New NAND Flash device support added

July 19th, 2008 silverspring

Support for new nand IC’s from ST Micro (upto 128MB) have been added to the nand driver in newer firmwares. Previously only Samsung (retail PSP) and Toshiba (devkit PSP) nands were supported.

C:
  1. const struct {
  2.     u8 id[2]; // [manufacturer ID, device ID]
  3.     u8 type[2];
  4.     u16 bytesPerPage;
  5.     u16 pagesPerBlock;
  6.     u32 blocksPerDevice;
  7.  
  8. } nandIdTable[] = {
  9.  
  10.     // Toshiba 3.3V NAND Flash family
  11.     { {0×98, 0xE6}, {3, 1}, 512, 16, 1024  }, // 8MB
  12.     { {0×98, 0×73}, {3, 1}, 512, 32, 1024  }, // 16MB
  13.     { {0×98, 0×75}, {3, 1}, 512, 32, 2048  }, // 32MB
  14.     { {0×98, 0×76}, {3, 1}, 512, 32, 4096  }, // 64MB
  15.     { {0×98, 0×79}, {3, 1}, 512, 32, 8192  }, // 128MB
  16.  
  17.     // Samsung 3.3V NAND Flash family
  18.     { {0xEC, 0xE6}, {3, 2}, 512, 16, 1024  }, // 8MB
  19.     { {0xEC, 0×73}, {3, 2}, 512, 32, 1024  }, // 16MB
  20.     { {0xEC, 0×75}, {3, 2}, 512, 32, 2048  }, // 32MB (default TA-079/081 PSP NAND)
  21.     { {0xEC, 0×76}, {3, 2}, 512, 32, 4096  }, // 64MB
  22.     { {0xEC, 0×79}, {3, 2}, 512, 32, 8192  }, // 128MB
  23.     { {0xEC, 0×71}, {3, 2}, 512, 32, 16384 }, // 256MB
  24.     { {0xEC, 0xDC}, {3, 2}, 512, 32, 32768 }, // 512MB
  25.  
  26.     // Samsung 1.8V NAND Flash family
  27.     { {0xEC, 0×39}, {1, 2}, 512, 16, 1024  }, // 8MB
  28.     { {0xEC, 0×33}, {1, 2}, 512, 32, 1024  }, // 16MB
  29.     { {0xEC, 0×35}, {1, 2}, 512, 32, 2048  }, // 32MB (default TA-082/086 PSP NAND)
  30.     { {0xEC, 0×36}, {1, 2}, 512, 32, 4096  }, // 64MB (default TA-085/088 PSP NAND)
  31.     { {0xEC, 0×78}, {1, 2}, 512, 32, 8192  }, // 128MB
  32.    
  33.     // ST Micro 1.8V NAND Flash family
  34.     { {0×20, 0×35}, {1, 2}, 512, 32, 2048  }, // 32MB
  35.     { {0×20, 0×36}, {1, 2}, 512, 32, 4096  }, // 64MB
  36.     { {0×20, 0×39}, {1, 2}, 512, 32, 8192  }, // 128MB
  37. };

More SCE Mind Games™…

January 26th, 2008 silverspring

Have you ever booted up your psp or resumed from sleep and have it appeared bricked (psp freezes then shutoffs)?

Well you can blame SCE for that. You see, if you have corrupt idstorage (keys 4, 5, 6, or 7) there’s an exactly 12.5% chance that on boot the psp will appear bricked. The IPL will check for corrupt keys but will only randomly do so. The check is based on the time, if the current time (in millisecs) is a multiple of (approx.) 8, the IPL will check your idstorage keys and if they are corrupt (ie. if the header for those keys dont match what they should be), the psp will shut itself off.

What is even worse is that this check also occurs during resuming from sleep mode. So one could theoretically boot up the psp fine, sleep, then fail on resume. All of this is to confuse us devs by trying to obscure the problem…very sneaky in my opinion.

Technically, it checks like this:

C:
  1. // a 32/256 (12.5%) chance this check will occur
  2. // errorExit() shuts down the psp
  3. if ((time>>4 ^ time) & 7 == 0)
  4. {
  5.     if ((*(u32*)&leaf4[0] != 0) &&
  6.         (*(u32*)&leaf4[0] != 0x4272796E)) // Bryn
  7.             errorExit();
  8.  
  9.     if ((*(u32*)&leaf5[0] != 0) &&
  10.         (*(u32*)&leaf5[0] != 0x436C6B67)) // Clkg
  11.             errorExit();
  12.  
  13.     if ((*(u32*)&leaf6[0] != 0) &&
  14.         (*(u32*)&leaf6[0] != 0x4D446472)) // MDdr
  15.             errorExit();
  16.  
  17.     if ((*(u32*)&leaf7[0] != 0) &&
  18.         (*(u32*)&leaf7[0] != 0×41506144)) // APaD
  19.             errorExit();
  20. }

So, what do people think of this new trick?

Sneaky? Absolutely. Suprised? Well, this is SCE we’re talking about here.

Another day, another mind game…

EDIT: Slight correction, the time is actually in 500ms intervals (0.5second intervals), not milliseconds.

The mind games SCE play…

December 2nd, 2007 silverspring

We are all familiar with the various tricks SCE use to fool devs, though I recently came across one that has annoyed me the most.

When 3.40 was released, a ‘special’ prx was flashed with the rest of the firmware that didnt seem to be used at all. It was special in that not only was it not used nor referred to once in the entire firmware, it also could NOT be decrypted (the keys to decrypt it simply did not exist in the firmware). Because of this and the fact that the prx was promptly removed from all future firmware (it only exists in 3.40) it was assumed to be a remnant of a debug prx used during testing and they had simply forgot to remove it. Or was it?

The prx was “idcheck.prx”. The module name sounded interesting and on first glance it was assumed to be the debug version of the embedded prx SCE hid in 3.30+ updaters to check for corrupt idstorage in their updaters (the one that refuses to update the PSP if either your keys 4, 5, 6, 7 & 8 were corrupt).

Long story short, the prx has been decrypted and the result was far from expected. It seems that the original module has been taken out and replaced with a dummy instead. The only remains left of the original module was the module name “sceIdCheck” and the data segment, which included the strings “Illegal idstoarge” (SCE always misspell ‘idstorage’), “flash is corrupted”, and “cannot restore PSP system”. The rest of the module (including all the code) had been dummied with another module from the firmware.

Now why would SCE do this? If it were a debug prx that was accidently left in, why would they bother going to the trouble of dummying the code?

Some accidental mistake on their part, or more of their ridiculous mind games at play……