More SCE Mind Games™…

January 26th, 2008 silverspring

Have you ever booted up your PSP or resumed from sleep and had it appear bricked (the PSP freezes, then shuts off)?

Well, you can blame SCE for that. You see, if you have corrupt idstorage (keys 4, 5, 6, or 7) there's exactly a 12.5% chance that on boot the PSP will appear bricked. The IPL will check for corrupt keys, but only does so randomly. The check is based on the time: if the current time (in millisecs) is a multiple of (approx.) 8, the IPL will check your idstorage keys, and if they are corrupt (i.e. if the header for those keys doesn't match what it should be), the PSP will shut itself off.

What is even worse is that this check also occurs when resuming from sleep mode. So one could theoretically boot up the PSP fine, sleep, then fail on resume. All of this is to confuse us devs by trying to obscure the problem… very sneaky in my opinion.

Technically, it checks like this:

    // a 32/256 (12.5%) chance this check will occur
    // errorExit() shuts down the psp
    if ((((time >> 4) ^ time) & 7) == 0)
    {
        // a key passes if its header is zero or the expected magic
        if ((*(u32*)&leaf4[0] != 0) &&
            (*(u32*)&leaf4[0] != 0x4272796E)) // Bryn
                errorExit();
        if ((*(u32*)&leaf5[0] != 0) &&
            (*(u32*)&leaf5[0] != 0x436C6B67)) // Clkg
                errorExit();
        if ((*(u32*)&leaf6[0] != 0) &&
            (*(u32*)&leaf6[0] != 0x4D446472)) // MDdr
                errorExit();
        if ((*(u32*)&leaf7[0] != 0) &&
            (*(u32*)&leaf7[0] != 0x41506144)) // APaD
                errorExit();
    }
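The time gate and the four header checks, as an added C model written for this page (it is not the IPL's code and not from the post), assuming host-order 32-bit loads of each leaf header like the little-endian PSP, 16-byte stand-ins for the leaves, and the function names shown:

```c
#include <stdint.h>
#include <string.h>

/* Expected header of idstorage keys 4..7 (the constants quoted in the post),
 * read as *(u32*)&leaf[0]: host byte order, like the little-endian PSP. */
static const uint32_t HDR[4] = {
    0x4272796Eu, /* key 4: "Bryn" */  0x436C6B67u, /* key 5: "Clkg" */
    0x4D446472u, /* key 6: "MDdr" */  0x41506144u, /* key 7: "APaD" */
};
/* The time gate. 'time' is the IPL's tick (500 ms units per the post's
 * correction). Fires for exactly 32 of every 256 values, i.e. 1 in 8. */
int ipl_check_fires(uint32_t time)
{
    return (((time >> 4) ^ time) & 7) == 0;
}
/* A key passes if its header is all-zero or the expected magic. */
int leaf_header_ok(const uint8_t *leaf, uint32_t expected)
{
    uint32_t hdr;
    memcpy(&hdr, leaf, sizeof hdr);
    return hdr == 0 || hdr == expected;
}
/* 1 if this boot/resume ends in errorExit(): gate fires AND a key header is bad. */
int psp_would_shut_off(uint32_t time, const uint8_t *leaves[4])
{
    if (!ipl_check_fires(time))
        return 0; /* corrupt or not, this boot looks fine */
    for (int i = 0; i < 4; i++)
        if (!leaf_header_ok(leaves[i], HDR[i]))
            return 1;
    return 0;
}
/* How many of the 256 low time values fire the gate (expect 32 = 12.5%). */
int count_firing_times(void)
{
    int n = 0;
    for (uint32_t t = 0; t < 256; t++)
        n += ipl_check_fires(t);
    return n;
}
/* Constructed case: keys 4..6 valid, key 7 header = leaf7_hdr (wrong value = corrupt). */
int demo_shutoff(uint32_t time, uint32_t leaf7_hdr)
{
    uint8_t buf[4][16] = {{0}};
    const uint8_t *leaves[4] = {buf[0], buf[1], buf[2], buf[3]};
    for (int i = 0; i < 3; i++)
        memcpy(buf[i], &HDR[i], 4);
    memcpy(buf[3], &leaf7_hdr, 4);
    return psp_would_shut_off(time, leaves);
}
```

Counting the firing ticks shows why the symptom is intermittent: the same corrupt key 7 passes at tick 1 and shuts the unit off at tick 0.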

So, what do people think of this new trick?

Sneaky? Absolutely. Surprised? Well, this is SCE we're talking about here.

Another day, another mind game…

EDIT: Slight correction: the time is actually in 500ms intervals (0.5 second intervals), not milliseconds.

03g model PSP …revisited…

January 18th, 2008 silverspring

More proof of the HDD.

Just as the first fat firmware (1.00) was rushed out, it seems the first slim firmware (3.60) was also rushed. A certain module that shipped only on original 3.60 retail slims was (incredibly stupidly) compiled with full debug info intact. Extracted from the debug info was this:

    typedef enum {
        SCE_MGVIDEO_DEV_HDD0 = 0x10,
        SCE_MGVIDEO_DEV_MS0 = 0x20
    } SceMgVideoDeviceUnit;

From the debug info, there are ways to stream MagicGate-protected video from HDD.

There is a ton of useful debug info extracted. Also noteworthy were references to Skype and the boot mode "app" (other modes: "vsh", "game", "updater", "pops", etc.), which Skype boots into. There seem to be plans to release more of these 'app's in the future. Perhaps more towards a full PDA… (03g).