Untitled

[00:16] <@Draan> Mathieulh: haha, nice then. IIRC we need kirk 7 key to sign kernel modules
[00:17] <Zecoxao> what about that guy, Proxima?
[00:17] <Zecoxao> seems like he's finding interesting stuff
[00:18] <@Draan> kirk 7 key is used to encrypt kernel header iirc
[00:18] <@Draan> ECDSA encrytion is used to encrypt the file itself
[00:18] == RoxFox64 [~RoxFox64@66-190-90-133.dhcp.athn.ga.charter.com] has quit [Ping timeout: 258 seconds]
[00:18] <@Draan> looks like Proxima figured out that stuff
[00:22] <+Mathieulh> you can calculate the priv
[00:22] <+Mathieulh> for kirk 0x01
[00:22] <+Mathieulh> that's enough to fake sign any kernel module
[00:22] <+Mathieulh> with what you already have
[00:23] <some1_> you need to forge ~PSP header as well
[00:24] <Zecoxao> so all you need is kirk 7?
[00:25] <+Mathieulh> you don't need kirk 7 cause you can reuse sony's own stuff
[00:25] <some1_> lol, so back to fake signing?
[00:25] <@Draan> kernel modules? xD
[00:25] <+Mathieulh> the same reason you don't need the curves for ecdsa
[00:25] <+Mathieulh> because you can reuse their R value
[00:27] <@Draan> Mathieulh: well...so it's possibile to sign an updater?
[00:28] <some1_> I'm sure perm cfw will be out by the end of the year
[00:28] <some1_> actually, I'm surprised its not further along already
[00:29] <@PspHellcat> o_O
[00:29] <@PspHellcat> nold?
[00:29] <some1_> lolno
[00:29] <@Draan> artart? o_O
[00:29] <+Mathieulh> Draan yes it is
[00:29] <+Mathieulh> but there is no point
[00:30] <+Mathieulh> because we already have a kernel exploit
[00:30] <+Mathieulh> also sony can fix this in their next firmware
[00:30] <some1_> mhmm
[00:30] <@PspHellcat> sploits can be fixed
[00:30] <+Mathieulh> by using cmd 0x10
[00:31] <+Mathieulh> there is another neat exploit out there anyway
[00:31] <+Mathieulh> it's just not public
[00:32] <+Mathieulh> and I am not the one who found it so meh....
[00:34] <Zecoxao> so, it's possible to fake sign kernel applications without the fear for a system update or not?
[00:34] <@Draan> no, they can fix it
[00:34] <+Mathieulh> yah
[00:34] <@JEEB> unless something is done in hardware I'd say system updates can fix everything
[00:34] <+Mathieulh> they can just stop using cmd 0x01
[00:34] <some1_> yup
[00:34] <@JEEB> yeh
[00:34] <@Draan> because they can change kernel encryption as they wish
[00:34] <+Mathieulh> and provide their own pub + priv
[00:34] <some1_> find an exploit in pre-ipl tho, screwed for life :D
[00:35] <+Mathieulh> not really
[00:35] <+Mathieulh> you'd still need a way to write your ipl
[00:35] <+Mathieulh> basically you'd need service mode + your own IPL
[00:35] <+Mathieulh> then you are settled
[00:35] <some1_> well, if you can obtain pre-ipl somehow, I'm sure you can forge the 0x20 hash
[00:36] <@Draan> btw, i think we can truesign IPLs for old devices ;)
[00:36] <@Draan> as it uses only 0x1
[00:36] <some1_> or I should say, most likely 0x14 hash + salt
[00:36] <+Mathieulh> well, we can sign the ecdsa
[00:36] <+Mathieulh> for a pspgo or 3k ip
[00:36] <+Mathieulh> ipl*
[00:37] <+Mathieulh> cause we have the priv
[00:37] <+Mathieulh> but we don't know how they generate the 0x20 hash
[00:37] <+Mathieulh> that's what's stopping us
[00:37] <some1_> mhmm
[00:37] <@Draan> bruteforce anyone? xD
[00:37] <some1_> lmao
[00:37] <@JEEB> lol
[00:38] <@PspHellcat> knowing sony
[00:38]  * JEEB coughs and looks at the access key to a computing cluster
[00:38] <@PspHellcat> its some lazy XOR
[00:38] <some1_> it could be anythign tbh
[00:38] <some1_> sha-1 + xor + possible encryption
[00:38] <some1_> + salt
[00:39] <@JEEB> yah
[00:41] <+Mathieulh> I think we abused the only possible pre-ipl exploits
[00:41] <+Mathieulh> and they closed them
[00:41] <+Mathieulh> the only way now would be to decap
[00:41] <some2_> <Draan> bruteforce anyone? xD <--- grab an 88v3 and go ahead and start xP