
Decryption keys

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Decryption keys

Post by wth » Sat Jul 07, 2012 12:37 am

According to "Tony"'s Vita flash:

Code:

u8 keys660_k0[0x10] = { 0x48, 0x58, 0xAA, 0x38, 0x78, 0x9A, 0x6C, 0x0D, 0x42, 0xEA, 0xC8, 0x19, 0x23, 0x34, 0x4D, 0xF0 };
u8 keys660_v0[0x10] = { 0x08, 0x57, 0xC2, 0x49, 0x15, 0xD6, 0x2C, 0xDB, 0x62, 0xBE, 0x86, 0x6C, 0x75, 0x19, 0xDC, 0x4D };
u8 keys660_v9[0x10] = { 0x4B, 0x6B, 0xC8, 0x98, 0xE7, 0xBC, 0x6A, 0xA3, 0xEF, 0x63, 0x72, 0x7F, 0xFD, 0x0E, 0x9E, 0x8C };

{ 0x4C949AF0, keys660_k0, 0x43 }, // 6.60 psvita
{ 0x457B9AF0, keys660_v0, 0x5B }, // 6.60 psvita
{ 0x38029AF0, keys660_v9, 0x5A }, // 6.60 psvita vshmain
But I was wondering: I know 0x4C949AF0, 0x457B9AF0 and 0x38029AF0 are the tags at 0xD0 in encrypted files, but how is it possible to find the keys themselves and their codes (0x43, 0x5B, 0x5A)?
I mean in theory, even on the PSP? I heard the hashes at address 0xBFC00200 are of some use for that, but I wonder what exactly.

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: Decryption keys

Post by Davee » Sat Jul 07, 2012 1:18 am

The codes are the KIRK key number for serv 7, and these "keys" are formed as part of a seed at 0xBFC00200 and respectively from the cipher module (memlmd/mesgled). Together they are XORed and used as the nonce for the AES128-CBC-CTR used in the PRX header.
Follow me on twitter: @DaveeFTW

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: Decryption keys

Post by wth » Sat Jul 07, 2012 4:28 am

OK, thanks =D
I'll look into the Vita's mesgled KIRK7 to find these codes then, and later report what I found.

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: Decryption keys

Post by wth » Mon Jul 23, 2012 4:52 am

OK, so I finally found some time to finish looking at this, and it's actually quite simple.

The second XOR part of the kernel key lies in memlmd:

Code:

//	6.60 : memlmd_F26A33C3 <= memlmd_8450109F

//	keys167_k0 = key_2460 ^ hash167;


/* from 1.67 */
u8 key_2460[16] = {
	0x5b, 0x32, 0x65, 0x9b, 0x52, 0x1d, 0x35, 0xcd,
	0x61, 0x6b, 0x94, 0xf1, 0xe8, 0x26, 0xf1, 0xea
};

/* 1.67 0xBFC00200 hash */
u8 hash167[32] = {
	0x13, 0x6a, 0xcf, 0xa3, 0x2a, 0x87, 0x59, 0xc0,
	0x23, 0x81, 0x5c, 0xe8, 0xcb, 0x12, 0xbc, 0x1a
};
And the VSH keys are directly hardcoded in mesg_led:

Code:

sceMesgLed_driver_5C3A61FE
sceMesgLed_driver_3783B0AD


u32 tag_9684 = 0x38029AF0;	// == v9

u8 key_9688[16] = {
	0x4B, 0x6B, 0xC8, 0x98, 0xE7, 0xBC, 0x6A, 0xA3,
	0xEF, 0x63, 0x72, 0x7F, 0xFD, 0x0E, 0x9E, 0x8C
};
// == keys660_v9

sub_000000E0(&tag_9684, key_9688, 0x5A, ...);




sceMesgLed_driver_2CB700EC
sceMesgLed_driver_308D37FF


u32 tag_969C = 0x457B9AF0;	// == v0

u8 key_96A0[16] = {
	0x08, 0x57, 0xC2, 0x49, 0x15, 0xD6, 0x2C, 0xDB,
	0x62, 0xBE, 0x86, 0x6C, 0x75, 0x19, 0xDC, 0x4D
};
// == keys660_v0

sub_000000E0(&tag_969C, key_96A0, 0x5B, ...);

I expected something more interesting for the VSH keys, but well, lol.

This still doesn't explain the 0x43 KIRK7 code for the kernel key though... anyone know? ^^
Or do kernel keys simply always use this 0x43 KIRK7 code?
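
The two mechanisms described in the post above, in runnable form. This is an added example, not code from the thread, from memlmd/mesg_led or from prxdecrypter; the struct and function names (tag_entry, derive_kernel_key, kirk7_code_for_header, build_sample_header) are ours. It takes the constants exactly as posted: XORing key_2460 with the 16 bytes of hash167 reproduces keys660_k0 from the first post byte for byte, and the tag read little-endian from offset 0xD0 of a "~PSP" header selects the {key, KIRK7 code} entry. The sample header is constructed here, with only the magic and the tag filled in.

```c
/* Added example (not code from the thread): reproduces the two things wth
 * describes above.
 *  1. The kernel "key" (the nonce, in Davee's terms) is key_2460 XOR the
 *     16 bytes at 0xBFC00200; with the posted 1.67 constants this equals
 *     keys660_k0 from the first post.
 *  2. A ~PSP header's tag at offset 0xD0 selects a {key, KIRK7 code} entry.
 * Struct and function names are ours, not memlmd's or prxdecrypter's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint32_t u32;

/* 6.60 entries quoted from Tony's Vita flash in the first post */
static const u8 keys660_k0[16] = { 0x48, 0x58, 0xAA, 0x38, 0x78, 0x9A, 0x6C, 0x0D,
                                   0x42, 0xEA, 0xC8, 0x19, 0x23, 0x34, 0x4D, 0xF0 };
static const u8 keys660_v0[16] = { 0x08, 0x57, 0xC2, 0x49, 0x15, 0xD6, 0x2C, 0xDB,
                                   0x62, 0xBE, 0x86, 0x6C, 0x75, 0x19, 0xDC, 0x4D };
static const u8 keys660_v9[16] = { 0x4B, 0x6B, 0xC8, 0x98, 0xE7, 0xBC, 0x6A, 0xA3,
                                   0xEF, 0x63, 0x72, 0x7F, 0xFD, 0x0E, 0x9E, 0x8C };

/* 1.67 memlmd constant and the 1.67 0xBFC00200 hash bytes, as posted above */
static const u8 key_2460[16] = { 0x5b, 0x32, 0x65, 0x9b, 0x52, 0x1d, 0x35, 0xcd,
                                 0x61, 0x6b, 0x94, 0xf1, 0xe8, 0x26, 0xf1, 0xea };
static const u8 hash167[16]  = { 0x13, 0x6a, 0xcf, 0xa3, 0x2a, 0x87, 0x59, 0xc0,
                                 0x23, 0x81, 0x5c, 0xe8, 0xcb, 0x12, 0xbc, 0x1a };

struct tag_entry {
    u32 tag;        /* value at offset 0xD0 of the encrypted PRX header */
    const u8 *key;  /* 16-byte "key" (nonce) used for that tag */
    u32 code;       /* KIRK command 7 key number */
};

static const struct tag_entry tag_table[] = {
    { 0x4C949AF0, keys660_k0, 0x43 }, /* 6.60 psvita kernel */
    { 0x457B9AF0, keys660_v0, 0x5B }, /* 6.60 psvita vsh */
    { 0x38029AF0, keys660_v9, 0x5A }, /* 6.60 psvita vshmain */
};

/* keys167_k0 = key_2460 ^ hash167, applied byte by byte */
void derive_kernel_key(u8 out[16], const u8 seed[16], const u8 hash[16])
{
    for (size_t i = 0; i < 16; i++)
        out[i] = seed[i] ^ hash[i];
}

/* 1 if the key derived from the 1.67 constants equals keys660_k0 */
int derived_matches_keys660_k0(void)
{
    u8 k[16];
    derive_kernel_key(k, key_2460, hash167);
    return memcmp(k, keys660_k0, sizeof k) == 0;
}

const struct tag_entry *lookup_tag(u32 tag)
{
    for (size_t i = 0; i < sizeof tag_table / sizeof tag_table[0]; i++)
        if (tag_table[i].tag == tag)
            return &tag_table[i];
    return NULL;
}

/* Reads the little-endian tag at 0xD0 and returns its KIRK7 code, or -1 if
 * the buffer is too short, lacks the "~PSP" magic, or the tag is unknown. */
int kirk7_code_for_header(const u8 *hdr, size_t len)
{
    if (len < 0xD4 || memcmp(hdr, "~PSP", 4) != 0)
        return -1;
    u32 tag = (u32)hdr[0xD0] | (u32)hdr[0xD1] << 8 |
              (u32)hdr[0xD2] << 16 | (u32)hdr[0xD3] << 24;
    const struct tag_entry *e = lookup_tag(tag);
    return e ? (int)e->code : -1;
}

/* Constructed sample header: only the magic and the tag are filled in. */
void build_sample_header(u8 *hdr, size_t len, u32 tag)
{
    memset(hdr, 0, len);
    memcpy(hdr, "~PSP", 4);
    hdr[0xD0] = (u8)tag;         hdr[0xD1] = (u8)(tag >> 8);
    hdr[0xD2] = (u8)(tag >> 16); hdr[0xD3] = (u8)(tag >> 24);
}

int main(void)
{
    u8 hdr[0x150];
    build_sample_header(hdr, sizeof hdr, 0x38029AF0);
    printf("derived key matches keys660_k0: %s\n",
           derived_matches_keys660_k0() ? "yes" : "no");
    printf("KIRK7 code for tag 0x38029AF0: 0x%02X\n",
           kirk7_code_for_header(hdr, sizeof hdr));
    return 0;
}
```

The check in derived_matches_keys660_k0() is the point of the block: the 1.67 Vita constants XOR to exactly the 6.60 kernel entry quoted at the top of the thread, so the "key" in the table is the derived nonce, while the KIRK7 key number (0x43 here) still has to come from the table.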

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: Decryption keys

Post by Davee » Mon Jul 23, 2012 9:36 am

It's simple, because they aren't keys. It's the nonce for AES128-CBC-CTR; the key is the 0x43 KIRK code, which is defined by the relative decryption process.

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: Decryption keys

Post by wth » Mon Jul 23, 2012 8:52 pm

OK, so I assume kernel PRX decryption always requires the 0x43 code, right?

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: Decryption keys

Post by Davee » Mon Jul 23, 2012 8:54 pm

Effectively. It can (and I think has?) change, though.

TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Re: Decryption keys

Post by TS0SmikY » Fri Mar 29, 2013 1:42 pm

Hi @wth and @Davee, may I know how I can get the keys you are discussing? Like the procfw stargate module: in the file "key_decrypt.c" we can see things like g_key_d9xxxxxx. For those keys, can you get them just by reversing mesg_led_xx.prx, or do you need to run some program to get them?
Sorry for my poor English. ;)


I found a way to get those keys already. :mrgreen: ;)
Last edited by TS0SmikY on Thu May 02, 2013 10:00 am, edited 1 time in total.
PSP-2000: Kernel version prometheus v4.

Codewave
Banned
Posts: 43
Joined: Sun Mar 24, 2013 6:45 pm

Re: Decryption keys

Post by Codewave » Fri Mar 29, 2013 6:15 pm

Question from a noob:

How do devs learn such advanced-level PSP programming without Sony's help?

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: Decryption keys

Post by Davee » Fri Mar 29, 2013 7:23 pm

PSP programming isn't advanced at all. It's just application of basic knowledge of computer systems.
