PS3 packages and how it leads to PSP signing

[Mathieulh]

Advertising

Seriously though, your name is mentioned 4 times in the OP, and I clearly stated that you were the source (I quote: "I'm trying to understand the process with which Mathieu found the PSP master key"), not sure what else we can do to please you here

My bad, I only saw page 6 when I wrote that xD

[Mathieulh]

Advertising

On a sidenode I got kirk to return 0x00 on my data for kirk cmd 07 and 0A

[coyotebean]

I think the keys are on the kirk chip. So unless they have some "spare" keys that they didn't put in the PS3, that is not doable because they can't revoke all of them.

Kirk 7 accept key index from 0x00-0xFF, Kirk 4 allows you to use 0x00-0x3F. Only 6 of the 192 keys blocked in Kirk 4 is exposed.

[kgsws]

From my analysis, at offset 0xbdc0 in the dumped SPU asm is the KIRK1 function. KIRK4 is at 0xa398 and KIRK7 is at 0xafe8. At least in the 3.15 and 3.41 versions.

I think i can confirm cmd 4 and 7, also used version 3.15 , that's where i found key offsets.

Kirk 7 accept key index from 0x00-0xFF, Kirk 4 allows you to use 0x00-0x3F. Only 6 of the 192 keys blocked in Kirk 4 is exposed.

Actually max index is 0x7F .

EDIT: Maybe this will help if you don't know SPU assembly.

[coyotebean]

Kirk 7 accept key index from 0x00-0xFF, Kirk 4 allows you to use 0x00-0x3F. Only 6 of the 192 keys blocked in Kirk 4 is exposed.

Actually max index is 0x7F .

EDIT: Maybe this will help if you don't know SPU assembly.

I was talking about actual Kirk operation on the PSP.
Also in 3.55 version of emulator_drm, if I read it correctly, there is a special case in Kirk emulator which will not work with PSP, index 0x100

Code: Select all

    b188:   34 0d 80 83    lqd      $3,864($1)   # 360
    b18c:   7c 40 01 82    ceqi   $2,$3,256   # 100
    b190:   21 00 3a 02    brnz   $2,0xb360   # b360
    b194:   32 00 3c 80    br      0xb378   # b378

    b360:   42 73 d0 02    ila      $2,59296   # e7a0
    b364:   34 0c 40 83    lqd      $3,784($1)   # 310
    b368:   3e c0 00 84    cwd      $4,0($1)
    b36c:   b0 60 c1 04    shufb   $3,$2,$3,$4
    b370:   24 0c 40 83    stqd   $3,784($1)   # 310
    b374:   32 00 03 80    br      0xb390   # b390

E7A0  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


[Mathieulh]

I think the keys are on the kirk chip. So unless they have some "spare" keys that they didn't put in the PS3, that is not doable because they can't revoke all of them.

Kirk 7 accept key index from 0x00-0xFF, Kirk 4 allows you to use 0x00-0x3F. Only 6 of the 192 keys blocked in Kirk 4 is exposed.

Yeah I also think some keys might be missing or might have to be calculated from some index table.

There are enough keys in there to hash and encrypt prx though. It seems kirk is fully emulated by this module while it also does additional things (probably marlin related)

[kgsws]

I was talking about actual Kirk operation on the PSP.

It might be different than indexes up to 0x7F. If i use same code for indexes 0x80 and more, kirk returns me error 0x0F. (Invalid size?)

[coyotebean]

I was talking about actual Kirk operation on the PSP.

It might be different than indexes up to 0x7F. If i use same code for indexes 0x80 and more, kirk returns me error 0x0F. (Invalid size?)

Yes, you are right. I found that I was quoting result from Kirk 4 testing,
which returns error 14 (invalid code/seed) for 0x40 to 0xFF.
Kirk 7 returns error 15 (invalid size?) for 0x80 to 0xFF.

[kgsws]

I don't know why but i made my encryption code too complicated, here is better version.
Anyway, i am still lost with kirk cmd 1. Is there some more info about kirk cmd 1 header structure? I know few things but i am not still sure how one value works.
Also i confirm that there have to be SHA2, there is table of round constants for SHA2 at 0xdd20.
And i wonder what are these blocks for: 0xde20 0xdf20 0xe020 0xe120 0xe220 0xe320 0xe420 0xe520

[Draan]

There is, you can check PSARDUMPER source, if you haven't yet. Especially pspDecrypt helper module.