Can the PSP be hacked any further? Interview with Davee and Proxima (part 1)
Gone are the days when we would fear an update from Sony. As Sony focuses on the PS Vita and cares less about PSP security, PSP owners can now enjoy custom firmwares, homebrews and plugins on all PSP models. The last updates from Sony were security patches related to the PSN, not to the PSP itself, and it seems Sony has finally accepted the idea of letting us enjoy our homebrews.
And yet… the PSP still has lots of secrets to reveal.
I had the chance to talk with both Davee and Proxima about their recent work on Kirk (the PSP's encryption/decryption chip). Follow me and we'll uncover a few secrets…
One of the big breakthroughs of the PSP scene, a long time ago, was the Pandora battery: a tool that allowed people to downgrade and install custom firmwares, but which was also a universal unbricker, the only guarantee that we can mess with our PSP 1000 as much as we want without turning it into a useless paperweight. But even with the recent progress on a (legally questionable) TA88V3 unbricker, we still don't have a tool to fix a bricked PSP 3000 or PSP Go… yet we know Sony must have tools to quickly fix bricked PSPs…
Service mode on new PSP models is only one of the many secrets the PSP is still hiding from us.
A few weeks ago, developers Davee and Proxima publicly revealed lots of interesting information about Kirk, the chip in charge of encryption and decryption on the PSP. Although most people don't realize the impact of such research until they see an actual "real life" use for it, the secrets hidden in Kirk could help us create even better tools for new PSP models and, who knows, give useful hints about the type of security that will be used on the PS Vita (nah… Sony messes up lots of stuff, but they're not that stupid).
I wanted to know more, and tried to get Davee and Proxima to dumb it down for mere mortals like me… you still need your brains to read this interview, though!
1. It all began…
wololo: Davee, Proxima, who are you?
Davee: My name is Davee, I'm a Scottish student studying Electrical Engineering.
Proxima: [ his true identity will remain a mystery 😉 ]
wololo: When did you get your first PSP, and when did you decide to start hacking/developing on it?
Davee: My first PSP was a good old PSP 1000 and I got it Christmas 2005 as a gift. I didn't really understand hacking much then, I was too busy being a little webscripter and hello world person. I came across the scene when I went to "pspupdates.com" hoping to find an official firmware update. Then it went on: I learned C, I learned the PSP API, then I learned how the PSP worked.
Proxima: I got my first PSP in 2006 I think. One of the first Ta-082 1001 units. The very first app I ran on it was actually Tetris via the TGA exploit. I started writing little experiments with that SDK.
wololo: What was your first contribution to the scene?
Davee: My first contribution to the scene was a theme flasher. It was amazing, I'll link it here: http://forums.qj.net/psp-development-forum/138660-universal-theme-flasher.html. By that point I knew a lot of C and it was more of a test of learning how the PSP API worked.
Proxima: There was so much development going on back in 2006, I never got publicly involved in the dev scene, rather I just kept digging in and learning how the different modules worked. I was already fluent in MIPS from my SGI days in the 90s.
wololo: What was the hack/homebrew that impressed you the most on the PSP?
Davee: The most impressive homebrew… does Pandora count? I mean… sheesh.
Proxima: I agree with Davee, Pandora was beautiful. Amazingly well executed. From a user perspective, my favorite was the Ultima7 port ExultPSP by thefoodsucks.com.
2. What is Kirk?
wololo: Straight to the point, I’ve seen you guys working on Kirk recently (http://wololo.net/talk/viewtopic.php?f=6&t=7224), and Davee went as far as coding an implementation that can encrypt/decrypt the Kirk0x10… can you explain what Kirk is, and what it does?
Davee: KIRK is a mystical box that eats up our data and spews out a bunch of numbers and other data 🙂 Really, it’s an external processor connected to the main processor through a DMA channel. It takes in crypto stuff, does a crypto thing and hands the resulting data or error back. KIRK is responsible for almost all of the secret stuff Sony doesn’t want us to know, and has operations such as AES, SHA1 and ECDSA.
Proxima: Davee covered this well.
wololo: Kirk has several encryption/decryption functions, and I believe some of them have already been entirely reversed by the scene. Do you know of concrete examples of the scene using those Kirk functions? (I'm thinking, for example, that some of them are used to encrypt/decrypt savegames in SED; is that correct, or am I completely wrong?)
Proxima: Having a particular interest in ECDSA, I wanted to explore how the ECDSA implementation on the PSP was designed. It bugged me that the curve parameters were unknown, so through a little mathematics, I determined what they were. From a homebrew perspective, having the ECDSA services defined allows developers to do secure things like signing things or key exchanges over a network. Just like devs use the SHA1 Kirk service to ensure people have the right EBOOT for downgrade, there are many situations where a developer would want to ensure the real authenticity of something, and real ECDSA support is potentially helpful for that. The other big benefit is people learning about the mathematics. That's always a good thing.
Davee: Well, the whole KIRK crypto thing is used in the signing of homebrew PSP games. Other than that, KIRK has reversible functions for all the other features, and having the ability to encrypt/decrypt on the PC for normal users is really only useful for emulators and savedata editors on the PC.
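Proxima's answer above mentions recovering the curve parameters "through a little mathematics" and then using ECDSA for signing. The Python below is an added example, not code from the interview, from Davee or Proxima, or from the PSP firmware, and it does not use the PSP's actual curve or Sony's implementation. It shows the general approach such a recovery can take, which is an assumption about the method rather than a description of Proxima's: for a short-Weierstrass curve y² = x³ + ax + b over a known prime p, any two points with distinct x-coordinates give two linear equations in a and b. It then runs textbook ECDSA sign/verify over the recovered curve. The curve used, y² = x³ + 2x + 2 over GF(17) with generator (5,1) of order 19, is a constructed teaching-size curve and is far too small for real use.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int    # field prime
    a: int    # y^2 = x^3 + a*x + b (mod p)
    b: int
    G: tuple  # base point (x, y)
    n: int    # order of G


def inv(x, m):
    """Modular inverse; relies on pow(x, -1, m) (Python 3.8+)."""
    return pow(x % m, -1, m)


def recover_curve(p, P1, P2):
    """Recover (a, b) from two points on y^2 = x^3 + a*x + b mod p.

    Each point gives  y^2 - x^3 = a*x + b ; subtracting the two equations
    eliminates b and yields a, then b follows from either point.
    """
    (x1, y1), (x2, y2) = P1, P2
    if (x1 - x2) % p == 0:
        raise ValueError("need two points with distinct x-coordinates")
    lhs1 = (y1 * y1 - x1 ** 3) % p
    lhs2 = (y2 * y2 - x2 ** 3) % p
    a = (lhs1 - lhs2) * inv(x1 - x2, p) % p
    b = (lhs1 - a * x1) % p
    return a, b


def is_on_curve(c, P):
    if P is None:          # point at infinity
        return True
    x, y = P
    return (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0


def add(c, P, Q):
    """Affine point addition, with None as the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                      # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * inv(2 * y1, c.p) % c.p
    else:
        lam = (y2 - y1) * inv(x2 - x1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def mul(c, k, P):
    """Double-and-add scalar multiplication (not constant-time; teaching only)."""
    R = None
    while k > 0:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


def hash_to_int(c, msg):
    """Toy message digest: SHA-1 reduced mod n. Real ECDSA truncates the hash
    to the bit length of n instead of reducing it."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % c.n


def ecdsa_sign(c, d, e, k):
    """Sign digest e with private key d and per-signature nonce k (1 <= k < n).
    k is passed in explicitly so results are reproducible; in practice it must
    be unpredictable and never reused across signatures."""
    r = mul(c, k, c.G)[0] % c.n
    s = inv(k, c.n) * (e + d * r) % c.n
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s


def ecdsa_verify(c, Q, e, sig):
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n) or not is_on_curve(c, Q):
        return False
    w = inv(s, c.n)
    u1, u2 = e * w % c.n, r * w % c.n
    X = add(c, mul(c, u1, c.G), mul(c, u2, Q))
    return X is not None and X[0] % c.n == r


# Constructed example: two points read "off the wire" from a curve over GF(17)
# whose a and b we pretend not to know. G = (5, 1) has order 19 on this curve.
P_FIELD = 17
KNOWN_POINTS = ((5, 1), (6, 3))
A, B = recover_curve(P_FIELD, *KNOWN_POINTS)          # -> (2, 2)
TOY = Curve(p=P_FIELD, a=A, b=B, G=(5, 1), n=19)

if __name__ == "__main__":
    d = 7                                  # private key
    Q = mul(TOY, d, TOY.G)                 # public key (0, 6)
    e = hash_to_int(TOY, b"EBOOT.PBP")
    sig = ecdsa_sign(TOY, d, e, k=10)
    print("recovered a, b =", (A, B))
    print("signature", sig, "valid:", ecdsa_verify(TOY, Q, e, sig))
    print("tampered digest valid:", ecdsa_verify(TOY, Q, (e + 1) % TOY.n, sig))
```

The recovery step only needs points that are already public (for example a known public key and a signature's R point, or a base point and a multiple of it), which is why undisclosed curve parameters give no real secrecy; the security of ECDSA rests entirely on the private scalar, as the sign/verify half of the example illustrates.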
There’s more to this interview. We covered the basics, but you know me, I want to know more about the possible uses for this ongoing research, stay tuned for the second half of this interview 🙂