forums.ps2dev.org

Hiya, I don't do much PSP hacking anymore but I finally finished up my reverse of the sceNand-module and I figured out one more NID: eba0e6c6 = sceNandCountChipMakersBBM The only one remaining now is c29da136. I've reversed this function and what it does is mark a block as invalid (sets the block_st...

flash0 is formatted as 24MB and flash1 as 4MB, as far as I recall. Might have changed in later fws (especially 3.00 I'm guessing).

They are talking about the nand, not ms0 :)
Encrypted would be my uninformed guess too :)

I meant that the map might terminate each line with "\r\n" (common on windows) as opposed to just a '\n" (UNIX method). So that's two bytes instead of just one.

Make sure the map is not using CRLF. The size of the array suggests this (592 = 19 * 31 + 3).

Heh, that's funny! In my reversed source I accidentally called it sceNandWriteProtect, and above I mistakenly typed sceNandProtect! Sloppy me...I hope I didn't make more serious mistakes...

Um, what new nids? :)

I don't know if that's a dig, dot_blank :) but I admit that my use of datatypes could be better. When I start to reverse I usually put void* for pointers and u32 for integers in declarations, and only go back and fix to proper types when it seems necessary, after I've got the definitions worked out....

Here are most declarations for exported sceNand functions together with short explanations: /* Initializes the nand-module */ int sceNandInit(); /* Enables/disables write protection for the nand * protect = TRUE, write protect nand * protect = FALSE, enable writing to nand */ int sce...

Hello everyone, I do not own a TA-082 motherboard myself, but I was recently contacted by someone who wanted some help with reflashing a bricked TA-082 motherboard to 1.5. I naturally gave the advice that it wasn't possible, but it turns out that I was wrong. They managed to flash a 1.5 dump onto th...

Groepaz and Moonlight asked if I could provide some additional information regarding the PSP nand controller, and below I present some info on the nand hardware registers. The information is probably not 100% correct, obviously. I simply looked over my reversed source code and tried to dechipher the...

Oops, I had a closer look on my source, and I realize I'm missing pretty significant chunks of the callback routine that handles the hardware access. I'll have a look at the psp-doc and see if I can add something though. Moonlight: do you mean hardware register writing or just using the sceNandWrite...

Here's the relevant code from my reversed source :) s32 sceNandReadId&#40;void *buf, s32 len&#41; &#123; char *p = &#40;char *&#41;buf; int i; *&#40;u32 *&#41;0xbd101008 = 0x0000090; *&#40;u32 *&#41;0xbd10100c = 0x0000000; for &#40;i = 0; i < len; i++&#41;...

from what I understand PSP has hardware 128-AES Crypto and if I had to install F/W in a possibly compromised system vulnerable to monitoring I would like to use the hardware Crypto system and the keys passed to the hardware will have to change at least twice They are not using the cipher-hw for dec...

Intercepting a 333MHz DDR with strict latency/timing requirements is at least a little bit hard for this poor Usagi :)

Software wise, well, can we run code with kernel priviliges on 2.60+ yet?

Yes, as far as I know, dumping RAM after boot should be able to reveal prx keys. And it doesn't even need to be hardware based :)

I have had a look at the IPL for 2.70 and here's what I have found. TyRaNiD already revealed [1] that for 2.60+ IPL Sony added a new protection that is based on data that is gone by the time the PSP has booted. Here are some more details on that, but first a little recap (courtesy Nem [2] ): 1) On-c...

I don't need it, and I don't think those other guys do either. I would try to get it replaced/fixed and then be much more careful in future!

0x141 doesn't exist in my 1.5 either. Did you upgrade?

FreePlay: http://forums.ps2dev.org/viewtopic.php?t=3573

Fanjita wrote:More experiments later to try to find out just what pattern the API is trying to detect.

I don't know any details of the flaw in GTA but it would be stupid if the patch did something other than check the length of the input data that causes the overflow.

Maybe serial number/UMD/region identification. Reports say that switching motherboards has had the effect of disabling the UMD drive. The people laichung referred to earlier in this thread apparently flashed a Japanese 1.5 fw onto their Chinese 2.60 PSPs which also disabled the UMD drive. One part o...

Cool work Nem! I think the board could use a little more glue though ;)

I wanna get back into the hardware-side myself...

By the way, dot_blank and other interested parties, opcode 18 appears to be an integrity/signature check.

Hello everyone, Within the nand-flash there exists at least three distinct areas: * the ipl * the two fat filesystems flash0 and flash1 * the idstorage area The id-storage area begins at 0xc0000 and appears to be used to store low-level information. The id-storage area is an associative array and in...

Not much more than what I wrote. I have seen opcode 18 used to manipulate data taken from that nand area. That's about all I currently know...

Yes of course block-mapping must be considered. And yes the 6th byte of the spare area identifies an initial invalid block if it's different from 0xff. I would hope they write more intelligently than simply copy bit-for-bit. I would expect more disasterous results from bad blocks otherwise. However,...

sceNand is used by the lfat driver and I would assume the lfat driver is used to handle the "flash0", "flash1" devices, no? Something interesting to look into: patch sceNand to redirect read/writes from internal nand to ms :)

Did they rewrite the whole nand? I think some characteristics of the nand/psp might be stored in one place in the nand which means it might not be a good idea to blindly overwrite everything. According to Mathieulh, the official updater doesn't touch this area....

I too am getting ready to try my hand in some hardware funnies :) I've got my psp wired up and ready to go:



Now I just need to find the time and energy to finish my vhdl nand-interface...Which could be a while :(

Here is a program to read/write the IPL. I have not tested this for real as I cannot yet reflash the nand if something should go wrong, and I renounce any responsibility for the use of this progam. It is in fact very likely to brick the PSP... A couple of notes: the spare area of the IPL appears to ...