pre-IPL again

hnaves · Post by **hnaves** » Tue Feb 03, 2009 3:33 am

I am a new member of this forum and I currently studying how the PSP boot process works. I think the best way to learn is by doing experiments, so, I downloaded the booster's IPL SDK. I am very curious about the pre-IPL code, and I tried to dump it. But (unfortunately) I could not use the SDK because I don't have a Jigkick battery (and I can't turn mine a Jigkick one, because my motherboard is a TA-085v2).

My question is: does anybody have a dump of the pre-IPL code for the PSP slim 2000 (motherboard TA-085v2)? I have already saw all the posts related to this subject, including:

1)http://forums.ps2dev.org/viewtopic.php?t=11586
2)http://forums.ps2dev.org/viewtopic.php?t=8850

But no one posted a dump.

My other question is: Is it possible to simulate the PSP cold boot process? Maybe by using a smart trick to overcome the changing memory mapping of the address 0xbfc00000 while doing a soft reset...

Thanks in advance...
And yes, I know that I must get hands on a Jigkick as soon as possible...

Torch · Post by **Torch** » Tue Feb 03, 2009 4:37 am

I couldn't get moonlight's custom 1.50 IPL sample+dumper working on the Slim though TimeMachine. I successfully dumped it on my friends Phat PSP by installing it on the NAND like the sample said.

hnaves · Post by **hnaves** » Tue Feb 03, 2009 4:46 am

Hi Torch, thank for your reply. Is it possible to post the file (the dump) here? Or it is against the rules of this forum? I saw on other posts that the dump from the slim and phat are quite the same, with very few differences...

moonlight · Post by **moonlight** » Tue Feb 03, 2009 5:33 am

The differences are in some hardware addresses, but the code itself is identical, with functions being exactly at same offset.

Torch · Post by **Torch** » Tue Feb 03, 2009 5:38 am

moonlight wrote:The differences are in some hardware addresses, but the code itself is identical, with functions being exactly at same offset.

Can you make your sample compatible with TM?

moonlight · Post by **moonlight** » Tue Feb 03, 2009 5:45 am

Torch wrote:
moonlight wrote:The differences are in some hardware addresses, but the code itself is identical, with functions being exactly at same offset.
Can you make your sample compatible with TM?

I don't even know where is my sample :)

Torch · Post by **Torch** » Tue Feb 03, 2009 5:48 am

moonlight wrote:I don't even know where is my sample :)

http://www.megaupload.com/?d=A0SN4362
In this one, it copies 0xbfc00000 to 0x440EF000 which must then be dumped from the firmware.

I assume what I copied from memory is the pre-IPL :P :P
I tried to reverse it but my MIPS is so bad i couldn't understand the logic after 10 instructions... It may not even be the pre-IPL :O

hnaves · Post by **hnaves** » Tue Feb 03, 2009 7:00 am

Very Nice! Is it the custom IPL from moonlight?

If I got it right, the "installer/ipl.h" contains a custom IPL code that will be flashed into my PSP by the cipl_flasher app. The custom IPL code will copy the pre-IPL code to 0x440EF000[iplboot/iplboot.c] and then to 0x483E0000[patch_main/main.s](that will be later remapped to 0x883E0000) and then perform a normal boot, right?

But I am little worried, because the cipl_flasher app needs the official 1.50 IPL code to work (it uses the 150.PBP updater file) and my PSP's firmware version is "5.00 M33". The original post http://forums.ps2dev.org/viewtopic.php?t=8850 says nothing about firmwares above 3.XX. So, maybe my PSP will brick if I flash that custom IPL, and I don't have the JigKick battery to "unbrick" my PSP again.

If I am not asking too much, could someone get the 4Kb of the dumped pre-IPL using this app?

hnaves · Post by **hnaves** » Tue Feb 03, 2009 7:06 am

Hehehe, sorry for repeating
(you already said that It did not work on TimeMachine :-)

hnaves · Post by **hnaves** » Sat Feb 28, 2009 1:28 am

The actual dump for my model (pre-IPL dumped using prxtool)

Code: Select all

; ==== Section .text - Address 0xBFC00000 Size 0x00000008 Flags 0x0006

loc_BFC00000&#58;
	0xBFC00000&#58; 0x08000000 - j 0xBFC00000
	0xBFC00004&#58; 0x00000000 - nop

hnaves · Post by **hnaves** » Sat Feb 28, 2009 1:30 am

OMG! Sorry jbit for making you edit my posts when you should be working on coolz0r code! I promise I won't post copyrighted material again!!!

hnaves · Post by **hnaves** » Sat Feb 28, 2009 1:31 am

One question: is it legal to post the dump of the pre-IPL?

SilverSpring · Post by **SilverSpring** » Sat Feb 28, 2009 1:50 am

hnaves wrote:One question: is it legal to post the dump of the pre-IPL?

Whether it's legal or not doesn't matter (it is not), it's against the rules of this board. I would edit the above posts before it gets deleted (the disassembly).

The fact that you dumped the preipl successfully means that the above instructions do work so anyone that wants it can just follow the instructions and dump it for themselves.

Feel free to discuss the contents of the dump though.

cheriff · Post by **cheriff** » Sat Feb 28, 2009 3:16 am

hnaves wrote:One question: is it legal to post the dump of the pre-IPL?

; Strings
0xBFC00F80: "Copyright (C) 2004,2005 Sony Computer Entertainment Inc. All rights reserved."

Question & Answer

Post by **jbit** » Sat Feb 28, 2009 4:02 am

Edited posts, as stated above posting stuff like this is against the forum rules, regardless of whether it's legal in certain countries or not.
Also any links to such material will be removed too, repeat offenders will be banned.
Asking for it will be considered the same as asking for ISO images of games or ROMs for emulators.

hnaves · Post by **hnaves** » Sat Feb 28, 2009 4:44 am

sorry for that