1. ## encrypted harddisk

hi,

i have an encrypted hdd. it is 40 gb large und totally encrypted via an hardware encryption. i dumped the 40 gb and splited the dump into 16 mb chunks. then compressed each chunk with bzip in order to see how compressable the data is. in average each could be reduced by 15 percent.

this confused me somehow. isn't that a sign for a bad encryption ?

second question. if i would now the plaintext of the hdd. for example 40 gb of 0x00, would an plaintext attack be possible without knowing anything about the hardware encryption algorithm ?

I'm very interested in that area to it would be great if somebody can lead me into the right direction ?

regards,

OHPen

2. I would start by trying to find the most about the encryption algo: Do you know its name, it characteristics, the size of the compression blocks? its inner working? Then you could research the internet for known weaknesses and or plain text attacks. The fact that the cyphertext is compressible is a weak clue, there might be repetition, but the pseudo random nature of the cypher may allow some pattern. I would no assume this fact as proof of a weak encryption.

3. @naides: hey, I'm currently playing witht the ps3 harddisk encryption, therefore i don't have a clue what encryption algorithm ist used. probably they designed an own piece of hardware to encrypt the disk.

I just finished a few more test. I dumped the hdd after i got my first ps3 (bought on ebay). when i started to dump the disk the data of the former owner were still there.
i save the dump in my storage.
After that i used the ps3 menu to format the disk securely. i took about 2, 5 hours. i think the hdd was filled with zeros, but im not sure right now. i have to check that again by using linux to zero the disk to be sure.

Just for the fun i compare my first two dumps. what i discovered was pretty interesting and invites to conclude

The first 0x1E bytes of the disk were equal, even after formating the disk.
maybe the first bytes are an key or some kind of header

This is the dump of the first bytes of the disk when i got it from ebay:

Code:
```00000000 C5 48 55 A0 E6 EE 4F 8F 0A C5 63 AD FA C2 0E 52 .HU...O...c....R
00000010 30 FA 16 FA C7 F2 FF 55 FE 31 B5 2F 40 40 52 DA 0......U.1./@@R.
00000020 E2 86 2B 3C 00 D1 2D B1 B8 C4 DE DD E6 EC 12 E3 ..+<..-.........
00000030 6B 31 C0 0A 9E DE 8A 7C 8C 65 1F 85 B7 22 8E 3A k1.....|.e...".:
00000040 9D 8D 1E 8A A6 BD 63 96 14 7D 14 BB EF CF B2 F0 ......c..}......
00000050 E3 E4 10 90 D8 8E 73 94 7A D6 12 CE E8 0C F6 FC ......s.z.......
00000060 52 C7 55 50 8C 61 F2 DE 5E 00 C3 65 AF 54 13 BC R.UP.a..^..e.T..
00000070 65 D1 F9 E8 08 C9 64 F6 7D 77 A7 37 D1 94 0B 91 e.....d.}w.7....
00000080 6E 97 89 3E 17 61 B2 29 BA B7 87 36 C5 51 EC 88 n..>.a.)...6.Q..
00000090 27 BB D9 6B 0E 1B F8 74 EA B6 15 12 C6 E9 6F 19 '..k...t......o.
000000A0 10 48 60 AC 0C 0B AF 50 99 0C 6A 11 7A 09 79 AC .H`....P..j.z.y.
000000B0 97 AD 1F A3 5C B4 15 B4 27 DC DE 6A 2B 16 43 78 ....\...'..j+.Cx
000000C0 01 28 67 E9 7E B6 22 73 D8 30 03 82 78 1E 6B 05 .(g.~."s.0..x.k.
000000D0 0B D4 3C 5D 75 0D 95 BB 83 48 DB D6 B2 C7 93 93 ..<]u....H......
000000E0 37 56 A6 C7 18 0B B4 A4 26 22 C6 7E 6B 02 D9 25 7V......&".~k..%
000000F0 54 E3 F3 4A 3F 4E CA 21 EB 2F E0 A8 91 4C 2D 4F T..J?N.!./...L-O```
and here the snippet of the disk after formating it:

Code:
```00000000 C5 48 55 A0 E6 EE 4F 8F 0A C5 63 AD FA C2 0E 52 .HU...O...c....R
00000010 30 FA 16 FA C7 F2 FF 55 FE 31 B5 2F 40 40 52 DA 0......U.1./@@R.
00000020 9E F3 C6 89 94 FD C6 2A 62 D9 8F 20 3D 1B 14 9B .......*b.. =...
00000030 29 A9 04 C2 1D 08 16 3A 09 15 5E DC AF 1C AC AD )......:..^.....
00000040 F8 70 C4 70 78 48 2F D9 D8 94 90 89 6F D3 DD 42 .p.pxH/.....o..B
00000050 14 BC 08 05 E7 CF 36 C9 A0 80 DA 58 1F C4 D7 7D ......6....X...}
00000060 1D AE 34 E6 AF 03 EF 5E E4 B6 B9 F7 E2 5F 9A 9F ..4....^....._..
00000070 1D B4 D4 81 7D 48 8B C5 D8 FB 82 BE E7 A6 62 FB ....}H........b.
00000080 0E 4B 8E 21 D6 7B E5 47 03 F9 6D 4B FF 35 05 91 .K.!.{.G..mK.5..
00000090 41 92 5E 41 C1 24 73 46 E0 27 6A A4 3B AC 14 D0 A.^A.\$sF.'j.;...
000000A0 1D 80 C5 EF DE 19 7A 82 2E A8 7D 95 96 78 76 F6 ......z...}..xv.
000000B0 1F 9C 01 A0 A6 BF 37 E7 06 C5 11 20 09 3F 33 B6 ......7.... .?3.
000000C0 76 58 B0 AE 10 3F F4 AA 34 B7 DB 42 3E 31 9F 10 vX...?..4..B>1..
000000D0 BD BA AD 23 A1 7C B3 3B 41 79 30 7C C4 13 60 EC ...#.|.;Ay0|..`.
000000E0 48 B0 35 47 C6 B8 7E FF 55 E7 34 97 5C EC F1 FC H.5G..~.U.4.\...
000000F0 6A F1 34 C0 B6 33 0D 4D 2F F5 C1 B9 BC D7 5F CE j.4..3.M/....._.```
As you can see the first 1F bytes are equal and the rest is completly different.

Apparently i mad a failure while trying to compress the data of the dump. I told you that i was able reduce the size of the part by 15 %. this is no longer true. i made more tests and i was able to compress the first gb of each dump to 4,4 MB ( right MB no GB). Strange thing, because this is really huge compression percentage for non text in my opinion.

What do you think about it ?

Regards,

OHPen

4. If you are correct, that is a whopping 99% compression!!
If that is the case you should be able to see a repetitive pattern, chances are some power of 2 in size: 256, 512?

I suggest an experiment: Open one of those first Gb in a good hex editor, able to handle files of that size comfortably.
Pick a non trivial number of bytes 16, 32? at random, not near the beginning or the end of the files (That is where the headers and epilogues are placed). then search for all occurrences of the byte pattern in the cyphertext. See any thing regular???

Is there anyway that you could "feed" the encryption machine a file of your choosing? a couple of megabytes of "12121212" repetitions?

5. @naides: i will try that searching for a number but i dont see what this will prove ?

regarding the experiment with the file, that should be possible
because you can download stuff from the inet. i will try that too, but shouldn't be my experiment with the zero filled hdd do it as well ?

6. here we go with the third dump:

Code:
```00000000 C5 48 55 A0 E6 EE 4F 8F 0A C5 63 AD FA C2 0E 52 .HU...O...c....R
00000010 30 FA 16 FA C7 F2 FF 55 FE 31 B5 2F 40 40 52 DA 0......U.1./@@R.
00000020 9E F3 C6 89 94 FD C6 2A 62 D9 8F 20 3D 1B 14 9B .......*b.. =...
00000030 29 A9 04 C2 1D 08 16 3A 09 15 5E DC AF 1C AC AD )......:..^.....
00000040 F8 70 C4 70 78 48 2F D9 D8 94 90 89 6F D3 DD 42 .p.pxH/.....o..B
00000050 14 BC 08 05 E7 CF 36 C9 A0 80 DA 58 1F C4 D7 7D ......6....X...}
00000060 1D AE 34 E6 AF 03 EF 5E E4 B6 B9 F7 E2 5F 9A 9F ..4....^....._..
00000070 1D B4 D4 81 7D 48 8B C5 D8 FB 82 BE E7 A6 62 FB ....}H........b.
00000080 0E 4B 8E 21 D6 7B E5 47 03 F9 6D 4B FF 35 05 91 .K.!.{.G..mK.5..
00000090 41 92 5E 41 C1 24 73 46 E0 27 6A A4 3B AC 14 D0 A.^A.\$sF.'j.;...
000000A0 1D 80 C5 EF DE 19 7A 82 2E A8 7D 95 96 78 76 F6 ......z...}..xv.
000000B0 1F 9C 01 A0 A6 BF 37 E7 06 C5 11 20 09 3F 33 B6 ......7.... .?3.
000000C0 76 58 B0 AE 10 3F F4 AA 34 B7 DB 42 3E 31 9F 10 vX...?..4..B>1..
000000D0 BD BA AD 23 A1 7C B3 3B 41 79 30 7C C4 13 60 EC ...#.|.;Ay0|..`.
000000E0 48 B0 35 47 C6 B8 7E FF 55 E7 34 97 5C EC F1 FC H.5G..~.U.4.\...
000000F0 6A F1 34 C0 B6 33 0D 4D 2F F5 C1 B9 BC D7 5F CE j.4..3.M/....._.```
this was dump again after formating the harddisk secure again. the result is also pretty interesting. as you can see after writing exactly the same data to disk (in case of secure formating only zeros) the encrypted data is still the same. now i know that there is nothing used like a random seed for the encryption
dunno if it is usefull yet, but its nice to know

7. Must be some block cipher, so that each fixed-size block of 0's would end up being encrypted in the same way (causing the massive compressability). The poster of this thread http://forums.ps2dev.org/viewtopic.php?t=7534 suggests sector sized (512B I suppose) blocks.

Whatever algorithm they're using, it's likely complex enough that bruteforcing won't give you the key anytime soon . It also wouldn't surprise me if every PS3 had a different encryption key to prevent "break one = break all" scenarios.

Still, a highly interesting project.

8. @arc: hey, i will try that too. a friend of mine also have a ps3, he will format the disk for me again. and i will check the dump for equality.
if you are right, the encrypted data will show up different.

as you said. very interesting project

regards,

OHPen

9. Ah, you don't even have to bother doing such a comparison. People have already determined that the key is indeed per-unit:

Originally Posted by http://jeff.bovine.net/PlayStation_3
The PS3 hard disk has been determined to use encryption that is unit-specific and contain many sections of data interleaved with regular regions of encryption. The interleaved portions of encrypted data may serve as digital signature to prevent unexpected modifications to the disk contents.
More research (although without really substantial results) can be found here: http://www.ps3news.com/forums/ps3-hdd-news/ps3-hdd-contents-64646.html
I bet many others have already been hacking around with the hard drive, you should probably find out as much as possible about the current state of things before spending time on finding out things that are already known...

in the meanttime i bought two 20 GB hdds for faster analysis. this will also do it regarding an analysis of the hdd layout.
i'm really suprised that sony offers so much information about the hdd layout. i don't understand why they didn't encrypt the whole disc completly. anyway it will be funny to gather more information

regards,

OHPen

11. another question: what do you think are the first 0x1E bytes. in the ps3dev forum they are talking about a digital signature or something similar, but i don't agree.

if it would be a signature to restrict hdd modification, then it should be different for different data blobs on the disk. i checked this twice and saw that these bytes are unique for my 40 GB, i have to check it for the 20 GB disks as well but i think i know the result. the first bytes will still be the same.

any idea on that ?

12. It might be a cryptographic signature, it might be an information header, or if it is the same for any drive in any PS3 it could just be a (long) magic value to indicate the drive was formatted for PS3 usage... The byte sequence doesn't seem to contain offsets or lengths (no 0 bytes), so imho there's hardly a way to tell what it is without having the actual drive decryption code, seeing as Sony are presumably using a custom, non-public encryption algorithm.

13. Originally Posted by OHPen
another question: what do you think are the first 0x1E bytes
why don't you just overwrite/modify them and plug in the drive? maybe you'll get a meaningful error message

14. If its PS3, maybe you should seek out and PM Yates.

Have Phun

#### Posting Permissions

• You may not post new threads
• You may not post replies
• You may not post attachments
• You may not edit your posts
•