Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 18: | Line 18: | ||
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | ||
== PSP Game Savedata == | == PSP Game Savedata == | ||
=== Before PS Vita era === | === Before PS Vita era === | ||
==== Grand Theft Auto: Liberty City Stories UMD ( | ==== Grand Theft Auto: Liberty City Stories UMD (Goofy exploit): PSP 2.00-3.03. Patched 3.30 ==== | ||
Discovered by Edison Carter | Discovered by Edison Carter. | ||
The GTA LCS exploit is a classic stack buffer overflow, in the savedata processing. In essence, the savedata mostly consists of a large structure, with an element indicating the total size. GTA LCS allocates a statically-sized buffer for this to be read into, on the stack - presumably using sizeof(savestruct) or similar. But it copies the number of bytes given by the .size element from the savedata into the stack buffer. By editing the .size element in the saved data, we can therefore force a buffer overflow. The .size element is at offset 0004 in the DATA.BIN file, in the savedata folder. Note that the DATA.BIN is encrypted, so you need to use something like the savedata sample from the pspsdk in order to modify it. | |||
The Exploit was patched in a second batch of UMD prints. | |||
Germany version: | Germany version: | ||
Line 117: | Line 47: | ||
Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched. | Another indication is the copyright date: if it is 2005 then it is unpatched, else it is 2006 and is patched. | ||
==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ==== | ==== Lumines (Illuminati exploit): PSP <= 3.50. Patched 3.51 ==== | ||
==== Gripshift by Matiaz: PSP <= 5.02?-5.03?. Patched 5.05 ==== | |||
==== Patapon 2 demo (USA) by Malloxis: PSP <= ?6.20? ==== | |||
==== | ==== Medal Of Honor Heroes, or Heroes 2, or both by kgsws: PSP <=? ==== | ||
2009-07-10 | |||
https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/ | https://wololo.net/2009/07/10/medal-of-honor-heroes-the-coolest-exploit-ever/ | ||
https://www.brewology.com/downloads/download.php?id=9900 | https://www.brewology.com/downloads/download.php?id=9900 | ||
https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit | https://www.dcemu.co.uk/vbulletin/threads/224663-Medal-of-Honor-Heroes-(MOHH)-second-exploit | ||
=== During PS Vita era === | === During PS Vita era === | ||
Line 298: | Line 165: | ||
==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ==== | ==== "Jikkyou Powerful Pro Yakyu 2012 Ketteiban" (Japanese: 実況パワフルプロ野球 2012決定版) (ULJM06206) by 173210: <= 2.61 ==== | ||
==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ==== | ==== Pipe Madness by Frostegater: <= 2.61. Patched 3.00 ==== | ||
Line 349: | Line 212: | ||
==== MyStylist: <= 3.15 ==== | ==== MyStylist: <= 3.15 ==== | ||
==== Skate Park City | ==== Skate Park City: <= 3.15. Patched 3.18 ==== | ||
==== Space Invaders Extreme: <= 3.18 ==== | ==== Space Invaders Extreme: <= 3.18 ==== | ||
Line 363: | Line 224: | ||
==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ==== | ==== Gladiator Begins Demo (NPEH90050, NPUH90077, NPJH90084) by qwikrazor87: <= 3.18 ==== | ||
Discovered | Discovered around 2014-09-12 by qwikrazor87. | ||
https://wololo.net/talk/viewtopic.php?t=39771 | https://wololo.net/talk/viewtopic.php?t=39771 | ||
Line 381: | Line 238: | ||
https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/ | https://bitbucket.org/Acid_Snake/ark-2/src/master/exploit/usploit/wid_od_2_eu/ | ||
==== Patapon: <= 3.18 ==== | ==== Patapon 1: <= 3.18 ==== | ||
==== Talkman Travel: Tokyo: <= 3.18 ==== | ==== Talkman Travel: Tokyo: <= 3.18 ==== | ||
Line 392: | Line 249: | ||
==== Patapon 2 non-demo (UCES01177): <= 3.36 ==== | ==== Patapon 2 non-demo (UCES01177): <= 3.36 ==== | ||
https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | https://wololo.net/2019/08/13/hacking-consoles-a-learning-journey-part-4/ | ||
Line 414: | Line 269: | ||
==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ==== | ==== Ape Escape: On the Loose: <= 3.50. Patched 3.51 ==== | ||
==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ==== | ==== "Toukiden: Kiwami (DEMO)" (討鬼伝 極 体験版) by 173210: <= 3.51 ==== | ||
Line 423: | Line 274: | ||
https://code.google.com/archive/p/valentine-hbl/source/default/source | https://code.google.com/archive/p/valentine-hbl/source/default/source | ||
==== Puzzle Scape: <= 3.52 ==== | |||
==== Puzzle Scape | |||
==== World of Pool, Pool Hall Pro: <= 3.52 ==== | ==== World of Pool, Pool Hall Pro: <= 3.52 ==== | ||
Line 449: | Line 282: | ||
https://github.com/173210/psp_exploits/ | https://github.com/173210/psp_exploits/ | ||
=== | === After PS Vita era === | ||
==== ScrabbleTM by ChampionLeake: probably not patched, 2018-05-17 ==== | |||
https://github.com/ChampionLeake/scrabblehax | |||
==== | ==== Carol Vorderman's Sudoku by ChampionLeake: probably not patched, 2019-04-22 ==== | ||
https://github.com/ChampionLeake/SudokuSTACK | |||
https://github.com/ChampionLeake/ | |||
=== Remarks === | === Remarks === | ||
Line 480: | Line 304: | ||
== PS1 Game Savedata == | == PS1 Game Savedata == | ||
=== | === Pinball Golden Logres (SuperLite 1500 Series) (NPJJ00460) by qwikrazor87 === | ||
Discovered around 2014-04- | Discovered around 2014-04-21 by qwikrazor87. | ||
Maybe not exploitable. | Maybe not exploitable. | ||
=== | === Noon (NPJJ00466) by qwikrazor87 === | ||
Discovered around 2014- | Discovered around 2014-10-03 by qwikrazor87. | ||
Maybe not exploitable. | Maybe not exploitable. | ||
Line 512: | Line 330: | ||
https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | ||
=== Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 | === Sports Superbike 2 (SLES03827) / XS Moto by qwikrazor87 and Acid_snake === | ||
Discovered around 2014-04-07 by qwikrazor87 | Discovered around 2014-04-07 by qwikrazor87 and Acid_snake. Released on 2015-03-12 in TN-X by Total_Noob. | ||
https://wololo.net/downloads/index.php/download/8275 | https://wololo.net/downloads/index.php/download/8275 | ||
Line 553: | Line 371: | ||
== POPS == | == POPS == | ||
=== POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) === | === POPS sandbox escape by qwikrazor87 and Acid_snake (TN-X) === | ||
Discovered | Discovered by qwikrazor87 and Acid_snake. Implemented in cef_psx and TN-X by Total_Noob. Released on 2015-03-12 in TN-X by Total_Noob. | ||
Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later <code>jalr</code> to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload. | Due to the dynamic recompilation of POPS, any buffer overflow in a PS1 game that usually lets you control $ra is translated to native PSP code that lets you control parts of a register. This register contains a pointer where the system later <code>jalr</code> to. Because we do not control the entire register (due to memory address translations done by the dynarec), we can only address a fixed 4MB of RAM. Within these 4MB of RAM, you can find the pointer to the virtual memory card, that is loaded as a whole into RAM. VMC are plain text and there is no integrity check done to it at all. So you can read that pointer and jump to it, executing the VMC as a binary payload. Now the magic (never better said) comes from the fact that the VMC's magic number (first 4 bytes) are interpreted as a MIPS positive branch instruction (and the delay slot is effectively a NOP). This makes PSP (PSPemu) execute code well in the middle of the VMC, where you can inject your PSP usermode code payload. | ||
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/ | https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/ | ||
Line 574: | Line 382: | ||
== Unclassified usermode vulnerabilities == | == Unclassified usermode vulnerabilities == | ||
=== | === PsOneLoader by TheFloW === | ||
https://bitbucket.org/TheOfficialFloW/psoneloader/src/master/ | |||
== System == | |||
=== | === libtiff exploit #1 (TIFF Exploit 2.00): PSP <= 2.00 === | ||
Discovered on 2005-09-23 by Niacin and Skylark. | |||
The exploit involves using a wallpaper and a TIFF image file containing a buffer overflow. Since the data from the wallpaper is in a known location (VRAM), one can use the TIFF overflow to jump to the known VRAM location and execute userode code. | |||
Implemented in downgraders (like MPH downgrader to 1.50) and eLoader by Fanjita. | |||
https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit | |||
=== libtiff exploit #2 (TIFF Exploit 2.71): PSP <= 2.71 === | |||
Discovered in 2006-09. | |||
Implemented in Kriek eLoader and xLoader by Team N00bz. | |||
https:// | https://en.wikibooks.org/wiki/PSP/Homebrew_History#The_TIFF_Exploit | ||
=== libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 === | === libtiff exploit #3 (TIFF Exploit 4.20) by wololo: PSP <= 4.20 === | ||
Line 606: | Line 416: | ||
https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/ | https://web.archive.org/web/20111226013924/http://secunia.com/advisories/31610/ | ||
=== libtiff exploit # | === libtiff exploit #4 (eggsploit) by Malloxis, Matiaz and davee: PSP <= 5.05 === | ||
Discovered in | Discovered in 2009-03-15 by Malloxis. Released on 2009-04-12 by Matiaz and davee. | ||
https://www.dcemu.co.uk/vbulletin/threads/197302-5-03-TIFF-Hello-World | |||
https:// | https://wololo.net/2009/04/13/eggsplanations/ | ||
https://www.youtube.com/watch?v=wV21QqQmX_o | |||
=== Unsigned System PRX allowed: PSP <= 6.20 === | === Unsigned System PRX allowed: PSP <= 6.20 === | ||
Line 638: | Line 436: | ||
Fixed: since PSP System Software version 6.30. | Fixed: since PSP System Software version 6.30. | ||
=== Old System PRX allowed | === Old System PRX allowed === | ||
Discovered around 2005. | Discovered around 2005. | ||
Line 660: | Line 458: | ||
Fixed: no. | Fixed: no. | ||
=== | === POPS memory card manager buffer overflow exploit by qwikrazor87 and Acid_snake === | ||
There is a buffer overflow vulnerability in POPS (PSP's PS1emu) memory card manager that potentially affects any PS1 game. One can overflow it with any PS1 game's name. qwikrazor87 and Acid_snake never went with this vulnerability as they were looking for an exploit compatible with PS Vita at the time. | |||
This vulnerability only affects PSP's PS1emu memory card manager, not PS1, PS2, PS3 or PS4' PS1emu memory card managers. | |||
= Kernel = | = Kernel = | ||
== UID planting Type Confusion | == kernel execution using encrypted UID planting Type Confusion kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.74 == | ||
https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | https://theofficialflow.github.io/2019/06/18/trinity.html#type-confusion | ||
Line 701: | Line 476: | ||
It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit. | It involves AES enc/dec (using sceChnnlsv buffer in kernel RAM for fake thread UID) for it to work with the sceKernelDeleteThread UID kexploit. | ||
== | == kernel arbitrary read using sceNpCore_8AFAB4A0 double-fetch race condition kexploit by qwikrazor87 (Trinity, ARK-4): PS Vita <= 3.70 == | ||
https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition | https://theofficialflow.github.io/2019/06/18/trinity.html#double-fetch-race-condition | ||
Line 740: | Line 484: | ||
https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | https://github.com/PSP-Archive/ARK-4/blob/main/loader/live/kernel/kxploit/vita360/kxploit.c | ||
== VPL kexploit by qwikrazor87 or Total_Noob: PS Vita | == VPL kexploit by qwikrazor87 or Total_Noob: PS Vita 3.00-3.52 == | ||
[https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW] | [https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVpl/kxploit.c 3.00-3.35 from PROCFW] | ||
Line 746: | Line 490: | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V] | https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/vpl/kxploit.c 3.51-3.52 from TN-V] | ||
== | == Free kexploit by qwikrazor87: PS Vita <= 3.50 == | ||
Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87). | Discovered around 2015-02-11 by qwikrazor87. Released on 2015-04-18 by anonymous (probably qwikrazor87). | ||
Line 756: | Line 500: | ||
https://pastebin.com/Sdz0XPRg | https://pastebin.com/Sdz0XPRg | ||
== | == sceKernelDeleteThread UID kexploit by qwikrazor87: PS Vita <= 3.50 == | ||
Discovered around 2014- | Discovered around 2014-10-20 by qwikrazor87. | ||
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.50)%20sceKernelDeleteThread/explanation.txt | |||
== | == sceVideocodec race condition kexploit by qwikrazor87 and Acid_snake: PS Vita 3.30-3.36 == | ||
Discovered around 2014-01- | Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | ||
Three functions can be used to provoke the race condition: _sceVideocodecOpen, _sceVideocodecStop and _sceVideocodecDecode. | |||
https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt | https://github.com/GuidoAlessandroMenichetti/kxploits/blob/master/(3.36)%20sceVideocodecStop/explanation.txt | ||
Line 782: | Line 516: | ||
https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c | https://bitbucket.org/Acid_Snake/ark-4/src/master/kxploit/sceVideocodec/kxploit.c | ||
== _sceSdGetLastIndex | == _sceSdGetLastIndex kexploit by qwikrazor87 and Acid_snake (TN-X, TN-V): PS Vita <= 3.20 == | ||
Discovered around | Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. Implemented in TN-X by Total_Noob around 2014-04-22. | ||
There is a time-of-check to time-of-use exploit in chnnlsv. | There is a time-of-check to time-of-use exploit in chnnlsv. | ||
Line 804: | Line 538: | ||
== _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | == _sceSdRemoveValue race condition kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.20? == | ||
Discovered around | Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | ||
There is a time-of-check to time-of-use exploit in chnnlsv. | There is a time-of-check to time-of-use exploit in chnnlsv. | ||
== | == _sceUsbGpsGetData kernel write kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | ||
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | |||
Simply call <code>_sceUsbGpsGetData(0x10000, sw_address);</code> where <code>sw_address</code> is the address of the function to hijack, usually _sceKernelLibcTime. | |||
== | == Stack Pointer hijack kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | ||
Discovered around 2013- | Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | ||
The exploit steps are: | |||
1) Execute assembly that does saves context. | |||
2) Execute assembly that writes the evil UID 0x05FEF601 and the hijacked function _sceKernelLibcTime address to address 0x88000000. | |||
3) Create a dummy thread whose name is at address 0x88000000, using sceKernelCreateThread. | |||
4) Execute assembly that does something. | |||
5) Free the evil UID 0x05FEF601 at using sceKernelFreePartitionMemory. | |||
6) Execute assembly that restores context. | |||
7) Call the hijacked function _sceKernelLibcTime. | |||
== _sceWlanSetHostDiscover arbitrary write by qwikrazor87 and Acid_snake: PS Vita <= ?2.02? == | |||
Discovered around 2014-01-29 by qwikrazor87 and Acid_snake. | |||
In sceWlanDrv_lib library, the _sceWlanSetHostDiscover function allows arbitrary write to kernel. | |||
== sceKernelFreePartitionMemory UID kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | |||
Discovered around 2014-01-03 by qwikrazor87 and Acid_snake. | |||
Call sceIoOpen many times to corrupt an UID then free the UID using sceKernelFreePartitionMemory. | |||
== __sceSasConcatenateATRAC3 kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | |||
Discovered around 2014-01-01 by qwikrazor87 and Acid_snake. | |||
== sceGeList kexploit by qwikrazor87 and Acid_snake: PS Vita <= ?3.15? == | |||
Discovered around 2013-12-31 by qwikrazor87 and Acid_snake. | |||
== _sceLoadCertFromFlash kexploit by Total_Noob (TN-V): PS Vita <= ?3.15? == | |||
Discovered around 2013-10-22 by Total_Noob. | |||
https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c | https://github.com/GuidoAlessandroMenichetti/TN-Rev/blob/master/loader/main.c | ||
Line 974: | Line 743: | ||
http://www.kingx.de/forum/showthread.php?tid=15275 | http://www.kingx.de/forum/showthread.php?tid=15275 | ||
This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after. | This exploit clobbers 16 bytes of kernel memory, so it is needed to read kernel memory before exploiting and restore the other 12 after. | ||
Line 1,002: | Line 769: | ||
https://www.hitchhikr.net/Exploit_2.6.zip | https://www.hitchhikr.net/Exploit_2.6.zip | ||
== reused index.dat key: PSP 2.00, 2.01 == | == reused index.dat key: PSP 2.00, 2.01 == | ||
Line 1,031: | Line 794: | ||
Fixed: since PSP System Software version 6.35. | Fixed: since PSP System Software version 6.35. | ||
= iplloader = | = Lib-PSP iplloader = | ||
== NMI Backdoor == | == NMI Backdoor == | ||
Line 1,043: | Line 806: | ||
Applicable to: None | Applicable to: None | ||
Vulnerable: iplloader (all | Vulnerable: Lib-PSP iplloader (all bootrom versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP emulator bootrom) | ||
The iplloader bootrom (present within Tachyon's IC package) as well as iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | The Lib-PSP iplloader bootrom (present within Tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom. | ||
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9 | ||
If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0. | If value at address 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). Else (if value at address 0xBC100000 is equal to 0), coprocessor register $9 will be reset back to 0. | ||
Below are the relevant pieces of code: | Below are the relevant pieces of code: | ||
Line 1,064: | Line 827: | ||
</pre> | </pre> | ||
This backdoor may allow an attacker performing a hardware based attack to set those values and gain iplloader time code execution. | This backdoor may allow an attacker performing a hardware based attack to set those values and gain Lib-PSP iplloader time code execution. | ||
== Arbitrary IPL Load Address == | == Arbitrary IPL Load Address == | ||
Line 1,076: | Line 839: | ||
Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | Fixed: Partially in Tachyon 0x00600000. The CPU scratchpad (0xA0010000 uncached; 0x80010000 cached) range is now blacklisted, whilst all other addresses remain allowed. | ||
iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations. | Lib-PSP iplloader will not control the location at which it will load/copy the block. It will happily attempt to perform a memcpy (at a rate of 1 DWORD per cycle) to whatever load address is specified in the IPL header, assuming that the header passes the checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...). This allows to write a payload at arbitrary locations. | ||
== Arbitrary IPL Entrypoint Address == | == Arbitrary IPL Entrypoint Address == | ||
Line 1,086: | Line 849: | ||
Applicable to: IPL time code execution on 01g and 02g, used in Pandora | Applicable to: IPL time code execution on 01g and 02g, used in Pandora | ||
Fixed: iplloader 2.6.0 | Fixed: Lib-PSP iplloader 2.6.0 | ||
iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion. | Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint. This allows arbitrary execution. This was used in conjunction with the Kirk time-attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion. | ||
Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | Note: The vulnerability is also present on Tachyon 0x00600000 and later, but cannot be exploited by itself due to an ECDSA signature (Kirk cmd 17) check. | ||
Line 1,104: | Line 867: | ||
Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | Fixed: Tachyon 0x00600000. Bootrom now requires a minimum IPL block size of 0x100. | ||
iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block. | Lib-PSP iplloader will not control the block size. This allows to craft a small, favorable for time-attack, IPL block. | ||
https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/ | https://web.archive.org/web/20100409005536/http://my.malloc.us/silverspring/pandora-exploit/ | ||
== iplloader assumes a block with the checksum 0 is the first IPL block == | == Lib-PSP iplloader assumes a block with the checksum 0 is the first IPL block == | ||
Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | Found by: C+D/Prometheus - Earliest discovery: 2006 Q4 | ||
Line 1,118: | Line 881: | ||
Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | Fixed: indirectly since Tachyon 0x00600000 as no IPL that run on Tachyon 0x00600000 and onwards have a block that uses a previous block checksum of 0 other than block #0 itself. | ||
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump iplloader. | This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader. | ||
== iplloader do not perform the XOR step when running in Jig/Service mode == | == Lib-PSP iplloader do not perform the XOR step when running in Jig/Service mode == | ||
Found by: Mathieulh - Earliest discovery: 2019 Q1 | Found by: Mathieulh - Earliest discovery: 2019 Q1 | ||
Introduced: iplloader 3.5.0 | Introduced: Lib-PSP iplloader 3.5.0 | ||
Applicable to: Code execution on 3.5.0 iplloader without previous knowledge of the XOR key. | Applicable to: Code execution on 3.5.0 Lib-PSP iplloader without previous knowledge of the XOR key. | ||
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool | ||
This is not so much a vulnerability as a poor design implementation. | This is not so much a vulnerability as a poor design implementation. | ||
To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions. | To allow service centers to use a unique Memory Stick for multiple PSP models during servicing, Lib-PSP iplloader deliberately disables the XOR step, allowing a non XORed IPL to run from Memory Stick. This is done so that the IPL can run on all systems from 01g to 11g. This is also presumably done because XOR keys may differ in between Tachyon revisions. | ||
This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | This allows a potential attacker with the ability to enable Jig mode on a targeted PSP to bypass the XOR step and thus not requiring to know the XOR key to gain execution at IPL time assuming that all other checks (Kirk cmd 1, Kirk cmd 1 ECDSA, Kirk cmd 0x6C SHA1 (on Tachyon 0x00600000 and later), ...) are passed. | ||
== iplloader clears the XOR key after doing a cache sync during normal execution == | == Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution == | ||
Found by: Proxima - Earliest discovery: 2020-01-27 | Found by: Proxima - Earliest discovery: 2020-01-27 | ||
Introduced: iplloader 3.5.0 | Introduced: Lib-PSP iplloader 3.5.0 | ||
Applicable to: Dumping the iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability | Applicable to: Dumping the Lib-PSP iplloader 3.5.0 XOR key from Jig mode execution when used in conjunction with the arbitrary load address vulnerability | ||
Fixed: probably never as 3.5.0 is the last known iplloader revision for Development Tool | Fixed: probably never as 3.5.0 is the last known Lib-PSP iplloader revision for Development Tool | ||
3.5.0 iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C. | 3.5.0 Lib-PSP iplloader clears the XOR key after doing a cache sync during normal execution. This allows to retrieve the key from the uncached memory at address 0xA001088C. | ||
In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | In Jig mode execution, the key is cleared much earlier, however resulting in the cache being synced once the key is already gone. This allows to easily retrieve the key using a XORed IPL block loaded at address 0xBFE01000. | ||
While it may be possible that Tachyon 0x00600000 and later iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000) | While it may be possible that Tachyon 0x00600000 and later Lib-PSP iplloader fix this issue, it is irrelevant because the code should remain accessible as part of the Tachyon bootrom at address 0xBFC00000) | ||
== Faulty ECDSA Hash Comparison == | == Faulty ECDSA Hash Comparison == | ||
Line 1,162: | Line 925: | ||
Fixed: never | Fixed: never | ||
Starting with Tachyon 0x00600000, iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature. | Starting with Tachyon 0x00600000, Lib-PSP iplloader XORs each IPL block hash as they are loaded, and then uses this final XOR to verify the signature. | ||
This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | This means that inserting two identical blocks in the chain will cancel the XOR change and the signature will remain valid. | ||
Line 1,169: | Line 932: | ||
= General writeups = | = General writeups = | ||
https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ | https://wololo.net/2014/01/18/10-days-of-hacking-day-4-the-psp-part-1/ | ||
Line 1,179: | Line 940: | ||
https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP | https://github.com/BASLQC/BASLQC/wiki/PSP-Custom-Firmware-History#History_of_homebrew_on_PSP | ||