Thread: PlayStation 3
1st April 2018, 20:48   #32
candela (Registered User, joined Jun 2005, 259 posts)
Quote: Originally Posted by Rupan

4.70:
HPK: 0x20160
HC: 0x20100
Why do you think the HPK in 4.70 is at 0x20160?

I just thought of using the XOR in reverse for 4.70, because we know from keydb.cfg that the private key for cert FFFF80000146 is HPK=0027263F402E2D6DB56B1FB7BB4524C6CD5C9F2EF4. If we assume that they use the same AES-CTR (for which we do not know the key/IV) to encrypt the device keys and the host private key, then:

HPK_part1 = bytes 01-16
HPK_part2 = bytes 17-21 + padding

HPK_part1_enc = HPK_part1_dec xor DeviceKey1_enc xor DeviceKey1_dec = 05974EA73D2019A1FE03A7F685DCBD5A

This matches the first 16 bytes of "private key enc" on ps3devwiki and is located at 0x17B00.

Now the question is why ps3devwiki lists the value "004FC12D7464FBFB3E0D5754016AE6867A256C16EA" as "private key dec" when the real value is "0027263F402E2D6DB56B1FB7BB4524C6CD5C9F2EF4".

Update:
I noticed that
HPK_part2_enc = HPK_part2_dec xor DeviceKey2_enc xor DeviceKey2_dec != 7D2F07E5BF15DA291B31586C8840C75B (the second 16 bytes of "private key enc")

Since the same method works correctly for the device keys and private key in FW4.45, it seems the device key 2 for FW4.70 I found is incorrect. So some keys did change from FW4.45 to FW4.50. Or does someone know what else could be the problem?

Update 2:
Figured out that for padding the HPK from 21 to 32 bytes, they didn't use
HPK_part1_dec = 0027263F402E2D6DB56B1FB7BB4524C6
HPK_part2_dec = CD5C9F2EF4 + padding
but
HPK_part1_dec = 0027263F402E2D6DB56B1FB7BB4524C6
HPK_part2_dec = CD5C9F2EF40000000000000000000000 xor HPK_part1_dec

In this case we get the correct encrypted value:
HPK_part2_enc = 7D2F07E5BF15DA291B31586C8840C75B

Last edited by candela; 2nd April 2018 at 13:41.
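As an added example (not code from the post, from ps3devwiki, or from any PS3 tool), the keystream-reuse reasoning of the post above in Python: a known plaintext/ciphertext pair under AES-CTR leaks the keystream for those offsets, and XORing that keystream into the encrypted HPK recovers it without the AES key or IV. The 21-byte HPK and the two "private key enc" blocks are the values quoted in the post; the device key pair is a constructed fixture whose ciphertext is derived from those values, the function names are mine, and the chained padding layout is implemented only for the two-block (17 to 32 byte) case the post establishes. The block also includes a key-independent check of the layout guess that the post does not spell out: under the chained layout the padding region of block 2 must equal the same offsets of block 1.

```python
"""Keystream reuse against an AES-CTR encrypted key blob.

Added example, not code from the original post or from ps3devwiki. It models
the reasoning in candela's post: if the device keys and the host private key
(HPK) are encrypted under one AES-CTR keystream, a known plaintext/ciphertext
pair (the device key) leaks that keystream, and XORing it into another
ciphertext (the encrypted HPK) recovers the plaintext without the AES key.
The 21-byte HPK and its two encrypted blocks are the values quoted in the post;
the device key pair below is a constructed fixture, not real PS3 key material.
"""

BLOCK = 16

# Quoted in the post: HPK of cert FFFF80000146 (keydb.cfg) and the two
# 16-byte "private key enc" blocks from ps3devwiki.
PAGE_HPK_DEC = bytes.fromhex("0027263F402E2D6DB56B1FB7BB4524C6CD5C9F2EF4")
PAGE_HPK_ENC = bytes.fromhex(
    "05974EA73D2019A1FE03A7F685DCBD5A"  # HPK_part1_enc
    "7D2F07E5BF15DA291B31586C8840C75B"  # HPK_part2_enc
)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_zero(secret: bytes) -> bytes:
    """Layout the post first assumed: secret followed by zero bytes."""
    return secret + b"\x00" * (-len(secret) % BLOCK)


def pad_chained(secret: bytes) -> bytes:
    """Layout the post found: block 2 = (tail + zeros) XOR block 1.
    Only the two-block case shown in the post is modelled (assumption)."""
    padded = pad_zero(secret)
    if len(padded) != 2 * BLOCK:
        raise ValueError("chained layout is only known for 17..32 byte secrets")
    head, tail = padded[:BLOCK], padded[BLOCK:]
    return head + xor_bytes(tail, head)


def unpad(padded: bytes, secret_len: int, layout: str) -> bytes:
    """Undo either layout; XOR is its own inverse, so the chaining is removed
    by XORing block 1 back into block 2 before truncating."""
    if layout == "zero":
        return padded[:secret_len]
    if layout == "chained":
        head, tail = padded[:BLOCK], padded[BLOCK:2 * BLOCK]
        return (head + xor_bytes(tail, head))[:secret_len]
    raise ValueError(f"unknown layout {layout!r}")


def recover_keystream(known_plain_padded: bytes, known_cipher: bytes) -> bytes:
    """CTR mode: cipher = plain XOR keystream, so one known pair yields the
    keystream for those offsets (the post's DeviceKey_enc XOR DeviceKey_dec)."""
    return xor_bytes(known_plain_padded, known_cipher)


def recover_secret(known_plain_padded: bytes, known_cipher: bytes,
                   target_cipher: bytes, secret_len: int,
                   layout: str = "chained") -> bytes:
    """Decrypt target_cipher with the keystream leaked by the known pair."""
    ks = recover_keystream(known_plain_padded, known_cipher)
    padded = xor_bytes(target_cipher, ks[:len(target_cipher)])
    return unpad(padded, secret_len, layout)


def consistent_with_chained(padded: bytes, secret_len: int) -> bool:
    """Key-independent check of the layout guess: under the chained layout the
    padding bytes of block 2 equal the same offsets of block 1, because
    0x00 XOR head[i] == head[i]. Needs only the secret length (21 here)."""
    head, tail = padded[:BLOCK], padded[BLOCK:2 * BLOCK]
    off = secret_len - BLOCK
    return tail[off:] == head[off:]


# Constructed fixture (hypothetical device key, not a real PS3 key). Its
# ciphertext is produced with the keystream implied by the post's HPK values,
# so the worked recovery below lands on the quoted plaintext.
DEVICE_KEY_DEC = bytes(range(0x10, 0x10 + 2 * BLOCK))
_KEYSTREAM = xor_bytes(pad_chained(PAGE_HPK_DEC), PAGE_HPK_ENC)
DEVICE_KEY_ENC = xor_bytes(DEVICE_KEY_DEC, _KEYSTREAM)


def demo() -> dict:
    """Run the recovery both ways: the chained layout reproduces the keydb.cfg
    HPK; the zero-padding guess gets only the first 16 bytes right, which is
    the mismatch described in the post's first update."""
    chained = recover_secret(DEVICE_KEY_DEC, DEVICE_KEY_ENC, PAGE_HPK_ENC, 21, "chained")
    naive = recover_secret(DEVICE_KEY_DEC, DEVICE_KEY_ENC, PAGE_HPK_ENC, 21, "zero")
    raw = xor_bytes(PAGE_HPK_ENC, recover_keystream(DEVICE_KEY_DEC, DEVICE_KEY_ENC))
    return {
        "hpk_chained": chained.hex().upper(),
        "hpk_zero_padding": naive.hex().upper(),
        "layout_check": consistent_with_chained(raw, 21),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind when applying this to real dumps: a CTR keystream is position dependent, so the leaked keystream only helps if the device keys and the HPK really sit at the same counter positions, which is exactly the assumption the post makes; and `consistent_with_chained` needs the true secret length, so it validates a layout guess for a key whose size is known from elsewhere (here keydb.cfg), not for an unknown blob.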