Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Battery Keys =
= Before The String (TA-093) =
 
== A01V13M07G chip ==


<pre>
<pre>
New Key 8: 0A2E73305C382D4F310D0AED84A41800
83CE15D82490C2992628B96BDB583E50
New Key 9: D20474308FE269046ED7BB07CF1CFF43
AD3218D82CD3CC1566E715A6EC2AA98C
New Key A: AC00C0E3E80AF0683FDD1745194543BD
BA4A5E95BBE615C9105CDD27F878D7B4
New Key B: 0177D750BDFD2BC1A0493A134A4C6ACF
9D051AA8EFCB798F1C890B937A29BA45
New Key C: 05349170939345EE951A14843334A0DE
DB04415CD0B19CDF0F91226AC2E61178
New Key D: DFF3FCD608B05597CF09A23BD17D3FD2
9797CC50685A38EBBCEFA56772132703
813C3D260C7814AAB6394830C35BA38F
EF8CB347B6F79D42312C4241E2176A52
7F4C8406B2DA34BE7B7595B704B5BC66
008BA83E1E90F9906EF6AD82DC42CF7A
6873F8E9DA75B6BDA549E98B2EB1B445
B705A8F64207DC799FFA81D2EB3C76E9
5647CB334B12DB8CF25F0E177F17AEA3
D10564897D003A29C342C51F4F1045BD
1E86182F6452F9140FCEC5AE6FB236A7
F73DD0634E1FB4C8AC8E0AD5055813EF
43F29CF6FE94B25D970603B039B07DFC
C8CE7EC9010FAA21CEA15F68E524AD5D
5278711133E6144EC3DE779A17FA4D4F
33F919900B896B3B149C6D60B2C63A73
BE2CA1327A5012773C64F52B45ADF558
26BD1836F55D0C38C90EDF8251926DC6
4D82242B5B47F9608DDFD2242F4C44B6
5306CE99F93B27A99D93B192345DEEA1
352E64C31A287B9D3C48FB02E65E4002
5772F958CF166B5F03763C6865C69B0F
FE8FD8EEA43616A0C1BF66818EF953F2
E1266B6F550CC9CD7D50B85CAF6769F0
E54AA8098B0EBE1CF10730C311E026FC
F87B50AEA3D17BA08D5DA608F2BBC6CC
34DB81241D6F4057E0DC41AFC2CD1C2D
</pre>
</pre>


= Even More Keys from Kicho & Dencho =
= The String (TA-093) =


<pre>
<pre>
23 1B 76 C8 E3 49 0C AD  05 BD 59 4C 1B 63 40 BE
SonyEnergyDevices\x00
</pre>
</pre>


* from TEST.prx, used for some umd seed generation
= After the String (TA-093) =
 
<pre>
<pre>
"FlashROM PreCalc"
0B2385010FB279BDE1C3ECA91959040D
661A4D7F6ECD33C52BF5F29586A76448
</pre>
</pre>


* from flashData.prx, used in idStorage 256-320 generation
= V2 Script for comms of battery =
* https://github.com/mathieulh/Despertar-Del-Cementerio/blob/master/idsregeneration/main.c#L5749
 
 
<pre>
<pre>
"Key-Info MI-Node"
#!/usr/bin/env python
</pre>
'''


* from flashData.prx, used in idStorage 256-320 generation
PSP v2 Syscon Handshake Calculator by Proxima (R)


= Wake Me Up Before You Go Go =
'''


== HandShake 0x80 ==


<pre>
Key EB
418499BE9D35A3B9FC6AD0D6F041BB26


Challenge 1 EB
sbox = [
0BD9027E851FA123
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
    ]


Challenge 2 EB
F791ED0B3F49A448


Key B3
key = [
03BEB65499140483BA187A64EF90261D
    0x5C, 0xF3, 0x89, 0xEC, 0x52, 0x82, 0xD8, 0x16, 0xD9, 0xAC, 0x81, 0x29, 0x1C, 0xA4, 0x78, 0x7B,
    0x1A, 0xE9, 0x60, 0x8C, 0xF7, 0x75, 0xAD, 0xBB, 0xF8, 0x54, 0xD5, 0xFC, 0xD2, 0x76, 0x0E, 0x75,
    0xF2, 0x1B, 0x7B, 0xF7, 0x47, 0x32, 0x9F, 0x24, 0x65, 0x31, 0xE4, 0x18, 0xB6, 0xC0, 0xCE, 0xBB,
    0xC0, 0xDB, 0xA0, 0x57, 0xEA, 0xD8, 0x47, 0x63, 0x8F, 0xBE, 0x5A, 0x42, 0xDE, 0x1E, 0xD0, 0x6B,
    0x33, 0xE8, 0x48, 0x1F, 0xC6, 0x1E, 0x59, 0x3A, 0xF0, 0x4E, 0x14, 0x56, 0x85, 0x9B, 0x4B, 0x20,
    0xA3, 0x4B, 0x03, 0x1C, 0x77, 0x69, 0x30, 0x0A, 0x47, 0x09, 0x1D, 0x4B, 0x45, 0xDE, 0x95, 0xB5,
    0xE4, 0xAF, 0xAC, 0xB0, 0xC4, 0xAD, 0x9D, 0x97, 0x92, 0x9B, 0x86, 0xCD, 0xD9, 0x07, 0x92, 0x27,
    0x2C, 0x83, 0x2F, 0x9F, 0x79, 0xD4, 0x49, 0xDE, 0x5E, 0xC5, 0x43, 0x8E, 0x3E, 0x39, 0xAB, 0x8C,
    0xB1, 0x32, 0x1D, 0x82, 0x60, 0xB4, 0xFD, 0x23, 0x3A, 0xFF, 0xBC, 0x32, 0xE5, 0xDC, 0x77, 0xFB,
    0x8C, 0xBE, 0xA3, 0x21, 0x43, 0xF7, 0x0A, 0x29, 0x35, 0xCA, 0x76, 0x44, 0xF6, 0x2A, 0x5D, 0xA6,
    0x1F, 0xA1, 0x02, 0x23, 0x58, 0xAF, 0xA5, 0x8C, 0x11, 0xDB, 0xAD, 0xE9, 0x0B, 0x21, 0x7C, 0xDA,
    0x9D, 0xE1, 0x09, 0xA6, 0x4F, 0xB6, 0x30, 0xA5, 0x50, 0x8E, 0x7D, 0xB5, 0xFC, 0x12, 0xDB, 0xAA,
    0x9A, 0x7B, 0x72, 0xD4, 0x9A, 0x2C, 0x1C, 0xB9, 0xFC, 0x72, 0x0F, 0xBA, 0xD8, 0xCA, 0x11, 0xBB,
    0xCE, 0xB5, 0xC7, 0x13, 0x6E, 0x42, 0x5E, 0xE7, 0x16, 0x64, 0x6B, 0xD1, 0x90, 0x5A, 0x4B, 0xF0,
    0x5E, 0xEB, 0x2C, 0x3F, 0x50, 0x12, 0x4C, 0xAB, 0x9A, 0xFE, 0x95, 0x44, 0xED, 0xB7, 0xFC, 0x0C,
    0x34, 0xDF, 0xF3, 0xCC, 0x4B, 0x59, 0x15, 0xBE, 0x64, 0x9A, 0x0F, 0x4B, 0x98, 0x2F, 0xD3, 0xDF,
    0x8A, 0x55, 0xA6, 0x6A, 0xF8, 0xA1, 0xB4, 0x0A, 0xFA, 0x60, 0x6F, 0x24, 0xD3, 0xFC, 0x2F, 0xF0,
    0xCD, 0x98, 0x3E, 0x54, 0xCE, 0x6F, 0xDB, 0xD1, 0x76, 0x16, 0x79, 0x5D, 0xD1, 0x2D, 0x02, 0xF2,
    0xB3, 0x2B, 0x15, 0x41, 0x82, 0xED, 0x36, 0xE7, 0xFF, 0xE9, 0x90, 0xCD, 0xF1, 0xDC, 0xDE, 0x2C,
    0xA7, 0x8C, 0x99, 0xD8, 0x3F, 0xD2, 0xE4, 0x03, 0x8E, 0x67, 0xF7, 0x3A, 0x72, 0xAE, 0x70, 0x5C,
    0xC7, 0x4B, 0xD2, 0x0A, 0xBF, 0x6D, 0x89, 0x8A, 0xC4, 0xA3, 0x54, 0x6E, 0x13, 0xBD, 0xCD, 0x91,
    0x8F, 0xC4, 0x16, 0x1C, 0x20, 0x4D, 0xC4, 0x4E, 0x45, 0xE6, 0xB2, 0xDC, 0x74, 0xC9, 0x04, 0x95,
    0x09, 0x64, 0x1B, 0xF0, 0x75, 0xAC, 0xC0, 0xFC, 0x98, 0xF7, 0x90, 0xAB, 0x88, 0x62, 0x9D, 0xFF,
    0xB8, 0xDC, 0xC7, 0x37, 0x17, 0xBB, 0x7B, 0x87, 0x8E, 0x79, 0xE9, 0x42, 0x04, 0x66, 0xFB, 0x04,
    0xAD, 0x71, 0xB6, 0x81, 0x3B, 0x80, 0xFB, 0x7C, 0x7C, 0x05, 0xEC, 0xAE, 0x9E, 0xF8, 0x03, 0x07,
    0xB9, 0xC8, 0x7E, 0xFF, 0xDF, 0x5F, 0xA4, 0xD8, 0xB9, 0xBC, 0x50, 0xFE, 0x92, 0x6A, 0x69, 0x6E,
    0xD0, 0x18, 0x66, 0x99, 0x64, 0x3B, 0x9F, 0x47, 0x26, 0x9A, 0xCA, 0x34, 0x84, 0xEE, 0x87, 0xE9,
    0x60, 0x78, 0x1E, 0x87, 0x7C, 0x47, 0xD8, 0x9F, 0x38, 0xA2, 0x68, 0x5C, 0x6A, 0x84, 0x03, 0xEA,
    0x9B, 0xE3, 0xFD, 0x7A, 0x36, 0x71, 0xA9, 0x36, 0xBF, 0x1D, 0x75, 0x29, 0x7D, 0xF9, 0xFA, 0x10,
    0xDE, 0x3D, 0xC0, 0xBA, 0x93, 0xE2, 0x4B, 0x7D, 0x75, 0x68, 0x1D, 0x34, 0xA7, 0x5E, 0xA4, 0xB4,
    0xA1, 0x9C, 0x5C, 0xE6, 0x8B, 0x69, 0x22, 0x5F, 0xF8, 0x90, 0x8D, 0xB9, 0x53, 0x0D, 0xA9, 0x1D,
    0x75, 0xE9, 0xB5, 0x53, 0xDD, 0xB4, 0x96, 0xC9, 0x5C, 0xCC, 0x41, 0xF8, 0xDD, 0xD0, 0x79, 0x64,
    0x9E, 0x77, 0xC2, 0x91, 0x9C, 0x28, 0xBE, 0x77, 0x1F, 0xD3, 0x92, 0x6A, 0x30, 0xE0, 0x99, 0xFD,
    0xC9, 0x06, 0xD8, 0x8C, 0x11, 0x4A, 0xD6, 0xDE, 0x5C, 0x26, 0xD9, 0x30, 0xE2, 0x86, 0xD0, 0x59,
    0xD5, 0xD3, 0x0B, 0x87, 0x15, 0x5F, 0x89, 0x57, 0x97, 0xB1, 0x68, 0x58, 0x86, 0x00, 0xD0, 0x89,
    0x8C, 0x5F, 0x54, 0xD3, 0x7F, 0x20, 0xA9, 0xFE, 0x30, 0x81, 0xE9, 0xB1, 0x91, 0x91, 0x41, 0xC8,
    0x33, 0x6C, 0x38, 0xEB, 0xB7, 0x97, 0x3E, 0xC0, 0xD8, 0x59, 0xB0, 0x01, 0xF7, 0x66, 0x27, 0xEF,
    0x81, 0xED, 0xD5, 0x3E, 0xCB, 0x5C, 0x62, 0xA2, 0x07, 0x5E, 0xEE, 0xEF, 0x1E, 0x78, 0x5F, 0xB0,
    0xAB, 0x46, 0x93, 0xAD, 0x14, 0x48, 0x2A, 0x88, 0xE0, 0xBE, 0x50, 0xBF, 0xAC, 0xD4, 0x8B, 0x3B,
    0x4F, 0x09, 0x9A, 0x37, 0x1C, 0x54, 0x7E, 0xF6, 0x02, 0xBC, 0xEC, 0x53, 0x39, 0xED, 0x66, 0x5D,
    0x4D, 0x44, 0xDE, 0xE9, 0xF1, 0xA5, 0xDB, 0x2D, 0x4E, 0xF2, 0x1E, 0x4D, 0xA3, 0x4E, 0x28, 0x75,
    0x15, 0x51, 0x8F, 0x66, 0x12, 0xB7, 0x6C, 0x41, 0xD3, 0x21, 0x3F, 0x72, 0xBD, 0xF3, 0xDB, 0xAE,
    0x8D, 0xDC, 0x53, 0x35, 0x52, 0xE5, 0x89, 0xC8, 0x37, 0x16, 0x29, 0x5B, 0x8E, 0x7D, 0xA6, 0x08,
    0x53, 0x8F, 0xDC, 0xE9, 0x6B, 0x8E, 0x07, 0xCF, 0x07, 0x11, 0x38, 0x63, 0x18, 0x65, 0xC3, 0xCB,
    0x66, 0xFB, 0x90, 0x9E, 0x75, 0x42, 0x3F, 0xD2, 0x39, 0x73, 0xD7, 0xC6, 0xD2, 0xB2, 0xA3, 0x0C,
    0xD2, 0x29, 0xB9, 0x27, 0xC1, 0x83, 0xBC, 0x6E, 0xC7, 0xB4, 0x63, 0xA5, 0xD9, 0x6B, 0xC8, 0xC4,
    0x4F, 0x66, 0xDF, 0xF8, 0xC7, 0x44, 0xF8, 0x96, 0xDB, 0x6F, 0x0C, 0xA9, 0x15, 0x7E, 0xB6, 0x72,
    0xDB, 0xBD, 0x62, 0x9A, 0x14, 0x50, 0xA8, 0x3E, 0x9B, 0xF4, 0xF8, 0x51, 0x54, 0x2A, 0x9C, 0xEE,
    0x61, 0xDC, 0xBE, 0x24, 0xC5, 0x95, 0x3D, 0x03, 0xB3, 0x47, 0xBF, 0xEE, 0xEC, 0xC6, 0x5A, 0xB4,
    0x0A, 0xD6, 0x68, 0x4C, 0xED, 0x78, 0x45, 0x46, 0x3E, 0x79, 0xC6, 0x28, 0xDA, 0x1C, 0x46, 0xF2,
    0x70, 0xA6, 0xCE, 0x82, 0xD9, 0xA1, 0xE4, 0xA2, 0xB7, 0xCE, 0x08, 0x20, 0xF3, 0xEF, 0xA9, 0x5B,
    0x0A, 0xAC, 0x62, 0xE0, 0x6E, 0xCF, 0x2B, 0x89, 0x8E, 0x40, 0x48, 0x68, 0xE0, 0x0F, 0xA6, 0xFD,
    0x2D, 0x81, 0xE3, 0x03, 0x2B, 0xE4, 0xCF, 0x46, 0xDA, 0x9A, 0xD2, 0xBA, 0x01, 0x0E, 0xA8, 0x55,
    0x6C, 0xED, 0x0E, 0x0D, 0xDF, 0x3B, 0xF4, 0xB2, 0x26, 0xBC, 0x6E, 0xD4, 0x7A, 0x74, 0xDC, 0x89,
    0x6D, 0x80, 0x8E, 0x83, 0x97, 0xAC, 0x58, 0xEA, 0x81, 0x3D, 0x53, 0x87, 0xAD, 0xD9, 0x05, 0x8C,
    0xF4, 0xF4, 0xD1, 0x8F, 0xFA, 0xDB, 0x86, 0x99, 0xEF, 0xAB, 0x74, 0x05, 0x20, 0x31, 0xFD, 0x66,
    0x1B, 0xEF, 0x3E, 0xB1, 0x91, 0x4A, 0xCC, 0x55, 0xDC, 0x77, 0x03, 0x06, 0x53, 0x62, 0x9F, 0xF9,
    0xE5, 0x0A, 0x34, 0x85, 0xFE, 0xB4, 0x78, 0x2D, 0x45, 0x32, 0x31, 0x37, 0x9B, 0xF9, 0x66, 0x9F,
    0x39, 0x33, 0x07, 0x82, 0x64, 0xD0, 0xA8, 0x85, 0x9E, 0xAC, 0x9D, 0xAA, 0x0C, 0xF5, 0x93, 0x0C,
    0xA6, 0x95, 0x92, 0x10, 0xC8, 0x18, 0xB0, 0x35, 0x60, 0xCC, 0x51, 0xFB, 0x1F, 0xEA, 0x79, 0x75,
    0x20, 0xB5, 0x27, 0x37, 0xC7, 0xDF, 0x6F, 0x5A, 0xFD, 0x31, 0x60, 0x9B, 0xD5, 0x3F, 0x46, 0x33,
    0xBE, 0x0B, 0x2C, 0x1B, 0xD3, 0x0C, 0x63, 0x39, 0x3E, 0x0F, 0x6F, 0xF4, 0x4F, 0x70, 0x36, 0x05,
    0xEC, 0xE7, 0xCB, 0xD0, 0x6C, 0x60, 0x03, 0x3A, 0x55, 0x5A, 0x35, 0xC1, 0xE0, 0x90, 0xA6, 0xA3,
    0xEC, 0x0B, 0xC0, 0x10, 0x14, 0x74, 0x77, 0x4D, 0x5F, 0x05, 0x30, 0xF1, 0x90, 0x00, 0xA6, 0x05,
    0x14, 0x1F, 0xDF, 0xCF, 0xB5, 0xC1, 0xB6, 0xFB, 0x34, 0x31, 0x01, 0xF0, 0x5A, 0x5A, 0xFC, 0xF9,
    0x2D, 0x32, 0xED, 0x22, 0x39, 0xF8, 0x4E, 0xB5, 0xAD, 0x9C, 0x9D, 0x6D, 0xD0, 0x8A, 0x76, 0x8F,
    0xEA, 0x63, 0xF9, 0x4F, 0x0C, 0xD7, 0x61, 0x35, 0x81, 0xE9, 0x13, 0x2D, 0x13, 0x30, 0x5A, 0xDC,
    0x7D, 0x1E, 0xE7, 0xA8, 0xD4, 0x03, 0x62, 0x57, 0x07, 0xEE, 0xFD, 0xD0, 0x97, 0xA7, 0xFD, 0x21,
    0x24, 0x3A, 0xDD, 0x75, 0xA4, 0xA7, 0xC5, 0x92, 0xFA, 0x14, 0xE9, 0x39, 0x55, 0xF2, 0x0F, 0x2E,
    0x6F, 0x55, 0x88, 0xFD, 0xB6, 0x11, 0xD4, 0x46, 0xCB, 0xDF, 0x36, 0x0F, 0xC8, 0x3A, 0x35, 0x1B,
    0x3D, 0x68, 0xE0, 0x1D, 0xC0, 0xD1, 0x05, 0x43, 0x64, 0xBB, 0x8D, 0x82, 0x9C, 0xA6, 0x93, 0x88,
    0x37, 0x5F, 0xBF, 0xA2, 0xD3, 0x02, 0x07, 0x44, 0xA0, 0x1B, 0x96, 0x14, 0x38, 0x9E, 0x0D, 0x85,
    0x0C, 0x53, 0xEC, 0x4E, 0x29, 0x2B, 0x2C, 0x68, 0x37, 0x2C, 0xBA, 0xAE, 0x02, 0x9C, 0x91, 0x14,
    0x09, 0x5A, 0xB6, 0xF8, 0xCD, 0xE6, 0xCA, 0xA2, 0xCD, 0xE1, 0x5B, 0xF5, 0x2D, 0xB1, 0x20, 0x34,
    0xB3, 0xE9, 0x5F, 0xA7, 0x2B, 0xCD, 0x07, 0xA5, 0xD5, 0x34, 0x6F, 0x9A, 0x6C, 0xDD, 0xFD, 0xC9,
    0xAE, 0x47, 0x18, 0xBF, 0x93, 0x5E, 0x59, 0xFC, 0x08, 0x3C, 0x53, 0xC9, 0x30, 0xED, 0x10, 0xD9,
    0x28, 0x6F, 0x77, 0xC8, 0x4E, 0x10, 0x49, 0xB5, 0x3D, 0x01, 0x52, 0x9B, 0x38, 0xD5, 0xC5, 0x1C,
]
   


Challenge 1 B3
def ShiftRows(state):
DBD3AEA4DB046410
    tmp = state[5]
    state[5] = state[7]
    state[7] = tmp
    tmp = state[8]
    state[8] = state[0xB]
    state[0xB] = tmp
    tmp = state[9]
    state[9] = state[0xA]
    state[0xA] = tmp
    tmp = state[0xC]
    state[0xC] = state[0xE]
    state[0xE] = tmp


Challenge 2 B3
E32B8F56B2641298
</pre>


== Handshake 0x90 ==
def SubBytes(state):
    for i in range(0,0x10):
        state[i] = sbox[state[i]]


<pre>
Yet another battery handshake key 1
880E2A94110926B20E53E22AE648AE9D IV/DATA


Yet another battery handshake key 2
def MixColumns(a,state):
C66E9ED6ECBCB121B7465D25037D6646 KEY
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff
   
    c=state[a+4]
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
    u = c ^ state[a+4] ^ b ^ state[a+8] ^ state[a+0xC]


Yet another battery handshake key 3
    c=state[a+4]
DA24DAB43A61CBDF61FD255D0AEA7957 KEY
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
   
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff


Yet another battery handshake const val
    x = d ^ state[a+8] ^ c ^ state[a] ^ state[a+0xc]
82828282
   
</pre>
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff


== Flash Update Handshake ==
    y = e ^ state[a+0xC] ^ d ^ state[a] ^ state[a+4]   
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff
   
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff


<pre>
    z = b ^ state[a] ^ e ^ state[a+4] ^ state[a+8]   
Flash Update Handshake key1
    state[a+0xC] = z
78721A6284050ACF07F52C6EBAA32F98
    state[a+8] = y
 
    state[a+4] = x
Flash Update Handshake key2
    state[a] = u
08489E59EDD0666E6A83237585C795CB
   
 
 
Flash Update Handshake shared secret 1
def AddRoundKey(version,b,state):
6EBE650DCEDCB6163158AC0CAD158907
    for i in range(0, 2):
</pre>
        state[(i*2)] ^= key[(0xB0*version)+(b*0x10)+(i*2)]
 
        state[(i*2)+1] ^= key[(0xB0*version)+(b*0x10)+(i*2)+1]
= Other Key Material =
    for i in range(2, 8):
<pre>
        a=state[(i*2)] ^ key[(0xB0*version)+(b*0x10)+(i*2)]
TA-093 RCON
        c=state[(i*2)+1] ^ key[(0xB0*version)+(b*0x10)+(i*2)+1]
 
        state[(i*2)+1]=a
01020408102040801B366CD8AB4D9A2F5EBC63C697356AD4B37DFAEFC591A9037ED9F08993B79A7C773C0D264810A081FE192402DEFC87AC3C332B48B4EB
        state[(i*2)]=c
 
TA-093 ???
6A659283E3C41709214D8F29C6BACAFF67C419A2D064F04FA01271307A2BC5F5A56E
 
TA-093 Other Device Key0 (message)
 
03763C6865C69B0FFE8FD8EEA43616A0 (KIRK 4/7) (0x14)
 
TA-093 Other Device Key1 (Handler)
 
C1BF66818EF953F2E1266B6F550CC9CD (KIRK 4/7) (0x69)
 
TA-093 Other Device Key2 (Handler)
 
7D50B85CAF6769F0E54AA8098B0EBE1C (KIRK 4/7) (0x15)
 
TA-093 Other Device Key3 (message)
 
F10730C311E026FCF87B50AEA3D17BA0
 
TA-093 Other Device Secret0 (Handler)
 
8D5DA608F2BBC6CC
 
TA-093 Other Device Secret1 (Handler)
 
34DB81241D6F4057
 
TA-093 Other Device Secret2 (Handler)
 
E0DC41AFC2CD1C2D
 
TA-093 Battery Magic String (Handler)
 
SonyEnergyDevices\x00
 
TA-093 Other Device Secret3 (session)


0B2385010FB279BD


TA-093 Other Device Secret4 (session)
def FinalRoundKey(version,state):
    for i in range(0, 2):
        state[(i*2)] ^= key[(0xB0*version)+(10*0x10)+(i*2)]
        state[(i*2)+1] ^= key[(0xB0*version)+(10*0x10)+(i*2)+1]
    for i in range(2, 8):
        a=state[(i*2)] ^ key[(0xB0*version)+(10*0x10)+(i*2)]
        c=state[(i*2)+1] ^ key[(0xB0*version)+(10*0x10)+(i*2)+1]
        state[(i*2)+1]=c
        state[(i*2)]=a


E1C3ECA91959040D


TA-093 Other Device Secret5 (session)
def sony_encrypt(version,data):
    AddRoundKey(version,0,data)
    for i in range (1,10):
        ShiftRows(data)
        SubBytes(data)
        MixColumns(0,data)
        MixColumns(1,data)
        MixColumns(2,data)
        MixColumns(3,data)
        AddRoundKey(version,i,data)
    ShiftRows(data)
    SubBytes(data)
    FinalRoundKey(version,data)


661A4D7F6ECD33C52BF5F29586A76448
</pre>


= V5 Script for comms of battery =
def MixSecret1(version,data, challenge):
<pre>
    secret1 = [
#!/usr/bin/env python
    0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68,
'''
    0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E,
    0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89,
    0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C,
    0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46,
    0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B,
    0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2,
    ]


PSP v4 Syscon Handshake Calculator by Proxima (R)
    data[0] =secret1[(version *8)+0]
 
     data[4] =secret1[(version *8)+1]
'''
     data[8] =secret1[(version *8)+2]
from Crypto.Cipher import AES
     data[0xC] =secret1[(version *8)+3]
import os
     data[1] =secret1[(version *8)+4]
 
     data[5] =secret1[(version *8)+5]
 
     data[9] =secret1[(version *8)+6]
 
     data[0xD] =secret1[(version *8)+7]
keystore = {
0: [0x5C, 0x52, 0xD9, 0x1C, 0xF3, 0x82, 0xAC, 0xA4, 0x89, 0xD8, 0x81, 0x78, 0xEC, 0x16, 0x29, 0x7B],
1: [0x9D, 0x4F, 0x50, 0xFC, 0xE1, 0xB6, 0x8E, 0x12, 0x09, 0x30, 0x7D, 0xDB, 0xA6, 0xA5, 0xB5, 0xAA],
2: [0x09, 0x75, 0x98, 0x88, 0x64, 0xAC, 0xF7, 0x62, 0x1B, 0xC0, 0x90, 0x9D, 0xF0, 0xFC, 0xAB, 0xFF],
3: [0xC9, 0x11, 0x5C, 0xE2, 0x06, 0x4A, 0x26, 0x86, 0xD8, 0xD6, 0xD9, 0xD0, 0x8C, 0xDE, 0x30, 0x59],
4: [0x66, 0x75, 0x39, 0xD2, 0xFB, 0x42, 0x73, 0xB2, 0x90, 0x3F, 0xD7, 0xA3, 0x9E, 0xD2, 0xC6, 0x0C],
5: [0xF4, 0xFA, 0xEF, 0x20, 0xF4, 0xDB, 0xAB, 0x31, 0xD1, 0x86, 0x74, 0xFD, 0x8F, 0x99, 0x05, 0x66],
6: [0xEA, 0x0C, 0x81, 0x13, 0x63, 0xD7, 0xE9, 0x30, 0xF9, 0x61, 0x13, 0x5A, 0x4F, 0x35, 0x2D, 0xDC],
8: [0x0A, 0x2E, 0x73, 0x30, 0x5C, 0x38, 0x2D, 0x4F, 0x31, 0x0D, 0x0A, 0xED, 0x84, 0xA4, 0x18, 0x00],
0xA: [0xAC, 0x00, 0xC0, 0xE3, 0xE8, 0x0A, 0xF0, 0x68, 0x3F, 0xDD, 0x17, 0x45, 0x19, 0x45, 0x43, 0xBD],
0xD: [0xDF, 0xF3, 0xFC, 0xD6, 0x08, 0xB0, 0x55, 0x97, 0xCF, 0x09, 0xA2, 0x3B, 0xD1, 0x7D, 0x3F, 0xD2],
0xD9: [0xC7, 0xAC, 0x13, 0x06, 0xDE, 0xFE, 0x39, 0xEC, 0x83, 0xA1, 0x48, 0x3B, 0x0E, 0xE2, 0xEC, 0x89],
}
 
 
 
   
 
 
 
challenge1_secret = {
0: [0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68],
1: [0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E],
2: [0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89],
3: [0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C],
4: [0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46],
5: [0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B],
6: [0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2],
8: [0xAD, 0x40, 0x43, 0xB2, 0x56, 0xEB, 0x45, 0x8B],
0xA: [0xC2, 0x37, 0x7E, 0x8A, 0x74, 0x09, 0x6C, 0x5F],
0xD: [0x58, 0x1C, 0x7F, 0x19, 0x44, 0xF9, 0x62, 0x62],
0xD9: [0x90, 0xE1, 0xF0, 0xC0, 0x01, 0x78, 0xE3, 0xFF]
}
 
challenge2_secret = {
0: [0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB],
1: [0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5],
2: [0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD],
3: [0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4],
4: [0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F],
5: [0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2],
6: [0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0],
8: [0x67, 0xC0, 0x72, 0x15, 0xD9, 0x6B, 0x39, 0xA1],
0xA: [0x09, 0x3E, 0xC5, 0x19, 0xAF, 0x0F, 0x50, 0x2D],
0xD: [0x31, 0x80, 0x53, 0x87, 0x5C, 0x20, 0x3E, 0x24],
0xD9: [0xC3, 0x4A, 0x6A, 0x7B, 0x20, 0x5F, 0xE8, 0xF9]
}
   
 
 
def MixChallenge1(version, challenge):
   
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    secret1=challenge1_secret[version]
    data[0] =secret1[0]
     data[4] =secret1[1]
     data[8] =secret1[2]
     data[0xC] =secret1[3]
     data[1] =secret1[4]
     data[5] =secret1[5]
     data[9] =secret1[6]
     data[0xD] =secret1[7]
     data[2] = challenge[0]
     data[2] = challenge[0]
     data[6] = challenge[1]
     data[6] = challenge[1]
Line 224: Line 313:
     data[0xB] = challenge[6]
     data[0xB] = challenge[6]
     data[0xF] = challenge[7]
     data[0xF] = challenge[7]
    return data




def MixChallenge2(version, challenge):
def MixSecret2(version,data, challenge):
 
     secret2 = [  
     data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB,
     secret2=challenge2_secret[version]
    0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5,  
    0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD,
    0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4,
    0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F,
    0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2,
    0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0,
    ]
      
     data[0] =challenge[0]
     data[0] =challenge[0]
     data[4] =challenge[1]
     data[4] =challenge[1]
Line 239: Line 334:
     data[9] =challenge[6]
     data[9] =challenge[6]
     data[0xD] =challenge[7]
     data[0xD] =challenge[7]
     data[2] = secret2[0]
     data[2] = secret2[(version *8)+0]
     data[6] = secret2[1]
     data[6] = secret2[(version *8)+1]
     data[0xA] = secret2[2]
     data[0xA] = secret2[(version *8)+2]
     data[0xE] = secret2[3]
     data[0xE] = secret2[(version *8)+3]
     data[3] = secret2[4]
     data[3] = secret2[(version *8)+4]
     data[7] = secret2[5]
     data[7] = secret2[(version *8)+5]
     data[0xB] = secret2[6]
     data[0xB] = secret2[(version *8)+6]
     data[0xF] = secret2[7]
     data[0xF] = secret2[(version *8)+7]
    return data




     
def BatteryResponseRemap(dataA, dataB):
    message = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 


newmap = [
    message[8] = dataB[0]
     0x00, 0x04, 0x08, 0x0C, 0x01, 0x05, 0x09, 0x0D, 0x02, 0x06, 0x0A, 0x0E, 0x03, 0x07, 0x0B, 0x0F,
     message[9] = dataB[1]
]
    message[0xA] = dataB[2]
    message[0xB] = dataB[3]
    message[0xC] = dataB[4]
    message[0xD] = dataB[5]
    message[0xE] = dataB[6]
    message[0xF] = dataB[7]     
   
    return message     




def SysconResponseRemap(dataA):
    message = [ 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 
   
    return message


def MatrixSwap(key):
    temp = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    for i in range(0,len(key)):
        temp[i] = key[newmap[i]]
    return temp[0:len(key)]


def BatteryResponseRemap2(dataA):
    message = [ 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 
    return message




def sam_rcon(round):
    rcon = 0x8d
    for i in range(0, round):
        rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff
    return rcon
   
   
def ExpandKey(key):
    exp = bytearray(0xB0)
    #copy in key
    for i in range(0,0x10):
        exp[i] = key[i]
    #calculate additional round keys       
    for b in range (1,11):
        # calculate the sbox based values
        exp[b*0x10] = exp[(b-1)*0x10] ^ sbox[exp[((b-1)*0x10)+7]] ^ sam_rcon(b)
        exp[(b*0x10) + 4] = exp[((b-1)*0x10)+4] ^ sbox[exp[((b-1)*0x10)+0xB]]
        exp[(b*0x10) + 8] = exp[((b-1)*0x10)+8] ^ sbox[exp[((b-1)*0x10)+0xF]]
        exp[(b*0x10) + 0xC] = exp[((b-1)*0x10)+0xC] ^ sbox[exp[((b-1)*0x10)+3]]
        # calculate the xor based values
        for i in (1,2,3,5,6,7,9,0xA,0xB,0xD,0xE,0xF):
            exp[(b*0x10)+i] = exp[(b*0x10)+(i-1)] ^ exp[((b-1)*0x10)+i]
   
    return exp
         
   
   
def main():
def main():
 
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
     screq=bytes.fromhex(input("Syscon Challenge 1(9 bytes, first byte is version):"))
   
   
    # Uncomment this section to try the keygen
    inkey=bytes.fromhex(input("Key:"))
    rk=ExpandKey(inkey)
    for i in range(0,11):
        print("Round Key %02d: " % i + bytes(rk[i*0x10:(i*0x10)+0x10]).hex().upper())
   
     screq=bytes.fromhex(input("Syscon Challenge 1:"))




Line 278: Line 442:
     version= screq[0]
     version= screq[0]
     req = screq[1:]
     req = screq[1:]
   
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
    MixSecret1(version,data,req)
    sony_encrypt(version,data)
    second = data.copy()
    sony_encrypt(version,second)
    lastResponse=second[0:8]
    message=BatteryResponseRemap(data, second)
    print('<- Battery Response 1: 12 06 ' + bytes(message).hex().upper())
      
      
     # The first challenge mixes the syscon generated challenge and the first challenge secret
     MixSecret2(version,data,lastResponse)
    data=MixChallenge1(version,req)
     sony_encrypt(version,data)  
   
     message=SysconResponseRemap(data)
    # The first challenge has two encryption, one for the first half and one for the second half
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(message).hex().upper())
    challenge1a=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data)))
     sony_encrypt(version,data)  
    #print("Challenge1a: " +(bytes( challenge1a).hex().upper()))
    message=BatteryResponseRemap2(data)
    #second = bytearray(0x10)
     print('<- Battery Response 2: 0A 06 ' + bytes(message).hex().upper())
    #second[:] = challenge1a[:]
   
    #challenge1b=MatrixSwap(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes((second))))
    #print("Challenge1b: " +(bytes( challenge1b).hex().upper()))
    challenge1b = bytearray.fromhex('AAAAAAAAAAAAAAAA')
    response1 = bytes(challenge1a[0:8]) + bytes(challenge1b[0:8])
       
    print('<- Battery Response 1: 12 06 ' + bytes(response1).hex().upper())
   
    # The second challenge only uses the half of the first challenge and the second challenge secret
    data2=MixChallenge2(version,challenge1b[0:8])
     #data2=MixChallenge2(version,cb)
     challenge2=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data2)))
   
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(challenge2[0:8]).hex().upper())
      
    response2=(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(challenge2))
   
     print('<- Battery Response 2: 0A 06 ' + bytes(response2[0:8]).hex().upper())


      
      
if __name__ == "__main__":
if __name__ == "__main__":
     main()
     main()


</pre>
</pre>
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)