forums.ps2dev.org Homebrew PS2, PSP & PS3 Development Discussions
Author: groepaz (Joined: 01 Sep 2005, Posts: 305)

Author: jimparis (Joined: 10 Jun 2005, Posts: 1180, Location: Boston)
Posted: Wed Aug 29, 2007 1:04 pm

Of course the real secret is how the pre-IPL code was first dumped and how the custom MS IPL was signed, but I'm not sure of all the details at the moment :)  With moonlight's custom IPL example posted here though, you can dump the pre-IPL easily, and run unsigned code at IPL time.

Author: Art (Joined: 09 Nov 2005, Posts: 652)
Posted: Wed Aug 29, 2007 2:22 pm

So there IS a battery firmware serial matching that on the outside printed label?
Well, aren't I the moron. (see post above).
Art.

Author: nem (Joined: 13 Jan 2005, Posts: 73)
Posted: Thu Sep 06, 2007 1:10 am

A long time has passed since I appeared on the scene. Here is how I found the way to get into service mode. Pretty long. ;)

There was a rumor that the battery may be involved in service mode, so I first examined battery communication. The text below was written a long time ago and includes some obsolete descriptions.
 
 
 Battery communication reversed
 
 I used a microcontroller to sniff communications between PSP and battery.
 
 Electrical
 Not much investigated.
 One-wire time-divided bi-directional serial.
 
 
Data format and protocol
Asynchronous serial communication.  19200bps, NRZ, LSB-first, 8 bit data, even parity, 1 stop bit.
Always initiated by the PSP, and the battery replies.  A break signal is issued by the PSP at start-up of communication.  The packet format is the same in both directions.

Variable-sized packet, formatted as:
 
Code:
start mark     (1)    0x5a:psp->battery  0xa5:battery->psp
packet size    (1)    bytesize of packet excluding start mark and packet size
type           (1)    packet type
data           (*)    optional
bcc            (1)    sum of all octets in packet to be 0xFF, from start mark to bcc
 
 
 Packet type and meanings, reply format
 
Code:
type  description          data    reply from battery   remark
0x01  request status       none    unknown_flag:u8
                                   energyleft_mAh:u16
0x02  request temperature  none    temperature:u8       celsius degree, min/max value unknown
0x03  request voltage      none    voltage_mV:u16
0x04  request current      none    current_mA:short     positive if charging battery
0x07  request capacity     none    capacity_mAh:u16
0x09  request timeleft     none    timeleft_min:u16     XMB showing not this value
0x0c  request serialno     none    serialno:u32         suspected
0x80  request auth?        9byte   16byte               encrypted data/reply
0x81  request auth?        8byte   8byte                encrypted data/reply
 
Code:
type  description          data    remark
0x05  reply from battery   none    NAK, BCC error and so on??
0x06  reply from battery   *       ACK, with reply data
 
unknown_flag may be involved with in/out currents.  Note that the value is not consistent with this guess when the battery is fully charged, the PSP is powered off and DC is connected, so there would be other meanings.
Types 0x80/0x81 for battery authentication??
The first byte of data in a type 0x80 request is 0x00; the others are random-looking.
 
 
 Typical sequences
 When battery placed : 01, 0C, 80, 81, 01, 80, 81
 Every 30 seconds with DC in : 01, 80, 81
 Every 30 seconds without DC in : 01, 0C, 80, 81
 Cold start : 01, 07, 09, 02, 04, 03, 01
 
 
 Which to craft?
Possible candidates at this time:
 
 reply to type 01 : non-usual value
 reply to type 0C : some special region of value
 reply to type 80 : need to know about encryption
 reply to type 81 : need to know about encryption
 others : non-usual value
 
 
 
 Faking the communication
 
I added some circuitry to fake battery communication.  The original battery is needed because the authentication algorithm is unknown.  I interrupted the serial line and changed specific texts.  For some third-party unlicensed batteries, the algorithm would already be cracked by someone, or not ;).
 
 Authentication
Authentication is still unknown.  Here are some specimens of chosen-text requests.
 
Code:
Text 0x80 data part         : reply from battery
00 00 00 00 00 00 00 00 00 : A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71
00 00 00 00 00 00 00 00 01 : A5 12 06 A7 AA C2 5F E1 ED 17 3E 7E 4F 9B 7D D7 E1 6F 1A 87
00 00 00 00 00 00 00 00 02 : A5 12 06 F6 08 B1 51 5B 88 7D CF 86 C2 47 A7 1F 31 64 14 15
00 00 00 00 00 00 00 00 03 : A5 12 06 11 2C 35 79 D3 E8 6E A5 31 42 DB 00 A2 5E 00 9E 9D
00 00 00 00 00 00 00 00 04 : A5 12 06 C4 C8 8D FE B9 3E D3 3A 42 EA 8F 55 2E 0A F8 0F D8
00 00 00 00 00 00 00 00 05 : A5 12 06 90 A3 50 6D 67 71 3F B8 FB 49 E1 C6 BD B6 AD EC 8C
00 00 00 00 00 00 00 00 06 : A5 12 06 5A 57 BE 60 CD 95 07 83 01 6F 2D CA F0 10 05 80 9B
00 00 00 00 00 00 00 00 07 : A5 12 06 A4 A9 A6 6F 01 5D 91 A3 37 C0 8A 07 B1 93 4B 5B DC
00 00 00 00 00 00 00 00 08 : A5 12 06 18 F3 46 6E C6 3C D2 58 A5 D8 DE B0 CD AA F3 6C 76
00 00 00 00 00 00 00 00 09 : A5 12 06 75 C3 88 58 0C 23 C8 8B 2F 5A 46 EF C9 17 3D A8 25
00 00 00 00 00 00 00 00 0A : A5 12 06 BD 40 B2 CA 77 AA 15 14 35 09 D3 A3 FB 2C 39 98 D3
00 00 00 00 00 00 00 00 0B : A5 12 06 0B 51 80 3E 2F 0E 07 87 B2 6B 54 B4 2E BC 26 EC 3C
00 00 00 00 00 00 00 00 0C : A5 12 06 A9 7A A7 44 19 61 07 4F BD 86 A3 BD A3 57 86 E2 5F
00 00 00 00 00 00 00 00 0D : A5 12 06 3E 46 97 E2 4D DE 5C D0 2D 51 7A E6 01 27 E6 06 FC
00 00 00 00 00 00 00 00 0E : A5 12 06 9B DB 06 3D 89 56 89 99 AC E1 90 B5 61 E1 B5 90 2F
00 00 00 00 00 00 00 00 0F : A5 12 06 10 D1 2E FD 71 30 22 72 B0 57 18 A5 00 8C 27 21 69
 
 
 Emergency shutdown?
A reply from the battery to a 0x01 text whose first data byte has the 0x40 bit (bit 6) set will cause immediate shutdown of the PSP.  The bit would mean critical failure of the battery, or something like that, I guess.
 
 
 Special battery serial number to force behavior of PSP
Trying some faked texts, I found the way to service mode.
The serial number request is text type 0x0c, and the battery replies with text 0x06 carrying a 4-byte serial number.  Faking the serial number causes special behavior of the PSP.  At this time I needed hardware to rewrite the serial number reply text.
 
Code:
type  description          data    reply from battery
0x0c  request serialno     none    serialno:u32
 
 Serial number 0x00000000 will force PSP to power on with normal mode when placing the battery.
 Serial number 0xffffffff will force PSP to power on with service mode when placing the battery.
 
 
 
 Investigate circuit board inside the battery
 
There are at least two types of circuit board inside the PSP battery module.  I have not investigated the new-style battery module, which has a smaller circuit board.  Both have the same model number, PSP-110, but seem to have a different part code and serial number format on the label.  On the bottom right of the label, '2-177-077-01' would be old-style, 'CGA-4B101A' would be new-style.

The old-style circuit board within the battery has a 2048-bit serial EEPROM, organized as 16-bit data x 7-bit address: S93C56, indicated as IC04.  It is an 8-pin SOP with pin configuration 'GR'.
 
Code:
Pin assign of IC04
1  CS    Chip select, active high
2  SK    Serial data clock, DIN latched at positive edge, DOUT changes on positive edge
3  DIN   Serial data in
4  DOUT  Serial data out
5  GND   Ground
6  NC    Not connected
7  NC    Not connected
8  Vcc   Power (2.5V??)
 
Code:
DIN/DOUT connection
IC05(pull-up inside??) --- DIN(3pin) --- 10kohm(R21) -- DOUT(4pin)
 
I looked into how this EEPROM is accessed while placed in the PSP, and found that this EEPROM is the storage for the serial number, which is accessed just before replying to the serial number request from the PSP.  Word (16-bit) address 0x07 reads the lower half with MSB first, address 0x09 reads the upper half.  The address values are somewhat weird, but I have no idea about that.  I have not observed other address/data accesses during my brief analysis.
 
 Next I peeled off the EEPROM and dumped it to confirm serial number is actually in it.
 
 
 
 Modifying battery circuit board to make 'service mode battery'
 
I found another way which does not need special hardware.  It can be done by modifying the circuit board inside the battery.  There would be some risk, so I recommend this method for emergency use only.  Rewriting the data responsible for the serial number inside the EEPROM is the best way.

The idea to make a 'service mode battery' is to force the serial number to 0xffffffff.  Since DIN/DOUT seem to be pulled up, all you need to do is just cut DOUT.  I made IC04 pin 4 float from the circuit board and confirmed the battery works as a 'service mode battery'.  Note that the chip is always powered and the pins are hot; be careful while making attempts.

This method is just a hack and may cause battery brick or malfunction, including overcharge in specific conditions.  The EEPROM has other information like total capacity which would be read at some time.
 
 
 
 Service mode is within 'software land'
 
I looked into the sceSyscon_driver functions and found an API to read/write the EEPROM inside the battery which stores the serial number.  Both old-style and new-style batteries are supported by this.
 
 sceSyscon_driver stub
 
Code:
STUB_START   "sceSyscon_driver",0x00010000,0x00020005
STUB_FUNC   0x1165C864,sceSyscon_driver_1165C864
STUB_FUNC   0x68EF0BEF,sceSyscon_driver_68EF0BEF
STUB_END
 
 
 C prototype
 
Code:
// text 0x13 - write battery EEPROM
// addr:00..7f  data:0000..ffff
// return error code
u32 sceSyscon_driver_1165C864(u8 addr, u16 data);

// text 0x14 - read battery EEPROM
// addr:00..7f
// return error code or data(0000xxxx)
//   0x802500b8 : battery not in place
u32 sceSyscon_driver_68EF0BEF(u8 addr);
 
 
 Read EEPROM
 
Code:
// battery EEPROM : 16bit data x 7bit address
u16 eepromdump[0x80];

// read entire EEPROM.  store it somewhere to backup.
u32 address, data;
for (address=0; address<0x80; address++) {
    data=sceSyscon_driver_68EF0BEF(address);
    if (data & 0xffff0000) fatalerror();   // non-zero upper half is an error code, not EEPROM data
    eepromdump[address]=data;
}
writetofile(eepromdump);
 
 
 Patch battery EEPROM
 
Code:
// overwrite serial number to 0xffffffff to make service mode battery
// serial number is stored at address 0x07 and address 0x09
u32 r;
r=sceSyscon_driver_1165C864(0x07, 0xffff);   // lower 16bit
if (r) fatalerror();
r=sceSyscon_driver_1165C864(0x09, 0xffff);   // upper 16bit
if (r) fatalerror();
 
Note that the battery EEPROM can also be read/written by direct hardware serial communication with the battery.  Actually I used this method before I found the functions.  Text 0x13 is for writing, text 0x14 is for reading the battery EEPROM.  This will require some hardware though.
 
 
 
 The box opened
 
Bit 4 of 0xbe240004 is affected by the special serial number 0xffffffff, and this is the trigger to service mode.  I do not know yet how this works like this.

By this time I had made up a method to bypass IPL block decryption/authentication and run plaintext MIPS code, that is, the first 0xb0 bytes of the block.  With the enormous efforts of the Prometheus members, Pandora is out now.

'Forging IPL block' is another long story, which may be told sometime, somewhere.
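The packet framing and the serial-number check from nem's post above, worked through as an added C example (constructed here; not code from the post or from nem): bat_build frames a request or reply under the BCC rule (byte sum of the whole packet equals 0xff), bat_parse validates start mark, size and BCC, and bat_serial_mode classifies a serial-number ACK by the two special values the post lists. Function names are assumptions, and the wire byte order of the 4-byte serial is not given in the post, so little-endian is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not from the original post) of the PSP<->battery
 * packet framing: start mark, size, type, data, BCC. */
#define START_PSP 0x5a   /* psp -> battery */
#define START_BAT 0xa5   /* battery -> psp */
#define TYPE_ACK  0x06   /* battery ACK carrying reply data */

/* Frame a packet. size counts type+data+bcc; bcc makes the byte sum of the
 * whole packet 0xff (mod 256). Returns total length, or 0 if it does not fit. */
size_t bat_build(uint8_t start, uint8_t type, const uint8_t *data, size_t n,
                 uint8_t *out, size_t cap)
{
    size_t len = n + 4;
    if (len > cap || n + 2 > 0xff) return 0;
    out[0] = start; out[1] = (uint8_t)(n + 2); out[2] = type;
    if (n) memcpy(out + 3, data, n);
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < len; i++) sum += out[i];
    out[len - 1] = (uint8_t)(0xff - sum);
    return len;
}

/* Validate start mark, size and BCC. Returns the type and sets data/n, or -1. */
int bat_parse(const uint8_t *pkt, size_t len, const uint8_t **data, size_t *n)
{
    if (len < 4 || (pkt[0] != START_PSP && pkt[0] != START_BAT)) return -1;
    if ((size_t)pkt[1] + 2 != len) return -1;
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += pkt[i];
    if (sum != 0xff) return -1;          /* BCC mismatch: reject the packet */
    *data = pkt + 3; *n = len - 4;
    return pkt[2];
}

/* Classify the 4-byte serial in an ACK to a 0x0c request: 0 = forces normal
 * mode, 1 = forces service mode, 2 = ordinary serial, -1 = malformed reply.
 * Wire byte order is not given in the post; little-endian is assumed here. */
int bat_serial_mode(const uint8_t *pkt, size_t len, uint32_t *serial)
{
    const uint8_t *d; size_t n;
    if (bat_parse(pkt, len, &d, &n) != TYPE_ACK || n != 4) return -1;
    *serial = (uint32_t)d[0] | (uint32_t)d[1] << 8 |
              (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
    return *serial == 0x00000000u ? 0 : *serial == 0xffffffffu ? 1 : 2;
}
```

The first reply row of the 0x80 specimen table in the post (A5 12 06 31 ... 26 71) sums to 0xff and parses as a 0x06 ACK with 16 data bytes, which is a quick sanity check of the BCC rule against real captured data.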
Author: danzel (Joined: 04 Nov 2005, Posts: 182)
Posted: Thu Sep 06, 2007 7:02 am

Awesome stuff nem, always interesting to see the process :-) I'm eagerly awaiting further stories down the IPL path.

Author: Hellcat (Joined: 24 Jan 2007, Posts: 84)
Posted: Thu Sep 06, 2007 5:08 pm

danzel wrote:
> I'm eagerly awaiting further stories down the IPL path.

Awesome read, indeed!

I'd have much interest in more IPL stories and info :)

Author: memturbo (Joined: 11 Sep 2007, Posts: 2)
Posted: Tue Sep 11, 2007 11:50 pm

Could you tell us where to cut the DOUT? I can't seem to find it on the board.
Thanks

Author: memturbo (Joined: 11 Sep 2007, Posts: 2)
Posted: Wed Sep 12, 2007 5:54 am

I found it and it worked great; used it on my 3.52 and downgraded just fine. Thanks

Author: Kreationz (Joined: 18 May 2008, Posts: 54)
Posted: Sun May 18, 2008 11:07 am
Post subject: DOUT Pin on the small board

My battery is the type on the 2nd page. The one with chip 780102h. Where is the DOUT pin located for that style of board? I'm a noob where electronics are concerned, but all I need is chip and pin number and I can get it from there. My skills lie in programming. Any help is greatly appreciated.
