Welcome to PSP3D.com - Sony PlayStation Portable News, Homebrew, Hacks, Reviews, Videos, Mods, Forums!
05-24-2006, 06:09 AM
Junior Member (Join Date: May 2006, Location: Italy, Age: 27)
PSP Encryption
Hello,
Does anybody know exactly which algorithm is used for encryption in the PSP... I mean: everybody talks about AES, but AES (also known as Rijndael) is a symmetric algorithm...
Are EBOOTs only signed, or encrypted too? If they are only signed I don't see a use for AES, as they need an asymmetric algorithm to sign the HASH (also, is the hash from a known algorithm like MD5??)... If they are signed and encrypted I think that a random key is used for AES encryption and that key is ciphered together with the hash with the asymmetric algorithm (like with emails)... So which is the asymmetric algorithm?
Also, is AES used as a block cipher, or is a stream cipher derived from it (for example by encrypting a counter)?
And the final question: the public key of the asymmetric algorithm needs to be in the PSP hardware (I think in flash0); has it been extracted in some way? Has somebody tried to overwrite it with another one (I'm talking to people with 1.0 and 1.5 PSPs using firmware loaders) and to run EBOOTs signed with their own manufactured keys?
Please don't answer if you don't understand what I'm talking about... I don't want to create a downgrader and I know that it's impossible to get SONY's private key... All I want is to understand the PSP architecture!!!
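As an added example (not part of the thread, and not code from any PSP tool), here is Python illustrating two of the points the question raises: how a stream cipher is derived from a block cipher by encrypting a counter (CTR mode), and why encryption alone does not replace a signature or hash check. The block function is a keyed SHA-256 stand-in assumed for the demo, not AES; HMAC-SHA1 stands in for the asymmetric signature over a hash that the post describes. Keys and nonce are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

BLOCK_LEN = 16   # block size of a 128-bit block cipher such as AES
NONCE_LEN = 8    # nonce || 64-bit counter fills exactly one block
TAG_LEN = 20     # SHA1 digest length

# Constructed demo keys and nonce; a real design derives these from protocol key material.
DEMO_ENC_KEY = b"demo-encryption-key-0001"
DEMO_MAC_KEY = b"demo-integrity--key-0002"
DEMO_NONCE = bytes(range(NONCE_LEN))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (hypothetical): keyed SHA-256 truncated
    to one block. Not AES and not even invertible, which is fine here because CTR
    mode only ever runs the block function forwards."""
    assert len(block) == BLOCK_LEN
    return hashlib.sha256(key + block).digest()[:BLOCK_LEN]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Turn the block function into a stream cipher: encrypt nonce||counter for
    counter = 0, 1, 2, ... and concatenate the outputs."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += block_encrypt(key, nonce + struct.pack(">Q", counter))
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Flip one bit of a buffer (models an edited ciphertext)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate nonce||ciphertext. HMAC-SHA1 plays the role of the
    signature over a hash: a check bound to a key the editor of the data lacks."""
    ciphertext = ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha1).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything modified."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return ctr_crypt(enc_key, nonce, ciphertext)


def tamper_is_rejected(enc_key: bytes, mac_key: bytes, blob: bytes, byte_index: int) -> bool:
    """True if flipping one bit of a sealed blob makes open_sealed refuse it."""
    try:
        open_sealed(enc_key, mac_key, flip_bit(blob, byte_index))
        return False
    except ValueError:
        return True


def malleability_demo(plaintext: bytes) -> bytes:
    """Encryption alone: flip bit 0 of the first ciphertext byte and decrypt. The
    result is the plaintext with exactly that bit flipped, which is why a
    confidentiality-only scheme still needs a signature or keyed hash."""
    ciphertext = ctr_crypt(DEMO_ENC_KEY, DEMO_NONCE, plaintext)
    return ctr_crypt(DEMO_ENC_KEY, DEMO_NONCE, flip_bit(ciphertext, 0))


if __name__ == "__main__":
    msg = b"module version 1.50"
    print(malleability_demo(msg))
    blob = seal(DEMO_ENC_KEY, DEMO_MAC_KEY, os.urandom(NONCE_LEN), msg)
    print(open_sealed(DEMO_ENC_KEY, DEMO_MAC_KEY, blob))
    print("tampered copy rejected:", tamper_is_rejected(DEMO_ENC_KEY, DEMO_MAC_KEY, blob, NONCE_LEN))
```

The design point is the order of operations in open_sealed: the tag is checked over the ciphertext first, so a modified blob is never decrypted at all. Swapping HMAC for a public-key signature over the same hash gives the "signed and encrypted" structure the question sketches.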
05-24-2006, 06:30 AM
Senior Member (Join Date: Dec 2005, Location: Australia, Posts: 1,771, Points: 1.36)
Dunno, don't think anyone on here would really know, except for maybe freeplay etc.
But (the reason for my post) is you 'might' find some info in the 'Yet Another PSP Documentation' which can be found HERE.
__________________
PSP 2.01 Owner
PSP 1.5 Owner
Homebrew Guide, All Versions - Here
MPH Gameloader Guide - Here
Firmware Dump Guide - Here
2.0 Games on 1.5 Guide - Here
2.01 & Above Downgrade - Here
05-24-2006, 06:33 AM
Highly Respected Member (Join Date: Jan 2006, Location: Western Australia, Age: 15, Posts: 911, Points: 1.23)
Quote: "also the hash is from a known algorithm like MD5??"
I believe so.
05-25-2006, 04:52 AM
Junior Member (Join Date: May 2006, Location: Italy, Age: 27)
Thanks for the replies... It's very good documentation; unfortunately there isn't any section regarding encryption schemes...
05-25-2006, 04:02 PM
Teh h4x0r admin (Join Date: Feb 2006, Location: New York, Age: 25, Posts: 961, Points: 9,999,500,271.04)
Quote (Originally Posted by Gourry): Does anybody know exactly which algorithm is used for encryption in the PSP... I mean: everybody talks about AES, but AES (also known as Rijndael) is a symmetric algorithm...
There are several algorithms; AES Rijndael is only one of them. There are some that we're pretty sure are Sony's proprietary methods. BTW, Rijndael is only one form of AES encryption.
Quote (Originally Posted by Gourry): Are EBOOTs only signed, or encrypted too? If they are only signed I don't see a use for AES, as they need an asymmetric algorithm to sign the HASH ... If they are signed and encrypted I think that a random key is used for AES encryption and that key is ciphered together with the hash with the asymmetric algorithm (like with emails)... So which is the asymmetric algorithm?
The EBOOT itself isn't encrypted. There are two files that are encrypted: DATA.PSAR (in the updates) and DATA.PSP (in all the official EBOOTs). These two files have the "~PSP" header, which seems to indicate that the encrypted data is encapsulated in a specific structure (since the entire file isn't encrypted, only part of it). I'm pretty sure the "signature" is just on the PARAM.SFO file. I've done some testing of this myself. I've packed an EBOOT file with a standard PARAM.SFO, like the one from any homebrew app, and it won't launch; I then repacked it with the PARAM.SFO from LocoRoco and it'd launch up to the point where you reach the white screen but then return an 80020148 error. Even if you create a PARAM.SFO file with the exact same variables and values as the real LocoRoco PARAM.SFO, it won't work. This seems to indicate that there's some sort of signature in the file.
Quote (Originally Posted by Gourry): (also, is the hash from a known algorithm like MD5??)
The hashes in the registry were SHA1, and the firmware has functions for both SHA1 and MD5, so it could be either.
Quote (Originally Posted by Gourry): And the final question: the public key of the asymmetric algorithm needs to be in the PSP hardware (I think in flash0); has it been extracted in some way? Has somebody tried to overwrite it with another one (I'm talking to people with 1.0 and 1.5 PSPs using firmware loaders) and to run EBOOTs signed with their own manufactured keys?
Honestly I have no idea. My understanding of encryption is pretty limited, though I'm trying to learn more.
Quote (Originally Posted by Gourry): I don't want to create a downgrader and I know that it's impossible to get SONY's private key... All I want is to understand the PSP architecture!!!
Me too.
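As an added example (not from the thread and not from any PSP tool), here is a small Python parser for the EBOOT.PBP container that the reply above discusses: it splits the file into its entries and reports which ones carry the "~PSP" header the post mentions, versus a plain ELF module, a PNG icon or a PARAM.SFO. The PBP layout (a "\0PBP" magic, a version word and eight little-endian offsets in the entry order listed in the code) and the PNG, ELF and "\0PSF" magics are facts of those file formats, not stated on the page; the sample containers are constructed filler. The offset-table check is the part a defender parsing untrusted containers cares about: the offsets are validated rather than trusted.

```python
import struct

PBP_MAGIC = b"\x00PBP"
PBP_VERSION = 0x00010000
# Entry order fixed by the PBP format: the header carries one u32 offset per entry.
PBP_ENTRIES = ("PARAM.SFO", "ICON0.PNG", "ICON1.PMF", "PIC0.PNG",
               "PIC1.PNG", "SND0.AT3", "DATA.PSP", "DATA.PSAR")
HEADER_LEN = 4 + 4 + 4 * len(PBP_ENTRIES)  # magic + version + eight offsets = 40 bytes

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
SFO_MAGIC = b"\x00PSF"
PSP_ENC_MAGIC = b"~PSP"   # header of the encrypted DATA.PSP / DATA.PSAR named in the thread


def build_pbp(entries: dict) -> bytes:
    """Pack entries (name -> bytes) into a PBP; used here only to construct test input."""
    payload = bytearray()
    offsets = []
    for name in PBP_ENTRIES:
        offsets.append(HEADER_LEN + len(payload))
        payload += entries.get(name, b"")
    header = PBP_MAGIC + struct.pack("<I", PBP_VERSION) + struct.pack("<8I", *offsets)
    return header + bytes(payload)


def parse_pbp(blob: bytes) -> dict:
    """Split a PBP into its entries, validating the offset table instead of trusting it."""
    if len(blob) < HEADER_LEN or blob[:4] != PBP_MAGIC:
        raise ValueError("not a PBP container")
    offsets = list(struct.unpack_from("<8I", blob, 8))
    bounds = offsets + [len(blob)]
    # Offsets must be non-decreasing, past the header and inside the file.
    for start, end in zip(bounds, bounds[1:]):
        if not (HEADER_LEN <= start <= end <= len(blob)):
            raise ValueError("corrupt PBP offset table")
    return {name: blob[bounds[i]:bounds[i + 1]] for i, name in enumerate(PBP_ENTRIES)}


def is_well_formed(blob: bytes) -> bool:
    """True if the header and offset table pass parse_pbp's checks."""
    try:
        parse_pbp(blob)
        return True
    except ValueError:
        return False


def classify(name: str, data: bytes) -> str:
    """Describe an entry by its leading bytes."""
    if not data:
        return "absent"
    if data.startswith(PSP_ENC_MAGIC):
        return "encrypted (~PSP)"
    if data.startswith(ELF_MAGIC):
        return "plain ELF"
    if data.startswith(PNG_MAGIC):
        return "PNG"
    if name == "PARAM.SFO" and data.startswith(SFO_MAGIC):
        return "SFO"
    return "unknown"


def inventory(blob: bytes) -> dict:
    """Map each entry name to its classification."""
    return {name: classify(name, data) for name, data in parse_pbp(blob).items()}


# Constructed samples: the bytes after each magic are filler, not real PSP data.
OFFICIAL_STYLE = build_pbp({
    "PARAM.SFO": SFO_MAGIC + b"\x01\x01\x00\x00" + b"\x00" * 16,
    "ICON0.PNG": PNG_MAGIC + b"\x00" * 8,
    "DATA.PSP": PSP_ENC_MAGIC + b"\x00" * 32,
    "DATA.PSAR": PSP_ENC_MAGIC + b"\x00" * 32,
})
HOMEBREW_STYLE = build_pbp({
    "PARAM.SFO": SFO_MAGIC + b"\x01\x01\x00\x00" + b"\x00" * 16,
    "DATA.PSP": ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 12,
})


if __name__ == "__main__":
    for label, sample in (("official-style", OFFICIAL_STYLE), ("homebrew-style", HOMEBREW_STYLE)):
        print(label)
        for name, kind in inventory(sample).items():
            print(f"  {name:10s} {kind}")
```

Run stand-alone it prints one line per entry for each constructed container; the first shows DATA.PSP and DATA.PSAR as "~PSP" encrypted, the second a plain ELF DATA.PSP with no DATA.PSAR, which is the split the reply describes between official and homebrew EBOOTs.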
05-25-2006, 05:25 PM
Is Da Best PSP3D Member (Join Date: Dec 2005, Location: England, Posts: 651, Points: 1.58)
wow, nice reply freeplay
05-26-2006, 04:33 AM
Junior Member (Join Date: May 2006, Location: Italy, Age: 27)
Yeah, thank you a lot, FreePlay!
05-26-2006, 05:08 AM
Launching update 1.5 from a 2.5 PSP, men; Sony's people are very stupid! Can you believe this? hehe! In only two hours I have caught it! hehe. This isn't on any PSP hacking page, so I'm glad to find it! I've got the clue to start launching ANY update from ANY OTHER PSP firmware installed! The clue? hehe, very very easy, but not fully functional yet! The structure of any update is this:
- TOC of the language menu
- FirmwareVersion-comprobation-to-launch-update number
- PNG photo that appears as the update icon
- one encrypted file that starts with ~PSP (as told by various people). This file isn't fully encrypted: at the start of this file there is a TOC that informs the PSP about some things.
- another encrypted file that starts with ~PSP (not scanned by me yet)
- a final CRC encrypted code.
So, which is the clue, you will say? hehe. If you change the "FirmwareVersion-comprobation-to-launch-update number" from (for example) 1.50 to 2.50 with a hex editor... Bum! It launches! Yeah... IT LAUNCHES! After the PSP original screen and more or less 22 seconds you will get a page that says that the update cannot be launched because the data is corrupted! hehe. But no one has reached this peak, men! I think that with a little more time I will get some more, 'cause in the first encrypted file you can put the machine into a buffer underrun failure!! hehe! Sony's people fucked again! In the TOC of this file you can set too many things... for example, require the user to set a password before starting it... hehe. If this is real, there won't be any problem in making simulators from an update file, and it will work for ALL FIRMWARES!
Isn't it nice when things just... WORK! hehe. You will have more news... Bye for now!
05-26-2006, 08:18 AM
Junior Member (Join Date: May 2006, Location: Italy, Age: 27)
I'm quite confused...
Quote (Originally Posted by villalvilla): So, which is the clue, you will say? hehe. If you change the "FirmwareVersion-comprobation-to-launch-update number" from (for example) 1.50 to 2.50 with a hex editor... Bum! It launches! Yeah... IT LAUNCHES! After the PSP original screen and more or less 22 seconds you will get a page that says that the update cannot be launched because the data is corrupted! hehe. But no one has reached this peak, men!
What's the difference between this method and the one that has been tried thousands of times?
Quote (Originally Posted by villalvilla): 'cause in the first encrypted file you can put the machine into a buffer underrun failure!!
Buffer underrun??? That's not a CD burner... If you mean a buffer overflow, well, without the source code it would be really difficult to find and exploit any...
Quote (Originally Posted by villalvilla): there won't be any problem in making simulators from an update file
What simulator are you talking about???
05-26-2006, 01:24 PM
Sorry, obviously I've overlooked that you are the most wonderful hacker in the world! There is a great mistake in your declarations... Of course, my efforts in the area won't ever be communicated to this community again, thanks to you, of course!
Let me see, whatever your real name is, how many cracks and hacks have you made in your life? Or do you just "play" this for fun? hehe. Leave this to the experts, man! I've done a "little bit" of them, but your ego... What a pity! I thought that this page was serious... OK, OK, I see that some efforts are disapproved of by you! Working alone, is that it? OK! If I get it, I won't publish it on this page, and I will put a readme to thank you a lot!
In other words, I was waiting for experts to help me and a lamer questions people's efforts just like they were shit!
P.S.: I prefer psphacks!
P.S.1: Help people, don't feel unique, like a BD constraint!
P.S.2: <script>alert("kill em' all");</script>