Skip to content

dogtopus/IllegalSecurityChip

Repository files navigation

Illegal Security Chip

This is super illegal even without a proper key. Please DO NOT use it. Otherwise $**y will definitely sue you to death IMMEDIATELY!!!!!!!!!!!!111!!!!

-- S** FUDs

(LOL we somehow got mentioned on psxhax https://www.psxhax.com/threads/ps5tools-added-to-ps5-github-repository-by-skfu-invites-contributors.8264/)

WTF?

This is a JavaCard applet that emulates the A7105 security chip found in PS4 licensed controllers (at APDU level). It signs random challenges (nonce) sent from the host using an on-card RSA 2048 key (DS4Key). When sending the signature back, it also presents some identifying information and the public key (both combined forms DS4ID) to the host.

LIABILITY NOTICE: This applet enables NEITHER controller counterfeiting nor circumventing the PS4 peripheral authentication by default. It is NOT intended to be used for any illegal activities. The word "Illegal" in the project name is a joke in case you didn't get it already. No keys are provided for obvious reasons. Also I am not responsible for anything you will do with this applet.

Card Requirements

The card must satisfy all of the following in order to be able to install and run IllegalSecurityChip:

  • JavaCard API >= 3.0.1 (for Signature.ALG_RSA_SHA_256_PKCS1_PSS)
  • Properly implements Signature.ALG_RSA_SHA_256_PKCS1_PSS (Rare! Most random 3.0.1+ cards don't have this!)
    • Applet installation will fail with random error code (e.g. Applet installation error, unspecified error, condition not satisfied, or the "intended error code" function not supported) depending on the JavaCard implementation if this is not supported.
    • If the card does not support RSA 2048, it might fail with the same "function not supported". However this is much rarer (like who tf still make JavaCards that don't support RSA 2048 in 2020).
  • Approx. 512 bytes of transient memory. (Can be shrunk to just approx. 256 by merging the buffer used in JediIdentity with the top-level applet one)

The only card I came across that has Signature.ALG_RSA_SHA_256_PKCS1_PSS implemented is J3H145, which seems to run JCOP 3.x. However I believe that JCOP 2.4.2 cards like J2D081 should also work since the original A7105 security chip seem to run the exact same OS and also conveniently offers JavaCard API 3.0.1.

It should also be possible to install and run IllegalSecurityChip on a blank JCOP A710x (i.e. A710xCG). However I am unable to source such chip in manageable quantities and thus unable to test.

In short, devices that work and are tested:

Devices that might work but are untested:

  • J3D081 from SmartcardFocus (No longer available on SmartcardFocus)
  • J2D081 (SIM cut) from Aliexpress (if properly pre-personalized which they don't always do. Always ask!) or Futako (T=0)
  • Fidesmo Card v1.0 (J3D145 NFC only) and Fidesmo Card v2.0 (J3H145 NFC only)
  • NXP A710xCG (e.g. on Digi-key)
  • G&D SmartCafe Expert 7.0 Card/Security Dongle
    • https://www.commoncriteriaportal.org/files/epfiles/1028b_pdf.pdf section 8.1.1.2, FCS_COP.1.1/RSA-CRT-SIGN: "The TSF shall perform signature generation in accordance with a specified cryptographic algorithm RSA-CRT and cryptographic key sizes 512 up to 4096 bit that meet the following: scheme 1 of [ISO9796-2] chapter 8, [RSA] (RSASSAPKCS1-v15) chapter 8, [RSASSA-PSS] and [RSA-SHA-RFC2409].")
  • J3R180 from Futako and potentially other places.

Building and Usage

Simply run ant to build after checking out the submodules with git submodule update --init --recursive

To install the applet with GlobalPlatformPro, use:

gp --install IllegalSecurityChip.cap

Personalization Script

IllegalSecurityChip comes with a personalization script under utils/iscctl/. To use it, run

pipenv install

then

pipenv run ./iscctl.py --help

Refer to the built-in help for detailed usage.

NOTE: This applet does not support atomic operations. That is, interrupting all operations that write data to the card (i.e. updating DS4ID/DS4Key and any of their parts) can corrupt the data and make the applet unusable. In this case you might need to run nuke command or reinstantiate the applet via GlobalPlatform. All data saved on the card that belong to this applet will be deleted permanently.

Generating keys on-card

pipenv run ./iscctl.py gen-key

Importing existing DS4Key

pipenv run ./iscctl.py import-ds4key <path-to-ds4key-file>

NOTE: For those who are curious, DS4Key is basically the same format as jedi_cert.bin. Speaking more and the "Illegal" word in our name will no longer be a joke ;-).

Testing authentication

pipenv run ./iscctl.py test-auth [-c path-to-ca] [-p page-size]

This command should also work on A7105 security chip given proper bridge hardware between CCID over USB (or other protocol over other link supported by Microsoft Smart Card Base or pcsclite) and NXP SCI2C.

If page-size is 0, iscctl will try to send/receive the whole challenge/response block in one single extended length APDU. Otherwise it will send/receive in chunks of page-size bytes. It is unknown whether extended length APDU or 0 page-size is actually supported by A7105 security chip so be careful when setting page-size to 0 when running test-auth on A7105. page-size is set to 0x80 by default.

You can optionally specify the Jedi CA with the -c parameter so that iscctl will validate the signature of DS4ID on the card as well.

Changing the DS4ID serial number

pipenv run ./iscctl.py set-serial <new-16-byte-serial-number>

Note that changing the serial number will void the signature and it needs to be re-signed before any future authentications.

DS4ID signing using test CA

If this is not obvious enough: Test CA is only for testing and will NOT work on real PS4 without the 8-minute timeout.

First make sure that you generate the test CA key pair (no certificates needed, just the keys). The keys can be generated by using e.g. OpenSSL and they need to be encoded in plaintext PEM or DER format. Only RSA 2048 is supported since that is what $**y's DS4 authentication scheme was built on.

To sign the DS4ID using the test CA, use

pipenv run ./iscctl.py sign-ds4id -c <your-ca-private-key>