PSP Release: Baryon Sweeper lets you unbrick PSP 2000/3000, Pandora battery style
The Pandora battery was probably the most important release of the PSP hacking scene: a simple hack of the PSP battery that allows the console to enter service mode, and from there lets you tinker with the device, in particular to install and run custom firmwares, or flash a clean firmware onto a bricked PSP.
But Sony fixed the PSP’s service mode process with new hardware revisions, making the Pandora battery useless on newer PSP Slim (PSP 2000) and all PSP Brite (PSP 3000) models. There were a few attempts at making Pandora work on these models (Datel at some point famously announced the Blue Lite tool, allegedly a Pandora battery for all PSPs, but the hacking device was never released).
More than a decade later, developer khubik and a bunch of other hackers on PSPx.Ru have just released Baryon Sweeper, a tool that finally makes a Pandora-like process possible on most (possibly all in the near future) PSPs.
Important update: since this article was published, more updates have been brought to Baryon Sweeper, and more and more PSP models have been made compatible with it. More details here.
The process is not for everyone, as it involves tinkering with a bit of hardware to create your own “advanced” Pandora Battery with an Arduino, and download some files that might or might not be based on Sony copyrighted material.
Nonetheless, people who have tried it confirm that it works, and the list of contributors is impressive for anyone who has followed the PSP scene for a while. This tool might not be for everyone at the moment (also, nobody would blame you at this point if you threw away, or sold, a PSP 3000 you bricked more than 10 years ago), but it’s possible we’ll see people starting to sell more “customer friendly” versions of the battery, or entrepreneurial folks might start buying bricked PSPs on eBay to try and revive them.
Baryon Sweeper Credits
Khubik credits the following people for the release (Google-translated from Russian):
- M4j0r – help with operating the voltage fault injection glitch on the syscon;
- Wildcard, Sean Shablack – glitch exploitation and syscon dump;
- Proxima – reverse engineering of the syscon firmware, a script for generating responses to authentication requests;
- khubik – battery emulator code, port of the response-generation script, interface design;
- dogecore – port of the response-generation script, repairing streams, interface code;
- Mathieu Hervais – homebrew code decrypt_os2, decrypt_sp;
- SSL / Zerotolerance – the ability to re-encrypt decrypted files;
- zecoxao – PC ports of decrypt_os2 and decrypt_sp, provision of boards, help with the port of the response-generation script;
- Yoti – improvements to decrypt-sp, instructions for creating a service card from a dump, MSID Dumper, a PSP-3000 for tests (<3), participation in the Pandora PSP-3000 hack topic;
- EriKPshat – useful information about JigKick, participation in the Pandora PSP-3000 hack topic, instructions for creating Pandora kits, assistance with design;
- Boryan, lport3, dx3d, stasik007 and many more from the Pandora PSP-3000 hack topic – recordings of battery/PSP communication, reverse engineering of the communication protocol, hardware schematics for communicating with the PSP and much more
Downloads and How to use Baryon Sweeper
Disclaimer: The following is an automated translation from Russian with Google, and might contain errors. Please head over to the original thread at PSPx.ru for details, updates, and support.
Creating the Hardware part of the Jigkick battery
To build it, you need an IC with NAND gates: K561LA7 / CD7400 or an analogue (option 1), or CD4011 (option 2); a USB to TTL converter (an Arduino with RESET tied to GND is suitable); a 1k ohm resistor; a 200-300+ ohm resistor; a soldering iron / breadboard; and, probably, reasonably steady hands …
A USB-TTL converter shows up in the system as a serial port; it provides level matching and, in effect, communication with devices over UART (as in our case). It may take the form of a USB-stick-like dongle or of a cable.
Communication with devices happens over the RX (usually white) and TX (usually green) pins. Connecting the ground is also mandatory. To talk to the PSP, we need to merge the 2 wires into 1 – for this we need to build an adapter to a single-wire UART. The diagrams are given below.
An adapter circuit for a single-wire UART (K-Line) and connection to USB-TTL for option 1 (K561LA7, CD7400 and their full analogues)
3.3 – 5V – power supply
Ground – ground
PSP middle contact – single-wire bus going to the middle contact of PSP
Do not forget about the pinout of the ICs (pin-1 notch on the left). Do not forget to connect a 200-300 ohm resistor between the two joined outer lower pins and the third upper pin from the right.
Adapter circuit for a single-wire UART (K-Line) and connection to USB-TTL for option 2 (CD4011 and its full analogues)
It is built by analogy with the previous one, with the exception of a slightly different pinout.
If you have put everything together correctly, made sure that there is a common ground between the adapter, the console and the computer, and ideally checked all connections for continuity – try starting a COM terminal (for example, Termite), connecting to the USB-TTL and inserting a pseudo-battery (the preferred way is to use a real battery, isolating its middle contact and putting the wire from the single-wire bus in its place). If you see packets of the form 5A 02 01 A2 – congratulations, you have assembled it correctly and can proceed to the next step.
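To make sense of what shows up in the terminal, here is an added example (not code from Baryon Sweeper or the PSPx.ru thread) that parses and checksums frames of the kind quoted above. The frame layout is an assumption inferred from the single sample packet 5A 02 01 A2: a 0x5A sync byte, a length byte counting everything after it, a command byte, optional payload, and a checksum that is the bitwise complement of the 8-bit sum of all preceding bytes (0x5A + 0x02 + 0x01 = 0x5D, ~0x5D & 0xFF = 0xA2).

```python
from dataclasses import dataclass
from typing import List, Optional
SYNC = 0x5A  # first byte of every frame in the quoted sample "5A 02 01 A2"

@dataclass
class Packet:
    command: int
    payload: bytes

def checksum(body: bytes) -> int:
    # Assumed rule: bitwise NOT of the 8-bit sum over sync, length, command and payload.
    return (~sum(body)) & 0xFF

def build_packet(command: int, payload: bytes = b"") -> bytes:
    """Frame command + payload; the length byte counts command, payload and checksum."""
    body = bytes([SYNC, len(payload) + 2, command]) + payload
    return body + bytes([checksum(body)])

def parse_packet(raw: bytes) -> Optional[Packet]:
    """Decode one frame, or return None if it is truncated, unsynced or corrupt."""
    if len(raw) < 4 or raw[0] != SYNC:
        return None
    length = raw[1]
    if length < 2 or len(raw) != length + 2:
        return None
    if checksum(raw[:-1]) != raw[-1]:
        return None
    return Packet(command=raw[2], payload=raw[3:-1])

def scan_stream(stream: bytes) -> List[Packet]:
    """Extract every well-formed frame from a raw capture, resynchronising on
    the next 0x5A after line noise or a frame that fails its checksum."""
    packets, i = [], 0
    while i < len(stream):
        if stream[i] != SYNC or i + 1 >= len(stream):
            i += 1
            continue
        end = i + 2 + stream[i + 1]
        pkt = parse_packet(stream[i:end])
        if pkt is None:
            i += 1
            continue
        packets.append(pkt)
        i = end
    return packets

# Constructed capture: the quoted sample packet, a noise byte, a copy of the
# sample with a wrong checksum, then a frame carrying a two-byte payload.
SAMPLE_CAPTURE = bytes.fromhex("5A0201A2" "FF" "5A0201A3" "5A0431DEADE5")
```

Running `scan_stream(SAMPLE_CAPTURE)` yields two packets: the sample frame and the payload frame, while the corrupted copy and the noise byte are skipped.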
Creating the JigKick Memory Card
(Note from wololo: this is the “magic” memory stick that, in combination with the battery emulator, allows the PSP to enter service mode)
Below is a google translation of Yoti’s original thread. Details on that can be found at https://www.pspx.ru/forum/showthread.php?t=111101
Requirements:
- Memory card of MS PRO Duo standard from 32 MB and higher (MS Micro and MicroSD cards in adapters are also suitable)
- A working PSP system of any model with custom firmware, for a one-time launch of a homebrew program
- Original battery in service mode (soft-mod/hard mod) or battery with a choice of operating mode
- Personal or laptop computer running Windows operating system (tested on W10)
Preparation:
- Download the archive with the CardDump program and unzip it to the root of your memory stick
- Insert the memory card into a working PSP system and run “CardDump v3.1” from the “Game” menu
- When prompted, press the X button to save the card number, and then the O button to exit
- Download the archive with the “magic” memory card files and unpack it somewhere on disk (Note from Wololo: mirror)
- Copy the 16-byte file “msid.bin” from the root of the memory card to the “dec” folder
- Run the file “! Encrypt.bat” and wait for the console utility to finish
- Delete the files “! Encrypt.bat”, “cygwin1.dll” and “decrypt_sp.exe”
Creation:
- Connect the memory card to your computer using PSP and USB cable or card reader
- First of all, you need to format the memory card with a partition shift. To do this, open a command prompt as Administrator, then enter the following commands one per line, pressing Enter after each. Attention! You do not need to type the explanations in brackets, but you do need to read and understand them:
- diskpart
- list disk
(Find the disk number of your card in the first column, based on the disk size in the third)
- sel disk #
(Replace the # symbol with the disk number of your card that you just found)
- clean
- create partition primary offset 1024
- sel part 1
- active
- format fs=fat32 quick
- assign
(After entering this command, a window will appear with the contents of your card, naturally empty)
- exit
- Run the program “rainsipl.exe” from the folder where the downloaded archive was unpacked
- Click “File -> Load IPL From File” and select the “ipl.bin” file from the same folder
- Make sure the correct letter of your memory card is selected in the “Target Drive” list
- Without changing anything in the program, press the big button “Execute Selected”
- After the program finishes (after a few seconds), close it
- Delete the files “ipl.bin” and “rainsipl.exe”
- Copy the folders “ID”, “JIG”, “PRX”, “VSH” and the file “PSPBTCNF.TXT” to the card
Usage:
- Insert the prepared memory card into the bricked PSP
- Insert the battery in service mode into the bricked PSP
- Wait for the stylised “OK” inscription to appear in full screen
- Remove the memory card and battery, and start the PSP from the charger
- Return the battery to normal mode and format the card
Recovery Process
Connect your USB-TTL converter, which will be linked to the PSP through the single-wire UART (K-line) adapter. Unpack the archive from the attachments and open baryonswp.exe. Make sure the grounds of all three links in the chain (computer, adapter, PSP) are connected together, otherwise nothing will work! Click the Start Service button and connect your PSP. The connection will be logged in the Connection Monitor. To start in service mode, specify the serial number FFFFFFFF. If the PSP or the COM port disconnects when the battery is connected to the PSP, there is probably not enough current. In service mode, wait for the “OK” message in full screen. The recovery process is then complete.
PSP Pandora Battery, Baryon Sweeper: What’s Next
It is now theoretically possible to unbrick all PSP motherboard models, although this still needs to be verified by adventurous testers. Additionally, we can perhaps expect pre-made versions of the unbricking hardware to come to a store near you.
What a load of bull5h!t. I’ve got 2 pandora batteries a 1000 and a 2000. (Phat and slim) Had them for many years.
Even got CFW which lets me boot with pandora batteries and choose what I do with switches.
So I don’t need 2 batteries, I just mod the battery into a pandora battery and boot from there.
What I did was use the wireless switch, On is normal mode, off is service mode.
So depends on where the wireless switch is depends on how the console boots up.
I had it like this since before the PSP GO came out so many years ago so this bull5h!t about the 2000 not having pandora batteries is total BS..
This is funny as yesterday I just bought 2 PSP batteries, a 1000 and 2000 as my old ones are worn out. 🙂
Haven’t even modded them yet, that’s how new they are. But later today will be turning them into pandora batteries THE OLD WAY then start using them.
There is NO NEED for hardware mods. All you need is the pandora app which changes the serial number of the battery. I can’t remember as it’s been, what, 15 years? But it’s something like 00000000 is service mode, 11111111 is normal mode. But your battery has its own serial number so back it up first or it’s gone when you make a pandora battery.
iirc Sony patched newer revisions of the PSP 2000 so the pandora battery wouldn’t work on them when previously the battery was patched so it couldn’t become a Pandora battery
NakedFaerie, please read again. I specifically said “newer” PSP Slim models. You are right that earlier PSP Slim models are compatible with the Pandora battery. Apologies if my choice of words didn’t make that clear.
You need a hardware mod because existing battery controllers do not implement the new IDs/keys used for the challenge response to enable service mode on TA-088v3 and newer boards (like psp-3000).
Fun fact, in Service Centers, Sony used a battery emulator all along and never actually used real batteries, challenge logs from service centers have leaked and show that the battery capacity reported by the Sony service center JIG battery is always static, which would not be possible on a real battery.
P.S. The serial for service mode is actually 0xFFFFFFFF, that along with 0x00000000 forces the battery authentication on TA-088v3 and newer to use a specific challenge ID which is not implemented in any retail batteries (OEM or clones alike). On previous boards all authentication challenges used ID 0, which is why just changing the serial to 0xFFFFFFFF did the trick.
So that NAND chip is for enabling a cheap USB/TTL to do Dallas/Maxim 1-wire (MicroLan) right? I haven’t even downloaded the stuff but could we technically write an Arduino program to do the battery’s ID stuff so people only buy an Arduino Nano instead of USB/TTL + NAND chip + soldering + burnt fingers and short circuits? :D thanks.
TA-88v2 was the last motherboard to support the pandora battery. v3, introduced in late ’08, was not compatible with pandora or any of the hacks available at the time.
To be specific, this does work on (most) psp-3000; psp-go and Street are still being worked on (though the Street challenge/response is technically implemented, so it’s more a case of following the motherboard trace to the right syscon serial pin to connect the battery emulator to (probably one of the USB pins)).
The missing psp-3000 and go models will require a full dump of the syscon firmware on those; each syscon revision, due to the vulnerability in use, requires 2 boards to dump the full firmware (the initial dump erases block 0 (0x400 bytes) to inject the payload that sends the firmware over serial; another dump is then required by injecting another payload in block 1 on another board (so as to keep block 0 untouched)).
Finding the right timing used for the glitch (that allows disabling the syscon IC security bits) was also quite the expensive endeavor; many boards were sacrificed to get this done.
we’ll probably have even more keys to establish communication with even the Go and the TA092 and TA093/095 brites. this is only revision 1. once we have more dumps we should be able to access service mode even on those models.
Bravo to the team. wish it had come out a few years earlier. It would be more useful.
So, I have a bricked psp that meets the criteria, but I’m having trouble understanding the full process.
Do I have to emulate a Pandora battery? or do I just have to make one? memory stick?…
Still a little bit confusing. I would wish to try it myself, anyone give me a hand?
By the way, I have a psp-3001 Datacode 8C
Right now it only works on TA-90!
Go find some list to see which motherboard your unit has inside.
Also, you don’t need a pandora battery, you emulate some kind of sony service tool in the pc with the program and the usb adaptor.
when will TA-093 be supported? don’t delete this comment please.
What is the point of a Pandora battery? I have a 3000 and a GO both on pro-c 6.60. Works fine what am I missing here? Thank you
Maybe battery pandora for psp e1004 ?