
[Released] JigKick for PSP-2000 (TA-088v3 supported)

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
akocmacky
Posts: 2
Joined: Sun Jul 17, 2011 11:39 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by akocmacky »

I don't actually understand the flow of JigKick and the memory stick during service mode. Is it possible to create a module or exploit to fake the MSID?
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by m0skit0 »

A module? Dude, there's no module code executing at that time....

An exploit? Well, maybe, but where/how? Talking is easy... :roll:
I wanna lots of mov al,0xb
"just not into this RA stuffz"
kgsws
Guru
Posts: 77
Joined: Wed Jan 05, 2011 9:51 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by kgsws »

Maybe try to exploit pspbtcnf.txt.
ErikPshat
Posts: 104
Joined: Sun Jan 23, 2011 5:50 am
Location: Moscow
Contact:

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by ErikPshat »

kgsws wrote: Maybe try to exploit pspbtcnf.txt.
What do you mean? Embed the load in the IPL?
On the TA-088v3, a pre-IPL module that does not let illegitimate files through was added to the processor.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by m0skit0 »

I think he means trying to find an exploit on how pspbtcnf.txt is processed.
kgsws
Guru
Posts: 77
Joined: Wed Jan 05, 2011 9:51 am

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by kgsws »

Exactly. There is a bug in the OFW's btcnf parser (6.20) which might be exploitable, but this service contains the btcnf in text form.
It still might be exploitable anyway. And the FAT driver might also be exploitable.
These two places are not bound to the MSID; an exploit here would allow creating an 'extra' unbricker.
Well, it will still contain Sony code, but it will work and save PSPs.

Does anybody know where it will fail if I try it on a PSP-1000? I mean, will it fail at the drivers stage (.enc files) or at the IPL stage (in case of using the pre-IPL as a key)?
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by m0skit0 »

I thought some time ago about searching for exploits in the MS and FAT drivers, and started reversing the PRXs, but I got tired of the PSP. They might be worth a look (but being drivers, only quite experienced developers could look at them).
danielt3
Posts: 5
Joined: Sat Jul 09, 2011 5:11 am
Location: São Paulo, Brazil

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by danielt3 »

Let me try to clarify why it does not work. A memory stick is made of two major components: the memory controller and the flash memory chip. The memory chip is just a regular flash chip, as Erik has found in non-Sony memory sticks (it looks like in Sony's sticks these are together in one chip, but they are still there). The memory controller does the interface between the memory itself and the PSP or card reader. This controller implements the commands specified by Sony on this page: https://www.oss-formats.org/en/memoryst ... e/pro.html. Of course, Sony only shows the complete specs to licensed developers and companies, surrounded with NDA signing and stuff like that. The memory controller is in the worst case a complete custom chip and in the not-so-worst case a regular but remarked off-the-shelf microcontroller.

The important thing to remember is: no matter what, all the communication passes through the memory controller. One can request a write into a sector and the memory controller can respond that it was correctly written when it was not. The "holy grail" of this would be to find a way to write the so-called AttriB section of the memory controller. If you read the source code of the MS driver in the dumper source code you will notice that there is a command to read the AttriB but there is no command to write it. The question remains: does such a command exist? What Erik and Yoti made is completely different: they physically removed the memory chip and rewrote it entirely. No memory controller here. As Erik has pointed out, the memory controller has no memory itself, so the AttriB area exists in the flash memory. But is this always the case? Maybe some crazy manufacturer chose an off-the-shelf microcontroller with some EEPROM and put the MSID there. This is speculation; we don't know about it.

There are some things left to be found:
1.) Is the AttriB area some kind of OTP memory? Does this depend on the particular flash memory chip used, since each chip has its own quirks?
2.) Does such a Write_AttriB command exist? How does it work?

Please correct me if I missed something.
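An added example, not code from this thread or from the JigKick/dumper sources: the post above notes that a controller can acknowledge a sector write it never performed, so any tool that writes to a stick must verify by reading the sector back instead of trusting the status code. The `controller_t` interface, the in-memory fake, and the "protected sector" behaviour below are constructed for illustration; the real Memory Stick command set is under Sony's NDA and is not reproduced here.

```c
/* Added example (not from the thread): write-then-read-back check against a
 * storage controller that may ACK a write without performing it.  The
 * controller interface and its in-memory fake are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define SECTOR_SIZE 512
#define NUM_SECTORS 8

/* Hypothetical controller interface: read/write one sector, 0 on success. */
typedef struct controller {
    int (*read)(struct controller *c, uint32_t lba, uint8_t *buf);
    int (*write)(struct controller *c, uint32_t lba, const uint8_t *buf);
    uint8_t  storage[NUM_SECTORS][SECTOR_SIZE]; /* fake backing flash */
    uint32_t protected_lba;  /* sector the lying fake silently refuses to change */
} controller_t;

static int fake_read(controller_t *c, uint32_t lba, uint8_t *buf) {
    if (lba >= NUM_SECTORS) return -1;
    memcpy(buf, c->storage[lba], SECTOR_SIZE);
    return 0;
}

/* Honest controller: the write really lands in flash. */
static int fake_write_honest(controller_t *c, uint32_t lba, const uint8_t *buf) {
    if (lba >= NUM_SECTORS) return -1;
    memcpy(c->storage[lba], buf, SECTOR_SIZE);
    return 0;
}

/* Lying controller: reports success for the protected sector but leaves it untouched,
 * the behaviour the post warns about. */
static int fake_write_lying(controller_t *c, uint32_t lba, const uint8_t *buf) {
    if (lba >= NUM_SECTORS) return -1;
    if (lba == c->protected_lba) return 0;   /* ACK, but do nothing */
    memcpy(c->storage[lba], buf, SECTOR_SIZE);
    return 0;
}

/* Result codes for verified_write(). */
enum { VW_OK = 0, VW_WRITE_FAILED = 1, VW_READBACK_FAILED = 2, VW_MISMATCH = 3 };

/* Write a sector, then prove it by reading it back; the controller's own
 * status code is never taken as evidence that the data is in flash. */
int verified_write(controller_t *c, uint32_t lba, const uint8_t *data) {
    uint8_t readback[SECTOR_SIZE];
    if (c->write(c, lba, data) != 0) return VW_WRITE_FAILED;
    if (c->read(c, lba, readback) != 0) return VW_READBACK_FAILED;
    return memcmp(readback, data, SECTOR_SIZE) == 0 ? VW_OK : VW_MISMATCH;
}

/* Run verified_write() against a freshly zeroed fake controller whose write
 * path is honest or lying; sector 0 stands in for a controller-protected area. */
int run_scenario(bool lying, uint32_t lba) {
    controller_t c;
    memset(&c, 0, sizeof c);
    c.read = fake_read;
    c.write = lying ? fake_write_lying : fake_write_honest;
    c.protected_lba = 0;

    uint8_t data[SECTOR_SIZE];               /* constructed non-zero test pattern */
    for (int i = 0; i < SECTOR_SIZE; i++) data[i] = (uint8_t)(0xA5 ^ i);
    return verified_write(&c, lba, data);
}

int main(void) {
    printf("honest controller, sector 0: %d (expect 0)\n", run_scenario(false, 0));
    printf("lying controller,  sector 0: %d (expect 3)\n", run_scenario(true, 0));
    printf("lying controller,  sector 3: %d (expect 0)\n", run_scenario(true, 3));
    return 0;
}
```

The read-back is what exposes the silent no-op: the lying fake returns 0 from `write`, exactly as an honest one does, and only the comparison of the sector contents tells the two apart. Against a real controller, a read served from a cache rather than from flash could still mask the difference, which is why the post's question of where the AttriB data physically lives matters.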
Yoti
VIP
Posts: 369
Joined: Sun Oct 17, 2010 4:49 am
Location: Russia

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by Yoti »

danielt3 wrote: 1.) Is the AttriB area some kind of OTP memory? Does this depend on the particular flash memory chip used, since each chip has its own quirks?
Via the controller, maybe. It may put a "done" bit somewhere in the NAND.
danielt3 wrote: 2.) Does such a Write_AttriB command exist? How does it work?
If it exists, it may look like

Code:

int pspMsWriteAttrB(int attr, void *addr);

danielt3,
did you ever see microSD->MS Pro Duo adapters? They have the MSID in the adapter's controller. For my two PhotoFasts it's

Code:

204D5350534E5930007828004B720000

I think that the manufacturer may program any MSID, including the one we need.
IF SOMEONE HAS AN 07G PSP-3000 PLZ CONTACT ME VIA PM.

Do not forget about adb kill-server. Really.
JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: [Released] JigKick for PSP-2000 (TA-088v3 supported)

Post by JJS »

Yoti wrote:microsd->msproduo adapters
Would this work or does MagicGate support figure into this in any way so that only genuine Memory sticks are accepted? I don't know, just speculating.

Edit: Hmm, if I understand correctly that memory stick you modified is not genuine either so MagicGate is probably no concern. In that case, kindly ignore my comment. ;)