forums.ps2dev.org

[Erant]

[PspPet]

Getting into the weeds and off topic for PsarDumper. Please send me an email if you want to don't understand the program.

Everything needed to decrypt 1.x and 2.x PRXs is in the PsarDumper2A source code (and the mysterious PSP hardware). You don't need any additional reverse engineering (except for fun).
BTW: None of this is related to the problems of getting 2.x PRXs to run under Homebrew 1.0/1.50.

[Erant]

[wiseg]

Is there a way to recompile the .psar?

[PspPet]

> Is there a way to recompile the .psar?
No, not in any meaningful way.

Somewhat related to security of encrypted PRXs. Each PSP knows how to decrypt them, but only Sony knows how to encrypt them.

[sherpya]

it's a classic encryption, I've seen sony uses RSAFE or similare and there are some 2k 1k keys on the flash. I think it would be possible to generate a key pair and put the public in the psp, so the private for the community can be used to "encrypt" hb, maybe this could make 2.0 capable of running hb.
The only problem is that it's a bit dangerous to make such things, at least until someone finds a way to flash via external programmer the psp

[Erant]

[moonlight]

Firmware 2.60.

I have modified the code of psardumper to acommodate the new length of the data.psar, but the decryption process fails. "0 decrypted of 118 data files saved"

have they changed the encryption again? :S

[PspPet]

> have they changed the encryption again?
Yes.
Three brand new keys, not used before. Can't decrypt because we don't have the plain-text versions to use. Otherwise the structure looks unchanged.

Also the IPL implementation has changed
"part3" of the IPL decoding (built into PsarDumper2A) doesn't work anymore
"part2" in the old version (2.50) contained a plain GZIPed image for part of the boot sequence. Now (2.60) it appears to be scrambled with another layer or two
( related thread -> http://forums.ps2dev.org/viewtopic.php?t=3573 )

If someone wants to disassemble (**) the new "part2" of the IPL, please give it a shot and report your results. That should be enough for me to add to PsarDumper.
** - or execute in a controlled environment so you can capture the results which may be easier
NOTE: code at start of 'part2_psp_ipl.bin' [will dump if you bump the buffer size and run on the 2.60 PSAR]

[zshadow]

So, from what I gather, the keys that the PSP uses to decrypt prx are located in the IPL?

I changed the buffer size and used your psardump program to dump part1 and part2 of the firmware 2.6 ipl, part3 won't copy over.

is it possible for me to use the keys from these ipl files to decrypt 2.6 prx. I have no idea where to start on trying to disassemble these files, the thread you linked to is very confusing to me.

also as another solution i am wondering since it is possible to boot homebrew on 2.6 (although limited as no kernel mode), maybe we could grab the key used to decrypt 2.6 prx?

[moonlight]

There is around there (http://pspupdates.qj.net/PSARDumper-v0-2Ae-Decrypt-firmware-2-6/pg/49/aid/29442)

the version v0.2Ae of psar dump...

But since PspPet has not posted it here as usual, and the file don't have the source code, i want to ask here to PspPet if that file is really of him or it's simple a mod of someone that has used PspPet name...

[0okm0000]

[the-dan]

[PspPet]

General rule - if it is not on my website, it isn't mine:
http://www.aibohack.com/psp

Increasing the buffer size is a simple change. The hard part is figuring out how the 2.6 (and newer) PRXs are keyed/mangled.

As always, be careful of EBOOT.PBP files you download from the web, expecially from unknown websites (remember there are 'bricker' programs)

[PspPet]

Updated version 2B (.02B)
http://www.aibohack.com/psp/psardump02b.zip

Larger buffer will extract files from the 2.6 and 2.7 PSAR files. A minor tweek needed for the 2.70 header.

NOTE: will extract only for 2.6 or 2.7. The decrypt function will not work
[see comment above, someone needs to look at "part2" of the IPL]

[zshadow]

thanks for the update PspPet :)

[moonlight]

I'll try to get a 2.60 user memory space dump to see if there is something useful there (has someone do that before?)

Btw, PspPet, can you guess if the encryption has changed from 2.60 to 2.70? I suppose it has not changed... but who knows, those guys of Sony are getting paranoid about security.

[zshadow]

some new modules I noticed in 2.7:

amctrl.prx
avcodec.prx
game_install_plugin.prx
iofilemgr_dnas.prx
irda.prx
mm_flash.prx
psheet.prx
usbacc.prx
usbcam.prx
usbgps.prx
usbgps_serial.prx
usbmic.prx
usbpspcm.prx
video_main_plugin.prx

seems camera support is there now (although I don't think the actual camera device has been released yet).

[PspPet]

> I'll try to get a 2.60 user memory space dump to see if there is something useful there (has someone do that before?)
I have suggested it to others in the past - but haven't seen any results (I'm living in the past with 1.0/1.5)

If someone has a user RAM capture, I'd like to see it. If they have GZ copies of some of the core system modules laying around (like in earlier releases), it will be easier than disassembling the IPL code.

> can you guess if the encryption has changed from 2.60 to 2.70?
Looks like it is the same (a number of the encrypted PRXs are identical in 2.6 and 2.7: chkreg.prx mcctrl.prx memab.prx openpsid.prx semawm.prx usbstorboot.prx)

> some new modules I noticed in 2.7:
> usbXXX.prx
Now things are getting interesting...

[Fanjita]

All we can really capture from 2.6 is user memory with GTA loaded - since GTA fills almost the whole of RAM, I'm not sure how much use that will be.

But feel free to PM me your email address if you want one, I've got some lying around somewhere.
_________________
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!

[Fanjita]

[FreePlay]

I'm taking a quick peek at the IPL... though I must admit it's a bit above my head. I've noticed that there are several 4048-byte chunks of data, padded by identical 48-byte blocks to align them out to 4KB each. The last chunk, however, is 144 bytes shorter, and the first chunk is exactly 144 bytes when padded.

My first instinct is to shove those 144 bytes to the end of the file... though I'm not sure where to go from there. I'm also going to check over the 4KB chunks to see if there's anything interesting.

Dunno if you guys already knew this. I assume you know most if it. Anyways, I'll keep you updated if I come up with anything. Wish me luck.

[ryoko_no_usagi]

FreePlay: http://forums.ps2dev.org/viewtopic.php?t=3573

[FreePlay]

Yeah, that's about what I figured :/

[zshadow]

[Fanjita]

[moonlight]

I've added 2.80 prx decryption support to psardumper:
http://dax.lan.st/psardumpmod.rar

Some changes in 2.80:

- new operative mode: "pops" (pspbtcnf_pops). I don't know for what it is for. maybe for popstation? :P
- pspbtcnf* files now have a hash attached to each file like this:

[danzel]

Good work :)

wlanfirm_magpie.prx hhhmmm....
Maybe a new revision psp will be coming with a different wifi chipset, I can't find anything about a magpie wifi chipset on google however.

[0okm0000]

[moonlight]

UPDATE: i've added 2.60-2.71 decryption to the psar dumper mod.

http://dax.lan.st/psardumpmod.rar

Now all firmwares decrypt.