forums.ps2dev.org - Homebrew PS2, PSP & PS3 Development Discussions
Service mode by power supply pins?
Forum: PSP Development
groepaz (Joined: 01 Sep 2005, Posts: 305)
Posted: Wed Aug 29, 2007 12:49 pm

haha :)
_________________
http://www.hitmen-console.org
http://hitmen.c02.at/files/yapspd/
jimparis (Joined: 10 Jun 2005, Posts: 1180, Location: Boston)
Posted: Wed Aug 29, 2007 1:04 pm

Of course the real secret is how the pre-IPL code was first dumped and how the custom MS IPL was signed, but I'm not sure of all the details at the moment :) With moonlight's custom IPL example posted here though, you can dump the pre-IPL easily, and run unsigned code at IPL time.
Art (Joined: 09 Nov 2005, Posts: 652)
Posted: Wed Aug 29, 2007 2:22 pm

So there IS a battery firmware serial matching that on the outside printed label?
Well aren't I the moron. (see post above).
Art.
nem (Joined: 13 Jan 2005, Posts: 73)
Posted: Thu Sep 06, 2007 1:10 am

A long time has passed since I appeared on the scene.
Here is how I found the way to get into service mode. Pretty long. ;)

There was a rumor that the battery may be involved in service mode, so I first examined battery communication. The text below was written a long time ago and includes some obsolete descriptions.


Battery communication reversed

I used a microcontroller to sniff communications between PSP and battery.

Electrical
Not much investigated.
One-wire time-divided bi-directional serial.


Data format and protocol
Asynchronous serial communication. 19200bps, NRZ, LSB-first, 8 bit data, even parity, 1 stop bit.
Always initiated by the PSP, and the battery replies. A break signal is issued by the PSP as start-up of communication. The packet format is the same in both directions.

Variable-sized packet, formatted as:
Code:
start mark     (1)    0x5a:psp->battery  0xa5:battery->psp
packet size    (1)    bytesize of packet excluding start mark and packet size
type           (1)    packet type
data           (*)    optional
bcc            (1)    sum of all octet in packet to be 0xFF, from start mark to bcc



Packet type and meanings, reply format
Code:
type  description          data    reply from battery   remark
0x01  request status       none    unknown_flag:u8     
                                   energyleft_mAh:u16   
0x02  request temperature  none    temperature:u8       Celsius degrees, min/max value unknown
0x03  request voltage      none    voltage_mV:u16       
0x04  request current      none    current_mA:short     positive if charging battery
0x07  request capacity     none    capacity_mAh:u16
0x09  request timeleft     none    timeleft_min:u16     XMB does not show this value
0x0c  request serialno     none    serialno:u32         suspected
0x80  request auth?        9byte   16byte               encrypted data/reply
0x81  request auth?        8byte   8byte                encrypted data/reply

Code:
type  description          data    remark
0x05  reply from battery   none    NAK, BCC error and so on??
0x06  reply from battery   *       ACK, with reply data


unknown_flag may involve in/out currents. Note that the value is not consistent with this guess when the battery is fully charged, the PSP is powered off and DC is connected, so there would be other meanings.
Type 0x80/0x81 for battery authentication??
First byte of data of type 0x80 request is 0x00, others are random-looking.


Typical sequences
When battery placed : 01, 0C, 80, 81, 01, 80, 81
Every 30 seconds with DC in : 01, 80, 81
Every 30 seconds without DC in : 01, 0C, 80, 81
Cold start : 01, 07, 09, 02, 04, 03, 01


Which to craft?
Possible candidate at this time:

reply to type 01 : non-usual value
reply to type 0C : some special region of value
reply to type 80 : need to know about encryption
reply to type 81 : need to know about encryption
others : non-usual value



Faking the communication

I added some circuitry to fake battery communication. The original battery is needed because the authentication algorithm is unknown. I interrupted the serial line and changed specific text. Since some third parties make unlicensed batteries, the algorithm would already be cracked by someone, or not ;).

Authentication
Authentication is still unknown. Here are some specimens of chosen-text requests.
Code:
Text 0x80 data part : reply from battery
00 00 00 00 00 00 00 00 00 : A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71
00 00 00 00 00 00 00 00 01 : A5 12 06 A7 AA C2 5F E1 ED 17 3E 7E 4F 9B 7D D7 E1 6F 1A 87
00 00 00 00 00 00 00 00 02 : A5 12 06 F6 08 B1 51 5B 88 7D CF 86 C2 47 A7 1F 31 64 14 15
00 00 00 00 00 00 00 00 03 : A5 12 06 11 2C 35 79 D3 E8 6E A5 31 42 DB 00 A2 5E 00 9E 9D
00 00 00 00 00 00 00 00 04 : A5 12 06 C4 C8 8D FE B9 3E D3 3A 42 EA 8F 55 2E 0A F8 0F D8
00 00 00 00 00 00 00 00 05 : A5 12 06 90 A3 50 6D 67 71 3F B8 FB 49 E1 C6 BD B6 AD EC 8C
00 00 00 00 00 00 00 00 06 : A5 12 06 5A 57 BE 60 CD 95 07 83 01 6F 2D CA F0 10 05 80 9B
00 00 00 00 00 00 00 00 07 : A5 12 06 A4 A9 A6 6F 01 5D 91 A3 37 C0 8A 07 B1 93 4B 5B DC
00 00 00 00 00 00 00 00 08 : A5 12 06 18 F3 46 6E C6 3C D2 58 A5 D8 DE B0 CD AA F3 6C 76
00 00 00 00 00 00 00 00 09 : A5 12 06 75 C3 88 58 0C 23 C8 8B 2F 5A 46 EF C9 17 3D A8 25
00 00 00 00 00 00 00 00 0A : A5 12 06 BD 40 B2 CA 77 AA 15 14 35 09 D3 A3 FB 2C 39 98 D3
00 00 00 00 00 00 00 00 0B : A5 12 06 0B 51 80 3E 2F 0E 07 87 B2 6B 54 B4 2E BC 26 EC 3C
00 00 00 00 00 00 00 00 0C : A5 12 06 A9 7A A7 44 19 61 07 4F BD 86 A3 BD A3 57 86 E2 5F
00 00 00 00 00 00 00 00 0D : A5 12 06 3E 46 97 E2 4D DE 5C D0 2D 51 7A E6 01 27 E6 06 FC
00 00 00 00 00 00 00 00 0E : A5 12 06 9B DB 06 3D 89 56 89 99 AC E1 90 B5 61 E1 B5 90 2F
00 00 00 00 00 00 00 00 0F : A5 12 06 10 D1 2E FD 71 30 22 72 B0 57 18 A5 00 8C 27 21 69



Emergency shutdown?
A reply from the battery to a 0x01 text with the first byte of the data part having the 0x40 bit (bit 6) set will cause immediate shutdown of the PSP. The bit would mean critical failure of the battery, or something like that I guess.


Special battery serial number to force behavior of PSP
By trying some faked text, I found the way to service mode.
The serial number request is text type 0x0c, and the battery replies with text 0x06 carrying a 4-byte serial number. Faking the serial number causes special behavior of the PSP. At this time I needed hardware to rewrite the serial number reply text.
Code:
type  description          data    reply from battery
0x0c  request serialno     none    serialno:u32     


Serial number 0x00000000 will force the PSP to power on in normal mode when the battery is placed.
Serial number 0xffffffff will force the PSP to power on in service mode when the battery is placed.



Investigate circuit board inside the battery

There are at least two types of circuit board inside the PSP battery module. I have not investigated the new-style battery module, which has a smaller circuit board. Both have the same model number, PSP-110, but seem to have a different part code and serial number format on the label. At the bottom right of the label, '2-177-077-01' would be old style, 'CGA-4B101A' would be new style.

The old-style circuit board inside the battery has a 2048-bit serial EEPROM, organized as 16-bit data x 7-bit address: an S93C56, marked IC04. It is an 8-pin SOP with pin configuration 'GR'.
Code:
Pin assign of IC04
1  CS    Chip select, active high
2  SK    Serial data clock, DIN latched at positive edge, DOUT changes on positive edge
3  DIN   Serial data in
4  DOUT  Serial data out
5  GND   Ground
6  NC    Not connected
7  NC    Not connected
8  Vcc   Power (2.5V??)   

Code:
DIN/DOUT connection
 IC05(pull-up inside??) --- DIN(3pin) --- 10kohm(R21) -- DOUT(4pin) 


I looked into how this EEPROM is accessed while the battery is placed in the PSP, and found that this EEPROM is the storage for the serial number, which is accessed just before replying to the serial number request from the PSP. Word (16-bit) address 0x07 reads the lower half, MSB first; address 0x09 reads the upper half. The address values are somewhat weird but I have no idea why. I did not observe other address/data accesses during my brief analysis.

Next I peeled off the EEPROM and dumped it to confirm serial number is actually in it.



Modifying battery circuit board to make 'service mode battery'

I found another way which does not need special hardware. It can be done by modifying the circuit board inside the battery. There would be some risk, so I recommend this method for emergency use only. Rewriting the data responsible for the serial number inside the EEPROM is the best way.

The idea behind making a 'service mode battery' is to force the serial number to 0xffffffff. Since DIN/DOUT seem to be pulled up, all you need to do is cut DOUT. I lifted IC04 pin 4 from the circuit board and confirmed that the battery works as a 'service mode battery'. Note that the chip is always powered and the pins are hot, so be careful while doing attempts.

This method is just a hack and may brick the battery or cause malfunction, including overcharge, under specific conditions. The EEPROM holds other information, like total capacity, which would be read at some time.



Service mode is within 'software land'

I looked into the sceSyscon_driver functions and found an API to read/write the EEPROM inside the battery which stores the serial number. Both old-style and new-style batteries are supported by this.

sceSyscon_driver stub
Code:
   STUB_START   "sceSyscon_driver",0x00010000,0x00020005
   STUB_FUNC   0x1165C864,sceSyscon_driver_1165C864
   STUB_FUNC   0x68EF0BEF,sceSyscon_driver_68EF0BEF
   STUB_END



C prototype
Code:
// text 0x13 - write battery EEPROM
// addr:00..7f  data:0000..ffff
// return error code
u32 sceSyscon_driver_1165C864(u8 addr, u16 data);

// text 0x14 - read battery EEPROM
// addr:00..7f 
// return error code or data(0000xxxx)
//   0x802500b8 : battery not in place
u32 sceSyscon_driver_68EF0BEF(u8 addr);



Read EEPROM
Code:
// battery EEPROM : 16bit data x 7bit address
u16 eepromdump[0x80];

   // read entire EEPROM.  store it somewhere to backup.
   u32 address, data;
   for (address=0; address<0x80; address++) {
      data=sceSyscon_driver_68EF0BEF(address);
      if (data & 0xffff0000) fatalerror();   // upper half set means an error code, not data
      eepromdump[address]=data;               // data is in the lower 16 bits
   }
   writetofile(eepromdump);



Patch battery EEPROM
Code:
   // overwrite serial number to 0xffffffff to make service mode battery
   // serial number is stored at address 0x07 and address 0x09
   r=sceSyscon_driver_1165C864(0x07, 0xffff);   // lower 16bit
   if (r) fatalerror();
   r=sceSyscon_driver_1165C864(0x09, 0xffff);   // upper 16bit
   if (r) fatalerror();


Note that the battery EEPROM can also be read/written by direct hardware serial communication with the battery. Actually I used this method before I found the functions. Text 0x13 is for writing, text 0x14 is for reading the battery EEPROM. This will require some hardware though.



The box opened

Bit 4 of 0xbe240004 is affected by the special serial number 0xffffffff, and this is the trigger for service mode. I do not yet know how this works.

By this time I had worked out a method to bypass IPL block decryption/authentication and to run plaintext MIPS code, that is, the first 0xb0 bytes of the block. With the enormous efforts of the Prometheus members, Pandora is out now.

'Forging the IPL block' is another long story, which may be told sometime, somewhere.
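The framing nem describes above (start mark, size, type, data, BCC), the 0x0c serial-number rule and the bit 6 shutdown flag can be modelled on a host PC to validate captured frames before trusting what they say. The block below is an added example written for this page, not nem's code and not PSP firmware. It assumes the BCC is the single byte that makes the 8-bit sum of every octet from start mark to BCC equal 0xFF (this matches the first chosen-text reply in nem's table, which is embedded as a constructed sample), and, because the post does not give the byte order of the u32 serial, it recognises only the all-0x00 and all-0xFF special values, which read the same in either order.

```python
# Added example: host-side model of the PSP<->battery packet framing from
# nem's post, plus the serial-number and status-flag rules it describes.
# Not nem's code and not PSP firmware; runs on a PC over constructed bytes.
#
# Assumptions (not stated in the post): the BCC is the byte that makes
# sum(start mark .. bcc) & 0xFF == 0xFF; the serial field's byte order is
# unknown, so only the all-0x00 / all-0xFF special values are recognised.

START_PSP = 0x5A            # psp -> battery
START_BAT = 0xA5            # battery -> psp
TYPE_STATUS = 0x01
TYPE_SERIALNO = 0x0C
TYPE_NAK = 0x05
TYPE_ACK = 0x06
STATUS_SHUTDOWN_BIT = 0x40  # bit 6 of the first status byte: immediate shutdown


def bcc(octets: bytes) -> int:
    """Checksum byte chosen so that sum(start mark .. bcc) & 0xFF == 0xFF."""
    return (0xFF - sum(octets)) & 0xFF


def build_packet(start: int, ptype: int, data: bytes = b"") -> bytes:
    """Frame one packet; 'size' counts type + data + bcc (not start or size)."""
    if start not in (START_PSP, START_BAT):
        raise ValueError("bad start mark")
    size = 1 + len(data) + 1
    body = bytes([start, size, ptype]) + data
    return body + bytes([bcc(body)])


def parse_packet(frame: bytes) -> dict:
    """Validate framing and checksum; raise ValueError on anything malformed."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    start, size = frame[0], frame[1]
    if start not in (START_PSP, START_BAT):
        raise ValueError("bad start mark 0x%02x" % start)
    if len(frame) != 2 + size:
        raise ValueError("size %d does not match frame length %d" % (size, len(frame)))
    if (sum(frame) & 0xFF) != 0xFF:
        raise ValueError("BCC error")
    return {
        "direction": "psp->battery" if start == START_PSP else "battery->psp",
        "type": frame[2],
        "data": frame[3:-1],
    }


def classify_serial(data: bytes) -> str:
    """Meaning of the 4-byte serial carried in the reply to a 0x0c request."""
    if len(data) != 4:
        raise ValueError("serial reply must carry 4 bytes")
    if data == b"\x00" * 4:
        return "forced normal mode"
    if data == b"\xff" * 4:
        return "service mode"
    return "regular"


def status_requests_shutdown(data: bytes) -> bool:
    """True if a 0x01 reply's first data byte has bit 6 set (PSP shuts down)."""
    return bool(data) and (data[0] & STATUS_SHUTDOWN_BIT) != 0


def serial_from_eeprom(words: dict) -> int:
    """Assemble the u32 serial from EEPROM words: 0x07 = low half, 0x09 = high half."""
    return ((words[0x09] & 0xFFFF) << 16) | (words[0x07] & 0xFFFF)


# Constructed sample: the first chosen-text reply from the auth table in the post.
SAMPLE_AUTH_REPLY = bytes.fromhex(
    "A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71"
)


def demo() -> dict:
    """Round-trip a request, a forged-serial reply and the sample auth reply."""
    req = build_packet(START_PSP, TYPE_SERIALNO)                 # 5a 02 0c 97
    svc_reply = build_packet(START_BAT, TYPE_ACK, b"\xff" * 4)   # what a 'service mode battery' answers
    auth = parse_packet(SAMPLE_AUTH_REPLY)
    return {
        "request_hex": req.hex(),
        "service_serial": classify_serial(parse_packet(svc_reply)["data"]),
        "auth_type": auth["type"],
        "auth_data_len": len(auth["data"]),
        "patched_eeprom_serial": serial_from_eeprom({0x07: 0xFFFF, 0x09: 0xFFFF}),
    }


if __name__ == "__main__":
    print(demo())
```

`parse_packet` rejects a frame whose size field or checksum does not match, so a sniffer built on it will not silently accept a corrupted or truncated reply; the sample auth reply checks out under the 0xFF-sum rule, which is what gives that assumption some support.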
danzel (Joined: 04 Nov 2005, Posts: 182)
Posted: Thu Sep 06, 2007 7:02 am

Awesome stuff nem, always interesting to see the process :-)
I'm eagerly awaiting further stories down the IPL path.
Hellcat (Joined: 24 Jan 2007, Posts: 84)
Posted: Thu Sep 06, 2007 5:08 pm

danzel wrote:
I'm eagerly awaiting further stories down the IPL path.

Awesome read, indeed!

I'd have much interest in more IPL stories and info :)
memturbo (Joined: 11 Sep 2007, Posts: 2)
Posted: Tue Sep 11, 2007 11:50 pm

Could you tell us where to cut the DOUT? I can't seem to find it on the board.

Thanks
memturbo (Joined: 11 Sep 2007, Posts: 2)
Posted: Wed Sep 12, 2007 5:54 am

I found it and it worked great.
I used it on my 3.52 and downgraded just fine, thanks.
Kreationz (Joined: 18 May 2008, Posts: 54)
Posted: Sun May 18, 2008 11:07 am, subject: DOUT Pin on the small board

My battery is the type on the 2nd page. The one with chip 780102h. Where is the DOUT pin located for that style of board? I'm a noob where electronics are concerned, but all I need is chip and pin number and I can get it from there. My skills lie in programming. Any help is greatly appreciated.
Page 3 of 3. All times are GMT + 10 hours.