Let's examine the factors that we know about this so far.
- There is already at least one title which supports game sharing via wifi.
Once there is a thriving community of homebrew developers, it may be remarkably easy to share our apps and games with others. More is required before this will work. So more on this later.
- We should all be aware that there is a network update feature.
You can apparently run updates from your memory card. This was wise of Sony because it is a little like updating a bios. If you're updating from a wifi connection and you lose your connection in the middle of the update, you could end up with a paperweight. This is also good news for us. It means we can examine how legitimate code is packaged and distributed, what these updates do, why they are allowed to run, and how they update the machine.
In fact there is an update floating around for dl.
WARNING: This particular update will kill your PSP. So it is useful to look at it, but don't try anything unless you know what you are doing.
However...
- This update is bootable. That's right. If it is on your memory card, and you start your PSP, it will launch this application. While that is not useful this time around, at some point in the future, all we may need to do to mod our PSP (or launch our homebrew emu) is download it, put it on our memory card, and boot from it. Let's hope it turns out to be this easy...
Someone has already written a dumper to extract the contents of this bad update.
I've done it and seen the contents. Very interesting. (good work btw!)
Add to this, the PSP sdk and the diligent efforts of our industrious hackers and this gets interesting.
- We will eventually get our grubby little hands on a complete and fully functional update.
How do we take advantage of this?
- If the OS is modular, then we could replace something like the photo manager with our own golden nugget of a homebrew app.
- Or perhaps duplicate a legitimate submenu option in the system settings menu code, but assign its instruction to run an app on the memory card.
Let's look at the language menu for example.
- If the Japanese menu is a duplicate of the English menu (it's probably not), and it only uses different characters, we could overwrite the entire Japanese menu structure with many different homebrew instructions. So that, to access the hacks, you simply "change languages". Then you would have a completely functional menu system without losing a single function (unless you want to read Japanese and English), and you would have a complete menu system full of homebrew options. Have your cake and eat it too.
More is required before we can attempt things like this. Right now though, not knowing exactly what we're dealing with, all of this is only theoretically possible. But here's an ideal situation...
We get our network update and extract it.
If, after some careful examination and some plain old reckless experimentation, we discover that we are able to manipulate it, we can then try to replace part of it.
We then repack the update and install it.
One of two things may become possible here:
1: It hiccups or otherwise exposes an exploitable design feature which allows us to launch the app/game of our choice, quite possibly from the location of our choice.
(this is what happens when you softmod an xbox)
2: Or, (joy of joys) it actually runs the file or homebrew code we've included in the network update. This could be anything from a game, to a custom gui app... to an emulator!
The trick is to fool it into thinking that it is allowed to run. And if we sneak it in there, when the PSP isn't looking, it just may work. More on this later.
or...
We get the PSP to dump a shared (wifi) game from ram (as of yet they do not store on the memory card, they are in ram. So when you turn off your PSP they are gone).
We find out what makes the PSP want to play this game.
If it is not encrypted, then this will be easier.
"Yeah but the files we've seen so far, are encrypted!"
So was the xbox disc format. But we got around it because the system had to have permission to read from the device, and the data had to make sense to the unit itself or no games would be possible on that system at all. If we have to break the encryption, then we have some hard work ahead of us. But it's possible that the system will do it for us. Even the Gamecube format was encrypted, but we got around that too.
Using the sdk to write a shell, or bootable OS may be possible. Then, the whole system should open up to us because we're already on the "inside".
"Isn't that the Chicken before the Egg?"
That depends on when the apps/games get encrypted.
How and when they are digitally signed.
If the sdk can do it, or the PSP itself can open it up for us, or we break it and write an app to do it, then we're in business. There is, no doubt, some measure of crc at work here, I'd imagine. But that is also, no doubt, a part of this process.
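A constructed illustration of the crc-versus-signing point above (added here, not from the original post): a toy update package with a CRC32 field stands in for the real PSP format, and HMAC-SHA256 under an assumed device key stands in for whatever signing scheme Sony actually uses. It shows why a crc alone only catches the "lost connection mid-update" case from earlier, while a signature is what decides whether an edited package is allowed to run.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy package layout: 4-byte magic, 4-byte CRC32 of the payload, payload.
MAGIC = b"UPDT"
# Hypothetical key. On a real console this would be a public key in boot ROM and the
# signature asymmetric; HMAC-SHA256 is a stand-in with the same accept/reject behaviour.
DEVICE_KEY = b"constructed-example-key"


def pack(payload: bytes) -> bytes:
    """Build a package whose CRC field matches its payload."""
    return MAGIC + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF) + payload


def sign(package: bytes) -> bytes:
    """Signature over the whole package, as the update publisher would compute it."""
    return hmac.new(DEVICE_KEY, package, hashlib.sha256).digest()


def crc_check(package: bytes) -> bool:
    """Integrity check: catches truncation or bit flips, not deliberate edits."""
    if len(package) < 8 or package[:4] != MAGIC:
        return False
    (stored,) = struct.unpack(">I", package[4:8])
    return stored == zlib.crc32(package[8:]) & 0xFFFFFFFF


def signature_check(package: bytes, signature: bytes) -> bool:
    """Authenticity check: only the key holder can produce a matching signature."""
    return hmac.compare_digest(sign(package), signature)


def demo() -> dict:
    original = pack(b"photo_manager_v1")
    sig = sign(original)
    # An edited package with its CRC recomputed: anyone can do this, so the CRC passes.
    edited = pack(b"replacement_app_v1")
    # A download cut short: the CRC field no longer matches the payload.
    truncated = original[:-3]
    return {
        "original_crc": crc_check(original),
        "original_sig": signature_check(original, sig),
        "edited_crc": crc_check(edited),
        "edited_sig": signature_check(edited, sig),
        "truncated_crc": crc_check(truncated),
    }
```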
- So we already know that you can launch applications from the memory card. The memory card is even described as a place you can store games that you have downloaded!
In fact there appears to be a game called "Big Bang Bang" included with the bad network update. It looks like a Mahjong game with a horse racing theme. Imagine replacing that with the app of our choice...
Let's not forget that a PSP "formatted" memory card is not encrypted. This is a huge advantage!
Now because this venture has been compared to doing similar things on other systems, I'll examine what is known about a few of them.
- If I remember correctly, the gameshark for the PS2 uses some of the "crazy taxi" game id (file name/volume label/data?) as part of its ability to run on that system. It runs because we fool it into thinking that it is allowed to run. It is not licensed or endorsed by Sony, but it runs on a non-modded system. It is technically homebrew code. It runs because "crazy taxi" is allowed to run.
- Most titles run from the PS2 hard drive because the system believes that it is native media. That is, it expects that anything found on the hard drive, is there because it is legitimate (FFXI for example). With few exceptions, the only games that do not run from the hard drive are those that are simply trying to access the CD/DVD device directly. It fails an online verification because Sony got wise to the HD trend and watched closely for this when people started playing online. Even most of the homebrew code I've tried will run from the hard drive. This is because the system believes that it should be allowed to run anything that it finds there. No screwdriver or modchip needed (unless you count screwing in the hd when you install it).
- Running games from the CD/DVD could be done by swapping discs. But that's because you didn't have access to any underlying process. In the case of the PSP, we might. While it's not advisable to swap UMDs, it illustrates that we simply have to fool the system into thinking that it's playing by the rules.
- The GBA runs anything it finds on the cart, that has the proper file name. Very different from the PSP, but with the right file characteristics, (ala crazy taxi) we may be in business.
- There is even a similarity here between the PSP and the xbox. They both have a software updatable OS. The xbox turns out to be easily exploitable. And you do not need a mod chip, even to add bigger hard drives. A few games happen to allow the running of unsigned code during their saved game loading routines. Quite by accident. And Bam! You have a modded box. There was even an app that signed xbe files so that homebrew apps could run on an xbox. I never needed it though. And MS does ban users of homebrew code from online play. They've even gone so far as overwriting or erasing it remotely. Food for thought.