Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= | = Lib-PSP iplloader (PRE-IPL) = | ||
== NMI Backdoor == | == NMI Backdoor == | ||
(Found by: Mathieulh, Proxima, C+D/Prometheus, Anyone spending time reverse engineering the pre-ipl) - Earliest discovery: 4/4/2007 | |||
Found by: Mathieulh, Proxima, C+D/Prometheus - Earliest discovery: 2007 | |||
Fixed: Never | Fixed: Never | ||
Vulnerable: Lib-PSP iplloader (all ROM Versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP Bootrom) | |||
The iplloader | The Lib-PSP iplloader rom (present within tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | ||
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | ||
If | If 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). If 0xBC100000 is equal to 0, coprocessor register $9 will be reset back to 0. | ||
Below are the relevant pieces of code: | Below are the relevant pieces of code: | ||
<pre> | <pre> | ||
Line 1,060: | Line 28: | ||
</pre> | </pre> | ||
Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution (this requires using kernel code execution to fill memory with a payload to jump to beforehand), and thus potentially dump the pre-ipl code on newer targets. | |||