[Released] JigKick for PSP-2000 (TA-088v3 supported)
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
I don't actually understand the flow of JigKick and the memory stick during service mode. Is it possible to create a module or exploit to fake the MSID?
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
A module? Dude, there's no module code executing at that time....
An exploit? Well, maybe, but where/how? Talking is easy...
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
Maybe try to exploit pspbtcnf.txt.
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
kgsws wrote: maybe try to exploit pspbtcnf.txt
What do you mean? Embed load in IPL?
On the TA-088v3, a pre-IPL module was added to the processor which does not let illegitimate files through.
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
I think he means trying to find an exploit on how pspbtcnf.txt is processed.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
Exactly. There is a bug in OFW's btcnf parser (6.20) which might be exploitable, but this service contains btcnf in text form.
It still might be exploitable anyway. And the FAT driver might also be exploitable.
These two places are not bound to the MSID; an exploit here would allow creating an 'extra' unbricker.
Well, it will still contain Sony code, but it will work and save PSPs.
Does anybody know where it will fail if I try it on a PSP-1000? I mean, will it fail at the drivers stage (.enc files) or at the IPL stage (in case of using pre-IPL as a key)?
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
I thought some time ago about searching exploits on the MS and FAT driver, and started reversing the PRXs but I got tired of PSP. They might be worth a look (but being drivers, only quite experienced developers could look at it).
I wanna lots of mov al,0xb
"just not into this RA stuffz"
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
Let me try to clarify why it does not work. A memory stick is made of two major components: the memory controller and the flash memory chip. The memory chip is just a regular flash chip, as Erik has found in non-Sony memory sticks (it looks like in Sony's sticks these are together in one chip, but they are still there). The memory controller does the interface between the memory itself and the PSP or card reader. This controller implements the commands specified by Sony on this page: https://www.oss-formats.org/en/memoryst ... e/pro.html. Of course, Sony only shows the complete specs to licensed developers and companies, surrounded with NDA signing and stuff like that. The memory controller is in the worst case a complete custom chip and in the not-so-worst case a regular but remarked off-the-shelf microcontroller.
The important thing to remember is: no matter what, all the communication passes through the memory controller. One can request a write into a sector and the memory controller can respond that it was correctly written when it was not. The "holy grail" of this would be to find a way to write the so-called AttriB section of the memory controller. If you read the source code of the ms driver in the dumper source code you will notice that there is a command to read the AttriB but there is no command to write it. The question remains: does such a command exist? What Erik and Yoti made is completely different: they physically removed the memory chip and rewrote it entirely. No memory controller here. As Erik has pointed out, the memory controller has no memory itself, so the AttriB area exists in the flash memory. But is this always the case? Maybe some crazy manufacturer chose an off-the-shelf microcontroller with some EEPROM and put the MSID there. This is speculation; we don't know about it.
There are some things left to be found:
1.) Is the AttriB area some kind of OTP memory? Does this depend on the particular flash memory chip used, since each chip has its own quirks?
2.) Does such a Write_AttriB command exist? How does it work?
Please, correct me if I missed something.
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
danielt3 wrote: 1.) Is the AttriB area some kind of OTP memory? Does this depend on the particular flash memory chip used since each chip has its own quirks?
Via controller - maybe. It may put a "done" bit somewhere in NAND.
danielt3 wrote: 2.) Does such a Write_AttriB command exist? How does it work?
If it exists, it may look like:
int pspMsWriteAttrB(int attr, void *addr);
Did you ever see microSD->MS Pro Duo adapters? They have the MSID in the adapter's controller. For two of my PhotoFasts it's
204D5350534E5930007828004B720000
IF SOMEONE HAS AN 07G PSP-3000 PLZ CONTACT ME VIA PM.
Do not forget about adb kill-server. Really.
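A worked model of the point danielt3 makes above (every access goes through the controller, which can report a write as done without performing it), using the MSID bytes Yoti posted as the payload. This is an added example, not code from the thread, from the PSP ms driver or from any real controller firmware; the sector layout, the location of the attribute area in sector 0 and the "locked controller silently drops the write" behaviour are assumptions made for illustration. The check it demonstrates is the one a practitioner actually needs here: never trust the controller's status code, read the sector back and compare.

```c
/* Added illustrative example (not from the thread or the PSP ms driver).
 * Toy Memory Stick controller + flash, and a write-then-read-back check
 * that catches a controller which ACKs a write it never committed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512
#define NUM_SECTORS   8
#define ATTRIB_SECTOR 0   /* assumption: the attribute/MSID area lives in sector 0 */
#define MSID_LEN      16

/* Real sticks keep the AttriB data in the flash behind the controller; whether
 * the controller ever lets the host write it is exactly the open question. */
typedef struct {
    uint8_t flash[NUM_SECTORS][SECTOR_SIZE];
    int attrib_locked;   /* controller policy: silently drop writes to ATTRIB_SECTOR */
} ms_ctrl_t;

/* Decode a hex string (such as the MSID posted above) into bytes.
 * Returns the number of bytes decoded, or -1 on malformed input. */
int hex_decode(const char *hex, uint8_t *out, size_t out_len) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > out_len) return -1;
    for (size_t i = 0; i < n; i += 2) {
        unsigned v;
        if (sscanf(hex + i, "%2x", &v) != 1) return -1;
        out[i / 2] = (uint8_t)v;
    }
    return (int)(n / 2);
}

/* Controller write: always reports success, but when locked it ignores
 * writes to the attribute area (ACK without a write). */
int ctrl_write_sector(ms_ctrl_t *c, unsigned sector, const uint8_t *buf) {
    if (sector >= NUM_SECTORS) return -1;
    if (c->attrib_locked && sector == ATTRIB_SECTOR) return 0;
    memcpy(c->flash[sector], buf, SECTOR_SIZE);
    return 0;
}

int ctrl_read_sector(const ms_ctrl_t *c, unsigned sector, uint8_t *buf) {
    if (sector >= NUM_SECTORS) return -1;
    memcpy(buf, c->flash[sector], SECTOR_SIZE);
    return 0;
}

/* Verified write: trust the read-back, not the status code.
 *  1 = data really present afterwards
 *  0 = controller ACKed but the read-back differs (the "says written, was not" case)
 * -1 = I/O error reported by the controller */
int verified_write(ms_ctrl_t *c, unsigned sector, const uint8_t *buf) {
    uint8_t back[SECTOR_SIZE];
    if (ctrl_write_sector(c, sector, buf) != 0) return -1;
    if (ctrl_read_sector(c, sector, back) != 0) return -1;
    return memcmp(back, buf, SECTOR_SIZE) == 0 ? 1 : 0;
}

/* MSID value quoted from Yoti's post; used here only as sample payload. */
static const char *POSTED_MSID = "204D5350534E5930007828004B720000";

/* Constructed scenario: try to plant the posted MSID into a given sector of a
 * freshly zeroed stick whose controller is locked (1) or not (0). */
int try_plant_msid(unsigned sector, int locked) {
    ms_ctrl_t c;
    uint8_t sec[SECTOR_SIZE];
    memset(&c, 0, sizeof c);
    memset(sec, 0, sizeof sec);
    c.attrib_locked = locked;
    if (hex_decode(POSTED_MSID, sec, MSID_LEN) != MSID_LEN) return -1;
    return verified_write(&c, sector, sec);
}

int main(void) {
    printf("attrib sector, locked controller:   %d\n", try_plant_msid(ATTRIB_SECTOR, 1));
    printf("attrib sector, unlocked controller: %d\n", try_plant_msid(ATTRIB_SECTOR, 0));
    printf("data sector 3, locked controller:   %d\n", try_plant_msid(3, 1));
    return 0;
}
```

The locked case returns 0 even though the controller reported success, which is precisely the failure mode danielt3 describes; a status-code-only check would have claimed the MSID was rewritten. The same read-back discipline applies when probing a hypothetical Write_AttriB command: a "done" reply proves nothing until the AttriB read command returns the new bytes.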
Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)
Yoti wrote: microsd->msproduo adapters
Would this work, or does MagicGate support figure into this in any way so that only genuine Memory Sticks are accepted? I don't know, just speculating.
Edit: Hmm, if I understand correctly, that memory stick you modified is not genuine either, so MagicGate is probably no concern. In that case, kindly ignore my comment.