SCE’s Battery Emulator (strange NID)

February 23rd, 2008 silverspring

There is a very interesting import used in the 3.90 updater. From a prx called batemu_inst.prx there is a function used, batemu_inst_4E31BC31. The library name batemu_inst is short for Battery Emulator Install, and the nid is:

0x4E31BC31 sceUpdateBatteryEmulator

The function installs a battery emulator. Unfortunately, the prx seems to be used only on a devkit and doesn't appear anywhere in the retail updater itself, which is a shame: it would've been nice to see exactly what it does.

SBORPS Random Fact 02

February 21st, 2008 silverspring

All clocks used by the PSP hardware are derived from a single clock generator IC. It uses a single 27MHz input crystal (there are 2 other crystals, a 4MHz and a 32.768kHz, but those are purely for the syscon chip) and can output the following frequencies:
- 37MHz (Spread Spectrum Configurable, used for CPU/PLL freq)
- 48MHz (used for USB freq)
- 27MHz reference (used for video clock on slim)
- 22.5792MHz (used for Lepton clock)
- 22.5792/24.576MHz selectable (used for the Audio Codec IC, for audio freq 44.1kHz/48kHz)

The clockgen IC is accessible on the I2C bus at slave address 0xD2. It has 3 registers:
- Reg0: Vendor ID/Revision Code Register
- Reg1: Output Control Register
- Reg2: Spread Spectrum Control Register

Special Note:
TA-082/086 motherboards 'bricked' on 1.50 because the clock generator IC on those boards came from a different manufacturer and so had a different Vendor ID/Revision Code than the one on TA-079/081 boards. The 1.50 IPL doesn't recognise the new Vendor ID/Revision Code, so it freezes (which is what caused the 'brick').

The Spread Spectrum Control register is configured depending on the revision: the 1.50 IPL only recognises revisions 0x4 and 0x8 of that IC, while the new IC on TA-082 boards has a revision of 0xF. Interestingly, revision 0xF ICs are supported starting from 2.00, so in all likelihood TA-082/086 boards could be downgraded to as low as 2.00 without bricking. The TA-082/086 boards do NOT 'blacklist' firmwares lower than 2.50 as some people have stated. It was NOT designed to 'block out' the 1.50 firmware.

So how come the TA-082 downgraders work then? The configuration of the clock generator IC is based on parameters stored in idstorage key5 (the header is "Clkg", short for Clockgen). If key5 is corrupt, the configuration of the clock generator is simply skipped altogether (only the header needs to be modified for the key to appear invalid, i.e. if the header is not "Clkg" the key is considered corrupt).

So corrupt key5 -> clockgen config is skipped -> 1.50 IPL continues to run.
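To make that chain of checks concrete, here is an added C model of the IPL decision path as the post describes it (my own illustration, not SCE's code). The I2C address, register numbers, the recognised revisions per firmware and the "Clkg" header test come from the post; reading the revision from the low nibble of Reg0 and taking the spread-spectrum value from byte 4 of key5 are assumptions made purely for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Clock generator IC on the I2C bus (slave 0xD2) and its three registers, from the post. */
#define CLKG_I2C_ADDR       0xD2
#define CLKG_REG_VENDOR_REV 0   /* Vendor ID / Revision Code */
#define CLKG_REG_OUTPUT     1   /* Output Control */
#define CLKG_REG_SS_CTRL    2   /* Spread Spectrum Control */

typedef struct { uint8_t reg[3]; } clkgen_t;   /* simulated IC register file */

typedef enum {
    CLKG_CONFIGURED,   /* header valid, revision known: SS register written    */
    CLKG_SKIPPED,      /* key5 header corrupt: configuration bypassed entirely */
    CLKG_FREEZE        /* header valid, revision unknown: the 1.50 'brick'     */
} clkg_result_t;

/* key5 is treated as valid only if it starts with the "Clkg" header. */
static bool key5_is_valid(const uint8_t *key5)
{
    return memcmp(key5, "Clkg", 4) == 0;
}

/* Revisions an IPL can configure: 0x4/0x8 from 1.50 on, 0xF only from 2.00 on.
 * fw_ver is the firmware version times 100 (150 = 1.50, 200 = 2.00). */
static bool ipl_knows_revision(unsigned fw_ver, uint8_t rev)
{
    if (rev == 0x4 || rev == 0x8) return true;
    if (rev == 0xF) return fw_ver >= 200;
    return false;
}

/* Model of the IPL's clockgen initialisation step. */
clkg_result_t ipl_clkgen_init(unsigned fw_ver, const uint8_t *key5, clkgen_t *ic)
{
    if (!key5_is_valid(key5))
        return CLKG_SKIPPED;                           /* what the downgraders rely on */
    uint8_t rev = ic->reg[CLKG_REG_VENDOR_REV] & 0x0F; /* assumption: revision in low nibble */
    if (!ipl_knows_revision(fw_ver, rev))
        return CLKG_FREEZE;
    ic->reg[CLKG_REG_SS_CTRL] = key5[4];               /* assumption: SS setting at byte 4 */
    return CLKG_CONFIGURED;
}
```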

EDIT: added some extra info on 1.50 downgrader

SBORPS Random Fact 01

February 18th, 2008 silverspring

I figured because this blog was SilverSpring’s Bunch of Random PSP Stuff, it needs more…well…random PSP stuff.

SCE intentionally uses fake, misleading names to protect the most important part of their firmware (i.e. everything crypto related). The library and function names for their crypto modules are fake. Take for example a library they named "semaphore": that library is actually a direct interface to the KIRK crypto engine. Or the function "sceUtilsGetLoadModuleABLength" (not a false nid btw), which actually decrypts kernel prxs.