PlayStation Portable homebrew
PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.
Origins
In May 2005, it was discovered that PSPs running the 1.00 version of the firmware could execute unsigned code. This meant that PSPs could be used to run homebrew software, as there was no mechanism to check whether the code had been digitally signed by Sony. A proof-of-concept "Hello World" was released to demonstrate this. This led to the release of a number of homebrew programs, all built with GNU GCC and GNU Binutils modified to produce code for the PS2 and PSP (both MIPS-based devices).
In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images can be written to a Memory Stick and executed, performing exactly as if they were being read from a UMD. A primitive homebrew program was made available to revert from 1.50 to 1.00, but this was only possible if the PSP was originally a 1.00 model, as the firmware dump required was unique to each PSP. In July 2006, a downgrader from 1.50 to 1.00 was released, allowing any 1.50 PSP to downgrade to 1.00.
1.50 homebrew
It was discovered in June 2005 that unsigned code could be run on firmware version 1.50. The discovery allowed early US PSP adopters to run homebrew, which quickly led to articles appearing in the mainstream press.
Two ways were developed to run unsigned code: swapping memory sticks and, later, a safer exploit known as 'KXPloit'.
1.51 and 1.52 homebrew
It is not possible to run homebrew on 1.51 or 1.52 without upgrading the firmware. Many possibilities have been claimed as fact, usually involving the DATA.PSAR file from an official update with 1.51. However, all remain unproven.
2.00 homebrew
Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, decided to release an update with features that would give people an incentive to update. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper. As 2.00 contained a web browser, it became possible to write programs that would take advantage of the PSP's HTML rendering ability, and its newfound ability to connect to a server on a wireless network.
On September 23, 2005, an exploit was discovered: a buffer overrun in the image rendering that allowed execution of an unsigned binary file. The method involved the user setting a PNG image as the background and placing a TIFF file in the photo directory. When the Photo menu was accessed, the binary file was loaded.
Two days later, the first "Hello World" program was released. The size of the binary was limited to 64 KB, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".
On September 28, 2005, a successful downgrader, the MPH Downgrader, was released. This would change the system's version to 1.00, tricking the PSP into allowing the 1.50 update.
Moving quickly to fix this exploit, on October 3, 2005 Sony released the version 2.01 firmware. This was a pure security update and offered nothing new in the way of features.
2.01 - 2.60 homebrew
On September 28, 2005, Cheat Device was released for GTA: Liberty City Stories, which exploited a memory bug during saving. It ran behind Liberty City Stories, allowing various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game.
A "Hello World" was created in December 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01". (Despite the name, this game was not authorized by The Tetris Company.)
Two days later, the exploit was released for 2.60 firmware, leading to the creation of Tetris for versions 2.50 and 2.60. A developer's kit was later released.
In January 2006, an EBOOT Loader for 2.01+ and, later, a version of the eLoader supporting version 2.60 were released.
WiFi connectivity was added on April 2, 2006, due to the discovery of a function that allowed the eLoader to initialize WiFi without kernel mode.
On June 27, 2006, another exploit was discovered in the 2.50 and 2.60 firmware that allowed kernel mode to be used. GTA: Liberty City Stories is still required. The exploit takes advantage of another buffer overflow bug that was introduced when Sony added an additional security check in the 2.50 firmware. Three days later, a fully functioning 2.50/2.60 to 1.50 downgrader was released. If the PSP had the TA-082 PCB, the downgrader would not work and would "brick" the PSP. This was due to a protection implemented in newer motherboards; exactly what is being blocked is unknown.
In August, it was reported that a successful downgrade on a TA-082 to the 1.50 firmware was achieved. It takes 45 minutes and an image must be dumped that is specific to one's own PSP device.
Furthermore, during June 2006, Rockstar started shipping a version of GTA:LCS that patches the memory bug. The patched UMD also contains a compulsory upgrade to firmware 2.60. In the PAL regions it was accompanied by a change of serial number and graphical layout.
On 21 August 2006 it was announced that homebrew is possible on 2.01-2.80 by loading a TIFF image. This resulted in homebrew being launched on 2.00-2.60 without GTA:LCS, with full kernel access. Contrary to popular belief, the exploit itself won't allow code to be executed in kernel space; it instead uses the sceKernelLoadExec exploit present in 2.50-2.71, which is why 2.80+ cannot yet be downgraded.
On 5 September 2006, an EBOOT loader that does not require GTA:LCS, and uses the new TIFF exploit, was released for the 2.00-2.60 firmwares. It still has the same compatibility rate as previous loaders, due to the user mode limitations. A kernel mode version is being worked on.[3]
On 9 September 2006, an easier way of downgrading firmware 2.01 was released. It functioned in exactly the same way as the 2.00 downgrade (swapping index.dat in flash0 for the index.dat from the 1.00 firmware, tricking the PSP into launching the 1.50 update EBOOT); however, it uses the new TIFF exploit, as the one used to downgrade firmware 2.00 was patched in 2.01.
2.70-2.80 homebrew
On 25 April 2006, Sony released firmware version 2.70, which directly patched the exploit in the GTA savegame. The libTIFF exploit described below now works on 2.00-2.80, allowing homebrew to be executed. With 2.70 came Macromedia Flash support, and hence a number of PSP Flash games have been created. Various Flash portals have also been released to allow Flash games and applications to be run easily without adding them to bookmarks. The most recent firmware update is currently version 3.03.
On 21 August 2006, it was announced that a new overflow had been discovered in the libTIFF image libraries of the PSP, in all versions upwards of 2.00.
In late August 2006, the first Hello World program working through the libTIFF exploit was released. It runs in kernel mode on firmwares up to 2.70, and user mode in 2.80.
On 1 September 2006, a downgrader for firmware 2.71 was released. Executing via the Photo menu (through an arbitrary TIFF), it expands itself into working memory, uses the PRX from the 1.50 Update EBOOT to write a new IPL, formats the flash0 partition, and then copies a dump of the 1.50 firmware, stored on the memory stick, to flash0. The flash1 settings partition is detected as "corrupted" when the user first boots 1.50 and is then rewritten by pressing Circle.
On 2 September 2006, an update of the 2.71 downgrader was made public. This fixed an error in the previous downgrader which sometimes caused premature bricking.
On 12 September 2006, Tetris for firmware 2.80 was released along with an SDK, Tetris being the first homebrew available on 2.80. This was followed just hours later by TIFF Pong (edited one day later), and two days later by TIFF Tron, TIFF Snake, TIFF Space Invaders, TIFF Font Hack, and TIFF Penguin Scramble. It is likely that many more games will be released under this SDK, as the Noobz team has repeatedly confirmed that a 2.70-2.80 eLoader is coming, so most developers are expected to wait for that release and for what Noobz can do with the kernel exploit. Even so, many people are already developing their own games using the 2.80 SDK.
On 21 September 2006, eLoader 0.99 was released. It had support for Firmware 2.70 and 2.71, with limited kernel access.
On 22 September 2006, a homebrew launcher for firmware 2.71 was released by Dark_AleX. It allowed homebrew games to be launched from the XMB Game Menu, and worked by applying a patch in memory that remained until the PSP was restarted.
On 24 September 2006, a DevHook port for firmware 2.71 was released, allowing users to emulate the 1.50 firmware. It was reported to be fully compatible with the TA-082 motherboard.
On 29 September 2006, ISO files could be successfully launched under firmware 2.71 on the TA-082 motherboard through Dark_AleX's Homebrew Enabler revision C and DevHook 0.4x for the 2.71 enabler. Although the libTIFF exploit is operational in 2.80, an eLoader is still under development and is expected to arrive soon; a certain file from the 2.71 version is missing in 2.80.
On 8 October 2006, a 2.71 custom firmware was released by Dark_AleX. It uses the 1.50 firmware kernel to bootstrap a custom 2.71 firmware, and allows 1.00 and 1.50 homebrew as well as 2.71 homebrew to run, all with kernel access.
On 15 November 2006, a new version of eLoader was released by the Noobz team. It also works on 2.80 firmware by using the TIFF exploit, giving the ability to launch user-mode EBOOTs on 2.80. Also released in this version is an experimental loader for 2.80 firmware called "xLoader", which allows homebrew EBOOTs to be launched from the XMB Game Menu.
On 20 November 2006, it was confirmed that flash0 access on 2.80 is possible, and custom gameboots have been flashed onto a PSP running 2.80 firmware. Although a downgrader has not yet been made, this has opened up the path to making one.
On 24 November 2006, two well-known sources, qj.net and DCEmu, reported a rumor that a downgrader for 2.80 would appear within days or a few weeks. This downgrader is supposedly not run from xLoader, the only known loader for 2.80.
On 25 November 2006, Dark_AleX released the newest version of his 2.71 custom firmware, named "2.71 SE-C". With this version's support for .prx plugins that run directly from the memory stick, a whole new "sub" scene has emerged to create custom extensions for the public at large. Custom firmware 3.03 OE-A followed on 8 January 2007.
On 28 November 2006, it was announced that Booster, the creator of DevHook, would soon release a new "0.50" version of his now-famous DevHook firmware emulator and ISO loader. This version will emulate either the new 2.8X or 3.X firmwares released by Sony. Since those firmwares have already been dumped and only await a program to use them, this seems a logical conclusion.
On 29 November 2006, Booster released DevHook 0.50, which supports up to firmware version 2.8x. Emulation of firmware 3.x is reported to be in the works.
2.81+ homebrew
As of this time there is no way to run homebrew, ISOs, emulators, or downgraders on firmwares 2.81 and 2.82. In 2.81, the latest exploit, the libTIFF vulnerability, was patched. Shortly after the 3.00 update was released to add compatibility with the PlayStation 3, a 3.01 update was released to patch a security hole, leading all homebrew groups to begin searching for it. However, it was later confirmed that it was probably nothing more than a bug fix for one UMD game. The possibility remains that a security hole has been patched, though, because one PRX file that manages security has been changed.
Excerpts from:
Cite: Wikipedia information about PlayStation Portable homebrew on Answers.com. Wikipedia Copyright © 2005 by Wikipedia. Published by Wikipedia.