[News][Downgrad] Les cartes meres TA 088 v3 hackés !!!

الموضوع في 'أخبار عالم ألعاب الفيديو' بواسطة exerses, بتاريخ ‏8 ديسمبر 2008.

  1. exerses

    exerses كبار الشخصيات

    إنضم إلينا في:
    ‏1 أفريل 2006
    المشاركات:
    4.229
    الإعجابات المتلقاة:
    8.414
      08-12-2008 03:52
    [​IMG]



    [​IMG]

    Les récentes cartes mères (TA 088 v3) étaient connues pour être les seules à résister au DDC7 de Dark alex, et pourtant un programmeur encore inconnu (pseudo:Brokencodes) dans le monde de l'underground PSP à réussi à faire sauter ces sécurités!

    Pour le moment, encore personne ne peut flasher les PSP contenant cette carte mère, mais attendez vous à voir arriver un nouveau DDC qui permettra de flasher ces cartes mères (qui equiperont les PSP3000).

    Voila ce que disait dark à propos des cartes mere TA 088 v3 :
    (citation en anglais)
    [​IMG]
    Citation:
    This is an explanation of the security that was added in TA88v3, and which will be likely in PSP3000.

    When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0x1000 bytes.

    First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
    the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes... if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored... before TA88v3) Fir

    The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
    What has Sony added to fix this?

    The answer can be found in 4.00+ slim ipl's. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0).
    As stated before, these remaining bytes are ignored... in pre-ipl's of psp's prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp's. In newest pre-ipl's, these 0x20 bytes have a meaning.

    The first 0x10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl's, this hash is same, as seen in the picture:

    0o
    [​IMG]


    The second 0x10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0x10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0x10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.

    This protection also destroys any possibility of downgrading below 4.00, as these new cpu's won't be able to boot previous firmwares ipl's.

    Summary: basically, all security of newest psp cpu's rely on the secrecy of the calculation of those 0x20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.

    Graphic summary
    :
    0o
    [​IMG]
    [​IMG]

    Allez encore un peu de patience un nouveau DDC va arriver
    إن شاء الله

    [​IMG]


     
    4 شخص معجب بهذا.
جاري تحميل الصفحة...

مشاركة هذه الصفحة

جاري تحميل الصفحة...