“..yet.”
You may have noticed that DA’s site has been down for a while. Now that’s its back up, Dark_AleX has provided some details to the situation of unhackable PSP’s.
The technical stuff in the full article.
Quote: Dark_AleX
When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0×1000 bytes.
First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes… if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored… before TA88v3) FirThe security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?The answer can be found in 4.00+ slim ipl’s. They decreased the size of the ciphered body to 0xF40 to leave 0×20 bytes at the end of each block (at offset 0xFE0).
As stated before, these remaining bytes are ignored… in pre-ipl’s of psp’s prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp’s. In newest pre-ipl’s, these 0×20 bytes have a meaning.The first 0×10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl’s, this hash is same, as seen in the picture:
Click to enlarge
The second 0×10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0×10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0×10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.
This protection also destroys any possibility of downgrading below 4.00, as these new cpu’s won’t be able to boot previous firmwares ipl’s.
Summary: basically, all security of newest psp cpu’s rely on the secrecy of the calculation of those 0×20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.
Graphic summary
Source: Dark-AleX.org
Thanks Saging for the tip!
Similar Posts
Digg it
Stumble
Del.ico.us
Reddit
Newsvine
Add your link!
February 25, 2009 at 8:45 am
I was just thinking…. cant hackers decode the demos which sony offers which work on the memory stick and find out what makes them work on the memory stick?!? then they could easily add all the stuff necessary into the GAMES instead of hacking the psp 3000 itself….
February 25, 2009 at 5:21 pm
“I was just thinking…. cant hackers decode the demos which sony offers which work on the memory stick and find out what makes them work on the memory stick?!? then they could easily add all the stuff necessary into the GAMES instead of hacking the psp 3000 itself….”
Dude, you just don’t understand.. noob.
March 7, 2009 at 10:29 pm
Guys im stuck i Have psp 2001 with OFW of 5.03 and I dont know how to downgrade it or make CFW because of its 5.03 update and I dont know what to do please help.
March 10, 2009 at 10:15 pm
thanx a lot–dark alex 4ever
March 18, 2009 at 11:55 pm
i will now:
many people says you can hack the owf4.1 (TA88v3 model) with dclv7 or dclv8(despertar del ceme…)
IS THAT RIGHT!!!!!!!!!!
PLEASE HELP!!!!
sorry for my english im german.
March 23, 2009 at 1:22 am
and how would you tell if you have the correct motherboard on your psp to actuall hack the 2000 ones?
March 25, 2009 at 10:52 pm
Nothing is impossible.
I myself am working on it.. The result so far is nothing.. But i know it will happen..
March 26, 2009 at 10:31 pm
How much longer we has to wait
March 27, 2009 at 3:56 am
Status, someone give me status!!!!
March 30, 2009 at 11:05 am
i think dark alex can find a way to hack ta88v3 mobo
but when?
psp 3000 has a ta88v3 motherboard too.
April 4, 2009 at 7:00 am
I have OFW 5.03 on my PSP Slim & Lite PSP-2001PB/98510. Even though I have not been able to use the DAX Motherboard Identifier, I know or a fact that any PSP above ta-88v3 is unhackable at the time being. However, I will be patient with DA because even though I’ve stayed loyal to OFW up till now, he’s done an excellent job. I do have one question however, and it concerns PSP UMD Games (Off Topic, I know, but still…). Is it possible to rip UMD’s into ISO, then creat EBOOT.PBP’s with them through a EBOOT.PBP program for PSX or can DA attempt to make one? If so, then it would be deeply appriciated. If not, then I’ll apprciate it anyways. The program idea is for OFW btw. Perhaps, it can use an exploit?
April 27, 2009 at 12:45 pm
i have a psp slim 2006 model with official firmware 4.01, ive been through different stores to upgrade my psp but still, its unhackable, it doesnt work with a pandora or MMS and i dont want to risk upgrading it myself or it might brick…
April 29, 2009 at 8:59 am
you can hack psp ofw 4.01 or any unhackble psp by hard modification,, the mother board will be replaced by a hackable mother board.. this is 100% true and working … here it cost 3000 Pesos about $60 Us Dollars
May 4, 2009 at 5:21 pm
Er, Cris, I just got my psp slim felicia blue 2000 ofw 4.01…so ur telling me this is hackable by means of hard mod? Sorry, yes, i know im a noob but i want to just clarify this. Help!
April 29, 2009 at 1:20 pm
i have psp 2004 with ofw 5.50 and i want to hack it without pandora or mms please help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
April 29, 2009 at 1:21 pm
any one their
April 29, 2009 at 1:23 pm
please please please please help$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
April 29, 2009 at 4:20 pm
come on give it please*************************************************8