Editing Talk:Keys

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Battery Keys =


== A01V13M07G chip ==


= V2 Script for comms of battery =
<pre>
<pre>
New Key 8: 0A2E73305C382D4F310D0AED84A41800
#!/usr/bin/env python
New Key 9: D20474308FE269046ED7BB07CF1CFF43
'''
New Key A: AC00C0E3E80AF0683FDD1745194543BD
New Key B: 0177D750BDFD2BC1A0493A134A4C6ACF
New Key C: 05349170939345EE951A14843334A0DE
New Key D: DFF3FCD608B05597CF09A23BD17D3FD2
</pre>


= Even More Keys from Kicho & Dencho =
PSP v2 Syscon Handshake Calculator by Proxima (R)


<pre>
'''
23 1B 76 C8 E3 49 0C AD  05 BD 59 4C 1B 63 40 BE
</pre>


* from TEST.prx, used for some umd seed generation


<pre>
"FlashROM PreCalc"
</pre>


* from flashData.prx, used in idStorage 256-320 generation
sbox = [
* https://github.com/mathieulh/Despertar-Del-Cementerio/blob/master/idsregeneration/main.c#L5749
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,  
    ]




<pre>
key = [
"Key-Info MI-Node"
    0x5C, 0xF3, 0x89, 0xEC, 0x52, 0x82, 0xD8, 0x16, 0xD9, 0xAC, 0x81, 0x29, 0x1C, 0xA4, 0x78, 0x7B,
</pre>
    0x1A, 0xE9, 0x60, 0x8C, 0xF7, 0x75, 0xAD, 0xBB, 0xF8, 0x54, 0xD5, 0xFC, 0xD2, 0x76, 0x0E, 0x75,
    0xF2, 0x1B, 0x7B, 0xF7, 0x47, 0x32, 0x9F, 0x24, 0x65, 0x31, 0xE4, 0x18, 0xB6, 0xC0, 0xCE, 0xBB,
    0xC0, 0xDB, 0xA0, 0x57, 0xEA, 0xD8, 0x47, 0x63, 0x8F, 0xBE, 0x5A, 0x42, 0xDE, 0x1E, 0xD0, 0x6B,
    0x33, 0xE8, 0x48, 0x1F, 0xC6, 0x1E, 0x59, 0x3A, 0xF0, 0x4E, 0x14, 0x56, 0x85, 0x9B, 0x4B, 0x20,
    0xA3, 0x4B, 0x03, 0x1C, 0x77, 0x69, 0x30, 0x0A, 0x47, 0x09, 0x1D, 0x4B, 0x45, 0xDE, 0x95, 0xB5,
    0xE4, 0xAF, 0xAC, 0xB0, 0xC4, 0xAD, 0x9D, 0x97, 0x92, 0x9B, 0x86, 0xCD, 0xD9, 0x07, 0x92, 0x27,
    0x2C, 0x83, 0x2F, 0x9F, 0x79, 0xD4, 0x49, 0xDE, 0x5E, 0xC5, 0x43, 0x8E, 0x3E, 0x39, 0xAB, 0x8C,
    0xB1, 0x32, 0x1D, 0x82, 0x60, 0xB4, 0xFD, 0x23, 0x3A, 0xFF, 0xBC, 0x32, 0xE5, 0xDC, 0x77, 0xFB,
    0x8C, 0xBE, 0xA3, 0x21, 0x43, 0xF7, 0x0A, 0x29, 0x35, 0xCA, 0x76, 0x44, 0xF6, 0x2A, 0x5D, 0xA6,
    0x1F, 0xA1, 0x02, 0x23, 0x58, 0xAF, 0xA5, 0x8C, 0x11, 0xDB, 0xAD, 0xE9, 0x0B, 0x21, 0x7C, 0xDA,
    0x9D, 0xE1, 0x09, 0xA6, 0x4F, 0xB6, 0x30, 0xA5, 0x50, 0x8E, 0x7D, 0xB5, 0xFC, 0x12, 0xDB, 0xAA,
    0x9A, 0x7B, 0x72, 0xD4, 0x9A, 0x2C, 0x1C, 0xB9, 0xFC, 0x72, 0x0F, 0xBA, 0xD8, 0xCA, 0x11, 0xBB,
    0xCE, 0xB5, 0xC7, 0x13, 0x6E, 0x42, 0x5E, 0xE7, 0x16, 0x64, 0x6B, 0xD1, 0x90, 0x5A, 0x4B, 0xF0,
    0x5E, 0xEB, 0x2C, 0x3F, 0x50, 0x12, 0x4C, 0xAB, 0x9A, 0xFE, 0x95, 0x44, 0xED, 0xB7, 0xFC, 0x0C,
    0x34, 0xDF, 0xF3, 0xCC, 0x4B, 0x59, 0x15, 0xBE, 0x64, 0x9A, 0x0F, 0x4B, 0x98, 0x2F, 0xD3, 0xDF,
    0x8A, 0x55, 0xA6, 0x6A, 0xF8, 0xA1, 0xB4, 0x0A, 0xFA, 0x60, 0x6F, 0x24, 0xD3, 0xFC, 0x2F, 0xF0,
    0xCD, 0x98, 0x3E, 0x54, 0xCE, 0x6F, 0xDB, 0xD1, 0x76, 0x16, 0x79, 0x5D, 0xD1, 0x2D, 0x02, 0xF2,
    0xB3, 0x2B, 0x15, 0x41, 0x82, 0xED, 0x36, 0xE7, 0xFF, 0xE9, 0x90, 0xCD, 0xF1, 0xDC, 0xDE, 0x2C,
    0xA7, 0x8C, 0x99, 0xD8, 0x3F, 0xD2, 0xE4, 0x03, 0x8E, 0x67, 0xF7, 0x3A, 0x72, 0xAE, 0x70, 0x5C,
    0xC7, 0x4B, 0xD2, 0x0A, 0xBF, 0x6D, 0x89, 0x8A, 0xC4, 0xA3, 0x54, 0x6E, 0x13, 0xBD, 0xCD, 0x91,
    0x8F, 0xC4, 0x16, 0x1C, 0x20, 0x4D, 0xC4, 0x4E, 0x45, 0xE6, 0xB2, 0xDC, 0x74, 0xC9, 0x04, 0x95,
    0x09, 0x64, 0x1B, 0xF0, 0x75, 0xAC, 0xC0, 0xFC, 0x98, 0xF7, 0x90, 0xAB, 0x88, 0x62, 0x9D, 0xFF,
    0xB8, 0xDC, 0xC7, 0x37, 0x17, 0xBB, 0x7B, 0x87, 0x8E, 0x79, 0xE9, 0x42, 0x04, 0x66, 0xFB, 0x04,
    0xAD, 0x71, 0xB6, 0x81, 0x3B, 0x80, 0xFB, 0x7C, 0x7C, 0x05, 0xEC, 0xAE, 0x9E, 0xF8, 0x03, 0x07,
    0xB9, 0xC8, 0x7E, 0xFF, 0xDF, 0x5F, 0xA4, 0xD8, 0xB9, 0xBC, 0x50, 0xFE, 0x92, 0x6A, 0x69, 0x6E,
    0xD0, 0x18, 0x66, 0x99, 0x64, 0x3B, 0x9F, 0x47, 0x26, 0x9A, 0xCA, 0x34, 0x84, 0xEE, 0x87, 0xE9,
    0x60, 0x78, 0x1E, 0x87, 0x7C, 0x47, 0xD8, 0x9F, 0x38, 0xA2, 0x68, 0x5C, 0x6A, 0x84, 0x03, 0xEA,
    0x9B, 0xE3, 0xFD, 0x7A, 0x36, 0x71, 0xA9, 0x36, 0xBF, 0x1D, 0x75, 0x29, 0x7D, 0xF9, 0xFA, 0x10,
    0xDE, 0x3D, 0xC0, 0xBA, 0x93, 0xE2, 0x4B, 0x7D, 0x75, 0x68, 0x1D, 0x34, 0xA7, 0x5E, 0xA4, 0xB4,
    0xA1, 0x9C, 0x5C, 0xE6, 0x8B, 0x69, 0x22, 0x5F, 0xF8, 0x90, 0x8D, 0xB9, 0x53, 0x0D, 0xA9, 0x1D,
    0x75, 0xE9, 0xB5, 0x53, 0xDD, 0xB4, 0x96, 0xC9, 0x5C, 0xCC, 0x41, 0xF8, 0xDD, 0xD0, 0x79, 0x64,
    0x9E, 0x77, 0xC2, 0x91, 0x9C, 0x28, 0xBE, 0x77, 0x1F, 0xD3, 0x92, 0x6A, 0x30, 0xE0, 0x99, 0xFD,
    0xC9, 0x06, 0xD8, 0x8C, 0x11, 0x4A, 0xD6, 0xDE, 0x5C, 0x26, 0xD9, 0x30, 0xE2, 0x86, 0xD0, 0x59,
    0xD5, 0xD3, 0x0B, 0x87, 0x15, 0x5F, 0x89, 0x57, 0x97, 0xB1, 0x68, 0x58, 0x86, 0x00, 0xD0, 0x89,
    0x8C, 0x5F, 0x54, 0xD3, 0x7F, 0x20, 0xA9, 0xFE, 0x30, 0x81, 0xE9, 0xB1, 0x91, 0x91, 0x41, 0xC8,
    0x33, 0x6C, 0x38, 0xEB, 0xB7, 0x97, 0x3E, 0xC0, 0xD8, 0x59, 0xB0, 0x01, 0xF7, 0x66, 0x27, 0xEF,
    0x81, 0xED, 0xD5, 0x3E, 0xCB, 0x5C, 0x62, 0xA2, 0x07, 0x5E, 0xEE, 0xEF, 0x1E, 0x78, 0x5F, 0xB0,
    0xAB, 0x46, 0x93, 0xAD, 0x14, 0x48, 0x2A, 0x88, 0xE0, 0xBE, 0x50, 0xBF, 0xAC, 0xD4, 0x8B, 0x3B,
    0x4F, 0x09, 0x9A, 0x37, 0x1C, 0x54, 0x7E, 0xF6, 0x02, 0xBC, 0xEC, 0x53, 0x39, 0xED, 0x66, 0x5D,
    0x4D, 0x44, 0xDE, 0xE9, 0xF1, 0xA5, 0xDB, 0x2D, 0x4E, 0xF2, 0x1E, 0x4D, 0xA3, 0x4E, 0x28, 0x75,
    0x15, 0x51, 0x8F, 0x66, 0x12, 0xB7, 0x6C, 0x41, 0xD3, 0x21, 0x3F, 0x72, 0xBD, 0xF3, 0xDB, 0xAE,
    0x8D, 0xDC, 0x53, 0x35, 0x52, 0xE5, 0x89, 0xC8, 0x37, 0x16, 0x29, 0x5B, 0x8E, 0x7D, 0xA6, 0x08,
    0x53, 0x8F, 0xDC, 0xE9, 0x6B, 0x8E, 0x07, 0xCF, 0x07, 0x11, 0x38, 0x63, 0x18, 0x65, 0xC3, 0xCB,
    0x66, 0xFB, 0x90, 0x9E, 0x75, 0x42, 0x3F, 0xD2, 0x39, 0x73, 0xD7, 0xC6, 0xD2, 0xB2, 0xA3, 0x0C,
    0xD2, 0x29, 0xB9, 0x27, 0xC1, 0x83, 0xBC, 0x6E, 0xC7, 0xB4, 0x63, 0xA5, 0xD9, 0x6B, 0xC8, 0xC4,
    0x4F, 0x66, 0xDF, 0xF8, 0xC7, 0x44, 0xF8, 0x96, 0xDB, 0x6F, 0x0C, 0xA9, 0x15, 0x7E, 0xB6, 0x72,
    0xDB, 0xBD, 0x62, 0x9A, 0x14, 0x50, 0xA8, 0x3E, 0x9B, 0xF4, 0xF8, 0x51, 0x54, 0x2A, 0x9C, 0xEE,
    0x61, 0xDC, 0xBE, 0x24, 0xC5, 0x95, 0x3D, 0x03, 0xB3, 0x47, 0xBF, 0xEE, 0xEC, 0xC6, 0x5A, 0xB4,
    0x0A, 0xD6, 0x68, 0x4C, 0xED, 0x78, 0x45, 0x46, 0x3E, 0x79, 0xC6, 0x28, 0xDA, 0x1C, 0x46, 0xF2,
    0x70, 0xA6, 0xCE, 0x82, 0xD9, 0xA1, 0xE4, 0xA2, 0xB7, 0xCE, 0x08, 0x20, 0xF3, 0xEF, 0xA9, 0x5B,
    0x0A, 0xAC, 0x62, 0xE0, 0x6E, 0xCF, 0x2B, 0x89, 0x8E, 0x40, 0x48, 0x68, 0xE0, 0x0F, 0xA6, 0xFD,
    0x2D, 0x81, 0xE3, 0x03, 0x2B, 0xE4, 0xCF, 0x46, 0xDA, 0x9A, 0xD2, 0xBA, 0x01, 0x0E, 0xA8, 0x55,
    0x6C, 0xED, 0x0E, 0x0D, 0xDF, 0x3B, 0xF4, 0xB2, 0x26, 0xBC, 0x6E, 0xD4, 0x7A, 0x74, 0xDC, 0x89,
    0x6D, 0x80, 0x8E, 0x83, 0x97, 0xAC, 0x58, 0xEA, 0x81, 0x3D, 0x53, 0x87, 0xAD, 0xD9, 0x05, 0x8C,
    0xF4, 0xF4, 0xD1, 0x8F, 0xFA, 0xDB, 0x86, 0x99, 0xEF, 0xAB, 0x74, 0x05, 0x20, 0x31, 0xFD, 0x66,
    0x1B, 0xEF, 0x3E, 0xB1, 0x91, 0x4A, 0xCC, 0x55, 0xDC, 0x77, 0x03, 0x06, 0x53, 0x62, 0x9F, 0xF9,
    0xE5, 0x0A, 0x34, 0x85, 0xFE, 0xB4, 0x78, 0x2D, 0x45, 0x32, 0x31, 0x37, 0x9B, 0xF9, 0x66, 0x9F,
    0x39, 0x33, 0x07, 0x82, 0x64, 0xD0, 0xA8, 0x85, 0x9E, 0xAC, 0x9D, 0xAA, 0x0C, 0xF5, 0x93, 0x0C,
    0xA6, 0x95, 0x92, 0x10, 0xC8, 0x18, 0xB0, 0x35, 0x60, 0xCC, 0x51, 0xFB, 0x1F, 0xEA, 0x79, 0x75,
    0x20, 0xB5, 0x27, 0x37, 0xC7, 0xDF, 0x6F, 0x5A, 0xFD, 0x31, 0x60, 0x9B, 0xD5, 0x3F, 0x46, 0x33,
    0xBE, 0x0B, 0x2C, 0x1B, 0xD3, 0x0C, 0x63, 0x39, 0x3E, 0x0F, 0x6F, 0xF4, 0x4F, 0x70, 0x36, 0x05,
    0xEC, 0xE7, 0xCB, 0xD0, 0x6C, 0x60, 0x03, 0x3A, 0x55, 0x5A, 0x35, 0xC1, 0xE0, 0x90, 0xA6, 0xA3,
    0xEC, 0x0B, 0xC0, 0x10, 0x14, 0x74, 0x77, 0x4D, 0x5F, 0x05, 0x30, 0xF1, 0x90, 0x00, 0xA6, 0x05,
    0x14, 0x1F, 0xDF, 0xCF, 0xB5, 0xC1, 0xB6, 0xFB, 0x34, 0x31, 0x01, 0xF0, 0x5A, 0x5A, 0xFC, 0xF9,
    0x2D, 0x32, 0xED, 0x22, 0x39, 0xF8, 0x4E, 0xB5, 0xAD, 0x9C, 0x9D, 0x6D, 0xD0, 0x8A, 0x76, 0x8F,
    0xEA, 0x63, 0xF9, 0x4F, 0x0C, 0xD7, 0x61, 0x35, 0x81, 0xE9, 0x13, 0x2D, 0x13, 0x30, 0x5A, 0xDC,
    0x7D, 0x1E, 0xE7, 0xA8, 0xD4, 0x03, 0x62, 0x57, 0x07, 0xEE, 0xFD, 0xD0, 0x97, 0xA7, 0xFD, 0x21,
    0x24, 0x3A, 0xDD, 0x75, 0xA4, 0xA7, 0xC5, 0x92, 0xFA, 0x14, 0xE9, 0x39, 0x55, 0xF2, 0x0F, 0x2E,
    0x6F, 0x55, 0x88, 0xFD, 0xB6, 0x11, 0xD4, 0x46, 0xCB, 0xDF, 0x36, 0x0F, 0xC8, 0x3A, 0x35, 0x1B,
    0x3D, 0x68, 0xE0, 0x1D, 0xC0, 0xD1, 0x05, 0x43, 0x64, 0xBB, 0x8D, 0x82, 0x9C, 0xA6, 0x93, 0x88,
    0x37, 0x5F, 0xBF, 0xA2, 0xD3, 0x02, 0x07, 0x44, 0xA0, 0x1B, 0x96, 0x14, 0x38, 0x9E, 0x0D, 0x85,
    0x0C, 0x53, 0xEC, 0x4E, 0x29, 0x2B, 0x2C, 0x68, 0x37, 0x2C, 0xBA, 0xAE, 0x02, 0x9C, 0x91, 0x14,
    0x09, 0x5A, 0xB6, 0xF8, 0xCD, 0xE6, 0xCA, 0xA2, 0xCD, 0xE1, 0x5B, 0xF5, 0x2D, 0xB1, 0x20, 0x34,
    0xB3, 0xE9, 0x5F, 0xA7, 0x2B, 0xCD, 0x07, 0xA5, 0xD5, 0x34, 0x6F, 0x9A, 0x6C, 0xDD, 0xFD, 0xC9,
    0xAE, 0x47, 0x18, 0xBF, 0x93, 0x5E, 0x59, 0xFC, 0x08, 0x3C, 0x53, 0xC9, 0x30, 0xED, 0x10, 0xD9,
    0x28, 0x6F, 0x77, 0xC8, 0x4E, 0x10, 0x49, 0xB5, 0x3D, 0x01, 0x52, 0x9B, 0x38, 0xD5, 0xC5, 0x1C,
]
   


* from flashData.prx, used in idStorage 256-320 generation
def ShiftRows(state):
    tmp = state[5]
    state[5] = state[7]
    state[7] = tmp
    tmp = state[8]
    state[8] = state[0xB]
    state[0xB] = tmp
    tmp = state[9]
    state[9] = state[0xA]
    state[0xA] = tmp
    tmp = state[0xC]
    state[0xC] = state[0xE]
    state[0xE] = tmp


= Wake Me Up Before You Go Go =


== HandShake 0x80 ==
def SubBytes(state):
    for i in range(0,0x10):
        state[i] = sbox[state[i]]


<pre>
Key EB
418499BE9D35A3B9FC6AD0D6F041BB26


Challenge 1 EB
def MixColumns(a,state):
0BD9027E851FA123
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff
   
    c=state[a+4]
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
    u = c ^ state[a+4] ^ b ^ state[a+8] ^ state[a+0xC]


Challenge 2 EB
    c=state[a+4]
F791ED0B3F49A448
    tmp =c
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    c = tmp & 0xff
   
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff


Key B3
    x = d ^ state[a+8] ^ c ^ state[a] ^ state[a+0xc]
03BEB65499140483BA187A64EF90261D
   
    d=state[a+8]
    tmp =d
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    d = tmp & 0xff
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff


Challenge 1 B3
    y = e ^ state[a+0xC] ^ d ^ state[a] ^ state[a+4]   
DBD3AEA4DB046410
   
    e=state[a+0xC]
    tmp =e
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    e = tmp & 0xff
   
    b=state[a]
    tmp =b
    tmp = tmp <<1
    if(tmp >=0x100):
        tmp = tmp ^ 0x1B
    b = tmp & 0xff


Challenge 2 B3
    z = b ^ state[a] ^ e ^ state[a+4] ^ state[a+8]   
E32B8F56B2641298
    state[a+0xC] = z
</pre>
    state[a+8] = y
 
    state[a+4] = x
== Handshake 0x90 ==
    state[a] = u
 
   
<pre>
 
Yet another battery handshake key 1
def AddRoundKey(version,b,state):
880E2A94110926B20E53E22AE648AE9D IV/DATA
    for i in range(0, 2):
 
        state[(i*2)] ^= key[(0xB0*version)+(b*0x10)+(i*2)]
Yet another battery handshake key 2
        state[(i*2)+1] ^= key[(0xB0*version)+(b*0x10)+(i*2)+1]
C66E9ED6ECBCB121B7465D25037D6646 KEY
    for i in range(2, 8):
 
        a=state[(i*2)] ^ key[(0xB0*version)+(b*0x10)+(i*2)]
Yet another battery handshake key 3
        c=state[(i*2)+1] ^ key[(0xB0*version)+(b*0x10)+(i*2)+1]
DA24DAB43A61CBDF61FD255D0AEA7957 KEY
        state[(i*2)+1]=a
        state[(i*2)]=c


Yet another battery handshake const val
82828282
</pre>


== Flash Update Handshake ==
def FinalRoundKey(version,state):
    for i in range(0, 2):
        state[(i*2)] ^= key[(0xB0*version)+(10*0x10)+(i*2)]
        state[(i*2)+1] ^= key[(0xB0*version)+(10*0x10)+(i*2)+1]
    for i in range(2, 8):
        a=state[(i*2)] ^ key[(0xB0*version)+(10*0x10)+(i*2)]
        c=state[(i*2)+1] ^ key[(0xB0*version)+(10*0x10)+(i*2)+1]
        state[(i*2)+1]=c
        state[(i*2)]=a


<pre>
Flash Update Handshake key1
78721A6284050ACF07F52C6EBAA32F98


Flash Update Handshake key2
def sony_encrypt(version,data):
08489E59EDD0666E6A83237585C795CB
    AddRoundKey(version,0,data)
    for i in range (1,10):
        ShiftRows(data)
        SubBytes(data)
        MixColumns(0,data)
        MixColumns(1,data)
        MixColumns(2,data)
        MixColumns(3,data)
        AddRoundKey(version,i,data)
    ShiftRows(data)
    SubBytes(data)
    FinalRoundKey(version,data)


Flash Update Handshake shared secret 1
6EBE650DCEDCB6163158AC0CAD158907
</pre>


= Other Key Material =
def MixSecret1(version,data, challenge):
<pre>
    secret1 = [
TA-093 RCON
    0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68,
    0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E,
    0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89,
    0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C,
    0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46,
    0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B,
    0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2,
    ]


01020408102040801B366CD8AB4D9A2F5EBC63C697356AD4B37DFAEFC591A9037ED9F08993B79A7C773C0D264810A081FE192402DEFC87AC3C332B48B4EB
    data[0] =secret1[(version *8)+0]
 
     data[4] =secret1[(version *8)+1]
TA-093 ???
     data[8] =secret1[(version *8)+2]
6A659283E3C41709214D8F29C6BACAFF67C419A2D064F04FA01271307A2BC5F5A56E
     data[0xC] =secret1[(version *8)+3]
 
     data[1] =secret1[(version *8)+4]
TA-093 Other Device Key0 (message)
     data[5] =secret1[(version *8)+5]
 
     data[9] =secret1[(version *8)+6]
03763C6865C69B0FFE8FD8EEA43616A0 (KIRK 4/7) (0x14)
     data[0xD] =secret1[(version *8)+7]
 
TA-093 Other Device Key1 (Handler)
 
C1BF66818EF953F2E1266B6F550CC9CD (KIRK 4/7) (0x69)
 
TA-093 Other Device Key2 (Handler)
 
7D50B85CAF6769F0E54AA8098B0EBE1C (KIRK 4/7) (0x15)
 
TA-093 Other Device Key3 (message)
 
F10730C311E026FCF87B50AEA3D17BA0
 
TA-093 Other Device Secret0 (Handler)
 
8D5DA608F2BBC6CC
 
TA-093 Other Device Secret1 (Handler)
 
34DB81241D6F4057
 
TA-093 Other Device Secret2 (Handler)
 
E0DC41AFC2CD1C2D
 
TA-093 Battery Magic String (Handler)
 
SonyEnergyDevices\x00
 
TA-093 Other Device Secret3 (session)
 
0B2385010FB279BD
 
TA-093 Other Device Secret4 (session)
 
E1C3ECA91959040D
 
TA-093 Other Device Secret5 (session)
 
661A4D7F6ECD33C52BF5F29586A76448
</pre>
 
= V5 Script for comms of battery =
<pre>
#!/usr/bin/env python
'''
 
PSP v4 Syscon Handshake Calculator by Proxima (R)
 
'''
from Crypto.Cipher import AES
import os
 
 
 
keystore = {
0: [0x5C, 0x52, 0xD9, 0x1C, 0xF3, 0x82, 0xAC, 0xA4, 0x89, 0xD8, 0x81, 0x78, 0xEC, 0x16, 0x29, 0x7B],
1: [0x9D, 0x4F, 0x50, 0xFC, 0xE1, 0xB6, 0x8E, 0x12, 0x09, 0x30, 0x7D, 0xDB, 0xA6, 0xA5, 0xB5, 0xAA],
2: [0x09, 0x75, 0x98, 0x88, 0x64, 0xAC, 0xF7, 0x62, 0x1B, 0xC0, 0x90, 0x9D, 0xF0, 0xFC, 0xAB, 0xFF],
3: [0xC9, 0x11, 0x5C, 0xE2, 0x06, 0x4A, 0x26, 0x86, 0xD8, 0xD6, 0xD9, 0xD0, 0x8C, 0xDE, 0x30, 0x59],
4: [0x66, 0x75, 0x39, 0xD2, 0xFB, 0x42, 0x73, 0xB2, 0x90, 0x3F, 0xD7, 0xA3, 0x9E, 0xD2, 0xC6, 0x0C],
5: [0xF4, 0xFA, 0xEF, 0x20, 0xF4, 0xDB, 0xAB, 0x31, 0xD1, 0x86, 0x74, 0xFD, 0x8F, 0x99, 0x05, 0x66],
6: [0xEA, 0x0C, 0x81, 0x13, 0x63, 0xD7, 0xE9, 0x30, 0xF9, 0x61, 0x13, 0x5A, 0x4F, 0x35, 0x2D, 0xDC],
8: [0x0A, 0x2E, 0x73, 0x30, 0x5C, 0x38, 0x2D, 0x4F, 0x31, 0x0D, 0x0A, 0xED, 0x84, 0xA4, 0x18, 0x00],
0xA: [0xAC, 0x00, 0xC0, 0xE3, 0xE8, 0x0A, 0xF0, 0x68, 0x3F, 0xDD, 0x17, 0x45, 0x19, 0x45, 0x43, 0xBD],
0xD: [0xDF, 0xF3, 0xFC, 0xD6, 0x08, 0xB0, 0x55, 0x97, 0xCF, 0x09, 0xA2, 0x3B, 0xD1, 0x7D, 0x3F, 0xD2],
0xD9: [0xC7, 0xAC, 0x13, 0x06, 0xDE, 0xFE, 0x39, 0xEC, 0x83, 0xA1, 0x48, 0x3B, 0x0E, 0xE2, 0xEC, 0x89],
}
 
 
 
   
 
 
 
challenge1_secret = {
0: [0xD2, 0x07, 0x22, 0x53, 0xA4, 0xF2, 0x74, 0x68],
1: [0xF5, 0xD7, 0xD4, 0xB5, 0x75, 0xF0, 0x8E, 0x4E],
2: [0xB3, 0x7A, 0x16, 0xEF, 0x55, 0x7B, 0xD0, 0x89],
3: [0xCC, 0x69, 0x95, 0x81, 0xFD, 0x89, 0x12, 0x6C],
4: [0xA0, 0x4E, 0x32, 0xBB, 0xA7, 0x13, 0x9E, 0x46],
5: [0x49, 0x5E, 0x03, 0x47, 0x94, 0x93, 0x1D, 0x7B],
6: [0xB0, 0xB8, 0x09, 0x83, 0x39, 0x89, 0xFA, 0xE2],
8: [0xAD, 0x40, 0x43, 0xB2, 0x56, 0xEB, 0x45, 0x8B],
0xA: [0xC2, 0x37, 0x7E, 0x8A, 0x74, 0x09, 0x6C, 0x5F],
0xD: [0x58, 0x1C, 0x7F, 0x19, 0x44, 0xF9, 0x62, 0x62],
0xD9: [0x90, 0xE1, 0xF0, 0xC0, 0x01, 0x78, 0xE3, 0xFF]
}
 
challenge2_secret = {
0: [0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB],
1: [0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5],
2: [0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD],
3: [0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4],
4: [0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F],
5: [0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2],
6: [0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0],
8: [0x67, 0xC0, 0x72, 0x15, 0xD9, 0x6B, 0x39, 0xA1],
0xA: [0x09, 0x3E, 0xC5, 0x19, 0xAF, 0x0F, 0x50, 0x2D],
0xD: [0x31, 0x80, 0x53, 0x87, 0x5C, 0x20, 0x3E, 0x24],
0xD9: [0xC3, 0x4A, 0x6A, 0x7B, 0x20, 0x5F, 0xE8, 0xF9]
}
   
 
 
def MixChallenge1(version, challenge):
   
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    secret1=challenge1_secret[version]
    data[0] =secret1[0]
     data[4] =secret1[1]
     data[8] =secret1[2]
     data[0xC] =secret1[3]
     data[1] =secret1[4]
     data[5] =secret1[5]
     data[9] =secret1[6]
     data[0xD] =secret1[7]
     data[2] = challenge[0]
     data[2] = challenge[0]
     data[6] = challenge[1]
     data[6] = challenge[1]
Line 224: Line 267:
     data[0xB] = challenge[6]
     data[0xB] = challenge[6]
     data[0xF] = challenge[7]
     data[0xF] = challenge[7]
    return data




def MixChallenge2(version, challenge):
def MixSecret2(version,data, challenge):
 
     secret2 = [  
     data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    0xF4, 0xE0, 0x43, 0x13, 0xAD, 0x2E, 0xB4, 0xDB,
     secret2=challenge2_secret[version]
    0xFE, 0x7D, 0x78, 0x99, 0xBF, 0xEC, 0x47, 0xC5,  
    0x86, 0x5E, 0x3E, 0xEF, 0x9D, 0xFB, 0xB1, 0xFD,
    0x30, 0x6F, 0x3A, 0x03, 0xD8, 0x6C, 0xBE, 0xE4,
    0xFF, 0x72, 0xBD, 0x2B, 0x83, 0xB8, 0x9D, 0x2F,
    0x84, 0x22, 0xDF, 0xEA, 0xE2, 0x1B, 0x63, 0xC2,
    0x58, 0xB9, 0x5A, 0xAE, 0xF3, 0x99, 0xDB, 0xD0,
    ]
      
     data[0] =challenge[0]
     data[0] =challenge[0]
     data[4] =challenge[1]
     data[4] =challenge[1]
Line 239: Line 288:
     data[9] =challenge[6]
     data[9] =challenge[6]
     data[0xD] =challenge[7]
     data[0xD] =challenge[7]
     data[2] = secret2[0]
     data[2] = secret2[(version *8)+0]
     data[6] = secret2[1]
     data[6] = secret2[(version *8)+1]
     data[0xA] = secret2[2]
     data[0xA] = secret2[(version *8)+2]
     data[0xE] = secret2[3]
     data[0xE] = secret2[(version *8)+3]
     data[3] = secret2[4]
     data[3] = secret2[(version *8)+4]
     data[7] = secret2[5]
     data[7] = secret2[(version *8)+5]
     data[0xB] = secret2[6]
     data[0xB] = secret2[(version *8)+6]
     data[0xF] = secret2[7]
     data[0xF] = secret2[(version *8)+7]
    return data
 


def BatteryResponseRemap(dataA, dataB):
    message = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 


     
    message[8] = dataB[0]
    message[9] = dataB[1]
    message[0xA] = dataB[2]
    message[0xB] = dataB[3]
    message[0xC] = dataB[4]
    message[0xD] = dataB[5]
    message[0xE] = dataB[6]
    message[0xF] = dataB[7]     
   
    return message     


newmap = [
    0x00, 0x04, 0x08, 0x0C, 0x01, 0x05, 0x09, 0x0D, 0x02, 0x06, 0x0A, 0x0E, 0x03, 0x07, 0x0B, 0x0F,
]


def SysconResponseRemap(dataA):
    message = [ 0,0,0,0, 0,0,0,0]
    message[0] = dataA[0]
    message[1] = dataA[4]
    message[2] = dataA[8]
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]
    message[6] = dataA[7]
    message[7] = dataA[0xD] 
   
    return message




def MatrixSwap(key):
def BatteryResponseRemap2(dataA):
     temp = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
     message = [ 0,0,0,0, 0,0,0,0]
     for i in range(0,len(key)):
    message[0] = dataA[0]  
        temp[i] = key[newmap[i]]
     message[1] = dataA[4]
     return temp[0:len(key)]
    message[2] = dataA[8]
   
    message[3] = dataA[0xC]
    message[4] = dataA[1]
    message[5] = dataA[5]  
     message[6] = dataA[7]  
    message[7] = dataA[0xD]  


    return message




def sam_rcon(round):
    rcon = 0x8d
    for i in range(0, round):
        rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff
    return rcon
   
   
def ExpandKey(key):
    exp = bytearray(0xB0)
    #copy in key
    for i in range(0,0x10):
        exp[i] = key[i]
    #calculate additional round keys       
    for b in range (1,11):
        # calculate the sbox based values
        exp[b*0x10] = exp[(b-1)*0x10] ^ sbox[exp[((b-1)*0x10)+7]] ^ sam_rcon(b)
        exp[(b*0x10) + 4] = exp[((b-1)*0x10)+4] ^ sbox[exp[((b-1)*0x10)+0xB]]
        exp[(b*0x10) + 8] = exp[((b-1)*0x10)+8] ^ sbox[exp[((b-1)*0x10)+0xF]]
        exp[(b*0x10) + 0xC] = exp[((b-1)*0x10)+0xC] ^ sbox[exp[((b-1)*0x10)+3]]
        # calculate the xor based values
        for i in (1,2,3,5,6,7,9,0xA,0xB,0xD,0xE,0xF):
            exp[(b*0x10)+i] = exp[(b*0x10)+(i-1)] ^ exp[((b-1)*0x10)+i]
   
    return exp
         
   
   
def main():
def main():
 
    data = [ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0]
     screq=bytes.fromhex(input("Syscon Challenge 1(9 bytes, first byte is version):"))
   
   
    # Uncomment this section to try the keygen
    inkey=bytes.fromhex(input("Key:"))
    rk=ExpandKey(inkey)
    for i in range(0,11):
        print("Round Key %02d: " % i + bytes(rk[i*0x10:(i*0x10)+0x10]).hex().upper())
   
     screq=bytes.fromhex(input("Syscon Challenge 1:"))




Line 278: Line 396:
     version= screq[0]
     version= screq[0]
     req = screq[1:]
     req = screq[1:]
   
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
     print('-> Syscon Challenge 1: 0B 80 ' + bytes(screq).hex().upper())
    MixSecret1(version,data,req)
    sony_encrypt(version,data)
    second = data.copy()
    sony_encrypt(version,second)
    lastResponse=second[0:8]
    message=BatteryResponseRemap(data, second)
    print('<- Battery Response 1: 12 06 ' + bytes(message).hex().upper())
      
      
     # The first challenge mixes the syscon generated challenge and the first challenge secret
     MixSecret2(version,data,lastResponse)
    data=MixChallenge1(version,req)
     sony_encrypt(version,data)  
   
     message=SysconResponseRemap(data)
    # The first challenge has two encryption, one for the first half and one for the second half
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(message).hex().upper())
    challenge1a=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data)))
     sony_encrypt(version,data)  
    #print("Challenge1a: " +(bytes( challenge1a).hex().upper()))
    message=BatteryResponseRemap2(data)
    #second = bytearray(0x10)
     print('<- Battery Response 2: 0A 06 ' + bytes(message).hex().upper())
    #second[:] = challenge1a[:]
   
    #challenge1b=MatrixSwap(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes((second))))
    #print("Challenge1b: " +(bytes( challenge1b).hex().upper()))
    challenge1b = bytearray.fromhex('AAAAAAAAAAAAAAAA')
    response1 = bytes(challenge1a[0:8]) + bytes(challenge1b[0:8])
       
    print('<- Battery Response 1: 12 06 ' + bytes(response1).hex().upper())
   
    # The second challenge only uses the half of the first challenge and the second challenge secret
    data2=MixChallenge2(version,challenge1b[0:8])
     #data2=MixChallenge2(version,cb)
     challenge2=AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(bytes(MatrixSwap(data2)))
   
     print('-> Syscon Challenge 2: 0A 81 ' + bytes(challenge2[0:8]).hex().upper())
      
    response2=(AES.new(bytes(keystore[version]), AES.MODE_ECB).encrypt(challenge2))
   
     print('<- Battery Response 2: 0A 06 ' + bytes(response2[0:8]).hex().upper())


      
      
if __name__ == "__main__":
if __name__ == "__main__":
     main()
     main()


</pre>
</pre>
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/psp/Talk:Keys"