PS4 HDD Script by anonymous

zecoxao

Developer
This script converts the encrypted eap hdd keys in your sflash0 into valid ones that you can use to browse some of the content in your ps4 hdd. It only requires a dump of sflash0, which means you don't need to hack your console to get access to most of the hdd.

Usage:

Install pathlib and pycryptoplus using pip2 (python2 is required)
Dump your sflash0 (either via ftp using hax or via hw flasher)
Make sure your sflash0 is 32MB! (0x2000000 bytes!)
Make sure the magic at 0x1C91FC is 0xE5E5E501!
Run the script with sflash0 next to it
Code:
python2 hdd_script.py
It'll output your keys and export them to a file called keys.bin

You can then use these keys on linux to mount certain partitions of the hdd, such as :

/user
/eap_user
/eap_vsh
/update

To name a few

The procedure to mount is done using cryptmount and documented on the wiki:

https://www.psdevwiki.com/ps4/Mounting_HDD_in_Linux

The script is attached below. Enjoy!
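As an added sanity check (not the attached script, which is not reproduced here), this Python 3 snippet verifies the two preconditions from the usage list, the 32 MiB size and the magic at 0x1C91FC, before you run hdd_script.py. It assumes the magic is compared as a 32-bit little-endian value, which the post does not state, and reports a byte-swapped match separately so a dump saved in the wrong byte order is obvious.

```python
import os
import struct

# Preconditions stated in the post: the dump must be exactly 32 MiB and
# carry this magic at this offset, otherwise hdd_script.py will not work.
SFLASH0_SIZE = 0x2000000
MAGIC_OFFSET = 0x1C91FC
MAGIC_VALUE = 0xE5E5E501


def check_sflash0(path):
    """Return (ok, message) for the size and magic checks on a dump file.

    Assumption (not stated in the post): the magic is a 32-bit little-endian
    value; a big-endian match is reported as a byte-swapped dump.
    """
    size = os.path.getsize(path)
    if size != SFLASH0_SIZE:
        return False, "size is 0x%X bytes, expected 0x%X (32 MiB)" % (size, SFLASH0_SIZE)
    with open(path, "rb") as f:
        f.seek(MAGIC_OFFSET)
        raw = f.read(4)
    if len(raw) != 4:
        return False, "could not read 4 bytes at 0x%X" % MAGIC_OFFSET
    le = struct.unpack("<I", raw)[0]
    be = struct.unpack(">I", raw)[0]
    if le == MAGIC_VALUE:
        return True, "magic 0x%08X found at 0x%X" % (le, MAGIC_OFFSET)
    if be == MAGIC_VALUE:
        return False, "magic matches only byte-swapped (raw %s)" % raw.hex()
    return False, "magic at 0x%X is 0x%08X, expected 0x%08X" % (MAGIC_OFFSET, le, MAGIC_VALUE)


def write_constructed_dump(path, magic_bytes=struct.pack("<I", MAGIC_VALUE), size=SFLASH0_SIZE):
    """Create a sparse all-zero file with only the magic bytes set.

    Constructed test data for exercising check_sflash0; it is not a real dump.
    """
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(MAGIC_OFFSET)
        f.write(magic_bytes)
    return path


if __name__ == "__main__":
    import sys
    ok, msg = check_sflash0(sys.argv[1] if len(sys.argv) > 1 else "sflash0")
    print(("OK: " if ok else "FAIL: ") + msg)
```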

It only requires a dump of sflash0, which means you don't need to hack your console to get access to most of the hdd.
How can I dump sflash0 without hacking the console? :P

So, if I need a hacked console, wouldn't this be easier?
https://www.psx-place.com/threads/hdd-reading.20760/#post-197105

What partitions can be decrypted? You mentioned only mount points. I know only about partition 27 (order from GPT), but what else? I have the newest fw so I cannot check myself, so I would be glad if .

And thanks for the script! ^^

https://psdevwiki.com/ps4/MX25L25635FMI-10G
https://psdevwiki.com/ps4/Flashing

Hint

On Board Dumping does not work (it works with VCC pin lifted). To Read/Write the chip in the safest way possible, you will need to desolder the Macronix Flash from the PS4 Mainboard and use an external flasher like the Teensy and SPIway (https://psdevwiki.com/ps4/SPIway) or the Raspberry Pi and JAISPI. For the desoldering part you should use a Hot Air SMD Rework Station like this one and a nozzle to only heat up the pins of the Chip.
 
I just got my keys from the sflash0 I dumped earlier using this script. It's identical to the ones I got from orbisman. I just wanted to check if they were the same. :)
 
I wrote some instructions from start to finish on using this script on temp. Here they are:

The eap key is the hdd encryption key. To use the script, install python 2.7.9 (contains pip), add the scripts folder (has pip inside) to the path in environment variables, and install both dependencies as mentioned above using pip install <dependency name> in command prompt. You need to install another dependency for the crypto, but it will tell you what. I've forgotten what it was, but it will be easy to find via google, otherwise the crypto will fail to install. Then, after that's done, just run the script on the sflash0. Make sure it's called sflash0 and not sflash0.bin or something else or the script will error. You'll be given a new file called keys.bin. That's your eap key. Keep it safe. Mine was exactly the same as the one I got from orbisman, which is the easiest way to get it, but I think orbisman may only work on 4.55 and 5.05. This script should work on any console, any firmware afaik.

On a side note, I finally compiled wfs-extract. I found out what was wrong earlier today. Unfortunately, the exe still errors at the same file of the mlc.bin for the wii u as the official release does. I compiled a second version that was one kilobyte larger, and it did the same thing. :( Thus, I'm redumping the mlc right now. I think something may have happened when I merged it with copy /b. That's the only thing I can think of, so I'm going to keep it split as well as merge it with admin privileges.
 
@zecoxao I have used the script from the attachment but the generated "keys.bin" file is different than "eap_hdd_key.bin" from Psxitarch Linux (which is valid because I've decrypted e.g. partition no. 27 successfully). So the script doesn't cover this PS4 model?

SFLASH0 came from CUH-2215B. It has exactly 32MiB, the magic at the pointed offset, and the script doesn't complain.

- - -

If someone wants to know how to run it on a Linux Mint 20.3 live session:
Code:
sudo su
apt update
apt install python2
add-apt-repository universe
apt update
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
python2 get-pip.py
pip2 install pathlib
pip2 install pycryptoplus
Put the script in the same place where the "sflash0" file (no extension) is and type:
Code:
python2 hdd_script.py
In this dir you will find the "keys.bin" file, which is the EAP Key. At least in theory. :P
Your console has the Baikal model of south bridge. It requires a kernel dump (we do not have any keys for that model).
 
If I understand correctly and you are referring to the CUH-2215B as being Baikal then I can confirm that it's not. Or at the very least my 2215B is not a Baikal but is a Belize. ChendoChap's southbridge identifier bin says it's Belize 2 and only Belize kernels work on my 2215B.

If I misread your message then I'm sorry.
 
Thank you for finally confirming what the missing part is. Do you have a dump of sflash0s0 for analysis?
 
Wait, so if this allows the hdd to be externally mounted and decrypted, what prevents us from dumping the key, then updating the console and doing backports, installing a game, removing and mounting the hdd and extracting the package?
 
@magix01 The EID Root Key, from which the ATA and VFLASH keys are calculated, is part of metldr, which is encrypted by an unknown key (probably by the Cell Key) in an unknown way. We can retrieve it thanks to an exploit which exposes the meta loader to us as decrypted from the SPU. This file does not exist on models published with fw 3.56 or newer, and/or the exploit no longer works (we don't know which, because no one has yet defeated LV1 on those models, and this is the reason why they can only use HEN but not CFW).

So, if you are able to hack your PS3 by installing CFW and read the ERK, you can install OFW and still have access to every part of the HDD on sector and filesystem level. Well, nothing shocking with that. It is knowledge that is now around 6 years old for "fats" and even older for slims, reaching back to the time of metldrpwn. ;)

Backports are not needed anyway, as HEN works on the latest firmware, and likewise there is CFW for the latest firmware. And TBH, no game past 4.6x was published which uses new keys.

Content on PS3 is not stored in package form, so it is already unpacked. ;) This format is only a "delivery form".

edit: Oh sh*t, I was sure it was a PS3 thread. LOL
But similarly, if you can get the EAP Key, then yes, you have access to the second "half" of the HDD (actually the last six) because the first "half" of the partitions are encrypted additionally/differently. Lucky for us, all user data lies on decryptable partitions. BUT... Packages are encrypted by the PFS Key and you need it to encrypt/decrypt them outside the PS4. This key cannot be retrieved past fw v7.02 if I'm correct, at least by published ways (Flatz made a script for it if I'm correct, the same with pfs tools).
 
I was reading in and was like "is this a ps4 thread?" :)

Ok so the keys can't be pwned with exploiting; does the key change on each firmware update? If not, can you then brute force the dec key and dump the hdd on any firmware?

I am sure bitcoin farms are now sitting empty, maybe they can help :D, for backports someone needs just 1 bruted console I guess.
 
@magix01 HDD encryption is one layer (on sector level), and this is partially defeated on hacked PS4s because we can read the EAP Key on all current models. PFS encryption is another encryption layer (on file system level; some files are put inside PFS containers, like games, patches, saves, user trophies etc.), consider them as a kind of "RAR with password". That "password" we don't know how to retrieve past fw 7.02.

Bruteforcing the PFS Key is beyond the capability of all current computers on Earth linked together. It is too long.

And no, none of the keys mentioned above change between firmware versions. All are unique per PS4 unit. They cannot be changed because a change means a mandatory HDD format. So the EAP Key and PFS Key are only for one console; another PS4 has different ones.

However, there are some constant keys related to PFS for external drives. If someone gets them and figures out how those containers are made and encrypted, then it will be possible to dump/create an external environment with games and saves for any PS4 and any PS5.
 
@Berion

Sorry for asking noob questions, I am new to the scene. Is there any handshake when decrypting an external hdd game container? Like, is the dec key sent, or does the PS4 load the container into its own memory and then do the decryption? How is the decryption done if the external game container is too big to fit inside memory, chunks?
 
You shouldn't ever be sorry for asking questions. ;] No questions = no growth.

Containers are too big to be sent to memory as a whole (or else you would need e.g. terabytes of RAM and to wait as long as the transfer speed takes to cover the container size). Encryption/decryption for sure is done by blocks (byte chunks), like in the similar HDD case.
 
Ah, makes sense. I can only imagine what performance hit that causes, as Sony added so many encryption layers upon layers.

If you could dump the contents of RAM during the decryption (hardware mod), can you somehow get the key that way? Or is the RAM encrypted in some way?

Edit: I am not sure what enc Sony is using, but I know that an AES256 key is 32 bytes in size; if we dump byte by byte and pull every 32 byte value, the key must be in there somewhere?