Pandora

From PSP Developer wiki
Revision as of 22:20, 26 March 2018 by Mathieulh (talk | contribs) (→‎Properly encrypted Pandora compatible IPL blocks: fixed ipl block load address)

On August 22, 2007, Team C+D released "Pandora's Battery", the Prometheus Project everyone was waiting for. It converted a spare Memory Stick Pro Duo and battery into a "Magic Memory Stick" and a "JigKick Battery". Some people mistake Pandora's Battery for the JigKick Battery, but Pandora's Battery is both the Magic Memory Stick and the JigKick Battery. The Memory Stick and battery can then be used to downgrade any PSP of any version or to recover from a brick. To convert the Memory Stick and battery, another PSP that is able to run 1.50 homebrew is needed. The Memory Stick can also be converted without a homebrew PSP by using a Pandora's Battery program, such as Pandora Easy GUI. After the downgrade or unbrick has been completed, the Memory Stick and battery can be restored for normal usage.


JigKick Battery

This is a battery with its serial changed to 0xFFFFFFFF. When a PSP's battery serial number is changed to 0xFFFFFFFF, the PSP boots the IPL from sector 16 on the physical drive (the Magic Memory Stick). This unlocks the service mode of the PSP and launches the IPL from the Memory Stick (instead of from flash0). You can either hardmod or softmod a battery.

A hardmod is when you make a JigKick Battery by opening it up and removing a pin; this can be done to any battery.

A softmod is when you make a JigKick Battery by using a program, but the battery has to be suitable: new batteries cannot be softmodded.


Magic Memory Stick

A Magic Memory Stick is any Memory Stick that has been converted to boot and work with a JigKick Battery. Depending on the method of creation, a Magic Memory Stick can either downgrade or boot PSPs to 1.50 FW (Phat), upgrade any PSP to 3.71/3.80 M33 and their counterparts, or launch various homebrew. The Memory Stick has to be suitable, however: only Pro Duo sticks below 4GB can be made into Magic Memory Sticks.

In-depth Technological Details

The fake encrypted data is bruteforced so that it decrypts into your chosen data (to be able to exploit the preipl). The signature for the fake encrypted data is then bruteforced as well, so that it appears valid to the crypto engine, which will then go ahead and decrypt the fake encrypted data.

The preipl exploit works like this:

First a decrypted ipl block:
0x00: load address
0x04: data size
0x08: entry address
0x0C: checksum of previous block
0x10: data

A typical example might be
0x040F1EA0
0x00000F50
0x00000000
0xB71C6EBA
...data...

Which means: load 0xF50 bytes of data to 0x040F1EA0. 0xB71C6EBA is the checksum of the previous block. The entry address is 0 because the end has not been reached yet and there are more blocks to load. Once all the IPL blocks have been loaded, the very last block carries the entry address of where the whole IPL has been loaded (typically 0x040F0000), and the preipl then jumps to that address.

Preipl pseudocode for loading & decrypting the ipl:

Code:
    int iplBlockNumber = 0;
    u32 checksum = 0;

    // load/decrypt all encrypted ipl blocks
    while(1)
    {
        // copy an encrypted ipl block to 0xBFD00000-0xBFD01000 (4KB embedded cpu ram)
        if (LoadIplBlock(iplBlockNumber, block) < 0)
            while(1);

        // decrypt the ipl block in place (uh oh...)
        if (DecryptIplBlock(block, block))
            while(1);

        // first block will have zero as its checksum since there is no previous block (another uh oh...)
        if (block->checksum != checksum)
            while(1);

        // load the 'data' section of the ipl block to the specified address (0x040Fxxxx range)
        if (block->loadaddr)
            checksum = memcpy(block->loadaddr, block->data, block->blocksize);

        // reached the end of the ipl, jump to the entry address (0x040F0000)
        if (block->entry)
        {
            // clear caches
            Dcache();
            Icache();

            // jump to ipl - do not return
            block->entry();
        }

        iplBlockNumber++;
    }

As the preipl loads the first IPL block (the fake one), it decrypts the block in place, i.e. the decrypted block simply overwrites your encrypted block. The fake block decrypts into only four bytes of zeros, so after decryption only the first four bytes of your fake block are overwritten (with four zeros).

The fake signed block:

Code:
00000000: 00 00 00 00 00 00 00 00 00 01 D0 BF 00 00 00 00
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 52 A1 05 CD 3A 52 59 28 0A D1 31 F1 BD 87 2E CC
00000030: 14 DA 02 2F 77 88 C7 66 F3 32 07 BD 1A 08 9E 4C
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0: 00 00 00 00 00 00 00 00 00 00 00 01 C6 5F 74 12


The most important parts to note:
0x20-0x3F are the bruteforced hash signatures
0xA0-0xAF is the bruteforced encrypted data
0x70-0x73 is the size of the decrypted data (only 4 bytes)

A slight flaw in the crypto engine allowed the bruteforce to be performed on a scale magnitudes smaller than would normally be required.

After decryption, the preipl thinks the data is now a decrypted ipl block. So note the first 0x10 bytes:

0x00000000 (load address which was faked to four 0's when decrypted)
0x00000000 (size of the block to load, none)
0xBFD00100 (the entry address, the most important part, where your unsigned code is located)
0x00000000 (checksum)

It passes the checksum test (with 0x00000000), skips the loading of any data (since the loadaddr has been faked to 0x00000000), sees the entry address of 0xBFD00100, concludes that it has reached the end of the IPL and so jumps to that address (which is where your unsigned code will be).
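The decision described above can be reproduced in a small C model, added here as an illustration and not taken from the preipl or from Team C+D's code: the crypto engine is replaced by a constructed stand-in that just writes the known plaintext, and preipl_hardened, its checks and all function names are assumptions of this example. It runs the first 0x10 bytes of the forged block through the in-place flow and through a flow that decrypts into a separate buffer.

```c
#include <stdint.h>
#include <string.h>
#define STAGE_BASE 0xBFD00000u /* staging buffer range given on the page */
#define STAGE_SIZE 0x1000u
#define HDR_SIZE   0x10u       /* loadaddr, size, entry, checksum */
enum { IPL_HALT = -1, IPL_NEXT = 0, IPL_JUMP = 1 };

static uint32_t rd32(const uint8_t *p) { /* little-endian field read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Header checks shared by both flows, as in the pseudocode. */
static int decide(const uint8_t *hdr, uint32_t prev_sum, uint32_t *entry) {
    if (rd32(hdr + 0x0C) != prev_sum) return IPL_HALT;
    *entry = rd32(hdr + 0x08);
    return *entry ? IPL_JUMP : IPL_NEXT;
}
/* Flawed flow: output lands on top of the input, so input bytes beyond
   plain_len are then read as if they were decrypted header fields. */
int preipl_inplace(uint8_t *stage, const uint8_t *plain, uint32_t plain_len,
                   uint32_t prev_sum, uint32_t *entry) {
    memcpy(stage, plain, plain_len); /* constructed stand-in for the crypto engine */
    return decide(stage, prev_sum, entry);
}
/* Hardened flow (assumption of this example): zeroed separate output buffer,
   a full header must be decrypted, the size field must fit the decrypted
   length, and the entry point may not lie inside the staging buffer. */
int preipl_hardened(const uint8_t *plain, uint32_t plain_len,
                    uint32_t prev_sum, uint32_t *entry) {
    static uint8_t out[STAGE_SIZE];
    memset(out, 0, sizeof out);
    if (plain_len < HDR_SIZE || plain_len > STAGE_SIZE) return IPL_HALT;
    memcpy(out, plain, plain_len);
    if (rd32(out + 0x04) > plain_len - HDR_SIZE) return IPL_HALT;
    int r = decide(out, prev_sum, entry);
    if (r == IPL_JUMP && *entry - STAGE_BASE < STAGE_SIZE) return IPL_HALT;
    return r;
}
/* First 0x10 bytes of the forged block shown on the page; it decrypts to four zero bytes. */
static const uint8_t FORGED_HDR[HDR_SIZE] = {0,0,0,0, 0,0,0,0, 0x00,0x01,0xD0,0xBF, 0,0,0,0};
static const uint8_t FOUR_ZEROS[4] = {0};
uint32_t forged_entry_inplace(void) { /* entry the flawed flow would jump to, 0 if none */
    uint8_t stage[HDR_SIZE]; uint32_t e = 0;
    memcpy(stage, FORGED_HDR, sizeof stage);
    return preipl_inplace(stage, FOUR_ZEROS, 4, 0, &e) == IPL_JUMP ? e : 0;
}
int forged_result_hardened(void) {
    uint32_t e = 0;
    return preipl_hardened(FOUR_ZEROS, 4, 0, &e);
}
```

The in-place flow returns the entry address taken from bytes the crypto engine never produced, while the separate-buffer flow halts because only four bytes came out of decryption.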

So that's it in a nutshell. But don't let a quick five-minute summary of the exploit understate the enormous effort involved in bringing it to fruition (as the final product known as Pandora).

Properly encrypted Pandora compatible IPL blocks

On March 10th 2018, developer Mathieulh released properly encrypted, Pandora hack compatible IPL blocks using the kirk cmd 0x01 key.

[1] [2]

Here are a few of those:


Retail flagged IPL block with entrypoint set to 0xBFD00100:



Devkit flagged IPL block with entrypoint set to 0xBFD00100:



Devkit flagged IPL block with entrypoint set to 0xBFE01100 (only works on DTP-T1000/DEM-1000!):



Retail flagged IPL with entrypoint set to 0xBFE01100 (only works on DTP-T1000/DEM-1000!):


Retail flagged IPL with entrypoint set to 0xBFC00100 (only works on DTP-T1000/DEM-1000!):



All these blocks have been properly tested and are confirmed to be working (the dev blocks have been successfully tested on kbooti 0.7.0 and should work up to revision 2.7.1).

These are available in binary format here:

[3]

The 0xBFD00100 versions of these blocks work as-is: replace the time-attacked forged block with the properly encrypted one supplied. The 0xBFE01100 and 0xBFC00100 versions (which only work on Development Tool units) may require you to rebuild/recompile your custom IPLs using 0xBFE01100 or 0xBFC00100 as the entrypoint respectively. It may be wiser to rebuild the IPL as a fully valid IPL using ipltool [4] instead, although using the Pandora compatible IPL block would allow you to port retail custom IPL projects to devkits with minimal effort. Keep in mind that under normal circumstances neither the Memory Stick nor the NAND device is initialized by the DTP-T1000 Lib-PSP iplloader; reading from or writing to either of these devices will require you to add the initialization routine to your IPL. The IPL SDK (available here: [5]) contains full low-level driver implementations for both devices, which you can use in your projects.