Extracting the Firmware Electronically

[apsd]

][eBerg, DarkFader, br33zy (me), and others (sorry if I didn't mention) had a disucssion in the #pspdev channel on an approach to electronically extract the firmware, and this is pretty much the sum of it:

* Sony took the Mips R4000 microprocessor (or one from the series), developed and packaged it into their own microcontroller, with 4MB DRAM *embedded*. This is where the firmware is stored (we assume). The model number of this chip is CXD2962GG.
( http://www.chipworks.com/WebReports/Sho ... ortID=2362 )

* I assume the firmware is stored raw in the 4MB embedded DRAM.

* The R4000 series microprocessors have a JTAG interface.
psphacks has the manual for the microprocessor for download.

* If the pin layout of the Sony uC is revealed, a JTAG probe could be hooked up and data could be written/read/etc.

* The slightly bigger chip near the uC is labeled "CXD1876", ][eBerg assumed this was the graphics chip.

* The chips are in a fugly package (BGA?).

The model numbers were taken from the disassembly pics which can be found at liksang, here: http://www.google.com/translate?u=http% ... en&ie=UTF8 , and other places.

* It was definitely smart of Sony to develop their own microcontroller based on the R4000 [series] with embedded storage for the firmware.

Please feel free to correct, speculate, discuss, etc. this information.

[ooPo]

Stored in DRAM? Not likely.

How about the samsung chip in there with the 32MB ram & 32MB flash?

This has already been discussed on these forums, as well.

( http://forums.ps2dev.org/viewtopic.php?t=935 )

[apsd]

Hmm, that's a good point ooPo...

I didn't know it was both 32mb SDRAM and flash.

Then what's the purpose of the DRAM? A loader to the main firmware?

Or maybe there is code on it that can flash the flash half of the samsung chip?

[ooPo]

Why not read about what DRAM is?

http://en.wikipedia.org/wiki/DRAM

DRAM is a type of random access memory that stores each bit of data in a separate capacitor. The number of electrons stored in the capacitor determines whether the bit is considered 1 or 0. As the capacitor leaks electrons, the information gets lost eventually, unless the charge is refreshed periodically. Because it must be refreshed periodically, it is a dynamic memory as opposed to SRAM and other static memory. Also, since DRAM loses its data when the power supply is removed, it is in the class of volatile memory devices. DRAM is also in the class of solid-state memory.

Basically, its just ram.

[apsd]

My question was what could be stored on it?

Just generic OS memory?

[ooPo]

Nothing is actually stored in it as it would be cleared when the PSP is powered off.

[Guest]

The firmware/OS routines are stored in the 32MB flash.

The system/OS operates from the 32MB sdram.

Standard embedded system environment here.

[apsd]

Yeah, that all makes more sense...

I guess I never understood DRAM from the start. :-)

[Guest]

Yeah, that all makes more sense...

I guess I never understood DRAM from the start. :-)

Think of your PC as an analogy...

You got (hopefully) 512MB memory in there right ? Thats RAM. It might be SDRAM, DDR, RDRAM, or whatever technology, but its ram.

The OS uses that RAM to operate.

Your PC also has a BIOS and a hard drive. The BIOS is normally stored on a flash, it configures the system using a minimal operating system (normally referred to as an "embedded" operating system) that ultimately boots the real OS (linux or windows) from harddrive or possibly cdrom.

The key departure here for the PSP is that its entire OS is contained within the flash rom. It only loads application softwares or multi-media files from UMD or memstick.

Just like you can update your flash BIOS on the PC mainboard, or reload your windows OS on the hard drive, the PSP has the capability to replace its OS on its own internal flash.

[apsd]

Right gorim, I understand.

What is the difficulty in extracting the flash?

I understand that the package for the memory is a pain in the ass, but I'm sure it could be eventually desoldered, or even accessed while onboard.

Is there any additional known documentation on the memory chip apart from the link on the other post ooPo mentioned?

[mrbrown]

Where did you get 4MB DRAM from anyway?

[andy0482]

edit

[apsd]

andy is probably right, it would make sense for the 4mb to be simply cache.

andy0482, see hte link that ooPo posted:
http://forums.ps2dev.org/viewtopic.php?t=935
The samsung chip that holds the 32mb SDRAM also happens to hold 32mb flash ... just all on one chip.

MrBrown, http://www.chipworks.com/WebReports/Sho ... ortID=2362 ... There it is said that the chip has built in DRAM, and by specifications the PSP is supposed to have 4mb of it.

[Guest]

That 4MB of embedded DRAM could be the video framebuffer ?

It would make sense, the display should not require a larger framebuffer.

I don't think it would be CPU cache... 4MB of cache would is unheard of outside high-end server CPU's due to the huge expense (and space) of static ram. If there was 4MB of CPU cache would make the cost of the one chip alone be in the hundreds of dollars.

Of course, there could be some other kinds of cheaper "on-chip caches" (the PS2 has a 16Kb scratch-pad "cache") but this wouldn't be the same thing as processor L1/2/3 caches, and it would be surprising if it amounted as high as 4MB, much less more than a fraction of 1MB.

[apsd]

4mb does sound a little high... and now that I think of it, it doesn't make much sense. Most CPUs on our PCs have caches up to 1mb, and that's it.

But if it were the video framebuffer, why didn't they put it near/in the graphics controller itself?

Maybe it's a scratchpad for decryption of the encrypted instructions?

[Guest]

Ok, all is now known.

Review this thread, pay attention to the Extremetech link:

http://forums.ps2dev.org/viewtopic.php?t=1086

Specifically, this slide:

http://www.extremetech.com/slideshow_vi ... o=2,00.asp

Basically, there is a total of 4MB eDRAM, but its not all in one place. Its
divided between the CPU/GPU and the Media engines.

Only 2MB is used for the framebuffer.

[andy0482]

edit

[apsd]

Ah, nice find gorim. That explains all the DRAM stuff.

Andy, yeah, I guess in the end it all works out :-D

Back to the post topic, given the firmware is stored raw (presuming it is) in the 32mb flash, what is the obstacle in the way other than the physical access?

I'm going to do some more research and see if I can pull anything up about access the flash electronically... (being a chip combining both memories- different from standalone flash chips I bet)

However, if the firmware is encrypted and getting the key is out of reach, then I guess you'd have to resort to a software method (some vulnerability to exploit), to run your own code and what not. :-/

I like that most of this phsyical hardware stuff is sorted out though, good job :-)

[Naota]

This is what was done for the xbox. The bios was extracted and moddified, then the chip reflashed (softmodded) with a modified version of the original xbox bios using most of the microsoft script minus the disk verification stuff etc. Or the chip onboard is bypassed all together by using a modchip wich is basically a flashable chip that with either a linux based bios (legal) or a hacked microsoft version of the original.
So yeah if some savy hackers decide to go this route and the bios/firmware is extracted and decrypted then I think we'll see homebrew or linux not to far after.

[pixel]

I don't know why, but I sense that if sony went to be a little bit smart, they'd put the firmware encrypted, and got it decrypted on the fly when the psp boots as the firmware gets copied to the main ram.

Just my two cents though, people could still try to salvage the firmware out of the various electronic parts there.

[Guest]

I don't know why, but I sense that if sony went to be a little bit smart, they'd put the firmware encrypted, and got it decrypted on the fly when the psp boots as the firmware gets copied to the main ram.

I have heard through the grapevine that is indeed the case.

[skyfox01_99]

I doubt that the whole OS will be encrypted. It's more likely that it will have certain sections compressed a lá microsoft's Windows Mobile OS. Pocket PC ROM structure contains a small unencrypted, uncompressed boot-strap in the first few blocks of FLASH. This allows the device to decompress whatever part it needs to RAM (DRAM?) to run (termed execute-in-place or XIP).

... just a thought.

JTAG is probably going to be the best bet...

[Guest]

Well, encrypting it IS the smart thing to do, and if the capability exists, no doubt they will do it, since the PSP has such a high focus on security. Its an inevitable way to go about things.

The xbox is not a good comparison, neither is the ps2. Even the PS2 had things compressed in its bios, so one is mindful of that possibility for the PSP. But we are talking new technology here.

[skyfox01_99]

It just seems that the PSP boots from cold too quickly to have to decrypt ROM data.

[Guest]

It just seems that the PSP boots from cold too quickly to have to decrypt ROM data.

Depends on the algorithm and how its implemented. AES encryption is super-fast, and the PSP has the crypto in hardware.

Think about it, nearly everything the PSP does is encrypted - network communications (even between competing game players), save games, firmware updates, etc...

Speed is no problem here.

[Yoorah]

Sure, but do you have a basis for comparison of what "too quickly" is? Maybe if people had access to detailed information about the PSP's data processing performance, making such a claim would be much easier...

Silly idea: Look up specs for that R4000 processor, estimate how fast it can process (decrypt?) data; estimate how large the BIOS image is (or is it known info?); calculate the approximate time it would take, and compare it to the actual time. Worst scientific experiment, ever... I apologise. XD

[Guest]

Sure, but do you have a basis for comparison of what "too quickly" is? Maybe if people had access to detailed information about the PSP's data processing performance, making such a claim would be much easier...

I think you missed what I said. The PSP is even encrypting in real time the acts of people playing network games head-to-head against each other...
Save games are encrypted.

I am also very aware of the AES algorithm. It is public, code is available for it. Its a very simple and very fast algorithm. Have you looked at it ? A 300mhz system should churn through 8MB in no time, and thats just with a software-based implementation. A hardware based implementation, as exists in the PSP, would be near real-time.

I would say based on the above information my claim is more compelling, short of an actual experiment. At least I base my claim on real facts.

[Yoorah]

Oh, sorry; I was replying to: "It just seems that the PSP boots from cold too quickly to have to decrypt ROM data.", and did not see your post. After reading yours, I quickly realised that my idea was more nonesense than I though.

[Guest]

Oh, sorry; I was replying to: "It just seems that the PSP boots from cold too quickly to have to decrypt ROM data.", and did not see your post. After reading yours, I quickly realised that my idea was more nonesense than I though.

Ah, well postings have been coming fast an furious, easy to miss a few ;) No prob.

[andy0482]

edit