The PRE-IPL, called "Lib-PSP iplloader" internally by sony, is the first code to run in PSP MIPS32 main CPU. Its role is to load the [[Initial Program Loader]]. PRE-IPL is where the routines to boot into service mode are and loads & decrypts the encrypted IPL from the nand/MS).

On retail PSP units PRE-IPL is read from the Tachyon (Allegrex MIPS R4000 based SOC) boot rom. On DTP-T1000 it is loaded externally.

The PSP main CPU is a custom-made Sony CPU with a MIPS32 core and has an embedded mask rom device (like most embedded systems do) which is exactly 4KB in size. This device holds the PRE-IPL. This PRE-IPL mask rom device is mapped to physical address 0x1FC00000 (this is the address of reset exception vector on MIPS CPUs), and this is where the CPU starts executing from coldboot.

The PRE-IPL is made up of 2 parts, the "loader", and the "payload".

 

= PRE-IPL Versions =

A few example of PRE-IPL payload sizes and hashes are:

| style="background:#C3F500" | 10-09-2007 (build date in the payload)

| style="background:#FF8B00" | 0.931-0.995 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 11-17-2010 (last modified date for 0.940I compat_sm.self)

| style="background:#FF8B00" | SHA-256: 6D75EC720739C53228B1CA1AFF6CE073AE542BBB38FCC9B8710EC5EB3889B942 (Full Binary)

| style="background:#FF8B00" | 0.996.070-0.996.090 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: E09B36DE655A441D2C94D39EF7BBC505EAB1722E9380EBE73E9E6A7DC88D9731 (Full Binary)

| style="background:#FF8B00" | 1.000.041-1.06 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 1.50-1.81 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: 522851781DD82F89D69EBFE0F25C3E7CFE5899A53E850F2F979AD1B0E53376F9 (Full Binary)

| style="background:#FF8B00" | 2.00-2.05 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: A9A097ED8925B83A210202AA4C943011C05FE48028BA6E05E85E1494143B0100 (Full Binary)

| style="background:#FF8B00" | 2.06-2.12 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 2.50-3.01 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 3.10-3.20 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 3.30-3.35 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | 3.36-3.50 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: 7E66976C311F5D3797A30B09DC608A0FA2E67EAA060097423CFD2E5FC89A57D9 (Full Binary)

| style="background:#FF8B00" | 3.51-3.55 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: 6E869E08CCE41E0AA0D386DE8936F81F66CABB20B964C3EF2159548852F39F30 (Full Binary)

| style="background:#FF8B00" | 3.57-3.63 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: 047366634210449C62FD813B3BFDA6267A1FA8683BA17901A214FC32E473A35F (Full Binary)

| style="background:#FF8B00" | 3.65-3.73 (inside PSVita Compatibility Secure Module)

| style="background:#FF8B00" | SHA-256: B5EF4FB2C84D629B2BDC9A70A4B8E5A7EC31CD9EA330E309361C80A9A96B65C5 (Full Binary)

== PRE-IPL Boot Sequence ==

=== Part1 PRE-IPL (the loader) ===

Because the PRE-IPL is stored in non-volatile read-only memory it cannot use variables, so the Part1 PRE-IPL code (the loader) copies the Part2 PRE-IPL (the payload) to the CPU's scratchpad RAM (the only RAM available at this time, along with another 4KB block of RAM and the 2MB EDRAM - normal DDR SDRAM hasnt been initialised yet). The scratchpad RAM is mapped to physical address 0x00010000, and after Part1 has finished copying Part2 to it, it jumps to this new address.

=== Part2 PRE-IPL (the payload) ===

Now the CPU is executing from the scratchpad RAM (the PRE-IPL payload). The PRE-IPL payload inits the nand hardware and reads the IPL nand-block-table (a table with the physical block numbers of the encrypted IPL's location on the nand). The table is located at the 4th physical block of the nand (offset 0x10000), and is repeated for the next 7 blocks. This is so that if a bad block occurs in any of these blocks, the table can still be read. Though if all 8 blocks become bad blocks, its a non-recoverable brick as the PRE-IPL can no longer locate the IPL's location (the only solution to this problem is to either boot from MS instead, or use a custom IPL to patch the PRE-IPL to remap the table - both of which would still require Pandora).

The entire raw IPL is stored on the nand encrypted. The PRE-IPL payload uses a 4KB RAM (this RAM is mapped to physical address 0x1FD00000, but will later be remapped to 0x1FC00000 to be used for the ME CPU reset exception vector) as a temporary location to load & decrypt each encrypted IPL block. Because this RAM is only 4KB in size, the encrypted IPL is organised as 4KB blocks on the nand. As the PRE-IPL decrypts each of the 4KB IPL blocks, it loads the decrypted blocks to the IPL entry address 0x040F0000 (this address is located in the 2MB EDRAM which is normally used as VRAM, normal DDR RAM still has not been initialised yet). When the PRE-IPL has finished decrypting and loading all the encrypted IPL blocks, it jumps to the IPL entry address.

The PRE-IPL is mapped to 0xBFC00000 which is the reset vector of PSP's MIPS R4000 CPU.

0.7.0 PRE-IPL and onward are composed of two parts: a loader from 0xBFC00000 to 0xBFC0027F and a payload from 0xBFC00280 and ending at the size specified at 0xBFC000034 (little endian 0x2 bytes).

PSVita's PRE-IPL from version 0.996 and onward's payload starts at 0xbfc00180, rather than 0xbfc00280 on previous and PSP hardware versions.

== Devkit behaviour ==

bloadp is used to send kbooti binaries (encrypted PRE-IPL data from 0x0 to 0x1000 and IPL blocks at 0x1000) to the DTP-T1000.

bloadp will (through tachsm) initialize the 0x1D600000 memory (from /dev/mem or 0x00000000 from /dev/tachsm0 ; /dev/tachsm1 is mapped from 0x1D400000 to 0x1D5FFFFF) on the [http://www.psdevwiki.com/ps3/Communication_Processor Communication Processor] side (0x200000 in size, 0x100000 on the tachsm0 device) which is the DTP-T1000 PSP Shared memory, on the psp/tachyon side it is mapped to 0xBFE00000, it will then write the kbooti binary at 0x1D600000, however on SDK 0.5.0 and below dstdb (which bloadp was originally a part of), it was possible to specify the address to which kbooti would be loaded (default address to be specified was 0xbfc00000, the allowed range was 0xbfc00000-0xbfc10000), this in effect would write kbooti to 0x1D600000/0xBFE00000 + the address specific in the range -0xbfc00000, so for instance if 0xbfc02000 was specified, this would write kbooti to 0xBFE02000, keep in mind that the actual 0xBFC00000 memory mirrors itself every 0x1000 segments.

Prototype PRE-IPL will read the IPL blocks in place from 0xBFE01000 and decrypts them to 0x88400000 before jumping there. IPL blocks have no metadata in prototype IPLs. Instead PRE-IPL uses 0x88400000 as a hardcoded entry point (see code samples below). In fact the IPL payload/part3, nested inside current IPL revisions and loaded by main.bin are using the prototype format, so the prototype PRE-IPL loads the IPL part 3/payload directly.

It is also worthy of note that prototype PRE-IPL for DEM-1000 (for 0.4.0 and 0.6.0 firmwares) does not make use of paddr 0xa0010000 as their payload location. The PRE-IPL payload is instead executed in place at 0xBFC00000. As such the PRE-IPL data is not wiped and can be dumped in its entirety using a custom IPL (please note that the IPL format is different than later revision IPLs: prototype IPLs are loaded in a single raw KIRK commmand 1 block).

// 0.4 PRE-IPL

// 0.6 PRE-IPL

The 0.7.0+ PRE-IPL will copy its PRE-IPL payload (stored at 0xBFC000280) to 0x80010000 (physical address 0xa0010000) and jump there. Because on DTP-T1000 0xBFC00000 is writable during PRE-IPL execution and because 0xBFD00000 is an invalid range on DTP-T1000, the payload will use the 0xBFC00000 memory (which originally contains the whole PRE-IPL loader+payload) as work ram. It will however not wipe itself so you can dump the important part (the payload) from 0xa0010000 (assuming you gain execution at IPL time).

IPL blocks are then loaded from 0xBFE01000 by PRE-IPL and copied to 0xBFC00000 where they are decrypted in place and copied to the location of load address specified in the metadata.

Because a hash of the data stored between 0xbfc00040 and 0xbfc002c0 is used in an additional step by 2.60+ IPLs to decrypt main.bin, from 2.60 and onward the payload will overwrite 0xbfc00000 with an identical copy of first 0x2C0 bytes of the original psp-1000(01g) PRE-IPL rom data (stored at 0xBFC00BB0 in the 2.60 and 2.71 kbooti, 0x80010930 in the payload) (it memsets 0x1000 bytes at 0xbfc00000 to 0 and writes the chunk there) before jumping to the IPL entrypoint, if bootstrapping the 1.50 firmware using the 2.60/2.71 PRE-IPL part, data from the retail rom addresses 0xBFC00200 to 0xBFC002C0 is retrievable, please note that this would not have been enough to generate the hash required to decrypt 2.60+ main.bin in any case and dumping using a custom IPL would be required to retrieve enough of the data even on a DTP-T1000.

Please note that starting from the 3.5.0 kbooti, the chunk of data written to 0xbfc00000 (which is hashed to be used as a seed for IPL part 2 decryption) changes and no longer matches any lib-pspiplloader code (in fact it is no longer code and totally random data).

2.6.0 kbooti also appears to fix one of the PRE-IPL flaws that allowed to load the Pandora time attacked block. It checks for the entrypoint not to be in the 0xb* range, it does not however check for the data size of the block.

The code that copies 0x2C0 bytes from 0x80010930 to 0xbfc0 verbatim from the 2.6.0 PRE-IPL payload.

Please note that neither the 0xbfc00000 (on DTP-T1000) nor 0xa0010000 memory locations survive reboots.

PRE-IPL adds a step using a 0x40 bytes xor key to decrypt the CMAC hash and data keys from the IPL block headers. As a result you cannot decrypt using KIRK command 1 the IPL blocks meant for the new PRE-IPL.

The xor key is overwritten early using a memset to 0 whenever the special JIG emulation mode is used (so the IPL block is xored by 0), this makes it impossible to obtain without glitching, knowing the kbooti CBC encryption key, knowing the xor key beforehand or using an IPL Loader exploit.

=== Development Tool JIG Memory Stick Emulation Mode ===

Starting from kbooti 0.7.0, a special JIG test mode exists, it will read an IPL block at 0x2000 on the Memory Stick instead of address 0xBFE01000 if the specific condition is met:  

Writing 0xFFFFFFFF at 0xBFEFFFFC does indeed enable the pseudo service mode and reads the block from the Memory stick, this mode is used by Sony Engineers to debug JIG Memory sticks by writing a kbooti using bloadp and then using reset parameters to set the flag at0xBFEFFFFC using the sbootp param/arg from the reset command of either dstdb or bsreset (dspreset) such as follows:  

/usr/local/sony/bin/bootdispi/dspreset 80000000 (FFFEFFFF for example sets all boot flags to 0xFF), to set the DTP-T1000 into JIG emulation mode.  

Because flags are incremental only the only way to clear the JIG flag using official SDK tools is to run the bloadp command again as this clears the whole tachsm0 memory including the flags.

In kbooti revision 3.5.0 this mode skips the XOR step (overwrites the xor key with 00s in the scratchpad) on the kirk header, allowing to use a regular IPL block to achieve code execution and dump the payload (without the xor key).

=== 01g/02g ===

// decrypt the ipl block in place (uh oh...)

// first block will have zero as its checksum since there is no previous block (another uh oh...)

if (block->checksum != checksum)

while(1);

 

// load the 'data' section of the ipl block to the specified address (0x040Fxxxx range)

if (block->loadaddr)

checksum = memcpy(block->loadaddr, block->data, block->blocksize);

 

// reached the end of the ipl, jump to the entry address (0x040F0000)

{

// clear caches

Dcache();

Icache();

 

block->entry();

Tachyon revisions 0x00140000 to 0x00300000 PRE-IPL pseudo code:

PSP Disassembler Ver.0.20 Copyright(c)2005,2006 BOOSTER

incl. elf-lib 0.1r2 copyright (c) 2005 djhuevo

:file name '0x80010000.bin',size = 4096

;copied by pre-ipl bootcode, from 0xbfc00280-0xbfc00d78

;here code is 0x80010000 to 0x80010af8

;$bfd00000-$bfd00fff : sector read buffer

;-------------------------------------------------------

;recovery mode selector

; bit4 : device select ,0=NAND Flash,  1= rec-dev

;

;recovery boot device (rec-dev) HW assign

00009007 : read request (write size = 8)

00002200 : read sector buffer (read size=200)

00008004 : ? status (write size = 8 , read size=8)

00004000 : ? status (read size=8)

;bd200034 data register (read / write)

;bd200038 status register

; bit13:parameter wirte ready

; bit12:transmit finish ?

if(r8[$68]>>16 == 0) $80010034

r9 = r8[$78]

r8 = [$be240004] & 0x10 // GPIO bit 4

r9 = $80010194 // NAND read BLOCK entry

r10= $80010130 // NAND initialize(read FAT) entry

;------------------------------------------------------------------------

r2 = $80010334(r16+r18,r17 + (r18<<9),80010810)

L80010230:

;rec-dev initialize

return $800103B4()

 

[$80010$800] = r31

;

r2 = $80010418(r18+0x10+r16<<3 ,r17 + r18<<9)

if(r2<0) $8001025c

}while(r18<8);

;

r31 = [$80010$800]

 

;------------------------------------------------------------------------

;------------------------------------------------------------------------

  mfc0  r8,Config                          ;800102A0[40088000,'...@']

  addiu  r9,0,$1000                        ;800102A4[24091000,'...$']

  dc.l  $7d081240 [invalid]                ;800102A8[7D081240,'@..}']

  sllv  r9,r9,r8                          ;800102AC[01094804,'.H..']

  mtc0  0,TagLo                            ;800102B0[4080E000,'...@']

  mtc0  0,TagHi                            ;800102B4[4080E800,'...@']

  addu  r8,0,0                            ;800102B8[00004021,'!@..']

;

  cache  $01,r8($0)                         ;800102BC[BD010000,'....']

  cache  $03,r8($0)                         ;800102C0[BD030000,'....']

  addiu  r8,r8,$40                          ;800102C4[25080040,'@..%']

  mfc0  r8,Config                          ;800102D8[40088000,'...@']

[$bd101008] = 0xff

while( [$bd101004] & 1 ==0);

[$bd101014] = 0x01

;----------------------------------------------------------------------------

  lui    r8,$bff0                          ;80010370[3C08BFF0,'...<']

;  jr    r24                                ;80010410[03000008,'....']

;a1:sector address

[$bd200034] = r4

if(r9 & $0100) return -1;

}while(r9 & $4000 == 0);

r2 = [$bd200034]

r5 -= 4

}while(r5 >=0);

;----------------------------------------------------------------------------

if(r9 & $0300) return -1// $80010528

;  addu  r15,r31,0                         ;80010530[03E07821,'!x..']

if(r2<0) return -1

$800105A4($80010a1c,8);

return $800104cc(r4,r5)

;r25 = $bd200000

L80010608:

r9 = [$bd200038]

}while( (r9 & $2000) == 0);

;decrypt 1000H block

  dc.l  $7ca8e000 [invalid]                ;8001062C[7CA8E000,'...|']

  dc.l  $7c88e000 [invalid]                ;80010634[7C88E000,'...|']

;return : 32bit check sum (add)

r2 = 0 ; clear check sum

}while(r6>=0);

; 5  : delay  | for(cnt=VALUE*96;cnt;cnt--)

;addu  r25,r31,0

r4 = ( (r4 << 4)>>4 ) | $b0000000

r5 = r4[4]

r4[0]=r5

r4[0] = r4[0] | r5

if(r9==2) // $8001073c

r4[0] = r4[0] & r5

if(r9==3) $8001074c

r1 = $ffffffff ;  nor    r1,0,0

;  addiu  r10,r10,-$4

; if(r9==5) //$80010714

r8 += 8

r9 = (r4[0] ^ r1) & r5

}while(r9!=0);

r1 = ((r4 << 1) + r4)<<5 // * 96

while(r1) r1--;

;--------------------------------------------------------------------------

  nop                                      ;800107D4[00000000,'....']

  nop                                      ;800107D8[00000000,'....']

  nop                                      ;800107FC[00000000,'....']

L80010804:

;read block number

  mfhi  0                                  ;8001081C[00110010,'....']

  mflo  0                                  ;80010820[00130012,'....']

  dsllv  0,r21,0                            ;80010824[00150014,'....']

  nop                                      ;800108D4[00000000,'....']