Printable View
I would like to learn more about how the MCID worked on the old memory card exploits and if the ELF encryption was ever recreated in a PC executable or similar.
In a nutshell, I want to try to get the content and card keys from an ELF that was encrypted.
Anyone help or a pointer in the right direction would be great!
Sorry... but from my basic understanding of how FMCB generated the filed needed to "sign" the forged update files, it can't be done without a real PS2.Quote:
Originally Posted by supa
It seems like FMCB's installer loads several modules and interfaces with SECRMAN to sign the forged update files.
However, SECRMAN requires the PS2's MECHACON (drive MECHanics CONtroller) to encrypt data (The encryption method hasn't been cracked before).
Maybe the devs of FMCB can give a more accurate and correct response than this answer I've given.
I see. Thanks for the reply!
I have a PS2 handy if necessary. I just haven't found much luck finding anything that describes or has source available to show how the kBit and kC could be generated/brute forced/etc. I would like to be able to find these values for an encrypted ELF on a memory card I have, and then possibly re-encrypt those ELFs for use with a new memory card.
API names or anything would be extremely helpful.
You could look at the FMCB 1.7 sources (1.8x sources are not available to the public).
Oh! Great lead. I'll have to follow this up as soon as I get home.
I asked about source before and read that it was no longer available - but I'm sure 1.7 source has to be out there somewhere.
Somewhat off topic - any tips on a NAND Flash programmer that supports the almost completely deprecated 64Mb flash from a Sony memory card? Preferrably one that doesn't cost $300, or even a "roll your own" with some AVRs or something....
I think that the original FMCB thread here still has it as an attachment on the 1st post of that thread.Quote:
Originally Posted by supa
Otherwise, PM me if you can't find it.
I don't know of such a programmer... but why would you need it (Unless you're planning to use those EEPROMS that exist within a SCE Memory card...)?Quote:
Somewhat off topic - any tips on a NAND Flash programmer that supports the almost completely deprecated 64Mb flash from a Sony memory card? Preferrably one that doesn't cost $300, or even a "roll your own" with some AVRs or something....
BTW: Some links + info that might interest you on the MCID generation (Regarding some of the modules that were used):
SECRMAN functions reference: http://www.cdvdmania.com.ru/secrman.html
MCSERV functions list: http://www.cdvdmania.com.ru/mcserv.html
You might also want to look at the MCMAN replacement module that's bundled with uLE (4.4x releases, in the "Changed sources" folder) if you want to play around with MCMAN's functions.
I see some code that says,
"SecrDownloadFile: Cannot get kbit
SecrDownloadFile: Cannot get kc
SecrDownloadFile: Cannot get icvps2"
Well, more accurately some strings in some code, but more importantly...
KeyC is a content key, kB is something from MG and ICVPS2... is... what is that?
Where did you see those strings?Quote:
Originally Posted by supa
They're strings found in SECRMAN... but when did you see them (Did some program display those messages as errors, or did you just happen to find them in SECRMAN?)?
I think that those functions are used for encryption.
The FMCB devs should be able to answer your question on what ICVPS2 stands for.
I just happened across them in SECRMAN while poking around for clues.
Considered disassembling it, but I'm not really up to date on my MIPS assembly....