Vulnerabilities: Difference between revisions

From PSP Developer wiki
Jump to navigation Jump to search
(→‎Lib-PSP iplloader (PRE-IPL): Added more Lib-PSP iplloader vulnerabilities)
Line 33: Line 33:


== Arbitrary Load Address ==
== Arbitrary Load Address ==
(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007
(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007
Introduced: Tachyon 0x00140000 Boot rom
Introduced: Tachyon 0x00140000 Boot rom
Fixed: Never
Fixed: Never


Lib-PSP iplloader will not control the location at which it will load/copy the block, it will happily attempt to perform a memcpy (at a rate of 1 dword per cycle)
Lib-PSP iplloader will not control the location at which it will load/copy the block, it will happily attempt to perform a memcpy (at a rate of 1 dword per cycle)
Line 43: Line 47:


(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007
(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007
Introduced: Tachyon 0x00140000 Boot rom
Introduced: Tachyon 0x00140000 Boot rom
Fixed: Lib-PSP iplloader 2.6.0
Fixed: Lib-PSP iplloader 2.6.0


Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint, this allows arbitrary execution, this was used in conjunction with the kirk time attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.
Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint, this allows arbitrary execution, this was used in conjunction with the kirk time attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.
Line 53: Line 60:


Introduced: Tachyon 0x00140000 Boot rom
Introduced: Tachyon 0x00140000 Boot rom
Fixed: indirectly since 03g as no IPL that run on 03g and onwards have a block that uses a previous block checksum of 0 other than block0 itself.
Fixed: indirectly since 03g as no IPL that run on 03g and onwards have a block that uses a previous block checksum of 0 other than block0 itself.


This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.
This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.

Revision as of 12:46, 28 January 2021

Lib-PSP iplloader (PRE-IPL)

NMI Backdoor

(Found by: Mathieulh, Proxima, C+D/Prometheus, Anyone spending time reverse engineering the pre-ipl) - Earliest discovery: 4/4/2007

Introduced: Tachyon 0x00140000 Boot rom Fixed: Never

Vulnerable: Lib-PSP iplloader (all ROM Versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP Bootrom)


The Lib-PSP iplloader rom (present within tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor (most likely used internally for debugging purposes) in its loader part at the very first instructions of the bootrom.

This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9

If 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). If 0xBC100000 is equal to 0, coprocessor register $9 will be reset back to 0.

Below are the relevant pieces of code:

ROM:BFC00004                 lw      $v0, 0xBC100000             # store 0xBC100000 to $v0
ROM:BFC0000C                 bnez    $v0, loc_BFC00064           # if $v0 (0xBC100000) is not equal to zero, jump to 0xBFC00064
ROM:BFC00064                 cfc0    $v0, $9                     # store coprocessor $9 to $v0
ROM:BFC00068                 beqz    $v0, loc_BFC00078 $         # if $v0 (coproc $9) is equal to 0 jump to 0xBFC00078
ROM:BFC0006C                 nop
ROM:BFC00070                 jr      $v0                         # jump to register $v0 (value initially set in coproc $9)


Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution (this requires using kernel code execution to fill memory with a payload to jump to beforehand), and thus potentially dump the pre-ipl code on newer targets.

Arbitrary Load Address

(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007

Introduced: Tachyon 0x00140000 Boot rom

Fixed: Never


Lib-PSP iplloader will not control the location at which it will load/copy the block, it will happily attempt to perform a memcpy (at a rate of 1 dword per cycle) to whatever load address is specified in the IPL header, assuming the header passes the checks (kirk1 hashes, HMAC-SHA1 (on 03g+)...) this allows to potentially write a payload at arbitrary locations.

Arbitrary Entrypoint Address

(Found by: C+D/Prometheus) - Earliest discovery: 4/4/2007

Introduced: Tachyon 0x00140000 Boot rom

Fixed: Lib-PSP iplloader 2.6.0


Lib-PSP iplloader will jump to any location specified in the last IPL block's entrypoint, this allows arbitrary execution, this was used in conjunction with the kirk time attack to craft a block and gain execution from at address 0xBFD00100 in the Pandora hack, and thus allowed to craft a "valid" block in a more timely fashion.

Lib-PSP iplloader always assumes a block with the checksum 0 is the first IPL block

(Found by: C+D/Prometheus) - Earliest discovery: Q4 2006

Introduced: Tachyon 0x00140000 Boot rom

Fixed: indirectly since 03g as no IPL that run on 03g and onwards have a block that uses a previous block checksum of 0 other than block0 itself.


This implementation fault has been exploited to create a memory hole in VRAM that could be filled with our own payload to gain execution and dump Lib-PSP iplloader.