Prx Decryption NIDs!!!!!

January 10th, 2009 silverspring

I never thought these would ever be cracked, but finally here are the sceMesgLed NIDs (these are only valid up to 2.00, since the NIDs were 'randomised' in the following update, 2.50):

  • 0x84a04017 sceUtilsGetLoadModuleCLength
  • 0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
  • 0xa4547df1 sceUtilsGetLoadModuleDLength
  • 0x94eb1072 sceUtilsGetLoadModuleDLengthByPolling
  • 0x198fd3be sceUtilsGetLoadModuleILength
  • 0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
  • 0x07e152be sceUtilsGetLoadModuleJLength
  • 0x9906f33a sceUtilsGetLoadModuleJLengthByPolling
  • 0x46ac0e78 sceUtilsGetLoadModuleKLength
  • 0x55c8785e sceUtilsGetLoadModuleKLengthByPolling
  • 0x67a5ecdf sceUtilsGetLoadModuleLLength
  • 0x85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
  • 0x951f4a5b sceUtilsGetLoadModuleMLength
  • 0x58999d8e sceUtilsGetLoadModuleMLengthByPolling
  • 0x9fc926a0 sceUtilsGetLoadModuleNLength
  • 0x7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions and libs). Each of these functions decrypts one particular type of ~PSP encrypted executable. The executable type is stored at offset 0x7C of a ~PSP file, and the type number corresponds to the letter in the function names: Type N is decrypted by the function whose letter is the Nth letter of the alphabet. For example, Type3 exes (vshmain modules) are decrypted with the 'C' function, Type4 exes (user modules) with the 'D' function, and so on. There are no Type5, 6, 7 or 8 exes, so the letters E to H are missing. Other exe types that use the above functions include:

  • Type09 UMD games (use ‘I’ to decrypt)
  • Type10 Gamesharing games (use ‘J’ to decrypt)
  • Type11 Debug Gamesharing games (use ‘K’ to decrypt)
  • Type12 MS Updater (use ‘L’ to decrypt)
  • Type13 MS Demo games (use ‘M’ to decrypt)
  • Type14 Flash application eboots (use ‘N’ to decrypt)

Later firmware added extra exe types too (such as POPS executables, Type20). So, as you can see, the executable type number corresponds to the letter of the alphabet used in the decryption functions' naming.

Type1 exes are internal debug modules, while Type2 exes are kernel modules. Both are decrypted the same way, hence the 'A' and 'B' in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also two more NIDs from memlmd (these ONLY exist in 2.00, which was when these functions were added to the firmware; they were 'randomised' in the following update, 2.50):

  • 0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
  • 0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

These functions are similar to the 'sigcheck' functions in that they take an encrypted ~PSP file and 'scramble' its 'sig' area (the 0xD0 bytes from offset 0x80 to 0x150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas normal sigchecking IS unique per PSP (each PSP's FuseID is used when flashing its prxs, which is why files from different PSPs are not compatible and therefore cannot be shared).
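As an added example (not code from the original post, from memlmd/mesgled or from the PSP firmware), here is a small C helper that ties the two header facts on this page together: it reads the executable type at offset 0x7C out of a ~PSP header, maps it to the decryptor name using the letter rule described above (including the shared AB function for Types 1 and 2 and the gap at Types 5 to 8), and locates the 0xD0-byte sig area at 0x80-0x150 that these functions scramble. The macro and function names are mine, the sample header is constructed for the demonstration and is not a real PSP binary, and it assumes the type is taken from the low byte at 0x7C (the post gives only the offset, not the field width; the PSP is little-endian and all listed type numbers fit in a byte). Type20 (POPS) is rejected because no letter is given for it here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the post: the executable type lives at 0x7C of a ~PSP file and the
 * 'sig' area that the decryptors scramble is the 0xD0 bytes at 0x80-0x150. */
#define PSP_MAGIC          "~PSP"
#define PSP_EXEC_TYPE_OFF  0x7C
#define PSP_SIG_OFF        0x80
#define PSP_SIG_LEN        0xD0
#define PSP_HEADER_LEN     (PSP_SIG_OFF + PSP_SIG_LEN)   /* 0x150 */

/* Executable types named on the page. Types 5-8 have no decryptor; Type20 (POPS)
 * was added by later firmware and its letter is not given, so it is rejected too. */
static int psp_type_known(unsigned type) {
    return type == 1 || type == 2 || type == 3 || type == 4 || (type >= 9 && type <= 14);
}

/* Build the decryptor name for an executable type, e.g. Type9 (UMD game) ->
 * "sceUtilsGetLoadModuleILength". The letter is 'A' + (type - 1); Types 1 and 2 are
 * decrypted the same way and share the two-letter "AB" function in memlmd.
 * polling != 0 selects the "...ByPolling" variant. Returns 0, or -1 if unknown. */
int psp_decryptor_name(unsigned type, int polling, char *out, size_t outlen) {
    char letters[3];
    if (!psp_type_known(type)) return -1;
    if (type <= 2) {
        strcpy(letters, "AB");
    } else {
        letters[0] = (char)('A' + (type - 1));
        letters[1] = '\0';
    }
    int n = snprintf(out, outlen, "sceUtilsGetLoadModule%sLength%s",
                     letters, polling ? "ByPolling" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Read the executable type out of a ~PSP header. Assumption (not stated on the page):
 * the type is the low byte at 0x7C. Returns 0, -1 if the buffer is too short,
 * -2 if the ~PSP magic is missing. */
int psp_read_exec_type(const uint8_t *buf, size_t len, unsigned *type_out) {
    if (buf == NULL || len < PSP_HEADER_LEN) return -1;
    if (memcmp(buf, PSP_MAGIC, 4) != 0) return -2;
    *type_out = buf[PSP_EXEC_TYPE_OFF];
    return 0;
}

/* Pointer to the 0xD0-byte sig area (0x80-0x150) the decryptors scramble, or NULL. */
const uint8_t *psp_sig_area(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < PSP_HEADER_LEN) return NULL;
    return buf + PSP_SIG_OFF;
}

/* Constructed sample header (not a real PSP binary): magic, a type byte and a filler
 * pattern in the sig area, enough to exercise the functions above. */
size_t psp_build_sample(uint8_t *buf, size_t len, unsigned type) {
    if (buf == NULL || len < PSP_HEADER_LEN) return 0;
    memset(buf, 0, PSP_HEADER_LEN);
    memcpy(buf, PSP_MAGIC, 4);
    buf[PSP_EXEC_TYPE_OFF] = (uint8_t)type;
    for (size_t i = 0; i < PSP_SIG_LEN; i++) buf[PSP_SIG_OFF + i] = (uint8_t)(0xA5 ^ i);
    return PSP_HEADER_LEN;
}

/* Build a sample of the given type, parse it back, and return the decryptor name it
 * maps to (static storage), or NULL if the type has no decryptor. */
const char *psp_sample_decryptor(unsigned type, int polling) {
    static uint8_t hdr[PSP_HEADER_LEN];
    static char name[64];
    unsigned t;
    if (psp_build_sample(hdr, sizeof hdr, type) == 0) return NULL;
    if (psp_read_exec_type(hdr, sizeof hdr, &t) != 0) return NULL;
    if (psp_decryptor_name(t, polling, name, sizeof name) != 0) return NULL;
    return name;
}

int main(void) {
    for (unsigned type = 1; type <= 14; type++) {
        const char *name = psp_sample_decryptor(type, 0);
        printf("Type%02u -> %s\n", type, name ? name : "(no decryptor)");
    }
    return 0;
}
```

Running it prints the type-to-function table from the post, with Types 5 to 8 reported as having no decryptor; on a real file you would call psp_read_exec_type on the first 0x150 bytes and, for the sigcheck comparison, diff the bytes returned by psp_sig_area before and after the firmware has processed the module.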