Hacking PRO Custom IPL flash.

Rydian (OP)
Can anybody tell me about it? Like, xist-level know-how?
What it affects, how it works, what models it works on, what sort of recovery options are available in case of failure across the varying models because of that, blah blah blah.
 

ars25
Rydian said:
Can anybody tell me about it? Like, xist-level know-how?
What it affects, how it works, what models it works on, what sort of recovery options are available in case of failure across the varying models because of that, blah blah blah.
OK, so the PRO custom IPL flash is an IPL flash developed by neur0n, whatever his name is, for PRO firmware 6.39. It's kind of like the perma patch for 6.20, but only for the fully hackable models: 1000s, early 2000s and the first-gen 3000s (the 3g models). What it affects is nothing other than tampering with the IPL so the LCFW can stay permanent at cold boot. There is the normal Pandora battery; sadly that's all I know recovery-wise. xist might add more, as he is more into the PSP scene.
 

xist
Remember how the security for the hash checks changed on the newer motherboards and there was never any way to hijack that process to insert new code (meaning no Pandora/Jigkick recovery for those consoles, or permanent firmware)?

The old consoles utilise a modified IPL when they use a permanent custom firmware (excluding the recent perms that work on everything). In essence Dark Alex worked out how to hijack the PSP from the get go because he was able to modify that initial loading sequence (thanks to timing attacks used to dump the Pre-IPL etc...) There's a big lecture by Tyranid out there on the PSP's security if you're interested.

Therefore the CIPL for the new firmwares is effectively just a new set of boot instructions, which can be used since the security during the boot process on older mobos has been cracked.

The newer motherboards have the new layer of security and thus a Custom IPL flash would possibly work, but then when you tried to turn the PSP on it wouldn't know what to do as the hash checks would fail and you'd get a brick. Therefore the way the perm firmwares work on these secure consoles is different.

The new permanent firmwares work via a combination of two exploits:

A power.prx exploit in the PowerLock syscall functions, allowing PRO to trigger a kernel thread call into user memory, and a type 2 PRX signature check bug that allows the fake-signing of a vshmain.prx file to replace the original XMB module on flash.

This fake-signed vshmain.prx file runs in usermode. The PRO team therefore coded a wrapper module which loads the real XMB module (which is renamed on flash0) and then triggers the PowerLock syscall exploit to get kernel permission...

After kernel permission is granted PRO simply patches all the kernel modules necessary to unlock the firmware to give it the custom permissions.

The info above, starting from "The new permanent firmwares...." is 100% accurate. And by 100% I really mean 100%. My technical knowledge isn't that good, but the person who explained that to me knows the process in detail.....

That ok?
 
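To make the boot-chain argument in the post above concrete, here is an added toy model in C. It is not PSP code and not the PRO team's code: a fixed pre-IPL stage that, on the newer board, only runs an IPL whose digest matches a value built into the pre-IPL, while on the older board the check is modeled as absent. It goes slightly beyond the CIPL question by also modeling the route the post describes for new boards (stock IPL left alone, vshmain.prx replaced after the checked stage). The board names, the 16-byte placeholder IPL images, the FNV-1a digest standing in for the real check, and the assumption that only the IPL region is covered by that check are all illustrative assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two board generations as the thread describes them: on the "old" one a
 * modified IPL can be made to run; on the "new" one the pre-IPL, which
 * cannot be changed, hash-checks the IPL and nothing else will boot. */
enum board { BOARD_OLD, BOARD_NEW };

enum outcome {
    BOOT_OFW,        /* stock IPL, stock XMB */
    BOOT_CFW_IPL,    /* custom IPL took over at cold boot (old boards only) */
    BOOT_CFW_VSH,    /* stock IPL; fake-signed vshmain.prx takes over later */
    BOOT_BRICK       /* pre-IPL rejected the IPL: nothing runs */
};

/* What sits on flash: the IPL block plus whether vshmain.prx was swapped.
 * The 16-byte images are constructed placeholders, not real PSP data. */
struct flash {
    uint8_t ipl[16];
    bool    vsh_replaced;
};

static const uint8_t STOCK_IPL[16]  = "STOCK-IPL-BLOCK";
static const uint8_t CUSTOM_IPL[16] = "CUSTM-IPL-BLOCK";

/* FNV-1a 64-bit stands in for the pre-IPL's real integrity check (assumption). */
static uint64_t digest(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Pre-IPL stage: may the IPL found in flash run at all? */
static bool pre_ipl_accepts(enum board b, const uint8_t ipl[16])
{
    if (b == BOARD_OLD)
        return true;   /* bypassable on old boards; modeled as no check */
    return digest(ipl, 16) == digest(STOCK_IPL, 16);
}

/* Whole chain: pre-IPL -> IPL -> kernel/XMB. In this model only the IPL
 * region is covered by the pre-IPL check; later modules are not. */
enum outcome boot(enum board b, const struct flash *f)
{
    if (!pre_ipl_accepts(b, f->ipl))
        return BOOT_BRICK;
    if (memcmp(f->ipl, STOCK_IPL, 16) != 0)
        return BOOT_CFW_IPL;   /* IPL itself is custom: permanent from cold boot */
    if (f->vsh_replaced)
        return BOOT_CFW_VSH;   /* IPL untouched; takeover at vshmain.prx load */
    return BOOT_OFW;
}

/* Build a flash layout for one scenario and boot it. */
enum outcome boot_case(enum board b, bool custom_ipl, bool vsh_replaced)
{
    struct flash f;
    memcpy(f.ipl, custom_ipl ? CUSTOM_IPL : STOCK_IPL, 16);
    f.vsh_replaced = vsh_replaced;
    return boot(b, &f);
}

int main(void)
{
    static const char *names[] = { "OFW", "CFW via custom IPL",
                                   "CFW via vshmain.prx", "BRICK" };
    printf("old board, CIPL flash : %s\n", names[boot_case(BOARD_OLD, true,  false)]);
    printf("new board, CIPL flash : %s\n", names[boot_case(BOARD_NEW, true,  false)]);
    printf("new board, vsh swap   : %s\n", names[boot_case(BOARD_NEW, false, true)]);
    printf("new board, stock      : %s\n", names[boot_case(BOARD_NEW, false, false)]);
    return 0;
}
```

The four cases map onto the thread: a CIPL flash boots into CFW on the old board, bricks the new board because the fixed pre-IPL rejects any IPL whose digest differs, and the new board still boots when the IPL is left stock and the takeover happens at a stage the pre-IPL does not cover.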

Rydian (OP)
The vshmain replacement's been explained elsewhere, I was just curious about the CIPL flash (now that I know it stands for Custom IPL it makes sense) since people seemed all excited about it, I thought it might be something useful to keep track of and allow an automatic boot into OFW on later models...
 

SifJar
Basically it's just like the custom IPLs used in SE, OE, M33 etc. CFWs back in the days of Dark-Alex. Only for 6.XX firmwares. It has no relevance for newer models seeing as the new protection is in the pre-IPL, which can't be changed, so Custom IPLs will always be possible for old models, and may never be for newer models.
 
