Posted By: wraggster
Uberjack, one of the PSP Scene's most vocal coders, posted this article at his site:
You’ve probably heard about this elsewhere already, but Dark_AleX has recently posted information on why the newer PSP models (later-model Slim, and likely Brite) cannot currently be hacked.
The upshot of the story is that 32 bytes of data that were previously unused padding space are now actually used for storing two cryptographic hashes. The hashes are assumed to be (and in all likelihood are) based on the decrypted copy of the encrypted information, and are used to authenticate the validity of the encrypted data. If a computed hash doesn’t match the supplied hash, the CPU will refuse to run the firmware.
The new implementation is not very different from the implementation of the SSL/TLS protocol, as well as many other common encryption protocols — in fact, it’s rather strange (though perhaps fortuitous for us) that it wasn’t implemented until now. It does, however, significantly complicate the initial bootstrapping process (if only in terms of cryptography), which simply required valid decrypted data (according to the same article, original encryption was destroyed by employing a timing attack).
If there is a silver lining here, it’s in the potential weakness of the human element. For those of you who recall, Pandora came about when a Sony repairman left a specially-formatted memory stick in a repaired PSP sent back to a customer. Let’s hope that some lucky soul somewhere finds a bunch of unencrypted boot IPLs in his/her memory stick (and that he/she knows who to send them to).
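The check the article describes, as an added illustration that is not from Uberjack's write-up and is not Sony's actual code: an image whose trailing 32 bytes used to be ignored padding now carries two hashes over the decrypted payload, and the loader refuses to run anything whose recomputed hashes do not match. Everything concrete here is a constructed stand-in, including the repeating-key XOR "cipher", the demo key, the choice of truncated SHA-256 with two domain tags as the two 16-byte hashes, and the sample payload; the real PSP algorithms and keys are not on the page.

```python
import hashlib
import hmac

TRAILER_LEN = 32   # the 32 bytes the article says moved from padding to hashes
HASH_LEN = 16      # two hashes packed into 32 bytes -> 16 bytes each (assumption)

# Constructed demo key; the real keys are not known here.
DEMO_KEY = bytes(range(16))


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real cipher: repeating-key XOR, so one function both
    encrypts and decrypts. It offers no integrity protection at all, which is
    exactly the gap the new hash trailer closes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compute_hashes(plaintext: bytes) -> bytes:
    """Two truncated SHA-256 digests over the *decrypted* data, separated by
    different domain tags (assumed construction), packed into the trailer."""
    h1 = hashlib.sha256(b"tag-1" + plaintext).digest()[:HASH_LEN]
    h2 = hashlib.sha256(b"tag-2" + plaintext).digest()[:HASH_LEN]
    return h1 + h2


def build_image(plaintext: bytes, key: bytes, authenticated: bool = True) -> bytes:
    """Ciphertext followed by a 32-byte trailer: hashes in the new format,
    all-zero padding in the old one."""
    ciphertext = toy_cipher(plaintext, key)
    trailer = compute_hashes(plaintext) if authenticated else bytes(TRAILER_LEN)
    return ciphertext + trailer


def legacy_load(image: bytes, key: bytes) -> bytes:
    """Old behaviour: decrypt and run whatever comes out; the trailer is ignored."""
    return toy_cipher(image[:-TRAILER_LEN], key)


def authenticated_load(image: bytes, key: bytes):
    """New behaviour: decrypt, recompute both hashes, compare in constant time,
    and return None (refuse to run) on any mismatch."""
    if len(image) <= TRAILER_LEN:
        return None
    ciphertext, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    plaintext = toy_cipher(ciphertext, key)
    if not hmac.compare_digest(compute_hashes(plaintext), trailer):
        return None
    return plaintext


def demo() -> dict:
    """Exercise a good image, a corrupted one, and a legacy (padding-only) image."""
    firmware = b"IPL stage 1: constructed firmware payload"      # constructed sample
    good = build_image(firmware, DEMO_KEY)
    corrupted = bytearray(good)
    corrupted[3] ^= 0x01                                          # one flipped ciphertext bit
    corrupted = bytes(corrupted)
    legacy = build_image(firmware, DEMO_KEY, authenticated=False)
    return {
        # intact image passes the new check and yields the original payload
        "good_accepted": authenticated_load(good, DEMO_KEY) == firmware,
        # the new loader refuses the corrupted image...
        "corrupted_refused": authenticated_load(corrupted, DEMO_KEY) is None,
        # ...while the old loader would happily run the garbled result
        "corrupted_runs_on_legacy": legacy_load(corrupted, DEMO_KEY) is not None,
        # an old-format image (zero padding) no longer passes either
        "legacy_image_refused": authenticated_load(legacy, DEMO_KEY) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the demo makes is the one in the article: encryption alone decides only whether the bytes decrypt to something, so a loader that ignores the padding will execute whatever falls out; binding the decrypted content to stored hashes turns a single corrupted bit into a hard refusal, and the constant-time comparison keeps the check itself from leaking which bytes matched.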