PlayStation Portable homebrew: Difference between revisions

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "PlayStation Portable homebrew" – news · newspapers · books · scholar · JSTOR (September 2007) (Learn how and when to remove this message)

PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.

History of homebrew

In April 2005, a DNS redirection trick was discovered in the game Wipeout Pure's content-downloading feature that allowed regular HTML web pages to be displayed in its place. Using this trick, and with a bit of guess work, hackers spotted that navigating to addresses such as file:///disc0:/ would allow files from the UMD to be viewed, thus the discovery of PSPs executable format, the EBOOT, was figured. Using a dumped PSP system ROM image, and the knowledge discovered from the Wipeout disc, the layout of the executable format was successfully reverse-engineered by a hacker "NEM" and the "Saturn Expedition Committee".

In May of the same year, PSPs using the 1.00 version of the firmware were able to execute unsigned code packed in the same format as EBOOT.BIN from Wipeout, but from the /PSP/GAME folder on a Memory Stick. This meant that PSPs could be used to run homebrew software, as there was no mechanism to check if the code had been digitally signed by Sony in this firmware revision (as was similar with the PlayStation and PlayStation 2 consoles - missing security features in first revisions). A proof-of-concept "Hello World" was released to demonstrate this. This resulted in the release of a number of homebrew software, which were all built with the GNU GCC and GNU Binutils, modified to produce code for the PS2 and PSP (MIPS processor devices).

In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images can be written to a Memory Stick Duo and executed, performing in exactly the same way as if they were being read from a UMD.

1.50 homebrew

It was discovered in June 2005 that unsigned code could be run on a firmware with version 1.50. The discovery allowed early US PSP adopters to run homebrew which quickly led to articles appearing in the mainstream.^[1]

Two ways were developed to run unsigned code. First, through the use of an exploit known as "Swaploit", and later, via the safer 'KXPloit'.

Swaploit

Swaploit was released on June 15 2005. It was created by a Spanish team and involved swapping between two memory sticks at the launch of the game, before it crashed with an error, to run the selected homebrew. There were reports of failing memory sticks using this method, but none have been verified.

KXploit

Developed by the Spanish Killer-X, KXploit exploited a misuse of the sprintf function of the PSP by having another folder named exactly the same with a percentage sign after the file name (eg game and game%). The percentage folder contained no data aside from images and a PARAM.SFO. The folder without the % had only a DATA.PSP renamed to EBOOT.PBP, the file containing the code. The problem with this exploit was that corrupted data would show on the memory stick (as well as the normal data). This was because the PSP would only see the program that had a PARAM.SFO file in it, the file inside the % folder. The file with just the program data would be seen as corrupted. However, this was shortly overcome by using two tricks. One would exploit the FAT16 system of the memory stick, and the other involved putting __SCE__ before the name of corrupted folder and %__SCE__ before the name of the normal folder (with the percentage sign at the end removed). Both tricks would remove the corrupted data, because the non-% folder would be invisible to the PSP, and still allow the EBOOT to be run. Many tools exist, like PSP Brew, Sei PSP Tool, and more, that automatically hide the corrupted data and organize any previously installed programs.

No-KXploit Patch

Some users and developers of homebrew complained about having the secondary folders for homebrew, and the corrupted icons that were shown. While there are ways to hide the icons, it is considered a nuisance. One piece of homebrew, called the No-KXploit patch, modified the PSP's firmware in memory (in the RAM), allowing non-KXploited homebrew to be executed directly. The No-KXploit patch itself uses KXploit, to allow it to be run.

The patch does not modify the firmware of the PSP or write to the flash (specifically flash0). It is now (mostly) rendered obsolete by custom firmware, which is designed to allow the execution of homebrew along with the features of the latest firmware.

1.51 and 1.52 homebrew

For slightly over two years there was no method of launching homebrew on firmwares 1.51 and 1.52. Both of these firmwares were very secure at the time and never saw the light of homebrew. There was no way to downgrade these firmwares until Sony released firmware version 2.00 which was later hacked via a .tiff exploit in the photo libraries.

2.00 homebrew

Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, decided to release an update with features that would give people an incentive to update^{[citation needed]}. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper. As 2.00 contained a web browser, it became possible to write programs that would take advantage of the PSP's HTML rendering ability, and its newfound ability to connect to a server on a wireless network.

On September 23, 2005, an exploit, a buffer overrun in the image rendering libraries, was discovered, allowing execution of an unsigned binary file. The method involved the user launching a TIFF file in their photo directory. When the Photo menu was accessed, the binary file was loaded.

Two days later, the first "Hello World" program was released. The size of the binary was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".

A PSP developer by the name of Fanjita created a program called eLoader using the same exploit as the MPH Downgrader, which allowed the user to run unsigned user mode homebrew launched from a menu. This was an alternative to downgrading the PSP to 1.5 using the MPH Downgrader.

Soon after, a new TIFF exploit was found that works with all firmwares up to 2.80.

2.01 - 2.60 homebrew

Moving quickly to fix this exploit, Sony released the version 2.01 firmware on October 3, 2005. This was only a security update and offered no new features.

On September 28, 2005, Cheat Device was released for GTA: Liberty City Stories which exploited a memory bug during loading of save game data. It ran behind Liberty City Stories allowing for various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game. Based on the proof-on-concept provided by the Cheat Device, a "Hello World" was created in December, 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01".

Two days later, the exploit was released for 2.60 firmware, leading to the creation of Tetris for version 2.50 and 2.60. A developers kit was later released. In January, 2006, an EBOOT Loader for 2.01+, and then, a version of the eLoader which supported version 2.60 were released. WiFi connectivity was added on April 2, 2006, due to the discovery of a function that allowed the eLoader to initialize WiFi without kernel mode.

On June 27, 2006, another exploit was discovered in the 2.50 and 2.60 firmware that allowed for kernel mode to be utilized. GTA: Liberty City Stories is still required. The exploit takes advantage of another buffer overflow bug that was added when Sony included an additional security check in the 2.50 firmware.

Furthermore, during June 2006, Rockstar started shipping a version of GTA:LCS that patches the memory bug. The patched UMD also contains a compulsory upgrade to firmware 2.60. It was met with a change of serial number and graphical layout, in the PAL regions.

On August 21, 2006 it was announced that homebrew is possible on 2.0-2.80 by loading a TIFF image. This resulting in launching homebrew on 2.00-2.60 without GTA:LCS using full kernel access. Contrary to popular belief, the exploit itself will not allow code to be executed under the kernel space, but does in fact use the sceKernelLoadExec exploit present in 2.50-2.71, hence why 2.80+ cannot use this exploit.

On September 5, 2006, an EBOOT loader that does not require GTA:LCS, and uses the new TIFF exploit, was released for the 2.00-2.60 firmwares. It still has the same compatibility rate as previous loaders, due to the user mode limitations.

2.70 - 2.71 homebrew

On 25 April 2006, Sony released firmware version 2.70, which directly was believed to have patched the exploit in the GTA savegame. Currently, the libtiff exploit talked about below is now supported by 2.00-2.80 allowing homebrew to be executed. With 2.70 came Macromedia Flash support, and hence a number of PSP Flash games have been created. There have also been various flash portals released to allow flash games and applications to easily be run without adding them to bookmarks.

On 16 August 2006, a vulnerability in libtiff was found and a proof of concept program was released. This new exploit opened the doors for Firmware 2.00 through 2.80 to play homebrew, and was met with the Noobz team whom made a homebrew loader (eLoader) for these firmwares using this exploit.

In late August 2006, the first Hello World program working through the libtiff exploit was released. It runs in kernel mode on firmwares up to 2.71, and user mode in 2.80. Throughout September 2006, hackers released downgraders and homebrew loaders for firmware version 2.71.

2.80 homebrew

On 12 September 2006, Tetris for firmware 2.80 was released, along with an SDK, Tetris being the first homebrew available on 2.80. This was followed just hours later by TIFF pong (edited one day later), followed two days later by more TIFF homebrew. Later the NOOBZ team released eLoader v0.995 "Kriek" with 2.80 support, alongside with xLoader, allowing homebrew EBOOTs to run on 2.80 firmware PSPs.

On 20 December 2006, a new exploit that unlocks kernel access in 2.80 was found by Team C+D and a proof of concept program was released.

So far, homebrew can only be run using a port HEN (Homebrew Enabler) for 2.80 firmware, eLoader v0.995 "Kriek" or later, or xLoader, which patches the PSP to launch homebrew directly from the XMB Game Menu. A downgrader has also been created for this firmware.

2.81 - 3.03 homebrew

On 25 January 2006, a user-mode exploit was discovered, affecting all PSP firmwares from 2.00 to 3.03. A "Hello World" application, called the Goofy Exploit, was subsequently released by the Noobz team, proving that unsigned code could be run on a 2.81+ PSP. The exploit requires an un-patched copy of Grand Theft Auto: Liberty City Stories (it is a variation of the old LCS exploit, exploiting the fact that Sony's patch only affected the save slots 0 - 7 however auto load also loads save games in slot 8 and 9, allowing the same exploit to be used if it's stored in either of these 2 slots).

On 28 January 2006,The Noobz team released the 3.03 HEN for 3.03 users who did not wish to downgrade but wanted the benefits of homebrew on a 3.03 system. This also requires the use of an unpatched Grand Theft Auto: Liberty City Stories UMD. To check if a copy of Grand Theft Auto: Liberty City Stories is unpatched, place the UMD into the drive, and under the UMD symbol, it gives you the option to update. If it says 2.00, it is unpatched. If it has anything else, it's patched.

3.10 - 3.50 homebrew

On 23 June 2007, a new exploit that works on all firmwares up to 3.50 called the "Illuminati exploit" was found. This exploit requires a copy of the game Lumines for it to work.^[2] 3 days later, Noobz made a downgrader which also needed Lumines. Japanese versions of Lumines have been patched and include the 3.51 firmware update.^[3].

3.51+ homebrew

Pandora's Battery & Despertar del Cementerio v1 was released mid-2007. The mechanics of it is simple. The Pandora's Battery is an ordinary battery with the serial code in its EEPROM changed to 0xFFFFFFFF, upon booting the PSP reads this and enables Service Mode. In Service mode, the PSP would boot to the memory stick as its primary source. This allowed users to downgrade any Firmware to 1.50. Soon afterwards, Dark AleX (now known as Team M33) released 3.51 M33. Until his official release of 3.52 M33, he created 7 updates that patched his 3.51 M33. These updates included small patches to fix various errors. Within two months of releasing 3.52 M33, he had created four updates, with the fourth creating one of the most stable and popular custom Firmware's since 3.40 OE-A. Around this time, Sony unveiled the PSP-200x series (PSP Slim). It came standard with 3.60 Firmware. Since the new model PSP did not support any homebrew applications it could not be downgraded just yet. When Sony released 3.71 Firmware, Dark_AleX created Despertar del Cementerio v3. This version of Pandora's Battery allowed any PSP, regardless of model, region, or Firmware, to be upgraded to 3.71 M33-2. Today, there are over six different version of Pandora's Battery, that vary between a GUI, features, and homebrew apps built-in, that are all built on top of Despertar del Cementerio v3. Dark_AleX has also released 3.80 M33, which supports various new features, from official Sony firmwares and also his own additions. The Internet Radio, from official 3.80 firmware works on 3.80 M33. Also, the PS3 connectivity plugins, premo_plugin.prx and premo_plugin.rco can now be used to connect to a PS3 with a firmware 2.10, without the use of 3.71/3.72/3.73 or 3.80 PS3 plugins in firmware 3.71 M33. The new firmware 3.80 M33 also supports downloading official M33 updates via the System Software Update feature on the PSP XMB, previously used for Sony firmware updates. 3.90 m-33 has been released by Dark_AleX incorporating the new skype features.

Decryption

Decryption allows disassembling firmware modules, which in turn allows custom hybrid firmwares to be made, such as the SE/OE/M33 firmwares made by Dark_AleX, and for firmware emulation using Booster's DevHook. Decryption of firmwares is different from being able to downgrade them; decryption allows developers to search through the firmware's system files to look for possible exploits in the code, but decryption on its own does not lead to a downgrader.

Custom firmwares

Custom firmwares used a subset of the commonly known 1.50 firmware to launch a newer firmware with homebrew capabilities, while newer custom firmwares use a custom IPL to launch the firmware and patch it. On firmwares with 1.50 kernel, some less used features are removed in newer versions including "LocationFree Player" and Korean fonts in order to save on internal memory. The firmware adds support for homebrew loading in addition to loading official Sony EBOOTs, integrating an ISO/CSO loader launched from the XMB game menu, and a recovery menu accessible upon boot-up.

1.50 Proof of Concept

In July 2006, a limited 1.50 custom firmware (named a proof of concept) was released by Dark AleX, allowing the execution of version 1.00 EBOOTs, access to a limited recovery mode, and ability to automatically load an application upon start. Other custom firmwares have since been released. Today, there are more developed versions such as "Casual V3" and the SE/OE/M33 firmwares.

2.71 SE (Special Edition)

On 8 October 2006 Dark AleX's custom firmware 2.71 SE-A was released, which utilizes the features of the 2.71 web browser, video features, RSS feeds, WMA capabilities and flash capabilities for the web browser as well as full 1.50 user and kernel homebrew usage and full 2.71 user and kernel homebrew, as well as adding a recovery mode for unbricking "semi-bricked" PSP from bad flashing etc.

An update to this new custom firmware came out on the 24th of the same month. In this update the 2.71 SE-B the major feature is the loading of ISOs and CSOs from the game menu in the XMB. And just two days later was updated to 2.71 SE-B' which includes NO-UMD ISO loading. A few days later, 2.71 SE-B" was released. It allowed the ability to run 2.80+ games, including GTA VCS and it fixed some bugs found in 2.71 SE-B'. The latest version is 2.71 SE-C, which allows to load PRX files directly from the memory stick, enabling the option to safely add new functions to your PSP (like listening to MP3 files while showing photos).

Open Edition versions

3.02 OE

On 21 December 2006 A new custom firmware called "3.02 OE-A" was released by Dark AleX. It contains the same features of 2.71 SE-C, but also includes all 3.02 features excluding the Location Free player and the Korean fonts. New features added to this custom firmware include WMA and Flash Player enabling through the Recovery Menu and cracking the DRM of the PSX emulator, allowing users to share PSX games to other PSP systems.

On 25 December 2006.^[4] An update to the 3.02 OE-A Firmware was released called "3.02 OE-B." Its main feature was the ability to run PSX games from a memory stick using a ripping utility called "popstation" released alongside the new firmware.

3.03 OE

On 4 January 2007 The custom firmware "3.03 OE-A" was released by Dark AleX. It has the same features of 3.02 OE-B along with the ability to run compressed PSX games and support for custom manuals in PSX games. Later on 6 January 2007 3.03 OE-A' also known as 3.03 OE-A2 was released. A new feature in this release is the ability to change the CPU/Bus speed in UMD/ISO games.

On 10 January 2007 A "3.03 OE-B" custom firmware was released by Dark AleX. This custom firmware required 3.03 OE-A/A' firmware to be installed first. A new feature in this release is the ability to play full screen (480 X 272) MP4-AVC videos.

On 25 January 2007 Dark AleX released "3.03 OE-C" custom firmware. This was a major update and thus required a full install. Among the features are using WiFi at 333 MHz, maximum bit-rate limit of MP4-AVC videos is raised from 768 kbit/s to 16384 kbit/s (16 Mbit/s), ability to change the CPU/Bus speed of the XMB, faster cold-boot, as well as several other new features.

3.10 OE

On 4 February 2007 A "3.10 OE-A" custom firmware was released by Dark AleX, allowing screen brightness to the 4th level without having to connect the AC adapter along with the ability to run static ELF homebrew with the 3.10 kernel.

On 6 February 2007 A "3.10 OE-A' / A2" custom firmware was released by Dark AleX, fixing a simple bug in the execution of PSP games including Metal Slug 6 and others. The bug was caused by the incorrect patching of a static ELF in some cases. This was only a minor update, however, and therefore was not needed by everyone running the custom firmware.

3.30 OE

3.30 OE-A was released on April 15 2007 It offers all past features from other custom firmwares, such as all features (except LocationFree Player) built into the official 3.30, functionality as well as 1.50 features, such as ISO/CSO loading and homebrew support. A 3.30 OE-A' update was released on April 20 2007 This release includes a fix to security bug that overwrites certain parts of the RAM and also reintroduces the auto-boot program feature

3.40 OE

3.40 OE was released on April 20 2007 This release includes the same changes made in 3.30 OE-A' except it now uses the 3.40 firmware. It fixed a bug that caused data to be written to random addresses in the PSP's RAM. If the bug caused memory writes to certain kernel functions, the console could potentially be rendered unusable if those functions were accessed. Autoboot, which had been broken since 3.03 OE, was reimplemented. Improvements in the flasher were made to check that the correct DATA.DXAR file is used for an update, thus preventing people using incorrect firmware version data files from rendering their PSP units useless.

Increasing Edition versions

1.62 IE Custom Firmware

In March 2007, user becus25 released 1.62 IE-A. The latest version is 1.62 IE-D. Like custom firmware 1.53, it is based off the 1.5 kernel. Earlier versions of 1.62 IE would often cause bricks when the flash was modified. But updates were soon released fixing the problem. Currently though, 1.62 IE is only compatible with TA-079 motherboards and will brick on TA-082 and later motherboards. Features are similar to other firmwares including recovery mode, autoboot, and flash access. becus25 has also modified the popular app by Booster, Devhook which allows firmwares to run from the memory stick, virtually removing the chance of bricking.

3.02 IE-A Custom Firmware

In July 2007, user becus25 released 3.02 IE-A which incorporated 3.02 OE with some improvements of IE. He later released an update which resolved certain bugs in the initial release.

3.40 IE Custom Firmware

In July 2007 becus25 released his modification of 3.40 OE which includes a new "recovery menu" to use along with the OE one, called 3.40 IE-A. Several days later, becus25 released 3.40 IE-A2, with less chance of bricking, and some bug fixes in the recovery menu. It was met with much negative feedback from the homebrew community, due to the fact that it was, essentially, useless. Because of this, as well as personal issues, becus25 quit making firmware and homebrew.

M33 versions

3.51 M33

On July 14, 2007, Dark_AleX (under the pseudonym "Team M33", claiming to be a Russian hacking team) released a custom firmware called "3.51 M33". This custom firmware was as the time believed to be made by reverse engineering Dark AleX's custom firmwares, thus it includes all the original features of 3.XX-OE, but it runs 3.51 firmware, allowing users to play future games that will one day require 3.51 firmware.

On July 18, 2007, Team M33 released an update called 3.51 M33-4. It added a new No-UMD ISO loading mode and added support for 1.50 plugin loading. It also included earlier bug fixes for ISO loading and WLAN. The next day, 3.51 M33-6 update was released. It added a new No-UMD ISO loading mode using the official ISO loader from Sony, bringing almost 100% No-UMD compatibility. To be compatible, the ISO/CSO in the memory stick has to have less than 56 characters. On July 21, 2007, 3.51 M33-7 was released, which included more bug fixes, mainly in the ISO-loading of various games, however also fixed brightness issues on TA-082/TA-086 motherboards when launching homebrew. A small WiFi patch was also included.

3.51 M33 Expansions and Patches

Several developers have released expansions for 3.51 M33 which feature bugfixes and added features. For example, one such expansion, 3.51 LE-A or "Light Edition" added support for dumping the BOOT.BIN file from UMDs and flash dumping.

3.52 M33

On July 25, 2007, Team M33 released an update to their custom firmware, dubbed 3.52 M33. This update now uses the 3.52 kernel and fixes a bug which prevented Go!Cam, GPS and sceKernelLoadExecVSH from working in GAME mode. It also improves No-UMD compatibility and allows official downloaded PSN titles to play properly, as these weren't supported by 3.51 M33 and some 3.XX OE custom firmwares.

On July 30, 2007, Team M33 released the second edition of 3.52 M33, 3.52 M33-2. Changes are added to this Firmware, which includes; Wi-Fi can work properly now, Chinese is available in the language section, added "Format flash1 and restore settings" option under Advanced, speed option 20 and 100 are added under CPU Speed, PSP cannot be turned off or hibernate in USB mode. document.dat (game manual) can be read in PSX games (was not possible in the first version). The update has also fixed compatibility issues with IrShell (a popular homebrew program).

On August 19, 2007, Team M33 released the third edition of 3.52 M33, 3.52 M33-3. Changes are added to this firmware, which includes: USB access to flash2 and flash3, added processor speeds 75 and 133, added vshmenu which can be used to dump UMDs or access other storage areas from recovery or by pressing menu on XMB, added support for UMD video ISOs, added support for popsloader 3.30. This update included a mechanism to cause the PSP to brick during updating if it detected the update had been modified, this was done in retaliation to the website ps3news rebranding the custom firmware releases as their own work. The website ps3news kept the bricking update on their website for more than 24 hours while censoring forum comments reporting bricked PSPs caused by the modified update.

On August 21, 2007, Team M33 released the fourth edition of 3.52 M33, 3.52 M33-4. Changes are added to this firmware, which includes mainly bugfixes: Fixed the bug that caused CRC error when writing to flash USB in the XMB. The new speeds added in the third edition (75 MHz and 133 MHz) are actually accessible now via the vshmenu and core as they were (and still are) missing in the recovery menu.

3.60 M33

On September 10, 2007 Team M33 released custom firmware 3.60 M33 for the PSP Slim. It was released after the NAND of the PSP Slim was dumped.

Due to incompatibilities with the new motherboard, 3.60 M33 does not contain a 1.50 kernel and thus cannot run homebrew written for 1.50. Currently it can only run homebrew made for the 3.60 kernel but Team M33 stated they would make it compatible with 2.xx kernel homebrew in the near future (Team n00bz later released eLoader 1.000 which could could run most homebrew requiring the 1.50 kernel on the PSP Slim).

3.60 M33 is installed by using a modified version of Pandora's Battery. Special files are written to the "magic" memory stick that is used in conjunction with the battery.

3.71 M33

On September 20, 2007, Team M33 announced that they would be taking "a break", due to the OE leak. The break didn't last long however, and Team M33 (who was revealed to be Dark_AleX along with a group of members)[1] released 3.71 M33 on September 23, 2007 for the original PSP-1000 and the PSP Slim PSP-2000. Once again, 1.50 homebrew is incompatible on the slim, but a kernel patch has been released for the PSP-1000 allowing execution of 1.50 kernel mode homebrew. Also, due to kernel changes in the original firmware, many plugins made for previous firmwares are incompatible. A version 2 of both the 3.71 M33 and the 1.50 add-on were released on October 2, 2007. It fixed some bugs in the previous firmware. On November 8, 2007, Dark_AleX (Team M33) released version 3 of 3.71 again featuring various bug fixes along with an updater POPSloader to include POPS from FW3.71 and FW3.72. On December 12, 2007, Dark_Alex released update 4 for FW3.71 along with a new multi-disc popsloader.

3.80 M33

On January 14, 2008, Team M33 released the 3.80 M33 Custom Firmware . This update features a new network update feature that when enabled will check for M33 firmware updates. When the feature is disabled through the recovery menu, the network update feature operates as it normally does checking for Sony firmware updates. The update also included a "NID Resolver" to improve compatibility of code calling kernel mode functions by re-mapping the old kernel NIDs to the new kernel NIDs. Team M33 also released update 2 on the same day which fixes the scePowerGetClockFrequencyInt NID not being resolved properly. Update 2 additionally fixes a problem with the way PSX eboot icons are displayed if they are 80x80 pixels. a 1.50 Kernel update was also released.

Update 3 was released on January 16, 2008; It fixed a synchronization issue that the plugins check code cause in PSN NP9660 original games. Additional libraries were added to the NID resolver and some internal changes required for the new version of the popsloader which was released on the same day. Update 4 was released on the same day to address a quick bugfix, galaxy.prx was updated because it was causing a problem with slow memory sticks.

Update 5 was released on January 20, 2008; This update fixed an issue where custom CPU clock speed would not be set for games that restart using sceKernelLoadExec (e.g. Castlevania). Additionally an option was added to recovery to hide PIC0.PNG and PIC1.PNG from the XMB, this can improve speed when browsing the games list in XMB.

3.90 M33

3.90 M33 was released on January 31, 2008. This new firmware uses the 3.90 kernel and includes a bug fix for March33 NO UMD. The installer was also improved with the ability to download the 3.90.PBP file as returning a way for the user to bypass the battery check during updating. The 1.50 kernel add-on for PSP-1000 was also released the same day.An update for the M33 version was released on February 08, 2008.

Update 2 was released on February 13, 2008. It involved improvements in plugins loading code which fixed some problems with problematic cards due to filesystem not getting mounted. Also rest of the regions were added to the recovery fake region. Changes were also made in the updater which allowed for stable and faster reading from memory stick.

HX versions

3.72HX-1

On November 06 2007, homebrew developer "_HellDashX_" released the 3.72HX-1 custom firmware. This custom firmware was made by reverse engineering Dark~AleX's 3.71 M33-2 and the adapting it to the 3.72 firmware. It contains all features from 3.71 M33-2 except the 1.50 kernel extension, which was released shortly after. Also a version 2 called 3.72HX-2 has now been released.

3.73HX-1

On November 30 2007, "_HellDashX_" issued a statement that 3.73 HX-1 was created and released on December 12, 2007.

This firmware will have access to the official PSP features and changes, as well the “custom” factor enabling homebrew, etc

Other custom firmwares

1.53 Custom Firmware

On 19 February 2007 A custom firmware was released by Eiffel56. This firmware was called 1.53 to avoid confusion between the official 1.51 and 1.52 firmwares compared to this custom version. This version is built for firmware 1.50 loyalists as not every user wished to upgrade to the SE or OE firmwares. This firmware offered many features offered in the 1.50 Proof of Concept firmware by Dark AleX such as a limited recovery mode, autoboot option, custom PRX loading, launching 1.00 Homebrew eBoots, hiding corrupt data icons and starting ISO files from the XMB.

3.40* LE (Leaked Edition)

On August 08 2007 Team Wildcard released a reverse engineered version to the OE Custom firmware source code. The firmware was released after it was leaked from Team Wildcard's servers. The firmware contains all the features of 3.40 OE but contains features such as a new recovery menu and in XMB recovery access. Many users complained, since it was not 100% complete, it contained many bugs and glitches. The vast majority of the bugs were addressed in subsequent patches to the original firmware, which also added features such as the automatic detection of which kernel should be used to run a program.

1.50 UE

On 12 January 2008 DeathCradle made a Custom Firmware based off of Dark_AleX's 1.50 Proof Of Concept, This Custom Firmware provided a new Recovery, with access to flash0, Flash1 & ms0 (Memory Stick) via USB. It also featured everything of Dark_AleX's 1.50 Proof Of Concept and was also made to take the building pressure off of Team M33 (Dark_AleX & his Crew). It also provided the use of 1.00 Eboots to run and the original 1.50 Eboots.

Downgraders

Downgrader to 1.00

In July 2006 a downgrader was released, allowing 1.50 users to downgrade their PSPs to 1.00. This was a major breakthrough as people believed it would lead to custom firmwares on 1.50, which could allow 2.71+ features with 1.00 EBOOT execution. Many people did not attempt the downgrade, due to decreased compatibility of running homebrew with the older firmware, compared to 1.50.

2.00

The first downgrader created for the PSP was one that would allow users of the 2.00 firmware version to go back to 1.50 using a tiff exploit in the PSP's photo section. This works by changing the version number in the firmware to 1.00 tricking the 1.50 update to think the PSP has a lower firmware than it actually has.

2.01

On 9 September 2006, another way of downgrading firmware 2.01 was released. It functioned in the exact same way as the 2.00 downgrade (swapping index.dat from flash0 to the index.dat from the 1.00 firmware, tricking the PSP into launching the 1.50 update EBOOT) however, it uses a later TIFF exploit (as the one used to downgrade firmware 2.00 was patched in 2.01)

2.50/2.60

On July 1, 2006, a fully functioning 2.50/2.60 to 1.50 downgrader was released. If the PSP had the TA-082 or TA-086 PCB, the downgrader would not work, and would "brick" the PSP.

2.71

This was released on September 01 2006 by Dark AleX. This downgrader used an exploit that took advantage of the libtiff bug in the PSP.

2.71 (TA-082)

This was released on 27 December 2006 by Dark AleX, harleyg and Mathieulh and is similar to the 2.71 downgrader. This downgrader allowed the installation of 1.50 on TA-082 motherboards with 2.71 already installed was released. Previously, this was impossible due to an incompatibility with some IDstorage keys, attempting to write it would brick the PSP.

2.80

The first 2.80 downgrader was released by PSP developer 0okm on 23 December 2006. Many people at first thought that this experimental downgrader would brick PSPs. This was incorrect as many people reported back with success.

On 24 December 2006, a 2.80 easy downgrader was released by csfreakno1 which had far better instructions, in both German & English, its interface also had improvements with its ease of use. The downgrading files it used were the same as 0okm's, but it was put together in such a way to make it more user-friendly. As of this date, the latest version is 0.3 and it has to be run from xLoader. It has been confirmed as working. There are still some improvements needed as it will brick a PSP if it is run from eLoader! (An unofficial leak was found on 23rd December, but this only featured German instructions, but it was still the same downgrader, but with different languages)

On 2 January 2007, a 2.80 -> 2.71 downgrader for TA-082/TA-086 was released by 0okm, allowing PSPs in 2.80 to downgrade to 2.71 then use the Dark AleX TA-082 downgrader to downgrade to 1.50 firmware.

Later the NOOBZ team released a port of Dark AleX's HEN and generic downgrader for firmware 2.80 which was safer than the previous downgraders for 2.80. This downgrader also features TA-082 downgrading by detecting if the motherboard is a TA-082 and change the IDStorage keys if needed before flashing the firmware.

3.03

It had been one month since the 2.71 downgrader and the next expected downgrader was for 2.81, but to everyone's surprise N00bz came out with the 3.03 downgrader. But the problem was that you required an unpatched version (with 2.0 firmware on it) of Grand Theft Auto: Liberty City Stories. This allows anybody who owns a PSP to downgrade to 1.5 and access homebrew.

This exploit, known as the "Goofy" exploit, was also used in the early 2.50/2.60 downgraders, which Sony never patched properly in 3.03. It worked because Sony only patched save slots 1-7 which the user could choose from the Load Game menu. The only thing NOOBZ had to do was move the "hacked" save data to the 8th slot, which was the auto-load slot that was used by the game on startup to automatically load the last saved game.

3.11

In 10 September 2007, Fanjita and the Noobz! team created a 3.11 downgrader, using the Lumines exploit. This downgrader was made for PSPs with patched IdStorage that were unable to upgrade to firmware 3.50.

3.50

On 26 June 2007, the Team released a downgrader using the Illuminati (Lumines) Exploit and an undisclosed kernel exploit for firmware 3.50 PSPs.

All firmwares up to 3.50 have the ability to downgrade, either through upgrading and downgrading, or straight downgrading. The PSP 1007 has not yet been proven to downgrade. Currently using the 3.50 downgrader on PSP 1007 may brick the PSP.

Pandora's Battery

On August 22 2007, Team C+D released the "Pandora's Battery" that can convert a spare Memory Stick Pro Duo and battery into a "Magic Memory Stick" (also known as a JigKick) and a "Pandora Battery". The Memory Stick and battery can then be used to downgrade any PSP of any version or to recover from a brick. To convert the Memory Stick and battery another PSP which is able to run 1.50 homebrew is needed. The Memory Stick can also be converted without using a homebrew PSP by using a Pandora's battery program, such as Pandora Easy GUI. After the downgrade/unbrick service has been completed, the Memory Stick and battery can be restored for normal usage.

A "Pandora Battery" is a battery with the serial number changed to 0xFFFFFFFF. This unlocks the service mode of the PSP and launches the IPL from the Memory Stick (instead of from flash0). A "Magic Memory Stick" consists of a reverse-engineered IPL and a minimal subset of the firmware 1.50 stored on a Memory Stick Pro Duo. This downgrader can downgrade all firmware versions. The original version is incompatible with the PSP Slim & Lite due to the 1.50 IPL being incompatible with PSP Slim & Lite hardware. However, on September 28 2007, a version that works on both the old style PSP and the Slim & Lite was released. The new debricker is called Despertar del Cementerio, and is also known as the Universal Unbricker, which was developed by Dark_Alex. Instead of installing firmware version 1.50, it installs a custom firmware.^[5]

The "Pandora" battery can also be created by lifting the fifth lead of the EEPROM in the battery, circled here. This is somewhat dangerous because it disables the EEPROM entirely, and may have side effects such as overheating.

The battery that is included with the PSP Slim can also be converted into a "Pandora" battery by using the hardware modification method mentioned above. [2]

There is now a method that will enable users of custom firmware above 3.71 M33 which does not automatically have the 1.50 firmware kernel to create a Pandora battery. This method can be found here.

Though Sony advocates against use of any homebrew, representatives have said that the Pandora's Battery will not physically harm the PSP in any manner, As this is the same method used by Sony when customers sent in their bricked PSP's for repair.

Motherboards

Before Sony saw the 2.50/2.60 downgrader they made a new motherboard for the PSP called TA-082 which, when downgrading below firmware 2.50 will result in a corrupted firmware and the PSP will become un-bootable (bricked).

A method of checking whether or not a TA-082 motherboard is installed on a PSP without voiding the warranty is shown here.

On 27 December 2006, a TA-082 downgrader was released by Dark AleX, Mathieulh and harleyg allowing PSPs with 2.71 firmware and TA-082 or TA-086 motherboard to downgrade to 1.50. It appears that the downgraded units behave like any other non-TA-082s and after this process it is possible to upgrade to 2.71 SE, 3.XX OE or any other version of firmware, custom or official. However, problems do exist as a side effect of the downgrade. In order to allow the motherboard accept the 1.50 IPL some keys in the motherboards IDStorage are corrupted. This has led to many problems in downgraded PSPs.

These range from:

• Connection errors in AD-HOC.
• Brightness issues. (Upon the initial boot up of a downgraded TA-082 PSP, users may be greeted by a blank screen. Pressing the brightness button will resolve this issue)
• Battery issues. (If a PSP is shut off under 12% battery the PSP will not restart until the AC adapter is plugged in.)

One of the problems faced was the USBHOSTFS function of the PSP was corrupted after a TA-082 downgrade. The USBHOSTFS function is used in some homebrew programs and communication with the PS3. This however has been fixed in a release from a homebrew developer here. Also Using the NOOBZ 2.80 and 3.03 downgraders does not create this problem since they do not change the IDStorage keys associated with the USBHOSTFS function. Only the 2.71 downgrader corrupts the USBHOSTFS IDStorage keys.

There is a reported fix for these problems found here. The latest version of this is idreset v7 (for people who downgraded using the Dark AleX 2.71 TA-082 downgrader) which is found here or idcopy v1 (for people who downgraded with NOOBZ 2.80 TA-082 downgrader) which is found here. This has been reported to fix most or all of the problems associated with these downgraders. These fixes are for TA-082 and TA-086 PSPs only. It is also possible to use a modified 1.50 IPL to boot the 1.50 on TA-082/TA-086 without modifying IdStorage.

The official Sony updates 3.30+ now check for these corrupted keys, and will refuse to install if it finds them. Users on homebrew enabled PSPs can restore the keys and then upgrade to 3.30+, but those who have corrupt keys and have upgraded to firmwares 3.10 or 3.11 are now stuck. They cannot upgrade to any newer firmware but also cannot use homebrew to change the keys or downgrade. Now that a user-mode exploit has been found on these firmwares (with the Illuminati exploit) it is hoped that this may pave the way towards a kernel mode exploit which would be able to reset the IDStorage keys to allow upgrading. If a kernel mode exploit can not be found the only solutions would be to purchase and install a mod-chip or use the Pandora's Battery as a downgrader.

3.71 M33 Custom Firmware fixes the IDStorage before upgrading. It automatically checks if it is a TA-082/TA-086 before fixing it.

Newer downgraders have been built with these issues in mind. The only problem that remains with the latest downgrader (3.50 "Illuminati" exploit) is the brightness issue. However, a fix (which makes the PSP read from firmware 2.71 files when controlling brightness) can be applied to downgraded PSPs, thereby eliminating this problem as well (However, one must remove these added files prior to using the recovery downgrade / official update otherwise it can results in a brick). Alternatively, some have suggested this could be fixed with keycleaner, it has been reported not resolving the brightness issue. TA-079 up to TA-081 motherboards are not affected by these problems.

The currently released PSP Slim is known to use a TA-085 motherboard, with the recent release of the TA-085 v2 motherboard. The only extra security in this motherboard revision is the inability to write to the PSP battery's EEPROM, so a Pandora battery cannot be created on a TA-085 v2. However, a battery already with the Pandora EEPROM code can still be used, allowing regular custom firmware installation. No other abilities have been discovered yet.

Multi Firmware Module / Modchip

Multi Firmware Module

Multi Firmware Module was announced on April 24 2006 [3]. Multi Firmware Module contained a different PSP firmware to the one onboard the PSP itself and can be booted from, or copied to, the PSP's original NAND flash chip, unbricking the PSP. It was planned for release upon the acquisition of a suitable manufacturer, but it seems like it will never be released.

Undiluted Platinum

The PSP modchip ("Undiluted Platinum") was announced on May 28 2006. It allows the user to run two separate firmwares, one on the PSP itself, and one on the modchip. It also allows the restoration of corrupted firmware ("unbricking"), and so may lead to the creation of custom firmwares, allowing the full range of homebrew, while still being able to play the latest games. However, this chip may not run on all PSP hardware, due to the lower voltage of newer, TA-082, PSP boards.

Undiluted Platinum was released on June 26 2006. However its installation required some very careful soldering, and many users did not wish to install this modchip. On July 23 2006 the custom firmware Epsilon Bios was released, it required the Undiluted Platinum to be used.

The day after Undiluted Platinum's release, a kernel exploit for 2.50 and 2.60 was revealed, aggravating many users who purchased the modchip just to downgrade from those versions.

PSP-Devolution

A new modchip called "PSP-Devolution" is in development state. It seems that it has similar features from the Undiluted Platinum chip, and it will be compatible with all motherboards (TA-079 to TA-086), also providing TA-082 recovery.

According to PSP-Devolution.com, sales of the PSP-Devolution modchip should have commenced on April 16 2007 [4].

A (TA-079 to TA-081) version is now available which runs on 3.3V and on June 6 2007 a version for TA-082+ motherboards was made available which runs on 1.8V. Info at mod-chip.com

PSP modchips have been made obsolete with the creation of Pandora's battery. Many modchip adopters bought their chips to unbrick or downgrade, both functions now available free.

ISO image loader

UMDs can be run from the Memory Stick Duo by utilizing a ripped ISO image.

Three methods of loading ISOs are available: generic loaders, which trick the PSP into thinking the ISO is in fact a UMD in the PSP's drive; game-specific booters, which only allow a particular game to be run; and custom firmware versions since 3.02 OE-B allow the loading of ISOs requiring their respective versions and under with no UMD in the drive.

Through homebrew, developers have also enabled the PSP to load modified versions of ISOs using specially developed programs. Both the DAX and CSO (Compressed ISO) formats are compressions of an ISO image and can be loaded with DaxzISO, 2.71SE-C including all the new OE versions, and DevHook.

On 1 July 2007, it was discovered that firmwares 3.50 and 3.51 contained an official ISO loader found in one of the firmware modules called "np9660.prx". The purpose of this ISO loader appears to be for use of games downloaded from the PSN service.^[6]

Trojans / Brickers

Trojan. PSPBrick

On October 2, 2005, an alternative downgrader was released. The "downgrader" was actually a trojan that, if run on PSP, destroys the firmware and BIOS, resulting in the PSP becoming un-bootable. This was officially reported by Symantec as Trojan.PSPBrick. After the release, many PSP homebrew sites came to a screeching halt to check every bit of homebrew for the trojan, to ensure safety for their users. Normal operation resumed shortly thereafter.

Any files that are based on the toc2rta TIFF exploit (including the EBOOT Loader and the MPH Downgrader) are now seen as trojans by anti-virus programs, even if they are perfectly legitimate.

All in all, there are no viruses that a PSP can catch while using the browser. Many users believe you can, but the viruses that have been released require you to put them on your PSP using a computer.

Trojan. PSPBrick.B

A PSP bricker (see 'Trojan. PSPBrick' above), known as 'SDL test' was circulating for a while. Its effects are the same as above, but is not detected by anti-virus programs. It is now of no threat.

Game compatibility

GTA: Liberty City Stories requires firmware functions only present in 2.00+, and so will not run on lower firmwares. In February 2006, a loader was released, allowing GTA:LCS (and other games required 2.00+) to be run on PSPs below 2.00. In June 2006, a firmware emulator was released, allowing games requiring up to version 2.50 to be run on firmware 1.50. Almost all games made for the PSP now require a firmware update. They require certain files known as PRX's that are in the PSP's flash memory to run. Some games do not require these PRX's and can be executed on lower firmwares by using a version changer. The more common method is to use custom firmware, which allows a more accurate gameplay.

Version changer

A utility was released circumventing the version number check. This utility tricked games by setting the firmware version to a high number (eg 9.99). The UMD would assume its version (usually 2.00+) was older, and so would not attempt to update.

A different standpoint is taken with the "No Update UMD Starter", which instructs the PSP to ignore the update when booting a UMD, and to boot directly into the game.

These methods do not work for games requiring 2.00+, as they depend on modules (.PRX files) included within the firmware in order to function.

Firmware loaders

It is possible to run games specifically for firmware versions 2.00 and above (such as GTA: Liberty City Stories) on previous firmware versions. This is done by using a firmware loader.

The PSP has 11 drives, three of which are external drives, the other being partitions on the NAND:

• ms0 - Memory Stick
• flash0 - Flash Memory (Contains all the firmware files)
• flash1 - Flash Memory (Used to store the XMB settings, network configurations and the background image in 2.00 and above)
• flash2 - Flash Memory In firmwares 3.00 and up, this contains the half of the DRM for Sony's official PS1 emulator (the other half being in the flash0)^[7]
• flash3 - Flash Memory Currently unused and about 1 MiB in size although in custom firmwares it can be used along with flash2 to redirect firmware elements such as fonts.
• flash4 - Upon examination of the 3.71 firmware, it was discovered that there were references to a flash4 and flash5. However, they cannot be mounted. It is suspected that they are unformatted and may be for future use hence why they cannot be read.
• flash5 - same as flash4
• disc0 - UMD Drive
• ipl - Initial Program Load
• irda0 - Infrared Port (Not present in PSP 2000)
• idstorage - Contains the IDStorage keys specific to the PSP hardware. Damage to the keys can result in homebrew and UMDs no longer running.

Files from the BIOS and flash memory (of a different version) are copied to separate folders on the memory stick. The firmware loader proceeds to load these files. Recently, the release of a homebrew program (Devhook) has enabled loading firmware versions 1.50 through 3.11 entirely. It can then load/play UMD games requiring that particular firmware, as well as use the built-in Internet Browser with Adobe Flash support, LocationFree, RSS feeds, ATRAC3/ATRAC3plus, WMA and AVC playback. More information may be found here.

Notable homebrew

Daedalus

Daedalus is a Nintendo 64 emulator written by "StrmnNrmn". When it was initially released, it received a lot of flaming on multiple PSP websites because it ran poorly. Currently, StrmnmNrmn has released 13 editions of Daedalus, which is running well. In his blog, he noted that in R14 (release 14), he would be implementing a media engine that would allow audio to be played along with the game.

iR Shell

iR Shell is an application created by "AhMan". When properly installed on a PSP, it can completely replace the PSP's usual XMB. iR Shell can run applications while using it, and switch back to the iR Shell menu instantly. This means one can combine application's functionality with iR Shell's functionality. iR Shell itself can play MP3s, overclock the PSP, mute other applications' audio, and play its own MP3s while other applications are running. iR Shell comes with a PDF and text reader (Bookr), an unzipping/unraring program, and various other programs. It can launch the PSP's internal web browser, or the XMB and retain the ability to switch programs. iR Shell is named as such because it can use the infrared port on the PSP, making the PSP able to function as a remote control for various IrDA devices. iR Shell can also run dumped images of games. To enable better homebrew access, iR Shell now has two versions of the application, which work together. One version is the 1.5 version of iR Shell, which permits users to run any application as they would normally with a PSP that has firmware version 1.5. The other is the higher firmware version, which permits newer game discs and homebrew to be run. iR Shell can also switch between the two version relatively quickly if a plugin is installed.

DevHook

This application, created by "Booster", can load alternate firmware versions from dumps without affecting the PSP's actual firmware by mounting flash0, flash1 (where the firmware is stored) and the IPL to a directory on the memory stick pro duo, then executing a firmware reboot, which then loads the emulated firmware, without the PSP even knowing. Hence, there is a significantly reduced risk of bricking or damaging the PSP. The user can access all the features of the emulated firmware, including UMDs requiring the firmware version. The latest version of DevHook (v0.52.0100) allows for emulation of 3.11 firmware, and supports limited homebrew launching on said firmware. This emulation of the firmware allows users to have all of the features of the new firmware while keeping the ability to run homebrew on 1.50 or Custom Firmware PSPs. Note: To save space on the memory stick, newer versions of DevHook allow much of the emulated firmware to be stored in the PSP's flash memory. Many people now argue that devhook has been made pointless by the SE/OE/LE/HX/M33 firmwares, which has the features of the most recently decrypted firmware, and also supports ISO loading direct from the XMB[5]

uClinux

A very preliminary port of the uClinux 2.4.19 kernel has been released by Chris Mulhearn. It uses the serial port located next to the headphone jack for console + ttyS0 IO, and boots into a very minimal statically-linked userland built on uClibC and the uclinux-dist userland sources. Currently it has support for the graphics hardware (through a Framebuffer driver supporting both a console as well as SDL for graphics) as well as a Palm IR keyboard. [6]

A port of uClinux 2.6.22-uc2 has been released by Jackson Mo. [7]

CWCheat

It is the first cheating program on the PSP. It allows cheating in UMD Games & ISOs, as well as PSX games (through POPStation on 3.XX OE, 3.XX M33, 3.XX LE & 3.XX HX firmwares) on the PSP. It is functionally similar to legacy cheating devices such as Gameshark and Action Replay. It is also currently the only known homebrew application that allows the conversion of PSP-format PSX memory card files into the format used by popular PC PSX emulators such as ePSXe, allowing a user to migrate their savegames between their desktop PC and PSP.

PSP DOSBOX

PSP DOSBOX allows users to run classic dos titles that they own on their psp. The program has been made to run fairly light on a psp, and will play many classic DOS games. The program also feature the ability to map keys, and run homemade batch files. PSP DOSBOX is a project of the GPL, and is being coded by a user known as crazyc.

Lua Player

Lua for the PlayStation Portable is interpreted with Lua Player. Lua Player can run lua scripts and display them on the Sony PSP. Lua is an easy programming language to learn, that can be used for many different things, but is usually used to make games and applications.

Time Machine

Created by Dark_AleX, Time Machine enables the booting of various firmwares on the PSP utilizing the Pandora's Battery. Currently support firmwares include 1.50 (on the PSP-1000 only), a 1.50/3.40 mix, 3.40 OE (on the PSP-1000 only) and 3.60 M33 (on the PSP-2000 only).It was loaded using a IPL Multiloader, similar to the one that was made by Booster. Therefore, users can choose between which firmware to boot. If no keys were pressed during boot, the loader will boot into the PSP's internal NAND Memory. However, Slim users can only do this if they have the custom firmware 3.90 m33-2 or higher. The IPL Multiloader was loaded using the Pandora battery.

PSPTube

PSPTube for the PSP, as the name implies, allows Youtube playback through WLAN on homebrew-enabled PSP systems. The application supports searching for videos by keyword and saving them to a Memory Stick Pro Duo. Furethermore, it currently allows playback and saving of videos from websites DailyMotion, YouKu, Onsen and Stage6, although the latter has jittery playback. As the application is still in development, new websites may be added.

References

External links

• Dark_AleX (Team M33) Homepage
• LAN.ST PSP development resources forum, Team Wildc*rd forum
• N00bz Website
• PS2DEV Forums PSP development resources forum
• PSP Brew
• PSP Homebrew Database
• PSP News
• PSP Updates
• PSP Vault
• PSP 3D
• Offical "Project4" forum