Spock
Spock is the PSP hardware cryptography engine responsible for the raw sector-level decryption of UMDs. Named after Captain Spock of Star Trek. Mapped to 0xBDF00000.
Executing commands
You can more or less access Spock through Lepton's RAM (there is a hidden test mode on Lepton that allows this). Mathieulh will tell more on this later if he ever gets the time to clean up those sources.
Mapping Structure (PSP)
0xBDF00000 = Spock Signature
0xBDF00004 = Spock Version
0xBDF00008 = Spock Error
0xBDF0000C = Spock Proc Phase
0xBDF00010 = Spock CMD Number
0xBDF00014 = Spock Result
0xBDF00018 = Unknown?
0xBDF0001C = Spock Status
0xBDF00020 = Spock Status Asynchronous
0xBDF00024 = Spock Status Asynchronous End
0xBDF00028 = Spock Status End
0xBDF0002C = Spock Source Address
0xBDF00030 = Spock Destination Address

sceUmdMan_driver_1b1bf9fd = sceUmdExecRead10Cmd (0xA)
sceUmdMan_driver_e3716915 = sceUmdExecRead10Cmd (0xA)
sceUmdMan_driver_f819e17c = sceUmdExecReadMKICmd (0x8)
sceUmdMan_driver_6d17fd57 = sceUmdExecReadMKICmd (0x8)
Commands
SPOCK Operations:
0x01: Init1
0x02: Authentication
0x03: Step1
0x04: Step2
0x05: Step3
0x06:
0x07:
0x08: Decrypt UMD master key / Read Master Key Index / Step 4
0x09: Decrypt IDStorage UMD leaves / Step 5
0x0A: Decrypt UMD Disc Sector
0x0B: Reset SPOCK
0x0C: Decrypt UMD Disc Sector Debug
Command 1 (Init 1)
- Uses generate_key_from_mesh(7). See Kirk#Final_PSP_Individual_Keys.
Command 2 (Authentication)
- uses spock2 aes cipher key 0
- uses spock2 aes cmac key 1
Command 3 (Step 1)
Command 4 (Step 2)
Command 5 (Step 3)
Command 6
Command 7
Command 8 (Decrypt UMD master key / Read Master Key Index / Step 4)
- uses spock8 aes cipher key 2
Decrypted MKI example:
All values are little endian.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00
00000010  00 00 00 00 00 00 00 00 6A 1D 49 3E 9F 74 84 8D
00000020  2E 39 DA 7D 63 A8 C8 80 0F 00 00 00 00 00 00 80
00000030  2E 83 6A D5 FD 3C D1 97 B3 BC 7A C5 2A 31 DD B8
00000040  01 00 00 00 00 00 00 00 3E 66 41 AE 34 CA 36 EC
00000050  99 75 2A F6 94 DC C6 66 00 00 00 00 00 00 00 00
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...........
00003FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Command 9 (Decrypt IDStorage UMD leaves / Step 5)
- Uses generate_key_from_mesh(5). See Kirk#Final_PSP_Individual_Keys.
The Spock command 9 key is used to decrypt the UMD leaves stored in IDStorage. Those leaves are then used in Spock command 8 to decrypt the UMD master key (the per-disc key), and that key is in turn used in Spock command 10 to decrypt the UMD raw sectors. Each PSP region seems to have its own set of UMD keys.
9F46F9FCFAB2AD0569F688D8794B92BA
more info on Spock by mathieulh
Command 10 (0xA) (Decrypt UMD raw sectors)
Command 11 (0xB) (Reset Spock)
Command 12 (0xC) (Decrypt UMD Disc Sector Debug)
- Seems to exist only on KICHO DENCHO PSP firmware and devkit firmware, inside UMDMAN.prx.
Where are Spock commands used
- Commands 1 and 9 use per-console keys.
- Commands 8 and 0xA are used on PSP retail firmware, as well as testkit firmware.
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA and 0xB are used on AV test tool firmware.
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on Kicho Dencho firmware, which is a special factory firmware.
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on devkit firmware as well.
- Usage of these commands can always be found in UMDMAN.prx.
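The register map and the per-firmware command list above can be combined to read an MMIO access trace from an emulator or logic capture. The following is an added example, not code from the wiki or from UMDMAN.prx: it pairs each write to the CMD Number register with the most recent Source/Destination Address writes and marks commands the page does not list for retail firmware. The trace format, the struct and function names, and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define SPOCK_BASE 0xBDF00000u
enum { SPOCK_CMD = 0x10, SPOCK_SRC = 0x2C, SPOCK_DST = 0x30 }; /* offsets from the map */
struct spock_access { uint32_t addr, val; int is_write; };     /* one traced 32-bit access */
struct spock_rec { uint32_t cmd, src, dst; };

/* Command names from the Commands list; NULL where the page gives none. */
const char *spock_cmd_name(uint32_t cmd)
{
    static const char *const names[] = {
        NULL, "Init1", "Authentication", "Step1", "Step2", "Step3", NULL, NULL,
        "Decrypt UMD master key", "Decrypt IDStorage UMD leaves",
        "Decrypt UMD Disc Sector", "Reset SPOCK", "Decrypt UMD Disc Sector Debug",
    };
    return cmd < sizeof names / sizeof names[0] ? names[cmd] : NULL;
}

/* Per the page, retail and testkit firmware use only commands 8 and 0xA. */
int spock_retail_cmd(uint32_t cmd) { return cmd == 0x8 || cmd == 0xA; }

/* Pair each CMD Number write with the latest Source/Destination writes seen
   before it. Returns the number of records stored (at most max). */
size_t spock_collect(const struct spock_access *t, size_t n,
                     struct spock_rec *out, size_t max)
{
    uint32_t src = 0, dst = 0;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!t[i].is_write)
            continue;                       /* reads do not change the pairing */
        switch (t[i].addr - SPOCK_BASE) {
        case SPOCK_SRC: src = t[i].val; break;
        case SPOCK_DST: dst = t[i].val; break;
        case SPOCK_CMD: if (k < max) out[k++] = (struct spock_rec){ t[i].val, src, dst }; break;
        }
    }
    return k;
}

int main(void)
{
    /* Constructed trace: sample values, not captured from hardware. */
    static const struct spock_access trace[] = {
        { SPOCK_BASE + SPOCK_SRC, 0x08801000u, 1 }, { SPOCK_BASE + SPOCK_DST, 0x08802000u, 1 },
        { SPOCK_BASE + SPOCK_CMD, 0xA, 1 },         { SPOCK_BASE + SPOCK_CMD, 0xC, 1 },
    };
    struct spock_rec r[4];
    size_t n = spock_collect(trace, 4, r, 4);
    for (size_t i = 0; i < n; i++)
        printf("cmd 0x%X src=0x%08X dst=0x%08X retail=%d\n", (unsigned)r[i].cmd,
               (unsigned)r[i].src, (unsigned)r[i].dst, spock_retail_cmd(r[i].cmd));
    return 0;
}
```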