PSP Firmware/Bios Dumped! (split from hello world thread)

nem · Post by **nem** » Sat May 07, 2005 3:35 pm

Orion_ wrote:I can't understand how work the call to kernel function.
does the numbers in startup.s are the address of the functions in kernel/memory ?
how did you find them and what was their parameters ?

I dumped the firmware of PSP by electrical means. Peel off the memory chip from PSP mainboard, connect wires to the chip, find which ball is what, and dumped. In the dumped firmware, there are executables. They are mostly encrypted but there does exist unencrypted executables, by which I learned how dynamic link is done.

Another key stayed in 'PBP Exploit Success... but only on 1.0 psp :(' thread. The posts in the thread brought to me inspiration and valuable information. I want to express my best thanks to them all. Unless they point out that ELF file can be executed, it would take more time.

Importing system call seems to be done by loader of PSP system as follows:

- Module or system call group is choosed by ascii string 'module' of STUB_START
- Systemcall is specified by 32bit ID, 'funcid' of STUB_FUNC, and loader searchs from the list
- Loader patches nop in .text.stub to syscall

Orion_ · Post by **Orion_** » Sat May 07, 2005 4:05 pm

thanks for the answer :)
my utmost respect !

Neila · Post by **Neila** » Sat May 07, 2005 4:18 pm

seriously cool ! =)
how about flashing the chip back with firmware ver1.0? Is that possible?
(ie flash a 1.5 with 1.0)

nem · Post by **nem** » Sat May 07, 2005 4:22 pm

Grover wrote:Another q. To the people who made this - is the elf a normal ps2 elf? Or something a little modified?

Not same. Please refer to outpatch.cpp and startup.s of the source code package, and the executable itself.

Jordan wrote:I've been using Elf2PBP to convert a few PS2 apps this morning, and haven't had any success

This seems to be a common pitfall. Let me explain.
PBP is a sort of archive format like tar, and it contains eight files. PBP is not executable file but something like a package. We need to pack app info, images, and executable file into PBP to execute something on a PSP from memory stick.
Though PSP executable can be compiled by PS2 toolchain, with some special options for compiler, PS2 app is not compatible with PSP. Basically, PS2 and PSP share machine code architecture because they are both MIPS CPU. In detail they are different. PS2 is R5900 and PSP is R4000. Along with hardware and system software architecture difference, PS2 executable binary is not compatible with PSP.
You need to discover some hardware architecture of PSP and system call APIs, patch gcc compiler to make it more suitable for PSP, gather them to PSP SDK, and port/recompile the app.

Busby wrote:Can I ask in what direction your going now with this? any other idea's you are working on?

The Hello World is so simple and has very limited access to the PSP hardware/system software. We need to discover much more information like above mentioned. And, big big big problem to execute own code on 1.50 PSP...
Hmm, what's next to do is also a big problem. :)

Orion_ · Post by **Orion_** » Sat May 07, 2005 4:34 pm

I tried to do something fast but can't test on my psp, cos I flashed it to 1.5 :'(
could someone with a 1.0 psp test it ? thanks :)
http://perso.wanadoo.fr/onori/yn/EBOOT.zip

nem · Post by **nem** » Sat May 07, 2005 4:40 pm

Neila wrote:how about flashing the chip back with firmware ver1.0? Is that possible?

It is possbile but difficult, and need a lot of effort to do so.

First, you need to get firmware dump of 1.00 PSP. Sacrifice a 1.00 PSP and get dumped by means of previously mentioned.
Please, please do not ask me to copy/share/post the firmware. ooPo gets angry and kicks off me :(

Second, peel off the memory chip from 1.50 PSP, connect it to some circuit, and reflash.

Third, put the chip back to mainboard. Some BGA rework is needed, which is not easy thing. Refer to related sites.

And now, you get 1.00 PSP. :)
As usual, there could be easier way but I do not know now.

Neila · Post by **Neila** » Sat May 07, 2005 4:50 pm

I was a just curious (theoretical quastion)... not asking for anything. :)
maybe in a year or two, if there are still no other solutions ;)

Guest · Post by **Guest** » Sat May 07, 2005 8:09 pm

I split this off because I felt this was important news. :)

Yes, this is the real thing. Nem has had this working for awhile now from what I understand. Homebrew dev on PSP owes much to his hard work. :)

ale275 · Post by **ale275** » Sat May 07, 2005 10:10 pm

probably there're some via that allow us to work on bios without desolder it??

LiquidIce · Post by **LiquidIce** » Sat May 07, 2005 10:30 pm

ale275, it's quite possible now that the dump of the original firmware is in the capable hands of a few really good programmers that we might see some tricks posted on how to update firmware on our 1.5's without cracking open the case. However this is just speculation, and don't count on the 1.0 firmware being posted anywhere on these boards.

nem you are the frickin man! You will be my PSP hero forever if you get everyone's 1.5 to do homebrew. I have faith, keep up the good work!

pokeman1019 · Post by **pokeman1019** » Sat May 07, 2005 10:34 pm

I tried to do something fast but can't test on my psp, cos I flashed it to 1.5 :'(
could someone with a 1.0 psp test it ? thanks :)
http://perso.wanadoo.fr/onori/yn/EBOOT.zip

Yep it works.

Orion_ · Post by **Orion_** » Sat May 07, 2005 10:44 pm

pokeman1019 > thanks !
what does it show ?
I hope the graphics and colors are right.

beefyoxo · Post by **beefyoxo** » Sat May 07, 2005 11:21 pm

It looks fantasic Colours seem to consist of Turquise,purple blue green and yellow. Hmm i can make a small psp vid if some one can host it

Orion_ · Post by **Orion_** » Sat May 07, 2005 11:23 pm

I would be glad if someone could make a screencapture, It should be like this (this is the pc version)

beefyoxo : I can host it :)

silkworm · Post by **silkworm** » Sat May 07, 2005 11:26 pm

probably there're some via that allow us to work on bios without desolder it??

These tracks, in particular, look interesting to me:

The pinout image is from a datasheet of a different Samsung IC, KD5657 which is a 32MB/32MB SDR+NAND multi-chip package. The KE5658 is a DDR+NAND combo, also 32MB/32MB. If I'm correct the location of the NAND pins would be similiar.

beefyoxo · Post by **beefyoxo** » Sat May 07, 2005 11:34 pm

I have a PSP vid of PSPlasma running it's 5.5MB just pm me if you want to host it

Shahel · Post by **Shahel** » Sat May 07, 2005 11:44 pm

Orion_ · Post by **Orion_** » Sat May 07, 2005 11:46 pm

thanks for the pictures !
unfortunatly , the colors are all wrong :(

Orion_ · Post by **Orion_** » Sun May 08, 2005 12:12 am

here is the video, thanks to beefyoxo
http://perso.wanadoo.fr/onori/yn/M4V10006.MP4
anyway, the colors are all wrong, even with a correct version, I can't understand why :(

Shapyi · Post by **Shapyi** » Sun May 08, 2005 12:45 am

Orion_ wrote:here is the video, thanks to beefyoxo
http://perso.wanadoo.fr/onori/yn/M4V10006.MP4
anyway, the colors are all wrong, even with a correct version, I can't understand why :(

Because the PSP Hello World demo has the colors BGR instread of RGB. Thats why the colors are wrong. Hope that helps.

Orion_ · Post by **Orion_** » Sun May 08, 2005 12:48 am

nope, I use BGR :)

neckarb · Post by **neckarb** » Sun May 08, 2005 12:49 am

very cool dude i was wondering would it be possible to change the only update that works we have i.e. v1.5 back to someof the v1.00 stuff so that we could run homebrew apps ie if we could make the new update 1.5a or somethin like that any ideas? if im talking rubbish feel free to tell me, just an idea.

fobbio18 · Post by **fobbio18** » Sun May 08, 2005 1:01 am

Can't we trick the system into thinking the 1.00 firmware is an update? Maybe modify the param.sfo or so?

Quick! Somebody port an SNES/MAME emulator to the PSP! :)

Orion_ · Post by **Orion_** » Sun May 08, 2005 1:04 am

looking at the video, the effect is very slow, and it should be faster than that ! (I use fixed point precalc table)
I guess the cpu don't run at fullspeed. if you want a good emulator, we must found how to overclock the psp to its max speed ^^

neckarb · Post by **neckarb** » Sun May 08, 2005 1:20 am

would it be possible to change the only update that works we have i.e. v1.5 back to someof the v1.00 stuff so that we could run homebrew apps ie if we could make the new update 1.5a or somethin like that any ideas? if im talking rubbish feel free to tell me, just an idea.

Orion_ · Post by **Orion_** » Sun May 08, 2005 1:28 am

no, even if we have a dumped 1.0 bios, the 1.5 update program contain an encrypted bios, so we should encrypt the 1.0 bios to replace the 1.5 one, and we still don't know how to do that, and if someone find how to encrypt things for psp, then we don't need 1.0 bios anymore because we could encrypt the homebrew program directly and run it on 1.5 ^^

neckarb · Post by **neckarb** » Sun May 08, 2005 1:31 am

oh ok just an idea

Guest · Post by **Guest** » Sun May 08, 2005 1:50 am

ale275 wrote:probably there're some via that allow us to work on bios without desolder it??

There are no vias on the PSP mainboard that I could see. There are many effin tiny pads however.

Orion_ · Post by **Orion_** » Sun May 08, 2005 2:51 am

thanks a lot to beefyoxo for beta testing my little demo
after some test, here is the final version with correct colors :)
http://perso.wanadoo.fr/onori/yn/EBOOTv5.zip

and photo by beefyoxo:
http://perso.wanadoo.fr/onori/yn/DSC00099.JPG

Thanhda · Post by **Thanhda** » Sun May 08, 2005 3:22 am

Neila wrote:seriously cool ! =)
how about flashing the chip back with firmware ver1.0? Is that possible?
(ie flash a 1.5 with 1.0)

man, we shouldnt be thinking of how to go from 1.5 to 1.0, we should be thinking how can we go from 1.0 code to 1.5 code.

To: Nem, when do you think this will be posible?