Extracting the Firmware Electronically

[andy0482]

edit

[apsd]

ok I think this is a good time to say: Where do we go from here?

If you mean for electronically extracting data off hte 32mb flash chip, first you need to know how to use it. I have some experience with SRAM chips and I know that most memory chips in general share a somewhat similar interface (for example, in SRAM: data lines, address lines, chip select, write enable, output enable), and these similar configurations loosely carry over to other types of memory (EEPROM, Flash, etc.). However, this Samsung chip combines both flash and sdram, and so it is rather unique, even though I doubt it has a some totally proprietary inteface. So to access that chip, someone first needs a pinout of it.

http://www.samsung.com/Products/Semicon ... 200307.pdf
That is all the information I've seen so far on the chip, and its the link from the other thread ooPo posted.

FBGA is extremely fugly. Consider it extreme surface mount... The easiest if not only way to access it is to hook a wire on to each thin line of the chip.
Take a look here: http://image.lik-sang.com/content/psp/r ... ease79.jpg

I'm not doing it. :-)

But, anyway one willing to open up their PSP and attach a few lines (if unskilled with an iron, you could possibly screw up the lines themselves (if you get frustrated ;-) )).

I wonder if they make some sort of mount that you could hook up to an address/data bus? That would make things much easier and could possibly remove the need for soldering.

Also does anyone think this can be cracked without opening the PSP and grabing data off of the bus?

Hardware wise, obviously not. But if a software vulnerability was discovered, it could be exploited and you could run your own code, then you could possibly access the firmware itself (if you can inject low-level code (not under the OS)).

The advantage of doing it through hardware (given that the firmware is stored unencrypted), is that once you figure out how to use the chip (electronically), you can easily readback the firmware (and write).

I would not mind putting down money to tear open one and try this but I have never ready data off a bus, ram or chips. (I stick to code) But is someone has a guide on how to get started I wouldnt mind trying.

I like your enthusiasm, but if you attempt this kind of stuff, be careful :-).

If someone who has a good skills with physical electronics would be willing to salvage (if thats what it comes to) a PSP, I'd be willing to donate some money to help :-)

[IceBerg]

I dont know how sony thinks, but this is how I would do things, so it may be worth having a look at the possibilities. I would the bios stored encrypted so that it decrypts at it's load point. I have worked with Risc processors before and I dont belive I have never seen this functionality as part of the processor. Since it isnt I dont know if it's even a posibility. Im no hardware expert, but knowing how the rest of the consoles have been hacked, I would definatly encrypt eerything I could. Another thing I would do is make it easier to run unsigned software off a memory stick so that us homebrew folk get what we want without making it simple for the pirates. The 32M flash could be split into a 2M unsecured, and 30M secured or something, or I could be totaly off my rocker, I just wanted to pose this for the thought of those who have the hardware knowledge.

[AlexGreen]

Is this board more than double layer? If that is the case, then attaching to the lines on the PCB might be very difficult (some traces are on inside the board). We'd still have to unsolder the chip (hairdryer?:) ) and then work with the ball grid array (ugh, that would be painful), not to mention we still don't have pinout.
Since the chip doubles as DRAM and FLASH, connecting to the hardware lines and just sniffing might be quite difficult. I'd expect frequencies to be around 100-200Mhz or more(saying that just because i know that Xbox has bus speed of 200Mhz to RAM), so we'd need some very expensive logic analyzers (I bet companies that make modchips have those).
So... I think it's going to be a while before we see extracted BIOS (let alone unencrypted) floating around.

[Guest]

The board is almost certainly more than double layer.

Furthermore, there is not a single via on the board that I can see.

Lots of pads the size of a spec of dust, yes, but no vias.

[apsd]

Hmm...

Is it really that difficult to access the traces?

I've never done this kind of electronics work so I wouldn't know. I was thinking you could use something like an exacto and peel off a few top layers (lol)... then hook up to the lines...

If that's ^ not feasible, then I guess you'd *have* to extract it and somehow work with it then....

[AlexGreen]

Here's another thing that might mess up sniffing the communication.
The goal is to read firmware as it is loaded from Flash to RAM, right?
Suppose that the chip has some logic to directly pump content of Flash to RAM. So connecting to traces would do you no good.

[MarioD]

saw a ref to BSAFE in the owner's manual...

http://www.rsasecurity.com/node.asp?id=1209

http://www.klastv.com/Global/story.asp?S=3119822

[Guest]

Hmm...
Is it really that difficult to access the traces?

In my opinion, it would take someone with the highest skills
in electronics soldering/tapping to have a chance of doing it.
Everything is super-miniaturized on the board, including any
visible traces and pads.

I have already ripped apart one PSP to be able to look closely
at a mainboard. I know there is nothing I could ever do with it,
and I am capable of simple soldering.

[IceBerg]

Just a thought, suposedly Moneky Island booted, how I dont know since noone even knows the memory addresses for the video... But if someone DOES have code running, wouldnt a simpler approch be to try to use software to read the bios. We know it can be written from software and surly they have somewayto read to do a verify. Just seems to me like this would be simpelER, not to say that it is by any means easy. If someone wants to point me at a good wintel r4000 dev suite I can play around with the idea.

[Gatchers]

Hi,

Stacked chip packages containing DRAM and FLASH are quite common nowadays, especially in the mobile phone industry.

It would be interesting to see if the processor core could read code directly from NAND flash - most don't, you run code from RAM and have a 'window' into the NAND FLASH data which you copy from - you may as well decrypt during this stage, it won't take long relatively speaking. Some implementations use the MMU to do this transparently and the NAND acts like a big encrypted swap file.

I wouldn't be surprised if there wa a small amount of boot (P)ROM acting as an IPL to get the thing up and running.

[Kamilion]

a while ago I was looking at building a prototype Intel BXA-255 board, and I happened acrost these.

http://www.tycoelectronics.com/prodnews.asp?id=460
http://www.arieselec.com/products/bgsocket.htm
http://www.advintcorp.com/bgastart.html

it'd be fairly easy to remove the flash chip with a heat gun of some kind.
Unfortunatly, I'm far too attached to my PSP to attempt it, and I have no hardware to do so either.

[PspPet]

> I wouldn't be surprised if there wa a small amount of boot (P)ROM acting as an IPL to get the thing up and running.
FWIW: the latest 2.00 firmware update has an update file called "ipl:/psp_ipl.bin", encrypted in some unique way, <256KB in size.