SBORPS Random Fact 10

October 8th, 2010 silverspring

Support for NAND flash IC’s from Hynix has been added to the NAND driver. Specifically, three extra models from 1.8V family:

  1. ManufacturerID = 0xAD (Hynix)
  2. ChipID = 0×35 (32MB)
  3. ChipID = 0×36 (64MB)
  4. ChipID = 0×39 (128MB)

These are probably used for PSP GO models. The PSP now supports NAND’s from Samsung, Toshiba, ST Micro, and Hynix.

SBORPS Random Fact 09

October 8th, 2010 silverspring

Been awhile since my last post, been quite busy with other stuff (read ‘real life’). I’ll be posting more stuff from now though.

After searching for any new supported resolutions for the LCD controller I found a strange one (added in 6.xx):

  1. 720×479 @ 29.97Hz

Don’t know why it is missing one single row from the usual 720×480 resolution.

Here’s the full list of supported resolutions:

  1. 320×180 @ 119.88Hz VSYNC, 23.376KHz HSYNC
  3. 480×272 @  59.83Hz VSYNC, 17.110KHz HSYNC
  4. 480×272 @  59.94Hz VSYNC, 17.142KHz HSYNC (native PSP res)
  5. 480×272 @ 119.65Hz VSYNC, 34.220KHz HSYNC
  6. 480×272 @ 119.88Hz VSYNC, 34.285KHz HSYNC
  8. 640×480 @  59.94Hz VSYNC, 31.468KHz HSYNC
  9. 640×480 @  59.94Hz VSYNC, 31.468KHz HSYNC (larger borders)
  11. 720×240 @  59.83Hz VSYNC, 15.734KHz HSYNC
  12. 720×240 @  60.05Hz VSYNC, 15.734KHz HSYNC
  14. 720×479 @  29.97Hz VSYNC, 15.734KHz HSYNC
  15. 720×480 @  59.83Hz VSYNC, 31.468KHz HSYNC
  16. 720×480 @  59.94Hz VSYNC, 31.468KHz HSYNC
  18. 720×505 @  29.97Hz VSYNC, 15.734KHz HSYNC

If you are wondering how the PSP can support resolutions higher than it’s native screen resolution of 480×272, it’s because the LCD controller needs to support PSP devkits as well which have VGA output to connect to an external LCD monitor.

SBORPS Random Fact 08

November 24th, 2009 silverspring

To find out the PSP model your code is running on you can call the function sceKernelGetModel(). People have been using it in homebrew to differentiate between 01g and 02g machines (fat and slim) to determine what their app will do depending on the model the user is running.

However, the sceKernelGetModel function can do a lot more than just determining whether you’re running fat or slim PSP, it can return values for:

  1. 01g – fat PSP
  2. 02g – slim PSP
  3. 03g – 3K PSP
  4. 04g – ??? (an updated 3K model? 4K perhaps?)
  5. 05g – PSP GO
  6. 06g – ???
  7. 07g – ???
  8. 08g – ???
  10. /*
  11. sceKernelGetModel() actually returns a value
  12. from 0-7 to represent each model,
  13. 0 being the PSP fat,
  14. 1 being the PSP slim, etc.
  15. all the way upto 7 for the 08g model.
  16. */

That’s three more models after the PSP GO! As well as a 4000 model after 3000.

The fw for 04g models is already out, it’s included with normal fw updaters (6.xx) and can be decrypted using the 3K keys. There’s also code already in the fw supporting 06g and 08g models (which seem to be GO-like models).

So for people thinking the PSP GO was a waste of a update or there wouldn’t be any more updates, prepare for three more models…

SBORPS Random Fact 07

November 23rd, 2009 silverspring

Beware of future fw updates, SCE are starting to make activity logs.

New registry categories/keys stored in flash1 registry (6.xx fw):

  1. /DATA/COUNT/boot_count (number of times booted)
  2. /DATA/COUNT/game_exec_count (number of games run)
  3. /DATA/COUNT/slide_count (number of times slide open, for the GO only)
  4. /DATA/COUNT/usb_connect_count (number of times you connect usb)
  5. /DATA/COUNT/wifi_connect_count (number of times you connect wifi)
  6. /DATA/COUNT/psn_access_count (number of times you logon psn)

These new registry keys can still be accessed via the sceReg API, sceRegOpenCategory/sceRegGetKeyValue etc.

What other things will they be tracking in future updates? Maybe logging ISO games? Secretly ‘phoning-home’ with this info? Was any of this mentioned in the EULA?

In Memoriam…

September 13th, 2009 silverspring

My best friend for over 16 years, my loyal companion; deeply loved, and forever missed. You were given a great life yet you gave back so much more in return. I hope you are surrounded by all the toys you could possibly play with, the largest, juiciest bones to chew on, and a neverending stretch of grass to run on.


Rest In Peace, Snowy. I’ll always love you and I’ll never forget you. You will be dearly missed…

Why “eggsploit” is random.

July 9th, 2009 silverspring

So, a lot of people have been complaining about the unstability of the TIFF “eggsploit” (and thus the successful booting of HEN). The exploit relies on hardcoded memory addresses to succeed however a piece of code in the firmware ensures that memory addresses can randomly change.

As the vshbridge.prx is loaded and starts, two fixed memory pools are created and used for nothing else but random padding. The size of these mem pools are randomly assigned based on the system time. This can therefore affect the memory addresses of where modules are loaded into ram and therefore affect the hardcoded addresses the TIFF exploit relies on.

The code for the random memory padding (executed on vshbridge module_start):

  1. int _vshVshBridgeStart()
  2. {
  3.     _vshPowerCallbackInit();
  4.     sceImposeSetStatus(4);
  5.     sceUmdSetSuspendResumeMode(1);
  7.     int size;
  8.     int time = sceKernelGetSystemTimeLow(); // time since system start
  10.     if (time & 3 == 0)
  11.     {
  12.         size = 0×400; // 1 KByte
  13.     }
  14.     else if (time & 3 == 1)
  15.     {
  16.         size = 0×300; // 768 Bytes
  17.     }
  18.     else if (time & 3 == 2)
  19.     {
  20.         size = 0×200; // 512 Bytes
  21.     }
  22.     else if (time & 3 == 3)
  23.     {
  24.         size = 0×100; // 256 Bytes
  25.     }
  27.     sceKernelCreateFpl("SceVshRandomTopPadding", 2, 0, size, 1, NULL);
  30.     if ((time & 0xF)>> 2 == 0)
  31.     {
  32.         size = 0×400; // 1 KByte
  33.     }
  34.     else if ((time & 0xF)>> 2 == 1)
  35.     {
  36.         size = 0×300; // 768 Bytes
  37.     }
  38.     else if ((time & 0xF)>> 2 == 2)
  39.     {
  40.         size = 0×200; // 512 Bytes
  41.     }
  42.     else if ((time & 0xF)>> 2 == 3)
  43.     {
  44.         size = 0×100; // 256 Bytes
  45.     }
  47.     sceKernelCreateFpl("SceVshRandomBottomPadding", 2, 0×4000, size, 1, NULL);
  49.     return 0;
  50. }

This bit of random padding code was added in 2.50 firmware and still exists in the latest firmwares.

Because HEN uses the TIFF exploit to run there is nothing the HEN could do to improve it’s chances of booting successfully. It may be that it’s simply random luck.

Note: there is no doubt there are also many other factors which could affect the stability of the TIFF “eggsploit”.

SBORPS Random Fact 06

May 22nd, 2009 silverspring

A nice hidden feature of the PSP firmware is the personalised credits screen. Just place any png picture under flash0:/vsh/resource/name_plate.png (important note: filename has to be all lower case) and it’ll show up in the System Settings -> About PSP menu. Make sure the pic is in the correct resolution (480 x 272) otherwise the PSP will stretch the image.

This feature was never documented by Sony but it has existed ever since the very first firmware v1.00. Sony typically used this feature to send personalised PSP’s as gifts to VIP’s. Now you can make your own personalised PSP too.

Blog Update

May 8th, 2009 silverspring

After being away from the PSP scene for several months (due to several factors such as illness etc.) I’ve decided to continue and will be starting to add some new content again.

I’ve realised that there has been many bits & pieces of info that I have posted around in several different places over the years (in forums etc.) that are useful however not conveniently accessible so I’ll be adding them here also. It may seem redundant since it may not necessarily be new info, however gathering all the public info together into one place will make the info more accessible to the people.

So, greets to all those who still continue to follow and be involved with the PSP community even though the PSP has passed its peak and now entering a declining stage.


Prx Decryption NID’s !!!!!

January 10th, 2009 silverspring

I never thought these would ever be cracked but finally here are the sceMesgLed NID’s (these are only valid upto 2.00 since the NID’s were later ‘randomised’ the following update in 2.50):

  • 0x84a04017 sceUtilsGetLoadModuleCLength
  • 0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
  • 0xa4547df1 sceUtilsGetLoadModuleDLength
  • 0x94eb1072 sceUtilsGetLoadModuleDLengthByPolling
  • 0x198fd3be sceUtilsGetLoadModuleILength
  • 0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
  • 0x07e152be sceUtilsGetLoadModuleJLength
  • 0x9906f33a sceUtilsGetLoadModuleJLengthByPolling
  • 0x46ac0e78 sceUtilsGetLoadModuleKLength
  • 0x55c8785e sceUtilsGetLoadModuleKLengthByPolling
  • 0x67a5ecdf sceUtilsGetLoadModuleLLength
  • 0x85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
  • 0x951f4a5b sceUtilsGetLoadModuleMLength
  • 0x58999d8e sceUtilsGetLoadModuleMLengthByPolling
  • 0x9fc926a0 sceUtilsGetLoadModuleNLength
  • 0x7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable. The executable type is at offset 0x7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions. For example, Type3 exe’s (vshmain modules) use the ‘C’ function to decrypt, Type4 exe’s (user modules) use the ‘D’ function, etc. There are no types 5,6,7,8 exe’s so those letters are missing. Other exe types that use the above functions include:

  • Type09 UMD games (use ‘I’ to decrypt)
  • Type10 Gamesharing games (use ‘J’ to decrypt)
  • Type11 Debug Gamesharing games (use ‘K’ to decrypt)
  • Type12 MS Updater (use ‘L’ to decrypt)
  • Type13 MS Demo games (use ‘M’ to decrypt)
  • Type14 Flash application eboots (use ‘N’ to decrypt)

Later fw added extra exe types also (such as POPS executables – Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.

Type1 exe’s are internal debug modules while Type2 exe’s are kernel modules, they are both decrypted the same way hence the ‘A’ and ‘B’ in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also 2 more NID’s from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later ‘randomised’ the following update in 2.50):

  • 0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
  • 0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

This function is similar to the ‘sigcheck’ functions in that they take an encrypted ~PSP file and ‘scrambles’ the ‘sig’ area (0xD0 Bytes from offset 0×80-0×150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP’s FuseID to flash the unique prxs, which is why files from different PSP’s are not compatible and therefore cannot be shared).

Another NID Update Again

December 19th, 2008 silverspring

From sceHttp:

  • 0x739c2d79 sceHttpInitExternalCache
  • 0xa461a167 sceHttpEndExternalCache
  • 0x8046e250 sceHttpEnableExternalCache
  • 0xb0257723 sceHttpFlushExternalCache
  • 0x457d221d sceHttpFlushCookie
  • 0x4e4a284a sceHttpCloneTemplate

From sceSsl:

  • 0xf57765d3 sceSslGetKeyUsage

From sceLibUpdateDL (this completes the lib !!):

  • 0xf7e66cb4 sceUpdateDownloadSetUrl
  • 0x88ff3935 sceUpdateDownloadSetDestCode

From sceNetWispr (this completes the lib !!):

  • 0xc856aaac sceNetWisprLogoffStart

From sceNetIfhandle_driver:

  • 0xd5ad6dea sceNetGetIfhandleOpt
  • 0xc6d14282 sceNetSetIfhandleOpt
  • 0x955f2924 sceNetMCopypacket

From sceNetAdhocctl (new in 5.00):

  • 0xb0b80e80 sceNetAdhocctlCreateEnterGameModeMin

From sceDNASCore_lib (this completes the lib !!):

  • 0xba0d27f8 sceDNASCoreMakeProxyRequest

From sceVshNetconfAoss:

  • 0x50df536d sceNetAOSSInit
  • 0xd253b522 sceNetAOSSTerm
  • 0x653d453f sceNetAOSSStart
  • 0xac307152 sceNetAOSSStop
  • 0x2aee9d4d sceNetAOSSGetState

From sceLibFont_HV:

  • 0x33ffd07c sceFontIsElement

From sceUsbGps (new in 5.00):

  • 0x5881c826 sceUsbGpsGetStaticNavMode
  • 0xa8ed0bc2 sceUsbGpsSetStaticNavMode

From scePafHeaparea:

  • 0xf50aae41 sce_paf_private_getheaparea1
  • 0xacce25b2 sce_paf_private_getheaparea2

Another NID Update

December 17th, 2008 silverspring

From sceUmd (some in 1.xx only some in 3.xx only):

  • 0xf8352373 sceUmdRegisterMediaPresentCallBack
  • 0x5469dc37 sceUmdUnRegisterMediaPresentCallBack
  • 0x84231fcf sceUmdRegisterPowerOnOffUMDCallBack
  • 0x04d1aad9 sceUmdUnRegisterPowerOnOffUMDCallBack
  • 0×18624052 sceUmdRegisterGetUMDPowerOnOffCallBack
  • 0xa140dec2 sceUmdUnRegisterGetUMDPowerOnOffCallBack

From sceUmdMan_driver (some in 1.xx only some in 3.xx only):

  • 0x5a302102 sceUmdManUMDDrivePreStart
  • 0xb4692d7f sceUmdManUMDDrivePostStart
  • 0×93539196 sceUmdManGetPowerOnOffStat
  • 0xc8d45a7b sceUmdManSetPowerOnOffStat
  • 0xb989e127 sceUmdManLeptonAliveOnOff
  • 0xb511f821 sceUmdManLPNAssertWakeup
  • 0x736ae133 sceUmdManLPNNegateWakeup
  • 0x552f671a sceUmdManSPKRestart
  • 0x405b48a5 sceUmdManSPKCheckAuth
  • 0xf7c603a2 sceUmdManSPKAuthentication
  • 0x60933ecd sceUmdManIsDvdDrive
  • 0x2e49311e sceUmdManGetFmtVersion
  • 0xcea5c857 sceUmdManSetCachedRead
  • 0x8634ffc7 sceUmdManSetUnCachedRead

From sceMScm_driver:

  • 0x34124b97 sceMScmTPCGetIntHelper
  • 0x3ffe76e5 sceMScmTPCSetCmdHelper
  • 0×36921225 sceMScmTPCReadShortData
  • 0xef42a4a3 sceMScmTPCWriteShortData
  • 0x494fb570 sceMScmTPCExSetCmdHelper
  • 0xcbb2bf6f sceMScmReadMSRegHelper
  • 0x6c8aef0b sceMScmWriteMSRegHelper

From scePspNpDrm_driver:

  • 0x04618d16 sceNpDrmGetIDps (just gets the psid)
  • 0x4478c033 sceNpDrmVerifyRifById
  • 0xebb198ed sceNpDrmDecActivation

From sceNpInstall_driver (this completes the lib !!):

  • 0x5847d8c7 sceNpInstallGetChallenge
  • 0x91f9d50d sceNpInstallCheckActivation
  • 0x0b039b36 sceNpInstallActivation
  • 0x7ae4c8bc sceNpInstallDeactivation

From sceMlnBridge:

  • 0xf9357984 sceMlnBridgeSetDKS

From scePsheet (this completes the lib !!):

  • 0x3ba93cfa sceDRMInstallGetProgress

NID Update

December 17th, 2008 silverspring

I have been quite busy lately so here’s a little NID update.

From InitForKernel:

  • 0xc4f1ba33 sceKernelStartIntrLogging

From KDebugForKernel:

  • 0xffd2f2b9 sceKernelIsDevelopmentToolMode

From InterruptManagerForKernel:

  • 0x43a7bbdc sceKernelSetIntrLogging
  • 0x07e138ee sceKernelClearIntrLogging
  • 0xdd55a192 sceKernelGetSyscallRA (used to exist in threadman)

From sceDisplay_driver:

  • 0xae0e8972 sceDisplaySetPseudoVsync
  • 0x92c8f8b7 sceDisplayIsPseudoField
  • 0x40f1469c sceDisplayWaitVblankStartMulti
  • 0x77ed8b3a sceDisplayWaitVblankStartMultiCB

From sceGe_driver:

  • 0x7b481502 sceGeGetBreakpoint
  • 0xaec21518 sceGePutBreakpoint
  • 0xbad6e1ca sceGeRegisterLogHandler
  • 0xc576e897 sceGeEdramGetHwSize
  • 0x114e1745 sceGeEdramSetRefreshParam

From scePower_driver:

  • 0xc23ac778 scePowerGetGeEdramRefreshMode
  • 0xe0b7a95d scePowerSetGeEdramRefreshMode
  • 0xe8e4e204 scePowerGetForceSuspendCapacity
  • 0xe8685403 scePowerGetLedOffTiming
  • 0xd66ef08d scePowerCheckWlanCondition

From sceSyscon_driver:

  • 0xeb277c88 sceSysconReadScratchPad
  • 0x65eb6096 sceSysconWriteScratchPad

From sceRtc_driver (new in 5.00):

  • 0xf5fcc995 sceRtcGetCurrentNetworkTick

From sceAtrac3plus (this completes the lib !!):

  • 0x2dd3e298 sceAtracGetBufferInfoForResetting

From sceAudiocodec:

  • 0x59176a0f sceAudiocodecAlcExtendParameter

From sceMpeg:

  • 0x0558b075 sceMpegAvcCopyYCbCr
  • 0×01977054 sceMpegGetUserdataAu (accidently mislabelled as sceMpegQueryUserdataEsSize in libdocs)

From sceMpegbase:

  • 0xbea18f91 sceMpegBasePESpacketCopy

From sceVaudio:

  • 0x346fbe94 sceVaudioSetEffectType
  • 0x82ef2f9d sceVaudioGetEffectString
  • 0x27acc20b sceVaudioChReserveBuffering


October 24th, 2008 silverspring

The Utilities library was an excellent idea by SCE to allow ever increasing functionality to be available to Game developers (at the expense of user memory though, the Utilities is partly why a whopping 8MB is reserved for the kernel).

Anyway, on to the new NID’s (note not all are available under all firmwares)…

From libs under sceUtility_Driver:

  • 0x943cba46 sceUtilityAuthDialogInitStart
  • 0x0f3eeaac sceUtilityAuthDialogShutdownStart
  • 0x147f7c85 sceUtilityAuthDialogUpdate
  • 0x16a1a8d8 sceUtilityAuthDialogGetStatus
  • 0xdde5389d sceUtilityDNASInitStart
  • 0x149a7895 sceUtilityDNASShutdownStart
  • 0x4a833ba4 sceUtilityDNASUpdate
  • 0xa50e5b30 sceUtilityDNASGetStatus
  • 0x04b24901 sceUtilityDdHelperInitStart
  • 0x1b698f54 sceUtilityDdHelperShutdownStart
  • 0xfd99af0a sceUtilityDdHelperUpdate
  • 0x8fcabab9 sceUtilityDdHelperGetStatus
  • 0x16d02af0 sceUtilityNpSigninInitStart
  • 0xe19c97d6 sceUtilityNpSigninShutdownStart
  • 0xf3fbc572 sceUtilityNpSigninUpdate
  • 0x86abdb1b sceUtilityNpSigninGetStatus
  • 0x42071a83 sceUtilityPS3ScanInitStart
  • 0xd17a0573 sceUtilityPS3ScanShutdownStart
  • 0xd852cdce sceUtilityPS3ScanUpdate
  • 0x89317c8f sceUtilityPS3ScanGetStatus
  • 0x81c44706 sceUtilityRssReaderInitStart
  • 0xb0fb7ff5 sceUtilityRssReaderContStart
  • 0xe7b778d8 sceUtilityRssReaderShutdownStart
  • 0x6f56f9cf sceUtilityRssReaderUpdate
  • 0x8326ab05 sceUtilityRssReaderGetStatus
  • 0x4b0a8fe5 sceUtilityRssSubscriberInitStart
  • 0x06a48659 sceUtilityRssSubscriberShutdownStart
  • 0xa084e056 sceUtilityRssSubscriberUpdate
  • 0x2b96173b sceUtilityRssSubscriberGetStatus
  • 0x0251b134 sceUtilityScreenshotInitStart
  • 0x86a03a27 sceUtilityScreenshotContStart
  • 0xf9e0008c sceUtilityScreenshotShutdownStart
  • 0xab083ea9 sceUtilityScreenshotUpdate
  • 0xd81957b7 sceUtilityScreenshotGetStatus
  • 0xda97f1aa sceUtilityStoreCheckoutInitStart
  • 0x54a5c62f sceUtilityStoreCheckoutShutdownStart
  • 0xb8592d5f sceUtilityStoreCheckoutUpdate
  • 0x3aad51dc sceUtilityStoreCheckoutGetStatus
  • 0x7635200e sceUtilityDialogGetGameInfo
  • 0xef5bc2d1 sceUtilityDialogGetStructVersion
  • 0x463ea95e sceUtilityAppletGetType (an amazing false positive for this nid is sceUtilityPspDialog !!)
  • 0xab46a24f sceUtilityAppletGetParam
  • 0x463ea95e sceUtilityAppletGetType
  • 0x75ff798c sceUtilityAppletGetSpeed
  • 0x4b677ba1 sceUtilityAppletGetStructVersion
  • 0x00948e27 sceUtilityAppletLoadModule
  • 0x4acd6532 sceUtilityAppletUnloadModule
  • 0x97f922a3 sceUtilityAppletSetStatus
  • 0x9bae7dce sceUtilityAppletSetThreadId
  • 0x976f7805 sceUtilityAppletRegisterPowerCallback
  • 0xe542e9d8 sceUtilityAppletUnregisterPowerCallback
  • 0x8e8e3aa3 sceUtilitySetNetParamLatestID
  • 0x3fd8ccfb sceUtilityGetNetParamInt
  • 0x63c3e40c sceUtilitySetNetParamInt

A few previous Utilities had been added to the PSPSDK most notably the Message Dialogs as well as the Web Browser. Some of these newly discovered Utilities may be also worthwhile to add to PSPSDK especially the Screenshot one. While there are already unofficially screenshot libs, it would be more convenient as well as less memory consuming to use an official lib (for example using the official libmp3 to play mp3 files).

More, more, more…

October 17th, 2008 silverspring

Four more libs are now fully complete:

From sceGpio_driver:

  • 0×95135905 sceGpioPortInvert
  • 0x5691cefa sceGpioEnableTimerCapture
  • 0x2cdc8edc sceGpioDisableTimerCapture
  • 0x6b38b826 sceGpioSetCapturePort
  • 0xc6928224 sceGpioGetCapturePort

That completes the GPIO lib !!

From scePwm_driver:

  • 0xab6d2e36 scePwmChangeDuty
  • 0xf624c1a0 scePwmReferDuty

That completes the PWM lib !!

From sceMp3:

  • 0x8AB81558 sceMp3StartEntry
  • 0x732B042A sceMp3EndEntry

That completes libmp3 !!

From sceAac:

  • 0x6C05813B sceAacStartEntry
  • 0x61AA43C9 sceAacEndEntry

That completes libaac !!

From sceAta_driver:

  • 0x8cada96b sceAtaAhbGetDDRSize
  • 0xb985f2b0 sceAtaAhbSetDDRSize
  • 0x7c6b31d8 sceAtaDisplayIPD
  • 0x9ca52f94 sceAtaExecIPDCmd

From sceClockgen_driver:

  • 0xc6d4c843 sceClockgenSetProtocol

From InitForKernel:

  • 0x7233b5bc sceKernelApplicationType

From IoFileMgrForKernel:

  • 0x30e8abb3 sceIoValidateFd

From sceUsb1Seg_driver:

  • 0xd799104f sceUsb1SegGetFirmVer

From sceUSB_Stor_Ms_driver:

  • 0x7b810720 sceUsbstorMsSetWorkBuf
  • 0xcf2af7b3 sceUsbstorMsGetNickname
  • 0x16173d42 sceUsbstorMsSetNickname

From scePower_driver:

  • 0xd7b9c925 scePowerGetWatchDog
  • 0x442bfbac scePowerGetBacklightMaximum
  • 0x23436a4a scePowerGetInnerTemp
  • 0xf535d928 scePowerSetWakeupCondition
  • 0x78a1a796 scePowerIsSuspendRequired

From sceAsfParser:

  • 0xd2dd1778 sceAsfGetContentDescription
  • 0xaa881a7b sceAsfGetExtContent
  • 0xefc704c3 sceAsfGetHeaderExtension
  • 0x5ec678cb sceAsfGetVariableObject

From sceUmdMan_driver:

  • 0x1f9afff4 sceUmdManMediaPresent
  • 0x84410a8e sceUmdManSetReadAheadSize
  • 0x63acfd28 sceUmdManSetDisableReadAhead
  • 0x39704b6e sceUmdManSetEnableReadAhead

From sceUmd:

  • 0x08709f2d sceUmdAssertLeptonWakeup
  • 0xad18c797 sceUmdNegateLeptonWakeup

From sceMgr_driver:

  • 0xf26c410a sceMgrMSReadPoolPage
  • 0xa85906fc sceMgrMSWritePoolPage

From sceMSAudio_driver:

  • 0x66f19ca3 sceMSAudioUpdateIBD
  • 0x22da9981 sceMSAudioInitFringe
  • 0x9e37e51d sceMSAudioInitTrack
  • 0x5d1c9867 sceMSAudioDecryptFringe
  • 0x38178f2f sceMSAudioDecryptTrack
  • 0x67e58c07 sceMSAudioEndFringe
  • 0x135f2225 sceMSAudioEndTrack
  • 0xda34ab8f sceMSAudioGetMediaType
  • 0xa18a1df6 sceMSAudioClearMACEntry
  • 0xe8b25d38 sceMSAudioCalculateICVn

And vshbridge equivalents:

  • 0x04310D7C vshMSAudioUpdateIBD
  • 0xB27C593F vshMSAudioInitFringe
  • 0×14877197 vshMSAudioInitTrack
  • 0x0D2CEAD2 vshMSAudioDecryptFringe
  • 0xD907B6AA vshMSAudioDecryptTrack
  • 0xD120667D vshMSAudioEndFringe
  • 0x5BBB35E4 vshMSAudioEndTrack
  • 0xB0FD5916 vshMSAudioGetMediaType
  • 0x7A63BE73 vshMSAudioClearMACEntry
  • 0x222A18C4 vshMSAudioCalculateICVn

Marlin DRM Platform (new nids)

October 15th, 2008 silverspring

Marlin is a DRM platform designed to provide interoperability across multiple devices. It’s developed by several big name corporations like Sony, Panasonic, Samsung, Philips, etc.

Naturally the PSP would be a suitable target. The library sceMlnBridge (mlnbridge.prx) has existed since 2.50 but only in the last few firmwares has the API really expanded:

From sceMlnBridge (this is not the full list of nids there are still more unknown):

  • 0x13e68009 sceMlnBridgeAesEcbEncrypt
  • 0x8d7e61dd sceMlnBridgeAesEcbDecrypt
  • 0xde730a46 sceMlnBridgeAesCbcEncrypt
  • 0x7770fc23 sceMlnBridgeAesCbcDecrypt
  • 0x54edc552 sceMlnBridgeSHA1
  • 0x3505ecce sceMlnBridgeHMAC
  • 0x2fdf5639 sceMlnBridgeRandInit
  • 0xd0790a37 sceMlnBridgeRandFin
  • 0xe79622cd sceMlnBridgeRandGetBytes
  • 0xadb4797e sceMlnBridgeRsaInit
  • 0xb7e04efa sceMlnBridgeRsaFin
  • 0x10c4fec6 sceMlnBridgeSha1MakeDigest
  • 0xd455dd97 sceMlnBridgeSha256MakeDigest

Its features include a Public Key Encryption Algorithm, a Public Key Signature Algorithm, a Secret Key Encryption Algorithm, a Secret Key Signature Algorithm, a Digest Algorithm, and more. So here you have access to AES, RSA, SHA1, SHA256, & MT19937 algorithms all in a single usermode lib (though the api was stripped down again from 4.xx for some reason).

All the algorithms are done in software with the exception of AES, which it relies on MagicGate hardware to perform.

From sceMgr_driver:

  • 0xA45A63B6 sceMgrAesEcbEncrypt
  • 0x19B8F2D0 sceMgrAesEcbDecrypt
  • 0xA44A5538 sceMgrAesCbcEncrypt
  • 0xA1F6D85A sceMgrAesCbcDecrypt

These are just convenient wrappers over the sceMgrAESEncrypt/sceMgrAESDecrypt functions that were discovered earlier here.

Also, an interface through a USB driver (usbstormgr.prx).

From sceUsbstormln:

  • 0x1f4ac19c sceUsbstormlnGetCommand
  • 0x5821060d sceUsbstormlnNotifyResponse
  • 0x382898de sceUsbstormlnRegisterBuffer
  • 0x25b6f372 sceUsbstormlnUnregisterBuffer
  • 0xdec0fe8c sceUsbstormlnWaitStatus
  • 0xe11defdf sceUsbstormlnCancelWaitStatus

USB Host ??

October 12th, 2008 silverspring

Some new nids that may suggest that the PSP does in fact have USB Host capabilities:

  • 0x3E961C02 sceSysregUsbhostResetEnable
  • 0xACFA3764 sceSysregUsbhostResetDisable
  • 0xDA4FCA1D sceSysregUsbhostClkEnable
  • 0x228A73E1 sceSysregUsbhostClkDisable
  • 0xE321F41A sceSysregUsbhostBusClockEnable
  • 0x4D2FFC60 sceSysregUsbhostBusClockDisable
  • 0xFFEB6E00 sceSysregUsbhostQueryIntr
  • 0x87C2BA20 sceSysregUsbhostAcquireIntr

However, these nids were only added in 2.70. At the same time, sceSysregAtahdd___ nids were also added so it could be that this was for the unreleased HDD model PSP and not actually for any current model. Usb Host may have been destined for this new PSP which, along with the internal HDD+GSensor and Bluetooth, defintely would have been a dream handheld.

At one point it seemed that the new PSP-3000 would be the model to integrate these great features however that does not seem to be the case anymore. With the disappointing new features of the PSP-3000 let’s hope a PSP-4000 will finally be the time Sony releases this new model.

Another interesting fact that may mean something or may mean absolutely nothing at all:

0xBC1000B0 is the Usbhost Interrupt Status register. On normal boot this register is set to 1 however on service mode & test mode boot (ie. for battery serial 0xFFFFFFFF & 0×00000000 respectively) this register is set to 0. Whether this actually means something of significance is unknown however it is rumoured that during service mode the USB is actually plugged in (perhaps connected to a testing PC ?).

Another large bunch of new NID’s

October 10th, 2008 silverspring

Syscon G-Sensor
As I mentioned in previous entries, support for an internal HDD+GSensor had been added to the kernel from 2.80. It seems SCE had wanted to keep it a secret since when I had revealed the NID’s referencing these devices, the API had promptly been removed the following firmware. Hence the HDD & GSensor NID’s only exist from 2.80-3.60. When they actually plan on releasing this HDD is anyone’s guess, though I had hoped it would have happened with the release of the PSP-3000. Well, maybe for PSP-4000…

From sceSyscon_driver:

  • 0x3357EE5C sceSysconIsFalling
  • 0x565EF519 sceSysconGetFallingDetectTime

This literally detects whether or not the PSP is falling down (the G-Sensor has an accelerometer built in) and if it is, shuts down the HDD to protect from damage.

Link to previous post about the GSensor and HDD:

Lightweight Mutex
Lightweight mutexs have recently been added to the kernel (3.80+ firmwares) however the majority of the API was placed in the sceKernelLibrary of usersystemlib.prx instead of sceThreadManager even though sceKernelCreateLwMutex/sceKernelDeleteLwMutex were still in sceThreadManager.

From Kernel_Library:

  • 0xBEA46419 sceKernelLockLwMutex
  • 0x1FC64E09 sceKernelLockLwMutexCB
  • 0xDC692EE3 sceKernelTryLockLwMutex
  • 0x15B6446B sceKernelUnlockLwMutex
  • 0xC1734599 sceKernelReferLwMutexStatus

From ThreadManForUser:

  • 0x4C145944 sceKernelReferLwMutexStatusByID

Low-level Sound Library
From 1.00-2.60 a low-level sound library was available as the scePEQ_Library_driver (peq.prx).

From scePEQ_driver:

  • 0xF7EA0632 scePeqInit
  • 0x213DE849 scePeqEntry
  • 0xED13C3B5 scePeqProc

From 2.70+ this library was replaced with sceSAScore (sc_sascore.prx – SC being the shorthand for the main cpu as opposed to ME the Media Engine cpu).

From sceSasCore_driver:

  • 0xB0F9F98F sceSasCoreInit
  • 0xE143A1EA sceSasCoreExit

For the usermode library the usual naming convention changed (no wonder there were never any hits for these nids, they used a stupid underscore, and two of them!!)

From sceSasCore:

  • 0x019B25EB __sceSasSetADSR
  • 0x07F58C24 __sceSasGetAllEnvelopeHeights
  • 0x267A6DD2 __sceSasRevParam
  • 0x2C8E6AB3 __sceSasGetPauseFlag
  • 0x33D4AB37 __sceSasRevType
  • 0x42778A9F __sceSasInit
  • 0x440CA7D8 __sceSasSetVolume
  • 0x50A14DFC __sceSasCoreWithMix
  • 0x5F9529F6 __sceSasSetSL
  • 0x68A46B95 __sceSasGetEndFlag
  • 0x74AE582A __sceSasGetEnvelopeHeight
  • 0x76F01ACA __sceSasSetKeyOn
  • 0x787D04D5 __sceSasSetPause
  • 0×99944089 __sceSasSetVoice
  • 0x9EC3676A __sceSasSetADSRmode
  • 0xA0CF2FA4 __sceSasSetKeyOff
  • 0xA232CBE6 __sceSasSetTrianglarWave
  • 0xA3589D81 __sceSasCore
  • 0xAD84D37F __sceSasSetPitch
  • 0xB7660A23 __sceSasSetNoise
  • 0xBD11B7C2 __sceSasGetGrain
  • 0xCBCD4F79 __sceSasSetSimpleADSR
  • 0xD1E0A01E __sceSasSetGrain
  • 0xD5A229C9 __sceSasRevEVOL
  • 0xD5EBBBCD __sceSasSetSteepWave
  • 0xE175EF66 __sceSasGetOutputmode
  • 0xE855BF76 __sceSasSetOutputmode
  • 0xF983B186 __sceSasRevVON

Under the same prx another sound lib, the Positional 3D Audio Library, was added in 2.80+.

From sceP3da:

  • 0x374500A5 sceP3daBridgeInit
  • 0x43F756A2 sceP3daBridgeExit
  • 0x013016F3 sceP3daBridgeCore

User Log
Added from 2.80+, can only be used on devkits.

From UtilsForKernel:

  • 0x92282A47 sceKernelRegisterUserLogHandler
  • 0x87E81561 sceKernelPutUserLog

As people may know SCE added their own official UMD Emulator to load official PSP ISO’s bought from PSN Store (such as “Beats” and many others). The scePspNpDrm_Driver (npdrm.prx) is what protects these legit ISO’s. This prx was added in 3.00 way before the actual UMD Emulator (np9660.prx) was added in 3.50 which was even quite a while before it was actually officially enabled. It was unofficially enabled beforehand under M33 CFWs as the NP9660 No-UMD ISO Loader.

From scePspNpDrm_driver:

  • 0x17E3F4BB sceNpDrmVerifyAct
  • 0x37B9B10D sceNpDrmVerifyRif
  • 0x00AD67F8 sceNpDrmGetFixedKey
  • 0x5667B7B9 sceNpDrmGetContentKey
  • 0xD36B4E6D sceNpDrmGetModuleKey
  • 0x0F9547E6 sceNpDrmGetVersionKey (incorrectly listed as scePspNpDrmInitFromGameIdMs4 on the libdocs)
  • 0xA1336091 sceNpDrmSetLicenseeKey
  • 0x9B745542 sceNpDrmClearLicenseeKey
  • 0x275987D1 sceNpDrmRenameCheck
  • 0x08D98894 sceNpDrmEdataSetupKey
  • 0x219EF5CC sceNpDrmEdataGetDataSize

VSH System Config
The vshRegSysconf lib was previously under the sceVshCommonUtil_Module upto 1.50. From 2.00 the lib was moved to the the vsh_module.

From vshmain:

  • 0x03BB4503 vshRegSysconfGetCharacterSetOem
  • 0x67BFD9C0 vshRegSysconfSetCharacterSetOem
  • 0x0FE13026 vshRegSysconfGetCharacterSetAnsi
  • 0x032D663E vshRegSysconfSetCharacterSetAnsi
  • 0xF859FC3C vshRegSysconfGetThemeSystemColor
  • 0xEE3D8305 vshRegSysconfSetThemeSystemColor

Note: I have yet to add these new NID’s to the libdoc site. I will do so when I get some spare time.

SBORPS Random Fact 05

September 3rd, 2008 silverspring

SCE make typo’s too.

In the sceRtc lib I noticed an export sceRtc_029CA3B3 that was mapped to the same function that the export sceRtcGetAccumulativeTime was mapped to. Researching some more I noticed that sceRtc_029CA3B3 had existed ever since 1.00 but sceRtcGetAccumulativeTime was only added in 1.50. They are both mapped to the same function. I then realised that the cause of this might be because of a misspelling of the original function and that sceRtcGetAccumulativeTime was the corrected version added in 1.50.

So then, how to crack this NID.

It is not easy to try to guess a misspelling. A per-letter bruteforce would’ve taken too long so I simply tried the most common typo’s and, after many many permutations, I eventually guessed correctly:

  • 0x029CA3B3 sceRtcGetAccumlativeTime (it’s missing a ‘u’)

This is not the only typo either. More than once they have spelt “register” as “regitser”.

  • 0xDB9D28DD scePowerUnregitserCallback
  • 0xDFA8BAF8 scePowerUnregisterCallback

And problems obviously stemming from the fact that the programmers are Japanese:

  • 0xB795D2ED sceNandCollectEcc
  • 0x88CC9F72 sceNandCorrectEcc

You’ll also notice that the old misspelled entry still exists even though a corrected version was added. The reason for this is for compatibility. Older apps had used the original misspelled function so the NID couldn’t be changed. This is somewhat fixed now that kernel NID’s are randomised in newer firmwares. There will only be one entry for each function now that the NID isn’t derived from the name of the function.

So, sometimes when it seems that an NID is impossible to crack it may simply be because of a stupid SCE typo :p.

PAF NID’s !!

September 2nd, 2008 silverspring

PAF NID’s have been very difficult to crack, the majority of exports are C++ mangled names and the ones that aren’t do not follow the standard SCE naming format. But here is a large portion of paf.prx NID’s that will now make VSH modules many more times easier to RE. This should be the complete list of sce_paf_private functions:

  1. 0xC9831AFF  sce_paf_private_printf
  2. 0xBFE9E90B  sce_paf_private_wprintf
  3. 0x5FAC9869  sce_paf_private_malloc
  4. 0xFCB4E053  sce_paf_private_malloc2
  5. 0x26DE971C  sce_paf_private_mtrim
  6. 0x613E9AA2  sce_paf_private_mtrim2
  7. 0x40C95283  sce_paf_private_check_leak
  8. 0xB61E88F2  sce_paf_private_check_leak2
  9. 0x545FE2DA  sce_paf_private_free
  10. 0x7EC15225  sce_paf_private_free2
  11. 0x60DECA7E  sce_paf_private___assert
  12. 0xFD4C9F47  sce_paf_private_wcslen
  13. 0x71B4AC50  sce_paf_private_memchr
  14. 0xF95EA3F1  sce_paf_private_memcpy
  15. 0x6829D7AF  sce_paf_private_memset
  16. 0xCA79D58B  sce_paf_private_strlen
  17. 0x66FE90D7  sce_paf_private_strcmp
  18. 0x980228BA  sce_paf_private_strcpy
  19. 0x296897BC  sce_paf_private_sinf
  20. 0xDEDF238F  sce_paf_private_cosf
  21. 0x7BED034E  sce_paf_private_sqrtf
  22. 0xB3D58D25  sce_paf_private_floorf
  23. 0x302F609D  sce_paf_private_ceilf
  24. 0x44AAF96C  sce_paf_private_acosf
  25. 0x49A81B18  sce_paf_private_swprintf
  26. 0xFF2F98C6  sce_paf_private_strncpy
  27. 0x77D981F5  sce_paf_private_strrchr
  28. 0x45D851D1  sce_paf_private_wcscpy
  29. 0×71712601  sce_paf_private_sprintf
  30. 0x71460F7C  sce_paf_private_vsprintf
  31. 0x6F092DF6  sce_paf_private_vsnprintf
  32. 0xABBBB335  sce_paf_private_fopen
  33. 0x07A5F495  sce_paf_private_fputc
  34. 0xF1552447  sce_paf_private_fwrite
  35. 0×83944053  sce_paf_private_fclose
  36. 0x0B4C0DB6  sce_paf_private_ferror
  37. 0x2FDC80B3  sce_paf_private_wcscmp
  38. 0xFCFAA39F  sce_paf_private_wcscasecmp
  39. 0xD121F409  sce_paf_private_wcsrchr
  40. 0x993E9FDC  sce_paf_private_strchr
  41. 0x3188E7DB  sce_paf_private_strstr
  42. 0x7CD438D9  sce_paf_private_strtok
  43. 0xDC38941B  sce_paf_private_strtok_r
  44. 0xF0B4CAE7  sce_paf_private_strncmp
  45. 0x6C234A6A  sce_paf_private_atoi
  46. 0x37A98AE9  sce_paf_private_atol
  47. 0xB4E3A16C  sce_paf_private_abs
  48. 0x3DD2A27B  sce_paf_private_bsearch
  49. 0x9870A25B  sce_paf_private_fgetc
  50. 0x503BA324  sce_paf_private_fread
  51. 0x2FA84441  sce_paf_private_fseek
  52. 0x84BD418F  sce_paf_private_ftell
  53. 0x902515FB  sce_paf_private_look_ctype_table
  54. 0x3586BE05  sce_paf_private_memalign
  55. 0x2FA0EDDC  sce_paf_private_memalign2
  56. 0x8FC65EB0  sce_paf_private_realloc
  57. 0x29BAA830  sce_paf_private_realloc2
  58. 0x3FBD9639  sce_paf_private_memcmp
  59. 0x6BA9C299  sce_paf_private_memmove
  60. 0xF1B52E86  sce_paf_private_powf
  61. 0x10B901E7  sce_paf_private_qsort
  62. 0x4370175A  sce_paf_private_rand
  63. 0x809A4F83  sce_paf_private_snprintf
  64. 0xA82E3C19  sce_paf_private_srand
  65. 0xED2B47FA  sce_paf_private_strcasecmp
  66. 0xDEB2D1C9  sce_paf_private_strncasecmp
  67. 0x26168DD3  sce_paf_private_strcat
  68. 0x626D68A1  sce_paf_private_strncat
  69. 0xFBA47E77  sce_paf_private_strtol
  70. 0x2394D451  sce_paf_private_strtoul
  71. 0x44A0BCE4  sce_paf_private_tanf
  72. 0x4B1A374C  sce_paf_private_tolower
  73. 0x1D5D9A68  sce_paf_private_toupper
  74. 0x51AAAAF4  sce_paf_private_wcschr
  75. 0x54C0DD23  sce_paf_private_wcsncmp
  76. 0x9F10613F  sce_paf_private_longjmp
  77. 0x8F12B63A  sce_paf_private_setjmp
  78. 0x9D0192FD  sce_paf_private_atan2f
  79. 0xFEAFC77A  sce_paf_private_fabsf
  80. 0x77EB25F5  sce_paf_private_bcopy
  81. 0x99A5CD38  sce_paf_private_bzero
  82. 0xCE699963  sce_paf_private_calloc
  83. 0xCB2198AB  sce_paf_private_wcsncpy
  84. 0x11EF5210  sce_paf_private_logf
  85. 0x680513D9  sce_paf_private_feof
  86. 0x9C483594  sce_paf_private_fflush
  87. 0x1E088F41  sce_paf_private_strpbrk

PSP LibDoc update

August 21st, 2008 silverspring

Another large update to the libdocs:

Finally added the 4.05 firmware and updates to 1.50 and 3.52 only.

Some of the more noteworthy NID’s include:

  • 0x96cfac38 sceDisplayGetBacklightSel
  • 0xe55f0d50 sceDisplaySetBacklightSel

Newer method to get/set the brightness levels.

  • 0x42f954d4 sceIoAddHook

This is the function used to implement the CipherIO system (the cphio pseudo IO driver) used by things such as the DNAS IO lib as well as other DRM libs. It hooks the IO functions to be able to implement cipher routines which can then used by simply calling ioctls of this pseudo IO driver.

  • 0x19d579f0 sceOpenPSIDGetPSID

Note, this is NOT the same as sceOpenPSIDGetOpenPSID, plus this is a kernel-only export.

  • 0xe7735df4 sceUsb1SegEEPROMParamRead
  • 0xa68a6c72 sceUsb1SegEEPROMParamWrite

Access to the EEPROM of the 1Seg TV Tuner.

  • 0xc72ed6d3 sceUsbCamEnterFwUpdateMode

Updating the USB Camera firmware.

  • 0xf9ecfddd scePcactAuth1BB
  • 0x08bb9677 scePcactAuth2BB
  • 0x8523e178 sceMlnpsnlAuth1BB
  • 0x6885f392 sceMlnpsnlAuth2BB

Yes another DRM api.

There are plenty more NID’s of various usefulness as well. In general, this was quite a good update, lot’s of great NID’s were cracked.