Editing Pandora

= Installation =


Refer to [[Magic Memory Stick]] and [[JigKick Battery]] for their installation and usage.
 
To wikify: [https://forums.exophase.com/threads/using-the-universal-unbricker-to-unbrick-downgrade-restore-any-psp-to-5-00-m33-4.3780/].
 
For custom IPL see below.


= Uninstallation =
= Official JigKick =


The official JigKick runs as a battery emulator that communicates with the PSP's System Controller over the Baryon K line. When the battery serial is 0xFFFFFFFF, it passes authentication using special key IDs set during the challenge; if authentication passes, the GPIO that sets service mode is enabled.
 
== PSP-1000/PSP-2000/PSP-3000 ==
 
The battery emulator connects to the Baryon K Line (the middle pin, PIN 2, on the battery connector).
 
== PSP-N1000 ==
See [[Psp Go Jigkick|PSP Go Jigkick]]
 
== PSP-E1000 ==
 
On the PSP-E1000, the battery emulator connects to the Baryon K Line on the ID PIN of the Mini USB connector.
 
 
Button combo:
 
To initiate the JigKick challenge, hold down LTrigger + RTrigger + Left + Circle while the K line and DC 5V are connected, then turn on the console's power without letting go of the buttons.
 
 
== DTP-T1000/Development Tool JIG Test/emulation Mode ==
 
Starting from kbooti 0.7.0, a special JIG test mode exists: it reads an IPL block at 0x2000 on the Memory Stick instead of from address 0xBFE01000 if the following condition is met:
 
    if ( MEMORY[0xBFEFFFFC] < 0 ) use MS
 
Writing 0xFFFFFFFF at 0xBFEFFFFC does indeed enable the pseudo service mode and reads the block from the Memory Stick. Sony engineers use this mode to debug JIG Memory Sticks: they write a kbooti using bloadp and then use reset parameters to set the flag at 0xBFEFFFFC via the sbootp param/arg of the reset command of either dstdb or bsreset (dspreset), for example:
/usr/local/sony/bin/bootdispi/dspreset 80000000 (FFFEFFFF for example sets all boot flags to 0xFF), to set the DTP-T1000 into JIG emulation mode.
 
Because flags can only be set incrementally, the only way to clear the JIG flag using official SDK tools is to run the bloadp command again, as this clears the whole tachsm0 memory including the flags.
 
Kbooti remains loaded in memory until the main unit is turned off or bloadp is run again, so the unit can be power-cycled through different Memory Sticks.
 
In kbooti revision 3.5.0 this mode skips the XOR step on the KIRK header (it overwrites the XOR key with 00s in the scratchpad), which allows using a regular IPL block to achieve code execution and dump the payload (without the XOR key).
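The boot-flag check above is a signed comparison on a 32-bit word, so it is satisfied by any value with bit 31 set, not only by 0xFFFFFFFF, and the flag word itself can only accumulate bits until the tachsm0 memory is wiped by bloadp. The following C model is an added illustration of that selection logic; it is not kbooti code or any Sony tool. The struct standing in for the word at 0xBFEFFFFC, and the function names, are assumptions made for the example; the two addresses are the ones given on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical model of the kbooti JIG test mode selection described above.
 * The real check reads a hardware word at 0xBFEFFFFC; here that word lives in
 * a struct so the logic can run on any host. */
#define IPL_ADDR_NAND 0xBFE01000u  /* normal IPL address named on the page */
#define IPL_MS_BLOCK  0x2000u      /* Memory Stick block named on the page */

typedef struct {
    uint32_t boot_flags;  /* models MEMORY[0xBFEFFFFC] (assumed layout) */
} tachsm0_t;

/* "if ( MEMORY[0xBFEFFFFC] < 0 )": a signed compare, so any value with
 * bit 31 set passes it, e.g. 0x80000000 as well as 0xFFFFFFFF. */
bool jig_mode_enabled(uint32_t word) {
    return (int32_t)word < 0;
}

/* Flags are set-only: a reset parameter ORs bits in and never clears them. */
void apply_reset_param(tachsm0_t *t, uint32_t param) {
    t->boot_flags |= param;
}

/* bloadp clears the whole tachsm0 memory, flags included. */
void bloadp_reload(tachsm0_t *t) {
    t->boot_flags = 0;
}

/* Where kbooti would fetch the IPL block from for the current flag state. */
uint32_t ipl_source(const tachsm0_t *t) {
    return jig_mode_enabled(t->boot_flags) ? IPL_MS_BLOCK : IPL_ADDR_NAND;
}

int main(void) {
    tachsm0_t t = {0};
    printf("fresh:            %08" PRIx32 "\n", ipl_source(&t));  /* NAND */
    apply_reset_param(&t, 0x80000000u);   /* like "dspreset 80000000" */
    printf("after 80000000:   %08" PRIx32 "\n", ipl_source(&t));  /* MS   */
    apply_reset_param(&t, 0x00000000u);   /* setting zero clears nothing */
    printf("after 00000000:   %08" PRIx32 "\n", ipl_source(&t));  /* MS   */
    bloadp_reload(&t);                    /* only bloadp wipes the flags */
    printf("after bloadp:     %08" PRIx32 "\n", ipl_source(&t));  /* NAND */
    return 0;
}
```

The model makes the practical point explicit: once a top-bit value has been written through a reset parameter, every subsequent boot takes the Memory Stick path until bloadp runs, and a reset parameter without bit 31 leaves the mode untouched.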
 
== DTP-H1500/Testing Tool JIG Mode ==
 
The Battery emulator will simulate a Pandora battery (serial 0xFFFFFFFF) when the P24 switch on the S3503 DIPSW is set to 1.


= Custom IPL =


[[JigKick Battery]] and [[Magic Memory Stick]] allow loading the [[IPL]] from a [[Memory Stick]] instead of NAND, which is useful for unbricking. But the [[IPL]] still has to be encrypted and signed to be accepted by the [[PRE-IPL]]. This was first solved by a bruteforce attack (?2005? ?2007?). Then in 2011 the [[KIRK Crypto Engine]] command 1 key was retrieved thanks to the PS3 hack, which allowed properly encrypting and signing the IPL, as demonstrated by mathieulh in 2018.


== IPL Bruteforce Attack ==


See the [https://events.ccc.de/congress/2007/Fahrplan/attachments/1040_psphacking.odp 24C3 Talk by Tyranid (2007)] and the [http://uofw.github.io/upspd/docs/SilverSpring_Blog/my.malloc.us/silverspring/pandora-exploit/index.html PRE-IPL exploit writeup by SilverSpring].


The fake encrypted data is bruteforced so that it decrypts into your chosen data (to be able to exploit the [[PRE-IPL]]). The signature for that fake encrypted data is then bruteforced as well, so that it appears valid to the crypto engine and the engine goes ahead and decrypts the fake encrypted data.