Anyone who has a 2.80 please come in

[gbj1]

Important:
If you are not familiar with psp devel, plz don't try to understand what I'm saying below. Have a nice day and wait for a downgrader.
------------------------------------------------------------------------

Through the datasheet of MIPS r4000, I noticed that the status registers are always accessable wether the processor is working in user-mode or in kernel-mode. So we can change it and turn the processor into kernel-mode. Then, we can access upper mem 0x88000000 and above.
Some people said that this will not work, I'm just wondering how they were so quite sure. The processor is single-threaded. Binary opcodes doesn't have any marks indicating that it's running state. If status registers not accessable in user-mode, how can it swich back? It's not a one-way street!
But, while we manually swich the processor into kernel-mode, any interrupt or exception will swich us back since the firmware itself has a privillage management. The firmware is multi-threaded, so it must have an interrupt handler to swich between threads. This process will reset the running state of the processor.
We must disable interrupts and exceptions while we are in kernel-mode.
Any API calls will be unavailable since it relies on the kernel dispatcher.
What we can do is to copy upper mem to user mem by clean binary opcodes, and we must not overwrite any API stubs in user mem that we may use to write data into ms.
After copying memory, we must swich back to user mode and enable interrupts, then, just do a mem dump of user mem...
If you still confused, mail to alexgbj@msn.com
If you think this will brick your psp.........you can
If you are a skilled programmer, try is, it may help to make a downgrader.

Some useful stuff:
---------------------------------------------
swich to kernel and disable interrupts:

mfc0 t0,CP0_STATUS
li t1,ST0_CU0|0x1f
or t0,t1
xori t0,0x1f
mtc0 t0,CP0_STATUS
nop
nop
nop
--------------------------------------------
swich to user and enable interrupts:

mfc0 t0,CP0_STATUS
li t1,ST0_CU0|0x1f
or t0,t1
xori t0,0x1e
mtc0 t0,CP0_STATUS
nop
nop
nop
--------------------------------------------
Boot Mem 0xBFC00000 -> 0xBFD00000 0x100000
Kernel Mem 0x88000000 -> 0x883FFFFF 0x400000

[psp4life]

lol, you can't just change modes but whatever i'm no dev

[gbj1]

there is a memory management unit in the processor....
If it is running in user mode, mapped address will return error.
that's why even clean binary codes would hang while accessing upper mem.
you know, clean binary codes cannot be limited by firmware

[canalaiz]

Are there any developers willing to look into this?
It sounds quite interesting...

[Fanjita]

What would be the point in the kernel privilege model if user mode was allowed to switch to kernel mode like that?

The kernel privilege model is enforced within the processor.

This has been tried before.

[gbj1]

The kernel model is used to prevent unexpected modifications to the upper mem and for handling execution exceptions. Our PC has a MMU module too, if you are able to execute binary codes, don't you feel free to dump the whole mem?(There are a little different, the MIPS processors have a built-in priv. management while PC MMU is fully controlled by software.)
If you can't swich back to kernel-mode, how psp update itself?
The tiff exploits just halt the original firmware and execute a binary file, by using some firmware functions left in memory. It is something like you execute a exe file on a computer. That is to say, you can even start a completely different operation system/firmware through this(but hardware level drivers needed).
So, don't post sth like: it is unable to swich...etc, think about how the user-mode vsh loads a kernel module like an updater, you think about it.

Current psp developers are still getting around with software exploits, why don't you look sth into hardware. Understanding a hardware architecure will have great help with programming. There is no priv. limits, no task swicher, no threads, only binary opcodes, stacks, mapped memory access, drivers....

If someone has a JTAG device to debug the processor, it is even possible to record the whole write-flash process. Just save it, then, connect a bricked and send these opcodes to the processor via the debugger, may have the bricked psp fixed.

and something more.....
Do you know why some kernel functions can be located where we can access? It should be above 0x88000000, right? They are used during boot and initilize. Why they are left in user mem area? If sce want's to prevent the unsigned code execution, why don't they wipe these functions out?
The reasons are:
~Some threads containing these functions were put into stacks by the task swicher, after pop-up, their bodies were left in the stack area, if we halt the firmware by tiff, we halt new data being written into stack too.;

: We can save and change the stack pointer in the tiff file, then we can dump the whole stack made by the firmware.;

~Some other threads need hardware access or functions provided by a kernel module but they themselves are in user-mode, so these functions are copied into user-mem segments.
: These are what we are using currently.

[Fanjita]

Quote:

Originally Posted by gbj1

So, don't post sth like: it is unable to swich...etc, think about how the user-mode vsh loads a kernel module like an updater, you think about it.

We know how this works. It is via controlled access to kernel mode using the syscall mechanism.

It's obvious you know the general theory of all this stuff, but I think you haven't looked into how it applies to the PSP. What I would recommend is searching forums.ps2dev.org for previous technical discussions about various of your ideas, and also reading this document.

Alternatively, just try some of these ideas out in practice...

[chrisw92]

what on earth did all that gibberish mean? that some day we can have a downgrager for v2.80?

[FreePlay]

Quote:

Originally Posted by gbj1

there is a memory management unit in the processor....

No, there isn't. Not in the PSP. Not a standard TLB-based one, at least.

[The PANIC.]

Fanjita has spoken. =]
Nice idea though.