Editing Iplloader

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
<b>iplloader</b> <i>(also known as PRE-IPL or BootROM)</i> — is the first code to run on PSP main [[CPU]].
<b>iplloader</b> <i>(also called PRE-IPL or BootROM, as [[Sony]] calls it internally)</i> — is the first code to run on PSP main [[CPU]].


Its role is to load and decrypt encrypted [[Initial Program Loader]] from the [[NAND_Flash_Memory|NAND]] or [[Memory Stick]]. iplloader contains the routines to boot into service mode.
Its role is to load and decrypt encrypted [[Initial Program Loader]] from the [[NAND_Flash_Memory|NAND]] or [[Memory Stick]]. iplloader contains the routines to boot into service mode.
Line 319: Line 319:
=== The loader ===
=== The loader ===


The loader part is almost the same for all retail iplloader versions.
The loader part is almost the same for all retail PRE-IPL versions.


<pre>
<pre>
Line 341: Line 341:
     jump to 0x80010000;
     jump to 0x80010000;
}
}
// image ends with a copyright string, and a build timestamp: 0x20040420, 0x20050104 and 0x20070910 for successive iplloader versions
// image ends with a copyright string, and a build timestamp: 0x20040420, 0x20050104 and 0x20070910 for successive PRE-IPL versions
</pre>
</pre>


=== First version ===
=== First version ===


This version of the iplloader is used for Tachyon 0x00140000 to 0x00300000 (ie all versions of 01g except the few last).
This version of the PRE-IPL is used for Tachyon 0x00140000 to 0x00300000 (ie all versions of 01g except the few last).


Here is the pseudocode of the payload (not including implementation details, and excluding the information to interface with NAND & MemoryStick):
Here is the pseudocode of the payload (not including implementation details, and excluding the information to interface with NAND & MemoryStick):
Line 419: Line 419:
=== Second version ===
=== Second version ===


This version of the iplloader is used by Tachyon versions 0x00400000 to 0x00500000. This corresponds to the last 01g motherboard versions, and all the 02g versions except the last.
This version of the PRE-IPL is used by Tachyon versions 0x00400000 to 0x00500000. This corresponds to the last 01g motherboard versions, and all the 02g versions except the last.


It is very close to the original version, only some hardware initialization is modified, probably to improve stability/prevent crashes:
It is very close to the original version, only some hardware initialization is modified, probably to improve stability/prevent crashes:
Line 443: Line 443:
=== Third version ===  
=== Third version ===  


This version of the iplloader is present on the last 02g model and all of the 03g+ models.
This version of the PRE-IPL is present on the last 02g model and all of the 03g+ models.


It adds many security checks to avoid the creation of custom IPLs for these models — all of which have been broken since.
It adds many security checks to avoid the creation of custom IPLs for these models — all of which have been broken since.
Line 472: Line 472:
==== Vulnerabilities ====
==== Vulnerabilities ====


Since the KIRK command 1 ECDSA private key & encryption key were known, the main issues for dumping the iplloader were the XOR keys, the hash check, and the additional ECDSA check on the XOR of hashes.
Since the KIRK command 1 ECDSA private key & encryption key were known, the main issues for dumping the PRE-IPL were the XOR keys, the hash check, and the additional ECDSA check on the XOR of hashes.


The XOR keys are easy to disable if you can enable jigkick, which had been done for 03g before Davee dumped the iplloader. (Note that now that we know that it can be disabled writing the appropriate data in the NAND spare data, it could also be circumvented that way.)
The XOR keys are easy to disable if you can enable jigkick, which had been done for 03g before Davee dumped the PRE-IPL. (Note that now that we know that it can be disabled writing the appropriate data in the NAND spare data, it could also be circumvented that way.)


The hash check would've been easy to solve, but the fact the block was rotated before being hashed was unknown. Davee glitched this check in order to pass.
The hash check would've been easy to solve, but the fact the block was rotated before being hashed was unknown. Davee glitched this check in order to pass.


For the additional check, it could be skipped using a clever trick: if you set 0xBC10004C as the destination address of the IPL block, then the CPU resets and remaps 0xBFD00000 to 0xBFC00000 then runs back at 0xBFC00000. Since 0xBFD00000 is used as a temporary space for the decrypted IPL, it means you can easily achieve code execution. Davee used this method to dump the iplloader payload, which contains all the relevant information.
For the additional check, it could be skipped using a clever trick: if you set 0xBC10004C as the destination address of the IPL block, then the CPU resets and remaps 0xBFD00000 to 0xBFC00000 then runs back at 0xBFC00000. Since 0xBFD00000 is used as a temporary space for the decrypted IPL, it means you can easily achieve code execution. Davee used this method to dump the PRE-IPL payload, which contains all the relevant information.


Now that the code is known, the two first issues are very easy to handle. For the last one, an easy trick is that the signature is on the XOR of the SHA1's, which means if you place your own block twice before a legitimate IPL, the two SHA1's will cancel each other and the signature check will pass.
Now that the code is known, the two first issues are very easy to handle. For the last one, an easy trick is that the signature is on the XOR of the SHA1's, which means if you place your own block twice before a legitimate IPL, the two SHA1's will cancel each other and the signature check will pass.
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)