SCE File Format

Technical discussion on the newly released and hard to find PS3.

Pit0711
Posts: 54
Joined: Thu Mar 24, 2005 5:45 am
Location: Old Europe -Germany-

SCE File Format

Post by Pit0711 »

I've found this, maybe interesting
Since the ScanHdd analysis work has cooled off a little bit, I decided to turn my attention to the file format used by $ony. Specifically, I looked at the OtherOS.self and updater.sce files.

Here are some findings:

1. SCE file format has 0x90 bytes of header at the beginning of the file.
2. There is a "SCE\0" magic marker at the beginning of the file.
3. The SCE header length seems to be mentioned at 0x30.
4. The file size is stored as 0x7bf bytes smaller than what it is at 0x40.
5. There IS an ELF image in both files starting at exactly 0x90 bytes into the file (right after the header).
6. ELF image checks out fine except for the following issues:
   1. OS ABI version is of unknown type (0x66)
   2. Segment header table's offset is waaay out of bounds relative to file size (0xDF2548 for the otheros.self file that is only 0x149D07 bytes)
   3. Therefore, we cannot determine what sections exist in the file (.text, .init, .data, etc.)

There seems to be a lot of relative pointers within the file (offset values).

Also, there are file size related values. I have not been able to decipher them yet, help is welcome.

There is a 16 byte block that is exactly the same at the beginning of the ELF section, after (what seems to be) more program header/section header/segment header tables:
Code:

0x627CB180 8AB938E3 2C8C0917 08726A57
open document file: http://www.megaupload.com/de/?d=TOC0ERHL
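
Added example, not part of the post above or of the analysis it quotes: a Python sketch of the checks behind findings 5 and 6, which reads the ELF64 header at 0x90 and reports any header table that falls outside the image. The function names and the sample file are constructed for illustration, reading the 0x66 value from e_ident byte 7 (EI_OSABI) is an assumption, and offsets are compared against the ELF image length rather than the whole file.

```python
import struct

# A few well-known EI_OSABI values from the ELF specification.
KNOWN_OSABI = {0x00: "System V", 0x03: "Linux", 0x09: "FreeBSD"}

def check_embedded_elf(blob: bytes, elf_offset: int = 0x90) -> list:
    """Sanity-check the ELF64 header found at elf_offset; return findings."""
    image = blob[elf_offset:]
    if len(image) < 0x40 or image[:4] != b"\x7fELF":
        return ["no complete ELF header at 0x%X" % elf_offset]
    if image[4] != 2:
        return ["not ELF64; this sketch handles ELF64 only"]
    endian = ">" if image[5] == 2 else "<"   # EI_DATA: 2 means big-endian
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from(endian + "HHIQQQIHHHHHH", image, 0x10)

    findings = []
    if image[7] not in KNOWN_OSABI:
        findings.append("unknown OS ABI 0x%02X" % image[7])
    # A table is usable only if every entry lies inside the image.
    for name, off, entsize, num in (
        ("program header table", e_phoff, e_phentsize, e_phnum),
        ("section header table", e_shoff, e_shentsize, e_shnum),
    ):
        if num and off + entsize * num > len(image):
            findings.append("%s at 0x%X is outside the 0x%X-byte image"
                            % (name, off, len(image)))
    return findings

def build_sample(shoff: int, total_size: int) -> bytes:
    """Constructed test input: 0x90 header bytes followed by an ELF64 header."""
    ident = b"\x7fELF" + bytes([2, 2, 1, 0x66]) + bytes(8)
    ehdr = ident + struct.pack(">HHIQQQIHHHHHH", 2, 21, 1, 0, 0x40, shoff,
                               0, 0x40, 0x38, 1, 0x40, 4, 3)
    body = b"SCE\x00" + bytes(0x8C) + ehdr
    return body + bytes(total_size - len(body))

if __name__ == "__main__":
    # Same offset and file size as quoted in finding 6.2; contents are zeros.
    sample = build_sample(shoff=0xDF2548, total_size=0x149D07)
    for finding in check_embedded_elf(sample):
        print(finding)
```
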
nonomia
Posts: 2
Joined: Wed May 09, 2007 9:31 am

SCE File format

Post by nonomia »

I've tried to find the format using firmware.
Here is the description of file format


TYPICAL HEADER of SCE format file

00000000h  53 43 45 00              Signature 'SCE\0x00'
00000004h  00 00 00 02              xx
00000008h  00 00 00 03              TYPE of SCE File
                                      02 : Application Package
                                      03 : Firmware/System Software
0000000ch  00 00 00 00              xx
00000010h  00 00 00 00 00 00 02 80  length of header
00000018h  00 00 00 00 00 1E 01 10  length of data block

00000280h  00 00 00 03              LOCATION OF FILE/SOFTWARE
00000284h  00 00 00 07              FORMAT
00000288h  00 00 00 00 00 00 00 01  INDEX OF FILE

00000290h  00 01 00 60              VERSION or DATE
00000294h  00 00 00 00              BUILD
00000298h  00 00 00 00 00 1E 00 90  length of code
000002A0h  00 00 00 00 00 1E 00 90  length of code - compressed
000002A8h  00 00 00 00 00 00 00 00
000002B0h  00 00 00 00 00 00 00 00
000002B8h  00 00 00 00 00 00 00 00
000002C0h  00 00 00 00 00 00 00 03
000002C8h  00 00 00 00 00 00 00 40
000002D0h  00 00 00 00 00 00 00 00
000002D8h  00 00 00 00 00 1E 00 90  length of code
000002E0h  00 00 00 00 00 00 00 01
000002E8h  00 00 00 00 00 00 00 01
000002F0h  00 00 00 00 00 00 00 00
000002F8h  00 00 00 00 00 00 00 00



THE DETAIL Information via various format

MASTER HEADER
SIGNATURE 53 43 45 00 'SCE\x00'
xx 00 00 00 02
TYPE 00 00 00 03
    03 firmware/system software
    02 application
xx 00 00 00 00
LENGTH_OF_HEADER 00 00 00 00 00 00 00 00
LENGTH_OF_DATA 00 00 00 00 00 00 00 00

DATA HEADER for TYPE = 2
xx 00 00 00 04
xx 00 00 00 01
xx 00 01 00 00 00 00 00 00
NUMBER_OF_BLOCK 00 00 00 00 ' LENGTH OF BLOCK = 20h
xx 00 00 00 00
xx 00 00 00 00 00 00 00 00

DATA HEADER for TYPE = 3
SECTION 00 00 00 03
FORMAT 00 00 00 07
INDEX 00 00 00 00 00 00 00 01
format 8 00 00 00 00 00 00 0B 8E

FORMAT 7
VERSION_MAJOR 00 01
VERSION_MINOR 00 60
VERSION_BUILD 00 00 00 00
LENGTH_OF_CODE 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_COMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 03
xx 00 00 00 00 00 00 00 40
xx 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_DECOMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00

FORMAT 3 or 4
DATE 20 07 03 25 ' BCD
BUILD 02 50 21 00 ' BCD
LENGTH_OF_CODE 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_COMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 03
xx 00 00 00 00 00 00 00 40
xx 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_DECOMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00

FORMAT 8
DATE 20 07 03 25 ' BCD
BUILD 02 50 21 -- ' BCD
LENGTH_OF_CODE 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_COMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 03
xx 00 00 00 00 00 00 00 40
xx 00 00 00 00 00 00 00 00
LENGTH_OF_CODE_DECOMPRESSED 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 01
xx 00 00 00 00 00 00 00 00
xx 00 00 00 00 00 00 00 00
How are you?
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

I can tell you that the file is signed. So even if you know the format, you can modify it in your own way~

Anyway, happy hacking~
HanSooloo
Posts: 2
Joined: Sat Apr 21, 2007 6:19 am

Re: SCE File format

Post by HanSooloo »

nonomia wrote: I've tried to find the format using firmware.
Here is the description of file format
nonomia,

Your post is very interesting, in that it does not exactly match the OtherOS.self and Updater.sce files. Can you please elaborate on how you derived this information and demonstrate it on a sample file?

Just as an example, you mention that the SCE header length is at offset 0x10 (e.g. 0x280); but my research shows that the header is almost always 0x90 bytes and is mentioned at 0x30 as an Xword (8 bytes).
Are we talking about the same file format? :-)

You can get in touch with me on EFnet IRC (HanSooloo).
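
Added example, not written by anyone in this thread: a Python sketch that probes both header-length locations under discussion (0x10 from nonomia's layout, 0x30 from the OtherOS.self analysis) as big-endian 8-byte values and reports which one is plausible for a given file. The function names are hypothetical and both sample files are constructed; only the offsets and the 0x90 / 0x280 lengths come from the posts.

```python
import struct

SCE_MAGIC = b"SCE\x00"
# Candidate offsets of the 8-byte big-endian header length, per the thread.
CANDIDATES = {"0x10": 0x10, "0x30": 0x30}

def probe_header_length(data: bytes) -> dict:
    """For each candidate offset, report the value read and its plausibility."""
    if len(data) < 0x38 or data[:4] != SCE_MAGIC:
        raise ValueError("not an SCE file or header truncated")
    report = {}
    for label, off in CANDIDATES.items():
        (value,) = struct.unpack_from(">Q", data, off)
        # A header length must be non-zero and cannot exceed the file size.
        in_bounds = 0 < value <= len(data)
        report[label] = {
            "value": value,
            "in_bounds": in_bounds,
            # Only dereference the value once it is known to be in bounds.
            "elf_follows": in_bounds and data[value:value + 4] == b"\x7fELF",
        }
    return report

def make_sample(len_off: int, header_len: int, payload: bytes) -> bytes:
    """Constructed input: header of header_len bytes with its length at len_off."""
    header = bytearray(header_len)
    header[0:4] = SCE_MAGIC
    struct.pack_into(">Q", header, len_off, header_len)
    return bytes(header) + payload

if __name__ == "__main__":
    samples = {
        "self-like (0x90 header, ELF payload)":
            make_sample(0x30, 0x90, b"\x7fELF" + bytes(60)),
        "firmware-like (0x280 header, opaque payload)":
            make_sample(0x10, 0x280, bytes(0x100)),
    }
    for name, blob in samples.items():
        print(name, probe_header_length(blob))
```
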
nonomia
Posts: 2
Joined: Wed May 09, 2007 9:31 am

my analysis

Post by nonomia »

I got data from the analysis of firmware.
I want to suggest reviewing the data at offset 0x08. There are a couple of different data codes, such as 0x00000002, 0x00000003, and 0x00010001.
I guess this code specifies the format of the SCE file,
such as 0x00000002 for application or header, 0x00000003 for firmware/system device, and 0x00010001 for self-extract software.

0x00000002
RL_FOR_PROGRAM.img
RL_FOR_PACKAGE.img

0x00000003
firmware... common format

0x00010001
otheros.self

We have to find a puzzle about hidden 0x200 bytes

When the size of the header is 0x280, the difference between LengthOfData and LengthOfCode is 0x80 only.

Regards
How are you?
ralferoo
Posts: 122
Joined: Sat Mar 03, 2007 9:14 am

Re: my analysis

Post by ralferoo »

nonomia wrote: I got data from the analysis of firmware.
What analysis of the firmware? That comment suggests that somebody has a dumped copy of the firmware somewhere (i.e. RAM/ROM image).

Or do you mean analysis of files from the firmware upgrade tarball? The approaches used are radically different.

My personal suspicion is that the data needs to be decrypted with an AES key in the firmware (or possibly even Sony's CLEF thing, although the PS3 officially predates the release of that). I'd strongly suspect that data file analysis of the encrypted data isn't going to turn up anything particularly useful.

OTOH, there are a couple of interesting files - there are some encrypted XML files in there, which should all start

Code:

<?xml version="1
which is a handy 128-bit sized chunk if a 128-bit cipher is used. :) That said, without knowledge of exactly what cipher is used, attempting cryptanalysis is almost pointless.

Part of the holy grail of hypervisor exploits (at least as far as I see it) is the possibility of working out what cipher is used and possibly even the key too.