
PS3 packages and how it leads to PSP signing

Kirby115
Posts: 34
Joined: Mon Jan 03, 2011 2:49 am

Re: PS3 packages and how it leads to PSP signing

Post by Kirby115 »

I don't know if this would be of any help, but I was on YouTube, and I saw the fail0verfl0w team at a conference explaining it.

http://www.youtube.com/watch?v=GPjd6gHY6A4

Sorry if that doesn't help =/ I'm not a programmer, lol.
boodee
Posts: 1
Joined: Tue Jan 04, 2011 12:36 am

Re: PS3 packages and how it leads to PSP signing

Post by boodee »

Wololo wrote:
cold-zero wrote:Well it's just a matter of time until the psp keys will be released.
True, but in this thread I'm not interested in the keys themselves rather than the process to discover them and the algorithm
Well, there could be several ways as to how Sony signs the PSP eboots. Think of the PSX games. Any can be bought from the PSN store and they work on both the PS3 and PSP (I think, don't own a PS3). Maybe there is a shared key between PSX games and PSP games, which could also mean they sign both the same way? During the presentation at that hacking conference, they showed the structure of a PS3 app. Perhaps PSP also has a similar structure and they also sign the keys the same way (random number is constant for each), in which case all you have to do is a math formula with 2 PSP signatures to be able to solve for the private key. Just my thoughts :P
MaX_SLayeR
Posts: 256
Joined: Sat Oct 02, 2010 12:20 am
Location: California
Contact:

Re: PS3 packages and how it leads to PSP signing

Post by MaX_SLayeR »

The PS3 can run EBOOTs. The Minis on a PS3 are PSP eboots, so are the PSX games. It's why when you transfer them to a PSP, they are the same size as the file on the PS3. I also looked at the file structure of Minis and PSX games on PS3 using an FTP server. It's essentially a folder with param.sfo that tells the PS3 to run either the PSX emulation or PSP emulation (or if you can only copy games directly to a PSP), then there's your icons, background picture, etc. Then there's another folder that contains the EBOOT and the DOCUMENT.DAT file that may be with the game. There's also a very small file with, IIRC, a .edat extension or something similar.

The pspemu files in the PS3's dev_flash are the files for emulating Minis, the PSX emu files run the PSX EBOOTs. As far as I'm concerned, the PSX emulation on the PS3 is just a modified pops. You may want to look at the pspemu.

That's all I know, hope it helped.

@wololo: you may want to take a look around psx-scene.com. There are some explanations on how to find the keys and tools that can help. You may also be able to ask the devs there for help or information.
Hacking & getting homebrew on your 3.55 PS3
sonnyz wrote: I paid $500 for my PS3 and if I decide I want to use it to play pong then I'm gonna play some **** pong. Understand?
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: PS3 packages and how it leads to PSP signing

Post by wololo »

MaX_SLayeR: I think I already have the tools I need... unless I can find a decompiler somewhere.
Regarding contacting other devs... well I think in the scene it's all a matter of trust. I know I can freely ask questions here because we know each other, but as far as the PS3 is concerned, I'm a nobody. I don't think anybody in the PS3 scene will answer my questions if I don't have something to show. At least that's how it works on the PSP side... people who don't already have 90% of the answers won't get a reply to their question (the principle being: 90% of your questions can be answered by google and a bit of personal research, so show us that you did your homework...)
JJS wrote:Shouldn't the IBM Cell SDK contain a version of objdump that can deal with all aspects of the Cell processor?
jigsaw wrote:
hmmm, so now I guess that from this ELF, I need to start decompiling stuff... any existing tool for that?
Standard ELF, isn't it? Does objdump work?
Ok, thanks guys, will have a look.
m0skit0 wrote:I don't think you need 500$ to disassemble IBM Cell assembly. There should be some disassemblers already available out there. Another option is writing your own disassembler (but I guess this doesn't even interest you :mrgreen: )
Actually, why not... I hate to reinvent the wheel, but it seems to me right now that nothing as convenient as prxtool exists for the PS3 yet. This would be an interesting project.
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!
MaX_SLayeR
Posts: 256
Joined: Sat Oct 02, 2010 12:20 am
Location: California
Contact:

Re: PS3 packages and how it leads to PSP signing

Post by MaX_SLayeR »

Wololo wrote:MaX_SLayeR: I think I already have the tools I need... unless I can find a decompiler somewhere.
Regarding contacting other devs... well I think in the scene it's all a matter of trust. I know I can freely ask questions here because we know each other, but as far as the PS3 is concerned, I'm a nobody. I don't think anybody in the PS3 scene will answer my questions if I don't have something to show. At least that's how it works on the PSP side... people who don't already have 90% of the answers won't get a reply to their question (the principle being: 90% of your questions can be answered by google and a bit of personal research, so show us that you did your homework...)
Ah. Well I suppose the best you can do is use documentation and your experience.

A bit off-topic: any plans on coding homebrew for PS3? Would be cool to see a Wagic port, no doubt you could do it ;)
coyotebean
Guru
Posts: 96
Joined: Mon Sep 27, 2010 3:22 pm

Re: PS3 packages and how it leads to PSP signing

Post by coyotebean »

In the release directory, there is a file "emulator_drm.sprx"; after decryption, keys D916xxF0 can be found. Inside the decrypted emulator_drm.sprx, there seems to be an encrypted 32-bit ELF starting at offset 0x8000.....
GBASP x1, GBM x2, NDSL x2, PSP 100X x3, PSP 200X x6, PSP 300X x5, PSP Go x4, Wii x1
Zecoxao
Posts: 280
Joined: Mon Sep 27, 2010 7:27 pm

Re: PS3 packages and how it leads to PSP signing

Post by Zecoxao »

My sig is original :D
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: PS3 packages and how it leads to PSP signing

Post by wololo »

Zecoxao, I really appreciate the help, but if you are not sure about your answer, it's probably not the answer I'm expecting ;)
JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: PS3 packages and how it leads to PSP signing

Post by JJS »

I don't know what he is talking about, but I can follow what coyotebean writes above. Three keys are in the outer sprx and there is an embedded sprx (this one obviously: [07:47] < @Mathieulh> they are inside an isolated module which is inside a sprx). So I tried to decrypt that, the iso key seems to kinda work, except that I get an empty output. But decrypt-self shows the file information, so I guess the key is correct.

Edit: I am trying to figure out why the file is not written out, but for that I have to compile decrypt-self myself (heh). But it looks like I am stuck with compiling libopenssl for an hour or so :roll: .
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: PS3 packages and how it leads to PSP signing

Post by wololo »

JJS wrote: the iso key seems to kinda work, except that I get an empty output. But decrypt-self shows the file information, so I guess the key is correct.
I think you're making the same mistake I did. You're running key 3.15 on firmware 3.55, or something similar. Be sure to use the appkey matching the PS3 update you used.
Your symptoms are those of an incorrect key.
I can now see the keys coyotebean is talking about in that sprx file (after decryption) (note that self-decrypt also decrypts sprx... I'm probably stating the obvious here but it wasn't obvious to me...)