Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Battery Keys =
= After the String (TA-093) =
 
== A01V13M07G chip ==
 
<pre>
<pre>
New Key 8: 0A2E73305C382D4F310D0AED84A41800
0B2385010FB279BDE1C3ECA91959040D
New Key 9: D20474308FE269046ED7BB07CF1CFF43
661A4D7F6ECD33C52BF5F29586A76448
New Key A: AC00C0E3E80AF0683FDD1745194543BD
New Key B: 0177D750BDFD2BC1A0493A134A4C6ACF
New Key C: 05349170939345EE951A14843334A0DE
New Key D: DFF3FCD608B05597CF09A23BD17D3FD2
</pre>
</pre>


= Even More Keys from Kicho & Dencho =


= V2 Script for comms of battery =
<pre>
<pre>
23 1B 76 C8 E3 49 0C AD  05 BD 59 4C 1B 63 40 BE
#!/usr/bin/env python
</pre>
'''


* from TEST.prx, used for some umd seed generation
PSP v2 Syscon Handshake Calculator by Proxima (R)


<pre>
'''
"FlashROM PreCalc"
</pre>


* from flashData.prx, used in idStorage 256-320 generation
* https://github.com/mathieulh/Despertar-Del-Cementerio/blob/master/idsregeneration/main.c#L5749




<pre>
sbox = [
"Key-Info MI-Node"
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
</pre>
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
    ]


* from flashData.prx, used in idStorage 256-320 generation


= Wake Me Up Before You Go Go =
key = [
    0x5C, 0xF3, 0x89, 0xEC, 0x52, 0x82, 0xD8, 0x16, 0xD9, 0xAC, 0x81, 0x29, 0x1C, 0xA4, 0x78, 0x7B,
    0x1A, 0xE9, 0x60, 0x8C, 0xF7, 0x75, 0xAD, 0xBB, 0xF8, 0x54, 0xD5, 0xFC, 0xD2, 0x76, 0x0E, 0x75,
    0xF2, 0x1B, 0x7B, 0xF7, 0x47, 0x32, 0x9F, 0x24, 0x65, 0x31, 0xE4, 0x18, 0xB6, 0xC0, 0xCE, 0xBB,
    0xC0, 0xDB, 0xA0, 0x57, 0xEA, 0xD8, 0x47, 0x63, 0x8F, 0xBE, 0x5A, 0x42, 0xDE, 0x1E, 0xD0, 0x6B,
    0x33, 0xE8, 0x48, 0x1F, 0xC6, 0x1E, 0x59, 0x3A, 0xF0, 0x4E, 0x14, 0x56, 0x85, 0x9B, 0x4B, 0x20,
    0xA3, 0x4B, 0x03, 0x1C, 0x77, 0x69, 0x30, 0x0A, 0x47, 0x09, 0x1D, 0x4B, 0x45, 0xDE, 0x95, 0xB5,
    0xE4, 0xAF, 0xAC, 0xB0, 0xC4, 0xAD, 0x9D, 0x97, 0x92, 0x9B, 0x86, 0xCD, 0xD9, 0x07, 0x92, 0x27,
    0x2C, 0x83, 0x2F, 0x9F, 0x79, 0xD4, 0x49, 0xDE, 0x5E, 0xC5, 0x43, 0x8E, 0x3E, 0x39, 0xAB, 0x8C,
    0xB1, 0x32, 0x1D, 0x82, 0x60, 0xB4, 0xFD, 0x23, 0x3A, 0xFF, 0xBC, 0x32, 0xE5, 0xDC, 0x77, 0xFB,
    0x8C, 0xBE, 0xA3, 0x21, 0x43, 0xF7, 0x0A, 0x29, 0x35, 0xCA, 0x76, 0x44, 0xF6, 0x2A, 0x5D, 0xA6,
    0x1F, 0xA1, 0x02, 0x23, 0x58, 0xAF, 0xA5, 0x8C, 0x11, 0xDB, 0xAD, 0xE9, 0x0B, 0x21, 0x7C, 0xDA,
    0x9D, 0xE1, 0x09, 0xA6, 0x4F, 0xB6, 0x30, 0xA5, 0x50, 0x8E, 0x7D, 0xB5, 0xFC, 0x12, 0xDB, 0xAA,
    0x9A, 0x7B, 0x72, 0xD4, 0x9A, 0x2C, 0x1C, 0xB9, 0xFC, 0x72, 0x0F, 0xBA, 0xD8, 0xCA, 0x11, 0xBB,
    0xCE, 0xB5, 0xC7, 0x13, 0x6E, 0x42, 0x5E, 0xE7, 0x16, 0x64, 0x6B, 0xD1, 0x90, 0x5A, 0x4B, 0xF0,
    0x5E, 0xEB, 0x2C, 0x3F, 0x50, 0x12, 0x4C, 0xAB, 0x9A, 0xFE, 0x95, 0x44, 0xED, 0xB7, 0xFC, 0x0C,
    0x34, 0xDF, 0xF3, 0xCC, 0x4B, 0x59, 0x15, 0xBE, 0x64, 0x9A, 0x0F, 0x4B, 0x98, 0x2F, 0xD3, 0xDF,
    0x8A, 0x55, 0xA6, 0x6A, 0xF8, 0xA1, 0xB4, 0x0A, 0xFA, 0x60, 0x6F, 0x24, 0xD3, 0xFC, 0x2F, 0xF0,
    0xCD, 0x98, 0x3E, 0x54, 0xCE, 0x6F, 0xDB, 0xD1, 0x76, 0x16, 0x79, 0x5D, 0xD1, 0x2D, 0x02, 0xF2,
    0xB3, 0x2B, 0x15, 0x41, 0x82, 0xED, 0x36, 0xE7, 0xFF, 0xE9, 0x90, 0xCD, 0xF1, 0xDC, 0xDE, 0x2C,
    0xA7, 0x8C, 0x99, 0xD8, 0x3F, 0xD2, 0xE4, 0x03, 0x8E, 0x67, 0xF7, 0x3A, 0x72, 0xAE, 0x70, 0x5C,
    0xC7, 0x4B, 0xD2, 0x0A, 0xBF, 0x6D, 0x89, 0x8A, 0xC4, 0xA3, 0x54, 0x6E, 0x13, 0xBD, 0xCD, 0x91,
    0x8F, 0xC4, 0x16, 0x1C, 0x20, 0x4D, 0xC4, 0x4E, 0x45, 0xE6, 0xB2, 0xDC, 0x74, 0xC9, 0x04, 0x95,
    0x09, 0x64, 0x1B, 0xF0, 0x75, 0xAC, 0xC0, 0xFC, 0x98, 0xF7, 0x90, 0xAB, 0x88, 0x62, 0x9D, 0xFF,
    0xB8, 0xDC, 0xC7, 0x37, 0x17, 0xBB, 0x7B, 0x87, 0x8E, 0x79, 0xE9, 0x42, 0x04, 0x66, 0xFB, 0x04,
    0xAD, 0x71, 0xB6, 0x81, 0x3B, 0x80, 0xFB, 0x7C, 0x7C, 0x05, 0xEC, 0xAE, 0x9E, 0xF8, 0x03, 0x07,
    0xB9, 0xC8, 0x7E, 0xFF, 0xDF, 0x5F, 0xA4, 0xD8, 0xB9, 0xBC, 0x50, 0xFE, 0x92, 0x6A, 0x69, 0x6E,
    0xD0, 0x18, 0x66, 0x99, 0x64, 0x3B, 0x9F, 0x47, 0x26, 0x9A, 0xCA, 0x34, 0x84, 0xEE, 0x87, 0xE9,
    0x60, 0x78, 0x1E, 0x87, 0x7C, 0x47, 0xD8, 0x9F, 0x38, 0xA2, 0x68, 0x5C, 0x6A, 0x84, 0x03, 0xEA,
    0x9B, 0xE3, 0xFD, 0x7A, 0x36, 0x71, 0xA9, 0x36, 0xBF, 0x1D, 0x75, 0x29, 0x7D, 0xF9, 0xFA, 0x10,
    0xDE, 0x3D, 0xC0, 0xBA, 0x93, 0xE2, 0x4B, 0x7D, 0x75, 0x68, 0x1D, 0x34, 0xA7, 0x5E, 0xA4, 0xB4,
    0xA1, 0x9C, 0x5C, 0xE6, 0x8B, 0x69, 0x22, 0x5F, 0xF8, 0x90, 0x8D, 0xB9, 0x53, 0x0D, 0xA9, 0x1D,
    0x75, 0xE9, 0xB5, 0x53, 0xDD, 0xB4, 0x96, 0xC9, 0x5C, 0xCC, 0x41, 0xF8, 0xDD, 0xD0, 0x79, 0x64,
    0x9E, 0x77, 0xC2, 0x91, 0x9C, 0x28, 0xBE, 0x77, 0x1F, 0xD3, 0x92, 0x6A, 0x30, 0xE0, 0x99, 0xFD,
    0xC9, 0x06, 0xD8, 0x8C, 0x11, 0x4A, 0xD6, 0xDE, 0x5C, 0x26, 0xD9, 0x30, 0xE2, 0x86, 0xD0, 0x59,
    0xD5, 0xD3, 0x0B, 0x87, 0x15, 0x5F, 0x89, 0x57, 0x97, 0xB1, 0x68, 0x58, 0x86, 0x00, 0xD0, 0x89,
    0x8C, 0x5F, 0x54, 0xD3, 0x7F, 0x20, 0xA9, 0xFE, 0x30, 0x81, 0xE9, 0xB1, 0x91, 0x91, 0x41, 0xC8,
    0x33, 0x6C, 0x38, 0xEB, 0xB7, 0x97, 0x3E, 0xC0, 0xD8, 0x59, 0xB0, 0x01, 0xF7, 0x66, 0x27, 0xEF,
    0x81, 0xED, 0xD5, 0x3E, 0xCB, 0x5C, 0x62, 0xA2, 0x07, 0x5E, 0xEE, 0xEF, 0x1E, 0x78, 0x5F, 0xB0,
    0xAB, 0x46, 0x93, 0xAD, 0x14, 0x48, 0x2A, 0x88, 0xE0, 0xBE, 0x50, 0xBF, 0xAC, 0xD4, 0x8B, 0x3B,
    0x4F, 0x09, 0x9A, 0x37, 0x1C, 0x54, 0x7E, 0xF6, 0x02, 0xBC, 0xEC, 0x53, 0x39, 0xED, 0x66, 0x5D,
    0x4D, 0x44, 0xDE, 0xE9, 0xF1, 0xA5, 0xDB, 0x2D, 0x4E, 0xF2, 0x1E, 0x4D, 0xA3, 0x4E, 0x28, 0x75,
    0x15, 0x51, 0x8F, 0x66, 0x12, 0xB7, 0x6C, 0x41, 0xD3, 0x21, 0x3F, 0x72, 0xBD, 0xF3, 0xDB, 0xAE,
    0x8D, 0xDC, 0x53, 0x35, 0x52, 0xE5, 0x89, 0xC8, 0x37, 0x16, 0x29, 0x5B, 0x8E, 0x7D, 0xA6, 0x08,
    0x53, 0x8F, 0xDC, 0xE9, 0x6B, 0x8E, 0x07, 0xCF, 0x07, 0x11, 0x38, 0x63, 0x18, 0x65, 0xC3, 0xCB,
    0x66, 0xFB, 0x90, 0x9E, 0x75, 0x42, 0x3F, 0xD2, 0x39, 0x73, 0xD7, 0xC6, 0xD2, 0xB2, 0xA3, 0x0C,
    0xD2, 0x29, 0xB9, 0x27, 0xC1, 0x83, 0xBC, 0x6E, 0xC7, 0xB4, 0x63, 0xA5, 0xD9, 0x6B, 0xC8, 0xC4,
    0x4F, 0x66, 0xDF, 0xF8, 0xC7, 0x44, 0xF8, 0x96, 0xDB, 0x6F, 0x0C, 0xA9, 0x15, 0x7E, 0xB6, 0x72,
    0xDB, 0xBD, 0x62, 0x9A, 0x14, 0x50, 0xA8, 0x3E, 0x9B, 0xF4, 0xF8, 0x51, 0x54, 0x2A, 0x9C, 0xEE,
    0x61, 0xDC, 0xBE, 0x24, 0xC5, 0x95, 0x3D, 0x03, 0xB3, 0x47, 0xBF, 0xEE, 0xEC, 0xC6, 0x5A, 0xB4,
    0x0A, 0xD6, 0x68, 0x4C, 0xED, 0x78, 0x45, 0x46, 0x3E, 0x79, 0xC6, 0x28, 0xDA, 0x1C, 0x46, 0xF2,
    0x70, 0xA6, 0xCE, 0x82, 0xD9, 0xA1, 0xE4, 0xA2, 0xB7, 0xCE, 0x08, 0x20, 0xF3, 0xEF, 0xA9, 0x5B,
    0x0A, 0xAC, 0x62, 0xE0, 0x6E, 0xCF, 0x2B, 0x89, 0x8E, 0x40, 0x48, 0x68, 0xE0, 0x0F, 0xA6, 0xFD,
    0x2D, 0x81, 0xE3, 0x03, 0x2B, 0xE4, 0xCF, 0x46, 0xDA, 0x9A, 0xD2, 0xBA, 0x01, 0x0E, 0xA8, 0x55,
    0x6C, 0xED, 0x0E, 0x0D, 0xDF, 0x3B, 0xF4, 0xB2, 0x26, 0xBC, 0x6E, 0xD4, 0x7A, 0x74, 0xDC, 0x89,
    0x6D, 0x80, 0x8E, 0x83, 0x97, 0xAC, 0x58, 0xEA, 0x81, 0x3D, 0x53, 0x87, 0xAD, 0xD9, 0x05, 0x8C,
    0xF4, 0xF4, 0xD1, 0x8F, 0xFA, 0xDB, 0x86, 0x99, 0xEF, 0xAB, 0x74, 0x05, 0x20, 0x31, 0xFD, 0x66,
    0x1B, 0xEF, 0x3E, 0xB1, 0x91, 0x4A, 0xCC, 0x55, 0xDC, 0x77, 0x03, 0x06, 0x53, 0x62, 0x9F, 0xF9,
    0xE5, 0x0A, 0x34, 0x85, 0xFE, 0xB4, 0x78, 0x2D, 0x45, 0x32, 0x31, 0x37, 0x9B, 0xF9, 0x66, 0x9F,
    0x39, 0x33, 0x07, 0x82, 0x64, 0xD0, 0xA8, 0x85, 0x9E, 0xAC, 0x9D, 0xAA, 0x0C, 0xF5, 0x93, 0x0C,
    0xA6, 0x95, 0x92, 0x10, 0xC8, 0x18, 0xB0, 0x35, 0x60, 0xCC, 0x51, 0xFB, 0x1F, 0xEA, 0x79, 0x75,
    0x20, 0xB5, 0x27, 0x37, 0xC7, 0xDF, 0x6F, 0x5A, 0xFD, 0x31, 0x60, 0x9B, 0xD5, 0x3F, 0x46, 0x33,
    0xBE, 0x0B, 0x2C, 0x1B, 0xD3, 0x0C, 0x63, 0x39, 0x3E, 0x0F, 0x6F, 0xF4, 0x4F, 0x70, 0x36, 0x05,
    0xEC, 0xE7, 0xCB, 0xD0, 0x6C, 0x60, 0x03, 0x3A, 0x55, 0x5A, 0x35, 0xC1, 0xE0, 0x90, 0xA6, 0xA3,
    0xEC, 0x0B, 0xC0, 0x10, 0x14, 0x74, 0x77, 0x4D, 0x5F, 0x05, 0x30, 0xF1, 0x90, 0x00, 0xA6, 0x05,
    0x14, 0x1F, 0xDF, 0xCF, 0xB5, 0xC1, 0xB6, 0xFB, 0x34, 0x31, 0x01, 0xF0, 0x5A, 0x5A, 0xFC, 0xF9,
    0x2D, 0x32, 0xED, 0x22, 0x39, 0xF8, 0x4E, 0xB5, 0xAD, 0x9C, 0x9D, 0x6D, 0xD0, 0x8A, 0x76, 0x8F,
    0xEA, 0x63, 0xF9, 0x4F, 0x0C, 0xD7, 0x61, 0x35, 0x81, 0xE9, 0x13, 0x2D, 0x13, 0x30, 0x5A, 0xDC,
    0x7D, 0x1E, 0xE7, 0xA8, 0xD4, 0x03, 0x62, 0x57, 0x07, 0xEE, 0xFD, 0xD0, 0x97, 0xA7, 0xFD, 0x21,
    0x24, 0x3A, 0xDD, 0x75, 0xA4, 0xA7, 0xC5, 0x92, 0xFA, 0x14, 0xE9, 0x39, 0x55, 0xF2, 0x0F, 0x2E,
    0x6F, 0x55, 0x88, 0xFD, 0xB6, 0x11, 0xD4, 0x46, 0xCB, 0xDF, 0x36, 0x0F, 0xC8, 0x3A, 0x35, 0x1B,
    0x3D, 0x68, 0xE0, 0x1D, 0xC0, 0xD1, 0x05, 0x43, 0x64, 0xBB, 0x8D, 0x82, 0x9C, 0xA6, 0x93, 0x88,
    0x37, 0x5F, 0xBF, 0xA2, 0xD3, 0x02, 0x07, 0x44, 0xA0, 0x1B, 0x96, 0x14, 0x38, 0x9E, 0x0D, 0x85,
    0x0C, 0x53, 0xEC, 0x4E, 0x29, 0x2B, 0x2C, 0x68, 0x37, 0x2C, 0xBA, 0xAE, 0x02, 0x9C, 0x91, 0x14,
    0x09, 0x5A, 0xB6, 0xF8, 0xCD, 0xE6, 0xCA, 0xA2, 0xCD, 0xE1, 0x5B, 0xF5, 0x2D, 0xB1, 0x20, 0x34,
    0xB3, 0xE9, 0x5F, 0xA7, 0x2B, 0xCD, 0x07, 0xA5, 0xD5, 0x34, 0x6F, 0x9A, 0x6C, 0xDD, 0xFD, 0xC9,
    0xAE, 0x47, 0x18, 0xBF, 0x93, 0x5E, 0x59, 0xFC, 0x08, 0x3C, 0x53, 0xC9, 0x30, 0xED, 0x10, 0xD9,
    0x28, 0x6F, 0x77, 0xC8, 0x4E, 0x10, 0x49, 0xB5, 0x3D, 0x01, 0x52, 0x9B, 0x38, 0xD5, 0xC5, 0x1C,
]
   


== HandShake 0x80 ==  
def ShiftRows(state):
    tmp = state[5]
    state[5] = state[7]
    state[7] = tmp
    tmp = state[8]
    state[8] = state[0xB]
    state[0xB] = tmp
    tmp = state[9]
    state[9] = state[0xA]
    state[0xA] = tmp
    tmp = state[0xC]
    state[0xC] = state[0xE]
    state[0xE] = tmp


<pre>
Key EB
418499BE9D35A3B9FC6AD0D6F041BB26


Challenge 1 EB
def SubBytes(state):
0BD9027E851FA123
    for i in range(0,0x10):
        state[i] = sbox[state[i]]


Challenge 2 EB
F791ED0B3F49A448


Key B3
def MixColumns(a,state):
03BEB65499140483BA187A64EF90261D
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff
   
    c=state[a+4]
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
    u = c ^ state[a+4] ^ b ^ state[a+8] ^ state[a+0xC]


Challenge 1 B3
    c=state[a+4]
DBD3AEA4DB046410
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
   
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff


Challenge 2 B3
    x = d ^ state[a+8] ^ c ^ state[a] ^ state[a+0xc]
E32B8F56B2641298
   
</pre>
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff


== Handshake 0x90 ==
    y = e ^ state[a+0xC] ^ d ^ state[a] ^ state[a+4]   
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff
   
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff


<pre>
    z = b ^ state[a] ^ e ^ state[a+4] ^ state[a+8]   
Yet another battery handshake key 1
    state[a+0xC] = z
880E2A94110926B20E53E22AE648AE9D IV/DATA
    state[a+8] = y
    state[a+4] = x
    state[a] = u
   
 
def AddRoundKey(version,b,state):
    for i in range(0, 2):
        state[(i*2)] ^= key[(0xB0*version)+(b*0x10)+(i*2)]
        state[(i*2)+1] ^= key[(0xB0*version)+(b*0x10)+(i*2)+1]
    for i in range(2, 8):
        a=state[(i*2)] ^ key[(0xB0*version)+(b*0x10)+(i*2)]
        c=state[(i*2)+1] ^ key[(0xB0*version)+(b*0x10)+(i*2)+1]
        state[(i*2)+1]=a
        state[(i*2)]=c


Yet another battery handshake key 2
C66E9ED6ECBCB121B7465D25037D6646 KEY


Yet another battery handshake key 3
def FinalRoundKey(version,state):
DA24DAB43A61CBDF61FD255D0AEA7957 KEY
    for i in range(0, 2):
        state[(i*2)] ^= key[(0xB0*version)+(10*0x10)+(i*2)]
        state[(i*2)+1] ^= key[(0xB0*version)+(10*0x10)+(i*2)+1]
    for i in range(2, 8):
        a=state[(i*2)] ^ key[(0xB0*version)+(10*0x10)+(i*2)]
        c=state[(i*2)+1] ^ key[(0xB0*version)+(10*0x10)+(i*2)+1]
        state[(i*2)+1]=c
        state[(i*2)]=a


Yet another battery handshake const val
82828282
</pre>


== Flash Update Handshake ==
def sony_encrypt(version,data):
    AddRoundKey(version,0,data)
    for i in range (1,10):
        ShiftRows(data)
        SubBytes(data)
        MixColumns(0,data)
        MixColumns(1,data)
        MixColumns(2,data)
        MixColumns(3,data)
        AddRoundKey(version,i,data)
    ShiftRows(data)
    SubBytes(data)
    FinalRoundKey(version,data)


<pre>
Flash Update Handshake key1
78721A6284050ACF07F52C6EBAA32F98


Flash Update Handshake key2
def MixSecret1(version,data, challenge):
08489E59EDD0666E6A83237585C795CB
    secret1 = [
    0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68,
    0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E,
    0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89,
    0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C,
    0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46,
    0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B,
    0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2,
    ]


Flash Update Handshake shared secret 1
    data[0] =secret1[(version *8)+0]
6EBE650DCEDCB6163158AC0CAD158907
     data[4] =secret1[(version *8)+1]
</pre>
     data[8] =secret1[(version *8)+2]
 
     data[0xC] =secret1[(version *8)+3]
= Other Key Material =
     data[1] =secret1[(version *8)+4]
<pre>
     data[5] =secret1[(version *8)+5]
TA-093 RCON
     data[9] =secret1[(version *8)+6]
 
     data[0xD] =secret1[(version *8)+7]
01020408102040801B366CD8AB4D9A2F5EBC63C697356AD4B37DFAEFC591A9037ED9F08993B79A7C773C0D264810A081FE192402DEFC87AC3C332B48B4EB
 
TA-093 ???
6A659283E3C41709214D8F29C6BACAFF67C419A2D064F04FA01271307A2BC5F5A56E
 
TA-093 Other Device Key0 (message)
 
03763C6865C69B0FFE8FD8EEA43616A0 (KIRK 4/7) (0x14)
 
TA-093 Other Device Key1 (Handler)
 
C1BF66818EF953F2E1266B6F550CC9CD (KIRK 4/7) (0x69)
 
TA-093 Other Device Key2 (Handler)
 
7D50B85CAF6769F0E54AA8098B0EBE1C (KIRK 4/7) (0x15)
 
TA-093 Other Device Key3 (message)
 
F10730C311E026FCF87B50AEA3D17BA0
 
TA-093 Other Device Secret0 (Handler)
 
8D5DA608F2BBC6CC
 
TA-093 Other Device Secret1 (Handler)
 
34DB81241D6F4057
 
TA-093 Other Device Secret2 (Handler)
 
E0DC41AFC2CD1C2D
 
TA-093 Battery Magic String (Handler)
 
SonyEnergyDevices\x00
 
TA-093 Other Device Secret3 (session)
 
0B2385010FB279BD
 
TA-093 Other Device Secret4 (session)
 
E1C3ECA91959040D
 
TA-093 Other Device Secret5 (session)
 
661A4D7F6ECD33C52BF5F29586A76448
</pre>
 
= V5 Script for comms of battery =
<pre>
#!/usr/bin/env python
'''
 
PSP v4 Syscon Handshake Calculator by Proxima (R)
 
'''
from Crypto.Cipher import AES
import os
 
 
 
keystore = {
0: [0x5C, 0x52, 0xD9, 0x1C, 0xF3, 0x82, 0xAC, 0xA4, 0x89, 0xD8, 0x81, 0x78, 0xEC, 0x16, 0x29, 0x7B],
1: [0x9D, 0x4F, 0x50, 0xFC, 0xE1, 0xB6, 0x8E, 0x12, 0x09, 0x30, 0x7D, 0xDB, 0xA6, 0xA5, 0xB5, 0xAA],
2: [0x09, 0x75, 0x98, 0x88, 0x64, 0xAC, 0xF7, 0x62, 0x1B, 0xC0, 0x90, 0x9D, 0xF0, 0xFC, 0xAB, 0xFF],
3: [0xC9, 0x11, 0x5C, 0xE2, 0x06, 0x4A, 0x26, 0x86, 0xD8, 0xD6, 0xD9, 0xD0, 0x8C, 0xDE, 0x30, 0x59],
4: [0x66, 0x75, 0x39, 0xD2, 0xFB, 0x42, 0x73, 0xB2, 0x90, 0x3F, 0xD7, 0xA3, 0x9E, 0xD2, 0xC6, 0x0C],
5: [0xF4, 0xFA, 0xEF, 0x20, 0xF4, 0xDB, 0xAB, 0x31, 0xD1, 0x86, 0x74, 0xFD, 0x8F, 0x99, 0x05, 0x66],
6: [0xEA, 0x0C, 0x81, 0x13, 0x63, 0xD7, 0xE9, 0x30, 0xF9, 0x61, 0x13, 0x5A, 0x4F, 0x35, 0x2D, 0xDC],
8: [0x0A, 0x2E, 0x73, 0x30, 0x5C, 0x38, 0x2D, 0x4F, 0x31, 0x0D, 0x0A, 0xED, 0x84, 0xA4, 0x18, 0x00],
0xA: [0xAC, 0x00, 0xC0, 0xE3, 0xE8, 0x0A, 0xF0, 0x68, 0x3F, 0xDD, 0x17, 0x45, 0x19, 0x45, 0x43, 0xBD],
0xD: [0xDF, 0xF3, 0xFC, 0xD6, 0x08, 0xB0, 0x55, 0x97, 0xCF, 0x09, 0xA2, 0x3B, 0xD1, 0x7D, 0x3F, 0xD2],
0xD9: [0xC7, 0xAC, 0x13, 0x06, 0xDE, 0xFE, 0x39, 0xEC, 0x83, 0xA1, 0x48, 0x3B, 0x0E, 0xE2, 0xEC, 0x89],
}
 
 
 
   
 
 
 
challenge1_secret = {
0: [0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68],
1: [0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E],
2: [0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89],
3: [0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C],
4: [0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46],
5: [0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B],
6: [0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2],
8: [0xAD, 0x40, 0x43, 0xB2, 0x56, 0xEB, 0x45, 0x8B],
0xA: [0xC2, 0x37, 0x7E, 0x8A, 0x74, 0x09, 0x6C, 0x5F],
0xD: [0x58, 0x1C, 0x7F, 0x19, 0x44, 0xF9, 0x62, 0x62],
0xD9: [0x90, 0xE1, 0xF0, 0xC0, 0x01, 0x78, 0xE3, 0xFF]
}
 
challenge2_secret = {
0: [0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB],
1: [0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5],
2: [0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD],
3: [0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4],
4: [0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F],
5: [0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2],
6: [0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0],
8: [0x67, 0xC0, 0x72, 0x15, 0xD9, 0x6B, 0x39, 0xA1],
0xA: [0x09, 0x3E, 0xC5, 0x19, 0xAF, 0x0F, 0x50, 0x2D],
0xD: [0x31, 0x80, 0x53, 0x87, 0x5C, 0x20, 0x3E, 0x24],
0xD9: [0xC3, 0x4A, 0x6A, 0x7B, 0x20, 0x5F, 0xE8, 0xF9]
}
   
 
 
def MixChallenge1(version, challenge):
   
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    secret1=challenge1_secret[version]
    data[0] =secret1[0]
     data[4] =secret1[1]
     data[8] =secret1[2]
     data[0xC] =secret1[3]
     data[1] =secret1[4]
     data[5] =secret1[5]
     data[9] =secret1[6]
     data[0xD] =secret1[7]
     data[2] = challenge[0]
     data[2] = challenge[0]
     data[6] = challenge[1]
     data[6] = challenge[1]
Line 224: Line 272:
     data[0xB] = challenge[6]
     data[0xB] = challenge[6]
     data[0xF] = challenge[7]
     data[0xF] = challenge[7]
    return data




def MixChallenge2(version, challenge):
def MixSecret2(version,data, challenge):
 
     secret2 = [  
     data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB,
     secret2=challenge2_secret[version]
    0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5,  
    0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD,
    0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4,
    0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F,
    0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2,
    0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0,
    ]
      
     data[0] =challenge[0]
     data[0] =challenge[0]
     data[4] =challenge[1]
     data[4] =challenge[1]
Line 239: Line 293:
     data[9] =challenge[6]
     data[9] =challenge[6]
     data[0xD] =challenge[7]
     data[0xD] =challenge[7]
     data[2] = secret2[0]
     data[2] = secret2[(version *8)+0]
     data[6] = secret2[1]
     data[6] = secret2[(version *8)+1]
     data[0xA] = secret2[2]
     data[0xA] = secret2[(version *8)+2]
     data[0xE] = secret2[3]
     data[0xE] = secret2[(version *8)+3]
     data[3] = secret2[4]
     data[3] = secret2[(version *8)+4]
     data[7] = secret2[5]
     data[7] = secret2[(version *8)+5]
     data[0xB] = secret2[6]
     data[0xB] = secret2[(version *8)+6]
     data[0xF] = secret2[7]
     data[0xF] = secret2[(version *8)+7]
    return data
 


def BatteryResponseRemap(dataA, dataB):
    message = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 


     
    message[8] = dataB[0]
    message[9] = dataB[1]
    message[0xA] = dataB[2]
    message[0xB] = dataB[3]
    message[0xC] = dataB[4]
    message[0xD] = dataB[5]
    message[0xE] = dataB[6]
    message[0xF] = dataB[7]     
   
    return message     


newmap = [
    0x00, 0x04, 0x08, 0x0C, 0x01, 0x05, 0x09, 0x0D, 0x02, 0x06, 0x0A, 0x0E, 0x03, 0x07, 0x0B, 0x0F,
]


def SysconResponseRemap(dataA):
    message = [ 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 
   
    return message




def MatrixSwap(key):
def BatteryResponseRemap2(dataA):
     temp = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
     message = [ 0,0,0,0, 0,0,0,0]
     for i in range(0,len(key)):
    message[0] = dataA[0]  
        temp[i] = key[newmap[i]]
     message[1] = dataA[4]
     return temp[0:len(key)]
    message[2] = dataA[8]
   
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]  
     message[6] = dataA[7]  
    message[7] = dataA[0xD]  


    return message




def sam_rcon(round):
    rcon = 0x8d
    for i in range(0, round):
        rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff
    return rcon
   
   
def ExpandKey(key):
    exp = bytearray(0xB0)
    #copy in key
    for i in range(0,0x10):
        exp[i] = key[i]
    #calculate additional round keys       
    for b in range (1,11):
        # calculate the sbox based values
        exp[b*0x10] = exp[(b-1)*0x10] ^ sbox[exp[((b-1)*0x10)+7]] ^ sam_rcon(b)
        exp[(b*0x10) + 4] = exp[((b-1)*0x10)+4] ^ sbox[exp[((b-1)*0x10)+0xB]]
        exp[(b*0x10) + 8] = exp[((b-1)*0x10)+8] ^ sbox[exp[((b-1)*0x10)+0xF]]
        exp[(b*0x10) + 0xC] = exp[((b-1)*0x10)+0xC] ^ sbox[exp[((b-1)*0x10)+3]]
        # calculate the xor based values
        for i in (1,2,3,5,6,7,9,0xA,0xB,0xD,0xE,0xF):
            exp[(b*0x10)+i] = exp[(b*0x10)+(i-1)] ^ exp[((b-1)*0x10)+i]
   
    return exp
         
   
   
def main():
def main():
 
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
     screq=bytes.fromhex(input("Syscon Challenge 1(9 bytes, first byte is version):"))
   
   
    # Uncomment this section to try the keygen
    inkey=bytes.fromhex(input("Key:"))
    rk=ExpandKey(inkey)
    for i in range(0,11):
        print("Round Key %02d: " % i + bytes(rk[i*0x10:(i*0x10)+0x10]).hex().upper())
   
     screq=bytes.fromhex(input("Syscon Challenge 1:"))




Line 278: Line 401:
     version= screq[0]
     version= screq[0]
     req = screq[1:]
     req = screq[1:]
   
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
    MixSecret1(version,data,req)
    sony_encrypt(version,data)
    second = data.copy()
    sony_encrypt(version,second)
    lastResponse=second[0:8]
    message=BatteryResponseRemap(data, second)
    print('<- Battery Response 1: 12 06 ' + bytes(message).hex().upper())
      
      
     # The first challenge mixes the syscon generated challenge and the first challenge secret
     MixSecret2(version,data,lastResponse)
    data=MixChallenge1(version,req)
     sony_encrypt(version,data)  
   
     message=SysconResponseRemap(data)
    # The first challenge has two encryption, one for the first half and one for the second half
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(message).hex().upper())
    challenge1a=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data)))
     sony_encrypt(version,data)  
    #print("Challenge1a: " +(bytes( challenge1a).hex().upper()))
    message=BatteryResponseRemap2(data)
    #second = bytearray(0x10)
     print('<- Battery Response 2: 0A 06 ' + bytes(message).hex().upper())
    #second[:] = challenge1a[:]
   
    #challenge1b=MatrixSwap(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes((second))))
    #print("Challenge1b: " +(bytes( challenge1b).hex().upper()))
    challenge1b = bytearray.fromhex('AAAAAAAAAAAAAAAA')
    response1 = bytes(challenge1a[0:8]) + bytes(challenge1b[0:8])
       
    print('<- Battery Response 1: 12 06 ' + bytes(response1).hex().upper())
   
    # The second challenge only uses the half of the first challenge and the second challenge secret
    data2=MixChallenge2(version,challenge1b[0:8])
     #data2=MixChallenge2(version,cb)
     challenge2=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data2)))
   
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(challenge2[0:8]).hex().upper())
      
    response2=(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(challenge2))
   
     print('<- Battery Response 2: 0A 06 ' + bytes(response2[0:8]).hex().upper())


      
      
if __name__ == "__main__":
if __name__ == "__main__":
     main()
     main()


</pre>
</pre>
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)