Why Dark_Alex cannot hack the TA88v3

October 6th, 2008, 03:26 Posted By: tinman

Dark_Alex posed this explaining why.

This is an explanation of the security that was added in TA88v3, and which will be likely in PSP3000.

When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0x1000 bytes.

First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes... if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored... before TA88v3) Fir

The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?

The answer can be found in 4.00+ slim ipl's. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0).
As stated before, these remaining bytes are ignored... in pre-ipl's of psp's prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp's. In newest pre-ipl's, these 0x20 bytes have a meaning.

The first 0x10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl's, this hash is same, as seen in the picture:

The second 0x10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0x10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.

This protection also destroys any possibility of downgrading below 4.00, as these new cpu's won't be able to boot previous firmwares ipl's.

Summary: basically, all security of newest psp cpu's rely on the secrecy of the calculation of those 0x20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.

Graphic summary:

For more information and downloads, click here!

There are 19 comments - Join In and Discuss Here

Forum Info

Users online:

Guests online: 9389. Total online: 9389.

You have to register or login before you can post on our forums or use our advanced features.

Total threads: 206,210
Total posts: 750,001

Go to the forum

Advert

Buy Sony

PS4

PS3

PS2

PSone

PSVita

PSP

Sony Consoles News

Release: OpenOrbis Toolchain (PS4 Homebrew SDK) 0.5.2
PS4 Release: Hamachi client 0.2.1 by Sleirsgoevy, adds Firmware 9.00 support
PS4 Release: MultiTrainer 1.1.5.5
PS4 Release: PS4 DLC Unlocker Maker
PlayStation 5 sold 4.5m units in less than two months
Spider-Man: Miles Morales has sold 4.1m copies
PS5 to launch in China in Q2 2021
PS5's DualSense controller also faces drift issues
First PS5 drift class action lawsuit filed against Sony
DuckStation dev.0.1-2956
GAME details efforts to prevent PS5 scalpers
TheFlow announces WIP 'Grand Theft Auto: San Andreas' port for the PS Vita
PS4 firmware 7.55 exploit revealed by TheFlow
Harry Potter RPG 'Hogwarts Legacy' delayed to 2022
What we learned from PlayStation Vita
hpsx64 v0340
[1-11-2021] A Playable PSP Remake of the Original ‘Tomb Raider’ Has Been Discovered
Polish competition watchdog investigating Cyberpunk 2077
[RELEASE] Sonic CD for PS Vita
Sony reportedly discontinues all PS4 Pro and most PS4 Slim models production in Japan
Play! rev.800926fa
Excellent Improvement for Digimon World 2
PlayStation Plus games for January 2021 revealed
DuckStation dev.0.1-2663
PS5 Upgrade Feature Will Let You Know If You're Playing PS4 Games
PlayStation 4: Linux Loader now ported to FW 7.02 thanks to @mircoho
CD Projekt facing class-action suit over Cyberpunk 2077
DuckStation (2020/12/22)
VICEVita updated to version 1.2
PlayStation 4: PS4HEN released for Firmware 7.02
PS4 7.02 full stack exploit (user + kernel) released
PS4 7.02 exploit: Sleirsgoevy working on a port of the Synacktiv webkit exploit
PSVita: DaedalusX64 0.6 released
PCSX2 v1.7.0-dev-767
Super Robot Wars: Original Generations (PS2) translation released
Sony pulls Cyberpunk 2077 from PlayStation Store
Requests for refunds on Cyberpunk 2077 met with inconsistent response
PPSSPP dev.1.10.3-1330
PS4: Webkit exploit released for 6.xx, could potentially work on 7.xx
Play! rev.ff172d6b - PS2 Emulator for Windows
Xebra(Arbex) (2020/12/09)
PlayStation 3: Sony releases Firmware 4.87 for their 14 year old console – HFW 4.87.1
Xebra(Arbex) v200929b (2020/12/03)
PlayStation 5: Users getting banned for unlocking PS5-exclusive PlayStation Plus Coll
PS5: A second firmware update on its launch month, doesn’t seem to fix users’ issues
PSVita: re3-vita 1.1 released
PlayStation Plus games for December 2020 revealed
Sony declares PS5 is biggest launch in PlayStation history
Scalpers and bots reportedly driving PS5 shortages
The first PlayStation 5 game has been dumped
Jpcsp XLink Kai Support 1.0
PCSX-Redux v1578.20201119.6
PS4: OpenOrbis Toolchain updated to 0.5.1
The Search for the PS5 on Launch Day in the UK i Was Successful
PlayStation 5 sold almost six times as many units as Xbox Series X|S in Japan
PSX mecha action game Remote Control Dandy translated
PSVita Release: ds34vita released
PS5 Reports Warn of Putting PlayStation Console in Rest Mode
PCSX-Redux v1531.20201113.6
GePatch 0.2.0 released with ability to skip GE patches & more
PlayStation 4: Firmware 8.00 released with new avatars, revamped Party & Messages
HEX-Flow Launcher: A coverflow-like launcher for the Vita out for the public
Zanki Zero English Translation Patch for the PSVita released
PSVita: Grand Theft Auto III port by Rinnegatamante & TheFlow released
PSVita Release: Double Tap 2 Sleep Plugin Released by Joel16
Rinnegatamante working on porting Grand Theft Auto: Vice City to the PSVita
Phantasy Star Portable 2 Infinity Fan Translations [PSP] [Released]
Hermes V1.10 (PS2 Game)
PCSX-Redux v1523.20201113.2
PCSX-Redux v1503.20201030.3
hpsx64 v0330
PlayStation Plus games for November announced, includes Bugsnax for PS5
Phantasy Star Portable 2 Infinity - English Localization Public Release
First 12 hours of PS5 preorders match first 12 weeks of PS4's
PS4 shipments near 114m as new generation looms
Sony expects PS5 to exceed PS4's 7.6m launch sales this fiscal year
Sony to give away adapters to allow VR use on PlayStation 5
Jim Ryan: "We're more than a few minutes from the future of VR"
Sony details PS5 accessibility features
Sony legal threat compels PS5 faceplate company to cancel all orders
UK retail warns against launch day purchases of next-gen consoles
Does PlayStation need to buy more games studios?
No day one stock for retail as Sony focuses PS5 launch sales online
If Xbox is Netflix, then PS5 is cinema | Console analysis
PlayStation 5 | Critical Consensus
Sony debuts PS5 games ad as part of “memorable” launch efforts
Hermes v1.10 (PS2 Game)
Marvel's Avengers game to get an open beta this weekend
PlayStation: Launching a console during a pandemic “is a massive challenge
Rogue Hearts Dungeon Translation Released
English Translation Of Vampire Panic Released!
PlayStation Japan warns of Ghost of Tsushima stock shortage
Ghost of Tsushima sells 2.4 million in three days
Suikoden successor's Kickstarter raises $1.5 million on day one
Sony DualShock 4 controllers will not work with PS5 games
PlayStation software and services drive strong Q1 for Sony
Could Sony stumble on cross-generation games?
PES 2021 "pared back" as Konami focuses on Xbox Series X, PS5 version
Sony Boosting Output of PlayStation 5 to Meet Surge in Demand
Rogue Hearts Dungeon Translation Released
PlayStation suspends Facebook advertising
New PlayStation 2 exploit 'FreeDVDBoot' allows burnt DVD games to run without modchip
PPSSPP v1.10 PSP Emulator for Android and Windows
Sony announces PlayStation 5 Digital Edition
PS5 will far outsell Xbox Series X, predicts analyst
Grand Theft Auto Online coming to PS5 for free in 2021
Bethesda's Deathloop and Ghostwire: Tokyo will be timed PS5 exclusives
PS5 Digital Edition exists because "many consumers purchase solely digitally"
PlayStation 5's reveal was all about continuity
Grand Theft Auto Online is a killer app for PlayStation 5
EA: "PS5 and Xbox Series X games will feel different, better and more visceral"
The Last of Us Part 2 sells 4 million
Sony requires PS5 compatibility for all future PS4 releases
Sony postpones PlayStation 5 game reveal event
Sony shuts PlayStation Store back door in China
PlayStation fined $2.4m for misleading Australian customers over refunds
PlayStation 5 games to be revealed on June 4th
Sony's Jim Ryan: “It's time to give fans something that can only be enjoyed on PS5
Sony's games business declines as new generation looms
Sony's PS5 reveal will be all about the software
PlayStation Now reaches 2.2m subscribers
PlayStation Plus reaches 41.5m subscribers
The Last of Us Part 2 reportedly banned in the Middle East
Mira Project HEN, OpenOrbis PlayStation 4 toolchain homebrew both released
PlayStation Studios brand will launch alongside PS5
PCSX2 v1.6.0 released!
Sony temporarily closes PlayStation Store in China
hpsx64 v0301
vitaQuake v4.11 - Full HD 1920x1080 rendering for PSTV
vitaQuakeII - Quake II port for PSVITA
PlayStation Classic: AutoBleem 0.9 & RetroBoot 1.1 released
Hermes v1.10 (PSP Game)
Final Fantasy VII Remake ships 3.5m in three days
PlayStation 4 software update 7.50 released
Sony reportedly limiting PS5 launch window to 6m units
Rinnegatamante demonstrates quick progress in emulating the Nintendo 64 on Vita
Catherine: Full Body’s English translation for the Vita
Sony introduces PS5 DualSense controller
Sony takes $400 million stake in Bilibili
Xebra(Arbex) (2020/04/05)
PS4Delta Git (2020/04/06)
Vita3K Git (2020/04/06)
VitaPresence
PS3HEN 3.0.1 is out with FW 4.86 support!
Rebug 4.86.1 LITE released for CFW-capable PlayStation 3 consoles
Sharpscale – native 960×544 HDMI output for PSTV
PlayStation Plus games for April 2020 include Uncharted 4 and Dirt Rally 2.0
Sony sets up $100m COVID-19 Relief Fund
BetterTrackPlug 1.0.3
Project Eris for the PlayStation Classic version 0.9
VICEVita released for hacked PlayStation Vita consoles
vitaVoyager 0.7 Released
vitaHexen II 2.3 Released for PSVita
100 song mod for Taiko no Tatsujin V Version released!
PSOneScrot plugin released!
vitaQuake - Quake port for PSVITA
HFW 4.86.1 Released for PS3
Xerpi ports Play! to the PSVita
Sony declines to sell Call of Duty in Russia (again)
Avocado Git (2020/03/30)
DobieStation Git (2020/03/31)
rpcs3 Git (2020/03/31)
PlayStation 3 gets new firmware update for version 4.86
PlayStation 3: bguerville releases PlayStation 3 Toolset – A PS3 Exploitation
Final Fantasy VII Remake shipping early amid COVID-19 disruption
Sony doesn't see pandemic affecting PS5 launch
European studio boss Michael Denny leaves Sony after 25 years
Sony reduces PSN download speeds for the US
GameStop says no indication of PS5, Xbox Series X delays
Nintendo presses Sony to remove Mario creations from Dreams
Sony throttles back game downloads in Europe
CLR-DEV9 v0.8.7
hpsx64 v0290
Sony lays out more PS5 details
TheFlow is teasing a possible exploit for the PlayStation 4, for those on on OFW 6.20
Learning the lessons of the PlayStation 2
PSVita Release: Dasutein releases PC voices mod for The Legend of Heroes: Trails of C
Shadow of the Colossus and Sonic Forces are March's PS Plus games
3DS Release: 3DSync, a utility letting you upload Checkpoint saves to Dropbox
BGFTP Released
PlayStation and Facebook cancel GDC appearances citing coronavirus concerns
Sony announces closure of its official Playstation community forums
Expensive components drive PS5 production costs to $450 per unit
Sony files patent which encourages stuck players to spend money on DLC
PlayStation 4: PS4HEN 2.1.2 released with FW 7.02 spoofing support
GPCS4 v0.10
DobieStation Git (2020/02/09)
DuckStation Git (2020/02/09)
GPCS4 (PS4 emulator) News
PlayStation to close Manchester VR studio
Official PlayStation 5 website goes up, states that "they're not ready to fully unvei
Sony gaming revenue and profit on the decline as new console generation looms
PlayStation survey asks if players would enjoy having PS4 Remote Play on the Nintendo
vitaExhumed Released
DobieStation Git (2020/01/28)
English Translation of PSX Action-RPG Brave Prove Released
YouTube TV comes to PS4 as PS Vue moves out
PSVita Releases: VitaShell 2.02 & TailTale REsurrected
PSVita Releases: RealYoti updates VitaShell, Download Enabler, NoLockScreen and NoTro
PS4 News: Fire30 releases WebKit exploit for PS4 FW 6.00-6.72

The DCEmu Homebrew and Gaming Network

Welcome to the DCEmu Homebrew and Gaming Network. This Network of sites is owned and ran by fans of all games consoles, we post news on all the consoles we cover about hardware aspects, gaming and Homebrew. Homebrew and Emulation are software thats made using free and legal tools to play on games consoles. This Network is the only worldwide network of sites where coders can upload and post comments they deserve for all their hardwork. We have a Network that currently supports PSVita, WiiU, Nintendo Wii, Xbox360, PS3, PS2,PS1, Snes, N64, Gameboy, Nes, Xbox, Gamecube, Nintendo DS, PSP, GBA, Dreamcast, Sega Saturn,3DS, DSi, Switch, PS4, Pandora, xboxone, GP2X, iPhone, Windows Phone, iPad, Android and also Mobile Phone Emulation. When new consoles appear we will expand to cover those consoles. We also cover Theme Park News and news and reviews of Beer, cider, lager, wines and spirits. news of their own releases and get the credit and Please help DCEmu become stronger by posting on the forums every day and make our community larger.

Main

Search DCEmu

Social Media

The DCEmu Homebrew & Gaming Network

News Archive

DCEmu Newcomers