
Simple IPL Sample link

Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Simple IPL Sample link

Post by Zecoxao » Tue Aug 30, 2016 1:38 pm

http://lukasz.dk/mirror/forums.ps2dev.o ... tml?t=8850
Does anyone have the link for the file mentioned in this thread?
I need it for some research.
My sig is original :D

iCEQB
Posts: 57
Joined: Thu Jan 16, 2014 3:54 pm

Re: Simple IPL Sample link

Post by iCEQB » Tue Aug 30, 2016 1:43 pm

http://pspguides.exelements.net/Files/P ... le_IPL.rar

This ??

Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Re: Simple IPL Sample link

Post by Zecoxao » Tue Aug 30, 2016 1:49 pm

yep, that's it. only missing the src now (i believe he also released it)

Mathieulh
Guru
Posts: 49
Joined: Thu Jan 06, 2011 6:17 am

Re: Simple IPL Sample link

Post by Mathieulh » Tue Aug 30, 2016 1:49 pm

It looks like it, although it was originally supplied with the source, do you happen to have it? There is only the installer in your archive.
---
PGP Fingerprint: DF46 8C79 5D1A 76FF 75B2 C345 4679 EDEF 1B5B B192
Public Key: https://pgp.mit.edu/pks/lookup?op=get&search=0x1B5BB192

Proof: https://keybase.io/mathieulh

iCEQB
Posts: 57
Joined: Thu Jan 16, 2014 3:54 pm

Re: Simple IPL Sample link

Post by iCEQB » Tue Aug 30, 2016 1:52 pm

It's unfortunately the only active download link I could find on the internet :/
I'm still looking tho, but don't hold your breath.

Arkanite
Posts: 25
Joined: Fri Aug 19, 2016 3:21 am

Re: Simple IPL Sample link

Post by Arkanite » Tue Aug 30, 2016 3:23 pm

pretty sure the source code is included in ProCFW's source archive.
i'll see if i can find a link.

edit:
here ya go. go HERE and click on source. download the archive and see if it's included.

Mathieulh
Guru
Posts: 49
Joined: Thu Jan 06, 2011 6:17 am

Re: Simple IPL Sample link

Post by Mathieulh » Wed Aug 31, 2016 9:48 am

Sadly it's been heavily modified, it's not the same code at all :/

Rahim-US
Guru
Posts: 95
Joined: Thu Jun 30, 2011 8:53 pm

Re: Simple IPL Sample link

Post by Rahim-US » Sun Sep 11, 2016 7:23 pm

Hi,
Here it is with the source code included, hope it can help you ;)
Attachment: simple_ipl.rar (41.5 KiB)

fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: Simple IPL Sample link

Post by fidelcastro » Tue Sep 27, 2016 10:36 am

to find something as old perhaps here
http://web.archive.org/web/200701030655 ... -alex.org/

It would be something like this?

Code:

// most of code from moonlight & PspPet

#include <pspkernel.h>
#include <psptypes.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <pspdebug.h>

PSP_MODULE_INFO("FW100_ipl_update", 0x1000, 1, 1);

PSP_MAIN_THREAD_ATTR(0);

PSP_HEAP_SIZE_KB(0);

#define printf pspDebugScreenPrintf

int (* sceIplUpdateClearIpl)(void);
int (* sceIplUpdateSetIpl)(void);

/*** This function from PspPet PSARDUMPER ***/
static u32 FindProc(const char* szMod, const char* szLib, u32 nid)
{
    SceModule* modP = sceKernelFindModuleByName(szMod);
    if (modP == NULL)
    {
        printf("Failed to find mod '%s'\n", szMod);
        return 0;
    }
    SceLibraryEntryTable* entP = (SceLibraryEntryTable*)modP->ent_top;
    while ((u32)entP < ((u32)modP->ent_top + modP->ent_size))
    {
        if (entP->libname != NULL && strcmp(entP->libname, szLib) == 0)
        {
            // found lib
            int i;
            int count = entP->stubcount + entP->vstubcount;
            u32* nidtable = (u32*)entP->entrytable;
            for (i = 0; i < count; i++)
            {
                if (nidtable[i] == nid)
                {
                    u32 procAddr = nidtable[count+i];
                    printf("entry found: '%s' '%s' = $%x\n", szMod, szLib, (int)procAddr);
                    return procAddr;
                }
            }
            printf("Found mod '%s' and lib '%s' but not nid=$%x\n", szMod, szLib, nid);
            return 0;
        }
        entP++;
    }
    printf("Found mod '%s' but not lib '%s'\n", szMod, szLib);
    return 0;
}

void ErrorExit(char *error)
{
    printf("%s\n", error);
    sceKernelDelayThread(30 * 1000 * 1000);
    sceKernelExitGame();    
}

int main()
{
    pspDebugScreenInit();

    SceKernelModuleInfo modinfo;
    u32 base;
    SceUID fd;
    SceUID mod;

    mod = sceKernelLoadModule("ms0:/UPDATE/FW150_ipl_update.prx", 0, NULL);
    if (mod < 0)
        ErrorExit("Error loading update module.\n");

    if (sceKernelQueryModuleInfo(mod, &modinfo) < 0)
        ErrorExit("Cannot query module info.\n");

    base = modinfo.text_addr;
    printf("modinfo.text_addr : %.8X\n", modinfo.text_addr);

    fd = sceIoOpen("ms0:/UPDATE/FW100_ipl.bin", PSP_O_RDONLY, 0777);
    if (fd < 0)
        ErrorExit("Cannot read IPL Data\n");
    printf("Reading IPL Data...\n\n");
    // Copy the IPL into the loaded module's buffer; stop if nothing was read
    if (sceIoRead(fd, (void *)(base+0x900), 0x37000) <= 0)
        ErrorExit("IPL read failed\n");
    sceIoClose(fd);

    fd = sceIoOpen("ms0:/UPDATE/FW100_ipl_update.elf", PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777);
    if (fd < 0)
        ErrorExit("Cannot save ELF\n");
    printf("Writing ELF...\n\n");
    // Dump the patched module image to the memory stick for inspection
    sceIoWrite(fd, (void *)(base), 0x40000);
    sceIoClose(fd);

    mod = sceKernelStartModule(mod, 0, NULL, NULL, NULL);
    if (mod < 0)
        ErrorExit("Error Start update module.\n");
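    sceIplUpdateClearIpl = (void *)FindProc("IplUpdater", "sceIplUpdate_driver", 0x26093B04);
    sceIplUpdateSetIpl = (void *)FindProc("IplUpdater", "sceIplUpdate_driver", 0xEE7EB563);

    // FindProc returns 0 on failure: resolve both entry points before erasing anything,
    // otherwise a NULL call after the clear would leave the IPL blocks empty
    if (sceIplUpdateClearIpl == NULL || sceIplUpdateSetIpl == NULL)
    {
        ErrorExit("Cannot resolve sceIplUpdate_driver functions.\n");
        return 1;
    }

    printf("start sceIplUpdateClearIpl & sceIplUpdateSetIpl\n");
    sceIplUpdateClearIpl();
    sceIplUpdateSetIpl();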

    ErrorExit("Finished. Exiting in 30 seconds\n");

    return 0;
}

Code:

moonlight wrote:
Also, the 1.50 updater call to these functions from iplupdate.prx:

sceIplUpdateClearIpl() -- no parameters, it erases the blocks of the ipl.

sceIplUpdateSetIpl() -- no parameters. it writes the 1.50 ipl which is embedded in the own iplupdater.prx (contrary to the +2.00 updaters, where the ipl is in the psar)

The iplupdater also exports sceIplUpdateUpdateIpl, but the updater doesn't import it, and it seems that it's not called, it doesn't seem to be an export available for vsh mode. (maybe it's called inside the iplupdater, but i haven't seen that call). Looking at the disassembly, that function doesn't write to the flash, not at least using the sceNand functions.

Another difference between the 1.50 updater and the 2.XX updaters, is that the iplupdater from 1.50 doesn't use any verification function from sceNand, like sceNandVerifyEcc, etc. (I don't know if it does another kind of verification).

In theory, and only in theory, we can use the following procedure for a 1.00 downgrader:

- Extract iplupdater.prx and flashfmt.prx from the 1.50 update.
- Load them, and hack in ram the iplupdater.prx writing the 1.00 ipl on its "iplbuffer", which is easy to locate looking at the disassembly.
- call sceLflashFatfmtStartFatfmt
- Write the flash0 files of an 1.00 dump using sceIo
- call sceIplUpdateClearIpl
- call sceIplUpdateSetIpl

Using sony code to write the ipl and formatting the flash prior to writing the files should be safer, but it won't be me who tries it :)
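
Added example, not part of the original thread or of the simple IPL sample: a host-side C model of the NID lookup that FindProc performs, with a preflight that resolves every required export before anything destructive runs. The `LibEntry` struct, the sample addresses and the function names are assumptions made for illustration; only the two NIDs and the library name come from the post above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified host-side model (assumption) of the fields FindProc reads. */
typedef struct {
    const char *libname;
    uint16_t stubcount, vstubcount;
    const uint32_t *entrytable; /* count NIDs, then count addresses */
} LibEntry;

/* Constructed sample table: NIDs from the thread, made-up addresses. */
static const uint32_t sample_tbl[] = { 0x26093B04u, 0xEE7EB563u,
                                       0x08801000u, 0x08801200u };
static const LibEntry sample_libs[] = { { NULL, 0, 0, NULL },
    { "sceIplUpdate_driver", 2, 0, sample_tbl } };

/* Returns the address paired with nid, or 0 when lib or nid is absent. */
uint32_t find_export(const LibEntry *libs, size_t nlibs, const char *lib, uint32_t nid)
{
    for (size_t l = 0; l < nlibs; l++) {
        const LibEntry *e = &libs[l];
        if (!e->libname || !e->entrytable || strcmp(e->libname, lib) != 0)
            continue;
        size_t count = (size_t)e->stubcount + e->vstubcount;
        for (size_t i = 0; i < count; i++)
            if (e->entrytable[i] == nid)
                return e->entrytable[count + i];
        return 0; /* library found, NID not exported */
    }
    return 0;
}

/* Preflight: 0 only if every NID resolves; out[] is zeroed on failure. */
int resolve_all(const LibEntry *libs, size_t nlibs, const char *lib,
                const uint32_t *nids, size_t n, uint32_t *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = find_export(libs, nlibs, lib, nids[i]);
        if (out[i] == 0) { memset(out, 0, n * sizeof *out); return -1; }
    }
    return 0;
}

/* Demo: preflight the sample table for the clear NID plus one other NID. */
int sample_preflight(uint32_t other_nid)
{
    uint32_t nids[2] = { 0x26093B04u, other_nid }, out[2];
    return resolve_all(sample_libs, 2, "sceIplUpdate_driver", nids, 2, out);
}
```

The point of `resolve_all` is ordering: an erase followed by a failed write is the bricking case, so every pointer is validated before the first call is made.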
