PS3 [Tutorial] HDD mounting and decryption on Linux

  • I have moved all apps from attachment to psx-place resource section (this cleansed attachments and makes apps easier to find and management).
  • Removed ufs_byte_location script as simply better solution and far more easy is PS3 Unlock HDD Space.
  • Removed link to @3141card's official www as it is now dead (but still You can go to see it in PS3 HDD Reader resource if want it to view via e.g webarchive.org (which have several copies)).
  • Speaking of which. I've also uploaded the latest versions of Windows and Linux of this app, including source code. Data and date came from archives build attached back then on Mega.
Tutorials itself doesn't change, yet link to bswap16 in PDFs are broken (so user must go to resource section and just download bswap16 AIO). Reuploading guides with fixed only one link is not worth a time, so I will do this in future only if some serious changes be needed.

So far, tutorial and software still work, e.g on Linux Mint 20.3 (in bswap16 AIO, already compiled module for default kernel in live mode is included, so no need of any Linux installation or bswap16-ecb compilation).
 
Last edited:
So I have sat on this and I can compile ufs module but... I cannot mount or remount partition with rw:
mount: /home/mint/ps3/test: mount point not mounted or bad option.
Click to expand...
So I don't know if my config was used or not. :/ Looks like it doesn't but why?

I'm working on my UFS2 dump, already byte swapped and decrypted:
Code: 
sudo insmod ~/ps3/apps/ufs.ko
sudo losetup /dev/loop9 ~/ufs2.img
sudo mount -t ufs -o ufstype=ufs2,ro /dev/loop9 ~/ps3/test
sudo mount -t ufs -o remount,ufstype=ufs2,rw /dev/loop9 ~/ps3/test
Works only in read only. So for sure problem lies in module.

Procedure:
Code: 
    apt install libncurses-dev libssl-dev build-essential bc -y
    # apt source linux-modules-$(uname -r)
     sudo cp ~/ps3/apps/source/ufs/*   /usr/src/linux-headers-$(uname -r)/fs/ufs
    # sudo cp /boot/.config /usr/src/linux-headers-$(uname -r)
     sudo sed -i 's/# CONFIG_UFS_FS_WRITE is not set/CONFIG_UFS_FS_WRITE=y/' /usr/src/linux-headers-$(uname -r)/.config
     cd /usr/src/linux-headers-$(uname -r)
     sudo make M=fs/ufs/ modules
     cd fs/ufs
     cp ufs.ko ~/ps3/apps
     chmod +x ~/ps3/apps/ufs.ko
     modinfo ~/ps3/apps/ufs.ko
  • Once I downloaded and unpacked linux-modules, I've copied src to "~/ps3/apps/source/ufs" and that's why later I copying it from there. It was easier and quicker for me doing it that way on live environment.
  • In Mint 21.0, ".config" is already there so I just editing it to making UFS write feature.
  • In Mint 21.0 linux-headers are already installed.
  • Versions matching and I successfully load it memory.
Is there a way to check if this module have this damn parram turned on? Using systool I getting only this, so rather nothing usefull
Code: 
sudo systool -v -m ufs
Module = "ufs"

  Attributes:
  coresize  = "102400"
  initsize  = "0"
  initstate  = "live"
  refcnt  = "0"
  srcversion  = "CF83FC12C6174EED2B15945"
  taint  = "OE"
  uevent  = <store method only>

  Sections:
  .altinstr_replacement= "0xffffffffc1a8a612"
  .altinstructions  = "0xffffffffc1a8cbac"
  .bss  = "0xffffffffc1a901c0"
  .data  = "0xffffffffc1a8e000"
  .exit.text  = "0xffffffffc1a8a642"
  .gnu.linkonce.this_module= "0xffffffffc1a8fe40"
  .init.text  = "0xffffffffc1a94000"
  .note.Linux  = "0xffffffffc1a8b024"
  .note.gnu.build-id  = "0xffffffffc1a8b000"
  .parainstructions  = "0xffffffffc1a8cab0"
  .retpoline_sites  = "0xffffffffc1a8cc6c"
  .rodata  = "0xffffffffc1a8b080"
  .rodata.str1.1  = "0xffffffffc1a8c4c6"
  .rodata.str1.8  = "0xffffffffc1a8bb30"
  .smp_locks  = "0xffffffffc1a8ca00"
  .strtab  = "0xffffffffc1a970a0"
  .symtab  = "0xffffffffc1a95000"
  .text  = "0xffffffffc1a7a000"
  .text.unlikely  = "0xffffffffc1a887ed"
  __bug_table  = "0xffffffffc1a8fd5c"
  __jump_table  = "0xffffffffc1a8d000"
  __mcount_loc  = "0xffffffffc1a8b858"

Any ideas? :/
@gmipf @DUDUŚ @bguerville
 

Attachments

Last edited:
@Berion idk... i think it's impossible to check from .ko file
PS: Idk if this work but i saw on xda some years ago that copying crc from current kernel module to prebuild ufs.ko /w write enabled
EDIT:
There is newer copymodulecrc.c (copyrighted 2016 y.) by aleksey (like that) ... but can't find that.
 
Even if worked, that's kind of a dirty solution. I rather want to understand what I did wrong (if I even did anything wrong).
 
Hello, i want to retrive old pictures from corrupted ps3 drive. I tried to use fuse-ufs2+be but i dont really know how to handle with mappers in linux. How to mapp directory without mounting? I have a folder with directory hdd0 (folder for ps3 data), fuse-ufs.1, fuse-ufs.pc.in and fuse-ufs2+be.elf. Do im prepared for fuse-ufs2+be usage?

When i tried to run
Code: 
fuse-ufs2+be.elf /dev/mapper/ps3hdd2 /home/mint/ps3/dev_hdd0 -o rw+
i got an error:
Code: 
fuse-ufs2+be.elf: 1: Syntax error: Unterminated quoted string
 
@wewtorek If You want recover data from broken (broken how exactly?) HDD, You must create two mappers, one with conversion to Little Endian on the fly and second with decrypted data. Which covering up tutorial in first post (including mounting all partitions). Why You didn't read it? Based on Your nick, especially that it is also in Polish language.

Fuse UFS2+BE is experimental tool which granting write support in UFS2. Highly not stable and not recommended, especially for data recovery where he can break further fs. It works with mapper described above.

If You will be unable to mount UFS2 in case when it is broken, then You need make sector by sector image of this partition from last in chain mapper, and try fix it on FreeBSD or Solaris (Open Indiana maybe). Windows and Linux have not any tools for manipulating UFS2. Eventually You can try retrieving data by signature scan from this mapper or use mentioned earlier image in some commercial Windows software which have support for it.

Anyway, it is not an easy task and I doing such things for money. ;) If You provide me HDD dump + ERK, I can recover this data for You.

How to mapp directory without mounting?
Click to expand...
You cannot. It is not how it works. Mappers came from block devices, in case of PS3, with two mathematical operations performed. They allows us to do things on the fly per needed at the moment block.

I have a folder with directory hdd0 (folder for ps3 data), fuse-ufs.1, fuse-ufs.pc.in and fuse-ufs2+be.elf. Do im prepared for fuse-ufs2+be usage?
Click to expand...
I don't know what You have. ;) For mounting UFS2 partition, You need it exposed in any way, as eg. from image attached to loop device or from device mapper. It is one executable and one alone is needed for read data. But anyway, forget about it, it is not tool for You.

Focus first on decrypting, mapping partition table and mounting UFS2 if possible.
 
Last edited:
@wewtorek Without ERK You cannot because disk is encrypted by long enough key so You can forget about bruteforce it for many many years. Could be possible if Sony put somewhere on disk backdoor like eg. ATA key in form not needed any additional key known only to Sony (because can be encrypted too, obfucated etc. not just plain hex ready to use). Also could be possible if we would be able to decrypt metldr from flash dump (where ERK is stored), but we cannot, at least not today. So for now it is not possible. Without ERK or working exploitable console, data on her HDD is lost.
 
Last edited:
Possible but needs temporary storage for disk image or target disk will be written twice. And only for NAND models (because NOR models have VFLASH partition with some unique per model data). But that's not have much sense because CellOS registering disk and user cannot freely swap disks (unregistered will be consider as empty, so in the middle of the process, user must put target disk to PS3 so she will format it and also registering).
 
Berion said:
Possible but needs temporary storage for disk image or target disk will be written twice. And only for NAND models (because NOR models have VFLASH partition with some unique per model data). But that's not have much sense because CellOS registering disk and user cannot freely swap disks (unregistered will be consider as empty, so in the middle of the process, user must put target disk to PS3 so she will format it and also registering).
Click to expand...

This sounds much more complicated than simply mounting both disks and copying files. Thanks.
 
@hoodangel Keys are indeed the same for all GEXes but the way how they are decrypting by it, different for different models. Like on CEX/SEX/DEX/DEV/QA models.

In Your post there is lack of important details. What key have You tried, eventually from what calculated and how mappers You have created.

Try this:
https://www.psx-place.com/resources/ps3-hdd-decryption-helper.1293/

Put ERK in keys, run keygen script. Or if You already have ATA key run Mounter script. After that, run Reporter script and paste here the results.

Most important for me is this kind of output which will be generated:
ps3hdd_script_reporter_2-png.38471
 
OtherOS bootloader is encrypted three times. But for what f*g reason? o_O

ps3hdd_oos.png


Last partition is for OtherOS, probably threat as whole device so with his own partition table and partitions but I cannot install any Linux, none of bootloaders see Linux on USB. :/

Probably it is encrypted twice because there should be zeroes, while I have some garbage.

Setup from OFW 3.16.


@sandungas [?]
 
@Berion Great guide, thanks! Got my PS3 Slim CECH-2503 1TB SSD mounted no problem after I got the steps right (second time as I chose Phat and wondered why the keys weren't decrypting the drive).

What I really need though is write access to the dev_hdd0 partition whereas this guide only allows read. How can I put things on the drive via Mint to save me doing it to the PS3 directly via FTP and it's 20MB/s or so speed cap?

Thanks in advance.
 
@zekepliskin Thank You. Tutorial is a little outdated because meanwhile, I wrote toolkit to automatize almost all actions (it is faster and far easier now than typing everything by hand):
https://www.psx-place.com/resources/ps3-hdd-decryption-helper.1293/

You need to compile ufs module with write privileges. And this is where I stuck for now, however, I have some idea (thanks to @Iridule) why it doesn't work but I don't have time for that now. You can test it by yourself. ;]

1. So, after unpacking toolkit, run Keygen to generate your keys (the same as in tutorial, if You already have those keys You can skip this step).

2. Now run KO Manager script. Choose option no 4 (for compiling "bswap16-ecb.ko" but if You have it already, matched to current kernel, You can skip this step too).

3. Be sure You have internet connection and run again KO Manager script and this time choose option no.6. ufs.ko should compile fine, and I believe with custom config providing write privilege.

4. Run again KO Manager and choose option no.1.

5. And here is the catch. Normally You should now run PS3 HDD Mounter script but this will not grant You write privilege for sure (which is very strange because I'm pretty sure compiled "ufs.ko" have custom rules). We have theory that this happening because mounting is pointed to "${HOME}/ps3/storage/hdd/dev_hdd0" (and for some reason, Mint don't allows write to mount points inside /home). If You will change all those instances to i.e "/mnt/dev_hdd0" (and of course create such folder in /mnt), then You should get write access as root user.

So try replace above path to mnt and use such modified Mounter. If You don't want use this script, remember to mount dev_hdd0 as read only and then perform remount to rw. For unknown reason, partition cannot be mounted by rw on first shot.
 
You must log in or register to reply here.

Similar threads

Back
Top