SBORPS Random Fact 10

Support for NAND flash IC’s from Hynix has been added to the NAND driver. Specifically, three extra models from 1.8V family:

These are probably used for PSP GO models. The PSP now supports NAND’s from Samsung, Toshiba, ST Micro, and Hynix.

Posted in Random Facts | No Comments »

SBORPS Random Fact 09

Been awhile since my last post, been quite busy with other stuff (read ‘real life’). I’ll be posting more stuff from now though.

After searching for any new supported resolutions for the LCD controller I found a strange one (added in 6.xx):

Don’t know why it is missing one single row from the usual 720×480 resolution.

Here’s the full list of supported resolutions:

If you are wondering how the PSP can support resolutions higher than it’s native screen resolution of 480×272, it’s because the LCD controller needs to support PSP devkits as well which have VGA output to connect to an external LCD monitor.

Posted in Random Facts | No Comments »

SBORPS Random Fact 08

To find out the PSP model your code is running on you can call the function sceKernelGetModel(). People have been using it in homebrew to differentiate between 01g and 02g machines (fat and slim) to determine what their app will do depending on the model the user is running.

However, the sceKernelGetModel function can do a lot more than just determining whether you’re running fat or slim PSP, it can return values for:

That’s three more models after the PSP GO! As well as a 4000 model after 3000.

The fw for 04g models is already out, it’s included with normal fw updaters (6.xx) and can be decrypted using the 3K keys. There’s also code already in the fw supporting 06g and 08g models (which seem to be GO-like models).

So for people thinking the PSP GO was a waste of a update or there wouldn’t be any more updates, prepare for three more models…

Posted in Random Facts | 6 Comments »

SBORPS Random Fact 07

Beware of future fw updates, SCE are starting to make activity logs.

New registry categories/keys stored in flash1 registry (6.xx fw):

These new registry keys can still be accessed via the sceReg API, sceRegOpenCategory/sceRegGetKeyValue etc.

What other things will they be tracking in future updates? Maybe logging ISO games? Secretly ‘phoning-home’ with this info? Was any of this mentioned in the EULA?

Posted in Random Facts | 3 Comments »

In Memoriam…

My best friend for over 16 years, my loyal companion; deeply loved, and forever missed. You were given a great life yet you gave back so much more in return. I hope you are surrounded by all the toys you could possibly play with, the largest, juiciest bones to chew on, and a neverending stretch of grass to run on.

Rest In Peace, Snowy. I’ll always love you and I’ll never forget you. You will be dearly missed…

Posted in Uncategorized | 6 Comments »

Why “eggsploit” is random.

So, a lot of people have been complaining about the unstability of the TIFF “eggsploit” (and thus the successful booting of HEN). The exploit relies on hardcoded memory addresses to succeed however a piece of code in the firmware ensures that memory addresses can randomly change.

As the vshbridge.prx is loaded and starts, two fixed memory pools are created and used for nothing else but random padding. The size of these mem pools are randomly assigned based on the system time. This can therefore affect the memory addresses of where modules are loaded into ram and therefore affect the hardcoded addresses the TIFF exploit relies on.

The code for the random memory padding (executed on vshbridge module_start):

This bit of random padding code was added in 2.50 firmware and still exists in the latest firmwares.

Because HEN uses the TIFF exploit to run there is nothing the HEN could do to improve it’s chances of booting successfully. It may be that it’s simply random luck.

Note: there is no doubt there are also many other factors which could affect the stability of the TIFF “eggsploit”.

Posted in Uncategorized | 9 Comments »

SBORPS Random Fact 06

A nice hidden feature of the PSP firmware is the personalised credits screen. Just place any png picture under flash0:/vsh/resource/name_plate.png (important note: filename has to be all lower case) and it’ll show up in the System Settings -> About PSP menu. Make sure the pic is in the correct resolution (480 x 272) otherwise the PSP will stretch the image.

This feature was never documented by Sony but it has existed ever since the very first firmware v1.00. Sony typically used this feature to send personalised PSP’s as gifts to VIP’s. Now you can make your own personalised PSP too.

Posted in Random Facts | 4 Comments »

Blog Update

After being away from the PSP scene for several months (due to several factors such as illness etc.) I’ve decided to continue and will be starting to add some new content again.

I’ve realised that there has been many bits & pieces of info that I have posted around in several different places over the years (in forums etc.) that are useful however not conveniently accessible so I’ll be adding them here also. It may seem redundant since it may not necessarily be new info, however gathering all the public info together into one place will make the info more accessible to the people.

So, greets to all those who still continue to follow and be involved with the PSP community even though the PSP has passed its peak and now entering a declining stage.

SilverSpring

Posted in Uncategorized | 14 Comments »

Prx Decryption NID’s !!!!!

I never thought these would ever be cracked but finally here are the sceMesgLed NID’s (these are only valid upto 2.00 since the NID’s were later ‘randomised’ the following update in 2.50):

• 0x84a04017 sceUtilsGetLoadModuleCLength
• 0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
• 0xa4547df1 sceUtilsGetLoadModuleDLength
• 0x94eb1072 sceUtilsGetLoadModuleDLengthByPolling
• 0x198fd3be sceUtilsGetLoadModuleILength
• 0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
• 0x07e152be sceUtilsGetLoadModuleJLength
• 0x9906f33a sceUtilsGetLoadModuleJLengthByPolling
• 0x46ac0e78 sceUtilsGetLoadModuleKLength
• 0x55c8785e sceUtilsGetLoadModuleKLengthByPolling
• 0x67a5ecdf sceUtilsGetLoadModuleLLength
• 0x85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
• 0x951f4a5b sceUtilsGetLoadModuleMLength
• 0x58999d8e sceUtilsGetLoadModuleMLengthByPolling
• 0x9fc926a0 sceUtilsGetLoadModuleNLength
• 0x7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable. The executable type is at offset 0x7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions. For example, Type3 exe’s (vshmain modules) use the ‘C’ function to decrypt, Type4 exe’s (user modules) use the ‘D’ function, etc. There are no types 5,6,7,8 exe’s so those letters are missing. Other exe types that use the above functions include:

• Type09 UMD games (use ‘I’ to decrypt)
• Type10 Gamesharing games (use ‘J’ to decrypt)
• Type11 Debug Gamesharing games (use ‘K’ to decrypt)
• Type12 MS Updater (use ‘L’ to decrypt)
• Type13 MS Demo games (use ‘M’ to decrypt)
• Type14 Flash application eboots (use ‘N’ to decrypt)

Later fw added extra exe types also (such as POPS executables – Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.

Type1 exe’s are internal debug modules while Type2 exe’s are kernel modules, they are both decrypted the same way hence the ‘A’ and ‘B’ in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also 2 more NID’s from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later ‘randomised’ the following update in 2.50):

• 0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
• 0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

This function is similar to the ‘sigcheck’ functions in that they take an encrypted ~PSP file and ‘scrambles’ the ‘sig’ area (0xD0 Bytes from offset 0×80-0×150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP’s FuseID to flash the unique prxs, which is why files from different PSP’s are not compatible and therefore cannot be shared).

Posted in NID's | No Comments »

Another NID Update Again

From sceHttp:

• 0x739c2d79 sceHttpInitExternalCache
• 0xa461a167 sceHttpEndExternalCache
• 0x8046e250 sceHttpEnableExternalCache
• 0xb0257723 sceHttpFlushExternalCache
• 0x457d221d sceHttpFlushCookie
• 0x4e4a284a sceHttpCloneTemplate

From sceSsl:

• 0xf57765d3 sceSslGetKeyUsage

From sceLibUpdateDL (this completes the lib !!):

• 0xf7e66cb4 sceUpdateDownloadSetUrl
• 0x88ff3935 sceUpdateDownloadSetDestCode

From sceNetWispr (this completes the lib !!):

• 0xc856aaac sceNetWisprLogoffStart

From sceNetIfhandle_driver:

• 0xd5ad6dea sceNetGetIfhandleOpt
• 0xc6d14282 sceNetSetIfhandleOpt
• 0x955f2924 sceNetMCopypacket

From sceNetAdhocctl (new in 5.00):

• 0xb0b80e80 sceNetAdhocctlCreateEnterGameModeMin

From sceDNASCore_lib (this completes the lib !!):

• 0xba0d27f8 sceDNASCoreMakeProxyRequest

From sceVshNetconfAoss:

• 0x50df536d sceNetAOSSInit
• 0xd253b522 sceNetAOSSTerm
• 0x653d453f sceNetAOSSStart
• 0xac307152 sceNetAOSSStop
• 0x2aee9d4d sceNetAOSSGetState

From sceLibFont_HV:

• 0x33ffd07c sceFontIsElement

From sceUsbGps (new in 5.00):

• 0x5881c826 sceUsbGpsGetStaticNavMode
• 0xa8ed0bc2 sceUsbGpsSetStaticNavMode

From scePafHeaparea:

• 0xf50aae41 sce_paf_private_getheaparea1
• 0xacce25b2 sce_paf_private_getheaparea2

Posted in NID's | No Comments »

Another NID Update

From sceUmd (some in 1.xx only some in 3.xx only):

• 0xf8352373 sceUmdRegisterMediaPresentCallBack
• 0x5469dc37 sceUmdUnRegisterMediaPresentCallBack
• 0x84231fcf sceUmdRegisterPowerOnOffUMDCallBack
• 0x04d1aad9 sceUmdUnRegisterPowerOnOffUMDCallBack
• 0×18624052 sceUmdRegisterGetUMDPowerOnOffCallBack
• 0xa140dec2 sceUmdUnRegisterGetUMDPowerOnOffCallBack

From sceUmdMan_driver (some in 1.xx only some in 3.xx only):

• 0x5a302102 sceUmdManUMDDrivePreStart
• 0xb4692d7f sceUmdManUMDDrivePostStart
• 0×93539196 sceUmdManGetPowerOnOffStat
• 0xc8d45a7b sceUmdManSetPowerOnOffStat
• 0xb989e127 sceUmdManLeptonAliveOnOff
• 0xb511f821 sceUmdManLPNAssertWakeup
• 0x736ae133 sceUmdManLPNNegateWakeup
• 0x552f671a sceUmdManSPKRestart
• 0x405b48a5 sceUmdManSPKCheckAuth
• 0xf7c603a2 sceUmdManSPKAuthentication
• 0x60933ecd sceUmdManIsDvdDrive
• 0x2e49311e sceUmdManGetFmtVersion
• 0xcea5c857 sceUmdManSetCachedRead
• 0x8634ffc7 sceUmdManSetUnCachedRead

From sceMScm_driver:

• 0x34124b97 sceMScmTPCGetIntHelper
• 0x3ffe76e5 sceMScmTPCSetCmdHelper
• 0×36921225 sceMScmTPCReadShortData
• 0xef42a4a3 sceMScmTPCWriteShortData
• 0x494fb570 sceMScmTPCExSetCmdHelper
• 0xcbb2bf6f sceMScmReadMSRegHelper
• 0x6c8aef0b sceMScmWriteMSRegHelper

From scePspNpDrm_driver:

• 0x04618d16 sceNpDrmGetIDps (just gets the psid)
• 0x4478c033 sceNpDrmVerifyRifById
• 0xebb198ed sceNpDrmDecActivation

From sceNpInstall_driver (this completes the lib !!):

• 0x5847d8c7 sceNpInstallGetChallenge
• 0x91f9d50d sceNpInstallCheckActivation
• 0x0b039b36 sceNpInstallActivation
• 0x7ae4c8bc sceNpInstallDeactivation

From sceMlnBridge:

• 0xf9357984 sceMlnBridgeSetDKS

From scePsheet (this completes the lib !!):

• 0x3ba93cfa sceDRMInstallGetProgress

Posted in NID's | No Comments »

NID Update

I have been quite busy lately so here’s a little NID update.

From InitForKernel:

• 0xc4f1ba33 sceKernelStartIntrLogging

From KDebugForKernel:

• 0xffd2f2b9 sceKernelIsDevelopmentToolMode

From InterruptManagerForKernel:

• 0x43a7bbdc sceKernelSetIntrLogging
• 0x07e138ee sceKernelClearIntrLogging
• 0xdd55a192 sceKernelGetSyscallRA (used to exist in threadman)

From sceDisplay_driver:

• 0xae0e8972 sceDisplaySetPseudoVsync
• 0x92c8f8b7 sceDisplayIsPseudoField
• 0x40f1469c sceDisplayWaitVblankStartMulti
• 0x77ed8b3a sceDisplayWaitVblankStartMultiCB

From sceGe_driver:

• 0x7b481502 sceGeGetBreakpoint
• 0xaec21518 sceGePutBreakpoint
• 0xbad6e1ca sceGeRegisterLogHandler
• 0xc576e897 sceGeEdramGetHwSize
• 0x114e1745 sceGeEdramSetRefreshParam

From scePower_driver:

• 0xc23ac778 scePowerGetGeEdramRefreshMode
• 0xe0b7a95d scePowerSetGeEdramRefreshMode
• 0xe8e4e204 scePowerGetForceSuspendCapacity
• 0xe8685403 scePowerGetLedOffTiming
• 0xd66ef08d scePowerCheckWlanCondition

From sceSyscon_driver:

• 0xeb277c88 sceSysconReadScratchPad
• 0x65eb6096 sceSysconWriteScratchPad

From sceRtc_driver (new in 5.00):

• 0xf5fcc995 sceRtcGetCurrentNetworkTick

From sceAtrac3plus (this completes the lib !!):

• 0x2dd3e298 sceAtracGetBufferInfoForResetting

From sceAudiocodec:

• 0x59176a0f sceAudiocodecAlcExtendParameter

From sceMpeg:

• 0x0558b075 sceMpegAvcCopyYCbCr
• 0×01977054 sceMpegGetUserdataAu (accidently mislabelled as sceMpegQueryUserdataEsSize in libdocs)

From sceMpegbase:

• 0xbea18f91 sceMpegBasePESpacketCopy

From sceVaudio:

• 0x346fbe94 sceVaudioSetEffectType
• 0x82ef2f9d sceVaudioGetEffectString
• 0x27acc20b sceVaudioChReserveBuffering

Posted in NID's | No Comments »

Utilities…

The Utilities library was an excellent idea by SCE to allow ever increasing functionality to be available to Game developers (at the expense of user memory though, the Utilities is partly why a whopping 8MB is reserved for the kernel).

Anyway, on to the new NID’s (note not all are available under all firmwares)…

From libs under sceUtility_Driver:

• 0x943cba46 sceUtilityAuthDialogInitStart
• 0x0f3eeaac sceUtilityAuthDialogShutdownStart
• 0x147f7c85 sceUtilityAuthDialogUpdate
• 0x16a1a8d8 sceUtilityAuthDialogGetStatus

• 0xdde5389d sceUtilityDNASInitStart
• 0x149a7895 sceUtilityDNASShutdownStart
• 0x4a833ba4 sceUtilityDNASUpdate
• 0xa50e5b30 sceUtilityDNASGetStatus

• 0x04b24901 sceUtilityDdHelperInitStart
• 0x1b698f54 sceUtilityDdHelperShutdownStart
• 0xfd99af0a sceUtilityDdHelperUpdate
• 0x8fcabab9 sceUtilityDdHelperGetStatus

• 0x16d02af0 sceUtilityNpSigninInitStart
• 0xe19c97d6 sceUtilityNpSigninShutdownStart
• 0xf3fbc572 sceUtilityNpSigninUpdate
• 0x86abdb1b sceUtilityNpSigninGetStatus

• 0x42071a83 sceUtilityPS3ScanInitStart
• 0xd17a0573 sceUtilityPS3ScanShutdownStart
• 0xd852cdce sceUtilityPS3ScanUpdate
• 0x89317c8f sceUtilityPS3ScanGetStatus

• 0x81c44706 sceUtilityRssReaderInitStart
• 0xb0fb7ff5 sceUtilityRssReaderContStart
• 0xe7b778d8 sceUtilityRssReaderShutdownStart
• 0x6f56f9cf sceUtilityRssReaderUpdate
• 0x8326ab05 sceUtilityRssReaderGetStatus

• 0x4b0a8fe5 sceUtilityRssSubscriberInitStart
• 0x06a48659 sceUtilityRssSubscriberShutdownStart
• 0xa084e056 sceUtilityRssSubscriberUpdate
• 0x2b96173b sceUtilityRssSubscriberGetStatus

• 0x0251b134 sceUtilityScreenshotInitStart
• 0x86a03a27 sceUtilityScreenshotContStart
• 0xf9e0008c sceUtilityScreenshotShutdownStart
• 0xab083ea9 sceUtilityScreenshotUpdate
• 0xd81957b7 sceUtilityScreenshotGetStatus

• 0xda97f1aa sceUtilityStoreCheckoutInitStart
• 0x54a5c62f sceUtilityStoreCheckoutShutdownStart
• 0xb8592d5f sceUtilityStoreCheckoutUpdate
• 0x3aad51dc sceUtilityStoreCheckoutGetStatus

• 0x7635200e sceUtilityDialogGetGameInfo
• 0xef5bc2d1 sceUtilityDialogGetStructVersion
• 0x463ea95e sceUtilityAppletGetType (an amazing false positive for this nid is sceUtilityPspDialog !!)
• 0xab46a24f sceUtilityAppletGetParam
• 0x463ea95e sceUtilityAppletGetType
• 0x75ff798c sceUtilityAppletGetSpeed
• 0x4b677ba1 sceUtilityAppletGetStructVersion
• 0x00948e27 sceUtilityAppletLoadModule
• 0x4acd6532 sceUtilityAppletUnloadModule
• 0x97f922a3 sceUtilityAppletSetStatus
• 0x9bae7dce sceUtilityAppletSetThreadId
• 0x976f7805 sceUtilityAppletRegisterPowerCallback
• 0xe542e9d8 sceUtilityAppletUnregisterPowerCallback
• 0x8e8e3aa3 sceUtilitySetNetParamLatestID
• 0x3fd8ccfb sceUtilityGetNetParamInt
• 0x63c3e40c sceUtilitySetNetParamInt

A few previous Utilities had been added to the PSPSDK most notably the Message Dialogs as well as the Web Browser. Some of these newly discovered Utilities may be also worthwhile to add to PSPSDK especially the Screenshot one. While there are already unofficially screenshot libs, it would be more convenient as well as less memory consuming to use an official lib (for example using the official libmp3 to play mp3 files).

Posted in NID's | No Comments »

More, more, more…

Four more libs are now fully complete:

From sceGpio_driver:

• 0×95135905 sceGpioPortInvert
• 0x5691cefa sceGpioEnableTimerCapture
• 0x2cdc8edc sceGpioDisableTimerCapture
• 0x6b38b826 sceGpioSetCapturePort
• 0xc6928224 sceGpioGetCapturePort

That completes the GPIO lib !!

From scePwm_driver:

• 0xab6d2e36 scePwmChangeDuty
• 0xf624c1a0 scePwmReferDuty

That completes the PWM lib !!

From sceMp3:

• 0x8AB81558 sceMp3StartEntry
• 0x732B042A sceMp3EndEntry

That completes libmp3 !!

From sceAac:

• 0x6C05813B sceAacStartEntry
• 0x61AA43C9 sceAacEndEntry

That completes libaac !!

From sceAta_driver:

• 0x8cada96b sceAtaAhbGetDDRSize
• 0xb985f2b0 sceAtaAhbSetDDRSize
• 0x7c6b31d8 sceAtaDisplayIPD
• 0x9ca52f94 sceAtaExecIPDCmd

From sceClockgen_driver:

• 0xc6d4c843 sceClockgenSetProtocol

From InitForKernel:

• 0x7233b5bc sceKernelApplicationType

From IoFileMgrForKernel:

• 0x30e8abb3 sceIoValidateFd

From sceUsb1Seg_driver:

• 0xd799104f sceUsb1SegGetFirmVer

From sceUSB_Stor_Ms_driver:

• 0x7b810720 sceUsbstorMsSetWorkBuf
• 0xcf2af7b3 sceUsbstorMsGetNickname
• 0x16173d42 sceUsbstorMsSetNickname

From scePower_driver:

• 0xd7b9c925 scePowerGetWatchDog
• 0x442bfbac scePowerGetBacklightMaximum
• 0x23436a4a scePowerGetInnerTemp
• 0xf535d928 scePowerSetWakeupCondition
• 0x78a1a796 scePowerIsSuspendRequired

From sceAsfParser:

• 0xd2dd1778 sceAsfGetContentDescription
• 0xaa881a7b sceAsfGetExtContent
• 0xefc704c3 sceAsfGetHeaderExtension
• 0x5ec678cb sceAsfGetVariableObject

From sceUmdMan_driver:

• 0x1f9afff4 sceUmdManMediaPresent
• 0x84410a8e sceUmdManSetReadAheadSize
• 0x63acfd28 sceUmdManSetDisableReadAhead
• 0x39704b6e sceUmdManSetEnableReadAhead

From sceUmd:

• 0x08709f2d sceUmdAssertLeptonWakeup
• 0xad18c797 sceUmdNegateLeptonWakeup

From sceMgr_driver:

• 0xf26c410a sceMgrMSReadPoolPage
• 0xa85906fc sceMgrMSWritePoolPage

From sceMSAudio_driver:

• 0x66f19ca3 sceMSAudioUpdateIBD
• 0x22da9981 sceMSAudioInitFringe
• 0x9e37e51d sceMSAudioInitTrack
• 0x5d1c9867 sceMSAudioDecryptFringe
• 0x38178f2f sceMSAudioDecryptTrack
• 0x67e58c07 sceMSAudioEndFringe
• 0x135f2225 sceMSAudioEndTrack
• 0xda34ab8f sceMSAudioGetMediaType
• 0xa18a1df6 sceMSAudioClearMACEntry
• 0xe8b25d38 sceMSAudioCalculateICVn

And vshbridge equivalents:

• 0x04310D7C vshMSAudioUpdateIBD
• 0xB27C593F vshMSAudioInitFringe
• 0×14877197 vshMSAudioInitTrack
• 0x0D2CEAD2 vshMSAudioDecryptFringe
• 0xD907B6AA vshMSAudioDecryptTrack
• 0xD120667D vshMSAudioEndFringe
• 0x5BBB35E4 vshMSAudioEndTrack
• 0xB0FD5916 vshMSAudioGetMediaType
• 0x7A63BE73 vshMSAudioClearMACEntry
• 0x222A18C4 vshMSAudioCalculateICVn

Posted in NID's | 1 Comment »

Marlin DRM Platform (new nids)

Marlin is a DRM platform designed to provide interoperability across multiple devices. It’s developed by several big name corporations like Sony, Panasonic, Samsung, Philips, etc.

Naturally the PSP would be a suitable target. The library sceMlnBridge (mlnbridge.prx) has existed since 2.50 but only in the last few firmwares has the API really expanded:

From sceMlnBridge (this is not the full list of nids there are still more unknown):

• 0x13e68009 sceMlnBridgeAesEcbEncrypt
• 0x8d7e61dd sceMlnBridgeAesEcbDecrypt
• 0xde730a46 sceMlnBridgeAesCbcEncrypt
• 0x7770fc23 sceMlnBridgeAesCbcDecrypt
• 0x54edc552 sceMlnBridgeSHA1
• 0x3505ecce sceMlnBridgeHMAC
• 0x2fdf5639 sceMlnBridgeRandInit
• 0xd0790a37 sceMlnBridgeRandFin
• 0xe79622cd sceMlnBridgeRandGetBytes
• 0xadb4797e sceMlnBridgeRsaInit
• 0xb7e04efa sceMlnBridgeRsaFin
• 0x10c4fec6 sceMlnBridgeSha1MakeDigest
• 0xd455dd97 sceMlnBridgeSha256MakeDigest

Its features include a Public Key Encryption Algorithm, a Public Key Signature Algorithm, a Secret Key Encryption Algorithm, a Secret Key Signature Algorithm, a Digest Algorithm, and more. So here you have access to AES, RSA, SHA1, SHA256, & MT19937 algorithms all in a single usermode lib (though the api was stripped down again from 4.xx for some reason).

All the algorithms are done in software with the exception of AES, which it relies on MagicGate hardware to perform.

From sceMgr_driver:

• 0xA45A63B6 sceMgrAesEcbEncrypt
• 0x19B8F2D0 sceMgrAesEcbDecrypt
• 0xA44A5538 sceMgrAesCbcEncrypt
• 0xA1F6D85A sceMgrAesCbcDecrypt

These are just convenient wrappers over the sceMgrAESEncrypt/sceMgrAESDecrypt functions that were discovered earlier here.

Also, an interface through a USB driver (usbstormgr.prx).

From sceUsbstormln:

• 0x1f4ac19c sceUsbstormlnGetCommand
• 0x5821060d sceUsbstormlnNotifyResponse
• 0x382898de sceUsbstormlnRegisterBuffer
• 0x25b6f372 sceUsbstormlnUnregisterBuffer
• 0xdec0fe8c sceUsbstormlnWaitStatus
• 0xe11defdf sceUsbstormlnCancelWaitStatus

Posted in NID's | No Comments »

USB Host ??

Some new nids that may suggest that the PSP does in fact have USB Host capabilities:

• 0x3E961C02 sceSysregUsbhostResetEnable
• 0xACFA3764 sceSysregUsbhostResetDisable
• 0xDA4FCA1D sceSysregUsbhostClkEnable
• 0x228A73E1 sceSysregUsbhostClkDisable
• 0xE321F41A sceSysregUsbhostBusClockEnable
• 0x4D2FFC60 sceSysregUsbhostBusClockDisable
• 0xFFEB6E00 sceSysregUsbhostQueryIntr
• 0x87C2BA20 sceSysregUsbhostAcquireIntr

However, these nids were only added in 2.70. At the same time, sceSysregAtahdd___ nids were also added so it could be that this was for the unreleased HDD model PSP and not actually for any current model. Usb Host may have been destined for this new PSP which, along with the internal HDD+GSensor and Bluetooth, defintely would have been a dream handheld.

At one point it seemed that the new PSP-3000 would be the model to integrate these great features however that does not seem to be the case anymore. With the disappointing new features of the PSP-3000 let’s hope a PSP-4000 will finally be the time Sony releases this new model.

Another interesting fact that may mean something or may mean absolutely nothing at all:

0xBC1000B0 is the Usbhost Interrupt Status register. On normal boot this register is set to 1 however on service mode & test mode boot (ie. for battery serial 0xFFFFFFFF & 0×00000000 respectively) this register is set to 0. Whether this actually means something of significance is unknown however it is rumoured that during service mode the USB is actually plugged in (perhaps connected to a testing PC ?).

Posted in NID's | 3 Comments »

Another large bunch of new NID’s

Syscon G-Sensor
As I mentioned in previous entries, support for an internal HDD+GSensor had been added to the kernel from 2.80. It seems SCE had wanted to keep it a secret since when I had revealed the NID’s referencing these devices, the API had promptly been removed the following firmware. Hence the HDD & GSensor NID’s only exist from 2.80-3.60. When they actually plan on releasing this HDD is anyone’s guess, though I had hoped it would have happened with the release of the PSP-3000. Well, maybe for PSP-4000…

From sceSyscon_driver:

• 0x3357EE5C sceSysconIsFalling
• 0x565EF519 sceSysconGetFallingDetectTime

This literally detects whether or not the PSP is falling down (the G-Sensor has an accelerometer built in) and if it is, shuts down the HDD to protect from damage.

Link to previous post about the GSensor and HDD: http://my.malloc.us/silverspring/2007/11/16/the-psp-slim-couldve-been-a-gamers-dream-handheld/

Lightweight Mutex
Lightweight mutexs have recently been added to the kernel (3.80+ firmwares) however the majority of the API was placed in the sceKernelLibrary of usersystemlib.prx instead of sceThreadManager even though sceKernelCreateLwMutex/sceKernelDeleteLwMutex were still in sceThreadManager.

From Kernel_Library:

• 0xBEA46419 sceKernelLockLwMutex
• 0x1FC64E09 sceKernelLockLwMutexCB
• 0xDC692EE3 sceKernelTryLockLwMutex
• 0x15B6446B sceKernelUnlockLwMutex
• 0xC1734599 sceKernelReferLwMutexStatus

From ThreadManForUser:

• 0x4C145944 sceKernelReferLwMutexStatusByID

Low-level Sound Library
From 1.00-2.60 a low-level sound library was available as the scePEQ_Library_driver (peq.prx).

From scePEQ_driver:

• 0xF7EA0632 scePeqInit
• 0x213DE849 scePeqEntry
• 0xED13C3B5 scePeqProc

From 2.70+ this library was replaced with sceSAScore (sc_sascore.prx – SC being the shorthand for the main cpu as opposed to ME the Media Engine cpu).

From sceSasCore_driver:

• 0xB0F9F98F sceSasCoreInit
• 0xE143A1EA sceSasCoreExit

For the usermode library the usual naming convention changed (no wonder there were never any hits for these nids, they used a stupid underscore, and two of them!!)

From sceSasCore:

• 0x019B25EB __sceSasSetADSR
• 0x07F58C24 __sceSasGetAllEnvelopeHeights
• 0x267A6DD2 __sceSasRevParam
• 0x2C8E6AB3 __sceSasGetPauseFlag
• 0x33D4AB37 __sceSasRevType
• 0x42778A9F __sceSasInit
• 0x440CA7D8 __sceSasSetVolume
• 0x50A14DFC __sceSasCoreWithMix
• 0x5F9529F6 __sceSasSetSL
• 0x68A46B95 __sceSasGetEndFlag
• 0x74AE582A __sceSasGetEnvelopeHeight
• 0x76F01ACA __sceSasSetKeyOn
• 0x787D04D5 __sceSasSetPause
• 0×99944089 __sceSasSetVoice
• 0x9EC3676A __sceSasSetADSRmode
• 0xA0CF2FA4 __sceSasSetKeyOff
• 0xA232CBE6 __sceSasSetTrianglarWave
• 0xA3589D81 __sceSasCore
• 0xAD84D37F __sceSasSetPitch
• 0xB7660A23 __sceSasSetNoise
• 0xBD11B7C2 __sceSasGetGrain
• 0xCBCD4F79 __sceSasSetSimpleADSR
• 0xD1E0A01E __sceSasSetGrain
• 0xD5A229C9 __sceSasRevEVOL
• 0xD5EBBBCD __sceSasSetSteepWave
• 0xE175EF66 __sceSasGetOutputmode
• 0xE855BF76 __sceSasSetOutputmode
• 0xF983B186 __sceSasRevVON

Under the same prx another sound lib, the Positional 3D Audio Library, was added in 2.80+.

From sceP3da:

• 0x374500A5 sceP3daBridgeInit
• 0x43F756A2 sceP3daBridgeExit
• 0x013016F3 sceP3daBridgeCore

User Log
Added from 2.80+, can only be used on devkits.

From UtilsForKernel:

• 0x92282A47 sceKernelRegisterUserLogHandler
• 0x87E81561 sceKernelPutUserLog

NP DRM
As people may know SCE added their own official UMD Emulator to load official PSP ISO’s bought from PSN Store (such as “Beats” and many others). The scePspNpDrm_Driver (npdrm.prx) is what protects these legit ISO’s. This prx was added in 3.00 way before the actual UMD Emulator (np9660.prx) was added in 3.50 which was even quite a while before it was actually officially enabled. It was unofficially enabled beforehand under M33 CFWs as the NP9660 No-UMD ISO Loader.

From scePspNpDrm_driver:

• 0x17E3F4BB sceNpDrmVerifyAct
• 0x37B9B10D sceNpDrmVerifyRif
• 0x00AD67F8 sceNpDrmGetFixedKey
• 0x5667B7B9 sceNpDrmGetContentKey
• 0xD36B4E6D sceNpDrmGetModuleKey
• 0x0F9547E6 sceNpDrmGetVersionKey (incorrectly listed as scePspNpDrmInitFromGameIdMs4 on the libdocs)
• 0xA1336091 sceNpDrmSetLicenseeKey
• 0x9B745542 sceNpDrmClearLicenseeKey
• 0x275987D1 sceNpDrmRenameCheck
• 0x08D98894 sceNpDrmEdataSetupKey
• 0x219EF5CC sceNpDrmEdataGetDataSize

VSH System Config
The vshRegSysconf lib was previously under the sceVshCommonUtil_Module upto 1.50. From 2.00 the lib was moved to the the vsh_module.

From vshmain:

• 0x03BB4503 vshRegSysconfGetCharacterSetOem
• 0x67BFD9C0 vshRegSysconfSetCharacterSetOem
• 0x0FE13026 vshRegSysconfGetCharacterSetAnsi
• 0x032D663E vshRegSysconfSetCharacterSetAnsi
• 0xF859FC3C vshRegSysconfGetThemeSystemColor
• 0xEE3D8305 vshRegSysconfSetThemeSystemColor

Note: I have yet to add these new NID’s to the libdoc site. I will do so when I get some spare time.

Posted in NID's | 4 Comments »

SBORPS Random Fact 05

SCE make typo’s too.

In the sceRtc lib I noticed an export sceRtc_029CA3B3 that was mapped to the same function that the export sceRtcGetAccumulativeTime was mapped to. Researching some more I noticed that sceRtc_029CA3B3 had existed ever since 1.00 but sceRtcGetAccumulativeTime was only added in 1.50. They are both mapped to the same function. I then realised that the cause of this might be because of a misspelling of the original function and that sceRtcGetAccumulativeTime was the corrected version added in 1.50.

So then, how to crack this NID.

It is not easy to try to guess a misspelling. A per-letter bruteforce would’ve taken too long so I simply tried the most common typo’s and, after many many permutations, I eventually guessed correctly:

• 0x029CA3B3 sceRtcGetAccumlativeTime (it’s missing a ‘u’)

This is not the only typo either. More than once they have spelt “register” as “regitser”.

• 0xDB9D28DD scePowerUnregitserCallback
• 0xDFA8BAF8 scePowerUnregisterCallback

And problems obviously stemming from the fact that the programmers are Japanese:

• 0xB795D2ED sceNandCollectEcc
• 0x88CC9F72 sceNandCorrectEcc

You’ll also notice that the old misspelled entry still exists even though a corrected version was added. The reason for this is for compatibility. Older apps had used the original misspelled function so the NID couldn’t be changed. This is somewhat fixed now that kernel NID’s are randomised in newer firmwares. There will only be one entry for each function now that the NID isn’t derived from the name of the function.

So, sometimes when it seems that an NID is impossible to crack it may simply be because of a stupid SCE typo :p.

Posted in Random Facts | No Comments »

PAF NID’s !!

PAF NID’s have been very difficult to crack, the majority of exports are C++ mangled names and the ones that aren’t do not follow the standard SCE naming format. But here is a large portion of paf.prx NID’s that will now make VSH modules many more times easier to RE. This should be the complete list of sce_paf_private functions:

Posted in NID's | No Comments »

PSP LibDoc update

Another large update to the libdocs: http://silverspring.lan.st/update.html

Finally added the 4.05 firmware and updates to 1.50 and 3.52 only.

Some of the more noteworthy NID’s include:

• 0x96cfac38 sceDisplayGetBacklightSel
• 0xe55f0d50 sceDisplaySetBacklightSel

Newer method to get/set the brightness levels.

• 0x42f954d4 sceIoAddHook

This is the function used to implement the CipherIO system (the cphio pseudo IO driver) used by things such as the DNAS IO lib as well as other DRM libs. It hooks the IO functions to be able to implement cipher routines which can then used by simply calling ioctls of this pseudo IO driver.

• 0x19d579f0 sceOpenPSIDGetPSID

Note, this is NOT the same as sceOpenPSIDGetOpenPSID, plus this is a kernel-only export.

• 0xe7735df4 sceUsb1SegEEPROMParamRead
• 0xa68a6c72 sceUsb1SegEEPROMParamWrite

Access to the EEPROM of the 1Seg TV Tuner.

• 0xc72ed6d3 sceUsbCamEnterFwUpdateMode

Updating the USB Camera firmware.

• 0xf9ecfddd scePcactAuth1BB
• 0x08bb9677 scePcactAuth2BB
• 0x8523e178 sceMlnpsnlAuth1BB
• 0x6885f392 sceMlnpsnlAuth2BB

Yes another DRM api.

There are plenty more NID’s of various usefulness as well. In general, this was quite a good update, lot’s of great NID’s were cracked.

Posted in NID's | 3 Comments »