Thanks so much for replying! Sorry to bother you again, I'm trying to figure out how large the difference is between the PRS-T1 and PRS-G1. I know you wrote the following in one thread.
Originally Posted by porkupan
If you have the Western or Japanese model of PRS-T1, your encryption keys are exactly the same as everyone else's. If you have a PRS-G1 or the Russian model of PRS-T1, the SD card update will not work for you, and the encryption method of the update packages is quite different, besides the fact that they are signed by a private key.
One more thing to remember. If you have an update image on the SD card, it has priority over the update package in the internal memory. To get the "serial gadget" login you need to copy the XXX-Updater.package from the login_update folder in this archive into the root of the "internal memory" ("drive" READER).
I was hoping you might be able to tell me what is involved in finding the encryption key for the unit. I've looked over some of the scripts to extract the encryption key from the memory dumps and use them to unpack the upgrade "PRS-T1 Updater.package" packages. From my first inspection it looks like the only difference I could find between the PRS-G1 and PRS-T1 packages was that they no longer write "Salted__" at the beginning of the openssl-encrypted files. That appears to indicate that openssl password-based encryption was used. Now you will notice that there is no "Salted__"; however, the shift in data is approximately 8 bytes, not 16 bytes. This implies to me that the data is still salted and they are just hiding the "Salted__" flag from the beginning of the files. This is why I wasn't sure how you came to the conclusion that it was using public/private key encryption rather than still using the RSA password-based encryption. I wanted to know in what way you had discovered that the encryption for the PRS-T1 and the Russian model as well as the PRS-G1 differ. I was hoping you could elaborate on how different the encryption is and whether it will make it a lot more difficult to update if I were to find a way to dump the memory. I'm considering investing in some NAND dumping and/or JTAG equipment to have a go, as it seems like an interesting challenge. I did, however, wonder how you dumped the initial unit to find the RSA key so you could build your first custom "PRS-T1 Updater.package". Will I need to build/buy a NAND flash dumper?
EDIT: I just noticed the part in your comment about it being signed by a private key. It looks like the only way to root this would be to reprogram the NAND flash directly. Perhaps this is a bit too much for a first project; knowing the public key on the unit wouldn't really get me far in terms of making a general XXX-Updater.package... Correct me if I'm wrong in this understanding. Thanks!
EDIT2: Finally, I forgot to mention that if you'd be interested in taking a look, I'm very happy to pay to ship my device to you.
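The post above reasons from the "Salted__" magic and the 8-byte shift to conclude that the package is still OpenSSL password-based output with the magic stripped. The following is an added example, not code from the poster or from the unpacking scripts mentioned in the thread, that shows what that layout and its key derivation look like: `openssl enc -k <pass>` writes `Salted__` + an 8-byte salt + CBC ciphertext, and (in the OpenSSL versions of that era, before 1.1.0 switched the default digest to SHA-256) derives key and IV with EVP_BytesToKey over MD5, one iteration. The password `b"password"`, the salt `bytes(range(8))` and the 32 zero bytes used as ciphertext are constructed placeholders; nothing here is Sony's actual format or key, and the real package may use a different cipher or digest.

```python
"""Layout and key derivation of OpenSSL 'enc' password-based files.

Added example for the thread above; not Sony's format or the poster's scripts.
Assumptions (placeholders): PASSWORD is a dummy password and SAMPLE_CT is
constructed filler, not real package bytes. The KDF mirrors the legacy
'openssl enc -k <pass>' behaviour: EVP_BytesToKey with MD5, one iteration.
"""
import hashlib

MAGIC = b"Salted__"      # 8-byte magic written by 'openssl enc' when salting
SALT_LEN = 8             # followed by an 8-byte random salt
BLOCK = 16               # AES block size; CBC output is a multiple of this

# Constructed sample input (placeholders, not real package data).
PASSWORD = b"password"
SAMPLE_SALT = bytes(range(8))
SAMPLE_CT = bytes(32)                                  # stand-in for two AES blocks
SAMPLE_WITH_MAGIC = MAGIC + SAMPLE_SALT + SAMPLE_CT    # normal 'openssl enc' layout
SAMPLE_STRIPPED = SAMPLE_SALT + SAMPLE_CT              # magic removed, salt kept


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, count=1):
    """Legacy OpenSSL EVP_BytesToKey with MD5.

    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt);
    key || iv is the concatenation of the D_i truncated to key_len + iv_len.
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):          # extra iterations only when count > 1
            d = hashlib.md5(d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def classify_layout(blob):
    """Length-based heuristic from the post: magic present, or an 8-byte
    prefix in front of block-aligned ciphertext (magic stripped), or neither."""
    if blob.startswith(MAGIC):
        return "salted_with_magic"
    if len(blob) % BLOCK == SALT_LEN:       # 8 extra bytes before aligned data
        return "salted_magic_stripped"
    if len(blob) % BLOCK == 0:              # no salt, or a 16-byte prefix
        return "unsalted_or_16_byte_prefix"
    return "unknown"


def split_salted_blob(blob, assume_bare_salt=False):
    """Return (salt, ciphertext). With assume_bare_salt, treat the first 8 bytes
    as the salt even though the 'Salted__' magic is missing."""
    if blob.startswith(MAGIC):
        start = len(MAGIC)
        return blob[start:start + SALT_LEN], blob[start + SALT_LEN:]
    if assume_bare_salt:
        return blob[:SALT_LEN], blob[SALT_LEN:]
    return None, blob


def derive_for_blob(blob, password, assume_bare_salt=False):
    """Key/IV that 'openssl enc' would use for this blob and password, or None
    when no salt can be located."""
    salt, _ct = split_salted_blob(blob, assume_bare_salt)
    if salt is None or len(salt) != SALT_LEN:
        return None
    return evp_bytes_to_key(password, salt)


def kdf_matches_definition(password, salt):
    """Cross-check the KDF against its definition for AES-256-CBC (48 bytes)."""
    key, iv = evp_bytes_to_key(password, salt)
    d1 = hashlib.md5(password + salt).digest()
    d2 = hashlib.md5(d1 + password + salt).digest()
    d3 = hashlib.md5(d2 + password + salt).digest()
    return key == d1 + d2 and iv == d3


if __name__ == "__main__":
    for name, blob in (("with magic", SAMPLE_WITH_MAGIC), ("stripped", SAMPLE_STRIPPED)):
        key, iv = derive_for_blob(blob, PASSWORD, assume_bare_salt=True)
        print(name, classify_layout(blob), key.hex(), iv.hex())
```

The point the two sample blobs make is that stripping the magic changes nothing about the cryptography: the same salt and password give the same key and IV, so a file whose length is 8 mod 16 is a strong hint for the "hidden salt" reading in the post. With a key and IV in hand, the body can be handed to `openssl enc -d -aes-256-cbc -K <keyhex> -iv <ivhex>` (assuming AES-256-CBC, which the post does not confirm); this block deliberately stops at derivation because the standard library has no AES and the real cipher is not known from the thread.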