What did we say? The 1.00 Hacker/Flasher was unsafe, so we would innovate and create a safe and friendly version! That's exactly what I've done.
The Readme.txt file is the best source of information, so here are the important parts (please read the whole thing before using):
- pj1115's firmware autobooter for OE firmwares - Designed for '1.00 Debug' firmware -
- Based on the source code of SonyXTeam BFM Firmware Launcher v1.00 - By Yoshihiro -
- This release is from TeamDarkWater; created by pj1115. -
~~~
* Will only work on a Dark_AleX custom OE firmware or 1.50 firmware.
* Will not flash anything to the PSP's flash; it's safe.
* This is designed for firmware 1.00 (debug), but will work with decrypted firmwares up to 2.50.
~~~
EXPLANATION:
This application, when placed in 'ms0:/PSP/GAME/BOOT/', and set to auto boot in
a custom firmware (such as Dark_AleX's OE firmware) via the recovery menu, will emulate a firmware dump instead of the usual VSH. It is designed for use with a dump of the supposedly leaked 'bogus' or 'debug' 1.00 firmware.
As with the real BFM, some features don't work (namely, sleep mode).
Only tested with '1.00 bogus' PSP firmware; should work with up to 2.50 (decrypted).
~~~
KEEP IN MIND:
THIS PROGRAM IS FOR NOVELTY PURPOSES ONLY! TO BE HONEST, THE FEATURES AVAILABLE IN THE EMULATED FIRMWARE ARE VIRTUALLY NIL. ALSO CONSIDER THAT YOU HAVE A CUSTOM FIRMWARE INSTALLED, MEANING YOU HAVE ANYTHING YOU REALLY NEED. THIS IS ONLY REALLY FOR BOOTING THE 'BOGUS' 1.00 FIRMWARE (POSSIBLY OTHERS) SAFELY, AND FOR SHOW.
Note that the debug firmware is odd, and is silly when it comes to features. It will detect any EBOOTs that any other firmware will accept as invalid; the opposite goes for EBOOTs formatted for the debug firmware; any other XMBs detect it as corrupt. An example is the 1.00 DEBUG update EBOOT, which, to my knowledge, is the only EBOOT that has been created in the format that's only recognised by the debug firmware itself.
Most UMD's won't run as the game will want a higher firmware. You could try replacing the index.dat of the dump with a 2.00 one or a spoofed one (you can obtain this by dumping the index.dat from a 1.50 firmware that has been altered to 9.99 or something). I'm not even sure if that will work.
~~~
HOW TO USE IT:
The program has no button input, no GUI, and nothing but a black screen during loading,
so you'll be zoomed right into the emulated VSH, sometimes even faster than the normal VSH would boot!
To exit the emulated VSH, restore default settings from the system menu (it will reboot into default). To disable it,
reboot the PSP manually, holding [R] while booting, and disabling the homebrew autoboot in 'Configuration'. I know it's crude, but until I manage to load custom modules (and code a rebooter), that's the way it is.
--OR--
I haven't tried this, but a way to quit to the real XMB might be to install the VSH Rebooter by MaTiAz. This replaces the 'Network Update' icon with a feature that reboots the XMB by pressing it, or to shut down by holding [L] while pressing it. It *MIGHT* work in the debug firmware, but I have no PSP right now, so I can't test.
You can find the file here:
http://dl.qj.net/VSH-Rebooter-PRX-v0.2-without-installer-General-Apps-PSP-Homebrew-Applications/pg/12/fid/12301/catid/151
~~~
INSTALLATION:
1. Extract the contents of MS_ROOT to the root of your memory stick. This will over-write any existing auto-boot firmware for custom firmware in PSP\GAME\BOOT.
2. Obtain a dump or the EBOOT.PBP of the 1.00 bogus firmware (google "Download PSP Firmware Version 1.0 (14MB)"). If the first, then put the folders "font", "KD", "VSH", and "Data" to the root of the memory stick.
If the second, download PSAR dumper v2B (the Noobz one is good, which can be found at http://noobz.eu). Extract the DATA.PSAR from the EBOOT with PBP unpacker or something to the root of the memory stick. Run PSAR dumper from the PSP and press [] to dump decrypted. When it's done move the folders "font", "KD", "VSH", and "Data" from the "f0" folder to the root of the memory stick.
3. Disconnect your PSP from USB. Hard reboot the PSP (or take out the battery) and boot again, holding [R]. In recovery mode, go to 'Configuration', and enable the option to boot from 'PSP/GAME/BOOT/EBOOT.PBP'.
4. Reboot the PSP, or press 'Exit' in recovery, and you should encounter lots of memory stick flashing. (The moment of truth). If all goes well, you should see the 'Sony Computer Entertainment' logo and hear a lovely audio clip.
Now, because there's no Flash1 installed, there are some weird bugs in the XMB, such as missing text. To fix this, find the system settings icon, and press [O] on it. It will give you a blank error; just press [X] and you'll get a corrupted setting message. (It's a funny, different blue screen). Just press [O] to confirm.
You will be rebooted into your real firmware, and the Flash1 will have been created on the memory stick. Just hard reboot and you'll be in the debug XMB!
If you have any problems, please make a thread at http://www[dot]PSP3D[dot]com. Make sure you describe your problem accurately, and if you want, ask for pj1115. Other members may be able to help, though.
~~~
TECHNICAL EXPLANATION:
I've set both the back and text color to 0 (black), so you won't see any output until boot.
Therefore, unfortunately, any errors will just result in the PSP staying at a black screen. This is not a crash.
It usually means you have something wrong with your dump.
~~~
FUTURE RELEASES:
This program was intended to allow loading of custom PRX modules on boot, but unfortunately this seems to cause an error on the PSP. Here's the intended future changelog:
- Allows for up to three extra PRX modules to be loaded along with the emulated VSH. They must be located in 'Ms0:/SEplugins/bootmods/', and be named 'mod1.prx', 'mod2.prx', and 'mod3.prx'.
- Get rid of the need to have the firmware dump in the root of the memory stick, and have it in a folder. This is proving difficult as sceIoAssign only works with block devices, so I'm going to have to find a way around that...
- Not sure.
Well, that's it. Hope you enjoy it!
Download: http://www.sendspace.com/file/g4yg1o
Wednesday, 24 January 2007
pj1115's Firmware Autobooter released!
Posted by pj1115 at 13:24 2 comments
Sunday, 21 January 2007
Bogus 1.00 HackerFlasher: The safe version!
I was worried about releasing Hacker/Flasher to the public, so I'm literally one line of code away from finishing and releasing the safe version.
We've encountered 3 bricks through testing of the flashing program for hacker/flasher; we think they may have been caused by our home-made wait-to-flash function (it checks the MD5 of each written file after they're written and re-write them if it doesn't match), however due to nasty fluctuations in the writing of the files, the flasher gets stuck in a loop writing the file and it never stops.... that's bad if we decide to stop it by removing the battery and it's half way through writing a critical PRX.... (That's the theory, anyway).
So, like all good coders, I'm innovating. I'm making an EBOOT so that it can be set to load automatically on boot with an OE firmware. What it does is load the hacked 1.00 firmware (crossed with the bogus one) from the memory stick on boot... kinda like a standalone Devhook, but betterer. ;) It boots lightning fast, too; less time than it takes to boot the normal OE firmware.
The only thing about having this, or even the flashed version, is that the bogus firmware doesn't like any ordinary EBOOTs. It won't load updates, homebrew, demos, or anything... they just show as corrupted data. I'm working on that!
To boot into normal OE, you have to boot into recovery and deactivate the homebrew on boot loading feature.
The good news is, that this is the first TDW application EVER to have a FULL public release! Yep, the safe version will be downloadable to ANYONE!
As soon as I get this line of code sorted out, it'll be released. As it stands now, everything is loaded from the root of the memory stick, which isn't pretty. So, I'm attempting to mount a directory on the MS as Flash0 and Flash1 instead, but it's difficult.
Au revoir.
Posted by pj1115 at 11:40 0 comments
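The post above blames the bricks on a verify-and-rewrite loop that never stops when a file keeps failing its check. The sketch below is an added example, not TDW's code: it gives the same write, verify, rewrite cycle a retry cap so it ends with a reportable failure. FNV-1a stands in for MD5 to keep it short, and `fake_flash`, `flash_write` and `MAX_ATTEMPTS` are hypothetical names for a simulated device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTEMPTS 3   /* assumption: retry cap picked for this example */

/* FNV-1a stands in for MD5 here to keep the example short. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed stand-in for a flash file: the first bad_writes writes land corrupted. */
struct fake_flash { uint8_t data[64]; size_t len; int bad_writes; int writes; };

static void flash_write(struct fake_flash *f, const uint8_t *src, size_t n) {
    memcpy(f->data, src, n);
    f->len = n;
    if (f->writes++ < f->bad_writes) f->data[0] ^= 0xFF;  /* simulated bad write */
}

/* Write, read back, compare digests. Returns the attempt that verified
   (1..MAX_ATTEMPTS), or -1 once the retry budget is spent. */
static int write_verified(struct fake_flash *f, const uint8_t *src, size_t n) {
    if (n == 0 || n > sizeof f->data) return -1;
    uint64_t want = digest(src, n);
    for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
        flash_write(f, src, n);
        if (f->len == n && digest(f->data, f->len) == want) return attempt;
    }
    return -1;  /* stop and report; never spin until someone pulls the battery */
}

int main(void) {
    const uint8_t module[] = "constructed module bytes";
    struct fake_flash flaky = { .bad_writes = 2 };
    struct fake_flash dead  = { .bad_writes = 100 };
    printf("flaky: %d\n", write_verified(&flaky, module, sizeof module));
    printf("dead:  %d\n", write_verified(&dead, module, sizeof module));
    return 0;
}
```

A caller that gets -1 can halt before touching the next file and tell the user which write failed, instead of leaving a critical module half written.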
Saturday, 20 January 2007
Woot! Bogus 1.00 Hacker/Flasher complete!
Success!
After several 'I can't be bothered' from a few of the TDW members, I've finished the application myself. Works like a charm.
This program requires a firmware dump of a 1.00 PSP, which should be obtained using the dumper provided with the 1.50-1.00 downgrader. It also requires the PSAR file from the 1.00 bogus update EBOOT. This is only for 1.50 PSP's. Ensure you have 40mb free space on the memory stick. Freshly formatted is recommended.
Instructions:
1. Locate the 1.00 downgrader files. Get a friend to dump their 1.00 firmware for you, and place the dump in a folder named "hackflash" in the root of your memory stick.
2. Get the 1.00 bogus update EBOOT, extract the PSAR and place it in the hackflash folder.
3. Obtain our 'Hackflash.rar' program (password is 'DarkWaterProduce') and install the 'PSAR dumper v2B - HackFlash Mod' program, launch, and press [X] to dump the 1.00 bogus update.
When done, you will be sent to the main menu. Now, press [/\] to create the 1.00/Bogus firmware blend. It will create a new dump in the 'Hackflash folder', and delete the original files (including PSAR) after a prompt.
4. It will verify the dump and escort you to the menu.
5. Press [O] at the main menu to exit.
6. Run the modified 1.00 downgrader. Press [X] to confirm.
7. The 1.00/bogus blend will be flashed to the PSP.
8. Enjoy.
To unflash, simply run the 1.50 update. Bootiful. :)
Posted by pj1115 at 13:57 0 comments
Wednesday, 10 January 2007
2.80 UMD mount success!
TDW has finished our first major hack! We have successfully managed to emulate a UMD requiring firmware ver. 2.80 (Specifically 'Eragon'), on firmware ver. 2.80. We're still waiting for test results on a 3.XX requiring UMD, but the likelihood is that they will work.
ISO games work too, but for a public release (to our dev-friends only), that feature will not be included due to legal issues. ISO's tested so far are:
-Eragon (2.80) PARTIAL WORKING; LOCKS UP FREQUENTLY
-Lumines I (1.50)
-GTA:LCS (2.00)
-GTA:VCS (2.81) NOT WORKING
-Value pack Demo UMD (2.00)
-Need for speed underground rivals (N/A)
All are working unless noted otherwise. We're still waiting on 3.XX UMD/ISO results.
Thanks for any support.
UPDATE: The results are in! We have successfully launched a UMD requiring firmware 3.01. Here are the details of the program [v0.5]:
MD5 of EBOOT.PBP - 3cfcd8b070c96ab18201dfef3dc6be11
PARAM.SFO of file - http://www.sendspace.com/file/hibtzb
Posted by pj1115 at 13:29 0 comments
Friday, 5 January 2007
Grr, TDW/PSPG/ trouble!
Before I start, I would like to say the following words: "F*ck your guides".
Those were the very words (without the asterisk) that Thrash0 spoke last night after refusing to support PSPG, amongst other very serious things.
He has since been booted from TeamDarkWater. Not solely because of the refusal to help, but he suddenly decided that he was going to stop coding for TDW simply because we denied him access to the PSP bricking program that MaX-OuT had coded. And why did he want it? To brick the PSP of a newbie who asked him a question. The next thing we knew, he was putting bricking code into our sources and was preparing to leak them!
Anyway, PSPG has been co-operating with PSP3D, so perhaps we can strike something good, I don't know.
The thing that's good to know is, that PSPG has been 100% separated from this team, and TeamDarkWater is now back up and running.
Posted by pj1115 at 01:41 0 comments
Thursday, 4 January 2007
TDW Bogus 1.00 update HackerFlasher
MaX-OuT has announced, once again, that she was bored. Wow, that's interesting.
Well, actually it is. The gal went home after a long, hard day at work and started on what she calls the 'Bogus 1.00 update hackerflasher'.
She won't say much just yet, only that she's going to try and modify the 1.00 bogus update (you know, the one that was leaked), hacking some of both the original 1.00, and the bogus 1.00's files.
What could this mean? Well, it means that it's a blend between the leaked, and more groovy update, and the original, to form a sort of 'filled-in' version of the bogus one. According to her, she's already about 1/3 of the way through it.
The great thing is, she seems to think that once she's finished, you'll be able to flash it to the PSP's NAND! That's right, for the first time ever, you can flash the bogus 1.00 update to the PSP... without bricking!
None of us are sure if she'll be successful, but we are all hopeful! Stay tuned!
Posted by pj1115 at 06:57 0 comments
Wednesday, 3 January 2007
TeamDarkWater: Who are we?
Hey there!
Just in case you hadn't figured it out yet, this is the development blog for 'TeamDarkWater', our PSP coding crew. Our team, presently consisting of pj1115, MaX-OuT, and Lostprophet, is a small underground group dedicated to programming, debugging, and testing PSP applications that are either completely stupid and useless, or extremely useful and some-what groundbreaking; it's always one of the extremes.
We have made a vow that we will only ever release source code and binary versions of our applications to the public if it is urgently needed. We will only ever release our code to one or two people, never more; the only thing we will release is the param.sfo file from the EBOOT and the EBOOT's MD5 checksum. If you see something which claims to be a leak or a release on the web, and it hasn't been announced as public here, it's a fake. Period.
In the short but fruitful weeks that TDW has been alive, we've done the following:
- TDW 2.80 UMD loader POC (Thanks to team C+D for the exploit) - All it can do [so far] is read, dump, and display files from the disk. BETA 2 (In Progress) aims to actually launch the BOOT.BIN or EBOOT.BIN of the UMD. This app is by Thrash0 (No longer with us) and Lostprophet.
- TDW's TotalUSB - This is a module that effectively lets you access and manipulate the Flash0 and Flash1 sectors via USB. BETAs 1 & 2 only had read access because Windows had managed to corrupt the flash of 2 of our PSPs, but in v1.0F, the program had been swept bug-free and now has full R/W control. The program works by using a special PRX module that, when USB was activated in the XMB, would create 3 virtual directories, each indicating the place where access would be redirected. For example, in Windows explorer, one would open drive X:\ and be presented with the folders 'MS0', 'FLASH0', and 'FLASH1'. This is very useful for use when we need to do a quick flash without using PSPfiler... (ugh). No other areas of the NAND (like IdStorage) are accessible from USB, due to technical difficulty. This app is by pj1115 and lostprophet.
- TDW's Mr.Bricker - This is the first of our completely useless, unimaginably stupid, and completely selfish projects... :D What it basically did was put on a massive show before formatting flash0 for good. Why? MaX-OuT was bored. First, it tells you that if you press [X], you give permission to render your PSP unit unusable. It then plays heroic music, does a patriotic countdown, and there's a slideshow of random pictures of PSP's having a good time... By the way, as a second outlet for people who don't want to brick, there is a warning at the top saying: 'TURN OFF YOUR PSP NOW IF YOU DON'T WANT A BRICK'! right up until 5 seconds is left until brick, when that disappears. Unfortunately, this program and its source code are bundled inside an EXE which uses 448-bit encryption (we think) as protection, and only MaX-OuT knows the password, so it's pretty useless. She used a program called 'SecureIT' or something; if anyone knows how to bypass these protections, then please comment! =p THIS PROGRAM WILL NEVER BE SEEN BY THE PUBLIC! This app is by MaX-OuT.
Thanks for coming to the blog and reading this, we're sure you're not that interested. Screenshots should be coming for each app sooner or later. For now, live bookmark us if you have Firefox to keep with progress!
Oh, and as a side note, PSPG (PSP Guides), my side-project, has been opened up to the rest of TDW. The projects have been 'stitched together'. (I'm not going to say they're merged, as they're too different).
Peace out!
pj1115.
Posted by pj1115 at 11:16 0 comments