The First Homebrew in OFW Running.

[TOcean]

The first Homebrew Running in OFW.
See the video.

Simple, notice it contains ~PSP header from demo game (UCES00206), it is exactly same header. It is easy to craft last 16 bytes of encrypted data block to match header CMAC – yes, that’s the trick

There are some strange thigs, it can’t run homebrews with bigger executable block (data block does not matter), and because of ~PSP header, it has to match exact size of original game.

This trick might be possible on firmware kernel modules to get permanent HEN on non-pandrorable PSPs, i was not able to do it but i was not trying that much.

PS: i am not only one who found this trickn

This means that from now on OFW homebrews start.
Sony cannot patch this.
it works on all OFW

Download

How can i sign homebrews

Here's an overall process that worked for me:

1. Use PRXDecrypter or other like app to decrypt a demo game DATA.PSP. Just before it calls KIRK1, add a step to dump the KIRK1 message with header.
2. Zero out the data section of the KIRK1 message. Copy your homebrew ELF into it.
3. Look at the original PSP header and get the entry point and mod info offset it expects
4. Put a couple of lines of code at the expected entry point to jump to the real entrypoint of your own ELF
5. copy the modinfo section from your ELF to the address indicated by the original header.
6. Re-encrypt the new KIRK1 data section with the KIRK key (AES Key from Header)
7. Do a few xor of the last 16 bytes to make it result in the correct CMAC value (decode the CMAC data hash to see what the correct value needs to be)
8. Copy the data back to the original data.psp (at 0x150). pack-pbp the new data.psp along with your favorite param.sfo and icon files.

If the original game was compressed, you need to add step 5b. gzip the entire data section (0x110-EOF) and re-paste it into the file.

Enjoy!

PS. One bit of difficulty still that remains is how to deal with the KL4E compression that the kernel modules us. Since their headers indicate compression, and KL4E is the only algorithm the rebooter or ipl supports (I think...) we will have to find a way to create something that decompresses properly with KL4E.

Discussion: viewtopic.php?f=5&t=1381&start=170

Advertising

[TiPi]

Awesome.

Advertising

[TOcean]

Awesome.

This are the best moment of the PSP Scene.

[AssasinRam]

This is brilliant

[TOcean]

This is brilliant

[Phillyphries]

Nice!! There isn't much left to do with the PSP's now. PSP2 will be the next focus

[TOcean]

Nice!! There isn't much left to do with the PSP's now. PSP2 will be the next focus

PSP2 is difficult.

[xcanox]

The song in this homebrew is quite ossum.

[AssasinRam]

Nice!! There isn't much left to do with the PSP's now. PSP2 will be the next focus

PSP2 is difficult.

But it has way better potential than the PSP

[YuuhiKatagiri]

awesome