Initial Program Loader: Difference between revisions

From PSP Developer wiki
Jump to navigation Jump to search
(Credits to SilverSpring for the info)
 
No edit summary
Line 1: Line 1:
IPL is loaded by [[PRE-IPL]].
= Tools =
[https://github.com/zecoxao/ipltool]
= IPL Boot Sequence =
= IPL Boot Sequence =


<pre>
The decrypted IPL is composed of 3 parts: Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload'.
The decrypted IPL is composed of 3 parts:
 
Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload'.
Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted again).
Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is
again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted  
again).
</pre>


== Part1 IPL (the loader) ==
== Part1 IPL (the loader) ==


<pre>
One of the first things Part1 IPL does is reset the main CPU.
One of the first things Part1 IPL does is reset the main CPU.
After reset the preipl mask ROM device is no longer mapped to memory at
 
all (the 0x1FC00000 address range is then remapped to the 4KB RAM
After reset the PRE-IPL mask ROM device is no longer mapped to memory at all (the 0x1FC00000 address range is then remapped to the 4KB RAM mentioned above to be used for the ME reset vector). This is why the PRE-IPL is no longer accessible once the IPL has booted.
mentioned above to be used for the ME reset vector). This is why the  
 
preipl is no longer accessable once the IPL has booted. The Part1 IPL  
Part1 IPL does some very basic hardware inits and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM).
does some very basic hardware inits and decompresses the gzipped Part2  
 
IPL (main.bin) to address 0x04000000 (still in EDRAM). Part1 IPL then  
Part1 IPL then jumps to the entry address of main.bin (0x04000000) to initialize the hardware.
jumps to the entry address of main.bin (0x04000000) to initialise the  
hardware.
</pre>


== Part2 IPL (main.bin) ==
== Part2 IPL (main.bin) ==


<pre>
Part2 IPL (main.bin) is responsible for initializing the PSP hardware.
Part2 IPL (main.bin) is responsible for initialising the PSP hardware.
 
It has copies of it's own driver libraries similar to the drivers found  
It has copies of it's own driver libraries similar to the drivers found in the firmware (including: sceNAND_Driver, sceDDR_Driver, sceIdStorage_Service, sceSYSREG_Driver, sceSYSCON_Driver, sceGPIO_Driver, sceClockgen_Driver, & sceI2C_Driver). Some of the initialisation of the hardware depends on data stored in IDStorage leaves (for example leaves 4, 5, 6). Note this is where TA082/086 motherboards 'brick' on 1.50 firmware. The clockgen hardware was changed on TA082/086 motherboards so the functions used to initialise it does not recognise the new hardware. And because part of the initialization depends on data stored in leaf 5, simply by invalidating leaf 5 (by corrupting the header), the initialization is skipped allowing the firmware to continue to boot.
in the firmware (including: sceNAND_Driver, sceDDR_Driver,  
 
sceIdStorage_Service, sceSYSREG_Driver, sceSYSCON_Driver,  
After initializing the hardware (including the DDR RAM), Part2 IPL decrypts Part3 IPL (the payload) and loads it to address 0x08400000 (which is located in normal DDR RAM now that it has been initialised).
sceGPIO_Driver, sceClockgen_Driver, & sceI2C_Driver). Some of the  
 
initialisation of the hardware depends on data stored in idstorage keys
It then jumps to the entry address of the Part3 IPL (0x08400000) to boot the firmware.
(for example keys 4,5,6). Note this is where TA082/086 motherboards  
'brick' on 1.50 firmware. The clockgen hardware was changed on TA082/086
motherboards so the functions used to initialise it does not recognise  
the new hardware. And because part of the initialisation depends on data
stored in key5, simply by invalidating key5 (by corrupting the header),  
the initialisation is skipped allowing the firmware to continue to boot.
After initialising the hardware (including the DDR RAM), Part2 IPL  
decrypts the Part3 IPL (the payload) and loads it to address 0x08400000  
(which is located in normal DDR RAM now that it has been initialised).
It then jumps to the entry address of the Part3 IPL (0x08400000) to boot
the firmware.
</pre>


== Part3 IPL (the payload) ==
== Part3 IPL (the payload) ==


TODO
TODO

Revision as of 23:59, 17 February 2020

IPL is loaded by PRE-IPL.

Tools

[1]

IPL Boot Sequence

The decrypted IPL is composed of 3 parts: Part1 - the 'loader', Part2 - 'main.bin', and Part3 - the 'payload'.

Part1 is plaintext MIPS code, Part2 is gzip compressed, and Part3 is again encrypted (from 2.60 onwards, parts 2 & 3 are further encrypted again).

Part1 IPL (the loader)

One of the first things Part1 IPL does is reset the main CPU.

After reset the PRE-IPL mask ROM device is no longer mapped to memory at all (the 0x1FC00000 address range is then remapped to the 4KB RAM mentioned above to be used for the ME reset vector). This is why the PRE-IPL is no longer accessible once the IPL has booted.

Part1 IPL does some very basic hardware inits and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM).

Part1 IPL then jumps to the entry address of main.bin (0x04000000) to initialize the hardware.

Part2 IPL (main.bin)

Part2 IPL (main.bin) is responsible for initializing the PSP hardware.

It has copies of it's own driver libraries similar to the drivers found in the firmware (including: sceNAND_Driver, sceDDR_Driver, sceIdStorage_Service, sceSYSREG_Driver, sceSYSCON_Driver, sceGPIO_Driver, sceClockgen_Driver, & sceI2C_Driver). Some of the initialisation of the hardware depends on data stored in IDStorage leaves (for example leaves 4, 5, 6). Note this is where TA082/086 motherboards 'brick' on 1.50 firmware. The clockgen hardware was changed on TA082/086 motherboards so the functions used to initialise it does not recognise the new hardware. And because part of the initialization depends on data stored in leaf 5, simply by invalidating leaf 5 (by corrupting the header), the initialization is skipped allowing the firmware to continue to boot.

After initializing the hardware (including the DDR RAM), Part2 IPL decrypts Part3 IPL (the payload) and loads it to address 0x08400000 (which is located in normal DDR RAM now that it has been initialised).

It then jumps to the entry address of the Part3 IPL (0x08400000) to boot the firmware.

Part3 IPL (the payload)

TODO