PlayStation Portable homebrew
PlayStation Portable homebrew refers to the process of executing unsigned code on the PlayStation Portable.
Origins
In May 2005, it was discovered that PSPs using the 1.00 version of the firmware could execute unsigned code. PSPs could now run homebrew software, as there was no mechanism to check if the code had been digitally signed by Sony. A proof-of-concept "Hello World" was released to demonstrate this. This resulted in the release of a number of homebrew software, which were all built with the GNU GCC and GNU Binutils, modified to produce code for the PS2 and PSP (MIPS processor devices).
In addition, it became possible to dump Universal Media Discs (UMDs) using a homebrew technique. These dumped UMD images can be written to a Memory Stick and executed, performing in exactly the same way as if they were being read from a UMD.
While the version 1.00 firmware has been ripped (by de-soldering the firmware flash chip and reading it), there is currently no way to revert to this firmware from any version higher than 1.00. If you have a 1.00 PSP and wish to update it to 1.5 while keeping the option to later revert to 1.00, a homebrew program is available to save your 1.00 firmware, update your PSP to 1.5, and later downgrade again using the saved firmware. The saved firmware is unique to each PSP, and so only PSPs that started on 1.00 can ever upgrade and return to 1.00.
1.50 homebrew
It was discovered in June 2005 that unsigned code could be run on a firmware with version 1.5. The discovery allowed early US PSP adopters to run homebrew which quickly led to articles appearing in the mainstream.[1]
Two ways were developed to run unsigned code: swapping memory sticks, and later a safer exploit known as 'KXploit'.
Swaploit
Swaploit was released on June 15, 2005. It was created by a Spanish team and involved swapping two memory sticks to run the selected homebrew.
KXploit
KXploit exploited a bug in the sprintf function of the PSP by creating a second folder with exactly the same name plus a percent sign on the end. The original folder contained no data aside from images and a PARAM.SFO. The problem with this exploit was that a corrupted entry would show on the memory stick (alongside the normal one). However, this was shortly overcome by using two tricks. One exploited the FAT16 file system of the memory stick, and the other involved putting __SCE__ before the name of the corrupted folder and __SCE__% before the name of the normal folder (with the percent sign at the end removed). Both tricks would remove the corrupted entry and still allow the EBOOT to be run.
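The bug class behind KXploit, a folder name reaching sprintf as its format string, shown as an added C example that is not the PSP firmware's code nor any homebrew team's; the ms0:/PSP/GAME layout and all function names are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Memory Stick path layout assumed for this demo (not taken from the page). */
#define GAME_DIR "ms0:/PSP/GAME/"

/* Vulnerable pattern (CWE-134): the folder name is passed to sprintf as the
   format string itself, so a trailing '%' or any other directive is parsed
   rather than copied. This reconstructs the bug class KXploit relied on;
   it is not the PSP firmware's code and must never be fed untrusted names. */
void build_path_unsafe(char *out, const char *folder)
{
    sprintf(out, folder);
}

/* Hardened form: the format string is a constant, the name is a %s argument
   (so '%' in it stays literal), and the write is bounded by outlen.
   Returns 0 on success, -1 if the result would not fit. */
int build_path_safe(char *out, size_t outlen, const char *folder)
{
    int n = snprintf(out, outlen, GAME_DIR "%s/EBOOT.PBP", folder);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Input check a loader could apply: flag names that carry format directives. */
bool has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

/* Self-check: the hardened builder keeps '%' literal in "GAME%". */
bool safe_builder_keeps_percent(void)
{
    char buf[64];
    return build_path_safe(buf, sizeof buf, "GAME%") == 0
        && strcmp(buf, GAME_DIR "GAME%/EBOOT.PBP") == 0;
}

/* Self-check: the hardened builder refuses an undersized buffer. */
bool safe_builder_rejects_overflow(void)
{
    char tiny[8];
    return build_path_safe(tiny, sizeof tiny, "GAME%") == -1;
}
```

The unsafe builder is present only for comparison; the checks exercise the hardened form, which treats the folder name as data rather than as a format.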
1.51 and 1.52 homebrew
There are no known ways to run homebrew for versions 1.51 and 1.52.
2.0 homebrew
Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, had to release an update with features that would give people an incentive to update. The main feature was an official web browser, revealed at the 2005 PlayStation Meeting on June 20, 2005. The Japanese version of the update was released a week later, on June 27, 2005. In addition to a web browser, it also had support for high-quality MPEG-4 AVC video and the ability to change the wallpaper.
When released, it was not possible to run homebrew. However, as 2.0 contained a web browser, it became possible to write programs that would take advantage of the PSP's HTML rendering ability, and its newfound ability to connect to a server on a wireless network.
On September 23, 2005, a buffer overrun in the PSP's image rendering was discovered by toc2rta, allowing execution of an unsigned binary file. The method involved the user setting a PNG image as their background and placing a TIFF file in their photo directory. When the Photo menu was accessed, the binary file was loaded.
Two days later, the first "Hello World" program was released. The size of the binary was limited to 64kb, and the PSP could not yet read unencrypted ELF files, so further experimentation was required before any kind of homebrew software could be run. A day later, the first playable game using the exploit was released, titled "TIFF Pong 2.00".
On September 28, 2005, a successful downgrader, the MPH Downgrader, was released. It changed the system's version number to 1.00, tricking the PSP into accepting a 1.5 update, thus downgrading it and allowing execution of unsigned code.
Moving quickly to fix this exploit, on October 3, 2005 Sony released firmware version 2.01. This was a pure security update and offered nothing new in the way of features.
Trojan.PSPBrick
On October 2, 2005, an alternative downgrader was released. The "downgrader" was actually a trojan that, if run on a PSP, would destroy the firmware and BIOS, resulting in the PSP becoming un-bootable. This was officially reported by Symantec as Trojan.PSPBrick. After the release, many PSP homebrew sites checked every homebrew release for the trojan, to ensure safety for their users.
Any files that are based on the toc2rta TIFF exploit (including the EBOOT Loader and the MPH Downgrader) are now seen as trojans by anti-virus programs, even if they are perfectly legitimate.
2.01 - 2.60 homebrew
On September 28, 2005, a cheat device was released for GTA: Liberty City Stories which exploited a memory bug during saving. It ran behind Liberty City Stories, allowing for various modifications to the game, such as infinite health and the ability to "spawn" any of the vehicles in the game.
A "Hello World" was created in December, 2005. A day later, the first playable homebrew for version 2.01 was released, titled "Tetris for Firmware 2.01".
Two days later, the exploit was released for 2.60 firmware, leading to the creation of Tetris for version 2.50 and 2.60. A developers kit was later released.
In January 2006, an EBOOT Loader for 2.01+ was released, followed by a version of the eLoader which supported version 2.60.
WiFi connectivity was added on April 2, 2006, due to the discovery of system calls allowing it to initialize without kernel mode.
On June 27, 2006, another exploit was discovered in the 2.50 and 2.60 firmware that allowed for kernel mode to be utilized. Like the previous EBOOT Loader, GTA: Liberty City Stories is still required. The exploit takes advantage of another buffer overflow bug that was added when Sony included an additional security check in the 2.50 firmware. So far, this exploit is proof of concept, and no homebrew has been run using it. Just one day later, on June 28, a downgrader test attempt for 2.50 and 2.60 PSPs was released. Currently this downgrader bricks the vast majority of PSPs, and should therefore be for developer use only.
2.70+ homebrew
On April 25, 2006, Sony released firmware version 2.70, which directly patched the exploit in the GTA savegame. As a result, there is currently no homebrew support for this version. With 2.7 came Macromedia Flash support, and hence a number of Flash games have been created. The most recent firmware update is currently version 2.71 (as of June 23, 2006).
Modchip
The first PSP modchip ("Undiluted Platinum") was announced on May 28, 2006. It allows the user to run two separate firmwares, one on the PSP itself and one on the modchip. It also allows the restoration of corrupted firmware (recovery from "bricking"), and so may lead to the creation of custom firmwares, allowing the full range of homebrew while still being able to play the latest games. However, this chip may not run on all PSP hardware, due to the lower voltage of newer PSP boards.
A second modchip has been announced by a separate group, allowing the reflashing of the PSP's firmware, which in turn allows 'unbricking'.
ISO image loader
UMDs can be run from the Memory Stick by utilizing a ripped ISO image. The legality of the loaders used to run these ISOs, and indeed, ripping the ISOs in the first place, is questionable at best, as the only UMDs available are retail versions.
Two methods of loading ISOs are available: generic loaders, which trick the PSP into thinking the ISO is in fact a UMD in the PSP's drive; and game-specific booters, which only allow a particular game to be run.
Game compatibility
In order to force users to update to their latest firmware, Sony has increasingly made games firmware specific. GTA: Liberty City Stories requires a video codec present in 2.00+, and so will not run on lower firmwares. In February 2006, a loader was released, allowing GTA:LCS (and other games requiring 2.00+) to be run on PSPs below 2.00. In June 2006, a firmware emulator was released, allowing games requiring up to version 2.5 to be run on firmware 1.5.
Often, games request 2.00+ firmware, but do not depend on 2.00 features to operate, and so can be easily circumvented using a version changer.
Version changer
A utility was released circumventing the version number check. This utility tricked games by setting the reported firmware version to a high number (e.g. 3.00). The update bundled on the UMD (usually 2.00+) would then appear older than the installed firmware, and so the PSP would not attempt to update.
A different standpoint is taken with the "No Update UMD Starter", which instructs the PSP to ignore the update when booting a UMD, and to boot directly into the game.
These methods do not work for games that genuinely require 2.00+, as those games depend on functionality added by that firmware in order to function.
Firmware loaders
It is possible to run games specifically for Firmware versions 2.00 and above (such as GTA: Liberty City Stories) on previous Firmware versions. This is done by using a Firmware Loader.
The PSP has five drives:
- ms0 - Memory Stick
- flash0 - BIOS
- flash1 - Flash Memory
- disc0 - UMD Drive
- ipl - Initial Program Load
Files from the BIOS and Flash Memory (of a different version) are copied to separate folders on the Memory Stick. The Firmware Loader proceeds to load these files. Recently, the release of a homebrew program has enabled loading firmware versions 2.00 and 2.50 entirely. It can therefore play UMD games while emulating that particular firmware, as well as use the built-in Internet Browser and AVC video playback.
Emulation
The PlayStation Portable includes a variety of emulators. Due to processor speeds, the handheld has a large list of systems it can emulate, from as simple as the Atari 2600 to as advanced as the Nintendo 64. Currently, the most advanced system to be emulated full-speed is the Sega Genesis.
Notable homebrew
PSP shells
Due to the limitations of the PSP's firmware, homebrew shells were sought after. The first iteration was MbShell, which included audio and graphical capabilities. This led to many other shells being released, most implementing combinations of other homebrew features.
Bochs PSP
Bochs, the open-source x86 emulator, was ported to the PSP in 2005. It ran DLX Linux and Windows 95 at respectable speeds (though they took several minutes to boot). Unfortunately, it was never very useful, as the mouse was difficult to move and the PSP had no built-in keyboard.
References
1. Brian Lam. "How to play NES on the PSP". Wired Magazine. Retrieved 2005-09-13.