Security Updates

From PSP Developer wiki
Revision as of 21:39, 17 June 2024 by CelesteBlue (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The PSP had many revisions to its security through firmware upgrades. Many of these were silently added and the rest were simply labeled as "Revisions to strengthen security" by the update. This page will document on a technical level the security updates made by each firmware.

0.30 (Pre-Release)[edit | edit source]

0.31 (Pre-Release)[edit | edit source]

0.40 (Pre-Release)[edit | edit source]

0.50 (Pre-Release)[edit | edit source]

0.60 (Pre-Release)[edit | edit source]

0.65 (Pre-Release)[edit | edit source]

0.70 (Pre-Release)[edit | edit source]

0.80 (Pre-Release)[edit | edit source]

  • Restructured the ~PSP header and added more information to it.
  • Blocks unsigned kernel/VSH modules (PRX)

0.90 (Pre-Release)[edit | edit source]

  • Boot config files are now encrypted and unsigned versions are also blocked
  • Blocks unsigned user modules (PRX)

1.00 (Pre-Release)[edit | edit source]

1.01 (Pre-Release)[edit | edit source]

1.02 (Pre-Release)[edit | edit source]

1.03[edit | edit source]

  • Initial firmware launch in Japan. It should be noted that 1.XX firmwares are quite buggy and lacked features Sony was working on since 2004 that were later added in 2.00. Essentially they released the PSP before it was finished to compete with the Nintendo DS launch.
  • Does not allow execution of unsigned PRX.
  • Allows unsigned ELF of any privilege level (User/VSH/Kernel).

1.50[edit | edit source]

  • Introduced a bug in returning size of unsigned ELF, blocking normal EBOOTs, but can still be launched with Swapsploit/KXploit workaround.
  • Introduced another bug where no encrypted PRX executable compressed with gzip will run, only modules may be gzipped. This bug persists in 1.51/1.52 and was fixed in 2.00.
    • This bug may be why official updates were never gzipped despite games and demos eventually doing so, to ensure the updates can be run from all firmwares.
  • Reboot code has been moved out of reboot.prx and is now hidden within loadexec.prx.

1.51[edit | edit source]

  • Blocks the loading of unsigned ELF from memory stick.

1.52[edit | edit source]

  • Introduced a module to set all files in flash0 to hidden+system. This was in response to the Wipeout browser exploit where using a DNS trick allows you to view and download files from any device.

2.00[edit | edit source]

  • This is the biggest PSP update ever made, with lots of new features and an overhaul to the kernel.
  • Properly blocks kernel ELF by restructuring the kernel. Also blocks unsigned ELF in proper. This is why the only way to run kernel ELF in newer firmwares requires the 1.XX kernel.
  • Introduced signchecking on PRX files to tie them per-system. This was in response to people physically dumping their NANDs and being able to flash them to downgrade.
  • Introduced a new privilege level, 0x0200, specifically for applications/demos ran from memory stick. Prior to 2.00 the firmware checked 0 for all unfinished APIs.

2.01[edit | edit source]

  • Patches the libtiff exploit introduced in 2.00.

2.50[edit | edit source]

2.60[edit | edit source]

  • The IPL now uses an extra layer of encryption in stage 2 tied to a pseudo-random number generated by doing a checksum of the iplloader.

2.70[edit | edit source]

2.71[edit | edit source]

2.80[edit | edit source]

  • The psp boot config files now contain checksums of all PRX files and block them if they don't match.

2.81[edit | edit source]

2.82[edit | edit source]

3.00[edit | edit source]

  • The lflash portion of the NAND is now encrypted, all reads/writes require passing through this layer.

3.01[edit | edit source]

3.02[edit | edit source]

3.03[edit | edit source]

3.10[edit | edit source]

3.11[edit | edit source]

3.30[edit | edit source]

3.40[edit | edit source]

3.50[edit | edit source]

  • Kernel NIDs are now scrambled, preventing applications which call them from working without a resolver.
  • All boot config files are now consolidated into one file.
  • Several PRX drivers are now consolidated into one file (may not be for security, but prevents easily mixing modules with older firmwares).
  • Encrypted PRX files now have the required firmware version stored in the ~PSP header.

3.51[edit | edit source]

  • Patched the Lumines exploit.

3.52[edit | edit source]

3.60[edit | edit source]

3.70[edit | edit source]

3.71[edit | edit source]

3.72[edit | edit source]

3.73[edit | edit source]

3.80[edit | edit source]

3.90[edit | edit source]

3.93[edit | edit source]

3.95[edit | edit source]

3.96[edit | edit source]

4.00[edit | edit source]

4.01[edit | edit source]

4.05[edit | edit source]

4.20[edit | edit source]

4.21[edit | edit source]

5.00[edit | edit source]

5.01[edit | edit source]

5.02[edit | edit source]

5.03[edit | edit source]

5.05[edit | edit source]

5.50[edit | edit source]

5.51[edit | edit source]

5.55[edit | edit source]

5.70[edit | edit source]

6.00[edit | edit source]

6.10[edit | edit source]

6.20[edit | edit source]

6.30[edit | edit source]

  • ECDSA signatures are now checked for all kernel PRX as well as updaters. This was partly in response to Datel's Action Replay, which is signed as an update.

6.31[edit | edit source]

6.35[edit | edit source]

  • The ~SCE header exploit was fixed, which had allowed running unsigned PRX by using the header to point to a signed PRX located after it.

6.36[edit | edit source]

6.37[edit | edit source]

6.38[edit | edit source]

6.39[edit | edit source]

6.50[edit | edit source]

6.60[edit | edit source]

6.61[edit | edit source]