Gaming PSP keys dumped -- ANYTHING can now be signed as

[Exaltys]

Will we be able to get PSP games and PSP DLC that are PSN only now?

 

[kiafazool]

I can not promise I will be correct but for a bit of elaboration.

kirk keys seems to be the name for the master keys for the psp, why they were on the PS3 I am not sure (everything I know about such crypto says you keep the master/private keys locked down tight not distributed to X million potentially hostile types)- it is not the same the PS3 stuff that allowed private keys to be derived but that the PSP keys were stored in full on the PSP (presumably for allowing the PS3 to act as a server for PSP code- why they did it that way I am not sure but it is not the first time something has fallen to such silliness (I recall an itunes hack along similar lines some years back)).

All of what follows pretty much comes from kizafool's post http://gbatemp.net/t272666-psp-keys-dumped...t&p=3371333

Want kirk keys?
1. Go to /dev_flash/pspemu/release/emulator_drm.sprx

/dev_flash/ is unix ish naming/filesystem talk- it means rock up to your PS3 onboard flash memory (dev stands for device- flash means flash).
There is a file system on there as there is with most larger memory spaces.
In the pspemu/release/emulator directory (maybe give or take some version numbers) there is a file called emulator_drm.sprx -prx is a plugin format (sprx is a minor tweak on it) and this is what houses the keys.
The sprx will be encrypted but we have decryption tools now available for various things PS3. There are also IDA modules for them to allow disassembly and presumably a measure of cleanup (IDA is very powerful).
You might be able to sidestep this step given current events and pull it from a PS3 firmware update (assuming it comes with firmware and is not a download).

"get spu_handler.isoself"
Not sure if this is an API or a module for the emulator_drm.sprx module. Simply put though it is likely the code bit of code that handles signing for the PSP stuff.
"decrypt it" seems to imply that it would not have been decrypted in your initial decrypting of the emulator_drm.sprx module. I believe there are SPU/SPE emulators and keys these days if nothing else.

grab keys
If they are not plain text (the starting values that were given being more than enough to tell) or embedded/referenced in an instruction/call now you have decrypted this spu_handler.isoself code you can probably poke a few things (feed a 00000...000h file or something to generate them if you have to- remember encryption is mathematics and signing long lengths of 00s and/or FF's- one or the other at least tends to spit out exact keys) to grab the keys.

Profit- you have the keys but

Keep in mind that keys are useless without their algorithms, so go reverse that (it's also in spu_handler.isoself)

Looking at the PS3 SELF stuff and assuming the ideas carry across if not the implementation- the header is encrypted which leads to another set of hashes which are signed and stuff like that each with different keys and initialisation vectors (which you now have). The trouble will be figuring out what order each key gets applied in and what sections it gets applied to (and if you are good at this what each section does). Fortunately the emulator_drm.sprx or indeed the spu_handler.isoself also handle this for the PS3 so by stepping through (or emulating) the program/calls you can figure out what order, locations and methods are used at each step and there is no end of sample code to test it out on.

By replicating these steps (presumably as a PC program but in a pinch you might be able to get the PS3 to do your dirty work by hacking the code to do it all) you get to sign code- in and of itself that might not be that useful right away as different formats available to a stock PSP for use and hardware level restrictions will likely crop up which you will need to sort- thinking that despite being readily able to write to PSP3000, unhackable 2000s and PSP GO flash memory you still have the various things to sort as per http://img371.imageshack.us/img371/6698/cpus.png (thanks to others in this post for reminding me of that picture). Nothing terribly difficult to sort given the existing amount of code that does it but not quite a magic bullet.


In conclusion- nothing terribly difficult, can probably be replicated by anyone with basic assembly level hacking skills (it is essentially a play by play) and a beer/nod in the direction of Mathieulh.

you spelled my name wrong
its kiafazool not kizafool

and i found the emulator_drm.sprx
but i dont know how to decrypt it

 

[ecko]

so...now psp 2000/3000 can have permanent cfw?

 

[bjorno]

you spelled my name wrong
its kiafazool not kizafool

and i found the emulator_drm.sprx
but i dont know how to decrypt it

Guys everyone needs to help Kiafazool, anyone know how to decrypt it? Post it

 

[FAST6191]

My sincere apologies kiafazool, I usually copy and paste but for some reason did not on this occasion.

 

[SifJar]

over at wololo's forums, there's a thread about it: http://wololo.net/talk/viewtopic.php?f=5&t=1381

FYI, the file in question can be obtained from the update file, freely downloadable from Sony's website. It is in PUP format, which can be unpacked with fail0verflow tools, or KaKaRoTo's tools or possibly a few other people's tools. Then just look in the extracted files and you should find it.

 

[bjorno]

We support you Kiafazool! Hope that this will turn out

~~~~ Kirk Keys Hype ON ~~~~

 

[kiafazool]

you spelled my name wrong
its kiafazool not kizafool

and i found the emulator_drm.sprx
but i dont know how to decrypt it

Guys everyone needs to help Kiafazool, anyone know how to decrypt it? Post it

i only found one .sprx decrypter but its works like a ps3 homebrew and i dont own a ps3 and i highly dought it will work

My sincere apologies kiafazool, I usually copy and paste but for some reason did not on this occasion.

no need for apologies


QUOTE(bjorno @ Jan 6 2011, 05:13 PM)

We support you Kiafazool! Hope that this will turn out

~~~~ Kirk Keys Hype ON ~~~~

thank you but its not hard to find
took me 5 mins

 

[djgarf]

With the dreamcast you could burn bootable CDs yourself from any PC, but I think that had less to do with keys and more to do with simply figuring out the proper GD filesystem.

it was actually simpler than that
when games were being developed for the dreamcast originally rather than burn gd-r disks for each test build sega added a piece of code to the bios that allowed normal cd media burnt in a specific way to boot
their downfall was forgetting to remove the cd booting code from the retail bios

 

[Rydian]

the reason the psp keys where in the PS3 is most likely for the psp minis which are programmed as PSP games, but simple enough for the PS3 to easily emulate.Minis are dual-architecture as far as I know. The emulation stuff comes into play when content is shared/streamed between the PS3/PSP.

So Mathieulh is saying that the kirk engine keys are the missing piece to good PSP emulators. I wonder why.PSP can't run encrypted games, you need to decrypt them, and in order to do that you need a PSP to decrypt them on.

QUOTE(ecko @ Jan 6 2011, 01:01 PM)

so...now psp 2000/3000 can have permanent cfw?

If somebody decides to sign an IPL for it, then yes.

 

[fgghjjkll]

the reason the psp keys where in the PS3 is most likely for the psp minis which are programmed as PSP games, but simple enough for the PS3 to easily emulate.Minis are dual-architecture as far as I know. The emulation stuff comes into play when content is shared/streamed between the PS3/PSP.

So Mathieulh is saying that the kirk engine keys are the missing piece to good PSP emulators. I wonder why.PSP can't run encrypted games, you need to decrypt them, and in order to do that you need a PSP to decrypt them on.

QUOTE(ecko @ Jan 6 2011, 01:01 PM)

so...now psp 2000/3000 can have permanent cfw?

If somebody decides to sign an IPL for it, then yes.

Question to Rydian:
Can the IPL keys be found with the kirk encryption keys?

 

[Rydian]

Iunno'.