Editing Kirk
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 46: | Line 46: | ||
</pre> | </pre> | ||
These commands allow to do operations with any public key. For the latest | These commands allow to do operations with any public key. For the latest Pre-IPL version which adds an additional ECDSA verification of the XOR of the block hashes, the public key which is hardcoded in the Pre-IPL is (0xBC660611A70BD7F2D140A48215C096D11D2D4112, 0xF0E9379AC4E0D387C542D091349DD15169DD5A87). | ||
== Code sample == | == Code sample == | ||
Line 146: | Line 146: | ||
|} | |} | ||
= | = Per-console keys = | ||
Kirk commands | Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x30 bytes buffer ("key mesh"). This buffer is used to generate different keys depending on a seed. | ||
= | {| class="wikitable" | ||
|+ | |||
!Seed | |||
!Usage | |||
|- | |||
|0 | |||
|Kirk commands 2 (encryption) & 3 (decryption) (the real encryption & CMAC keys are random, but this per-console key is used to encrypt them) | |||
|- | |||
|1 | |||
|Kirk command 5 (encryption) & 8 (decryption) | |||
|- | |||
|2 | |||
|Kirk command 6 (encryption) & 9 (decryption) | |||
|- | |||
|3 | |||
|Kirk command 16 | |||
|- | |||
|4 | |||
|Kirk command 18 | |||
|- | |||
|5 | |||
|Unused | |||
|- | |||
|6 | |||
|RNG buffer reseeding | |||
|} | |||
<source lang="c"> | <source lang="c"> | ||
typedef struct | typedef struct ScePspKeyMesh { // size is 0x30 | ||
SceUInt8 | SceUInt8 aes128cbc_key_1[0x10]; // used by Kirk commands 5 & 8 and 16 | ||
SceUInt8 | SceUInt8 aes128cbc_key_2[0x10]; // used by Kirk command 2 & 3, 6 & 9 and 18 | ||
SceUInt8 derivation_key[0x10]; // | SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys | ||
} | } ScePspKeyMesh; | ||
</source> | </source> | ||
To generate the key mesh of a PSP, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code. | |||
To generate the | |||
<source lang="c"> | <source lang="c"> | ||
void | void gen_psp_individual_seed() { | ||
int i, k; | int i, k; | ||
ScePspKeyMesh seed; | |||
u8 subkey_1[0x10], subkey_2[0x10]; | u8 subkey_1[0x10], subkey_2[0x10]; | ||
rijndael_ctx aes_ctx; | rijndael_ctx aes_ctx; | ||
u8 | u8 fuseid[8]; | ||
// Byte-reverse the Fuse ID | // Byte-reverse the Fuse ID | ||
u32 g_fuse90 = *(u32 *)0xBC100090; | u32 g_fuse90 = *(u32 *)0xBC100090; | ||
u32 g_fuse94 = *(u32 *)0xBC100094; | u32 g_fuse94 = *(u32 *)0xBC100094; | ||
fuseid[7] = g_fuse90 &0xFF; | |||
fuseid[6] = (g_fuse90>>8) &0xFF; | |||
fuseid[5] = (g_fuse90>>16) &0xFF; | |||
fuseid[4] = (g_fuse90>>24) &0xFF; | |||
fuseid[3] = g_fuse94 &0xFF; | |||
fuseid[2] = (g_fuse94>>8) &0xFF; | |||
fuseid[1] = (g_fuse94>>16) &0xFF; | |||
fuseid[0] = (g_fuse94>>24) &0xFF; | |||
rijndael_set_key(&aes_ctx, ids_master_key, 128); // set ids_master_key as AES key | rijndael_set_key(&aes_ctx, ids_master_key, 128); // set ids_master_key as AES key | ||
for (i = 0; i < 0x10; i++) // initialize the subkeys using the Fuse ID | for (i = 0; i < 0x10; i++) // initialize the subkeys using the Fuse ID | ||
subkey_2[i] = subkey_1[i] = | subkey_2[i] = subkey_1[i] = fuseid[i % 8]; | ||
for (i = 0; i < 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times | for (i = 0; i < 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times | ||
Line 197: | Line 219: | ||
rijndael_set_key(&aes_ctx, subkey_1, 128); // set subkey_1 as AES key | rijndael_set_key(&aes_ctx, subkey_1, 128); // set subkey_1 as AES key | ||
for (i = 0; i < 3; i++) { // encrypt 3, 6 and 9 times subkey_2 to obtain the final | for (i = 0; i < 3; i++) { // encrypt 3, 6 and 9 times the subkey_2 to obtain the final keymesh | ||
for (k = 0; k < 3; k++) | for (k = 0; k < 3; k++) | ||
rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); | rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); | ||
memcpy( | memcpy(&seed[i * 0x10], subkey_2, 0x10); | ||
} | } | ||
} | } | ||
</source>The key mesh can then be used along with a seed to generate a key using the following algorithm:<syntaxhighlight lang="c"> | |||
void make_perconsole_key(u8 output[16], int seed, ScePspKeyMesh keymesh) | |||
{ | |||
if (seed & 1) { | |||
memcpy(output, keymesh.aes128cbc_key_2, 16); | |||
} else { | |||
memcpy(output, keymesh.aes128cbc_key_1, 16); | |||
} | |||
// Encrypt the result several times depending on the seed | |||
rijndael_set_key(&aes_ctx, keymesh.aes128cbc_derivation_key); | |||
seed = (seed / 2) + 1; | |||
while ((seed--) >= 0) { | |||
</source> | |||
<syntaxhighlight lang="c"> | |||
void make_perconsole_key(u8 output[16], int | |||
if ( | |||
memcpy(output, | |||
else | |||
memcpy(output, | |||
// Encrypt the result several times depending on the seed | |||
rijndael_set_key(&aes_ctx, | |||
while (( | |||
rijndael_encrypt(&aes_ctx, output); | rijndael_encrypt(&aes_ctx, output); | ||
} | } | ||
Line 285: | Line 242: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== | == 0x40-byte buffer == | ||
There | There is a 0x40-byte buffer, named here <code>ScePspIndividualSeed</code>, used in both PSP flashData.prx and (to be checked) in PS Vita cmep keyrings 0x601 and 0x602. It might be slightly different from the mesh buffer described above, so we keep it for now. Indeed, it is unsure if this 0x40 bytes buffer on PS Vita holds the final AES keys or if it is before applying the derivation_key. | ||
Some Kirk commands like commands 16 and 18 use individual (per-console) seeds. The base per-console seed is the Fuse ID (6 bytes), which is transformed into a 0x40 bytes buffer. The first 0x10 bytes of the buffer is the AES CBC MAC key used by Kirk command 18 whilst the second 0x10 bytes are the AES CBC key used by Kirk command 16. | |||
<source lang="C"> | <source lang="C"> | ||
typedef struct | typedef struct ScePspIndividualSeed { // size is 0x40 | ||
SceUInt8 aes128cbc_mac_key[0x10]; // used by Kirk command 18 | |||
SceUInt8 aes128cbc_key[0x10]; // used by Kirk command 16 | |||
SceUInt8 derivation_key[0x10]; // used to derive the 2 other keys of the structure | |||
SceUInt8 fuse_id[8]; // endianness to precise | SceUInt8 fuse_id[8]; // endianness to precise | ||
SceUInt32 padding; // usually set to zero | |||
SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx | SceUInt32 hash; // the hash algorithm is in PSP Jig Kick flashData.prx | ||
} | } ScePspIndividualSeed; | ||
</source> | </source> | ||
To generate ScePspIndividualSeed, provided the Fuse ID (0xBC100090 and 0xBC100094 hardware registers), execute the following code. | |||
To generate | |||
<source lang="C"> | <source lang="C"> | ||
void | void gen_psp_individual_seed() { | ||
int i, k; | |||
ScePspIndividualSeed seed; | |||
int | u8 subkey_1[0x10], subkey_2[0x10]; | ||
rijndael_ctx aes_ctx; | |||
u8 fuseid[8]; | |||
// Byte-reverse the Fuse ID | |||
u32 g_fuse90 = *(u32 *)0xBC100090; | |||
u32 g_fuse94 = *(u32 *)0xBC100094; | |||
fuseid[7] = g_fuse90 &0xFF; | |||
fuseid[6] = (g_fuse90>>8) &0xFF; | |||
fuseid[5] = (g_fuse90>>16) &0xFF; | |||
fuseid[4] = (g_fuse90>>24) &0xFF; | |||
fuseid[3] = g_fuse94 &0xFF; | |||
fuseid[2] = (g_fuse94>>8) &0xFF; | |||
fuseid[1] = (g_fuse94>>16) &0xFF; | |||
fuseid[0] = (g_fuse94>>24) &0xFF; | |||
rijndael_set_key(&aes_ctx, ids_master_key, 128); // set ids_master_key as AES key | |||
for (i = 0; i < 0x10; i++) // initialize the subkeys using the Fuse ID | |||
subkey_2[i] = subkey_1[i] = fuseid[i % 8]; | |||
for (i = 0; i < 3; i++) { // encrypt first subkey three times, and decrypt second subkey three times | |||
rijndael_encrypt(&aes_ctx, subkey_1, subkey_1); | |||
rijndael_decrypt(&aes_ctx, subkey_2, subkey_2); | |||
} | |||
} | |||
rijndael_set_key(&aes_ctx, subkey_1, 128); // set subkey_1 as AES key | |||
for (i = 0; i < 3; i++) { // encrypt three times each one of the three first blocks | |||
for (k = 0; k < 3; k++) | |||
rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); | |||
memcpy(&seed[i * 0x10], subkey_2, 0x10); | |||
} | |||
rijndael_set_key(&aes_ctx, seed.derivation_key, 128); // set the derivation key as AES key | |||
for (i = 0; i < 2; i++) { // encrypt twice the seeds to get the final keys | |||
rijndael_encrypt(&aes_ctx, seed.aes128cbc_mac_key, seed.aes128cbc_mac_key); | |||
rijndael_encrypt(&aes_ctx, seed.aes128cbc_key, seed.aes128cbc_key); | |||
} | |||
for ( | |||
} | |||
} | } | ||
</source> | </source> | ||
= Commands = | = Commands = | ||
Line 682: | Line 500: | ||
== Command 0x0: decrypt kbooti == | == Command 0x0: decrypt kbooti == | ||
This command is only used by devkits to decrypt the kbooti, ie the devkit's | This command is only used by devkits to decrypt the kbooti, ie the devkit's Pre-IPL. It supposedly can only be run at a very early stage. The very short header is as follows. | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
Line 934: | Line 752: | ||
== Command 0xF: Seed RNG buffer == | == Command 0xF: Seed RNG buffer == | ||
This function seeds the Kirk | This function seeds the Kirk RNG buffer used to generate all the random data coming from Kirk. | ||
It takes as an input and output data of size 0x1c: | It takes as an input and output data of size 0x1c: | ||
* 0x00 - | * 0x00 - unknown - modified by an unknown opcode | ||
* 0x08 - seed data | * 0x04 - counter - increased by 1 in the output | ||
* 0x08 - seed data - used for seeding, and contains fresh reseeded data for the output | |||
Seeding works this way: | Seeding works this way: | ||
# | # Increase input counter and do unknown operation on offset 0x00 | ||
# Set | # Set the PRNG seed to the input seed data, XOR'ed with a SHA1 of data coming from a true random number generator | ||
# Initialize | # Initialize RNG buffer to two empty words, and then output data at offsets 0x00 and 0x04 | ||
# Do a reseeding | # Do a reseeding | ||
# Output | # Output resulting buffer. | ||
Reseeding is then done by all operations requiring random data and works this way: | Reseeding is then done by all operations requiring random data and works this way: | ||
# Encrypt RNG buffer with AES per-console key with seed 6 | # Encrypt RNG buffer with AES per-console key with seed 6 | ||
# | # Reseed the PRNG with the RNG buffer | ||
# Regenerate data with the PRNG | # Regenerate data with the PRNG | ||
== Command 0x10: ECDSA signature generation == | == Command 0x10: ECDSA signature generation == | ||
Line 970: | Line 788: | ||
== Command 0x11: ECDSA signature verification == | == Command 0x11: ECDSA signature verification == | ||
This command verifies an ECDSA signature | This command verifies an ECDSA signature. | ||
It takes no output, and takes as an input: | It takes no output, and takes as an input: | ||
Line 981: | Line 799: | ||
== Command 0x12: verify certificate == | == Command 0x12: verify certificate == | ||
This command has no output. | This command has no output. | ||
It takes as input | It takes as an input a 0xB8-long buffer: | ||
*0x00: certificate data (either ConsoleID or OpenPSID) and ECDSA signature etc. (unused here) | |||
*0xA8: AES-CMAC hash of the rest of the header. | |||
It verifies the AES CMAC of the header using per-console key with seed 4. | |||
It | |||
= Error codes = | = Error codes = |