Skip to content

The new PSP Technical Documentation

Jump to bottom
Mathieu HERVAIS (Mathieulh) edited this page Jul 9, 2016 · 1 revision

CONTENTS:

Todo:

  • Part3 IPL
  • Firmware load sequence
  • clean up!! (and stuff)

  1. Version History

  2. Introduction

  3. Pre-IPL Boot Sequence 3.1. Part1 Pre-IPL (the loader) 3.2. Part2 Pre-IPL (the payload)

  4. IPL Boot Sequence 4.1. Part1 IPL (the loader) 4.2. Part2 IPL (main.bin) 4.3. Part3 IPL (the payload)

  5. Firmware Boot Sequence

  6. Obligatory Legal Stuff

  1. Version History

    0.1 - (05/11/07) first draft 0.2 - (07/09/16) Initial github publication.

  1. Introduction

When the PSP is the in the default off state, the only hardware running is the SYSCON chip. SYSCON controls most of the PSP's hardware, including the power & battery. It runs off the internal cell battery on the motherboard so even without the main PSP battery inserted, the SYSCON chip is still running. The SYSCON chip is responsible for monitoring the power switch, and when this power switch is activated, SYSCON applies power to the main CPU.

The main CPU is a custom-made Sony CPU with a MIPS32 core and has an embedded mask rom (like most embedded systems do) which is exactly 4KB in size. This holds the "preipl" (this is where the routines to boot into service mode are and loads & decrypts the encrypted IPL from the nand/MS). This preipl mask rom device is mapped to physical address 0x1FC00000 (this is the address of reset exception vector on MIPS CPUs), and this is where the CPU starts executing from on coldboot.

  1. Pre-IPL Boot Sequence

3.1. Part1 Pre-IPL (the loader)

The preipl is made up of 2 parts, the "loader", and the "payload". Because the preipl is stored in non-volatile read-only memory it cannot use variables, so the Part1 preipl code (the loader) copies the Part2 preipl (the payload) to the CPU's scratchpad RAM (the only RAM available at this time, along with another 4KB block of RAM and the 2MB EDRAM - normal DDR SDRAM hasnt been initialised yet). The scratchpad RAM is mapped to physical address 0x00010000, and after Part1 has finished copying Part2 to it, it jumps to this new address.

3.2. Part2 Pre-IPL (the payload)

Now the CPU is executing from the scratchpad RAM (the preipl payload). The preipl payload inits the nand hardware and reads the IPL nand-block-table (a table with the physical block numbers of the ecnrypted IPL's location on the nand). The table is located at the 4th physical block of the nand (offset 0x10000), and is repeated for the next 7 blocks. This is so that if a bad block occurs in any of these blocks, the table can still be read. Though if all 8 blocks become bad blocks, its a non-recoverable brick as the preipl can no longer locate the IPL's location (the only solution to this problem is to either boot from MS instead, or use a custom IPL to patch the preipl to remap the table - both of which would still require Pandora).

The entire raw IPL is stored on the nand encrypted. The preipl payload uses a 4KB RAM (this RAM is mapped to physical address 0x1FD00000, but will later be remapped to 0x1FC00000 to be used for the ME CPU reset exception vector) as a temporary location to load & decrypt each encrypted IPL block. Because this RAM is only 4KB in size, the encrypted IPL is organised as 4KB blocks on the nand. As the preipl decrypts each of the 4KB IPL blocks, it loads the decrypted blocks to the IPL entry address 0x040F0000 (this address is located in the 2MB EDRAM which is normally used as VRAM, normal DDR RAM still has not been initialised yet). When the preipl has finished decrypting and loading all the encrypted IPL blocks it jumps to the IPL entry address.

  1. IPL Boot Sequence

The decrypted IPL is composed of 3 parts: Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload'. Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted again).

4.1. Part1 IPL (the loader)

One of the first things Part1 IPL does is reset the main CPU. After reset the preipl mask ROM device is no longer mapped to memory at all (the 0x1FC00000 address range is then remapped to the 4KB RAM mentioned above to be used for the ME reset vector). This is why the preipl is no longer accessable once the IPL has booted. The Part1 IPL does some very basic hardware inits and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM). Part1 IPL then jumps to the entry address of main.bin (0x04000000) to initialise the hardware.

4.2. Part2 IPL (main.bin)

Part2 IPL (main.bin) is responsible for initialising the PSP hardware. It has copies of it's own driver libraries similar to the drivers found in the firmware (including: sceNAND_Driver, sceDDR_Driver, sceIdStorage_Service, sceSYSREG_Driver, sceSYSCON_Driver, sceGPIO_Driver, sceClockgen_Driver, & sceI2C_Driver). Some of the initialisation of the hardware depends on data stored in idstorage keys (for example keys 4,5,6). Note this is where TA082/086 motherboards 'brick' on 1.50 firmware. The clockgen hardware was changed on TA082/086 motherboards so the functions used to initialise it does not recognise the new hardware. And because part of the initialisation depends on data stored in key5, simply by invalidating key5 (by corrupting the header), the initialisation is skipped allowing the firmware to continue to boot. After initialising the hardware (including the DDR RAM), Part2 IPL decrypts the Part3 IPL (the payload) and loads it to address 0x08400000 (which is located in normal DDR RAM now that it has been initialised). It then jumps to the entry address of the Part3 IPL (0x08400000) to boot the firmware.

4.3. Part3 IPL (the payload) - todo

  1. Firmware Boot Sequence - todo
  1. Obligatory Legal Stuff

This document is currently under the GNU GPL License v3

Initial author of this documentation: SilverSpring E-mail: silverspringpsp [at] gmail [dot] com

Clone this wiki locally