Vulnerabilities
Lib-PSP iplloader (PRE-IPL)
NMI Backdoor
(Found by: Mathieulh, Proxima, C+D/Prometheus, Anyone spending time reverse engineering the pre-ipl) - Earliest discovery: 4/4/2007
Fixed: Never
Vulnerable: Lib-PSP iplloader (all ROM Versions, 0.7.0 and newer Kbooti versions, PS Vita's PSP Bootrom)
The Lib-PSP iplloader rom (present within tachyon's IC package) as well as Lib-PSP iplloader versions 0.7.0 and onward feature a NMI/Interrupt handler backdoor in its loader part at the very first instructions of the bootrom.
This backdoor allows anyone in control of the memory location address 0xBC100000 to perform a jump to an arbitrary location defined in coprocessor register $9
If 0xBC100000 is not equal to 0 and coprocessor register $9 is set, Lib-PSP iplloader will jump to the address set in the register very early in the code (by the 8th instruction). If 0xBC100000 is equal to 0, coprocessor register $9 will be reset back to 0.
Below are the relevant pieces of code:
ROM:BFC00004 lw $v0, 0xBC100000 ROM:BFC0000C bnez $v0, loc_BFC00064
ROM:BFC00064 cfc0 $v0, $9 ROM:BFC00068 beqz $v0, loc_BFC00078 ROM:BFC0006C nop ROM:BFC00070 jr $v0
Because both address 0xBC100000 and coprocessor register $9 are controlled by syscon, this backdoor would allow an attacker performing a hardware based attack on syscon (by either replacing syscon or performing a man in the middle data injection) to set those values and gain Lib-PSP iplloader/pre-ipl time code execution, (by using kernel code execution to fill memory with a payload beforehand) and thus potentially dump the pre-ipl code on newer targets.