Discussion On The PBP File Format

ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Discussion On The PBP File Format

Post by ooPo »

/PSP/GAME/UPDATE/EBOOT.PBP - What is it?

We know it is the file the PSP saves its downloaded network updates as. We also know it is an uncompressed archive of files. These files seem to be similar to an everyday PSP savegame... well, maybe some of them.

A PBP file starts with a simple header. Here's what it looks like to me:

Code:

typedef struct {
    char signature[4];  /* "\0PBP" */
    int  version;       /* 0x00010000 */
    int  offset[8];     /* start of each of the eight embedded files */
} HEADER;

A simple signature ("\0PBP"), a version number (0x00010000), and the offsets for the eight embedded files. Next follows the actual data of each embedded file. But what are these files? Well, there's no other information given in the header. Taking a few hints from the PSP savegame filenames, we can guess at the following:

Code:

/* guessed names, in header offset order */
char *filename[8] = {
    "PARAM.SFO", "ICON0.PNG", "ICON1.PMF", "UNKNOWN.PNG",
    "PIC1.PNG", "SND0.AT3", "UNKNOWN.PSP", "UNKNOWN.PSAR"
};

The ones named UNKNOWN are the most interesting. They do not have any equivalent in a normal savegame so most likely they contain the update itself. Their extensions are named by their signatures - three or four letters located at the beginning of each file. Let's take a look at them:

UNKNOWN.PNG - This is a simple PNG file, most likely used in the main menu to display a picture of what this file does to the user. (85299 bytes)

UNKNOWN.PSP - This is most likely an executable file. It contains the text 'UPDATER' but doesn't appear to be uncompressed or unencrypted. (3387376 bytes)

UNKNOWN.PSAR - Maybe an archive, maybe the actual firmware for the updater program to use. Who knows? It is fairly large, though. (11183216 bytes)

So, where do we go from here? Well, it would be nice to see if we can decode the PSP and PSAR files. Looking around at various press releases we can see that the PSP supports two types of encryption: MagicGate and 128bit AES. There's a few interviews that say you only need a MagicGate card if you're going to use the card for more than standard game saves.

So, feel free to take a stab at it. Any brilliant ideas out there?

I've written a program to unpack the PBP files. It can be found at: http://www.oopo.net/consoledev/files/unpack-pbp.c
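
The header layout described in this post, as an added example (it is not ooPo's unpack-pbp.c and not part of the original thread): a C parser that reads the 40-byte header and rejects offsets that point into the header, go backwards or run past the end of the file before anything is extracted. Little-endian byte order, the names `pbp_parse` and `pbp_info`, and the 52-byte sample are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PBP_FILES 8
#define PBP_HDR   (8 + 4 * PBP_FILES)          /* signature + version + 8 offsets = 40 */

typedef struct { uint32_t version; size_t offset[PBP_FILES], size[PBP_FILES]; } pbp_info;

/* Assumption: header words are little-endian, like the words in the ~PSP dump. */
static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 if the header is sane, a negative code otherwise. Sizes are derived:
   each file runs from its offset to the next offset (the last one to end of file). */
int pbp_parse(const uint8_t *buf, size_t len, pbp_info *out) {
    if (len < PBP_HDR) return -1;                        /* truncated header */
    if (memcmp(buf, "\0PBP", 4) != 0) return -2;         /* wrong signature */
    out->version = rd32le(buf + 4);
    for (int i = 0; i < PBP_FILES; i++)
        out->offset[i] = rd32le(buf + 8 + 4 * i);
    for (int i = 0; i < PBP_FILES; i++) {
        size_t start = out->offset[i];
        size_t end = (i + 1 < PBP_FILES) ? out->offset[i + 1] : len;
        if (start < PBP_HDR || start > len) return -3;   /* points into header or past EOF */
        if (end < start || end > len) return -4;         /* next offset backwards or past EOF */
        out->size[i] = end - start;
    }
    return 0;
}

/* Constructed 52-byte sample: eight tiny members, not data from a real update. */
static const uint8_t PBP_SAMPLE[52] = {
    0x00, 'P', 'B', 'P',  0x00, 0x00, 0x01, 0x00,       /* "\0PBP", version 0x00010000 */
    40,0,0,0, 44,0,0,0, 44,0,0,0, 44,0,0,0,            /* offsets of files 0..3 */
    44,0,0,0, 44,0,0,0, 46,0,0,0, 50,0,0,0,            /* offsets of files 4..7 */
    'S','F','O','!', 'A','T', '~','P','S','P', 'P','S' /* payload bytes 40..51 */
};

int main(void) {
    pbp_info info;
    int rc = pbp_parse(PBP_SAMPLE, sizeof PBP_SAMPLE, &info);
    printf("rc=%d version=0x%08x\n", rc, rc ? 0u : (unsigned)info.version);
    for (int i = 0; rc == 0 && i < PBP_FILES; i++)
        printf("file %d: offset %zu, %zu bytes\n", i, info.offset[i], info.size[i]);
    return rc ? 1 : 0;
}
```

Because the header stores no sizes, every length an unpacker uses is derived from the offsets, which is why each offset is checked before it is trusted.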
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

Information on AES:

http://en.wikipedia.org/wiki/AES

There's a nice, clean implementation of AES available at:

http://www.cr0.net:8040/code/crypto/aes

Not that I'd suggest brute forcing it, but it's good info to know. :)
Guest

Post by Guest »

UNKNOWN.PSAR is definitely an archive. Pixel and I worked on decoding the format a few days back, but the information contained on the archive segments within is still elusive. However, what we discovered about the format itself is still quite interesting. :)

I will post up the details shortly.
Drakonite
Site Admin
Posts: 990
Joined: Sat Jan 17, 2004 1:30 am

Post by Drakonite »

I'd just like to point out the file we are trying to parse still could be a fake ;)
Shoot Pixels Not People!
Makeshift Development
Guest

Post by Guest »

Drakonite wrote: I'd just like to point out the file we are trying to parse still could be a fake ;)
And if we can determine that, that is STILL useful information. However, only by examination will we hopefully find such useful information, one way or the other. :)
Drakonite
Site Admin
Posts: 990
Joined: Sat Jan 17, 2004 1:30 am

Post by Drakonite »

gorim wrote:
Drakonite wrote: I'd just like to point out the file we are trying to parse still could be a fake ;)
And if we can determine that, that is STILL useful information. However, only by examination will we hopefully find such useful information, one way or the other. :)
Absolutely. I just wanted to point that out for those that are just tuning in.
mc
Posts: 211
Joined: Wed Jan 12, 2005 7:32 am
Location: Linköping

Re: Discussion On The PBP File Format

Post by mc »

ooPo wrote: Looking around at various press releases we can see that the PSP supports two types of encryption: MagicGate and 128bit AES. There's a few interviews that say you only need a MagicGate card if you're going to use the card for more than standard game saves.
AFAIK, MagicGate is for DRM, so it is probably not applicable. Also, I think the encryption key for MagicGate is unique for each memory stick, so pre-encryption of a file to be downloaded over the Internet would probably not work. (The PSP could encrypt the file when storing it on the stick, but that does not seem to happen, nor would there be much point.)

Anyway, the benefit from encrypting the binary at all would be rather limited; since the PSP can run it it would have to contain the decryption key, so anyone who wants it bad enough could get it (remove the flash chip with a hot-air gun and put it in a reader). What would make sense would be cryptographically signing the binary, but that is typically done by just signing a hash of the file contents, so it would not change the data itself. Thus, my money is on compression rather than encryption. (Of course, there could be some simple obscurity measure as well, like the scrambling used on Dreamcast CD-ROM binaries, but real cryptographic encryption would be a waste of computrons IMO.)

Of the two "mystery files", I think UNKNOWN.PSP is the more interesting one. We know that it is "real" in the sense that the PSP will actually run it, resulting in display of some text and an option to toast the PSP. :-)

The compressed (encrypted, whatever, we know it's not clear text anyway since we can't find the messages that the program displays) part seems to start at offset 0xd3 at the earliest, because there are long sequences of 0-bytes before that which should not occur in compressed or encrypted data. So anything before that should be some kind of header. In particular, I found these:

000020 00 00 00 00 00 00 01 02 a0 ae 33 00 f0 af 33 00

The last two 32-bit words are 0x33aea0 and 0x33aff0. This is 3387040 and 3387376 respectively. The significance of these particular numbers becomes evident if you look at the file size: 3387376 bytes. So the last number is the size of the entire file. The first one is 336 less, possibly the size of just the compressed/encrypted data. This would indicate that this data must start no later than at offset 0x150.

This shorter size occurs once more before the "header" part ends:

0000b0 a0 ae 33 00 80 00 00 00 00 00 00 00 00 00 00 00

Could be an offset this time?
beatwho
Posts: 28
Joined: Wed Dec 15, 2004 4:58 pm

Post by beatwho »

I wrote a little program to make it easier for me to replace individual files in a pbp file

http://b2.nakedinjapan.net/pbpview.exe

so far i've only been playing with replacing tga files and it's worked ok, maybe it'll be of some use to you.

to replace a file load the PBP file, click on the file you want to replace, click on "Replace File" then select the new file, when you've finished replacing files click on save and save it to EBOOT.PBP under a dir in the game dir.

e.g. /PSP/GAME/aaa/EBOOT.PBP

here is a test file if you wanna try replacing a graphic
http://b2.nakedinjapan.net/PIC1.PNG

and a replacement audio file
http://b2.nakedinjapan.net/SND0.AT3
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

Looking at the PSP file, I see the following:

Code:

~PSP
0x00080000 (version? number of sections?)
0x0101 (section 1, or maybe type 101?)
updater, terminated by 21 nulls (char[28]?)
0x0102 (section 2, or maybe type 102?)
long = 3387040 (total file size - 336)
long = 3387376 (total file size)
long = 8108 (??)
long = 988840 (??)
long = 221044 (??)
short = 64 (??)
short = 64 (??)

I noticed there's also no large occurrences of 0000 after offset 212, which could mean the encrypted/compressed data starts possibly there, or at 336. I dunno...
Guest

Post by Guest »

One might speculate, based on Uspual's experiments, and given the two options in the update image:
  • "reboot to play a game"
  • "flash to destroy your PSP"
...that the PSP image is the firmware update flasher program which also contains the firmware code itself, and the PSAR image is a bootable game image.

Maybe someday we will figure out for sure. :)
florinsasu
Posts: 47
Joined: Wed Dec 15, 2004 4:23 am

Re: Discussion On The PBP File Format

Post by florinsasu »

ooPo wrote: UNKNOWN.PNG - This is a simple PNG file, most likely used in the main menu to display a picture of what this file does to the user. (85299 bytes)
That would be PIC0.PNG

btw: if you chop the eboot.pbp to the point unknown.psp file starts (ie. removing "dangerous" last 2 files), you can place it in game\update directory and "see" it in the browser.
Klendathu
Posts: 20
Joined: Mon Feb 14, 2005 10:12 pm

Post by Klendathu »

we know that bios space is scarce, so an inbuilt flasher program would not be a necessity if you could run code from stick or drive.

sony starting a "service" where you can send your deadflashed psp in and have it repaired at some costs tells me one thing:
they wouldn't do it if they had to open the psp manually

http://www.sony.net/Products/SC-HP/cx_n ... pdf/tw.pdf

from this I would say it is enough if the files are encrypted once and then spread out. so users with no wlan access could receive updates on umd or usb link. hardware extensions like keyboard etc, also might require an update of the bios and I can't imagine these being limited to Wlan owners.
zigzag
Posts: 129
Joined: Wed Jan 26, 2005 2:11 pm

Post by zigzag »

Very interesting discussion. My two cents: perhaps the .PSP file is not an actual application that is executed, but rather a datafile that the PSP system software recognizes and knows what to do with? I.e. it looks at the file contents and determines that this is an update file. I think that's a possibility.
Lain_OTN
Posts: 17
Joined: Tue Mar 01, 2005 7:18 am

Compressed or Encrypted?

Post by Lain_OTN »

I made a "stupid" experiment: I tried to compress the .PSP file and the .PSAR file with RAR at maximum compression. The result: the "rared" .PSP file was 71KB greater, and the PSAR file had a very low compression ratio. If the PSP file is an executable, the file must be compressed (besides encrypted).
zigzag
Posts: 129
Joined: Wed Jan 26, 2005 2:11 pm

Re: Compressed or Encrypted?

Post by zigzag »

Actually that is a decent way of testing it. But, from my understanding, encrypted data is also usually not very compressible... right?
pixel
Posts: 791
Joined: Fri Jan 30, 2004 11:43 pm

Re: Compressed or Encrypted?

Post by pixel »

zigzag wrote: Actually that is a decent way of testing it. But, from my understanding, encrypted data is also usually not very compressible... right?
Definitely.
pixel: A mischievous magical spirit associated with screen displays. The computer industry has frequently borrowed from mythology. Witness the sprites in computer graphics, the demons in artificial intelligence and the trolls in the marketing department.
florinsasu
Posts: 47
Joined: Wed Dec 15, 2004 4:23 am

Re: Compressed or Encrypted?

Post by florinsasu »

Lain_OTN wrote: I made a "stupid" experiment: I tried to compress the .PSP file and the .PSAR file with RAR at maximum compression. The result: the "rared" .PSP file was 71KB greater, and the PSAR file had a very low compression ratio. If the PSP file is an executable, the file must be compressed (besides encrypted).
hey, has anyone heard of entropy? :P
[Definition: A measure of the disorder of a system.]
By compression one removes the redundancy in a stream of data. Also encryption aims for maximum disorder. So it is correct to say that when a file has a high entropy (i.e. it is not compressible any further :)) it is somehow encrypted or compressed.
It seems that .psp file is compressed and .psar is scrambled.
As an archive it has to have a structure to be easily accessible. So it probably does not have a time-consuming decoding/parsing procedure.
PinkPeach
Posts: 23
Joined: Wed Mar 02, 2005 10:36 pm

Post by PinkPeach »

Anyone tried to make a histogram analysis of the PSP file bytes? That's usually a great way to know if it's compression or cryptology.

Btw, anyone know where I could get those bios files?
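
The two measurements discussed in this thread, as an added example that is not code from any poster: mc's observation that long zero runs mark the end of the header, and the byte-histogram entropy that florinsasu and PinkPeach refer to. The function names, the 8-byte run threshold and the 1236-byte sample are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2 for x > 0 by repeated squaring, so this builds without linking libm. */
static double log2_d(double x) {
    double r = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 48; i++, bit /= 2.0) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
    }
    return r;
}

/* Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0). */
double byte_entropy(const uint8_t *buf, size_t len) {
    size_t hist[256] = {0};
    double h = 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int v = 0; v < 256; v++)
        if (hist[v]) h -= (double)hist[v] / len * log2_d((double)hist[v] / len);
    return h;
}

/* Offset just past the last run of >= min_run zero bytes (0 if there is none). */
size_t end_of_last_zero_run(const uint8_t *buf, size_t len, size_t min_run) {
    size_t run = 0, end = 0;
    for (size_t i = 0; i < len; i++) {
        run = buf[i] ? 0 : run + 1;
        if (run >= min_run) end = i + 1;
    }
    return end;
}

/* Constructed sample, not update data: 212 mostly-zero bytes, then a flat histogram. */
void make_sample(uint8_t buf[1236]) {
    memset(buf, 0, 212);
    memcpy(buf, "~PSP", 4);
    memcpy(buf + 10, "updater", 7);
    for (size_t j = 0; j < 1024; j++) buf[212 + j] = (uint8_t)(j * 167 + 13);
}

int main(void) {
    uint8_t buf[1236];
    make_sample(buf);
    size_t at = end_of_last_zero_run(buf, sizeof buf, 8);
    printf("data from %zu: header %.2f, body %.2f bits/byte\n", at,
           byte_entropy(buf, at), byte_entropy(buf + at, sizeof buf - at));
    return 0;
}
```

The constructed body is a plain arithmetic sequence, yet it scores 8.0 bits per byte: the histogram ignores byte order, so a flat result on its own does not separate compressed, encrypted and merely well-mixed data.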
pixel
Posts: 791
Joined: Fri Jan 30, 2004 11:43 pm

Post by pixel »

Discussions about entropy and histograms of these files were already made in previous threads.
bpoint
Posts: 24
Joined: Thu Mar 10, 2005 4:35 pm
Location: Okinawa, Japan

Post by bpoint »

Does anybody know how big the flash ROM is on the PSP? I remember reading somewhere the OS requires 8Mb of the 32Mb of RAM, but is that 8Mb mapped directly to ROM space?

Or do we not know that yet either? :)
Guest

Post by Guest »

bpoint wrote: Does anybody know how big the flash ROM is on the PSP? I remember reading somewhere the OS requires 8Mb of the 32Mb of RAM, but is that 8Mb mapped directly to ROM space?

Or do we not know that yet either? :)
We know, you can search the forums for this topic for a great deal more info. :) Just look down on the PSP topics list.

In short, it is a Samsung multi-chip module with 32MB ram and 32MB of flash.
bpoint
Posts: 24
Joined: Thu Mar 10, 2005 4:35 pm
Location: Okinawa, Japan

Post by bpoint »

gorim wrote: We know, you can search the forums for this topic for a great deal more info. :) Just look down on the PSP topics list.
Whoops! That must have been one of the threads I must have skimmed over too quickly. :(

Thanks, though...
IceBerg
Posts: 13
Joined: Mon Mar 28, 2005 8:34 am

Post by IceBerg »

Ok, so that I'm not doing something stupid... Is it the general thought that the unknown.psp is probably the flasher, and UNKNOWN.PSAR is a compressed archive of the bios being flashed?

If so we need only decipher what UNKNOWN.psp is doing to figure out how to uncompress the .psar, correct?
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

In theory, but that's easier said than done.
IceBerg
Posts: 13
Joined: Mon Mar 28, 2005 8:34 am

Post by IceBerg »

It's always easier said than done. I just wanted to make sure I was on the right track.

I'll be doing some packet captures of all my wifi gaming sessions soon too, if anyone thinks that will be of any help at all?
TerryMathews
Posts: 19
Joined: Thu Mar 31, 2005 5:35 am

Post by TerryMathews »

Has anyone looked to see if the code in either of the unknown files correlates to normal MIPS ASM?

If someone can post or e-mail to me the files, I'll look up the opcodes and compare them myself (if no one else has).