yep, i agree. i came from msdn where they freely share code. they always tell us not to reinvent the wheel. i wonder what's this psp devs stealing the work of this psp devs dramas of the past then.:huh: oh well better not mess with something i know little about then :whistle: ;)

also judging from your sig, you've stolen more than Datel ever will. :p
 
Far from lame. They are using information and tools open to the public, they aren't stealing anything. Same with Pandora, the information was there, the sdk was there, they just choose not to acknowledge the original developers which (IMO) is pretty wrong, but definitely not stealing anything.

I don't understand why a lot of the psp scene seem to think that they are owed in some way or another. They don't need to pay you back in *ANY* way, plus what have you done to deserve to be paid back?

It's not shameless, stop trying to justify in any way that datel owe you. They didn't steal anything, they used OPEN SOURCE and PUBLIC DOMAIN information. It's not like the other dramas where private code has been stolen and leaked.

Also, their cryptographic engineers are probably better trained than a lot of the people in the homebrew scene seeing they managed to re-engineer the crypto in the kirk.

Please stop trying to justify that anyone owes you and don't state things have been stolen when you're clearly not a developer that has been affected. Also, FYI, BenHur was credited for IntraFont within the Datel AR.

Thanks for explaining. They have been kudos by SilverSpring (who is very credible in my eyes) which means they did something great. If SilverSpring said so, then i believe him ;). Just kidding around i guess. Ya they don't owe me anything since I'm not part whatsoever with the psp scene. <However, i got this wishful thinking though that i was a part of the psp scene during Nem's or Fanjita's era :D not this era ;)> I was telling that they owe the psp scene even at least a thanks. I didn't use the "we at the psp scene" but "the psp scene" and the "our homebrews" may mean i got or will have homebrews that need to be signed and does not necessarily mean I'm part of the scene. But then again I'm not serious about that either. My sincerest apologies for my earlier statements and will be careful later with kidding around (use of emoticons like :p or :D or ;) means my statements are not serious) since other people might take it seriously (sometimes too seriously). and I owe you a lot for that ChickHEN of yours. A million thanks for that:love:

@Kezra. Don't take my sig seriously. It was just making fun of the dramas (not referring to persons but the dramas itself) back then. Anyway, i can't do anything if you take it seriously ;).
 
Yeah, I agree, they should have at least acknowledged the developers. Don't take my previous post as serious as it looks, I'm just really sick of people shunning developers down.
 
I understand. Maybe I was also guilty of "shunning developers down" and will be careful in the future not to do so. But then, "criticizing" others' work will make them strive to further improve their programs. Ya, it should be feedback not criticism or putting them down. There are also a lot of people who are very grateful of developers like you including me though we are not that too vocal about it - "Praise them too much and their heads will swell".

I still dream of an open source psp scene so "nobody will steal from anybody" (and learning psp programming will be a lot easier for lazy programmers who learn by example:blushing::D, we are still learning, though lazily:huh::blushing:;):D). I've seen m0skit0 doing that and ya there are lots of good tutorials/sample code out there and more won't hurt.

"Mom where's my MIPS and C++ Reference books, I need to understand what m0skit0 is teaching me through his code samples";) "Use google instead son, that's a lot better":sneaky2::D.
 
I acknowledge Datel's contributions and think they do great work but IMO they are arrogant. When releasing the "TOOL" battery they acted as if it was a breakthrough made solely by them. Not giving proper credits is a big deal to me and it is why I will never purchase one of their products, just out of principle.
 
So they figured out:
1. The modified AES algorithm for encryption.

2. Dumped the decryption key from KIRK and used the same key for encryption since I'm guessing it's symmetric (which we were blindly using for decrypting modules with KIRK commands). Or maybe performed some kind of known plaintext attack since we can already decrypt modules without the key.

3. Dumped the HMAC secret (or maybe it was leaked) for hashing.

Right?
 
Anyone wondering, you can unpack-pbp the files, rename DATA.PSP to EBOOT.BIN, use Yoshihiro's tool to decrypt the EBOOT.BIN, grab the new EBOOT.BIN and replace the old one, then run

Code:
pack-pbp EBOOT.PBP PARAM.SFO ICON0.PNG NULL PIC0.PNG PIC1.PNG NULL EBOOT.BIN NULL

and it'll work on M33, assuming it didn't before. If that's the case, it's decrypted regardless and if you know what you're doing, search for ~PSP in the binary and there's two modules, scotty (22930 bytes) and uhura (2066 bytes). Both of them seem to be loaded kernel.
 
I disassembled it and saw scotty and uhura and wondered where I had read that. Then I realized I had 23 MB of asm source and I don't know anything about asm.
 
You don't expect them to figure out the encryption mechanism of the PSP and be dumb enough to not put some kind of security on the EBOOT, do you?

I'm convinced the eboot will run in "Demo" mode on a psp for which it hasn't been "validated".
The licence key probably only works for one PSP too. People who bought it could maybe confirm that.

Bottom line: download the demo, it'll probably work the same for you.

@wololo~excuse me, i didn't realize there was a demo until I saw your video proof. The demo can be easily decrypted...I'm just now trying to figure out how it is signed...
 
It's signed like any other eboot.

The codes are what you want to look at.

On another note, it seems both Scotty and Uhura are loaded into kernel memory, and Uhura is some sort of decryption or verification module

Code:
int Uhura_00(int unk0)
{
    int val0 = 0x43EFFF70;
    int val1 = unkn0&0xFFFC;
    val1 += val0;
    if(val0 > 4)
    {
        return 0x12345678;
    }
    return val;
}

int Uhura_01(int unk0)
{
    int val0 = 0x43EFFF70;
    int val1 = unkn0&0xFFFC;
    val1 += val0;
    if(val0 > 4)
    {
        return 0x12345678;
    }
    return val;
}
 
return val?
 
My bad. I was in a hurry.

Code:
int Uhura_00(int unkn0)
{
    int val0 = 0x43EFFF70;
    int val1 = unkn0&0xFFFFFFFC;
    val0 += val1;
    if(val0 > 4)
    {
        return 0x12345678;
    }
    return val1;
}

int Uhura_01(int unkn0)
{
    int val0 = 0x43EFFF70;
    int val1 = unkn0&0xFFFFFFFC;
    val0 += val1;
    if(val0 > 4)
    {
        return 0x12345678;
    }
    return val1;
}
 
@NoEffex > please could you explain us why both function are same ?
and why val0 is a const ? in this case the if(val0 > 4) become useless ...

I can't speak for what's going on here, but I can tell you right now that val0 isn't a constant variable... it's referring to a certain section of memory at address 0x43EFFF70 which stores a varying integer


EDIT After NoEffex: Yeah, but the variable 'val0' isn't a constant itself lol... int const val0; would mean the variable is constant. Thanks for clearing that up though NoEffex
 
I don't know why they're the same, but they are. If I was allowed to I'd post the ASM, but they're the **exact** same thing.

Referring to the previous individual..

int val0 = 0x43EFFF70; <--Constant
val0 += val1; <---Edited, this varies

Then val1 is changed depending on unkn0.

If need be I'll compile it then patch the import NIDS, and see what gets passed onto it. One can inject it in, so yeah.
 
Might as well post a more correct version:

It's part of their "PSPID" generation. The function makes sure that you pass the correct "PSPID" registers (which is actually the FuseID registers which are unique per each PSP) and passes the unique ID back (one half of it, they call the function twice to grab the full ID).

Code:
#include <psptypes.h> // PSPSDK header that defines u32

// Pass FuseID Register as addr: 0xBC10009x
// FuseID only 6 Bytes but needs to be read
// via two word reads at 0xBC100090 and 0xBC100094
u32 uhura_driver_38CF8431(void *addr)
{
    // Mask off the two low bits (byte offsets 0-3) to word-align the address
    u32 *mem = (u32 *)((u32)addr & 0xFFFFFFFC);

    // verify correct register address passed
    // (unsigned compare: only 0xBC100090 and 0xBC100094 pass)
    if ((u32)mem - 0xBC100090 > 4)
        return 0x12345678;

    // return one half of FuseID
    return mem[0];
}

The other function, uhura_driver_AF6F18BA, is identical (though only one of them is actually used).
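
An added example, not code from the thread or from Datel: a host-side C model of the address check in the post above. It shows that the 0x43EFFF70 in the earlier decompilation is -0xBC100090 modulo 2^32, and that the range check only rejects low addresses when the compare is unsigned. The function names and the mock FuseID words are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FUSEID_BASE 0xBC100090u   /* register address quoted in the thread */
#define BAD_ADDR    0x12345678u   /* sentinel returned for a rejected address */

/* Constructed stand-in for the two FuseID words; not real hardware values. */
static const uint32_t mock_fuse[2] = { 0x11112222u, 0x00003333u };

/* Hypothetical model of the check: word-align, then one unsigned compare. */
uint32_t read_fuse_word(uint32_t addr)
{
    uint32_t aligned = addr & 0xFFFFFFFCu;
    /* Unsigned subtraction wraps, so addresses below the base become huge. */
    if (aligned - FUSEID_BASE > 4u)
        return BAD_ADDR;
    return mock_fuse[(aligned - FUSEID_BASE) / 4u];
}

/* Earlier listing's form: adding 0x43EFFF70 equals subtracting FUSEID_BASE. */
uint32_t offset_via_add(uint32_t addr)
{
    return (addr & 0xFFFFFFFCu) + 0x43EFFF70u;
}

/* Same arithmetic compared as a signed int, as the earlier listing typed it. */
int signed_check_accepts(uint32_t addr)
{
    return (int32_t)offset_via_add(addr) <= 4;
}

int main(void)
{
    /* Constructed probe addresses around the two FuseID registers. */
    uint32_t probes[] = { 0xBC10008Cu, 0xBC100090u, 0xBC100093u,
                          0xBC100094u, 0xBC100098u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%08X -> unsigned: %08X  signed accepts: %d\n",
               (unsigned)probes[i], (unsigned)read_fuse_word(probes[i]),
               signed_check_accepts(probes[i]));
    return 0;
}
```

With a signed compare, an address just below the base yields a negative offset and slips past the `> 4` test, which is why the `u32` typing in the corrected listing matters.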
 