PSISOIMG0000 Mystery key? = PSONE/PSX related.

September 17, 2012

Is our situation not dismal? Wonderland is so discombobulated that lady bugs have turned belligerent and enlisted in the queen's army! PUNISH THEIR CONVERSION!

User @munky875821417 today made a thread about a key that Nas_Plugi released on a wiki talk page (ps3devwiki).

To quote:

PSISOIMG0000

Public key: 948DA13E8CAFD5BA0E90CE434461BB327FE7E080475EAA0AD3AD4F5B6247A7FDA86DF69790196773
Curve type: 2 (vsh)

They say that curiosity killed the cat… and @GregoryRasputin found this:
User Tommydanger, a member of lan.st, started some research about all this:

Hi
I thought I would share my findings about the PSX Eboots. (official ones )
It’s by far not complete, there are still many unknowns. (at least to me :P )
(I haven’t found a place with a proper discussion about it yet :/ )
But I hope with the help of others we are able to reverse engineer the format much quicker

Feel free to correct me If I got something wrong

keys.bin
16 Byte file with the “keys” required to run the game?
If you try to run the game without the keys.bin present it gives you CA000005 error on 3.02 OE-B. I don’t know if this is a custom error code from Dax?!
Used for XOR encryption -> memory card?!

document.dat
According to Dax bunch of pngs which hold the manual
Encrypted

In fact, if you try to enter the manual with no document.dat present, it states that there is no user manual.
You can however switch document.dat, it doesn’t seem to be tied to the eboot (I could open Cool Boarders 2 manual even though I was playing Hot Shots Golf )

16 byte header which is the same on every document.dat.
Starting with the magic key 0“PGD”: a 0 byte followed by PGD,
followed by two 4-byte values whose MSB is 1 and the others 0, then followed by four 0 bytes to finish off the header.
Quote:
00 50 47 44 01 00 00 00 01 00 00 00 00 00 00 00

Eboot.pbp
Contains the compressed ISO image of the psx game.
40-byte header, just like any other pbp.
Contains offsets to:
-sfo
-icon0 (icon you’ll see in the xmb)
-pic0 (semi-transparent png which is always in front of pic1)
-pic1 (full res background)
-psp
-psar
Psar offset points to
“PSISOIMG0000” followed by 4 bytes of unknown purpose.
(Maybe some offset?)
16 bytes header, however only the last 4 bytes differ from eboot to eboot.
Resident Evil Directors Cut [JP]
Quote:
50 53 49 53 4F 49 4D 47 30 30 30 30 00 B3 82 16
Cool Boarders [US]
Quote:
50 53 49 53 4F 49 4D 47 30 30 30 30 C0 DD 7D 11
Hot Shots Golf 2 [US]
Quote:
50 53 49 53 4F 49 4D 47 30 30 30 30 40 C2 F6 08
Immediately after the PSISOIMG0000 header there are some 0 bytes, whose size varies from eboot to eboot
(Note, there are some 0 bytes before the PSISOIMG0000 label too)
After the 0 bytes there’s a PGD header of unknown purpose

At the very bottom of every PSX Eboot you can find a PNG image.
(I still have to figure the offset to it out)
This is simply the image you will see when you execute your PSX Eboot.
On a non PSX Eboot you would see the gameboot.pmf.
I think it can be changed without breaking the eboot.

Then after the PNG image, there’s another PGD header, also of unknown purpose. After it -> EOF.
(Maybe the 2 PGD files in it are responsible for the way the manual works.
e.g When you browse through the manual and say exit it at page 15 and then you reenter the manual or reenter after you exited the game it’s still at page 15.
I tested it on document.dat, leaving it on page 15 and then on page 20, nothing changed, file is still the same.
So there must be some indicator that keeps track of which page you browsed the last, maybe these two PGD’s have something to do with it?!)

Savegames
It saves at ms0:/PSP/SAVEDATA/GAMEID
param.sfo
Ordinary param.sfo
icon0.png
Png which was extracted from the eboot
config.bin
Always 1024 bytes.
Purpose yet to be revealed
memcard1.dat/memcard2.dat
Always 131104 bytes.
Most likely imitates the PlayStation memory card file system
Encrypted (xor keys.bin?!)

Yeah that’s it for now, tell me what you think
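
The layout described in Tommydanger’s post above, as a small parser (an added example, not part of his post or of any tool named on this page). The eight-offset section order is the commonly documented PBP layout, the little-endian reading of the last 4 bytes is an assumption, and the input is a constructed sample that reuses the Resident Evil header bytes quoted above.

```python
import struct

PBP_MAGIC = b"\x00PBP"
PSISO_MAGIC = b"PSISOIMG0000"
PGD_MAGIC = b"\x00PGD"
# Order of the eight offsets in the commonly documented PBP layout
# (assumption: the post itself names only six of these sections).
PBP_SECTIONS = ("param.sfo", "icon0.png", "icon1.pmf", "pic0.png",
                "pic1.png", "snd0.at3", "data.psp", "data.psar")


def parse_pbp_header(data):
    """Return {section: offset} from the 40-byte PBP header."""
    if len(data) < 40 or data[:4] != PBP_MAGIC:
        raise ValueError("not a PBP file")
    offsets = struct.unpack_from("<8I", data, 8)
    if any(o > len(data) for o in offsets) or list(offsets) != sorted(offsets):
        raise ValueError("PBP offsets out of range or not ascending")
    return dict(zip(PBP_SECTIONS, offsets))


def parse_psisoimg(data, psar_offset):
    """Check the 16-byte PSISOIMG0000 header and return its last field."""
    hdr = data[psar_offset:psar_offset + 16]
    if len(hdr) < 16 or hdr[:12] != PSISO_MAGIC:
        raise ValueError("PSAR does not start with PSISOIMG0000")
    # Last 4 bytes: purpose unknown in the post. Read as a little-endian
    # uint32 (assumption) so the value can be compared across eboots.
    return struct.unpack_from("<I", hdr, 12)[0]


def find_pgd_headers(data, start=0):
    """Offsets of every 00 'PGD' magic at or after `start`."""
    hits, pos = [], data.find(PGD_MAGIC, start)
    while pos != -1:
        hits.append(pos)
        pos = data.find(PGD_MAGIC, pos + 1)
    return hits


def build_sample():
    """Constructed sample: PBP header, padding, PSAR label, zeros, one PGD."""
    psar = 0x40
    header = PBP_MAGIC + struct.pack("<I", 0x00010000) + struct.pack(
        "<8I", 0x28, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, psar)
    body = bytes.fromhex("505349534F494D473030303000B38216")
    pgd = bytes.fromhex("00504744010000000100000000000000")
    return header.ljust(psar, b"\x00") + body + b"\x00" * 32 + pgd
```

On a real eboot, read the file into `data`, pass the `data.psar` offset to `parse_psisoimg`, and use `find_pgd_headers` from that offset to locate the PGD blocks the post mentions.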

So far we have:

  • Nas_plugi found this key inside EMU not VSH.
  • It’s not DEX specific (or unique for DEX).
  • Common to all TargetIDs that have EMU.
  • It’s in ps1_netemu.self.elf and ps1_newemu.self.elf.
  • Key is STATIC.
  • The curve type is INSIDE vsh.self, not the key.

What can we do with this?

Just wait and see what happens, but it is related to:

  • PS ONE emulation
  • PSX emulation
  • We don’t know what key was used to decrypt, but since the KEY is static it *could* be the same.

==========================================================

Note: I will keep updating this until we reach something the average user can understand. Please don’t jump to conclusions such as COBRA being pwned or anything like that. This is research and a key posted on PS3DEVWIKI.

[Source] :

Nas_Plugi talk Page 

Tommydanger’s:  Research about PSX Eboots

========================

[Links of Interest] : 

TargetID

Emulation: Talk page

PSISOIMG0000 key released on wiki

Regards

Hellsing9

P.s: Many THANKS to @euss for his time and patience.
