Some PSP arent fully hackeable, but...

Discussion in 'PSP - Games & Content' started by The Composer, Dec 20, 2010.

  1. The Composer

    The Composer GBAtemp Regular

    Sep 13, 2009
    Cote d'Ivoire
    We all know that PSP 1000 models are fully hackeable, while 3000 models arent.

    My question is about the unhacked models. Why arent some 2000 and higher models moddable?

    Because its already proven impossible, or is it because no one knows how to do it yet?

    Im asking this because I remember the PS3 wasnt hacked for a while now, but no one said why. I thought that it was because no one bothered on that, but later someone did.

  2. chrisrlink

    chrisrlink your friendly neighborhood serial killer

    Aug 27, 2009
    United States
    Elm street
    has to do with the motherboard in the 2k's cause the unhackable 2k's has the same board as the 3ks
  3. xist


    Jul 14, 2008

    This is an explanation of the security that was added in TA88v3

    When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is split into pieces of 0x1000 bytes.

    The First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
    the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes... if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored... before TA88v3) For the first exploit and Pandora, the security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.

    What has Sony added to fix this?

    The answer can be found in 4.00+ slim ipl's. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0).
    As stated before, these remaining bytes are ignored... in pre-ipl's of psp's prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp's. In newest pre-ipl's, these 0x20 bytes have a meaning.

    The first 0x10 bytes is an unknown hash calculated from the decrypted block. It is deduced that it is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl's, this hash is same, as seen in the picture

    The second 0x10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0x10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.

    This protection also destroys any possibility of downgrading below 4.00, as these new cpu's won't be able to boot previous firmwares ipl's.

    Summary: basically, all security of newest psp cpu's rely on the secrecy of the calculation of those 0x20 bytes. If the pre-ipl were somehow dumped then we could probably work out IF a Pandora could possibly work. It doesn't guarantee a CFW, but tells us whether one is possible.
  4. Rydian

    Rydian Resident Furvert™

    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Hot damn, added to sticky.
  5. soulo.kun

    soulo.kun Member

    Dec 22, 2010
    Lost.... well.. basically he's right.. Motherboards TA-088v3 and above cannot be fully hacked and will depend on what firmware you're using (That includes the PSP Go)

    Don't be sad though... there's a hen for PSP ver. 6.20 anyways.. there's still a chance that a CFW can be created to partially MOD the psp without Overwriting/writing stuffs on the flash..
  6. 8BitWalugi

    8BitWalugi Taiyohhhhhh!

    Mar 22, 2008
    Side 7
    This was just un-necessary.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice