PS3 I need help accessing my EID ROOT KEY

[redlegend]

THE PROBLEM
I want to access my bricked ps3 hdd from a pc and get my saves back but I don't have the EID ROOT KEY, so I can't access the drive. I know my ps3 is cfw compatible, but im currently on 4.89 ofw and the toolset hasn't been updated, I want to know if there is any other way of ripping the key, I was thinking something similar to extracting the eeprom from an original xbox using a raspberry pi, I've searched online but everything I found had to do with cfw

HOW THE PROBLEM STARTED
I was updating my ps3 to the latest HFW version and I'm not sure why or how, but my hdd got corrupted during the update, maybe there was a bug in the software or most likely the drive was in it's last legs (original ps3 160 hdd ) , point is my system wouldn't boot neither normally nor in safe mode, swapping the hdd and reinstalling the os made the system work again, the problem is I didn't have my saves backed up.

 

[atreyu187]

Not possible. It has to be done on that PS3 running CFW or you can not get it.

 

[tungatung]

If while on CFW you had the qa flags enabled you can downgrade and install cfw to extract the key, if not then just wait for the toolset to be updated

 

[Berion]

No ERK = no access to data on PC.
No other way of reading ERK than special tool which dump it on working PS3 with CFW.

https://www.psx-place.com/threads/h...on-3-hdd-on-pc-tutorials-tools-hub-faq.36261/

I was thinking something similar to extracting the eeprom from an original xbox using a raspberry pi, I've searched online but everything I found had to do with cf

Hypothetically, CPU key which is inside Cell processor, encrypting meta loader which is on NAND/NOR, so You can unsolder Cell, rip it, analyse and been the first person who read it, extract metldr from flash dump; in the so-called similar way as ATA Password from Xbox's EEPROM.

but my hdd got corrupted during the update (...) point is my system wouldn't boot neither normally nor in safe mode, swapping the hdd and reinstalling the os made the system work again, the problem is I didn't have my saves backed up.

So it means You must wait until 4.89 be ready for flash patch allowing installation of CFW. Keep the old HDD safe and do not connect it to PC on Windows (some users said that latest Windows 10 initializing them without ask, I don't know if this is true).

 

[redlegend]

Thank you all for your answers, I thought of an other way that I'm 99.9999999999999999999999999999999999% sure that it won't work, but I'm going to ask anyway :P
Lets say I get one of these adapters that lets you use an internal hdd as external via usb, then I connect that drive to the ps3 while the ps3 is running, is there any chance of the drive being unlocked over usb and the data being accessible from multiman?
The hdd will still require the key, but since this is the original console paired with the drive shouldn't the console (in theory) be able to provide the key to the hdd or this isn't possible from usb?

EVEN CRAZIER IDEA: unplugging the blu ray drive (assuming its sata, I have no idea if it is) plugging the bricked hdd in its place, booting using the hdd that works, meanwhile the bricked hdd is unlocked and (hopefully) visable in multiman

Hypothetically, CPU key which is inside Cell processor, encrypting meta loader which is on NAND/NOR, so You can unsolder Cell, rip it, analyse and been the first person who read it, extract metldr from flash dump; in the so-called similar way as ATA Password from Xbox's EEPROM.

You know something, I'm at a point in my life that I know I don't have the knowledge and skill required to pull something like this off, yet I'm dumb enough that one random night at 3AM I'll think this is a good idea, overestimate my capabilities, attempt it, completely brake the console and most likely burn the house in the process

 

[bguerville]

Thank you all for your answers, I thought of an other way that I'm 99.9999999999999999999999999999999999% sure that it won't work, but I'm going to ask anyway [emoji14]
Lets say I get one of these adapters that lets you use an internal hdd as external via usb, then I connect that drive to the ps3 while the ps3 is running, is there any chance of the drive being unlocked over usb and the data being accessible from multiman?
The hdd will still require the key, but since this is the original console paired with the drive shouldn't the console (in theory) be able to provide the key to the hdd or this isn't possible from usb?

EVEN CRAZIER IDEA: unplugging the blu ray drive (assuming its sata, I have no idea if it is) plugging the bricked hdd in its place, booting using the hdd that works, meanwhile the bricked hdd is unlocked and (hopefully) visable in multiman



You know something, I'm at a point in my life that I know I don't have the knowledge and skill required to pull something like this off, yet I'm dumb enough that one random night at 3AM I'll think this is a good idea, overestimate my capabilities, attempt it, completely brake the console and most likely burn the house in the process

The internal HDD uses an encrypted UFS2 partition, the decryption only takes place when the HDD is properly connected internally, not on USB for which GameOS only supports FAT partitions natively anyway and not connected through the BD dedicated socket either.

The partition decryption is done by the dedicated encdec hardware.
But luckily you can extract the eid_root_key if you hack the isolated SPU where metldr gets decrypted, currently the only known exploit available to do that requires both lv1 and lv2 exploitation.
Since HEN came out, afaik, nobody ever tried to find a way to port the SPU exploit to lv2 only (if that's even possible), so without lv1 exploit, for the time being the status quo is that ERK can only be dumped on CFW, no exceptions. That status quo will no doubt change in the future, but there's no telling when.

Given the alternatives, if I were you, I would just be patient, keep my encrypted HDD safe, you should be able to sort it all out soon enough by installing a CFW.

 

[Berion]

@redlegend PS3 is not PC and CellOS is not FreeBSD. There is no way to read HDD like internal on USB or from ODD connectors. At least not without some serious hacking which no one ever perform and this back You to square one anyway because means CFW needed. So as @bguerville said, You don't have any options but to wait for a way to install CFW. If there would be any other solutions, I would at least mentioned about them in my tutorials or just here in Your thread.

But besides that, if Your observations/assumptions are ok, You will be unable to read contents of this HDD just like that. Decryption is one thing but interpreting logic structure is another. If it is broken, then data recovery level rising up. I can provide such service for small fee but if You have some time, of course I can help (and only via forum, no private messages, because this would be material for others for learning). Just FYI.

meanwhile the bricked hdd is unlocked and (hopefully) visable in multiman

PS3 HDD is not locked so cannot be unlocked. The only console in history which using locking by user and master atapsswd was Xbox (later by MS called Xbox Classic). Sony since PS3, encrypting internal mass storage device and that's all.

 

[redlegend]

Thank you all, I've learnt quite a lot of very interesting and useful information from you and I really appreciate it.

I did test the hdd to usb adapter, obviously I couldn't access the drive, although the indicators where different than when I connected it to pc (the indicator on the adapter kept flashing when it was connected on the ps3, it didn't behave the same when it was connected on my pc), this in my mind could mean a lot of things, maybe the system was able to decrypt the drive but not read / access it or maybe the drive wasn't decrypted at all but the ps3 kept sending requests to access the drive again and again and that led to the indicator flashing.
As a note to what @bguerville said, I do understand that gameos only supports fat, my hope was that since the drive was formatted by the ps3 that it could hopefully be recognized, which wasn't the case, I did use irisman, an app that enables exfat support on ps3, but again no chance

Whatever the case, I do understand that without CFW I won't do anything, but since I am in that weird situation that the console is working, the hdd is most likely working but the OS is bricked there might be something stupid like the test I did, that noone tested because they didn't have a use for it, that could hopefully work or lead to something bigger.

If anything this issue has made me more interested in exploring new ways that could possibly help people that can't access CFW recover anything that can be recovered from broken drives, but my knowledge on these tings is definitely limited so I probably won't get far.

 

[atreyu187]

Thank you all, I've learnt quite a lot of very interesting and useful information from you and I really appreciate it.

I did test the hdd to usb adapter, obviously I couldn't access the drive, although the indicators where different than when I connected it to pc (the indicator on the adapter kept flashing when it was connected on the ps3, it didn't behave the same when it was connected on my pc), this in my mind could mean a lot of things, maybe the system was able to decrypt the drive but not read / access it or maybe the drive wasn't decrypted at all but the ps3 kept sending requests to access the drive again and again and that led to the indicator flashing.
As a note to what @bguerville said, I do understand that gameos only supports fat, my hope was that since the drive was formatted by the ps3 that it could hopefully be recognized, which wasn't the case, I did use irisman, an app that enables exfat support on ps3, but again no chance

Whatever the case, I do understand that without CFW I won't do anything, but since I am in that weird situation that the console is working, the hdd is most likely working but the OS is bricked there might be something stupid like the test I did, that noone tested because they didn't have a use for it, that could hopefully work or lead to something bigger.

If anything this issue has made me more interested in exploring new ways that could possibly help people that can't access CFW recover anything that can be recovered from broken drives, but my knowledge on these tings is definitely limited so I probably won't get far.

You can not get anywhere without the ERK as it is what allows the drive to unlock for decryption. Trust me been around since day one of PS3 hacking some 12 years ago. That key is unique to every system. And once you put a new HDD in that key is wiped and another is made. Now if it is an issue with your GameOS you can reinstall the firmware to get it working without wiping the drive unless you initialized the drive while plugged into PC. Even the ERK would not allow access to the drive. There was one hack that worked using the PS Store but has long since been dead.

 

[redlegend]

You can not get anywhere without the ERK as it is what allows the drive to unlock for decryption. Trust me been around since day one of PS3 hacking some 12 years ago. That key is unique to every system. And once you put a new HDD in that key is wiped and another is made. Now if it is an issue with your GameOS you can reinstall the firmware to get it working without wiping the drive unless you initialized the drive while plugged into PC. Even the ERK would not allow access to the drive. There was one hack that worked using the PS Store but has long since been dead.

How does one format gameos without deleting the save data? keep in mind I cant access safe mode while I use the broken hdd.

 

[atreyu187]

How does one format gameos without deleting the save data? keep in mind I cant access safe mode while I use the broken hdd.

If you initialized the drive on the PC nothing can be done. If just broken firmware files you can reinstall the PUP to get it to boot again. Did this myself the first time and lost everything despite having my ERK as I wasn't aware the first time. Wish there was a way to write to the drive but alas even with the key it is read only.

 

[redlegend]

If you initialized the drive on the PC nothing can be done. If just broken firmware files you can reinstall the PUP to get it to boot again. Did this myself the first time and lost everything despite having my ERK as I wasn't aware the first time. Wish there was a way to write to the drive but alas even with the key it is read only.

Wait a second because I'm getting confused now
Assuming I had the key I would use my pc to decrypt and read the disk, so if I understood what you said right I would have only one chance to do it?
Right now I've plugged that disk once in Windows using the sata to usb adapter, does this mean that even if I get the key I can't use it on that disk anymore?


Sorry for asking so many questions lol

 

[Berion]

maybe the system was able to decrypt the drive but not read / access it or maybe the drive wasn't decrypted at all but

CellOS attempt to read USB in MSC mode, expecting FAT32 on MBR. EVERYTHING else is ignored. Some homebrew can read GPT instead of MBR and NTFS or exFAT instead of FAT32 but none PS3PT and e.g UFS2, especially without using matched ATA key (came from ERK).

I saying this clear: reading HDD without ERK and getting ERK on HEN is currently IMPOSSIBLE.

there might be something stupid like the test I did, that noone tested because they didn't have a use for it, that could hopefully work or lead to something bigger.

Actually it is super important, so many people tried 'everything'. ;]

 

[Berion]

If you initialized the drive on the PC nothing can be done. If just broken firmware files you can reinstall the PUP to get it to boot again.

That's not true! It is possible to transplant valid sectors overwritten by MBR/GPT or ignoring it and jump to the UFS2 offset to decrypt it and mount it (UFS2 like many unix like fs using relative addressing, so it is possible without extra steps like e.g. providing "jump" from LBA0, the problem be with FAT32 and FAT16 partitions as their fs tables pointing to specific LBA). Tutorial howto: https://www.psx-place.com/threads/tutorial-fixing-windows-disk-initalization.27599/ Two users reported that first method, not works on CECH-3xxx but works for sure for 25xx (with old boot loader at least) and older like e.g CECHLxx.

You can also place ERK on last sector as form of backup: https://www.psx-place.com/threads/tutorial-last-sector-of-hdd.27590/ or store it in HPA area.

Wish there was a way to write to the drive but alas even with the key it is read only.

You can write to PS3 HDD on Linux with ufsfs kernel module compiled with write option. Tutorial: https://www.psx-place.com/threads/tutorial-hdd-mounting-and-decryption-on-linux.23308/

 

[redlegend]

Thanks a lot @Berion for dropping the knowledge, even if I didn't solve the problem yet your posts have helped me get a better understanding of the situation quite a bit

 

[Berion]

Assuming I had the key I would use my pc to decrypt and read the disk, so if I understood what you said right I would have only one chance to do it?

Because HDD is encrypted, for e.g OSes on PC, is empty because they cannot understand the logic structure. Linux will not do anything with PS3 HDD (all distributions old, today and in future), but Windows will ask about initialization, so if You agree, it means overwriting encrypted PS3 partition table by MBR or GPT partition table, breaking by that logic structure understand by PS3, beyond repair. This can be "fixed" but it is time consuming and annoying because needs making at least one disk image and at least once written whole back (imagine how long could take with 1.5TB internal HDD, so 3TB of transfer just to fix few KB ).

Some people reported that Windows 10 didn't ask about initialization and instead he just doing it without asking... I cannot confirm that but be warned and not use such aggressive shit.

- - -
Very good practice would be dumping ERK, calculating from it ATA and VFLASH keys and also just in case dumping first 2MB of data from PS3 HDD.

 

[zecoxao]

The internal HDD uses an encrypted UFS2 partition, the decryption only takes place when the HDD is properly connected internally, not on USB for which GameOS only supports FAT partitions natively anyway and not connected through the BD dedicated socket either.

The partition decryption is done by the dedicated encdec hardware.
But luckily you can extract the eid_root_key if you hack the isolated SPU where metldr gets decrypted, currently the only known exploit available to do that requires both lv1 and lv2 exploitation.
Since HEN came out, afaik, nobody ever tried to find a way to port the SPU exploit to lv2 only (if that's even possible), so without lv1 exploit, for the time being the status quo is that ERK can only be dumped on CFW, no exceptions. That status quo will no doubt change in the future, but there's no telling when.

Given the alternatives, if I were you, I would just be patient, keep my encrypted HDD safe, you should be able to sort it all out soon enough by installing a CFW.

It's not possible without either an lv1 or spu exploit, together with an lv2 exploit