Communication Processor Update Package: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
(Undo revision 17430 by Dangji (talk) No proof of existence and contributor unknown.)
Tag: Undo
 
(24 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Updates to the communication processor are stored within a special CPUP package contained within Development kit (DEM or PDEL) PUP files.
Communication Processor update files are stored in a .tar.gz encrypted within a CpUp file, encrypted into a SPKG contained within Development kit (DEM or PDEL) PUP files.


In firmware .940 and .945 (and their subsets) exclusively, the CPUP are embedded within encrypted Update Packages.
Every Playstation Update Package (PUP) up to version 0.996.090 ship with 2 distinct CpUp files of the same version for platforms ES1 and ES2 (and later) respectively. Every TOOL PUP since 1.00 only contains a single CpUp.


=== CPUP Structure ===
= CpUp Structure =


Each CPUP shares a common header.
CpUp file is made of a header followed by a data area.
 
== Header ==


{| class="wikitable"
{| class="wikitable"
! Offset !! Size !! Description !! Endianness
! Offset !! Size !! Description
|-
| 0x0 || u32 || Magic "CpUp" byte-reversed ("pUpC")
|-
| 0x4 || u32 || Version. Ex: 01 00 03 01 (1.3.0.1)
|-
|-
| 0x0 || u32 || MAGIC "CpUp" || Little Endian
| 0x8 || u64 || Reserved. Always zeroed.
|-
|-
| 0x4 || u32 || Version || Little Endian
| 0x10 || u32 || Unknown. Always 0x01000000. Maybe CpUp format version or type.
|-
|-
| 0x10 || u32 || Unknown, always 0x01000000 || Little Endian
| 0x14 || u32 || Size. Full CpUp size. 0x10 aligned.
|-
|-
| 0x14 || u32 || Full CPUP Size || Little Endian
| 0x18 || u32 || Header size. Always 0x20.
|-
|-
| 0x18 || u32 || payload/data start address || Little Endian
| 0x1C || u32 || Unpacked data size. tar.gz size.
|-
|-
| 0x1C || u32 || Extracted/Decrypted CPUP size || Little Endian
| EOF-0x100 || 0x100 || RSA Encrypted AES-128-CBC KeyBlob. 0x00-0x10 = IV, 0x10-0x20 = Key, 0x20-0x34 = Sha1
|}
|}


Every CP updates below version 1000 (found in firmware 1.00) are divided in 2 parts (2 distinct CPUP files sharing the same version value).
= CP Information =
 
Every version after version 1000 is only comprised of a single part.


=== CP board id ===
== CP board id ==


* DEM-300xH has the CP board id 3
* DEM-3000H has CP board GCP-001 (0-835-185-02) -> CP board id 3
* PDEL-100x has the CP board id 4
* DEM-3000L has CP board GCP-002 (0-851-147-03) -> CP board id 4
* DEM-3000P has CP board GCP-002 (0-851-147-07) -> CP board id 4
* PDEL-100x has CP board GCP-002 (1-884-532-11) -> CP board id 4


=== CP version ===
== CP version ==


Here are the different CP versions identified as of today:
Here are the known CP firmware versions:


{| class="wikitable"
{| class="wikitable"
|-
|-
! CPUP Header !! CP Version !! System Software Version
! CP Version !! PUP System Software Version !! CP Platform !! cpupdate.bin SHA256
|-
|-
| 00060004 || 0604 || 0.902  
| 0.6.0.4 || 0.902 || ES1 || ada895a81cc6c71382eb8e84444d9b512f9349999636f8baa921919c02a51ee3
|-
|-
| 00080508 || 0858 || 0.931
| 0.6.0.4 || 0.902 || ES2 || ad10843589b88ba63438cd7a0ef2fd42f3e4d22ff5917ff845c8d80f030c386e
|-
|-
| 00090100 || 0910 || 0.940
| 0.8.5.8 || 0.931 || ES1 || 11861ef73bebd95653dcdaa77454a7b3520c890a043b831d07a0b68389af1ab2
|-
|-
| 00090200 || 0920 || DEM-3000H Recovery
| 0.8.5.8 || 0.931 || ES2 || 2aaf8610f306385d395ccb8aaeaa245388f58ee4b2bf689dc40b99e9e4a5a10f
|-
|-
| 00090203 || 0923 || 0.945
| 0.9.1.0 || 0.940 internal-0.940.050 external || ES1 || 7452fadcd867861bf5c852f8019814fd063ea46276391234e4a3b38ef4473352
|-
|-
| 00090501 || 0951 || 0.990
| 0.9.1.0 || 0.940 internal-0.940.050 external || ES2 || de98625e0bb2410c9e3aa775b6968cfdfeebdbe186b4af29c8ce620d29b9a68d
|-
|-
| 00090600 || 0960 || 0.995.000
| 0.9.2.0 || DEM-3000H Recovery || ES2 || n/a
|-
|-
| 00090700 || 0970 || 0.995.070
| 0.9.2.3 || 0.945 || ES1 || 9cf6da719c78f5674a0b0bb7042a2b4eac599a93afe75a04d573af1e69763c3e
|-
|-
| 00090708 || 0978 || 0.996
| 0.9.2.3 || 0.945 || ES2 || d774e280067950c69e6ebaf585ee636ae0bfc7078d3261186e5ee000fa8ef863
|-
|-
| 01000000 || 1000 || 1.000
| 0.9.5.1 || 0.990.030 internal-0.990.140 external || ES1 || aef385dd3651b94df6ab61a6ae5578e2f0e5361efabb08ca243734a2e463348e
|-
|-
| 01000001 || 1001 || 1.030
| 0.9.5.1 || 0.990.030 internal-0.990.140 external || ES2 || fc47823201ba6ce2b4010db64ec4001fc807166c1a3a732629abedcbd6c94afd
|-
|-
| 01000002 || 1002 || 1.040 / PDEL-1001 Recovery
| 0.9.6.0 || 0.995.000 internal || ES1 || f0ed013839eb9e69c73ec0308b341078d6c5f46984355c9b8ef11e098eae5814
|-
|-
| 01000106 || 1016 || 1.500
| 0.9.6.0 || 0.995.000 internal || ES2 || 71c15860ef68b6ab0bff8d44776d47fad592ec3efaa8fe6cfd80a351fd0a9422
|-
|-
| 01000300 || 1030 || 1.600
| 0.9.6.4 || DEM-3000L Recovery || ES2 || n/a
|-
|-
| 01000800 || 1080 || 1.800
| 0.9.7.0 || 0.995.070 external || ES1 || 91d41950af1c619663455d79430ac9fde2f2bbfce9ca32c612fbbbe7f318a6cd
|-
|-
| 01010000 || 1100 || 2.000
| 0.9.7.0 || 0.995.070 external || ES2 || 9197cb159aebec2e1ea39e879ab7ecf1222df6f36e75548f5c4821c7a2fbd1f6
|-
|-
| 01010702 || 1172 || 2.120
| 0.9.7.8 || 0.996 || ES1 || b3bc194db1a07d7a2165b94a6f9031bcf3f6232c31d2e7e0c49f5869d6610db6
|-
|-
| 01010904 || 1194 || 2.500
| 0.9.7.8 || 0.996 || ES2 || 31bd4495f97311b5eec636c4eb7744604c76d535ffe707cbac590f54158726cb
|-
|-
| 01020001 || 1201 || 3.000
| 1.0.0.0 || 1.000.041 || ES2 || 0a97fec5726dd2588cdb3e388d6f6bbb4780001269afca58ea6f4ace9ff50c48
|-
|-
| 01030001 || 1301 || 3.100
| 1.0.0.1 || 1.000.071 || ES2 || b8554c110b7ab1bc26476c417fdf0eca3b37afaf513009ff9331529e39b76e6b
|-
| 1.0.0.2 || 1.030 / PDEL-1001 Recovery || ES2 || d863715a2733aca58f8ec17d96079ba3150d31df35738a3e287739babdd161e4
|-
| 1.0.1.6 || 1.500 || ES2 || ce654edc6801709e35ee80df6224ede77a072073dc7772293398ed518e165788
|-
| 1.0.3.0 || 1.600 || ES2 || eb96c2e1e45d5e95b975e9f07e90f9e38d1d69a9041aa9d06f90f8f13a91392c
|-
| 1.0.8.0 || 1.800 || ES2 || f8caa537dddd4a4a0c90276c9d718dd2262a91addda9bdccbb410aa85e2cc1a3
|-
| 1.1.0.0 || 2.000-2.060 || ES2 || f92e3c497cc9d8e729442463b11f7c93759a23fb3e2f14d05142f7bc9a08a7e6
|-
| 1.1.7.2 || 2.100-2.120 || ES2 || bcf9551a8d8c0b64d3d7a5ea5e861ded24cab4eee37cdc352d615b8310a063c5
|-
| 1.1.9.4 || 2.500 || ES2 || ff175d1b5806794c4c1d5bdc111f6b04bdb18b031a73ac51e94d95e6c6e30d9e
|-
| 1.2.0.1 || 3.000 || ES2 || f9faa70d20263179cfea0d5f95684148a2de12dffa7dbe187aafc4a2dcfb8676
|-
| 1.3.0.1 || 3.100-3.680 || ES2 || dc1320f5a3c98ba4ad80d4a9c04a957641a44167bbfac30b2597cff3cac49af4
|}
|}


=== Kernel Boot Loader logs ===
== Kernel Boot Loader logs ==


The Kernel Boot Loader and Non-secure Kernel Boot Loader respectively reference the current CP version in their bootlog (the version issued by KBL appears in the console output), this follows the below standard:  
The Kernel Boot Loader and Non-Secure Kernel Boot Loader respectively reference the current CP version in their bootlogs (the version issued by KBL appears in the console output). This follows the following standard:


KBL:  
KBL:
<source>Starting PSP2 Kernel Boot Loader [0x%08x]: %d...revision  : %d.build date : %s.....cp info.  : bid.%x ver.%04x</source>
<source>Starting PSP2 Kernel Boot Loader [0x%08x]: %d...revision  : %d.build date : %s.....cp info.  : bid.%x ver.%04x</source>


Line 94: Line 118:
For example "bid.4 ver.1301" stands for board id 4, CP version 1301
For example "bid.4 ver.1301" stands for board id 4, CP version 1301


in NSKBL format the information is logged in the following format: "0x00041301 [0x00041301]: CP bid & version"
In NSKBL format the information is logged in the following format: "0x00041301 [0x00041301]: CP bid & version"
Where 0x0004 is the mask for bid (Board id 4) and 0x1301 is the mask for version (Version 1301).
where 0x0004 is the mask for bid (Board id 4) and 0x1301 is the mask for version (Version 1301).


This version information appear to most likely be read from [[KBL Param#DIP Switches]].


These version information appear to most likely be read from sysroot at offset 0x44 (length u32 in little endian, 0x01130400 for bid.4 ver.1301, or 0x00041301 with the proper endianness)
== psp2ctrl info ==
 
=== psp2ctrl info ===


You can get additional information by using the sdk's psp2ctrl info command.  
You can get additional information by using the sdk's psp2ctrl info command.  
Line 122: Line 145:
     ProtocolVersion: 1.0.5.0
     ProtocolVersion: 1.0.5.0
     Flags: 0x1
     Flags: 0x1
DEM-3000L in normal mode
  CP:
    BoardVersion: 4
    PackageVersion: 1.0.3.0
    RecoveryPackageVersion: 0.9.6.4
    ProtocolVersion: 1.0.7.0
    Flags: 0x0
DEM-3000L in recovery mode: MISSING


PDEL-1001 in normal mode
PDEL-1001 in normal mode
Line 142: Line 176:
Note: The flag exposed in the above examples is the recovery mode flag, while the flag is set to 0x1, recovery mode is active and the CP is running from the recovery bank.
Note: The flag exposed in the above examples is the recovery mode flag, while the flag is set to 0x1, recovery mode is active and the CP is running from the recovery bank.


=== Update ===
= Update Protocol =


The Communication Processor is updated through the use of the SceDeci4pCpup module.
The Communication Processor is updated through the use of the [[SceDeci4pCpup]] kernel module.


=== Downgrade ===
== Downgrade ==


The Communication Processor on PS Vita Development units is not downgradable within normal operations (even when downgrading the unit itself using a PUP).
The Communication Processor on PS Vita Development units is not downgradable within normal operations (even when downgrading the unit itself using a PUP).
It may be possible to downgrade by using the '''psp2ctrl recover-cp cpupdate.bin''' command while in recovery mode where cpupdate.bin is a CPUP of a version equal or higher to the RecoveryPackageVersion, it may also be possible to downgrade from the vita side by patching or bypassing the version check performed by SceDeci4pCpup.
It may be possible to downgrade by using the '''psp2ctrl recover-cp cpupdate.bin''' command while in recovery mode where cpupdate.bin is a CPUP of a version equal or higher to the RecoveryPackageVersion, it may also be possible to downgrade from the vita side by patching or bypassing the version check performed by SceDeci4pCpup.


=== Recovery mode ===
= CP Recovery Mode =


In the event that the CP becomes unresponsive a special recovery mode exists, to enter this mode you need to press the "init" button (physically located at the bottom of the CP) while the AC is plugged in, the CP will then reboot into recovery mode (the led will turn blue, then green).  
In the event that the CP becomes unresponsive, a special recovery mode exists. To enter this mode you need to press the "init" button (physically located at the bottom of the CP) while the AC is plugged in. The CP will then reboot into recovery mode (the LED will turn blue, then green). If your unit is connected, you will get disconnected from TM server until you reconnect the USB cable. You may still experience timeouts when running the psp2ctrl info command, if so your SDK binaries might not be compatible with the version used in the recovery bank and you may need to use older ones.
If your unit is connected, you will get disconected from TM server until you reconnect the usb, you may still experience timeouts when running the psp2ctrl info command, if so your SDK binaries might not be compatible with the version used in the recovery bank and you may need to use older ones.


While in recovery mode, until the AC gets disconnected, the CP will be running its recovery package firmware, while this essentially acts as a downgrade, the version located in the active bank will not change, the version reported by the CP is not the running version but rather the version that's currently flashed in the normal/active bank, it is therefore not possible to downgrade a unit by updating to a PUP while in recovery mode because the version reported will still be higher than the CPUP present inside the PUP.  
While in recovery mode, until the AC gets disconnected, the CP will be running its recovery package firmware. While this essentially acts as a downgrade, the version located in the active bank will not change. The version reported by the CP is not the running version but rather the version that is currently flashed in the normal/active bank. It is therefore not possible to downgrade a unit by updating to a PUP while in recovery mode because the version reported will still be higher than the CPUP present inside the PUP.  


While this does not permanantly downgrades your CP firmware, this is however useful in the attempts of triggering a possible vulnerability that would have been patched on a later revision.
While this does not permanently downgrades your CP firmware, this is however useful in the attempts of triggering a possible vulnerability that would have been patched on a later revision.

Latest revision as of 13:19, 7 January 2023

Communication Processor update files are stored in a .tar.gz encrypted within a CpUp file, encrypted into a SPKG contained within Development kit (DEM or PDEL) PUP files.

Every Playstation Update Package (PUP) up to version 0.996.090 ship with 2 distinct CpUp files of the same version for platforms ES1 and ES2 (and later) respectively. Every TOOL PUP since 1.00 only contains a single CpUp.

CpUp Structure

CpUp file is made of a header followed by a data area.

Header

Offset Size Description
0x0 u32 Magic "CpUp" byte-reversed ("pUpC")
0x4 u32 Version. Ex: 01 00 03 01 (1.3.0.1)
0x8 u64 Reserved. Always zeroed.
0x10 u32 Unknown. Always 0x01000000. Maybe CpUp format version or type.
0x14 u32 Size. Full CpUp size. 0x10 aligned.
0x18 u32 Header size. Always 0x20.
0x1C u32 Unpacked data size. tar.gz size.
EOF-0x100 0x100 RSA Encrypted AES-128-CBC KeyBlob. 0x00-0x10 = IV, 0x10-0x20 = Key, 0x20-0x34 = Sha1

CP Information

CP board id

  • DEM-3000H has CP board GCP-001 (0-835-185-02) -> CP board id 3
  • DEM-3000L has CP board GCP-002 (0-851-147-03) -> CP board id 4
  • DEM-3000P has CP board GCP-002 (0-851-147-07) -> CP board id 4
  • PDEL-100x has CP board GCP-002 (1-884-532-11) -> CP board id 4

CP version

Here are the known CP firmware versions:

CP Version PUP System Software Version CP Platform cpupdate.bin SHA256
0.6.0.4 0.902 ES1 ada895a81cc6c71382eb8e84444d9b512f9349999636f8baa921919c02a51ee3
0.6.0.4 0.902 ES2 ad10843589b88ba63438cd7a0ef2fd42f3e4d22ff5917ff845c8d80f030c386e
0.8.5.8 0.931 ES1 11861ef73bebd95653dcdaa77454a7b3520c890a043b831d07a0b68389af1ab2
0.8.5.8 0.931 ES2 2aaf8610f306385d395ccb8aaeaa245388f58ee4b2bf689dc40b99e9e4a5a10f
0.9.1.0 0.940 internal-0.940.050 external ES1 7452fadcd867861bf5c852f8019814fd063ea46276391234e4a3b38ef4473352
0.9.1.0 0.940 internal-0.940.050 external ES2 de98625e0bb2410c9e3aa775b6968cfdfeebdbe186b4af29c8ce620d29b9a68d
0.9.2.0 DEM-3000H Recovery ES2 n/a
0.9.2.3 0.945 ES1 9cf6da719c78f5674a0b0bb7042a2b4eac599a93afe75a04d573af1e69763c3e
0.9.2.3 0.945 ES2 d774e280067950c69e6ebaf585ee636ae0bfc7078d3261186e5ee000fa8ef863
0.9.5.1 0.990.030 internal-0.990.140 external ES1 aef385dd3651b94df6ab61a6ae5578e2f0e5361efabb08ca243734a2e463348e
0.9.5.1 0.990.030 internal-0.990.140 external ES2 fc47823201ba6ce2b4010db64ec4001fc807166c1a3a732629abedcbd6c94afd
0.9.6.0 0.995.000 internal ES1 f0ed013839eb9e69c73ec0308b341078d6c5f46984355c9b8ef11e098eae5814
0.9.6.0 0.995.000 internal ES2 71c15860ef68b6ab0bff8d44776d47fad592ec3efaa8fe6cfd80a351fd0a9422
0.9.6.4 DEM-3000L Recovery ES2 n/a
0.9.7.0 0.995.070 external ES1 91d41950af1c619663455d79430ac9fde2f2bbfce9ca32c612fbbbe7f318a6cd
0.9.7.0 0.995.070 external ES2 9197cb159aebec2e1ea39e879ab7ecf1222df6f36e75548f5c4821c7a2fbd1f6
0.9.7.8 0.996 ES1 b3bc194db1a07d7a2165b94a6f9031bcf3f6232c31d2e7e0c49f5869d6610db6
0.9.7.8 0.996 ES2 31bd4495f97311b5eec636c4eb7744604c76d535ffe707cbac590f54158726cb
1.0.0.0 1.000.041 ES2 0a97fec5726dd2588cdb3e388d6f6bbb4780001269afca58ea6f4ace9ff50c48
1.0.0.1 1.000.071 ES2 b8554c110b7ab1bc26476c417fdf0eca3b37afaf513009ff9331529e39b76e6b
1.0.0.2 1.030 / PDEL-1001 Recovery ES2 d863715a2733aca58f8ec17d96079ba3150d31df35738a3e287739babdd161e4
1.0.1.6 1.500 ES2 ce654edc6801709e35ee80df6224ede77a072073dc7772293398ed518e165788
1.0.3.0 1.600 ES2 eb96c2e1e45d5e95b975e9f07e90f9e38d1d69a9041aa9d06f90f8f13a91392c
1.0.8.0 1.800 ES2 f8caa537dddd4a4a0c90276c9d718dd2262a91addda9bdccbb410aa85e2cc1a3
1.1.0.0 2.000-2.060 ES2 f92e3c497cc9d8e729442463b11f7c93759a23fb3e2f14d05142f7bc9a08a7e6
1.1.7.2 2.100-2.120 ES2 bcf9551a8d8c0b64d3d7a5ea5e861ded24cab4eee37cdc352d615b8310a063c5
1.1.9.4 2.500 ES2 ff175d1b5806794c4c1d5bdc111f6b04bdb18b031a73ac51e94d95e6c6e30d9e
1.2.0.1 3.000 ES2 f9faa70d20263179cfea0d5f95684148a2de12dffa7dbe187aafc4a2dcfb8676
1.3.0.1 3.100-3.680 ES2 dc1320f5a3c98ba4ad80d4a9c04a957641a44167bbfac30b2597cff3cac49af4

Kernel Boot Loader logs

The Kernel Boot Loader and Non-Secure Kernel Boot Loader respectively reference the current CP version in their bootlogs (the version issued by KBL appears in the console output). This follows the following standard:

KBL:

Starting PSP2 Kernel Boot Loader [0x%08x]: %d...revision   : %d.build date : %s.....cp info.   : bid.%x ver.%04x

NSKBL:

Starting PSP2 Kernel Boot Loader (Non-secure) [0x%08x]: %d...BOOTSW.......%d: 0x%08x....: CP time...: CP bid & version

Where bid. is the Board id and ver. is the CP firmware version For example "bid.4 ver.1301" stands for board id 4, CP version 1301

In NSKBL format the information is logged in the following format: "0x00041301 [0x00041301]: CP bid & version" where 0x0004 is the mask for bid (Board id 4) and 0x1301 is the mask for version (Version 1301).

This version information appear to most likely be read from KBL Param#DIP Switches.

psp2ctrl info

You can get additional information by using the sdk's psp2ctrl info command. Information is displayed as such:

DEM-3000H in normal mode

 CP:
   BoardVersion: 3
   PackageVersion: 0.9.6.0
   RecoveryPackageVersion: 0.9.2.0
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

DEM-3000H in recovery mode

 CP:
   BoardVersion: 3
   PackageVersion: 0.9.6.0
   RecoveryPackageVersion: 0.9.2.0
   ProtocolVersion: 1.0.5.0
   Flags: 0x1

DEM-3000L in normal mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.0.3.0
   RecoveryPackageVersion: 0.9.6.4
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

DEM-3000L in recovery mode: MISSING

PDEL-1001 in normal mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.3.0.1
   RecoveryPackageVersion: 1.0.0.2
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

PDEL-1001 in recovery mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.3.0.1
   RecoveryPackageVersion: 1.0.0.2
   ProtocolVersion: 1.0.7.0
   Flags: 0x1

Note: The flag exposed in the above examples is the recovery mode flag, while the flag is set to 0x1, recovery mode is active and the CP is running from the recovery bank.

Update Protocol

The Communication Processor is updated through the use of the SceDeci4pCpup kernel module.

Downgrade

The Communication Processor on PS Vita Development units is not downgradable within normal operations (even when downgrading the unit itself using a PUP). It may be possible to downgrade by using the psp2ctrl recover-cp cpupdate.bin command while in recovery mode where cpupdate.bin is a CPUP of a version equal or higher to the RecoveryPackageVersion, it may also be possible to downgrade from the vita side by patching or bypassing the version check performed by SceDeci4pCpup.

CP Recovery Mode

In the event that the CP becomes unresponsive, a special recovery mode exists. To enter this mode you need to press the "init" button (physically located at the bottom of the CP) while the AC is plugged in. The CP will then reboot into recovery mode (the LED will turn blue, then green). If your unit is connected, you will get disconnected from TM server until you reconnect the USB cable. You may still experience timeouts when running the psp2ctrl info command, if so your SDK binaries might not be compatible with the version used in the recovery bank and you may need to use older ones.

While in recovery mode, until the AC gets disconnected, the CP will be running its recovery package firmware. While this essentially acts as a downgrade, the version located in the active bank will not change. The version reported by the CP is not the running version but rather the version that is currently flashed in the normal/active bank. It is therefore not possible to downgrade a unit by updating to a PUP while in recovery mode because the version reported will still be higher than the CPUP present inside the PUP.

While this does not permanently downgrades your CP firmware, this is however useful in the attempts of triggering a possible vulnerability that would have been patched on a later revision.