On Hacking the PSP



hai_ok
March 14th, 2005, 22:10
There will be exploits in the PSP. Of this I have no doubt.
As long as hardware is controlled by software, we will have the power to make the hardware do anything we want.

What I'm sharing here is meant to be some insight into what we're probably going to be dealing with.
Do not treat this as fact.
I don't have a PSP in my hands yet.
Just some friendly discussion.

First of all, the PSP is designed to do what we want it to do: run games and apps and music and movies and slideshows, and stuff like that. Just think about all the great things that we don't have to hack here. This system already does so much more than any other system, there really is no comparison. So there really is only one goal before us. How do we get this thing to run homebrew code?

Second, there is an SDK. Sony wants people to develop for it.
A bigger dev community = bigger share of the market = more sales = everybody's happy.
The SDK is reported to include a (slow) emulator.
Please tell me that you realize what this means.
We don't have to use a real one to see if our exploits/homebrew code works on it.
Fool the emu and you'll probably be able to fool the real machine.

Third, Sony made a wise decision to do away with region encoding this time around. It means we do not have to mod our PSPs in order to play imported games! Thank you Sony! It also takes away one of the few legitimate reasons we have for modding our consoles to begin with.

Third and a half:
I support the development of homebrew code, and the emulation scene especially. Without them, the long-dead systems of years past would be gone. Because of homebrewed emus I can now play games I never knew existed. They were released for systems that I still own, but that are now minimally functional (if at all) due to decades of normal and even careful use. Almost all of these games and their systems are no longer made, and if available at all, they are sold in only partially working condition at best. A sad way to relive a memory.

Third and three quarters:
Why the emu scene is so important. Have you ever purchased a remake or a collection of resurrected titles so that you could play your old favorites again? Some facet of gameplay is nearly always lost in the translation. It may be an accurate translation of the code, but on new hardware, something doesn't run right. This usually makes the quality of gameplay suffer significantly. For some reason though, the emu community does not consider a game to be working until it plays, looks and sounds exactly as it did in its original form, even going as far as emulating the original hardware. And only a few games are re-released as retail collections or titles. What about the rare ones I never had a chance to buy? And the ones I did own, but that no longer work, or that I can no longer buy?

OK, fourth: I'm not endorsing piracy. Do what you want. I am a loving and adoring fan of Sony's work. I buy the games that I like to play. So I support the developers who write them. What I want is emulation of my favorite old consoles on this sweet portable screen!

hai_ok
March 14th, 2005, 22:11
Let's examine the factors that we know about this so far.

- There is already at least one title which supports game sharing via wifi.
Once there is a thriving community of homebrew developers, it may be remarkably easy to share our apps and games with others. More is required before this will work. So more on this later.

- We should all be aware that there is a network update feature.
You can apparently run updates from your memory card. This was wise of Sony, because it is a little like updating a BIOS: if you're updating over a wifi connection and you lose your connection in the middle of the update, you could end up with a paperweight. This is also good news for us. It means we can examine how legitimate code is packaged and distributed, what these updates do, why they are allowed to run, and how they update the machine.
In fact there is an update floating around for download.
WARNING: This particular update will kill your PSP. So it is useful to look at it, but don't try anything unless you know what you are doing.
However...

- This update is bootable. That's right. If it is on your memory card, and you start your PSP, it will launch this application. While that is not useful this time around, at some point in the future, all we may need to do to mod our PSP (or launch our homebrew emu) is download it, put it on our memory card, and boot from it. Let's hope it turns out to be this easy...

Someone has already written a dumper to extract the contents of this bad update.
I've done it and seen the contents. Very interesting. (good work btw!)

Add to this, the PSP sdk and the diligent efforts of our industrious hackers and this gets interesting.

- We will eventually get our grubby little hands on a complete and fully functional update.

How do we take advantage of this?

- If the OS is modular, then we could replace something like the photo manager with our own golden nugget of a homebrew app.

- Or perhaps duplicate a legitimate submenu option in the system settings menu code, but assign its instruction to run an app on the memory card.

Let's look at the language menu for example.
- If the Japanese menu is a duplicate of the English menu (it's probably not), and it only uses different characters, we could overwrite the entire Japanese menu structure with many different homebrew instructions. So that, to access the hacks, you simply "change languages". Then you would have a completely functional menu system without losing a single function (unless you want to read Japanese and English), and you would have a complete menu system full of homebrew options. Have your cake and eat it too.

More is required before we can attempt things like this. Right now though, not knowing exactly what we're dealing with, all of this is only theoretically possible. But here's an ideal situation...

We get our network update and extract it.
If, after some careful examination and some plain old reckless experimentation, we discover that we are able to manipulate it, we can then try to replace part of it.
We then repack the update and install it.

One of two things may become possible here:

1: It hiccups or otherwise exposes an exploitable design feature which allows us to launch the app/game of our choice, quite possibly from the location of our choice.
(This is what happens when you softmod an Xbox.)

2: Or, (joy of joys) it actually runs the file or homebrew code we've included in the network update. This could be anything from a game, to a custom gui app... to an emulator!

The trick is to fool it into thinking that it is allowed to run. And if we sneak it in there, when the PSP isn't looking, it just may work. More on this later.

or...

We get the PSP to dump a shared (wifi) game from RAM (as yet they are not stored on the memory card; they are in RAM, so when you turn off your PSP they are gone).
We find out what makes the PSP want to play this game.
If it is not encrypted, then this will be easier.

"Yeah but the files we've seen so far, are encrypted!"
So was the Xbox disc format. But we got around it because the system had to have permission to read from the device, and the data had to make sense to the unit itself or no games would be possible on that system at all. If we have to break the encryption, then we have some hard work ahead of us. But it's possible that the system will do it for us. Even the GameCube format was encrypted, but we got around that too.

Using the sdk to write a shell, or bootable OS may be possible. Then, the whole system should open up to us because we're already on the "inside".

"Isn't that the Chicken before the Egg?"
That depends on when the apps/games get encrypted.
How and when they are digitally signed.
If the SDK can do it, or the PSP itself can open it up for us, or we break it and write an app to do it, then we're in business. There is, no doubt, some measure of CRC at work here, I'd imagine. But that is also, no doubt, a part of this process.

- So we already know that you can launch applications from the memory card. The memory card is even described as a place you can store games that you have downloaded!
In fact there appears to be a game called "Big Bang Bang" included with the bad network update. It looks like a Mahjong game with a horse racing theme. Imagine replacing that with the app of our choice...

Let's not forget that a PSP "formatted" memory card is not encrypted. This is a huge advantage!

Now because this venture has been compared to doing similar things on other systems, I'll examine what is known about a few of them.

- If I remember correctly, the GameShark for the PS2 uses some of the "Crazy Taxi" game ID (file name/volume label/data?) as part of its ability to run on that system. It runs because we fool it into thinking that it is allowed to run. It is not licensed or endorsed by Sony, but it runs on a non-modded system. It is technically homebrew code. It runs because "Crazy Taxi" is allowed to run.

- Most titles run from the PS2 hard drive because the system believes that it is native media. That is, it expects that anything found on the hard drive, is there because it is legitimate (FFXI for example). With few exceptions, the only games that do not run from the hard drive are those that are simply trying to access the CD/DVD device directly. It fails an online verification because Sony got wise to the HD trend and watched closely for this when people started playing online. Even most of the homebrew code I've tried will run from the hard drive. This is because the system believes that it should be allowed to run anything that it finds there. No screwdriver or modchip needed (unless you count screwing in the hd when you install it).

- Running games from the CD/DVD could be done by swapping discs. But that's because you didn't have access to any underlying process. In the case of the PSP, we might. While it's not advisable to swap UMDs, it illustrates that we simply have to fool the system into thinking that it's playing by the rules.

- The GBA runs anything it finds on the cart that has the proper file name. Very different from the PSP, but with the right file characteristics (à la Crazy Taxi) we may be in business.

- There is even a similarity here between the PSP and the Xbox. They both have a software-updatable OS. The Xbox turns out to be easily exploitable, and you do not need a mod chip, even to add bigger hard drives. A few games happen to allow the running of unsigned code during their saved-game loading routines. Quite by accident. And bam! You have a modded box. There was even an app that signed XBE files so that homebrew apps could run on an Xbox. I never needed it though. And MS does ban users of homebrew code from online play. They've even gone so far as overwriting or erasing it remotely. Food for thought.
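
The post above keeps coming back to one idea: the trick is to fool the machine into thinking the code is allowed to run, and there is probably "some measure of CRC" involved. The following is an added example, not code from the thread or from Sony, that makes the security point concrete: a CRC is an integrity check that anyone who can edit the file can recompute, while a keyed check can only be recomputed by whoever holds the key. The container layout (CRC-32, then a 32-byte tag, then the payload), the field order, the `DEVICE_KEY` value and the function names are all assumptions invented for illustration; they are not the PSP's real update format.

```python
"""Added example: why a CRC is not an authorisation check.

Toy update container (assumed layout, not the PSP's):
    4 bytes  CRC-32 of payload          (anyone can recompute this)
    32 bytes HMAC-SHA256 of payload     (only a key holder can recompute this)
    N bytes  payload
"""
import hashlib
import hmac
import struct
import zlib

HEADER = struct.Struct("<I32s")

# Assumed device key, constructed for the demo. A real design would use an
# asymmetric signature so the device only holds a public key and no signing
# secret; HMAC is used here purely to stay within the standard library.
DEVICE_KEY = b"constructed-demo-key-not-real"


def pack_update(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """What a legitimate packager with the key produces."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return HEADER.pack(crc, tag) + payload


def split(blob: bytes):
    crc, tag = HEADER.unpack_from(blob)
    return crc, tag, blob[HEADER.size:]


def crc_check_passes(blob: bytes) -> bool:
    """A verifier that only checks the CRC: detects corruption, not tampering."""
    crc, _, payload = split(blob)
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


def keyed_check_passes(blob: bytes, key: bytes = DEVICE_KEY) -> bool:
    """A verifier that checks the keyed tag in constant time."""
    _, tag, payload = split(blob)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def attacker_swap_payload(blob: bytes, new_payload: bytes) -> bytes:
    """The 'replace a component and repack' step, done without the key:
    swap the payload and recompute the CRC; the keyed tag is left as found."""
    _, tag, _ = split(blob)
    crc = zlib.crc32(new_payload) & 0xFFFFFFFF
    return HEADER.pack(crc, tag) + new_payload


def demo() -> dict:
    original = pack_update(b"official photo manager v1")
    tampered = attacker_swap_payload(original, b"homebrew emulator")
    return {
        "original_crc": crc_check_passes(original),      # True
        "original_keyed": keyed_check_passes(original),  # True
        "tampered_crc": crc_check_passes(tampered),      # True: CRC was recomputed
        "tampered_keyed": keyed_check_passes(tampered),  # False: no key, no valid tag
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'PASS' if ok else 'FAIL'}")
```

The caveat a practitioner would add: with a symmetric tag like the one above, the verifying key has to be on the device, so the firmware dumping the thread describes would eventually expose it and the attacker could then forge tags as easily as CRCs. That is exactly why real consoles verify with a public key embedded in the firmware and keep the private signing key off the device.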

hai_ok
March 14th, 2005, 22:12
- For the record, the PS2 is emu-friendly, if you know what you are doing. If you don't, you just need to find someone who does. I've got quite a few emulators running on mine. They are out there. It just takes real programmers to write them. MS can't make a machine without making it so stinking similar to a Wintel platform that it has a software OS that runs from a hard drive. Writing for the PSX and PS2 requires a pretty hardcore skill level. You just have to be a better programmer to code for Sony's machines.

We do have a lot going for us:
There are many very talented hackers and developers out there with loads of experience. I don't want to offend any of them. After all, I'm not one of them. I tinker and enjoy the results, but you guys kick ass! So I depend heavily on your hard work, and owe you all many thanks. If I am incorrect about any of this posting, please correct me.

We have a unified cause. There really is only one common goal here. Running Homebrew Code! With there being so many people in the dev scene, our work, though hard and probably slow at times, will likely yield impressive and unstoppable results.

- Very little is known so far about the PSP's encryption/permission scheme. A memory exploit like the one described above is not out of the question. Just unlikely. Sony probably does some crash testing to see how their unit holds up to unexpected hoo-ha, which is to say, something in memory (RAM) bombing out, or an overflowing buffer that exposes their precious data to unwelcome eyes. But they will always see the PSP for how it was designed to work. So they will never try the things we are about to do to ours...

Here is what stands in our way:
The network update. Yes, the network itself.
Let's just say that we mod a network update and, poof! We all get everything we want.
The next update will no doubt undo our hard work.
So we mod that one, too?
Sony may get wise to us and change the rules.
It's not impossible to rewrite something so that it works identically to its predecessor, but so that the underlying code is completely different. We would be back to square one.
Sony could ban online players whose system was updated with unofficial patchwork like we're describing here.
They could prevent these users from running future updates.
How far will they go?
It's hard to say.

What I'll venture to guess/suggest:

I am pretty long-winded.

We probably won't need mod chips.
They will probably happen anyway.
Why?
Because someone makes money when you buy one.

I prefer to soft-mod instead of installing a chip.
You shouldn't do anything to your PSP that you can't undo.
If you're not sure, ask someone who is.

I hope this helps those who need it.

xXpurplepanzy56Xx
March 15th, 2005, 00:13
hai_ok, do you know a lot about the connections and stuff on the PSP? If you do, tell me, because I need to know about it.

wraggster
March 15th, 2005, 02:15
Hey, I'm impressed by your knowledge ;)

leggy
March 15th, 2005, 11:25
Great post!

I only wish I knew what you were talking about but it does make pretty interesting reading :D

Any chance of condensing it down to a few lines of 'English' for us non-techy people :confused:

What is homebrew??

Again, very interesting.

hai_ok
March 15th, 2005, 16:11
thanks for the kind words.

homebrew= people writing their own games and applications that run on a console.

OK, here is the short version:

Part 1:
As long as hardware is controlled by software, we will have the power to make the hardware do anything we want. The PSP runs a software operating system. The software controls the hardware. The hardware plays the games. If we can control the software, we can control the hardware! So, as soon as we get our hands on the PSP SDK, we can probably get it to do anything we want it to do.

I have recently learned that the emulator in the PSP SDK is not slow. In fact it runs at full speed! Though I'd like to see it with my own eyes.

Recent News: The SDK is $25,000. That is a lot of cash.

Emulators always run the original game better than when someone tries to rewrite the game to run on a new console.

Part 2:

The PSP connects to, and can get new media through, wireless access points and USB. This means it will be easy to get stuff onto it.

The PSP already does 90% of what we want. So we only have to hack 10%. Yay!
But it may not be easy. Boo!

There are several possible ways to hack our PSPs. All of it that I discuss is software related. I don't like the idea of using a mod chip on a PSP. Hopefully we can trick the PSP into giving us access to its secrets. Better yet, it will let us fool it into playing stuff it isn't supposed to play. There are a few ways that this works on other systems also. So it may be possible. Plus, we have access to a lot of the things we will need in order to hack the PSP.

Part 3:

For more on emulation on the PSP, visit:
http://ps2emu.dcemu.co.uk

Sony will never try the things we are about to do to PSPs. So they don't know how we will do it. But we will hack these wonderful little machines!

It's hard to put most of it into simpler terms. But if you have specific questions, Please ask! I'd be happy to explain what I can.

hai_ok
April 6th, 2005, 16:47
Well, the first few steps have happened, to a lesser degree.

We have extracted files and we can examine, hex edit and read them. Someone even bit-flipped a switch that turned on region protection. So we can see that the files are able to be manipulated.

Now we have a tool for repacking them.
Look for a tool called PSPunpacker.

It will let you select each of the different components that we have seen that comprise a legitimate distribution. Then you just pack it right up and bam.

Now we need to be able to write and compile these components. This is where we need the SDK.

This didn't take long. It's nice to know that when the time comes, we should be able to build our own distributions of properly packaged homebrew code.
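
The files the post above is extracting and repacking are PBP containers (the EBOOT.PBP of an update or demo). The container is only an index: the `\0PBP` magic, a 4-byte version, then eight little-endian 32-bit offsets, one per component in a fixed order (PARAM.SFO, ICON0.PNG, ICON1.PMF, PIC0.PNG, PIC1.PNG, SND0.AT3, DATA.PSP, DATA.PSAR). No sizes are stored; each component runs to the next offset and the last to end of file, and an empty component just repeats the following offset. The code below is an added example of that unpack/repack step, written for this page; it is not the PSPunpacker tool the post names, not Sony code, and the sample component contents are constructed placeholders. It operates only on the plaintext index, so if DATA.PSP or DATA.PSAR inside a real file is encrypted, as the thread suspects, this does nothing to change that.

```python
"""Added example: pack and unpack the PBP container used by PSP EBOOT.PBP files.
Not the thread's PSPunpacker; sample contents are constructed placeholders."""
import struct

PBP_MAGIC = b"\x00PBP"
PBP_VERSION = 0x00010000
COMPONENTS = ("PARAM.SFO", "ICON0.PNG", "ICON1.PMF", "PIC0.PNG",
              "PIC1.PNG", "SND0.AT3", "DATA.PSP", "DATA.PSAR")
HEADER = struct.Struct("<4sI8I")   # magic, version, eight offsets: 0x28 bytes


def pack_pbp(parts: dict, version: int = PBP_VERSION) -> bytes:
    """Build a PBP from {component name: bytes}; missing names become empty."""
    offsets, body, pos = [], b"", HEADER.size
    for name in COMPONENTS:
        data = parts.get(name, b"")
        offsets.append(pos)
        body += data
        pos += len(data)
    return HEADER.pack(PBP_MAGIC, version, *offsets) + body


def unpack_pbp(blob: bytes):
    """Split a PBP into (version, {component name: bytes}), rejecting a bad index."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated PBP header")
    magic, version, *offsets = HEADER.unpack_from(blob)
    if magic != PBP_MAGIC:
        raise ValueError("bad magic %r" % magic)
    bounds = offsets + [len(blob)]
    # The first offset must be the header end, offsets must be non-decreasing and
    # inside the file; a repacker that miscomputes one offset would otherwise hand
    # us a slice of the neighbouring component instead of raising here.
    if bounds[0] != HEADER.size or any(a > b for a, b in zip(bounds, bounds[1:])):
        raise ValueError("offsets out of order or outside file: %r" % (offsets,))
    parts = {name: blob[a:b] for name, a, b in zip(COMPONENTS, bounds, bounds[1:])}
    return version, parts


def replace_component(blob: bytes, name: str, data: bytes) -> bytes:
    """The 'swap one component and repack' step, at the container level only."""
    version, parts = unpack_pbp(blob)
    parts[name] = data
    return pack_pbp(parts, version)


def demo():
    # Constructed placeholder components; real PARAM.SFO/DATA.PSP content differs.
    sample = {"PARAM.SFO": b"\x00PSF-constructed", "ICON0.PNG": b"png-placeholder",
              "DATA.PSP": b"original-executable", "DATA.PSAR": b"archive-placeholder"}
    blob = pack_pbp(sample)
    _, parts = unpack_pbp(blob)
    assert all(parts[n] == sample.get(n, b"") for n in COMPONENTS)
    modded = replace_component(blob, "DATA.PSP", b"homebrew-executable-longer")
    _, parts2 = unpack_pbp(modded)
    return parts2["DATA.PSP"], parts2["DATA.PSAR"], len(blob), len(modded)


if __name__ == "__main__":
    new_psp, psar, before, after = demo()
    print("DATA.PSP now:", new_psp, "| DATA.PSAR intact:", psar)
    print("container grew from", before, "to", after, "bytes; later offsets were shifted")
```

Note that growing DATA.PSP moves DATA.PSAR, so every offset after the replaced component has to be recomputed; a hex edit that changes a component's length without fixing the index is the usual way a hand-repacked file ends up unreadable.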

psplover
April 6th, 2005, 17:22
I stopped reading it when you said Sony made an SDK so obviously they want people to develop on it. Dude, everyone makes an SDK for their system. SDKs are supposed to be bought and money is made off of the licensing. Sony doesn't want some amateur coder giving away free things. Hell, they don't care if you code an emulator as long as you're paying them for their software use.

Second, there's only really one option for HB. Sony added a feature for downloadable demos to be played off your PSP, and upgrades. They run games from the memory stick. As soon as they release a demo you're gonna see hackers probably edit the boot files from the demo and try to boot their own code using that. I see this as being the only way to get stuff done. Even a dual-layer DVD with the data ring that could be read in a UMD case isn't enough for games really. It's 1.05GB.

hai_ok
April 6th, 2005, 17:47
@psplover.

um... glad you love psps.

If you loved reading, you would have read that I said pretty much the same thing you did.

I agree that they aren't going to be friendly to the idea of just anyone writing stuff for their hardware.

I think the point about Sony wanting people to develop for their system was sort of lost on you (when you stopped reading). The point I wanted to make was that the PSP wants to run code (that's what it does). That is to say, the nature of the beast is in our favor. When we get ourselves an SDK, it will want to run what we write. As opposed to trying to make a toaster oven do our calculus homework for us. Aside from encryption and anything else standing in our way, we are starting with a machine that already wants to do our bidding.

And I went into some detail about how we might get HB code running. One of them was specifically about running the code off of the memory card.

And I'm not sure what you're getting at with the dual layer data ring stuff. The UMD drive that comes with the SDK is a reader. I kind of hoped it was a writer when I saw the pictures of the kit, but as it turns out, it isn't.

Sony is one of the few companies in the US who owns their own media (disc) manufacturing facility. I think the UMD was their way of making sure that they were the only ones making the discs. Um, antipiracy.

Also, keep in mind that the beginning of this post was written before the release of the PSP (in the US). So I was speculating based on what we knew then. I don't think I was too far off.

Next time, keep reading. I'd love to hear your thoughts.

psplover
April 6th, 2005, 18:05
I'm saying that if UMD is a DVD format and there's ever a hack to make UMD drives read DVDs, it's still impractical.

http://img190.exs.cx/my.php?loc=img190&image=example7ms.png
The reason why you can't make custom mini DVDs without the plastic area is that a personal-use burner's laser can't move in that close to burn in the section.

hai_ok
April 6th, 2005, 18:22
I'm not suggesting that we make our own UMDs.
I wish I could though. ;)
I actually agree with you on this one. The memory Stick is our best option.

Maybe you'll find this interesting also.
http://www.psphacks.net/content/view/144/2/

Thanks for your reply.

Vimes220
April 6th, 2005, 18:29
hey someone who speaks the same language as psplover :p

hai_ok
April 11th, 2005, 16:46
Well if you've been reading up on all your PSP news, then you already know that the reputable "Code Warrior" wrapper for PSP ver 1.1 was accidentally leaked.

What this means?
It is unlikely that this compiles directly to code you can run on a PSP. It more likely translates the code from C++ to PSP-optimised code. If I'm wrong, oops. But this would appear to be a stride forward for our community. From what I understand about how Code Warrior works, you would still need the PSP SDK to take advantage of this fine tool. This may be a quick way to port emulators. It may not be the most efficient way, as more experienced programmers will likely tell you, but it may also allow us to port some other kinds of interesting applications. Like memory dumpers...

Who knows...