Cracking the PSP OFW without pandora
As is all over the news, Sony has finally got round to blocking access to the OFW through Pandora on recent motherboards and, as is postulated, on the PSP3000. So, thinking into the future, I think we need to start working on another way in!
I have a few ideas involving the SIO. I believe the SIO (original) has the facility to detect plug-in "debug" boxes, thus theoretically has the potential to put the PSP into a mode that might allow a CFW to be loaded. I intend to continue the work posted for the Phat in this area, by brute force attack combined with insight to find the SIO "key", i.e. the set of serial data that would initialise the debug unit. If anyone else has ideas on this please post; unless we want to see an eventual end to homebrew, I think this must be worked on.
BMX is a good game to look into for such exploits...
jube wrote: Bugger!! OK, thanks, saved me a deal of work! Are there any other avenues left unexplored? Does the original Lumines or GTA crack still work?
The gameplay in the game is so awful... I wonder if they really took security into consideration. :D
Intrigued by PSP system Since December 2006.
Use it more for Development than for Gaming.
As I understand it, once the OFW is booted it will only run code that passes the Sony security cypher. So, again as I understand it, there are 3 options:
1) stop the CFW booting (i.e. Pandora)
2) crack the Sony cypher
3) find a piece of code that is already secured but that allows CFW to be loaded (i.e. Lumines exploit)
Is this correct?
OK, asked some engineer friends that specialise in reverse engineering.
The obvious answer is to JTAG the CFW onto the system E2PROM; this is an infallible solution since the processors are not clocking at all during a JTAG session. Problem is that it's not for everybody, and I would have to find the JTAG points on the motherboard, and you need a JTAG box.
Would it be of any use to anyone to dump the system non-volatile mem to a hex dump?
Apparently the Phat circuit diagram exists, having been reverse engineered by a company that specialises in these jobs ($2000, you give 'em the device, they give you the circuit! Pity the FW doesn't come with that :) ). But it's $60 a copy!
Doubt it, they will need JTAG access for production testing, so that's either test points on the PCB picked up with a pin array grid on a production test machine, or a micro-connector somewhere. (Some clever bastards have even stuck the JTAG through a short range RF link to an onboard JTAG micro, so you just test by passing a wand over; trick, eh!!)
If the design engineers run to form it's probably on a JTAG chain, including the memory arrays and any FPGA config memories; probably got their own format to recover individual units.
If they have no JTAG I can't think how they would do the hardware test algorithms, but I have to confess I'm not current on design for test, so just speculating.
Yeah, seems IP protection strategies are maturing; there are a bunch of companies doing just that. Used to be able to figure a lot out (not a direct ref to the PSP) from dumping FPGA config memories, but now it's popular to encrypt even that.
The sig check is only run once at module load time (is that true?). What if you could dynamically (within the acceptable mem clocking/caching params) change the contents of memstick addresses (by simulating a memstick with a micro, then putting custom data in dynamically)? Could it be theoretically possible to have the standard module call + run sig check, but then the contents fetched and loaded would be what we chose?
It's possible to crack the Sony sign-code and get it, but it's hard. Plus if we do, I think that Sony will have the right to sue that person (I think), but who cares what Sony think??? They mess around with the wrong hackers, lol...
ne0h wrote: I don't know very well how the SCE signature works, but is it really impossible to crack it?
Well, I know it will not work, but what happens if we try to recreate the Swaploit? Like we run the unsigned program, and if it loads into memory, we switch memory sticks with one that has Sony official coding (sign code), or am I saying it the wrong way??? It's like performing the Magic Swap on a PS2, but we are not using a disc, we're using a memory stick.
Hellcat wrote: Isn't the signcheck performed when the module is already completely loaded into memory? If so, what good would altering the MS data do after the signcheck has been done?
I wonder....
Does anyone know if I use an unpacker and unpack an EBOOT.PBP from Sony code, is it possible that it will keep its sign-code after unpacking so that we can add our data to it?
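An added illustration (not from anyone in the thread) of the point jube raised and Hellcat answered: a loader that verifies one read of removable media and then fetches the bytes again to run has a check-then-use gap, while a loader that verifies the exact buffer it keeps does not. HMAC-SHA256 is an assumed stand-in for Sony's signature scheme, and the media, key and module bytes are constructed.

```python
import hashlib
import hmac

class SwappableMedia:
    """Constructed stand-in for a memstick whose contents can change between reads."""
    def __init__(self, image, swap_to=None, swap_after=1):
        self.image = bytes(image)
        self.swap_to = swap_to          # content presented once `swap_after` reads have happened
        self.swap_after = swap_after
        self.reads = 0

    def read(self):
        self.reads += 1
        if self.swap_to is not None and self.reads > self.swap_after:
            return self.swap_to
        return self.image

def sign(key, module):
    # Assumption: HMAC-SHA256 stands in for the real (asymmetric) module signature.
    return hmac.new(key, module, hashlib.sha256).digest()

def verify(key, module, sig):
    return hmac.compare_digest(sign(key, module), sig)

def load_check_then_reread(media, key, sig):
    """Flawed loader: checks one read of the media, then reads again to get the code to run."""
    if not verify(key, media.read(), sig):
        return None
    return media.read()                 # second read may not be the bytes that were checked

def load_verify_in_memory(media, key, sig):
    """Loader that checks the buffer already in memory and runs only that buffer."""
    image = media.read()
    if not verify(key, image, sig):
        return None
    return image

def demo():
    key = b"constructed-signing-key"
    signed = b"SIGNED MODULE v1"        # constructed module image
    sig = sign(key, signed)
    other = b"OTHER CONTENT"            # what the media shows on its second read
    flawed = load_check_then_reread(SwappableMedia(signed, swap_to=other), key, sig)
    safe = load_verify_in_memory(SwappableMedia(signed, swap_to=other), key, sig)
    return flawed, safe                 # (b"OTHER CONTENT", b"SIGNED MODULE v1")

if __name__ == "__main__":
    print(demo())
```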
That's kind of why I was looking for a hardware way in (apart from being a hardware bloke and always looking for a hardware solution! Too many hours near an EMC chamber fried my brain :) ). If they missed Pandora, what else did they miss? Although so far it's not looking good.
Obviously as we get into softer-ware I'm useless, aside from provoking thought, cos I'm not experienced enough with the PSP OS; but if anyone needs anything building to help, just post.
I wonder.. Is it possible to reverse the signing process by using the pack-pbp or unpack-pbp? Just asking...
But if we find out the sign code, will Sony change it within the next firmware?
EDIT:
Sony didn't completely block Pandora, they just blocked unsigned IPLs.
jube, PM me. I think I got something that might help you. If Sony receive it, then they can block it easily. lol
Just brainstorming:
- A signcheck needs the following to be performed: a long-long-long-long-... math lib (usually done in slow software), a hash computer, and the public key to check against.
I don't think newer chips mount a whole ALU dedicated to signchecking, so it has to be the main CPU that handles this. So:
- The program checking the signature is a program itself, and hence it boots (too bad it does not reside on MS, but we can still try to attack here).
- The public key to check against is, well, public; it should come in plain near the verifier program.
- It's not a good idea to try to find the private key: it could never be done in human lapses of time and would be pointless: if I lose my home's key I would replace key and keyholes.
- We could replace the public key with the public part of a newly generated pair (or is it engraved on the PSP's MoBo?? lol) whose private side we obviously know. That's only for IPL stuff; originals would still work because in a CFW the signcheck on executables is not performed at all. (BTW... is it the same key on the IPL and on executables??)
Hope this can help someone having a revelation....
jean