Spock: Difference between revisions
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) No edit summary |
|||
| (32 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Spock is the PSP hardware cryptography engine responsible for the raw sector level decryption of UMD’s. Named after Captain Spock of Star Trek. | Spock is the PSP hardware cryptography engine responsible for the raw sector level decryption of UMD’s. Named after Captain Spock of Star Trek. Mapped to 0xBDF00000. | ||
= Executing commands = | = Executing commands = | ||
You can more or less access Spock through Lepton's ram (there is some hidden test mode on Lepton allowing you to do this). Mathieulh will tell more on this later if he ever get the time to clean up those sources. | You can more or less access Spock through Lepton's ram (there is some hidden test mode on Lepton allowing you to do this). Mathieulh will tell more on this later if he ever get the time to clean up those sources. | ||
= Mapping Structure (PSP) = | |||
<pre> | |||
0xBDF00000 = Spock Signature | |||
0xBDF00004 = Spock Version | |||
0xBDF00008 = Spock Error | |||
0xBDF0000C = Spock Proc Phase | |||
0xBDF00010 = Spock CMD Number | |||
0xBDF00014 = Spock Result | |||
0xBDF00018 = Unknown? | |||
0xBDF0001C = Spock Status | |||
0xBDF00020 = Spock Status Asynchronous | |||
0xBDF00024 = Spock Status Asynchronous End | |||
0xBDF00028 = Spock Status End | |||
0xBDF0002C = Spock Source Address | |||
0xBDF00030 = Spock Destination Address | |||
sceUmdMan_driver_1b1bf9fd = sceUmdExecRead10Cmd (0xA) | |||
sceUmdMan_driver_e3716915 = sceUmdExecRead10Cmd (0xA) | |||
sceUmdMan_driver_f819e17c = sceUmdExecReadMKICmd (0x8) | |||
sceUmdMan_driver_6d17fd57 = sceUmdExecReadMKICmd (0x8) | |||
</pre> | |||
= Commands = | = Commands = | ||
| Line 20: | Line 44: | ||
0x0A: Decrypt UMD Disc Sector | 0x0A: Decrypt UMD Disc Sector | ||
0x0B: Reset SPOCK | 0x0B: Reset SPOCK | ||
0x0C: | 0x0C: Decrypt UMD Disc Sector Debug | ||
</pre> | </pre> | ||
== Command 1 == | == Command 1 (Init 1) == | ||
== Command 2 == | == Command 2 (Init 2) == | ||
== Command 3 == | == Command 3 (Step 1) == | ||
== Command 4 == | == Command 4 (Step 2) == | ||
== Command 5 == | == Command 5 (Step 3) == | ||
== Command 6 == | == Command 6 == | ||
| Line 38: | Line 62: | ||
== Command 7 == | == Command 7 == | ||
== Command 8 ( | == Command 8 (Decrypt UMD master key) == | ||
== Command 9 ( | == Command 9 (Decrypt IDStorage UMD leaves) == | ||
Spock command 9 key is used to decrypt UMD leaves stored in [[IDStorage]]. Those leaves are then used in Spock command 8 to decrypt the UMD master key (per disc key). Then this key is used in Spock command 10 to decrypt the UMD raw sectors. Each different PSP region seems to have its own set of UMD keys. | Spock command 9 key is used to decrypt UMD leaves stored in [[IDStorage]]. Those leaves are then used in Spock command 8 to decrypt the UMD master key (per disc key). Then this key is used in Spock command 10 to decrypt the UMD raw sectors. Each different PSP region seems to have its own set of UMD keys. | ||
< | <pre> | ||
9F46F9FCFAB2AD0569F688D8794B92BA | |||
</pre> | |||
</ | |||
[https://web.archive.org/web/20141201091221/http://pastie.org/1467912 more info on Spock by mathieulh] | [https://web.archive.org/web/20141201091221/http://pastie.org/1467912 more info on Spock by mathieulh] | ||
== Command 10 == | == Command 10 (0xA) (Decrypt UMD raw sectors) == | ||
== Command 11 (0xB) (Reset Spock) == | |||
== Command 12 (0xC) (Decrypt UMD Disc Sector Debug) == | |||
* Seems to exist only on KICHO DENCHO PSP firmware and devkit firmware, inside UMDMAN.prx | |||
= | = Where are spock commands used = | ||
* Commands 8 and 0xA are used on psp retail firmware, as well as testkit firmware | |||
* Commands 1, 2, 3, 4, 5, 8, 9, 0xA and 0xB are used on AV test tool firmware | |||
* Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on Kicho Dencho firmware, which is a special factory firmware. | |||
* Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on devkit firmware as well. | |||
* Usage of these commands can always be found in UMDMAN.prx | |||
Latest revision as of 04:19, 10 May 2024
Spock is the PSP hardware cryptography engine responsible for the raw sector level decryption of UMD’s. Named after Captain Spock of Star Trek. Mapped to 0xBDF00000.
Executing commands[edit | edit source]
You can more or less access Spock through Lepton's ram (there is some hidden test mode on Lepton allowing you to do this). Mathieulh will tell more on this later if he ever get the time to clean up those sources.
Mapping Structure (PSP)[edit | edit source]
0xBDF00000 = Spock Signature 0xBDF00004 = Spock Version 0xBDF00008 = Spock Error 0xBDF0000C = Spock Proc Phase 0xBDF00010 = Spock CMD Number 0xBDF00014 = Spock Result 0xBDF00018 = Unknown? 0xBDF0001C = Spock Status 0xBDF00020 = Spock Status Asynchronous 0xBDF00024 = Spock Status Asynchronous End 0xBDF00028 = Spock Status End 0xBDF0002C = Spock Source Address 0xBDF00030 = Spock Destination Address sceUmdMan_driver_1b1bf9fd = sceUmdExecRead10Cmd (0xA) sceUmdMan_driver_e3716915 = sceUmdExecRead10Cmd (0xA) sceUmdMan_driver_f819e17c = sceUmdExecReadMKICmd (0x8) sceUmdMan_driver_6d17fd57 = sceUmdExecReadMKICmd (0x8)
Commands[edit | edit source]
SPOCK Operations: 0x01: Init1 0x02: Init2 0x03: Step1 0x04: Step2 0x05: Step3 0x06: 0x07: 0x08: Decrypt UMD master key 0x09: Decrypt IDStorage UMD leaves 0x0A: Decrypt UMD Disc Sector 0x0B: Reset SPOCK 0x0C: Decrypt UMD Disc Sector Debug
Command 1 (Init 1)[edit | edit source]
Command 2 (Init 2)[edit | edit source]
Command 3 (Step 1)[edit | edit source]
Command 4 (Step 2)[edit | edit source]
Command 5 (Step 3)[edit | edit source]
Command 6[edit | edit source]
Command 7[edit | edit source]
Command 8 (Decrypt UMD master key)[edit | edit source]
Command 9 (Decrypt IDStorage UMD leaves)[edit | edit source]
Spock command 9 key is used to decrypt UMD leaves stored in IDStorage. Those leaves are then used in Spock command 8 to decrypt the UMD master key (per disc key). Then this key is used in Spock command 10 to decrypt the UMD raw sectors. Each different PSP region seems to have its own set of UMD keys.
9F46F9FCFAB2AD0569F688D8794B92BA
more info on Spock by mathieulh
Command 10 (0xA) (Decrypt UMD raw sectors)[edit | edit source]
Command 11 (0xB) (Reset Spock)[edit | edit source]
Command 12 (0xC) (Decrypt UMD Disc Sector Debug)[edit | edit source]
- Seems to exist only on KICHO DENCHO PSP firmware and devkit firmware, inside UMDMAN.prx
Where are spock commands used[edit | edit source]
- Commands 8 and 0xA are used on psp retail firmware, as well as testkit firmware
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA and 0xB are used on AV test tool firmware
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on Kicho Dencho firmware, which is a special factory firmware.
- Commands 1, 2, 3, 4, 5, 8, 9, 0xA, 0xB and 0xC are used on devkit firmware as well.
- Usage of these commands can always be found in UMDMAN.prx