-
! 3.15 !! 4.xx
|-
| <pre>D1 FC 57 55 BF 20 FA B2 D4 A5 4A
0A 0C 5D 52 8E DF 66 CD 74</pre> || <pre></pre>
|-
|}


==== USB Dongle ID Revoke List  ====
==== USB Dongle ID Revoke List  ====
Line 78: Line 122:
*Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.
*Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.


The following USB Dongle IDs are revoked in HV 3.15:
The following USB Dongle IDs are revoked in HV:
<pre>0, 2, 13, 32, 34, 176, 241
{| class="wikitable"
</pre>
|-
! 3.15 !! 4.70
|-
| <pre>0, 2, 13, 32, 34, 176, 241</pre> || <pre>0, 2, 13, 32, 34, 176, 241, 286</pre>
|-
|}
 
 
 
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 12:30, 1 October 2018

0x24000 - USB Dongle Authenticator[edit | edit source]

note: inside ss_server1.fself
Dongle check is done on Lv2 kernel start up
File /dev_usb000/pmode_param.txt used by lv2 since fw 3.60
Packet ID Description
0x24001 Generate Challenge
0x24002 Verify Response

0x24001 - Generate Challenge[edit | edit source]

  • I have got access to this service through DM and tested it
  • The service expects no input parameters except those in SS packet header
  • It uses 0x5003 service (Generate Random Number) to generate random numbers that are used in challenge body
  • The length of a challnge body is always 23 bytes, first 3 bytes are always the same: 0x2E 0x02 0x01

Here are hexdumps of some challenge bodies i let 0x24001 service generate: 

2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D
2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA
2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13

0x24002 - Verify Response[edit | edit source]

  • I have got access to this service and tested it with PSGroove
  • The response body is 25 bytes large
  • The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
  • The 16 bit at offset 3 is a dongle ID
  • The dongle ID is checked if it's revoked or not
  • When the verification succeedes then product mode is set to 1
  • The service calculates USB Dongle Key from USB Dongle ID and USB Dongle Master Key by using HMAC SHA-1
  • The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and USB Dongle Key
  • After that the service compares the calculated response body with the given one that was sent to the service
  • It seems that laid and paid from SS packet header are used in decryption process

USB Dongle Master Key[edit | edit source]

  • USB Dongle Master Key is stored encrypted in Process 6
  • The encrypted key is 64 bytes large
  • The decrypted key is 20 bytes large
  • The USB Dongle Master Key is decrypted first time the service 0x24002 is used
  • The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of Vitual TRM Manager
  • The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after first usage of this service)
  • When decryption of USB Dongle Master Key fails then a dummy key is used
  • Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping
  • The first 12 bytes of decrypted USB Dongle Master Key is a magic value: _USB_DONGLE_. After these 12 bytes follows the real USB Dongle Master Key of size 20 bytes. So, if after decryption of USB Dongle Master Key, you see this magic value then the decryption was successfull.
  • To decrypt USB Dongle master key you need SC Iso Encrypt/Decrypt 5 Key, seed, Lpar Auth ID (0x1070000001000001), Program Auth ID (0x1070000045000001) and use VTRM Decrypt Master with the Master Key


Here is the encrypted USB Dongle Master Key from HV:

3.15 4.xx 
22 D5 D1 8C FF E2 4F AC EC 72 A2 42 A7 18 98 10
25 33 E0 96 F2 C1 91 0D 15 23 D3 07 74 E7 2B 72
DF A6 DD E9 68 8B 76 2A 6A 87 51 7F 85 39 0B D4
20 3F 46 89 04 82 B7 30 84 89 4B CC 9D B1 24 7C
 
8E 51 45 76 4B 66 35 2D 69 4A 38 D6 F8 71 CD 1A
25 26 D9 8E 0F 3D 2D D2 1F DC FC CF 1C F7 28 5F
C6 6E C7 03 DB 62 7F 86 AA F6 B9 55 11 D8 64 DD
34 72 C3 59 A0 C4 83 A3 F7 C1 5B 40 32 53 D8 C3

This is the 16 bytes seed:

3.15 4.xx 
5F 55 53 42 5F 44 4F 4E 47 4C 45 5F 41 55 54 48
 
5F 55 53 42 5F 44 4F 4E 47 4C 45 5F 41 55 54 48


This is the decrypted dongle master key:

3.15 4.xx 
46 DC EA D3 17 FE 45 D8 09 23
EB 97 E4 95 64 10 D4 CD B2 C2
 
46 DC EA D3 17 FE 45 D8 09 23
EB 97 E4 95 64 10 D4 CD B2 C2


This is the decrypted dongle key for dongle ID 0xAAAA :

3.15-3.55 4.xx 
04 4E 61 1B A6 A6 E3 9A 98 CF
35 81 2C 80 68 C7 FC 5F 7A E8
 








Here is the USB Dongle Master Dummy Key from HV: 







3.15
4.xx





D1 FC 57 55 BF 20 FA B2 D4 A5 4A 
0A 0C 5D 52 8E DF 66 CD 74








USB Dongle ID Revoke List[edit | edit source]


  • Process 6 contains a revoke list for USB Dongle IDs
    • 

  • The revoke list is 0x2000 bytes large. It's a bitmap.
    • 

  • Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.


The following USB Dongle IDs are revoked in HV: 







3.15
4.70





0, 2, 13, 32, 34, 176, 241


0, 2, 13, 32, 34, 176, 241, 286











General






Hypervisor
Services
Plugin
Interfaces

ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin ·  np_multisignin_plugin · np_sns_plugin ·  npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation


Extended
features
Online
Hardware


SC


CELL


RAM


SB


HDD


BD


Tools
Strings


files


dumps


Reference
Keys & Seeds


Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=USB_Dongle_Authenticator&oldid=50759"