Table of Contents

SCSI for DRM stuff on HiMD

Commands

Command A3: Write Crypto Stuff

(This is officially "Send Key", but only on CD/DVD devices…)

00: BYTE  Command byte A3
01: BYTE  unused (might contain LUN)
02: DWORD Object Number
06: BYTE  unused
07: BYTE  Key class - For Sony DRM: BD
08: WORD  Size of cryptographic data
0A: BYTE  key type
0B: BYTE  unused

Command A4: Read Crypto Stuff

(This is officially "Report Key", but only on CD/DVD devices…)

00: BYTE  Command byte A4
01: BYTE  unused, send as Zero (might contain LUN)
02: DWORD Object Number
06: BYTE  unsused
07: BYTE  Key class - For Sony DRM: BD
08: WORD  Size of cryptographic data
0A: BYTE  key type
0B: BYTE  unused

Data formats

even key types imply data transfer to device (using A3 command), whereas odd key types imply data transfer from device (using A4 command)

Generally, all unused fields are sent as zero.

Key type 30: Authentication Token 1

This data packet is sent from the Host to the HiMD device

00: WORD  Length, must be 0012
02: WORD  unsused
04: BYTES 8 bytes "Leaf ID of Host"
0C: BYTES 8 bytes "Nonce from Host"

Key type 31: Authentication Token 2

This data packet is sent from the HiMD device to the Host, the expected length is 43C (i.e. header + 64 keys?)

00: DWORD unknown, maybe length in first WORD
04: BYTES 16 bytes "Disc ID"
14: BYTES 8 bytes "MAC from Device"
1C: BYTES 8 bytes "Leaf ID of Device"
24: BYTES 8 bytes "Nonce from Device"
2C: BYTES The "local EKB of the Device" Starts with its length in 16 byte units - 1

Key type 32: Authentication Token 3

This data packet is sent from the Host to the HiMD device

00: WORD  Length, must be 41A
02: WORD  unused
04: BYTES 8 bytes "MAC from Host"
0C: BYTES The "local EKB of the Host"

Key type 33: ICV from device

This data packet is sent from the HiMD device to the Host (expected length 404) While this packet is never explained in the HiMD Transfer Tool for MAC, it looks suspiciously like the next one, just the other transfer direction.

00: DWORD unknown, length?
04: BYTE  unknown, must be zero
05: BYTE  bit flags. Bits 6,7: encryption type (0=plain, 2=des ecb, 3=des cbc)
                     Bit  5:   MAC flag
                     Bit  4:   DIR flag
06: WORD  length of following data
08: DWORD generation number
0C: BYTES data, length from field 6.
..: BYTES MAC, only present if MAC bit is set. NOT included in length

Key type 34: ICV data to device

This data packet is sent from the Host to the HiMD device

00: WORD  length (must be 404)
02: WORD  unused
04: BYTE  ICV slot number (must be between 0 and 31)
05: BYTE  bit flags, same bits used as in Type 33
06: WORD  length of ICV data
08: DWORD Generation number
0C: BYTES ICV data
XX: BYTES 8 Bytes MAC

Key type 38: secure clock

This data packet is sent to the device

00: BYTE  unused
01: BYTE  constant 0
02: WORD  unused
04: BYTE  unused
05: BYTE  constant 20
06: BYTE  unused
07: BYTE  constant 8
08: DWORD unused
0C: BYTE  unused
0D: BYTE  Seconds
0E: BYTE  Minutes
0F: BYTE  Hour
10: BYTE  Day
11: BYTE  Month
12: BYTE  Year
13: BYTE  unused
14: BYTES MAC

Key type 39: Unique ID

This data packet is sent from the HiMD device to the host (expected length 192 bytes)

00: DWORD unknown, maybe length in first two bytes
04: WORD  "UidCode"
06: BYTE  Version
07: BYTE  Length
08: BYTES Uid Data

Key type 3B: Leaf ID

This data packet is sent from the HiMD device to the host

00: WORD  unknown, length?
02: BYTES 8 Bytes leaf ID

Key type 3D: Disc ID

00: WORD  unknown, length?
02: BYTES 16 bytes disc ID