PS3 packages and how it leads to PSP signing

[criptych]

Does anyone know the relation between the KIRK header keys and the ~PSP header keys? I know the KIRK header keys are encrypted with the KIRK CMD1 key - I've been lurking here for a while now - but the ones in the ~PSP header are obviously obscured some other way (different key, different encryption, or something). Is it already known and I just can't find it online, or has no one else figured it out yet either?

[kgsws]

Check PRX decrypter source code.

[criptych]

Check PRX decrypter source code.

I actually started doing that in the meantime. It looks like DecryptPRX2 is what I want, but I don't know how to determine the tag info for a PRX whose tag isn't in PRXdecrypter's list, specifically the "key" used to initialize tmp2:

Code: Select all

    int i, j;
    u8 *p = tmp2+0x14;

    for (i = 0; i < 9; i++) {
        for (j = 0; j < 0x10; j++) {
            p[(i << 4) + j] = pti->key[j];
        }

        p[(i << 4)] = i;
    }

    if (Scramble((u32 *)tmp2, 0x90, pti->code) < 0) {


(I think there are few enough Scramble codes / keyseeds that I can just try them all.)

For example, one of those I'm testing with has the tag 0xc0cb167c. Where can I find the init key that goes with it? Is there some way to derive it, or will I have to brute-force it? (I hope not!)

EDIT: Hmm, never mind that last part... looks like it was one of the "old-style" PRXs that uses DecryptPRX1.

[coyotebean]

I actually started doing that in the meantime. It looks like DecryptPRX2 is what I want, but I don't know how to determine the tag info for a PRX whose tag isn't in PRXdecrypter's list, specifically the "key" used to initialize tmp2:

(I think there are few enough Scramble codes / keyseeds that I can just try them all.)

For example, one of those I'm testing with has the tag 0xc0cb167c. Where can I find the init key that goes with it? Is there some way to derive it, or will I have to brute-force it? (I hope not!)

EDIT: Hmm, never mind that last part... looks like it was one of the "old-style" PRXs that uses DecryptPRX1.

If a tag is not in PRXdecrypter, you have to dig into the firmware/game to find the necessary data.

[logical]

Guys what do you think about using precalculated header from ofw update pbp? I think if its possible "signed" homebrews may have kernel access

[warlock02]

Guys what do you think about using precalculated header from ofw update pbp? I think if its possible "signed" homebrews may have kernel access

you can`t unpack updater

[logical]

Answer please on my question! TN-C "signed" and can be run from ofw but file size less than 5mb, how he can do this?!

[coyotebean]

Answer please on my question! TN-C "signed" and can be run from ofw but file size less than 5mb, how he can do this?!

http://www.wololo.net/talk/viewtopic.php?f=5&t=1381&start=170#p20435
http://www.wololo.net/talk/viewtopic.php?f=5&t=1381&start=240#p21228
http://www.wololo.net/talk/viewtopic.php?f=5&t=1381&start=290#p22465

All current HEN/LCFW are user program using an exploit in kernel to elevate permission.

[juggernaut6613]

Answer please on my question! TN-C "signed" and can be run from ofw but file size less than 5mb, how he can do this?!

I think TN used PScrypter(Homebrew based application to sign other simple applications...) instead of PRXEncrypter...