Following up on the previous updates, today CapetLeVrai shared a video demonstrating PSP game ISOs running on Sony PS3 Firmware 4.41, with details below.
To quote (via Wololo): You might remember the psp2ps3 tools, and all the excitement a few weeks ago around a recent hack breakthrough that allows people to run PSP ISOs (and, potentially, homebrews) on a hacked PS3, by “camouflaging” the game inside a PSP Mini.
Although people believed this trick was reserved for PS3s running a Custom Firmware, this might become an incorrect statement very soon…
I was contacted by scene member CapetLeVrai, who apparently found a way to run those PSP ISOs on a non-hacked PS3 running the latest official firmware 4.41.
The current technique will probably not blow your mind for now, as it requires you to own both a hacked and a non-hacked PS3, but it could open huge opportunities in the near future if the right people decide to look into it. The basic idea is that after being installed on a CFW PS3, the ISO can be transferred to the OFW PS3 through the integrated Data Transfer Utility, and will still run perfectly fine.
How It Works
The PS3 allows you to copy data from one PS3 to another, usually when you want to transfer all your existing content in the case you bought a new PS3. This is done by connecting your two PS3s with an ethernet cable. What CapetLeVrai did, which sounds simple enough but appears to work, was to install the game on his hacked PS3, then copy the entire content of his hacked PS3 to the OFW one with the Data Transfer Utility, and the hacked ISO then simply accepted to run on the OFW PS3.
Please note I haven’t confirmed it myself because I’m beyond lazy and don’t want to lose my OFW PS3's content (copying from your hacked PS3 to your unhacked PS3 will erase the previous content!), but from what I can tell this is legit.
Now, why would it be interesting if this requires a hacked PS3 in the first place? Well, it shows that once installed, the game seems to be able to bypass the standard DRM security checks on OFW that should prevent it from running in the first place. Or, rather, that the hack perfectly tricked the OFW PS3 into believing the game was legally acquired. Which means that if people had a way to run a package installer on official firmware PS3s, there could be a way to install and run PSP ISOs (and, who knows, PSP homebrews) on the latest PS3 Official firmware.
Is it far-fetched? Probably. But exciting? Definitely. Enjoy the video, in French. If you are able to confirm this and post a video on your own, please do credit CapetLeVrai for this discovery, as, as far as I know, nobody else had found that (at least publicly) before him.
From the video's caption: This vulnerability requires a PS3 CFW at least able to install the .pkg file.
I am not a hacker; at least, I do not code, and I do not claim to be a pirate. I am interested in this field and I am getting into it gradually, but I'm still far from finding and exploiting real flaws. This video aims to introduce developers much more qualified than I am to the subject, so they can try to find a solution for users who want to enjoy their PSP games on PS3 OFW (Official Firmware) or via a possible HEN CFW (as far as I know, KaKaRoToKs found a flaw like this...).
For users of DEX consoles (genuine or via CFW, whichever) who want to transfer data to an OFW console:
System mode: Normal
XMB Operation Mode: CEX
Debug Menu Type: CEX QA
LV2 Kernel: CEX
Target Type: CEX
Hello World PSPHomebrew on PS3 By Harryoke
PSP Homebrew on PS3 By Xerpi (YA2D with Controls) Tested by Harryoke
Download: YA2D PSP Library
Homebrew By Xerpi (YA2D PSP Library) Tested by Harryoke
Squares By Xerpi - The First Playable PSP Homebrew Game on PS3. Tested by Harryoke
That's it, thank you very much for watching the video. If you are interested in PlayStation hacking, let me know in the comments and I will make a small series of videos to explain all this technical vocabulary, which ultimately is not that complicated!
Finally, from samson: Also, I found the Kurok source files (bladebattles.com/kurok/files/), harryoke, you were asking for sources.
Wavegen pspsdk sample:
Download: [PSP2PS3] WAVEGEN [Remaster].pkg
No screen output (because it suffers the same problem as the GTA games), but audio and controller work: X to change wave form, push joystick up for higher frequency and down for lower frequency. Do not have the volume too high before starting. Enjoy.
From xxmcvapourxx: KIRK 13 ECDSA
Guys, after months of research and a lot of studying on security, this might help other devs.
Let me explain: lv2_kernel.elf holds the public key; underneath it holds the ECDSA curve.
E6 79 2E 44 6C EB A2 7B CA DF 37 4B 99 50 4F D8 E8 0A DF EB 00 00 00 00 3E 66 DE 73 FF E5 8D 32 91 22 1C 65 01 8C 03 8D 38 22 C3 C9 <--- this is the public key of lv2_kernel.elf
A6 8B ED C3 34 18 02 9C 1D 3C E3 3B 9A 32 1F CC BB 9E 0F 0B = B
ECDSA Curve: D9 AA EB 60 54 30 7F C0 FB 48 8B 15 AE 11 B5 58 C7 5F C8 A3 00 00 00 00 EC 49 07 E1 29 C5 B5 CD 38 6D 94 D8 23 18 B9 D5 58 77 7C 5A 62 7C B1 80 8A B9 38 E3 2C 8C 09 17 08 72 6A 57 9E 25 86 E4
p = FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
KIRK 13 ECDSA point multiplication
Elliptic curve math formula: with NP points on the curve
p = FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
u8 buffer[0x3C];                   /* 0x14-byte scalar + 0x14-byte x + 0x14-byte y */
memcpy(buffer, multiplier, 0x14);  /* scalar k */
memcpy(buffer+0x14, pointx, 0x14); /* input point x */
memcpy(buffer+0x28, pointy, 0x14); /* input point y */
The result is a new point (x and y are each 0x14 bytes long).
To test this, you can call 0xC service and copy the first 0x14 bytes to a new buffer, then copy the Gx and Gy values after that. Calling 0xD with the new buffer will return the values of x and y that were generated by the 0xC call.
This has been updated in the wiki; euss kindly confirmed and helped me. This does not lead to getting private keys, but it's useful for other devs.
Some keys stuff (kirk/psp related)
That is a decrypted SELF found inside emulator_drm.sprx in pspemu. You can look at the keys starting at offset 0x19EA0; from there until 0x19F80 you have the kirk cmd 4/7 keys (already documented in libkirk). At offset 0x1A060 you have the section 0x6 keyseed, and below it some ecdsa stuff (the seed is already documented on the seeds page; the ecdsa stuff, however, isn't). This is for filling up the keys page. It's also good to have a look at.
PS: You can only find the seed on later firmwares. 3.55 and below firmwares do not have that seed.
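As an added example (not code from the post, libkirk or the PS3 firmware), the following pure-Python model reproduces the 0xD buffer layout and the 0xC/0xD round-trip check described above so a developer can sanity-check their own output against it offline. It uses the p and B values quoted in the post; everything else is an assumption and labelled as such in the code: the curve coefficient a = p - 3 (as in libkirk's ec.c, which the post does not list), big-endian 0x14-byte encoding of each value, a base point constructed from a small x because the real generator G is not on the page, and the function names kirk_0xc_model / kirk_0xd_model, which are stand-ins for the hardware services, not real API names.

```python
# Added example: model of KIRK 0xD point multiplication over the buffer layout
# "scalar (0x14) || x (0x14) || y (0x14)" and of the 0xC -> 0xD test procedure.
# Curve: y^2 = x^3 + a*x + b over GF(p), 160-bit values, 0x14 bytes each.
import secrets

P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF  # prime p quoted in the post
B = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B  # "B" quoted in the post
A = P - 3  # ASSUMPTION: a = p - 3 as in libkirk's ec.c; the post does not list a

INFINITY = None  # the point at infinity is represented as None


def _inv(x):
    """Modular inverse via Fermat's little theorem (p is prime)."""
    return pow(x % P, P - 2, P)


def on_curve(pt):
    """True if pt satisfies the curve equation (or is the point at infinity)."""
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition, covering doubling and p2 == -p1."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # inverse points sum to infinity
            return INFINITY
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result = INFINITY
    addend = pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def find_point(x_start=1):
    """Construct a point on the curve (constructed stand-in for G, which is not
    on the page): walk x upward until x^3 + a*x + b is a square. p % 4 == 3, so
    the square root of a residue r is r^((p+1)/4)."""
    x = x_start
    while True:
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        x += 1


def encode_point(pt):
    """ASSUMPTION: big-endian, 0x14 bytes per coordinate."""
    return pt[0].to_bytes(0x14, "big") + pt[1].to_bytes(0x14, "big")


def decode_point(data):
    return (int.from_bytes(data[:0x14], "big"), int.from_bytes(data[0x14:0x28], "big"))


def kirk_0xc_model(gen, k=None):
    """Model of the 0xC service: 'private scalar || public x || public y' (0x3C bytes).
    ASSUMPTION: the scalar is bounded by p because the group order is not on the page."""
    if k is None:
        k = secrets.randbelow(P - 1) + 1
    return k.to_bytes(0x14, "big") + encode_point(ec_mul(k, gen))


def kirk_0xd_model(buf):
    """Model of the 0xD service over the post's buffer layout; returns x || y."""
    if len(buf) != 0x3C:
        raise ValueError("0xD input must be 0x14 scalar + 0x14 x + 0x14 y")
    k = int.from_bytes(buf[0:0x14], "big")
    pt = decode_point(buf[0x14:0x3C])
    if not on_curve(pt):
        raise ValueError("input point is not on the curve")
    res = ec_mul(k, pt)
    if res is INFINITY:
        raise ValueError("result is the point at infinity")
    return encode_point(res)


def roundtrip_check(gen, k=None):
    """The test from the post: take the first 0x14 bytes of the 0xC output, append
    the base point, feed that to 0xD and compare with the point 0xC produced."""
    out = kirk_0xc_model(gen, k)
    buf = out[:0x14] + encode_point(gen)
    return kirk_0xd_model(buf) == out[0x14:]


if __name__ == "__main__":
    G = find_point()
    print("base point on curve:", on_curve(G))
    print("0xC/0xD round trip matches:", roundtrip_check(G))
```

The round trip only proves that the scalar-times-point relationship holds for whatever point you feed in; with the real G and the order of the group (neither quoted here) the same code can be used to check that a public point returned by the hardware is a valid multiple of the generator, which is the kind of consistency check that is useful to other developers without touching any private key.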