
[Released] JigKick for PSP-2000 (TA-088v3 supported)

ErikPshat
Posts: 104
Joined: Sun Jan 23, 2011 5:50 am
Location: Moscow

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by ErikPshat » Tue Jul 12, 2011 2:24 pm

kgsws wrote: Well, homebrews also use KIRK 7, which we don't have, but we can sign it anyway, using the CMAC trick. This won't work on .enc files?
Does someone know exactly how to decrypt those .enc files?
You saw the headers of the ENC files. They are similar to the IPL header.
If you can sign them as well, with the new MSID, then it will be a huge breakthrough.

We certainly know how to rewrite the MSID with a programmer, but if there were a software method of writing the MSID, then not only professionals in service workshops could use it.

Actually, this Pandora was published only because it had leaked and people began to speculate on it, i.e. ready-made cards for sale, and hence further distribution and flashing services.
kgsws wrote: Also, if I understand, I can't run this on the PSP-1000 model?
No. The IPL on the memory card is not suitable for the PSP-100X. It only works on the PSP-200X/300X. And to put a PSP-300X into service mode you need special equipment that is connected to the middle terminal of the battery connector and knows how to answer the PSP's encrypted requests.

kgsws
Guru
Posts: 77
Joined: Wed Jan 05, 2011 9:51 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by kgsws » Tue Jul 12, 2011 8:12 pm

I don't see anything obvious in the enc files. An exact decryption method would help.
Also, I can't work with that IPL; I don't have any PSP-2000.

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by Davee » Tue Jul 12, 2011 10:54 pm

kgsws wrote: Well, homebrews also use KIRK 7, which we don't have, but we can sign it anyway, using the CMAC trick. This won't work on .enc files?
Does someone know exactly how to decrypt those .enc files?

Also, if I understand, I can't run this on the PSP-1000 model?
Err, to change the MSID for it to run you need the KIRK 7 key.

Also, really this is a dead end, what's the point in running Sony code?
Follow me on twitter: @DaveeFTW

Llywelyn
Posts: 43
Joined: Sat Jul 02, 2011 12:06 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by Llywelyn » Tue Jul 12, 2011 11:09 pm

Davee wrote:
Err, to change the MSID for it to run you need the KIRK 7 key.

Also, really this is a dead end, what's the point in running Sony code?
Allowing people to unbrick their PSP-2000 without paying 120 bucks :)

coyotebean
Guru
Posts: 96
Joined: Mon Sep 27, 2010 3:22 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by coyotebean » Wed Jul 13, 2011 5:14 am

The scramble method for the enc files is much different from the normal PRX scramble.

Even if the enc files are authenticated with CMAC (which allows us to hijack the header), the Sony IPL (which cannot be distributed) is still needed. We have no way to forge the IPL for TA-088v3. As discovered by Davee, those mysterious 0x20-byte hashes are decrypted with one of the protected keys of KIRK 7, and the method to create the hash is still unknown.

Also I have some doubt whether this "package" will run on the PSP-300X when service mode can be activated. Since starting with the PSP-300X there is an extra scramble in the (NAND) IPL (byte 0x62 is 1 and the block cannot be decrypted with KIRK 1), I would think the service IPL will need the same extra scramble.

ErikPshat
Posts: 104
Joined: Sun Jan 23, 2011 5:50 am
Location: Moscow

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by ErikPshat » Wed Jul 13, 2011 9:30 am

This "package" is working on the PSP-300X. This is reliable information.
However, the usual battery switched into service mode does not fit the 3000.
The PSP sends an encrypted request to the battery, and it must get the correct answer. Perhaps, as usual, the XOR operation is applied.

We have long tried to decipher the conversation between the PSP and the battery. The guys drew a diagram of the K-Line terminal and got together to listen to the requests/responses. Now it is just a matter of writing a program to manage the responses.
+ Conversation between the PSP and the JIG
  • 1st byte - 5A request; A5 response
  • 2nd byte - length of the command being sent
  • 3rd byte - command code (decoding of codes is available; 06 = Reply)
  • Last byte - checksum = FF minus the sum of all bytes (u8)
PSP-3000 log:

5A02 01 A2                                     //Request the status energyleft_mAh: u16
A505 06 106E01 D0                              //Reply the energyleft 016E (10 - code) = 366 mAh
5A02 0C 97                                     //Request serial number
A506 06 FFFFFFFF 52                            //Reply Serial Number FFFFFFFF
5A0B 80D9 AF3D2E36BF5EFE48 8E                  //Encrypted request
A512 06 A1031B0E1ACC8DE4964E09013CE2C0D1 81    //Encrypted reply
5A0A 81 BD8CD84793BE24F6 47                    //Encrypted request
A50A 06 A01166DA69B4C45F 19                    //Encrypted reply
5A02 01 A2                                     //Request the status energyleft_mAh: u16
A505 06 006E01 E0                              //Reply the energyleft 016E (00 - code)  = 366 mAh
5A0B 80D9 A07E97753B554082 C5
A512 06 44B183DCED693F384686D44C8A767EDC DB
5A0A 81 4973EF87C323D8CA 60
A50A 06 F14CFB0731757426 CB
5A02 01 A2
A505 06 006E01 E0
5A02 03 A0                                     //Request the status voltage_mV: u16
A504 06 AF0E 93                                //Reply 0EAF = 3759 mV
5A0B 80D9 05E6C958B8C036F7 90
A512 06 E4245C3A5728F818B2D937EEEB05DAFA A1
5A0A 81 4EFA163A7B5FE24A 7C
A50A 06 BA1EE3FD575F2D02 AD
5A02 01 A2
A505 06 006E01 E0
5A02 07 9C                                     //Request the capacity_mAh: u16
A504 06 D804 74                                //Reply 04D8 = 1240 mAh
5A02 0B 98                                     //???
A504 06 0000 50
5A02 09 9A                                     //Request the timeleft_min: u16
A504 06 2B00 25                                //Reply 002B = 43 min
5A02 02 A1                                     //Request the temperature: u8
A503 06 1B 36                                  //Reply 1B = 27°
5A02 04 9F                                     //Request the current_mA: short ???
A504 06 0000 50
5A02 03 A0
A504 06 AF0E 93
5A02 01 A2
A505 06 106E01 D0
5A02 09 9A
A504 06 2B00 25
5A02 02 A1
A503 06 1B 36
5A02 04 9F
A504 06 0000 50
5A02 03 A0
A504 06 AF0E 93
5A02 01 A2
A505 06 106E01 D0
5A02 03 A0
A504 06 AF0E 93
5A02 0C 97                                     //Request serial number
A506 06 FFFFFFFF 52                            //Reply Serial Number FFFFFFFF
5A0B 80D9 B1DFE1F5D3F74426 A7
A512 06 C71DA54C4BE51CB3B2D937EEEB05DAFA FA
5A0A 81 4EFA163A7B5FE24A 7C
A50A 06 BA1EE3FD575F2D02 AD
5A02 01 A2
A505 06 006E01 E0
5A02 09 9A
A504 06 2B00 25
5A02 02 A1
A503 06 1B 36
Service Mode = On
Signing the files with a new MSID key probably will not work.
It is therefore easier to find a way to programmatically change the MSID on a memory card. And that can certainly be done through a PSP, not a PC.
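The framing rules in the post above (5A/A5 direction byte, length byte, command byte, FF-minus-sum checksum) are enough to write a parser that validates each captured frame and decodes the plaintext replies. The following is an added example written for this thread, not code from any of the posters; it assumes, from the capture itself, that the length byte counts every byte after it including the checksum, that multi-byte values are little-endian (6E 01 = 0x016E = 366, as the post decodes it), and that the "current_mA" field marked "short ???" is a signed 16-bit value. Encrypted exchanges (commands 80/81) are passed through as opaque hex, since the post gives no way to interpret them.

```python
"""Parser and checksum validator for the PSP <-> battery frames shown in the log.

Added example, not code from the thread. Packet layout follows the post:
  byte 0   : 0x5A = request from the PSP, 0xA5 = reply from the battery
  byte 1   : length (assumed: number of bytes that follow it, checksum included)
  byte 2   : command code (0x06 = reply in responses)
  last byte: checksum = (0xFF - u8 sum of all preceding bytes) & 0xFF
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

REQUEST, RESPONSE = 0x5A, 0xA5

# Request command codes, named from the comments in the captured log.
REQUEST_NAMES = {
    0x01: "energyleft_mAh", 0x02: "temperature_C", 0x03: "voltage_mV",
    0x04: "current_mA", 0x07: "capacity_mAh", 0x09: "timeleft_min",
    0x0C: "serial", 0x80: "encrypted", 0x81: "encrypted",
}


@dataclass
class Packet:
    direction: str       # "request" or "response"
    command: int         # third byte (0x06 = reply in responses)
    payload: bytes       # bytes between the command byte and the checksum
    checksum_ok: bool
    length_ok: bool


def checksum(data: bytes) -> int:
    """Checksum rule from the post: 0xFF minus the u8 sum of all preceding bytes."""
    return (0xFF - sum(data)) & 0xFF


def parse_packet(line: str) -> Packet:
    """Parse one hex line such as '5A02 01 A2'; spaces and '//' comments are ignored."""
    raw = bytes.fromhex("".join(line.split("//", 1)[0].split()))
    if len(raw) < 4:
        raise ValueError(f"packet too short: {line!r}")
    head, length, cmd, tail = raw[0], raw[1], raw[2], raw[-1]
    if head not in (REQUEST, RESPONSE):
        raise ValueError(f"unknown start byte 0x{head:02X}")
    return Packet(
        direction="request" if head == REQUEST else "response",
        command=cmd,
        payload=raw[3:-1],
        checksum_ok=checksum(raw[:-1]) == tail,
        length_ok=length == len(raw) - 2,   # assumption: everything after the length byte
    )


def decode_reply(request_cmd: int, reply: Packet) -> Tuple[str, Union[int, str]]:
    """Interpret a reply payload according to the request that preceded it."""
    p = reply.payload
    name = REQUEST_NAMES.get(request_cmd, f"cmd_{request_cmd:02X}")
    if request_cmd == 0x01:                       # status byte, then u16 mAh
        return name, int.from_bytes(p[1:3], "little")
    if request_cmd == 0x02:                       # single u8, degrees C
        return name, p[0]
    if request_cmd in (0x03, 0x07, 0x09):         # plain little-endian u16
        return name, int.from_bytes(p[:2], "little")
    if request_cmd == 0x04:                       # post says "short ???": signed 16-bit assumed
        return name, int.from_bytes(p[:2], "little", signed=True)
    return name, p.hex().upper()                  # serial, encrypted or unknown: raw hex


def decode_log(text: str) -> List[Tuple[str, Union[int, str], bool]]:
    """Pair each request with the reply that follows it; report (name, value, frames_ok)."""
    results, pending = [], None
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        pkt = parse_packet(line)
        if pkt.direction == "request":
            pending = pkt
            continue
        if pending is None:
            raise ValueError("reply without a preceding request")
        name, value = decode_reply(pending.command, pkt)
        frames_ok = all((pending.checksum_ok, pending.length_ok, pkt.checksum_ok, pkt.length_ok))
        results.append((name, value, frames_ok))
        pending = None
    return results


# Exchange pairs copied from the PSP-3000 log in the post above.
CAPTURED_LOG = """
5A02 01 A2
A505 06 106E01 D0
5A02 0C 97
A506 06 FFFFFFFF 52
5A0B 80D9 AF3D2E36BF5EFE48 8E
A512 06 A1031B0E1ACC8DE4964E09013CE2C0D1 81
5A02 03 A0
A504 06 AF0E 93
5A02 07 9C
A504 06 D804 74
5A02 09 9A
A504 06 2B00 25
5A02 02 A1
A503 06 1B 36
"""

if __name__ == "__main__":
    for name, value, ok in decode_log(CAPTURED_LOG):
        print(f"{name:<16} {value!s:<34} {'ok' if ok else 'BAD FRAME'}")
```

Running it over the captured pairs reproduces the values the post annotates (366 mAh, 3759 mV, 1240 mAh, 43 min, 27 degrees) and confirms that every frame in the log satisfies the stated checksum rule, which is a useful sanity check on a sniffer before trusting what it captured for the encrypted exchanges.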

haslomaslo2
Posts: 14
Joined: Sun Jan 02, 2011 5:11 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by haslomaslo2 » Wed Jul 13, 2011 1:48 pm

It may be of interest to try to sniff the traffic from/to KIRK while the PSP and the battery are talking.

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by Davee » Wed Jul 13, 2011 5:39 pm

haslomaslo2 wrote:It may be of interest to try to sniff the traffic from/to KIRK while the PSP and the battery are talking.
very difficult...
Follow me on twitter: @DaveeFTW

psphbldude
Posts: 23
Joined: Tue Oct 05, 2010 6:06 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by psphbldude » Wed Jul 13, 2011 7:53 pm

Davee wrote:
haslomaslo2 wrote:It may be of interest to try to sniff the traffic from/to KIRK while the PSP and the battery are talking.
very difficult...
Davee, this is the first time I quote you, because I felt I had to.... You said very difficult, not impossible, so it can be done!

Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by Davee » Wed Jul 13, 2011 8:54 pm

psphbldude wrote:
Davee wrote:
haslomaslo2 wrote:It may be of interest to try to sniff the traffic from/to KIRK while the PSP and the battery are talking.
very difficult...
Davee, this is the first time I quote you, because I felt I had to.... You said very difficult, not impossible, so it can be done!
yes, if you feel like decapping the CPU to see the internal connections xD
Follow me on twitter: @DaveeFTW
