Vulnerabilities

From PSP Developer wiki

Lib-PSP iplloader (PRE-IPL)

NMI Backdoor

(Found by: Mathieulh, Proxima, C+D/Prometheus, Anyone spending time reverse engineering the pre-ipl) - Earliest discovery: 4/4/2007

Fixed: Never

Vulnerable: Lib-PSP iplloader (all ROM Versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP Bootrom)


The Lib-PSP iplloader ROM (the pre-IPL mask ROM inside the Tachyon IC package), as well as Lib-PSP iplloader versions 0.7.0 and onward, contains an NMI/interrupt handler backdoor in its loader part, placed among the very first instructions of the bootrom.

This backdoor allows anyone who controls both the word at memory address 0xBC100000 and coprocessor 0 control register $9 (read with cfc0) to make the pre-IPL jump to an arbitrary address taken from that register.

If the word at 0xBC100000 is non-zero and coprocessor 0 control register $9 is non-zero, Lib-PSP iplloader jumps to the address held in that register very early in the code (by the 8th instruction executed). If the word at 0xBC100000 is zero, control register $9 is instead cleared back to 0 and boot continues normally.

Below are the relevant pieces of code:

ROM:BFC00004                 lw      $v0, 0xBC100000      ; read the syscon-controlled word
ROM:BFC0000C                 bnez    $v0, loc_BFC00064    ; non-zero: take the backdoor path
ROM:BFC00064                 cfc0    $v0, $9              ; read COP0 control register $9
ROM:BFC00068                 beqz    $v0, loc_BFC00078    ; zero: continue normal boot
ROM:BFC0006C                 nop                          ; branch delay slot
ROM:BFC00070                 jr      $v0                  ; otherwise jump to the address in $9


Because both the word at 0xBC100000 and coprocessor register $9 are controlled by syscon, an attacker who can mount a hardware attack on syscon (by replacing the syscon chip or by man-in-the-middle data injection on its link to the main CPU) can set both values and gain code execution at Lib-PSP iplloader (pre-IPL) time. The jump needs a payload already sitting in memory, so kernel code execution is required beforehand to place it. Pre-IPL time execution would in turn make it possible to dump the pre-IPL code on newer targets.
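The following C program is an added example for this page; it is neither the wiki's nor Sony's code. It does two things: pre_ipl_gate() models the decision the listing above makes (the clear of control register $9 when 0xBC100000 reads as zero, the jump otherwise), and find_cop0_jump_gadget()/find_sysreg_load() scan a raw little-endian Allegrex (MIPS32) pre-IPL dump for the instruction sequences the page shows, so a practitioner can check a dump of their own. Assumptions: the folded "lw $v0, 0xBC100000" in the IDA listing is the two-instruction pair "lui $v0, 0xBC10 ; lw $v0, 0($v0)", and the dump starts at ROM base 0xBFC00000; the 128-byte sample image is constructed here, not taken from a real ROM.

```c
/* Added example: models the pre-IPL gate and scans a dump for the listed
 * instruction sequences. Assumes standard MIPS32 encodings, little-endian
 * words, and that "lw $v0, 0xBC100000" is really "lui $v0,0xBC10 ; lw $v0,0($v0)". */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard MIPS32 encodings ($v0 = register 2, COP0 control register 9). */
#define INS_LUI_V0_BC10  0x3C02BC10u  /* lui  $v0, 0xBC10       */
#define INS_LW_V0_0_V0   0x8C420000u  /* lw   $v0, 0($v0)       */
#define INS_CFC0_V0_C9   0x40424800u  /* cfc0 $v0, $9           */
#define INS_NOP          0x00000000u
#define INS_JR_V0        0x00400008u  /* jr   $v0               */
#define BEQZ_V0          0x10400000u  /* beq  $v0, $zero, <off> */
#define BNEZ_V0          0x14400000u  /* bne  $v0, $zero, <off> */
#define BRANCH_MASK      0xFFFF0000u  /* ignore the 16-bit branch offset */

/* Model of the gate: returns the address the pre-IPL jumps to, or 0 when it
 * falls through. A zero at 0xBC100000 clears COP0 control $9 (as the page says). */
uint32_t pre_ipl_gate(uint32_t sysreg_bc100000, uint32_t *cop0_ctrl9)
{
    if (sysreg_bc100000 == 0) {
        *cop0_ctrl9 = 0;      /* register reset, no jump */
        return 0;
    }
    return *cop0_ctrl9;       /* non-zero -> "jr $v0" lands here */
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = v >> 24;
}

/* Byte offset of "cfc0 $v0,$9 ; beqz $v0 ; nop ; jr $v0" (BFC00064 on the page), or -1. */
long find_cop0_jump_gadget(const uint8_t *rom, size_t len)
{
    for (size_t off = 0; off + 16 <= len; off += 4) {
        if (rd32le(rom + off) == INS_CFC0_V0_C9 &&
            (rd32le(rom + off + 4) & BRANCH_MASK) == BEQZ_V0 &&
            rd32le(rom + off + 8) == INS_NOP &&
            rd32le(rom + off + 12) == INS_JR_V0)
            return (long)off;
    }
    return -1;
}

/* Byte offset of the first lui/lw pair reading 0xBC100000, or -1. */
long find_sysreg_load(const uint8_t *rom, size_t len)
{
    for (size_t off = 0; off + 8 <= len; off += 4) {
        if (rd32le(rom + off) == INS_LUI_V0_BC10 && rd32le(rom + off + 4) == INS_LW_V0_0_V0)
            return (long)off;
    }
    return -1;
}

/* Constructed 128-byte image: the page's instructions at the page's offsets
 * (ROM base 0xBFC00000), nop filler everywhere else. Returns the image length. */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    if (cap < 0x80) return 0;
    memset(buf, 0, 0x80);
    wr32le(buf + 0x00, INS_LUI_V0_BC10);
    wr32le(buf + 0x04, INS_LW_V0_0_V0);
    wr32le(buf + 0x0C, BNEZ_V0 | 0x0015);  /* bnez $v0, BFC00064: (0x64-0x10)/4 */
    wr32le(buf + 0x64, INS_CFC0_V0_C9);
    wr32le(buf + 0x68, BEQZ_V0 | 0x0003);  /* beqz $v0, BFC00078: (0x78-0x6C)/4 */
    wr32le(buf + 0x6C, INS_NOP);
    wr32le(buf + 0x70, INS_JR_V0);
    return 0x80;
}

/* Scan results on the constructed sample (no file needed). */
long sample_gadget_offset(void)
{
    uint8_t rom[0x80];
    return find_cop0_jump_gadget(rom, build_sample_rom(rom, sizeof rom));
}

long sample_sysreg_load_offset(void)
{
    uint8_t rom[0x80];
    return find_sysreg_load(rom, build_sample_rom(rom, sizeof rom));
}

/* Usage: ./scan <pre-ipl-dump.bin>; with no argument the constructed sample is scanned. */
int main(int argc, char **argv)
{
    static uint8_t rom[1 << 20];
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(rom, 1, sizeof rom, f);
        fclose(f);
    } else {
        n = build_sample_rom(rom, sizeof rom);
    }
    long ld = find_sysreg_load(rom, n), gd = find_cop0_jump_gadget(rom, n);
    if (ld >= 0) printf("load from 0xBC100000 at 0x%08lX\n", 0xBFC00000UL + (unsigned long)ld);
    else         printf("no lui/lw load from 0xBC100000 found\n");
    if (gd >= 0) printf("cfc0 $9 / beqz / nop / jr gadget at 0x%08lX\n", 0xBFC00000UL + (unsigned long)gd);
    else         printf("no cfc0 $9 jump gadget found\n");
    return 0;
}
```

The scanner only proves that the instruction sequence is present; whether the bnez at BFC0000C actually leads to the found gadget is something to confirm by following its branch offset in the disassembly. If a ROM was dumped big-endian, or the assembler emitted the load through a different base register, rd32le() and the lui/lw pattern need adjusting.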