| himddiskformat [2009/09/30 16:38]  – Fix nested list formatting megadiscman | himddiskformat [2012/01/05 22:55] (current)  – Mention that tracks with variable MPEG version and variable MPEG layer can't be played back megadiscman | 
|---|
| ==== The file mclist0X.hma ==== | ==== The file mclist0X.hma ==== | 
|  |  | 
| The filename "mclist01.hma" obviuosly derives from "MAClist" which is the name of one of the modules in OpenMG. MAC here stands for "Message authentication code" (see [[http://en.wikipedia.org/wiki/Message_authentication_code]]). | The filename "mclist01.hma" obviuosly derives from "MAClist" which is the name of one of the modules in OpenMG. MAC here stands for "Message authentication code" (see [[http://en.wikipedia.org/wiki/Message_authentication_code]]). In this case, the DRM license info of each track is considered a message, and the authenticity of these messages is confirmed by adding a 8-byte field to the track information. The MAC list contains all the MAC values of the different tracks and a master MAC that ties these together into one bundle. | 
|  | Furthermore, the MAC list contains a header that ties the MAC list to a specific "generation" of a specific medium. The generation is increased every time the DRM info changes. | 
|  | The final authentication is done by combining checksums of the medium-specific and the track-specific parts into a master "integrity check value" (ICV) which is stored outside of the FAT file system and only accessible using authenticated and encrypted SCSI commands. | 
|  |  | 
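
Review bot: in the expanded intro, "adding a 8-byte field to the track information" does not say which field holds the MAC, and the track entry layout further down lists two 8-byte fields (MgrCK at 0010 and CMac at 0018). Name the field here so the per-track MAC can be tied to the table. While touching the paragraph, fix "obviuosly" and "a 8-byte" ("an 8-byte").
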
| The contents of "mclist01.hma" are mostly zero, the non-zero part looks like this: | The contents of "mclist01.hma" are mostly zero until DRM protected tracks are uploaded, the non-zero part looks like this: | 
|  |  | 
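
Review bot: "until DRM protected tracks are uploaded" uses "upload" for putting tracks onto the disc, while the track table notes further down use "upload" for the disc-to-PC transfer and "downloading" for the other direction. Use each word for one direction only; "downloaded to the disc" would match the rest of the page. The comma before "the non-zero part" should be a full stop.
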
| <code> | <code> | 
| </code> | </code> | 
|  |  | 
| It contains information for the DRM system Sony employs (mostly for the ATRAC encoded tracks). Most notably, it contains a copy of the disc ID (a master key to derive further encryption keys) which is stored at offset 40h in this file. Probably this field is used to tie the file system image to a specific medium. As the disc ID even changes if the medium formatted, a file system image only works until reformatting the medium and only on this medium. | The MAC list file is divided into three parts. The first 16 bytes are the file header, the next 80 bytes are for disc authentication and the remaining part is for track authentication. Both authentication parts start with an encrypted 3DES key used for authentication, followed by the data to authenticate. To decrypt the authentication key, a master key needs to be used. In the Sony DRM system, these master keys are stored in EKBs, in encrypted form. The disc authentication header contains an indication which EKB (that also means which master key) to use. | 
|  |  | 
|  | <code> | 
|  | 0000 BYTES  magic signature "MLST" | 
|  | 0004 DWORD  unknown purpose | 
|  | 0008 BYTES  8 unknown bytes, always zero, maybe padding. | 
|  |  | 
|  | 0010 BYTES  16 bytes encrypted 3DES key for authenticating the first MAC list part | 
|  | 0020 DWORD  Generation number of the DRM info | 
|  | 0024 BYTES  20 unknown bytes, always zero, maybe padding | 
|  | 0038 DWORD  ID of the EKB used for decrypting the authentication keys | 
|  | 003C DWORD  4 unknown bytes, always zero, maybe padding | 
|  | 0040 BYTES  16 bytes disc ID. This is a copy of the real disc ID stored outside of the file system | 
|  | 0050 BYTES  16 unknown bytes, always zero, maybe padding | 
|  |  | 
|  | 0060 BYTES  16 bytes encrypted 3DES key for authenticating the second MAC list part | 
|  | 0070 BYTES  4000 * 8 bytes MAC values of tracks. Intersting count, as Hi-MD only has 2048 tracks. | 
|  | </code> | 
|  |  | 
| The fields at offset 10h and 60h are presumably encryption keys for 3DES. It's not yet confirmed, whether those are the keys in cleartext or those are the keys in an encrypted form themselves. |  | 
|  |  | 
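
Review bot: the rewrite drops the old paragraph's statement that the disc ID changes whenever the medium is formatted, so that a file system image only works on that medium and only until it is reformatted; the new 0040 row only says the field is a copy of the real disc ID. Keep that consequence, either on the 0040 row or next to the generation number, since it is the practical effect of the binding the new header text describes. Smaller points: the 0000 row gives no length for the "MLST" signature, and "Intersting" is misspelled in the 0070 row.
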
| ==== The file 00010012.hma ==== | ==== The file 00010012.hma ==== | 
| This file contains the "EKB", the enabling key block #00010012. This is the standard key block for HiMD audio. It's the string "EKB" followed by 29 null bytes (making a 32 byte header), and then the contents of the EKB that is also provided in OpenMG as 00010012-umd.EKB. It should never change, but if encrypted payware audio with other EKBs are uploaded, further all-numeric .hma files might appear. | This file contains the "EKB", the enabling key block #00010012. This is the standard key block for HiMD audio. It's the string "EKB" followed by 29 null bytes (making a 32 byte header), and then the contents of the EKB that is also provided in OpenMG as 00010012-umd.EKB. It should never change, but if encrypted payware audio with other EKBs are uploaded, further all-numeric .hma files might appear. | 
|  |  | 
| ==== The Audio-Data File ==== | ==== The Audio Data File ==== | 
|  |  | 
| The audio-data file contains the raw audio-data. | The audio data file contains the raw audio data. | 
|  |  | 
| It is divided into 16k blocks of the following layout | It is divided into 16k blocks of the following layout | 
|  |  | 
| <code> | <code> | 
| 0000 DWORD  Block Type ("LPCM"/"A3D "/"SMPA") | 0000 DWORD  Block Type ("LPCM" for PCM,"A3D " for ATRAC3, "ATX " for ATRAC3+, "SMPA" for MPEG) | 
| 0004 WORD   Number of frames (audio blocks only, zero for completely filled Atrac/PCM blocks) | 0004 WORD   Number of frames (MP3 blocks only, PCM/Atrac blocks have fixed size) | 
| 0006 WORD   "MCode" | 0006 WORD   "MCode" | 
| 0008 WORD   Data size in bytes (for MP3) | 0008 WORD   Data size in bytes (MP3 blocks only) | 
| 000A WORD   Reserved | 000A WORD   Reserved | 
| 000C DWORD  Serial number of block in stream | 000C DWORD  Serial number of block in stream | 
| 0010 BYTES  8 bytes "block seed | 0010 BYTES  PCM/Atrac: Encrypted DES key for the audio data | 
| 0018 BYTES  8 bytes initialization vector | 0018 BYTES  PCM/Atrac: DES CBC initialization vector for the audio data | 
|  |  | 
| 0020 BYTES  up to 3FC0 of encrypted audio data | 0020 BYTES  up to 3FC0 of encrypted audio data (ATRAC never uses all 3FC0 bytes) | 
|  |  | 
| 3FE0 BYTES  8 bytes backup of "block seed" | 3FE0 BYTES  Backup of encrypted key (offset 0010) | 
| 3FE8 BYTES  8 bytes reserved | 3FE8 BYTES  8 bytes reserved | 
| 3FF0 DWORD  backup of Block Type | 3FF0 DWORD  backup of Block Type | 
| 3FF4 WORD   reserved | 3FF4 WORD   reserved | 
| 3FF6 WORD   backup of "MCode" | 3FF6 WORD   backup of "MCode" | 
| 3FF8 DWORD  "Content ID" | 3FF8 DWORD  low order 32 bits of the Content ID | 
| 3FFC DWORD  backup of serial number | 3FFC DWORD  backup of serial number | 
| </code> | </code> | 
|  |  | 
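
Review bot: the rows at 0010, 0018 and 3FE0 lose the explicit "8 bytes" length the old column had, so field sizes now have to be inferred from the next offset. Keep the length in each row, e.g. "8 bytes encrypted DES key". The "PCM/Atrac:" prefix on 0010 and 0018 also leaves open what these bytes hold in "SMPA" blocks; say so, or mark it as unknown.
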
| In case of MP3-audio, the data is XOR encrypted. The key for encryption is created from the DiscID which read/written using special SCSI-commands. | In case of MP3 audio, the data is XOR encrypted. The key for encryption is created from the DiscID which read/written using special SCSI commands. In case of ATRAC/PCM audio, the data is DES CBC encrypted. See below for more info on encryption. | 
|  | Each audio block contains only complete frames. The space in the audio block after the last complete frame is unused - which is especially wasteful for 352kbit/s ATRAC3+, as the frame size is exactly 2K, so 1984 bytes per frame are ignored, i.e. 12% of the block size. | 
|  |  | 
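
Review bot: in the added sentence on unused space, "1984 bytes per frame are ignored" should be per block. With 2K frames, seven frames (3800h bytes) fit in the 3FC0h data area and 1984 bytes are left over once per 16k block, which is what the 12% figure corresponds to. Also, "the DiscID which read/written" is missing "is" in both revisions.
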
| ==== The _MDHIFI.HMA File ==== | ==== The _MDHIFI.HMA File ==== | 
| <code> | <code> | 
| 0000 DWORD   - date of recording (FAT format, 16 bit date, 16 bit time of day) | 0000 DWORD   - date of recording (FAT format, 16 bit date, 16 bit time of day) | 
| 0004 DWORD   + "EkbVersion" (Mac MP3: 0, Mac WAV: 10012; upload requirement: == 10012) | 0004 DWORD   ! "EkbVersion" (Mac MP3: 0, Mac WAV: 10012; upload requirement: == 10012) | 
| 0008 WORD    - Title (string number) | 0008 WORD    - Title (string number) | 
| 000A WORD    - Artist (string number) | 000A WORD    - Artist (string number) | 
| 000E BYTE    - Track number (within Album, not on MD) | 000E BYTE    - Track number (within Album, not on MD) | 
| 000F BYTE    - "Mode" | 000F BYTE    - "Mode" | 
| 0010 8 BYTES + MgrCK (upload requirement: completely zero) | 0010 8 BYTES ! MgrCK (upload requirement: completely zero) | 
| 0018 8 BYTES   CMac | 0018 8 BYTES   CMac | 
| 0020 BYTE    ? CodecId (see below) | 0020 BYTE    - CodecId (see below) | 
| 0021 3 BYTES ? Codec specific info | 0021 3 BYTES - Codec specific info | 
| 0024 WORD    ? Part Number (index into Parts Info Table) | 0024 WORD    - Part Number (index into Parts Info Table) | 
| 0026 WORD    ? Track Number | 0026 WORD    - Track Number | 
| 0028 WORD    ? Total time (units of seconds) | 0028 WORD    + Total time (units of seconds) | 
| 002A BYTE    ? "Lt" (Mac MP3: 10, Mac WAV: 1; upload requirement: == 1) | 002A BYTE    + "Lt" (Mac MP3: 10, Mac WAV: 1; upload requirement: == 1) | 
| 002B BYTE    ? "Dest" (upload requirement: == 1) | 002B BYTE    + "Dest" (upload requirement: == 1) | 
| 002C WORD    + More codec specific info | 002C WORD    + More codec specific info | 
| 002E WORD    + reserved | 002E WORD    + reserved | 
| 0030 20 BYTE + Content ID (for Mac Transferred Data: 02 03 00 00 + 16 random bytes) | 0030 20 BYTE + Content ID (for Mac Transferred Data: 02 03 00 00 + 16 random bytes) | 
| 0044 DWORD   + Start time (FAT format) | 0044 DWORD   + Start of playback license validity (FAT format, or 0 for no restriction) | 
| 0048 DWORD   + End time (FAT format) | 0048 DWORD   + End of playback license validity (FAT format, or 0 for no restriction) | 
| 004C BYTE    + "Xcc" (Mac MP3/WAV: 01; upload requirement: == 03 || == 07) | 004C BYTE    + "Xcc" (Mac MP3/WAV: 01; upload requirement: == 03 || == 07) | 
| 004D BYTE    ? "Ct" | 004D BYTE    + "Ct" | 
| 004E BYTE    ? "Cc" (Mac MP3: 40, Mac WAV: 44; upload requirement: == 08 || == 48) | 004E BYTE    + "Cc" (Mac MP3: 40, Mac WAV: 44; upload requirement: == 08 || == 48) | 
| 004F BYTE    + "Cn" (Mac MP3: 00, Mac WAV: 3) | 004F BYTE    + "Cn" (Mac MP3: 00, Mac WAV: 3) | 
| </code> | </code> | 
|  |  | 
| The +/-/? means: "+" this field influences the MAC. "-" this field does not influence the MAC. "?" we don't know yet. | The +/-/! means: "+" this field is included in MAC calculation. "-" this field does not influence the MAC. "!" this field controls the MAC calculation | 
|  |  | 
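
Review bot: with "?" removed from the legend, the 0018 CMac row is the only one left without a marker. If CMac is the per-track MAC itself, say that in the legend or on the row; otherwise give it one of "+", "-" or "!". Both columns also jump from 000A (WORD) to 000E, leaving 000C-000D undescribed, and the new legend's last sentence lacks its full stop.
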
| "upload requirement" means that the HiMD Transfer Tool for Mac checks the given condition before allowing an upload of a track to the PC. These checks are independent from the track format. "Mac MP3"/"Mac WAV" means that these values are set by the HiMD transfer tool if downloading that type of music. Probably the fields annotated that way are involved in copy controlling. The first entry in the track info table is a dummy entry that contains the number of the first free track in its Track number field. All free entries are chained using that field. | "upload requirement" means that the HiMD Transfer Tool for Mac checks the given condition before allowing an upload of a track to the PC. These checks are independent from the track format. "Mac MP3"/"Mac WAV" means that these values are set by the HiMD transfer tool if downloading that type of music. Probably the fields annotated that way are involved in copy controlling. The first entry in the track info table is a dummy entry that contains the number of the first free track in its Track number field. All free entries are chained using that field. | 
| * 0023 bit field | * 0023 bit field | 
| * 80: Always set | * 80: Always set | 
| * 40: Variable MPEG version | * 40: Variable MPEG version (tracks with this bit set cause "cannot play") | 
| * 20: Variable MPEG Layer | * 20: Variable MPEG Layer (tracks with this bit set cause "cannot play") | 
| * 10: Variable bitrate | * 10: Variable bitrate | 
| * 08: Variable sample rate | * 08: Variable sample rate | 
| {{:himd_encryption.png|Encryption scheme of ATRAC and PCM tracks}} | {{:himd_encryption.png|Encryption scheme of ATRAC and PCM tracks}} | 
|  |  | 
| Red boxes indicate data stored on HiMD, Black boxes indicate "black boxes" - Operations we don't know how they work. For so called "weakly encrypted tracks" the Track key is 0000000000000000, the EKB ID is 00010012 and the fragment keys are 0000000000000000. This information fixes all input parameters to the Track Key Decryption black box. The output of that black box is known from analyzing the Mac software - it is F2266C6464C0D65C. | Red boxes indicate data stored on HiMD, Black boxes indicate "black boxes" - Operations we don't know how they work. For so called "weakly encrypted tracks" the Track key is 0000000000000000, the EKB ID is 00010012 and the fragment keys are 0000000000000000. This information fixes all input parameters to the Key encryption Key. This value is nearly known from analyzing the Mac software - it is F2266C6464C0D65C. As it is used as an DES key, the low bits of each bytes are unknown. | 
|  |  | 
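
Review bot: "This information fixes all input parameters to the Key encryption Key" no longer reads correctly after the rename: the old sentence referred to an operation that takes inputs, the new one to a value. Something like "fixes all inputs from which the key encryption key is derived" would say what is meant. "Nearly known" is also vaguer than the sentence that follows it; DES ignores the low-order bit of each key byte (it is a parity bit), so stating that F2266C6464C0D65C determines all 56 effective key bits would be more precise. Fix "an DES key" and "each bytes" as well.
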
| ==== Fragment keys ==== | ==== Fragment keys ==== |