Firmware file system access via wipeout browser

[nem]

As Vampire posted at dev forum, UMD file system can be accessed via wipeout browser using file://disk0:/...
Firmware, or on-board flash chip file system can be accessed by same way using flash0 as drive string.

Code: Select all

<a HREF="file&#58;//flash0&#58;/vsh/etc/version.txt">version.txt</a><br>

Only .txt can be accessed. .cer .prx .rco .bmp unreachable maybe because browser does not follow link if extention is not txt or png or so. I tried some but I can not, but there could be a way.
flash0: is system file volume. config file volume also can be accessed i think but i have not tried.

It is pretty useless but for your interest.

[nem]

I should post some specimen.

Firmware version 1.00

release:1.00:
build:228,0,3,1,0:root@psp-vsh
system:17919@release_103a,0x01000300:
vsh:p4029@special_day1,v9972@special_day1,20041201:

Firmware version 1.50, updated from 1.00

release:1.50:
build:376,0,3,1,0:root@psp-vsh
system:20182@release_150,0x01050001:
vsh:p4201@release_150,v11079@release_150,20050201:

version.txt of Leaked firmware. Not obtained by browser. FYI :)

release:1.00:
build:106,1:root@psp-vsh
system:16214,0x00100000:
vsh:2004_1104_s16214_p3883_v8335:

[Drakonite]

Has anyone tried setting up a link that posts a file?

I would assume the browser probably doesn't support the right HTTP stuff, but assumptions are dangerous and I don't have one here to try with..

[ooPo]

Leaked firmware, eh? How did you manage that? :)

[vvuk]

Leaked firmware, eh? How did you manage that? :)

Is this the leaked breaks-your-PSP firmware? Or another? If it's the leaked one, it certainly seems like someone packaged together a 1.0 firmware... perhaps it's the firmware for the PSP development boxen?

[Warren]

ooPo: I think by leaked firmware he's referring to the same FW that killed your PSP

[ooPo]

I'm impressed he took the effort of flashing with it to dump it off the chip.

[Warren]

Nem: have you tried the elf loader from 1.0 on a 1.5 system?

[nem]

Ah, I already menthioned flashing in another thread. I need more sleep. my head sucks.

I have not try to replace loader after I can execute some PBPs on 1.0. Listed in TODO list.

[Herman]

I tried using the Network Update function with this and http://forums.ps2dev.org/viewtopic.php?t=1606, but it only seems to download files if the URI is http:// (not file://).

[lmx]

theres firmware images in the official sdk, for devkit, most likely will hang consumer units.

don't forget umds contain firmware updates too, so flash your firmware, play a game off umd, and patch mismatch skullduggery beckons

[Pikoro]

Has anyone tried setting up a link that posts a file?

I would assume the browser probably doesn't support the right HTTP stuff, but assumptions are dangerous and I don't have one here to try with..

Yah, volksport (pspirc.com) and I spent about 4 hours going over this and trying to find a way to get the psp to send a file. Sony has blocked text input into a file input box.

On top of that, you can't autofill the field with either value= or any type of javascript.

This is to prevent people from automatically downloading files from people's systems.

But the little extra of not allowing anyone to fill in the inputbox at all was extremely frustrating.

here's the link to my test stuff: http://www.psphacks.net/forums/viewtopic.php?t=718

[Phour20]

i havent sent a file but using a form on my website that can be found in a dif link, I was able to have the a Text file that i filled out on my PSP sent to the webserver.. Not sure if this is much help but the form was something that frontpage had set up for me.. I just left it.. It prob creates it server side.. But I did find it interesting that it did indeed work..

edit - just wanted to add a link to the text file that was created using the form..

http://home.new.rr.com/pspscene/feedback.txt

[Shine]

On top of that, you can't autofill the field with either value= or any type of javascript.

You can send data created by javascript, see for example this thread. But this may not help in sending files from the PSP to a server.

[Phour20]

playing w/ the script above I am able to look at the new text files posted from the file list dump of the 1.0

in //flash0:/KD/

pspbtcnf.txt
pspbtcnf_game.txt
pspbtcnf_updater.txt
pspcnf_tbl.txt

what I found is anywhere there is a space in the file name.. UNDERSCORE must be used.. I was getting the Network Connection screen when just using spaces.. These files can be viewed and exist on the 1.5 firmware also but I have know clue what happens if you view them on 1.0.. in 1.5 they seem to be encrypted cuz I dont get plain text and they arent readable..

I wanted to see what was contain'd in them due to the fact that they seem to hold config data for button configurations (thats my guess from the names)

Hope this can be of some help.. prob not but anyways..

Thanks NEM for givin us so much to play with..

[skippy911]

playing w/ the script above I am able to look at the new text files posted from the file list dump of the 1.0

in //flash0:/KD/

pspbtcnf.txt
pspbtcnf_game.txt
pspbtcnf_updater.txt
pspcnf_tbl.txt

what I found is anywhere there is a space in the file name.. UNDERSCORE must be used.. I was getting the Network Connection screen when just using spaces.. These files can be viewed and exist on the 1.5 firmware also but I have know clue what happens if you view them on 1.0.. in 1.5 they seem to be encrypted cuz I dont get plain text and they arent readable..

I wanted to see what was contain'd in them due to the fact that they seem to hold config data for button configurations (thats my guess from the names)

Hope this can be of some help.. prob not but anyways..

Thanks NEM for givin us so much to play with..

They are encrypted on the 1.0 firmware as well.

[Phour20]

thanks for checkin that out skippy...

[laichung]

I have a question.
if we got the same name file on firmware 1.0 and firmware 1.5
and if we know that two files should have same content.

if we can decrypted file from 1.5 to 1.0 , is that mean we found the key?

and if all the file on firmware 1.5 is encrypted but 1.0 not, the loading speed of 1.5 should be much slower than 1.0 since machine need time to decode the file. is that right?

[Cogboy]

I'm not sure if the loading times would be that different as the psp uses a hardware decoder which is a lot faster than doing it through software. as for comparing two similar files in order to extrapolate the key, the above is pretty much the limit of my knowledge on the subject. Maybe someone else knows something?

[laichung]

hardware decode must consume some time , since all the files need decode , but we dont know how much they need. I just assume it will double the time. Anyway , it doesnt matter , the true is that most files inside 1.5 is encoded.

And I hope someone can extract the key soon so that we can run app in 1.5 too.

I'm not sure if the loading times would be that different as the psp uses a hardware decoder which is a lot faster than doing it through software. as for comparing two similar files in order to extrapolate the key, the above is pretty much the limit of my knowledge on the subject. Maybe someone else knows something?

[Shine]

hardware decode must consume some time , since all the files need decode , but we dont know how much they need. I just assume it will double the time. Anyway , it doesnt matter , the true is that most files inside 1.5 is encoded.

Why do you think that hardware decoding must consume some time? It could be simply one more element in the pipeline from memory, cache etc. to CPU and because it is optimized hardware, it could run at full DMA speed, so there may be perhaps some microseconds latency at start for the addtional pipeline element, but encrypted continuous memory transfer could be as fast as unencrypted.

[laichung]

why I think that decode must consume time , because it will need few more cpu instructions before it can run.

consider two cases:
case 1 : before PSP app run , it will decode all the files it need to run , and then put it into the main memory to run , then the boot time of the app. should be longer that that dont need decode. In this case , the app will run at normal speed , since the file is already decode when in run.

case 2 : those files decode JIT(just in time) , what i mean is , those file will decode when it use , or when PSP access to it.
Then some cpu power will be used to decode the file. But this will make some error if the cpu power is heavily used by other process.

OK , if PSP have a extra chip to decode , and it can decode JIT, this extra cpu should have same clock to the core cpu (or faster , if not , the core cpu may need to wait the decode cpu , this should not be happen)

hardware decode must consume some time , since all the files need decode , but we dont know how much they need. I just assume it will double the time. Anyway , it doesnt matter , the true is that most files inside 1.5 is encoded.

Why do you think that hardware decoding must consume some time? It could be simply one more element in the pipeline from memory, cache etc. to CPU and because it is optimized hardware, it could run at full DMA speed, so there may be perhaps some microseconds latency at start for the addtional pipeline element, but encrypted continuous memory transfer could be as fast as unencrypted.

[pixel]

Nowadays, decoding is like just as fast as a badly coded memcpy. So, when the console reads the crypted module from disc/bios/whatever and load it in memory, the loading could be done via simple crypto (note that rsa is usually employed to do the crypto of a big key which in turn is used in a simplier crypto layer) without too much trouble via an unencryption routine similar to what memcpy should do when loading an unencrypted module.

And if it's an external chip which does the crypto work (just like on ps2 mind you) nowadays some people are able to code rc4 on a quarter of a small asic's surface which work full speed basically.


So, your "it would be much slower" is wrong, human-wise speaking (it's right though, machine-wise speaking: 15ms is much slower than 1ms for a device)

[iedoc]

i don't know if you guys have figured anything out, but im pretty good at decrypting code, so if you gave me the encrypted code from one file on the v1.0 version, and encrypted code from the same file that should have the same contents from v1.5, i might be able to write a program or just figure out how to decrypt it.

[pixel]

Wow.

[zigzag]

i don't know if you guys have figured anything out, but im pretty good at decrypting code, so if you gave me the encrypted code from one file on the v1.0 version, and encrypted code from the same file that should have the same contents from v1.5, i might be able to write a program or just figure out how to decrypt it.

Anything to back up a claim like that?

[iedoc]

sorry, i thought it was worth a try. i don't have any proof to back it up, but im not very good at this hacking stuff, i know im pretty good at decifering things though. i don't have a v1.0 psp, so i couldn't get a file from that, but i have a v1.5 psp, and if i knew how, i might be able to get a file off of it.

[Shine]

i might be able to write a program or just figure out how to decrypt it.

Ok, maybe it is AES encrypted. I don't have the PSP code, but just a quick warm-up for you:

Code: Select all

unencrypted: This is a secret text
encrypted: lpclfmgfjddoelfdpnhdhjeokbmoolfmfdckldakbbijknegnahimbbcelfpjndj

And something you don't get as easy from the PSP, some Java code, which created the encryption (I've omitted trivial things like class declaration, imports etc.):

Code: Select all

public static String asciiEncodeBytes(byte[] bytes) {
	StringBuffer out = new StringBuffer(bytes.length * 2);
	for &#40;int i = 0; i < bytes.length; i++&#41; &#123;
		int high = &#40;&#40;&#40;int&#41; bytes&#91;i&#93;&#41; & 0xf0&#41; >> 4;
		int low = bytes&#91;i&#93; & 0xf;
		out.append&#40;&#40;char&#41; &#40;high + 'a'&#41;&#41;;
		out.append&#40;&#40;char&#41; &#40;low + 'a'&#41;&#41;;
	&#125;
	return out.toString&#40;&#41;;
&#125;

public static byte&#91;&#93; asciiDecodeBytes&#40;String bytes&#41; &#123;
	int len = bytes.length&#40;&#41; / 2;
	byte&#91;&#93; result = new byte&#91;len&#93;;
	int j = 0;
	for &#40;int i = 0; i < len; i++&#41; &#123;
		int high = &#40;int&#41; &#40;bytes.charAt&#40;j++&#41; - 'a'&#41;;
		int low = &#40;int&#41; &#40;bytes.charAt&#40;j++&#41; - 'a'&#41;;
		result&#91;i&#93; = &#40;byte&#41; &#40;&#40;high << 4&#41; | low&#41;;
	&#125;
	return result;
&#125;

private static Cipher cip;

private static Key key;

private static void initAes&#40;&#41; throws InvalidKeySpecException, NoSuchAlgorithmException, NoSuchPaddingException &#123;
	if &#40;cip == null&#41; &#123;
		// create key
		final byte keyArray&#91;&#93; = &#123; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 &#125;;
		key = new Key&#40;&#41; &#123;
			public byte&#91;&#93; getEncoded&#40;&#41; &#123;
				return keyArray;
			&#125;

			public String getAlgorithm&#40;&#41; &#123;
				return "AES";
			&#125;

			public String getFormat&#40;&#41; &#123;
				return "RAW";
			&#125;
		&#125;;

		// create cipher object
		cip = Cipher.getInstance&#40;"AES/ECB/PKCS5Padding"&#41;;
	&#125;
&#125;

public static String aesEncrypt&#40;String text&#41; throws IOException, GeneralSecurityException &#123;
	if &#40;text == null&#41;
		return text;
	initAes&#40;&#41;;
	cip.init&#40;Cipher.ENCRYPT_MODE, key&#41;;
	byte&#91;&#93; input = text.getBytes&#40;"utf8"&#41;;
	ByteArrayOutputStream outs = new ByteArrayOutputStream&#40;&#41;;
	CipherOutputStream cout = new CipherOutputStream&#40;outs, cip&#41;;
	cout.write&#40;input&#41;;
	cout.close&#40;&#41;;
	return asciiEncodeBytes&#40;outs.toByteArray&#40;&#41;&#41;;
&#125;

public static String aesDecrypt&#40;String text&#41; throws IOException, GeneralSecurityException &#123;
	if &#40;text == null&#41;
		return text;
	initAes&#40;&#41;;
	cip.init&#40;Cipher.DECRYPT_MODE, key&#41;;
	byte&#91;&#93; input = asciiDecodeBytes&#40;text&#41;;
	ByteArrayOutputStream out = new ByteArrayOutputStream&#40;&#41;;
	CipherOutputStream cout = new CipherOutputStream&#40;out, cip&#41;;
	cout.write&#40;input&#41;;
	cout.close&#40;&#41;;
	return new String&#40;out.toByteArray&#40;&#41;, "utf8"&#41;;
&#125;

Now you only have to find the right keyArray values. Bonus: encrypt some own text, I'll verify it. If you've managed this, you can start to think about the PSP crypting.

[iedoc]

i don't do java

[iedoc]

i almost had it, but i guess not. i might be able to figure it out if i know what out.append((char) was and & 0xf was, im sorry, but i don't anything about java, except it seems to be alot like c++.