WPA2 on PSP
Written on August 13th, 2021 by Pierre LAfter the creation of the first TLS 1.3 test application, a logical question might be whether the PSP can ever be cajoled into supporting WPA2.
The detailed answer is below. The short one is that while it might be technically possible, the steps required are complex enough that it probably will not happen.
Official WPA-PSK, WPA-TKIP upgrades
The PSP originally only supported WEP encryption. The official 2.00 firmware upgrade added support for WPA-TKIP. Later on, firmware 2.50 added WPA-PSK support.
We don’t know if WPA was done in PSP-land or through firmware updates for the Marvell Wi-Fi chips (or both). If WPA was done in software, WPA2 could be done in software as well.
The wlan.prx kernel module
The assumption is that WPA was implemented in a prx, and just passes the negotiated key back up into WLAN firmware. So it should be possible to add a WPA2 implementation there.
wlan.prx
is one of the largest of the kernel modules, meaning:
- it’s not some tiny shim for the chip,
- it’s going to take ages to reverse it all.
The module does all of the actual authentication and key management. It can just report WPA to the PSP but do WPA2 internally.
wlanfirm_*g modules
wlanfirm_*g
modules were reversed in the uOFW project. They are basically just shells that upload data to wlan.prx.
The Wi-Fi chips
The PSP contains two Wi-Fi chips designed by Marvell Semiconductor:
88W8010 (RF transceiver chip)
The 88W8010 is an upgraded (802.11g) version of 88W8000 (which only supports 802.11b). So this chip is fine.
88W8380 (MAC)
The Wi-Fi controller is an ARM9 chip, the Marvell Libertas 88W8380.
If it is based on 88W8300, then it only supports 802.11b. But if it is based on 88W8310, then it is 802.11g capable. The 88W8310 chip also support 802.11i and 802.11e, which is AES (WPA) and QoS (quality of service).
Would the 88W8380 firmware need to be rewritten to support WPA2? According to the scheme above, the security engine (WEP, AES, CCM) is within the chip. WEP/WPA is handled directly inside the chip rather than the driver instructing the chip where and when to do encryption routines.
WPA is typically implemented in userspace - think wpa_supplicant on linux. Only key (re-)negotiation is typically done in the OS.
88W8686 (PSP slim)
The PSP 2000 has a 88W8686 chip. With this chipset, WPA2 can be done on the host processor (ie Allegrex). There are some blog posts on CSDN about doing it with an STM32.
Kirk
UMDs are encrypted to prevent manual dumping. Kirk was used for AES-128 encrypt/decrypt. Can Kirk do 128-bit key and 128bit block size AES?
Wired WPA2
A wired WPA2 connection through USB might be possible with a plugin that simulates an Ethernet device.