Well ok, here it comes. Tested on a fat PSP with OFW 6.35.
Simple: notice it contains the ~PSP header from a demo game (UCES00206); it is exactly the same header.
It is easy to craft the last 16 bytes of the encrypted data block to match the header CMAC - yes, that's the trick.
There are some strange things: it can't run homebrews with a bigger executable block (the data block does not matter), and because of the ~PSP header it has to match the exact size of the original game.
This trick might be possible on firmware kernel modules to get a permanent HEN on non-pandorable PSPs; I was not able to do it, but I was not trying that much.
PS: I am not the only one who found this trick.
Yeah, I know it's not PS3, but the PS3 made it possible due to its awesome security.
Source: wololo.net/talk/viewtopic.php?f=5&t=1381&start=150#p20309 and wololo.net/talk/viewtopic.php?f=5&t=1381&p=20720#p20715
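The CMAC part of the trick in the post above, as an added example (not the poster's code, and not the real ~PSP header layout or any Kirk/Spock key): when the CMAC key is known and the attacker controls the final 16-byte block of the data that is MAC'd, the tag can be forced to any value, because the last CMAC step is a single block encryption. The key, payload and target tag below are constructed; AES-128 from the `cryptography` package is used if it is installed, otherwise a toy keyed permutation (labelled as such, not a secure cipher) stands in, since the forgery only needs an invertible block function.

```python
"""CMAC (RFC 4493) last-block forgery with a known key.

Added example, not from the original post.  Tag = E_K(X_{n-1} ^ M_n ^ K1), so
whoever knows K and controls M_n sets M_n = D_K(target) ^ X_{n-1} ^ K1.
"""
import hmac

BLOCK = 16
MASK128 = (1 << 128) - 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _load_aes():
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def enc(key, blk):
        e = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return e.update(blk) + e.finalize()

    def dec(key, blk):
        d = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        return d.update(blk) + d.finalize()

    if dec(bytes(16), enc(bytes(16), bytes(16))) != bytes(16):
        raise RuntimeError("AES round trip failed")
    return enc, dec, "AES-128"


def _toy_cipher():
    # Placeholder 128-bit permutation (NOT a real cipher): 8 rounds of key XOR,
    # affine byte S-box x*7+0x2B (inverse multiplier 183) and a 13-bit rotate.
    def round_keys(key):
        k = int.from_bytes(key, "big")
        return [((k << (7 * i)) | (k >> (128 - 7 * i))) & MASK128 for i in range(8)]

    def enc(key, blk):
        x = int.from_bytes(blk, "big")
        for rk in round_keys(key):
            x ^= rk
            x = int.from_bytes(bytes((b * 7 + 0x2B) & 0xFF for b in x.to_bytes(16, "big")), "big")
            x = ((x << 13) | (x >> 115)) & MASK128
        return x.to_bytes(16, "big")

    def dec(key, blk):
        x = int.from_bytes(blk, "big")
        for rk in reversed(round_keys(key)):
            x = ((x >> 13) | (x << 115)) & MASK128
            x = int.from_bytes(bytes(((b - 0x2B) * 183) & 0xFF for b in x.to_bytes(16, "big")), "big")
            x ^= rk
        return x.to_bytes(16, "big")

    return enc, dec, "toy permutation (not a real cipher)"


try:
    ENC, DEC, CIPHER_NAME = _load_aes()
except Exception:  # `cryptography` missing or too old: use the labelled stand-in
    ENC, DEC, CIPHER_NAME = _toy_cipher()


def _dbl(b: bytes) -> bytes:  # doubling in GF(2^128) for the CMAC subkeys
    v = int.from_bytes(b, "big") << 1
    if v >> 128:
        v = (v & MASK128) ^ 0x87
    return v.to_bytes(BLOCK, "big")


def cmac_subkeys(key: bytes):
    k1 = _dbl(ENC(key, bytes(BLOCK)))
    return k1, _dbl(k1)


def cmac(key: bytes, msg: bytes) -> bytes:
    k1, k2 = cmac_subkeys(key)
    if msg and len(msg) % BLOCK == 0:
        blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
        blocks[-1] = _xor(blocks[-1], k1)
    else:  # partial last block: pad 10* and use K2
        padded = msg + b"\x80" + bytes((-len(msg) - 1) % BLOCK)
        blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
        blocks[-1] = _xor(blocks[-1], k2)
    x = bytes(BLOCK)
    for blk in blocks:
        x = ENC(key, _xor(x, blk))
    return x


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cmac(key, msg), tag)


def forge_last_block(key: bytes, prefix: bytes, target: bytes) -> bytes:
    """Return prefix + one crafted block whose CMAC under key equals target."""
    if len(prefix) % BLOCK or len(target) != BLOCK:
        raise ValueError("prefix must be whole blocks; target must be one block")
    k1, _ = cmac_subkeys(key)
    x = bytes(BLOCK)
    for i in range(0, len(prefix), BLOCK):  # CBC chain over the untouched part
        x = ENC(key, _xor(x, prefix[i:i + BLOCK]))
    return prefix + _xor(_xor(DEC(key, target), x), k1)


def rfc4493_vector_ok() -> bool:
    """With real AES, check cmac() against the RFC 4493 example vectors."""
    if CIPHER_NAME != "AES-128":
        return True
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    m16 = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")
    return (cmac(key, b"") == bytes.fromhex("bb1d6929e95937287fa37d129b756746")
            and cmac(key, m16) == bytes.fromhex("070a16b46b4d4144f79bdd9dd04a287c"))


def demo():
    key = bytes(range(16))                       # constructed "known" CMAC key
    prefix = bytes(48)                           # constructed payload, 3 blocks
    target = bytes.fromhex("00112233445566778899aabbccddeeff")  # tag fixed elsewhere
    forged = forge_last_block(key, prefix, target)
    return forged, verify_tag(key, forged, target)


if __name__ == "__main__":
    forged, ok = demo()
    print(CIPHER_NAME, "crafted tail:", forged[-16:].hex(), "verifies:", ok)
```

The lesson is the one the post relies on: a CMAC whose key the attacker has gives no integrity over data the attacker may append to, and signing the tag does not help once the tag can be hit by construction. `rfc4493_vector_ok()` checks the CMAC implementation against the RFC's published AES-128 vectors whenever real AES is in use.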
PSP Crypto Keys including the 'Kirk' and 'Spock' keys:
For those who wonder, the Spock cmd 0x09 key is used to decrypt the UMD keys stored in idstorage; those keys are then used by Spock cmd 0x08 to decrypt the UMD master key (per-disc key). That key is then used in Spock cmd 0x0A to decrypt the raw UMD sectors. Each PSP region seems to have its own set of UMD keys.
You can more or less access Spock through Lepton's RAM (there is a hidden test mode on Lepton allowing you to do just this). More on this later, if I ever get the time to clean up those sources.
P.S. Let's hope Sony uses Kirk cmd 0x12 for the kernel PRX ECDSA checks and that they made the same fail as on the PS3; would someone be so kind as to check it out?