Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering


Archives:

PS3 Notes

December 20th, 2009 by Multimedia Mike

I have been working (and occasionally playing) with my PlayStation 3 recently. I upgraded the 80 GB internal hard drive to a 1/2 TB one. Since I have the old 80 GB HD laying around, of course I have to plug it in and see if there’s anything familiar about the data. It’s a short exploration: As you might suspect, the HD is completely impenetrable. No partition table reported through Linux fdisk. No human-readable strings can be seen when running ‘strings’ over the raw HD sectors. Based on forum postings I have read where one PS3 HD can’t successfully be transplanted to another PS3 (and have all the data accessible; the HD could still be reformatted fresh to work in another PS3), I’m guessing that every sector is encrypted with a key derived at least partially from a unique ID embedded in each console. That’s all the effort I plan to put into this exercise. Next stop for this HD is my Eee PC 701 which is currently struggling to run Ubuntu Linux on a mere 4 GB SSD.

I downloaded a free movie trailer through the PlayStation store. When I inspected the information through the PS3’s XMB menu, the filetype was reported as “MNV”. A little Googling ties this format into the paid content format of the PS3 store. I’m not especially confident about this format since the trailer that I downloaded doesn’t even play correctly on the PS3. The video stutters back and forth, almost as though it’s swapping pairs of frames during playback: 1, 0, 3, 2, 5, 4, 7, 6, etc. The XMB allows me to “backup” this media. This option needs to be distinguished from “copy”, which is sometimes an option. “Copy” implies an unlocked version that can be copied onto removable media and used anywhere. “Backup” implies that it can be copied onto removable media but is still keyed to — and can only be used on — this console. I backed it up and was able to inspect the data on the USB drive. It turns out that the MNV file is still a stock MP4 but with custom DRM. When FFmpeg is aimed at this file, this is the result:

[h264 @ 0x1004000]AVC: nal size -2055117847
[h264 @ 0x1004000]no frame!
[...repeated many times...]
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x1002600]max_analyze_duration reached

Seems stream 0 codec frame rate differs from container frame rate:
 48000.00 (48000/1) -> 23.98 (24000/1001)
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from
 '/Volumes/KINGSTON/PS3/EXPORT/VIDEOBKP/20091220-220733-00000001/20091220-220733-00000001.001':
  Metadata:
    major_brand     : MGSV
    minor_version   : 20842393
    compatible_brands: MGSVmp42isom
  Duration: 00:01:46.64, start: 0.000000, bitrate: 8651 kb/s
    Stream #0.0(und): Video: h264, 2205 kb/s, 23.98 fps, 23.98 tbr, 24k tbn, 48k tbc
    Stream #0.1(eng): Audio: aac, 48000 Hz, stereo, s16, 264 kb/s
    Stream #0.2(eng): Audio: aac, 48000 Hz, 5.1, s16, 395 kb/s
    Stream #0.3(und): Data: mp4s / 0x7334706D, 759552 kb/s
Video pixel format is unknown, stream cannot be decoded

I remember some patches flying around the FFmpeg-devel list recently which would allow the program to print warnings and bail out if it encountered a known DRM scheme. When I shove an Apple-encrypted file through FFmpeg, it doesn’t tell me anything special so I don’t think the patch is in yet. However, FFmpeg should probably detect this type of DRM file as well.

Posted in DRM, Game Hacking | 6 Comments »

6 Responses

  1. Kostya Says:

    Ahem, I don’t think 701 model has enough internal space for HD at all (IIRC they use just flash chip soldered onto motherboard). So it may be an external drive though.

  2. Multimedia Mike Says:

    You might be right. I haven’t found a definitive answer on whether the Eee PC 701’s HD is upgradeable (even though the RAM certainly is, and I’ve upgraded that).

  3. Multimedia Mike Says:

    Ah, here we go: http://en.wikipedia.org/wiki/ASUS_Eee_PC#Specifications

    Eee PC 701 has 4 GB SSD soldered. I guess that saves me the trouble of disassembling. I just need to make that 4 GB stretch farther.

  4. Daniel Says:

    Hey Mike,

    My Windows Media DRM detection patches are in fact in – it’s only the FairPlay (Quicktime) DRM detection patches that Baptiste won’t commit. The patches work fine so you can always grab them from:

    http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/2009-November/077985.html

    If you can put up a small sample or figure out how the DRM could be detected I can write up a small patch for that as well.

  5. bcoudurier Says:

    Don’t be so hard on me :(
    Yes, I’d like a sample to double check, and I will apply the patch.
    Thanks :)

  6. Multimedia Mike Says:

    I have sent some DRM’d samples to the right parties in order to hopefully move this along.