how to generate "SIG check key" for v2 prx ?
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

How to generate the "SIG check key" for v2 PRX?

On PSP FW 2.xx
each PSP has a different PRX file (key).

Does anyone know
how to generate this key for v2 PRX?

ata.prx software dump from FW2.01 EBOOT.PBP

ata.prx hardware dump from PSP(2.01) NAND Flash

ata.prx hardware dump from PSP(1.51 -> 2.01) NAND Flash
Last edited by 0okm0000 on Mon Apr 24, 2006 1:38 am, edited 1 time in total.
PSP hardware hack
http://0okm.blogspot.com/
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

We don't know how to REGENERATE (Aka Encrypt) PRX files.

The "key" area you see at the start of the PRX is only part of a relatively complicated decryption process (it is merged in with several other "keys" stored in the PSP - and run through the decryption hardware)

See the PsarDumper (source code) for how to decode PRXs (up to version 2.5)
http://www.aibohack.com/psp

Probably insufficient to re-encrypt the files.
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

PspPet wrote:We don't know how to REGENERATE (Aka Encrypt) PRX files.

The "key" area you see at the start of the PRX is only part of a relatively complicated decryption process (it is merged in with several other "keys" stored in the PSP - and run through the decryption hardware)

See the PsarDumper (source code) for how to decode PRXs (up to version 2.5)
http://www.aibohack.com/psp

Probably insufficient to re-encrypt the files.
Thanks for your reply.
I don't want to REGENERATE PRX files;
I just want to replace [new ver PRX files] with [old ver PRX files].
This "key" was generated by the PSP when updating,
so is there a method to generate this "key"?
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

0okm0000 wrote:...
i just want to replace [new ver PRX files] with [old ver PRX files]
this "key" was generated by the PSP when updating
so is there a method to generate this "key"?
Is it impossible?

If I make a "hot-swap FW"
(one FW with encrypted PRX files, another with decrypted PRX files),
is it possible to use a decrypted PRX file?
jimparis
Posts: 1145
Joined: Fri Jun 10, 2005 4:21 am
Location: Boston

Post by jimparis »

0okm0000 wrote:this "key" was gen. by psp when update
so is there have method to gen. this "key"?
I don't know, but the 16-byte hashes stored in save games are also unique to each PSP, so maybe it is computed in a similar fashion. See the savedata/encrypt/hash.c example for how this is computed (the sceChnnlsv_* functions use the crypto hardware to do their work).
BiGbrother13
Posts: 2
Joined: Thu Apr 06, 2006 11:11 am

Post by BiGbrother13 »

2 ALL:
Can someone disassemble the decrypted 2.50 updater to check whether it signs files from the PSAR before putting them to flash0/flash1?
If so, how exactly does it happen?

2 0okm0000:
It's not possible to use decrypted unmodified PRX files, and only $ony has the way to encrypt them.
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am

Post by PspPet »

> i just want to replace [new ver PRX files] with [old ver PRX files]
In general it won't work.
Short answer: the older boot loader can't load the newer 2.x modules (system or game), the newer boot loader won't load old 1.x system modules.
----
The newer system firmware will load old and new PRXs. That's necessary so a 2.0+ firmware PSP can run old 1.0 style games.

You'd think it would be possible to start with a newer (2.x) firmware and stick in a few older PRXs (perhaps from 1.0 or 1.50) if you could find a working combination.

The Sony engineers thought of that case, and disabled it!!!
Believe it or not, during the PRX decryption logic, it checks the PRX it is decrypting against a list of blocked PRXes and won't load them.
The blocked PRX list includes most of the system components from earlier releases (almost everything from 1.0, 1.50, 1.51). I'm not sure if they are constantly updating it (i.e. to prevent 2.50 components loading under 2.60).
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

PspPet wrote:> i just want to replace [new ver PRX files] with [old ver PRX files]
In general it won't work.
Short answer: the older boot loader can't load the newer 2.x modules (system or game), the newer boot loader won't load old 1.x system modules.
----
The newer system firmware will load old and new PRXs. That's necessary so a 2.0+ firmware PSP can run old 1.0 style games.

You'd think it would be possible to start with a newer (2.x) firmware and stick in a few older PRXs (perhaps from 1.0 or 1.50) if you could find a working combination.

The Sony engineers thought of that case, and disabled it!!!
Believe it or not, during the PRX decryption logic, it checks the PRX it is decrypting against a list of blocked PRXes and won't load them.
The blocked PRX list includes most of the system components from earlier releases (almost everything from 1.0, 1.50, 1.51). I'm not sure if they are constantly updating it (i.e. to prevent 2.50 components loading under 2.60).
Thank you for your reply.
I will try to find another way to make my "PSP FW 2.50 w/ ex. FW 1.50".
florinsasu
Posts: 47
Joined: Wed Dec 15, 2004 4:23 am

Post by florinsasu »

PspPet wrote:We don't know how to REGENERATE (Aka Encrypt) PRX files.

The "key" area you see at the start of the PRX is only part of a relatively complicated decryption process (it is merged in with several other "keys" stored in the PSP - and run through the decryption hardware)
There are some parts of the header that can be edited. The following code is redoing the SHA-1 hash. During the decryption process that PspPet is talking about, the keys are transformed by hardware to what you'll see below in the code. With these new keys, you can edit the header of the PRX file and redo the hash. Specifically, you can edit the first 0x80 bytes in the file and from 0xE8 to 0x110.
also check http://ps2dev.ps2-scene.org/pspformat.txt

Code: Select all

#include <stdio.h>
#include <string.h>
#include "sha1.h"   /* sha1_context / sha1_starts / sha1_update / sha1_finish */

/* Keys as they come out of the hardware transform; the 32-bit type word
   at file offset 0xD0 selects which one is spliced into the hashed header. */
unsigned char
key0[20] = {0xBE, 0xF3, 0x21, 0x7B, 0x1D, 0x5E, 0x9C, 0x29, 0x71, 0x5E, 0x9C, 0x1C, 0x45, 0x46, 0xCB, 0x96, 0xE0, 0x1B, 0x9B, 0x3C},
key1[20] = {0x7A, 0x51, 0x59, 0xBA, 0xC5, 0xFB, 0xA5, 0x52, 0x2E, 0x14, 0x84, 0x82, 0xF9, 0x9D, 0x01, 0xB1, 0xE2, 0x23, 0x7C, 0x87},
key2[20] = {0x32, 0xA9, 0xFD, 0xCC, 0x76, 0x6F, 0xC0, 0x51, 0xCF, 0xCC, 0x6D, 0x04, 0x1E, 0x82, 0xE1, 0x49, 0x4C, 0x02, 0x3B, 0x7D},
key3[20] = {0xCA, 0xF5, 0xC8, 0xA6, 0x80, 0xC0, 0x67, 0x6D, 0x3A, 0x4D, 0x4F, 0x92, 0x6A, 0xA0, 0x7C, 0x04, 0x97, 0x02, 0x64, 0x08};

int main(int argc, char* argv[]){
	FILE *f;
	static unsigned char buf[10*1024*1024], header[0x150]; /* only 0x14C bytes are hashed */
	sha1_context cnx;
	size_t size;

	if (argc < 2){
		printf("Usage: fixprxhdr.exe <file.prx>\n");
		return 1;
	}

	f = fopen(argv[1], "rb");
	if (f == NULL){
		printf("Could not open file '%s'\n", argv[1]);
		return 2;
	}

	size = fread(buf, 1, sizeof(buf), f);
	fclose(f);
	if (size < 0x150){
		printf("File '%s' is too small\n", argv[1]);
		return 3;
	}

	/* Rearrange the first 0x150 bytes of the file into the order that is hashed:
	   [0xD0..0x150) then [0x80..0xD0) then [0x00..0x80). */
	memcpy(header+0x00, buf+0xD0, 0x80);
	memcpy(header+0x80, buf+0x80, 0x50);
	memcpy(header+0xD0, buf+0x00, 0x80);
	/* header+0x04 is the old hash slot (file offset 0xD4); replace it with the key. */
	switch(*(int*)header){
	case 0:
		memcpy(header+0x04, key0, 0x14);break;
	case 1:
		memcpy(header+0x04, key1, 0x14);break;
	case 2:
		memcpy(header+0x04, key2, 0x14);break;
	case 3:
		memcpy(header+0x04, key3, 0x14);break;
	default:
		printf("Unsupported version of the file: +0xD0: 0x%08X\n", *(int*)header);
		return 4;
	}

	/* SHA-1 over the 0x14C bytes after the type word; the digest goes back into the file at 0xD4. */
	sha1_starts(&cnx);
	sha1_update(&cnx, header+0x04, 0x14C);
	sha1_finish(&cnx, buf+0xD4);

	f = fopen(argv[1], "wb");
	if (f == NULL){
		printf("Could not write file '%s'\n", argv[1]);
		return 5;
	}
	fwrite(buf, 1, size, f);
	fclose(f);

	printf("PRX updated successfully\n");

	return 0;
}
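As an added example (not florinsasu's code), the same header-hash scheme ported to Python: it rebuilds the hashed header exactly as fixprxhdr does, and adds a verify step so a header that was edited without being re-hashed is detected rather than silently written back. The four keys are the ones posted above; the sample input is constructed here and is not a real PRX.

```python
"""PSP 2.x PRX header hash: recompute and verify (port of the scheme in the post)."""
import hashlib
import struct

HEADER_LEN = 0x150             # bytes of the file that take part in the hash
HASH_SLOT = slice(0xD4, 0xE8)  # 20-byte "SIG check key" area that receives the SHA-1

# Hardware-transformed keys as posted (key0..key3), chosen by the u32 at offset 0xD0.
KEYS = [
    bytes.fromhex("BEF3217B1D5E9C29715E9C1C4546CB96E01B9B3C"),
    bytes.fromhex("7A5159BAC5FBA5522E148482F99D01B1E2237C87"),
    bytes.fromhex("32A9FDCC766FC051CFCC6D041E82E1494C023B7D"),
    bytes.fromhex("CAF5C8A680C0676D3A4D4F926AA07C0497026408"),
]


def hash_input(prx: bytes) -> bytes:
    """Rearrange the header the way fixprxhdr does and splice in the key.

    header = file[0xD0:0x150] + file[0x80:0xD0] + file[0x00:0x80]; the 20 bytes
    at header+4 (the old hash slot) are replaced by the selected key, and the
    0x14C bytes from header+4 onward are what gets hashed.
    """
    if len(prx) < HEADER_LEN:
        raise ValueError("file too small to hold a PRX header")
    header = bytearray(prx[0xD0:0x150] + prx[0x80:0xD0] + prx[0x00:0x80])
    (key_type,) = struct.unpack_from("<I", header, 0)
    if key_type >= len(KEYS):
        raise ValueError(f"unsupported key type 0x{key_type:08X} at +0xD0")
    header[0x04:0x18] = KEYS[key_type]
    return bytes(header[0x04:0x150])


def header_hash(prx: bytes) -> bytes:
    return hashlib.sha1(hash_input(prx)).digest()


def verify_header(prx: bytes) -> bool:
    """Integrity check: does the stored value at 0xD4 match the recomputed hash?"""
    return header_hash(prx) == prx[HASH_SLOT]


def rehash(prx: bytes) -> bytes:
    """Return a copy with the hash slot rewritten (what fixprxhdr writes back)."""
    out = bytearray(prx)
    out[HASH_SLOT] = header_hash(prx)
    return bytes(out)


def sample_prx(key_type: int = 2) -> bytes:
    """Constructed stand-in for a PRX (not a real module): deterministic filler,
    key type word at 0xD0, hash slot zeroed."""
    data = bytearray((i * 7 + 3) & 0xFF for i in range(0x200))
    struct.pack_into("<I", data, 0xD0, key_type)
    data[HASH_SLOT] = bytes(20)
    return bytes(data)


if __name__ == "__main__":
    prx = sample_prx()
    print("before rehash:", verify_header(prx))    # False: slot is still zeroed
    fixed = rehash(prx)
    print("after rehash: ", verify_header(fixed))  # True
    print("hash:", fixed[HASH_SLOT].hex())
```

Because the hash slot itself is replaced by the key before hashing, the digest does not depend on what was previously stored there; any byte in the two editable regions does change it.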
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

florinsasu wrote: There are some parts of the header that can be edited. The following code is redoing the SHA-1 hash. During the decryption process that PspPet is talking about, the keys are transformed by hardware to what you'll see below in the code. With these new keys, you can edit the header of the PRX file and redo the hash. Specifically, you can edit the first 0x80 bytes in the file and from 0xE8 to 0x110.
also check http://ps2dev.ps2-scene.org/pspformat.txt
...
Thank you for your code and information.
I will try it ^o^
johnmph
Posts: 119
Joined: Sat Jul 23, 2005 11:48 pm

Post by johnmph »

I did some reverse engineering of the sceChkuppkg module (in the 2.70 data.psp update).

It's not finished, but you can see that this module reads data in idstorage (http://forums.ps2dev.org/viewtopic.php?t=5512) and uses a semaphore function (the same one PspPet uses in PsarDumper) to modify a buffer:

Code: Select all


typedef unsigned char u8;
typedef unsigned int u32;

// Reverse-engineered pseudocode, not compilable as-is: the bare numbers used as
// buffers (0xA30, 0xC30, 0x20) are module-relative addresses from the disassembly.

u32 sceChkuppkgUnknow_offset0x19C (u32 *a0, u32 a1, u32 a2)  // demangle ?
{
 a0[0] = 5;
 a0[1] = 0;
 a0[2] = 0;
 a0[3] = a2;
 a0[4] = a1;

 a1 += 20;

 return (semaphore_4C537C72(a0,a1,a0,a1,7)) ? -1 : 0;
}

u32 sceChkuppkgUnknow_offset0x250 (u8 *unk)
{
 u8 *p1, *p2;
 u32 v0;
 int x;
 u8 sp[4];   // 4 bytes kept on the stack

 p1 = unk;
 p2 = sp;

 // Copy 4 bytes ?
 for (x=0;x<4;x++) p2[x] = p1[x + 4];

 if (sp[0] == 0x1) return 0x1;

 // Read key 0x141 (full 512 bytes) in a buffer (0xA30)
 if (sceIdStorageReadLeaf(0x141,0xA30) < 0) return 0x80000025;

 p1 = unk[0x24];

 // Copy 160 bytes ? (byte copy)
 for (x=0;x<160;x++) p1[x] = 0xA30[x];

 // Demangle ?
 v0 = sceChkuppkgUnknow_offset0x19C(0xC30,160,8);
 if (v0 < 0) return v0;

 0x20[0] = unk;

 // Copy 160 bytes ?
 for (x=0;x<160;x++) 0xA30[x] = unk[x];

 // Do something with idstorage data ? (opcode = 3)
 if (semaphore_4C537C72(0xA30,512,0xA30,512,3)) return 0x80000108;

 return ((sp[0] ^ 0xA30[0]) < 1) ? 1 : 0;
}

dot_blank
Posts: 498
Joined: Wed Sep 28, 2005 8:47 am
Location: Brasil

Post by dot_blank »

:D
10011011 00101010 11010111 10001001 10111010
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

johnmph wrote:I made some reverse engineering with sceChkuppkg module (in 2.70 data.psp update).

It's not finished but you can see that this module reads data in idstorage (http://forums.ps2dev.org/viewtopic.php?t=5512) and uses semaphore function (same that psppet uses in psardumper) to modify a buffer :

Code: Select all

...
 // Read key 0x141 (full 512 bytes) in a buffer (0xA30)
 if (sceIdStorageReadLeaf(0x141,0xA30) < 0) return 0x80000025;
...
I can't find key 0x141 on any of my PSPs.
Am I looking in the wrong place?

Code: Select all

0000D8000 - 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 -  .!.".#.$.%.&.'.
0000D8010 - 28 01 29 01 2A 01 2B 01 2C 01 2D 01 2E 01 2F 01 - (.).*.+.,.-.../.
0000D8020 - 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 - 0.1.2.3.4.5.6.7.
0000D8030 - 38 01 39 01 3A 01 3B 01 3C 01 3D 01 3E 01 3F 01 - 8.9.:.;.<.=.>.?.
0000D8040 - 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 - ................
0000D8050 - 18 00 19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00 - ................
0000D8060 - 20 00 21 00 22 00 23 00 24 00 25 00 26 00 27 00 -  .!.".#.$.%.&.'.
0000D8070 - 28 00 29 00 2A 00 2B 00 2C 00 2D 00 2E 00 2F 00 - (.).*.+.,.-.../.
0000D8080 - 40 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF - @...............
0000D8090 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80A0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80B0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80C0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80D0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80E0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80F0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D8100 - 00 01 01 01 02 01 03 01 04 01 05 01 06 01 07 01 - ................
0000D8110 - 08 01 09 01 0A 01 0B 01 0C 01 0D 01 0E 01 0F 01 - ................
0000D8120 - 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 - ................
0000D8130 - 18 01 19 01 1A 01 1B 01 1C 01 1D 01 1E 01 1F 01 - ................
0000D8140 - 0F 00 50 00 45 00 46 00 47 00 04 00 05 00 06 00 - ..P.E.F.G.......
0000D8150 - 41 00 42 00 43 00 44 00 40 00 30 00 31 00 32 00 - A.B.C.D.@.0.1.2.
0000D8160 - 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00 - 3.4.5.6.7.8.9.:.
0000D8170 - 3B 00 3C 00 3D 00 3E 00 3F 00 FF FF FF FF FF FF - ;.<.=.>.?.......
0000D8180 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D8190 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81A0 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81B0 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81C0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81D0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81E0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81F0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
johnmph
Posts: 119
Joined: Sat Jul 23, 2005 11:48 pm

Post by johnmph »

0okm0000 wrote: I can't find key 0x141 on any of my PSPs.
Am I looking in the wrong place?
I have this with sceIdStorageReadLeaf(0x141,buffer):

Code: Select all


00000000h: 30 A8 2E 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; 0¨.ˆÙÒ.ÓXa"ˆ....
00000010h: A0 65 00 88 00 00 00 00 00 00 00 00 00 00 00 00 ;  e.ˆ............
00000020h: 30 74 00 88 D0 1F 01 88 00 00 00 00 00 00 00 00 ; 0t.ˆÐ..ˆ........
00000030h: 58 61 22 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; Xa"ˆÙÒ.ÓXa"ˆ....
00000040h: A4 7D 00 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; ¤}.ˆÙÒ.ÓXa"ˆ....
00000050h: 30 A8 2E 88 C4 65 00 88 00 00 00 00 00 00 00 00 ; 0¨.ˆÄe.ˆ........
00000060h: 90 7D 00 88 70 1F 01 88 00 00 00 00 00 00 00 00 ; �}.ˆp..ˆ........
00000070h: 58 61 22 88 58 61 22 88 00 00 00 00 00 00 00 00 ; Xa"ˆXa"ˆ........
00000080h: E8 41 00 88 58 61 22 88 00 00 00 00 00 00 00 00 ; èA.ˆXa"ˆ........
00000090h: D9 D2 10 D3 68 64 00 88 00 00 00 00 00 00 00 00 ; ÙÒ.Óhd.ˆ........
000000a0h: D4 41 00 88 C8 1C 01 88 0C 00 00 00 00 00 00 00 ; ÔA.ˆÈ..ˆ........
000000b0h: 58 61 22 88 C8 1C 01 88 57 2B 4C 04 88 69 00 88 ; Xa"ˆÈ..ˆW+L.ˆi.ˆ
000000c0h: 58 61 22 88 C8 1C 01 88 00 00 00 00 98 FC 00 88 ; Xa"ˆÈ..ˆ....˜ü.ˆ
000000d0h: 00 2B 4C 04 00 00 10 D3 0A 00 00 00 07 00 00 00 ; .+L....Ó........
000000e0h: 00 00 00 00 00 52 6F 01 24 1A 01 88 00 00 00 00 ; .....Ro.$..ˆ....
000000f0h: 00 AE 90 08 00 52 6F 01 24 1A 01 88 A4 1E 00 88 ; .®�..Ro.$..ˆ¤..ˆ
00000100h: 58 61 22 88 00 00 00 00 00 00 00 00 00 00 00 00 ; Xa"ˆ............
00000110h: 00 00 03 00 02 00 00 00 00 00 00 00 00 52 6F 01 ; .............Ro.
00000120h: 00 00 00 00 30 00 00 00 00 00 00 00 FF FF FF FF ; ....0.......ÿÿÿÿ
00000130h: 57 2B 4C 04 01 00 00 00 00 00 03 00 04 3C 00 88 ; W+L..........<.ˆ
00000140h: 58 61 22 88 00 00 80 08 00 00 80 01 0F 00 00 00 ; Xa"ˆ..€...€.....
00000150h: 00 00 91 08 00 52 6F 01 30 00 00 00 E0 A9 2E 88 ; ..‘..Ro.0...à©.ˆ
00000160h: 84 1F 02 88 84 1F 02 88 30 00 00 00 84 1F 02 88 ; „..ˆ„..ˆ0...„..ˆ
00000170h: 03 86 00 20 DC 38 90 88 F8 A8 2E 88 DC 38 90 88 ; .†. Ü8�ˆø¨.ˆÜ8�ˆ
00000180h: 00 00 00 00 00 0E 00 00 00 00 91 08 00 00 00 00 ; ..........‘.....
00000190h: 00 00 91 08 50 8B 90 08 50 8B 90 08 28 48 90 88 ; ..‘.P‹�.P‹�.(H�ˆ
000001a0h: A0 91 90 08 20 00 00 00 1C 3E 90 88 00 00 00 00 ;  ‘�. ....>�ˆ....
000001b0h: 48 AE 90 08 00 00 00 00 A0 91 90 08 00 00 00 00 ; H®�..... ‘�.....
000001c0h: B4 7E 90 08 50 8B 90 08 0E 00 00 00 E0 A9 2E 88 ; ´~�.P‹�.....à©.ˆ
000001d0h: 1D 00 00 00 13 00 00 00 EF BE AD DE EF BE AD DE ; ........ï¾­Þï¾­Þ
000001e0h: E0 A9 2E 88 40 49 90 88 02 00 00 00 00 00 91 08 ; à©.ˆ@I�ˆ......‘.
000001f0h: 1D 00 00 00 74 A9 2E 88 01 00 00 00 E0 A9 2E 88 ; ....t©.ˆ....à©.ˆ

Keys 0x100 and 0x120 are also read with sceIdStorageLookup (with offset = 0x38 and size = 0xb8)
ryoko_no_usagi
Posts: 65
Joined: Tue Nov 29, 2005 4:47 pm

Post by ryoko_no_usagi »

0x141 doesn't exist in my 1.5 either. Did you upgrade?
johnmph
Posts: 119
Joined: Sat Jul 23, 2005 11:48 pm

Post by johnmph »

0okm0000 wrote: I can't find key 0x141 on any of my PSPs.
Am I looking in the wrong place?
ryoko_no_usagi wrote:0x141 doesn't exist in my 1.5 either. Did you upgrade?
You are right, this key doesn't exist.

It's because I had not looked at the return value of sceIdStorageReadLeaf and the buffer was not initialized to 0; that is why I believed this key existed.

But this key must exist in 2.70 (and below ?) firmware because sceChkuppkg (in 2.70 update) reads it.
dot_blank
Posts: 498
Joined: Wed Sep 28, 2005 8:47 am
Location: Brasil

Post by dot_blank »

key 0x141 does not exist on 1.5
just to make sure for others ;P

but it seems to come into play with version
2.01 and up ...but what is this key used for?

keep up the great job people :)
johnmph
Posts: 119
Joined: Sat Jul 23, 2005 11:48 pm

Post by johnmph »

This is the code which manipulates the 0x100 and 0x120 keys (key 0x120 is used if key 0x100 doesn't exist):

Code: Select all


typedef unsigned char u8;
typedef unsigned int u32;

u32 sceChkuppkg_offset0x374 (void)
{
 u32 *v0;
 u8 *buffer = 0x0; // Change with relocation

 // Key 0x120 is the fallback when key 0x100 is absent
 if (sceIdStorageLookup(0x100,0x38,buffer,0xB8) < 0)
 {
  if (sceIdStorageLookup(0x120,0x38,buffer,0xB8) < 0) return 0x80000025;
 }

 // Set a flag ?
 v0 = 0; // Change with relocation
 v0[48 / 4] = 1;

 return 0;
}


u32 sceChkuppkg_offset0x3f0 (void)
{
 u8 *buffer = 0x0; // Change with relocation (same buffer as in sceChkuppkg_offset0x374)

 if (semaphore_4C537C72(0,0,buffer,0xB8,18)) return 0x80000108;

 return 0;
}


u32 sceChkuppkg_offset0x42c (u8 *unk)
{
 u32 *v0;
 u32 ret;
 u8 *buffer = 0x0; // Change with relocation

 v0 = 0x0; // Change with relocation

 // Verify flag ?
 if (!(v0[48 / 4]))
 {
  // Read data in idstorage
  ret = sceChkuppkg_offset0x374();
  if (ret) return ret;
 }

 // Set hardware decrypt buffers with idstorage data ?
 ret = sceChkuppkg_offset0x3f0();
 if (ret) return ret;

 // ? (byte-swapped copy of buffer[0x72..0x78] into unk[0..7])
 unk[0x0] = buffer[0x73];
 unk[0x1] = buffer[0x72];
 unk[0x2] = buffer[0x75];
 unk[0x3] = buffer[0x74];
 unk[0x4] = buffer[0x77];
 unk[0x5] = buffer[0x76];
 unk[0x6] = buffer[0x78] >> 0x2;
 unk[0x7] = 0;

 return ret;
}

0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

Code: Select all

IdStorage key 0x100-0x106 : [?]

00C0000 - xx...xx
00C0038 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0048 - xx...xx
00C0098 - 40 04 C8 0B D9 C8 BA 38 - 22 10 65 92 3E 32 4B 5F
00C00A8 - 0E C1 65 ED 6C FF 7D 9F - 2C 42 0B 84 DF DA 6E 96
00C00B8 - C0 AE E2 99 27 BC AF 1E
00C00C0 - xx...xx
00C00F0 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0100 - xx...xx
00C0150 - 06 48 5F D0 29 85 3B 55 - 2F 7E FD D6 7A 2D E7 A1
00C0160 - A4 E2 55 37 B2 45 9D 87 - 86 42 6D 5B 27 EF A5 A9
00C0170 - 31 1C B8 AB AB FA 0E CE
00C0178 - xx...xx
00C01A8 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C01B8 - xx...xx
00C0208 - 3F 8C 34 F2 10 AE C4 8E - 15 20 FF 2A 44 89 9E 05
00C0218 - 4A 0D A3 3D F8 B9 75 4B - 09 C0 EC 7E 61 86 7A 51
00C0228 - 26 FE 69 26 97 21 96 F5
00C0230 - xx...xx
00C0260 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0270 - xx...xx
00C02C0 - CC B3 44 0D C4 83 6D D5 - 19 E1 3B 28 05 B3 08 70
00C02D0 - DC AE E4 62 13 6B 38 88 - 65 1A 98 E0 2B 29 FA 0C
00C02E0 - D3 4F 16 16 F1 ED 57 86
00C02E8 - xx...xx
00C0318 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0328 - xx...xx
00C0378 - 08 B3 36 92 5C 2B 44 5D - 03 A9 BE 51 B9 AA BF 54
00C0388 - E4 CC 14 2E A7 2A 23 BB - 80 60 B0 3B 71 CD E0 77
00C0398 - 2D E8 2A D8 93 16 48 D6
00C03A0 - xx...xx
00C0430 - 4F 0A 2B C9 98 76 40 86 - 0E 22 EE 5D 86 08 7C 96
00C0440 - 92 47 0B DF 59 DC 4C 1F - 2E 38 F9 2C E7 B6 68 75
00C0450 - B5 9E D1 0C 9D 84 FA 6A
00C0458 - xx...xx
00C04B0 - FF FF FF FF 01 00 00 80 - 00 00 00 00 00 00 00 80
00C04C0 - 0F 00 00 00 00 00 00 80 - 10 00 00 00 00 00 00 80
00C04D0 - 1F 00 00 00 00 00 00 80 - 20 00 00 00 00 00 00 80
00C04E0 - 2F 00 00 00 00 00 00 80 - 30 00 00 00 00 00 00 80
00C04F0 - 3F 00 00 00 00 00 00 80 - 40 00 00 00 00 00 00 80
00C0500 - 4F 00 00 00 00 00 00 80 - 0F 00 00 10 00 00 00 80
00C0510 - 1F 00 00 10 00 00 00 80 - 2F 00 00 10 00 00 00 80
00C0520 - 3F 00 00 10 00 00 00 80 - 4F 00 00 10 00 00 00 80
00C0530 - 0F 00 00 20 00 00 00 80 - 01 00 00 00 00 00 00 00
00C0540 - 02 00 00 00 00 00 00 00 - 04 00 00 00 00 00 00 00
00C0550 - 08 00 00 00 00 00 00 00 - 10 00 00 00 00 00 00 00
00C0560 - 20 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00C0570 - 80 00 00 00 00 00 00 00 - 01 01 00 00 00 00 00 00
00C0580 - 02 02 00 00 00 00 00 00 - 04 04 00 00 00 00 00 00
00C0590 - 08 08 00 00 00 00 00 00 - 10 10 00 00 00 00 00 00
00C05A0 - 20 20 00 00 00 00 00 00 - 40 40 00 00 00 00 00 00
00C05B0 - 81 80 00 00 00 00 00 00 - 03 01 01 00 00 00 00 00
00C05C0 - 06 02 02 00 00 00 00 00 - 0C 04 04 00 00 00 00 00
00C05D0 - 18 08 08 00 00 00 00 00 - 30 10 10 00 00 00 00 00
00C05E0 - 60 20 20 00 00 00 00 00 - C0 40 40 00 00 00 00 00
00C05F0 - 80 81 80 00 00 00 00 00 - 00 03 01 01 00 00 00 00
00C0600 - 00 06 02 02 00 00 00 00 - 01 0C 04 04 00 00 00 00
00C0610 - 02 18 08 08 00 00 00 00 - 04 30 10 10 00 00 00 00
00C0620 - 08 60 20 20 00 00 00 00 - 10 C0 40 40 00 00 00 00
00C0630 - 20 80 81 80 00 00 00 00 - 41 00 03 01 01 00 00 00
00C0640 - 82 00 06 02 02 00 00 00 - 04 01 0C 04 04 00 00 00
00C0650 - 08 02 18 08 08 00 00 00 - 10 04 30 10 10 00 00 00
00C0660 - 20 08 60 20 20 00 00 00 - 40 10 C0 40 40 00 00 00
00C0670 - 80 20 80 81 80 00 00 00 - 00 41 00 03 01 01 00 00
00C0680 - xx...xx
00C0C40 - 00...00

IdStorage key 0x120-0x126 : [?] (SAME AS key 0x100-0x106)
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

Why are the first 8 bytes of the "SIG check key" on 2.60 & 2.70 the same?
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

0okm0000 wrote:
Why are the first 8 bytes of the "SIG check key" on 2.60 & 2.70 the same?
Maybe it's an identifier of the same encryption? (Just guessing, I don't know.)
Have you seen if the same happens between 2.00/2.01/2.50 or 1.0/1.50/1.51/1.52?

EDIT: OK, I have seen your first post, and it doesn't happen between those two 2.01 :S At least, not in the same location...