PSP Hacks: pspdecrypt (PSARDumper for PC) released, And Mathieulh discloses iplloader exploit
Some news for the many people out here who still follow the scene on Sony’s best handheld device:
Pspdecrypt
Pspdecrypt is a command line tool by John-K (with contributions from artart78) to decrypt PSP binaries and firmware updates, without the need for a PSP.
Historically, decrypting such binaries was done with PSARDumper, a tool that had to run on a hacked PSP in order to grab the necessary decryption keys to do the job. Hackers have extracted many of these keys over the years, so a tool such as pspdecrypt allows tinkerers to extract and decrypt those files directly on their PC.
As far as I can tell, there is no groundbreaking reveal in pspdecrypt itself: it reuses past knowledge and code from the PPSSPP emulator and libkirk, but packages it in a way that provides people with a useful tool.
And yes, we completely missed this, and had to have Zecoxao wake us up to talk about it (Thanks sir!).
Download pspdecrypt
You can download the source code for pspdecrypt on the project’s github here. No binary release is provided; you’ll have to compile it yourself.
Iplloader “Jump Slide” PoC Release
Hacker Mathieulh published a proof of concept for a 14 year old exploit in Lib-PSP iplloader, Sony’s name for what the scene calls the pre-ipl. According to the hacker, this exploit was used to dump the 3.5.0 devkit pre-ipl xor key before it was cleared from memory, giving hackers access to one of the PSP’s encryption keys.
Lib-PSP iplloader does not check the location at which it loads/copies the block: it will happily perform a memcpy (at a rate of 1 dword per cycle) to whatever load address is specified in the IPL header. As long as the header passes the integrity checks (kirk1 hashes, HMAC-SHA1 on 03g+, …), this potentially allows a payload to be written to an arbitrary location.
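As an added illustration (not Mathieulh’s PoC and not any PSP code), the following C sketch shows the check that the behaviour described above lacks: an integrity check proves the header is genuine, but only a bounds check proves its destination is sane. The header layout, load window, addresses and function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified IPL block header; not Sony's real layout. */
typedef struct {
    uint32_t load_addr;  /* where the loader copies the block */
    uint32_t size;       /* payload bytes that follow the header */
} ipl_block_hdr;

/* Constructed destination window standing in for the RAM the loader may fill. */
#define LOAD_WINDOW_BASE 0x04000000u
#define LOAD_WINDOW_SIZE 0x1000u
static uint8_t load_window[LOAD_WINDOW_SIZE];

/* The loader described in the post effectively does
 *     memcpy((void *)hdr->load_addr, payload, hdr->size);
 * once the header's integrity checks pass. Integrity says the header is
 * genuine, not that its destination is sane; this range check is what is missing. */
int load_addr_valid(uint32_t addr, uint32_t size) {
    uint64_t end = (uint64_t)addr + size;          /* 64-bit: no wraparound */
    return addr >= LOAD_WINDOW_BASE &&
           end <= (uint64_t)LOAD_WINDOW_BASE + LOAD_WINDOW_SIZE;
}

/* Hardened copy: refuse any block whose destination range leaves the window.
 * Returns 0 on success, -1 if the header was rejected. */
int copy_block_checked(const ipl_block_hdr *hdr, const uint8_t *payload) {
    if (!load_addr_valid(hdr->load_addr, hdr->size))
        return -1;
    memcpy(load_window + (hdr->load_addr - LOAD_WINDOW_BASE), payload, hdr->size);
    return 0;
}

/* Runs three constructed headers through the check and returns a bitmask of
 * which ones were accepted (bit 0 = in range, bit 1 = address outside the
 * window, bit 2 = in-range address whose size wraps 32-bit arithmetic). */
int demo_headers(void) {
    static const uint8_t payload[16] = {0xAA};
    ipl_block_hdr in_range  = { LOAD_WINDOW_BASE + 0x100, sizeof payload };
    ipl_block_hdr elsewhere = { 0x00010000u, sizeof payload };  /* constructed, outside window */
    ipl_block_hdr wraps     = { LOAD_WINDOW_BASE + 0x100, 0xFFFFFF00u };
    int accepted = 0;
    if (copy_block_checked(&in_range, payload) == 0)  accepted |= 1;
    if (copy_block_checked(&elsewhere, payload) == 0) accepted |= 2;
    if (copy_block_checked(&wraps, payload) == 0)     accepted |= 4;
    return accepted;
}
```

Only the in-range header is accepted; a 32-bit end-address comparison would have let the wrapping header through, which is why the check is done in 64 bits.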
Download Lib-PSP-iplloader-Jump-Slide-POC
You can get Mathieulh’s recently released files on his github here.
Source: Mathieulh
It’s surprising to hear more PSP hacking is being done, but it’s certainly a good sign; that kind of devotion is always refreshing to see… Also, I wonder, are you still looking for guest bloggers? If so, I’m your man! I own pretty much every non-Microsoft console and, aside from the Switch (got a later model on that one, sadly), they’ve all been cracked wide open. I also consider myself a good writer, though that’s for you to judge!
Hopefully automatic builds will be merged to master soon 😀
https://github.com/John-K/pspdecrypt/pull/10
Spent the afternoon doing so, if anyone wants the latest version they can download here: https://github.com/krystalgamer/pspdecrypt/actions/runs/552579125
Thanks for the article!
There are two things on the PSAR decryption tool which are brand new:
– KL3E/KL4E native decompression, which never had been done before on PC
– IPL stage2/stage3 descrambling/decryption for all firmware versions (worked only for up to 2.50 in the original PSP-run PSARDumper)
Hope you like it!
“According to the hacker, this exploit was used to dump an unencrypted version of the IPL block” that’s not what I said.
This exploit was used to dump the 3.5.0 devkit pre-ipl xor key before it was cleared from memory. This is not a “Lib PSP exploit”; this is a Lib-PSP iplloader exploit. Lib-PSP iplloader is Sony’s official name for what we know as the pre-ipl; basically, this allows CPU ROM code execution (this is the code that runs before the IPL).
This is the earliest you can get code execution on a PSP, ever.
Apologies about that. Tried to use my own words and I shouldn’t, as clearly I misunderstood. I fixed the article.
This has absolutely nothing to do with the post, but I have no idea where else I’d ask about this –
I can’t seem to register for your forums, clicking “Submit” does nothing, and I’ll make an educated guess and say it has something to do with the fact that in the bottom right it says “This site key is not enabled for the invisible captcha.” Just figured I should point that out if you guys don’t already know.
Hi Jake1702. Thanks for letting me know and sorry about the issue. This should be fixed now. Feel free to contact me at wagic.the.homebrew at gmail dot com if you still run into issues when registering.