Quote Originally Posted by mihaikid View Post
Donely Ia ceva masuri contra acestor Useri Care Vorbesc Inainte sa caute ........Un Exemplu` bun Christien dark-alex a gasit nu am timpul necesar sa caut
Cu parere de rau tin sa te anunt ca pentru PSP cu plca de baza TA-88v3 nici macar @dark-alex nu a gasit nimic. Se "lucreaza" la Despertador21 care chipurile ar rezolva problema dar deocamdata nimic palpabil. Asa ca deocamdata trebuie sa ii dau dreptate lui @Christien.

Dark_AleX explains why TA88v3 cannot be hacked

You may have noticed that DA’s site has been down for a while. Now that’s its back up, Dark_AleX has provided some details to the situation of unhackable PSP’s.
The technical stuff in the full article.

Quote: Dark_AleX
When the PSP boots, the boot code (aka pre-ipl or ipl loader) loads the ipl from either the nand or memory stick. The IPL is splitted into pieces of 0�1000 bytes.
First 0xA0 bytes of each block is a header for the kirk hardware command 1. It contains keys,
the size of the cipher data, and two hashes, one for part the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes… if the hashes, which are checked by kirk hardware itself, are OK. (Note: ciphered body can actually be less than 0xF60, in this case, remaining bytes are ignored… before TA88v3) Fir
The security of kirk hashes was destroyed by a timing attack, and the IPL became unprotected.
What has Sony added to fix this?
The answer can be found in 4.00+ slim ipl’s. They decreased the size of the ciphered body to 0xF40 to leave 0�20 bytes at the end of each block (at offset 0xFE0).
As stated before, these remaining bytes are ignored… in pre-ipl’s of psp’s prior to TA88v3, and in fact, they can be randomized and ipl will still boot in those psp’s. In newest pre-ipl’s, these 0�20 bytes have a meaning.
The first 0�10 bytes is an unknown hash calculated from the decrypted block. It is deduced that is calculated from the decrypted block and not the ciphered one due to the fact that 4.01 and 4.05 have a lot of ipl blocks in common, which, when decrypted, are similar, but they are totally different in its encrypted form. In these two ipl’s, this hash is same, as seen in the picture:
The second 0�10 bytes seem also to be dependent of the decrypted body (maybe dependent of the previous 0�10 bytes too?). In the picture it can be seen that they are different in 4.01 and 4.05, but they can actually be interchanged, you can move those 0�10 bytes from the same block in 4.05 ipl to the 4.01 ipl and it will still boot; however it cannot be randomized.
This protection also destroys any possibility of downgrading below 4.00, as these new cpu’s won’t be able to boot previous firmwares ipl’s.
Summary: basically, all security of newest psp cpu’s rely on the secrecy of the calculation of those 0�20 bytes. If pre-ipl were dumped somehow, the security would go down TOTALLY.