Forum: PS3 Linux Discussion - The PS3 Linux Discussion forum contains all the information you are looking for on using Linux on the PS3.



Thread: Decrypt HDD with graf
  

  1. #1 Decrypt HDD with graf 
    Sylphide
    Hello,

    I installed graf's latest kernel and compiled his utils, but I don't understand how to use, for example, ps3dm_sm or ENCDEC to decrypt the HDD or disable HDD encryption.

    I want to decrypt for example /dev/ps3db1 (ps3da and ps3dc seem to be already decrypted). I saw graf managed to mount gameOS with UFS2, but I think he could not mount an encrypted device? He had to decrypt it first? Has anyone tried this?

    Is it possible to disable encryption with the ps3dm/ENCDEC driver, and dump the decrypted PS3 filesystem with dd?

    Thank you for your help and sorry for my English...

  2. #2  
    MikeM64
    When you first boot your PS3, the drive is already decrypted, as the ENCDEC device has been started and initialized. Graf's tools will change the key in the ENCDEC device and you will then get the raw data from the HD (encrypted).

    ps3db is already decrypted when you first start Linux.
    It can be mounted by running
    Code:
    mount -t ufs -o ufstype=ufs2 /dev/ps3db /mnt
    as root.

  3. #3  
    Sylphide
    Thanks a lot!

    So every partition is decrypted? Even GameOS? "fdisk -l" returns many disks and partitions. It is difficult to find any useful information...

    My goal is to get a decrypted File System from PS3. Usually, I would just do "dd if=/dev/ps3db1 of=/home/xx/img.dd" if ps3db is the right disk. Is something like this possible?

  4. #4  
    MikeM64
    There aren't too many disks to choose from with the hd device:

    ps3da is the entire disk
    ps3db is gameos
    ps3dc is for update storage.

    Yea, if you haven't disabled the encryption, then you can easily read the data.

  5. #5  
    Sylphide
    You mean read the data from PS3.

    If I have understood you correctly I cannot read img.dd in Windows 7 for forensic research? The only thing I can do is mount from ps3.

  6. #6  
    MikeM64
    Ah. You can currently only read the data from a PS3 HD with the PS3 that it was used in. There is no way to decrypt the data without that PS3.

  7. #7  
    Sylphide
    Oh OK, I understand a little bit better now.

    Mike, sorry, I have one last question.
    The command to mount gameos works like a charm, I suppose it uses encdec to decrypt the HDD and mount it.

    The dd command does not use encdec, because the output is encrypted (hexdump etc. of the image shows encrypted data: "dd if=/dev/ps3db bs=512 count=1 of=/home/ps3/img.bin"). How can I read decrypted output? Is there a way to dump a decrypted image of gameos using graf's encdec, like the mount command?

    I saw on his wiki that encdec command 0x85 decrypts sectors, but there is no example for this specific command... (Hypervisor Reverse Engineering - PS3Wiki). Maybe a C program could use this 0x85 command (ioctl)...

  8. #8  
    MikeM64
    The dd command will work. I've been using it to test a tool of mine :P.

    Try running
    Code:
    dd if=/dev/ps3db bs=1024 count=1 skip=$((0x10000)) | hexdump -C
    That should get you the superblock of the UFS2 fs. Or get the partition table from ps3da, it will be very easy to tell whether it's decrypted or not.

    Just make sure that you haven't played around with graf's tools too much before starting it (restart your PS3 first).

    There are those commands, but I'm not sure how to use them, and they seem to only be used within the HV internally. Even graf says they cannot be used by ioctl.

  9. #9  
    Sylphide
    Hmm, I am sure I missed an obvious detail.

    Here is my output for your last command: #1867294 - Pastie
    Output for ps3da: #1867300 - Pastie
    2 other commands: #1867305 - Pastie

    Did you customize your kernel config? (I just copied ps3-linux-config to .config and ran make oldconfig) Any modprobe? Other commands before dd?

    Debian is installed on a 30G ext4 partition.

    Sorry to ask so many questions, I really need this decrypted fs.

  10. #10  
    MikeM64
    Nothing missing. You got it right. That is the decrypted fs you're seeing.

    I'm using graf's last kernel and config.
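The "is this dump decrypted?" check discussed in posts #8 to #10, as an added example that is not from any poster in this thread or from graf's tools. It assumes the dump starts at byte 0 of the partition and uses FreeBSD's UFS2 layout (superblock at byte 65536, `fs_magic` 0x19540119 at offset 1372 in a 1376-byte superblock); the function names, the 7.0 entropy threshold and the sample images are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

SBLOCK_UFS2 = 65536         # byte offset of the UFS2 superblock in the partition
SB_SIZE = 1376              # size of the on-disk superblock structure
FS_MAGIC_OFF = 1372         # offset of fs_magic inside the superblock
FS_UFS2_MAGIC = 0x19540119

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, much lower for filesystem metadata."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_dump(image: bytes, entropy_threshold: float = 7.0) -> str:
    """Classify a dump that begins at byte 0 of the partition."""
    sb = image[SBLOCK_UFS2:SBLOCK_UFS2 + SB_SIZE]
    if len(sb) < SB_SIZE:
        return "too-short"
    raw = sb[FS_MAGIC_OFF:FS_MAGIC_OFF + 4]
    # The magic is stored in the byte order of the machine that made the fs.
    if struct.unpack(">I", raw)[0] == FS_UFS2_MAGIC:
        return "ufs2-superblock (big-endian)"
    if struct.unpack("<I", raw)[0] == FS_UFS2_MAGIC:
        return "ufs2-superblock (little-endian)"
    if shannon_entropy(sb) >= entropy_threshold:
        return "high-entropy (likely still encrypted)"
    return "no-ufs2-magic (low entropy, other content)"

def constructed_plain() -> bytes:
    """Constructed sample: zero-filled image with a big-endian UFS2 magic."""
    img = bytearray(SBLOCK_UFS2 + SB_SIZE)
    struct.pack_into(">I", img, SBLOCK_UFS2 + FS_MAGIC_OFF, FS_UFS2_MAGIC)
    return bytes(img)

def constructed_cipherlike() -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for ciphertext."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2100))
    return stream[:SBLOCK_UFS2 + SB_SIZE]

if __name__ == "__main__":
    for name, img in (("plain", constructed_plain()), ("cipherlike", constructed_cipherlike())):
        print(name, "->", classify_dump(img))
```

A dump fed to `classify_dump` has to cover at least the first 65536 + 1376 bytes of the partition, since that is where the superblock is read from.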
