Some part of the firmware is still hidden!
Something odd struck me today (and no, it didn't hurt).
On the 1.0 firmware, from what I can tell ALL the .prx modules in the kernel directory are encrypted ~PSP files. There doesn't appear to be any executable code on there that isn't.
If this is the case, where the heck is the code that is decoding these files??? It can't be encrypted the same way itself, or it wouldn't be able to decode itself. So if we have a dump of Flash0 and Flash1 and it ain't there, then there must be another area we are missing.
Steddy
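One way to check the claim above against an actual dump, as an added example rather than code from this thread: walk a raw image, find module headers, and tell encrypted "~PSP" containers from plain ELF. The two 4-byte magics are standard. The "~PSP" header fields read here (module name at 0x0A, ELF size at 0x28, container size at 0x2C, a 0x150-byte header) are taken from later public descriptions of the format and are assumptions as far as this thread is concerned. The sample buffer is constructed, not a real flash image.

```c
/* Added example (not from the thread): classify module headers in a raw dump.
 * Header offsets beyond the 4-byte magic are assumptions from later public
 * descriptions of the ~PSP container, not something this thread establishes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSP_MAGIC   "~PSP"
#define ELF_MAGIC   "\x7f" "ELF"
#define PSP_HDR_LEN 0x150          /* assumed size of the ~PSP header */

typedef struct {
    size_t   offset;      /* where in the dump the header starts */
    int      encrypted;   /* 1 = ~PSP container, 0 = plain ELF */
    char     modname[29]; /* assumed: 28-byte name at 0x0A, NUL-terminated here */
    uint32_t elf_size;    /* assumed: u32 at 0x28, size of the decrypted ELF */
    uint32_t psp_size;    /* assumed: u32 at 0x2C, size of the whole container */
} module_hit;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan buf for module headers; fills up to max_hits entries, returns the count. */
size_t scan_modules(const uint8_t *buf, size_t len, module_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len && n < max_hits; i++) {
        if (memcmp(buf + i, ELF_MAGIC, 4) == 0) {
            hits[n].offset = i;
            hits[n].encrypted = 0;
            hits[n].modname[0] = '\0';
            hits[n].elf_size = hits[n].psp_size = 0;
            n++;
        } else if (memcmp(buf + i, PSP_MAGIC, 4) == 0 && i + PSP_HDR_LEN <= len) {
            hits[n].offset = i;
            hits[n].encrypted = 1;
            memcpy(hits[n].modname, buf + i + 0x0A, 28);
            hits[n].modname[28] = '\0';
            hits[n].elf_size = rd32(buf + i + 0x28);
            hits[n].psp_size = rd32(buf + i + 0x2C);
            n++;
        }
    }
    return n;
}

/* Plain (unencrypted) ELF modules are the candidates for the code that would
 * have to decrypt the ~PSP files; this counts them. */
size_t count_plain_elf(const uint8_t *buf, size_t len)
{
    module_hit hits[64];
    size_t n = scan_modules(buf, len, hits, 64), plain = 0;
    for (size_t i = 0; i < n; i++)
        plain += (hits[i].encrypted == 0);
    return plain;
}

/* Constructed sample: 0xFF filler, one ~PSP header at 0x200, more filler,
 * then a bare ELF magic at 0x450. Not a real flash image. */
size_t build_sample(uint8_t *out, size_t cap)
{
    const size_t psp_at = 0x200, elf_at = 0x200 + PSP_HDR_LEN + 0x100;
    const size_t total = elf_at + 0x40;
    if (cap < total) return 0;
    memset(out, 0xFF, total);
    memset(out + psp_at, 0, PSP_HDR_LEN);
    memcpy(out + psp_at, PSP_MAGIC, 4);
    memcpy(out + psp_at + 0x0A, "sceExample_Module", 17);
    uint8_t *p = out + psp_at + 0x28;
    p[0] = 0x00; p[1] = 0x40; p[2] = 0x00; p[3] = 0x00; /* elf_size = 0x4000 */
    p[4] = 0x50; p[5] = 0x41; p[6] = 0x00; p[7] = 0x00; /* psp_size = 0x4150 */
    memcpy(out + elf_at, ELF_MAGIC, 4);
    return total;
}

int main(void)
{
    uint8_t dump[0x1000];
    module_hit hits[16];
    size_t len = build_sample(dump, sizeof dump);
    size_t n = scan_modules(dump, len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%06zx %s %-28s elf=0x%x psp=0x%x\n", hits[i].offset,
               hits[i].encrypted ? "~PSP" : "ELF ", hits[i].modname,
               hits[i].elf_size, hits[i].psp_size);
    printf("plain ELF modules: %zu\n", count_plain_elf(dump, len));
    return 0;
}
```

Run it over each file from flash0:/kernel/ (or over a whole lflash dump) and a count of zero plain ELF modules is exactly the situation Steddy describes. Two caveats: a 4-byte magic can occur by chance inside encrypted data, so treat hits inside a known container as noise, and a header at the very end of the image is skipped because the full 0x150 bytes are not available.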
http://forums.ps2dev.org/viewtopic.php?t=1623
nem wrote:There is a bootstrap area with equipment serial IDs in the flash chip, and the area is unreachable by this software.
"bootstrap area with equipment serial IDs in the flash chip"
What is the equipment serial ID? Is it a hardware matter or a software matter? Can this area be read by electrical means?
If there is really no code to perform decryption, maybe there is some hardware implemented decryption protocol between the psp system and the firmware files.
Thanks for the link to PSPDUMP, and apologies for covering something mentioned at the top of that thread. It's so long since I read that one that I forgot all about it.
How are you so sure it's not in the lflash, mrbrown? The forum post referenced is only talking about the flash0 / flash1 device interface, not the block interface that was uncovered in the 'list of known devices' thread.
Has anyone got the source to a piece of code that will read the lflash block level device that I can compile? I have a 1.0 PSP now and I would like to dump my own flash. Sorry guys, I won't post this up if I do it, since that's against the rules.
Cheers
Steddy
Quote:
I've dumped lflash, and there's no bootstrap information there. We've also discussed this at length with nem, who will also confirm that the bootstrap is inaccessible from lflash. However, you're more than welcome to go ahead and examine it :).
I'd love to :) Do you have the source you used to dump it please?
Cheers
Steddy
My test harness isn't in a state where I can give it out. Here's the relevant code:
Because I have only a 32MB memory stick, I dumped out 16MB at a time. Dumping past 32MB (actually a bit earlier than that) won't break anything, but will only read zeros from the device. At 0xffffffff it wraps around to 0.
The only thing this nets you different than flash0: and flash1: is the underlying FAT filesystem itself. There is nothing else of interest here.
#include <pspkernel.h>
#include <pspdebug.h>
#include <pspiofilemgr.h>
#include <stdlib.h>

#ifndef scr_printf
#define scr_printf pspDebugScreenPrintf
#endif

/* Dump bytes_requested bytes of the raw lflash: block device, starting at
 * read_offset, into out_path on the memory stick. Returns 0 on success, -1 on
 * error. Called as dump_lflash("ms0:/flash-part1.bin", 0, 16 * 1024 * 1024)
 * for the first 16MB part and with read_offset = 16 * 1024 * 1024 for the second.
 * PSP_O_* / PSP_SEEK_SET are the pspsdk names for the sceIo flags. */
int dump_lflash(const char *out_path, int read_offset, int bytes_requested)
{
    int ret = -1;
    int res;
    int fd2 = -1;
    int chunk_size = 32 * 1024;
    void *buf = NULL;

    int fd = sceIoOpen("lflash:", PSP_O_RDONLY, 0);
    if (fd < 0) {
        scr_printf("Error during open: %x\n", fd);
        goto done;
    }

    buf = malloc(chunk_size);
    if (!buf) {
        scr_printf("Error alloc'ing read buffer\n");
        goto done;
    }

    /* total_read tracks the device position, read_offset the next offset we
     * still want written. If the seek lands short of read_offset, the loop
     * keeps reading (and discarding) until the two catch up. */
    int total_read = (int)sceIoLseek(fd, read_offset, PSP_SEEK_SET);

    fd2 = sceIoOpen(out_path, PSP_O_CREAT | PSP_O_WRONLY | PSP_O_TRUNC, 0777);
    if (fd2 < 0) {
        scr_printf("Error opening ms file: %x\n", fd2);
        goto done;
    }

    while (bytes_requested > 0) {
        int read_size = bytes_requested;
        if ((total_read >= read_offset && read_size > chunk_size) || (total_read < read_offset)) {
            read_size = chunk_size;
        }
        res = sceIoRead(fd, buf, read_size);
        if (res < 0) {
            scr_printf("Error during read: %x\n", res);
            goto done;
        }
        if (res == 0) {
            break;  /* nothing more to read; don't spin forever */
        }
        if (total_read >= read_offset) {
            bytes_requested -= res;
            read_offset += res;
            sceIoWrite(fd2, buf, res);
        }
        total_read += res;
    }
    ret = 0;

done:
    if (fd2 >= 0) {
        sceIoClose(fd2);
    }
    free(buf);
    if (fd >= 0) {
        sceIoClose(fd);
    }
    return ret;
}
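A host-side sanity check for a dump produced this way, as an added example and not mrbrown's code: since the only extra thing the block device gives you is the FAT filesystem itself, carving the FAT boot sectors out of the raw image (the concatenated 16MB parts) tells you whether you dumped the right region and how big each volume claims to be. The BPB offsets are the standard FAT12/16 layout; the sample image is constructed and nothing here assumes the real layout of the PSP's flash.

```c
/* Added example (not from the thread): carve FAT boot sectors from a raw dump.
 * Per 512-byte sector it requires an x86-style jump opcode, the 0x55AA boot
 * signature at 510, and a plausible BPB; sectors with only the signature are
 * rejected. BPB field offsets are the standard FAT12/16 layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t   offset;               /* byte offset of the boot sector in the dump */
    char     oem[9];               /* OEM name, bytes 3..10, NUL-terminated */
    uint16_t bytes_per_sector;     /* offset 11 */
    uint8_t  sectors_per_cluster;  /* offset 13 */
    uint16_t reserved_sectors;     /* offset 14 */
    uint8_t  fat_count;            /* offset 16 */
    uint16_t root_entries;         /* offset 17 */
    uint32_t total_sectors;        /* offset 19, or 32 if the 16-bit field is 0 */
    uint32_t sectors_per_fat;      /* offset 22, or 36 if the 16-bit field is 0 */
} fat_volume;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Returns 1 and fills *out if the 512 bytes at s look like a FAT boot sector. */
int parse_boot_sector(const uint8_t *s, size_t offset, fat_volume *out)
{
    if (!(s[0] == 0xEB || s[0] == 0xE9)) return 0;   /* jump opcode */
    if (s[510] != 0x55 || s[511] != 0xAA) return 0;  /* boot signature */
    fat_volume v;
    v.offset = offset;
    memcpy(v.oem, s + 3, 8);
    v.oem[8] = '\0';
    v.bytes_per_sector = rd16(s + 11);
    v.sectors_per_cluster = s[13];
    v.reserved_sectors = rd16(s + 14);
    v.fat_count = s[16];
    v.root_entries = rd16(s + 17);
    v.total_sectors = rd16(s + 19);
    if (v.total_sectors == 0) v.total_sectors = rd32(s + 32);
    v.sectors_per_fat = rd16(s + 22);
    if (v.sectors_per_fat == 0) v.sectors_per_fat = rd32(s + 36);
    /* Plausibility checks that weed out stray 0x55AA patterns. */
    if (v.bytes_per_sector < 512 || v.bytes_per_sector > 4096 ||
        !is_pow2(v.bytes_per_sector)) return 0;
    if (!is_pow2(v.sectors_per_cluster)) return 0;
    if (v.reserved_sectors == 0 || v.fat_count == 0 || v.fat_count > 2) return 0;
    if (v.total_sectors == 0 || v.sectors_per_fat == 0) return 0;
    *out = v;
    return 1;
}

/* Walk the dump in 512-byte steps and collect every plausible boot sector. */
size_t carve_fat_volumes(const uint8_t *dump, size_t len, fat_volume *vols, size_t max_vols)
{
    size_t n = 0;
    for (size_t off = 0; off + 512 <= len && n < max_vols; off += 512)
        if (parse_boot_sector(dump + off, off, &vols[n])) n++;
    return n;
}

/* Constructed 8-sector sample (not a real PSP dump): a FAT12-style boot sector
 * in sector 3 and a decoy in sector 5 that carries the 0x55AA signature but a
 * zero sector size, which the BPB checks must reject. */
size_t build_sample(uint8_t *out, size_t cap)
{
    const size_t total = 8 * 512;
    if (cap < total) return 0;
    memset(out, 0, total);
    uint8_t *bs = out + 3 * 512;
    bs[0] = 0xEB; bs[1] = 0x3C; bs[2] = 0x90;
    memcpy(bs + 3, "PSPFLASH", 8);
    bs[11] = 0x00; bs[12] = 0x02;  /* 512 bytes per sector */
    bs[13] = 0x01;                 /* 1 sector per cluster */
    bs[14] = 0x01; bs[15] = 0x00;  /* 1 reserved sector */
    bs[16] = 0x02;                 /* 2 FATs */
    bs[17] = 0x00; bs[18] = 0x02;  /* 512 root entries */
    bs[19] = 0x00; bs[20] = 0x80;  /* 0x8000 sectors = 16MB */
    bs[21] = 0xF8;                 /* media descriptor */
    bs[22] = 0x20; bs[23] = 0x00;  /* 32 sectors per FAT */
    bs[510] = 0x55; bs[511] = 0xAA;
    uint8_t *decoy = out + 5 * 512;
    decoy[0] = 0xEB; decoy[510] = 0x55; decoy[511] = 0xAA;
    return total;
}

int main(void)
{
    uint8_t dump[8 * 512];
    fat_volume vols[4];
    size_t len = build_sample(dump, sizeof dump);
    size_t n = carve_fat_volumes(dump, len, vols, 4);
    for (size_t i = 0; i < n; i++)
        printf("boot sector at 0x%zx oem=%s %u B/sector, %u sectors (%u bytes)\n",
               vols[i].offset, vols[i].oem, vols[i].bytes_per_sector,
               vols[i].total_sectors,
               vols[i].total_sectors * vols[i].bytes_per_sector);
    return 0;
}
```

Read the concatenated parts into a buffer and call carve_fat_volumes on it; total_sectors times bytes_per_sector for each hit should add up to something consistent with the sizes of flash0: and flash1:, and a hit sitting past the point where the device only returns zeros means the wrap-around described above got into the dump.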
mrbrown wrote:Hmm, I don't think it's a good idea for me to post code I reversed from a game. The reasons are a bit complicated, and more than I care to explain, sorry. But malloc() is easily found if you look at the routines calling into the "SysMemUserForUser" library.
Thanks, at least you gave me a start to hack it out myself.