PRO Custom IPL flash.

Discussion in 'PSP - Hacking & Homebrew' started by Rydian, Aug 25, 2011.

  1. Rydian (OP)
    Can anybody tell me about it? Like, xist-level know-how?

    What it affects, how it works, what models it works on, what sort of recovery options are available in case of failure across the varying models because of that, blah blah blah.
     
  2. ars25
    OK, so the PRO Custom IPL flash is an IPL flash developed by nerun (whatever his name is) for PRO firmware 6.39. It's kind of like the Perma-Patch for 6.20, but only for the fully hackable models: 1000s, early 2000s, and the first-gen 3000s (the 3g models). What it affects is nothing other than tampering with the IPL so the LCFW could stay permanent at cold boot. For recovery there is the normal Pandora battery; sadly that's all I know recovery-wise. xist might add more, as he is more into the PSP scene.
     
  3. Rydian (OP)
    Oh, so it's just another method for permanent on older models, but on later firmwares?
     
  4. ars25
    Yes, currently 6.20, 6.39 and 6.60 are perm: 6.20 for 1g-5g, and 6.39 and 6.60 are perm for the fully hackable models.
     
  5. xist
    Remember how the security for the hash checks changed on the newer motherboards, and there was never any way to hijack that process to insert new code (meaning no Pandora/Jigkick recovery for those consoles, or permanent firmware).

    The old consoles utilise a modified IPL when they use a permanent custom firmware (excluding the recent perms that work on everything). In essence, Dark Alex worked out how to hijack the PSP from the get-go because he was able to modify that initial loading sequence (thanks to timing attacks used to dump the Pre-IPL, etc.). There's a big lecture by Tyranid out there on the PSP's security if you're interested.

    Therefore the CIPLs for the new firmwares are effectively just a new set of boot instructions, which can be used since the security during the boot process on older mobos has been cracked.

    The newer motherboards have the new layer of security, and thus a Custom IPL flash would possibly work, but then when you tried to turn the PSP on it wouldn't know what to do, as the hash checks would fail and you'd get a brick. Therefore the way the perm firmwares work on these secure consoles is different.

    The new permanent firmwares work via a combination of two exploits:

    A power.prx exploit in the PowerLock syscall functions, allowing PRO to trigger a kernel thread call into user memory, and a type 2 PRX signature check bug that allows the fake-signing of a vshmain.prx file to replace the original XMB module on flash.

    This fake-signed vshmain.prx file runs in usermode. The PRO team therefore coded a wrapper module which loads the real XMB module (which is renamed on flash0) and then triggers the PowerLock syscall exploit to get kernel permission...

    After kernel permission is granted PRO simply patches all the kernel modules necessary to unlock the firmware to give it the custom permissions.

    The info above, starting from "The new permanent firmwares...", is 100% accurate. And by 100% I really mean 100%. My technical knowledge isn't that good, but the person who explained that to me knows the process in detail.

    That ok?
     
  6. Rydian (OP)
    The vshmain replacement's been explained elsewhere, I was just curious about the CIPL flash (now that I know it stands for Custom IPL it makes sense) since people seemed all excited about it, I thought it might be something useful to keep track of and allow an automatic boot into OFW on later models...
     
  7. SifJar
    Basically it's just like the custom IPLs used in SE, OE, M33 etc. CFWs back in the days of Dark-Alex. Only for 6.XX firmwares. It has no relevance for newer models seeing as the new protection is in the pre-IPL, which can't be changed, so Custom IPLs will always be possible for old models, and may never be for newer models.
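The point xist and SifJar make above (an immutable first stage that does or does not pin the IPL it loads) as an added illustration. This is not Sony's, Dark Alex's or the PRO team's code and says nothing about the real hardware beyond what the thread states: `board_t`, `preipl_t`, the FNV-1a stand-in digest and the sample IPL byte strings are all assumptions made here, and treating the legacy path as an unchecked load is a simplification of "the security during the boot process on older mobos has been cracked".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Sony's or the PRO team's code: a two-stage boot
 * chain where an immutable first stage (the "pre-IPL" in the thread) loads a
 * flash-resident second stage (the "IPL"). The newer boards' first stage pins
 * the IPL with a hash check; the older boards' first stage does not hold
 * against a custom IPL, so it is modelled here as an unchecked load.
 * FNV-1a 64 is a stand-in digest chosen for brevity, not the real one. */

typedef enum { BOARD_LEGACY, BOARD_SECURE } board_t;      /* hypothetical */
typedef enum { BOOT_OK, BOOT_REJECTED } boot_result_t;

typedef struct {
    board_t  board;
    uint64_t pinned_ipl_digest;  /* fixed in the immutable stage at manufacture */
} preipl_t;

static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Provision the immutable stage for a board, pinning the stock IPL's digest. */
preipl_t make_preipl(board_t board, const uint8_t *stock_ipl, size_t len)
{
    preipl_t rom;
    rom.board = board;
    rom.pinned_ipl_digest = fnv1a64(stock_ipl, len);
    return rom;
}

/* First-stage loader: decide whether the IPL image found in flash executes. */
boot_result_t preipl_boot(const preipl_t *rom, const uint8_t *ipl, size_t len)
{
    if (rom->board == BOARD_LEGACY)
        return BOOT_OK;  /* no effective check: a custom IPL runs at cold boot */

    /* Secure revision: any change to the IPL fails the digest comparison and
     * the console never gets past the first stage (the "brick" in the thread). */
    return fnv1a64(ipl, len) == rom->pinned_ipl_digest ? BOOT_OK : BOOT_REJECTED;
}

/* Constructed sample images; the bytes merely stand in for real IPL blobs. */
static const uint8_t STOCK_IPL[]  = "stock IPL: verify and load the kernel";
static const uint8_t CUSTOM_IPL[] = "custom IPL: patch the kernel, then load it";

int stock_ipl_boots(board_t board)
{
    preipl_t rom = make_preipl(board, STOCK_IPL, sizeof STOCK_IPL);
    return preipl_boot(&rom, STOCK_IPL, sizeof STOCK_IPL) == BOOT_OK;
}

int custom_ipl_boots(board_t board)
{
    preipl_t rom = make_preipl(board, STOCK_IPL, sizeof STOCK_IPL);
    return preipl_boot(&rom, CUSTOM_IPL, sizeof CUSTOM_IPL) == BOOT_OK;
}

/* The stock image with a single byte changed (think: one patched branch). */
int tampered_stock_ipl_boots(board_t board)
{
    uint8_t img[sizeof STOCK_IPL];
    memcpy(img, STOCK_IPL, sizeof STOCK_IPL);
    img[6] ^= 0x01;
    preipl_t rom = make_preipl(board, STOCK_IPL, sizeof STOCK_IPL);
    return preipl_boot(&rom, img, sizeof img) == BOOT_OK;
}

int main(void)
{
    const char *names[] = { "legacy", "secure" };
    for (int b = BOARD_LEGACY; b <= BOARD_SECURE; b++) {
        printf("%s board: stock %s, custom %s, tampered stock %s\n", names[b],
               stock_ipl_boots(b)          ? "boots" : "rejected",
               custom_ipl_boots(b)         ? "boots" : "rejected",
               tampered_stock_ipl_boots(b) ? "boots" : "rejected");
    }
    return 0;
}
```

The design point is where the check lives: because the secure board's comparison runs in the stage that cannot be reflashed, there is no flash-resident image a user can write that changes the outcome, which is why a CIPL flash has nothing to offer those models and why a flashed modification there is a failed boot rather than a foothold.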
     
