PlayStation Portable homebrew: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Undid revision 143326637 by 71.12.215.23 (talk)
Line 216: Line 216:
On [[July 23]] [[2006]] the custom firmware [[Epsilon Bios]] was released, it required the [[Undiluted Platinum]] to be used.
On [[July 23]] [[2006]] the custom firmware [[Epsilon Bios]] was released, it required the [[Undiluted Platinum]] to be used.


The day after Undiluted Platinum's release, a kernel exploit for 2.50 and 2.60 was revealed, aggravating many users who purchased the modchip just to downgrade from those versions that are in my pants.
The day after Undiluted Platinum's release, a kernel exploit for 2.50 and 2.60 was revealed, aggravating many users who purchased the modchip just to downgrade from those versions.


===PSP-Devolution===
===PSP-Devolution===
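Review bot: the unchanged context sentence at line 216, "[[Epsilon Bios]] was released, it required the [[Undiluted Platinum]] to be used", is a comma splice that this revert leaves in place; a follow-up edit could change it to "was released; it required ...". The revert itself only drops the trailing "that are in my pants" from the kernel-exploit sentence, and the restored sentence still carries no citation for the claim that purchasers were aggravated.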

Revision as of 18:05, 8 July 2007

PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.

Origins

In April 2005, a DNS redirection trick was discovered in the content-downloading feature of the game Wipeout Pure that allowed regular HTML web pages to be displayed in place of the game's download content. Using this trick, and with a bit of guesswork, hackers found that navigating to addresses such as file:///disc0:/ allowed files on the UMD to be viewed, which led to the discovery of the PSP's executable format, the EBOOT. Using a dumped PSP system ROM image and the knowledge gained from the Wipeout disc, the layout of the executable format was successfully cracked by a hacker known as "NEM" and the "Saturn Expedition Committee".

In May of the same year, PSPs using version 1.00 of the firmware were found to be able to execute unsigned code packed in the same format as EBOOT.BIN from Wipeout, but from the /PSP/GAME folder on a Memory Stick. This meant that PSPs could be used to run homebrew software, as this firmware revision had no mechanism to check whether the code had been digitally signed by Sony (the first revisions of the PlayStation and PlayStation 2 consoles similarly lacked security features). A proof-of-concept "Hello World" was released to demonstrate this. This resulted in the release of a number of homebrew programs, all built with GNU GCC and GNU Binutils modified to produce code for the PS2 and PSP (MIPS processor devices).

In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images can be written to a Memory Stick Duo and executed, performing in exactly the same way as if they were being read from a UMD.

1.50 homebrew

It was discovered in June 2005 that unsigned code could be run on firmware version 1.50. The discovery allowed early US PSP adopters to run homebrew, which quickly led to articles appearing in the mainstream.[1]

Two ways were developed to run unsigned code: first, through the use of an exploit known as "Swaploit", and later, via the safer "KXploit".

Swaploit

Swaploit was released on June 15 2005. It was created by a Spanish team and involved swapping between two memory sticks at the launch of the game, before it crashed with an error, to run the selected homebrew. There were reports of failing memory sticks using this method, but none have been verified.

KXploit

Developed by the Spanish Killer-X, KXploit exploited a misuse of the sprintf function of the PSP. It used two folders with exactly the same name, one of them with a percent sign appended (e.g. game and game%). The % folder contained no data aside from images and a PARAM.SFO. The folder without the % contained only a DATA.PSP, the file holding the code. The problem with this exploit was that a corrupted data entry would show on the Memory Stick (as well as the normal entry). This was because the PSP would only recognise the program that had a PARAM.SFO file, which was inside the % folder; the folder with just the program data was seen as corrupted. However, this was shortly overcome by using two tricks. One exploited the FAT16 file system of the Memory Stick, and the other involved putting __SCE__ before the name of the corrupted folder and %__SCE__ before the name of the normal folder (with the percent sign at the end removed). Both tricks removed the corrupted entry, because the non-% folder became invisible to the PSP, while still allowing the EBOOT to be run. Many tools, such as PSP Brew and Sei PSP Tool, automatically hide the corrupted data and organize previously installed programs.

No-KXploit Patch

Some users and developers of homebrew complained about having the secondary folders for homebrew, and the corrupted icons that were shown. While there are ways to hide the icons, it is considered a nuisance. One piece of homebrew, called the No-KXploit patch, modified the PSP's firmware in memory (in the RAM), allowing non-KXploited homebrew to be executed directly. The No-KXploit patch itself is KXploited, to allow it to be run.

The patch does not modify the firmware of the PSP or write to the flash (specifically flash0). It is now (mostly) rendered obsolete by custom firmware, which is designed to allow the execution of homebrew.

1.51 and 1.52 homebrew

For slightly over two years there was no method of launching homebrew on firmwares 1.51 and 1.52. This changed when the Noobz team released the Illuminati exploit on 23 June 2007. This exploit works on all firmwares, as it is launched from the Lumines UMD, which will play on all firmwares 1.00+.

Before the Illuminati exploit was found there were many rumours about running homebrew which were claimed as fact, usually involving the DATA.PSAR file from an official update to 1.51. However, nothing came from these rumours.

2.00 homebrew

Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, decided to release an update with features that would give people an incentive to update. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper. As 2.00 contained a web browser, it became possible to write programs that would take advantage of the PSP's HTML rendering ability, and its newfound ability to connect to a server on a wireless network.

On September 23, 2005, an exploit, a buffer overrun in the image rendering libraries, was discovered, allowing execution of an unsigned binary file. The method involved the user setting a PNG image as their background and a TIFF file in their photo directory. When the Photo menu was accessed, the binary file was loaded.

Two days later, the first "Hello World" program was released. The size of the binary was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".

On September 28, 2005, a successful downgrader, the MPH Downgrader, was released. This would change the system's version number to 1.00, tricking the PSP into allowing the 1.50 update.

A PSP developer by the name of Fanjita created a program called eLoader, using the same exploit as the MPH Downgrader, which allowed the user to run unsigned user-mode homebrew launched from a menu. This was an alternative to downgrading the PSP to 1.5 using the MPH Downgrader.

Soon after, a new TIFF exploit was found that works with all firmwares up to 2.80.

2.01 - 2.60 homebrew

Moving quickly to fix this exploit, Sony released the version 2.01 firmware on October 3, 2005. This was only a security update and offered no new features.

On September 28, 2005, Cheat Device was released for GTA: Liberty City Stories, which exploited a memory bug during saving. It ran behind Liberty City Stories, allowing for various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game. Based on the proof-of-concept provided by the Cheat Device, a "Hello World" was created in December 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01". (Despite the name, this game was not authorized by The Tetris Company.)

Two days later, the exploit was released for 2.60 firmware, leading to the creation of Tetris for version 2.50 and 2.60. A developer's kit was later released. In January 2006, an EBOOT Loader for 2.01+ and then a version of the eLoader which supported version 2.60 were released. WiFi connectivity was added on April 2, 2006, due to the discovery of a function that allowed the eLoader to initialize WiFi without kernel mode.

On June 27, 2006, another exploit was discovered in the 2.50 and 2.60 firmware that allowed kernel mode to be utilized. GTA: Liberty City Stories is still required. The exploit takes advantage of another buffer overflow bug that was added when Sony included an additional security check in the 2.50 firmware. Three days later, a fully functioning 2.50/2.60 to 1.50 downgrader was released. If the PSP had the TA-082 PCB, the downgrader would not work, and would "brick" the PSP.[2] This was due to a protection implemented in newer motherboards. It is now possible to downgrade TA-082s on other firmwares, including 2.71, 2.80 and 3.03.

In August, it was reported that a successful downgrade on a TA-082 to the 1.50 firmware was achieved. It takes 45 minutes and an image must be dumped that is specific to one's own PSP device. No other details have been announced.[2]

Furthermore, during June 2006, Rockstar started shipping a version of GTA:LCS that patches the memory bug. The patched UMD also contains a compulsory upgrade to firmware 2.60. In the PAL regions, the patched release came with a changed serial number and graphical layout.

On 21 August 2006 it was announced that homebrew is possible on 2.0-2.80 by loading a TIFF image. This resulted in homebrew being launched on 2.00-2.60 without GTA:LCS, using full kernel access. Contrary to popular belief, the exploit itself will not allow code to be executed in kernel space; it instead uses the sceKernelLoadExec exploit present in 2.50-2.71, which is why 2.80+ cannot use this exploit.

On 5 September 2006, an EBOOT loader that does not require GTA:LCS, and uses the new TIFF exploit, was released for the 2.00-2.60 firmwares. It still has the same compatibility rate as previous loaders, due to the user mode limitations.

On 9 September 2006, an easier way of downgrading firmware 2.01 was released. It functioned in exactly the same way as the 2.00 downgrade (swapping index.dat in flash0 for the index.dat from the 1.00 firmware, tricking the PSP into launching the 1.50 update EBOOT). However, it uses the new TIFF exploit, as the one used to downgrade firmware 2.00 was patched in 2.01.

2.70 - 2.71 homebrew

On 25 April 2006, Sony released firmware version 2.70, which was believed to have directly patched the exploit in the GTA savegame. The libTIFF exploit discussed below now works on 2.00-2.80, allowing homebrew to be executed. With 2.70 came Macromedia Flash support, and hence a number of PSP Flash games have been created. There have also been various Flash portals released to allow Flash games and applications to be run easily without adding them to bookmarks.

On 16 August 2006, a vulnerability in libtiff was found and a proof-of-concept program was released. This new exploit opened the doors for firmware 2.00 through 2.80 to play homebrew, and the Noobz team made a homebrew loader (eLoader) for these firmwares using this exploit.

On 21 August 2006, it was announced that a new overflow had been discovered in the LibTIFF image libraries of the PSP, in all versions upwards of 2.00.

In late August 2006, the first Hello World program working through the LibTIFF exploit was released. It runs in kernel mode on firmwares up to 2.71, and user mode in 2.80. Throughout September 2006, hackers released downgraders and homebrew loaders for firmware version 2.71.

2.80 homebrew

On 12 September 2006, Tetris for firmware 2.80 was released, along with an SDK, Tetris being the first homebrew available on 2.80. This was followed just hours later by TIFF Pong (edited one day later), and two days later by more TIFF homebrew. Later the NOOBZ team released eLoader v0.995 "Kriek" with 2.80 support, along with xLoader, allowing homebrew EBOOTs to run on 2.80 firmware PSPs.

On 20 December 2006, a new exploit that unlocks kernel access in 2.80 was found by Team C+D and a Proof of Concept program was released.

So far, homebrew can only be run using a port of HEN for 2.80 firmware, eLoader v0.995 "Kriek" or later, or xLoader, which patches the PSP to launch homebrew directly from the XMB Game Menu. A downgrader has also been created for this firmware.

2.81 - 3.03 homebrew

[Image: Screenshot of the Goofy Exploit]

On 25 January 2007, a user-mode exploit was discovered, affecting all PSP firmwares from 2.00 to 3.03. A "Hello World" application, called the Goofy Exploit, was subsequently released by the Noobz team, proving that unsigned code could be run on a 2.81+ PSP. The exploit requires an unpatched copy of Grand Theft Auto: Liberty City Stories. It is a variation of the old LCS exploit, relying on the fact that Sony's patch only affected save slots 0 - 7; however, auto load also loads save games in slots 8 and 9, allowing the same exploit to be used if it is stored in either of these two slots.
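The gap described above, where a check is added on the path that loads slots 0 - 7 while auto load still reaches the old parser for slots 8 and 9, is shown below as an added example; it is not code from the game, from Sony or from the Noobz team. The save layout, the slot-selection rule (highest non-empty slot first) and every function name are hypothetical, and the unchecked parser reports the out-of-bounds copy instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical save layout, constructed for this example: a 16-bit
 * little-endian length followed by that many bytes of player name. */
#define NAME_MAX    16
#define MENU_SLOTS   8   /* slots 0-7: offered by the load menu    */
#define TOTAL_SLOTS 10   /* slots 0-9: all considered by auto load */

struct save_blob { const uint8_t *data; size_t size; };
enum load_result { LOAD_OK = 0, LOAD_REJECTED = -1, LOAD_WOULD_OVERFLOW = -2 };

/* Declared name length, or -1 when the blob is empty or truncated. */
static long declared_len(const struct save_blob *b)
{
    if (b->data == NULL || b->size < 2) return -1;
    long n = b->data[0] | (b->data[1] << 8);
    return ((size_t)n + 2 <= b->size) ? n : -1;
}

/* Original parser: trusts the length field. This model reports the
 * out-of-bounds copy instead of performing it, so it is safe to run. */
static enum load_result parse_unchecked(const struct save_blob *b, char *name)
{
    long n = declared_len(b);
    if (n < 0) return LOAD_REJECTED;
    if (n > NAME_MAX) return LOAD_WOULD_OVERFLOW; /* real code would write past name[] */
    memcpy(name, b->data + 2, (size_t)n);
    name[n] = '\0';
    return LOAD_OK;
}

/* Checked parser: the bound is enforced where the copy happens. */
static enum load_result parse_checked(const struct save_blob *b, char *name)
{
    long n = declared_len(b);
    if (n < 0 || n > NAME_MAX) return LOAD_REJECTED;
    memcpy(name, b->data + 2, (size_t)n);
    name[n] = '\0';
    return LOAD_OK;
}

/* Patched entry point: only slots 0-7 are accepted, and they are checked. */
enum load_result menu_load_patched(const struct save_blob *slots, int slot, char *name)
{
    if (slot < 0 || slot >= MENU_SLOTS) return LOAD_REJECTED;
    return parse_checked(&slots[slot], name);
}

/* Partial fix: auto load still hands slots 8 and 9 to the old parser. */
enum load_result auto_load_partial(const struct save_blob *slots, char *name)
{
    for (int s = TOTAL_SLOTS - 1; s >= 0; s--) {
        if (slots[s].size == 0) continue;          /* empty slot */
        return (s < MENU_SLOTS) ? parse_checked(&slots[s], name)
                                : parse_unchecked(&slots[s], name);
    }
    return LOAD_REJECTED;
}

/* Complete fix: every slot goes through the checked parser; a slot that
 * fails validation is skipped and the next one is tried. */
enum load_result auto_load_fixed(const struct save_blob *slots, char *name)
{
    for (int s = TOTAL_SLOTS - 1; s >= 0; s--) {
        if (slots[s].size == 0) continue;
        if (parse_checked(&slots[s], name) == LOAD_OK) return LOAD_OK;
    }
    return LOAD_REJECTED;
}

/* Constructed sample data: a well-formed save in slot 0 and a save with
 * an oversized declared length in slot 9. `name` needs NAME_MAX + 1 bytes. */
int demo(int path, char *name)
{
    static const uint8_t good[] = { 6, 0, 'P', 'L', 'A', 'Y', 'E', 'R' };
    static uint8_t oversized[2 + 64];
    struct save_blob slots[TOTAL_SLOTS] = { { NULL, 0 } };

    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 64;
    oversized[1] = 0;
    slots[0] = (struct save_blob){ good, sizeof good };
    slots[9] = (struct save_blob){ oversized, sizeof oversized };
    name[0] = '\0';

    switch (path) {
    case 0:  return menu_load_patched(slots, 0, name);
    case 1:  return menu_load_patched(slots, 9, name);
    case 2:  return auto_load_partial(slots, name);
    default: return auto_load_fixed(slots, name);
    }
}

int main(void)
{
    char name[NAME_MAX + 1];
    for (int path = 0; path < 4; path++)
        printf("path %d -> %d\n", path, demo(path, name));
    return 0;
}
```

Placing the bound inside the shared parser, rather than at one caller, is what closes the path through slots 8 and 9 in this model.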

On 28 January 2007, the Noobz team released the 3.03 HEN and downgrader. However, this wasn't until after a beta version had been leaked earlier on the web. It is highly encouraged to stay away from this "sure-brick" and only use the files listed on team Noobz's official website.

Also released alongside the downgrader was a release of HEN (Homebrew Enabler) for 3.03 users who did not wish to downgrade but wanted the benefits of homebrew on a 3.03 system. This also requires the use of an unpatched Grand Theft Auto: Liberty City Stories UMD. To check if your copy of Grand Theft Auto: Liberty City Stories is unpatched, place the UMD into the drive, and under the UMD symbol, it gives you the option to update. If it says 2.00, it is unpatched. If it has anything else, it's patched.

3.10 - 3.50 homebrew

On 23 June 2007, a new exploit that works on all firmwares up to 3.50, called the "Illuminati exploit", was found. This exploit requires a copy of the game Lumines for it to work. Later NOOBZ released HEN and a downgrader for 3.50.[3] This downgrader only downgrades firmware 3.50; therefore, any PSP with firmware above 3.03 needs to be upgraded to 3.50 before it can be downgraded.

On 29 June 2007, Sony released PSP update 3.51, which was only available through network update. It includes a security patch for the Illuminati exploit and an icon for the PlayStation Store (when clicked, it displays "coming soon in fall 2007").

3.51+ homebrew

There is no homebrew for 3.51. This is the only firmware that cannot be downgraded.

On July 1, 2007, it was mentioned on PSPGen.com that MathieuLH and Dark_AleX have already started work on custom firmware version 3.51 OE, which will have 100% No-UMD support. Dark_AleX will also implement a patch to utilize the np9660.prx module, which is apparently an official ISO loader.

On July 2, 2007, Dark_AleX posted on his website that he had decided to end his homebrew development, fearing pressure from Sony.

Decryption

Decryption allows disassembling firmware modules, which in turn allows custom hybrid firmwares to be made, such as the SE/OE firmwares made by Dark AleX, and for firmware emulation using Booster's DevHook. Decryption of firmwares is different from being able to downgrade them; decryption allows developers to search through the firmware's system files to look for possible exploits in the code, but decryption on its own does not lead to a downgrader.

The decryption of firmwares 3.10 and 3.11 was done in record time, as they were both decrypted by Team C+D on the day of release despite new encryption keys being used by Sony (on firmware 3.10).[4] Firmware 3.30 was decrypted by Team C+D just a few days after it was released. Firmwares 3.40 and 3.50 use the same encryption keys as 3.30, so they were decrypted as soon as they were released, using the same program with a minor adjustment to the source.

Custom firmwares

1.50 Proof of Concept

In July 2006, a limited 1.50 custom firmware (named a proof of concept) was released by Dark AleX, allowing the execution of version 1.00 EBOOTs, access to a limited recovery mode, and ability to automatically load an application upon start. Other custom firmwares have since been released. Today, there are more developed versions such as "Casual V3" and the SE/OE firmwares.

2.71 SE

On 8 October 2006, Dark_AleX's custom firmware 2.71 SE-A was released. It provides the features of 2.71 (web browser, video features, RSS feeds, WMA capabilities and Flash capabilities for the web browser) together with full 1.50 user and kernel homebrew usage and full 2.71 user and kernel homebrew, and adds a recovery mode for unbricking "semi-bricked" PSPs after bad flashing, etc.

An update to this new custom firmware came out on the 24th of the same month. The major feature of this update, 2.71 SE-B, is the loading of ISOs and CSOs from the game menu in the XMB. Just two days later it was updated to 2.71 SE-B', which includes NO-UMD ISO loading. A few days later, 2.71 SE-B" was released. It added the ability to run 2.80+ games, including GTA VCS, and fixed some bugs found in 2.71 SE-B'. The latest version is 2.71 SE-C, which allows PRX files to be loaded directly from the memory stick, making it possible to safely add new functions to the PSP (like listening to MP3 files while showing photos).

3.XX OE

3.02 OE

On 21 December 2006, a new custom firmware called "3.02 OE-A" was released by Dark_AleX. It contains the same features as 2.71 SE-C, but also includes all 3.02 features excluding the Location Free player and the Korean fonts. New features added to this custom firmware include enabling WMA and Flash Player through the Recovery Menu and cracking the DRM of the PSX emulator, allowing users to share PSX games with other PSP systems.

On 25 December 2006,[5] an update to the 3.02 OE-A firmware was released, called "3.02 OE-B". Its main feature was the ability to run PSX games from a memory stick using a ripping utility called "popstation", released alongside the new firmware.

3.03 OE

On 4 January 2007, the custom firmware "3.03 OE-A" was released by Dark_AleX. It has the same features as 3.02 OE-B along with the ability to run compressed PSX games and support for custom manuals in PSX games. Later, on 6 January 2007, 3.03 OE-A', also known as 3.03 OE-A2, was released. A new feature in this release is the ability to change the CPU/Bus speed in UMD/ISO games.

On 10 January 2007, a "3.03 OE-B" custom firmware was released by Dark_AleX. This custom firmware required 3.03 OE-A/A' firmware to be installed first. A new feature in this release is the ability to play full-screen (480 x 272) MP4-AVC videos.

On 25 January 2007, Dark_AleX released the "3.03 OE-C" custom firmware. This was a major update and thus required a full install. Among the features are WiFi use at 333 MHz, a maximum bit-rate limit for MP4-AVC videos raised from 768 kbit/s to 16384 kbit/s (16 Mbit/s), the ability to change the CPU/Bus speed of the XMB, and a faster cold boot, as well as several other new features.

3.10 OE

On 4 February 2007, a "3.10 OE-A" custom firmware was released by Dark_AleX, allowing the screen brightness to be set to the 4th level without having to connect the AC adapter, along with the ability to run static ELF homebrew with the 3.10 kernel.

On 6 February 2007, a "3.10 OE-A' / A2" custom firmware was released by Dark_AleX, fixing a simple bug in the execution of PSP games including Metal Slug 6 and others. The bug was caused by the incorrect patching of a static ELF in some cases. This was only a minor update, however, and therefore was not needed by everyone running the custom firmware.

3.30 OE

3.30 OE-A was released on April 15 2007. It offers all the features of past custom firmwares, including all features built into the official 3.30 (except LocationFree Player) as well as 1.50 functionality such as ISO/CSO loading and homebrew support. A 3.30 OE-A' update was released on April 20 2007. This release includes a fix for a security bug that overwrites certain parts of the RAM and also reintroduces the auto-boot program feature.

3.40 OE

3.40 OE was released on April 20 2007. This release includes the same changes made in 3.30 OE-A', except that it now uses the 3.40 firmware. It fixed a bug that caused data to be written to random addresses in the PSP's RAM. If the bug caused memory writes to certain kernel functions, the console could be rendered unusable when those functions were accessed. Autoboot, which has been broken since 3.03OE, has been reimplemented. The flasher now checks that the DATA.DXAR file is the correct one for the update, thus preventing people from using data files for the wrong firmware version and rendering their PSP units useless.

1.53 Custom Firmware

On 19 February 2007, a custom firmware was released by Eiffel56. This firmware was called 1.53 to avoid confusion between the official 1.51 and 1.52 firmwares and this custom version. This version is built for firmware 1.50 loyalists, as not every user wished to upgrade to the SE or OE firmwares. This firmware offered many features of the 1.50 Proof of Concept firmware by Dark_AleX, such as a limited recovery mode, an autoboot option, custom PRX loading, launching 1.00 homebrew EBOOTs, hiding corrupt data icons and starting ISO files from the XMB.

1.62 IE Custom Firmware

In March 2007, user becus25 released 1.62 IE-A. The latest version is 1.62 IE-D. Like custom firmware 1.53, it is based on the 1.5 kernel. Earlier versions of 1.62 IE would often cause bricks when the flash was modified, but updates were soon released fixing the problem. Currently, though, 1.62 IE is only compatible with TA-079 motherboards and will brick on TA-082 and later motherboards. Features are similar to other firmwares, including recovery mode, autoboot, and flash access. Becus25 has also modified DevHook, the popular app by Booster, which allows firmwares to run from the memory stick, virtually removing the chance of bricking.

3.02 IE-A Custom Firmware

In July 2007, user becus25 released 3.02 IE-A which incorporated 3.02 OE with some improvements of IE. He later released an update which resolved certain bugs in the initial release.


Downgraders

The very first downgrader created for the PSP was one that allowed users of the 2.00 firmware version to go back to 1.50 using a TIFF exploit in the PSP's photo section. This works by changing the version number in the firmware to 1.00, tricking the 1.50 update into thinking the PSP has a lower firmware than it actually has.
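The version check described above trusts a number that the running software can rewrite. As an added example (not code from Sony's updater or from any downgrader), the model below puts that check beside one that also consults a minimum version that can only increase; the device structure, the write-once floor and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical device model, constructed for this example. */
struct device {
    char flash_version[8];  /* version string kept in writable flash     */
    int  rollback_floor;    /* lowest version ever allowed again; assumed */
                            /* to live in storage that can only increase  */
};

/* Parse "M.mm" (e.g. "2.00") into M*100 + mm; -1 if malformed. */
int parse_version(const char *s)
{
    if (s == NULL || strlen(s) != 4 || s[1] != '.') return -1;
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[2]) ||
        !isdigit((unsigned char)s[3])) return -1;
    return (s[0] - '0') * 100 + (s[2] - '0') * 10 + (s[3] - '0');
}

/* Weak gate: the only evidence of the installed version is a string that
 * software running on the device can rewrite. */
int updater_accepts_weak(const struct device *d, const char *offered)
{
    int have = parse_version(d->flash_version);
    int want = parse_version(offered);
    return have >= 0 && want >= 0 && want > have;
}

/* Hardened gate: the offered version must also be at or above the floor,
 * so rewriting flash_version cannot make an older update acceptable. */
int updater_accepts_hardened(const struct device *d, const char *offered)
{
    int have = parse_version(d->flash_version);
    int want = parse_version(offered);
    if (want < 0 || want < d->rollback_floor) return 0;
    return have < 0 || want > have;   /* a corrupt string still permits recovery */
}

/* Record an installed version and raise the floor; it never goes down. */
void install(struct device *d, const char *version)
{
    int v = parse_version(version);
    if (v < 0) return;
    snprintf(d->flash_version, sizeof d->flash_version, "%s", version);
    if (v > d->rollback_floor) d->rollback_floor = v;
}

/* Constructed scenario: a device on 2.00, optionally with its version
 * string rewritten to 1.00, is offered an update. Returns 1 if accepted. */
int scenario(int hardened, int tampered, const char *offered)
{
    struct device d = { "", 0 };
    install(&d, "2.00");
    if (tampered)
        snprintf(d.flash_version, sizeof d.flash_version, "%s", "1.00");
    return hardened ? updater_accepts_hardened(&d, offered)
                    : updater_accepts_weak(&d, offered);
}

int main(void)
{
    printf("weak, untampered, 1.50 offered: %d\n", scenario(0, 0, "1.50"));
    printf("weak, tampered,   1.50 offered: %d\n", scenario(0, 1, "1.50"));
    printf("hard, tampered,   1.50 offered: %d\n", scenario(1, 1, "1.50"));
    printf("hard, tampered,   2.01 offered: %d\n", scenario(1, 1, "2.01"));
    return 0;
}
```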

In July 2006 a downgrader was released, allowing 1.50 users to downgrade their PSPs to 1.00. This was a major breakthrough as people believed it would lead to custom firmwares on 1.50, which could allow 2.71+ features with 1.00 EBOOT execution. Many people did not attempt the downgrade, due to decreased compatibility of running homebrew with the older firmware, compared to 1.50.

2.71

This was released on September 01 2006 by Dark_AleX. This downgrader used an exploit that took advantage of a "libtiff" file bug in the PSP.

2.71 (TA-082)

This was released on 27 December 2006 by Dark_AleX, harleyg and Mathieulh and is similar to the 2.71 downgrader. This downgrader allowed the installation of 1.50 on TA-082 motherboards with 2.71 already installed. Previously, this was impossible due to an incompatibility with some IDStorage keys; attempting to write it would brick the PSP.

2.80

The first 2.80 downgrader was released by PSP developer 0okm on 23 December 2006. Many people at first thought that this experimental downgrader would brick PSPs. This was incorrect, as many people reported back with success.

On 24 December 2006, a 2.80 easy downgrader was released by csfreakno1. It had far better instructions, in both German and English, and its interface was also easier to use. The downgrading files it used were the same as 0okm's, but they were put together in a more user-friendly way. As of this date, the latest version is 0.3 and it has to be run from xLoader. It has been confirmed as working. There are still some improvements needed, as it will brick a PSP if it is run from eLoader! (An unofficial leak was found on 23 December; it was the same downgrader but featured only German instructions.)

On 2 January 2007, a 2.80 -> 2.71 downgrader for TA-082/TA-086 was released by 0okm, allowing PSPs in 2.80 to downgrade to 2.71 then use the Dark_AleX TA-082 downgrader to downgrade to 1.50 firmware.

Later the NOOBZ team released a port of Dark_AleX's HEN and a generic downgrader for firmware 2.80, which was safer than the previous downgraders for 2.80. This downgrader also supports TA-082 downgrading by detecting whether the motherboard is a TA-082 and changing the IDStorage keys if needed before flashing the firmware.

3.03

It had been one month since the 2.71 downgrader, and the next expected downgrader was for 2.81, but to everyone's surprise N00bz came out with the 3.03 downgrader. The problem was that it required an unpatched version (with 2.0 firmware on it) of Grand Theft Auto: Liberty City Stories. This allows anybody who owns a PSP to downgrade to 1.5 and access homebrew.

All firmwares up to 3.03 have the ability to downgrade, either through upgrading and downgrading, or straight downgrading. The PSP 1007 has not yet been proven to downgrade. Currently using the 3.03 downgrader on PSP 1007 may brick the PSP.

3.50

On the 25th of June, a video was filmed at a store in Shenzhen, China, that apparently shows a PSP with firmware 3.50 being downgraded. The exact method by which the downgrade was achieved is still unclear. In fact, the authenticity of the downgrade itself is still in doubt, as the person performing the downgrade gave instructions to the one filming about certain areas he did not want shown in the footage.

On 26 June 2007, the NOOBZ Team released a downgrader using the Illuminati (Lumines) Exploit and an undisclosed kernel exploit for firmware 3.50 PSPs.

On 29 June 2007, Sony released PSP update 3.51, which includes a security patch and a PlayStation Store icon, which when clicked displays "Coming in Fall of 2007". As of now it can only be downloaded through network update. This patches the Illuminati exploit, and is the only firmware that cannot be downgraded.

Motherboards

Before Sony saw the 2.50/2.60 downgrader, they made a new motherboard for the PSP called TA-082. When a downgrade below firmware 2.50 is attempted on it, the firmware becomes corrupt and the PSP becomes un-bootable (bricked).

Recently it has been discovered by 0okm that Sony has released a new motherboard called TA-086 but it is still unclear what changes it has from the TA-082 motherboard.

A method of checking whether or not a TA-082 motherboard is installed on a PSP without voiding the warranty is shown here.

On 27 December 2006, a TA-082 downgrader was released by Dark_AleX, Mathieulh and harleyg, allowing PSPs with 2.71 firmware and a TA-082 or TA-086 motherboard to downgrade to 1.50. It appears that the downgraded units behave like any other non-TA-082s, and after this process it is possible to upgrade to 2.71 SE, 3.XX OE or any other version of firmware, custom or official. However, problems do exist as a side effect of the downgrade. In order to allow the motherboard to accept the 1.50 IPL, some keys in the motherboard's IDStorage are corrupted. This has led to many problems in downgraded PSPs.

These range from:

  • Connection errors in AD-HOC.
  • Brightness issues. (Upon the initial boot up of a downgraded TA-082 PSP, users may be greeted by a blank screen. Pressing the brightness button will resolve this issue)
  • Battery issues. (If a PSP is shut off under 12% battery the PSP will not restart until the AC adapter is plugged in.)

One of the problems faced was that the USBHOSTFS function of the PSP was corrupted after a TA-082 downgrade. The USBHOSTFS function is used in some homebrew programs and in communication with the PS3. This, however, has been fixed in a release from a homebrew developer, available here. Also, using the NOOBZ 2.80 and 3.03 downgraders does not create this problem, since they do not change the IDStorage keys associated with the USBHOSTFS function. Only the 2.71 downgrader corrupts the USBHOSTFS IDStorage keys.

There is a reported fix for these problems found here. The latest version of this is idreset v7 (for people who downgraded using the Dark_AleX 2.71 TA-082 downgrader) which is found here or idcopy v1 (for people who downgraded with NOOBZ 2.80 TA-082 downgrader) which is found here. This has been reported to fix most or all of the problems associated with these downgraders. These fixes are for TA-082 and TA-086 PSPs only.

The official Sony updates 3.30+ now check for these corrupted keys, and will refuse to install if they find them. Users on homebrew-enabled PSPs can restore the keys and then upgrade to 3.30+, but those who have corrupt keys and have upgraded to firmwares 3.10 or 3.11 are now stuck. They cannot upgrade to any newer firmware, but also cannot use homebrew to change the keys or downgrade. Now that a user-mode exploit has been found on these firmwares (with the Illuminati exploit), it is hoped that this may pave the way towards a kernel-mode exploit which would be able to reset the IDStorage keys to allow upgrading. If a kernel-mode exploit cannot be found, the only solution would be to purchase and install a mod-chip.

TA-079 up to TA-081 motherboards are not affected by these problems.

Multi Firmware Module / Modchip

Multi Firmware Module

Multi Firmware Module was announced on Apr 24 2006 [1]. Multi Firmware Module contains a different PSP firmware to the one onboard the PSP itself and can be booted from, or copied to, the PSP's original NAND flash chip, unbricking the PSP. It is planned for release upon the acquisition of a suitable manufacturer.

Undiluted Platinum

The PSP modchip ("Undiluted Platinum") was announced on May 28 2006. It allows the user to run two separate firmwares, one on the PSP itself, and one on the modchip. It also allows the restoration of corrupted firmware ("unbricking"), and so may lead to the creation of custom firmwares, allowing the full range of homebrew, while still being able to play the latest games. However, this chip may not run on all PSP hardware, due to the lower voltage of newer, TA-082, PSP boards.

Undiluted Platinum was released on June 26 2006. However, its installation required some very careful soldering, and many users did not wish to install this modchip. On July 23 2006 the custom firmware Epsilon Bios was released; it required the Undiluted Platinum to be used.

The day after Undiluted Platinum's release, a kernel exploit for 2.50 and 2.60 was revealed, aggravating many users who purchased the modchip just to downgrade from those versions.

PSP-Devolution

A new modchip called "PSP-Devolution" is in development. It seems to have similar features to the Undiluted Platinum chip, and it will be compatible with all motherboards (TA-079 to TA-086), also providing TA-082 recovery. This modchip may be a fake, however, because there is no official announcement other than a simple website. For people who have a bricked TA-082 PSP, the only solution for now may be to buy a new motherboard.

According to PSP-Devolution.com, sales of the PSP-Devolution modchip should have commenced on April 16 2007 [2].

A version for TA-079 to TA-081 motherboards, which runs on 3.3V, is now available, and on June 6 2007 a version for TA-082+ motherboards, which runs on 1.8V, was made available. More information is at mod-chip.com.

ISO image loader

UMDs can be run from the Memory Stick Duo by utilizing a ripped ISO image. The legality of the loaders used to run these ISOs, and indeed, ripping the ISOs in the first place, is questionable at best, as the only UMDs available are retail versions.

Three methods of loading ISOs are available: generic loaders, which trick the PSP into thinking the ISO is in fact a UMD in the PSP's drive; game-specific booters, which only allow a particular game to be run; and, more recently, 3.02 OE-B, which allows the loading of ISOs requiring 3.02 and under with no UMD in the drive.

Through homebrew, developers have also enabled the PSP to load modified versions of ISOs using specially developed programs. Both the DAX and CSO (Compressed ISO) formats are compressions of an ISO image and can be loaded with DaxzISO, 2.71SE-C including all the new OE versions, and DevHook.

On 1 July 2007, it was discovered that firmwares 3.50 and 3.51 contained an official ISO loader in one of the firmware modules, called "np9660.prx". The purpose of this ISO loader appears to be for use with games downloaded from the PSN service.[6]

Trojans / Brickers

Trojan.PSPBrick

On October 2, 2005, an alternative downgrader was released. The "downgrader" was actually a trojan that, if run on a PSP, destroys the firmware and BIOS, resulting in the PSP becoming un-bootable. This was officially reported by Symantec as Trojan.PSPBrick. After the release, many PSP homebrew sites came to a screeching halt to check every bit of homebrew for the trojan, to ensure safety for their users. Normal operation resumed shortly thereafter.

Any files that are based on the toc2rta TIFF exploit (including the EBOOT Loader and the MPH Downgrader) are now seen as trojans by anti-virus programs, even if they are perfectly legitimate.

Trojan.PSPbrick.B

A PSP bricker (see 'Trojan.PSPBrick' above), known as 'SDL test', has recently come into circulation. Its effects are the same as above, but it is not detected by anti-virus programs, due to the fact that it is new.

Unbrickers

Apparently, a person sent a bricked PSP to Sony. The PSP was returned with a memory stick inside with the following files:

  • Binary encrypted full NAND image.
  • Required modules for system control for use by IPL of debug hardware.
  • Logging module for debug log review (log is saved after full write).
  • A file used for testing that the system plays well (usually a demo of a PSP game).

According to nicodemus82, the said memory stick is useless without a special battery that internet hamsters dubbed the "Sony JigKick" (after researching a bit, we found that the jigkick is actually a "special" move that targets a certain place). Reportedly, the battery accesses the third battery pin that "enables writing to the IPL from the memory stick". This unbricker has been found using a special battery.

Game compatibility

In order to force users to update to their latest firmware, Sony has increasingly made games firmware-specific. GTA: Liberty City Stories requires firmware functions only present in 2.00+, and so will not run on lower firmwares. In February 2006, a loader was released, allowing GTA:LCS (and other games requiring 2.00+) to be run on PSPs below 2.00. In June 2006, a firmware emulator was released, allowing games requiring up to version 2.50 to be run on firmware 1.50. Almost all games made for the PSP now require a firmware update. They require certain files known as PRXs, which are in the PSP's flash memory, to run. Some games do not require these PRXs and can be executed on lower firmwares by using a version changer. The more common method is to use custom firmware, which allows a more accurate gameplay.

Version changer

A utility was released circumventing the version number check. This utility tricked games by setting the firmware version to a high number (e.g. 9.99). The UMD would assume its version (usually 2.00+) was older, and so would not attempt to update.

A different standpoint is taken with the "No Update UMD Starter", which instructs the PSP to ignore the update when booting a UMD, and to boot directly into the game.

These methods do not work for games requiring 2.00+, as they depend on modules (.PRX files) included within the firmware in order to function.
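The gate described in this section can be modelled in a few lines. This is an added example, not code from Sony or from any homebrew tool; the module names, the manifest and every function name are invented for illustration. It shows why a comparison against a self-reported version passes a spoofed value, why missing .PRX modules still stop a 2.00+ title, and a consistency check that flags a reported version the installed modules do not support.

```python
# Constructed model of the update gate; module names and manifest are invented.
from dataclasses import dataclass

# Hypothetical manifest: modules first shipped in each firmware version.
INTRODUCED = {(1, 50): {"base.prx"}, (2, 0): {"net20.prx"}, (2, 50): {"media25.prx"}}

def parse_version(text):
    """'2.50' -> (2, 50); rejects anything that is not MAJOR.MM digits."""
    major, _, minor = text.partition(".")
    if not (major.isdigit() and minor.isdigit() and len(minor) == 2):
        raise ValueError(f"bad firmware version: {text!r}")
    return int(major), int(minor)

@dataclass
class Console:
    reported_version: str     # what the version query returns (can be overridden)
    flash_modules: frozenset  # PRX files actually present in flash

@dataclass
class Disc:
    bundled_update: str
    required_modules: frozenset

def launch(console, disc):
    """Version gate first, then module loading; returns (outcome, detail)."""
    if parse_version(console.reported_version) < parse_version(disc.bundled_update):
        return ("update_required", disc.bundled_update)
    missing = sorted(disc.required_modules - console.flash_modules)
    return ("load_failed", missing) if missing else ("running", [])

def evidenced_version(console):
    """Highest manifest version whose modules, and all earlier ones, are present."""
    best = None
    for version in sorted(INTRODUCED):
        if not INTRODUCED[version] <= console.flash_modules:
            break
        best = version
    return best

def version_mismatch(console):
    """True when the reported version exceeds what the installed modules support."""
    best = evidenced_version(console)
    return best is None or parse_version(console.reported_version) > best

# Constructed sample data: one 1.50 flash image, reported honestly and spoofed.
OLD_FLASH = frozenset({"base.prx"})
honest, spoofed = Console("1.50", OLD_FLASH), Console("9.99", OLD_FLASH)
simple_disc = Disc("2.00", frozenset({"base.prx"}))
strict_disc = Disc("2.00", frozenset({"base.prx", "net20.prx"}))
```

The version comparison alone never sees the flash contents, which is why the mismatch check has to be derived from the module inventory rather than from the reported number.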

Firmware loaders

It is possible to run games made specifically for firmware versions 2.00 and above (such as GTA: Liberty City Stories) on previous firmware versions. This is done by using a firmware loader.

The PSP has eight drives:

  • ms0 - Memory Stick
  • flash0 - Flash Memory (Contains all the firmware files)
  • flash1 - Flash Memory (Used to store the XMB settings)
  • flash2 - Flash Memory (In firmwares 3.00 and up, this contains half of the DRM for Sony's official PS1 emulator, the other half being in flash0)[7]
  • flash3 - Flash Memory (Currently unused and about 1 MB in size, although in custom firmwares it can be used along with flash2 to redirect firmware elements such as fonts)
  • disc0 - UMD Drive
  • ipl - Initial Program Load
  • irda0 - Infrared Port

Files from the BIOS and flash memory (of a different version) are copied to separate folders on the memory stick. The firmware loader proceeds to load these files. Recently, the release of a homebrew program (DevHook) has enabled loading firmware versions 1.50 through 3.11 entirely. It can then load and play UMD games requiring that particular firmware, as well as use the built-in Internet Browser with Macromedia Flash support, LocationFree, RSS feeds, and ATRAC3/ATRAC3plus, WMA and AVC playback.

Notable homebrew

DevHook

This application, created by "Booster", can load alternate firmware versions from dumps without affecting the PSP's actual firmware. It mounts flash0 and flash1 (where the firmware is stored) and the IPL to a directory on the Memory Stick PRO Duo, then executes a firmware reboot, which loads the emulated firmware without the PSP even knowing. Hence, there is a significantly reduced risk of bricking or damaging the PSP. The user can access all the features of the emulated firmware, including UMDs requiring that firmware version. The latest version of DevHook (v0.52.0100) allows for emulation of 3.11 firmware, and supports limited homebrew launching on said firmware. This emulation of the firmware allows users to have all of the features of the new firmware while keeping the ability to run homebrew on 1.50 or Custom Firmware PSPs. Note: To save space on the memory stick, newer versions of DevHook allow much of the emulated firmware to be stored in the PSP's flash memory. Many people now argue that DevHook has been made pointless by the SE/OE firmwares, which have the features of the most recently decrypted firmware and also support ISO loading direct from the XMB [3].

SE/OE Custom Firmware

A custom firmware created by "Dark AleX" uses a subset of the commonly known 1.50 firmware to launch a newer firmware with homebrew capabilities, similar to DevHook, but is instead loaded directly from the PSP's NAND flash chip. Some less used features are removed in newer versions, including "LocationFree Player" and Korean fonts, in order to save on internal memory. These features can be accessed, however, through the installation and execution of DevHook. The firmware adds support for native 1.50 homebrew loading in addition to loading official Sony EBOOTs, integrating an ISO/CSO loader launched from the XMB system menu, and a recovery menu accessible upon boot-up. Two of Dark_AleX's custom firmwares are currently in wide use. 3.03 OE-C is popular for its icons, sounds, battery meters, and other components of the XMB. The formats in which these are saved are currently known, leading to custom XMB replacements one can flash to their PSP in order to give it a more "custom" look. 3.10 OE-A' is the sequel, of sorts, to 3.03 OE-C. It contains updated features, like a 4th brightness setting (without the AC adapter plugged in), and the ability to play games requiring the 3.10 official firmware. POPS has also been improved. For these reasons, 3.10 OE-A' is popular with those who want to stay on the cutting edge. 3.03 OE-C, while mildly out-of-date, is used by those who want to give their PSP a more "personal" feel.

A major perk of the OE firmwares is that if a user messes up while messing around with the flash files (e.g. while personalizing the XMB), the recovery menu allows users to access their PSP to undo the change and even flash their firmware back to the OE's original form, essentially allowing users to unbrick a semi-bricked PSP.

uClinux 2.4.19

A very preliminary port of the uClinux 2.4.19 kernel has been released. It uses the serial port located next to the headphone jack for console and ttyS0 I/O, and boots into a very minimal statically-linked userland built on uClibc and the uclinux-dist userland sources [4].

CWCheat

It is the first cheating program on the PSP. It allows cheating in UMD Games as well as PSX games (through POPStation on 3.XX OE firmwares) on the PSP. It is functionally similar to legacy cheating devices such as Gameshark and Action Replay. It is also currently the only known homebrew application that allows the conversion of PSP-format PSX memory card files into the format used by popular PC PSX emulators such as ePSXe, allowing a user to migrate their savegames between their desktop PC and PSP.

References

  1. ^ Brian Lam. "How to play NES on the PSP". Wired Magazine. Retrieved 2005-09-13.
  2. ^ a b Currently TA-082 is limited to downgrade to 2.50 only. Justin B (June 30, 2006). "2.50/2.60 Downgrader - beta v5 released". QJ.net. Retrieved 2006-07-01.
  3. ^ http://www.noobz.eu/joomla/news/beware-of-the-illuminati.html
  4. ^ "Firmware 3.10 decrypted on Day 0!". PSPUpdates. January 30, 2007.
  5. ^ "Dark_Alex's Release of OE-B". PSPBrew. December 25, 2006.
  6. ^ "Official ISO loader found in FW 3.50, 3.51". PSP Updates. July 1, 2007.
  7. ^ http://forums.qj.net/showpost.php?p=1395914&postcount=41

External links