SBORPS http://my.malloc.us/silverspring SilverSpring's bunch of random PSP stuff... Fri, 08 Oct 2010 01:13:30 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 SBORPS Random Fact 10 http://my.malloc.us/silverspring/2010/10/sborps-random-fact-10/ http://my.malloc.us/silverspring/2010/10/sborps-random-fact-10/#comments Thu, 07 Oct 2010 22:45:34 +0000 silverspring http://my.malloc.us/silverspring/?p=165 Support for NAND flash IC's from Hynix has been added to the NAND driver. Specifically, three extra models from 1.8V family:

C:
  1. ManufacturerID = 0xAD (Hynix)
  2. ChipID = 0x35 (32MB)
  3. ChipID = 0x36 (64MB)
  4. ChipID = 0x39 (128MB)

These are probably used for PSP GO models. The PSP now supports NAND's from Samsung, Toshiba, ST Micro, and Hynix.

]]>
http://my.malloc.us/silverspring/2010/10/sborps-random-fact-10/feed/ 0
SBORPS Random Fact 09 http://my.malloc.us/silverspring/2010/10/sborps-random-fact-09/ http://my.malloc.us/silverspring/2010/10/sborps-random-fact-09/#comments Thu, 07 Oct 2010 22:34:26 +0000 silverspring http://my.malloc.us/silverspring/?p=159 Been awhile since my last post, been quite busy with other stuff (read 'real life'). I'll be posting more stuff from now though.

After searching for any new supported resolutions for the LCD controller I found a strange one (added in 6.xx):

C:
  1. 720x479 @ 29.97Hz

Don't know why it is missing one single row from the usual 720x480 resolution.

Here's the full list of supported resolutions:

C:
  1. 320x180 @ 119.88Hz VSYNC, 23.376KHz HSYNC
  2.  
  3. 480x272 @  59.83Hz VSYNC, 17.110KHz HSYNC
  4. 480x272 @  59.94Hz VSYNC, 17.142KHz HSYNC (native PSP res)
  5. 480x272 @ 119.65Hz VSYNC, 34.220KHz HSYNC
  6. 480x272 @ 119.88Hz VSYNC, 34.285KHz HSYNC
  7.  
  8. 640x480 @  59.94Hz VSYNC, 31.468KHz HSYNC
  9. 640x480 @  59.94Hz VSYNC, 31.468KHz HSYNC (larger borders)
  10.  
  11. 720x240 @  59.83Hz VSYNC, 15.734KHz HSYNC
  12. 720x240 @  60.05Hz VSYNC, 15.734KHz HSYNC
  13.  
  14. 720x479 @  29.97Hz VSYNC, 15.734KHz HSYNC
  15. 720x480 @  59.83Hz VSYNC, 31.468KHz HSYNC
  16. 720x480 @  59.94Hz VSYNC, 31.468KHz HSYNC
  17.  
  18. 720x505 @  29.97Hz VSYNC, 15.734KHz HSYNC

If you are wondering how the PSP can support resolutions higher than it's native screen resolution of 480x272, it's because the LCD controller needs to support PSP devkits as well which have VGA output to connect to an external LCD monitor.

]]>
http://my.malloc.us/silverspring/2010/10/sborps-random-fact-09/feed/ 0
SBORPS Random Fact 08 http://my.malloc.us/silverspring/2009/11/sborps-random-fact-08/ http://my.malloc.us/silverspring/2009/11/sborps-random-fact-08/#comments Tue, 24 Nov 2009 05:32:47 +0000 silverspring http://my.malloc.us/silverspring/?p=146 To find out the PSP model your code is running on you can call the function sceKernelGetModel(). People have been using it in homebrew to differentiate between 01g and 02g machines (fat and slim) to determine what their app will do depending on the model the user is running.

However, the sceKernelGetModel function can do a lot more than just determining whether you're running fat or slim PSP, it can return values for:

C:
  1. 01g - fat PSP
  2. 02g - slim PSP
  3. 03g - 3K PSP
  4. 04g - ??? (an updated 3K model? 4K perhaps?)
  5. 05g - PSP GO
  6. 06g - ???
  7. 07g - ???
  8. 08g - ???
  9.  
  10. /*
  11. sceKernelGetModel() actually returns a value
  12. from 0-7 to represent each model,
  13. 0 being the PSP fat,
  14. 1 being the PSP slim, etc.
  15. all the way upto 7 for the 08g model.
  16. */

That's three more models after the PSP GO! As well as a 4000 model after 3000.

The fw for 04g models is already out, it's included with normal fw updaters (6.xx) and can be decrypted using the 3K keys. There's also code already in the fw supporting 06g and 08g models (which seem to be GO-like models).

So for people thinking the PSP GO was a waste of a update or there wouldn't be any more updates, prepare for three more models...

]]>
http://my.malloc.us/silverspring/2009/11/sborps-random-fact-08/feed/ 6
SBORPS Random Fact 07 http://my.malloc.us/silverspring/2009/11/sborps-random-fact-07/ http://my.malloc.us/silverspring/2009/11/sborps-random-fact-07/#comments Mon, 23 Nov 2009 03:06:03 +0000 silverspring http://my.malloc.us/silverspring/?p=142 Beware of future fw updates, SCE are starting to make activity logs.

New registry categories/keys stored in flash1 registry (6.xx fw):

C:
  1. /DATA/COUNT/boot_count (number of times booted)
  2. /DATA/COUNT/game_exec_count (number of games run)
  3. /DATA/COUNT/slide_count (number of times slide open, for the GO only)
  4. /DATA/COUNT/usb_connect_count (number of times you connect usb)
  5. /DATA/COUNT/wifi_connect_count (number of times you connect wifi)
  6. /DATA/COUNT/psn_access_count (number of times you logon psn)

These new registry keys can still be accessed via the sceReg API, sceRegOpenCategory/sceRegGetKeyValue etc.

What other things will they be tracking in future updates? Maybe logging ISO games? Secretly 'phoning-home' with this info? Was any of this mentioned in the EULA?

]]>
http://my.malloc.us/silverspring/2009/11/sborps-random-fact-07/feed/ 3
In Memoriam… http://my.malloc.us/silverspring/2009/09/in-memoriam/ http://my.malloc.us/silverspring/2009/09/in-memoriam/#comments Sun, 13 Sep 2009 01:26:07 +0000 silverspring http://my.malloc.us/silverspring/?p=126 My best friend for over 16 years, my loyal companion; deeply loved, and forever missed. You were given a great life yet you gave back so much more in return. I hope you are surrounded by all the toys you could possibly play with, the largest, juiciest bones to chew on, and a neverending stretch of grass to run on.

snowy

Rest In Peace, Snowy. I'll always love you and I'll never forget you. You will be dearly missed...

]]>
http://my.malloc.us/silverspring/2009/09/in-memoriam/feed/ 6
Why “eggsploit” is random. http://my.malloc.us/silverspring/2009/07/why-eggsploit-is-random/ http://my.malloc.us/silverspring/2009/07/why-eggsploit-is-random/#comments Thu, 09 Jul 2009 09:29:40 +0000 silverspring http://my.malloc.us/silverspring/?p=120 So, a lot of people have been complaining about the unstability of the TIFF "eggsploit" (and thus the successful booting of HEN). The exploit relies on hardcoded memory addresses to succeed however a piece of code in the firmware ensures that memory addresses can randomly change.

As the vshbridge.prx is loaded and starts, two fixed memory pools are created and used for nothing else but random padding. The size of these mem pools are randomly assigned based on the system time. This can therefore affect the memory addresses of where modules are loaded into ram and therefore affect the hardcoded addresses the TIFF exploit relies on.

The code for the random memory padding (executed on vshbridge module_start):

C:
  1. int _vshVshBridgeStart()
  2. {
  3.     _vshPowerCallbackInit();
  4.     sceImposeSetStatus(4);
  5.     sceUmdSetSuspendResumeMode(1);
  6.    
  7.     int size;
  8.     int time = sceKernelGetSystemTimeLow(); // time since system start
  9.  
  10.     if (time & 3 == 0)
  11.     {
  12.         size = 0x400; // 1 KByte
  13.     }
  14.     else if (time & 3 == 1)
  15.     {
  16.         size = 0x300; // 768 Bytes
  17.     }
  18.     else if (time & 3 == 2)
  19.     {
  20.         size = 0x200; // 512 Bytes
  21.     }
  22.     else if (time & 3 == 3)
  23.     {
  24.         size = 0x100; // 256 Bytes
  25.     }
  26.  
  27.     sceKernelCreateFpl("SceVshRandomTopPadding", 2, 0, size, 1, NULL);
  28.  
  29.  
  30.     if ((time & 0xF)>> 2 == 0)
  31.     {
  32.         size = 0x400; // 1 KByte
  33.     }
  34.     else if ((time & 0xF)>> 2 == 1)
  35.     {
  36.         size = 0x300; // 768 Bytes
  37.     }
  38.     else if ((time & 0xF)>> 2 == 2)
  39.     {
  40.         size = 0x200; // 512 Bytes
  41.     }
  42.     else if ((time & 0xF)>> 2 == 3)
  43.     {
  44.         size = 0x100; // 256 Bytes
  45.     }
  46.  
  47.     sceKernelCreateFpl("SceVshRandomBottomPadding", 2, 0x4000, size, 1, NULL);
  48.    
  49.     return 0;
  50. }

This bit of random padding code was added in 2.50 firmware and still exists in the latest firmwares.

Because HEN uses the TIFF exploit to run there is nothing the HEN could do to improve it's chances of booting successfully. It may be that it's simply random luck.

Note: there is no doubt there are also many other factors which could affect the stability of the TIFF "eggsploit".

]]>
http://my.malloc.us/silverspring/2009/07/why-eggsploit-is-random/feed/ 9
SBORPS Random Fact 06 http://my.malloc.us/silverspring/2009/05/sborps-random-fact-06/ http://my.malloc.us/silverspring/2009/05/sborps-random-fact-06/#comments Fri, 22 May 2009 05:27:41 +0000 silverspring http://my.malloc.us/silverspring/?p=110 About PSP menu. Make sure the pic is in the correct resolution (480 x 272) otherwise the [...]]]> A nice hidden feature of the PSP firmware is the personalised credits screen. Just place any png picture under flash0:/vsh/resource/name_plate.png (important note: filename has to be all lower case) and it'll show up in the System Settings -> About PSP menu. Make sure the pic is in the correct resolution (480 x 272) otherwise the PSP will stretch the image.

This feature was never documented by Sony but it has existed ever since the very first firmware v1.00. Sony typically used this feature to send personalised PSP's as gifts to VIP's. Now you can make your own personalised PSP too.

]]>
http://my.malloc.us/silverspring/2009/05/sborps-random-fact-06/feed/ 4
Blog Update http://my.malloc.us/silverspring/2009/05/blog-update/ http://my.malloc.us/silverspring/2009/05/blog-update/#comments Thu, 07 May 2009 17:16:44 +0000 silverspring http://my.malloc.us/silverspring/?p=71 After being away from the PSP scene for several months (due to several factors such as illness etc.) I've decided to continue and will be starting to add some new content again.

I've realised that there has been many bits & pieces of info that I have posted around in several different places over the years (in forums etc.) that are useful however not conveniently accessible so I'll be adding them here also. It may seem redundant since it may not necessarily be new info, however gathering all the public info together into one place will make the info more accessible to the people.

So, greets to all those who still continue to follow and be involved with the PSP community even though the PSP has passed its peak and now entering a declining stage.

SilverSpring

]]>
http://my.malloc.us/silverspring/2009/05/blog-update/feed/ 14
Prx Decryption NID’s !!!!! http://my.malloc.us/silverspring/2009/01/prx-decryption-nids/ http://my.malloc.us/silverspring/2009/01/prx-decryption-nids/#comments Sat, 10 Jan 2009 04:43:17 +0000 silverspring http://my.malloc.us/silverspring/?p=68 I never thought these would ever be cracked but finally here are the sceMesgLed NID's (these are only valid upto 2.00 since the NID's were later 'randomised' the following update in 2.50):

  • 0x84a04017 sceUtilsGetLoadModuleCLength
  • 0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
  • 0xa4547df1 sceUtilsGetLoadModuleDLength
  • 0x94eb1072 sceUtilsGetLoadModuleDLengthByPolling
  • 0x198fd3be sceUtilsGetLoadModuleILength
  • 0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
  • 0x07e152be sceUtilsGetLoadModuleJLength
  • 0x9906f33a sceUtilsGetLoadModuleJLengthByPolling
  • 0x46ac0e78 sceUtilsGetLoadModuleKLength
  • 0x55c8785e sceUtilsGetLoadModuleKLengthByPolling
  • 0x67a5ecdf sceUtilsGetLoadModuleLLength
  • 0x85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
  • 0x951f4a5b sceUtilsGetLoadModuleMLength
  • 0x58999d8e sceUtilsGetLoadModuleMLengthByPolling
  • 0x9fc926a0 sceUtilsGetLoadModuleNLength
  • 0x7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable. The executable type is at offset 0x7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions. For example, Type3 exe's (vshmain modules) use the 'C' function to decrypt, Type4 exe's (user modules) use the 'D' function, etc. There are no types 5,6,7,8 exe's so those letters are missing. Other exe types that use the above functions include:

  • Type09 UMD games (use 'I' to decrypt)
  • Type10 Gamesharing games (use 'J' to decrypt)
  • Type11 Debug Gamesharing games (use 'K' to decrypt)
  • Type12 MS Updater (use 'L' to decrypt)
  • Type13 MS Demo games (use 'M' to decrypt)
  • Type14 Flash application eboots (use 'N' to decrypt)

Later fw added extra exe types also (such as POPS executables - Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.

Type1 exe's are internal debug modules while Type2 exe's are kernel modules, they are both decrypted the same way hence the 'A' and 'B' in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also 2 more NID's from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later 'randomised' the following update in 2.50):

  • 0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
  • 0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

This function is similar to the 'sigcheck' functions in that they take an encrypted ~PSP file and 'scrambles' the 'sig' area (0xD0 Bytes from offset 0x80-0x150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP's FuseID to flash the unique prxs, which is why files from different PSP's are not compatible and therefore cannot be shared).

]]>
http://my.malloc.us/silverspring/2009/01/prx-decryption-nids/feed/ 0
Another NID Update Again http://my.malloc.us/silverspring/2008/12/another-nid-update-again/ http://my.malloc.us/silverspring/2008/12/another-nid-update-again/#comments Thu, 18 Dec 2008 15:25:36 +0000 silverspring http://my.malloc.us/silverspring/?p=66 From sceHttp:

  • 0x739c2d79 sceHttpInitExternalCache
  • 0xa461a167 sceHttpEndExternalCache
  • 0x8046e250 sceHttpEnableExternalCache
  • 0xb0257723 sceHttpFlushExternalCache
  • 0x457d221d sceHttpFlushCookie
  • 0x4e4a284a sceHttpCloneTemplate

From sceSsl:

  • 0xf57765d3 sceSslGetKeyUsage

From sceLibUpdateDL (this completes the lib !!):

  • 0xf7e66cb4 sceUpdateDownloadSetUrl
  • 0x88ff3935 sceUpdateDownloadSetDestCode

From sceNetWispr (this completes the lib !!):

  • 0xc856aaac sceNetWisprLogoffStart

From sceNetIfhandle_driver:

  • 0xd5ad6dea sceNetGetIfhandleOpt
  • 0xc6d14282 sceNetSetIfhandleOpt
  • 0x955f2924 sceNetMCopypacket

From sceNetAdhocctl (new in 5.00):

  • 0xb0b80e80 sceNetAdhocctlCreateEnterGameModeMin

From sceDNASCore_lib (this completes the lib !!):

  • 0xba0d27f8 sceDNASCoreMakeProxyRequest

From sceVshNetconfAoss:

  • 0x50df536d sceNetAOSSInit
  • 0xd253b522 sceNetAOSSTerm
  • 0x653d453f sceNetAOSSStart
  • 0xac307152 sceNetAOSSStop
  • 0x2aee9d4d sceNetAOSSGetState

From sceLibFont_HV:

  • 0x33ffd07c sceFontIsElement

From sceUsbGps (new in 5.00):

  • 0x5881c826 sceUsbGpsGetStaticNavMode
  • 0xa8ed0bc2 sceUsbGpsSetStaticNavMode

From scePafHeaparea:

  • 0xf50aae41 sce_paf_private_getheaparea1
  • 0xacce25b2 sce_paf_private_getheaparea2
]]>
http://my.malloc.us/silverspring/2008/12/another-nid-update-again/feed/ 0