1 /*+-----------------------------+*/
3 /*|decrypt algos by flatz |*/
5 /*|GPL v3, DO NOT USE IF YOU |*/
6 /*|DISAGREE TO RELEASE SRC :P |*/
7 /*+-----------------------------+*/
19 // !!!---- IMPORTANT FOR FWRITE FILES > 2GB ON 32BIT SYSTEMS ----!!!
20 // add -D"_LARGEFILE64_SOURCE"
21 // and -D"_FILE_OFFSET_BITS=64"
23 // !!!-----------------------------------------------------------!!!
25 #define PS2_META_SEGMENT_START 1
26 #define PS2_DATA_SEGMENT_START 2
27 #define PS2_DEFAULT_SEGMENT_SIZE 0x4000
28 #define PS2_META_ENTRY_SIZE 0x20
30 #define PS2_VMC_ENCRYPT 1
31 #define PS2_VMC_DECRYPT 0
34 void ps2_encrypt_image(char mode
[], char image_name
[], char data_file
[], char real_out_name
[], char CID
[]);
35 void ps2_decrypt_image(char mode
[], char image_name
[], char meta_file
[], char data_file
[]);
36 void ps2_crypt_vmc(char mode
[], char vmc_path
[], char vmc_out
[], u8 root_key
[], int crypt_mode
);
37 static void build_ps2_header(u8
* buffer
, int npd_type
, char content_id
[], char filename
[], s64 iso_size
);
41 u8 ps2_per_console_seed
[] = { 0xD9, 0x2D, 0x65, 0xDB, 0x05, 0x7D, 0x49, 0xE1, 0xA6, 0x6F, 0x22, 0x74, 0xB8, 0xBA, 0xC5, 0x08 };
43 u8 ps2_key_cex_meta
[] = { 0x38, 0x9D, 0xCB, 0xA5, 0x20, 0x3C, 0x81, 0x59, 0xEC, 0xF9, 0x4C, 0x93, 0x93, 0x16, 0x4C, 0xC9 };
44 u8 ps2_key_cex_data
[] = { 0x10, 0x17, 0x82, 0x34, 0x63, 0xF4, 0x68, 0xC1, 0xAA, 0x41, 0xD7, 0x00, 0xB1, 0x40, 0xF2, 0x57 };
45 u8 ps2_key_cex_vmc
[] = { 0x64, 0xE3, 0x0D, 0x19, 0xA1, 0x69, 0x41, 0xD6, 0x77, 0xE3, 0x2E, 0xEB, 0xE0, 0x7F, 0x45, 0xD2 };
47 u8 ps2_key_dex_meta
[] = { 0x2B, 0x05, 0xF7, 0xC7, 0xAF, 0xD1, 0xB1, 0x69, 0xD6, 0x25, 0x86, 0x50, 0x3A, 0xEA, 0x97, 0x98 };
48 u8 ps2_key_dex_data
[] = { 0x74, 0xFF, 0x7E, 0x5D, 0x1D, 0x7B, 0x96, 0x94, 0x3B, 0xEF, 0xDC, 0xFA, 0x81, 0xFC, 0x20, 0x07 };
49 u8 ps2_key_dex_vmc
[] = { 0x30, 0x47, 0x9D, 0x4B, 0x80, 0xE8, 0x9E, 0x2B, 0x59, 0xE5, 0xC9, 0x14, 0x5E, 0x10, 0x64, 0xA9 };
51 u8 ps2_iv
[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
53 u8 fallback_header_hash
[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
55 u8 npd_omac_key2
[] = {0x6B,0xA5,0x29,0x76,0xEF,0xDA,0x16,0xEF,0x3C,0x33,0x9F,0xB2,0x97,0x1E,0x25,0x6B};
56 u8 npd_omac_key3
[] = {0x9B,0x51,0x5F,0xEA,0xCF,0x75,0x06,0x49,0x81,0xAA,0x60,0x4D,0x91,0xA5,0x4E,0x97};
57 u8 npd_kek
[] = {0x72,0xF9,0x90,0x78,0x8F,0x9C,0xFF,0x74,0x57,0x25,0xF0,0x8E,0x4C,0x12,0x83,0x87};
60 u8 eid_root_key
[0x30];
64 static void set_ps2_iv(u8 iv
[])
66 memcpy(iv
, ps2_iv
, 0x10);
70 static void build_ps2_header(u8
* buffer
, int npd_type
, char content_id
[], char filename
[], s64 iso_size
)
75 u8 test_hash
[] = { 0xBF, 0x2E, 0x44, 0x15, 0x52, 0x8F, 0xD7, 0xDD, 0xDB, 0x0A, 0xC2, 0xBF, 0x8C, 0x15, 0x87, 0x51 };
77 wbe32(buffer
, 0x50533200); // PS2\0
78 wbe16(buffer
+ 0x4, 0x1); // ver major
79 wbe16(buffer
+ 0x6, 0x1); // ver minor
80 wbe32(buffer
+ 0x8, npd_type
); // NPD type XX
81 wbe32(buffer
+ 0xc, type
); // type
83 wbe64(buffer
+ 0x88, iso_size
); //iso size
84 wbe32(buffer
+ 0x84, PS2_DEFAULT_SEGMENT_SIZE
); //segment size
86 strncpy(buffer
+ 0x10, content_id
, 0x30);
88 u8 npd_omac_key
[0x10];
90 for(i
=0;i
<0x10;i
++) npd_omac_key
[i
] = npd_kek
[i
] ^ npd_omac_key2
[i
];
92 get_rand(buffer
+ 0x40, 0x10); //npdhash1
93 //memcpy(buffer + 0x40, test_hash, 0x10);
95 int buf_len
= 0x30+strlen(filename
);
96 char *buf
= (char*)malloc(buf_len
+1);
97 memcpy(buf
, buffer
+ 0x10, 0x30);
98 strcpy(buf
+0x30, filename
);
99 aesOmacMode1(buffer
+ 0x50, buf
, buf_len
, npd_omac_key3
, sizeof(npd_omac_key3
)*8); //npdhash2
101 aesOmacMode1(buffer
+ 0x60, (u8
*)(buffer
), 0x60, npd_omac_key
, sizeof(npd_omac_key
)*8); //npdhash3
106 void ps2_decrypt_image(char mode
[], char image_name
[], char meta_file
[], char data_file
[])
112 u8 ps2_data_key
[0x10];
113 u8 ps2_meta_key
[0x10];
123 int num_child_segments
;
126 in
= fopen(image_name
, "rb");
127 meta_out
= fopen(meta_file
, "wb");
128 data_out
= fopen(data_file
, "wb");
131 read
= fread(header
, 256, 1, in
);
132 segment_size
= be32(header
+ 0x84);
133 data_size
= be64(header
+ 0x88);
134 num_child_segments
= segment_size
/ PS2_META_ENTRY_SIZE
;
136 printf("segment size: %x\ndata_size: %lx\n\n", segment_size
, data_size
);
139 data_buffer
= malloc(segment_size
*num_child_segments
);
140 meta_buffer
= malloc(segment_size
);
143 if(strcmp(mode
, "cex") == 0)
147 aes128cbc_enc(ps2_key_cex_data
, iv
, klicensee
, 0x10, ps2_data_key
);
148 aes128cbc_enc(ps2_key_cex_meta
, iv
, klicensee
, 0x10, ps2_meta_key
);
152 aes128cbc_enc(ps2_key_dex_data
, iv
, klicensee
, 0x10, ps2_data_key
);
153 aes128cbc_enc(ps2_key_dex_meta
, iv
, klicensee
, 0x10, ps2_meta_key
);
158 fseek(in
, segment_size
, SEEK_SET
);
160 while(read
= fread(meta_buffer
, 1, segment_size
, in
))
163 aes128cbc(ps2_meta_key
, iv
, meta_buffer
, read
, meta_buffer
);
164 fwrite(meta_buffer
, read
, 1, meta_out
);
167 read
= fread(data_buffer
, 1, segment_size
*num_child_segments
, in
);
168 for(i
=0;i
<num_child_segments
;i
++)
169 aes128cbc(ps2_data_key
, iv
, data_buffer
+(i
*segment_size
), segment_size
, data_buffer
+(i
*segment_size
));
170 if(data_size
>= read
)
171 fwrite(data_buffer
, read
, 1, data_out
);
173 fwrite(data_buffer
, data_size
, 1, data_out
);
188 void ps2_encrypt_image(char mode
[], char image_name
[], char data_file
[], char real_out_name
[], char CID
[])
193 u8 ps2_data_key
[0x10];
194 u8 ps2_meta_key
[0x10];
207 u32 num_child_segments
= 0x200;
208 u32 segment_number
= 0;
211 in
= fopen(image_name
, "rb");
212 data_out
= fopen(data_file
, "wb");
215 segment_size
= PS2_DEFAULT_SEGMENT_SIZE
;
216 fseeko(in
, 0, SEEK_END
);
217 data_size
= ftello(in
);
218 fseeko(in
, 0, SEEK_SET
);
220 printf("segment size: %x\ndata_size: %lx\nCID: %s\niso %s\nout file: %s\n", segment_size
, data_size
, CID
, image_name
, data_file
);
223 data_buffer
= malloc(segment_size
* 0x200);
224 meta_buffer
= malloc(segment_size
);
225 ps2_header
= malloc(segment_size
);
226 memset(ps2_header
, 0, segment_size
);
229 if(strcmp(mode
, "cex") == 0)
233 aes128cbc_enc(ps2_key_cex_data
, iv
, klicensee
, 0x10, ps2_data_key
);
234 aes128cbc_enc(ps2_key_cex_meta
, iv
, klicensee
, 0x10, ps2_meta_key
);
238 aes128cbc_enc(ps2_key_dex_data
, iv
, klicensee
, 0x10, ps2_data_key
);
239 aes128cbc_enc(ps2_key_dex_meta
, iv
, klicensee
, 0x10, ps2_meta_key
);
243 //write incomplete ps2 header
244 build_ps2_header(ps2_header
, 2, CID
, real_out_name
, data_size
);
245 fwrite(ps2_header
, segment_size
, 1, data_out
);
248 //write encrypted image
249 while(read
= fread(data_buffer
, 1, segment_size
*num_child_segments
, in
))
252 if(read
!= (segment_size
*num_child_segments
))
254 num_child_segments
= (read
/ segment_size
);
255 if((read
% segment_size
) > 0)
256 num_child_segments
+= 1;
259 memset(meta_buffer
, 0, segment_size
);
261 //encrypt data and create meta
262 for(i
=0;i
<num_child_segments
;i
++)
264 aes128cbc_enc(ps2_data_key
, iv
, data_buffer
+(i
*segment_size
), segment_size
, data_buffer
+(i
*segment_size
));
265 sha1(data_buffer
+(i
*segment_size
), segment_size
, meta_buffer
+(i
*PS2_META_ENTRY_SIZE
));
266 wbe32(meta_buffer
+(i
*PS2_META_ENTRY_SIZE
)+0x14, segment_number
);
271 aes128cbc_enc(ps2_meta_key
, iv
, meta_buffer
, segment_size
, meta_buffer
);
273 //write meta and data
274 fwrite(meta_buffer
, segment_size
, 1, data_out
);
275 fwrite(data_buffer
, segment_size
*num_child_segments
, 1, data_out
);
277 memset(data_buffer
, 0, segment_size
*num_child_segments
);
280 //finalize ps2_header
281 // - wtf is between signature and first segment?
292 void ps2_crypt_vmc(char mode
[], char vmc_path
[], char vmc_out
[], u8 root_key
[], int crypt_mode
)
298 u8 ps2_vmc_key
[0x10];
301 int segment_size
, data_size
;
308 segment_size
= PS2_DEFAULT_SEGMENT_SIZE
;
311 in
= fopen(vmc_path
, "rb");
312 data_out
= fopen(vmc_out
, "wb");
315 data_buffer
= malloc(segment_size
);
318 if(strcmp(mode
, "cex") == 0)
320 aes256cbc_enc(root_key
, root_key
+0x20, ps2_per_console_seed
, 0x10, iv
);
321 memcpy(ps2_vmc_key
, ps2_key_cex_vmc
, 0x10);
323 aes256cbc_enc(root_key
, root_key
+0x20, ps2_per_console_seed
, 0x10, iv
);
324 memcpy(ps2_vmc_key
, ps2_key_dex_vmc
, 0x10);
329 while(read
= fread(data_buffer
, 1, segment_size
, in
))
331 //decrypt or encrypt vmc
332 if(crypt_mode
== PS2_VMC_DECRYPT
)
333 aes128cbc(ps2_vmc_key
, ps2_iv
, data_buffer
, read
, data_buffer
);
335 aes128cbc_enc(ps2_vmc_key
, ps2_iv
, data_buffer
, read
, data_buffer
);
336 fwrite(data_buffer
, read
, 1, data_out
);
351 int main(int argc
, char *argv
[])
354 u8
* root_key
= NULL
;
356 printf("\nps2classic\nhttp://gitorious.ps3dev.net/ps2classic\nLicense: GPLv3\n\n");
361 printf("usage:\n\tiso:\n\t\t%s d [cex/dex] [klicensee] [encrypted image] [out data] [out meta]\n", argv
[0]);
362 printf("\t\t%s e [cex/dex] [klicensee] [iso] [out data] [real out name] [CID]\n", argv
[0]);
363 printf("\t\nvmc:\n\t\t%s vd [cex/dex] [vme file] [out vmc] [(eid root key)]\n", argv
[0]);
364 printf("\t\t%s ve [cex/dex] [vmc file] [out vme] [(eid root key)]\n", argv
[0]);
365 printf("\t\nimage tools:\n\t\t%s prepare [image file]\n", argv
[0]);
366 printf("\t\t%s info [image file]\n", argv
[0]);
371 klicensee
= mmap_file(argv
[3]);
373 if(strcmp(argv
[1], "d") == 0)
375 ps2_decrypt_image(argv
[2], argv
[4], argv
[6], argv
[5]);
377 printf("Error: invalid number of arguments for decryption\n");
378 else if(strcmp(argv
[1], "e") == 0)
380 ps2_encrypt_image(argv
[2], argv
[4], argv
[5], argv
[6], argv
[7]);
382 printf("Error: invalid number of arguments for encryption\n");
383 else if(strcmp(argv
[1], "vd") == 0 || strcmp(argv
[1], "ve") == 0)
386 root_key
= mmap_file(argv
[3]);
388 root_key
= malloc(0x30);
389 memset(root_key
, 0, 0x30);
391 printf("Error: invalid number of arguments for vme processing\n");
395 if(strcmp(argv
[1], "vd") == 0)
396 ps2_crypt_vmc(argv
[2], argv
[3], argv
[4], root_key
, PS2_VMC_DECRYPT
);
398 ps2_crypt_vmc(argv
[2], argv
[3], argv
[4], root_key
, PS2_VMC_ENCRYPT
);
402 else if(strcmp(argv
[1], "prepare") == 0 && argc
== 3)
404 prepare_iso(argv
[2]);
406 else if(strcmp(argv
[1], "info") == 0 && argc
== 3)
408 print_ps2image_info(argv
[2]);
411 printf("FAIL: unknown option or wrong number of arguments\n");