Hi.
Yesterday I had an idea of how to dump the preipl on these mb.
When the PSP powers up, the preipl gets copied to the scratchpad RAM (0x00010000).
My idea is this: we power up the PSP with a pandora battery without any MS. The preipl doesn't find the ipl and falls into an infinite cycle.
Now we can dump the ram externally using a pc connected to the psp mb. Dumping the RAM is easier than dumping the ROM directly from the CPU.
However, we can't just dump the RAM while the PSP is running. But if we power down the PSP and IMMEDIATELY power up only the RAM using the pc, the RAM doesn't get cleared and we can read it without any problem (the power down can also be controlled by the pc).
We still need to cut some mb traces to connect the RAM to the pc. But we can use some pc-controlled bridges to connect the traces when psp is running and to disconnect them when we have to access the RAM from the pc.
Uhm, scratchpad ram? You mean the piece of sh*t which no one uses, not even sony? I don't recall seeing any copy to scratchpad, but only to BFC/BFD memory areas which get remapped for the occasion.
adrahil wrote: Uhm, scratchpad ram? You mean the piece of sh*t which no one uses, not even sony? I don't recall seeing any copy to scratchpad, but only to BFC/BFD memory areas which get remapped for the occasion.
Torch wrote: Seriously though, how DO you go about dumping the pre-IPL without an exploit in a working IPL ??
I just went through the 2.70 IPL thread, where you were working on dumping the pre-IPL using 1.50 D: D: D: D:
Doesn't look like it's humanly possible on new firmware!