Sponsored Links

Sponsored Links

Results 1 to 5 of 5



  1. #1
    Senior Member ModderFokker's Avatar
    Join Date
    Mar 2008
    Posts
    281
    Sponsored Links

    First PSP Signed Homebrew is Now Released

    Sponsored Links
    First psp "signed" homebrew..

    Well ok, here it comes. tested on fat PSP with OFW 6.35

    How?
    Simple, notice it contains ~PSP header from demo game (UCES00206), it is exactly same header.
    It is easy to craft last 16 bytes of encrypted data block to match header CMAC - yes, that's the trick

    There are some strange things, it can't run homebrews with bigger executable block (data block does not matter), and because of ~PSP header, it has to match exact size of original game.

    This trick might be possible on firmware kernel modules to get permanent HEN on non-pandrorable PSPs, i was not able to do it but i was not trying that much.

    PS: i am not only one who found this trick
    Yeah i know its not PS3 but the PS3 made it possible due to awesome security

    Source: wololo.net/talk/viewtopic.php?f=5&t=1381&start=150#p20309 and wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715

    PSP Crypto Keys including the 'Kirk' and 'Spock' keys:
    Code:
    Spock cmd 0x09 (Spock's "Master key"): u8 key[16] = 
       {
          0x9F, 0x46, 0xF9, 0xFC, 0xFA, 0xB2, 0xAD, 0x05,
          0x69, 0xF6, 0x88, 0xD8, 0x79, 0x4B, 0x92, 0xBA
       };
    
    Kirk cmd 0x11 key: u8 idskey0[16] = 
    {
       0x47, 0x5E, 0x09, 0xF4, 0xA2, 0x37, 0xDA, 0x9B, 
       0xEF, 0xFF, 0x3B, 0xC0, 0x77, 0x14, 0x3D, 0x8A
    };
    
    
    Kirk cmd 0x12 ECDSA PUB Keys (likely as they are yet to be tested): 
    
        // certSig0
        0x40, 0x04, 0xC8, 0x0B, 0xD9, 0xC8, 0xBA, 0x38,
        0x22, 0x10, 0x65, 0x92, 0x3E, 0x32, 0x4B, 0x5F,
        0x0E, 0xC1, 0x65, 0xED, 0x6C, 0xFF, 0x7D, 0x9F,
        0x2C, 0x42, 0x0B, 0x84, 0xDF, 0xDA, 0x6E, 0x96,
        0xC0, 0xAE, 0xE2, 0x99, 0x27, 0xBC, 0xAF, 0x1E,
         
        // certSig1
        0x06, 0x48, 0x5F, 0xD0, 0x29, 0x85, 0x3B, 0x55,
        0x2F, 0x7E, 0xFD, 0xD6, 0x7A, 0x2D, 0xE7, 0xA1,
        0xA4, 0xE2, 0x55, 0x37, 0xB2, 0x45, 0x9D, 0x87,
        0x86, 0x42, 0x6D, 0x5B, 0x27, 0xEF, 0xA5, 0xA9,
        0x31, 0x1C, 0xB8, 0xAB, 0xAB, 0xFA, 0x0E, 0xCE,
    
        // certSig2
        0x3F, 0x8C, 0x34, 0xF2, 0x10, 0xAE, 0xC4, 0x8E,
        0x15, 0x20, 0xFF, 0x2A, 0x44, 0x89, 0x9E, 0x05,
        0x4A, 0x0D, 0xA3, 0x3D, 0xF8, 0xB9, 0x75, 0x4B,
        0x09, 0xC0, 0xEC, 0x7E, 0x61, 0x86, 0x7A, 0x51,
        0x26, 0xFE, 0x69, 0x26, 0x97, 0x21, 0x96, 0xF5,
        
        // certSig3
        0xCC, 0xB3, 0x44, 0x0D, 0xC4, 0x83, 0x6D, 0xD5,
        0x19, 0xE1, 0x3B, 0x28, 0x05, 0xB3, 0x08, 0x70,
        0xDC, 0xAE, 0xE4, 0x62, 0x13, 0x6B, 0x38, 0x88,
        0x65, 0x1A, 0x98, 0xE0, 0x2B, 0x29, 0xFA, 0x0C,
        0xD3, 0x4F, 0x16, 0x16, 0xF1, 0xED, 0x57, 0x86,
        
        // certSig4
        0x08, 0xB3, 0x36, 0x92, 0x5C, 0x2B, 0x44, 0x5D,
        0x03, 0xA9, 0xBE, 0x51, 0xB9, 0xAA, 0xBF, 0x54,
        0xE4, 0xCC, 0x14, 0x2E, 0xA7, 0x2A, 0x23, 0xBB,
        0x80, 0x60, 0xB0, 0x3B, 0x71, 0xCD, 0xE0, 0x77,
        0x2D, 0xE8, 0x2A, 0xD8, 0x93, 0x16, 0x48, 0xD6,
        
        // certSig5
        0x4F, 0x0A, 0x2B, 0xC9, 0x98, 0x76, 0x40, 0x86,
        0x0E, 0x22, 0xEE, 0x5D, 0x86, 0x08, 0x7C, 0x96,
        0x92, 0x47, 0x0B, 0xDF, 0x59, 0xDC, 0x4C, 0x1F,
        0x2E, 0x38, 0xF9, 0x2C, 0xE7, 0xB6, 0x68, 0x75,
        0xB5, 0x9E, 0xD1, 0x0C, 0x9D, 0x84, 0xFA, 0x6A,
    P.S. None of those keys are on the ps3, don't bother looking there. More keys: [Register or Login to view links]

    For those who wonder, spock cmd 0x09 key is used to decrypt UMD keys stored in idstorage, those keys are then used by spock cmd 0x08 to decrypt the UMD master key (per disc key) Then this key is used in spock cmd 0x0A to decrypt the UMD raw sectors. Each different psp regions seems to have its own sets of UMD keys.

    You can more or less access Spock through lepton's ram (there is some hidden test mode on lepton allowing you to do just this). More on this later If I ever get the time to clean up those sources.

    P.S. Let's hope sony uses kirk cmd 0x12 for the kernel prx ECDSA checks and that they did the same fail as on ps3, would someone be so kind as to check it out ?

    Syntax for kirk cmd 0x11 key:
    Code:
    void GenerateSigncheck(SomeStructure *ss, int *b, u8 *out)
    {
       AES_KEY ctx, ctx2; // sp+0x20
       int i, j;
       u8 sg_key1[0x10], sg_key2[0x10]; // sp, sp+0x10
          
       AES_set_encrypt_key(idskey0, 128, &ctx);
       AES_set_decrypt_key(idskey0, 128, &ctx2);
    
       for (i = 0; i < 16; i++)
       {
          sg_key1[i] = sg_key2[i] = ss->buf1[i % 8];
       }
    
       for (i = 0; i < 3; i++)
       {
          AES_encrypt(sg_key2, sg_key2, &ctx);
          AES_decrypt(sg_key1, sg_key1, &ctx2);
       }
    
       AES_set_encrypt_key(sg_key2, 128, &ctx);
    
       for (i = 0; i < 3; i++)
       {
          for (j = 0; j < 3; j++)
          {
             AES_encrypt(sg_key1, sg_key1, &ctx);
          }
    
          memcpy(out+(i*16), sg_key1, 0x10);      
       }
    
       memcpy(out+0x30, ss->buf1, 8);
       memcpy(out+0x38, b, 4);
    
       P1(out);
    }
    Also below is the PSP Half-Byte loader via Wololo and a video of it in action: wololo.net/talk/viewtopic.php?f=5&t=1381&start=290



    Attached Files Attached Files

  2. #2
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,656
    Sponsored Links
    Sponsored Links
    +Rep for the news ModderFokker, and ya, if it was perhaps a new/signed PSP iSO Loader I'd mainpage it but for now I am moving this to the PSP Forum for discussion.

    We just don't have a big PSP following here, and even in general the PSP scene seems to have died down in recent years as more people moved to PS3 perhaps.

  3. #3
    Registered User mccartercar's Avatar
    Join Date
    Jan 2011
    Posts
    1
    Sponsored Links
    Sponsored Links
    Oh this is very nice progress as concept turns into reality we will see psp/ps3 turned on its head as retail non jb units accept signed homebrew left and right.

    Good Times. After all, It only does everything.

  4. #4
    Registered User whitezombie2000's Avatar
    Join Date
    Sep 2010
    Posts
    1
    Great news! Can't wait to see more!

  5. #5
    Registered User playto's Avatar
    Join Date
    Nov 2010
    Posts
    2
    Good news. I hope some one will come out with a real CFW soon or find a way to get those v3 boards working properly, by properly I mean not through HEN.

 

Sponsored Links
Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News