Perhaps you keep forgetting: you don't need the HMAC key, at least for the IPL, which can be brute-forced in a few days for a single encrypted block, which is all you need :) All you need to do is find the method of data encryption/decryption and job done.
It is worth remembering that the encryption itself was probably more about obfuscation than any actual protection mechanism; of course they have probably tweaked something so it doesn't just decrypt plainly using AES on a PC, but that is so you couldn't easily break the obfuscation. The history of PSP security measures has been one of security through obscurity; this is just one step in that. They are unlikely to be hiding the algorithms; in fact they could probably say it uses AES and SHA1 HMAC and we would be no closer really to finding anything.
When it comes down to it, security of this kind is all about defense in depth and is also assumed to be time limited. If we had never got code to run on the device at all, it would be considerably harder to do what has been done. If they hadn't screwed up from day 1, maybe, just maybe, the PSP would still be a "secure" system :)
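The separation the post relies on, shown as an added example that is not from this thread or any PSP tool: the HMAC key only gates verification of a block, while decrypting it needs nothing but the cipher key, so a loader that wants integrity must check the tag before it ever decrypts. A SHA-256 keystream stands in for AES (an assumption, so the code runs on the standard library alone), and the tag-then-ciphertext layout is assumed, not the PSP's real IPL format.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha1().digest_size  # 20-byte SHA-1 HMAC tag (assumed layout)


def _keystream(cipher_key: bytes, length: int) -> bytes:
    """Constructed stand-in for the block cipher: SHA-256(key || counter) blocks.
    Not AES; it only lets the example run offline with the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(cipher_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal_block(plaintext: bytes, cipher_key: bytes, hmac_key: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers the ciphertext, block = tag || ciphertext."""
    ciphertext = _xor(plaintext, _keystream(cipher_key, len(plaintext)))
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()
    return tag + ciphertext


def verify_block(block: bytes, hmac_key: bytes) -> bool:
    """Integrity check: needs the HMAC key, never touches the cipher key."""
    tag, ciphertext = block[:TAG_LEN], block[TAG_LEN:]
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)  # constant-time compare


def decrypt_block(block: bytes, cipher_key: bytes) -> bytes:
    """Confidentiality side: needs only the cipher key; the tag is ignored."""
    ciphertext = block[TAG_LEN:]
    return _xor(ciphertext, _keystream(cipher_key, len(ciphertext)))


def load_block(block: bytes, cipher_key: bytes, hmac_key: bytes) -> bytes:
    """Loader-side policy: refuse to decrypt anything whose tag does not verify."""
    if not verify_block(block, hmac_key):
        raise ValueError("HMAC mismatch: block rejected before decryption")
    return decrypt_block(block, cipher_key)


if __name__ == "__main__":
    blk = seal_block(b"constructed stage, not firmware", b"\x11" * 16, b"\x22" * 20)
    print(decrypt_block(blk, b"\x11" * 16))  # decrypts with no HMAC key at all
    print(verify_block(blk, b"wrong key"))   # False: MAC key only affects the check
```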
Cracking the PSP OFW without pandora
New TA-090 apparently can be pandorized
Hi.
Just to complete this thread (slightly off-topic): I just found this announcement of a TA-090 that can be Pandorized:
http://psp.tgbus.com/yjzb/200809/20080918093811.shtml
Google engrish translation:
http://translate.google.com/translate?u ... n&ie=UTF-8
(Edit: removed a broken link to an unsupported claim.)