Firmware file system access via wipeout browser


nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm


Post by nem »

As Vampire posted on the dev forum, the UMD file system can be accessed via the Wipeout browser using file://disk0:/...
The firmware, or on-board flash chip, file system can be accessed the same way using flash0 as the drive string.

Code:

<a HREF="file://flash0:/vsh/etc/version.txt">version.txt</a><br>

Only .txt can be accessed. .cer, .prx, .rco and .bmp are unreachable, maybe because the browser does not follow the link if the extension is not txt or png or so. I tried some but could not, but there could be a way.
flash0: is the system file volume. The config file volume can also be accessed, I think, but I have not tried.

It is pretty useless, but for your interest.
nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm

Post by nem »

I should post some specimens.
Firmware version 1.00

release:1.00:
build:228,0,3,1,0:[email protected]
system:[email protected]_103a,0x01000300:
vsh:[email protected]_day1,[email protected]_day1,20041201:
Firmware version 1.50, updated from 1.00

release:1.50:
build:376,0,3,1,0:[email protected]
system:[email protected]_150,0x01050001:
vsh:[email protected]_150,[email protected]_150,20050201:
version.txt of the leaked firmware. Not obtained by the browser. FYI :)

release:1.00:
build:106,1:[email protected]
system:16214,0x00100000:
vsh:2004_1104_s16214_p3883_v8335:
Drakonite
Site Admin
Posts: 989
Joined: Sat Jan 17, 2004 1:30 am

Post by Drakonite »

Has anyone tried setting up a link that posts a file?

I would assume the browser probably doesn't support the right HTTP stuff, but assumptions are dangerous and I don't have one here to try with.
Shoot Pixels Not People!
Makeshift Development
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

Leaked firmware, eh? How did you manage that? :)
vvuk
Posts: 13
Joined: Mon Apr 25, 2005 3:57 pm
Location: Foster City, CA

Post by vvuk »

ooPo wrote:Leaked firmware, eh? How did you manage that? :)
Is this the leaked breaks-your-PSP firmware? Or another? If it's the leaked one, it certainly seems like someone packaged together a 1.0 firmware... perhaps it's the firmware for the PSP development boxen?
Warren
Posts: 173
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

ooPo: I think by leaked firmware he's referring to the same FW that killed your PSP
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

I'm impressed he took the effort of flashing with it to dump it off the chip.
Warren
Posts: 173
Joined: Sat Jan 24, 2004 8:26 am
Location: San Diego, CA

Post by Warren »

Nem: have you tried the elf loader from 1.0 on a 1.5 system?
nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm

Post by nem »

Ah, I already mentioned flashing in another thread. I need more sleep. My head sucks.

I have not tried to replace the loader after I got some PBPs to execute on 1.0. Listed in the TODO list.
Herman
Posts: 13
Joined: Tue Apr 05, 2005 4:15 pm
Location: Montreal, Canada

Post by Herman »

I tried using the Network Update function with this and http://forums.ps2dev.org/viewtopic.php?t=1606, but it only seems to download files if the URI is http:// (not file://).
lmx
Posts: 25
Joined: Fri Apr 01, 2005 6:23 pm

Post by lmx »

There are firmware images in the official SDK, for the devkit; most likely they will hang consumer units.

Don't forget UMDs contain firmware updates too, so flash your firmware, play a game off UMD, and patch mismatch skullduggery beckons.
Pikoro
Posts: 56
Joined: Thu Jan 13, 2005 9:57 am

Post by Pikoro »

Drakonite wrote:Has anyone tried setting up a link that posts a file?

I would assume the browser probably doesn't support the right HTTP stuff, but assumptions are dangerous and I don't have one here to try with.
Yeah, volksport (pspirc.com) and I spent about 4 hours going over this and trying to find a way to get the PSP to send a file. Sony has blocked text input into a file input box.

On top of that, you can't autofill the field with either value= or any type of JavaScript.

This is to prevent people from automatically downloading files from people's systems.

But the little extra of not allowing anyone to fill in the input box at all was extremely frustrating.

Here's the link to my test stuff: http://www.psphacks.net/forums/viewtopic.php?t=718
Phour20
Posts: 26
Joined: Fri May 06, 2005 1:38 am

Post by Phour20 »

I haven't sent a file, but using a form on my website that can be found in a different link, I was able to have a text file that I filled out on my PSP sent to the webserver. Not sure if this is much help, but the form was something that FrontPage had set up for me. I just left it. It probably creates it server side. But I did find it interesting that it did indeed work.

Edit: just wanted to add a link to the text file that was created using the form.

http://home.new.rr.com/pspscene/feedback.txt
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

Pikoro wrote:On top of that, you can't autofill the field with either value= or any type of JavaScript.
You can send data created by JavaScript, see for example this thread. But this may not help in sending files from the PSP to a server.
Phour20
Posts: 26
Joined: Fri May 06, 2005 1:38 am

Post by Phour20 »

Playing with the script above, I am able to look at the new text files posted from the file list dump of the 1.0

in //flash0:/KD/

pspbtcnf.txt
pspbtcnf_game.txt
pspbtcnf_updater.txt
pspcnf_tbl.txt

What I found is that anywhere there is a space in the file name, an UNDERSCORE must be used. I was getting the Network Connection screen when just using spaces. These files can be viewed and exist on the 1.5 firmware also, but I have no clue what happens if you view them on 1.0. In 1.5 they seem to be encrypted because I don't get plain text and they aren't readable.

I wanted to see what was contained in them, due to the fact that they seem to hold config data for button configurations (that's my guess from the names).

Hope this can be of some help. Probably not, but anyway.

Thanks NEM for giving us so much to play with.
skippy911
Posts: 46
Joined: Fri May 06, 2005 10:20 am

Post by skippy911 »

Phour20 wrote:These files can be viewed and exist on the 1.5 firmware also, but I have no clue what happens if you view them on 1.0. In 1.5 they seem to be encrypted because I don't get plain text and they aren't readable.
They are encrypted on the 1.0 firmware as well.
Phour20
Posts: 26
Joined: Fri May 06, 2005 1:38 am

Post by Phour20 »

Thanks for checking that out, skippy...
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

I have a question.
If we have a file with the same name on firmware 1.0 and firmware 1.5,
and if we know that the two files should have the same content,

and if we can decrypt the file from 1.5 to 1.0, does that mean we found the key?

And if all the files on firmware 1.5 are encrypted but 1.0's are not, the loading speed of 1.5 should be much slower than 1.0, since the machine needs time to decode the files. Is that right?
Cogboy
Posts: 45
Joined: Wed Jan 19, 2005 3:45 pm

Post by Cogboy »

I'm not sure the loading times would be that different, as the PSP uses a hardware decoder, which is a lot faster than doing it through software. As for comparing two similar files in order to extrapolate the key, the above is pretty much the limit of my knowledge on the subject. Maybe someone else knows something?
"the sony PSP was built by god, to determine who on earth had the best skills to defeat the armies of satan" - Saint Peter.
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

Hardware decode must consume some time, since all the files need decoding, but we don't know how much they need. I just assume it will double the time. Anyway, it doesn't matter; the truth is that most files inside 1.5 are encoded.

And I hope someone can extract the key soon so that we can run apps in 1.5 too.
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

laichung wrote:Hardware decode must consume some time, since all the files need decoding, but we don't know how much they need. I just assume it will double the time. Anyway, it doesn't matter; the truth is that most files inside 1.5 are encoded.
Why do you think that hardware decoding must consume some time? It could be simply one more element in the pipeline from memory, cache etc. to the CPU, and because it is optimized hardware, it could run at full DMA speed, so there may perhaps be some microseconds of latency at the start for the additional pipeline element, but an encrypted continuous memory transfer could be as fast as an unencrypted one.
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

Why I think that decoding must consume time: because it will need a few more CPU instructions before it can run.

Consider two cases:
Case 1: before the PSP app runs, it will decode all the files it needs to run and then put them into main memory to run; then the boot time of the app should be longer than that of one that doesn't need decoding. In this case, the app will run at normal speed, since the files are already decoded when it runs.

Case 2: those files are decoded JIT (just in time); what I mean is, those files will be decoded when they are used, or when the PSP accesses them.
Then some CPU power will be used to decode the files. But this will make some errors if the CPU power is heavily used by other processes.

OK, if the PSP has an extra chip to decode, and it can decode JIT, this extra CPU should have the same clock as the core CPU (or faster; if not, the core CPU may need to wait for the decode CPU, and this should not happen).

pixel
Posts: 791
Joined: Fri Jan 30, 2004 11:43 pm

Post by pixel »

Nowadays, decoding is just about as fast as a badly coded memcpy. So, when the console reads the encrypted module from disc/BIOS/whatever and loads it into memory, the loading could be done via simple crypto (note that RSA is usually employed to encrypt a big key, which in turn is used in a simpler crypto layer) without too much trouble, via a decryption routine similar to what memcpy does when loading an unencrypted module.

And if it's an external chip which does the crypto work (just like on the PS2, mind you), nowadays some people are able to fit RC4 on a quarter of a small ASIC's surface, and it works at full speed, basically.


So, your "it would be much slower" is wrong, humanly speaking (it's right though, machine-wise speaking: 15ms is much slower than 1ms for a device).
pixel: A mischievous magical spirit associated with screen displays. The computer industry has frequently borrowed from mythology. Witness the sprites in computer graphics, the demons in artificial intelligence and the trolls in the marketing department.
iedoc
Posts: 18
Joined: Thu May 12, 2005 12:26 pm

Post by iedoc »

I don't know if you guys have figured anything out, but I'm pretty good at decrypting code, so if you gave me the encrypted code from one file on the v1.0 version, and the encrypted code from the same file that should have the same contents from v1.5, I might be able to write a program or just figure out how to decrypt it.
pixel
Posts: 791
Joined: Fri Jan 30, 2004 11:43 pm

Post by pixel »

Wow.
pixel: A mischievous magical spirit associated with screen displays. The computer industry has frequently borrowed from mythology. Witness the sprites in computer graphics, the demons in artificial intelligence and the trolls in the marketing department.
zigzag
Posts: 129
Joined: Wed Jan 26, 2005 2:11 pm

Post by zigzag »

iedoc wrote:I don't know if you guys have figured anything out, but I'm pretty good at decrypting code, so if you gave me the encrypted code from one file on the v1.0 version, and the encrypted code from the same file that should have the same contents from v1.5, I might be able to write a program or just figure out how to decrypt it.
Anything to back up a claim like that?
iedoc
Posts: 18
Joined: Thu May 12, 2005 12:26 pm

Post by iedoc »

Sorry, I thought it was worth a try. I don't have any proof to back it up, but I'm not very good at this hacking stuff; I know I'm pretty good at deciphering things though. I don't have a v1.0 PSP, so I couldn't get a file from that, but I have a v1.5 PSP, and if I knew how, I might be able to get a file off of it.
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

iedoc wrote:I might be able to write a program or just figure out how to decrypt it.
OK, maybe it is AES encrypted. I don't have the PSP code, but here is a quick warm-up for you:

Code:

unencrypted: This is a secret text
encrypted: lpclfmgfjddoelfdpnhdhjeokbmoolfmfdckldakbbijknegnahimbbcelfpjndj
And something you don't get as easy from the PSP, some Java code, which created the encryption (I've omitted trivial things like class declaration, imports etc.):

Code:

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.NoSuchPaddingException;

// Class name chosen here; the post omitted the declaration and imports.
public class AesWarmup {

    // Encode each byte as two letters: high nibble then low nibble, 'a' = 0 ... 'p' = 15.
    public static String asciiEncodeBytes(byte[] bytes) {
        StringBuffer out = new StringBuffer(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            int high = (((int) bytes[i]) & 0xf0) >> 4;
            int low = bytes[i] & 0xf;
            out.append((char) (high + 'a'));
            out.append((char) (low + 'a'));
        }
        return out.toString();
    }

    // Inverse of asciiEncodeBytes: two letters back into one byte.
    public static byte[] asciiDecodeBytes(String bytes) {
        int len = bytes.length() / 2;
        byte[] result = new byte[len];
        int j = 0;
        for (int i = 0; i < len; i++) {
            int high = (int) (bytes.charAt(j++) - 'a');
            int low = (int) (bytes.charAt(j++) - 'a');
            result[i] = (byte) ((high << 4) | low);
        }
        return result;
    }

    private static Cipher cip;

    private static Key key;

    private static void initAes() throws InvalidKeySpecException, NoSuchAlgorithmException, NoSuchPaddingException {
        if (cip == null) {
            // create key
            final byte keyArray[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
            key = new Key() {
                public byte[] getEncoded() {
                    return keyArray;
                }

                public String getAlgorithm() {
                    return "AES";
                }

                public String getFormat() {
                    return "RAW";
                }
            };

            // create cipher object
            cip = Cipher.getInstance("AES/ECB/PKCS5Padding");
        }
    }

    // AES-encrypt the UTF-8 bytes of text and return the letter-encoded ciphertext.
    public static String aesEncrypt(String text) throws IOException, GeneralSecurityException {
        if (text == null)
            return text;
        initAes();
        cip.init(Cipher.ENCRYPT_MODE, key);
        byte[] input = text.getBytes("utf8");
        ByteArrayOutputStream outs = new ByteArrayOutputStream();
        CipherOutputStream cout = new CipherOutputStream(outs, cip);
        cout.write(input);
        cout.close();
        return asciiEncodeBytes(outs.toByteArray());
    }

    // Reverse of aesEncrypt: decode the letters, AES-decrypt, return the UTF-8 text.
    public static String aesDecrypt(String text) throws IOException, GeneralSecurityException {
        if (text == null)
            return text;
        initAes();
        cip.init(Cipher.DECRYPT_MODE, key);
        byte[] input = asciiDecodeBytes(text);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        CipherOutputStream cout = new CipherOutputStream(out, cip);
        cout.write(input);
        cout.close();
        return new String(out.toByteArray(), "utf8");
    }
}
Now you only have to find the right keyArray values. Bonus: encrypt some own text, I'll verify it. If you've managed this, you can start to think about the PSP crypting.
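An added example, not Shine's code and nothing taken from the PSP: a complete Java program that reuses the warm-up's letter encoding and the same AES/ECB/PKCS5Padding transformation, so the posted ciphertext can be examined and a candidate key checked against it. The posted ciphertext string is the one from the thread; the key "sixteen byte key", the class name AesWarmupCheck and the repeated-'A' plaintext are assumptions made for the example. It also shows two things the warm-up itself does not: that with PKCS#5 padding a wrong key normally surfaces as a BadPaddingException rather than as readable garbage, and that ECB mode repeats the ciphertext of equal plaintext blocks, which is why ECB is a poor choice for anything but a toy.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Class name is an assumption of this example.
public class AesWarmupCheck {

    // Same encoding as the warm-up: each nibble becomes a letter 'a'..'p'.
    static String asciiEncodeBytes(byte[] bytes) {
        StringBuilder out = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            out.append((char) ('a' + ((b >> 4) & 0x0f)));
            out.append((char) ('a' + (b & 0x0f)));
        }
        return out.toString();
    }

    // Inverse of the encoding, rejecting anything outside 'a'..'p'.
    static byte[] asciiDecodeBytes(String text) {
        if (text.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length input");
        }
        byte[] result = new byte[text.length() / 2];
        for (int i = 0; i < result.length; i++) {
            int high = text.charAt(2 * i) - 'a';
            int low = text.charAt(2 * i + 1) - 'a';
            if (high < 0 || high > 15 || low < 0 || low > 15) {
                throw new IllegalArgumentException("character outside a..p at offset " + 2 * i);
            }
            result[i] = (byte) ((high << 4) | low);
        }
        return result;
    }

    // AES-128 in ECB mode with PKCS#5 padding: the transformation the warm-up uses.
    static byte[] aesEcb(int mode, byte[] key, byte[] data) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(data);
    }

    // Try one candidate key. With PKCS#5 padding a wrong key almost always
    // ends in BadPaddingException (returned here as null) rather than in garbage.
    static String tryKey(byte[] key, byte[] ciphertext) {
        try {
            return new String(aesEcb(Cipher.DECRYPT_MODE, key, ciphertext), StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            return null;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Ciphertext exactly as posted in the thread.
        String posted = "lpclfmgfjddoelfdpnhdhjeokbmoolfmfdckldakbbijknegnahimbbcelfpjndj";
        byte[] ct = asciiDecodeBytes(posted);
        // 21-byte "This is a secret text" + 11 bytes of PKCS#5 padding = 32 bytes = 2 blocks.
        System.out.println("posted ciphertext: " + ct.length + " bytes = " + (ct.length / 16) + " AES blocks");

        // The all-zero key from the posted code; the post says the real one must still be found.
        byte[] zeroKey = new byte[16];
        String guess = tryKey(zeroKey, ct);
        System.out.println("all-zero key: " + (guess == null ? "padding check failed" : guess));

        // Round trip with a key of our own (assumed value), as the post asks for.
        byte[] myKey = "sixteen byte key".getBytes(StandardCharsets.US_ASCII); // exactly 16 bytes
        String message = "This is a secret text";
        String enc = asciiEncodeBytes(aesEcb(Cipher.ENCRYPT_MODE, myKey, message.getBytes(StandardCharsets.UTF_8)));
        System.out.println("our ciphertext: " + enc);
        System.out.println("round trip ok: " + message.equals(tryKey(myKey, asciiDecodeBytes(enc))));

        // ECB caveat: equal plaintext blocks produce equal ciphertext blocks.
        byte[] repeated = new byte[32];
        Arrays.fill(repeated, (byte) 'A');
        byte[] ctRep = aesEcb(Cipher.ENCRYPT_MODE, myKey, repeated);
        boolean leak = Arrays.equals(Arrays.copyOfRange(ctRep, 0, 16), Arrays.copyOfRange(ctRep, 16, 32));
        System.out.println("ECB repeats equal blocks: " + leak);
    }
}
```

Compile and run with a standard JDK (`javac AesWarmupCheck.java && java AesWarmupCheck`); no third-party library is needed because AES is in the JCE that ships with the JDK. The padding check is only a hint that a key is wrong, not proof that one is right: a wrong key can by chance produce valid padding, so a decrypted result should always be compared against the expected plaintext as well.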
iedoc
Posts: 18
Joined: Thu May 12, 2005 12:26 pm

Post by iedoc »

I don't do Java.
iedoc
Posts: 18
Joined: Thu May 12, 2005 12:26 pm

Post by iedoc »

I almost had it, but I guess not. I might be able to figure it out if I knew what out.append((char) was and what & 0xf was. I'm sorry, but I don't know anything about Java, except it seems to be a lot like C++.