A look at the TA-88v3 IPL Hash
3 July, 2011
First, a huge thanks to Gusha for his support, donating a lot of time to test stuff on his TA-88v3, cheers mate! In this post I'll describe what I have found out so far about the TA-88v3 and provide a model representing the security and operation of the TA-88v3 pre-IPL. Unfortunately the hash has not been broken, but this could still be some useful information.
First, let's recap what we already know.
6.35 and 6.31 Downgrader
24 January, 2011
Sony, being as sneaky as they are, decided to make a rather interesting move. As researched by Coyotebean, Sony started enforcing a public-key method of verifying KIRK data and removed the ability to load the old types of data. Because of this, firmware 6.30+ cannot decrypt the updater and the PRX inside it, and therefore cannot use the index.dat spoofing to downgrade.
This application does the simple job of rebooting into the updater with a PRX that allows the updater to decrypt.
23 December, 2010
Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability used. Back in 5.70/6.00 Sony introduced a feature into the sceUtility_private library that allows setting and unsetting a callback with kernel privileges.
sceUtility_private_764F5A3C // Set power callback
sceUtility_private_2DC8380C // Release (unset) power callback

These two functions are not normally imported, so they require some special techniques, such as syscall estimation, to reach them in order to utilise their functionality.