1.00 Bogus Firmware

From PSP Developer wiki

Description

This is an official testbench firmware update that was added to the Network Update servers in early January 2005. Sony did this to perform QA tests of the network update feature before the official 1.50 update launch.

As people started looking into the update server URLs and searching for possible updates, they began guessing URLs that might be hosting updates (only a dummy update file was hosted on the regular servers at the time). One of those update URLs had an update list that pointed to a test update in PBP format, which was eventually dubbed the "1.00 Bogus Firmware". Source: [Network Update Tricks]

Installing this firmware update as-is would cause a brick. Sony Public Relations at the time indicated that servicing these devices would not be covered by the warranty.

Several theories were put forward as to why the bricking happened, such as the bootloader (IPL) being deleted because the updater was missing an IPL driver. What actually happened was that the registry/user settings were not downgraded from the Release 1.00 (1.0.3) format, and the older system software (1.0.0) was not able to read them. In 1.0.2+ the system will give the "blue screen of death" when the registry is corrupted and automatically fix itself.

In order to properly install it, you will need to install the system software, and then clear out the registry after booting. You can also utilize the registry patcher application to patch the 1.0.3 registry to have it downgrade to the older settings version.

While it can be installed over 1.0.3, the system will need a hard reset each time it is suspended. This is because the power method was changed in 1.0.3, so the 1.0.3 IPL breaks sleep on older firmwares. This can be fixed by either replacing power.prx with the one from 1.0.3 or using the correct IPL. The 1.0.0 IPL (kbooti.bin) leaked on the game NBA Street Showdown. The 0.9.0 IPL also works and can be found on a few UMD games: two of these are Ridge Racers and Shutokou Battle, where it is located in the PRX folder as kbooti.bin.

To make it run on retail units, you will need to remove the pre-ipl (first 0x1000 bytes) and make the following change to main.bin:

0x04000714 -> 0x3224007F (masks some check used in the Baryon leaf like in newer IPLs)

Optional, for compatibility with TA-082/86 motherboards:

0x04000730 -> 0x1000FF47 (clockgen fix)

You can then use ipltool to reencrypt the IPL. Alternatively (not recommended) you can also patch IdStorage by changing byte 0x18 in leaf 4 (Baryon) from 0x94 -> 0x14. This will allow the IPL to boot without modifying it.

Version Differences from Release 1.0.3

This firmware is known to most as 1.00 "bogus", also known as 1.0.0 bogus. It was a pre-release 1.00 with some development/debug modules mixed in, specifically to assist in the development of VSH modules.

The few modules that were left in for development purposes were 'loadcorei', 'rebooti', and 'dlgsample_plugin'. Some other modules were modified for development purposes to provide more debug information. Most of the firmware contains kernel messages that would not normally be seen by the typical user.

It does not contain a DECI2P debugging module, so it's not certain how these messages would be seen; possibly through another active host file system receiving the TTY information.

The firmware uses loadcorei by default to allow plain modules to be loaded during runtime, and 'dlgsample_plugin' was a development sample for the dialog utility. Unlike the regular reboot, rebooti allows the loading of decrypted loadcore/sysmem and pspbtcnf files. Both loadcorei and rebooti still enforce encryption checks for user/vsh PRX, but enable unsigned kernel PRX. All ELFs may run unsigned, just like in 1.0.3.

The reset combo (Start+Select+Square+Triangle) does not work on 1.0.0; it was implemented later on with 1.0.3.

System Version Information

[ 1.00 Bogus ]

release:1.00:
build:106,1:root@psp-vsh
system:16214,0x00100000:
vsh:2004_1104_s16214_p3883_v8335:


[ 1.00 Release ]

release:1.00:
build:228,0,3,1,0:root@psp-vsh
system:17919@release_103a,0x01000300:
vsh:p4029@special_day1,v9972@special_day1,20041201:

XMB Menu Differences

TODO: Screenshots/sounds.

Due to the early revision of the firmware, there are some major differences with the firmware compared to the launch 1.00. Early assets such as XMB navigation sounds/icons were present in the firmware but later removed or changed around.

Probably the most notable difference is the boot up sound:

XMB Menu Bugs

As with any in-development software, the XMB kernel comes with several bugs that are not found under normal conditions.

  • GAME Category
  1. UMD/Memory Stick Firmware Updates do not work. This is probably because the startup information in the firmware updates contains more information than the VSH is trying to read.
  2. All EBOOTs show up as corrupt. As with the issue above, this can only be remedied by using the bogus firmware PARAM.SFO, since it matches the information that the XMB needs, or by patching the firmware's game_plugin to allow it to read the new information.
  3. Loading any game/application from the Memory Stick will cause a lower default memory allocation and a current working directory error when the system reboots.
  • VIDEO Category
  1. While playing an hour-long MPEG4 video from the Memory Stick, the audio and video start to desync. The video starts slowing down but the audio continues to play at normal speed.
  2. Playing an MPEG4 video and jumping an hour ahead using the control panel options causes the same symptoms as above. This is likely due to how the firmware buffers videos rather than seeking from UMD.
  • MUSIC Category
  1. Minor codec changes were made that prevent specific MP3s from showing under [MUSIC].
  • PHOTO Category
  1. If you delete the Digital Cameras folder, the system will lock up immediately after exiting the category.
  2. Loading a large photo causes the viewer to act up; for example, zooming into a photo will cause a 200% increase in size.
  • SETTINGS Category
  1. The Network Update servers are different from the release ones; the firmware uses test dummy servers for the updates.
  2. Daylight Savings does not stay persistent in the display. Setting the option to on and rebooting the firmware will cause the time/date to display without daylight savings. Going to the setting again will cause it to correct itself.
  3. The 'Network Settings' icon does not have an animation when highlighted; the assets for the shadow/fade do exist but are not being used.
  4. The 'Internet Connection Test' in the 'Network Settings' fails immediately when using a Static IP address, but works when connecting within a game/application.

System Kernel Differences

The firmware is an early revision of the Release 1.00 (1.0.3), containing a mixture of in-development XMB modules as well as some internal debug kernel drivers providing assistance for developing the firmware.

Development Modules

One of the internal kernel modules, 'loadcorei.prx', allows plain (user or kernel) modules to be loaded in either VSH or kernel. This would allow Sony to keep updating the firmware over time without needing to encrypt it for every revision. There is also a 'loadcore.prx' module in the firmware, which is similar to the release 1.0.3 loadcore.

API Differences

Many API functions that are normally called in Release 1.0.3 are missing, such as 'sceKernelDevkitVersion', which returns the system software version. This would usually report '0x01000300' on Release 1.00, but had it existed here, it would have returned 0x00100000 (note the position of the numbers).
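The difference in digit position can be checked mechanically from the version blocks listed under "System Version Information". The following is an added example, not code from the wiki or from Sony: the function names are hypothetical, it assumes the hex word on the `system:` line is the same value sceKernelDevkitVersion reports, and it assumes the release layout is one byte each for major, minor and revision (consistent with 0x01000300 being 1.0.3).

```python
import re
# Version blocks copied from the "System Version Information" section of this page.
BOGUS = """release:1.00:
build:106,1:root@psp-vsh
system:16214,0x00100000:
vsh:2004_1104_s16214_p3883_v8335:
"""
RELEASE = """release:1.00:
build:228,0,3,1,0:root@psp-vsh
system:17919@release_103a,0x01000300:
vsh:p4029@special_day1,v9972@special_day1,20041201:
"""

def parse_version_info(text):
    """Return {key: value} for each 'key:value:' line, skipping blank lines."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not a key:value line: {line!r}")
        info[key] = rest.rstrip(":")  # drop the empty trailing field
    return info

def devkit_word(info):
    """Extract the 32-bit version word from the 'system' field."""
    m = re.search(r"0x[0-9A-Fa-f]{8}", info.get("system", ""))
    if m is None:
        raise ValueError("no version word in 'system' field")
    return int(m.group(0), 16)

def decode_release_layout(word):
    """Assumed layout: top three bytes are major, minor, revision."""
    return (word >> 24) & 0xFF, (word >> 16) & 0xFF, (word >> 8) & 0xFF

def identify(text):
    info = parse_version_info(text)
    word = devkit_word(info)
    decoded = decode_release_layout(word)
    # Heuristic for this example: a major byte of 0 means the word does not
    # follow the release layout, even though both builds say release:1.00.
    layout = "release" if decoded[0] != 0 else "pre-release"
    return {"release": info["release"], "word": word, "decoded": decoded, "layout": layout}

if __name__ == "__main__":
    for name, text in (("1.00 Bogus", BOGUS), ("1.00 Release", RELEASE)):
        print(name, identify(text))
```

Both builds report `release:1.00`, so only the version word and the build line tell them apart when identifying a firmware dump.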

There are also some API calls that do not work or are unfinished to some degree. Specifically, 'sceKernelExitGame' will cause the system to reboot rather than exit to the XMB. This is likely due to how parameters are being passed through the VSH main module.

This is also intentional, as the XMB was not intended to be seen by game developers using the SDK release, as with the later revision '1.0.2 Development Firmware', which shows a balloon SDK sample instead of the VSH. It wasn't until '1.0.3 Firmware' that developers were able to access the System Software menu.

Querying for the total available memory size does not exist yet in the firmware and must be done manually with other kernel functions.

Many API calls tend to be kernel mode exports while the firmware is in development. 'sceKernelLoadModuleMs' from modulemgr.prx is a kernel mode export on 1.0.0 but a user-mode export on 1.0.3. The same applies to sceKernelLoadModuleBufferUsbWlan, which is used for loading modules from a Gameshare executable (or at least was intended to be), as well as for a USB-based Gamesharing functionality that was intended later on via PS2.

System Kernel Bugs

  1. A game/application loaded from the Memory Stick will be allocated a very low default memory pool. This is fixed by patching the 'sceSystemMemoryManager' with the one from 1.0.3 or by specifying a heap size when developing the application/game.
  2. When loading a game/application from the Memory Stick, the current working directory (CWD) will not be set on boot, causing applications that use the main argv variables to fail. This can be fixed by loading the application again via sceKernelLoadExec. The issue likely lies with the VSH equivalent of sceKernelLoadExec (vshKernelLoadExec).
  3. When loading a UMD game, no audio will be output. This is due to the Media Engine API not being fully developed, which causes the ATRAC3 audio to fail. This can *only* be fixed by patching the 'me_wrapper' from 1.03 into the firmware.
  4. Network Setting Configurations are not indexed properly, where the first network connection is indexed as '-1' not '0'.

Oddities / Unfinished Functionality

  1. If a UMD (or DVD) does not have a PARAM.SFO in the root "disc0:/PSP_GAME/" directory, it will try to load a PARAM.SFO from "disc0:/PSP_GAME/SYSTEM/PARAM.SFO". (Note the SYSTEM directory VS the usual SYSDIR directory.)
  2. ATRAC3 is available to use for [MUSIC] but specifically requires a MemoryStickDuo; anything else will not work.
  3. You can have multiple video folders under MP_ROOT. Where normally you'd have a single 100MNV01 folder and put all your MP4 videos in it, with the bogus firmware you can have multiple folders, named 100MNV02, 100MNV03, etc. This would allow you to categorize the videos in some way. They all show up normally under the VIDEO category regardless.
  4. The ability to load executables via USB ("usb:") was implemented (the same way as with Gameshare) but not called. This may have been planned for use with PS2 USB Communication early on.
  5. Wallpaper Theme Settings were in place but the API was not called, assets like the dialog/registry checks were already programmed.
  6. A check was in-place where a *.THM (MP4 Thumbnail / JPG) is detected in ms0:/MP_ROOT.
  7. The ability to download MP4 videos over WiFi (similar to gameshare) was implemented but not used. This may have been used in conjunction with the multiple video directories and the above thumbnail detection.

Leftover Modules from Development

  1. A VSH module, 'dlgsample_plugin.prx', was left in the firmware by the SCE firmware engineers as a way to test dialogs in the firmware.
  2. Multiple kernel modules were left in the firmware:
  • rinit.prx (registry initialize) resets the registry/settings on the PSP (as if you went to Reset Default Settings in the settings category). This is normally included in official PSP SDK setups under kmodule.
  • loadcorei.prx (sceKernelLoaderCoreInternal), an internal development variation of sceLoaderCore (loadcore.prx), which is missing several security checks, for example allowing plain PRX/ELFs to be loaded.
  • rebooti.prx (sceKernelRebootInternal), an internal development variation of sceKernelReboot (reboot.prx) (unsure of what this does for now).