KIRK 1 decryption and authentication

artart78 edited this page Mar 26, 2013 · 1 revision

Overview

There are two versions of this service: AES CMAC Verification, and ECDSA Verification. They use the header section of the input buffer slightly differently as follows.

AES CMAC Version

Key Header Structure (Length 0x60):

0x00-0x0F is the decryption key (stored encrypted with AES-128, not the plaintext key)
0x10-0x1F is the CMAC key (again stored encrypted, not the plaintext key)
0x20-0x2F is the header hash (CMAC)
0x30-0x3F is the data hash (CMAC)
0x40-0x5F is 0

Metadata Header Structure (Length 0x30):

0x60-0x63 is set to 1 to indicate KIRK1 Verification
0x64-0x67 is 0 to indicate AES CMAC Version
0x68-0x6B is 0
0x6C-0x6F is 0 for retail versions and 0xFFFFFFFF for dev versions
0x70-0x73 is length of decrypted data
0x74-0x77 is length of padding after Metadata header before real data starts
0x78-0x8F is 0

Decryption Process

The first 0x20 bytes of the Key Header are decrypted with the KIRK 1 stored AES key. This key was allegedly discovered by Datel by decapping the chip and reverse engineering the algorithms and keys. It was also recovered through the failure in PS3 cryptography, by decrypting the isolated module in the PSP emulator on the PS3.
The first two blocks (0x20 bytes at offset 0) are decrypted with the KIRK 1 AES key. The first block is the AES key used for decrypting the main data. The second block is used to decrypt the next two blocks (0x20 bytes at offset 0x20), which are the Metadata Header CMAC and the Data CMAC. They are checked against the AES CMAC of the header section and the AES CMAC of the data section.
For full details on the process and source code, please refer to the kirk-engine project: http://code.google.com/p/kirk-engine/

ECDSA Version

Key Header Structure (Length 0x60):

0x00-0x0F is the decryption key (stored encrypted with AES-128, not the plaintext key)
0x10-0x23 is the header ECDSA signature r
0x24-0x37 is the header ECDSA signature s
0x38-0x4B is the data ECDSA signature r
0x4C-0x5F is the data ECDSA signature s

Metadata Header Structure (Length 0x30):

0x60-0x63 is set to 1 to indicate KIRK1 Verification
0x64-0x67 is set to 1 to indicate ECDSA version
0x68-0x6B is 0
0x6C-0x6F is 0 for retail versions and 0xFFFFFFFF for dev versions
0x70-0x73 is length of decrypted data
0x74-0x77 is length of padding after Metadata header before real data starts
0x78-0x8F is 0
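The two header layouts above differ only in the key header; the metadata header is shared and selects between them via the word at 0x64. The parser below is an added example (not code from this wiki or from kirk-engine) that splits a KIRK 1 input buffer into its fields using the offsets listed on this page, validates the fixed and reserved words, and locates the data region from the padding and length words. It assumes the 32-bit metadata words are little-endian and that reserved bytes must be zero; the field names, the `build_sample` helper and its filler bytes are constructed for the example.

```python
import struct

# Offsets and lengths follow the page; field names are this example's own.
KEY_HEADER_LEN = 0x60
META_HEADER_LEN = 0x30
HEADER_LEN = KEY_HEADER_LEN + META_HEADER_LEN   # data (after padding) starts at 0x90
MODE_KIRK1 = 1
DEV_FLAG = 0xFFFFFFFF


def parse_kirk1_header(buf: bytes) -> dict:
    """Split a KIRK 1 input buffer into key-header fields, metadata fields and
    the data region, choosing the AES CMAC or ECDSA key-header layout from the
    word at 0x64. Metadata words are assumed little-endian (assumption)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than the 0x90-byte header")
    mode, ecdsa, zero, dev, data_len, pad_len = struct.unpack_from("<6I", buf, KEY_HEADER_LEN)
    if mode != MODE_KIRK1:
        raise ValueError(f"0x60 is {mode:#x}, expected 1 (KIRK 1)")
    if ecdsa not in (0, 1):
        raise ValueError(f"0x64 is {ecdsa:#x}, expected 0 (CMAC) or 1 (ECDSA)")
    if zero != 0 or any(buf[0x78:HEADER_LEN]):
        raise ValueError("reserved metadata bytes are not zero")
    if dev not in (0, DEV_FLAG):
        raise ValueError(f"0x6C is {dev:#x}, expected 0 (retail) or 0xFFFFFFFF (dev)")
    data_start = HEADER_LEN + pad_len
    if len(buf) < data_start + data_len:
        raise ValueError("buffer too short for the declared padding and data length")

    fields = {
        "ecdsa": bool(ecdsa),
        "dev": dev == DEV_FLAG,
        "data_len": data_len,
        "pad_len": pad_len,
        "enc_key": buf[0x00:0x10],                 # encrypted data key, not plaintext
        "meta_header": buf[KEY_HEADER_LEN:HEADER_LEN],  # the 0x30 bytes that get hashed
        "data": buf[data_start:data_start + data_len],
    }
    if ecdsa:
        fields.update(
            header_sig=(buf[0x10:0x24], buf[0x24:0x38]),  # (r, s) over the metadata header
            data_sig=(buf[0x38:0x4C], buf[0x4C:0x60]),    # (r, s) over the data
        )
    else:
        if any(buf[0x40:0x60]):
            raise ValueError("0x40-0x5F must be zero in the CMAC layout")
        fields.update(
            cmac_key=buf[0x10:0x20],   # encrypted CMAC key, not plaintext
            header_cmac=buf[0x20:0x30],
            data_cmac=buf[0x30:0x40],
        )
    return fields


def build_sample(ecdsa: bool, data: bytes, pad_len: int = 0, dev: bool = False) -> bytes:
    """Constructed sample buffer: recognisable filler in the key header so the
    parsed slices can be checked; not a real KIRK 1 blob."""
    if ecdsa:
        key_header = bytes([0x11]) * 0x10 + bytes(range(0x10, 0x60))
    else:
        key_header = (bytes([0x11]) * 0x10 + bytes([0x22]) * 0x10
                      + bytes([0x33]) * 0x10 + bytes([0x44]) * 0x10 + bytes(0x20))
    meta = struct.pack("<6I", MODE_KIRK1, int(ecdsa), 0,
                       DEV_FLAG if dev else 0, len(data), pad_len)
    meta += bytes(META_HEADER_LEN - len(meta))    # 0x78-0x8F zero
    return key_header + meta + bytes(pad_len) + data


if __name__ == "__main__":
    sample = build_sample(True, b"constructed payload", pad_len=9)
    for name, value in parse_kirk1_header(sample).items():
        print(f"{name:12} {value!r}")
```

Everything the parser returns is still ciphertext or a signature to be checked; decrypting `enc_key` with the KIRK 1 stored key and verifying the CMACs or ECDSA signatures is the job of the procedures described under the two Decryption Process sections.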

Decryption Process

The ECDSA version is slightly different. Only the first block (0x10 bytes) is decrypted with the KIRK 1 AES key. It is used to decrypt the main data section just as in the AES CMAC version. Rather than a CMAC, the Metadata header is checked by SHA-1 hashing its 0x30 bytes and checking the signature components through an ECDSA Verify call. The Data section is also checked via SHA-1 of the entire data through an ECDSA Verify call.

The ECDSA curve parameters used for this ECDSA Verification are as follows.

p=FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
NP=FFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F
a=-3
b=65D1488C0359E234ADC95BD3908014BD91A525F9

Base Point:
Gx=2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA
Gy=604358456D0A1CB2908DE90F27D75C82BEC108C0

Public Point:
Px=ED9CE58234E61A53C685D64D51D0236BC3B5D4B9
Py=049DF1A075C0E04FB344858B61B79B69A63D2C39
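A practitioner taking these parameters from a wiki page will want to confirm they describe a consistent curve before trusting any verification built on them, and to see the SHA-1 plus ECDSA Verify step from the Decryption Process written out. The block below is an added example, not code from this page or from kirk-engine: it implements affine point arithmetic over the 160-bit curve given above, checks that G and the public point lie on the curve and that N*G is the point at infinity, and verifies an ECDSA signature over the SHA-1 digest of a blob as the page describes. It assumes r and s are 20-byte big-endian integers and that the 160-bit SHA-1 digest is used directly as the ECDSA message integer. The `ecdsa_sign` routine and the private key in the usage exist only to produce a constructed signature to exercise `ecdsa_verify`; no real KIRK private key is involved.

```python
import hashlib
import secrets

# Curve parameters copied from the page (a = -3 reduced mod p).
P = int("FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF", 16)
N = int("FFFFFFFFFFFFFFFF0001B5C617F290EAE1DBAD8F", 16)
A = (-3) % P
B = int("65D1488C0359E234ADC95BD3908014BD91A525F9", 16)
G = (int("2259ACEE15489CB096A882F0AE1CF9FD8EE5F8FA", 16),
     int("604358456D0A1CB2908DE90F27D75C82BEC108C0", 16))
PUB = (int("ED9CE58234E61A53C685D64D51D0236BC3B5D4B9", 16),
       int("049DF1A075C0E04FB344858B61B79B69A63D2C39", 16))

INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p); INF counts as on-curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition/doubling with the usual short-Weierstrass formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; verification only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def curve_params_consistent():
    """G and the public point are on the curve, and G has order N."""
    return on_curve(G) and on_curve(PUB) and ec_mul(N, G) is INF


def sha1_int(msg):
    # Assumption: the 20-byte digest is taken as a big-endian integer, no truncation.
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")


def ecdsa_verify(pub, msg, r, s):
    """Standard ECDSA verification of (r, s) over SHA-1(msg) with public point pub."""
    if not (0 < r < N and 0 < s < N) or not on_curve(pub):
        return False
    w = pow(s, -1, N)
    u1 = sha1_int(msg) * w % N
    u2 = r * w % N
    pt = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    return pt is not INF and pt[0] % N == r


def ecdsa_sign(priv, msg):
    """Constructed helper so the example can produce a signature to verify."""
    e = sha1_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:
            return r, s


def verify_kirk1_sig(pub, blob, r_bytes, s_bytes):
    """The page's check: SHA-1 the blob (0x30-byte metadata header or the whole
    data section) and ECDSA-verify the 20-byte r and s fields from the key header."""
    return ecdsa_verify(pub, blob, int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big"))


if __name__ == "__main__":
    print("curve parameters consistent:", curve_params_consistent())
    priv = secrets.randbelow(N - 1) + 1            # constructed key, not a KIRK key
    header = bytes(0x30)                           # constructed metadata header
    r, s = ecdsa_sign(priv, header)
    print("constructed signature verifies:",
          verify_kirk1_sig(ec_mul(priv, G), header, r.to_bytes(20, "big"), s.to_bytes(20, "big")))
```

Real KIRK 1 blobs are verified against `PUB`, the public point from this page, for which no private key is available here; the `curve_params_consistent` check is the part worth running before relying on any reimplementation of this verify step.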