Tweet
By Console Crunch
Today, zecoxao has released a guide on how to run PSP games on the PS3, this is done by making the PS3 think that they are minis running on the PS3.
This may also be the way that the Cobra-USB uses to run PSP games using their dongle.
Quote:
A little bird reminded me that the EDAT tool is based of Juan’s code. once again, I’m deeply sorry if I haven’t given the proper credit to that amazing person. it’ll be left in the header of this post for people to see. apologies…
Cleaned up. OK, so here’s how it works:
On each mini, there are two files called ISO.BIN.EDAT and MINIS.EDAT.
There’s also another one (the game) called EBOOT.PBP
Decrypting ISO.BIN.EDAT will generate a binary that contains the following :
http://www.ps3devwiki.com/wiki/Iso.b....bin_structure
Decrypting MINIS.EDAT will generate a binary that contains almost the same, except that it is much smaller because it only contains a small header and the encrypted version key (i’m going to add the info to the wiki so don’t worry)
Now, there is a program, with included source code, based on libkirk, that does all the hard work for us and decrypts the EBOOT.PBP. just rename EBOOT.PBP to NP.PBP and it’ll decrypt the eboots contents for you
That program will also generate the header (in big endian) and the version key (exists per pbp)
Let’s take care of the MINIS.BIN first. it has a random 16 bytes of data. if we decrypt that data with this specific key using aes-cbc
62 5E 77 79 46 62 6A 37 33 6E 3A 5D 4A 6B 71 4B
we will get the version key. that takes care of MINIS.BIN and we can forge our own if we want with another eboot.
let’s go now to ISO.BIN
the header there is the same as the generated header from the decryptor, except byte swapped in some places (again, little endian in ISO.BIN and big endian in np_header.bin)
header taken care of, we go to the table (lots of fucking hours on this one guys)
this is divided in 4 parts (cmac of block using another key, offset of block relative to np_header and size in bytes of encrypted and compressed data)
finding the block offset (tp[4] in code) and the block size (tp [5]) in the code was easy, as well as the padding bytes (tp [6] and [7]). the hard part was the cmac, which is now taken care of ( the link for the modified tool is here : http://dl.dropbox.com/u/35197530/npdpc.zip , take notice only the first block cmac is generated)
you’ll notice that in that code, there is a key in npeg.c . that is the minis1 key .
now we have proper cmacs. Very nice ;D:
what’s missing now is to find an iso and make it an eboot, and use the information of the eboot and put it on ISO.BIN and MINIS.BIN, then repack the edats (using KDSBest’s tool) , create a pkg and test it
for packing isos into eboots the closest we have is fake_np (also in libkirk)
for those of you who want to test these kirk tools, check the link under the minis table information
And that’s it
Today, zecoxao has released a guide on how to run PSP games on the PS3, this is done by making the PS3 think that they are minis running on the PS3.
This may also be the way that the Cobra-USB uses to run PSP games using their dongle.
Quote:
A little bird reminded me that the EDAT tool is based of Juan’s code. once again, I’m deeply sorry if I haven’t given the proper credit to that amazing person. it’ll be left in the header of this post for people to see. apologies…
Cleaned up. OK, so here’s how it works:
On each mini, there are two files called ISO.BIN.EDAT and MINIS.EDAT.
There’s also another one (the game) called EBOOT.PBP
Decrypting ISO.BIN.EDAT will generate a binary that contains the following :
http://www.ps3devwiki.com/wiki/Iso.b....bin_structure
Decrypting MINIS.EDAT will generate a binary that contains almost the same, except that it is much smaller because it only contains a small header and the encrypted version key (i’m going to add the info to the wiki so don’t worry)
Now, there is a program, with included source code, based on libkirk, that does all the hard work for us and decrypts the EBOOT.PBP. just rename EBOOT.PBP to NP.PBP and it’ll decrypt the eboots contents for you
That program will also generate the header (in big endian) and the version key (exists per pbp)
Let’s take care of the MINIS.BIN first. it has a random 16 bytes of data. if we decrypt that data with this specific key using aes-cbc
62 5E 77 79 46 62 6A 37 33 6E 3A 5D 4A 6B 71 4B
we will get the version key. that takes care of MINIS.BIN and we can forge our own if we want with another eboot.
let’s go now to ISO.BIN
the header there is the same as the generated header from the decryptor, except byte swapped in some places (again, little endian in ISO.BIN and big endian in np_header.bin)
header taken care of, we go to the table (lots of fucking hours on this one guys)
this is divided in 4 parts (cmac of block using another key, offset of block relative to np_header and size in bytes of encrypted and compressed data)
finding the block offset (tp[4] in code) and the block size (tp [5]) in the code was easy, as well as the padding bytes (tp [6] and [7]). the hard part was the cmac, which is now taken care of ( the link for the modified tool is here : http://dl.dropbox.com/u/35197530/npdpc.zip , take notice only the first block cmac is generated)
you’ll notice that in that code, there is a key in npeg.c . that is the minis1 key .
now we have proper cmacs. Very nice ;D:
what’s missing now is to find an iso and make it an eboot, and use the information of the eboot and put it on ISO.BIN and MINIS.BIN, then repack the edats (using KDSBest’s tool) , create a pkg and test it
for packing isos into eboots the closest we have is fake_np (also in libkirk)
for those of you who want to test these kirk tools, check the link under the minis table information
And that’s it