Security Updates

From PSP Developer wiki

The PSP had many revisions to its security through firmware upgrades. Many of these were added silently, and the rest were simply labeled as "Revisions to strengthen security" by the update. This page documents, at a technical level, the security changes made by each firmware version.

1.03

  • Initial firmware launch in Japan. It should be noted that the 1.XX firmwares are quite buggy and lacked features Sony had been working on since 2004 that were later added in 2.00. Essentially, Sony released the PSP before it was finished in order to compete with the Nintendo DS launch.
  • Does not allow execution of unsigned PRX.
  • Allows unsigned ELF of any privilege level (User/VSH/Kernel).

1.50

  • Introduced a bug in returning the size of an unsigned ELF, which blocks normal EBOOTs; they can still be launched with the Swapsploit/KXploit workaround.
  • Introduced another bug where no gzip-compressed encrypted PRX executable will run; only modules may be gzipped. This bug persists in 1.51/1.52 and was fixed in 2.00.
    • This bug may be why official updates were never gzipped despite games and demos eventually doing so, to ensure the updates can be run from all firmwares.

1.51

  • Blocks the loading of unsigned ELF from memory stick.

1.52

  • Introduced a module that sets all files in flash0 to hidden+system. This was in response to the Wipeout browser exploit, where a DNS trick allowed the in-game browser to view and download files from any device.

2.00

  • This is the biggest PSP update ever made, with lots of new features and an overhaul to the kernel.
  • Properly blocks kernel ELF by restructuring the kernel, and also properly blocks unsigned ELF. This is why running kernel ELF on newer firmwares requires the 1.XX kernel.
  • Introduced sign-checking on PRX files to tie them to the individual system. This was in response to people physically dumping their NANDs and being able to flash them to downgrade.

2.01

  • Patches the libtiff exploit introduced in 2.00.

2.50

2.60

  • The IPL now uses an extra layer of encryption in stage 2 tied to a pseudo-random number generated by doing a checksum of the pre-IPL.
  • The PSP boot config files now contain checksums of all PRX files and block any PRX whose checksum does not match.
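The check described above, as an added example that is not firmware code or anything from the PSP Developer wiki: a boot-config style manifest of module digests and a simulated loader that refuses any module whose digest is missing or different. The page does not say which checksum the firmware uses, so SHA-1 is an assumed stand-in, and the module paths and contents are constructed.

```python
import hashlib
import hmac

# Constructed sample modules standing in for PRX files in flash0; not real PSP data.
MODULES = {
    "kd/loadcore.prx": b"\x7fELF constructed loadcore image",
    "kd/sysmem.prx": b"\x7fELF constructed sysmem image",
}


def build_boot_config(modules):
    """Build a boot-config style manifest: module path -> hex digest.

    SHA-1 is an assumed stand-in for whatever checksum the real boot config
    carries; the point is the manifest-and-compare structure, not the algorithm.
    """
    return {path: hashlib.sha1(data).hexdigest() for path, data in modules.items()}


def check_module(manifest, path, data):
    """Return True only if the module is listed in the manifest and its digest matches."""
    expected = manifest.get(path)
    if expected is None:
        return False  # an unlisted module is refused just like a mismatching one
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(expected, actual)


def load_modules(manifest, modules):
    """Simulated loader: returns (loaded, blocked) lists of module paths."""
    loaded, blocked = [], []
    for path, data in modules.items():
        (loaded if check_module(manifest, path, data) else blocked).append(path)
    return loaded, blocked


def tampered_flash(modules):
    """Constructed flash0 contents: one module patched, one unlisted module added."""
    flash = dict(modules)
    flash["kd/sysmem.prx"] = modules["kd/sysmem.prx"] + b"patched"
    flash["kd/custom.prx"] = b"unlisted module"
    return flash


if __name__ == "__main__":
    manifest = build_boot_config(MODULES)
    print("clean:", load_modules(manifest, MODULES))
    print("tampered:", load_modules(manifest, tampered_flash(MODULES)))
```

The manifest must itself be protected (the page's later entries describe the boot config being consolidated and flash being encrypted), since a checksum list that an attacker can rewrite checks nothing.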

2.70

2.71

2.80

2.81

2.82

3.00

  • The lflash portion of the NAND is now encrypted; all reads and writes must pass through this layer.

3.01

3.02

3.03

3.10

3.11

3.30

3.40

3.50

  • Kernel NIDs are now scrambled, so applications that call them cannot work without a resolver.
  • All boot config files are now consolidated into one file.
  • Several PRX drivers are now consolidated into one file (may not be for security, but prevents easily mixing modules with older firmwares).
  • Encrypted PRX files now have the required firmware version stored in the ~PSP header.
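To make the 3.50 NID-scrambling entry concrete, here is an added example (not code from the wiki or from any PSP firmware or SDK) of how an unscrambled NID is derived from an exported function name, and what the "resolver" the entry mentions has to do: map the name-derived NIDs an older application imports onto the NIDs the newer kernel actually exports. The derivation shown (first four bytes of the SHA-1 of the name, read as a little-endian 32-bit value) is the publicly documented pre-3.50 scheme; the scrambled values in the table are constructed placeholders, not real 3.50 NIDs.

```python
import hashlib
import struct


def nid(name: str) -> int:
    """Unscrambled PSP NID: first four bytes of SHA-1(name) as a little-endian u32."""
    digest = hashlib.sha1(name.encode("ascii")).digest()
    return struct.unpack("<I", digest[:4])[0]


# Constructed stand-in for a 3.50+ kernel export table whose NIDs no longer
# match the SHA-1 of the name. These values are made up for the example.
SCRAMBLED_EXPORTS = {
    "sceKernelLoadModule": 0x4C25EA72,
    "sceKernelStartModule": 0x11B12F4B,
}


def build_resolver(exports):
    """Map each pre-3.50 (name-derived) NID to the scrambled NID the kernel now exports."""
    return {nid(name): scrambled for name, scrambled in exports.items()}


def resolve_import_table(resolver, imports):
    """Rewrite an application's kernel import list.

    Returns (resolved, missing): resolved maps old NID -> scrambled NID, and
    missing lists imports with no entry, which a loader should refuse to bind
    rather than silently leave dangling.
    """
    resolved, missing = {}, []
    for old in imports:
        new = resolver.get(old)
        if new is None:
            missing.append(old)
        else:
            resolved[old] = new
    return resolved, missing


if __name__ == "__main__":
    resolver = build_resolver(SCRAMBLED_EXPORTS)
    # Constructed import list: two known kernel functions plus one the table lacks.
    imports = [nid("sceKernelLoadModule"), nid("sceKernelStartModule"), nid("sceNotExported")]
    resolved, missing = resolve_import_table(resolver, imports)
    for old, new in resolved.items():
        print(f"0x{old:08X} -> 0x{new:08X}")
    print("unresolved:", [f"0x{x:08X}" for x in missing])
```

The defensive point of the scramble is visible in the resolver: without a table built from knowledge of the newer kernel, an old import has no way to find its function, so NID tables per firmware become the thing that must be maintained.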

3.51

  • Patched the Lumines exploit.

3.52

3.60

3.70

3.71

3.72

3.73

3.80

3.90

3.93

3.95

3.96

4.00

4.01

4.05

4.20

4.21

5.00

5.01

5.02

5.03

5.05

5.50

5.51

5.55

5.70

6.00

6.10

6.20

6.30

6.31

6.35

6.36

6.37

6.38

6.39

6.50

6.60

6.61