
First, a huge thanks to Gusha for his huge support, donating a lot of time to testing stuff on his TA-88v3. Cheers mate! In this post I'll describe what I have found out so far about the TA-88v3 and provide a model of the security and operation of the TA-88v3 pre-IPL. Unfortunately the hash has not been broken, but this could be some useful information.

First, let's recap what we know already. The IPL is the "Initial Program Loader" (bla bla); it is stored on the NAND or on the service mode memory stick and is divided into chunks of 0x1000, the size of the buffer at 0xBFD00000 where they are decrypted. The IPL blocks are standard KIRK cmd 1 blocks and are passed directly to KIRK for decryption.

Now, the Prometheus team broke this using a timing attack to calculate the CMAC hashes. Sony had to counter this, and this is how Dark_AleX described it:

The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.

What has Sony added to fix this?

The answer may lie in the IPLs of PSP Slims with firmware 4.0. The size of the encrypted body was decreased to 0xF40 to leave 0x20 bytes at the end of each block (offset 0xFE0).

As discussed above, these remaining bytes were ignored … in the pre-IPLs of pre-TA-88v3 PSPs, and in fact they can be randomized and the IPL will still boot on those PSPs. In the newest pre-IPLs, these 0x20 bytes have a meaning.

The first 0x10 bytes are a hitherto unknown hash calculated from the decrypted block. It is deduced that it is calculated from the decrypted block and not the ciphered one, as 4.01 and 4.05 have a lot of IPL blocks in common which, when decrypted, are similar but are totally different in their encrypted form. In these two IPLs the hash is the same, as you can see in the image.

Then followed these two images to illustrate this idea:
[two comparison images of the 4.01 and 4.05 hash blocks, not reproduced here]

He then continued to summarize:

The second 0x10 bytes seem to be equally dependent on the decrypted body (maybe dependent on the previous 0x10 bytes too?).

In the picture you can see they are different in 4.01 and 4.05, but they can be interchanged: you can move those 0x10 bytes from the same block in the 4.05 IPL to the 4.01 one and it will continue to load. However, this change cannot be random.

This protection also destroys any possibility of downgrading below 4.00, as these new CPUs will not be able to boot previous firmwares' IPLs with those.

Summary: basically, all the security of the newest PSP CPUs is based on the calculation of those 0x20 bytes.

If pre-ipl could be dumped in some way, that security would fall COMPLETELY.

All in all, pretty accurate. This second "pseudo-random" block of 0x10 bytes, however, confused a lot of people. People had strange and completely incorrect ideas, such as "Brokencodes" promoting the IDEA algorithm for this application; in fact, people went to great depth trying to re-create Brokencode's calculation, with clear failure. This second "pseudo-random" block was a nightmare, with people thinking it was digital signatures and such, when in fact it could be much easier.

Imagine that “[block 1]” is a block of 0x10 bytes and “[block 2]” is also 0x10 bytes. In memory they look like:
[block 1] [block 2]

This is our hash buffer; it stores 0x20 bytes, as we expect. Now, let's look at the pre-IPL: it's 4 kB, not a lot of space, and it needs to do everything the Slim pre-IPL does for backward compatibility. What resources does it have available? It has KIRK, which provides a SHA-1 interface, so surely SHA-1 is a good choice?

A SHA-1 hash is 0x14 bytes in size, so it will fill all of [block 1] and 4 bytes of [block 2]. Let's propose SCE do this.

We look at the 4.01 and 4.05 IPLs, which are identical when decrypted (at least for the first IPL block).
[4.01 hash block 1] [4.05 hash block 1] [4.01 hash block 2] [4.05 hash block 2]

[4.01 hash block 1] and [4.05 hash block 1] are identical; the other blocks are not, but they can be interchanged. So, what is this? It's probably encrypted, maybe? Think about it: if Sony could store 0x14 bytes instead of 0x20 they would. AES operates on blocks of 0x10, so the SHA-1 hash would need to be padded out to 0x20 bytes. Let's assume that they use random, meaningless padding. It means that the second block, although containing 4 bytes of the SHA-1 sum, contains 12 bytes of random data, which will make the encrypted block look random!

Assuming this idea, it would be silly for Sony to use anything other than KIRK 7 for the decryption (since there is no inverse). Initially I tried this and got no matching 0x14 bytes for any seed… but Proxima kindly pointed out that I wasn't testing all the KIRK 7 seeds (doh!). So yeah, guess what happened? KIRK 7 seed 0x6C resulted in the decrypted IPL hashes matching for 0x14 bytes! Yaaaay!

This is a sad story though: it wasn't the SHA-1 value that came out. I haven't done a lot of analysis, but it is probably some sort of permutation of the SHA-1, probably HMAC-SHA1 if Sony has any sense.

As for the pre-IPL, it does no checks on the encrypted data besides determining whether it's an ECDSA block or not. ECDSA blocks are determined by loading block + 0x64 and checking whether the MSB is 1. If so, it is an ECDSA block and the pre-IPL copies 0x28 bytes from block + 0xA0 in addition to the standard procedure of copying the 0x20-byte hash from 0xFE0. This copying uses fixed offsets and is not calculated from the end of the data, so if your payload only fills up to 0x100 of the IPL block, the hash will still have to be at 0xFE0.

The pre-IPL then goes on to decrypt the KIRK data; all the hashing is done on the decrypted data. Everything after that is fuzzy and hard to gain information from, but I suspect the TA-88v3 pre-IPL checks for an ECDSA block and then the jump address.
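To make the two structural points above concrete (the fixed-offset copies the pre-IPL performs, and the "SHA-1 padded to 0x20 then encrypted" hypothesis for the trailer), here is an added Go model. It is not Davee's code and not Sony's: the KIRK 7 seed 0x6C key is not public, so `modelKey` is a constructed stand-in; the post does not name the cipher mode, so AES-128-CBC with a zero IV is an assumption; plain SHA-1 is used even though the post says the real value is probably a permutation of it (perhaps HMAC-SHA1); and the "MSB" test at +0x64 is read as bit 31 of a 32-bit little-endian word, which is a guess about the load width. The offsets (0x1000, 0xF40, 0xFE0, 0x64, 0xA0, 0x28) are the ones quoted in the post. `Demo` reproduces the 4.01/4.05 observation: identical decrypted bodies give identical first 0x10 trailer bytes, the second 0x10 bytes can be swapped between the two but not replaced with arbitrary data, because 4 bytes of digest live there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets and sizes exactly as quoted in the post.
const (
	blockSize    = 0x1000 // one IPL block, the size of the decrypt buffer at 0xBFD00000
	bodyLen      = 0xF40  // encrypted body size after Sony shrank it
	trailerOff   = 0xFE0  // fixed location of the 0x20-byte hash trailer
	trailerLen   = 0x20
	ecdsaFlagOff = 0x64                   // word loaded to decide whether this is an ECDSA block
	ecdsaSigOff  = 0xA0                   // 0x28 extra bytes copied for ECDSA blocks
	ecdsaSigLen  = 0x28
	padLen       = trailerLen - sha1.Size // 0xC bytes left over after a SHA-1
)

// Trailer holds what the pre-IPL copies out of a raw block before KIRK sees it.
type Trailer struct {
	Hash  [trailerLen]byte
	ECDSA bool
	Sig   []byte // 0x28 bytes from +0xA0, nil for non-ECDSA blocks
}

// ExtractTrailer models the pre-IPL's fixed-offset copies; the positions do not
// depend on how much of the block the payload actually fills.
// ASSUMPTION: the load at +0x64 is a 32-bit little-endian word and "MSB" is bit 31.
func ExtractTrailer(block []byte) (Trailer, error) {
	if len(block) != blockSize {
		return Trailer{}, fmt.Errorf("IPL block must be 0x%X bytes, got 0x%X", blockSize, len(block))
	}
	var t Trailer
	copy(t.Hash[:], block[trailerOff:trailerOff+trailerLen])
	if binary.LittleEndian.Uint32(block[ecdsaFlagOff:])&0x80000000 != 0 {
		t.ECDSA = true
		t.Sig = append([]byte(nil), block[ecdsaSigOff:ecdsaSigOff+ecdsaSigLen]...)
	}
	return t, nil
}

// modelKey stands in for the KIRK 7 seed 0x6C key, which is not public and not
// on the page. CONSTRUCTED 16-byte value; only the trailer structure is modelled.
var modelKey = []byte("constructed-key!")

// aesCBC encrypts or decrypts exactly 0x20 bytes with AES-128-CBC and a zero IV.
// ASSUMPTION: the mode; the post only says KIRK 7 decryption over 0x10-byte blocks.
func aesCBC(in []byte, encrypt bool) ([]byte, error) {
	if len(in) != trailerLen {
		return nil, errors.New("trailer must be exactly 0x20 bytes")
	}
	blk, err := aes.NewCipher(modelKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, trailerLen)
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// BuildTrailer models the hypothesis in the post: SHA-1 of the decrypted body
// (0x14 bytes) padded with 0xC meaningless bytes to 0x20, then encrypted. The
// real TA-88v3 value is not plain SHA-1, so this is a structural model only.
func BuildTrailer(decryptedBody, pad []byte) ([]byte, error) {
	if len(pad) != padLen {
		return nil, fmt.Errorf("pad must be 0x%X bytes", padLen)
	}
	sum := sha1.Sum(decryptedBody)
	return aesCBC(append(sum[:], pad...), true)
}

// VerifyTrailer models the checking side: decrypt, compare only the first 0x14
// bytes, ignore the rest. This is why the second 0x10 bytes look random yet
// cannot be replaced by arbitrary bytes: 4 bytes of digest live there.
func VerifyTrailer(decryptedBody, trailer []byte) (bool, error) {
	plain, err := aesCBC(trailer, false)
	if err != nil {
		return false, err
	}
	sum := sha1.Sum(decryptedBody)
	return bytes.Equal(plain[:sha1.Size], sum[:]), nil
}

// Demo reproduces the 4.01/4.05 observation with constructed data: two blocks
// with the same decrypted body but different padding.
func Demo() (sameBlock1, swappedOK, arbitraryOK bool, err error) {
	body := bytes.Repeat([]byte{0x27, 0xBD, 0xFF, 0xF0}, bodyLen/4) // constructed "decrypted IPL code"
	t401, err := BuildTrailer(body, bytes.Repeat([]byte{0x01}, padLen)) // constructed padding
	if err != nil {
		return
	}
	t405, err := BuildTrailer(body, bytes.Repeat([]byte{0x05}, padLen))
	if err != nil {
		return
	}
	sameBlock1 = bytes.Equal(t401[:0x10], t405[:0x10])
	swapped := append(append([]byte(nil), t401[:0x10]...), t405[0x10:]...)
	if swappedOK, err = VerifyTrailer(body, swapped); err != nil {
		return
	}
	arbitrary := append(append([]byte(nil), t401[:0x10]...), bytes.Repeat([]byte{0xAA}, 0x10)...)
	arbitraryOK, err = VerifyTrailer(body, arbitrary)
	return
}

func main() {
	a, b, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("block 1 identical: %v, swapped block 2 verifies: %v, arbitrary block 2 verifies: %v\n", a, b, c)
}
```

With CBC the first ciphertext block depends only on the first 0x10 digest bytes, so two firmwares with the same decrypted block share it, while the second ciphertext block mixes the remaining 4 digest bytes with the padding and with the first ciphertext block; swapping it between the two blocks keeps the digest bytes intact, overwriting it with anything else does not. That is exactly the behaviour Dark_AleX reported.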

That's a brief description. Ask stuff in the comments, I'll reply.

-Davee

47 Comments

  1. So do you think we'll break TA-88v3+ IPL security one day?

  46. Hi Sir Davee. Just want to ask if you are still looking for a TA-088v3 PSP to test the new IPL that you have? I have one. I can test it for you. Hope to hear from you soon.
