Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= Usermode = | = Usermode = | ||
== | == Game savedata == | ||
=== To sort === | |||
https:// | https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/ | ||
=== Before PS Vita era === | === Before PS Vita era === | ||
- Grand Theft Auto: Liberty City Stories UMD: <=?3.03? | |||
- Lumines ?<=3.50? | |||
- Gripshift: ?<=5.00 or 5.03? | |||
- Patapon 2 demo (USA) by Malloxis: ?PSP <=6.20? | |||
- Medal Of Honor Heroes, or Heroes 2, or both by kgsws: ? | |||
=== During PS Vita era === | === During PS Vita era === | ||
- Everybody's Tennis: <= 1.61 | |||
- Motorstorm: Arctic Edge: <= 1.61. Patched 1.65 | |||
- Super Collapse 3 by Bryan Keller: <= 1.67. Patched 1.69?0?, 2014-11-10 | |||
https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3 | https://github.com/bryankeller/PSP-Exploit-Super-Collapse-3 | ||
- Monster Hunter Freedom Unite, Monster Hunter Freedom 2, Monster Hunter Portable 2ndG, Monster Hunter Portable 3rd: <= 1.80. Patched 1.81 | |||
- Mad Blocker Alpha: <= 1.81. Patched on 2.00 | |||
- Gravity Crash Portable by teck4 and frostegater: <= ?1.81? | |||
- Urbanix first exploit: <= 1.81. Patched on 2.00 | |||
- UNO by xiaolin, zer01ne, MaxiExtreme and frostegater: <= 2.02. Patched 2.05 | |||
- Apache Overkill by Tomtomdu80: <= 2.06 | |||
- Gamocracy One by qwikrazor87: <= 2.12 | |||
- Arcade Hockey & bowling, Arcade Pool & snooker, World of Pool, Arcade Darts by Acid_snake: <=2.60. Patched 2.61 | |||
- "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 2.61 | |||
- Pipe Madness: <= 2.61. Patched 3.00 | |||
- Jewel Keepers: <= 2.61. Patched 3.00 | |||
- Half Minute Hero: <= 2.61. Patched 3.00 | |||
- FieldRunners by frostegater: <= 2.61. Patched 3.00 | |||
= | - Urbanix second exploit: <= 2.61. Patched 3.00 | ||
- Cubixx: PS Vita <= 3.00. Patched 3.01 | |||
- Ben 10 Alien Force: Vilgax Attacks: <= 3.01. Patched 3.10 | |||
- King Of Pool by qwikrazor87: <= 3.01. Patched 3.10 | |||
- 101-in-1 Megamix by xerpi: <= 3.01. Patched 3.10 | |||
- Fifa 2011, Fifa 2012: <= 3.01. Patched 3.10 | |||
- Persona 2: Innocent Sin, Persona 2: Tsumi: <= 3.01. Patched 3.10 | |||
- Arcade Airhockey & Bowling, Arcade Pool & Snooker, World of Pool, Pool Hall Pro: <= 3.01. Patched 3.10 | |||
- "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版): <= 3.12 | |||
- MyStylist: <= 3.15 | |||
- Skate Park City: <= 3.15. Patched 3.18 | |||
- Space Invaders Extreme: <= 3.18 | |||
- Zettei Hero Project Unlosing Ranger V Darkdeath by KanadeEngel: <= 3.18 | |||
https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit | https://github.com/KanadeEngel/PSP/tree/master/Exploits/Usermode/Zettei%20Hero%20Project%20-%203.18%20Exploit | ||
- Gladiator Begins: <= 3.18 | |||
- Patapon 1: <= 3.18 | |||
- Talkman Travel: Tokyo: <= 3.18 | |||
- Go! Sudoku: <= 3.30 | |||
- Arcade Darts: <= 3.36 | |||
- Patapon 2 non-demo: <=3.36 | |||
https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | ||
https://github.com/TheOct0/patapon_exploit | https://github.com/TheOct0/patapon_exploit | ||
https://github.com/wololo-learning-journey/patapon_exploit | https://github.com/wololo-learning-journey/patapon_exploit | ||
- Numblast: <= 3.36 | |||
- Hot Brain: <= 3.36 | |||
- Hatsune Miku: DIVA extend: <= 3.36 | |||
- Ape Escape: On the Loose: <= 3.50. Patched 3.51 | |||
- "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 | |||
- Puzzle Scape: <= 3.52 | |||
- World of Pool, Pool Hall Pro: <= 3.52 | |||
- Metal Gear Solid Portable OPS+ by 173210: <= 3.57 | |||
https://github.com/173210/psp_exploits/ | https://github.com/173210/psp_exploits/ | ||
=== After PS Vita era === | === After PS Vita era === | ||
- ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 | |||
https://github.com/ChampionLeake/scrabblehax | |||
https://github.com/ChampionLeake/ | - Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 | ||
https://github.com/ChampionLeake/SudokuSTACK | |||
=== Remarks === | === Remarks === | ||
Line 473: | Line 130: | ||
https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/ | https://wololo.net/2009/10/10/looking-for-vulnerabilities-in-the-psp-firmware/ | ||
== System == | == System == | ||
=== Old System PRX allowed === | |||
=== Old System PRX allowed | |||
Discovered around 2005. | Discovered around 2005. | ||
Line 656: | Line 155: | ||
Fixed: no. | Fixed: no. | ||
=== | === Unsigned System PRX allowed === | ||
Discovered in 2011 by kgsws. | |||
When the PS3 was hacked and a selection of PSP encryption keys were released, this allowed one to sign his own usermode applications. HEN/CFW can be loaded much faster through a signed application rather than loading of a game. We can now sign our own vshmain and replace a step in the bootchain. | |||
kgsws first demonstrated this bootchain injection back in 2011 and lead to the creation of 6.20 permanent custom firmware. Sony did patch this up in later firmware by applying an ECDSA signature to PRX files in the bootchain which we cannot forge. | |||
Fixed: since PSP System Software version 6.30. | |||
= Kernel = | = Kernel = | ||
sceNetMCopyback kernel arbitrary read by qwikrazor87 and AcidSnake (ARK-4): PSP <=6.61 | |||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c | https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/rodumper/main.c | ||
TBD:implementation by CelesteBlue | |||
This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 32 bits of data so you iterate 32 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison. | |||
PSP | sceRtcCompareTick kernel arbitrary read by davee: PSP <=6.61 | ||
TBD:implementation by CelesteBlue | |||
This vulnerability lets you compare the value at any place in kernel memory with whatever value you pass to it. There are 64 bits of data so you iterate 64 times. On each iteration, you determine the value of the current bit (0 or 1) by doing one comparison. | |||
sceNetMPulldown (also called ifhandle 6.60-6.61) kexploit by davee (PROCFW, Chronoswitch, Infinity 2): PSP 6.60-6.61 | |||
https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c | https://github.com/uofw/uofwinst/blob/master/PXE/Launcher/kxp_660.c | ||
https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp | https://github.com/DaveeFTW/Infinity/blob/master/kexploit/src/k660.cpp | ||
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | ||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c | https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/psp660/kxploit.c | ||
sceHttpStorageOpen kexploit, 0xFFFFFFFFailSploit, write 0xFFFFFFFF to anywhere by some1, liquidzigong, SmikY (Chronoswitch): PSP 6.20-6.61 | |||
https://wololo.net/talk/viewtopic.php?t=6612 | https://wololo.net/talk/viewtopic.php?t=6612 | ||
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | ||
https://github.com/smiky/psptools/blob/master/kxploit/main.c | https://github.com/smiky/psptools/blob/master/kxploit/main.c | ||
sceUtilityPowerRegisterCallback kexploit by TN and davee with sceKernelUtilsMd5BlockInit kexploit to keep the data dynamic (TN-HEN, Chronoswitch): PSP 6.20-6.35 | |||
https://lolhax.org/2010/12/23/arcanum/ | https://lolhax.org/2010/12/23/arcanum/ | ||
https://wololo.net/talk/viewtopic.php?f=5&t=947 | https://wololo.net/talk/viewtopic.php?f=5&t=947 | ||
https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | https://github.com/DaveeFTW/Chronoswitch/blob/master/src/kernel_exploit.c | ||
ifhandle 5.70 race condition kexploit by davee: PSP 5.00-5.70, patched on PSP 6.20 | |||
https://wololo.net/talk/viewtopic.php?f=5&t=11877&start=10 | |||
https://wololo.net/talk/viewtopic.php? | |||
sceDRMInstallGetFileInfo memset anywhere (also called psheet 5.03) kexploit by davee, lack of k1 checks (ChickHEN): PSP <=5.03 | |||
https://wololo.net/talk/viewtopic.php?p=2022 | https://wololo.net/talk/viewtopic.php?p=2022 | ||
https://wololo.net/talk/viewtopic.php?f=5&t=242 | https://wololo.net/talk/viewtopic.php?f=5&t=242 | ||
http://www.kingx.de/forum/showthread.php?tid=15275 | http://www.kingx.de/forum/showthread.php?tid=15275 | ||
The psheet exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after. | |||
registry error store: PSP <=2.80 | |||
sceKernelLoadExec buffer overflow by hitchhikr / Neural: PSP 2.01-2.60 | |||
https://forums.ps2dev.org/viewtopic.php?t=6091 | |||
https://www.hitchhikr.net/Exploit_2.6.zip | |||
reused index.dat key: PSP 2.00, 2.01 | |||
swaptrick/kxploit: PSP <=1.50 | |||
kernel flagged ELF: PSP <=1.00 | |||
== PS Vita ePSP kernel exploits == | |||
kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita 3.60-3.74 | |||
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | |||
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c | |||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | |||
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit. | |||
kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita 3.70 | |||
https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition | |||
https://github.com/TheOfficialFloW/Trinity/blob/master/eboot/mips.c | |||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | |||
VPL kexploit: PS Vita 3.00-3.52 | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c | |||
sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <=3.50 | |||
https://github.com/GuidoAlessandroMenichetti/kxploits | |||
sceVideocodec kexploit: PS Vita 3.30-3.36 | |||
https://github.com/GuidoAlessandroMenichetti/kxploits | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c | |||
_sceSdGetLastIndex kexploit (TN-X, TN-V) by qwikrazor87: PS Vita 3.18-3.20 | |||
https://github.com/173210/TN-Rev/blob/master/loader/main.c | |||
https://github.com/GuidoAlessandroMenichetti/kxploits | |||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/sceSdGetLastIndex/kxploit.c | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceSdGetLastIndex/kxploit.c | |||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita320/kxploit.c | |||
https:// | _sceLoadCertFromFlash kexploit (TN-V): PS Vita <3.18 | ||
https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c | |||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/loadCertFromFlash/kxploit.c | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceLoadCertFromFlash/kxploit.c | |||
https:// | sceWlanGetEtherAddr kexploit: PS Vita 1.61-1.80 | ||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanGetEtherAddr/kxploit.c | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanGetEtherAddr/kxploit.c | |||
https:// | _sceG729EncodeTermResource kexploit: PS Vita FW unk | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceG729/kxploit.c | |||
https:// | sceWlanDrv kexploit: PS Vita FW unk | ||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/kxploit/wlanDrvLib/kxploit.c | |||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceWlanDrvLib/kxploit.c | |||
== Remarks == | == Remarks == | ||
Line 1,027: | Line 276: | ||
Fixed: since PSP System Software version 6.35. | Fixed: since PSP System Software version 6.35. | ||
= iplloader = | = Lib-PSP iplloader = | ||
== NMI Backdoor == | == NMI Backdoor == | ||
Line 1,039: | Line 288: | ||
Applicable to: None | Applicable to: None | ||
Vulnerable: iplloader (all | Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom) | ||
The iplloader bootrom (present within Tachyon's IC package) as well as iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | ||
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | ||
If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0. | If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0. | ||
Below are the relevant pieces of code: | Below are the relevant pieces of code: | ||
Line 1,060: | Line 309: | ||
</pre> | </pre> | ||
This backdoor may allow an attacker performing a hardware based attack to set those values and gain iplloader time code execution. | This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution. | ||
== Arbitrary IPL Load Address == | == Arbitrary IPL Load Address == | ||
Line 1,072: | Line 321: | ||
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | ||
iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations. | Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations. | ||
== Arbitrary IPL Entrypoint Address == | == Arbitrary IPL Entrypoint Address == | ||
Line 1,082: | Line 331: | ||
Applicable to: IPL time code execution on 01g and 02g, used in Pandora | Applicable to: IPL time code execution on 01g and 02g, used in Pandora | ||
Fixed: iplloader 2.6.0 | Fixed: Lib-PSP iplloader 2.6.0 | ||
iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion. | Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion. | ||
Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | ||
== No minimum IPL block size == | == No minimum IPL block size == | ||
Line 1,100: | Line 347: | ||
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | ||
iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block. | Lib-PSP iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block. | ||
== Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block == | |||
== iplloader assumes a block with the checksum 0 is the first IPL block == | |||
Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | ||
Line 1,114: | Line 359: | ||
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | ||
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump iplloader. | This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader. | ||
== iplloader do not perform the XOR step when running in Jig/Service mode == | == Lib-PSP iplloader do not perform the XOR step when running in Jig/Service mode == | ||
Found by: Mathieulh - Earliest discovery: 2019 Q1 | Found by: Mathieulh - Earliest discovery: 2019 Q1 | ||
Introduced: iplloader 3.5.0 | Introduced: Lib-PSP iplloader 3.5.0 | ||
Applicable to: Code execution on 3.5.0 iplloader without previous knowledge of the XOR key. | Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key. | ||
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool | ||
This is not so much a vulnerability as a poor design implementation. | This is not so much a vulnerability as a poor design implementation. | ||
To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions. | To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions. | ||
This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | ||
== iplloader clears the XOR key after doing a cache sync during normal execution == | == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution == | ||
Found by: Proxima - Earliest discovery: 2020-01-27 | Found by: Proxima - Earliest discovery: 2020-01-27 | ||
Introduced: iplloader 3.5.0 | Introduced: Lib-PSP iplloader 3.5.0 | ||
Applicable to: Dumping the iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability | Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability | ||
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool | ||
3.5.0 iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C. | 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C. | ||
In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | ||
While it may be possible that Tachyon 0x00600000 and later iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000) | While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000) | ||
== Faulty ECDSA Hash Comparison == | == Faulty ECDSA Hash Comparison == | ||
Line 1,158: | Line 403: | ||
Fixed: never | Fixed: never | ||
Starting with Tachyon 0x00600000, iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature. | Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature. | ||
This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | ||
Line 1,165: | Line 410: | ||
= General writeups = | = General writeups = | ||
https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ | https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ | ||
Line 1,175: | Line 418: | ||
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP | https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP | ||