This article is mostly based on my guess, so there could be some errors.
IPL overview
Within the on-board flash ROM, there exist non fat organized area which contains encrypted bootstrap code, or IPL; Initial Program Loader. While booting up CPU reads the area, decrypt it, store to main memory, and run it. IPL itself is located at 0x40000..0x73fff (system1.00) and its flash ROM block numbers at 0x10000..0x13fff. Upon power-up CPU reads 0x10000..0x101ff, then 0x4000..0x73fff.
Code: Select all
00010000..00013fff  block numbers of IPL
00010000  10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 
00010010  18 00 19 00 1A 00 1B 00 1C 00 00 00 00 00 00 00 
  remaining is all 00  Code: Select all
00040000..00073fff  encrypted IPL
every 0x1000 bytes following pattern exists, 
i.e. 0x00040060..0x0004008f, 0x00041060..0x0004108f, 0x00042060..0x0004208f, ... 
 +60  01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 
 +70  60 0F 00 00 10 00 00 00 00 00 00 00 00 00 00 00 
 +80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
others seems to be random-looking dataHow to decrypt IPL
IPL is organized as series of 0x1000 byte blocks, each block contains 0xf60 byte of unencrypted data which includes loading address and so on. Every block can be decrypted by following code;
Code: Select all
//IPL block decryption
unsigned char iplbuf[0x80000] __attribute__((aligned(64)));
unsigned long (*semaphore_2)(void *a0,unsigned long a1, void *a2,
  unsigned long a3, unsigned long a4)
  =(void *)0x880571CC;  //system 1.00, possibly same as PspPet's g_mangleProc
//returns zero if successed
unsigned long decrypt_iplblock(void *iplblock)
{
  _memcpy(iplbuf+0x40,iplblock,0x1000);
  return semaphore_2(iplbuf,0x1040,iplbuf+0x40,0x1000,1);
}
Code: Select all
offset   size   description
+0x000    4     address to load
+0x004    4     size of data body
+0x008    4     ordinally zero, nonzero for entry point??
+0x00c    4     unknown, check digit??
+0x010   0xf50  unencrypted data body
Organization of unencrypted IPL of system 1.00
Unencrypted IPL consists of three part. (1) plaintext mips code starts from offset +0, (2) gzip'ed loader program named main_led.bin from offset +0xcc0, and (3) again encrypted 'iplpayload' from offset +0x10000. Plaintext mips code initializes the system and unpack main_led.bin to address 0x04000000 and jump to this address. Possiblly main_led.bin decrypt and load the iplpayload, not confirmed yet though. And iplpayload seems to load everything rest.
Iplpayload can be decrypted by following code;
Code: Select all
//iplpayload decryption for 1.00
//uipl should point offset +0 of unencrypted IPL, size is size of unencrypted IPL
//returns zero if successed, you get unencrypted iplpayload in iplbuf
unsigned long decrypt_iplpayload(void *uipl, unsigned long size)
{
  _memcpy(iplbuf+0x40,uipl+0x10000,size-0x10000);
  return semaphore_2(iplbuf,size+0x40,iplbuf+0x40,size,1);
}
Iplpayload have decryption routine of prx, ~PSP format, along with the table which is the base of PspPet's "step1_result".
Discussion
IPL is decrypted by CPU onchip boot ROM, which may have limited function. Theoretically, decryption of IPL enables us to decrypt all files on further versions, until sony thinks out something spechial anti-hack measure. If sony do not have some sort of secret weapon, this could be difficult to achieve.
hanya-n :)


