naehrwert: on eEID Cryptography - Modding

By Eartha
at 2012-07-12T09:58
http://nwert.wordpress.com/2012/07/11/eeid-cryptography/
When metldr is encrypted at the factory, a special keyset is set in the
binary before encryption. Later, when an isolated loader is loaded by
metldr, it copies the keyset to LS offset 0x00000. It consists of
eid_root_key and eid_root_iv. To avoid having to use the same key for
all eEID parts, several subkeys are generated from special data called
the individual information seed. These seeds are stored in the metadata
header of isolated modules loaded by isoldr. When isoldr loads a
module, it calls a subroutine that encrypts each seed chunk (0x40
bytes) using eid_root_key and eid_root_iv. Then the so-called
individual infos are passed in registers r7 to r22 (= 0x100 bytes in
total) to the loaded module, where they are used further. Usually
isolated modules have a seed section of 0x100 bytes, but all of them
(except sb_iso_spu_module) are all zeroes except for the first 0x40-byte
chunk. You can, for example, find the recently published EID0 seed in
the metadata section of aim_spu_module. The appliance info manager is used
to get e.g. the target ID or the PSID from EID0. This explains why the
seed can also be found in isoldr directly, since that one checks
EID0 too.
As you can probably imagine, a fair amount of reversing time and
knowledge has gone into finding this, so stop calling us *swearwords*
for not releasing information that could potentially lead to more
piracy, because we think that this would do more harm to the “scene”
than just keeping some information private (for now). Also, I can
only encourage everyone who thinks about us this way or is greedily
demanding that developers/reverse engineers release their stuff to
fire up isoldr in IDA or disassemble it with objdump and try to
reverse all this from start to end. We’ll see who is able to pull
this through on his own...
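A model of the per-module subkey derivation described in the post, added here as an example and not naehrwert's or Sony's code: it assumes AES-256-CBC restarted from eid_root_iv for every 0x40-byte chunk (the post names only the key, IV and chunk size) and uses constructed key, IV and seed values. Beyond the post, it shows why, when chunks 1-3 of the seed section are left zeroed as in most modules, only the first chunk actually varies the individual infos handed over in r7..r22.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const (
	seedSectionSize = 0x100 // individual information seed section in the metadata header
	seedChunkSize   = 0x40  // isoldr encrypts the section one 0x40-byte chunk at a time
	regSize         = 16    // one SPU register is 16 bytes; r7..r22 carry the 0x100 bytes
)

// IndivInfo is the derived 0x100 bytes laid out as the 16 registers r7..r22.
type IndivInfo [16][regSize]byte

// deriveIndivInfo models the isoldr subroutine: each 0x40-byte seed chunk is
// encrypted under eid_root_key / eid_root_iv; the 0x100 bytes reach the loaded
// module in r7..r22. ASSUMPTION: AES-256-CBC restarted from eid_root_iv per chunk
// (the post names only key, IV, chunk size), so zero chunks match across modules.
func deriveIndivInfo(rootKey, rootIV, seeds []byte) (IndivInfo, error) {
	var out IndivInfo
	if len(rootKey) != 32 || len(rootIV) != aes.BlockSize || len(seeds) != seedSectionSize {
		return out, fmt.Errorf("need 32-byte key, 16-byte iv, 0x100-byte seeds")
	}
	block, _ := aes.NewCipher(rootKey) // key length already validated above
	buf := make([]byte, seedSectionSize)
	for off := 0; off < seedSectionSize; off += seedChunkSize {
		cbc := cipher.NewCBCEncrypter(block, rootIV) // fresh IV per chunk (assumption)
		cbc.CryptBlocks(buf[off:off+seedChunkSize], seeds[off:off+seedChunkSize])
	}
	for i := range out {
		copy(out[i][:], buf[i*regSize:(i+1)*regSize])
	}
	return out, nil
}

func main() {
	// Constructed sample values; the real eid_root_key / eid_root_iv are not on the page.
	rootKey := []byte("0123456789abcdef0123456789abcdef")
	rootIV := []byte("constructed-iv!!")
	seeds := make([]byte, seedSectionSize) // zero except chunk 0, as in aim_spu_module
	copy(seeds, "constructed EID0-style seed chunk")
	info, err := deriveIndivInfo(rootKey, rootIV, seeds)
	if err != nil {
		panic(err)
	}
	fmt.Printf("r7..r22 = %x\n", info)
}
```

Because the CBC state restarts from the IV for every chunk, the three zero chunks of any such module encrypt to the same 0x40 bytes, so r11..r22 are identical across modules and carry no per-module diversity.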
Tags:
Modding