eEID Cryptography

July 11, 2012

When metldr is encrypted at factory, a special keyset is set in the binary before encryption. Later when an isolated loader is loaded by metldr, it will copy the keyset to LS offset 0x00000. It consists of eid_root_key and eid_root_iv. To not having to use the same key for all eEID parts, several subkeys are generated from special data called individual information seed. These seeds are stored in the metadata header of isolated modules loaded by isoldr. When isoldr will load a module, it will call a subroutine that encrypts each seed chunk (0x40 bytes) using eid_root_key and eid_root_iv. Then the so-called individual infos are passed in registers r7 to r22 (= 0x100 bytes in total) to the loaded module where they are used further. Usually isolated modules have a seed section of 0x100 bytes but all of them (except sb_iso_spu_module) have all zeroes but the first 0x40 bytes chunk. You can, for example, find the recently published EID0 seed in the metadata section of aim_spu_module. Appliance info manager is used to get e.g. the target ID or the PSID from EID0. This explains why the seed can also be found in isoldr directly, since that one is checking EID0 too.

As you can probably think, a fair amount of reversing time and knowledge has gone into finding this, so stop calling us *swearwords* for not releasing information that could potentially lead to more piracy, because we think that this would do more harm to the “scene” than just keeping some information in private (for now). Also I can only encourage everyone that thinks about us this way or is greedy demanding for developers/reverse engineers to release their stuff, to fire up isoldr in IDA or disassemble it with objdump and try to reverse all this from start to end. We’ll see, who is able to pull this through on his own…

About these ads

12 Responses to “eEID Cryptography”

  1. johny Says:

    meh piracy piracy…. well accessing SP-INT is a f+ckin crime… and your secrecy allowed the DRM dongles to appear…

    oh and yes lets all fire up our “legit” stolen from ESET copies of IDA

    get a grip! you are a great dev/reverser but those arguments after the process has been made public and noobs and smaller devs finaly understanding where those eboots were coming is not valid anymore.

    for the mask has fallen
    johny

    • naehrwert Says:

      Thus why I said “or disassemble it with objdump” ;)
      Wait, what, now it’s our fault that TB and others kept appearing? Didn’t I make it clear to have no intention in enabling piracy? So you can’t really blame us to be responsible for not enabling it before TB when we were never going to..

      • Heh Says:

        Interesting. You do not want to ‘enable piracy’, but at the same time you have no problems using pirated IDA, like all the other hypocrites in the scene?

        I am dying to find out how much you paid for your copy of IDA, and why Hex-Rays guys decided to sell it to you. Since I’ve been through IDA purchasing process before (twice), I know what kind of pain it is, but I presume you are a special snowflake, right?

        I can tell you one thing, though. Quite few ‘older’ guys (like myself) did start looking into PS3 2 years ago and made some progress because it was fun (and hobby should be fun), but once we realized how many retards exist in this ‘scene’ (silly name, though), we just gave up. Takes way too much effort to share information with others, too many ‘devs’ are just obsessed with getting paid for their findings, there is nothing genuine about this ‘scene’.

        Something that should be hobby and fun is actually business for some of you. But that still doesn’t stop you from trying to claim moral high ground.

        Amusing.

      • naehrwert Says:

        You obviously can’t read, or you would have seen that I clearly stated “or disassemble it with objdump”, since I’ve got a tool that produces nice control flow graphs to visualize them using graphviz.
        And yes you are right, some ‘devs’ in this ‘scene’ are out for money, but I can tell you one thing too: I’m writing this blog because I have fun reversing and want to share a bit of that with interested people. I’ve never asked for money/donations or however you want to call it, and I never will nor would I ever take any money for something that IS a hobby to me. So it’s my good right to try to have at least a bit of moral and be against piracy.

  2. Jules Says:

    Thanks for sharing! I understand both Sites, sometimes stuff must keeped Non Public, but as the State of the Scene that is pretty much *sweared* up that most of these private Information are used by Companies like TB and E3, is just sad for me seeing that the Work from Graf and his dedication could be stopped by Sony, and others make profit from warez! i think Piracy must not hurt, look at xBox homebrew Developers and the iPhone Scene, Apple and Microsoft profiting so much from the work people do fro free, even if it enables piracy, in case of Sony i really dont wanna support them anymore, and if i knowing what the do with graf i would never buy theyre product! But it mus be a pain in the ars, getting asked about new cfw over and over again in this demanding maner that kids do this days! anyway! thx for share!

  3. CaptainCPS-X Says:

    Thanks for your dedication naehrwert! you have my respect!

    Btw, can you recommend me some books related to the security of the PS3 system?, I recently got “Understanding
    Cryptography – A Textbook for Students and Practitioners”, in hopes of understanding more of this.

    I already have experience with C/C++/PHP and a couple of other languages and been programming for the windows platform.

    I don’t have experience with assembly language but I guess if I want to go deeper into this I will have to learn as well.

    Any indication of what I should learn to understand the PS3 system security would be greatly appreciated (software / hardware).

    SeeYa! :)

    • naehrwert Says:

      I guess any book that tells you how symmetric and asymmetric ciphers work will do ;) If you really want to dig into the PS3’s security, you should look at IBM’s Cell/B.E documents (which can be found here: https://www-01.ibm.com/chips/techlib/techlib.nsf/products/Cell_Broadband_Engine) first and learn PPC/SPU assembler. If you’re interested in the PS3’s crypto, then the isolated loaders/modules are waiting for you to be reversed :)

      • CaptainCPS-X Says:

        Thanks for the quick reply ! I am very motivated with this so I will indeed start my learning on these areas you mentioned. I just didn’t want to waste time in other areas that has no relation with the PS3 security :), so I appreciate for pointing me in the right direction.

        Take Care!

        SeeYa! :D

  4. gyph256 Says:

    Alright. This needs to be said.

    I’m a pirate. Through and through. I’ll steal any game I want play it, if it has decent online play I’ll buy it. SIngle player? I can wait until its able to be emulated a decade from now if I have to. With a few exceptions of course.

    That being said, there has always been a code of ethics amongst those who do pirate.

    I feel the majority of people in the scene normally just sit by and enjoy the ride. I can code database applications and the occasional crappy game for a contest (this was high school), but I wouldn’t even know where to begin with encryption, nor do I feel the need to yell, scream, or demand things from someone that is doing this in their free time. So I sit quietly by and enjoy the work of others.

    This can’t be said for everyone, but if I have the extra money and I like the work someone is doing I’ll throw a few bucks their way.

    Because I want to.

    Because I respect their work. I get to play games I would otherwise have to wait a decade or so to enjoy. And with any good hack for a console comes the onslaught of homebrew (which I am a major fan of on my PS3. It let me introduce a few friends to seiken densetsu 3.).

    I do not own a TB or any other sort of dongle. The first thing I hacked my PS3 with was and old graphing calculator I had around (and later my android phone). I refuse to give money to a company for playing in what I feel like should be a developers playground.

    Most of you guys actually enjoy doing this stuff or you wouldn’t do it. You wouldn’t fight so hard for your right to do so in court. You wouldn’t continue to do so lawsuit after lawsuit.

    What I don’t understand, is if you have the power to take the money away from people that are profiting of your research, why not do so?

  5. zygote Says:

    Appreciate your hard work..thnx for this info

  6. mikawi Says:

    although i didn’t understand anything, i appreciate ur job …
    we need CFW ….


  7. [...] it”The connection with naehrwertThis hack was revealed as a leak. It seems obvious (based on his recent blog post) that naehrwert was part of the people working on all the reversing work required to access this [...]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.