BIOS Recovery Mode


Guest

Post by Guest »

Heh. ARMs are much more common than ppl realize, and not just in the PSP. ;)

Anyhow, back when I was tracing the lines from the remote port down from the daughterboard it shares with (wifi IIRC) they appeared to head straight to the snap connector and then down to one of the main CPUs. I can't find that little board anymore, misplaced it somewhere, and my memory is fuzzy so don't quote me.
Herben
Posts: 107
Joined: Sun Jan 25, 2004 10:25 am

Post by Herben »

I have 2 of them installed on my torso. :)
modman
Posts: 31
Joined: Sat Feb 12, 2005 7:09 am
Location: Philadelphia, PA

Post by modman »

Here's some info about the ARM9 processor in the PSP and JTAG goodness.
It is most likely futile to attack the ARM9 for weaknesses but maybe someone will think of something.

Marvell Libertas 88W8010 (RF Transceiver)
Marvell Libertas 88W8380 (ARM9 Processor)

http://www.marvell.com/products/wireles ... 8W8510.pdf

Internal Images of the ARM9:
=====

http://pc.watch.impress.co.jp/docs/2004/1212/psp43.jpg
http://pc.watch.impress.co.jp/docs/2004/1212/psp53.jpg

JTAG:
====

http://jtag-arm9.sourceforge.net/
http://staff.philau.edu/barberej/dev/bo ... torial.pdf
http://www.elinux.org/wiki/BSDL
http://www.linux-hacker.net/cgi-bin/Ult ... 0&Session=
SCPH-50001/N
HD SCPH-20401 U
Eyetoy SLEH-00031
Network Adaptor SCPH-10281
Logitech Z680 via FIber w00t!
Sony Wega TV + USB Keyboard
http://staff.philau.edu/barberej/
>NIL:
Posts: 26
Joined: Sat May 14, 2005 6:29 am
Location: .ie

Post by >NIL: »

Good post!

But from looking at this new information (and more pictures of the inside of the beast), I would tend to share gorim's opinion that the serial lines we're interested in have nothing to do with the ARM9 CPU.

The more I look into it, the more I think the ARM9 is for WiFi and WiFi only, because:
- Sony would never have left another company (Marvell) handle something as sensitive as a serial line, let alone the other features I originally thought the ARM9 could be responsible for (like encryption). Given that Marvell specialize in wireless networking and that these chips bear a Marvell stamp (instead of a Sony one), it is doubtful they are used for serial.
- This WiFi daughterboard bears all the marks of something that was subcontracted by Sony for a single purpose (WiFi), and that is pretty much used as a stock component in the PSP (like a static connector for instance). It also seems Sony went as far as allowing a shut down of the whole WiFi daughterboard through the side switch, in order to extend battery life (even idle, an extra CPU draws power). I don't see anything else but the ARM9 chip that this switch would be meant to shut down.
Now, if that CPU was meant to handle something else than WiFi (like data access), it is unlikely that Sony would allow the PSP to run with the ARM9 off.

Therefore I agree with modman that looking into the ARM9 is probably futile, not because there are no weaknesses, but because I doubt it will tell us much about the system and how we could use the serial line.

What I don't get though is that the signal voltages on the extra connector are different from the CPU voltage. I don't see much point in increasing the voltage, unless Sony is having trouble coming up with external serial chips that can handle that low a voltage...

On the other hand, if the serial lines are going more or less straight through the MIPS and if the rumour about the audio/extra port reflash is true (but that's a lot of 'ifs'), this makes the whole firmware thing slightly easier to figure out, as it means that everything comes down to the MIPS.

Oh, and while I'm at it, it seems that if you're wealthy enough, you can get some company to do SEM (Scanning Electron Microscope) images of the PSP's chips for you (See here).
Hope we won't have to come to that to figure out the internals of the PSP. ;)
_skitzo_
Posts: 1
Joined: Sun Jun 05, 2005 4:57 am

Post by _skitzo_ »

After reading this whole post I've become very interested in JTAGing my PSP.

After taking it apart there have been a few spots that have caught my eye but can't get a proper read from them.

What I'm wondering is this: does it use a Bios chip or two?

This could be like Dishnet 301.13 and/or Sony XM radio which you need to remove the chip and throw it in a Dishnet IRD to reflash. I have yet to find anything that has caught my eye. But will keep you all posted in my findings.
r.i.p Utopia
gsa
Posts: 3
Joined: Tue Jun 07, 2005 3:48 am

Post by gsa »

Having seen this post from a supposed Sony employee:

http://forums.ps2dev.org/viewtopic.php?t=2026
3.) OR... Come to terms that someone will realize our Bios can be flashed, with the ++ script.<hint?>
At the risk of sounding silly and a little far-fetched, and seeing that the remote control port supports RS-232, maybe this reference is to the Hayes AT "+++" command which basically takes a modem out of data mode and back to the AT command mode.

Maybe the communication protocol we are seeing between the PSP and the remote is in "data" mode and by sending the "+++" string (allowing for 100ms delay between each "+" sent) the port is brought back to AT command mode and we find there is an AT command to flash the unit over the serial port.

Now do not ask me why the PSP will support the AT Hayes command set and what advantage it will suppose to a packet oriented protocol such as the one people have been observing on the remote control port.

Sounds like an easy thing to test if somebody has already plugged in an RS-232 driver to the remote control port, if not I will try and post the results.

gsa
Shine
Posts: 728
Joined: Fri Dec 03, 2004 12:10 pm
Location: Germany

Post by Shine »

gsa wrote: At the risk of sounding silly and a little far fetched, and seeing that the remote control port supports RS-232 maybe this reference is to the Hayes AT "+++" command which basically takes a modem out of data mode and back to the AT command mode.
I don't think that it is that easy, but now that the decrypted 1.0 kernel can be dumped (thanks to http://forums.ps2dev.org/viewtopic.php?t=2021), I think a buffer overflow exploit in kernel will be found within some days, which maybe works in 1.5, too.
Kamilion
Posts: 24
Joined: Tue Mar 01, 2005 11:40 am

Post by Kamilion »

[BALEETED]

-- Love,
Strongbad
ooPo
Site Admin
Posts: 2023
Joined: Sat Jan 17, 2004 9:56 am
Location: Canada

Post by ooPo »

echo "+ +" > .rhosts
>NIL:
Posts: 26
Joined: Sat May 14, 2005 6:29 am
Location: .ie

Post by >NIL: »

Let's throw some more fuel on the fire... No idea how far we can trust this source (if at all), but according to edepot.com:
The remote control (PSP-120) of the Sony PSP is actually replaceable with a more feature rich version found on many Mini-Disc and Walkman Disc players. For example, you can substitute one of those remotes that actually display the songs being played on small LCD displays. However, on some of the remotes you may need to lop off the plug and rewire the lines to use the PSP-120 plug (which is 6-pin: 3 on top and 3 on bottom). Note that the remote control port on the PSP provides dual purposes. Besides providing headset and remote control functionality, it can be used to initiate special commands to the PSP. Provided you have the correct gear, and have sent the correct communication (via RS232 at 4800 baud) via the remote control port, you can even send new code for execution and put the PSP in a special diagnostic mode. It is known that via this port the PSP is reset to factory default state before it is shipped, and to restore bad firmware flashes. It is unlikely that whole firmware codes are transferred on the remote control port at 4800 baud because sending multi-megabyte code at 4800 baud would take too long. Flashing new firmware via the USB port (because of bad firmware install) is impossible because the USB port is off by default when you first turn on the PSP (this is why you need to select "SETTINGS->USB Connection" before you can use any USB devices; to turn on the USB port). So is it possible to create whole new operating systems by simply reflashing the PSP's firmware? Yes, but the firmware must be in the correct format and encrypted with the correct key (which only Sony knows). But since the firmware provides basic hardware operational functionality, the OS can reside on the UMD or memory stick, so re-flashing the firmware may be going a little overboard. The PSP can also function as a dummy UMD device (like a CD-ROM drive in a PC). 
You send commands via the remote control and the PSP would return data from different sectors of the UMD disc via the headset port.
This seems to concur with all the rumours we've heard about the capabilities of the Remote port (but it might just be the source for all of these).
At this early stage of course, anything is worth investigating... ;)
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Actually it's just stuff he regurgitated from our forums and possibly others. It was Marcus Comstedt who figured out the pins on the headphone port, and the whole bit about flashing via that port is just speculation that originated here (just search for it). Lest we forget the edepot guy is the one who revealed this about the "PSP2":
Of course nothing is complete without mentioning the PS3 when discussing PlayStation devices. The PS3 is actually very similar to PSP2 (the next version of PSP). If you want to take a look at what the PSP2 will look like, just take a look at any standard notebook computer like the Sony VAIO S notebook. It has a widescreen (like the PSP), and you can fold it down to protect the screen (similar to Nintendo DS). Of course it may not be that big, but you get the idea. It will be able to play games and have all the standard fast graphical chips, but this time with a powerful operating system to do more than just games. After the "GAME" will come "COMPUTER" apps in the XMB menu. Note that the PSone comes with a portable LCD screen. If the PS3 comes with one, then it will actually be a bigger cousin of the PSP2, or even be the PSP2 if it is small enough.
That site was good for a laugh when he first posted here.
>NIL:
Posts: 26
Joined: Sat May 14, 2005 6:29 am
Location: .ie

Post by >NIL: »

Yeah... that's why I was being cautious in the first place.
As soon as I get the proper hardware though, I'll be having a closer look at that serial line. AFAIK, nobody went any further than just snooping the serial communications between the remote and the PSP. Not to be dismissive of the work that's been done, but that is still tantalizingly wanting for more information:
- With the proper RS232 line drivers, can we emulate the remote control from the serial port of a PC?
- If this is possible (which is more than likely), can we then try to figure out additional commands that might be of interest?