The other day I got an idea for discovering the AES key used by the PSP for saving games. Basically the machine applies the function AES(DATA,KEY) = ENCRYPTED_DATA. Typically all we know is ENCRYPTED_DATA and it's pretty much useless to us. But what if we knew what DATA was in the first place? If we knew both DATA and ENCRYPTED_DATA, it would be an almost trivial matter of figuring out which key was used.
How can we get DATA? Well, my theory is, some of the games that are (or will be) released are just simple ports of other systems. If the data formatting were exactly the same, a save game from a PC or PS2 could match perfectly. Also, now that UMDs are starting to get dumped, maybe there is a common header in some of these files.
Anyway, that's my idea. What do you all think? Possible? Idiotic?
AES exploit theory
Another thread (http://forums.ps2dev.org/viewtopic.php?t=1635) suggested doing this on BOOT and EBOOT, given that EBOOT is just an encrypted version of BOOT with some header info.
Unfortunately it seems that for all practical purposes plaintext attacks on the encryption used are infeasible.
edits: typos
Last edited by cheriff on Tue May 10, 2005 2:21 pm, edited 2 times in total.