PlayStation 3

candela · 20th March 2018, 21:12

As we all know, a long time ago the PS3 was hacked and its bluray device keys and host certificate were leaked. The device keys decrypt discs up to MKBv30 and host certificate FFFF80000039 was revoked in MKBv32. The device keys are in the latest KEYDB.cfg but are incorrectly listed as processing keys

Code:

| PK | 0x810827A76E5B2CC1685E3217A23E2186 ; DK_V01-V12
| PK | 0x44145A846F19D096F2C84A2E50C5C4F5 ; DK_V14-V16
| PK | 0xEB55A475080FBCF18534EFA0839A7373 ; DK_V17-V19
| PK | 0xFB4AC39009E82113D45ECF4B7EAEA467 ; DK_V20-V21
| PK | 0x8BF4FBD91A7FB7DB8576D1E5A15A8544 ; DK_V23-V28

This means libaacs cannot use these keys. Although they are not needed (they can be used to calculate the processing keys that are also in KEYDB.cfg) I tried to make them work in VLC. With the libaacs source code, some trial and error, and info on the PS3DevWiki I've managed to convert them to the correct KEYDB format for device keys.

Code:

| DK | DEVICE_KEY 0x810827A76E5B2CC1685E3217A23E2186 | DEVICE_NODE 0x0389 | KEY_UV 0x00000100 | KEY_U_MASK_SHIFT 0x17
| DK | DEVICE_KEY 0x44145A846F19D096F2C84A2E50C5C4F5 | DEVICE_NODE 0x0389 | KEY_UV 0x00000280 | KEY_U_MASK_SHIFT 0x09
| DK | DEVICE_KEY 0xEB55A475080FBCF18534EFA0839A7373 | DEVICE_NODE 0x0389 | KEY_UV 0x00000340 | KEY_U_MASK_SHIFT 0x08
| DK | DEVICE_KEY 0xFB4AC39009E82113D45ECF4B7EAEA467 | DEVICE_NODE 0x0389 | KEY_UV 0x00000384 | KEY_U_MASK_SHIFT 0x07
| DK | DEVICE_KEY 0x8BF4FBD91A7FB7DB8576D1E5A15A8544 | DEVICE_NODE 0x0389 | KEY_UV 0x00000384 | KEY_U_MASK_SHIFT 0x05

I'm not sure the device node is correct, also 0x0388 and higher seems to work but I got the 0x389 from the PS3DevWiki command:

Code:

./aacs_proc_key -n 0x389 -k ps3_device_keys -u ps3_device_key_u_masks_uvs mkbs/MKB_RW_v3.inf

Then I noticed the following in the PS3DevWiki commands: "ps3_device_keys" and "ps3_device_key_u_masks_uvs". I found these 2 files on github and they turn out to be 2 binary files:
- ps3_device_keys: contains 253 DEVICE_KEY (=253x16bytes)
- ps3_device_key_u_masks_uvs: contains 253 KEY_U_MASK_SHIFT + KEY_UV (=253x5 bytes) corresponding to the 253 device keys

Nothing we didn't know but then I found another AACS section on PS3DevWiki with a mysterious pastebin link [Another decrypted arrays with this key]

The pastebin post contains 3 arrays:
- array1 = ?
- array2 = looks like an updated version of ps3_device_key_u_masks_uvs (253x5 bytes, same format just some updated values)
- array3 = host certificate CFFFF80000146 which was revoked in MKBv58

Since the private key for this new host certificate was later posted here and array2 seems to be new uv data, I'm wondering if the PS3 device keys were found a second time. Those should work until around MKBv58 when the host certificate was revoked.

However, they are not in array1. As far as I understand there should always be 253 keys which isn't the case. I also tried to use array1 with aacskeys which doesn't require the uv data but it doesn't work with any MKB version I tried.

Anyone have an idea what array1 might be or if there is any updated version of the file ps3_device_keys floating around? Or is it a dead end?

20th March 2018, 21:12	#1 \| Link
candela Registered User Join Date: Jun 2005 Posts: 259	PlayStation 3 As we all know, a long time ago the PS3 was hacked and its bluray device keys and host certificate were leaked. The device keys decrypt discs up to MKBv30 and host certificate FFFF80000039 was revoked in MKBv32. The device keys are in the latest KEYDB.cfg but are incorrectly listed as processing keys Code: \| PK \| 0x810827A76E5B2CC1685E3217A23E2186 ; DK_V01-V12 \| PK \| 0x44145A846F19D096F2C84A2E50C5C4F5 ; DK_V14-V16 \| PK \| 0xEB55A475080FBCF18534EFA0839A7373 ; DK_V17-V19 \| PK \| 0xFB4AC39009E82113D45ECF4B7EAEA467 ; DK_V20-V21 \| PK \| 0x8BF4FBD91A7FB7DB8576D1E5A15A8544 ; DK_V23-V28 This means libaacs cannot use these keys. Although they are not needed (they can be used to calculate the processing keys that are also in KEYDB.cfg) I tried to make them work in VLC. With the libaacs source code, some trial and error, and info on the PS3DevWiki I've managed to convert them to the correct KEYDB format for device keys. Code: \| DK \| DEVICE_KEY 0x810827A76E5B2CC1685E3217A23E2186 \| DEVICE_NODE 0x0389 \| KEY_UV 0x00000100 \| KEY_U_MASK_SHIFT 0x17 \| DK \| DEVICE_KEY 0x44145A846F19D096F2C84A2E50C5C4F5 \| DEVICE_NODE 0x0389 \| KEY_UV 0x00000280 \| KEY_U_MASK_SHIFT 0x09 \| DK \| DEVICE_KEY 0xEB55A475080FBCF18534EFA0839A7373 \| DEVICE_NODE 0x0389 \| KEY_UV 0x00000340 \| KEY_U_MASK_SHIFT 0x08 \| DK \| DEVICE_KEY 0xFB4AC39009E82113D45ECF4B7EAEA467 \| DEVICE_NODE 0x0389 \| KEY_UV 0x00000384 \| KEY_U_MASK_SHIFT 0x07 \| DK \| DEVICE_KEY 0x8BF4FBD91A7FB7DB8576D1E5A15A8544 \| DEVICE_NODE 0x0389 \| KEY_UV 0x00000384 \| KEY_U_MASK_SHIFT 0x05 I'm not sure the device node is correct, also 0x0388 and higher seems to work but I got the 0x389 from the PS3DevWiki command: Code: ./aacs_proc_key -n 0x389 -k ps3_device_keys -u ps3_device_key_u_masks_uvs mkbs/MKB_RW_v3.inf Then I noticed the following in the PS3DevWiki commands: "ps3_device_keys" and "ps3_device_key_u_masks_uvs". I found these 2 files on github and they turn out to be 2 binary files: - ps3_device_keys: contains 253 DEVICE_KEY (=253x16bytes) - ps3_device_key_u_masks_uvs: contains 253 KEY_U_MASK_SHIFT + KEY_UV (=253x5 bytes) corresponding to the 253 device keys Nothing we didn't know but then I found another AACS section on PS3DevWiki with a mysterious pastebin link [Another decrypted arrays with this key] The pastebin post contains 3 arrays: - array1 = ? - array2 = looks like an updated version of ps3_device_key_u_masks_uvs (253x5 bytes, same format just some updated values) - array3 = host certificate CFFFF80000146 which was revoked in MKBv58 Since the private key for this new host certificate was later posted here and array2 seems to be new uv data, I'm wondering if the PS3 device keys were found a second time. Those should work until around MKBv58 when the host certificate was revoked. However, they are not in array1. As far as I understand there should always be 253 keys which isn't the case. I also tried to use array1 with aacskeys which doesn't require the uv data but it doesn't work with any MKB version I tried. Anyone have an idea what array1 might be or if there is any updated version of the file ps3_device_keys floating around? Or is it a dead end?