Channel: PSP Archives - Wololo.net

The PlayStation Portable’s Kirk ROM (encryption/decryption engine) has been dumped


Kirk is one of the crypto processors running on the PlayStation Portable. The engine’s binary has apparently been dumped recently, with Zecoxao announcing the breakthrough a few weeks ago*. Although open-source implementations of the Kirk engine have been floating around for some time, as I understand it, these do not include the full set of operations. A full reverse engineering of the engine would allow all encryption/decryption operations to be performed on a PC, without the need for a PSP.

It is nice to see more discoveries still happening for the PSP. With the main crypto engine of the console now fully available, I am not sure if the PSP has any more secrets to reveal?

The hackers behind this have chosen not to disclose (for now) how the KIRK binary was accessed.

What is Kirk for the PSP?

The PSP KIRK Crypto Engine is a security hardware device that is embedded into the TACHYON main IC chip. It is a bus master and can DMA to/from main DDR RAM memory, operating independently of the CPU. It is capable of performing AES encryption, decryption, SHA1 Hash, pseudo random number generation, and signature generation and verifications (ECDSA) and CMAC. (source)

Kirk handles most of the encryption/decryption steps on the PSP, including per-console content such as the NAND. The other modules in charge of encryption/decryption on the PSP are Lepton and Spock, which focus more on UMD.

About the Kirk Binary Dump

From Zecoxao on PSX-Place:

In a conjoined effort, the APE discord group managed to finally dump the elusive PlayStation Portable Kirk ROM. With the knowledge in hand, they were able to decipher most of the kirk commands (kirk0 was assumed to be nonexistent until now) and derive the per-console keys and seeds used for prng and kirk commands 3,5,6,8,9,0xF,0x10 and 0x12 respectively. The follow-up information can be found in the PlayStation Portable wiki, under the Kirk section (https://www.psdevwiki.com/psp/Kirk). As for the ROM, it can be downloaded from Darthsternie’s site, here: https://darthsternie.net/psp-assorted-firmwares/

The IDA processor module can be found here:
https://github.com/ProximaV/kirk
The Ghidra processor module can be found here:
https://github.com/LemonHaze420/ghidra_kirk
An alternative version of the Ghidra processor module also exists here:
https://github.com/balika011/ghidra_kirk

Credit is given to the following people for the recent Kirk Dump:

  • Anonymous, for you know what you have done
  • Proxima, for the processor module
  • davee, for general purpose RE and more proc opcodes
  • LemonHaze, for opcode contrib

Download PSP Kirk ROM

You can download the Kirk dump itself here

Source: Zecoxao

* And yelling at me for not talking about it here when this was announced. Sorry but I had “reasons”!

The post The PlayStation Portable’s Kirk ROM (encryption/decryption engine) has been dumped appeared first on Wololo.net.

