How to boot a FW

[slasher2661996]

How can i boot a firmware from my app?
Like how can i boot a firmware from the MS?

[m0skit0]

Run a FW from an app? That's nonsense, as your app needs a FW to run :P And you can't run a FW on top of another FW.

To boot a FW you need to do it at console boot.

[jojojoris]

Run a FW from an app? That's nonsense, as your app needs a FW to run :P And you can't run a FW on top of another FW.

To boot a FW you need to do it at console boot.

Try timemachine. That enables you to start your psp by running a FW from the MS. It even enables you to run 1.50 homebrew on a slim.

[slasher2661996]

I know that, i just want to know how to. I know all the logic and and stuff behind it, i just want to know HOW to do it.

No offense ;)

Slasher

[m0skit0]

You need to forge your own IPL that remaps flashes to MS files. This way you trick the FW into believing that it's running on flash even if it's not.

[slasher2661996]

How would i do that

[jojojoris]

download timemachine which is made by dark_alex

downlaod the firmware eboots which needed. (150.pbp, 340.pbp 360.psar<-hard to find try torrents, and another)

Run the timemachine eboot on your psp <- but before check you have enough space on your ms.

After time machine is installed boot your psp using a hacked battery.

If you press nothing your psp will boot normal. If you press CROSS/TRIANGLE/SQUARE or CIRCLE it will boot the FW defined by that button.

[Dariusc123456]

To make your own ipl to run form service mode, download the psp ipl sdk.

[slasher2661996]

Thanks Dariusc

--EDIT

I downloaded it but im not sure how it works, i've read the readme's but i need some help. If anyone is willing to help, please tell me

[Dariusc123456]

You'll might want to be careful because if you do it wont, sometimes on a slim, it could cause the fw not to boot at all until you install the ipl back into the memory stick.

[slasher2661996]

yes ok, can anyone enlighten me on how i can make my own ipl

[jojojoris]

Why would you ever make a new ipl.
[sarcasm]Or are you a new genius hacker who had found a way to hack a psp3000 using magic memorystick[/sarcasm]

I mean... no average programmer needs his own ipl.

[m0skit0]

Well you need some knowledge about PSP inner workings to program such things. You better start here:

http://hitmen.c02.at/files/yapspd/psp_doc/
http://silverspring.lan.st/NPSPTD_01.txt

Then if you dont understand something, come asking.

[Torch]

It might be feasible to make your application directly reboot into a memory stick firmware such as one installed by Time Machine (Or a "Test M33" firmware from DC if you want a later firmware like 5.00M33).

You'll probably have to do something along these lines :/

You'll need a custom IPL which modifies the Time Machine IPL for this. You should already be running it in service mode.Time Machine can boot normally to flash0 from service mode. I'm assuming that if you store a variable at a fixed address in RAM, you can access it at IPL time when you suspend and resume the PSP. Make your app store a variable at a hard coded location and then suspend and restart the PSP. You could use the RTC alarm function to make it automatically power on again. When the PSP powers on it will execute the IPL again. You should have a custom IPL on the memory stick. In the IPL you can detect whether the PSP was cold booted or whether its resuming from a suspend. If it was previously suspended then you should look for your variable at your memory location too see whether your app wants to boot another firmware. If it does then your IPL should patch the TimeMachine IPL to directly start which ever memory stick firmware IPL instead of waiting for a button press. If it is coldboot then your IPL should directly start the Time Machine IPL so the PSP boots normally.

Or you can just make it reboot and hold the corresponding button for Time Machine =.=

[Davee]

To be honest, If you are asking HOW to do it, then you do not know sufficient amounts to drive the project.

[slasher2661996]

Yea i know Davee, but everyone has to start somewhere.


What i want to do, is a user chooses one option, then it boots into one firmware, if they press another it boots into another firmware (flash or MS)

[Torch]

What i want to do, is a user chooses one option, then it boots into one firmware, if they press another it boots into another firmware (flash or MS)

Easiest way to do this is by extending the Time Machine IPL with a custom IPL that reads commands left by your application.

[slasher2661996]

ok i got the timemachine ipl, but how do i edit it

[Torch]

ok i got the timemachine ipl, but how do i edit it

You need to reverse engineer it....

The starting IPL on the memory stick needs to be your own custom IPL which loads the TM IPL after making the necessary patches.

[slasher2661996]

prx's i can decompile, but an ipl, how exactly?

[m0skit0]

MIPS disassembler

[cory1492]

prx's i can decompile, but an ipl, how exactly?

Never tried it on ipl code, but prxtool has the option to disassemble plain binary segments. Keep in mind also that IPL is contsructed in chunks with header and hash data for each chunk, you'd have to look to see how closely the IPL exploit follows that outline once the initial block(s) with exploit are passed.

example:
prxtool -b -n psplibdoc.xml -w -i mw -o output.dis.txt yourfile.bin

GCC's as should also have tools/ability to disassemble binary chunks.

[Davee]

Yea i know Davee, but everyone has to start somewhere.


What i want to do, is a user chooses one option, then it boots into one firmware, if they press another it boots into another firmware (flash or MS)

Do swimmers start off in the deep end?
Do guitarists start off learning insane solos?
Do low level programmers start off attempting to replicate another firmware via reboot?

Also the whole, IPL thing ain't really that good for his description.

I don't mean to be an arse and bursting your bubble, but you really don't do this unless you know how the PSP works. I suggest reversing parts of the kernel so you get an understanding of how the executables are treated, how the chain of trust operates and especially how executables are decrypted ;)

From a software point of view, your reboot doesn't want to touch the IPL at all. Have a look of reboot.bin it's loaded by loadexec. M33 hooks this to control reboots, you'll need to do the same.

I'm no expert myself as I've never attempted such a task but thats definately the way to reboot into an external firmware.

[Torch]

From a software point of view, your reboot doesn't want to touch the IPL at all. Have a look of reboot.bin it's loaded by loadexec. M33 hooks this to control reboots, you'll need to do the same.

I'm no expert myself as I've never attempted such a task but thats definately the way to reboot into an external firmware.

Aren't there are IPL patches as well for the booting from memory stick firmware?!? I don't think simply restarting with a Time Machine memory stick firmware's reboot.bin is going to make it boot from the memory stick!

Even if reboot works, what about suspend & resume? How would the TM IPL know which IPL's resume to run when you suspend and resume the PSP?

[slasher2661996]

Ok well can someone give me a clear answer of what i should do to answer my question (scroll up)!

[Davee]

From a software point of view, your reboot doesn't want to touch the IPL at all. Have a look of reboot.bin it's loaded by loadexec. M33 hooks this to control reboots, you'll need to do the same.

I'm no expert myself as I've never attempted such a task but thats definately the way to reboot into an external firmware.

Aren't there are IPL patches as well for the booting from memory stick firmware?!? I don't think simply restarting with a Time Machine memory stick firmware's reboot.bin is going to make it boot from the memory stick!

Even if reboot works, what about suspend & resume? How would the TM IPL know which IPL's resume to run when you suspend and resume the PSP?

olol.
SE/OE firmwares ring any bells?

You're right with the suspend and resume though. That will have to properly be dealt with.

[Torch]

SE/OE firmwares ring any bells?

You're right with the suspend and resume though. That will have to properly be dealt with.

You mean the lflash emulation is completely transparent and boots 1.50/3.40OE firmware with the stock IPL in TM??
What about the 1.50 Slim version through TM?

[Dariusc123456]

SE/OE firmwares ring any bells?

You're right with the suspend and resume though. That will have to properly be dealt with.

You mean the lflash emulation is completely transparent and boots 1.50/3.40OE firmware with the stock IPL in TM??
What about the 1.50 Slim version through TM?

Torch, the nand o the psp slim have been patch to "emulate" 1.50 on the Sony PSP Slim/Lite. Its not just the IPL that comes with the 1.50, its the patch it self that completly allow 1.50 on psp slim via TM (isnt it?).

[Torch]

Torch, the nand o the psp slim have been patch to "emulate" 1.50 on the Sony PSP Slim/Lite. Its not just the IPL that comes with the 1.50, its the patch it self that completly allow 1.50 on psp slim via TM (isnt it?).

TM doesn't touch the nand...
I doubt the 1.50 IPL would even recognize half the hardware in the Slim while initializing. I dunno how it would work without extensive patching.

[Dariusc123456]

Torch, the nand o the psp slim have been patch to "emulate" 1.50 on the Sony PSP Slim/Lite. Its not just the IPL that comes with the 1.50, its the patch it self that completly allow 1.50 on psp slim via TM (isnt it?).

TM doesn't touch the nand...
I doubt the 1.50 IPL would even recognize half the hardware in the Slim while initializing. I dunno how it would work without extensive patching.

I remember reading something about the Time Machine patches the psp slim to use 1.50, and something else. You'll have to ask dax (thats if he ever come back online again).