Service mode by power supply pins?


groepaz
Posts: 305
Joined: Thu Sep 01, 2005 7:44 am

Post by groepaz »

haha :)
jimparis
Posts: 1145
Joined: Fri Jun 10, 2005 4:21 am
Location: Boston

Post by jimparis »

Of course the real secret is how the pre-IPL code was first dumped and how the custom MS IPL was signed, but I'm not sure of all the details at the moment :) With moonlight's custom IPL example posted here though, you can dump the pre-IPL easily, and run unsigned code at IPL time.
Art
Posts: 642
Joined: Wed Nov 09, 2005 8:01 am

Post by Art »

So there IS a battery firmware serial matching that on the outside printed label?
Well, aren't I the moron (see post above).
Art.
nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm

Post by nem »

A long time has passed since I appeared on the scene.
Here is how I found the way to get into service mode. Pretty long. ;)

There was a rumor that the battery may be involved in service mode, so firstly I examined battery communication. The text below was written a long time ago and includes some obsolete descriptions.


Battery communication reversed

I used a microcontroller to sniff communications between PSP and battery.

Electrical
Not much investigated.
One-wire time-divided bi-directional serial.


Data format and protocol
Asynchronous serial communication. 19200bps, NRZ, LSB-first, 8 bit data, even parity, 1 stop bit.
Always initiated by the PSP, and the battery replies. A break signal is issued by the PSP at start-up of communication. The packet format is the same in both directions.

Variable sized packet formatted as:

Code:

start mark     (1)    0x5a:psp->battery  0xa5:battery->psp 
packet size    (1)    bytesize of packet excluding start mark and packet size 
type           (1)    packet type 
data           (*)    optional 
bcc            (1)    sum of all octets in packet to be 0xFF, from start mark to bcc 

Packet type and meanings, reply format

Code:

type  description          data    reply from battery   remark 
0x01  request status       none    unknown_flag:u8      
                                   energyleft_mAh:u16   
0x02  request temperature  none    temperature:u8       Celsius degrees, min/max value unknown 
0x03  request voltage      none    voltage_mV:u16       
0x04  request current      none    current_mA:short     positive if charging battery 
0x07  request capacity     none    capacity_mAh:u16 
0x09  request timeleft     none    timeleft_min:u16     XMB does not show this value 
0x0c  request serialno     none    serialno:u32         suspected
0x80  request auth?        9byte   16byte               encrypted data/reply 
0x81  request auth?        8byte   8byte                encrypted data/reply 

Code:

type  description          data    remark 
0x05  reply from battery   none    NAK, BCC error and so on??
0x06  reply from battery   *       ACK, with reply data 

unknown_flag may be related to in/out currents. Note that the value is not consistent with this guess when the battery is fully charged, the PSP is powered off and DC is connected, so there may be other meanings.
Type 0x80/0x81 for battery authentication??
First byte of data of type 0x80 request is 0x00, others are random-looking.


Typical sequences
When battery placed : 01, 0C, 80, 81, 01, 80, 81
Every 30 seconds with DC in : 01, 80, 81
Every 30 seconds without DC in : 01, 0C, 80, 81
Cold start : 01, 07, 09, 02, 04, 03, 01


Which to craft?
Possible candidates at this time:

reply to type 01 : non-usual value
reply to type 0C : some special region of value
reply to type 80 : need to know about encryption
reply to type 81 : need to know about encryption
others : non-usual value



Faking the communication

I added some circuitry to fake battery communication. The original battery is needed because the authentication algorithm is unknown. I interrupted the serial line and changed specific texts. For some third-party unlicensed batteries, the algorithm would already be cracked by someone, or not ;).

Authentication
Authentication is still unknown. Here are some specimens of chosen-text requests.

Code:

Text 0x80 data part : reply from battery 
00 00 00 00 00 00 00 00 00 : A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71 
00 00 00 00 00 00 00 00 01 : A5 12 06 A7 AA C2 5F E1 ED 17 3E 7E 4F 9B 7D D7 E1 6F 1A 87 
00 00 00 00 00 00 00 00 02 : A5 12 06 F6 08 B1 51 5B 88 7D CF 86 C2 47 A7 1F 31 64 14 15 
00 00 00 00 00 00 00 00 03 : A5 12 06 11 2C 35 79 D3 E8 6E A5 31 42 DB 00 A2 5E 00 9E 9D 
00 00 00 00 00 00 00 00 04 : A5 12 06 C4 C8 8D FE B9 3E D3 3A 42 EA 8F 55 2E 0A F8 0F D8 
00 00 00 00 00 00 00 00 05 : A5 12 06 90 A3 50 6D 67 71 3F B8 FB 49 E1 C6 BD B6 AD EC 8C 
00 00 00 00 00 00 00 00 06 : A5 12 06 5A 57 BE 60 CD 95 07 83 01 6F 2D CA F0 10 05 80 9B 
00 00 00 00 00 00 00 00 07 : A5 12 06 A4 A9 A6 6F 01 5D 91 A3 37 C0 8A 07 B1 93 4B 5B DC 
00 00 00 00 00 00 00 00 08 : A5 12 06 18 F3 46 6E C6 3C D2 58 A5 D8 DE B0 CD AA F3 6C 76 
00 00 00 00 00 00 00 00 09 : A5 12 06 75 C3 88 58 0C 23 C8 8B 2F 5A 46 EF C9 17 3D A8 25 
00 00 00 00 00 00 00 00 0A : A5 12 06 BD 40 B2 CA 77 AA 15 14 35 09 D3 A3 FB 2C 39 98 D3 
00 00 00 00 00 00 00 00 0B : A5 12 06 0B 51 80 3E 2F 0E 07 87 B2 6B 54 B4 2E BC 26 EC 3C 
00 00 00 00 00 00 00 00 0C : A5 12 06 A9 7A A7 44 19 61 07 4F BD 86 A3 BD A3 57 86 E2 5F 
00 00 00 00 00 00 00 00 0D : A5 12 06 3E 46 97 E2 4D DE 5C D0 2D 51 7A E6 01 27 E6 06 FC 
00 00 00 00 00 00 00 00 0E : A5 12 06 9B DB 06 3D 89 56 89 99 AC E1 90 B5 61 E1 B5 90 2F 
00 00 00 00 00 00 00 00 0F : A5 12 06 10 D1 2E FD 71 30 22 72 B0 57 18 A5 00 8C 27 21 69 

Emergency shutdown?
A reply from the battery to a 0x01 text with the 0x40 bit (bit 6) of the first data byte set will cause immediate shutdown of the PSP. The bit would mean critical failure of the battery, or something like that, I guess.


Special battery serial number to force behavior of PSP
Trying some faked texts, I found the way to service mode.
The serial number request is text type 0x0c, and the battery replies with text 0x06 carrying a 4-byte serial number. Faking the serial number causes special behavior of the PSP. At this time I needed hardware to rewrite the serial number reply text.

Code:

type  description          data    reply from battery
0x0c  request serialno     none    serialno:u32      

Serial number 0x00000000 will force PSP to power on with normal mode when placing the battery.
Serial number 0xffffffff will force PSP to power on with service mode when placing the battery.



Investigate circuit board inside the battery

There are at least two types of circuit board inside the PSP battery module. I have not investigated the new-style battery module, which has a smaller circuit board. Both have the same model number, PSP-110, but seem to have different part codes and serial number formats on the label. On the bottom right of the label, '2-177-077-01' would be old-style, 'CGA-4B101A' would be new-style.

The old-style circuit board inside the battery has a 2048-bit serial EEPROM, organized as 16-bit data x 7-bit address: S93C56, indicated as IC04. It is an 8-pin SOP with pin configuration 'GR'.

Code:

Pin assign of IC04
1  CS    Chip select, active high
2  SK    Serial data clock, DIN latched at positive edge, DOUT changes on positive edge
3  DIN   Serial data in
4  DOUT  Serial data out
5  GND   Ground
6  NC    Not connected
7  NC    Not connected
8  Vcc   Power (2.5V??)   

Code:

DIN/DOUT connection
 IC05(pull-up inside??) --- DIN(3pin) --- 10kohm(R21) -- DOUT(4pin)  

I looked into how this EEPROM is accessed while placed in the PSP, and found that this EEPROM is the storage of the serial number, which is accessed just before replying to the serial number request from the PSP. Word (16-bit) address 0x07 holds the lower half, read MSB first; address 0x09 holds the upper half. The address values are somewhat weird, but I have no idea why. I did not observe other address/data accesses during my brief analysis.

Next I peeled off the EEPROM and dumped it to confirm that the serial number is actually in it.



Modifying battery circuit board to make 'service mode battery'

I found another way which does not need special hardware. It can be done by modifying the circuit board inside the battery. There would be some risk, so I recommend this method for emergency use only. Rewriting the data responsible for the serial number inside the EEPROM is the best way.

The idea of the 'service mode battery' is to force the serial number to 0xffffffff. Since DIN/DOUT seem to be pulled up, all you need to do is cut DOUT. I floated IC04 pin 4 from the circuit board and confirmed the battery works as a 'service mode battery'. Note that the chip is always powered and the pins are hot; be careful while making attempts.

This method is just a hack and may cause the battery to brick or malfunction, including overcharging under specific conditions. The EEPROM has other information, like total capacity, which would be read at some time.



Service mode is within 'software land'

I looked into sceSyscon_driver functions and found an API to read/write the EEPROM inside the battery which stores the serial number. Both old-style and new-style batteries are supported by this.

sceSyscon_driver stub

Code:

	STUB_START	"sceSyscon_driver",0x00010000,0x00020005
	STUB_FUNC	0x1165C864,sceSyscon_driver_1165C864
	STUB_FUNC	0x68EF0BEF,sceSyscon_driver_68EF0BEF
	STUB_END 

C prototype

Code:

// text 0x13 - write battery EEPROM
// addr:00..7f  data:0000..ffff
// return error code
u32 sceSyscon_driver_1165C864(u8 addr, u16 data);

// text 0x14 - read battery EEPROM
// addr:00..7f  
// return error code or data(0000xxxx)
//   0x802500b8 : battery not in place
u32 sceSyscon_driver_68EF0BEF(u8 addr); 

Read EEPROM

Code:

// battery EEPROM : 16bit data x 7bit address 
u16 eepromdump[0x80];

	// read entire EEPROM.  store it somewhere to backup. 
	u32 address, data;
	for (address=0; address<0x80; address++) {
		data=sceSyscon_driver_68EF0BEF(address);
		if (data & 0xffff0000) fatalerror();	// upper half non-zero: error code (e.g. 0x802500b8, battery not in place)
		eepromdump[address]=data;
	}
	writetofile(eepromdump); 

Patch battery EEPROM

Code:

	// overwrite serial number to 0xffffffff to make service mode battery 
	// serial number is stored at address 0x07 and address 0x09 
	u32 r;
	r=sceSyscon_driver_1165C864(0x07, 0xffff);	// lower 16bit
	if (r) fatalerror();
	r=sceSyscon_driver_1165C864(0x09, 0xffff);	// upper 16bit
	if (r) fatalerror(); 

Note that the battery EEPROM can also be read/written by direct hardware serial communication with the battery. Actually I used this method before I found the functions. Text 0x13 is for writing, text 0x14 is for reading the battery EEPROM. This requires some hardware though.



The box opened

Bit4 of 0xbe240004 is affected by the special serial number 0xffffffff, and this is the trigger to service mode. I do not know yet how this works.

By this time I had made up a method to bypass IPL block decryption/authentication and run plaintext MIPS code, that is, the first 0xb0 bytes of the block. With the enormous efforts of the Prometheus members, Pandora is out now.

'Forging IPL block' is another long story; it may be told sometime, somewhere.
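The framing rules nem describes (start mark, size, type, data, BCC) are enough to check a captured packet and to decode the reply fields from the type table, so here is a small codec written as an added example for this thread; it is not nem's code or anything from the PSP firmware. The three specimen lines are copied from the 0x80 table above, the constructed test inputs are labelled as such, and one detail the post does not state is assumed: multi-byte reply fields (u16/u32) are taken as little-endian. Function and constant names are my own.

```python
"""PSP <-> battery packet codec, an added example based on nem's protocol notes.

Not nem's code. Framing and field names follow the tables in the post; the
little-endian byte order of u16/u32 reply fields is an assumption of this example.
"""
import struct

START_PSP = 0x5A       # start mark, PSP -> battery
START_BATTERY = 0xA5   # start mark, battery -> PSP
TYPE_NAK = 0x05
TYPE_ACK = 0x06
SHUTDOWN_BIT = 0x40    # bit 6 of the status flag: PSP shuts down immediately

SERIAL_NORMAL_MODE = 0x00000000
SERIAL_SERVICE_MODE = 0xFFFFFFFF

# Three reply lines copied from the 0x80 specimen table in the post
# (requests 00..00 00, 00..00 01 and 00..00 02).
SPECIMEN_REPLIES = [
    "A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71",
    "A5 12 06 A7 AA C2 5F E1 ED 17 3E 7E 4F 9B 7D D7 E1 6F 1A 87",
    "A5 12 06 F6 08 B1 51 5B 88 7D CF 86 C2 47 A7 1F 31 64 14 15",
]


def bcc(prefix: bytes) -> int:
    """BCC is the byte that makes the sum of all octets, start mark to BCC, equal 0xFF (mod 256)."""
    return (0xFF - sum(prefix)) & 0xFF


def build_packet(start: int, ptype: int, data: bytes = b"") -> bytes:
    """Frame a packet: start mark, size (= type + data + bcc), type, data, bcc."""
    size = 1 + len(data) + 1
    if size > 0xFF:
        raise ValueError("data too long for the one-byte size field")
    prefix = bytes([start, size, ptype]) + data
    return prefix + bytes([bcc(prefix)])


def parse_packet(raw: bytes) -> dict:
    """Validate start mark, size field and BCC; return direction, type and data."""
    if len(raw) < 4:
        raise ValueError("packet shorter than start+size+type+bcc")
    start, size = raw[0], raw[1]
    if start not in (START_PSP, START_BATTERY):
        raise ValueError(f"bad start mark 0x{start:02x}")
    if len(raw) != 2 + size:
        raise ValueError(f"size field {size} does not match {len(raw) - 2} bytes present")
    if (sum(raw) & 0xFF) != 0xFF:
        raise ValueError("BCC error")
    return {
        "direction": "psp->battery" if start == START_PSP else "battery->psp",
        "type": raw[2],
        "data": raw[3:-1],
    }


def check_specimens() -> list:
    """One bool per specimen: framing valid, ACK type, and the 16-byte reply the post describes."""
    out = []
    for line in SPECIMEN_REPLIES:
        try:
            pkt = parse_packet(bytes.fromhex(line))
            out.append(pkt["type"] == TYPE_ACK and len(pkt["data"]) == 16)
        except ValueError:
            out.append(False)
    return out


def boot_mode_for_serial(serial: int) -> str:
    """The two special serial values the post observed; anything else is an ordinary battery."""
    if serial == SERIAL_SERVICE_MODE:
        return "service"
    if serial == SERIAL_NORMAL_MODE:
        return "normal"
    return "ordinary"


def decode_reply(request_type: int, reply: bytes) -> dict:
    """Interpret a battery reply according to the request type it answers."""
    pkt = parse_packet(reply)
    if pkt["direction"] != "battery->psp":
        raise ValueError("not a battery reply")
    if pkt["type"] == TYPE_NAK:
        return {"nak": True}
    if pkt["type"] != TYPE_ACK:
        raise ValueError(f"unexpected reply type 0x{pkt['type']:02x}")
    d = pkt["data"]
    if request_type == 0x01:                         # status: flag u8, energy u16
        flag, energy = struct.unpack("<BH", d[:3])   # byte order assumed little-endian
        return {"flag": flag, "energy_mAh": energy,
                "emergency_shutdown": bool(flag & SHUTDOWN_BIT)}
    if request_type == 0x02:                         # temperature u8
        return {"temperature_C": d[0]}
    if request_type == 0x03:                         # voltage u16
        return {"voltage_mV": struct.unpack("<H", d[:2])[0]}
    if request_type == 0x04:                         # current, signed 16-bit
        return {"current_mA": struct.unpack("<h", d[:2])[0]}
    if request_type == 0x0C:                         # serial number u32
        serial = struct.unpack("<I", d[:4])[0]
        return {"serial": serial, "boot_mode": boot_mode_for_serial(serial)}
    return {"raw": d}                                # 0x80/0x81 etc.: opaque


def serial_from_eeprom(words: list) -> int:
    """Serial number from a 128-word dump: word 0x07 is the lower half, word 0x09 the upper half."""
    return ((words[0x09] & 0xFFFF) << 16) | (words[0x07] & 0xFFFF)
```

`check_specimens()` confirms the BCC rule against the captured lines (every listed reply sums to 0xFF), which is the quickest sanity check when sniffing the line yourself; `serial_from_eeprom()` takes the kind of 0x80-word array the read loop in the post produces.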
danzel
Posts: 182
Joined: Fri Nov 04, 2005 11:03 pm

Post by danzel »

Awesome stuff nem, always interesting to see the process :-)
I'm eagerly awaiting further stories down the IPL path.
Hellcat
Posts: 83
Joined: Wed Jan 24, 2007 2:52 pm

Post by Hellcat »

danzel wrote:I'm eagerly awaiting further stories down the IPL path.
Awesome read, indeed!

I'd have much interest in more IPL stories and info :)
memturbo
Posts: 2
Joined: Tue Sep 11, 2007 11:48 pm

Post by memturbo »

Could you tell us where to cut the DOUT? I can't seem to find it on the board.

Thanks
memturbo
Posts: 2
Joined: Tue Sep 11, 2007 11:48 pm

Post by memturbo »

I found it and it worked great.
Used it on my 3.52 and downgraded just fine, thanks.
Kreationz
Posts: 52
Joined: Sun May 18, 2008 11:01 am

DOUT Pin on the small board

Post by Kreationz »

My battery is the type on the 2nd page. The one with chip 780102h. Where is the DOUT pin located for that style of board? I'm a noob where electronics are concerned, but all I need is chip and pin number and I can get it from there. My skills lie in programming. Any help is greatly appreciated.