Kirk

From PSP Developer wiki
Revision as of 00:24, 18 February 2020 by CelesteBlue (talk | contribs) (Created page with "The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independantly of the CPU. It is intefaced via memory mapped registers at base of 0xBDE00000 ([SPOCK Crypto Engine] on the other hand is mapped to 0xBDF00000). It is capable of performing AES encryption, decryption, SHA1 Hash, pseudo random number generation, and signature checks (OMAC and ECDSA).

Commands

On PSP there are 18 KIRK commands. On PSVita, there are these 18 commands plus some new commands to support bigger keys (192 bits for example). See F00D commands.

Command ID Name Short description Input Output Result Used in
1 Super-Duper decryption (no inverse) Input size: size+0x40 memlmd, mesg_led
2 Encrypt Operation (inverse of cmd 3)
3 Decrypt Operation (inverse of cmd 2)
4 Encrypt Operation (inverse of cmd 7) (IV=0) Input size: size+0x14 chnnlsv, memab
5 Encrypt Operation (inverse of cmd 8) (IV=FuseID) Input size: size+0x14 chnnlsv
6 Encrypt Operation (inverse of cmd 9) (IV=UserDefined)
7 Decrypt Operation (inverse of cmd 4) (IV=0) Input size: size+0x14 memlmd, mesg_led,chnnlsv, memab
8 Decrypt Operation (inverse of cmd 5) (IV=FuseID) Input size: size+0x14 chnnlsv
9 Decrypt Operation (inverse of cmd 6) (IV=UserDefined)
10 (0xA) Private Signature Check (checks for private SCE sig)
11 (0xB) SHA1 Hash Input size: size memlmd, mesg_led, memab
12 (0xC) Mul1 Input size: 0 memab
13 (0xD) Mul2 Input size: 0x3C
14 (0xE) Pseudo Random Number Generation Input size: 0 mesg_led,chnnlsv,memab,semawm
15 (0xF) (absolutely no idea – could be KIRK initialization)
16 (0x10) Signature Generation Input size: 0x34 memab
17 (0x11) Signature Check (checks for generated sigs) Input size: 0x64 memab
18 (0x12) Certificate Check (idstorage signatures) Input size: 0xB8 openpsid, memab

Library

Calling commands using KIRK registers

Notes

In 2008 SilverSpring wrote:

Currently what is known about the cipher is that it is:
a block cipher operating in CBC mode
an all zero 128-bit initialization vector
128-bit block and key sizes
cmd4/7 uses a static key that is identical in all PSP’s
cmd5/8 uses a key based off the fuseID making all operations unique per PSP
cmd6/9 uses a user-defined 128-bit key
cmd1/2/3 uses the block cipher but also signature algorithms
the remaining KIRK cmd’s do not use the block cipher (sig, hash, & prng algo’s)
</source>