Unencrypted PRX files run on Retail PSP

steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Unencrypted PRX files run on Retail PSP

Post by steddy »

I have been looking at the Wipeout UMD and noticed something interesting (before you ask, I DO own the original).

The DEV in the following thread states that the retail PSP will not run unencrypted PRX files (fixup modules):

http://forums.ps2dev.org/viewtopic.php?t=1631

However, I have noticed the following files are in the clear on the Wipeout UMD in the USRDIR\PRX directory:

libatrac3plus.prx
libbase64.prx
libfont.prx
libhttp_rfc.prx
libparse_http.prx
libparse_uri.prx
libssl.prx
mpeg.prx
pspnet.prx
pspnet_adhoc.prx
pspnet_adhocctl.prx
pspnet_ap_dialog_dummy.prx
pspnet_apctl.prx
pspnet_inet.prx
pspnet_resolver.prx


As you can see, some of those are pretty interesting modules to have the clear versions of. They all appear to be standard ELF modules.

This also means the retail PSP will happily run unencrypted PRX modules.

Steddy

BTW, can someone tell me the best tool to analyse linkage on PRX / ELF files?
allthatinny
Posts: 24
Joined: Fri May 06, 2005 5:59 pm

Post by allthatinny »

Not all of the files are ELF; some of them are ~PSP, like the cert_loader.prx file, and that file in particular crashes the PSP. When I put it as DATA.PSP the PSP logo stays on for about 1 min, then it shuts off.
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

All the files I listed above are ELF files, not ~PSP files. I checked them all myself. There are other files in there that are ~PSP but not the ones I listed.

Also checked Ridge Racer, and the following PRX module is not encrypted:

rinit.prx

Steddy
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

And there's more in the Ridge Racer module directory too (the one above was kmodule). Additional ones not also in Wipeout include:

show_macaddr.prx
libadler.prx
libfpu.prx
libhttp.prx
libmt19937.prx
libnetcnf.prx
libqpcode.prx
pspnet_adhoc_download.prx
pspnet_adhoc_matching.prx
scan.prx

A similar file list in Vampire Chronicle too.

Steddy
ZeroOne
Posts: 3
Joined: Sun May 08, 2005 8:24 am

Post by ZeroOne »

It is true that some PRXs are not encrypted. But they are relocatable modules, like Win32 DLLs; they cannot execute by themselves. They get loaded by the game when the game needs them (saves on memory).

So bunging them in a PBP as DATA.PSP does nothing and trying to run them off the memory stick is pointless.

They might be useful if we can get a signed UMD game to run from the memory stick, then we could inject some code into one of these unencrypted PRX modules and hijack the system. But AFAIK no one has managed to get a signed UMD game to run on the memory stick (I'm talking about on 1.5 firmware here).

I suppose you could attempt to reverse engineer all of the http/uri prx's and search for a potential buffer overflow attack via the browser, but that would be tricky to say the least.

(analyse the linkage? not sure exactly, but try looking at ee-objdump from the ps2dev tools, it can disassemble these (ELF) files to a certain degree (it doesn't know some op codes, they must be PSP specific)).
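An added example, written for this thread and not code from any of the posters: a small Python checker that does the triage steddy and ZeroOne describe by hand. It tells an encrypted "~PSP" module from a plain ELF by the magic bytes, and for an ELF reads the e_type field to separate a relocatable module (which, as ZeroOne says, cannot run by itself and must be loaded by a host) from a standalone executable. The 0xFFA0 e_type for a relocatable PRX is the pspsdk convention and is an assumption here; the thread does not state it. The sample "directory" uses file names from the thread, but the bytes are constructed stand-ins, not the real files.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PSP_MAGIC = b"~PSP"        # magic of an encrypted/signed PSP module, as named in the thread
EM_MIPS = 8
ET_REL = 1                 # standard relocatable object
ET_EXEC = 2                # standard executable
ET_PSP_PRX = 0xFFA0        # assumption: pspsdk's e_type for a relocatable PRX module
ELF32_HEADER_LEN = 52


def classify_module(data: bytes) -> dict:
    """Describe a module image from its header alone, without loading or running it."""
    if data[:4] == PSP_MAGIC:
        # Encrypted module: nothing past the magic is readable in the clear.
        return {"format": "~PSP", "encrypted": True, "relocatable": None, "machine": None}
    if data[:4] != ELF_MAGIC or len(data) < ELF32_HEADER_LEN:
        return {"format": "unknown", "encrypted": None, "relocatable": None, "machine": None}
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1:  # ELFCLASS32; the PSP's Allegrex core is 32-bit MIPS
        return {"format": "ELF", "encrypted": False, "relocatable": None, "machine": None,
                "note": "not ELF32"}
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "format": "ELF",
        "encrypted": False,
        "e_type": e_type,
        "machine": "MIPS" if e_machine == EM_MIPS else f"unknown({e_machine})",
        # A relocatable module has no fixed load address; it only runs once a host loads it.
        "relocatable": e_type in (ET_REL, ET_PSP_PRX),
    }


def make_elf32_header(e_type: int, e_machine: int = EM_MIPS, e_entry: int = 0) -> bytes:
    """Build a constructed, minimal little-endian ELF32 header (sample input only)."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9   # class32, LSB, version 1, padding
    rest = struct.pack("<HHIIIIIHHHHHH",
                       e_type, e_machine, 1, e_entry,
                       ELF32_HEADER_LEN, 0, 0,              # phoff, shoff, flags
                       ELF32_HEADER_LEN, 32, 0, 40, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return ident + rest


# Constructed stand-ins for a USRDIR\PRX listing: the names come from the thread,
# the bytes are fabricated here and are not the real files' contents.
SAMPLES = {
    "libfont.prx": make_elf32_header(ET_PSP_PRX),
    "pspnet_inet.prx": make_elf32_header(ET_PSP_PRX),
    "cert_loader.prx": PSP_MAGIC + b"\x00" * 48,
    "EBOOT.PSP": make_elf32_header(ET_EXEC, e_entry=0x08900000),
    "README.TXT": b"not a module at all",
}


def scan_directory(files: dict) -> list:
    """Classify every file and return (name, format, relocatable) tuples."""
    result = []
    for name, data in files.items():
        info = classify_module(data)
        result.append((name, info["format"], info["relocatable"]))
    return result


if __name__ == "__main__":
    for name, fmt, reloc in scan_directory(SAMPLES):
        print(f"{name:20} {fmt:8} relocatable={reloc}")
```

Running the script lists each sample with its format and whether it is relocatable; the two PRX samples come out as ELF and relocatable, cert_loader.prx as ~PSP, and the text file as unknown. The check reads only the 52-byte header, so it is safe to run over a whole directory without executing anything.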
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

Yes, I know these are DLL equivalents, but my concept here was two-fold:

1. We could learn from these modules by disassembling them.
2. If we can get it packaged correctly into a PBP, we could inject a false PRX into a verified BIN file, which would allow us to run arbitrary code on a 1.5 PSP.

Steddy