forums.ps2dev.org Homebrew PS2, PSP & PS3 Development Discussions
groepaz
Joined: 01 Sep 2005 Posts: 305
jimparis
Joined: 10 Jun 2005 Posts: 1179 Location: Boston
Posted: Wed Aug 29, 2007 1:04 pm
Of course the real secret is how the pre-IPL code was first dumped and how the custom MS IPL was signed, but I'm not sure of all the details at the moment :) With moonlight's custom IPL example posted here though, you can dump the pre-IPL easily, and run unsigned code at IPL time.
Art
Joined: 09 Nov 2005 Posts: 647
Posted: Wed Aug 29, 2007 2:22 pm
So there IS a battery firmware serial matching that on the outside printed label?
Well aren't I the moron. (see post above).
Art.
nem
Joined: 13 Jan 2005 Posts: 73
Posted: Thu Sep 06, 2007 1:10 am
A long time has passed since I appeared on the scene.
Here is how I found the way into service mode. Pretty long. ;)
There was a rumor that the battery may be involved in service mode, so firstly I examined battery communication. The text below was written a long time ago and includes some obsolete descriptions.
Battery communication reversed
I used a microcontroller to sniff communications between PSP and battery.
Electrical
Not much investigated.
One-wire time-divided bi-directional serial.
Data format and protocol
Asynchronous serial communication. 19200bps, NRZ, LSB-first, 8 bit data, even parity, 1 stop bit.
Always initiated by PSP and the battery replies. A break signal is issued by PSP as start-up of communication. Packet format is the same in both directions.
Variable sized packet formatted as:
Code:
start mark  (1)  0x5a: psp->battery, 0xa5: battery->psp
packet size (1)  byte size of packet excluding start mark and packet size
type        (1)  packet type
data        (*)  optional
bcc         (1)  sum of all octets in packet to be 0xFF, from start mark to bcc
Packet type and meanings, reply format
Code:
type  description          data    reply from battery   remark
0x01  request status       none    unknown_flag:u8
                                   energyleft_mAh:u16
0x02  request temperature  none    temperature:u8       Celsius degrees, min/max value unknown
0x03  request voltage      none    voltage_mV:u16
0x04  request current      none    current_mA:short     positive if charging battery
0x07  request capacity     none    capacity_mAh:u16
0x09  request timeleft     none    timeleft_min:u16     XMB does not show this value
0x0c  request serialno     none    serialno:u32         suspected
0x80  request auth?        9 byte  16 byte              encrypted data/reply
0x81  request auth?        8 byte  8 byte               encrypted data/reply
Code:
type  description         data  remark
0x05  reply from battery  none  NAK, BCC error and so on??
0x06  reply from battery  *     ACK, with reply data
unknown_flag may involve in/out currents. Note that the value is not consistent with this guess when the battery is fully charged, PSP powered off and DC connected, so there would be other meanings.
Type 0x80/0x81 for battery authentication??
The first byte of data of a type 0x80 request is 0x00, the others are random-looking.
Typical sequences
When battery placed : 01, 0C, 80, 81, 01, 80, 81
Every 30 seconds with DC in : 01, 80, 81
Every 30 seconds without DC in : 01, 0C, 80, 81
Cold start : 01, 07, 09, 02, 04, 03, 01
Which to craft?
Possible candidate at this time:
reply to type 01 : non-usual value
reply to type 0C : some special region of value
reply to type 80 : need to know about encryption
reply to type 81 : need to know about encryption
others : non-usual value
Faking the communication
Added some circuit to fake battery communication. The original battery is needed because the authentication algorithm is unknown. I interrupted the serial line and changed specific text. For some third parties making unlicensed batteries, the algorithm would already be cracked by someone, or not ;).
Authentication
Authentication is still unknown. Here are some specimens of chosen-text requests.
Code:
Text 0x80 data part          : reply from battery
00 00 00 00 00 00 00 00 00 : A5 12 06 31 A9 81 78 95 41 0C 63 4A 0F 0D B4 30 99 B0 26 71
00 00 00 00 00 00 00 00 01 : A5 12 06 A7 AA C2 5F E1 ED 17 3E 7E 4F 9B 7D D7 E1 6F 1A 87
00 00 00 00 00 00 00 00 02 : A5 12 06 F6 08 B1 51 5B 88 7D CF 86 C2 47 A7 1F 31 64 14 15
00 00 00 00 00 00 00 00 03 : A5 12 06 11 2C 35 79 D3 E8 6E A5 31 42 DB 00 A2 5E 00 9E 9D
00 00 00 00 00 00 00 00 04 : A5 12 06 C4 C8 8D FE B9 3E D3 3A 42 EA 8F 55 2E 0A F8 0F D8
00 00 00 00 00 00 00 00 05 : A5 12 06 90 A3 50 6D 67 71 3F B8 FB 49 E1 C6 BD B6 AD EC 8C
00 00 00 00 00 00 00 00 06 : A5 12 06 5A 57 BE 60 CD 95 07 83 01 6F 2D CA F0 10 05 80 9B
00 00 00 00 00 00 00 00 07 : A5 12 06 A4 A9 A6 6F 01 5D 91 A3 37 C0 8A 07 B1 93 4B 5B DC
00 00 00 00 00 00 00 00 08 : A5 12 06 18 F3 46 6E C6 3C D2 58 A5 D8 DE B0 CD AA F3 6C 76
00 00 00 00 00 00 00 00 09 : A5 12 06 75 C3 88 58 0C 23 C8 8B 2F 5A 46 EF C9 17 3D A8 25
00 00 00 00 00 00 00 00 0A : A5 12 06 BD 40 B2 CA 77 AA 15 14 35 09 D3 A3 FB 2C 39 98 D3
00 00 00 00 00 00 00 00 0B : A5 12 06 0B 51 80 3E 2F 0E 07 87 B2 6B 54 B4 2E BC 26 EC 3C
00 00 00 00 00 00 00 00 0C : A5 12 06 A9 7A A7 44 19 61 07 4F BD 86 A3 BD A3 57 86 E2 5F
00 00 00 00 00 00 00 00 0D : A5 12 06 3E 46 97 E2 4D DE 5C D0 2D 51 7A E6 01 27 E6 06 FC
00 00 00 00 00 00 00 00 0E : A5 12 06 9B DB 06 3D 89 56 89 99 AC E1 90 B5 61 E1 B5 90 2F
00 00 00 00 00 00 00 00 0F : A5 12 06 10 D1 2E FD 71 30 22 72 B0 57 18 A5 00 8C 27 21 69
Emergency shutdown?
A reply from the battery to a 0x01 text with the first byte of the data part having the 0x40 bit (bit 6) set will cause immediate shutdown of the PSP. The bit would mean critical failure of the battery, or something like that I guess.
Special battery serial number to force behavior of PSP
Trying some faked text, I found the way to service mode.
The serial number request is text type 0x0c and the battery replies with text 0x06 carrying a 4 byte serial number. Faking the serial number causes special behavior of the PSP. At this time I needed hardware to rewrite the serial number reply text.
Code:
type  description       data  reply from battery
0x0c  request serialno  none  serialno:u32
Serial number 0x00000000 will force the PSP to power on in normal mode when placing the battery.
Serial number 0xffffffff will force the PSP to power on in service mode when placing the battery.
Investigate circuit board inside the battery
There are at least two types of circuit board inside the PSP battery module. I have not investigated the new-style battery module which has a smaller circuit board. Both have the same model number, PSP-110, but seem to have a different part code and serial number format on the label. On the bottom right of the label, '2-177-077-01' would be old style, 'CGA-4B101A' would be new style.
The old-style circuit board within the battery has a 2048-bit serial EEPROM, organized as 16-bit data x 7-bit address. S93C56, indicated as IC04. It is an 8 pin SOP with pin configuration 'GR'.
Code:
Pin assign of IC04
1  CS    Chip select, active high
2  SK    Serial data clock, DIN latched at positive edge, DOUT changes on positive edge
3  DIN   Serial data in
4  DOUT  Serial data out
5  GND   Ground
6  NC    Not connected
7  NC    Not connected
8  Vcc   Power (2.5V??)
Code:
DIN/DOUT connection
IC05(pull-up inside??) --- DIN(3pin) --- 10kohm(R21) -- DOUT(4pin)
I looked into how this EEPROM is accessed while placed in the PSP, and found this EEPROM is the storage of the serial number, which is accessed just before replying to the serial number request from the PSP. Word (16-bit) address 0x07 reads the lower half with MSB first, address 0x09 reads the upper half. The address values are somewhat weird but I have no idea about that. I have not observed other address/data accesses during my brief analysis.
Next I peeled off the EEPROM and dumped it to confirm the serial number is actually in it.
Modifying battery circuit board to make 'service mode battery'
I found another way which does not need special hardware. It can be done by modifying the circuit board inside the battery. There would be some risk, so I recommend this method for emergency use only. Rewriting the data responsible for the serial number inside the EEPROM is the best way.
The idea to make a 'service mode battery' is to force the serial number to 0xffffffff. Since DIN/DOUT seem to be pulled up, all you need to do is just cut DOUT. I made IC04 pin 4 float from the circuit board and confirmed the battery works as a 'service mode battery'. Note that the chip is always powered and the pins are hot, so be careful while doing attempts.
This method is just a hack and may cause battery brick or malfunction including overcharge in specific conditions. The EEPROM has other information like total capacity which would be read at some time.
Service mode is within 'software land'
I looked into sceSyscon_driver functions and found an API to read/write the EEPROM inside the battery which stores the serial number. Both old-style and new-style batteries are supported by this.
sceSyscon_driver stub
Code:
STUB_START "sceSyscon_driver",0x00010000,0x00020005
STUB_FUNC 0x1165C864,sceSyscon_driver_1165C864
STUB_FUNC 0x68EF0BEF,sceSyscon_driver_68EF0BEF
STUB_END
C prototype
Code:
#include <psptypes.h>   // u8/u16/u32 from the PSPSDK

// text 0x13 - write battery EEPROM
// addr:00..7f data:0000..ffff
// return error code
u32 sceSyscon_driver_1165C864(u8 addr, u16 data);
// text 0x14 - read battery EEPROM
// addr:00..7f
// return error code or data(0000xxxx)
// 0x802500b8 : battery not in place
u32 sceSyscon_driver_68EF0BEF(u8 addr);
Read EEPROM
Code:
// battery EEPROM : 16bit data x 7bit address
u16 eepromdump[0x80];
// read entire EEPROM. store it somewhere to backup.
u32 address, data;
for (address = 0; address < 0x80; address++) {
    data = sceSyscon_driver_68EF0BEF(address);
    // upper 16 bits set means an error code, not data
    if (data & 0xffff0000) fatalerror();
    eepromdump[address] = (u16)data;
}
writetofile(eepromdump);
Patch battery EEPROM
Code:
// overwrite serial number to 0xffffffff to make service mode battery
// serial number is stored at address 0x07 and address 0x09
u32 r;
r = sceSyscon_driver_1165C864(0x07, 0xffff); // lower 16bit
if (r) fatalerror();
r = sceSyscon_driver_1165C864(0x09, 0xffff); // upper 16bit
if (r) fatalerror();
Note that battery EEPROM can also be read/written by hardware direct serial communication to battery. Actually I used this method before I found the functions. Text 0x13 is for writing, text 0x14 is for reading battery EEPROM. This will require some hardware though.
The box opened
Bit 4 of 0xbe240004 is affected by the special serial number 0xffffffff, and this is the trigger to service mode. I do not know yet how this works.
By this time I had made up a method to bypass IPL block decryption/authentication and to run plaintext MIPS code, that is the first 0xb0 bytes of the block. With enormous efforts of the Prometheus members, Pandora is out now.
'Forging IPL block' is another long story, may be told sometime somewhere.
danzel
Joined: 04 Nov 2005 Posts: 182
Posted: Thu Sep 06, 2007 7:02 am
Awesome stuff nem, always interesting to see the process :-)
I'm eagerly awaiting further stories down the IPL path.
Hellcat
Joined: 24 Jan 2007 Posts: 84
Posted: Thu Sep 06, 2007 5:08 pm
danzel wrote:
    I'm eagerly awaiting further stories down the IPL path.
Awesome read, indeed!
I'd have much interest in more IPL stories and info :)
memturbo
Joined: 11 Sep 2007 Posts: 2
Posted: Tue Sep 11, 2007 11:50 pm
Could you tell us where to cut the DOUT? I can't seem to find it on the board.
Thanks
memturbo
Joined: 11 Sep 2007 Posts: 2
Posted: Wed Sep 12, 2007 5:54 am
I found it and it worked great.
Used it on my 3.52 and downgraded just fine, thanks.
Kreationz
Joined: 18 May 2008 Posts: 53
Posted: Sun May 18, 2008 11:07 am Post subject: DOUT Pin on the small board
My battery is the type on the 2nd page. The one with chip 780102h. Where is the DOUT pin located for that style of board? I'm a noob where electronics are concerned, but all I need is chip and pin number and I can get it from there. My skills lie in programming. Any help is greatly appreciated.