PS3 packages and how it leads to PSP signing

[kgsws]

decrypt_cbc 0x00 to 0x1F using Kirk 1 key
decrypt_cbc 0x90+value at 0x74 to end of file using decrypted 0x00-0x0F as key

That "plaintext" before 0x90+value seems to be IV. You can't notice it because in ms_ipl.bin it is all zero. Try it with any PRX, if you start decrypting at 0x90 you will get correct ELF header, but if you start at 0x90+value, first 16 bytes are wrong. It should be simple to compute IV = decrypting plaintext. I am going to test it now.
Also got working header CMAC thanks to your info.

EDIT: ok, it was just bug, forgot to clean IV
EDIT: changing any byte in header make data hash invalid, seems like data hash also checks header
EDIT: got correct data hash ... but only for ms_ipl right now

EDIT: still something strange on kirk, anyway i got matching data hash for uhura.prx (from AR) and 620ipl, but kirk refuses it ...
Data hash calculation is CMAC of kirk header (starting from 0x60) + "plaintext" data (between header and encrypted data) + encrypted data

Advertising

[sven]

Here's what i reversed today: http://pastie.org/private/ehru4uqqgz0hmmrpeuf1nq
Works fine for the IPL and I can't test it on any more stuff.

oh, also: who invented that stupid register question (Half ... Loader)? i had to ask several people before i was able to answer it :/

Advertising

[Battosai94]

Sven, member of the fail0verflow's team, wants to share that with you :

http://pastie.org/private/ehru4uqqgz0hmmrpeuf1nq

IRC log (from #PS3Dev at EFNET) :

<@sven> http://pastie.org/private/ehru4uqqgz0hmmrpeuf1nq <-- kirk cmd 1 algorithm
<+DarukBot> (title) Private Paste - Pastie
<@sven> someone please give it those people, i'm too fail to register at that forum: viewtopic.php?f=5&t=1381&start=80
<+DarukBot> (title) wololo.net/talk • View topic - PS3 packages and how it leads to PSP signing

Edit : Sorry, I was to slow

Edit 2 : Not a really stupid question, not for the PSP Scene, it concerns the fabulous HBL from Wololo ^^x

[wololo]

Thanks guys

oh, also: who invented that stupid register question (Half ... Loader)? i had to ask several people before i was able to answer it :/

I did.
Half Byte Loader is a tool that was used by 99% of the users of this forum when the forum was created. But the forum's grown and HBL is slowly becoming a thing of the past, I might have to come up with a new (more generic?) question, apologies if our homebrew loader is not as famous as team fail0verfl0w nowadays

[Supafreak]

Here's what i reversed today: http://pastie.org/private/ehru4uqqgz0hmmrpeuf1nq
Works fine for the IPL and I can't test it on any more stuff.

oh, also: who invented that stupid register question (Half ... Loader)? i had to ask several people before i was able to answer it :/

lol that was the question holding me back too..

[sven]

oh, it's some famous thing in the PSP scene. I personally never had a PSP which might explain why i've never heard of some Half Byte Loader.
Sorry

[kgsws]

I made PRX that is correctly decrypted with PRX decrypter, but PSP can't run it - error 0x80020148.
So next question, is there another check, for ~PSP header?

[Mathieulh]

we miss the key seed 0x43 from kirk cmd 4/7, it's not in the spu_handler (the ps3 version of kirk) so we can't do the mangling on kernel prxs (kinda sucks because we can't pwn the bootchain with prx encryption so far), we can however encrypt and hash user prx with all the provided keys as well as IPL blocks for psp-1000/2000 (We'd need the new pre-ipl hash stuff for the psp-3000 and newer), it's also believe that the new pre-ipl on the go or newer use kirk cmd 11/12 with an ECDSA check on the IPL block

Does anyone happen (Silverspring ? ) to know what's kirk cpu architecture ?

[Proxima]

It's not the most elegant path, but couldn't we just use KIRK cmd 4 to encrypt the 0x43 ones for the kernel on the PSP itself? Looks like the final signer app may have to be a native PSP app.

[Mathieulh]

It's not the most elegant path, but couldn't we just use KIRK cmd 4 to encrypt the 0x43 ones for the kernel on the PSP itself? Looks like the final signer app may have to be a native PSP app.

kirk cmd4 sadly doesn't generate/encrypt all bits.