Trying to catch up and give a help

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

bestnoob
Posts: 1
Joined: Sun Jun 12, 2005 8:07 pm


Post by bestnoob »

Hi guys,

Please no flaming, I have read most of this forum this morning and wanted to ask a few questions to start in the right direction.

I have seen that all games have in the SYSDIR directory both an EBOOT.bin and a BOOT.bin.

1/ Is EBOOT.bin the encrypted version of BOOT.bin?
2/ If it is why would Sony include both on a disk?
3/ Having both the plaintext and the ciphertext, how difficult is it to brute force both the AES key and the signature process private keys?

Edit1: 3/ => Ok, I have read more about AES. The steps are quick and easy, but even an early out would take a considerable amount of time. Even if 128b seems small, parsing each combination at 1 per cycle would take > 2^96 seconds on a 3 GHz machine :)

Edit2: 2/ => AES is robust to this sort of attack; DES needed more than 2^43 ciphertext/plaintext pairs to reduce the complexity, and it is believed that AES needs even more, so unless Sony releases 2^43 different games on the PSP there is no chance it will break this way, so Sony does not make their system less robust this way. However the question remains: is it there for future compatibility and for consoles that could only run an unencrypted Boot.bin in case they change the public/private keys?

Edit3: I just realized that AES is symmetric. Since Sony are not complete idiots they must have used a random key for every game, with the key encrypted with their private RSA key. Encryption is just a smoke screen to stop us for a little while, but once it is cracked it will be cracked for ever. This does not solve the problem though, since we will not be able to sign executables.

boot.bin might not even be a decrypted version of eboot.bin but just a decoy left there by Sony. Am I overestimating Sony guys? :)

Bestnoob
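The hybrid scheme bestnoob hypothesises above (a random per-title symmetric key, wrapped under an RSA key, with a signature over the image on top) can be modelled in a few dozen lines. The block below is an added illustration, not code from the original thread and not the PSP's actual format; it assumes a SHA-256 counter-mode keystream as a stand-in for AES, toy Mersenne-prime RSA moduli with no padding, and hypothetical function names (`package`, `device_load`, `leaked_key_attack`). It shows both halves of the poster's argument: once the device-side unwrap exponent leaks, every image decrypts for good, yet a patched image re-encrypted under the same content key still fails signature verification, because the signing exponent never leaves the publisher.

```python
"""Model of encrypt-then-sign packaging with a per-title content key.

ASSUMPTIONS (not facts from the thread): SHA-256 in counter mode stands in
for AES; RSA uses small Mersenne-prime moduli and no padding; all names are
hypothetical.  Do not reuse these parameters for anything real.
"""
import hashlib
import os
from typing import Optional

E = 65537


def _keypair(p: int, q: int):
    """Textbook RSA: returns (modulus, private exponent) for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Publisher's signing key: the device ships with (SIGN_N, E); D_SIGN stays
# with the publisher.  Moduli ~2^216 and ~2^168 are toy sizes (assumption).
SIGN_N, D_SIGN = _keypair(2**127 - 1, 2**89 - 1)
# Device's key-wrapping key: the publisher holds (WRAP_N, E); D_WRAP lives in
# the device and is what an attacker would eventually extract.
WRAP_N, D_WRAP = _keypair(2**107 - 1, 2**61 - 1)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: keystream block i = SHA-256(key || i).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def _digest_int(data: bytes) -> int:
    """192-bit truncated SHA-256 as an integer, so it is below SIGN_N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


def package(plain_image: bytes) -> dict:
    """Publisher side: fresh content key, wrap it for the device, encrypt, sign."""
    content_key = os.urandom(16)
    cipher_image = stream_xor(content_key, plain_image)
    wrapped_key = pow(int.from_bytes(content_key, "big"), E, WRAP_N)
    signature = pow(_digest_int(cipher_image), D_SIGN, SIGN_N)
    return {"image": cipher_image, "wrapped_key": wrapped_key, "sig": signature}


def device_load(pkg: dict) -> Optional[bytes]:
    """Device side: verify the signature first, then unwrap and decrypt.

    Returns the plaintext image, or None if the signature does not check out.
    """
    if pow(pkg["sig"], E, SIGN_N) != _digest_int(pkg["image"]):
        return None
    content_key = pow(pkg["wrapped_key"], D_WRAP, WRAP_N).to_bytes(16, "big")
    return stream_xor(content_key, pkg["image"])


def leaked_key_attack(pkg: dict, new_code: bytes) -> dict:
    """Attacker who has extracted D_WRAP: decrypt the title, then try to swap
    in new code under the same content key, reusing the old signature.

    Returns {"plaintext": recovered image, "forged": replacement package}.
    """
    content_key = pow(pkg["wrapped_key"], D_WRAP, WRAP_N).to_bytes(16, "big")
    plaintext = stream_xor(content_key, pkg["image"])
    forged = {
        "image": stream_xor(content_key, new_code),
        "wrapped_key": pkg["wrapped_key"],
        "sig": pkg["sig"],  # cannot be recomputed without D_SIGN
    }
    return {"plaintext": plaintext, "forged": forged}


if __name__ == "__main__":
    # Constructed sample image, not a real game binary.
    image = b"~PSP sample image " + bytes(range(256)) * 4
    pkg = package(image)
    assert device_load(pkg) == image
    attack = leaked_key_attack(pkg, b"homebrew payload " * 32)
    print("leaked wrap key recovers plaintext:", attack["plaintext"] == image)
    print("forged image accepted by device:", device_load(attack["forged"]) is not None)
```

The ordering inside `device_load` matters: the signature is checked over the ciphertext before any key material is unwrapped, so a forged package is rejected without the device ever touching the content key. Swapping the stand-in cipher for real AES and the toy moduli for padded 2048-bit RSA changes none of the logic.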
TRF-Yu-Ki
Posts: 15
Joined: Wed Jun 08, 2005 1:27 pm

Post by TRF-Yu-Ki »

First off, let me say good job for doing the research. This is much better than the posts like:

"Hey hackers, how about you just reverse-encrypt, get the keys, and encrypt again? I wanna play my SNES games on my PSP 1.5 already!"

NOTE: I purposely said reverse-encrypt instead of decrypt. ;-)

Anywayz, personally, I think the secret here is not to attack the encryption directly. I've seen VeriSign/RSA stuff used in different forms, and encryption that's pretty much time-tested stuff (like PGP) is basically invincible against today's home PCs/Macs. Your research definitely shows that it's not some simple XORing of bits like Microsoft does with certain passwords in the registry. ;-) Unless some game-dev'er accidentally leaks a private key to a game, I'd leave the encryption defense alone. >_<

But keep working at it. :)
Learning to hack is not bad in itself; it's what you do with your abilities that count. - a.k.a. Shadow-Me-Twice of ddrfreak.com
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

TRF-Yu-Ki wrote: NOTE: I purposely said reverse-encrypt instead of decrypt. ;-)
Do you mean, it is a symmetrical encryption? So saving an unencrypted prx to flash and loading it with kernel functions will encrypt it?
Agoln
Posts: 326
Joined: Wed Jun 08, 2005 3:14 am
Location: Fort Wayne, IN

Post by Agoln »

Shine wrote:
TRF-Yu-Ki wrote: NOTE: I purposely said reverse-encrypt instead of decrypt. ;-)
Do you mean, it is a symmetrical encryption? So saving an unencrypted prx to flash and loading it with kernel functions will encrypt it?
No, he probably means people that know ABSOLUTELY nothing about encryption, and think of "what is the opposite of encryption?" which they then answer "AHHH, reverse-encryption" instead of decrypt.
TRF-Yu-Ki
Posts: 15
Joined: Wed Jun 08, 2005 1:27 pm

Post by TRF-Yu-Ki »

Yeah... I just said that for people who don't understand anything about (strong) encryption. =^P
Learning to hack is not bad in itself; it's what you do with your abilities that count. - a.k.a. Shadow-Me-Twice of ddrfreak.com
StriderA
Posts: 9
Joined: Wed Jun 15, 2005 1:10 pm
Location: Pope AFB, NC

Post by StriderA »

Too many people believe in a do_magic(); function that just does all the hard stuff for us. Maybe when we get to quantum computing, decrypting and finding the private key for the signing of the code will be possible, but by then, I'm sure the PSP will be so obsolete that the next systems will blow our minds. Oh well... just be warned...

Never underestimate the power of stupid people in large numbers. :)
Lost in a thought, found in a dream.