Quote:
Originally Posted by Rupan
4.70:
HPK: 0x20160
HC: 0x20100
Why do you think the HPK in 4.70 is at 0x20160 ?
I just thought of using the XOR in the reverse for 4.70 because we know from keydb.cfg that the private key for cert FFFF80000146 is HPK=0027263F402E2D6DB56B1FB7BB4524C6CD5C9F2EF4. If we assume that they use the same AES-CTR (for which we do not know the key/IV) to encrypt the device keys and the host private key, then:
HPK_part1 = bytes 01-16
HPK_part2 = bytes 17-21 + padding
HPK_part1_enc = HPK_part1_dec xor DeviceKey1_enc xor DeviceKey1_dec = 05974EA73D2019A1FE03A7F685DCBD5A
This matches the first 16 bytes of "private key enc" on ps3devwiki and is located at 0x17B00
Now the question is why ps3devwiki lists the value "004FC12D7464FBFB3E0D5754016AE6867A256C16EA" as "private key dec" when the real value is "0027263F402E2D6DB56B1FB7BB4524C6CD5C9F2EF4".
Update:
I noticed that
HPK_part2_enc = HPK_part2_dec xor DeviceKey2_enc xor DeviceKey2_dec
!= 7D2F07E5BF15DA291B31586C8840C75B (the second 16 bytes of "private key enc")
Since the same method works correctly for the device keys and the private key in FW4.45, it seems the device key 2 for FW4.70 I found is incorrect. So some keys did change from FW4.45 to FW4.50. Or does someone know what else could be the problem?
Update2:
Figured out that for padding the HPK from 21 to 32 bytes, they didn't use
HPK_part1_dec = 0027263F402E2D6DB56B1FB7BB4524C6
HPK_part2_dec = CD5C9F2EF4 + padding
but
HPK_part1_dec = 0027263F402E2D6DB56B1FB7BB4524C6
HPK_part2_dec = CD5C9F2EF40000000000000000000000 xor HPK_part1_dec
In this case we get the correct encrypted value
HPK_part2_enc = 7D2F07E5BF15DA291B31586C8840C75B
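The reasoning in this post rests on one property of CTR mode: ciphertext is plaintext XOR keystream, so two values encrypted under the same key/IV share their keystream, and a single known plaintext/ciphertext pair (here the device key) reveals the keystream for everything else encrypted alongside it. The script below is an added example, not code from the post or from ps3devwiki. It uses a SHA-256 based toy CTR keystream as a stand-in for AES-CTR (so it runs without a crypto library), all key and secret values are constructed, and the two layout functions encode the two paddings the post compares (plain zero padding versus the Update2 layout where the padded second block is XORed with the first). `identify_layout` replays the post's check: predict the 32-byte encrypted secret under each candidate layout from the known pair and report which one matches the observed ciphertext.

```python
import hashlib

BLOCK = 16

# Constructed sample material (not values from the post): a toy key/nonce that
# stands in for the unknown AES-CTR key/IV, a 32-byte "device key" whose
# plaintext and ciphertext are both assumed known, and a 21-byte secret.
TOY_KEY = bytes(range(16))
TOY_NONCE = b"\xaa" * 16
DEVICE_KEY_DEC = bytes(range(0x40, 0x60))      # 32 bytes, constructed
SECRET21 = bytes.fromhex("00" + "11" * 20)      # 21 bytes, constructed


def keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Toy CTR keystream: block i = SHA-256(key || nonce || counter_i)[:16].
    Stands in for AES-CTR; the only property used below is that CTR-mode
    ciphertext is plaintext XOR keystream."""
    return b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()[:BLOCK]
        for i in range(nblocks)
    )


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    nblocks = (len(plaintext) + BLOCK - 1) // BLOCK
    return xor(plaintext, keystream(key, nonce, nblocks))


def predict_ciphertext(known_plain: bytes, known_cipher: bytes, other_plain: bytes) -> bytes:
    """Keystream reuse: known_plain XOR known_cipher is the keystream itself, so
    any other plaintext under the same key/nonce has a predictable ciphertext
    (and any other ciphertext is decryptable) without knowing the key."""
    return xor(other_plain, xor(known_plain, known_cipher))


def layout_zero_padded(secret: bytes):
    """21-byte secret as two blocks: first 16 bytes, then last 5 + zero padding."""
    return secret[:BLOCK], secret[BLOCK:] + b"\x00" * (2 * BLOCK - len(secret))


def layout_chained(secret: bytes):
    """Same, but the padded second block is XORed with the first block."""
    p1, p2 = layout_zero_padded(secret)
    return p1, xor(p2, p1)


LAYOUTS = {"zero-padded": layout_zero_padded, "chained": layout_chained}


def identify_layout(secret: bytes, observed_enc: bytes, known_dec: bytes, known_enc: bytes):
    """For each candidate layout, predict the 32-byte encrypted secret from the
    known plaintext/ciphertext pair that shares its keystream, and return the
    name of the layout whose prediction matches the observation (else None)."""
    for name, layout in LAYOUTS.items():
        p1, p2 = layout(secret)
        predicted = (predict_ciphertext(known_dec[:BLOCK], known_enc[:BLOCK], p1)
                     + predict_ciphertext(known_dec[BLOCK:], known_enc[BLOCK:], p2))
        if predicted == observed_enc:
            return name
    return None


def demo(layout_name: str = "chained", nonce: bytes = TOY_NONCE):
    """Encrypt the device key and the secret under one (reused) keystream, then
    recover the secret's layout from the ciphertexts alone. Passing a different
    nonce for the secret breaks the reuse and the check returns None."""
    device_key_enc = ctr_encrypt(TOY_KEY, TOY_NONCE, DEVICE_KEY_DEC)
    p1, p2 = LAYOUTS[layout_name](SECRET21)
    secret_enc = ctr_encrypt(TOY_KEY, nonce, p1 + p2)
    return identify_layout(SECRET21, secret_enc, DEVICE_KEY_DEC, device_key_enc)


if __name__ == "__main__":
    print("recovered layout:", demo("chained"))       # chained
    print("recovered layout:", demo("zero-padded"))   # zero-padded
    print("fresh nonce:", demo("chained", b"\xbb" * 16))  # None
```

The last call shows the mitigation in the same terms: once each stored value gets its own nonce (or, better, a key-wrap or authenticated-encryption construction instead of raw CTR), the known pair no longer says anything about the other ciphertext, and the layout check fails as it should.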