tinman
October 6th, 2008, 02:26
Dark_Alex (http://www.dark-alex.org/forum/viewtopic.php?f=44&t=1194) posed this explaining why.
This is an explanation of the security that was added in TA88v3, and which will be likely in PSP3000.
When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0x1000 bytes.
First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes... if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored... before TA88v3) Fir
The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?
The answer can be found in 4.00+ slim ipl's. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0).
As stated before, these remaining bytes are ignored... in pre-ipl's of psp's prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp's. In newest pre-ipl's, these 0x20 bytes have a meaning.
The first 0x10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl's, this hash is same, as seen in the picture:
http://xero1.tinman.googlepages.com/3.png/3-large.png (http://xero1.tinman.googlepages.com/3.png/3-full;init:.png)
The second 0x10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0x10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.
This protection also destroys any possibility of downgrading below 4.00, as these new cpu's won't be able to boot previous firmwares ipl's.
Summary: basically, all security of newest psp cpu's rely on the secrecy of the calculation of those 0x20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.
Graphic summary:
http://xero1.tinman.googlepages.com/20081005-cpus.png/20081005-cpus-large.png (http://xero1.tinman.googlepages.com/20081005-cpus.png/20081005-cpus-full;init:.png)
This is an explanation of the security that was added in TA88v3, and which will be likely in PSP3000.
When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0x1000 bytes.
First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes... if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored... before TA88v3) Fir
The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?
The answer can be found in 4.00+ slim ipl's. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0).
As stated before, these remaining bytes are ignored... in pre-ipl's of psp's prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp's. In newest pre-ipl's, these 0x20 bytes have a meaning.
The first 0x10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl's, this hash is same, as seen in the picture:
http://xero1.tinman.googlepages.com/3.png/3-large.png (http://xero1.tinman.googlepages.com/3.png/3-full;init:.png)
The second 0x10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0x10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.
This protection also destroys any possibility of downgrading below 4.00, as these new cpu's won't be able to boot previous firmwares ipl's.
Summary: basically, all security of newest psp cpu's rely on the secrecy of the calculation of those 0x20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.
Graphic summary:
http://xero1.tinman.googlepages.com/20081005-cpus.png/20081005-cpus-large.png (http://xero1.tinman.googlepages.com/20081005-cpus.png/20081005-cpus-full;init:.png)