PSAR Dumper 2.0 (PRX 2.0 format decrypted)


Erant
Posts: 33
Joined: Fri May 13, 2005 6:19 am

Post by Erant »

PspPet wrote: My guess: the byte "code" is a seed used by the block cipher.
There are other 'code' values. There are other 0x90 byte key blocks too [something like 16 in V1, and new ones added in V2]. The 0x90 byte key block must be combined with the correct byte "code"
Would you happen to know where these bytes are stored? They have to be somewhere in either kernel or user memory space. Are they in either sceMesgLed or sceMemlmd? Reverse engineering would probably be just a little too much for me, as I have trouble enough struggling with just coding ;)
Live free, prosper, and under my rule.
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

Getting into the weeds and off topic for PsarDumper. Please send me an email if you don't understand the program.

Everything needed to decrypt 1.x and 2.x PRXs is in the PsarDumper2A source code (and the mysterious PSP hardware). You don't need any additional reverse engineering (except for fun).
BTW: None of this is related to the problems of getting 2.x PRXs to run under Homebrew 1.0/1.50.
Erant
Posts: 33
Joined: Fri May 13, 2005 6:19 am

Post by Erant »

PspPet wrote: BTW: None of this is related to the problems of getting 2.x PRXs to run under Homebrew 1.0/1.50.
I know, but my curiosity is getting the better of me ;) I'll send you an email shortly
Live free, prosper, and under my rule.
wiseg
Posts: 1
Joined: Tue Nov 15, 2005 2:33 am

REASSEMBLY?

Post by wiseg »

Is there a way to recompile the .psar?
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

> Is there a way to recompile the .psar?
No, not in any meaningful way.

Somewhat related to security of encrypted PRXs. Each PSP knows how to decrypt them, but only Sony knows how to encrypt them.
sherpya
Posts: 61
Joined: Mon Oct 03, 2005 5:49 pm

Post by sherpya »

it's a classic encryption, I've seen Sony uses RSAFE or similar and there are some 2k 1k keys on the flash. I think it would be possible to generate a key pair and put the public in the psp, so the private for the community can be used to "encrypt" hb, maybe this could make 2.0 capable of running hb.
The only problem is that it's a bit dangerous to make such things, at least until someone finds a way to flash the psp via an external programmer
Erant
Posts: 33
Joined: Fri May 13, 2005 6:19 am

Post by Erant »

sherpya wrote:it's a classic encryption, I've seen Sony uses RSAFE or similar and there are some 2k 1k keys on the flash. I think it would be possible to generate a key pair and put the public in the psp, so the private for the community can be used to "encrypt" hb, maybe this could make 2.0 capable of running hb.
The only problem is that it's a bit dangerous to make such things, at least until someone finds a way to flash the psp via an external programmer
The mesg_led.prx file is responsible for decrypting some files (Not all, some are done in the IPL), and thus contains a few keys, and their 'seeds'. In theory, you could change those keys and seeds. But PspPet told me this would probably crash the PSP because of some protection. I'm also not sure if RSAFE does any 'header mangling', as this is done on the ~PSP header. I also believe the mangling uses a different cipher.
Live free, prosper, and under my rule.
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

Firmware 2.60.

I have modified the code of psardumper to accommodate the new length of the data.psar, but the decryption process fails. "0 decrypted of 118 data files saved"

have they changed the encryption again? :S
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

> have they changed the encryption again?
Yes.
Three brand new keys, not used before. Can't decrypt because we don't have the plain-text versions to use. Otherwise the structure looks unchanged.

Also the IPL implementation has changed
"part3" of the IPL decoding (built into PsarDumper2A) doesn't work anymore
"part2" in the old version (2.50) contained a plain GZIPed image for part of the boot sequence. Now (2.60) it appears to be scrambled with another layer or two
( related thread -> http://forums.ps2dev.org/viewtopic.php?t=3573 )

If someone wants to disassemble (**) the new "part2" of the IPL, please give it a shot and report your results. That should be enough for me to add to PsarDumper.
** - or execute in a controlled environment so you can capture the results which may be easier
NOTE: code at start of 'part2_psp_ipl.bin' [will dump if you bump the buffer size and run on the 2.60 PSAR]
zshadow
Posts: 42
Joined: Mon Dec 26, 2005 5:36 am

Post by zshadow »

So, from what I gather, the keys that the PSP uses to decrypt prx are located in the IPL?

I changed the buffer size and used your psardump program to dump part1 and part2 of the firmware 2.6 ipl, part3 won't copy over.

Is it possible for me to use the keys from these IPL files to decrypt 2.6 PRX? I have no idea where to start on trying to disassemble these files; the thread you linked to is very confusing to me.

Also, as another solution, I am wondering, since it is possible to boot homebrew on 2.6 (although limited, as there is no kernel mode), whether we could grab the key used to decrypt 2.6 PRX?
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

There is around there (http://pspupdates.qj.net/PSARDumper-v0- ... /aid/29442)

the version v0.2Ae of psar dump...

But since PspPet has not posted it here as usual, and the file doesn't have the source code, I want to ask PspPet here if that file is really his or simply a mod by someone who has used PspPet's name...
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

moonlight wrote:There is around there (http://pspupdates.qj.net/PSARDumper-v0- ... /aid/29442)

the version v0.2Ae of psar dump...

But since PspPet has not posted it here as usual, and the file doesn't have the source code, I want to ask PspPet here if that file is really his or simply a mod by someone who has used PspPet's name...
oh
that may be my fault
I posted a mod ver in http://forums.ps2dev.org/viewtopic.php?t=5556
to let people dump FW2.6 by themselves
I don't know why pspupdates says this is a new ver.
sorry.....
PSP hardware hack
http://0okm.blogspot.com/
the-dan
Posts: 7
Joined: Thu Jul 21, 2005 8:56 am

Post by the-dan »

0okm0000 wrote:
moonlight wrote:There is around there (http://pspupdates.qj.net/PSARDumper-v0- ... /aid/29442)

the version v0.2Ae of psar dump...

But since PspPet has not posted it here as usual, and the file doesn't have the source code, I want to ask PspPet here if that file is really his or simply a mod by someone who has used PspPet's name...
oh
that may be my fault
I posted a mod ver in http://forums.ps2dev.org/viewtopic.php?t=5556
to let people dump FW2.6 by themselves
I don't know why pspupdates says this is a new ver.
sorry.....
It has been fixed, our apologies. This one should not have been posted, but seeing as it did, all I can do is say we're sorry and it has been fixed. Things like this have slipped before, and shouldn't happen again, *crosses fingers*. Anyways guys, thanks for pointing this out and our apologies for the confusion.

- Dan
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

General rule - if it is not on my website, it isn't mine:
http://www.aibohack.com/psp

Increasing the buffer size is a simple change. The hard part is figuring out how the 2.6 (and newer) PRXs are keyed/mangled.

As always, be careful of EBOOT.PBP files you download from the web, especially from unknown websites (remember there are 'bricker' programs)
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

Updated version 2B (.02B)
http://www.aibohack.com/psp/psardump02b.zip

Larger buffer will extract files from the 2.6 and 2.7 PSAR files. A minor tweak needed for the 2.70 header.

NOTE: will extract only for 2.6 or 2.7. The decrypt function will not work
[see comment above, someone needs to look at "part2" of the IPL]
zshadow
Posts: 42
Joined: Mon Dec 26, 2005 5:36 am

Post by zshadow »

thanks for the update PspPet :)
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

I'll try to get a 2.60 user memory space dump to see if there is something useful there (has someone done that before?)

Btw, PspPet, can you guess if the encryption has changed from 2.60 to 2.70? I suppose it has not changed... but who knows, those guys of Sony are getting paranoid about security.
zshadow
Posts: 42
Joined: Mon Dec 26, 2005 5:36 am

Post by zshadow »

some new modules I noticed in 2.7:

amctrl.prx
avcodec.prx
game_install_plugin.prx
iofilemgr_dnas.prx
irda.prx
mm_flash.prx
psheet.prx
usbacc.prx
usbcam.prx
usbgps.prx
usbgps_serial.prx
usbmic.prx
usbpspcm.prx
video_main_plugin.prx

seems camera support is there now (although I don't think the actual camera device has been released yet).
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

> I'll try to get a 2.60 user memory space dump to see if there is something useful there (has someone do that before?)
I have suggested it to others in the past - but haven't seen any results (I'm living in the past with 1.0/1.5)

If someone has a user RAM capture, I'd like to see it. If they have GZ copies of some of the core system modules laying around (like in earlier releases), it will be easier than disassembling the IPL code.

> can you guess if the encryption has changed from 2.60 to 2.70?
Looks like it is the same (a number of the encrypted PRXs are identical in 2.6 and 2.7: chkreg.prx mcctrl.prx memab.prx openpsid.prx semawm.prx usbstorboot.prx)

> some new modules I noticed in 2.7:
> usbXXX.prx
Now things are getting interesting...
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

All we can really capture from 2.6 is user memory with GTA loaded - since GTA fills almost the whole of RAM, I'm not sure how much use that will be.

But feel free to PM me your email address if you want one, I've got some lying around somewhere.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

zshadow wrote:some new modules I noticed in 2.7:

amctrl.prx
avcodec.prx
game_install_plugin.prx
iofilemgr_dnas.prx
irda.prx
mm_flash.prx
psheet.prx
usbacc.prx
usbcam.prx
usbgps.prx
usbgps_serial.prx
usbmic.prx
usbpspcm.prx
video_main_plugin.prx

seems camera support is there now (although I don't think the actual camera device has been released yet).
Any idea if loadexec.prx or similar modules look like they've changed? This would help to confirm / refute the rumour that the syscall mechanism has been modified.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
FreePlay
Posts: 71
Joined: Wed Jan 04, 2006 6:53 pm
Location: Schenectady, New York, USA

Post by FreePlay »

I'm taking a quick peek at the IPL... though I must admit it's a bit above my head. I've noticed that there are several 4048-byte chunks of data, padded by identical 48-byte blocks to align them out to 4KB each. The last chunk, however, is 144 bytes shorter, and the first chunk is exactly 144 bytes when padded.

My first instinct is to shove those 144 bytes to the end of the file... though I'm not sure where to go from there. I'm also going to check over the 4KB chunks to see if there's anything interesting.

Dunno if you guys already knew this. I assume you know most of it. Anyways, I'll keep you updated if I come up with anything. Wish me luck.
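A small walker for the chunk layout described in the post above (4048-byte data chunks, each followed by an identical 48-byte padding block that rounds it to 4 KB, with a short first chunk and a shorter last chunk). This is an added example, not code from the thread or from PsarDumper: it builds a constructed stand-in blob with the same shape, splits it at the padding pattern, and reports which chunks deviate from the 4048-byte size. The padding bytes, the filler contents and the chunk counts are all assumptions chosen for the example.

```python
BLOCK = 4096          # padded chunk size observed in the post
DATA_LEN = 4048       # data bytes per full chunk
PAD_LEN = BLOCK - DATA_LEN  # 48-byte padding block
PAD = b"\x5a" * PAD_LEN     # assumed padding pattern (constructed for the example)


def _filler(n, seed):
    """Deterministic non-padding filler so the pad pattern never occurs inside data."""
    return bytes(((i * 7 + seed) & 0xFF) for i in range(n))


def build_sample_blob(middle_chunks=3, first_len=144, short_by=144):
    """Constructed blob: a first chunk of first_len bytes when padded, then
    middle_chunks full 4 KB chunks, then a last chunk short_by bytes shorter."""
    parts = [_filler(first_len - PAD_LEN, 1) + PAD]
    for k in range(middle_chunks):
        parts.append(_filler(DATA_LEN, 2 + k) + PAD)
    parts.append(_filler(DATA_LEN - short_by, 9) + PAD)
    return b"".join(parts)


def split_padded_chunks(blob, pad=PAD):
    """Return a list of (offset, data_length) for every chunk, using the
    padding block as the delimiter. Raises if a chunk has no trailing pad."""
    chunks, pos = [], 0
    while pos < len(blob):
        idx = blob.find(pad, pos)
        if idx < 0:
            raise ValueError(f"no padding block after offset {pos:#x}")
        chunks.append((pos, idx - pos))
        pos = idx + len(pad)
    return chunks


def summarize_layout(chunks):
    """Flag chunks whose data length differs from DATA_LEN; the post expects
    only the first and last chunks to be irregular."""
    irregular = [(i, off, n) for i, (off, n) in enumerate(chunks) if n != DATA_LEN]
    return {
        "chunks": len(chunks),
        "irregular": irregular,
        "only_ends_irregular": all(i in (0, len(chunks) - 1) for i, _, _ in irregular),
    }


if __name__ == "__main__":
    blob = build_sample_blob()
    layout = summarize_layout(split_padded_chunks(blob))
    print(len(blob), layout)
```

On the constructed blob the first chunk carries 96 data bytes (144 when padded), the three middle chunks 4048 each, and the last chunk 3904 (144 shorter), for a total of exactly four 4 KB blocks; on a real dump the padding bytes would have to be read from the file rather than assumed.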
ryoko_no_usagi
Posts: 65
Joined: Tue Nov 29, 2005 4:47 pm

Post by ryoko_no_usagi »

FreePlay
Posts: 71
Joined: Wed Jan 04, 2006 6:53 pm
Location: Schenectady, New York, USA

Post by FreePlay »

Yeah, that's about what I figured :/
zshadow
Posts: 42
Joined: Mon Dec 26, 2005 5:36 am

Post by zshadow »

Fanjita wrote: Any idea if loadexec.prx or similar modules look like they've changed? This would help to confirm / refute the rumour that the syscall mechanism has been modified.
2.7 loadexec.prx is about ~5KB larger than the 2.6 module. So it seems quite a bit was added / changed.
Fanjita
Posts: 217
Joined: Wed Sep 28, 2005 9:31 am

Post by Fanjita »

zshadow wrote:
Fanjita wrote: Any idea if loadexec.prx or similar modules look like they've changed? This would help to confirm / refute the rumour that the syscall mechanism has been modified.
2.7 loadexec.prx is about ~5KB larger than the 2.6 module. So it seems quite a bit was added / changed.
Bah, rotters! ;)
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

I've added 2.80 prx decryption support to psardumper:
http://dax.lan.st/psardumpmod.rar

Some changes in 2.80:

- new operating mode: "pops" (pspbtcnf_pops). I don't know what it is for. maybe for popstation? :P
- pspbtcnf* files now have a hash attached to each file like this:

$/kd/sysmem.prx 5070b5f8bb8310a00d699742b912f08b
- new prx: wlanfirm_magpie.prx and maybe some others. I haven't checked.
Last edited by moonlight on Thu Sep 07, 2006 8:25 pm, edited 1 time in total.
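A parser and integrity check for the per-module hash lines quoted in the post above (`$/kd/sysmem.prx 5070b5f8bb8310a00d699742b912f08b`). This is an added example, not part of moonlight's psardumper mod or of the firmware: it reads lines in that `$path hash` shape, rejects malformed ones, and compares a module's digest against the table. The thread does not say which hash the firmware uses; the 32 hex characters match MD5's length, so MD5 is used here as a labelled assumption, and the sample table and module bytes are constructed for the example.

```python
import hashlib
import re

# Constructed sample in the "$path hash" shape quoted in the thread.
# Only the sysmem line is taken from the post; the other digests are made up.
SAMPLE_BTCNF = """\
$/kd/sysmem.prx 5070b5f8bb8310a00d699742b912f08b
$/kd/loadcore.prx 0123456789abcdef0123456789abcdef
# a comment line, ignored by the parser
$/kd/exceptionman.prx notahash
"""

# "$" prefix, a path without whitespace, then exactly 32 hex digits.
ENTRY_RE = re.compile(r"^\$(?P<path>\S+)\s+(?P<hash>[0-9a-fA-F]{32})\s*$")


def parse_btcnf_hashes(text):
    """Return (entries, rejected): entries maps path -> lowercase hash,
    rejected lists (line number, line) for anything not matching the shape."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append((lineno, line))
            continue
        entries[m.group("path")] = m.group("hash").lower()
    return entries, rejected


def build_table(modules, algo="md5"):
    """Emit a table in the same shape from {path: bytes}; algo is an assumption."""
    return "".join(
        f"${path} {hashlib.new(algo, data).hexdigest()}\n" for path, data in modules.items()
    )


def check_module(entries, path, data, algo="md5"):
    """Compare a module's digest with the table. Returns 'ok', 'mismatch' or
    'unlisted'. The algorithm is an assumption: 32 hex chars fits MD5."""
    expected = entries.get(path)
    if expected is None:
        return "unlisted"
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if actual == expected else "mismatch"


if __name__ == "__main__":
    entries, rejected = parse_btcnf_hashes(SAMPLE_BTCNF)
    print(entries, rejected)
    body = b"constructed module body"
    table, _ = parse_btcnf_hashes(build_table({"/kd/test.prx": body}))
    print(check_module(table, "/kd/test.prx", body))
```

Rejecting lines whose hash field is not exactly 32 hex digits is deliberate: a table that silently accepts a truncated or edited digest would verify nothing, so malformed entries are reported instead of being looked up.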
danzel
Posts: 182
Joined: Fri Nov 04, 2005 11:03 pm

Post by danzel »

Good work :)

wlanfirm_magpie.prx hhhmmm....
Maybe a new revision psp will be coming with a different wifi chipset, I can't find anything about a magpie wifi chipset on google however.
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

moonlight wrote:I've added 2.80 prx decryption support to psardumper:
http://dax.lan.st/psardumpmod280.rar

Some changes in 2.80:

- new operating mode: "pops" (pspbtcnf_pops). I don't know what it is for. maybe for popstation? :P
- pspbtcnf* files now have a hash attached to each file like this:

$/kd/sysmem.prx 5070b5f8bb8310a00d699742b912f08b
- new prx: wlanfirm_magpie.prx and maybe some others. I haven't checked.
Great Work

it also can decrypt FW2.81 :)
PSP hardware hack
http://0okm.blogspot.com/
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

UPDATE: I've added 2.60-2.71 decryption to the psar dumper mod.

http://dax.lan.st/psardumpmod.rar

Now all firmwares decrypt.