Editing Initial Program Loader

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
Initial Program Loader, abbreviated as IPL, is a PSP program that runs on boot and loads Kernel. IPL is loaded by [[iplloader]]. IPL can be stored either on the NAND or on a [[Magic Memory Stick]], depending on the iplloader code and if a [[JigKick Battery]] is inserted or not.
Initial Program Loader, abbreviated as IPL, is a PSP program that runs on boot and loads Kernel. IPL is loaded by [[PRE-IPL]]. IPL can be stored either on the NAND or on a [[Magic Memory Stick]], depending on the PRE-IPL code and if a [[JigKick Battery]] is inserted or not.
 
On DevKits, the file is embedded after the iplloader, named [[Kbooti.bin]].


= Tools =
= Tools =
Line 24: Line 22:


= Location =
= Location =
Offset 0x40000 in the NAND (or NAND dump without ECC).


= Structure =
= Structure =
Line 34: Line 31:
== Decrypted form ==
== Decrypted form ==


=== Retail ===
The decrypted IPL is composed of 3 parts: Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload'.
 
The decrypted IPL is composed of 3 parts: Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload', aka 'kbooti_for_ipl'.


Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted again). Part3 is what actually loads the kernel modules from flash and begins the kernel boot process.
Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted again).


=== Prototype 0.4.0-0.6.0 (23-07-2004 or older) ===
== Prototype 0.4.0-0.6.0 (23-07-2004 or older) ==


The decrypted IPL only contains the 'payload'
The decrypted IPL only contains the 'payload'
Line 50: Line 45:
One of the first things Part1 IPL does is reset the main CPU.
One of the first things Part1 IPL does is reset the main CPU.


After reset the iplloader mask ROM device is no longer mapped to memory at all (the 0x1FC00000 address range is then remapped to the 4KB RAM mentioned above to be used for the ME reset vector). This is why the iplloader is no longer accessible once the IPL has booted.
After reset the PRE-IPL mask ROM device is no longer mapped to memory at all (the 0x1FC00000 address range is then remapped to the 4KB RAM mentioned above to be used for the ME reset vector). This is why the PRE-IPL is no longer accessible once the IPL has booted.


Part1 IPL does some very basic hardware inits and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM).
Part1 IPL does some very basic hardware inits and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM).
Line 68: Line 63:
== Part3 IPL (the payload) ==
== Part3 IPL (the payload) ==


Part 3 is really the IPL equivalent of reboot.bin. Since part2 kindly initialized main DDR memory, part3 is the first to actually run inside DDR. On most modern firmwares this will load to 0x88600000.
TODO
 
After some initial clean up of the co-processsors, this begins by loading /kd/sysmem.prx and /kd/loadcore.prx from flash0. Part3 contains a kernel version of the main prx decrypt routines as well as the keys for decrypting the prx tags for this version of the kernel. This is very similar to what you would find in mesg_led.prx.
 
At the conclusion of the load, part3 sets a series of useful function pointers for loadcore.prx and transfers control to loadcore for the rest of the kernel load process.


= Custom IPL =
= Custom IPL =


It is possible to load a custom IPL by either:
It is possible to load a custom IPL by either:
* exploiting iplloader to run unsigned IPL (never done)
* exploiting PRE-IPL to run unsigned IPL (never done)
* crafting a fake IPL using bruteforce (since 2007 thanks to [[Prometheus Project]])
* crafting a fake IPL using bruteforce (since 2007 thanks to [[Prometheus Project]])
* crafting a valid encrypted and signed IPL using recovered keys (since 2018 thanks to PS3 hacks and mathieulh)
* crafting a valid encrypted and signed IPL using recovered keys (since 2018 thanks to PS3 hacks and mathieulh)


See [[iplloader]] and [[Pandora]].
See [[PRE-IPL]] and [[Pandora]].


= See also =
= See also =
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)