
First, a huge thanks to Gusha for his huge support, donating a lot of time for testing stuff on his TA-88v3, cheers mate! In this post I’ll describe what I have found out so far with the TA-88v3 and provide a model representing the security and operation of the TA-88v3 pre-IPL. Unfortunately, the hash has not been broken, but this could be some useful information.
First, let’s recap what we know already. The IPL is the “Initial Program Loader” bla bla, it is stored on the NAND or on the service mode memory stick and is divided into chunks of 0x1000, the size of the buffer used at 0xBFD00000 where they are decrypted. Each IPL block is a standard KIRK cmd 1 block and is passed directly to KIRK for decryption.
Now, the Prometheus team broke this using a timing attack to calculate the CMAC hashes. Sony had to counter this, and this is how Dark_AleX described it:
The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?
The answer may lie in the ipl’s of PSP Slims with firmware 4.0. Decreased body size encryption 0xF40 to leave 0x20 bytes at the end of each block (exit 0xFE0)
As discussed above, these remaining bytes were ignored … in pre-ipl’s of pre-TA88v3 PSP, and in fact can be randomized and ipl will still boot in those psp’s. In newest pre-ipl’s, these 0x20 bytes have a meaning.
The first 0x10 bytes is a hitherto unknown hash calculated from the decrypted block. It is deduced that it is calculated from the decrypted block and not the ciphered as 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted. In these two ipl’s, the hash is the same, as you can see in the image
Then followed these two images to illustrate this idea:
He then continued to summarize:
The second 0x10 bytes seem to be equally dependent decrypted body (maybe dependent of the previous 0x10 bytes too?)
In the picture you can see they are different in 4.01 and 4.05, but can be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01, and will continue to charge, but however, this change can not be random.
This protection also destroys any possibility of downgrading below 4.00, as these new CPU’s will not be able to boot previous firmwares ipl’s with those.
Summary: basically, all security of newest psp cpu’s is based on the calculation of those 0x20 bytes.
If pre-ipl could be dumped in some way, that security would fall COMPLETELY.
All in all, pretty accurate. This second “pseudo-random” block of 0x10 bytes, however, confused a lot of people. People had strange and completely incorrect ideas, such as “Brokencodes” promoting the IDEA algorithm for this application. In fact, people went to great depth to try to re-create Brokencode’s calculation, with clear failure. This second “pseudo-random” block was a nightmare, with people thinking it was digital signatures and such when in fact it could be much easier.
Imagine that “[block 1]” is a block of 0x10 bytes and “[block 2]” is also 0x10 bytes. In memory they look like:
[block 1]
[block 2]
This is our hash buffer, it stores 0x20 bytes as we expect. Now, let’s look at the pre-IPL: it’s 4kB, not a lot of space, and it needs to do everything it does in the SLIM pre-IPL for backward compatibility. What resources does it have available? It has KIRK, which provides a SHA-1 algorithm interface, so surely SHA-1 is a good choice?
A SHA-1 hash is 0x14 bytes in size. So it will fill all of [block 1] and 4 bytes of [block 2].
Let’s propose SCE do this.
We look at the 4.01 and 4.05 ipl which are identical when decrypted (at least for the first ipl block).
[4.01 hash block 1] [4.05 hash block 1]
[4.01 hash block 2] [4.05 hash block 2]
[4.01 hash block 1] and [4.05 hash block 1] are identical and the other blocks are not, but they can be interchanged. So, what is this? It’s probably encrypted maybe? Think about it, if Sony could store 0x14 bytes instead of 0x20 they would. AES operates on blocks of 0x10, so the SHA-1 hash would need to be padded out to 0x20 bytes. Let’s assume that they use a random meaningless padding. It means that the second block, although containing 4 bytes of a SHA-1 sum, contains 12 bytes of random data, which will make the encrypted block look random!
Assuming this idea, it would be silly for Sony to use anything other than KIRK 7 for the decryption (since there is no inverse). Initially I tried this and got no matching 0x14 bytes for any seed… but Proxima kindly pointed out that I wasn’t testing all the KIRK 7 seeds (doh!). So yeah, guess what happened? KIRK 7 seed 0x6C resulted in the decrypted IPL hashes matching for 0x14 bytes! yaaaay!
This is a sad story though. It wasn’t the SHA-1 value that it resulted in. I haven’t done a lot of analysis, but it is probably some sort of permutation of the SHA-1, probably HMAC-SHA1 if Sony has any sense.
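The padded-digest model proposed above can be tried out in a few lines. This is an added sketch, not code from the original post or from Sony: the keys are constructed, a toy Feistel permutation stands in for AES/KIRK 7, HMAC-SHA1 follows the post's guess, and it is assumed that each 0x10 block is enciphered independently and that only the first 0x14 decrypted bytes are compared.

```python
import hashlib, hmac, os

BLOCK, DIGEST_LEN, TRAILER_LEN = 0x10, 0x14, 0x20   # sizes named in the post
BODY_LEN = 0xF40                                    # decrypted body size per block
CIPHER_KEY = b"constructed-cipher-key"              # constructed; real keys are not on the page
MAC_KEY = b"constructed-mac-key"                    # constructed

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(CIPHER_KEY + bytes([rnd]) + half).digest()[:8]

def encrypt_block(p: bytes) -> bytes:
    """Toy 4-round Feistel permutation over 0x10 bytes; a stand-in for AES, not KIRK."""
    l, r = p[:8], p[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, rnd))
    return l + r

def decrypt_block(c: bytes) -> bytes:
    l, r = c[:8], c[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(l, rnd)), l
    return l + r

def _digest(body: bytes) -> bytes:
    # HMAC-SHA1 follows the post's guess; the real function is unknown.
    return hmac.new(MAC_KEY, body, hashlib.sha1).digest()

def make_trailer(body: bytes) -> bytes:
    """0x14-byte digest + 12 random pad bytes, each 0x10 block enciphered independently."""
    plain = _digest(body) + os.urandom(TRAILER_LEN - DIGEST_LEN)
    return b"".join(encrypt_block(plain[i:i + BLOCK]) for i in range(0, TRAILER_LEN, BLOCK))

def check_trailer(body: bytes, trailer: bytes) -> bool:
    """Decrypt the trailer and compare only the first 0x14 bytes; the pad is ignored."""
    plain = b"".join(decrypt_block(trailer[i:i + BLOCK]) for i in range(0, TRAILER_LEN, BLOCK))
    return hmac.compare_digest(plain[:DIGEST_LEN], _digest(body))

def demo() -> dict:
    body = bytes(i & 0xFF for i in range(BODY_LEN))      # constructed "decrypted block"
    t_a, t_b = make_trailer(body), make_trailer(body)    # same body in two firmware builds
    return {
        "block1_same": t_a[:BLOCK] == t_b[:BLOCK],       # digest-only block matches
        "block2_same": t_a[BLOCK:] == t_b[BLOCK:],       # 4 digest bytes + random pad differ
        "swapped_ok": check_trailer(body, t_a[:BLOCK] + t_b[BLOCK:]),
        "random_ok": check_trailer(body, t_a[:BLOCK] + os.urandom(BLOCK)),
    }
```

Calling `demo()` reproduces the three observations quoted from Dark_AleX: the first 0x10 bytes match across builds, the second 0x10 bytes differ yet can be swapped between builds, and a randomized second block fails the check.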
As for the pre-IPL, it does no checks on the encrypted data besides determining if it’s an ECDSA block or not. ECDSA blocks are determined by loading block + 0x64 and checking msb for 1. If it is true, it is an ECDSA block and it copies 0x28 bytes from block + 0xA0 in addition to the standard procedure of copying the 0x20 hash from 0xFE0. This copying is fixed and not calculated from the end of the data. So if your block only fills up to 0x100 of the IPL block, the hash will still have to be at 0xFE0.
The pre-IPL then goes on to decrypt the kirk data. Then all the hashing is done on the decrypted data. Everything after that is fuzzy and hard to gain information from but I suspect the TA-88v3 pre-IPL does a check for ECDSA block and then the jump address.
That’s a brief description. Ask stuff in the comments, I’ll reply.
-Davee
This forum needed shaking up and you’ve just done that. Great post!
Wed 7th September, 2011 at 18:03 BST
Hi Sir Davee… Just want to ask if you are still looking for a TA-088v3 PSP to test the new IPL that you have? I have one. I can test it for you… Hope to hear from you soon…
Tue 20th September, 2011 at 03:00 BST
So do you think we’ll break TA-88v3+ IPL security one day?
Thu 11th August, 2011 at 02:27 BST