Editing PRE-IPL
Latest revision | Your text | ||
Line 1: | Line 1: | ||
The iplloader, called "Lib-PSP iplloader" internally by Sony, also sometimes called PRE-IPL or BootROM, is the first code to run in PSP MIPS32 main CPU. Its role is to load the [[Initial Program Loader]]. iplloader contains the routines to boot into service mode and loads and decrypts the encrypted IPL from the NAND or Memory Stick. | |||
Its role is to load | |||
= Location = | = Location = | ||
Line 85: | Line 83: | ||
| style="background:#C3F500" | PSP (Retail) | | style="background:#C3F500" | PSP (Retail) | ||
| style="background:#C3F500" | Tachyon 0x00600000-0x00900000 | | style="background:#C3F500" | Tachyon 0x00600000-0x00900000 | ||
| style="background:#C3F500" | 10-09-2007 (build date in | | style="background:#C3F500" | 10-09-2007 (build date in the payload) | ||
| style="background:#C3F500" | 0xCE8 | | style="background:#C3F500" | 0xCE8 | ||
| style="background:#C3F500" | SHA-256: E511D3DC78A209610F5B3EFEA2BC64BF86B9DF14A9C279C4499FECBFD70E6BF9 (ROM) | | style="background:#C3F500" | SHA-256: E511D3DC78A209610F5B3EFEA2BC64BF86B9DF14A9C279C4499FECBFD70E6BF9 (ROM) | ||
|- | |- | ||
| style="background:#FF8B00" | PS Vita | | style="background:#FF8B00" | PS Vita | ||
| style="background:#FF8B00" | 0. | | style="background:#FF8B00" | 0.931.010-0.995.000 (inside PS Vita's Compatibility security module) | ||
| style="background:#FF8B00" | 11-17-2010 (last modified date for 0.940I compat_sm.self) | |||
| style="background:#FF8B00" | | |||
| style="background:#FF8B00" | 0x2C0 | | style="background:#FF8B00" | 0x2C0 | ||
| style="background:#FF8B00" | SHA-256: 6D75EC720739C53228B1CA1AFF6CE073AE542BBB38FCC9B8710EC5EB3889B942 (full binary) | | style="background:#FF8B00" | SHA-256: 6D75EC720739C53228B1CA1AFF6CE073AE542BBB38FCC9B8710EC5EB3889B942 (full binary) | ||
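Review bot: the date cells in this table ("10-09-2007", "11-17-2010") use a numeric month-day-year order that is only recognisable from the second value; "10-09-2007" on its own reads equally well as 10 September or 9 October. Suggest writing both as ISO 8601 (YYYY-MM-DD) so the build date tied to the ROM hash is unambiguous. Also, the right-hand PS Vita row shows no counterpart for the "11-17-2010 (last modified date for 0.940I compat_sm.self)" cell, so check that the row still has the same number of cells as the PSP (Retail) row above it.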
Line 194: | Line 186: | ||
== Memory mapping == | == Memory mapping == | ||
The PSP iplloader is mapped to | The PSP iplloader is mapped to 0xBFC00000 which is the reset vector of PSP's MIPS R4000 CPU. | ||
0.7.0 iplloader and onward are composed of two parts: | 0.7.0 iplloader and onward are composed of two parts: a loader from 0xBFC00000 to 0xBFC0027F and a payload from 0xBFC00280 and ending at the size specified at 0xBFC000034 (little endian 0x2 bytes). | ||
The PSP iplloader distributed in PS Vita System Software version 0.996 and onward has its payload starting at 0xBFC00180, rather than at 0xBFC00280 on previous PS Vita software and PSP hardware versions. | The PSP iplloader distributed in PS Vita System Software version 0.996 and onward has its payload starting at 0xBFC00180, rather than at 0xBFC00280 on previous PS Vita software and PSP hardware versions. | ||
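Review bot: the size-field address in the right-hand "0.7.0 iplloader and onward" line is written as 0xBFC000034, which has nine hex digits and does not fit the 0xBFC00000 to 0xBFC0027F loader range given in the same sentence. It looks like a stray zero; please confirm the intended offset and correct the address so readers parsing a dump take the 2-byte little-endian size from the right place.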
Line 484: | Line 474: | ||
== PS Vita Compatibility mode behaviour == | == PS Vita Compatibility mode behaviour == | ||
On PS Vita, PSP iplloader is sent by the | On PS Vita, PSP iplloader is sent by the Compatibility security module (os0:sm/compat_sm.self) to the non-secure ARM kernel which writes it to 0xE8100000 (named CompatSharedSram and mapped to the 0xBFC00000 reset vector on the emulated PSP/Tachyon side). | ||
compat_sm then sends a specific 0x40-bytes XOR key to be used by the PS Vita's iplloader as a 0x40 bytes XOR mask against the IPL header. The IPL is stored in the pcbc.skprx kernel module. | |||
Kirk command 1 is then used on the result. Unlike on actual PSP units, the IPL is decrypted in a single large block rather than in multiple blocks. | |||
The 0x40 bytes key gets updated depending on the firmware version in use. | The 0x40 bytes key gets updated depending on the firmware version in use. | ||
A 0x40 bytes XOR mask is also part of the 3.50+ DTP-T1000 security | A 0x40 bytes XOR mask is also part of the 3.50+ DTP-T1000 security. See PSP iplloader section. | ||
= Dumper = | = Dumper = | ||
As of March 21st 2018, a dumper for DTP-T1000 iplloader has been made by mathieulh | As of March 21st 2018, a dumper for DTP-T1000 iplloader has been made available on github by mathieulh: | ||
* [https://github.com/mathieulh/DTP-T1000-Pre-IPL-dumper] | |||
= | = See also = | ||
* [https://web.archive.org/web/20090826053327/http://silverspring.lan.st/NPSPTD_01.txt iplloader and IPL descriptions by SilverSpring] | * [https://web.archive.org/web/20090826053327/http://silverspring.lan.st/NPSPTD_01.txt iplloader and IPL descriptions by SilverSpring] |
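Review bot: in the Dumper section the right-hand sentence ends with a colon ("... made available on github by mathieulh:"), but the bullet carrying the GitHub URL appears only in the left column, so the colon would introduce nothing if that bullet is dropped. Keep the bullet, and give the link a label as the See also entry does. In the same hunk, "See PSP iplloader section." is a vague pointer on a page that is itself about the iplloader; link the specific section instead.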