Delurk...
I apologize if I am teaching my grandmother to suck eggs, but I have been reading these forums for some time now and I was thinking it might be good to link together two areas of attack.
People have been
1) analysing the traffic between two PSPs. Especially interesting is the discussion of the namco game download packets.
2) analysing the PBP file format.
Has anybody tried to see if there is some similarity between the data transferred for a downloaded game (such as what happens when you share a game in the namco museum) and the PBP file formats for what are presumably the executables in a firmware update? The fact that you apparently see a key exchange in the wireless transfer may be just a little bit of extra information in cracking this nut.
Sorry if this is a nonsense question, but you never know.
Ethereal and PBP file format
Well, more likely than not the PBP is read into main memory when running software from memory stick as well, so there is no reason to assume that the format is _not_ the same either. Capturing the transmission of a gameshare should be enough to figure out if they are the same format or not.
Flying at a high speed
Having the courage
Getting over crisis
I rescue the people
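The reply above suggests capturing a gameshare transmission and checking whether it carries the same format as a PBP. The following is an added example, not code from this thread or from any PSP project: a small Python parser for the PBP container header (magic "\0PBP", a 32-bit version, then eight little-endian 32-bit section offsets for PARAM.SFO, ICON0.PNG, ICON1.PMF, PIC0.PNG, PIC1.PNG, SND0.AT3, DATA.PSP and DATA.PSAR; that layout is from the published format, not from the posts) plus a scanner that walks a captured byte blob and reports only headers whose offsets are internally consistent, so a stray "\0PBP" string in unrelated traffic is not mistaken for a container. The capture bytes and section bodies are constructed fixtures, not real game data.

```python
import struct

PBP_MAGIC = b"\x00PBP"
# Section names in the order their offsets appear in the header.
PBP_SECTIONS = ["PARAM.SFO", "ICON0.PNG", "ICON1.PMF", "PIC0.PNG",
                "PIC1.PNG", "SND0.AT3", "DATA.PSP", "DATA.PSAR"]
HEADER_LEN = 4 + 4 + 8 * 4  # magic + version + eight offsets = 40 bytes


def parse_pbp_header(buf, base=0):
    """Parse a PBP header at buf[base:].

    Returns {"version": int, "sections": {name: (offset, length)}} when the
    header is plausible, or None when the magic is absent or the offsets are
    inconsistent. Offsets are relative to the start of the header, so the
    function works on a standalone file and on a header embedded in a capture.
    """
    if len(buf) - base < HEADER_LEN or buf[base:base + 4] != PBP_MAGIC:
        return None
    version, = struct.unpack_from("<I", buf, base + 4)
    offsets = list(struct.unpack_from("<8I", buf, base + 8))
    # The first section begins right after the 40-byte header and offsets
    # must never run backwards; anything else is noise, not a container.
    if offsets[0] != HEADER_LEN:
        return None
    if any(later < earlier for earlier, later in zip(offsets, offsets[1:])):
        return None
    total = len(buf) - base
    if offsets[-1] > total:
        return None  # header claims data beyond what we captured
    sections = {}
    # The last section runs to the end of the buffer, so when the header is
    # embedded in a larger stream that length is an upper bound only.
    for name, start, end in zip(PBP_SECTIONS, offsets, offsets[1:] + [total]):
        sections[name] = (start, end - start)
    return {"version": version, "sections": sections}


def find_pbp_headers(blob):
    """Return [(position, parsed_header)] for every plausible PBP header in blob."""
    hits = []
    pos = blob.find(PBP_MAGIC)
    while pos != -1:
        parsed = parse_pbp_header(blob, pos)
        if parsed is not None:
            hits.append((pos, parsed))
        pos = blob.find(PBP_MAGIC, pos + 1)
    return hits


def build_sample_pbp(sections):
    """Assemble a minimal PBP from eight section bodies (constructed fixture)."""
    if len(sections) != 8:
        raise ValueError("a PBP header carries exactly eight section offsets")
    offsets, cursor = [], HEADER_LEN
    for body in sections:
        offsets.append(cursor)
        cursor += len(body)
    header = PBP_MAGIC + struct.pack("<I", 0x00010000) + struct.pack("<8I", *offsets)
    return header + b"".join(sections)


# Constructed fixture: only PARAM.SFO, DATA.PSP and DATA.PSAR carry bytes.
SAMPLE_SECTIONS = [b"\x00PSF-param", b"", b"", b"", b"", b"",
                   b"~PSP placeholder body", b"PSAR placeholder body"]
SAMPLE_PBP = build_sample_pbp(SAMPLE_SECTIONS)

# Constructed "capture": a decoy magic string in unrelated bytes, a fake
# frame header, the sample container, then trailing bytes.
CAPTURE_PREFIX = b"\x00PBP is not a header here" + b"\x01\x02fake-frame-header"
CAPTURE_TRAILER = b"trailing-bytes"
SAMPLE_CAPTURE = CAPTURE_PREFIX + SAMPLE_PBP + CAPTURE_TRAILER


if __name__ == "__main__":
    for pos, hdr in find_pbp_headers(SAMPLE_CAPTURE):
        print("PBP header at offset %d, version 0x%08x" % (pos, hdr["version"]))
        for name, (off, length) in hdr["sections"].items():
            print("  %-10s offset=%5d length=%d" % (name, off, length))
```

Run the file directly to list the sections it finds in the constructed capture; to try it on a real dump, read the bytes and pass them to find_pbp_headers. The offset consistency checks are what make the scanner useful on noisy input: the decoy magic in the prefix is rejected because the bytes that follow it do not form a 40-byte header whose first offset is 40.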
Re: Ethereal and PBP file format
I was thinking about this the other day, people seemed to dismiss my idea pretty quick though, but these were my thoughts:
piercer wrote:
Has anybody tried to see if there is some similarity between the data transferred for a downloaded game (such as what happens when you share a game in the namco museum) and the PBP file formats for what are presumably the executables in a firmware update.
In the thread on the game sharing stuff it mentions two things, what we think is a key exchange and the transfer of the encrypted/compressed data. What if you were able to replace the executable code in the pbp file to get it to run (unless there is some other way of executing code I don't know?), which would leave the key somewhere. I had a quick look but there didn't seem to be any sort of similar data in the pbp to the key exchange.
This would be going on the assumption that it's not sending a pbp but some executable data (encrypted), much like one of the files inside the psp, the psar or the other one, forgot which one.
Maybe we are looking at this the wrong way? What if we tried to replicate the data sent and try to make a psp run a game through gamesharing. I guess that we'd still need to find the key and the psp name (we could just rename ours :P). Not quite homebrew development but will certainly prove useful?
P.S. Just trying to help out here.
Ioannis KarAvas
Perhaps the transferred game binary isn't encrypted?
Let's assume that the encrypted binaries that are coming from Sony via the network update and the executables on the UMDs are encrypted with Sony's carefully guarded private key, with the public key built into the flash ROM (which I'd guess is built into the system RAM to prevent bus-snooping to get said key). We've heard that in the dev process they work with unencrypted binaries on systems that can only run unencrypted binaries and the final product gets shipped to Sony for encryption and manufacturing.
Wouldn't that make developing network-sharable games somewhat difficult? Just guessing here, but considering the logistical difficulty in getting Sony to rebuild your game for you so that your game sends an encrypted binary, rather than the unencrypted one you developed with, perhaps network shared games aren't encrypted outside of the network connection itself. That would make the development process a real PITA and I wouldn't be surprised if the developers (with Sony's blessing or instruction) cut a corner there and just left the transferred binary unencrypted.
Of course, mounting a man-in-the-middle attack against two PSPs chatting it up will be a big challenge, but it might also be a way in.
Well, now you're assuming that the transferred game is somehow compiled into the main binary. If it's just a file on the UMD, the main application doesn't really have to care about the contents, and so there will be no difference in operation when you are using an unencrypted file during development, or an encrypted file during production. So no particular PITA, Sony just have to encrypt two of the files instead of one when they master the UMD in the final step.
Flying at a high speed
Having the courage
Getting over crisis
I rescue the people