Editing Kirk
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 20: | Line 20: | ||
Both use the usual Weierstrass form. | Both use the usual Weierstrass form. | ||
== Elliptic curve for Kirk commands 1/2/3/ | == Elliptic curve for Kirk commands 1/2/3/10 == | ||
This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and | This curve is used for the ECDSA verification of Kirk commands 1, 2, 3 and 10. | ||
<pre> | <pre> | ||
Line 36: | Line 36: | ||
== Elliptic curve for the other commands == | == Elliptic curve for the other commands == | ||
This curved is used for Kirk commands | This curved is used for Kirk commands 12, 13, 14, 16 and 17. | ||
<pre> | <pre> | ||
Line 46: | Line 46: | ||
</pre> | </pre> | ||
The public key is variable. For the latest Pre-IPL version which add an additional ECDSA verification of the XOR of the block hashes, the public key is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87). | |||
== Code sample == | == Code sample == | ||
Line 146: | Line 146: | ||
|} | |} | ||
= | = Per-console keys = | ||
Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30 bytes buffer ("key mesh"). This buffer is used to generate different keys depending on a seed. | |||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
!Seed | !Seed | ||
!Usage | !Usage | ||
|- | |- | ||
|0 | |0 | ||
|Kirk commands 2 (encryption) & 3 (decryption) (the real encryption | |Kirk commands 2 (encryption) & 3 (decryption) (the real encryption & CMAC keys are random, but this per-console key is used to encrypt them) | ||
|- | |- | ||
|1 | |1 | ||
Line 313: | Line 175: | ||
|RNG buffer reseeding | |RNG buffer reseeding | ||
|} | |} | ||
<source lang="c"> | |||
typedef struct ScePspKeyMesh { // size is 0x30 | |||
SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 & 8 and 16 | |||
SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 & 3, 6 & 9 and 18 | |||
SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys | |||
} ScePspKeyMesh; | |||
<source lang=" | |||
typedef struct | |||
SceUInt8 | |||
SceUInt8 | |||
} | |||
</source> | </source> | ||
To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code. | |||
<source lang="c"> | |||
void gen_psp_individual_seed() { | |||
<source lang=" | int i, k; | ||
void | ScePspKeyMesh seed; | ||
u8 subkey_1[0x10], subkey_2[0x10]; | |||
rijndael_ctx aes_ctx; | |||
u8 fuseid[8]; | |||
// Byte-reverse the Fuse ID | |||
u32 g_fuse90 = *(u32 *)0xBC100090; | |||
u32 g_fuse94 = *(u32 *)0xBC100094; | |||
fuseid[7] = g_fuse90 &0xFF; | |||
fuseid[6] = (g_fuse90>>8) &0xFF; | |||
fuseid[5] = (g_fuse90>>16) &0xFF; | |||
fuseid[4] = (g_fuse90>>24) &0xFF; | |||
fuseid[3] = g_fuse94 &0xFF; | |||
fuseid[2] = (g_fuse94>>8) &0xFF; | |||
fuseid[1] = (g_fuse94>>16) &0xFF; | |||
fuseid[0] = (g_fuse94>>24) &0xFF; | |||
rijndael_set_key(&aes_ctx, ids_master_key, 128); // set ids_master_key as AES key | |||
for (i = 0; i < 0x10; i++) // initialize the subkeys using the Fuse ID | |||
subkey_2[i] = subkey_1[i] = fuseid[i % 8]; | |||
for (i = 0; i < 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times | |||
rijndael_encrypt(&aes_ctx, subkey_1, subkey_1); | |||
rijndael_decrypt(&aes_ctx, subkey_2, subkey_2); | |||
} | |||
} | |||
rijndael_set_key(&aes_ctx, subkey_1, 128); // set subkey_1 as AES key | |||
for (i = 0; i < 3; i++) { // encrypt 3, 6 and 9 times the subkey_2 to obtain the final keymesh | |||
for (k = 0; k < 3; k++) | |||
rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); | |||
memcpy(&seed[i * 0x10], subkey_2, 0x10); | |||
} | |||
} | |||
} | } | ||
</source>The key mesh can then be used along with a seed to generate a key using the following algorithm:<syntaxhighlight lang="c"> | |||
void | void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh) | ||
{ | |||
if (seed & 1) { | |||
memcpy(output, keymesh.aes128cbc_key_2, 16); | |||
} else { | |||
memcpy(output, keymesh.aes128cbc_key_1, 16); | |||
} | |||
// Encrypt the result several times depending on the seed | |||
rijndael_set_key(&aes_ctx, keymesh.aes128cbc_derivation_key); | |||
seed = (seed / 2) + 1; | |||
while ((seed--) >= 0) { | |||
rijndael_encrypt(&aes_ctx, output); | |||
} | |||
} | } | ||
</syntaxhighlight> | |||
</ | |||
= Commands = | = Commands = | ||
Line 681: | Line 431: | ||
|} | |} | ||
== Command | == Command 0: decrypt kbooti == | ||
This command is only used by devkits to decrypt the kbooti, ie the devkit's | This command is only used by devkits to decrypt the kbooti, ie the devkit's Pre-IPL. It supposedly can only be run at a very early stage. The very short header is as follows. | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
Line 709: | Line 459: | ||
# Decrypt body using AES slotted key 0 | # Decrypt body using AES slotted key 0 | ||
== Commands | == Commands 1, 2, 3 & 10: decryption and authentication == | ||
=== Overview === | === Overview === | ||
Line 718: | Line 468: | ||
* Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3. | * Command 2 is used to decrypt DRMBB and reencrypt them using a (random key encrypted with a) per-console key to generate data to pass to command 3. | ||
* Command 3 decrypts data encrypted by command 2. | * Command 3 decrypts data encrypted by command 2. | ||
* Command | * Command 10 takes the same data as commands 1, 2 and 3 but only does the signature verification for the header (not for the body) and no decryption (or reencryption). | ||
There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently. | There are two versions of this service: AES CMAC verification, and ECDSA verification. They use the header section of the input buffer slightly differently. | ||
Line 822: | Line 572: | ||
# Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3). | # Generate a valid CMAC or ECDSA signature for the output. For ECDSA, this uses the private key stored in key slot 4 (and is the private counterpart of slots 5/6 used by command 3). | ||
=== Command | === Command 10 === | ||
Its behavior is very simple: | Its behavior is very simple: | ||
Line 901: | Line 651: | ||
# Decrypt the data using the result of step 2 as a key | # Decrypt the data using the result of step 2 as a key | ||
== Command | == Command 11: SHA1 == | ||
This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long. | This command computes the SHA1 of the input. The input must be prefixed with a 4-byte header giving the length of the buffer. Output is 0x14-byte long. | ||
== Command | == Command 12: ECDSA key pair generation == | ||
This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve. | This command generates a random private key and computes the associated public key. See above for the parameters of the elliptic curve. | ||
Line 914: | Line 664: | ||
*0x28 - Public Key point y value | *0x28 - Public Key point y value | ||
== Command | == Command 13: ECDSA point multiplication == | ||
This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve. | This command multiplies an elliptic curve point by a scalar. See above for the parameters of the elliptic curve. | ||
Line 929: | Line 679: | ||
The result is a new point (x and y are each 0x14 bytes long). | The result is a new point (x and y are each 0x14 bytes long). | ||
== Command | == Command 14: PRNG == | ||
This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. (This is basically getting random data, but within the range given by the order of the curve.) | This function takes no input and generates an ECDSA private key similarly to command 12, but without computing the associated public key. (This is basically getting random data, but within the range given by the order of the curve.) | ||
== Command | == Command 15: Seed RNG buffer == | ||
This function seeds the Kirk | This function seeds the Kirk RNG buffer used to generate all the random data coming from Kirk. | ||
It takes as an input and output data of size 0x1c: | It takes as an input and output data of size 0x1c: | ||
* 0x00 - | * 0x00 - unknown - modified by an unknown opcode | ||
* 0x08 - seed data | * 0x04 - counter - increased by 1 in the output | ||
* 0x08 - seed data - used for seeding, and contains fresh reseeded data for the output | |||
Seeding works this way: | Seeding works this way: | ||
# | # Increase input counter and do unknown operation on offset 0x00 | ||
# Set | # Set the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator | ||
# Initialize | # Initialize RNG buffer to two empty words, and then output data at offsets 0x00 and 0x04 | ||
# Do a reseeding | # Do a reseeding | ||
# Output | # Output resulting buffer. | ||
Reseeding is then done by all operations requiring random data and works this way: | Reseeding is then done by all operations requiring random data and works this way: | ||
# Encrypt RNG buffer with AES per-console key with seed 6 | # Encrypt RNG buffer with AES per-console key with seed 6 | ||
# | # Reseed the PRNG with the RNG buffer | ||
# Regenerate data with the PRNG | # Regenerate data with the PRNG | ||
== Command | == Command 16: ECDSA signature generation == | ||
This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. It is used to verify IdStorage IDPS certificates. | This command generates an ECDSA signature of a SHA1 hash (0x14 buffer) using an encrypted private key. It is used to verify IdStorage IDPS certificates. | ||
Line 968: | Line 718: | ||
The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature. | The private key buffer is encrypted with the per-console key with seed 3. The command simply decrypts it, verifies that the scalar is valid (non-zero and less than the order of the curve), and outputs the resulting signature. | ||
== Command | == Command 17: ECDSA signature verification == | ||
This command verifies an ECDSA signature | This command verifies an ECDSA signature. | ||
It takes no output, and takes as an input: | It takes no output, and takes as an input: | ||
Line 980: | Line 730: | ||
The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature). | The result of the operation is given by the return value (0 on success, KIRK_ECDSA_DATA_INVALID on failure to verify the signature). | ||
== Command | == Command 18: verify certificate == | ||
This command has no output. | This command has no output. | ||
It takes as input | It takes as an input a 0xB8-long buffer: | ||
*0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. (unused here) | |||
*0xA8: AES-CMAC hash of the rest of the header. | |||
It verifies the AES CMAC of the header using per-console key with seed 4. | |||
It | |||
= Error codes = | = Error codes = |