Custom Firmware - The proof of concept

[Dark_AleX]

Download at

http://dax.psp-tuts.net/

I copy and paste from the readme.
Custom Firmware - The proof of concept by Dark_AleX

There has been lately some discussion about if custom firmware in the psp are posible (note: custom in the sense of writing our own executable code in the system, and not only data like fonts, videos,...)

Even a lot of developers doubt that this is possible due to the protections in the psp.
Well, i'm here with this simple proof of concept to show the contrary :P

Instructions:
(Note: this thing only works for 1.50)

- Copy the PSP folder to the root of your memstick.
- Execute the program "Custom Firmware - The proof of concept"
It will write to the flash some executable files.

Now you are done.

This program has ben tested on my psp. However, as all programs that write to the flash, there is always some risk of bricking the psp. Use it at your own risk.
IMPORTANT (to avoid confussion): the program includes a file called vshmain.prx. This file is NOT of Sony, it comes from me, the source of everything is released.

The features of this custom firmware - proof of concept are:

- Execution of normal pbp's (1.00 ones, no-kxploited)
- Posibility of hiding corrupt icons. (note: by default it's not enabled, look at the file /PSP/SYSTEM/config.txt to see how to enable it)
- Posibility of skipping the SCE logo at the startup. (and in this way avoid the annoying auto-execution of the UMD). Like the previous one, this is not enabled by default.
- "Recovery mode:". If you keep R pressed while starting the psp, it will enter in "Recovery mode".
Recovery mode is not more than a simple application that will let you to use the usb, and execute a program under ms0:/PSP/GAME/UPDATE/EBOOT.PBP, that could be, for example, a sony updater or the 1.50 -> 1.00 downdater.

This would allow to recover potential bricks caused by the writing of bad fonts/videos/sounds... to the flash.
(Note that this wouldn't allow to recover critical things like the overwriting of critical prx's)

- Autoexecution of a program at the startup. See the configuration file at /PSP/SYSTEM/config.txt to see how to use it.


Technical Details for Developers - Why and how this work.

Consider vshmain.prx like the executable of the firmware.
You should know that either in 1.00 or 1.50 we CANNOT execute our own prx's.
However, you should know that we can execute our own elf's :)

Just creating an elf, renaming it to vshmain.prx and flashing the file does the job :)

However, notice a VERY IMPORTANT thing. By default, static elf's created by the pspsdk are linked to the address 0x08900000. This address is already taken by a prx of those that are loaded before vshmain.prx.
It's necesary to relocate the elf to a different address not already taken.
This proof of concept use the address 0x09CD3000.

[nesianstyles]

awesome! Great work dark_alex!

[Skate3214]

Good work, but does this actually work? Like does it allow you to run eboots without kxploit on 1.5 and those other things or are you saying that it may be possible in the future.

[Moose]

Wow, well done, nice work!

[Dark_AleX]

Good work, but does this actually work? Like does it allow you to run eboots without kxploit on 1.5 and those other things or are you saying that it may be possible in the future.

Yes, it actually works.

[Skate3214]

Wow thats so awesome, so you've flashed it to your psp yes? And this works on 1.5 right? Sorry for all the questions but i want to try this out.

[Ibanez32]

Nice work. I'll have to try this.

[Moose]

I'll give it a try, lets pray that a brick does not come of it. Is it like a firmware emulator or does it change your current f/w flash?

[thunderchild214]

Yeah congrats, although I'l wait to try this until other people confirm it works...

tc214

[Dark_AleX]

Wow thats so awesome, so you've flashed it to your psp yes? And this works on 1.5 right? Sorry for all the questions but i want to try this out.

Yes, it's tested in my psp. And it only works in 1.50.

[muratcan]

omfg this is incredible! Dark_Alex you are honestly...Im ****ing speechless!

Im downloading now.

OMFG recovery mode?!?!?!?! You are a ****ing...again im spechless Dark_Alex!

[Skate3214]

Well im about to try it now, i hope it works.

[Forte]

Looks like FreePlay loses again, great work Dark_AleX :)

[Skate3214]

Well it didn't brick which is good lol.

[muratcan]

Looks like FreePlay loses again, great work Dark_AleX :)

lol you got that right!

Now one thing that will be annoying is to choose which custom firmware you want! (when they get popular and other devs release them!)

[Moose]

I am going to give it a try, well done Alex! how do you change this:

Code:

# Specify a program to autoexecute at startup. 
# Example1:
#autoboot = "ms0:/PSP/GAME/IRSHELL/EBOOT.PBP";
# Example2:
#autoboot = "ms0:/PSP/GAME/DEVHOOK/EBOOT.PBP";

to actually autoboot? is it like this:

Code:

# Specify a program to autoexecute at startup. 
#autoboot = "ms0:/PSP/GAME/DEVHOOK/EBOOT.PBP";

????????????????????????? ????????????????

[Skate3214]

Wow it works it actually did skip the little boot up video thing. Now trying out some of the other things. Heres one confirmation by me, awesome, awesome work Dark_Alex

[Moose]

loading onto ms....................... .

[Dark_AleX]

I am going to give it a try, well done Alex! how do you change this:

Code:

# Specify a program to autoexecute at startup. 
# Example1:
#autoboot = "ms0:/PSP/GAME/IRSHELL/EBOOT.PBP";
# Example2:
#autoboot = "ms0:/PSP/GAME/DEVHOOK/EBOOT.PBP";

to actually autoboot? is it like this:

Code:

# Specify a program to autoexecute at startup. 
#autoboot = "ms0:/PSP/GAME/DEVHOOK/EBOOT.PBP";

????????????????????????? ????????????????

Simply quit the "#", which is a comment, and leave it as this:
autoboot = "ms0:/PSP/GAME/DEVHOOK/EBOOT.PBP";

[Nightcrawler]

Dark_AleX did/do you work for sony?
Your one brilliant man my hat off to you!
Your exactly what this scene needs keep up the good work!

[Moose]

Confirmed working, testing other features

So far tested:
SCE logo removed - YES (much quicker load up time)
Recovery Mode - YES (Amazing, lets you flash index.dat to flash0, and, lets you run an f/w update from the normal directory, and, lets you enable USB Mass)
Corrupt Icon remover - YES (works like a charm)


I will edit this with all the astuff that works!

[Piny]

ok tested it. works like a charm. Dark_AleX you are a genius, i love your work.
now we need a way to turn off the gameboot animation, that way we could load our homebrew faster.

[Moose]

Ok, by saying it runs 1.00 pbp's does that mean that you don't need the % folder anymore?

[Evil_duck]

Will this work with a TA-082 board, or do they same restrictions apply as before?

[Skate3214]

confirmed that 1.0 eboots work on it this is awesome!!

[Piny]

Will this work with a TA-082 board, or do they same restrictions apply as before?

dude, it only works on 1.5. so, no it doesnt work on TA-082 ;)

[Nightcrawler]

Will this work with a TA-082 board, or do they same restrictions apply as before?

Dude you cant even get a TA-082 board a 1.5 so what do you think! :Argh:

[Evil_duck]

dude, it only works on 1.5. so, no it doesnt work on TA-082 ;)

I figured as much, ohh well Ill just keep praying

Freak Awsome job though Dark_Alex

[Siouxsie]

Alex man, you're rather a legend. I'm going to make a new part of my sig about you.

I'm also going to rush to switch my PSP for anything under 2.7 as quickly as I can. WIN!

[cyclone9]

do u mean if SCE removed from psp flash?
so it wont have SCE anymore?