comparison of 1.00 and 1.50 flash0

Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

/data/cert/class1_pca_g2_v2.cer identical
/data/cert/class1_pca_g3v2.cer identical
/data/cert/class1_pca_ss_v4.cer identical
/data/cert/class2_pca_g2_v2.cer identical
/data/cert/class2_pca_g3v2.cer identical
/data/cert/class2_pca_ss_v4.cer identical
/data/cert/class3_pca_g2_v2.cer identical
/data/cert/class3_pca_g3v2.cer identical
/data/cert/class3_pca_ss_v4.cer identical
/data/cert/class4_pca_g2_v2.cer identical
/data/cert/class4_pca_g3v2.cer identical
/data/cert/rsa1024_v1.cer identical
/data/cert/rsa2048_v3.cer identical
/data/cert/rsa_secureserver.cer identical
/data/cert/sce_ca01.cer identical
/data/cert/sce_ca02.cer identical
/data/cert/sce_ca03.cer identical
/data/cert/sce_ca04.cer identical
/data/cert/sce_ca05.cer identical
/data/cert/verisign_tsa_ca.cer identical
/dic/apotp.dic identical
/dic/atokp.dic identical
/dic/aux0.dic identical
/dic/aux1.dic identical
/dic/aux2.dic identical
/dic/aux3.dic identical
/font/jpn0.pgf identical
/font/ltn0.pgf identical
/font/ltn1.pgf identical
/font/ltn10.pgf identical
/font/ltn11.pgf identical
/font/ltn12.pgf identical
/font/ltn13.pgf identical
/font/ltn14.pgf identical
/font/ltn15.pgf identical
/font/ltn2.pgf identical
/font/ltn3.pgf identical
/font/ltn4.pgf identical
/font/ltn5.pgf identical
/font/ltn6.pgf identical
/font/ltn7.pgf identical
/font/ltn8.pgf identical
/font/ltn9.pgf identical
/kd/ata.prx different
/kd/audio.prx different
/kd/audiocodec.prx different
/kd/blkdev.prx different
/kd/chkreg.prx different
/kd/clockgen.prx different
/kd/codec.prx different
/kd/ctrl.prx different
/kd/display.prx different
/kd/dmacman.prx different
/kd/dmacplus.prx different
/kd/emc_ddr.prx different
/kd/emc_sm.prx different
/kd/exceptionman.prx different
/kd/fatmsmod.prx different
/kd/ge.prx different
/kd/gpio.prx different
/kd/hpremote.prx different
/kd/i2c.prx different
/kd/idstorage.prx different
/kd/ifhandle.prx different
/kd/impose.prx different
/kd/init.prx different
/kd/interruptman.prx different
/kd/iofilemgr.prx different
/kd/isofs.prx different
/kd/lcdc.prx different
/kd/led.prx different
/kd/lfatfs.prx different
/kd/lflash_fatfmt.prx different
/kd/libatrac3plus.prx different
/kd/libhttp.prx different
/kd/libparse_http.prx different
/kd/libparse_uri.prx different
/kd/libupdown.prx different
/kd/loadcore.prx different
/kd/loadexec.prx different
/kd/me_for_vsh.prx different
/kd/me_wrapper.prx different
/kd/mebooter.prx different
/kd/mebooter_umdvideo.prx different
/kd/mediaman.prx different
/kd/mediasync.prx different
/kd/memab.prx different
/kd/memlmd.prx different
/kd/mesg_led.prx different
/kd/mgr.prx different
/kd/modulemgr.prx different
/kd/mpeg_vsh.prx different
/kd/mpegbase.prx different
/kd/msaudio.prx different
/kd/mscm.prx different
/kd/msstor.prx different
/kd/openpsid.prx different
/kd/peq.prx different
/kd/power.prx different
/kd/pspbtcnf.txt different
/kd/pspbtcnf_game.txt different
/kd/pspbtcnf_updater.txt different
/kd/pspcnf_tbl.txt different
/kd/pspnet.prx different
/kd/pspnet_adhoc.prx different
/kd/pspnet_adhoc_auth.prx different
/kd/pspnet_adhoc_download.prx different
/kd/pspnet_adhoc_matching.prx different
/kd/pspnet_adhocctl.prx different
/kd/pspnet_ap_dialog_dummy.prx different
/kd/pspnet_apctl.prx different
/kd/pspnet_inet.prx different
/kd/pspnet_resolver.prx different
/kd/pwm.prx different
/kd/reboot.prx different
/kd/registry.prx different
/kd/rtc.prx different
/kd/semawm.prx different
/kd/sircs.prx different
/kd/stdio.prx different
/kd/sysclib.prx different
/kd/syscon.prx different
/kd/sysmem.prx different
/kd/sysmem_uart4.prx only in 1.00-JP
/kd/sysreg.prx different
/kd/systimer.prx different
/kd/threadman.prx different
/kd/uart4.prx different
/kd/umd9660.prx different
/kd/umdman.prx different
/kd/usb.prx different
/kd/usbstor.prx different
/kd/usbstorboot.prx different
/kd/usbstormgr.prx different
/kd/usbstorms.prx different
/kd/usersystemlib.prx different
/kd/utility.prx different
/kd/utils.prx different
/kd/vaudio.prx different
/kd/vaudio_game.prx different
/kd/videocodec.prx different
/kd/vshbridge.prx different
/kd/wlan.prx different
/kd/resource/impose.rsc only in 1.50-US
/vsh/etc/index.dat different
/vsh/etc/jis2ucs.bin different
/vsh/etc/jis2ucs.cbin different
/vsh/etc/ucs2jis.bin identical
/vsh/etc/ucs2jis.cbin identical
/vsh/etc/version.txt different
/vsh/module/auth_plugin.prx different
/vsh/module/chnnlsv.prx different
/vsh/module/common_gui.prx different
/vsh/module/common_util.prx different
/vsh/module/dialogmain.prx different
/vsh/module/game_plugin.prx different
/vsh/module/heaparea1.prx different
/vsh/module/heaparea2.prx different
/vsh/module/impose_plugin.prx different
/vsh/module/msgdialog_plugin.prx different
/vsh/module/msvideo_plugin.prx different
/vsh/module/music_plugin.prx different
/vsh/module/netconf_plugin.prx different
/vsh/module/netplay_client_plugin.prx different
/vsh/module/netplay_server_utility.prx different
/vsh/module/opening_plugin.prx different
/vsh/module/osk_plugin.prx different
/vsh/module/paf.prx different
/vsh/module/pafmini.prx different
/vsh/module/photo_plugin.prx different
/vsh/module/savedata_auto_dialog.prx different
/vsh/module/savedata_plugin.prx different
/vsh/module/savedata_utility.prx different
/vsh/module/sysconf_plugin.prx different
/vsh/module/update_plugin.prx different
/vsh/module/video_plugin.prx different
/vsh/module/vshmain.prx different
/vsh/resource/01.bmp identical
/vsh/resource/02.bmp identical
/vsh/resource/03.bmp identical
/vsh/resource/04.bmp identical
/vsh/resource/05.bmp identical
/vsh/resource/06.bmp identical
/vsh/resource/07.bmp identical
/vsh/resource/08.bmp identical
/vsh/resource/09.bmp identical
/vsh/resource/10.bmp identical
/vsh/resource/11.bmp identical
/vsh/resource/12.bmp identical
/vsh/resource/auth_plugin.rco different
/vsh/resource/game_plugin.rco different
/vsh/resource/gameboot.pmf identical
/vsh/resource/impose_plugin.rco different
/vsh/resource/msgdialog_plugin.rco different
/vsh/resource/msvideo_plugin.rco different
/vsh/resource/music_plugin.rco different
/vsh/resource/netconf_dialog.rco different
/vsh/resource/netplay_plugin.rco different
/vsh/resource/opening_plugin.rco different
/vsh/resource/osk_plugin.rco different
/vsh/resource/osk_utility.rco different
/vsh/resource/photo_plugin.rco different
/vsh/resource/savedata_plugin.rco different
/vsh/resource/savedata_utility.rco different
/vsh/resource/sysconf_plugin.rco different
/vsh/resource/system_plugin.rco different
/vsh/resource/system_plugin_bg.rco different
/vsh/resource/system_plugin_fg.rco different
/vsh/resource/topmenu_plugin.rco different
/vsh/resource/update_plugin.rco different
/vsh/resource/video_plugin.rco different
/vsh/resource/video_plugin_videotoolbar.rco different
Last edited by Vampire on Sun Jul 31, 2005 12:46 am, edited 3 times in total.
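The listing above is the output of comparing two extracted dumps file by file. As an added example (not code from the thread or from any of its posters), the script below produces the same kind of identical / different / only-in-one-dump report for two directory trees by hashing every file with SHA-256. The directory names "1.00-JP" and "1.50-US" are taken from the listing; the tiny sample trees it builds in a temporary directory are constructed for the demo, so it runs stand-alone, and compare_trees() can be pointed at two real dump directories instead.

```python
"""Compare two extracted flash0 dumps file by file.

Added example, not from the thread: reproduces the kind of listing in the
post above (identical / different / only in one dump) for two directory
trees. The sample files built below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large modules never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each relative path (POSIX style, leading slash) to its SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = "/" + p.relative_to(root).as_posix()
            out[rel] = sha256_file(p)
    return out


def compare_trees(root_a: Path, root_b: Path, name_a: str, name_b: str) -> list:
    """Return (path, verdict) pairs in the format of the listing above."""
    ha, hb = tree_hashes(root_a), tree_hashes(root_b)
    rows = []
    for rel in sorted(set(ha) | set(hb)):
        if rel not in hb:
            rows.append((rel, f"only in {name_a}"))
        elif rel not in ha:
            rows.append((rel, f"only in {name_b}"))
        elif ha[rel] == hb[rel]:
            rows.append((rel, "identical"))
        else:
            rows.append((rel, "different"))
    return rows


def build_sample_dumps(base: Path):
    """Constructed sample data: two tiny trees mimicking the real layout
    (file contents are placeholders, not real firmware bytes)."""
    a, b = base / "1.00-JP", base / "1.50-US"
    files = {
        a / "data/cert/sce_ca01.cer": b"cert-bytes",
        b / "data/cert/sce_ca01.cer": b"cert-bytes",
        a / "kd/loadexec.prx": b"\x7fELF-1.00",
        b / "kd/loadexec.prx": b"\x7fELF-1.50",
        a / "kd/sysmem_uart4.prx": b"uart",
        b / "kd/resource/impose.rsc": b"rsc",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return a, b


def demo() -> list:
    """Build the sample dumps in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = build_sample_dumps(Path(tmp))
        return compare_trees(a, b, "1.00-JP", "1.50-US")


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{rel} {verdict}")
```

Hashing rather than byte-comparing means the report can be regenerated from a saved manifest of one dump without keeping the other on hand, which is also the usual way to check a dump against a known-good baseline.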
TerryMathews
Posts: 19
Joined: Thu Mar 31, 2005 5:35 am

Post by TerryMathews »

I haven't fooled around with an exploited PSP, so excuse me if this is beyond the capabilities we have today...

Instead of just comparing the files, can you run a diff on them? I imagine you'd probably have to copy the contents of flash0 onto a MS or something to that effect - I do not know if this is even possible at this time.

If diff doesn't deal with ASM properly by default, I'll find the right command line options or write a small patch to help it understand ASM field length.

Done properly, PS2DIS should be able to translate the output from diff.

Along the same lines, are the contents of the ROM encrypted? If they are, this is all for naught. :)

My gut tells me the gremlin we're looking for lies in the kd directory, and is probably \kd\iofilemgr.prx or \kd\ifhandle.prx
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

TerryMathews wrote: Along the same lines, are the contents of the ROM encrypted? If they are, this is all for naught. :)
All *.prx files except msgdialog_plugin.prx are encrypted.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

The version numbers of the 1.50 modules:

sceATA_ATAPI_driver 1.2
sceAudio_Driver 1.2
sceAudiocodec_Driver 1.1
sceBLK_driver 1.1
sceChkreg 1.2
sceClockgen_Driver 1.1
sceWM8750_Driver 1.2
sceController_Service 1.2
sceDisplay_Service 1.2
sceDMAManager 1.2
sceDMACPLUS_Driver 1.2
sceDDR_Driver 1.1
sceNAND_Driver 1.1
sceExceptionManager 1.2
sceMSFAT_Driver 1.2
sceGE_Manager 1.2
sceGPIO_Driver 1.2
sceHP_Remote_Driver 1.2
sceI2C_Driver 1.1
sceIdStorage_Service 1.1
sceNetIfhandle_Service 1.1
sceImpose_Driver 1.2
sceInit 1.2
sceInterruptManager 1.2
sceIOFileManager 1.2
sceIsofs_driver 1.2
sceLCDC_Driver 1.1
sceLED_Service 1.1
sceLFatFs_Driver 1.2
sceLflashFatfmt 1.1
sceATRAC3plus_Library 1.1
SceHttp_Library 1.1
SceParseHTTPheader_Library 1.1
SceParseURI_Library 1.1
SceUpdateDL_Library 1.1
sceLoaderCoreTool 1.2
sceLoadExec 1.2
me_for_vsh 1.1
sceMeCodecWrapper 1.1
sceMeBooter 1.1
sceMeBooter 1.1
sceUmd_driver 1.2
sceMediaSync 1.2
sceMemab 1.2
sceMemlmd 1.2
sceMesgLed 1.2
sceMgr_Driver 1.2
sceModuleManager 1.2
sceMpeg_library 1.2
sceMpegbase_Driver 1.2
sceMsAudio_Service 1.2
sceMScm_Driver 1.2
sceMSstor_Driver 1.2
sceOpenPSID_Service 1.2
scePEQ_Library_driver 1.1
scePower_Service 1.2
sceNet_Library 1.1
sceNetAdhoc_Library 1.2
sceNetAdhocAuth_Service 1.2
sceNetAdhocDownload_Library 1.1
sceNetAdhocMatching_Library 1.1
sceNetAdhocctl_Library 1.2
sceNetApDialogDummy_Library 1.1
sceNetApctl_Library 1.2
sceNetInet_Library 1.2
sceNetResolver_Library 1.1
scePWM_Driver 1.1
sceReboot 1.2
sceRegistry_Service 1.2
sceRTC_Service 1.2
sceSemawm 1.2
sceSIRCS_IrDA_Driver 1.1
sceStdio 1.2
sceSysclib 1.2
sceSYSCON_Driver 1.1
sceSystemMemoryManager 1.2
sceSYSREG_Driver 1.1
sceSystimer 1.1
sceThreadManager 1.2
sceUart4 1.2
sceUmd9660_driver 1.2
sceUmdMan_driver 1.2
sceUSB_Driver 1.2
sceUSB_Stor_Driver 1.1
sceUSB_Stor_Boot_Driver 1.2
sceUSB_Stor_Mgr_Driver 1.2
sceUSB_Stor_Ms_Driver 1.1
sceKernelLibrary 1.1
sceUtility_Driver 1.2
sceKernelUtils 1.2
sceVaudio_driver 1.1
sceVaudio_driver 1.1
sceVideocodec_Driver 1.1
sceVshBridge_Driver 1.1
sceWlan_Driver 1.2

auth_plugin_module 1.1
sceChnnlsv 1.2
sceVshCommonGui_Module 1.1
sceVshCommonUtil_Module 1.1
sceDialogmain_Module 1.1
game_plugin_module 1.1
scePafHeaparea_Module 1.1
scePafHeaparea_Module 1.1
impose_plugin_module 1.1
sceVshMSDPlugin_Module 1.1
msvideo_plugin_module 1.1
music_plugin_module 1.1
sceVshNetconf_Module 1.1
sceVshGSPlugin_Module 1.1
sceVshGSUtility_Module 1.2
opening_plugin_module 1.1
sceVshOSK_Module 1.1
scePaf_Module 1.1
scePaf_Module 1.1
photo_plugin_module 1.1
sceVshSDAuto_Module 1.1
sceVshSDPlugin_Module 1.1
sceVshSDUtility_Module 1.1
sysconf_plugin_module 1.1
update_plugin_module 1.1
video_plugin_module 1.1
vsh_module 1.1
Last edited by Vampire on Thu Jul 21, 2005 9:19 am, edited 3 times in total.
TerryMathews
Posts: 19
Joined: Thu Mar 31, 2005 5:35 am

Post by TerryMathews »

Vampire wrote: All *.prx files except msgdialog_plugin.prx are encrypted.
Ugh x2. A diff would still be useful, since we would be able to guesstimate how much of a change there was between the versions of each of the files. Maybe we'll get lucky and most of the files have very, very small changes. :)
MrHTFord
Posts: 35
Joined: Tue Feb 10, 2004 2:04 am
Location: England

Post by MrHTFord »

The nature of encryption is such that a change of even a single bit in the pre-encrypted data will likely end up with every byte being different in the encrypted data.
TerryMathews
Posts: 19
Joined: Thu Mar 31, 2005 5:35 am

Post by TerryMathews »

MrHTFord wrote: The nature of encryption is such that a change of even a single bit in the pre-encrypted data will likely end up with every byte being different in the encrypted data.
I was thinking that, with the PSP doing real-time decryption, the files might be broken up into smaller sections for the purpose of encryption/decryption, but you are probably right.
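The two posts above are about how far a single-bit change in a module spreads through its encrypted form. The following is an added example, not code from the thread or from Sony's firmware: it uses HMAC-SHA256 truncated to 16 bytes as a stand-in for a block cipher (the PSP's real cipher and key are not known to this example) and encrypts a constructed blob twice, once in CFB mode, where each ciphertext block feeds the next, and once with a counter-mode keystream. It then counts how many ciphertext bytes change when one plaintext bit is flipped, which is the measurement a byte-wise diff of two encrypted modules would actually be seeing.

```python
"""How far a one-bit plaintext change spreads through the ciphertext.

Added example, not from the thread. A keyed PRF (HMAC-SHA256 truncated to
16 bytes) stands in for a block cipher; key, IV and data are constructed.
"""
import hashlib
import hmac

BLOCK = 16


def prf(key: bytes, block: bytes) -> bytes:
    """Toy block-cipher stand-in: keyed PRF, forward direction only."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB mode: C_i = P_i XOR E(C_{i-1}). A changed plaintext block alters
    C_i and therefore every block after it."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        cblock = xor(chunk, prf(key, prev)[:len(chunk)])
        out += cblock
        prev = cblock
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """P_i = C_i XOR E(C_{i-1}); only the forward PRF is needed."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        cblock = data[i:i + BLOCK]
        out += xor(cblock, prf(key, prev)[:len(cblock)])
        prev = cblock
    return bytes(out)


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: the keystream does not depend on the plaintext, so a
    flipped plaintext bit flips exactly one ciphertext bit (same function
    decrypts)."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        ks = prf(key, nonce + n.to_bytes(8, "big"))
        chunk = data[i:i + BLOCK]
        out += xor(chunk, ks[:len(chunk)])
    return bytes(out)


def differing_bytes(a: bytes, b: bytes) -> int:
    return sum(1 for x, y in zip(a, b) if x != y)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 0x01
    return bytes(b)


def diffusion_report(size: int = 1024, flip_at: int = 512) -> dict:
    """Encrypt a constructed blob and a copy with one bit flipped, and count
    the ciphertext bytes that differ in each mode."""
    key = b"demo-key-not-the-psp-key"      # constructed, demo only
    iv = bytes(range(BLOCK))               # constructed, demo only
    plain = bytes((i * 7) & 0xFF for i in range(size))
    flipped = flip_bit(plain, flip_at)
    cfb_a, cfb_b = cfb_encrypt(key, iv, plain), cfb_encrypt(key, iv, flipped)
    ctr_a, ctr_b = ctr_encrypt(key, iv[:8], plain), ctr_encrypt(key, iv[:8], flipped)
    return {
        "plain_bytes_differing": differing_bytes(plain, flipped),
        "cfb_bytes_differing": differing_bytes(cfb_a, cfb_b),
        "cfb_first_diff": next(i for i in range(size) if cfb_a[i] != cfb_b[i]),
        "ctr_bytes_differing": differing_bytes(ctr_a, ctr_b),
        "roundtrip_ok": cfb_decrypt(key, iv, cfb_a) == plain,
    }


if __name__ == "__main__":
    for k, v in diffusion_report().items():
        print(f"{k}: {v}")
```

With the flip at byte 512 of 1024, CFB leaves everything before that byte untouched and changes almost every byte from the next block onward (roughly 255 of every 256), whereas counter mode changes exactly one byte. Which of the two a diff of encrypted files resembles depends entirely on the mode the firmware uses, which the thread does not establish.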
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

I was just doing the same thing on my own.

Anyway, the question is, what happens if you overwrite loadexec.prx (or is it update_plugin.prx?) with the 1.0 version? ;)
Chaosmachine Studios: High Quality Homebrew.
madcake
Posts: 6
Joined: Thu Jun 16, 2005 2:59 pm

Post by madcake »

If I had a spare 1.50 PSP I would do the following:

Copy the 8106-byte 1.0 "flash0\kd\loadexec.prx" to my 1.5 PSP flash (still assuming that it's possible to write to the flash FAT file system).

The new 1.5 "loadexec.prx" is about 60k, so Sony must have added all the "security enhancements" to this file. The "loadcore.prx" (the second prx, where I would think all loader-related functions are) has nearly the same size, so I don't think Sony changed much in there.

My guess is that after copying the loadexec.prx, the 1.5 PSP will again act like a 1.0 PSP when it comes to loading unencrypted apps.

So, is anyone willing to code / test this? Is it possible to open flash0 for writing and just save the new prx to the flash? I think I'll try it if someone tells me whether this is possible or not - I'd get myself a refurbished unit for testing then ;)

-mc
ziozzang
Posts: 9
Joined: Wed Jun 08, 2005 12:39 pm

Post by ziozzang »

madcake wrote: If I had a spare 1.50 PSP I would do the following:

Copy the 8106-byte 1.0 "flash0\kd\loadexec.prx" to my 1.5 PSP flash (still assuming that it's possible to write to the flash FAT file system).

The new 1.5 "loadexec.prx" is about 60k, so Sony must have added all the "security enhancements" to this file. The "loadcore.prx" (the second prx, where I would think all loader-related functions are) has nearly the same size, so I don't think Sony changed much in there.

My guess is that after copying the loadexec.prx, the 1.5 PSP will again act like a 1.0 PSP when it comes to loading unencrypted apps.

So, is anyone willing to code / test this? Is it possible to open flash0 for writing and just save the new prx to the flash? I think I'll try it if someone tells me whether this is possible or not - I'd get myself a refurbished unit for testing then ;)

-mc
Kewl.
Jioh L. Jung
Seoul, Republic of Korea.
Korean(Native), Japanese(a little), English(somehow).
MMORPG Game Designer.
PSP 1.0 Jap. / iBook OSX 10.4
chaos
Posts: 135
Joined: Sun Apr 10, 2005 5:05 pm

Post by chaos »

See here for some discussion of writing to the flash:

http://forums.ps2dev.org/viewtopic.php?t=1950
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

I just compared the 1.50-US and the 1.50-JP flash0 and they are identical.
madcake
Posts: 6
Joined: Thu Jun 16, 2005 2:59 pm

Post by madcake »

Yes, I expected that. The question is whether it's possible to replace this 1.5 .prx with the 1.0 version - I'll definitely try that as soon as I get my hands on a second PSP for testing...
trollied
Posts: 5
Joined: Sat Apr 02, 2005 5:26 am

Post by trollied »

madcake wrote:
So, is anyone willing to code / test this? Is it possible to open flash0 for writing and just save the new prx to the flash? I think I'll try it if someone tells me whether this is possible or not - I'd get myself a refurbished unit for testing then ;)

-mc
I might be willing to sacrifice a PSP for the cause.....
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

madcake wrote: Yes, I expected that. The question is whether it's possible to replace this 1.5 .prx with the 1.0 version - I'll definitely try that as soon as I get my hands on a second PSP for testing...
Loadexec.prx isn't the one you want to replace. And it's bigger because it includes an embedded module.
madcake
Posts: 6
Joined: Thu Jun 16, 2005 2:59 pm

Post by madcake »

Well, if it's not loadexec.prx then it's loadcore.prx they modified (probably something inside the loadelf code) ... I'll find out ... I have reversed much more difficult stuff in the past ... :)
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

madcake wrote: Well, if it's not loadexec.prx then it's loadcore.prx they modified (probably something inside the loadelf code) ... I'll find out ... I have reversed much more difficult stuff in the past ... :)
Then next time do that before posting. Put some research into it before you have folks heading off in the wrong direction, breaking their PSPs.
Phantom8
Posts: 30
Joined: Fri Jun 17, 2005 10:17 am

Post by Phantom8 »

Instead of guessing which modules are responsible for signed-code checking, why not simply replace all the different modules via the lflash: device? That is, overwrite/inject all modules on fw 1.0 that are different from 1.5. This way, the risk of running into an inconsistency is reduced. Although we're still unable to replace the hidden files, my guess is that the hidden files for the new fw 1.5 may still be compatible with 1.0. Is anyone daring enough to try this out?

[Edit] Someone at psphacks.net has dumped the hidden file. Maybe we can overwrite this onto 1.5. Here is the link:
http://www.psphacks.net/forums/viewtopi ... sc&start=0
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

I think you had better think carefully before you replace any file, or ask someone to replace files from the firmware.

Because while booting up the PSP, the bootstrap MAY do the signature check too. So if you replace a core file which is needed for booting up the PSP, you can say "BYE BYE" to your PSP.

(The bootstrap can be saved in another place inside the PSP, just like your computer's BIOS: when your computer boots up, the motherboard loads the BIOS first, and then loads Windows.)

And please remember that being able to access flash0 and flash1 doesn't mean you already have all the files you need to run the PSP. (BIOS and Windows, got it?)

Phantom8 wrote: Instead of guessing which modules are responsible for signed-code checking, why not simply replace all the different modules via the lflash: device? That is, overwrite/inject all modules on fw 1.0 that are different from 1.5. This way, the risk of running into an inconsistency is reduced. Although we're still unable to replace the hidden files, my guess is that the hidden files for the new fw 1.5 may still be compatible with 1.0. Is anyone daring enough to try this out?

[Edit] Someone at psphacks.net has dumped the hidden file. Maybe we can overwrite this onto 1.5. Here is the link:
http://www.psphacks.net/forums/viewtopi ... sc&start=0
Phantom8
Posts: 30
Joined: Fri Jun 17, 2005 10:17 am

Post by Phantom8 »

laichung wrote: I think you had better think carefully before you replace any file, or ask someone to replace files from the firmware.

Because while booting up the PSP, the bootstrap MAY do the signature check too. So if you replace a core file which is needed for booting up the PSP, you can say "BYE BYE" to your PSP.

(The bootstrap can be saved in another place inside the PSP, just like your computer's BIOS: when your computer boots up, the motherboard loads the BIOS first, and then loads Windows.)

And please remember that being able to access flash0 and flash1 doesn't mean you already have all the files you need to run the PSP. (BIOS and Windows, got it?)
Yes, I understand there are great risks in doing all these firmware downgrade experiments. I think your BIOS and Windows analogy is quite inappropriate. Windows is located on the hard disk and the BIOS is in flash memory. The PSP only has flash memory; there is no other place to store another updatable image. I can understand that the PSP flash memory can have an area for bootstrap code which may not be accessible via lflash:. However, most bootstrap code does not necessarily need to be updated while the main BIOS is being updated. This is true on most systems. There was a post on the psphacker.com forum that a guy named Methix actually did replace the fw 1.5 with 1.0, but he didn't include the hidden files. I would say the end result is quite encouraging, although his PSP is only half workable. His PSP now can only boot UMDs and he can't get to the PSP's home menu. If there were some kind of check being done at bootstrap, his PSP shouldn't be able to boot UMDs. As for the bootstrap check that you claim exists, it should already have halted his PSP when any discrepancy was found. Here is the post from Methix.

http://www.psphacker.com/forum/showthread.php?t=1128
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

That his PSP can only boot from UMD is proof of the existence of the bootstrap.
That's why I said the BOOTSTRAP is like a BIOS. Your computer can boot up from different media (floppy or hard disk) and with different OSes (Linux or Windows), right?

Is there any way to access the BOOTSTRAP (BIOS) from your PROGRAM? Of course yes, that's how $ony updates your PSP! But how? Nobody knows now.

And $ony wouldn't use any standard library function (sceIORead() !?) to access the BOOT area, of course; if they really do that, they are really, really stupid.

Anyway, we have to say thanks to everyone who has the guts to try. THANKS