PS3 [Tutorial] HDD mounting and decryption on Linux

[sandungas]

Eruil, the forum have a text corrector that is breaking your pastes a bit, everytime you write a @ the text corrector is replacing it automatically by [email protected]

In this case, because you are copying big chunks of text from terminal the best solution is if you enclose them with [code][/code], this way:

root@mypc

---------------
Edit:
Damn, the forum text corrector is catching it from inside the code... then the alternative is to do what i did in the first line of this post, by using [plain][/plain], this way:
root@mypc




---------------
Edit3:
Just add an space next to it, the forum thinks is an email, but if you add spaces in between then it ignores it
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @

 

[Eruil EOL]

with an optimized 1% space .img

root/Ryzentosh:/home/eruil/ps3# ./find_ps3_ufs2_byte_locations.sh superblock.img
Minimum free space already configured to 1%
Optimization type already set to SPACE

with a non optimized superblock.img (ive made some tests in 3 other hdds, just to make some experiments)

root/Ryzentosh:/home/eruil# cd /home/eruil/ps3
root/Ryzentosh:/home/eruil/ps3# ./find_ps3_ufs2_byte_locations.sh superblock.img
Minimum free space byte location: 65599
Optimiation type byte location: 65667

i dumped all data in my hdd , formatted and tested optimization with bswap16.ko and it ran smooth. i though that i had a problem when i unmounted hdd with einys tools. now its working fine


"---------------
Edit3:
Just add an space next to it, the forum thinks is an email, but if you add spaces in between then it ignores it
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @"

no worries sandungas, i replaced @ with /

Berion:

stat --printf="%s" /home/eruil/ps3/superblock.img >> /home/eruil/ps3/test_output.txt
created the test_output.txt file . it only shows = 131072

 

[bel3atar]

Interesting.
Too bad it's in polish

 

[Berion]

@bel3atar If someone could donate me enough $ for professional translator (I don't know how much it costs in Poland but if someone is interested, I can make some research), I don't see a problem to attach it in English. For free, no one want to do it (and I'm fine with that because text is hard and quite long).

 

[Eruil EOL]

Interesting.
Too bad it's in polish

You can use google translator and spend some time to translate it. Or you can donate some money to berion

 

[Wildfire1]

Has anyone tried using the WSL to try this and see if it works or not? Also which distro of Ubuntu should I go with?

 

[Berion]

Linux Mint 19.2 or 19.3 works for sure on real hardware (attached compiled modules are for default kernel in 19.2, if You want use another, You must compile it from attached source).

But I don't have Windows 10 so I cannot check if WSL or WSL2 allow any distro, and if not limited raw access to real devices. You can be pioneer.

 

[Wildfire1]

I think Linux Mint uses a version of Ubuntu but not sure which one as I'll have to do some testing.

Sent from my SM-G981U using Tapatalk

 

[Berion]

Yes. Mint 19.x is equivalent of Ubuntu 18.x LTS.

 

[Wildfire1]

With WSL2 I can install Ubuntu 18.04 LTS but as far as I can tell its terminal only. I may try to do some tests here soon and report back in a while.

 

[Berion]

I saw that mounted file systems are (or will be?) displaying in Explorer like standard windows partitions.

Thanks. I'll be waiting for the feedback.

 

[artiko17]

Hi berion... First of all, many Thanks for your hard work with tutorial on how to reclaim up to 8% of reserved ps3 hard disk space... Unfornetly i have problem with that tutorial. Secound I am From Poland like you, and i will prefer talk in my native... BUT anyway I have a problem with 10 line of your tutorial.

http://puu.sh/FFSHG.png

Here is like it looks. I have cechl04 ps3 system. I done everything step by step, and i do not really understand what is wrong. I am using ubuntu 16.04.6LTS system.

In theory I have to decrypt the drive, before i create decrypted device, but did your script do not do this?


BTW, disc is connected to virtual machine as sdb - connected via usb, like in your example

 

[Berion]

@artiko17 Witam rodaka.

I'm not the author of script for unlocking 8% of reserved free space on UFS2. I'm the author of tutorial about PS3 HDD decrypting.

Do not use bswap16 for nbd client. It will no longer works with current versions of nbd client and demand from You to be installed because loop0 must be free. Current solution is flexible and easy, thanks to bswap16-ecb kernel module which replaced nbd.

Besides that, You choose wrong algo (but this is my fault, I made mistake in older versions of tutorial; FATs on NOR using AES CBC, not XTS). Also current keygen version don't using "hdd_key.bin" file name but "ata_key.bin" (just cosmetics in this case).

Download tutorial from first post (I have updated it two weeks ago) and adapt changes.

In theory I have to decrypt the drive, before i create decrypted device, but did your script do not do this?

Operations needed:
1. conversion from Big Endian to Little Endian (that's why we need bswap16)
2. creating mapper with decrypted device (that's why we need cryptsetup)
3. creating mappers with partitions (that's why we need kpartx)

BTW, disc is connected to virtual machine as sdb - connected via usb, like in your example

Disk not disc. In English it's similar write and pronounce but they are two different things. Disc can be i.e optical like i.e DVD, disk is i.e metal disk like HDD.

If Linux see it at the end of this chain, then it should be no problem.

 

[zetsurin]

Thanks so much for these tutorials. I have been patching the protections from my PS3-based arcade games for preservation purposes but the worlkflow I need to do so takes hours. If I can manage to mount and directly modify my drives it would be a huge help for my preservation efforts (I just know my HDDs must be about to die soon!)

I am running on Ubuntu 20.04, and have compiled bswap16-ecb for my kernel. However when I do the following, I am only seeing the very first byte swapped only.

The commands I ran:

sudo su
insmod bswap16.ko
cryptsetup create -c bswap16 -d /dev/zero ps3hdd-bs /dev/sdb

And this is my test output to determine if the bytes are being swpped. As you can see in ps3hdd-bs, only the first pair of bytes are ever swapped. Any ideas what I might be able to try?

root@Laptop:/home/user/Work/PS3# hexdump -C /dev/sdb | head -8
00000000  41 ac e4 32 21 a2 44 49  f9 42 35 d2 54 8f 44 45  |A..2!.DI.B5.T.DE|
00000010  5a 67 4e ca ec f3 5c f9  ae e5 f7 76 e6 d2 f2 fd  |ZgN...\....v....|
00000020  55 20 4a fc 65 32 ce 13  42 1a bd 7a 79 43 42 89  |U J.e2..B..zyCB.|
00000030  09 6b 12 18 3a 38 bd 6c  0c 0e f8 57 06 50 f0 c4  |.k..:8.l...W.P..|
00000040  bb c1 30 fc 7f 96 f6 20  97 b3 2e 6c df ec f0 69  |..0.... ...l...i|
00000050  7a ac a6 6c ec e3 cd b2  99 a5 89 0d f2 1b 05 2c  |z..l...........,|
00000060  4b a2 b0 b4 a6 6a 99 37  9b 96 b4 a9 2b 37 a4 ef  |K....j.7....+7..|
00000070  55 40 59 69 1c 9c 72 31  05 96 d6 b2 7d c0 28 b8  |[email protected]....}.(.|

root@Laptop:/home/user/Work/PS3# hexdump -C /dev/mapper/ps3hdd-bs | head -8
00000000  ac 41 73 48 46 13 68 e6  06 b0 2b 77 ba 86 11 cb  |.AsHF.h...+w....|
00000010  23 1f 90 29 bd 26 15 af  b9 57 d8 12 25 90 1b 20  |#..).&...W..%.. |
00000020  d2 a8 a9 6a 78 99 76 fc  d4 51 38 a7 fe 03 f0 01  |...jx.v..Q8.....|
00000030  29 80 11 79 2a 22 56 85  b3 60 5b f6 a8 51 c2 a0  |)..y*"V..`[..Q..|
00000040  31 7f 47 f1 a6 83 5f 60  45 b7 fb 9d c2 b3 b6 1c  |1.G..._`E.......|
00000050  5c 13 16 0a 45 80 5e 2e  68 2b 94 2c 92 ff de 1e  |\...E.^.h+.,....|
00000060  a7 67 ff 12 da 12 91 f3  0f ac 32 22 83 82 c4 93  |.g........2"....|
00000070  e4 ba 3c 19 c5 75 2d ee  e4 34 b7 40 16 cf c5 e8  |..<..u-..4.@....|

 

[Berion]

@zetsurin
You're welcome. ^^

That's strange. I never experienced such error before and don't even have idea why module doesn't swapping data beyond first 2B. I'm sorry but I don't know. You can try live distro (i.e older Ubuntu on which for sure it works, or all Mint 18.x up to 19.x which also works, tested by myself). That's poor help, I know.

- - -
Meanwhile, I have updated Windows 10 to insider line to have WSL2 and I don't know how to run it with generic kernel. Original MS kernel source doesn't have full module source and compilation of course failed

I have created in home dir ".wslconfig" with below magic but VM doesn't boot and prints timeout:

[wsl2]
kernel=D:\test\vmlinuz-5.4.0-26-generic
memory=4GB
processors=2

Any ideas?

 

[zetsurin]

@Berion, I tried to rewrite bswap16 as a compression stream instead of a crypto stream just out of curiosity, but didn't get anywhere.

I actually set up a blank install of Mint 18.2 and bswap is working fine.

By the way, for my Namco System 357 key, I used a version of the key generator which had arcade support, this yielded 32-byte keys. However, this would not decrypt for me. What I needed to do was generate a key as such:

cat ata_data_and_tweak_key.bin ata_data_and_tweak_key.bin > arcade_key.bin

And now I see it is correctly decrypting:

# hexdump -C /dev/mapper/ps3hdd | head -8
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 0f ac e0 ff  00 00 00 00 de ad fa ce  |................|
00000020  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 02  |................|
00000030  00 00 00 00 00 00 00 08  00 00 00 00 00 08 00 00  |................|
00000040  10 70 00 00 01 00 00 01  00 00 00 00 00 00 00 0b  |.p..............|
00000050  10 70 00 00 02 00 00 01  00 00 00 00 00 00 00 03  |.p..............|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

So all good now

BTW, regarding WSL (this applies to 1 or 2), it has no support for loop devices at all. Just worth keeping in mind. Under Windows, I think a minimal VirtualBox install is probably going to be the most reliable.

EDIT: To be precise (and to help anyone reading this in the future to save them time), the exact contents of the ata_key.bin needed for Namco System 357 needs to be:

5F 20 A2 1E D1 2F F6 42 5B 62 FD E0 D1 88 1C 84
64 13 1B E7 6B 28 CE 9A 73 5D 4A 1C 88 FE DF 07
5F 20 A2 1E D1 2F F6 42 5B 62 FD E0 D1 88 1C 84
64 13 1B E7 6B 28 CE 9A 73 5D 4A 1C 88 FE DF 07

And it is configured just like a phat PS3 with aes-cbc-null 192 bit

 

[Berion]

@zetsurin But this is exactly key which is output from my script. Did You generate it using keygen script on newest Ubuntu or also on Mint 18.2? If You open script (v1.8b), You can see uncommented i.e ATA Key in Arcade section which is exactly the same (and the same should be generated from eid_root_key_arcade.bin).

Could You try also VFLASH? Because I didn't test it myself (if this model even have NOR Flash instead to 2x128MiB of NAND, I don't know).

And big thanks for the report.

 

[zetsurin]

@Berion, I ran the script on Ubuntu 20.04. Perhaps I was using an old version or something.

I tried VFLASH, it works fine for this machine. I think this model is NAND as it doesn't have xRegistry present in the HDD VFLASH. It's based on the phattest of phat PS3s

 

[Berion]

If it have NAND, then it haven't VFLASH which is replacement of eFlash area from NAND but on HDD.

Normally, xRegistry.sys is on "dev_flash2/etc/" but I never saw GECR systems so who knows, maybe it is somewhere else.

 

[oleguer]

Hello @Berion I try to do this tutorial and I finally block on step 6 (and I do the 7 ^^'"") to make bswap16.ko module what I need to do and use??
use bswap16-ecb v1.1?
or use bswap-16 (for nbd-client)??
or use dm-swap16 (source only)??
(I use virtual machine of linux mint 19.2 like you)
and how command I need to make it? only sudo make??
Thank you!!