Firmware 2.0 - new modules

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am
Contact:

Firmware 2.0 - new modules

Post by PspPet »

7 new core PRX modules, 10 new VSH modules.
Not as much as I hoped, but some things look promising for reuse.
[still no USB Hosting ;-< ]

Files added (from 1.52 to 2.00):

> flash0:/data/cert/Equifax_S_CA.cer
> flash0:/data/cert/Equifax_S_eBiz_CA-1.cer
> flash0:/data/cert/GeoTrust_G_CA.cer
> flash0:/font/shadow.pgf
> flash0:/kd/cert_loader.prx
> flash0:/kd/http_storage.prx
> flash0:/kd/libdnas.prx
> flash0:/kd/libdnas_core.prx
> flash0:/kd/libssl.prx
> flash0:/kd/mcctrl.prx
> flash0:/kd/pspnet_adhoc_transfer_int.prx
> flash0:/kd/resource
> flash0:/kd/resource/big5_table.dat
> flash0:/kd/resource/cp949_table.dat
> flash0:/kd/resource/gbk_table.dat
> flash0:/vsh/etc/cp1251ucs.bin
> flash0:/vsh/etc/cp1252ucs.bin
> flash0:/vsh/etc/ucs2uhc.bin
> flash0:/vsh/etc/uhc2ucs.bin
> flash0:/vsh/module
> flash0:/vsh/module/dnas_plugin.prx
> flash0:/vsh/module/htmlviewer_plugin.prx
> flash0:/vsh/module/htmlviewer_ui.prx
> flash0:/vsh/module/htmlviewer_utility.prx
> flash0:/vsh/module/libfont_hv.prx
> flash0:/vsh/module/libslim.prx
> flash0:/vsh/module/libwww.prx
> flash0:/vsh/module/netconf_plugin_auto_bfl.prx
> flash0:/vsh/module/netconf_plugin_auto_nec.prx
> flash0:/vsh/module/netfront.prx
> flash0:/vsh/resource/dnas_plugin.rco
> flash0:/vsh/resource/htmlviewer.fbm
> flash0:/vsh/resource/htmlviewer.gim
> flash0:/vsh/resource/htmlviewer.msg
> flash0:/vsh/resource/htmlviewer.res
> flash0:/vsh/resource/htmlviewer.snd
> flash0:/vsh/resource/htmlviewer_plugin.rco
> flash0:/vsh/resource/netfront.rc
> flash0:/vsh/resource/netfront.skn
> flash0:/vsh/resource/netfront.uhc
> flash1:/net/http
> ipl:/psp_ipl.bin
- a few uninteresting files removed
Significant changes in size of some core modules: (requires more analysis)

+ flash0:/kd/fatmsmod.prx - 34K bigger
+ flash0:/kd/ge.prx - >5K bigger
+ flash0:/kd/libhttp.prx - 17K bigger
+ flash0:/kd/loadexec.prx - 3K bigger
+ flash0:/kd/mebooter_umdvideo.prx - >60K bigger
+ flash0:/kd/msaudio.prx - >8K bigger
+ flash0:/kd/pspnet_apctl.prx - 17K bigger
+ flash0:/kd/utility.prx - 8K bigger
++   and various vsh components for new UI features
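As an added illustration (not a tool from this thread), a Python script that produces the kind of added/removed/resized report shown above from two flat listings of a dumped flash0 tree; the listings and byte sizes below are constructed samples that reuse paths from the thread.

```python
"""Firmware image inventory diff (added example, not a tool from the thread).

Given two flat listings of a dumped flash0 tree (path followed by size in
bytes), report files added, files removed and modules whose size changed,
the way the post above compares 1.52 to 2.00. The sample listings are
constructed; the sizes are illustrative, not measured values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FwDiff:
    added: list[str]
    removed: list[str]
    resized: list[tuple[str, int]]  # (path, new_size - old_size)


def parse_listing(text: str) -> dict[str, int]:
    """Parse 'path size' lines; blank lines and '#' comments are skipped."""
    files: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, size = line.rsplit(None, 1)
        files[path] = int(size)
    return files


def diff_firmware(old: dict[str, int], new: dict[str, int],
                  min_delta: int = 1024) -> FwDiff:
    """Compare two listings; size changes under min_delta bytes are ignored."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    resized = sorted(
        (p, new[p] - old[p])
        for p in set(old) & set(new)
        if abs(new[p] - old[p]) >= min_delta
    )
    return FwDiff(added, removed, resized)


def format_report(d: FwDiff) -> str:
    """Render the diff in the '>' / '-' / '+' style used in the post."""
    lines = [f"> {p}" for p in d.added]
    lines += [f"- {p}" for p in d.removed]
    lines += [f"+ {p} - {abs(delta) // 1024}K {'bigger' if delta > 0 else 'smaller'}"
              for p, delta in d.resized]
    return "\n".join(lines)


# Constructed sample listings (paths from the thread, sizes made up).
OLD_152 = """
flash0:/kd/loadexec.prx 8192
flash0:/kd/ge.prx 40960
flash0:/kd/obsolete.prx 2048
"""
NEW_200 = """
flash0:/kd/loadexec.prx 64512
flash0:/kd/ge.prx 46080
flash0:/kd/libssl.prx 51200
flash0:/kd/cert_loader.prx 12288
"""

if __name__ == "__main__":
    print(format_report(diff_firmware(parse_listing(OLD_152), parse_listing(NEW_200))))
```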
gandalf the grey
Posts: 34
Joined: Tue Apr 12, 2005 12:50 am

Post by gandalf the grey »

Do you think it will be possible to flash over just the browser, background, theme functions?
Fly you fools...
xecuterbox
Posts: 10
Joined: Tue Mar 29, 2005 9:02 am
Contact:

Post by xecuterbox »

Are the prx files encrypted in a way we don't know yet? I'm not a hardcore coder, but I'm just wondering if dev peeps might be able to use the prx's to make better homebrew, i.e. web browsers ;)
owner and administrator of The PSP Place

www.pspplace.com
Matrixdub
Posts: 60
Joined: Fri May 13, 2005 3:47 am

Post by Matrixdub »

Can you tell me how you were able to dump the flash on a 2.0 machine? Or was it a PBP analyser?
EdwardFMA
Posts: 40
Joined: Wed Jul 06, 2005 11:47 am

Post by EdwardFMA »

Has anyone tried comparing flash0:/kd/loadexec.prx with 1.5's flash0:/kd/loadexec.prx? I think if we replace all the files but that one we should still be able to load homebrew and have the web browser ;) Just a guess, might work *shrugs*
EdwardFMA/IchigoKurosaki - PSP Expert
Athlon 64 - Socket 939 - 3000+
1GB 333 DDR-Ram
Geforce 6600 GT PCI-Express

Orbis PSP Development
Open-Source Development
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am
Contact:

Post by PspPet »

General comment:
My first goal is to learn how the new parts of the system work. After that it *may* be possible to reuse some of the newer modules, loaded from memory stick, in a homebrew app that will only run on a Homebrew capable PSP (1.0 or 1.50 firmware).
LEGAL NOTE: This is copyright friendly since you do all the work (ie. *you* have to download the firmware from the Sony site, and do the ripping on your machine -- don't post the binary bits, they are Sony copyrighted material)
As we learn more, downgrading or other reflashing tricks may be possible, but not yet.
---
> Do you think it will be possible to flash over just the browser, background, theme functions?
Probably not. In general reflashing is too dangerous. Similar to other "downgrading" attempts.
Also some of the higher level components 2.00 (like the web browser) may require updated (2.00) versions of the system components. A hybrid may be possible (loaded from memory stick).

> Are the prx files encrypted in a way we don't know yet
Looks to be the standard way (PRX=encrypted ELF). The core boot/reboot loader needs them to be in encrypted form, otherwise this would be a lot easier.

> Can you tell me how you were able to dump the flash on a 2.0 machine?
Nope. No 2.00 exploit to run homebrew code.
> Or was it a PBP analyser?
Yes, dumping the EBOOT.PBP from the updater (aka PSAR dumping) -- see this thread for more info: http://forums.ps2dev.org/viewtopic.php?t=931&start=30

> Has anyone tried comparing flash0:/kd/loadexec.prx with 1.5's flash0:/kd/loadexec.prx? I think if we replace all the files but that one we should still be able to load homebrew and have the web browser ;) Just a guess, might work *shrugs*
Still working on a more detailed analysis, but looking at the size of the PRXs I am doubtful (Version 1.0 is 8KB, Version 2.0 is 63KB !!, compressed PRX size)
I doubt a single file replacement will work for other reasons, and reflashing is too dangerous for random configuration testing.

BTW: This has been suggested before (cut and paste PSAR contents, for downgrading attempts), with few gutsy enough to try the reflashing part.
Originally it was tried with the 1.00 bogus update and the 1.50 contents. This technically can't work because of the way the data is keyed. Fortunately all the current releases (1.50, 1.52, 2.00) use the same encryption key so cut-and-paste tricks *may* be possible. Exploit research is no longer discussed on this BBS, so I'll leave it at that ;->
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

The huge difference in loadexec must mean something, and I am not talking exploit trash either. Is this responsible for understanding how files are accessed beyond just PSP executable files (multimedia files keyed here to find out how to handle them, perhaps)? If it is strictly tied to executable files, then the huge increase makes no sense, even with the security patches. It is almost as if they are working in support for something that isn't public yet.
Agoln
Posts: 326
Joined: Wed Jun 08, 2005 3:14 am
Location: Fort Wayne, IN

Post by Agoln »

Krevnik wrote: It is almost as if they are working in support for something that isn't public yet.
If they were still working on something, then why would it be released? I would imagine that if something was being developed, then they wouldn't release it until it was finished.
Lego of my Ago!
DigitalFoundry
Posts: 47
Joined: Thu Jan 20, 2005 4:35 am

Post by DigitalFoundry »

Krevnik wrote: The huge difference in loadexec must mean something, and I am not talking exploit trash either. Is this responsible for understanding how files are accessed beyond just PSP executable files (multimedia files keyed here to find out how to handle them, perhaps)? If it is strictly tied to executable files, then the huge increase makes no sense, even with the security patches. It is almost as if they are working in support for something that isn't public yet.
Perhaps the whole system of booting a game has been completely redesigned for forthcoming software - the new PRX supports the new system while at the same time providing legacy support for existing software? Just a thought...
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

I think DigitalFoundry might be onto something, but a difference of *8 times* is far too big for just that. I guess we will find out if someone gets a little curious and takes a peek. (As I am still completely stuck out of the homebrew scene to try it myself, for a couple of reasons now.) That sort of size difference would practically have to be related to some new format support.
Agoln wrote: If they were still working on something, then why would it be released? I would imagine that if something was being developed, then they wouldn't release it until it was finished.
I said "isn't public yet", I didn't say "not finished". For example, if you poke around MacOS X, you will find all sorts of actual features that exist but haven't been enabled yet (such as a resolution independent display feature). Those features are /done/, but the support around them to make them worthwhile isn't. Doesn't mean you actually go out of your way to remove all that code from the shipping product.
DigitalFoundry
Posts: 47
Joined: Thu Jan 20, 2005 4:35 am

Post by DigitalFoundry »

In Sony's eyes, the fact we can run any kind of executable code on 1.0/1.5 PSPs is a bad thing. A very bad thing. The fact that it is possible to read off UMD is another bad thing, whether or not the resultant dumps can be run or not.

Surely the only way to prevent both would be to change the layout of the UMD - the file system itself - in addition to toughening up the validation of encrypted executables. Perhaps the goal is to make all future games incompatible on every level with 1.0/1.5 firmware PSPs.

In this sense, the homebrew and piracy sections of the PSP market would be isolated and contained, and Sony could even make a few extra shekels by getting people who insist on keeping their 1.5 PSPs to buy secondary machines for games playing.

Perhaps that might explain the larger module.
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

DigitalFoundry wrote: Surely the only way to prevent both would be to change the layout of the UMD - the file system itself - in addition to toughening up the validation of encrypted executables. Perhaps the goal is to make all future games incompatible on every level with 1.0/1.5 firmware PSPs.
Well, UMDs use ISO 9660 and I doubt that they will change it or what the UMDs use, as UMD is now an official ECMA spec.
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am
Contact:

Post by PspPet »

RETRACTION:
>> Are the prx files encrypted in a way we don't know yet?
> Looks to be the standard way (PRX=encrypted ELF). ...

Oops, spoke too soon.
Sony *did* change the ~PSP file format, including new keying options. The existing "prxdecrypter" technology does not work for the PSP 2.0 binaries !-<

Bummer, that makes reusing those libraries on Homebrew compatible PSPs much more difficult.
----
Will post a PSAR dumper soon if someone wants to look at it. The dumper decrypts the PSAR and saves the files that would be written to "flash0:". Will double decrypt the PRXs for disassembly/analysis where it can (not for 2.00).
=======
How this gets re-bootstrapped to handle the new format .PRX files is interesting. If you look in the 2.00 update file list, there is an update to the "IPL" (file is encrypted in some unique way, <256KB in size)
> ipl:/psp_ipl.bin
Very interesting...
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

Warren wrote:
DigitalFoundry wrote: Surely the only way to prevent both would be to change the layout of the UMD - the file system itself - in addition to toughening up the validation of encrypted executables. Perhaps the goal is to make all future games incompatible on every level with 1.0/1.5 firmware PSPs.
Well, UMDs use ISO 9660 and I doubt that they will change it or what the UMDs use, as UMD is now an official ECMA spec.
Actually, not layout as in the file system itself... but the UMD layout, which would make work-arounds harder, but not impossible.

But some other major changes to how booting works (with backwards compat) would definitely make sense, and fit into the "not public yet" category. :)
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

I just realized something... Sony is definitely tightening up the PSP a bit from what I am seeing so far, and has created another catch-22 in the process for homebrewers:

2.0 uses an updated encryption mechanism to break the methods currently in use for reverse engineering. This new mechanism exists within the 2.0 update, meaning some modules that are encrypted cannot be decrypted without 2.0 running the software. Ooops.

I am starting to think that there isn't much to see with 2.0 and homebrew for awhile until other issues get tackled, or some people start really doing some interesting Javascript work again.
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

Krevnik wrote: 2.0 uses an updated encryption mechanism to break the methods currently in use for reverse engineering. This new mechanism exists within the 2.0 update, meaning some modules that are encrypted cannot be decrypted without 2.0 running the software. Ooops.
The modules that the updater program uses are encrypted with the v1.x keys and the modules inside of the PSAR file are encrypted with the v2.0 keys. I fail to see a catch 22 here.
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am
Contact:

Post by PspPet »

> Sony is definitely tightening up the PSP a bit from what I am seeing so far,...
You bet. They are paid to make homebrew impossible.
They are responsive/reactive as well. They check the public BBSs and tighten up the holes that homebrew hackers find. Even the PSAR format was scrambled to make it harder to understand. I suspect future updates will make it even harder.

Consider this: since the PSP original release (~8 months), there have been 4 firmware updates, all of which have tightened the holes.
[compare that to the NDS or XBOX or PS2 or most other consoles - many of which are running original release firmware]

---
> The modules that the updater program uses are encrypted with the v1.x keys and the modules inside of the PSAR file are encrypted with the v2.0 keys. I fail to see a catch 22 here.
The problem is that DOUBLE encryption.

The V2.00 update program itself is single encrypted (can be decoded using prxdecrypter on a 1.0/1.50 device, otherwise it wouldn't run)
Some of the V2.00 update data is single encrypted (the bitmaps, .rco files etc)

The more interesting parts are the V2.00 .prx files and they are DOUBLE encrypted. "PSAR Dumper" (the upcoming tool that runs on a Homebrew capable PSP) will extract and decrypt one half of the double encryption.
Those .prx files aren't usable on a Homebrew capable machine because it doesn't understand the 2.00 PRX format.
They are potentially useful on a 2.00 machine, which can't do Homebrew ("catch 22")

My guess/theory is that the IPL update changes a 1.x machine to a 2.x compatible machine. Part of this process will close off the known "homebrew" exploits (1.00 and 1.50), forcing an upgrade to all 2.0 encrypted prx files.
[recap: the Sony engineers are paid to make homebrew impossible]
EdwardFMA
Posts: 40
Joined: Wed Jul 06, 2005 11:47 am

Post by EdwardFMA »

OK, because my curiosity really got to me I upgraded to Version 2, and so far the only thing I've been able to get is how to make it so that your homebrew won't be seen as Corrupted Data, and that's by changing the offset 0x0000004C in PARAM.SFO to "x" or hex "78". BTW I love the browser, haven't tried out anything else yet.
EdwardFMA/IchigoKurosaki - PSP Expert
Athlon 64 - Socket 939 - 3000+
1GB 333 DDR-Ram
Geforce 6600 GT PCI-Express

Orbis PSP Development
Open-Source Development
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

PspPet wrote: The problem is that DOUBLE encryption.
That isn't "double" encryption. All PRXes in the kernel have always been encrypted. The PSAR is encrypted so that people can't modify the data that is being flashed into the PSP's FW.
PspPet wrote: The V2.00 update program itself is single encrypted (can be decoded using prxdecrypter on a 1.0/1.50 device, otherwise it wouldn't run)
Yes, as with most of the PRXes that are present on the PSP, the updater program is encrypted. It is the same encryption that all PRXes use on v1.x consoles.
PspPet wrote: Some of the V2.00 update data is single encrypted (the bitmaps, .rco files etc)
They are not "single encrypted" they are just inside the firmware PSAR container.
PspPet wrote: Those .prx files aren't usable on a Homebrew capable machine because it doesn't understand the 2.00 PRX format.
The format is the same, only the key to decrypt it has changed. This was an expected move by Sony and I would have done the exact same thing if I was in their shoes.
PspPet wrote: My guess/theory is that the IPL update changes a 1.x machine to a 2.x compatible machine. Part of this process will close off the known "homebrew" exploits (1.00 and 1.50), forcing an upgrade to all 2.0 encrypted prx files.
For those of you that aren't familiar with an IPL, it is the Initial Program Loader that is jumped to by the CPU on power-on to configure and boot the system. On the PSP I would suspect it holds the decryption keys and loads/starts the initial drivers and VSH.
PspPet wrote: [recap: the Sony engineers are paid to make homebrew impossible]
Yes and they've been doing a progressively better job since they botched the v1.0 implementation of what is a fairly well designed security system. It's just too bad that its designers don't seem to have stayed around for the implementation (good for us though).
PspPet
Posts: 210
Joined: Wed Mar 30, 2005 2:13 am
Contact:

Post by PspPet »

re: double encrypted terminology

The PRX files are encrypted ELF files, stored as .prx files in flash0 ROM.
For the flash update those pre-encrypted files are stored inside the "PSAR container". The PSAR data is itself encrypted (using a different process)

I call that "double encrypted" -- they are encrypted TWICE using two *different* encryption keys. You may or may not like the term.
You need *both* decryption keys to view them as plain ELF files (to disassemble, find NIDs etc)
For the 1.51/1.52 updates, we have both -- no problem. PSAR dumper will do both steps for you (ie. double-decrypt where necessary giving plain ELF files)
For the 2.00 update, we only have one -- problem.
Warren
Posts: 175
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

mrbrown wrote: Do they still ship msgdialog_plugin.prx unencrypted?
Nope.
Souls85
Posts: 21
Joined: Sat Jul 30, 2005 8:30 am
Contact:

Post by Souls85 »

Pardon my n00bness, but couldn't you extract the PSP encryption key from a UMD game? Somehow?
Agoln
Posts: 326
Joined: Wed Jun 08, 2005 3:14 am
Location: Fort Wayne, IN

Post by Agoln »

Souls85 wrote: Pardon my n00bness, but couldn't you extract the PSP encryption key from a UMD game? Somehow?
Short answer... no, you cannot.

Long answer, search around in the forums, probably in the archives. It's been discussed very much.
Lego of my Ago!
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

Warren wrote:
Krevnik wrote: 2.0 uses an updated encryption mechanism to break the methods currently in use for reverse engineering. This new mechanism exists within the 2.0 update, meaning some modules that are encrypted cannot be decrypted without 2.0 running the software. Ooops.
The modules that the updater program uses are encrypted with the v1.x keys and the modules inside of the PSAR file are encrypted with the v2.0 keys. I fail to see a catch 22 here.
The catch 22 exists when you attempt to reverse engineer the 2.0 modules on a 1.x device. You can't decrypt them without 2.0, but you want to decrypt the 2.0 modules to find out what they are doing, but can only run the software to get the dump on a 1.0/1.5 device.

That is the catch 22.
shifty
Posts: 32
Joined: Thu Jun 16, 2005 8:59 am
Location: MIT
Contact:

japanese 2.0 to american 2.0

Post by shifty »

Hi,

We know 2.0 Japan can upgrade to 2.0 American, thanks to Sony's announcement (as forwarded by pspupdates), but what if someone in Japan upgrades to 2.0 American... can they get 2.0 Japan back? It might be nice if we could flip back and forth repeatedly to observe things...
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Thread has veered way off-topic. Locked.