Pandora
Revision as of 15:56, 12 March 2018
On August 22 2007, Team C+D released "Pandora's Battery", the Prometheus Project everyone had been waiting for. It converts a spare Memory Stick Pro Duo and a battery into a "Magic Memory Stick" and a "JigKick Battery". Some people mistake Pandora's Battery for just the JigKick Battery, but Pandora's Battery is the pair: the Magic Memory Stick and the JigKick Battery. Together they can be used to downgrade any PSP of any firmware version or to recover one from a brick. To convert the Memory Stick and battery, another PSP able to run 1.50 homebrew is needed. The Memory Stick can also be converted without a homebrew PSP by using a Pandora's Battery program such as Pandora Easy GUI. After the downgrade/unbrick has been completed, the Memory Stick and battery can be restored for normal use.
JigKick Battery
This is a battery whose serial number has been changed to 0xFFFFFFFF. When a PSP's battery serial number is 0xFFFFFFFF, the PSP enters service mode and boots the IPL from sector 16 of the physical drive (the Magic Memory Stick) instead of from flash0. You can either hardmod or softmod a battery.
Hardmod: make a JigKick Battery by opening it up and removing a pin. This can be done to any battery.
Softmod: make a JigKick Battery with a program. The battery has to be suitable; new batteries cannot be softmodded.
Magic Memory Stick
A Magic Memory Stick is any Memory Stick that has been converted to boot and work with a JigKick Battery. Depending on how it was created, a Magic Memory Stick can downgrade or boot PSPs to 1.50 firmware (Phat), upgrade any PSP to 3.71/3.80 M33 and their counterparts, or launch various homebrew. But the stick has to be suitable: only Memory Stick Pro Duo cards below 4 GB can be made into Magic Memory Sticks.
In-depth Technological Details
The fake encrypted data is bruteforced so that it decrypts into your chosen data (to be able to exploit the preipl), and the signature for the fake encrypted data is bruteforced again so that it appears valid to the crypto engine, which then goes ahead and decrypts the fake encrypted data.
The preipl exploit works like this:
First a decrypted ipl block:
0x00: load address
0x04: data size
0x08: entry address
0x0C: checksum of previous block
0x10: data
A typical example might be
0x040F1EA0
0x00000F50
0x00000000
0xB71C6EBA
...data...
Which means: load 0xF50 bytes of data to 0x040F1EA0. 0xB71C6EBA is the checksum of the previous block. The entry address is 0 because the end of the IPL has not been reached yet and there are more blocks to load. The very last block carries the entry address of where the whole IPL has been loaded (typically 0x040F0000), and once all the IPL blocks have been loaded the preipl jumps to that address.
Preipl pseudocode for loading & decrypting the ipl (block layout as listed above):
Code:
typedef struct {
    u32 loadaddr;        // 0x00: load address
    u32 blocksize;       // 0x04: data size
    void (*entry)(void); // 0x08: entry address
    u32 checksum;        // 0x0C: checksum of previous block
    u8  data[];          // 0x10: data
} IplBlock;

int iplBlockNumber = 0;
u32 checksum = 0;
IplBlock *block = (IplBlock *)0xBFD00000; // 4KB embedded cpu ram

// load/decrypt all encrypted ipl blocks
while (1)
{
    // copy an encrypted ipl block to 0xBFD00000-0xBFD01000 (4KB embedded cpu ram)
    if (LoadIplBlock(iplBlockNumber, block) < 0)
        while (1);
    // decrypt the ipl block in place (uh oh...)
    if (DecryptIplBlock(block, block))
        while (1);
    // first block will have zero as its checksum since there is no previous block (another uh oh...)
    if (block->checksum != checksum)
        while (1);
    // load the 'data' section of the ipl block to the specified address (0x040Fxxxx range);
    // this memcpy returns the checksum of the bytes it copied, which the next block must carry
    if (block->loadaddr)
        checksum = memcpy(block->loadaddr, block->data, block->blocksize);
    // reached the end of the ipl, jump to the entry address (0x040F0000)
    if (block->entry)
    {
        // clear caches
        Dcache();
        Icache();
        // jump to ipl - do not return
        block->entry();
    }
    iplBlockNumber++;
}
As the preipl loads the first IPL block (the fake one), it decrypts the block in place, i.e. the decrypted output overwrites the encrypted block. The fake block decrypts into only four bytes of 0's, so after decryption only the first four bytes of the fake block have been overwritten (with four 0's).
The fake signed block:
Code:
00000000: 00 00 00 00 00 00 00 00 00 01 D0 BF 00 00 00 00
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 52 A1 05 CD 3A 52 59 28 0A D1 31 F1 BD 87 2E CC
00000030: 14 DA 02 2F 77 88 C7 66 F3 32 07 BD 1A 08 9E 4C
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0: 00 00 00 00 00 00 00 00 00 00 00 01 C6 5F 74 12
The most important parts to note:
0x20-0x3F is the bruteforced hash signatures
0xA0-0xAF is the bruteforced encrypted data
0x70-0x73 is the size of the decrypted data (only 4 bytes)
A slight flaw in the crypto engine allowed the bruteforce to be performed at a scale orders of magnitude smaller than would normally be required.
After decryption, the preipl thinks the data is now a decrypted ipl block. So note the first 0x10 bytes:
0x00000000 (load address which was faked to four 0's when decrypted)
0x00000000 (size of the block to load, none)
0xBFD00100 (the entry address, the most important part, where your unsigned code is located)
0x00000000 (checksum)
It passes the checksum test (0x00000000 against an initial expected checksum of 0), skips loading any data (the load address was faked to 0x00000000), sees the entry address of 0xBFD00100, concludes it has reached the end of the IPL and jumps to that address, which is where your unsigned code sits, still inside the embedded RAM the block was copied to.
So that's essentially it in a nutshell. But don't let a five-minute summary of the exploit make you underestimate the enormous effort involved in bringing it to fruition (as the final product known as Pandora).
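The walk-through above, as an added example that is not part of the original page or of Team C+D's Pandora code: a small C program that runs the typical decrypted block header and the forged block's first 0x10 bytes through the same checks, in the same order, as the preipl pseudocode. KIRK is not modelled; the fake decrypt applies only what the text states (the bruteforced ciphertext decrypts to four zero bytes written over the start of the block). The struct and function names, the assumption that the decrypted output lands at offset 0, and the expected checksum value handed to the typical block are ours; the byte values come from the dumps and tables above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decrypted IPL block header, laid out as in the text above. */
typedef struct {
    uint32_t loadaddr;   /* 0x00: load address (0 = nothing to copy) */
    uint32_t blocksize;  /* 0x04: data size */
    uint32_t entry;      /* 0x08: entry address (0 = more blocks follow) */
    uint32_t checksum;   /* 0x0C: checksum of the previous block */
} ipl_hdr_t;

/* What one pass of the preipl loop does with a block. */
typedef struct {
    int      halted;     /* checksum mismatch: the preipl spins in while(1) */
    uint32_t copy_dst;   /* nonzero: memcpy(copy_dst, data, copy_len) happened */
    uint32_t copy_len;
    uint32_t jump_to;    /* nonzero: block->entry() was called */
} outcome_t;

/* First 0x10 bytes of the forged block, taken from the hex dump above
   (little-endian: 00 01 D0 BF at 0x08 is 0xBFD00100). Only these bytes are
   needed here; the bruteforced hashes and ciphertext are not modelled. */
static const uint8_t FORGED_HEAD[0x10] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x01,0xD0,0xBF, 0x00,0x00,0x00,0x00
};
#define FORGED_DATA_SIZE 4u   /* the size field at 0x70 of the forged block */

/* The "typical" non-first block header quoted in the text. */
static const ipl_hdr_t TYPICAL = { 0x040F1EA0u, 0x00000F50u, 0u, 0xB71C6EBAu };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for the in-place decrypt. KIRK is not modelled; this applies only
   what the text states: the bruteforced ciphertext decrypts to data_size bytes
   of zeros, which land over the start of the block (assumption: offset 0). */
static void fake_decrypt_in_place(uint8_t *blk, uint32_t data_size) {
    memset(blk, 0, data_size);
}

/* One iteration of the preipl loop on an already "decrypted" block.
   expected is the checksum carried over from the previous block (0 for the
   first block). Same order of checks as the pseudocode. */
outcome_t preipl_step(const ipl_hdr_t *h, uint32_t expected) {
    outcome_t o = { 0, 0, 0, 0 };
    if (h->checksum != expected) { o.halted = 1; return o; }   /* while(1); */
    if (h->loadaddr) { o.copy_dst = h->loadaddr; o.copy_len = h->blocksize; }
    if (h->entry)    { o.jump_to = h->entry; }                 /* block->entry() */
    return o;
}

/* The forged block as the first block: decrypt in place, then reinterpret
   the first 0x10 bytes as a decrypted header, exactly as the preipl does. */
outcome_t run_forged_block(void) {
    uint8_t blk[0x10];
    ipl_hdr_t h;
    memcpy(blk, FORGED_HEAD, sizeof blk);
    fake_decrypt_in_place(blk, FORGED_DATA_SIZE);
    h.loadaddr  = le32(blk + 0x0);   /* 0: nothing is copied */
    h.blocksize = le32(blk + 0x4);   /* 0 */
    h.entry     = le32(blk + 0x8);   /* 0xBFD00100, untouched by the decrypt */
    h.checksum  = le32(blk + 0xC);   /* 0: matches the initial expected value */
    return preipl_step(&h, 0);
}

/* The typical block if it were presented first: its checksum field is not 0. */
outcome_t run_typical_as_first(void) { return preipl_step(&TYPICAL, 0); }

/* The typical block in its real position, after a block whose data checksummed
   to 0xB71C6EBA (the checksum algorithm itself is not given on the page). */
outcome_t run_typical_in_place(void) { return preipl_step(&TYPICAL, 0xB71C6EBAu); }

static void show(const char *name, outcome_t o) {
    printf("%-16s halted=%d copy=0x%08X(len 0x%X) jump=0x%08X\n",
           name, o.halted, o.copy_dst, o.copy_len, o.jump_to);
}

int main(void) {
    show("forged first", run_forged_block());         /* jump=0xBFD00100 */
    show("typical first", run_typical_as_first());    /* halted=1 */
    show("typical in place", run_typical_in_place()); /* copy=0x040F1EA0 */
    return 0;
}
```

The three runs make the two "uh oh" comments in the pseudocode concrete: decrypting in place lets the forged block's own plaintext bytes (the entry address at 0x08) survive, and accepting a checksum of 0 for the first block means the forged block never has to match anything.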
Properly encrypted Pandora compatible IPL blocks
On March 10th 2018, developer Mathieulh released properly encrypted Pandora-hack-compatible IPL blocks, encrypted with the KIRK cmd 0x01 key.
Here are a few of those:
Retail flagged IPL block with entrypoint set to 0xBFD00100:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 8F B0 52 CB AE 94 F9 04 D8 30 3E 6D 21 9B 91 ..°RË®”ù.Ø0>m!›‘
00000010 D8 F6 D0 17 AD 37 05 E2 B0 8B 2C 5E D3 0F 73 7A ØöÐ..7.â°‹,^Ó.sz
00000020 D0 F9 88 F7 09 93 B7 B5 6C 37 6E 85 87 17 A5 34 Ðùˆ÷.“·µl7n…‡.¥4
00000030 A2 EE B9 CC 8B 1F DE 39 6E 41 1D 85 94 7A 3C 20 ¢î¹Ì‹.Þ9nA.…”z<
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 14 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E féKÔïŠ,;ˆLúYÊ4+.
000000A0 41 87 7C C4 64 43 03 3C 9B C8 E9 01 26 0F 28 0B A‡|ÄdC.<›Èé.&.(.
000000B0 DC 34 84 75 7F D2 4D 0F B7 3E 25 9F B5 AB A4 A5 Ü4„u.ÒM.·>%Ÿµ«¤¥
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Devkit flagged IPL block with entrypoint set to 0xBFD00100:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 8F B0 52 CB AE 94 F9 04 D8 30 3E 6D 21 9B 91 ..°RË®”ù.Ø0>m!›‘
00000010 D8 F6 D0 17 AD 37 05 E2 B0 8B 2C 5E D3 0F 73 7A ØöÐ..7.â°‹,^Ó.sz
00000020 DC 5C 78 5D 30 C6 15 9A 5B CF 19 CD D4 48 4E D6 Ü\x]0Æ.š[Ï.ÍÔHNÖ
00000030 51 7F 7B 4A 56 91 FE DD CC 16 B2 54 BD 5E 71 62 Q.{JV‘þÝÌ.²T½^qb
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF ............ÿÿÿÿ
00000070 14 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E féKÔïŠ,;ˆLúYÊ4+.
000000A0 41 87 7C C4 64 43 03 3C 9B C8 E9 01 26 0F 28 0B A‡|ÄdC.<›Èé.&.(.
000000B0 DC 34 84 75 7F D2 4D 0F B7 3E 25 9F B5 AB A4 A5 Ü4„u.ÒM.·>%Ÿµ«¤¥
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Devkit flagged IPL block with entrypoint set to 0xBFE01100 (only works on DTP-T1000/DEM-1000!):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 8F B0 52 CB AE 94 F9 04 D8 30 3E 6D 21 9B 91 ..°RË®”ù.Ø0>m!›‘
00000010 D8 F6 D0 17 AD 37 05 E2 B0 8B 2C 5E D3 0F 73 7A ØöÐ..7.â°‹,^Ó.sz
00000020 DC 5C 78 5D 30 C6 15 9A 5B CF 19 CD D4 48 4E D6 Ü\x]0Æ.š[Ï.ÍÔHNÖ
00000030 F4 18 98 12 F7 5B 0F F5 8E F7 82 63 8D 82 44 09 ô.˜.÷[.õŽ÷‚c.‚D.
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF ............ÿÿÿÿ
00000070 14 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E féKÔïŠ,;ˆLúYÊ4+.
000000A0 EE E2 51 4C 7C 0C A2 F0 2C B4 D9 7C 47 F0 24 D4 îâQL|.¢ð,´Ù|Gð$Ô
000000B0 FC 0E E6 DE 16 42 A6 FC 79 2A 95 9D B1 EB 6A 96 ü.æÞ.B¦üy*•.±ëj–
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Retail flagged IPL block with entrypoint set to 0xBFE01100 (only works on DTP-T1000/DEM-1000!):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 8F B0 52 CB AE 94 F9 04 D8 30 3E 6D 21 9B 91 ..°RË®”ù.Ø0>m!›‘
00000010 D8 F6 D0 17 AD 37 05 E2 B0 8B 2C 5E D3 0F 73 7A ØöÐ..7.â°‹,^Ó.sz
00000020 D0 F9 88 F7 09 93 B7 B5 6C 37 6E 85 87 17 A5 34 Ðùˆ÷.“·µl7n…‡.¥4
00000030 C7 07 99 1D E9 31 AC C6 67 82 E0 F3 0A 62 0D F0 Ç.™.é1¬Æg‚àó.b.ð
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 14 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E féKÔïŠ,;ˆLúYÊ4+.
000000A0 EE E2 51 4C 7C 0C A2 F0 2C B4 D9 7C 47 F0 24 D4 îâQL|.¢ð,´Ù|Gð$Ô
000000B0 FC 0E E6 DE 16 42 A6 FC 79 2A 95 9D B1 EB 6A 96 ü.æÞ.B¦üy*•.±ëj–
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
These are available in binary format here: [https://mega.nz/#F!MlFi1QqZ!fGo2pkCEmjFiPynKtDC0Hg]
The 0xBFD00100 versions of these blocks work as-is: replace the time-attacked forged block with the properly encrypted one supplied. The 0xBFE01100 versions (which only work on Development Tool units) require you to rebuild/recompile your custom IPL using 0xBFE01100 as the entrypoint; it may be wiser to rebuild it as a fully valid IPL instead using ipltool [https://github.com/zecoxao/ipltool], although using the Pandora-compatible IPL block instead lets you port retail custom IPL projects to a devkit with minimal effort.
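The swap described above, as an added example (ours, not Mathieulh's tooling or anything shipped with Pandora): C code that reads the fields the page points at in each 0x100-byte block (0x60, 0x6C, 0x70, 0x74, and the plaintext entrypoint at 0x08 that only the forged block carries in clear), tells the forged block from a proper one, and replaces the first IPL block at sector 16 of a Magic Memory Stick image only when the resident block is the forged one. The 512-byte sector size, the struct, field and function names, and the classification rules (derived only from the five dumps on this page) are assumptions; the two byte arrays are the forged block and the retail 0xBFD00100 block copied from the dumps above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512                         /* assumption: 512-byte sectors */
#define IPL_SECTOR    16                          /* the preipl reads the IPL from sector 16 */
#define IPL_OFFSET    (IPL_SECTOR * SECTOR_SIZE)  /* = 0x2000 */
#define BLOCK_SIZE    0x100
#define PANDORA_ENTRY 0xBFD00100u

/* The time-attacked forged block (rows 0x00-0xAF of its dump; the rest is zero). */
static const uint8_t FORGED[BLOCK_SIZE] = {
    [0x08] = 0x00,0x01,0xD0,0xBF,                       /* entrypoint, in clear */
    [0x20] = 0x52,0xA1,0x05,0xCD,0x3A,0x52,0x59,0x28,0x0A,0xD1,0x31,0xF1,0xBD,0x87,0x2E,0xCC,
             0x14,0xDA,0x02,0x2F,0x77,0x88,0xC7,0x66,0xF3,0x32,0x07,0xBD,0x1A,0x08,0x9E,0x4C,
    [0x60] = 0x01, [0x70] = 0x04, [0x74] = 0x10,
    [0xAB] = 0x01,0xC6,0x5F,0x74,0x12                   /* bruteforced ciphertext */
};

/* The retail-flagged 0xBFD00100 block from the dumps above (0xC0-0xFF are zero). */
static const uint8_t RETAIL_BFD00100[BLOCK_SIZE] = {
    0x00,0x8F,0xB0,0x52,0xCB,0xAE,0x94,0xF9,0x04,0xD8,0x30,0x3E,0x6D,0x21,0x9B,0x91,
    0xD8,0xF6,0xD0,0x17,0xAD,0x37,0x05,0xE2,0xB0,0x8B,0x2C,0x5E,0xD3,0x0F,0x73,0x7A,
    0xD0,0xF9,0x88,0xF7,0x09,0x93,0xB7,0xB5,0x6C,0x37,0x6E,0x85,0x87,0x17,0xA5,0x34,
    0xA2,0xEE,0xB9,0xCC,0x8B,0x1F,0xDE,0x39,0x6E,0x41,0x1D,0x85,0x94,0x7A,0x3C,0x20,
    [0x60] = 0x01, [0x70] = 0x14, [0x74] = 0x10,
    [0x90] = 0x66,0xE9,0x4B,0xD4,0xEF,0x8A,0x2C,0x3B,0x88,0x4C,0xFA,0x59,0xCA,0x34,0x2B,0x2E,
             0x41,0x87,0x7C,0xC4,0x64,0x43,0x03,0x3C,0x9B,0xC8,0xE9,0x01,0x26,0x0F,0x28,0x0B,
             0xDC,0x34,0x84,0x75,0x7F,0xD2,0x4D,0x0F,0xB7,0x3E,0x25,0x9F,0xB5,0xAB,0xA4,0xA5
};

/* Fields read straight from the block; the names are ours, the offsets the page's. */
typedef struct {
    uint32_t mode;         /* 0x60: 1 in every dump */
    uint32_t flag;         /* 0x6C: FFFFFFFF in the devkit-flagged dumps, 0 in retail */
    uint32_t data_size;    /* 0x70: 4 for the forged block, 0x14 for the proper ones */
    uint32_t data_offset;  /* 0x74: 0x10 in every dump */
    uint32_t plain_entry;  /* 0x08 as stored; only the forged block keeps it in clear */
} blockinfo_t;

enum kind { KIND_UNKNOWN = 0, KIND_FORGED_PANDORA = 1, KIND_PROPER_PANDORA = 2 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

blockinfo_t parse_block(const uint8_t *b) {
    blockinfo_t i;
    i.mode        = le32(b + 0x60);
    i.flag        = le32(b + 0x6C);
    i.data_size   = le32(b + 0x70);
    i.data_offset = le32(b + 0x74);
    i.plain_entry = le32(b + 0x08);
    return i;
}

int is_devkit_flagged(const uint8_t *b) { return le32(b + 0x6C) == 0xFFFFFFFFu; }

/* Classification based only on what the five dumps on this page show. */
enum kind classify_block(const uint8_t *b) {
    blockinfo_t i = parse_block(b);
    if (i.mode != 1 || i.data_offset != 0x10) return KIND_UNKNOWN;
    if (i.data_size == 4 && i.plain_entry == PANDORA_ENTRY) return KIND_FORGED_PANDORA;
    if (i.data_size == 0x14) return KIND_PROPER_PANDORA;
    return KIND_UNKNOWN;
}

/* Swap the forged first block at sector 16 for a supplied proper one.
   0 = done, -1 = image too short, -2 = resident block is not the forged one
   (refuse rather than clobber something else), -3 = replacement is not proper. */
int replace_forged_block(uint8_t *image, size_t image_len, const uint8_t *newblock) {
    if (image_len < IPL_OFFSET + BLOCK_SIZE) return -1;
    if (classify_block(image + IPL_OFFSET) != KIND_FORGED_PANDORA) return -2;
    if (classify_block(newblock) != KIND_PROPER_PANDORA) return -3;
    memcpy(image + IPL_OFFSET, newblock, BLOCK_SIZE);
    return 0;
}

/* End-to-end on a constructed 17-sector image; returns 1 if every step behaves. */
int demo(void) {
    static uint8_t image[IPL_OFFSET + BLOCK_SIZE];
    memset(image, 0, sizeof image);
    memcpy(image + IPL_OFFSET, FORGED, BLOCK_SIZE);          /* constructed stick */
    if (replace_forged_block(image, sizeof image, RETAIL_BFD00100) != 0) return 0;
    if (memcmp(image + IPL_OFFSET, RETAIL_BFD00100, BLOCK_SIZE) != 0) return 0;
    if (classify_block(image + IPL_OFFSET) != KIND_PROPER_PANDORA) return 0;
    if (replace_forged_block(image, sizeof image, RETAIL_BFD00100) != -2) return 0; /* already swapped */
    if (replace_forged_block(image, 0x1000, RETAIL_BFD00100) != -1) return 0;       /* too short */
    return 1;
}

int main(void) {
    blockinfo_t f = parse_block(FORGED), r = parse_block(RETAIL_BFD00100);
    printf("forged: size=0x%X entry(plain)=0x%08X\n", f.data_size, f.plain_entry);
    printf("retail: size=0x%X devkit=%d\n", r.data_size, is_devkit_flagged(RETAIL_BFD00100));
    printf("demo %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Two things worth noting from the parse alone: the forged block is the only one whose entrypoint can be read without the KIRK key, because it was never inside the encrypted data, and the devkit-flagged dumps differ from the retail ones not just at 0x6C but also in both hash fields (0x20-0x3F), so a block cannot be "re-flagged" by patching 0x6C alone.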