SYS2x6 technical details discussion

The whole thing with this is that for ANY cryptographic function passed on to the card or read back from the card which involves decrypted data (for example, in this case it's the KC and KBIT keys for the K file), the data sent or received is supposed to be encrypted with the session key, because in the real environment the IOP never sees any cryptographic data that has been decrypted. The whole point of the session key is to keep the data out of reach of the IOP or anyone eavesdropping on the card slot with a logic analyzer.

KC is the key used to encrypt the contents sectors and KBIT is the key used to decrypt the contents table. Each key is 128 bits long. These two are the 32 bytes at the 0x28 offset of a K file.
 
Is it possible to get the files already packed, so that they only need to be written? Thanks
 
No, because the boot.bin file contains KC/KBIT data specific to the dongle card. That is what I was talking about in the message you replied to.
 
could you explain to me in brief what I have to change and how to do it? I didn't understand anything, sorry
 
Get kelf-tool.exe, either precompiled or compiled yourself, and then put this file named "PS2KEYS.dat" in the root directory of your user profile. You can then use it to decrypt the boot.bin file I posted. This file has the correct keys to decrypt COH boot.bin, but it will only work if it is of the disc type.

Edit: to convert any file to a disc format, just paste these 32 bytes at offset 0x28 of the boot.bin file:
41A9A25013C81C6F3FE0A6E9DCF7CB039DFFF1F2E6D19D2CB83323F47DDB0BF1

Note that this will only work for boot.bin files from COH cards.

Sorry for the question, but why does kelftool tell me that it can't find the dat files? Thanks
 
I thought it was worth it putting this info here:

https://github.com/ps2dev/ps2sdk/blob/master/iop/security/secrman/src/secrman.c#L1141-L1380

This is the Security Dongle authentication routine. It's exactly the same as the one used by retail memory cards with only one diff: the retail card auth has an additional command bc og retail cards use developer and retail magicgate (that command tells the card to use retail magicgate).

The only thing that makes security dongles different is that they use keys based on the arcade magicgate keystores, so only the arcade mechacon can auth those cards.
 
When I added the COH keys to PS3MCA, I noticed that the dongle does not even acknowledge this additional command (because it does not support two keysets like the normal retail memory card does) so it worked either way, the command has no effect on it.

What the command does is tell the memory card to change keyset from DEX to CEX (yes normal memory cards support both DEX and CEX).
 
What I don't understand is why they needed an additional card auth protocol.

After all, the mechacon is the one doing all the security, and the port restrictions are applied on the MCMAN/MCMANO modules (the cnum function).
 
DEX and CEX used different challenge keys because they wanted to make it so that MC-installed KELFs for DEX consoles would not function on CEX consoles and MC-installed KELFs for CEX would not function on DEX consoles... But they still needed the same memory cards to work on both, so it has a command to swap challenge keys, and only CEX issues the swap command.
 