Custom Firmware - The proof of concept

[DeMoN X]

rename vshmain.prx from ms0:\dh\150\flash0\vsh\mo dule\ to vshmain.prx
copy vshmain.prx to ms0:\dh\150\flash0\vsh\mo dule\
copy recovery.elf to ms0:\dh\150\flash0\kd\

That should be :

rename *ORIG* vshmain.prx from ms0:\dh\150\flash0\vsh\mo dule\ to vshmain_real.prx
copy *CUSTOM* vshmain.prx to ms0:\dh\150\flash0\vsh\mo dule\
copy recovery.elf to ms0:\dh\150\flash0\kd\

[Ralan]

Lol freeplay was wrong the 3rd time :ROFL: :ROFL: :ROFL:

[DeMoN X]

Lol freeplay was wrong the 3rd time :ROFL: :ROFL: :ROFL:

I won't be taking his word again, EVER!

[Nevada]

Actually he wasn't, if you call this a custom firmware then you'd have to be an idiot.

[mathieulh]

Yeah, I'm wrong. But here's one thing to consider: every time someone proves me wrong, it's a good thing for the community I'm your classic anti-hero! YAY!

First a 2.5/2.6 downgrader, then a 1.50 downgrader, then custom firmware. Keep proving me wrong and we eventually might have a TA-082 downgrader XD

Didn't I told you that it was possible ? lol

About TA-082 I am more sceptical, I have done some researches (thanks to Groepaz for the hint ), it seems that unlike what I and everyone tough the IPLs are not blacklisted, the problem seems to lie in the nand chip ID itself which is not recognised by older IPLs because the nand chip model changed in TA-082 is no in the id list until 2.50 IPL.

So we wont even be able to use IPLs such as the one in Ridge Racers afaik.

I feel very sorry for TA-082 owners.

[hexecal]

but it IS custom firmware - it is an edited version of the 1.50 firmware on the flash drive therefore making it custom

[DeMoN X]

Actually he wasn't, if you call this a custom firmware then you'd have to be an idiot.

What would you call it then?

[enterman]

Very nice work Dark_AleX.

[jaxxster]

i have to agree with everyone, it is indeed custom. Its a 1.0 firmware with customable features

[DarkDragon-X]

Well got it working with DevHook....

Instead of trying out inumerous mumbo-jumbo's, I just dumped my Firmware, and copied into DevHook's 1.5 folder, presto and working.

[Nevada]

but it IS custom firmware - it is an edited version of the 1.50 firmware on the flash drive therefore making it custom

By those standards, anything that modifys data on flash0 or flash1 is "custom" firmware.
As far as the firmwares operations go itself, it isn't, i ask, does it add menu items?, no, does it add functionality? no (don't say yes because patching like nokxploit isn't adding a feature).
vshmain.prx is one of the FEW modules that the psp actually executes upon bootup, rather than just loading, but it's also one of the last to load on bootup, and still requires the original prx to be loaded afterwards so the psp does not brick.

This is proof that piggybacking code on the firmware is possible, if ever a modification was made to run decrypted/modified firmware, it would need to do so from the memory stick (much like devhook), because to execute the code, the psp needs to run all of it's modules right up until vshmain.prx before it will run your own code.

This is a small step towards custom firmwares as far as work required to do it is concerned, so don't get your hopes up and run around in circles wetting yourselves over the prospect of flashing a completely hacked firmware to the psp.

i have to agree with everyone, it is indeed custom. Its a 1.0 firmware with customable features

It's this kind of crap that i'm talking about, it is NOT 1.0 firmware, it is simply loading an elf file, which patches some functions then loads the file it replaced to prevent the psp bricking.

[Ralan]

By those standards, anything that modifys data on flash0 or flash1 is "custom" firmware.
As far as the firmwares operations go itself, it isn't, i ask, does it add menu items?, no, does it add functionality? no (don't say yes because patching like nokxploit isn't adding a feature).
vshmain.prx is one of the FEW modules that the psp actually executes upon bootup, rather than just loading, but it's also one of the last to load on bootup, and still requires the original prx to be loaded afterwards so the psp does not brick.

This is proof that piggybacking code on the firmware is possible, if ever a modification was made to run decrypted/modified firmware, it would need to do so from the memory stick (much like devhook), because to execute the code, the psp needs to run all of it's modules right up until vshmain.prx before it will run your own code.

This is a small step towards custom firmwares as far as work required to do it is concerned, so don't get your hopes up and run around in circles wetting yourselves over the prospect of flashing a completely hacked firmware to the psp.

Yes, More like a huge step, the first real modifyed flash 0 PRX running is a HUGE step

[Art]

It adds a feature in X-Flash... the feature of flashing it :) lol.

The recovery mode is a new feature, it's a dual boot, even if it's the effect of
a dirty hack, or the absence of something.
It also means those pictures you flashed over didn't matter in the long run.

Hmm, I thought the makers of shells would be most excited over this.

[Nevada]

Yes, More like a huge step, the first real modifyed flash 0 PRX running is a HUGE step

it's not a modifying prx for crying out loud, WE CANNOT EDIT SONY'S PRX'S TO DO WHAT WE WANT, it renames the real prx and loads it after it has loaded itself.
i repeat, we CANNOT EDIT THE REAL PRX's

[Eternal-Cowboy]

The digg post

DIGG IT

YEH!!

[Master-Chief]

It adds a feature in X-Flash... the feature of flashing it :) lol.

The recovery mode is a new feature, it's a dual boot, even if it's the effect of
a dirty hack, or the absence of something.
It also means those pictures you flashed over didn't matter in the long run.

Hmm, I thought the makers of shells would be most excited over this.

Yeah, time that those shells come in handy. :)

[DeMoN X]

it's not a modifying prx for crying out loud, WE CANNOT EDIT SONY'S PRX'S TO DO WHAT WE WANT, it renames the real prx and loads it after it has loaded itself.
i repeat, we CANNOT EDIT THE REAL PRX's

But we can create our own ones to do what we want, Correct? Such as the recovery.elf for example.

[EM1L]

i have to agree with everyone, it is indeed custom. Its a 1.0 firmware with customable features

No its not. I dont see 2-3 sec gameboot screens.

[jaxxster]

jesus fluff, no need to go off on one. Seems like you're really upset about it. Didnt realise people calling this a custom firmware could upset someone so deeply.

[Nevada]

But we can create our own ones to do what we want, Correct? Such as the recovery.elf for example.

But can you replace the original firmware completly with it?

Don't get me wrong, i appreciate alex's work and think he's doing a great job with it, i just think his definition of what it actually is, was a bad choice of words.

[Ralan]

it's not a modifying prx for crying out loud, WE CANNOT EDIT SONY'S PRX'S TO DO WHAT WE WANT, it renames the real prx and loads it after it has loaded itself.
i repeat, we CANNOT EDIT THE REAL PRX's

O.0 I just came home i i havn't been monitering this but if this it true we could make a fully "Custom firmware".

[DarkDragon-X]

Testing the features from the POC in DevHook, I can say that SCE skip works, no corrupt icons works as well, and the screenshot feature (added via POC, not Devhook) worked as well.

Now for the weird part:
Normal Auto-Eboot load doesn't work, it always loads into the emulated XMB. However, when trying to go into Recovery mode (which doesn't work, the light just keeps flashing and flashing) when I let go of the R button, the emulated firmware loaded the application (in my case, PSP Osx).

[DJShrimpy]

I don't want to risk my PSP just to get rid of my % folders.

[dasurfrdude27]

But we can create our own ones to do what we want, Correct? Such as the recovery.elf for example.

No, I'm sorry, its not a PRX, but an ELF.

I'm probably wrong, but I skimmed across the readme and what I think I read is that he made an ELF, and simply renamed it to a PRX and the PSP loaded it.

Again though, I'm probably wrong, I barely read it.

Could someone correct me?

Thanks!

Peace.

[Nevada]

O.0 I just came home i i havn't been monitering this but if this it true we could make a fully "Custom firmware".

clearly i have to repeat myself again.
You can load your own SHELLS on boot, maybe even one day an emulator to run decrypted firmwares off of the memory stick

but you cannot, and will never be able to flash a completely decrypted firmware to the psp.

[gangsta_psp]

Ok, so I stop playing Conquer Online and now I see this!? :Jump:

[Networkgamer]

it doesnt only rid you of % folders,it allows you to autoboot anything so you can show off to your freinds

[muratcan]

I don't want to risk my PSP just to get rid of my % folders.

There Is no risk as long as you do not turn your PSP off for the few seconds it flashes the files to the firmware!

And recovery mode works great for me! Saying that I don't have anything on autostart

[DJShrimpy]

You meen like when you turn it on, the XMB just pops up, as if your exiting sleep mode?

[gangsta_psp]

Im still kind of amazed. :dj: