The (New) PSP Tech Docs – Article01

November 22nd, 2007 silverspring

This is just a first draft, to give you an idea of what these “tech docs” are going to be like. It’s on the PSP Boot Sequence.

And to quote before:

“It will be fairly technical but it is aimed at the general psp user and explained in a way that everyone can understand while at the same time trying to be as detailed as possible. Though I will assume that the reader has a general knowledge of terms like ‘Nand’, ‘IPL’, ‘Idstorage’, etc.

Hopefully, this will be useful for not only general users wanting to gain a better understanding of the PSP, but also devs looking for some detailed reference material.”

http://silverspring.lan.st/NPSPTD_01.txt

EDIT: First drafts of Articles 02 & 03 will be posted soon. Topics will be “2.60+ IPL Encryption” & “3.00+ Nand Encryption” respectively. Future articles I’m planning to write will include Idstorage Keys, the KIRK crypto engine, and that “other secret” crypto engine.

The PSP Slim could’ve been a gamer’s dream handheld…

November 16th, 2007 silverspring

Cracked a few very interesting nids the other day. More proof that the HDD wasn’t just a rumour.

  • 0xc68f1573 sceSysconCtrlGSensor
  • 0x3ab3aeef sceSysconReadGSensorReg
  • 0x07a0c260 sceSysconWriteGSensorReg
  • 0x72eda9af sceSysconGetGSensorVersion
  • 0x58531e69 sceSysconSetGSensorCallback

The G-Sensor is already used in Sony’s Vaio laptops and also their HDD-based Walkmans. To quote Sony:

The innovative G-Sensor system automatically and instantly reacts to changes in gravity and velocity by releasing the recording head. This helps protect the hard disk surface, preventing crashes and loss of data, ultimately improving long term reliability.

These new nids, along with the new HDD nids cracked just last week, provide pretty conclusive proof that the PSP Slim does in fact natively support a HDD.

  • 0x8b95c17f sceSysregAtahddIoEnable
  • 0xccf911c0 sceSysregAtahddIoDisable
  • 0xa23bc2c4 sceSysregAtahddResetEnable
  • 0xf5ea8570 sceSysregAtahddResetDisable
  • 0x8ce2f97a sceSysregAtahddClkSelect
  • 0xb59db832 sceSysregAtahddClkEnable
  • 0x9155812C sceSysregAtahddClkDisable
  • 0xe45bed6a sceSysregAtahddBusClockEnable
  • 0x681b35c4 sceSysregAtahddBusClockDisable
  • 0xa975f224 sceSysconCtrlHddPower
  • 0x051186F3 sceSysconGetHddPowerCtrl
  • 0xF9FDAFA5 sceSysconGetHddPowerStatus
  • 0x04EEFD03 sceSysconSetHddPowerCallback

This, along with the (also missing) Bluetooth features (sceSysconCtrlBtPower etc.), could’ve made the PSP Slim a very attractive handheld indeed. What you are left with instead is a slightly ‘slimmer’, ‘lighter’ model with very ordinary additions (TV out, USB charge, UMD cache, larger flash space etc).

So why did Sony decide in the end to skimp on these features? (I’m sure there are a few more features still hidden; there are still about 20 more syscon nids that haven’t been cracked yet.) Well, the two main factors are a) battery life (the slim battery is already at a lower capacity than the fat) and b) cost (the slim was released at the same price as the current fat).

So even though these are dream features to have on a PSP (and in fact they are still supported natively at the HW level; you’d just need to connect the HDD and write the drivers for it), could you justify the sacrifice in battery life and the increase in purchase price to have them?

Finally…

November 7th, 2007 silverspring

  • 0xb4560c45 sceSysregPllGetOutSelect
  • 0xdca57573 sceSysregPllSetOutSelect

I’ve been trying to crack these 2 nids for a while. They get/set the PLL index, which selects the multiplier applied to the base frequency to change the PLL freq (and thus the cpu & bus freq). The index is as follows:

C:
    /* PLL output ratio by index (0-15); SetOutSelect only accepts 0-5 */
    const float pll_table[0x10] =
    {
        1/9.0,    // 0.1…
        4/9.0,    // 0.4…
        4/7.0,    // 0.571428…
        6/9.0,    // 0.6…
        4/5.0,    // 0.8
        9/9.0,    // 1.0
        0.0,
        0.0,

        1/18.0,   // 0.05…
        4/18.0,   // 0.2…
        4/14.0,   // 0.285714…
        6/18.0,   // 0.3…
        4/10.0,   // 0.4
        9/18.0,   // 0.5
        0.0,
        0.0
    };

Although the index is from 0-15, sceSysregPllSetOutSelect limits it to 0-5 only. The default is 3 (i.e. 0.666666…). So the default PLL freq is (multiplier*BASE_FREQ) * pll_table[index] = 9*37 * 0.66666 = 222MHz. To set it to 333MHz just call sceSysregPllSetOutSelect(5) (which will also make the cpu freq 333MHz).
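As an added example (not from the post), here are the output clocks actually reachable through sceSysregPllSetOutSelect, worked out in integer kHz from the post’s own figures (9*37 MHz PLL input, the pll_table ratios for index 0-5) so no float rounding blurs the exact values; the reverse lookup is an assumed helper for picking an index, not a PSP API.

```c
/* Added example (not SilverSpring's code): the clocks actually reachable via
 * sceSysregPllSetOutSelect, in integer kHz to avoid float rounding. Uses the
 * post's figures: 9 * 37 MHz = 333 MHz PLL input and the pll_table ratios. */
#include <stdio.h>

#define PLL_IN_KHZ    (9 * 37 * 1000)   /* multiplier * BASE_FREQ, in kHz */
#define PLL_MAX_INDEX 5                 /* SetOutSelect accepts 0-5 only */

/* Ratios of the post's pll_table for the accepted indices, as fractions */
static const struct { int num, den; } pll_ratio[PLL_MAX_INDEX + 1] = {
    {1, 9}, {4, 9}, {4, 7}, {6, 9}, {4, 5}, {9, 9},
};

/* PLL/CPU output in kHz for an index; -1 if outside the accepted range */
long pll_out_khz(int index) {
    if (index < 0 || index > PLL_MAX_INDEX) return -1;
    return (long)PLL_IN_KHZ * pll_ratio[index].num / pll_ratio[index].den;
}

/* Lowest index whose output reaches target_khz, or -1 if none (assumed helper):
 * shows that e.g. 300 MHz is not a valid step, the next one up is 333 MHz. */
int pll_index_for_min_khz(long target_khz) {
    for (int i = 0; i <= PLL_MAX_INDEX; i++)
        if (pll_out_khz(i) >= target_khz) return i;
    return -1;
}

int main(void) {
    for (int i = 0; i <= PLL_MAX_INDEX; i++)
        printf("index %d -> %ld kHz%s\n", i, pll_out_khz(i), i == 3 ? " (default)" : "");
    return 0;
}
```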

EDIT: For completeness, here’s what I had originally written about it: http://lan.st/showthread.php?t=854

The (New) PSP Technical Docs

November 5th, 2007 silverspring

Because there is a general lack of detailed PSP System documentation available (YAPSPD is excellent and is the definitive PSP HW docs http://hitmen.c02.at/files/yapspd/psp_doc/frames.html, but unfortunately is no longer updated), I’ll be writing up some technical articles for the general public. Topics will vary but will generally be detailed low level information that isn’t publicly available anywhere else.

It will be fairly technical but it is aimed at the general psp user and explained in a way that everyone can understand while at the same time trying to be as detailed as possible. Though I will assume that the reader has a general knowledge of terms like ‘Nand’, ‘IPL’, ‘Idstorage’, etc.

Hopefully, this will be useful for not only general users wanting to gain a better understanding of the PSP, but also devs looking for some detailed reference material.

Idstorage Keys (0x0004-0x0008) – Generating hash

November 5th, 2007 silverspring

The idstorage area stores low level info on the PSP. Keys 4-8 are used for config data for various components (the battery, clock generator, LCD, etc.) and are in a different format to all the other keys.

Here is the code to generate the hash for these particular keys:

C:
    /*
    Idstorage Leaf Hash Gen Sample – SilverSpring 2007

    The idstorage area stores low level info on the PSP.
    Keys 4-8 are used for config data for various components
    (the battery, clock generator, LCD, etc.)
    and are in a different format to all the other keys.

    Specifically the format is as follows:

    typedef struct
    {
        u32 signature;
        int type;
        int datalen;
        u32 hash;
        u8 databuf[0x1F0];

    } SceIdStorageLeaf;

    Here’s the code to regenerate the hash for those keys.
    */

    #include <stdio.h>

    /* reflected CRC-32 polynomial */
    #define POLY (0xEDB88320)

    #define LEAF_0x0004_HASH    (0x1FAB01BB)    /* expected hash of the key 0x0004 data below */
    #define LEAF_DATA_SIZE  (0x1F0)

    unsigned int gen_hash(unsigned int seed, unsigned char buf[], int size);
    void gen_table(void);


    unsigned int table[256];


    unsigned char leaf_0x0004_data[LEAF_DATA_SIZE] =
    {
        0xD8, 0x00, 0x24, 0x00, 0x14, 0x31, 0x14, 0x00, 0x94, 0x01, 0x48, 0x00, 0xD8, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };


    int main()
    {
        unsigned int hash;

        gen_table();
        hash = gen_hash(0xFFFFFFFF, leaf_0x0004_data, LEAF_DATA_SIZE);

        if (hash != LEAF_0x0004_HASH)
            printf("error: hash not match \n");

        printf("leaf_0x0004 hash: 0x%08X\n", hash);

        return 0;
    }


    /* table-driven CRC over buf; the seed is inverted on entry and the result on exit */
    unsigned int gen_hash(unsigned int seed, unsigned char buf[], int size)
    {
        unsigned int hash = ~seed;
        unsigned char index;
        int i;

        for (i=0; i!=size; i++)
        {
            index = buf[i] ^ hash;    /* index is 8 bits wide, so only the low byte is kept */
            hash>>= 8;
            hash ^= table[index];
        }

        return(~hash);
    }

    /* build the 256-entry lookup table for POLY (reflected, shift-right form) */
    void gen_table(void)
    {
        unsigned int i, j, x;

        for (i=0; i<256; i++)
        {
            x = i;

            for (j=0; j<8; j++)
            {
                if (x & 1)
                    x = (x>>1) ^ POLY;
                else
                    x = (x>>1);
            }

            table[i] = x;
        }
    }

Note: this is a PC app (though you could run it on the PSP as well if you wanted).
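As an added example (not SilverSpring’s code), here is a parser that decodes a raw 0x200-byte leaf into the SceIdStorageLeaf layout from the sample above and verifies its hash field before the data is used, using a bitwise form of the same CRC variant as gen_hash(0xFFFFFFFF, …). It assumes little-endian fields and, as in the sample, a hash over the whole 0x1F0-byte databuf; leaf_build and the sample bytes are constructed for the demonstration, and the signature/type values it writes are placeholders.

```c
/* Added example (not SilverSpring's code): parse a raw 0x200-byte idstorage
 * leaf (keys 0x0004-0x0008) and check its hash with the same CRC variant as
 * the post's gen_hash(0xFFFFFFFF,...): reflected 0xEDB88320, init 0, result
 * inverted. Little-endian fields and a hash over all of databuf are assumed. */
#include <stdint.h>
#include <string.h>
#define LEAF_SIZE      0x200
#define LEAF_DATA_SIZE 0x1F0
#define POLY           0xEDB88320u

typedef struct {
    uint32_t signature;   /* not interpreted by the post, so not checked here */
    int32_t  type;
    int32_t  datalen;     /* bytes of databuf in use */
    uint32_t hash;        /* covers all LEAF_DATA_SIZE bytes of databuf */
    uint8_t  databuf[LEAF_DATA_SIZE];
} SceIdStorageLeaf;

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Bitwise form of the post's table-driven gen_hash(); identical result. */
uint32_t leaf_hash(const uint8_t *buf, size_t len) {
    uint32_t h = 0;                             /* == ~0xFFFFFFFF seed */
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        for (int b = 0; b < 8; b++) h = (h & 1) ? (h >> 1) ^ POLY : h >> 1;
    }
    return ~h;
}

/* Decode raw leaf bytes into *out; returns 1 only if datalen is sane and the hash matches. */
int leaf_parse_verify(const uint8_t raw[LEAF_SIZE], SceIdStorageLeaf *out) {
    out->signature = rd32(raw);
    out->type      = (int32_t)rd32(raw + 4);
    out->datalen   = (int32_t)rd32(raw + 8);
    out->hash      = rd32(raw + 12);
    memcpy(out->databuf, raw + 16, LEAF_DATA_SIZE);
    if (out->datalen < 0 || out->datalen > LEAF_DATA_SIZE) return 0;   /* bounds-check before use */
    return leaf_hash(out->databuf, LEAF_DATA_SIZE) == out->hash;
}

/* Build a leaf around constructed sample bytes; signature/type left 0 (placeholders). */
void leaf_build(uint8_t raw[LEAF_SIZE], const uint8_t *data, int32_t datalen) {
    memset(raw, 0, LEAF_SIZE);
    wr32(raw + 8, (uint32_t)datalen);
    memcpy(raw + 16, data, (size_t)datalen);
    wr32(raw + 12, leaf_hash(raw + 16, LEAF_DATA_SIZE));
}
```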