Straight from the source — Dark_AleX verbatim…
When the PSP boots, the boot code loads the IPL from either the NAND or the memory stick. The IPL is split into pieces of 0x1000 bytes.
The first 0xA0 bytes of each block are a header for the KIRK hardware command 1. It contains keys, the size of the cipher data, and two hashes, one for part of the header itself, and another one for the body. The 0xF60 remaining bytes are the ciphered body, which will decrypt to 0xF60 plain bytes… if the hashes, which are checked by the KIRK hardware itself, are OK. (Note: the ciphered body can actually be less than 0xF60; in this case, the remaining bytes are ignored… before TA88v3.)
What has Sony added to fix this?
The answer can be found in 4.00+ slim IPLs. They decreased the size of the ciphered body to 0xF40 to leave 0x20 bytes at the end of each block (at offset 0xFE0). In the newest pre-IPLs, these 0x20 bytes have a meaning.
This protection also destroys any possibility of downgrading below 4.00, as these new CPUs won't be able to boot previous firmwares' IPLs.
Summary: basically, all security of the newest PSP CPUs relies on the secrecy of the calculation of those 0x20 bytes. If the pre-IPL were dumped somehow, the security would go down TOTALLY.
And you know the real kicker? The yet-to-be released PSP-3000 will likely sport the new TA88v3 board.
- source / full article: dark-alex.org
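The block layout Dark_AleX describes can be checked arithmetically: a 0xA0-byte KIRK header plus a 0xF60-byte body fills a 0x1000-byte block exactly, while the 4.00+ layout's 0xF40-byte body stops at 0xFE0 and leaves the 0x20-byte trailer. The following Python is an added example, not code from Dark_AleX, Sony or the article; it models only the offsets given above. Because the page does not give the field offsets inside the KIRK command-1 header, the cipher-body size is passed in explicitly rather than read from the header, and the sample image is constructed with marker bytes, so nothing here decrypts or verifies anything.

```python
"""Layout model for PSP IPL blocks as described in the quoted text.

Constructed example. The KIRK command-1 header field offsets are not on the
page, so body_size is an explicit parameter rather than parsed from the header.
"""
from __future__ import annotations
from dataclasses import dataclass

BLOCK_SIZE = 0x1000         # the IPL is split into 0x1000-byte blocks
HEADER_SIZE = 0xA0          # KIRK command-1 header at the start of each block
BODY_SIZE_PRE_400 = 0xF60   # ciphered body size before firmware 4.00
BODY_SIZE_400_PLUS = 0xF40  # ciphered body size in 4.00+ slim IPLs
TRAILER_OFFSET = 0xFE0      # where the 0x20 trailer bytes sit in 4.00+ blocks
TRAILER_SIZE = 0x20


@dataclass
class IplBlock:
    index: int
    header: bytes   # KIRK command-1 header (keys, cipher size, two hashes)
    body: bytes     # ciphered body, checked by KIRK via the header hashes
    trailer: bytes  # bytes after the body; empty for the pre-4.00 layout


def layout_offsets(body_size: int) -> dict[str, int]:
    """Compute where header, body and trailer start/end for a given body size."""
    if body_size > BLOCK_SIZE - HEADER_SIZE:
        raise ValueError("body does not fit in a 0x1000-byte block after the header")
    body_end = HEADER_SIZE + body_size
    return {"header": 0, "body": HEADER_SIZE, "trailer": body_end,
            "trailer_len": BLOCK_SIZE - body_end}


def split_ipl(image: bytes, body_size: int) -> list[IplBlock]:
    """Split a raw IPL image into 0x1000-byte blocks and slice each by layout."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("IPL image length is not a multiple of 0x1000")
    off = layout_offsets(body_size)
    blocks = []
    for i in range(0, len(image), BLOCK_SIZE):
        blk = image[i:i + BLOCK_SIZE]
        blocks.append(IplBlock(
            index=i // BLOCK_SIZE,
            header=blk[:HEADER_SIZE],
            body=blk[off["body"]:off["trailer"]],
            trailer=blk[off["trailer"]:],
        ))
    return blocks


def uses_400_layout(block: IplBlock) -> bool:
    """True when the block reserves exactly 0x20 trailer bytes at 0xFE0 (4.00+ layout)."""
    return (HEADER_SIZE + len(block.body) == TRAILER_OFFSET
            and len(block.trailer) == TRAILER_SIZE)


def make_block(body_size: int, fill: int) -> bytes:
    """Constructed sample block: marker bytes for header, body and trailer."""
    header = b"\xaa" * HEADER_SIZE
    body = bytes([fill]) * body_size
    trailer = b"\xbb" * (BLOCK_SIZE - HEADER_SIZE - body_size)
    return header + body + trailer


if __name__ == "__main__":
    image = make_block(BODY_SIZE_400_PLUS, 0x11) + make_block(BODY_SIZE_400_PLUS, 0x22)
    for b in split_ipl(image, BODY_SIZE_400_PLUS):
        print(f"block {b.index}: body={len(b.body):#x} trailer={len(b.trailer):#x} "
              f"4.00+ layout={uses_400_layout(b)}")
```

Running it on the constructed two-block image reports a 0xF40-byte body and a 0x20-byte trailer per block; passing BODY_SIZE_PRE_400 instead yields an empty trailer, which is the pre-4.00 layout.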
Why PSP TA88v3 cannot be Hacked, yet…
at 3:19 PM