PSP [firmware] Dump [program]

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

sq377 wrote:Out of curiosity, what does this do on a 1.5?
Same thing as Hello World PSP on a 1.5... nothing. :P
PinkPeach
Posts: 23
Joined: Wed Mar 02, 2005 10:36 pm

Post by PinkPeach »

Niiiiice Nem :) Does your toolchain permites to display shift-jis or euc japanese characters ?

(´ヘ`;) なんで1.5アップデート実行したかな~*しくしく*
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

I got to say a big thank to you nem . Great work !!

Now I have some ideas why those file existed in the flash , I guess those files are part of the XMB. I think after the bootstrap finish bootup the PSP , it will start the XMB if no UMD or apps selected , which mean that XMB just a standalone program.

If the idea is right , we can look forward to having our own media centre just like xbox. (May be we can view DIVX movie in future too! haha)

Also I think people can give up about the certificate , every stantard browser have these file , I dont think these certificate is using for encrypt/decrypt the prx.

If hardware encrypt/decrypt really does on PSP , I think game developer no need to call a function to encrypt/decrypt the apps when it run , except encrypt/decrypt a save file. But I wonder , are they using the same key to encrypt/decrypt the save file and apps? I'm sure you can find the key to decrypt the save file from those game dump , but how about the key to run program? It really hard to trace it.

I think the bootstrap call the decrypt function when we run the apps. But that's the part we dont know too much about it. Also that's why we can run program on 1.0 but not 1.5. We got to keep working.

Thanks all!

nem wrote: laichung:
Total size of the files in flash0: is around 12MBytes. Where are those files come from? My obserbation/guess as follows:

- Memory chip on board contains 32MByte SDRAM and 32MByte FlashROM.
- 32MByte FlashROM consists of 1MByte bootstrap area and 31MByte disk storage area.
- Disk storage area have two partitions, 24MByte flash0: and 4MByte flash1:
- flash0: as system file volume, flash1: as configuration file volume

SONY says 32MByte SDRAM is divided to two parts, 8MByte kernel memory and 24MByte user memory.
User memory seems to be 0x08800000..0x09ffffff.

When system starts up, some files/modules are loaded to kernel memory, not all.
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

laichung wrote:Also I think people can give up about the certificate , every stantard browser have these file , I dont think these certificate is using for encrypt/decrypt the prx.
I haven't claimed they are used for encryption, but signing. Sony has also mentioned code signing in their promotion of security features, which means not only do we need to crack any encryption, we have to crack the signature too. (Or just bypass all this via some sort of exploit that allows unencrypted/unsigned code, like the one on the 1.00 firmware)

I seriously doubt Sony would be setting themselves up as a Certificate Authority, and Verisign as the Primary Certificate Authority, and NOBODY else if it was for a 'standard browser'. It is being used for code signing. The presense of the BSAFE certificates are also key, since those provide some form of confirmation of what is behind the encryption on wrieless communication. Plus, if you look at the modules, there isn't anything for SSL, so while SSL might be in the http lib, it still doesn't account for the BSAFE and SCE certificate authorities.
If hardware encrypt/decrypt really does on PSP , I think game developer no need to call a function to encrypt/decrypt the apps when it run , except encrypt/decrypt a save file. But I wonder , are they using the same key to encrypt/decrypt the save file and apps? I'm sure you can find the key to decrypt the save file from those game dump , but how about the key to run program? It really hard to trace it.
The thing is, there is a difference between full-software, hardware-assist, and full-hardware encryption. Signatures and the like are a great way to securely provide the AES encryption key, ensuring knowledge of the source of the code/save file. Remember, the encryption isn't there just because, it is there to prevent unauthorized code from executing (i.e. anyone not paying Sony license fees). Their design will reflect these goals (code-signing).
I think the bootstrap call the decrypt function when we run the apps. But that's the part we dont know too much about it. Also that's why we can run program on 1.0 but not 1.5. We got to keep working.

Thanks all!
Here you admit we don't know much about the decryption mechanism for executables. So, how can you claim that the certificates (which include a timestamp authority, which is useful for game save timestamping, but really no other purpose on a system like this) aren't somehow attached to the system?

I bring up the issues that should be considered to increase the breadth of what is looked into, and possibly get someone to go 'Aha!' and maybe stumble on some information they didn't before. I don't have a 1.00 PSP, although I have gained a fair amount of knowledge of reverse engineering from mucking about on my PS2 and other projects in my past. I don't think it is wise to dismiss /anything/ simply because it appears to be useless at first.
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

Be cool Krevnik , you can do what ever you like to those CA~
Of course you have more experience than me , those opinion from me about CA is just a guess. So if you does think you can get something with it , just do it. I will be very happy if anyone get the key or tell us more inside PSP.
F9zDark
Posts: 127
Joined: Sat Apr 02, 2005 11:34 am

Post by F9zDark »

Now if the files are dumped to the memstick, would that in essence be able to be reconstructed into a firmware 'downgrade' for those of us stuck on 1.5?

As well, if it were possible to downgrade to 1.0, perhaps a similarly constructed program could be run during the upgrade from 1.0 to 1.5 to possibly find where the encryption measures are contained? It seems to me that the encryption/signed software only came in the 1.5 update. Perhaps if a unit being upgraded to 1.5 has program to dump the 1.5 upgrade files to the memstick as they are being installed we can find a way to circumvent this encryption/signing method?

Just a thought...
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

May be or may be not. We just get some files from flash roms doesnt mean we got the whole firmware. As nem said , the bootstrap area cannot access by the program. Unless we can run a program to read the flash rom from begin to the end , then write it back to correct position , I think we cant put 1.5 PSP back to 1.0

And the most important thing is , we cant run any program in 1.5 , what can we do ??haha~~~


F9zDark wrote:Now if the files are dumped to the memstick, would that in essence be able to be reconstructed into a firmware 'downgrade' for those of us stuck on 1.5?

As well, if it were possible to downgrade to 1.0, perhaps a similarly constructed program could be run during the upgrade from 1.0 to 1.5 to possibly find where the encryption measures are contained? It seems to me that the encryption/signed software only came in the 1.5 update. Perhaps if a unit being upgraded to 1.5 has program to dump the 1.5 upgrade files to the memstick as they are being installed we can find a way to circumvent this encryption/signing method?

Just a thought...
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

While you /can/ do whatever you like with those CA, what would there be a use for Sony to be a CA for websites alone? They can get certificates for that a lot cheaper than setting up a few CAs.

Sony has stated their connection to BSAFE, and signed code. This is evidence that this is true. I was just annoyed that someone shrugged off these certs as 'nothing' when code-signing requires these certs and Sony has been midly open about their code-signing.
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

My guess about why sony need their own CAs because PSP have "downloadable game/apps/firmware" feature. BSAFE is a safe connection between internet and PSP , but it cant make sure the things you download from internet is came from sony (or a place cert. by sony). That's just a step to protect your PSP from download a virus.

Does CAs essential for encrypt/decrypt? I dont know , I think KEY is more than CAs(from my point of view).

Anyway , thanks for your hard working in PSP development.

Krevnik wrote:While you /can/ do whatever you like with those CA, what would there be a use for Sony to be a CA for websites alone? They can get certificates for that a lot cheaper than setting up a few CAs.

Sony has stated their connection to BSAFE, and signed code. This is evidence that this is true. I was just annoyed that someone shrugged off these certs as 'nothing' when code-signing requires these certs and Sony has been midly open about their code-signing.
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

I don't disagree with the BSAFE bit, but considering Japanese owners discovered that Ad-Hoc transmission is also encrypted, BSAFE is very likely used there.

Well, here is the thing... apps are:

- Encrypted
- Signed

If neither is correctly done, the app will likely not be loaded by firmware. This forms the basis of 'trusted code'. You can't just encrypt it, you also have to verify that it was authorized to run via a signature that is trusted. Remember, Sony is protecting their license income, not the code.

So, how do we sign? With a private key of course. A certificate is really just a bit of encoded information, a public key, and a signature to verify the certificate is authentic (signed by the public key's counterpart, encrypting the hash of the certificate). The certificate also signed by the CA, to setup actual trust that this certificate is vouched for, which also contains an encrypted hash of the certificate being vouched for, but contains some normal information about which certificate owner signed it so trust can be established.

This system is pretty secure, as long as the public key isn't compromised in such a way that the private key is discovered from the public key (which is difficult, try factoring a number in the range of 2^1024 looking for only TWO factors).

I think encryption is a problem, yes, and should probably be looked at first since it will be the first to be worked around/defeated. However, the signature poses a huge threat, since barring exploits, the system is secure enough that we cannot feasibly defeat it (and when we do, Sony will not care about the platform as it has developed the next one).

My personal opinion is to delve into the encryption to figure out EXACTLY what is going on, then if there is a signature that is verified (very likely IMO) by the firmware, instead of banging against that for awhile, focus entirely on alternative methods, since a direct attack on such a system would be a waste of time.
hanakuma
Posts: 2
Joined: Wed May 11, 2005 2:04 pm

noob idea

Post by hanakuma »

probably a dumb as hell idea...but maybe yall could just rewrite the bios to get rid of the signing check and flash it? like vid. card bios's--ive seen some rewritten to enable OCing

or with the analogy with wimdows and linux...write your own OS for the thing (or just edit theirs)

just a thought...
hanakuma
Posts: 2
Joined: Wed May 11, 2005 2:04 pm

noob idea

Post by hanakuma »

oops...double post
Orion_
Posts: 69
Joined: Thu Jan 27, 2005 8:47 am

Post by Orion_ »

we have not enough knowledge of the psp hardware to write own bios, and how will you flash it anyway ?
Guest

Re: noob idea

Post by Guest »

hanakuma wrote:probably a dumb as hell idea...but maybe yall could just rewrite the bios to get rid of the signing check and flash it? like vid. card bios's--ive seen some rewritten to enable OCing

or with the analogy with wimdows and linux...write your own OS for the thing (or just edit theirs)

just a thought...
Cart before the horse.

What you suggest can be done on any embedded device, in theory. Often is done in reality for cool gadgets. But it requires a minimal understanding of the hardware. Takes time.

BTW, what you suggest has implications for warezing. We cannot support activities that make it easy for warezing to occur. A gray area I know with such new hardware since its hard to know what is and isn't kosher with so little information still.
Guest

Post by Guest »

Another important thread stickied.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

nem wrote:nn.bmp is background image of XMB. it's 60x34 bitmap
Image
annerajb
Posts: 40
Joined: Thu Mar 31, 2005 6:16 am

Post by annerajb »

vampire do you know if the .bmp can be changed and i also see other interesting files in the folder like game_boot.pmf
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

gameboot.pmf:
Image
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

annerajb wrote:vampire do you know if the .bmp can be changed
I don't have enough courage to mess around in the firmware of my psp.
If you give me yours, I'll try it out. ;-)
F9zDark
Posts: 127
Joined: Sat Apr 02, 2005 11:34 am

Post by F9zDark »

I would try it with mine, since I hate the damn background colors not being interchangeable, but my PSP is 1.5. So until there is a workaround for the 1.5 signing I can't do a damned thing.
ace11
Posts: 3
Joined: Thu May 12, 2005 3:57 pm

Post by ace11 »

[request deleted by mod]
Guest

Post by Guest »

Ace, the rules of the forum state you may not ask people to send copyrighted materials to you, especially bios dumps, files, etc... You want them, find the program that lets you do it on your own PSP.

You have been warned. Next forum rules violaton is a ban. You may wish to read up before your next post.
Last edited by Guest on Thu May 12, 2005 4:05 pm, edited 1 time in total.
ace11
Posts: 3
Joined: Thu May 12, 2005 3:57 pm

Post by ace11 »

ace11 wrote:[request deleted by mod]
Oops im realy sorry please forgive me.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

F9zDark wrote:I would try it with mine, since I hate the damn background colors not being interchangeable, but my PSP is 1.5. So until there is a workaround for the 1.5 signing I can't do a damned thing.
If someone else would try it:
I've written a FileTool to select a file from the Memory Stick (ms0:) and copy the selected file from the Memory Stick to the Flash (flash0:/vsh/resource/01.bmp).
MDave
Posts: 82
Joined: Mon May 09, 2005 10:43 pm

Post by MDave »

Hey, can you make it do the opposite? :)
(copy from flash0: to ms0:) ?
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

MDave wrote:Hey, can you make it do the opposite? :)
(copy from flash0: to ms0:) ?
How do you think how I dumped the *.bmp files and the gameboot.pmf file?
Last edited by Vampire on Fri May 13, 2005 6:00 am, edited 1 time in total.
MDave
Posts: 82
Joined: Mon May 09, 2005 10:43 pm

Post by MDave »

Doh! Nevermind, totally forgot about them ...
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

Vampire: the PSP will allow you to write to flash0 like any other device? I would have thought it would be write protected.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

Warren wrote:Vampire: the PSP will allow you to write to flash0 like any other device? I would have thought it would be write protected.
That's what we try to figure out.
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

There's an easier way to test if the flash is writeable, just try to open a file using the O_WRONLY access mode. If it doesn't return an error then you can write to it.
Post Reply