The Download Play protocol and all local-WLAN communications have the WPA2 passphrase generated the same way. The input data used with [[Process_Services|EncryptDecryptAes]] with [[PSPXI:EncryptDecryptAes|keytype1]] is a 0x10-byte hash over an input passphrase. This input passphrase is fixed for Download Play, it's unique per local-WLAN protocol. The CTR is a 0x10-byte hash over a 16-byte structure which among other data includes the host MAC address, and an ID which is normally from the application's uniqueID in the titleID.(The uniqueID used for Download Play is fixed however) The hex output from crypting that data is the final WPA2 passphrase. This 0x10-byte hash is unknown, however this might be MD5.
The WPA2 passphrase used for communications with the booted Download Play executable is a separate passphrase, generated using the above method where the input passphrase is a random hex string.