Sunday, January 16, 2011

First “Signed” PSP Homebrew Example Released

Developer kgsws has shared an example of the first signed homebrew, one that requires zero hacks:
No hack, no CFW, no HEN needed.

This means that from now on homebrew on OFW starts.
Sony cannot patch this.
It works on all OFW.

In the future the scene will not need an exploit or HEN, because all homebrew can now be signed!
Take a look at this awesome video:

How does it work?

kgsws answers:

Simple: notice it contains the ~PSP header from a demo game (UCES00206); it is exactly the same header. It is easy to craft the last 16 bytes of the encrypted data block to match the header CMAC – yes, that's the trick.
There are some strange things: it can't run homebrews with a bigger executable block (the data block does not matter), and because of the ~PSP header, it has to match the exact size of the original game.
This trick might be possible on firmware kernel modules to get a permanent HEN on non-Pandorable PSPs; I was not able to do it, but I was not trying that much.
PS: I am not the only one who found this trick.

How can I sign homebrews?
by Proxima

Here's an overall process that worked for me:

1. Use PRXDecrypter or a similar app to decrypt a demo game's DATA.PSP. Just before it calls KIRK1, add a step to dump the KIRK1 message with its header.
2. Zero out the data section of the KIRK1 message. Copy your homebrew ELF into it.
3. Look at the original PSP header and get the entry point and mod info offset it expects.
4. Put a couple of lines of code at the expected entry point to jump to the real entry point of your own ELF.
5. Copy the modinfo section from your ELF to the address indicated by the original header.
6. Re-encrypt the new KIRK1 data section with the KIRK key (the AES key from the header).
7. Do a few XORs of the last 16 bytes to make it result in the correct CMAC value (decode the CMAC data hash to see what the correct value needs to be).
8. Copy the data back to the original DATA.PSP (at 0x150). pack-pbp the new DATA.PSP along with your favorite PARAM.SFO and icon files.

If the original game was compressed, you need to add a step 5b: gzip the entire data section (0x110 to EOF) and re-paste it into the file.

PS. One bit of difficulty that still remains is how to deal with the KL4E compression that the kernel modules use. Since their headers indicate compression, and KL4E is the only algorithm the rebooter or IPL supports (I think...), we will have to find a way to create something that decompresses properly with KL4E.
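Why the CMAC check does not stop this: the tag is a CBC-chained MAC, and whoever is crafting the file holds the key it is computed with, so the input the last block must feed into the cipher can simply be computed. The Go example below is added here and is not code from the post or from kgsws or Proxima; it uses a plain CBC-MAC over AES (the chaining core of CMAC, leaving out CMAC's final-block subkey, which is also derived from the key) and constructed sample data, and shows that only the last 16-byte block of a same-length message has to be rewritten to reproduce any given tag.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

const blockSize = 16

// cbcMAC is a raw CBC-MAC (zero IV, no final-block subkey) over a message whose
// length is a multiple of 16 bytes: the chaining core of AES-CMAC.
func cbcMAC(key, msg []byte) ([]byte, error) {
	if len(msg)%blockSize != 0 {
		return nil, fmt.Errorf("message length %d is not a multiple of %d", len(msg), blockSize)
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	state := make([]byte, blockSize) // zero IV
	for i := 0; i < len(msg); i += blockSize {
		for j := 0; j < blockSize; j++ {
			state[j] ^= msg[i+j]
		}
		c.Encrypt(state, state) // C_i = E_K(C_{i-1} XOR M_i)
	}
	return state, nil
}

// fixLastBlock returns a copy of msg whose final block is rewritten so that
// cbcMAC(key, copy) == target. Nothing but the key is needed: recompute the
// chaining value C_{n-1}, then set the last block to D_K(target) XOR C_{n-1}.
func fixLastBlock(key, msg, target []byte) ([]byte, error) {
	n := len(msg)
	if n < blockSize || len(target) != blockSize {
		return nil, fmt.Errorf("need at least one block and a %d-byte tag", blockSize)
	}
	chain, err := cbcMAC(key, msg[:n-blockSize]) // also validates key and length
	if err != nil {
		return nil, err
	}
	c, _ := aes.NewCipher(key) // key already validated above
	want := make([]byte, blockSize)
	c.Decrypt(want, target) // the block input that encrypts to target
	out := append([]byte(nil), msg...)
	for j := 0; j < blockSize; j++ {
		out[n-blockSize+j] = want[j] ^ chain[j]
	}
	return out, nil
}
```

The takeaway for anyone designing such a check is that a MAC whose key is available to the party producing the file protects only against accidental corruption, not against substitution; integrity against someone who can read the file needs a key they cannot read, or an asymmetric signature verified with a public key.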
