PSP Hacks: pspdecrypt (PSARDumper for PC) released, and Mathieulh discloses iplloader exploit
Some news for the many people out here who still follow the scene on Sony’s best handheld device:
Pspdecrypt is a command line tool by John-K (with contributions from artart78) to decrypt PSP binaries and firmware updates, without the need for a PSP.
Historically, decrypting such binaries was done with PSARDumper, a tool that had to run on a hacked PSP in order to grab the necessary decryption keys to do the job. Hackers have extracted many of these keys over the years, so a tool such as pspdecrypt lets tinkerers extract and decrypt those files directly on their PC.
As far as I can tell, there is no groundbreaking reveal in pspdecrypt itself: it reuses past knowledge and code from the PPSSPP emulator and libkirk, but packages them in a way that gives people a useful tool.
And yes, we completely missed this, and had to have Zecoxao wake us up to talk about it (Thanks sir!).
You can download the source code for pspdecrypt on the project’s github here. No binary release, you’ll have to compile it yourself.
Iplloader “Jump Slide” PoC Release
Hacker Mathieulh published a proof of concept for a 14-year-old Lib-PSP iplloader exploit. According to the hacker, this exploit was used to dump an unencrypted version of the IPL block, which gave hackers access to some of the PSP's encryption keys, in particular the 3.5.0 devkit pre-IPL XOR key, before it was cleared from memory.
Lib-PSP iplloader does not validate the location at which it loads/copies the block: it will happily memcpy (at a rate of 1 dword per cycle) to whatever load address is specified in the IPL header, as long as the header passes the checks (KIRK1 hashes, HMAC-SHA1 on 03g+, ...). Those checks vouch for the block's contents, not for its destination, so a correctly signed block can potentially write a payload to arbitrary locations.
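To make that failure mode concrete, here is an added toy loader in C. It is not Mathieulh's PoC and not the real Lib-PSP iplloader code; the header layout, the simulated memory map (loader code at 0x0000, a sanctioned block window at 0x4000) and the integrity check (a 32-bit FNV-1a digest standing in for the KIRK1/HMAC-SHA1 verification) are all assumptions made for illustration. The unchecked loader copies an authentic block over its own code because the header told it to; the hardened variant rejects any destination outside the window before touching memory, while still accepting a well-formed block and still refusing a tampered body.

```c
/* Toy model of an IPL-style block loader (added illustration, not the real
 * iplloader): header layout, memory map and digest are all assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE       0x10000u  /* 64 KiB of simulated memory */
#define LOADER_BASE    0x0000u   /* where the loader's own code "lives" */
#define BLOCK_DST_BASE 0x4000u   /* the only window blocks should land in */
#define BLOCK_DST_SIZE 0x4000u

static uint8_t ram[RAM_SIZE];

struct ipl_block_hdr {
    uint32_t load_addr;  /* destination chosen by whoever wrote the header */
    uint32_t size;       /* body length in bytes */
    uint32_t digest;     /* integrity tag over the body */
};

typedef int (*loader_fn)(const struct ipl_block_hdr *, const uint8_t *);

static uint32_t fnv1a32(const uint8_t *p, uint32_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (uint32_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Stand-in for the KIRK1 / HMAC-SHA1 checks: it vouches for the body bytes,
 * not for where they are about to be written. */
static bool body_authentic(const struct ipl_block_hdr *h, const uint8_t *body)
{
    return fnv1a32(body, h->size) == h->digest;
}

/* Models the flaw: a verified block is copied to whatever load_addr says. */
int load_block_unchecked(const struct ipl_block_hdr *h, const uint8_t *body)
{
    if (!body_authentic(h, body))
        return -1;
    /* Simulation-only guard so the toy never writes outside ram[]; it still
     * lets the copy land on top of the loader itself. */
    if (h->load_addr > RAM_SIZE || h->size > RAM_SIZE - h->load_addr)
        return -2;
    memcpy(&ram[h->load_addr], body, h->size);
    return 0;
}

/* Hardened variant: destination must lie wholly inside the block window,
 * checked with overflow-safe arithmetic before anything is copied. */
int load_block_checked(const struct ipl_block_hdr *h, const uint8_t *body)
{
    if (h->load_addr < BLOCK_DST_BASE)
        return -3;
    uint32_t off = h->load_addr - BLOCK_DST_BASE;
    if (off > BLOCK_DST_SIZE || h->size > BLOCK_DST_SIZE - off)
        return -3;
    if (!body_authentic(h, body))
        return -1;
    memcpy(&ram[h->load_addr], body, h->size);
    return 0;
}

/* Constructed bytes standing in for the loader's own code. */
static const uint8_t loader_code[8] = { 0x3c, 0x08, 0xbc, 0x10, 0x01, 0x00, 0x00, 0x08 };

/* Reset the simulated RAM and build an 8-byte block with a valid digest. */
static void make_block(struct ipl_block_hdr *h, uint8_t *body, uint32_t addr, uint8_t fill)
{
    memset(ram, 0, sizeof ram);
    memcpy(&ram[LOADER_BASE + 0x100], loader_code, sizeof loader_code);
    memset(body, fill, 8);
    h->load_addr = addr;
    h->size = 8;
    h->digest = fnv1a32(body, 8);
}

/* A correctly signed block whose header points at the loader's own code.
 * Returns true when the loader got overwritten. */
bool demo_overwrites_loader(loader_fn load)
{
    uint8_t body[8]; struct ipl_block_hdr h;
    make_block(&h, body, LOADER_BASE + 0x100, 0xaa);
    load(&h, body);
    return memcmp(&ram[LOADER_BASE + 0x100], loader_code, sizeof loader_code) != 0;
}

/* A well-formed block aimed at the sanctioned window; returns the loader's status. */
int demo_legit_block(loader_fn load)
{
    uint8_t body[8]; struct ipl_block_hdr h;
    make_block(&h, body, BLOCK_DST_BASE, 0x55);
    return load(&h, body);
}

/* Same block, but one body byte is flipped after the digest was taken. */
int demo_tampered_block(loader_fn load)
{
    uint8_t body[8]; struct ipl_block_hdr h;
    make_block(&h, body, BLOCK_DST_BASE, 0x55);
    body[3] ^= 0x01;
    return load(&h, body);
}

int main(void)
{
    printf("unchecked loader overwritten: %d\n", demo_overwrites_loader(load_block_unchecked));
    printf("checked loader overwritten:   %d\n", demo_overwrites_loader(load_block_checked));
    printf("legit block: unchecked=%d checked=%d\n",
           demo_legit_block(load_block_unchecked), demo_legit_block(load_block_checked));
    return 0;
}
```

Compile with any C99 compiler and run: the unchecked path reports the loader region overwritten, the checked path refuses with -3, and both accept the legitimate block (0) and reject the tampered one (-1). The point the toy makes is the one in the paragraph above: an integrity check over the payload says nothing about where the payload is allowed to go, so the destination needs its own range check.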
You can get Mathieulh’s recently released files on his github here.