PSP Download Applet

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

etx
Posts: 33
Joined: Sat Apr 02, 2005 12:54 am
Location: Detroit

Post by etx »

Ah ha! I just jumped on to post about this! Also notice that the Java applet pulls the Hardware ID from the PSP somehow.
netwerx
Posts: 11
Joined: Sun May 08, 2005 10:25 pm
Contact:

Post by netwerx »

Can anyone elaborate on what this means?
Yanks
Posts: 1
Joined: Thu May 19, 2005 4:11 pm

Post by Yanks »

Basically, I grabbed the JAR and started sifting through it. I'm on a Mac, and it won't run. Does it run on Windows systems? I can't tell from here :(

Anyway I decided to take a good look at the code that is contained in the jar file. While I won't post any code here, I would suggest that you all take a look at what is written in the code using JAD, a java decompiler. I'm only 3rd year CS, but I can tell that not only does the program grab the PSP's ID (This could be the private key) it also provides functions/methods for encryption and decryption.

This could be it, guys. The solution for running code on a 1.5 PSP.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

At last something I can really help with.

OK First impressions (this will not tell you too much, but is a start) - I will edit it later with further info as I find it.

The jar is a signed, unobfuscated (wow) applet.

1) Signed applet - means it runs in a browser (applet container) but could be allowed access to the local file system (since signed).

2) Unobfuscated means it is easy to read and work out what it does.

It should be possible to get a webpage to point to it and see what it does - more later.
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

from pspdirstructure..

COMMON_DIR = "PPCD00001DLS001";
PSP_ID_FILENAME = "data2.bin";

so that's where it gets the id, I would imagine..
Chaosmachine Studios: High Quality Homebrew.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Amazing you beat me to it - that bit caught my interest too and I was just about to post about it - lol

But surely the PSP ID would be in firmware and not on the memory stick - is it possible that this is simply the ID to use for DRM and not the PSP ID itself?

I have a feeling that this applet will not be very useful (I may be wrong of course) since at the moment all it seems to do is put files on the Memory Stick using the windows mounted volume, hence ignoring the PSP altogether.

However if the data2.bin is the PSP id and it could be changed meaningfully then what would that mean?

1) Is PPCD00001DLS001 an accessible firmware directory that pretends to be part of the memory stick?

I'm probably talking out of my arse now so I'll shut up for the moment...
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

OMG identity.class would seem to have some very interesting information in it.

I will not post source since I'm sure that would be illegal, but it seems to be able to read firmware version, nickname, hardwareid and timestamp.

It does this via an SHA1 cypher which has a key as the first bit of the file.

How useful is this?
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Sorry, key seems to be at the end of the file - after a 'fingerprint' ??

It seems that the file has the format:

version      4 bytes
hardwareId   20 bytes
timeStamp    4 bytes
nickName     208 bytes
fingerprint  20 bytes
key          20 bytes (only if the passed-in recordSize is greater than 256)

In IdentityCollection.class we see that the record length is 276 bytes and that data2.bin must be an exact multiple of this to be valid. This also means that there is a key.

This is probably to do with DRM isn't it???
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

Here is what it looks like to me. PPCD00001DLS001 is a public folder that all games can access. It's most likely created when you format the memstick in the PSP. After formatting, the PSP dumps the PSP id into a .bin file, so games can access it easily.
Chaosmachine Studios: High Quality Homebrew.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Yep, just checked - I already have a data2.bin - hmmm, now I can read it...

Wonder what the fingerprint is?
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

I like this.

INTERNAL_KEY[] = Util.parseBytes("D3C64E430B3F2C1152DBFEF1A5C71CA4");
Chaosmachine Studios: High Quality Homebrew.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Wow. It couldn't be could it?
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

My guess is that it uses that key to determine if the data from the data2.bin file is authentic, for DRM purposes..
Chaosmachine Studios: High Quality Homebrew.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

The output of

parseBytes("D3C64E430B3F2C1152DBFEF1A5C71CA4")

produces the following 16 element array:

0: -45
1: -58
2: 78
3: 67
4: 11
5: 63
6: 44
7: 17
8: 82
9: -37
10: -2
11: -15
12: -91
13: -57
14: 28
15: -92

Any use?
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Actually data2.bin can contain multiple identities, each of length 276 bytes (or 256 without key, but see no reference to unkeyed identities in code).

Am now writing a simple data2.bin unpacker for anybody interested.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

Ok - apologies in advance if this is illegal (and please remove it if it is).

Here is a little java file that takes a data2.bin formatted file name as input and outputs a little information from it.

It is unfortunately not self contained, as it uses the SHA1CypherStream object from the jar and I haven't had time to write my own. Hope it helps someone.

package com.piercer.psp;

import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;

// Reads a data2.bin file (a sequence of 276-byte identity records) and prints
// a little information from each record. SHA1CipherStream is the applet's own
// class from the jar; it is not included here.
public class Data2Reader
{
    private static final int RECORD_LEN = 276;

    private static final char HEX[] =
    {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
        'A', 'B', 'C', 'D', 'E', 'F'
    };

    public static void main (String[] args)
    {
        if (args.length != 1)
        {
            System.out.println("Usage: Data2Reader <data2.bin>");
            System.exit(1);
        }
        File data2File = new File(args[0]);
        long fileLength = data2File.length();
        if (fileLength % RECORD_LEN != 0L)
        {
            System.out.println("Error: File length not multiple of 276");
            System.exit(1);
        }
        DataInputStream dis = null;
        try
        {
            dis = new DataInputStream(new FileInputStream(data2File));
            int nIdent = (int) (fileLength / RECORD_LEN);
            for (int i = 0; i < nIdent; i++)
            {
                // Record layout: 4 + 20 + 4 + 208 + 20 + 20 bytes.
                byte[] version     = new byte[4];
                byte[] hardwareId  = new byte[20];
                byte[] timeStamp   = new byte[4];
                byte[] nickName    = new byte[208];
                byte[] fingerprint = new byte[20];
                byte[] key         = new byte[20];
                // readFully() fills each buffer completely; a plain read() may return short.
                dis.readFully(version);
                dis.readFully(hardwareId);
                dis.readFully(timeStamp);
                dis.readFully(nickName);
                dis.readFully(fingerprint);
                dis.readFully(key);
                // The trailing 20-byte key seeds the cipher that unscrambles the other fields.
                SHA1CipherStream cipher = new SHA1CipherStream(key);
                cipher.xor(version);
                cipher.xor(hardwareId);
                cipher.xor(timeStamp);
                cipher.xor(nickName);
                cipher.xor(fingerprint);
                System.out.println("Found identity: " + convertToString(nickName));
                System.out.println("HardwareID: " + dump(hardwareId));
                System.out.println("Version: " + dump(version));
                System.out.println("TimeStamp: " + dump(timeStamp));
                System.out.println();
            }
        }
        catch (Exception e)
        {
            System.out.println("Error: " + e);
        }
        finally
        {
            try { if (dis != null) dis.close(); } catch (Exception ignored) {}
        }
    }

    // Decode the NUL-terminated UTF-8 nickname; stops at the buffer end if no NUL is found.
    public static final String convertToString(byte[] input)
    {
        try
        {
            int n = 0;
            while (n < input.length && input[n] != 0) n++;
            return new String(input, 0, n, "UTF-8");
        }
        catch (Exception e)
        {
            return null;
        }
    }

    // Hex-dump a byte array as upper-case pairs.
    public static final String dump(byte a[])
    {
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < a.length; i++)
        {
            buf.append(HEX[a[i] >> 4 & 0xf]);
            buf.append(HEX[a[i] & 0xf]);
        }
        return buf.toString();
    }
}
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Moved to PSP Exploit Discussion.
Danj
Posts: 70
Joined: Sun May 15, 2005 5:04 am
Location: Peterlee, DURHAM, UK
Contact:

Re: PSP Download Applet

Post by Danj »

What is that page supposed to do? I tried it (both with and without my PSP connected) and I just get a "your session has timed out" error. Is there a particular sequence of pages I should be going through to get there?
Dan Jackson
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Re: PSP Download Applet

Post by Vampire »

Danj wrote:
What is that page supposed to do? I tried it (both with and without my PSP connected) and I just get a "your session has timed out" error. Is there a particular sequence of pages I should be going through to get there?
try http://www.wipeoutpure.com/
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

Yanks wrote: This could be it, guys. The solution for running code on a 1.5 PSP.
I don't think so. It does the same as what the Wipeout Pure browser does: downloading something, extracting it and storing it to the memory stick. The only interesting thing is the SHA1 fingerprint check, because game files and other things could use the same signing method (but which is not related to the encryption for executables).
Danj
Posts: 70
Joined: Sun May 15, 2005 5:04 am
Location: Peterlee, DURHAM, UK
Contact:

Post by Danj »

Shine wrote:
Yanks wrote: This could be it, guys. The solution for running code on a 1.5 PSP.
I don't think so. It does the same as what the Wipeout Pure browser does: downloading something, extracting it and storing it to the memory stick. The only interesting thing is the SHA1 fingerprint check, because game files and other things could use the same signing method (but which is not related to the encryption for executables).
Well, it's still an interesting development even if it is only the encryption for save files. It'd allow hacking of save files, which might then lead to being able to craft a malformed save file to cause a buffer overflow or some other exploit. Personally I'd be quite interested in being able to read data from my Metal Gear Acid save files; not because I want to cheat, but because I want to write a better deck editor/viewer on my PC.
Dan Jackson
MindWall
Posts: 70
Joined: Tue May 10, 2005 4:27 pm

Post by MindWall »

just want to point out that the CAB and the JAR files are different, and the JAR contains a few more files...
including a file called SCEE.DSA
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

MindWall wrote: just want to point out that the CAB and the JAR files are different, and the JAR contains a few more files...
including a file called SCEE.DSA
See standard Java doc: http://www.unix.org.ua/orelly/java-ent/ ... ppa_02.htm
MindWall
Posts: 70
Joined: Tue May 10, 2005 4:27 pm

Post by MindWall »

thanx this explains a few things :)
A signed JAR file is identical to a standard JAR file except that a signed JAR file contains two additional entries:

SIGNER.SF--A file containing an SHA message digest for each class file in the archive. The digest is calculated from the three lines in the manifest for the class file. The base of this name (SIGNER) varies; it is typically based upon the alias of the keystore entry used to sign the archive.

SIGNER.DSA--A file containing the digital signature of the .SF file. The base of this name matches the first part of the .SF file; the extension is the algorithm used to generate the signature. This file also contains the certificate of the entity that signed the archive.

The algorithm used to generate the signature depends upon the type of the key found in the keystore: if the key is a X509 (DSA) key, a DSA signature will be generated. If the key is an RSA key, an RSA signature will be generated (assuming you have installed a security provider capable of producing such signatures). If you have a keystore that contains other types of keys, jarsigner will be unable to use them to sign the JAR file.

These entries are held in the META-INF directory of the JAR file.
MrSiir[S]
Posts: 32
Joined: Tue Sep 14, 2004 11:08 am

Post by MrSiir[S] »

Only out of curiosity.

Go to http://www.wipeoutpure.com and login, now you can make requests to the server DCDP:

https://www.yourpsp.com/download/DCDP/O ... CALE=en_US


<properties>
version=0.20
sessionId=XXXXXXXXXXXXXXXXXX
status=true
valid=true
</properties>
https://www.yourpsp.com/download/DCDP/G ... CALE=en_US


<properties>
version=0.20
sessionId=XXXXXXXXXXXXXXXXXX
assets=liverpool_wop_ucus98612dgammapack1_040505
status=true
valid=true
</properties>
https://www.yourpsp.com/download/DCDP/G ... ck1_040505


<properties>
version=0.20
sessionId=XXXXXXXXXXXXXXXXXX
name=liverpool_wop_ucus98612dgammapack1_040505
is-restricted=false
length=3660555
file-fingerprint=2A430FFF2867A89DFD8EF2429DBDDE74148E7D91
is-downloadable=true
external=true
application=1
provider=1
is-boundtouser=true
location=http&#58;//download.yourpsp.com/psp_asset/UCUS98612DGAMMAPACK1.zip
signature-level=0
content-type=application/octet-stream
local-storage=/PSP/SAVEDATA/UCUS98612DGAMMAPACK1
is-archive=true
status=true
valid=true
</properties>

https://www.yourpsp.com/download/DCDP/G ... ck1_040505


<DOWNLOAD FILE UCUS98612DGAMMAPACK1.zip>
What is the DCDP server?
MindWall
Posts: 70
Joined: Tue May 10, 2005 4:27 pm

Post by MindWall »

Dynamic Configuration and Distribution Protocol
??
th0mas
Posts: 43
Joined: Sun Apr 24, 2005 1:59 am
Location: Canada
Contact:

Post by th0mas »

http://www.research.ibm.com/people/a/archan/pcs2001.pdf

related to dynamically creating wireless networks if it matches the pdf.
piercer
Posts: 21
Joined: Fri Apr 01, 2005 4:45 pm

Post by piercer »

OK, a question for the UTF-knowledgeable out there.

My nickname on my PSP is Piercer. Looking at the way this is stored in DATA2.BIN (decrypted/dehashed, of course), it looks like:

50EFBD P
89EFBD i
85EFBD e
92EFBD r
83EFBD c
85EFBD e
92E38080 r (but slightly different) ????

What form of UTF is this, even though it's supposed to be UTF-8?

Any info on this encoding and how to view it as ascii?
th0mas
Posts: 43
Joined: Sun Apr 24, 2005 1:59 am
Location: Canada
Contact:

Post by th0mas »

On UTF I've encountered before, the last byte mapped to the ASCII value. It looks like something similar here, only the lowercase values are offset by 0x20.

for example, (with help from www.lookuptables.com)

0x50 = P
0x69 = i = 0x89 - 0x20
0x65 = e = 0x85 - 0x20
0x72 = r = 0x92 - 0x20
0x63 = c = 0x83 - 0x20
0x55 = e = 0x85 - 0x20
0x72 = r = 0x92 - 0x20

Either your decoding method is slightly wrong, or the version of UTF has the lowercase characters mapped with the LSB (assumably) offset +0x20.

In either case you could just take that LSB, and if its value is > 0x81, subtract 0x20 and you have the ASCII value for it.
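Read in stream order, the nickname bytes piercer listed are ordinary UTF-8: the 'P' is plain ASCII 0x50, each EF BD xx triple is a fullwidth Latin small letter (U+FF41..U+FF5A), and E3 80 80 is U+3000, the ideographic space; the "subtract 0x20 from the last byte" rule works because the UTF-8 encodings of fullwidth a..z happen to end in 0x81..0x9A. The following Python is an added example (not code from the thread or the applet) that splits a data2.bin image into the 276-byte records described earlier in the thread and decodes the nickname field with NFKC folding. The sample record is constructed, and the cipher step performed by the applet's SHA1CipherStream is assumed to have been undone already and is not reproduced.

```python
import unicodedata

RECORD_LEN = 276  # 256-byte identity plus the trailing 20-byte key
FIELDS = (("version", 4), ("hardwareId", 20), ("timeStamp", 4),
          ("nickName", 208), ("fingerprint", 20), ("key", 20))

# Constructed nickname bytes in stream order, taken from the hex piercer listed:
# ASCII 'P', then fullwidth i, e, r, c, e, r (EF BD xx), then U+3000 (E3 80 80).
NICK_BYTES = bytes.fromhex("50 EFBD89 EFBD85 EFBD92 EFBD83 EFBD85 EFBD92 E38080")

def build_sample_record() -> bytes:
    """Constructed plaintext record (not a real data2.bin); cipher step assumed undone."""
    body = (b"\x00\x00\x00\x01"              # version (constructed value)
            + bytes(range(20))               # hardwareId (constructed value)
            + b"\x42\x4c\x8e\x10"            # timeStamp (constructed value)
            + NICK_BYTES.ljust(208, b"\x00") # nickName, NUL padded like the reader expects
            + bytes(20)                      # fingerprint (constructed value)
            + bytes(range(20, 40)))          # key (constructed value)
    assert len(body) == RECORD_LEN
    return body

def split_records(data: bytes) -> list:
    """data2.bin is only valid when its length is an exact multiple of 276."""
    if len(data) % RECORD_LEN:
        raise ValueError(f"length {len(data)} is not a multiple of {RECORD_LEN}")
    return [data[i:i + RECORD_LEN] for i in range(0, len(data), RECORD_LEN)]

def parse_record(rec: bytes) -> dict:
    """Slice one 276-byte record into its named fields."""
    out, pos = {}, 0
    for name, size in FIELDS:
        out[name] = rec[pos:pos + size]
        pos += size
    return out

def decode_nickname(raw: bytes) -> tuple:
    """Return (as stored, ASCII-folded): stop at the first NUL, decode UTF-8,
    then NFKC-fold fullwidth letters and the ideographic space to ASCII."""
    end = raw.find(b"\x00")
    text = raw[:end if end >= 0 else len(raw)].decode("utf-8")
    return text, unicodedata.normalize("NFKC", text)

def last_byte_rule_holds() -> bool:
    """Fullwidth a..z are U+FF41..U+FF5A; their UTF-8 last bytes are 0x81..0x9A,
    which is exactly 0x20 above ASCII a..z."""
    return all(chr(0xFF41 + i).encode("utf-8")[-1] - 0x20 == 0x61 + i
               for i in range(26))
```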