
QJ.net Game Discussion - PSP, Xbox, Wii, PS3, PSP Homebrew, and PSP Guides


Epsilon BIOS Custom Flash Replacement For PSP

This is a discussion on Epsilon BIOS Custom Flash Replacement For PSP within the PSP Homebrew and Hacks Discussion forums, part of the PSP Development, Hacks, and Homebrew category; Originally Posted by ryoko_no_usagi No, not in IPL. I have no hands-on reseach on 2.60+ stuff personally but what I've ...

Old 06-04-2006, 04:26 PM   #91
 

Quote:
Originally Posted by ryoko_no_usagi
No, not in IPL. I have no hands-on research on 2.60+ stuff personally but what I've gathered is that for the 2nd decryption (of the real firmware loader code), the headers are unmangled with data from RAM. This data is overwritten by the time the PSP has booted, so it's not possible to read it back through a homebrew application. I don't know whether the data comes from the external DDR RAM or from embedded RAM. In the first case, it's possible to snoop the external databus to get it.
I hope you realize that RAM has nothing in it on boot up, until something is loaded into it from flash.
Networkgamer is offline  
Old 06-04-2006, 05:17 PM   #92
 

I read the first two pages.

The concept is, they have the original BIOS on the PSP and simply bypass the checks and security.

Is it that hard to understand?
Peroxide is offline  
Old 06-04-2006, 07:40 PM   #93
 

Quote:
Originally Posted by Peroxide
I read the first two pages.

The concept is, they have the original BIOS on the PSP and simply bypass the checks and security.

Is it that hard to understand?
That is exactly it. Just like the hacked Xbox BIOS, you get a dump of the firmware, add whatever you want to it, take out all the checks, and then load it up. The only reason that we were unable to do this before was because we had to load the hacked 'firmware' onto the PSP, but this was not possible because the firmware is signed also, and when you modify the firmware it loses its signature. And when you go to update your PSP with the modified firmware, the old firmware that is already on your PSP prevents it because it is not signed.

It's not hard, folks, or even fiction, it is perfectly possible. And I BETTER not hear anyone say "well I bet the next firmware version is going to block this out!" My God, does Sony have you guys all brainwashed or something?? This is just like the Xbox: with the new U.P. chip coming out, you can disable it, just like the Xbox chips, making it undetectable. If U.P. turns out to be real, the only thing that Sony will be able to do to try and prevent this is revisions to the HARDWARE, i.e. the PSP mainboard, but even then the chip can be revised to accommodate the new mainboard.

What we all were doing before were software exploits, just like the softmods that came out for the Xbox. Exploits were found in games and in the dashboard but they were patched up through updates via Xbox Live, but with a modchip there is nothing that M$ can do; they did motherboard revisions, but then the chip was revised to work on that new motherboard also. This chip, U.P., will be the best thing to ever happen to the PSP community.....if it turns out to be true
FoxRacR17 is offline  
Old 06-04-2006, 08:54 PM   #94
 

Any news on when this is going to come out, and what it's going to cost? I hope it's around $20 and sold in stores and not online
home.grown.twinkie is offline  
Old 06-04-2006, 08:57 PM   #95

Quote:
Originally Posted by home.grown.twinkie
Any news on when this is going to come out, and what it's going to cost? I hope it's around $20 and sold in stores and not online
It doesn't matter, this is most likely fake.

The modchip, however, is most likely real.
PSPHax0r9 is offline  
Old 06-04-2006, 08:57 PM   #96

Quote:
Originally Posted by home.grown.twinkie
Any news on when this is going to come out, and what it's going to cost? I hope it's around $20 and sold in stores and not online
I think you're confusing this with "Undiluted Platinum", which is the modchip required in order for this "Custom Flash Replacement" to work.

Edit: Beat by PSPHax0r9...
NEvolution is offline  
Old 06-04-2006, 09:35 PM   #97

Quote:
Originally Posted by Networkgamer
I hope you realize that RAM has nothing in it on boot up, until something is loaded into it from flash.
Why do you think there is nothing in RAM?
ryoko_no_usagi is offline  
Old 06-04-2006, 11:39 PM   #98
 

Quote:
Originally Posted by ryoko_no_usagi
Why do you think there is nothing in RAM?
I think what he means is that the chances of it coming from "external DDR RAM or from embedded RAM" are non-existent.
chronomaster5042 is offline  
Old 06-05-2006, 12:29 AM   #99
 

The whole concept of edited BIOS is just too much forward thinking.
I mean we only heard of this "Modchip" *Fingers crossed it's real* at the end of May, and this "team" has been working on this for ages... somehow cracking the BIOS, removing security etc...... BUT! Why did they do this in the first place? It's not like we could use it in any other fashion than this new "NAND Replacement"... Or! Did they know of this "Modchip" ages ago and have been working on this BIOS of theirs ever since... Puzzling...
logicfrog is offline  
Old 06-05-2006, 01:18 AM   #100
 

Quote:
Originally Posted by logicfrog
The whole concept of edited BIOS is just too much forward thinking.
I mean we only heard of this "Modchip" *Fingers crossed it's real* at the end of May, and this "team" has been working on this for ages... somehow cracking the BIOS, removing security etc...... BUT! Why did they do this in the first place? It's not like we could use it in any other fashion than this new "NAND Replacement"... Or! Did they know of this "Modchip" ages ago and have been working on this BIOS of theirs ever since... Puzzling...
They are probably the same guys who make the chip.

Even the dumbest guy could realize that, also because the news comes from the same place.
It's obvious that the chip wouldn't sell so much without a custom flash, and they wouldn't wait for programmers to make one; they want to sell now
moonlight is offline  
Old 06-05-2006, 03:53 AM   #101
 

Didn't some guys claim to be working on a PSP modchip and to release it May 05? Does anyone remember?
newmikezilla2 is offline  
Old 06-05-2006, 10:53 AM   #102
 

Quote:
Originally Posted by home.grown.twinkie
Any news on when this is going to come out, and what it's going to cost? I hope it's around $20 and sold in stores and not online
You are WAY off. It says on PSP Updates that it will be around $90 and will only be online.
The BIOS will most likely be free, although you need the modchip to use it, and it costs 90 bucks and is only available online.

Last edited by Networkgamer; 06-05-2006 at 10:59 AM..
Networkgamer is offline  
Old 06-05-2006, 10:54 AM   #103
 

Quote:
Originally Posted by newmikezilla2
Didn't some guys claim to be working on a PSP modchip and to release it May 05? Does anyone remember?
that was a hoax
Networkgamer is offline  
Old 06-05-2006, 10:56 AM   #104
 

Quote:
Originally Posted by ryoko_no_usagi
Why do you think there is nothing in RAM?
RAM needs power to hold anything. RAM is wiped out when you power the PSP down or if you take out the battery.
Networkgamer is offline  
Old 06-05-2006, 07:04 PM   #105

Awesome
Goldrush is offline  
Old 06-05-2006, 08:03 PM   #106

Quote:
but what I've gathered is that for the 2nd decryption (of the real firmware loader code), the headers are unmangled with data from RAM.
He could be talking about some time after power up.
Something has to be done to decrypt the firmware files in flash.

Last edited by Art; 06-05-2006 at 08:06 PM..
Art is offline  
Old 06-06-2006, 01:39 AM   #107
 

With the appearance of Devhook 0.4, it seems this BIOS thingy may not be total BS. But then what's the point of doing it on an expensive (and somewhat risky) hardware modchip when you can already do so in software emulation on 1.5 (especially for 1.5 users)?
AnimeTheme is offline  
Old 06-06-2006, 04:05 AM   #108
 

Damn straight, within the next 2 weeks, expect to see a lot of programs popping up using and refining the method of Devhook 0.4. It is seriously a significant breakthrough!

Steviedee>>>
steviedee is offline  
Old 06-07-2006, 10:25 PM   #109

damnit this week is SLOW
Resso is offline  
Old 06-07-2006, 10:28 PM   #110

Quote:
But then what's the point of doing it on an expensive (and somewhat risky) hardware modchip when you can already do so in software emulation on 1.5 (especially for 1.5 users)?
Because devhook doesn't play every game.. SF3alpha, nfsur...
Just because piracy isn't allowed here, doesn't mean it doesn't exist, and is probably the
main driving force behind commercialising a modchip.
Art is offline  
Old 06-08-2006, 09:18 PM   #111

Well, I'm officially losing my mind
Resso is offline  
Old 06-09-2006, 01:42 AM   #112

Quote:
Originally Posted by Art
Quote:
Originally Posted by Ryoko_no_usagi
but what I've gathered is that for the 2nd decryption (of the real firmware loader code), the headers are unmangled with data from RAM.
He could be talking about some time after power up.
Something has to be done to decrypt the firmware files in flash.
Well, here's how it is:

Pre-IPL initial bootstrap code embedded in the CPU copies encrypted (and signed) IPL from flash to RAM at 0x040f0000. A little bit surprising since, unless I'm misreading something, this is embedded video RAM/framebuffer. The on-chip boot code then runs the decryption hw on this code to decrypt and verify the signature. Then execution jumps to 0x040f0000 and the code in IPL finally begins to execute.

For pre-2.60 IPLs, the next steps are to do some simple initialization and to decompress an embedded gzip file and then start executing the decompressed contents. Here more initializations take place and a second decryption process is initiated that decrypts the "real" IPL which is then used to bootstrap the firmware.

TyRaNiD wrote the following about how 2.60 IPL changed:

"You cannot decrypt the 2.6 3rd stage part of the IPL as it decodes it before the usual decryption and the decode key is based on what is in ram at powerup which we have been unable to determine (cause it is long gone before we get our hands on it). Might be something to put aside for the hardware hackers."

I have looked at 2.70 (and I assume 2.60 is the same) and here's my take on it:

The embedded gzip-file is now stored in encrypted form. The IPL decrypts the file using a software algorithm with a key created from RAM contents. After that it erases the key so that no one can later snoop in the PSP memory and find it.

I haven't dug deep enough to understand which cipher algo they are using nor how the key is constructed, but I think it comes from the 0xbfc00000 area. This is embedded RAM for the Hardware Exception Vectors. That means it is NOT possible to attach a hardware snooper and learn the key (unless one opens up the chip and probes the bare die of course).

EDIT: It appears SHA-256 is used for something.

EDIT2: From the looks of it, it seems SHA-256 is run on data collected from 0xbfc00000 to produce a string of "randomized" bytes. These are then XOR'd with the encrypted gzip file to decrypt it.

EDIT3: The XOR decode stream seems to be generated by using the Mersenne Twister algorithm with the SHA-256'd data as input seed.

Last edited by ryoko_no_usagi; 06-10-2006 at 12:17 PM..
ryoko_no_usagi is offline  
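The stage-2 decryption ryoko_no_usagi sketches in EDIT2 and EDIT3 (SHA-256 over a region of exception-vector RAM, the digest seeding a Mersenne Twister whose output is XORed over the encrypted gzip), modelled as an added example in Python. This is not code from the post, from TyRaNiD, or from any PSP firmware. Everything the thread leaves unsaid is an assumption here: that the generator is MT19937, that the first four digest bytes become the 32-bit seed, that 32-bit outputs are emitted little-endian, and the contents of the 0xbfc00000 region, which a constructed byte string stands in for. What it demonstrates is the practical point of the thread: with the boot-time RAM snapshot the decryption is deterministic, and once that key material is wiped a homebrew app running after boot gets only garbage back.

```python
"""Model of the 2.60+ IPL stage-2 decryption as described in the thread:
SHA-256(RAM region) -> seed -> MT19937 keystream -> XOR over encrypted gzip.
Added example; seeding, byte order and sample RAM are assumptions, not PSP facts."""
import gzip
import hashlib
import zlib
from typing import Optional, Tuple


class MT19937:
    """Textbook 32-bit Mersenne Twister, written out so no library seeding quirks leak in."""
    N, M = 624, 397

    def __init__(self, seed: int) -> None:
        self.mt = [0] * self.N
        self.index = self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF

    def _twist(self) -> None:
        for i in range(self.N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % self.N] & 0x7FFFFFFF)
            v = self.mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                v ^= 0x9908B0DF
            self.mt[i] = v
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def derive_seed(ram_region: bytes) -> int:
    """SHA-256 the RAM snapshot and fold the first 4 digest bytes into a 32-bit seed.
    ASSUMPTION: the thread only says SHA-256 output seeds MT; the reduction is ours."""
    digest = hashlib.sha256(ram_region).digest()
    return int.from_bytes(digest[:4], "little")


def keystream(seed: int, length: int) -> bytes:
    """Emit MT19937 outputs as little-endian 32-bit words until `length` bytes exist (assumed order)."""
    mt = MT19937(seed)
    out = bytearray()
    while len(out) < length:
        out += mt.next_u32().to_bytes(4, "little")
    return bytes(out[:length])


def xor_with_ram_key(data: bytes, ram_region: bytes) -> bytes:
    """XOR is its own inverse: the same call encrypts and decrypts."""
    ks = keystream(derive_seed(ram_region), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def decrypt_stage2(blob: bytes, ram_region: bytes) -> Optional[bytes]:
    """Decrypt, then gunzip. Returns None when the key material was wrong,
    which is what a later homebrew app sees once the boot-time RAM contents are gone."""
    try:
        return gzip.decompress(xor_with_ram_key(blob, ram_region))
    except (OSError, EOFError, zlib.error):
        return None


# Constructed inputs: a stand-in for the 0xbfc00000 region at power-up and a toy "real IPL".
BOOT_RAM = bytes(range(256)) * 4        # constructed, not real PSP data
WIPED_RAM = bytes(4 * 256)              # what an app sees after the IPL erases the key
REAL_IPL = b"stage-3 IPL payload " * 32  # constructed plaintext
ENCRYPTED_GZ = xor_with_ram_key(gzip.compress(REAL_IPL, mtime=0), BOOT_RAM)


def demo() -> Tuple[bool, bool]:
    """(recovers with boot-time RAM, recovers with wiped RAM)."""
    ok = decrypt_stage2(ENCRYPTED_GZ, BOOT_RAM) == REAL_IPL
    gone = decrypt_stage2(ENCRYPTED_GZ, WIPED_RAM) == REAL_IPL
    return ok, gone


if __name__ == "__main__":
    print(demo())
```

The generator is written out rather than taken from `random` because Python seeds its MT from an array, which would change the keystream for the same 32-bit seed; with the textbook initialisation, seed 5489 gives the well-known first output 3499211612, which is a cheap sanity check before trusting the rest. The gzip round trip doubles as the integrity check the thread implies: a wrong key does not produce a plausible gzip header, so the failure mode is a refused decompression, not silently wrong code.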
Old 06-10-2006, 01:33 AM   #113
 

Wait a minute! I think I've seriously misunderstood something...
Has the PSP got shared video/system RAM???
If it does, |\/|!cr0$0%7 is copying Sony...
Cuz X360 has shared RAM (also?)...
Djhg2000 is offline  
Old 06-25-2006, 12:35 PM   #114
 

No, the PSP does not have shared video memory. It has 32 megs of RAM, 4 megs of eDRAM and 2 or 4 megs of video; I don't remember which one though. And also, is it true that you need U.P. to run this? Because I keep hearing that you can with Devhook, and if not, why?
Networkgamer is offline  
Copyright © 2010, QJ.NET. All Rights Reserved.