Page 1 of 3 1 2 3 LastLast
Results 1 to 30 of 74

Release: Parse-DREG - PSP registry parser

This is a discussion on Release: Parse-DREG - PSP registry parser within the PSP Development Forum forums, part of the PSP Development, Hacks, and Homebrew category; I've been getting lots of help from Skylark of toc2rta, one of the three behind the TIFF exploit :P Together ...

  
  1. #1
    QJ Gamer Platinum (Location: h0000000rj)
    Release: Parse-DREG - PSP registry parser

    I've been getting lots of help from Skylark of toc2rta, one of the three behind the TIFF exploit :P

    Together we (well, mostly him) have put together a program that reads your PSP's system registry and spits out an XML document. I wrote a quick little XSL stylesheet that turns that XML document into a web page.

    We've only tested this on a 1.50 and a 2.00 DREG file so far...

    There's only one bit of data we haven't gotten yet: the checksum that the PSP stores for each piece of data. Skylark's hard at work hacking away at that, though, and once we figure that out, we should be able to put any data into the settings that we want without the PSP immediately noticing anything.

    From the readme:
    PSP Registry Parser by Skylark (with minimal help from FreePlay :-P)
    --------------------------------------------------------------------

    ABOUT
    -----

    This is a command-line program that you can use to view the contents of your SYSTEM.DREG/SYSTEM.IREG files, which are the PSP's system registry. These files contain all sorts of information about system settings, network connection setup, etc.

    SETUP
    -----

    Installation is simple; just copy all of the files in this ZIP file to a folder somewhere on your computer. It doesn't matter where, so long as you copy all of them.

    To set the program up, you'll need to use something like FileAssistant to copy the two files from flash1:/REGISTRY into the same folder as this program. FileAssistant v0.4 works on any PSP up to v2.60, and you can get that from http://psp-news.dcemu.co.uk/fileasistant.shtml.

    To copy flash1 using that program, press L until "Disk" is highlighted at the bottom, then press R, then pick Flash 1, then press O. Then Press L until "Copy" is highlighted, then press [] to highlight the SYSTEM.DREG and SYSTEM.IREG files, then press R to copy them to the MS.

    USING
    -----

    There are two main ways of running the program:

    1. Display-only mode. Open up a command prompt, change over to the folder that has the programs in it, and just type "parsedreg". It should spit out an XML-formatted file to the console.

    2. File output mode. Performed exactly as #1, but you instead type "parsedreg > insert_a_filename_here.xml". It'll save the file to whatever name you put into 'insert_a_filename_here'.

    There's not really much to do with this yet, but we obsessed over it for a few days on Fanjita's IRC channel :)

    HELP!
    -----

    If you have any questions about this, I'm sure one of us will be online. Go to www.fanjita.org and click "Live Chat", or use your favorite IRC client to connect to irc.toc2rta.com, channel #fanjita. You can also e-mail FreePlay at [email protected]. He's a bit addicted to the IRC channel :P

    NOTES
    -----

    There's something in the "pspreghtmlizer" folder that can turn the XML output into a nicely-formatted web page. Check it out.

    The "src" folder contains the source code, for those of you who are on Linux or who just want to modify the program.
    Get it here!


    [I fail @ life]

  2. #2
    QJ Gamer Blue

    So if the checksum is hacked, arbitrary code can be run? Will this benefit FW 2.01+ users? Sorry, just curious.

  3. #3
    QJ Gamer Platinum (Location: h0000000rj)

    It's possible that figuring out how to make the checksum could lead to a hack, yes. Once we can do it, we'll try to inject code into different parts of the file, and hopefully some part will have a weakness.
    [I fail @ life]

  4. #4
    QJ Gamer Gold (Location: meh)

    you go get em ;)
    im too sleepy to ask anything intelligent.

  5. #5
    QJ Gamer Blue (Location: Denville, New Jersey)

    This is an interesting app, good work!

  6. #6
    Rock Star (Location: CT| FW: 4.01 M33-2)

    works fine with the 2.6 registry file. Nice work!


  7. #7
    (Location: Portugal)

    GOOD WORK

    I'll test this when I get back my GTA:LCS

  8. #8


    doesn't work with 2.50 files

  9. #9
    Rock Star (Location: CT| FW: 4.01 M33-2)

    That's weird... why would it work with 2.6 but not 2.5?


  10. #10
    QJ Gamer Gold (Location: GA | Banned: 3 | Warned: 3)

    Maybe 2.6 has a weakness that 2.50 doesn't?

  11. #11
    QJ Gamer Platinum (Location: h0000000rj)

    Maybe it's operator error >_>
    [I fail @ life]

  12. #12
    Rock Star (Location: CT| FW: 4.01 M33-2)

    I just tried a 2.01 system.dreg and got an error like the one described


  13. #13
    words are stones in my <3 (Location: Spokane)

    Well, 2.6 does have different syscalls and things like that; look at the cheat device, some don't work on 2.6 because of different locations of syscalls.

    An educated guess.

    ...at what speed must I live.. to be able to see you again?...



  14. #14
    QJ Gamer Platinum (Location: h0000000rj)

    Well, that's a good guess, but the IREG and DREG files are just data, not anything executable. The syscalls shouldn't matter.

    Skylark and I did notice some differences between the 1.50 and 2.00 files, though. It's possible that they've been rearranged for later versions.

    In that case... If anyone could upload a copy of their flash1 from 2.01, 2.50, or 2.60, that would be most helpful. Don't worry about legality issues; it's user-generated content, so it's not copyrighted.
    [I fail @ life]

  15. #15
    Rock Star (Location: CT| FW: 4.01 M33-2)

    Like I said though, my 2.6 DREG worked fine... so I think only 2.01/2.5 flash1 dumps are needed


  16. #16
    sceKernelExitGame(); (Location: New York)

    I can smell an exploit -sniff, sniff- This might be way off, but if you gain access to the data you mentioned in the release and you find the weakness, is there a possible exploit that could be used to downgrade?

  17. #17
    QJ Gamer Blue (Location: Haughton, LA)

    Ok here it is

    http://s44.yousendit.com/d.aspx?id=3...42CIL1DAUDGJHX

    Copied from a friend of mine if anyone is suspicious
    Last edited by AkiraPsychic; 03-12-2006 at 07:17 PM.

  18. #18
    QJ Gamer Platinum (Location: h0000000rj)

    Quote Originally Posted by AkiraPsychic
    Ok here it is

    http://s44.yousendit.com/d.aspx?id=3...42CIL1DAUDGJHX

    Copied from a friend of mine if anyone is suspicious
    Thanks!

    It worked just fine, but I can't tell which firmware version this is. I did notice the wma_play value, so I assume it's from a 2.60.
    [I fail @ life]

  19. #19
    Rock Star (Location: CT| FW: 4.01 M33-2)

    Yeah, that's a 2.60 firmware.


  20. #20
    QJ Gamer Blue (Location: phoenix,AZ)

    Quote Originally Posted by bronxbomber92
    I can smell an exploit -sniff, sniff- This might be way off, but if you gain access to the data you mentioned in the release and you find the weakness, is there a possible exploit that could be used to downgrade?
    If (hypothetically speaking) this gives us enough access to our beloved PSPs (you know, memory, kernel, WiFi, etc.), then why even downgrade?

  21. #21
    QJ Gamer Platinum (Location: h0000000rj)

    FYI: There was some turmoil tonight over at PSP3D. Some kid used TO's guide about replacing 0x00 with 0x20 and claimed that he had a working font exploit on 2.50. Unfortunately for him, he only uploaded the SYSTEM.DREG file - no SYSTEM.IREG - and every 0x00 in the file was replaced with 0x20.

    Anyways, I had to step in and call his bluff. There was a bunch of flaming and insults, but I generally kept pretty cool and just gave him some evidence that he was lying and we're the ones who are doing this.

    Also FYI: Skylark managed to figure out the checksums and we've had some awesome progress.

    Quote Originally Posted by PSP3D
    Quote Originally Posted by Mo
    Regarding the 2.5 font hack thread:

    I'd like to know what's what here, and honestly. I've seen noob hex fragments before, and you seem to have legit files (edu folder too), but who came up with the entire hack originally?

    I hate to watch an immature fight between you and kid101, so, please, explain it all truthfully.

    I'll then take the appropriate action.
    The idea for the font hack came from TeamOverload, a member over at PSPUpdates. He realized that the PSP's registry contains a path to a FONT folder stored in the firmware.

    After a bunch of tinkering, he managed to change the path without the PSP crashing right away. However, he couldn't access a lot of his system options.

    As a regular visitor to Fanjita's IRC channel, I've gotten to know Skylark, one of the three toc2rta members who created the 2.00 TIFF exploit. I presented the problem to him. He asked me for some registry dumps and I gladly obliged.

    Within a single day, he managed to put together a program (in C) that could not only read the registry, but spit out all the contents within it. I asked him to make an XML version, and so he tweaked it to spit out an XML page. The program is right here.

    I then made an XML transformation stylesheet (in XSLT) that turned it into a web page. Example here. It seems to display properly in Firefox, if you want to check it out.

    The one barrier we hit was that the data in the registry is validated by a checksum. We didn't know what type of checksum it was. He tried out simple CRCs and things like that, but things died for a few days because he couldn't figure it out.

    Then today, both of us realized that the checksum function had to be referenced in the REGISTRY.PRX file in the firmware. We noticed that this file imported a PSP system function for the SHA1 algorithm.

    After about an hour, Skylark coded up another version of the program that calculated the SHA1 checksums for the registry file and checked to see if the data was valid. He then adjusted this so that it could also write valid checksums. This program is right here.

    At this point, we could edit the PSP's registry by inserting any data we wanted through a hex editor, then run Skylark's program to mark all the data as valid.

    I tested out some modified registries on a simulated 2.00 using the MPH firmware loader, and noticed a few funny things (e.g. that a network connection's name can only be 15 characters, but you can store about 48 characters in its place in the registry).

    Examples: modified 2.00 registry before being fixed, and the same one after being fixed.
    Edit: Note that there are blocks in the "unfixed" file marked in red. These are the blocks that were edited, and would thus show up as corrupt. Now, note that the same blocks in the "fixed" file are not marked in red. That's because Skylark's program fixed the blocks with a proper SHA1 and made them valid :)
    Quote Originally Posted by PSP3D
    I then decided to take a leap and modify the registry of my actual PSP. I changed the path that TeamOverload had noticed to point to ms0:/fontmod. I ran Skylark's program. I copied the fonts from flash0:/font to my MS in a folder called 'fontmod', then I copied my modified registry to my PSP and rebooted.

    It loaded perfectly fine. I noticed that some parts of the XMB took a little while to load. For example, the Network Update screen took about 10 seconds to load, and the MS light was blinking the whole time.

    Then I decided to mess around in the System Language menu, and the results were pretty obvious. You can check them out here.

    We're still not sure what we have. We have a long way to go before there is a viable exploit here, but we're now able to load files from the MS that are only intended to be loaded by the PSP's firmware itself.
    Last edited by FreePlay; 03-13-2006 at 09:21 PM.
    [I fail @ life]
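    The checksum scheme FreePlay describes above (edit the file in a hex editor, then run a tool that recomputes a SHA-1 per block so nothing shows up as corrupt) is worth seeing as code, because it makes the security point obvious: an unkeyed hash stored next to the data is an error-detection code, not tamper evidence. The block below is an added example written for this page; it is not Skylark's program, not the parsedreg source, and the block layout it uses (fixed 64-byte blocks with a 20-byte SHA-1 at the end of each) is an assumption made for illustration only, not the real SYSTEM.DREG layout, which the thread does not document. The sample entries are constructed; only the paths flash0:/font and ms0:/fontmod come from the post. It goes one step beyond the post by also running the same edit against a keyed (HMAC-SHA1) variant to show what an attacker with write access but no key can and cannot forge.

```python
"""Per-block SHA-1 'checksum' check and re-seal, modelled on the scheme the
post describes. Added example: NOT Skylark's tool and NOT the real
SYSTEM.DREG layout (the thread does not document it).

ASSUMED layout for illustration only: the file is a run of fixed-size
blocks; the last 20 bytes of each block hold the SHA-1 of the block's
payload (the first BLOCK_SIZE - 20 bytes).
"""
import hashlib
import hmac

BLOCK_SIZE = 64                      # assumed, kept small for readability
DIGEST_LEN = 20                      # SHA-1 output length
PAYLOAD_LEN = BLOCK_SIZE - DIGEST_LEN


def split_blocks(data):
    """Cut the file into fixed-size blocks; reject empty or truncated files."""
    if not data or len(data) % BLOCK_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), BLOCK_SIZE))
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def digest(payload, key=None):
    """Unkeyed SHA-1, as the post says REGISTRY.PRX uses. With a key it
    becomes HMAC-SHA1, which cannot be recomputed without that key."""
    if key is None:
        return hashlib.sha1(payload).digest()
    return hmac.new(key, payload, hashlib.sha1).digest()


def seal(payloads, key=None):
    """Pack payloads into blocks, each followed by its (keyed) digest."""
    out = bytearray()
    for p in payloads:
        if len(p) > PAYLOAD_LEN:
            raise ValueError("payload longer than %d bytes" % PAYLOAD_LEN)
        p = p.ljust(PAYLOAD_LEN, b"\x00")
        out += p + digest(p, key)
    return bytes(out)


def bad_blocks(data, key=None):
    """Indices of blocks whose stored digest does not match the payload:
    the blocks the post describes as 'marked in red'."""
    bad = []
    for i, blk in enumerate(split_blocks(data)):
        payload, stored = blk[:PAYLOAD_LEN], blk[PAYLOAD_LEN:]
        if not hmac.compare_digest(digest(payload, key), stored):
            bad.append(i)
    return bad


def reseal(data, key=None):
    """Recompute every block digest (the 'fix' pass after a hex edit)."""
    return seal([blk[:PAYLOAD_LEN] for blk in split_blocks(data)], key)


def patch_block(data, index, new_payload):
    """Hex-editor style edit: overwrite one block's payload, leave its digest."""
    blocks = split_blocks(data)
    if len(new_payload) > PAYLOAD_LEN:
        raise ValueError("payload longer than %d bytes" % PAYLOAD_LEN)
    blocks[index] = new_payload.ljust(PAYLOAD_LEN, b"\x00") + blocks[index][PAYLOAD_LEN:]
    return b"".join(blocks)


def payloads(data):
    """Payloads with the zero padding stripped (what a parser would print)."""
    return [blk[:PAYLOAD_LEN].rstrip(b"\x00") for blk in split_blocks(data)]


# Constructed sample entries; the key names are made up, only the paths
# flash0:/font and ms0:/fontmod come from the thread.
SAMPLE = [b"font_path=flash0:/font", b"ssid=HomeNet"]
EDIT = b"font_path=ms0:/fontmod"


def demo():
    original = seal(SAMPLE)
    edited = patch_block(original, 0, EDIT)          # raw hex edit
    fixed = reseal(edited)                            # checksum-fixer pass
    # Contrast: a keyed digest whose secret is not in the file.
    key = b"constructed secret, not stored in the file"
    keyed = seal(SAMPLE, key)
    forged = reseal(patch_block(keyed, 0, EDIT))      # attacker has no key
    return {
        "flagged_after_edit": bad_blocks(edited),     # [0]
        "flagged_after_reseal": bad_blocks(fixed),    # []
        "edited_payload": payloads(fixed)[0],         # b"font_path=ms0:/fontmod"
        "flagged_keyed": bad_blocks(forged, key),     # [0, 1]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    Running it reproduces the two screenshots in the post: after the raw edit, block 0 is flagged; after the re-seal, nothing is flagged and the edited path is still there. In the keyed variant the attacker's best effort (recomputing every block with plain SHA-1) breaks every block, including the untouched one, so a keyed MAC or a signature verified with a public key held in the firmware would have stopped this class of edit. The caveat for anyone designing such a scheme is that the key has to be kept away from whoever can write the file; if the same code that reads the registry also holds the key, a determined user with flash access gets both, which is why a public-key signature is the construction to reach for rather than a secret shared with the device.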

  22. #22
    QJ Gamer Platinum (Location: h0000000rj)

    Skylark has put together an excellent piece of documentation about the research thus far. Check it out here.
    [I fail @ life]

  23. #23

    It's just a supposition,

    I tried to load the font from the MS and it worked; if we could modify a font file and replace all "2" by "1", a 2.50 PSP would become a 1.50...

    Would it be sufficient to start the Firmware 2.00 upgrade?

    I repeat, it's just a thought, don't throw tomatoes at me :humped:

    PacoPad

  24. #24
    QJ Gamer Platinum (Location: h0000000rj)

    Quote Originally Posted by pacopad
    It's just a supposition,

    I tried to load the font from the MS and it worked; if we could modify a font file and replace all "2" by "1", a 2.50 PSP would become a 1.50...

    Would it be sufficient to start the Firmware 2.00 upgrade?

    I repeat, it's just a thought, don't throw tomatoes at me :humped:

    PacoPad
    ...

    The version number of the PSP is stored in an encrypted file on flash0, not in the font. That's a cute suggestion, though :P
    [I fail @ life]

  25. #25
    Rock Star (Location: CT| FW: 4.01 M33-2)

    I was looking at the guide now, and this program can now sign the system.dreg so it's not corrupt????


  26. #26
    QJ Gamer Platinum (Location: h0000000rj)

    Exactly.
    [I fail @ life]

  27. #27
    No longer a community member. (Location: Waianae)

    First thing I read when seeing pspupdates was Font Hack on the way and my pants lit up like the torch bowl in Toreno.

  28. #28
    Developer (Location: Tauranga, New Zealand)

    Whee, hacking!

  29. #29
    QJ Gamer Silver

    If this works and gets far, and people can run homebrew on 2.6 or any version PSP with no limitations and no GTA, then that's great. But there still is one reason not to upgrade: 2.6 PSPs run wireless slower than the lower versions because of all the space in the flash memory being used up. Just an FYI, it happened to me, though it might have just been my PSP being crappy, but that one's dead now.
    PS: keep up the good work this gives me hope for homebrew again.

  30. #30
    QJ Gamer Platinum (Location: h0000000rj)

    Quote Originally Posted by 1magus
    If this works and gets far, and people can run homebrew on 2.6 or any version PSP with no limitations and no GTA, then that's great. But there still is one reason not to upgrade: 2.6 PSPs run wireless slower than the lower versions because of all the space in the flash memory being used up. Just an FYI, it happened to me, though it might have just been my PSP being crappy, but that one's dead now.
    PS: keep up the good work this gives me hope for homebrew again.
    Yyyeah... except, not really. The PSP doesn't use flash1 for anything wifi-related, other than storing the network connection settings...

    Thanks for the support, though :)
    [I fail @ life]


 


Copyright © Caputo Media, LLC. All Rights Reserved.