PSP Release: Baryon Sweeper lets you unbrick PSP 2000/3000, Pandora battery style
The Pandora battery was probably the most important release of the PS hack scene: a simple hack of the PSP battery, allowing the console to enter service mode. And from there tinker with the device, in particular to install and run custom firmwares, or flash a clean firmware on a bricked PSP.
But Sony fixed the PSP’s service mode process with new hardware revisions, making the Pandora battery useless on newer PSP Slim (PSP 2000) and all PSP Brite (PSP 3000) models. There were a few attempts at making Pandora work on these models (Datel at some point famously announced the Blue Lite tool, allegedly a Pandora battery for all PSPs, but the hacking device was never released).
More than a decade later, developer khubik and a bunch of other hackers on PSPx.Ru have just released Baryon Sweeper, a tool that finally makes a Pandora-like process possible on most (possibly all in the near future) PSPs.
The process is not for everyone, as it involves tinkering with a bit of hardware to create your own “advanced” Pandora Battery with an Arduino, and download some files that might or might not be based on Sony copyrighted material.
Nonetheless, people who have tried it confirmed that it works, and the list of contributors is impressive, for anyone who’s known the PSP scene for a while. This tool might not be for everyone at the moment (also, nobody would blame you at this point if you threw away, or sold, a PSP 3000 you bricked more than 10 years ago), but it’s possible we’ll see people starting to sell more “customer friendly” versions of the battery, or entrepreneurial folks might want to start buying bricked PSPs on eBay to try and revive them.
Baryon Sweeper Credits
Khubik credits the following people for the release (google translated from russian):
- M4j0r – help with the operation of the Voltage Fault Injection Siskon glitch;
- Wildcard, Sean Shablack – Glitch exploitation and siskon dump;
- Proxima – reverse engineering of the Siskon firmware, a script for generating responses to authentication requests;
- khubik – battery emulator code, script port for generating responses, interface design;
- dogecore – port of the script for generating responses, repairing streams, interface code;
- Mathieu Hervais – homebrew code decrypt_os2, decrypt_sp;
- SSL / Zerotolerance – reverse encryption capability for decrypted files;
- zecoxao – decrypt_os2 and decrypt_sp ports on the PC, provision of boards, help in the port of the script for generating responses;
- Yoti – improvements to decrypt-sp, instructions for creating a service card from a dump, MSID Dumper, PSP-3000 for tests (<3), participation in the Pandora PSP-3000 hack topic;
- EriKPshat – useful information about JigKick, participation in the Pandora PSP-3000 hack topic, instructions for creating Pandora’s kits, assistance with design;
- Boryan, lport3, dx3d, stasik007 and many more from the Pandora PSP-3000 hack theme – battery and PSP communication records, communication protocol reverse engineering, hardware schematics for communicating with PSP and much more
Downloads and How to use Baryon Sweeper
Disclaimer: The following is an automated translation from Russian with Google, and might contain errors. Please head over to the original thread at PSPx.ru for details, update, and support.
Creating the Hardware part of the Jigkick battery
For manufacturing, you need a microcircuit with NAND logic elements: K561LA7 / CD7400 or an analogue (option 1) or CD4011 (option 2), a USB to TTL converter (Arduino with closed RESET and GND is suitable), a resistor 1k ohm, 200-300 + ohm resistor, soldering iron / breadboard and probably medium straight arms …
A USB-TTL converter is defined in the system as a serial port, providing level matching and, in fact, communication with devices using UART (as in our case). It can be executed in similarity to a USB stick or as a cable.
Communication with devices occurs via the RX pins (usually white) and TX (usually green). It is also imperative to connect the ground. To communicate with the PSP, we need to combine 2 wires into 1 – for this we need to make an adapter to a single-wire UART. The diagrams are given below.
3.3 – 5V – power supply
Ground – ground
PSP middle contact – single-wire bus going to the middle contact of PSP
Do not forget about the pinout of the microcircuits (arc on the left). Do not forget to connect a 200-300 ohm resistor between the closed lower extreme two legs with the third upper leg from the right.
It is performed by analogy with the previous one, with the exception of a slightly different pinout.
If you put everything together correctly, made sure that there is a common ground between the adapter, the console and the computer, preferably everything rang out – try starting a COM terminal (for example, Termite), connecting to a USB-TTL and inserting a pseudo-battery (the preferred way is to use a native battery, isolating the middle contact and placing in its place the wiring from the single-wire bus). If you see packages of type 5A 02 01 A2 – congratulations, you have assembled correctly, you can proceed to the next step.
Creating the JigKick Memory Card
(Note from wololo: this is the “magic” memory stick that will, in combination with the battery emulator, enter to allow service mode)
Below is a google translation of Yoti’s original thread. Details on that can be found at https://www.pspx.ru/forum/showthread.php?t=111101
- Memory card of MS PRO Duo standard from 32 MB and higher (MS Micro and MicroSD cards in adapters are also suitable)
- A workable PSP system of any model with custom firmware for a one-time launch of a self-written program
- Original battery in service mode (soft-mod/hard mod) or battery with a choice of operating mode
- Personal or laptop computer running Windows operating system (tested on W10)
- Download and unzip to the root of your memory stick archive with the CardDump program
- Insert the memory card into a working PSP system and run “CardDump v3.1” in the “Game” menu
- When prompted, press the X button to save the card number, and then the O button to exit
- Download archive with files “magic” memory card and unpack it somewhere to disk (Note from Wololo: mirror)
- Copy the file “msid.bin” 16 bytes from the root of the memory card to the “dec” folder
- Run the file “! Encrypt.bat” and wait for the console utility to finish
- Delete the files “! Encrypt.bat”, “cygwin1.dll” and “decrypt_sp.exe”
- Connect the memory card to your computer using PSP and USB cable or card reader
- First of all, you need to format the memory card with a partition shift:
To do this, you need to open a command line on behalf of the Administrator.
Then we enter the following commands line by line, pressing the Enter button after each.
Attention! You do not need to enter explanations in brackets, but you need to read and understand!
- list disk
(Find the disk number of your card in the first column based on the disk size in the third)
- sel disk #
(Replace the # symbol with the disk number of your card that you just learned before)
- create partition primary offset 1024
- sel part 1
- format fs = fat32 quick
(After entering this command, a window will appear with the contents of your map, naturally empty)
- Run the program “rainsipl.exe” from the folder where the downloaded archive was unpacked
- Click “File -> Load IPL From File” and select the “ipl.bin” file from the same folder
- Make sure the correct letter of your memory card is selected in the “Target Drive” list
- Without changing anything in the program, press the big button “Execute Selected”
- After the program finishes (after a few seconds), close it
- Delete the files “ipl.bin” and “rainsipl.exe”
- Copy the folders “ID”, “JIG”, “PRX”, “VSH” and the file “PSPBTCNF.TXT” to the card
- Insert the prepared memory card into the bricked PSP
- Insert the battery in service mode into the bricked PSP
- Wait for the schematic inscription “OK” to appear in full screen
- Remove the memory card and battery, launch the PSP from the charger
- Return the battery to normal mode and format the card
Connect your USB-TTL converter, which will be connected via a single-wire UART (K-line) adapter to the PSP. Unpack the archive from the attachments and open baryonswp.exe. Make sure the earths of all three links in the chain are tied, otherwise nothing will work! Click on the Start Service button and connect your PSP. The connection will be logged in the Connection Monitor. To start in service mode, specify the serial number FFFFFFFF. If the PSP or COM port gets disconnected when the battery is connected to the PSP, there is probably not enough current. In service mode, wait for the “OK” message in full screen. The recovery process is complete.
PSP Pandora Battery, Baryon Sweeper: What’s Next
It is now theoretically possible to unbrick all PSP Models of motherboards, although this needs to be verified by adventurous testers. Additionally, we can maybe expect that some pre-made versions of the unbricking hardware might come to a store near you.