Coldbird and VF, The Big Interview, Part 2
Missed the first part of the interview? You can find it here
Coldbird and Virtuous Flame are the talented devs behind CFW Pro, a (Light) Custom Firmware that is progressively becoming the most mainstream CFW solution for most PSP Owners. I had the privilege to discuss with them about their ongoing work a few days ago, here is the second part of this interview.
What was the hardest challenge you had to deal with while working on CFW PRO?
coldbird: Easy one. Haters. Next question please.
Well… if you want technical aspects, I can give that too. Our very first problem was that the exploit used on 6.20… wasn’t usable on 6.3X.
Wololo: you mean the user mode exploit?
coldbird: Nah… the Power Kernel Exploit. We spent several days trying to figure out how to use the exploit (which was still there) in a way we could get kernel access.
Wololo: I see… so it was still here, but not usable in the same way.
coldbird: Well… TN was very very lucky… Because Sony’s compiler shifted functions in a way he could easily exploit ’em.
Wololo: I remember VF dealing with many issues, involving the AC Adaptor.
Virtuous Flame: Yep. Even for the 5.03 kernel we had to find a new way to exploit it.
coldbird: The alignment of functions (4-byte alignment) is very important for TN’s code to work, otherwise he can’t trigger a callback. In 6.3X… we had the problem that Sony’s compiler shifted functions differently, aligning them in the worst possible way.
After 2 days of thinking I had a brilliant idea which even caught my pro-mate over here off guard. I figured out that on PSP Go… it was possible to use the power exploit to null whole buffer ranges on a 16-byte alignment. I then analyzed 6.3X sysmem.prx to find a suitable exploitable dynamic jal instruction, and we just nulled a user accessible syscall using the PSP Go exploit I discovered. We then set up a proper wrapper code to pass exploitable arguments and bruteforce an exploitable callback id (required for nulling big ranges of memory in kernel), which allowed us to reach a dynamic jal instruction from a user available sysmem callback. [Kids, I hope you’re taking notes]
Virtuous Flame: When Davee released his downgrader he used sceKernelUtilsMd5BlockInit for the exploit. It is nicer but we still used our own way to exploit… that took us several days.
coldbird: This is also the easiest proof that PRO is not a copy. Everyone who is too lazy to look at our assembly is just a random brainless flamer.
Wololo: Ah, that’s a very nice transition, because that was actually my next question.
Some people have been claiming that you are mostly “stealing” other people’s work. I’m sure you are aware of these accusations; is there anything you want to reply to that?
coldbird: Well… if we are stealers, then so is every CFW out there… ’cause we all reversed the M33 sysctrl module at some point. The only component in our CFW which is not ours (coded from scratch) is the M33 ISO driver.
Virtuous Flame: Not only that. The usbdevice.prx comes from M33 as well.
coldbird: Yeah, for the USB mounting.
Virtuous Flame: During our reversing of older CFW prx, we had the idea to open source a CFW.
coldbird: Yeah… the world’s rotting but this is why we wanna go the way PRO is going right now…
Thanks for the transition. You stated that CFW PRO will become open source soon. What’s your goal with open-sourcing? Is that also a way to reply to the “stealing” accusations?
coldbird: Nah… the people saying we steal would still say we do, even if we open-sourced it. We are doing it because with every new generation of CFW, it was always the same problem: due to the closed source behaviour, every new iteration required a full reinventing of the wheel. With a fully working and proper CFW source being open, this will improve future CFW development a lot. And killer features like online mode will ensure the PSP stays alive (even after NGP is out) as an online-themed multiplayer portable device, which is fully open and the source viewable by everyone.
Wololo: Aren’t you afraid this will also give away some precious information to Sony?
Virtuous Flame: It may increase the risk of leaking CFW secrets to Sony etc., but since the PSP is dying the risk is minimized.
coldbird: Why do you think we timed it like this?
Can you talk about the recent work on “permanent patch” for new PSP models? Don’t you think it’s a bit dangerous to permanently patch unhackable motherboards?
coldbird: Yes, but DA did it too before Pandora was out.
Wololo: Wow, that’s true, didn’t even remember that!
coldbird: Besides, the only danger lies in idiots popping the battery out while flashing.
Virtuous Flame: Yes. It’s controllable for now. Now with a bit of work, devs could program tools that would safely go to OFW, recovery mode, etc…
[Note by Wololo: you can follow the ongoing developments of permanent CFW on unhackable motherboards on our forums here; credits go to kgsws for the initial research :)]
You mentioned it several times in your blog, can you describe in a few words the concept of the Online CFW (CFW PRO-C)? I think everybody’s excited, and would love to know what this will bring to end users.
coldbird: Xbox Live for PSPs. Just free.
I’m sure you know XLink Kai [Note by wololo: see wikipedia here]. It’s tunneling software, grabbing airwaves and tunneling the ethernet frames over UDP to the other peers to “enable online play”. Our online mode does the same, just that it isn’t grabbing airwaves, but instead replacing the Sony adhoc modules with an identical copy which uses infrastructure to do the tunneling.
Basically it is an adhoc module emulator, providing a copy of the adhoc functions. The game itself will think it operates on adhoc, while it really connects to our master server for peer matching, and then uses peer-to-peer transmissions to contact all the other players necessary for a game.
Ignoring the technical yada yada, it allows all PSP multiplayer games to play online.
The master server is in fact extremely lightweight, cross-platform compilable, and C++ based. Running on standby, the master server eats less than 5MB memory, with only about 1KB of data in memory for each user connected. Which means that even a low-end vserver with, let’s say, 128MB RAM can easily house several thousand users.
Wololo: I’m gonna run my copy of the master server on my PSP.
coldbird: You will be laughing, but indeed the master server can even run on a PSP. It’s a cross-platform app which runs fine on PSP, Linux (32 and 64-bit) and Windows (only tested on 32-bit). The master server operates on TCP connections, while the peers run on UDP.
The only important thing ’bout online mode is to be close to your wifi router: due to the nature of UDP not having error correction, and airwaves being unreliable, the distance to the router is important for lag-free gaming.
Wololo: Ok, now I really can’t wait. This basically means that even when Sony stops supporting the PSP, we will still have a very lively community… I didn’t imagine such a bright future for our beloved console.
How many hours did you both roughly spend so far working on CFW PRO?
coldbird: Uff… how many hours… we have been working on it for how many months now? 8? 9? Several hundred hours, for sure.
date: Fri Jan 07 08:42:22 2011 +0800
summary: Add basic framework
This is where PRO-A begins
coldbird: That sums up the creation of our repository, but we worked a lot without a dedicated repository before that. That kinda falsifies the results ’cause most of the time went into early coding, creation of a suitable exploit suite, etc…
Virtuous Flame: In 2010/11 we created the 6.31 HEN repo.
coldbird: Well, if it has to be hours, the several hundreds should do its job as an answer I think. We didn’t really count ’em but it was a lot.
That’s it for this second part of the interview. Last but not least, in the 3rd part, we will discuss the hacking of future firmwares, and the NGP. Stay tuned.