I've some questions:
- What's to first fw file loaded from the flash?
Does it load the pspbtcnf.bin ( and pspbtcnf_02g.bin for the Slims I think ) and than load the modules in the list?
Why in the M33 cfw there's 3 btcnf files?
( pspbtjnf_02g.bin, pspbtknf_02g.bin, pspbtlnf_02g.bin)
- All the patch in the M33 cfw are on the fly?
I've see that sysconf_plugin or paf or some other modules that have to be patched for a cfw isn't patched, so all the patches are made in the RAM, right?
Sorry for my english
PSP Boot sequence
-
Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
I think its vshmain.prx that loads first.
Back, before the PSP Fat was release, the testing fw was nothing more than a Hello World program(it was more like DC3-5). Now these days, sony use service mode to check for any type of bug, how the psp operates,etc. Even when testing new developed fw, service mode is use. I know this information isnt answering your the rest of your questions, its just a small heads up.
Back, before the PSP Fat was release, the testing fw was nothing more than a Hello World program(it was more like DC3-5). Now these days, sony use service mode to check for any type of bug, how the psp operates,etc. Even when testing new developed fw, service mode is use. I know this information isnt answering your the rest of your questions, its just a small heads up.
-
sauron_le_noir
- Posts: 203
- Joined: Sat Jul 05, 2008 8:03 am
The IPL/reboot.bin loads a different pspbt?nf.bin depending on the No-UMD mode. In that, depending on the game mode/ vsh mode etc it will load the corresponding modules in order.
If you want to put a custom module here, anything complex should be put after mediasync.prx as most of the modules before that are required for most programs.
If you want to put a custom module here, anything complex should be put after mediasync.prx as most of the modules before that are required for most programs.
As phobox said, it's not completed...sauron_le_noir wrote:Look here for ipl info
Anyway, the reboot.bin where's is placed?
So IPL "Part 3" load up the reboot.bin that check the current SE config (???) and run the pspbt*nf.bin that load up the FW\CFW?
So the reboot.bin is started also on loadexec, right?
Get Xplora!
-
Super Sheep
- Posts: 31
- Joined: Sun Mar 23, 2008 2:16 am
- Contact:
When reboot.bin is decompressed from loadexec (which call is hooked), rebootex is loaded from systemctrl and gzip decompressed. The decompressed data is stored at 0x88FC0000 and the jump into the reboot.bin is patched to jump to systemctrl's rebootex.
From here various patches (including psp*.bin) and hooks are placed in the Sony reboot.bin and then jumps into it.
From here various patches (including psp*.bin) and hooks are placed in the Sony reboot.bin and then jumps into it.
-
SilverSpring
- Posts: 110
- Joined: Tue Feb 27, 2007 9:43 pm
- Contact:
Again, a post which makes absolutely no sense (btw just so you know, vshmain.prx is actually the very LAST fw file to be loaded).Dariusc123456 wrote:I think its vshmain.prx that loads first.
Back, before the PSP Fat was release, the testing fw was nothing more than a Hello World program(it was more like DC3-5). Now these days, sony use service mode to check for any type of bug, how the psp operates,etc. Even when testing new developed fw, service mode is use. I know this information isnt answering your the rest of your questions, its just a small heads up.
Reboot.bin is only used for kernel reboots (ie. anytime a loadexec occurs), it doesn't reboot the hw like a cold reset does and is not even used on normal boot ups (it's just, as the name suggests, for warm reboots only). Reboot.bin is embedded in the loadexec.prx but is essentially the same as the IPL part3 (iplpayload) which is basically just a sysmem+loadcore binary with an lfat driver.
They both start booting the modules from the pspbtcnf file, first being sysmem+loadcore; loadcore as the name suggests then "loads the core of the fw", everything upto init.prx; init.prx then loads the rest of the fw as listed in the pspbtcnf. On a normal boot, this ends with the loading of the vshmain.prx module. Both the reboot.bin & iplpayload only load/starts the two prxs sysmem+loadcore (SCE seems to like doing things in three, 3 stages of the IPL, 3 stages of the fw: sysmem+loadcore, upto init.prx, then rest of the modules).
I've pretty much finished it, just in a rough draft point form. I need to do a proper rewrite of it and clean up, then I'll promise to publish it (hopefully soon-ish).phobox wrote:that should be completed, its a pity it is not, what we can read is well done!
Thanks very much SilverSpring,
so when I startup the PSP after hw initialization, start "IPL3", it loadup sysmem and loadcore than does some things and loadup "init.prx", than init loadup the fw modules list stored in pspbtjnf.bin.
On loadexec the same thing appens, (but there no hardware, hardware is initialized with IPL part 1, 2),
this is being done by "reboot.bin", that is loaded in memory by "loadexec.prx" at address 0x88FC0000.
Then jump to addr, reboot.bin loadup sysmem+loadcore that load init.prx and all the modules on pspbt?nf.bin.
This is what I've understand, it's right?
Anyway I've another question, on M33 fw there's some btcnf files, why?
It's for UMD Mode, POPS and HB?
Thanks again SilverSpring!
so when I startup the PSP after hw initialization, start "IPL3", it loadup sysmem and loadcore than does some things and loadup "init.prx", than init loadup the fw modules list stored in pspbtjnf.bin.
On loadexec the same thing appens, (but there no hardware, hardware is initialized with IPL part 1, 2),
this is being done by "reboot.bin", that is loaded in memory by "loadexec.prx" at address 0x88FC0000.
Then jump to addr, reboot.bin loadup sysmem+loadcore that load init.prx and all the modules on pspbt?nf.bin.
This is what I've understand, it's right?
Anyway I've another question, on M33 fw there's some btcnf files, why?
It's for UMD Mode, POPS and HB?
Thanks again SilverSpring!
Last edited by ne0h on Sat Jan 17, 2009 12:59 am, edited 1 time in total.
Get Xplora!
The C file is not used in CFW.
By default I think it boots in K file in XMB. If you extract one of them, its like this. For a given file, which modules to load in what mode. Basically if you want to flash a module to use in game mode, you will need to add it to all the files so that it works in all No-UMD modes.
By default I think it boots in K file in XMB. If you extract one of them, its like this. For a given file, which modules to load in what mode. Basically if you want to flash a module to use in game mode, you will need to add it to all the files so that it works in all No-UMD modes.
Code: Select all
$/kd/sysmem.prx VGUPA
$/kd/loadcore.prx VGUPA
$/kd/exceptionman.prx VGUPA
$/kd/interruptman.prx VGUPA
$/kd/threadman.prx VGUPA
$/kd/dmacman.prx VGUPA
$/kd/systimer.prx VGUPA
$/kd/iofilemgr.prx VGUPA
$/kd/memlmd_02g.prx VGUPA
$/kd/modulemgr.prx VGUPA
$/kd/systemctrl_02g.prx VGUPA
$/kd/init.prx VGUPA
$/kd/loadexec_02g.prx VGUPA
$/kd/lowio.prx VGUPA
$/kd/ge.prx VGUPA
$/kd/idstorage.prx VGUPA
$/kd/syscon.prx VGUPA
$/kd/rtc.prx VGUPA
$/kd/lfatfs.prx VGUPA
$/kd/clockgen.prx VGUPA
$/kd/codec.prx VGUPA
$/kd/audio.prx VGUA
$/kd/display_02g.prx VGUPA
$/kd/ctrl.prx VGUPA
$/kd/led.prx VGUPA
$/kd/hpremote_02g.prx VGUPA
$/kd/power.prx VGUPA
$/kd/openpsid.prx VGPA
$/kd/usb.prx VGA
$/kd/mediaman.prx VGU
$/kd/ata.prx VGU
$/kd/umdman.prx VGU
$/kd/umdcache_02g.prx G
$/kd/umd9660.prx VGU
$/kd/isofs.prx VGU
$/kd/msstor.prx VGUPA
$/kd/fatms.prx VGUPA
$/kd/wlan.prx VGUPA
$/kd/wlanfirm_02g.prx VGUPA
$/kd/registry.prx VGUPA
$/kd/mgr.prx VPA
$/kd/msaudio.prx V
$/kd/chkreg.prx VUP
$/kd/mesg_led_02g.prx VGUPA
$/kd/semawm.prx V
$/kd/amctrl.prx VGPA
$/kd/npdrm.prx VPA
$/kd/idcanager.prx P
$/kd/iofilemgr_dnas.prx VGPA
$/kd/np9660.prx A
$/kd/isofs.prx A
$/kd/chnnlsv.prx VP
$/kd/utility.prx VGUPA
$/kd/popsman.prx P
$/kd/mediasync.prx VGUPA
$/kd/me_wrapper.prx VGUA
$/kd/vaudio.prx VU
$/kd/impose.prx VGUPA
$/kd/popcorn.prx P
$/kd/avcodec.prx V
$/kd/vshbridge.prx VU
$/kd/vshctrl.prx V
$%/kd/usersystemlib.prx VGUPA
$%/vsh/module/libfont_hv.prx P
$%/vsh/module/pafmini.prx P
%%/kd/dummy_anchor_IhariUafaayk98.prx GUA
$%/kd/libatrac3plus.prx V
$%/vsh/module/paf.prx V
$%/vsh/module/common_gui.prx V
$%/vsh/module/common_util.prx VP
$%/vsh/module/libpspvmc.prx P
%%/kd/dummy_anchor_IhariUafaayk98.prx P
$%%/vsh/module/vshmain.prx V
No need to post the file, I don't need it, I don't want to add a module, only want to learn, nothing else...
Thanks anyway...
EDIT:
XMB boots with pspbtjnf*, there's some library as pafmini and lib_font that it's used in xmb...
EDIT AGAIN:
There's a way to dump the IPL Part 3?
Thanks anyway...
EDIT:
XMB boots with pspbtjnf*, there's some library as pafmini and lib_font that it's used in xmb...
EDIT AGAIN:
There's a way to dump the IPL Part 3?
Get Xplora!
Yes it uses the pandora exploit. The custom IPL/reboot.in ignores the pspbtcnf.bin and loads the other ones that include further M33 modules.ne0h wrote:Sorry but I've another question, the M33 cfw was based on a custom IPL, right?
How can cfw run unsigned IPL?
Does it use the Pandora expoit?
Thanks again
Ok, so M33 IPL is very similar to the Sony one, but is loads a different boot file, "pspbtjnf.bin" instead of "pspbtcnf.bin" and what else?
The sign-check "process" are patched in the IPL?
Sorry, I'm still a noob on this things...
Thanks
The sign-check "process" are patched in the IPL?
Sorry, I'm still a noob on this things...
Thanks
Get Xplora!
I don't know what the M33 patches are. Better you ask moonlight.
AFAIK the NAND IPL is rewritten such that the M33 IPL comes first (uses pandora exploit) followed by the Sony IPL. The pre-IPL is such that it loads the complete IPL, and then jumps to the entry point that is specified. Hence the Sony IPL is already in memory, but the entry point is M33 IPL. So M33 IPL executes first, then patches the Sony IPL to disable whatever protections (I have no idea), and continues to boot normally from the pspbtjnf.bin. Almost the same patches are done in M33 reboot.bin.
AFAIK the NAND IPL is rewritten such that the M33 IPL comes first (uses pandora exploit) followed by the Sony IPL. The pre-IPL is such that it loads the complete IPL, and then jumps to the entry point that is specified. Hence the Sony IPL is already in memory, but the entry point is M33 IPL. So M33 IPL executes first, then patches the Sony IPL to disable whatever protections (I have no idea), and continues to boot normally from the pspbtjnf.bin. Almost the same patches are done in M33 reboot.bin.
I've tried to dump the IPL with PSARDUMPER but...
Now I've ten mysterious files:
1000_files_table.bin ( and 200_* )
nandipl_01g.bin ( and 02g )
part1_nandipl_01g.bin
part2_nandipl_01g.bin
part3_nandipl_01g.bin ( 0 bytes???? )
I've seen that the part3 is empty!
0 bytes! why?
and nandipl has the same size of part1, what's it?
Can someone explain what's these files?
Now I've ten mysterious files:
1000_files_table.bin ( and 200_* )
nandipl_01g.bin ( and 02g )
part1_nandipl_01g.bin
part2_nandipl_01g.bin
part3_nandipl_01g.bin ( 0 bytes???? )
I've seen that the part3 is empty!
0 bytes! why?
and nandipl has the same size of part1, what's it?
Can someone explain what's these files?
Get Xplora!
-
SilverSpring
- Posts: 110
- Joined: Tue Feb 27, 2007 9:43 pm
- Contact:
Did you at least try searching?ne0h wrote:Have anyone the sceNandLib documented ?
Expecially I need:sceNandEraseBlockWithRetry
sceNandReadPagesRawAll
sceNandReadBlockWithRetry
sceNandWriteBlockWithVerify
http://forums.ps2dev.org/viewtopic.php?t=6898
-
Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am