Custom IPL sample

August 30th, 2007, 15:48 Posted By: wraggster

Moonlight posted this a few days ago, (only of note to coders and hackers):

This is an example (with source) of a very simple custom ipl with only 2 features

The custom ipl extends the 1.50 one. The copyrighted material (sony 1.50 original ipl) has to be provided by the user in form of the 1.50 updater.

Download:

http://www.megaupload.com/?d=A0SN4362

Feature for user:

- It bypasses ta-082+ brick, so you can have a ta-082+ without any key patched running 1.50 kernel based firmwares.

Feature for programmer:

- It dumps 0xbfc00000, the psp boot code prior to ipl, to the address 0x883e0000 (which is not touched by 1.50 kernel). To get the boot code in a 1.50 original firmware, just run kdumper, and extract 0x3e0000-0x3effff from the kmem.bin file -> that's the psp boot code. If you are in a cfw, you will have to execute the kdumper as a recovery or autoboot, because the 3.XX kernel overwrites the 0x883e0000 memory.

Note that this ipl is flashed to the nand, not written to the ms.

Some info about the ipl, etc.

- The first instruction executed by the PSP at boot is 0xbfc00000. This memory address is not the same than the 0xbfc00000 that can be accesed when the system has booted.

- The memory is read only, so variables cannot be written. Because of this, the psp boot code copies code from itself to the scratchpad memory (0x80010000).

- There is memory section 0xbfd00000-0xbfd01000. This is the one that will be converted later in the 0xbfc00000 that programmers usually know.

- One of the first things SCE ipl's do is to reset the main cpu. In the 1.50 ipl, this happen at address 0x040f0070-0x040f0084. When the cpu is reseted, what 0xbfc00000 memory was cannot be accesed anymore. The 0xbfd00000 memory gets remapped as 0xbfc00000, and 0xbfd00000 is now an invalid memory address.

- Since 2.60, SCE aproached that fact to encrypt their ipl's: they used as a seed for a prng the 0xbfc00000 memory before the reset, to decrypt main.bin (main.gz), knowing that it would be impossible to dump it after the reset. They also played with the two meanings of 0xbfc00000 to cause confussion.
While it appeared to be an intelligent move to hide their ipl's, it wasn't really that intelligent: they made us to have much curiosity for that memory, and we didn't stop until we dumped it

That curiosity ended in service mode. If they hadn't hidden their ipl's... maybe Pandora wouldn't exist today, who knows.

- IPL is executed when returning from sleep mode too. Main.bin follows two different branches depending if it is plain boot or sleep mode return, as obviously the kernel is not booted again. The code branch can be seen at address 0x04000490 in main.bin of the 1.50 ipl:

Code:

u32 x;
func04005074(&x);

if (x & 0x80)
sleep mode return;
else
plain boot;

The function 0x04005074 is equivalent to the syscon function sceSyscon_driver_F775BC34.

- When not in service mode, the memory stick power is off, and the memory stick routines causes an infinite loop. To use the memory stick in a nand ipl, you have to power on the ms yourself.

- The service mode conditional can be found beginning at address 0x8001004c in the psp boot code:

Code:

if ((*(u32 *)0xbe240004) & 0x10)
{
use memory stick ipl routines;
}
else
{
use nand ipl routines;
}