thx for your replyPspPet wrote:We don't know how to REGENERATE (Aka Encrypt) PRX files.
The "key" area you see at the start of the PRX is only part of a relatively complicated decryption process (it is merged in with several other "keys" stored in the PSP - and run through the decryption hardware)
See the PsarDumper (source code) for how to decode PRXs (up to version 2.5)
http://www.aibohack.com/psp
Probably insufficient to re-encrypt the files.
is it impossible?0okm0000 wrote:...
i just want to replace [new ver PRX files] with [old ver PRX files]
this "key" was gen. by psp when update
so is there have method to gen. this "key"?
I don't know, but the 16-byte hashes stored in save games is also unique to each PSP, so maybe it is computed in a similar fashion. See the savedata/encrypt/hash.c example for how this is computed (the sceChnnlsv_* functions use the crypto hardware to do their work).0okm0000 wrote:this "key" was gen. by psp when update
so is there have method to gen. this "key"?
thank you for your replyPspPet wrote:> i just want to replace [new ver PRX files] with [old ver PRX files]
In general it won't work.
Short answer: the older boot loader can't load the newer 2.x modules (system or game), the newer boot loader won't load old 1.x system modules.
----
The newer system firmware will load old and new PRXs. That's necessary so a 2.0+ firmware PSP can run old 1.0 style games.
You think it would be possible to start with a newer (2.x) firmware and stick in a few older PRXs (perhaps from 1.0 or 1.50) if you could find a working combination.
The Sony engineers thought of that case, and disabled it!!!
Believe it or not, during the PRX decryption logic, it checks the PRX it is decrypting against a list of blocked PRXes and won't load them.
The blocked PRX list includes most of the system components from earlier releases (almost everything from 1.0, 1.50, 1.51). I'm not sure if they are constantly updating it (ie. to prevent 2.50 components loading under 2.60)
There are some parts of the header that can be edited. The following code is redoing the sha1 hash. Durring the decryption process, that PspPet is talking about, the keys are transformed by hw to what you'll see below in the code. With these new keys, you can edit the header of the prx file and redo the hash. Specificaly, you can edit the first 0x80 bytes in the file and from 0xE8 to 0x110.PspPet wrote:We don't know how to REGENERATE (Aka Encrypt) PRX files.
The "key" area you see at the start of the PRX is only part of a relatively complicated decryption process (it is merged in with several other "keys" stored in the PSP - and run through the decryption hardware)
Code: Select all
#include <stdio.h>
#include <string.h>
#include "sha1.h"
unsigned char
key0[20] = {0xBE, 0xF3, 0x21, 0x7B, 0x1D, 0x5E, 0x9C, 0x29, 0x71, 0x5E, 0x9C, 0x1C, 0x45, 0x46, 0xCB, 0x96, 0xE0, 0x1B, 0x9B, 0x3C},
key1[20] = {0x7A, 0x51, 0x59, 0xBA, 0xC5, 0xFB, 0xA5, 0x52, 0x2E, 0x14, 0x84, 0x82, 0xF9, 0x9D, 0x01, 0xB1, 0xE2, 0x23, 0x7C, 0x87},
key2[20] = {0x32, 0xA9, 0xFD, 0xCC, 0x76, 0x6F, 0xC0, 0x51, 0xCF, 0xCC, 0x6D, 0x04, 0x1E, 0x82, 0xE1, 0x49, 0x4C, 0x02, 0x3B, 0x7D},
key3[20] = {0xCA, 0xF5, 0xC8, 0xA6, 0x80, 0xC0, 0x67, 0x6D, 0x3A, 0x4D, 0x4F, 0x92, 0x6A, 0xA0, 0x7C, 0x04, 0x97, 0x02, 0x64, 0x08};
int main(int argc, char* argv[]){
FILE *f;
static unsigned char buf[10*1024*1024], header[0x150];//only 0x14C used
sha1_context cnx;
size_t size;
if (argc < 2){
printf("Usage: fixprxhdr.exe <file.prx>\n");
return 1;
}
if (fopen_s(&f, argv[1], "rb")){
printf("Could not open file '%s'\n", argv[1]);
return 2;
}
size=fread(buf, 1, 10*1024*1024, f);
fclose(f);
if (size<0x150){
printf("File '%s' is too small\n", argv[1]);
return 3;
}
memcpy(header+0x00, buf+0xD0, 0x80);
memcpy(header+0x80, buf+0x80, 0x50);
memcpy(header+0xD0, buf+0x00, 0x80);
switch(*(int*)header){
case 0:
memcpy(header+0x04, key0, 0x14);break;
case 1:
memcpy(header+0x04, key1, 0x14);break;
case 2:
memcpy(header+0x04, key2, 0x14);break;
case 3:
memcpy(header+0x04, key3, 0x14);break;
default:
printf("Unsupported version of the file: +0xD0: 0x%08X\n", *(int*)header);
return 4;
}
sha1_starts(&cnx);
sha1_update(&cnx, header+0x04, 0x14C);
sha1_finish(&cnx, buf+0xD4);
fopen_s(&f, argv[1], "wb");
fwrite(buf, 1, size, f);
fclose(f);
printf("PRX updated successfuly\n");
return 0;
}
thank you for your code and informationflorinsasu wrote: There are some parts of the header that can be edited. The following code is redoing the sha1 hash. Durring the decryption process, that PspPet is talking about, the keys are transformed by hw to what you'll see below in the code. With these new keys, you can edit the header of the prx file and redo the hash. Specificaly, you can edit the first 0x80 bytes in the file and from 0xE8 to 0x110.
also check http://ps2dev.ps2-scene.org/pspformat.txt
...
Code: Select all
u32 sceChkuppkgUnknow_offset0x19C (u32 *a0, u32 a1, u32 a2) // demangle ?
{
a0[0] = 5;
a0[1] = 0;
a0[2] = 0;
a0[3] = a2;
a0[4] = a1;
a1 += 20;
return (semaphore_4C537C72(a0,a1,a0,a1,7)) ? -1 : 0;
}
u32 sceChkuppkgUnknow_offset0x250 (u8 *unk)
{
u8 *p1, *p2;
u32 v0;
p1 = unk;
p2 = sp;
// Copy 4 bytes ?
for (x=0;x<4;x++) p2[x] = p1[x + 4];
if (sp[0] == 0x1) return 0x1;
// Read key 0x141 (full 512 bytes) in a buffer (0xA30)
if (sceIdStorageReadLeaf(0x141,0xA30) < 0) return 0x80000025;
p1 = unk[0x24];
// Copy 160 bytes ?
for (x=0;x<160;x++) p1[x] = 0xA30[x]; (byte)
// Demangle ?
v0 = sceChkuppkgUnknow_offset0x19C(0xC30,160,8);
if (v0 < 0) return v0;
0x20[0] = unk;
// Copy 160 bytes ?
for (x=0;x<160;x++) 0xA30[x] = unk[x];
// Do something with idstorage data ? (opcode = 3)
if (semaphore_4C537C72(0xA30,512,0xA30,512,3)) return 0x80000108;
return ((sp[0] ^ 0xA30[0]) < 1) ? 1 : 0;
}
i can't find key 0x141 on all of my pspjohnmph wrote:I made some reverse engineering with sceChkuppkg module (in 2.70 data.psp update).
It's not finished but you can see that this module reads data in idstorage (http://forums.ps2dev.org/viewtopic.php?t=5512) and uses semaphore function (same that psppet uses in psardumper) to modify a buffer :
Code: Select all
... // Read key 0x141 (full 512 bytes) in a buffer (0xA30) if (sceIdStorageReadLeaf(0x141,0xA30) < 0) return 0x80000025; ...
Code: Select all
0000D8000 - 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 - .!.".#.$.%.&.'.
0000D8010 - 28 01 29 01 2A 01 2B 01 2C 01 2D 01 2E 01 2F 01 - (.).*.+.,.-.../.
0000D8020 - 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 - 0.1.2.3.4.5.6.7.
0000D8030 - 38 01 39 01 3A 01 3B 01 3C 01 3D 01 3E 01 3F 01 - 8.9.:.;.<.=.>.?.
0000D8040 - 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 - ................
0000D8050 - 18 00 19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00 - ................
0000D8060 - 20 00 21 00 22 00 23 00 24 00 25 00 26 00 27 00 - .!.".#.$.%.&.'.
0000D8070 - 28 00 29 00 2A 00 2B 00 2C 00 2D 00 2E 00 2F 00 - (.).*.+.,.-.../.
0000D8080 - 40 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF - @...............
0000D8090 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80A0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80B0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80C0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80D0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80E0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D80F0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D8100 - 00 01 01 01 02 01 03 01 04 01 05 01 06 01 07 01 - ................
0000D8110 - 08 01 09 01 0A 01 0B 01 0C 01 0D 01 0E 01 0F 01 - ................
0000D8120 - 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 - ................
0000D8130 - 18 01 19 01 1A 01 1B 01 1C 01 1D 01 1E 01 1F 01 - ................
0000D8140 - 0F 00 50 00 45 00 46 00 47 00 04 00 05 00 06 00 - ..P.E.F.G.......
0000D8150 - 41 00 42 00 43 00 44 00 40 00 30 00 31 00 32 00 - A.B.C.D.@.0.1.2.
0000D8160 - 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00 - 3.4.5.6.7.8.9.:.
0000D8170 - 3B 00 3C 00 3D 00 3E 00 3F 00 FF FF FF FF FF FF - ;.<.=.>.?.......
0000D8180 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D8190 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81A0 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81B0 - F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF F5 FF - ................
0000D81C0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81D0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81E0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
0000D81F0 - FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
i have this with sceIdStorageReadLeaf(0x141,buffer) :0okm0000 wrote: i can't find key 0x141 on all of my psp
is i find the wrong place ?
Code: Select all
00000000h: 30 A8 2E 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; 0¨.ˆÙÒ.ÓXa"ˆ....
00000010h: A0 65 00 88 00 00 00 00 00 00 00 00 00 00 00 00 ; e.ˆ............
00000020h: 30 74 00 88 D0 1F 01 88 00 00 00 00 00 00 00 00 ; 0t.ˆÐ..ˆ........
00000030h: 58 61 22 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; Xa"ˆÙÒ.ÓXa"ˆ....
00000040h: A4 7D 00 88 D9 D2 10 D3 58 61 22 88 00 00 00 00 ; ¤}.ˆÙÒ.ÓXa"ˆ....
00000050h: 30 A8 2E 88 C4 65 00 88 00 00 00 00 00 00 00 00 ; 0¨.ˆÄe.ˆ........
00000060h: 90 7D 00 88 70 1F 01 88 00 00 00 00 00 00 00 00 ; �}.ˆp..ˆ........
00000070h: 58 61 22 88 58 61 22 88 00 00 00 00 00 00 00 00 ; Xa"ˆXa"ˆ........
00000080h: E8 41 00 88 58 61 22 88 00 00 00 00 00 00 00 00 ; èA.ˆXa"ˆ........
00000090h: D9 D2 10 D3 68 64 00 88 00 00 00 00 00 00 00 00 ; ÙÒ.Óhd.ˆ........
000000a0h: D4 41 00 88 C8 1C 01 88 0C 00 00 00 00 00 00 00 ; ÔA.ˆÈ..ˆ........
000000b0h: 58 61 22 88 C8 1C 01 88 57 2B 4C 04 88 69 00 88 ; Xa"ˆÈ..ˆW+L.ˆi.ˆ
000000c0h: 58 61 22 88 C8 1C 01 88 00 00 00 00 98 FC 00 88 ; Xa"ˆÈ..ˆ....˜ü.ˆ
000000d0h: 00 2B 4C 04 00 00 10 D3 0A 00 00 00 07 00 00 00 ; .+L....Ó........
000000e0h: 00 00 00 00 00 52 6F 01 24 1A 01 88 00 00 00 00 ; .....Ro.$..ˆ....
000000f0h: 00 AE 90 08 00 52 6F 01 24 1A 01 88 A4 1E 00 88 ; .®�..Ro.$..ˆ¤..ˆ
00000100h: 58 61 22 88 00 00 00 00 00 00 00 00 00 00 00 00 ; Xa"ˆ............
00000110h: 00 00 03 00 02 00 00 00 00 00 00 00 00 52 6F 01 ; .............Ro.
00000120h: 00 00 00 00 30 00 00 00 00 00 00 00 FF FF FF FF ; ....0.......ÿÿÿÿ
00000130h: 57 2B 4C 04 01 00 00 00 00 00 03 00 04 3C 00 88 ; W+L..........<.ˆ
00000140h: 58 61 22 88 00 00 80 08 00 00 80 01 0F 00 00 00 ; Xa"ˆ..€...€.....
00000150h: 00 00 91 08 00 52 6F 01 30 00 00 00 E0 A9 2E 88 ; ..‘..Ro.0...à©.ˆ
00000160h: 84 1F 02 88 84 1F 02 88 30 00 00 00 84 1F 02 88 ; „..ˆ„..ˆ0...„..ˆ
00000170h: 03 86 00 20 DC 38 90 88 F8 A8 2E 88 DC 38 90 88 ; .†. Ü8�ˆø¨.ˆÜ8�ˆ
00000180h: 00 00 00 00 00 0E 00 00 00 00 91 08 00 00 00 00 ; ..........‘.....
00000190h: 00 00 91 08 50 8B 90 08 50 8B 90 08 28 48 90 88 ; ..‘.P‹�.P‹�.(H�ˆ
000001a0h: A0 91 90 08 20 00 00 00 1C 3E 90 88 00 00 00 00 ; ‘�. ....>�ˆ....
000001b0h: 48 AE 90 08 00 00 00 00 A0 91 90 08 00 00 00 00 ; H®�..... ‘�.....
000001c0h: B4 7E 90 08 50 8B 90 08 0E 00 00 00 E0 A9 2E 88 ; ´~�.P‹�.....à©.ˆ
000001d0h: 1D 00 00 00 13 00 00 00 EF BE AD DE EF BE AD DE ; ........ï¾Þï¾Þ
000001e0h: E0 A9 2E 88 40 49 90 88 02 00 00 00 00 00 91 08 ; à©.ˆ@I�ˆ......‘.
000001f0h: 1D 00 00 00 74 A9 2E 88 01 00 00 00 E0 A9 2E 88 ; ....t©.ˆ....à©.ˆ
0okm0000 wrote:i can't find key 0x141 on all of my psp
is i find the wrong place ?
You are right, this key doesn't exist.ryoko_no_usagi wrote:0x141 doesn't exist in my 1.5 either. Did you upgrade?
Code: Select all
u32 sceChkuppkg_offset0x374 (void)
{
u32 *v0;
u8 *buffer = 0x0; // Change with relocation
if (sceIdStorageLookup(0x100,0x38,buffer,0xB8) < 0)
{
if (sceIdStorageLookup(0x120,0x38,buffer,0xB8) < 0) return 0x80000025;
}
// Set a flag ?
v0 = 0; // Change with relocation
v0[48 / 4] = 1;
return 0;
}
u32 sceChkuppkg_offset0x3f0 (void)
{
u8 *buffer = 0x0; // Change with relocation (same that buffer in sceChkuppkg_offset0x374)
if (semaphore_4C537C72(0,0,buffer,0xB8,18)) return 0x80000108;
return 0;
}
u32 sceChkuppkg_offset0x42c (u8 *unk)
{
u32 *v0;
v0 = 0x0; // Change with relocation
// Verify flag ?
if (!(v0[48 / 4]))
{
// Read data in idstorage
v0 = sceChkuppkg_offset0x374();
if (v0) return v0;
}
// Set hardware decrypt buffers with idstorage data ?
v0 = sceChkuppkg_offset0x3f0();
if (v0) return v0;
// ?
u8 *buffer = 0x0; // Change with relocation
unk[0x0] = buffer[0x73];
unk[0x1] = buffer[0x72];
unk[0x2] = buffer[0x75];
unk[0x3] = buffer[0x74];
unk[0x4] = buffer[0x77];
unk[0x5] = buffer[0x76];
unk[0x6] = buffer[0x78] >> 0x2;
unk[0x7] = 0;
return v0;
}
Code: Select all
IdStorage key 0x100-0x106 : [?]
00C0000 - xx...xx
00C0038 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0048 - xx...xx
00C0098 - 40 04 C8 0B D9 C8 BA 38 - 22 10 65 92 3E 32 4B 5F
00C00A8 - 0E C1 65 ED 6C FF 7D 9F - 2C 42 0B 84 DF DA 6E 96
00C00B8 - C0 AE E2 99 27 BC AF 1E
00C00C0 - xx...xx
00C00F0 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0100 - xx...xx
00C0150 - 06 48 5F D0 29 85 3B 55 - 2F 7E FD D6 7A 2D E7 A1
00C0160 - A4 E2 55 37 B2 45 9D 87 - 86 42 6D 5B 27 EF A5 A9
00C0170 - 31 1C B8 AB AB FA 0E CE
00C0178 - xx...xx
00C01A8 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C01B8 - xx...xx
00C0208 - 3F 8C 34 F2 10 AE C4 8E - 15 20 FF 2A 44 89 9E 05
00C0218 - 4A 0D A3 3D F8 B9 75 4B - 09 C0 EC 7E 61 86 7A 51
00C0228 - 26 FE 69 26 97 21 96 F5
00C0230 - xx...xx
00C0260 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0270 - xx...xx
00C02C0 - CC B3 44 0D C4 83 6D D5 - 19 E1 3B 28 05 B3 08 70
00C02D0 - DC AE E4 62 13 6B 38 88 - 65 1A 98 E0 2B 29 FA 0C
00C02E0 - D3 4F 16 16 F1 ED 57 86
00C02E8 - xx...xx
00C0318 - 00 00 00 01 00 03 00 02 - nn nn nn nn nn nn nn nn
00C0328 - xx...xx
00C0378 - 08 B3 36 92 5C 2B 44 5D - 03 A9 BE 51 B9 AA BF 54
00C0388 - E4 CC 14 2E A7 2A 23 BB - 80 60 B0 3B 71 CD E0 77
00C0398 - 2D E8 2A D8 93 16 48 D6
00C03A0 - xx...xx
00C0430 - 4F 0A 2B C9 98 76 40 86 - 0E 22 EE 5D 86 08 7C 96
00C0440 - 92 47 0B DF 59 DC 4C 1F - 2E 38 F9 2C E7 B6 68 75
00C0450 - B5 9E D1 0C 9D 84 FA 6A
00C0458 - xx...xx
00C04B0 - FF FF FF FF 01 00 00 80 - 00 00 00 00 00 00 00 80
00C04C0 - 0F 00 00 00 00 00 00 80 - 10 00 00 00 00 00 00 80
00C04D0 - 1F 00 00 00 00 00 00 80 - 20 00 00 00 00 00 00 80
00C04E0 - 2F 00 00 00 00 00 00 80 - 30 00 00 00 00 00 00 80
00C04F0 - 3F 00 00 00 00 00 00 80 - 40 00 00 00 00 00 00 80
00C0500 - 4F 00 00 00 00 00 00 80 - 0F 00 00 10 00 00 00 80
00C0510 - 1F 00 00 10 00 00 00 80 - 2F 00 00 10 00 00 00 80
00C0520 - 3F 00 00 10 00 00 00 80 - 4F 00 00 10 00 00 00 80
00C0530 - 0F 00 00 20 00 00 00 80 - 01 00 00 00 00 00 00 00
00C0540 - 02 00 00 00 00 00 00 00 - 04 00 00 00 00 00 00 00
00C0550 - 08 00 00 00 00 00 00 00 - 10 00 00 00 00 00 00 00
00C0560 - 20 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00C0570 - 80 00 00 00 00 00 00 00 - 01 01 00 00 00 00 00 00
00C0580 - 02 02 00 00 00 00 00 00 - 04 04 00 00 00 00 00 00
00C0590 - 08 08 00 00 00 00 00 00 - 10 10 00 00 00 00 00 00
00C05A0 - 20 20 00 00 00 00 00 00 - 40 40 00 00 00 00 00 00
00C05B0 - 81 80 00 00 00 00 00 00 - 03 01 01 00 00 00 00 00
00C05C0 - 06 02 02 00 00 00 00 00 - 0C 04 04 00 00 00 00 00
00C05D0 - 18 08 08 00 00 00 00 00 - 30 10 10 00 00 00 00 00
00C05E0 - 60 20 20 00 00 00 00 00 - C0 40 40 00 00 00 00 00
00C05F0 - 80 81 80 00 00 00 00 00 - 00 03 01 01 00 00 00 00
00C0600 - 00 06 02 02 00 00 00 00 - 01 0C 04 04 00 00 00 00
00C0610 - 02 18 08 08 00 00 00 00 - 04 30 10 10 00 00 00 00
00C0620 - 08 60 20 20 00 00 00 00 - 10 C0 40 40 00 00 00 00
00C0630 - 20 80 81 80 00 00 00 00 - 41 00 03 01 01 00 00 00
00C0640 - 82 00 06 02 02 00 00 00 - 04 01 0C 04 04 00 00 00
00C0650 - 08 02 18 08 08 00 00 00 - 10 04 30 10 10 00 00 00
00C0660 - 20 08 60 20 20 00 00 00 - 40 10 C0 40 40 00 00 00
00C0670 - 80 20 80 81 80 00 00 00 - 00 41 00 03 01 01 00 00
00C0680 - xx...xx
00C0C40 - 00...00
IdStorage key 0x120-0x126 : [?](SAME AS key 0x100-0x106)
Maybe it's a identifier of the same encription? (just guessing, i don't know it).0okm0000 wrote:
why first 8Bytes "SIG check key" on 2.60 & 2.70 is same ?