PSP Network Update Tricks

[ooPo]

So, the PSP is able to grab a new firmware image on the net. So, I loaded up ethereal to see what it was doing:

Code: Select all

1) DHCP for an IP.
2) Grabs a webpage: http://fj01.psp.update.playstation.org/update/jp/psp-updatelist.txt
3) Releases its DHCP lease.

Going to the webpage gives:

Code: Select all

#JP 
Dest=00;ImageVersion=00000000;CDN=http://dj01.psp.update.playstation.org/update/jp/nodata;CDN_Timeout=30;

Then GiGaHeRz had the idea of trying the us region:

http://fj01.psp.update.playstation.org/ ... telist.txt

Which gave:

Code: Select all

# Timout(sec) URI(Max 10) 
Dest=01;ImageVersion=0000000A;CDN=http://dj02.psp.update.playstation.org/update/jp/update-image01;CDN_Timeout=30;

But there was no image there. So then he tried:

http://dj01.psp.update.playstation.org/ ... te-image01

And down came a file. All by changing dj02 to dj01. But! This is what we got:

Code: Select all

# cat update-image01 | sort | uniq -c
  499999 DummyImageDataDummy
       1 DummyImageData  End

10 megs of a dummy file. So that's the trick so far... enjoy!

[ooPo]

Doing a search on google for 'update-image01' brought up this site:

http://www.geocities.jp/psp_net/

He seems to have done the same stuff, but must have done it earlier because he came up with some other info from the updatelist text. But, he got this file:

http://www.geocities.jp/psp_net/update-image01.zip

Which has some interesting contents:

Code: Select all

BOOTABLE
CATEGORY
DISC_ID
DISC_VERSION
DRIVER_PATH
LANGUAGE
PARENTAL_LEVEL
PSP_SYSTEM_VER
REGION
TITLE
ABCD-00000
1.00
1.00
APP00(balloon)
IHDR
        pHYs
MiCCPPhotoshop ICC profile

Probably fake considering the 'photoshop' stuff, but interesting anyway.

[ooPo]

While yakking with Drakonite, we both hit on the same idea of there being embedded images. He extracted them first, and here's what he found:

Image 1:


Image 2:


Image 3:


It gets stranger and stranger... I even found a blog talking about it:

http://samurai.pose.jp/ryn/blog/archive ... /index.php

Hmm... Big Bang Entertainment did a N64 version of Lode Runner, are they related? Are these ads shown while the PSP updates? Is someone fooling around with a fake update image?

Stay tuned.

[ooPo]

Go to IGN's site where they dumped the savegames on their card:

http://psp.ign.com/articles/571/571405p1.html

Take a look at some of the pics with the savegames. They're the same resolution as the extracted ones. Then take a look at some of the other files. They contain the same kind of text as in this update image. It looks to me like someone took save data from a mahjong game on the PSP and munged it together.

Bah.

[Drakonite]

So far there doesn't seem to be anything that stands out and screams "THIS IS FAKE!" but it does seem to be extremely questionable and have a lot of parts that are suspect...

So bottom line, at this point it seems like it's most likely fake but we haven't found anything to prove it one way or another.

[ooPo]

Its got to be a savegame from Mahjong Fight Club. It apparently saves HUGE amounts of stats and records games... and will only save once per card.

[pixel]

I took a short look at the file, par curiosité. Here is a little hacky ugly little piece of software that is able to split this dumped update file into subfiles. There is an obvious index at the beginning. This most probably looks like a custom SONY archive tar-like file format (PBP? this is in the first 4 bytes)

http://www.nobis-crew.org/split-update.c

First file == a PSF file, looks like directory entries or something, but it's the same format as the PARAM.SF0 in the IGN's file.
Second file == a PNG file, as previously dumped
Third file == "PSMF0012", seems to be the same format as the IGN's ICON1.PMF file.
Fourth file == another PNG
Fifth file == PNG
Sixth file == WAV file, as the IGN's SND0.AT3 file.
Seventh file == Aaaaah, now this is interesting. It says in the header "PSP updater". Ho, great :) Nothing like this in IGN's. Rest looks compressed or crypted.
Heighth file == PSAR file (AR as in ARchive?), nothing like this in IGN's. Rest looks compressed or crypted.


So, this PBP looks like it's containing subfiles, first beeing some files from a savegame, and the two last beeing "something" (but remember we didn't get any "data" as in "no savegame data"). So, we have three options now:

-) It's a fake thingy built by somebody quite good.
-) It's a real savegame, with the two last files beeing the 'data' of the game, shipped as a "bundle". Only problem is: where are the filenames? I mean, if it's a SONY compressed "savegame", it would need directories and filenames. There are none here.
-) It's a real update file, with sony having some dummy savegame data before, either by mistake, or with the intention to mess up with our minds. Or maybe the update has to go thru the "savegame" system to work. No idea.


Sooo, that's all for today; I've got lots of other things to do :) Somebody would need to try some heuristic method to uncompress the two last files, but I'd bet my two cents that this is crypted (remember the RSA logo somewhere beneath the PSP?). Just as a hint, these two files compress VERY badly (even with dictionnary algo such as bzip2). Which means that there is a huge entropy in the bytes distribution.

Have a nice day ;)

[Drakonite]

Pixel: You are overlooking a possibility. You are assuming the unknown regions are crypted data, however it's a fake it's entirely possible it's randomly generated data carefully placed to look like important binary data.

[pixel]

Yeah, thus my first "option": it's a fake built by somebody really good :)

[moose]

Here's what a simple WHOIS gives for playstation.org, the domain where the URL points:

Registrant:
PlayStation Network Project (PLAYSTATION2-DOM)
c/o Sony Computer
Entertaiment Inc 1-1, Akasaka 7-chome,
Minato-ku,
Tokyo 107-0052
JP

Domain Name: PLAYSTATION.ORG

Administrative Contact:
Sony Computer Entertainment Inc. (WA3767-ORG) [email protected]
1-1, Akasaka 7-chome, Minato-ku
Tokyo, Tokyo
JP
+81-3-5413-8000

Technical Contact:
Sony Computer Entertainment Inc. (WT1877-ORG) [email protected]
1-1, Akasaka 7-chome, Minato-ku
Tokyo, Tokyo
JP
+81-3-5413-8000

Record expires on 10-Sep-2006.
Record created on 09-Sep-2002.
Database last updated on 4-Jan-2005 14:26:18 EST.

Domain servers in listed order:

NS01.PLAYSTATION.ORG 202.213.243.152
NS02.PLAYSTATION.ORG 202.213.243.216

so it IS a Sony website... it's probably meant as a test for the upadte system... Apple does that with the Auto updates of its OS beta versions developper previews, sending dummy OS updates just to check the system works

[DiGiTaLeX]

hmmmm quite interesting!
Did your PSP actually DOWNLOAD anything, or just go to that text file with the download url, and then disconnect?

[ooPo]

Well, it downloads the text file and parses it... but doesn't do anything after that since it determines from the version number in that text file that there's no newer firmware to download.

[Synthaxx R-or]

Hi guys, i tried the same thing a couple of days ago with about the same results. I have the ethereal save for anyone who wants to take a look. I'll post it when i get home.

Something I also found is that when the PSP is done updating, the connection remains open, and it responds to ping requests. This gave me the idea of running a port scan. To my surprise if found 3 open ports, 389 (LDAP - Lightweight Directory Access Protocol), 1007 (don't know, can't find anything specific) and port 1720 (seems to deal with H323 video calls?).

Being the semi-network-noob that i am i tried telnetting to all of these. Port 389 and 1007 disconnect as soon as they receive any input, but 1720 remains open. What this means exactly i don't know but I thought i'd pick your brains about it.

[ooPo]

Hmm, that's odd. I figured that once it told the dhcp server to release the ip the it wouldn't keep responding. I'll have to play with it.

[Guest]

Hmm, that's odd. I figured that once it told the dhcp server to release the ip the it wouldn't keep responding. I'll have to play with it.

May be a bug. Certainly, there is no technical requirement that, after sending a DHCP release to the server, the TCP/IP stack unconfigures that IP from its network interface, but it SHOULD.

[ooPo]

Yes, quite true... but unexpected. :)

[ZeZu]

It should be easy enough to check if this stuff is real, if someone creates a static route to these servers in their internal network and modifies the version number it should download the files. I'm sure the PSP will not allow its firmware to be updated with garbage. You may even get some free little flashcard shooting game out of the deal.

[Synthaxx R-or]

Ok some more info.

I tried the portscan trick on two different configurations, one on my router, and one on a laptop connected to the router via wired ethernet and with it's wlan card set in adhoc (with the psp manually configured).
Both configurations leave the connection wide open, so you indeed looks like it's a fault in the ip stack, although with the laptop it doesn't even capture a dhcp release request (probably because of the manual configuration).

Another thing is the network test ( settings > network settings > infrastructure mode > [ /\ on the connection you want to test ] > test connection )
This seems to do pretty much the same thing as the network update with the difference that it connects to fj00.psp.update.playstation.org and gets the file /networktest/trail.txt (as far as i can see the whole file only says "p")
Just thought you should know ;)

[ooPo]

Ahhh, so you're not even using dhcp... that's probably why...

As for the network testing, are you sure that this is the right url?

( http://fj00.psp.update.playstation.org/ ... /trail.txt )

[Synthaxx R-or]

pretty sure

[ooPo]

Through some fake DNS stuff, I've made it try to download the dummyfile update...

'Network Update has found a later version.'
'To download, insert a Memory Stick(tm) with at least 10 MB free space and press the O button.'

What the heck, I'll try it...

Downloading...
Do not turn off the power or remove
the Memory Stick(tm).
(progress bar)

Its at 25% now. Hope it doesn't fry. :)

[ooPo]

100%...

Download completed.
The update is now available on your
Memory Stick(tm).
To install now, press the O button.
To install later. go to [Game].

Not being nuts, I went to update later, then scrolled over to game. Select Memory Stick, and I get an icon labeled 'Corrupted Data'.

This game cannot be started.
The data is corrupted.

Oh well, at least it didn't break. Strange that it calls it a game, though... hmm.

I'll take a look at it when I get a usb cable tomorrow.

[ooPo]

So for fun, I tried loading up the other update file we have.

It rebooted and I saw...

The following updates will be added:
pending

Review the terms of the User Agreement
(blah blah blah blah)
Quicktime, Aris/Solana/4C, Unicode, IBM, Macromedia Flash, etc...

Do you accept the User Agreement?
Do Not Accept
Accept

Press the O button to install the update.

Installing...
Do not turn off the power or remove
the Memory Stick(tm).
(progress bar...)

Update completed.
Press the O button to restart.

And now it just sits there with a black screen. Wah!

It turns on, backlight comes on with a black screen... makes a few accesses to the memorycard, spins up the drive for a bit, spins down the drive, turns itself off.

I wonder how I can fix this..

[ooPo]

Well, I think its officially dead. Unless I can get some miracle cure this PSP has lost its mind and is never coming back...

Perhaps a lobotomy in the future may help.

So boys and girls, remember what I did for you here this day!

[Guest]

So for fun, I tried loading up the other update file we have.

And now it just sits there with a black screen. Wah!

It turns on, backlight comes on with a black screen... makes a few accesses to the memorycard, spins up the drive for a bit, spins down the drive, turns itself off.

I wonder how I can fix this..

Ok, this is a longshot...but this might help... *cross fingers*

I saw the exact same symptoms when I put the PSP in sleep mode in the middle of a game, and then removed the UMD disk. When I turned the unit back on it "black screened" then turned itself back off. Memstick accesses along the way and everything....

It didn't work again until I popped the UMD disk back in.

So...play around with combinations of removing/inserting memory sticks and UMD disks.

[ooPo]

No go. I've been popping things in and out and pressing different combinations of buttons. It does the same every time.

[Drakonite]

Ouch, my condolences ooPo. Perhaps Sony will have information about fixing corrupted updates when they officially release an update. Or if you want you can donate the whole mess to me to try to fix ;) heh

[TarKin]

ooPo ...i had the same prob.

a) remove the battery
b) remove the mem stick
c) insert an emtpy (non psp formated) stick
d) reinsert the battery
e) power on

...fixed it for me

crossing fingers that it also helps for you

[ooPo]

By 'same prob', did you try the same update? :)

I only have the one card so I'll have to get a reader if I want to reformat it.

[ooPo]

So I went out tonight and picked up a new memory stick (256MB Pro Duo), a USB cable and a card reader...

1) Removed the battery, plugged in the new card, put the battery back in. No change.

2) Hooked up the USB cable. No change, nothing shows up in windows or linux. I'm unsure of how to scan for USB devices... is there a way to query the bus?

3) Read the contents of the card. There's a /PSP/GAME/UPDATE/EBOOT.PBP file which is the exact same size as the oopobane update file.

4) Fired up ethereal to see if it was attempting anything with the wireless network. It isn't.

So, I'm left hoping for some sort of recovery mode. Maybe whenever they release a real update I'll be able to put it in a special directory on the memorystick and do a failsafe flash, or something like that...

...if not, I wonder if I can get it replaced under waranty? :)