Vulnerabilities: Difference between revisions

From PSP Developer wiki
Jump to navigation Jump to search
(→‎NMI Backdoor: Added comments to the assembly.)
Line 18: Line 18:


<pre>
<pre>
ROM:BFC00004                lw      $v0, 0xBC100000
ROM:BFC00004                lw      $v0, 0xBC100000 # stores 0xBC100000 to $v0
ROM:BFC0000C                bnez    $v0, loc_BFC00064
ROM:BFC0000C                bnez    $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064
</pre>
</pre>
<pre>
<pre>
ROM:BFC00064                cfc0    $v0, $9
ROM:BFC00064                cfc0    $v0, $9 #store coprocessor $9 to $v0
ROM:BFC00068                beqz    $v0, loc_BFC00078
ROM:BFC00068                beqz    $v0, loc_BFC00078 $ if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078
ROM:BFC0006C                nop
ROM:BFC0006C                nop
ROM:BFC00070                jr      $v0
ROM:BFC00070                jr      $v0 #jump to register $v0 (value initially set in coproc $9)
</pre>
</pre>




Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution (this requires using kernel code execution to fill memory with a payload to jump to beforehand), and thus potentially dump the pre-ipl code on newer targets.
Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution (this requires using kernel code execution to fill memory with a payload to jump to beforehand), and thus potentially dump the pre-ipl code on newer targets.

Revision as of 23:52, 13 November 2018

Lib-PSP iplloader (PRE-IPL)

NMI Backdoor

(Found by: Mathieulh, Proxima, C+D/Prometheus, Anyone spending time reverse engineering the pre-ipl) - Earliest discovery: 4/4/2007

Fixed: Never

Vulnerable: Lib-PSP iplloader (all ROM Versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP Bootrom)


The Lib-PSP iplloader rom (present within tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor in its loader part at the very first instructions of the bootrom.

This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9

If 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). If 0xBC100000 is equal to 0, coprocessor register $9 will be reset back to 0.

Below are the relevant pieces of code:

ROM:BFC00004                 lw      $v0, 0xBC100000 # stores 0xBC100000 to $v0
ROM:BFC0000C                 bnez    $v0, loc_BFC00064 # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064
ROM:BFC00064                 cfc0    $v0, $9 #store coprocessor $9 to $v0
ROM:BFC00068                 beqz    $v0, loc_BFC00078 $ if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078
ROM:BFC0006C                 nop
ROM:BFC00070                 jr      $v0 #jump to register $v0 (value initially set in coproc $9)


Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution (this requires using kernel code execution to fill memory with a payload to jump to beforehand), and thus potentially dump the pre-ipl code on newer targets.