PSP [firmware] Dump [program]

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm
Contact:

PSP [firmware] Dump [program]

Post by nem »

** WARNING **

This software accesses to system memory and firmware, which may cause
SEVERE DAMAGE TO YOUR EQUIPMENT. There are some possibilities of
PERMANENT DESTRUCTION OF THE PSP. NO WARRANTY. USE AT YOUR OWN RISK!

** WARNING **

PSP Dump released. Only for PSP 1.00. Firmware files can be dumped by software.
This software is for browsing only. If you want to get the files, please do NOT ask me.
Write your own code to do so. It's fun. :)

Some note:
Only FAT organized area of on-board flash chip, system file volume and configuration file volume, can be browsed.
There is bootstrap area with equipment serial IDs in the flash chip, and the area is unreachable by this software.
Bootstrap code is different between PSP 1.50 and PSP 1.00. If you want to reflash 1.50 to 1.00, files obtained by
this method may not be enough. When you try reflash, I recommend to beware this difference.

http://anon.ug.to/sec/pspdump.html
Last edited by nem on Mon May 09, 2005 7:04 am, edited 1 time in total.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

nice work
User avatar
sq377
Posts: 87
Joined: Mon Apr 11, 2005 3:30 am

Post by sq377 »

when you say this may kill it, is that just saying im not responsible, or have you had it happen?
nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm
Contact:

Post by nem »

Not responsible.
So far I did not kill PSP by this software.
spz
Posts: 3
Joined: Tue Mar 29, 2005 2:41 am

Thank you

Post by spz »

Thanks again nem, you're the man!
I found your helloworld to be very interresting and useful as well, keep up the excellent work!
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

drive not ready ;-)
ichan
Posts: 7
Joined: Sun Apr 03, 2005 1:28 am

Post by ichan »

edited for noob-ness.
Last edited by ichan on Mon May 09, 2005 9:40 am, edited 1 time in total.
senas8
Posts: 56
Joined: Thu Feb 03, 2005 4:03 pm
Location: Romania/USA

Post by senas8 »

Nice Nem..very nice...
skippy911
Posts: 46
Joined: Fri May 06, 2005 10:20 am

Post by skippy911 »

Good stuff nem works great thanks.

File list of flash0 and flash1 note capital letters are directories:

flash0
->
DATA
DIC
FONT
KD
VSH

flash0\DATA\CERT
->
class1 pca g2 v2.cer
class1 pca g3v2.cer
class1 pca ss v4.cer
class2 pca g2 v2.cer
class2 pca g3v2.cer
class2 pca ss v4.cer
class3 pca g2 v2.cer
class3 pca g3v2.cer
class3 pca ss v4.cer
class4 pca g2 v2.cer
class4 pca g3v2.cer
rsa1024 v1.cer
rsa2048 v3.cer
rsa secureserver.cer
sce ca01.cer
sce ca02.cer
sce ca03.cer
sce ca04.cer
sce ca05.cer
verisign tsa ca.cer

flash0\DIC\
->
apotp.dic
atokp.dic
aux0.dic
aux1.dic
aux2.dic
aux3.dic

flash0\FONT\
->
jpn0.pgf
ltn0.pgf
ltn1.pgf
ltn10.pgf
ltn11.pgf
ltn12.pgf
ltn13.pgf
ltn14.pgf
ltn15.pgf
ltn2.pgf
ltn3.pgf
ltn4.pgf
ltn5.pgf
ltn6.pgf
ltn7.pgf
ltn8.pgf
ltn9.pgf

flash0\KD\
->
ata.prx
audio.prx
audiocodec.prx
blkdev.prx
chkreg.prx
clockgen.prx
codec.prx
ctrl.prx
display.prx
dmacman.prx
dmacplus.prx
emc ddr.prx
emc sm.prx
exceptionman.prx
fatmsmod.prx
ge.prx
gpio.prx
hpremote.prx
i2c.prx
idstorage.prx
ifhandle.prx
impose.prx
init.prx
interruptman.prx
iofilemgr.prx
isofs.prx
lcdc.prx
led.prx
lfatfs.prx
lflash fatfmt.prx
libatrac3plus.prx
libhttp.prx
libparse http.prx
libparse uri.prx
loadcore.prx
loadexec.prx
me for vsh.prx
me wrapper.prx
mebooter.prx
mebooter umdvideo.prx
mediaman.prx
mediasync.prx
memab.prx
memlmd.prx
mesg led.prx
mgr.prx
modulemgr.prx
mpeg vsh.prx
mpegbase.prx
msaudio.prx
mscm.prx
msstor.prx
openpsid.prx
pew.prx
power.prx
pspbtcnf.txt
pspbtcnf game.txt
pspbtcnf updater.txt
pspcnf tbl.txt
pspnet.prx
pspnet adhoc.prx
pspnet adhoc auth.prx
pspnet adhoc download.prx
pspnet adhoc matching.prx
pspnet adhocctl.prx
pspnet ap dialog dummy.prx
pspnet apctl.prx
pspnet inet.prx
pspnet resolver.prx
pwm.prx
reboot.prx
registry.prx
rtc.prx
semawm.prx
sircs.prx
stdio.prx
sysclib.prx
syscon.prx
sysmem.prx
sysmem uart4.prx
sysreg.prx
systimer.prx
threadman.prx
uart4.prx
umd9660.prx
umdman.prx
usb.prx
usbstor.prx
usbstorboot.prx
usbstormgr.prx
usbstorms.prx
usersystemlib.prx
utility.prx
utlis.prx
vaudio.prx
vaudio game.prx
videocodec.prx
vshbridge.prx
wlan.prx

flash0\vsh\etc\
->
index.dat
jis2ucs.bin
jis2ucs.cbin
ucs2jis.bin
ucs2jis.cbin
version.txt

flash0\vsh\module\
->
auth plugin.prx
chnnlsv.prx
common gui.prx
common util.prx
dialogmain.prx
game plugin.prx
heaparea1.prx
heaparea2.prx
impose plugin.prx
msgdialog plugin.prx
netconf plugin.prx
netplay client plugin.prx
netplay server utility.prx
opening plugin.prx
osk plugin.prx
paf.prx
pafmini.prx
photo plugin.prx
savedata auto dialog.prx
savedata plugin.prx
savedata utility.prx
sysconf plugin.prx
update plugin.prx
video plugin.prx
vshmain.prx

flash0\vsh\resource\
->
01.bmp
02.bmp
03.bmp
04.bmp
05.bmp
06.bmp
07.bmp
08.bmp
09.bmp
10.bmp
11.bmp
12.bmp
auth plugin.rco
game plugin.rco
gameboot.pmf
impose plugin.rco
msgdialog plugin.rco
msvideo plugin.rco
music plugin.rco
netconf dialog.rco
netplay plugin.rco
opening plugin.rco
osk plugin.rco
osk utility.rco
photo plugin.rco
savedata plugin.rco
savedata utility.rco
sysconf plugin.rco
system plugin.rco
system plugin bg.rco
system plugin fg.rco
topmenu plugin.rco
update plugin.rco
video plugin.rco
video plugin videotoolbar.rco

flash1
->
DIC
REGISTRY
VSH

flash1\DIC\
->
atokl0.dat

flash1\REGISTRY\
->
system.ireg
system.dreg

flash1\VSH\
->
THEME

flash1\VSH\THEME\
->
empty directory
Last edited by skippy911 on Mon May 09, 2005 9:19 am, edited 2 times in total.
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

all *.prx drivers/libraries/modules in the flash are encrypted except the sceVshMSDPlugin_Module
Vampire
Posts: 138
Joined: Tue Apr 12, 2005 8:16 am

Post by Vampire »

it's a pity that the font has only capital letters :-(
annerajb
Posts: 40
Joined: Thu Mar 31, 2005 6:16 am

Post by annerajb »

hey could you release the source code nem btw excelent work
PSP_killer
Posts: 16
Joined: Fri May 06, 2005 8:17 am

Post by PSP_killer »

wow nem you are the man. Thanx again
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

Aha, the information on the file list does give a bit of information about the encryption system: it uses certificates. Verisign is involved, a few Sony-specific certificates it seems, and a few others which seem to be self-signed by Sony. Anyone take a peek at these certificates and checked them out for anything interesting? Are they standard RSA/SSL type certificates (X509-style)?
zigzag
Posts: 129
Joined: Wed Jan 26, 2005 2:11 pm

Post by zigzag »

Yes, nem, source code please!
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

I really want to know , what is the total size of the file extracted?
is that around 8mb? as we know that sony reserve about 8mb space for the kenrel.

if that's smaller that 8mb , that mean sony still have room to add more application to the firmware , that's a good news

if that's bigger that 8mb , where are those files come from??haha~~
konfig
Posts: 68
Joined: Thu Jan 06, 2005 4:01 am

Post by konfig »

I guess the 8MB OS kernel(at least most of them, game related) is launched from the game disk other than the firmware.

This makes things easy when the low efficiency 8MB huge OS kernel becomes a burden for developers someday.
ModernRonin
Posts: 10
Joined: Sat May 07, 2005 5:19 pm
Location: Colorado
Contact:

Post by ModernRonin »

Hey nem, when you get some time, do you mind looking for symbols in the following files and tell us if you find anything interesting:

loadcore.prx
loadexec.prx
usbstorboot.prx

I'm particularly interested in knowing if "usbstorboot" means there's some way we can boot the PSP off a USB storage device...

Has anyone snooped the USB connection while the PSP is powering up?
Phour20
Posts: 26
Joined: Fri May 06, 2005 1:38 am

Post by Phour20 »

Konfig I think your onto something there.. might be the answer to this guys post..

http://forums.ps2dev.org/viewtopic.php?t=1629

so then the PSP might be reloading OS when the PSP splash screen shows.. only time you dont see it is when playing movie UMDs and the Sampler disc but that would be cuz its got what it needs right there.. That may also explain these "Firmware Update w/ Game" like GT4mobile is claimed to contain.. hmmm??
minddog
Posts: 4
Joined: Mon May 09, 2005 11:57 am
Contact:

Post by minddog »

My name's not nem, but as far as being able to see symbols in those files just isn't possible. Of course, this is based on information in a previous post on this thread. Only three files of all the prx's are not encrypted, these falling into the encrypted pool. Maybe nem has another way to scan the assemblies up his sleeve ;)
--
blargh!
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

konfig wrote:I guess the 8MB OS kernel(at least most of them, game related) is launched from the game disk other than the firmware.

This makes things easy when the low efficiency 8MB huge OS kernel becomes a burden for developers someday.
I think some misunderstanging about os kernel.
if os kernel is load from game disk , psp firmware should just include the bios (just like computer , only bios is load when boot up , you can load any kind of OS on the bios)

but now the case is , psp has it own OS , and game developer need to develop their game for this OS. (just like developing a application on windows , you need to call some kernel/core function to access the machine). And we dont know game developer can write their own function to access the machine without using the kernel function or not. (for example , you cant direct access the parallel port in windows xp bypassing the xp kernel , but you can do it at linux and windows 98)

and if the kernel is load from disk , the speed will very very slow (imagine the different between the speed you boot linux from cd and the speed you boot from harddisk)

anyway , those file from the firmware give us some hints about PSP programming , that's a good thing. thank all people working on dumping the firmware and disk
konfig
Posts: 68
Joined: Thu Jan 06, 2005 4:01 am

Post by konfig »

laichung wrote:
konfig wrote:I guess the 8MB OS kernel(at least most of them, game related) is launched from the game disk other than the firmware.

This makes things easy when the low efficiency 8MB huge OS kernel becomes a burden for developers someday.
I think some misunderstanging about os kernel.
if os kernel is load from game disk , psp firmware should just include the bios (just like computer , only bios is load when boot up , you can load any kind of OS on the bios)

but now the case is , psp has it own OS , and game developer need to develop their game for this OS. (just like developing a application on windows , you need to call some kernel/core function to access the machine). And we dont know game developer can write their own function to access the machine without using the kernel function or not. (for example , you cant direct access the parallel port in windows xp bypassing the xp kernel , but you can do it at linux and windows 98)

and if the kernel is load from disk , the speed will very very slow (imagine the different between the speed you boot linux from cd and the speed you boot from harddisk)

anyway , those file from the firmware give us some hints about PSP programming , that's a good thing. thank all people working on dumping the firmware and disk
With the firmware updated, some OS function may be unavailable for games. That's why game disk includes these files.

As for why psp firmware not only includes the bios, I think the XMB and the application embodied (such as video player, mp3 player) need the OS.

So the psp firmware may includes these parts:
1) BIOS(maybe not)
2) OS (for XMB and the embodied application, may be unavailable for games in the future)
3) the XMB and the embodied application(updated simultaneously with the OS)

As I know, there is some difference between PC OS and the PSP OS

1) PC OS like windows supports both multi-thread and multi-process. but as for the PSP OS, multii-process is not need. When you are playing a game, it seems impossible to be downloading something for the internet.

2) PSP game is not and should not always based on the PSP OS. Every PC has different hardwares(even using the same OS). So the software must based on OS because they don't know on what kind of hardware they will run. But as for console platforms, they always have the same hardwares, so it is no problem that games can be completely independent of OS. They can be directly based on BIOS, or even the bottom level hardware, it is much more efficient than based on the OS.

I think the meaning of PSP OS for games is just to provide some function library(most important, I/O library) to reduce the development cost. But at the same time, the 8MB OS core is of low efficiency, so further games should not use this OS anylonger.
laichung
Posts: 123
Joined: Fri May 06, 2005 2:02 pm

Post by laichung »

What you say just bring me another idea about those files, thanks.
What I'm thinking is , actually those library file can be excluded from the firmware(since they are not BIOS/Core library). why they are there because some applications(XMB , etc) need it.

so game developer must include the library in the UMD, because they dont know those library file already existed inside the firmware.

What sony said about "8mb OS kernel" may be somethings else.

Anyway , we still need times to discover it. work hard everone~~thanks

konfig wrote:
laichung wrote:
konfig wrote:I guess the 8MB OS kernel(at least most of them, game related) is launched from the game disk other than the firmware.

This makes things easy when the low efficiency 8MB huge OS kernel becomes a burden for developers someday.
I think some misunderstanging about os kernel.
if os kernel is load from game disk , psp firmware should just include the bios (just like computer , only bios is load when boot up , you can load any kind of OS on the bios)

but now the case is , psp has it own OS , and game developer need to develop their game for this OS. (just like developing a application on windows , you need to call some kernel/core function to access the machine). And we dont know game developer can write their own function to access the machine without using the kernel function or not. (for example , you cant direct access the parallel port in windows xp bypassing the xp kernel , but you can do it at linux and windows 98)

and if the kernel is load from disk , the speed will very very slow (imagine the different between the speed you boot linux from cd and the speed you boot from harddisk)

anyway , those file from the firmware give us some hints about PSP programming , that's a good thing. thank all people working on dumping the firmware and disk
With the firmware updated, some OS function may be unavailable for games. That's why game disk includes these files.

As for why psp firmware not only includes the bios, I think the XMB and the application embodied (such as video player, mp3 player) need the OS.

So the psp firmware may includes these parts:
1) BIOS(maybe not)
2) OS (for XMB and the embodied application, may be unavailable for games in the future)
3) the XMB and the embodied application(updated simultaneously with the OS)

As I know, there is some difference between PC OS and the PSP OS

1) PC OS like windows supports both multi-thread and multi-process. but as for the PSP OS, multii-process is not need. When you are playing a game, it seems impossible to be downloading something for the internet.

2) PSP game is not and should not always based on the PSP OS. Every PC has different hardwares(even using the same OS). So the software must based on OS because they don't know on what kind of hardware they will run. But as for console platforms, they always have the same hardwares, so it is no problem that games can be completely independent of OS. They can be directly based on BIOS, or even the bottom level hardware, it is much more efficient than based on the OS.

I think the meaning of PSP OS for games is just to provide some function library(most important, I/O library) to reduce the development cost. But at the same time, the 8MB OS core is of low efficiency, so further games should not use this OS anylonger.
nem
Posts: 73
Joined: Thu Jan 13, 2005 9:21 pm
Contact:

Post by nem »

Thanks all :)
Now I'm away from our Titan base and have limited access to resources. Narrow connection to the net also prevents me from even reading the forum. Things go too fast to catch up. :(

Source code.
I need some brush-ups of the code. Maybe later.


skippy911:
Thanks for your list. Good work! Can I add some info to your list?

Code: Select all

files in flash0:

flash0:\
       <DIR>  data                           
       <DIR>  dic                            
       <DIR>  font                           
       <DIR>  kd                             
       <DIR>  vsh                            
                                                                               
flash0&#58;\data\                                                        
       <DIR>  cert                           
                                                                               
flash0&#58;\data\cert\                                                   
        1122  Class1_PCA_G2_v2.cer           
        1508  Class1_PCA_G3v2.cer            
         854  Class1_PCA_ss_v4.cer           
        1126  Class2_PCA_G2_v2.cer           
        1504  Class2_PCA_G3v2.cer            
         848  Class2_PCA_ss_v4.cer           
        1122  Class3_PCA_G2_v2.cer           
        1508  Class3_PCA_G3v2.cer            
         848  Class3_PCA_ss_v4.cer           
        1122  Class4_PCA_G2_v2.cer           
        1508  Class4_PCA_G3v2.cer            
        1066  RSA1024_v1.cer                 
        1233  RSA2048_v3.cer                 
         840  RSA_SecureServer.cer           
        1387  SCE_CA01.cer                   
        1387  SCE_CA02.cer                   
        1387  SCE_CA03.cer                   
        1387  SCE_CA04.cer                   
        1387  SCE_CA05.cer                   
        1402  VeriSign_TSA_CA.cer            
                                                               
flash0&#58;\dic\                                         
     1346880  apotp.dic                      
      939166  atokp.dic                      
       14886  aux0.dic                       
        9647  aux1.dic                       
        4631  aux2.dic                       
       13172  aux3.dic                       
                                             
flash0&#58;\font\                         
     1679100  jpn0.pgf                       
      123896  ltn0.pgf                       
      113200  ltn1.pgf                       
       58256  ltn10.pgf                      
       55924  ltn11.pgf                      
       61816  ltn12.pgf                      
       58788  ltn13.pgf                      
       64100  ltn14.pgf                      
       59924  ltn15.pgf                      
      129652  ltn2.pgf                       
      115940  ltn3.pgf                       
      132536  ltn4.pgf                       
      121548  ltn5.pgf                       
      138472  ltn6.pgf                       
      124868  ltn7.pgf                       
       56512  ltn8.pgf                       
       54484  ltn9.pgf                       
                                             
flash0&#58;\kd\                           
       13232  ata.prx                        &#91;PSP&#93; sceATA_ATAPI_driver             
        9040  audio.prx                      &#91;PSP&#93; sceAudio_Driver                 
        3248  audiocodec.prx                 &#91;PSP&#93; sceAudiocodec_Driver            
        3712  blkdev.prx                     &#91;PSP&#93; sceBLK_driver                   
        3488  chkreg.prx                     &#91;PSP&#93; sceChkreg                       
        2416  clockgen.prx                   &#91;PSP&#93; sceClockgen_Driver              
        4096  codec.prx                      &#91;PSP&#93; sceWM8750_Driver                
        5600  ctrl.prx                       &#91;PSP&#93; sceController_Service           
        7248  display.prx                    &#91;PSP&#93; sceDisplay_Service              
        6032  dmacman.prx                    &#91;PSP&#93; sceDMAManager                   
        8768  dmacplus.prx                   &#91;PSP&#93; sceDMACPLUS_Driver              
        2384  emc_ddr.prx                    &#91;PSP&#93; sceDDR_Driver                   
        8080  emc_sm.prx                     &#91;PSP&#93; sceNAND_Driver                  
        3248  exceptionman.prx               &#91;PSP&#93; sceExceptionManager             
       71760  fatmsmod.prx                   &#91;PSP&#93; sceMSFAT_Driver                 
        8720  ge.prx                         &#91;PSP&#93; sceGE_Manager                   
        3184  gpio.prx                       &#91;PSP&#93; sceGPIO_Driver                  
        6800  hpremote.prx                   &#91;PSP&#93; sceHP_Remote_Driver             
        4368  i2c.prx                        &#91;PSP&#93; sceI2C_Driver                   
        7072  idstorage.prx                  &#91;PSP&#93; sceIdStorage_Service            
       10848  ifhandle.prx                   &#91;PSP&#93; sceNetIfhandle_Service          
       32480  impose.prx                     &#91;PSP&#93; sceImpose_Driver                
        7056  init.prx                       &#91;PSP&#93; sceInit                         
        9872  interruptman.prx               &#91;PSP&#93; sceInterruptManager             
       11520  iofilemgr.prx                  &#91;PSP&#93; sceIOFileManager                
       23520  isofs.prx                      &#91;PSP&#93; sceIsofs_driver                 
        3328  lcdc.prx                       &#91;PSP&#93; sceLCDC_Driver                  
        2448  led.prx                        &#91;PSP&#93; sceLED_Service                  
       37472  lfatfs.prx                     &#91;PSP&#93; sceLFatFs_Driver                
        6192  lflash_fatfmt.prx              &#91;PSP&#93; sceLflashFatfmt                 
       10192  libatrac3plus.prx              &#91;PSP&#93; sceATRAC3plus_Library           
       36896  libhttp.prx                    &#91;PSP&#93; SceHttp_Library                 
        3008  libparse_http.prx              &#91;PSP&#93; SceParseHTTPheader_Library      
        8112  libparse_uri.prx               &#91;PSP&#93; SceParseURI_Library             
       10928  libupdown.prx                  &#91;PSP&#93; SceUpdateDL_Library             
       41168  loadcore.prx                   &#91;PSP&#93; sceLoaderCore                   
        8016  loadexec.prx                   &#91;PSP&#93; sceLoadExec                     
        1040  me_for_vsh.prx                 &#91;PSP&#93; me_for_vsh                      
       13008  me_wrapper.prx                 &#91;PSP&#93; sceMeCodecWrapper               
      285856  mebooter.prx                   &#91;PSP&#93; sceMeBooter                     
      126448  mebooter_umdvideo.prx          &#91;PSP&#93; sceMeBooter                     
        8240  mediaman.prx                   &#91;PSP&#93; sceUmd_driver                   
        2816  mediasync.prx                  &#91;PSP&#93; sceMediaSync                    
       15216  memab.prx                      &#91;PSP&#93; sceMemab                        
        8800  memlmd.prx                     &#91;PSP&#93; sceMemlmd                       
       14128  mesg_led.prx                   &#91;PSP&#93; sceMesgLed                      
       20720  mgr.prx                        &#91;PSP&#93; sceMgr_Driver                   
       13824  modulemgr.prx                  &#91;PSP&#93; sceModuleManager                
       19664  mpeg_vsh.prx                   &#91;PSP&#93; sceMpeg_library                 
        4304  mpegbase.prx                   &#91;PSP&#93; sceMpegbase_Driver              
        8112  msaudio.prx                    &#91;PSP&#93; sceMsAudio_Service              
       16048  mscm.prx                       &#91;PSP&#93; sceMScm_Driver                  
       20352  msstor.prx                     &#91;PSP&#93; sceMSstor_Driver                
        3136  openpsid.prx                   &#91;PSP&#93; sceOpenPSID_Service             
        1728  peq.prx                        &#91;PSP&#93; scePEQ_Library_driver           
       12608  power.prx                      &#91;PSP&#93; scePower_Service                
        1584  pspbtcnf.txt                   &#91;PSP&#93;                                 
        1376  pspbtcnf_game.txt              &#91;PSP&#93;                                 
        1600  pspbtcnf_updater.txt           &#91;PSP&#93;                                 
         432  pspcnf_tbl.txt                 &#91;PSP&#93;                                 
       27472  pspnet.prx                     &#91;PSP&#93; sceNet_Library                  
       20080  pspnet_adhoc.prx               &#91;PSP&#93; sceNetAdhoc_Library             
       10832  pspnet_adhoc_auth.prx          &#91;PSP&#93; sceNetAdhocAuth_Service         
        7904  pspnet_adhoc_download.prx      &#91;PSP&#93; sceNetAdhocDownload_Library     
        9088  pspnet_adhoc_matching.prx      &#91;PSP&#93; sceNetAdhocMatching_Library     
       17968  pspnet_adhocctl.prx            &#91;PSP&#93; sceNetAdhocctl_Library          
        2608  pspnet_ap_dialog_dummy.prx     &#91;PSP&#93; sceNetApDialogDummy_Library     
       22784  pspnet_apctl.prx               &#91;PSP&#93; sceNetApctl_Library             
      130944  pspnet_inet.prx                &#91;PSP&#93; sceNetInet_Library              
        6880  pspnet_resolver.prx            &#91;PSP&#93; sceNetResolver_Library          
        1904  pwm.prx                        &#91;PSP&#93; scePWM_Driver                   
       53136  reboot.prx                     &#91;PSP&#93; sceReboot                       
       16896  registry.prx                   &#91;PSP&#93; sceRegistry_Service             
       11136  rtc.prx                        &#91;PSP&#93; sceRTC_Service                  
       34768  semawm.prx                     &#91;PSP&#93; sceSemawm                       
        6464  sircs.prx                      &#91;PSP&#93; sceSIRCS_IrDA_Driver            
        3744  stdio.prx                      &#91;PSP&#93; sceStdio                        
        6032  sysclib.prx                    &#91;PSP&#93; sceSysclib                      
        9936  syscon.prx                     &#91;PSP&#93; sceSYSCON_Driver                
       72304  sysmem.prx                     &#91;PSP&#93; sceSystemMemoryManager          
       27536  sysmem_uart4.prx               &#91;PSP&#93; sceSystemMemoryManager          
        5808  sysreg.prx                     &#91;PSP&#93; sceSYSREG_Driver                
        2736  systimer.prx                   &#91;PSP&#93; sceSystimer                     
       44512  threadman.prx                  &#91;PSP&#93; sceThreadManager                
        2288  uart4.prx                      &#91;PSP&#93; sceUart4                        
       17504  umd9660.prx                    &#91;PSP&#93; sceUmd9660_driver               
       34864  umdman.prx                     &#91;PSP&#93; sceUmdMan_driver                
       29248  usb.prx                        &#91;PSP&#93; sceUSB_Driver                   
        8656  usbstor.prx                    &#91;PSP&#93; sceUSB_Stor_Driver              
       13088  usbstorboot.prx                &#91;PSP&#93; sceUSB_Stor_Boot_Driver         
       10720  usbstormgr.prx                 &#91;PSP&#93; sceUSB_Stor_Mgr_Driver          
        9328  usbstorms.prx                  &#91;PSP&#93; sceUSB_Stor_Ms_Driver           
        1168  usersystemlib.prx              &#91;PSP&#93; sceKernelLibrary                
        9216  utility.prx                    &#91;PSP&#93; sceUtility_Driver               
       10272  utils.prx                      &#91;PSP&#93; sceKernelUtils                  
        2784  vaudio.prx                     &#91;PSP&#93; sceVaudio_driver                
        1088  vaudio_game.prx                &#91;PSP&#93; sceVaudio_driver                
        3824  videocodec.prx                 &#91;PSP&#93; sceVideocodec_Driver            
        2704  vshbridge.prx                  &#91;PSP&#93; sceVshBridge_Driver             
      114480  wlan.prx                       &#91;PSP&#93; sceWlan_Driver                  
                                                               
flash0&#58;\vsh\                                         
       <DIR>  etc                            
       <DIR>  module                         
       <DIR>  resource                       
                                                                               
flash0&#58;\vsh\etc\                                                     
         480  index.dat                      
      131072  jis2ucs.bin                    
       16182  jis2ucs.cbin                   
      131072  ucs2jis.bin                    
       33672  ucs2jis.cbin                   
         135  version.txt                    
                                                                               
flash0&#58;\vsh\module\                                                  
        5856  auth_plugin.prx                &#91;PSP&#93; auth_plugin_module              
        8464  chnnlsv.prx                    &#91;PSP&#93; sceChnnlsv                      
       16944  common_gui.prx                 &#91;PSP&#93; sceVshCommonGui_Module          
       15392  common_util.prx                &#91;PSP&#93; sceVshCommonUtil_Module         
       22784  dialogmain.prx                 &#91;PSP&#93; sceDialogmain_Module            
       33168  game_plugin.prx                &#91;PSP&#93; game_plugin_module              
        1952  heaparea1.prx                  &#91;PSP&#93; scePafHeaparea_Module           
        1952  heaparea2.prx                  &#91;PSP&#93; scePafHeaparea_Module           
        4256  impose_plugin.prx              &#91;PSP&#93; impose_plugin_module            
        8996  msgdialog_plugin.prx                 sceVshMSDPlugin_Module
      149184  msvideo_plugin.prx             &#91;PSP&#93; msvideo_plugin_module           
      204608  music_plugin.prx               &#91;PSP&#93; music_plugin_module             
       39744  netconf_plugin.prx             &#91;PSP&#93; sceVshNetconf_Module            
       16432  netplay_client_plugin.prx      &#91;PSP&#93; sceVshGSPlugin_Module           
       10592  netplay_server_utility.prx     &#91;PSP&#93; sceVshGSUtility_Module          
        4960  opening_plugin.prx             &#91;PSP&#93; opening_plugin_module           
       35520  osk_plugin.prx                 &#91;PSP&#93; sceVshOSK_Module                
      599072  paf.prx                        &#91;PSP&#93; scePaf_Module                   
      513184  pafmini.prx                    &#91;PSP&#93; scePaf_Module                   
       79056  photo_plugin.prx               &#91;PSP&#93; photo_plugin_module             
       60224  savedata_auto_dialog.prx       &#91;PSP&#93; sceVshSDAuto_Module             
       61344  savedata_plugin.prx            &#91;PSP&#93; sceVshSDPlugin_Module           
       59344  savedata_utility.prx           &#91;PSP&#93; sceVshSDUtility_Module          
       42464  sysconf_plugin.prx             &#91;PSP&#93; sysconf_plugin_module           
       15840  update_plugin.prx              &#91;PSP&#93; update_plugin_module            
      137936  video_plugin.prx               &#91;PSP&#93; video_plugin_module             
       67040  vshmain.prx                    &#91;PSP&#93; vsh_module                      
                                                                               
flash0&#58;\vsh\resource\                                                
        6176  01.bmp                         
        6176  02.bmp                         
        6176  03.bmp                         
        6176  04.bmp                         
        6176  05.bmp                         
        6176  06.bmp                         
        6176  07.bmp                         
        6176  08.bmp                         
        6176  09.bmp                         
        6176  10.bmp                         
        6176  11.bmp                         
        6176  12.bmp                         
        4556  auth_plugin.rco                
       57148  game_plugin.rco                
      200704  gameboot.pmf                   
       87828  impose_plugin.rco              
        7028  msgdialog_plugin.rco           
      158124  msvideo_plugin.rco             
      220976  music_plugin.rco               
       68552  netconf_dialog.rco             
       12560  netplay_plugin.rco             
      254480  opening_plugin.rco             
      318548  osk_plugin.rco                 
      121384  osk_utility.rco                
      182604  photo_plugin.rco               
       68328  savedata_plugin.rco            
       64428  savedata_utility.rco           
      151540  sysconf_plugin.rco             
       98136  system_plugin.rco              
       10776  system_plugin_bg.rco           
       45508  system_plugin_fg.rco           
      216320  topmenu_plugin.rco             
       14048  update_plugin.rco              
       26464  video_plugin.rco               
      115888  video_plugin_videotoolbar.rco  

NB&#58; 
&#91;PSP&#93; is ~PSP type encrypted file.  Right column is module name.
pspbtcnf*.txt seems to be boot configuration file for each mode.
nn.bmp is background image of XMB. it's 60x34 bitmap

Krevnik:
Certificates.
Lots of certificates in flash0:\data\cert\. They are ordinal base64 encoded certificate, not encrypted. Their role is still unknown.

Code: Select all

Type and publisher of certificates 
Class1_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class1_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class1_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class2_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class2_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class2_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class3_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class3_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class3_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class4_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class4_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
RSA1024_v1.cer          SHA1/RSA1024  ValiCert 
RSA2048_v3.cer          SHA1/RSA2048  RSA Security 
RSA_SecureServer.cer    MD2 /RSA1024  RSA Data Security 
SCE_CA01.cer            SHA1/RSA2048  SCEI 
SCE_CA02.cer            SHA1/RSA2048  SCEI 
SCE_CA03.cer            SHA1/RSA2048  SCEI 
SCE_CA04.cer            SHA1/RSA2048  SCEI 
SCE_CA05.cer            SHA1/RSA2048  SCEI 
VeriSign_TSA_CA.cer     SHA1/RSA1024  VeriSign, Time Stamping Authority 

laichung:
Total size of the files in flash0: is around 12MBytes. Where are those files come from? My obserbation/guess as follows:

- Memory chip on board contains 32MByte SDRAM and 32MByte FlashROM.
- 32MByte FlashROM consists of 1MByte bootstrap area and 31MByte disk storage area.
- Disk storage area have two partitions, 24MByte flash0: and 4MByte flash1:
- flash0: as system file volume, flash1: as configuration file volume

SONY says 32MByte SDRAM is divided to two parts, 8MByte kernel memory and 24MByte user memory.
User memory seems to be 0x08800000..0x09ffffff.

When system starts up, some files/modules are loaded to kernel memory, not all.
Pikoro
Posts: 56
Joined: Thu Jan 13, 2005 9:57 am

Post by Pikoro »

Code: Select all

13232  ata.prx                        &#91;PSP&#93; sceATA_ATAPI_driver   
Hmm.. possible umd drive removal / splice in a ribon cable or connector for a laptop harddrive? or a portable cd/dvd drive for that matter...

Interesting. Need to start checking pinouts...
pedroleite
Posts: 39
Joined: Sun Apr 10, 2005 8:31 am

Post by pedroleite »

I will regret asking for this...

But:

https://securitycenter.verisign.com/cel ... earchStart

Can anyone just check the serial number, or Name on certificate for those... and provide the information for the search...

A public certificate is public... somwhere...

At least knowing the dates issued and expired will reveal a game lifetime...

My games will expire? I can't let my great-great-great-granson's play Wipeout Pure?

:)

If those are regular certificates, and CA's, there should be some kind of signature or encoding...

One of those certificates will open a key somewhere, and allow decryption to occur...

One can't encrypt... but one can decrypt...

I couldn't find ASN.1 structures inside the EBOOT.PBP...

I will try a trick later, using the <script src=""> also... can't the browser be tricked by javascript, frames, or query, maybe pathinfo (/dir/file.cer/nowhere.txt) ?
skippy911
Posts: 46
Joined: Fri May 06, 2005 10:20 am

Post by skippy911 »

nem wrote: skippy911:
Thanks for your list. Good work! Can I add some info to your list?
Sure add anything you have :)
Krevnik
Posts: 71
Joined: Wed Mar 09, 2005 12:07 pm

Post by Krevnik »

nem wrote:Thanks all :) <...>

Krevnik:
Certificates.
Lots of certificates in flash0:\data\cert\. They are ordinal base64 encoded certificate, not encrypted. Their role is still unknown.


Allow me to shed some light then, based on some easy research by visiting the companies in question, and my own work dealing with CAs setting up my IMAP server. :)

Code: Select all

Class1_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class1_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class1_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class2_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class2_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class2_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class3_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class3_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
Class3_PCA_ss_v4.cer    MD2 /RSA1024  VeriSign 
Class4_PCA_G2_v2.cer    SHA1/RSA1024  VeriSign 
Class4_PCA_G3v2.cer     SHA1/RSA2048  VeriSign 
These are relating to 'Primary Certificate Authority' certificates from VeriSign. They have specific groups that monitor and certify Certificate Authorities, providing direct trust to CA certificates. These form the root of the trust network for signed code. Pretty much every Windows machine has these for use in Internet Explorer and the like.

Code: Select all

RSA1024_v1.cer          SHA1/RSA1024  ValiCert 
RSA2048_v3.cer          SHA1/RSA2048  RSA Security 
RSA_SecureServer.cer    MD2 /RSA1024  RSA Data Security 
These are related to the BSAFE technology RSA Security provides. They are likely used for the wireless communications, as BSAFE has wireless security software packages aimed at systems like ARM for things like SSL over WiFi (sound familiar?). I don't know if they are linked through Verisign's PCAs or form their own root. It would make more sense if they were signed by either Verisign's PCAs or by one of Sony's CAs.

Code: Select all

SCE_CA01.cer            SHA1/RSA2048  SCEI 
SCE_CA02.cer            SHA1/RSA2048  SCEI 
SCE_CA03.cer            SHA1/RSA2048  SCEI 
SCE_CA04.cer            SHA1/RSA2048  SCEI 
SCE_CA05.cer            SHA1/RSA2048  SCEI 
A series of certificates in Sony's control, very likely signed by the PCA certificates mentioned above. These are probably used to sign code certificates for developers, and those certificates are included with the games themselves. So code signatures are done by the developer, while encryption is done by Sony. The trust can still be verified by checking the signed game certificate, seeing that it belongs to SCE_CA0x, and then seeing /that/ belongs to Verisign, which is the root trust node.

Code: Select all

VeriSign_TSA_CA.cer     SHA1/RSA1024  VeriSign, Time Stamping Authority 
Says exactly what it is on the tin, used to time-stamp things in such a way that it cannot be spoofed. (i.e, Verisign encrypts the time stamp of a signing with their private key, allowing everyone to verify the time stamp, but nobody can make a different time stamp that can be verified correctly without VeriSign's key)

This as a whole is a trust tree, to setup a base list of trusted certificates for the PSP. Anything signed directly by the owners of these certificates, or using a key which has been signed by the owners of these certificates will be trusted. (I.E. can the certificate presented by the game/software to be run be verified as to be connected to these certificates?)

This is very grim news indeed, especially after seeing the size of those suckers. 1-2 kilobit is pretty strong with 2 kilobit being military-grade as of 1996-2000.

However, there is some good news in this, since Verisign is included in the trust tree. Once someone figures out how binaries are signed/encrypted, it might be possible to 'short-cut' Sony's signing process and go through Verisign to get something signed. However, we cannot be certain that Verisign will use the same keys to sign a homebrew certificate, or that Sony won't cut Verisign out of the trust tree at some point if they deem it as required action.

Not to mention that becoming a CA through Verisign locks out anyone without gobs of money and a reputation that Verisign says they will 'trust' (i.e. whomever pays Verisign gobs of money is trusted).
blackdroid
Posts: 564
Joined: Sat Jan 17, 2004 10:22 am
Location: Sweden
Contact:

Post by blackdroid »

for those that crave for sources, WTF go code yourselves you lazy bastards, you already have the hellopsp source to start with.
Kung VU
User avatar
sq377
Posts: 87
Joined: Mon Apr 11, 2005 3:30 am

Post by sq377 »

Out of curiosity, what does this do on a 1.5?
Post Reply