PlayStation Portable homebrew: Difference between revisions

The PlayStation Portable homebrew scene is a community in which programmers run their own code on Sony's PSP handheld gaming system.

In May 2005, it was found that PSPs using the 1.00 version of the firmware (meaning Japanese PSPs that were not updated to the latest firmware) could execute unsigned code. What this meant in practice was that these PSPs could run homebrew software, as the mechanism for checking to make sure that software has been approved by Sony hadn't yet been activated. A proof-of-concept "Hello World" program was released to demonstrate this. This resulted in a number of pieces of homebrew software including Game Boy, Game Boy Advance, NES, Neo Geo CD, PC Engine, Sega Genesis, and SNES emulators; various small games; and a number of simple applications such as a calendar and a calculator. All of these were built with the GNU GCC and GNU Binutils, modified to produce code for the PS2 and PSP (MIPS processor devices).

In addition, the UMDs that games and movies are pressed on were recently dumped using a homebrew technique that allowed the discs to be read to files over USB. These dumped UMD images can be written to a Memory Stick and executed, performing in exactly the same way as if they were being read from a UMD. Execution of such images still requires a firmware of 1.5 or 1.0. UMD images of PSP games are as widely available on the internet as any other. The image of Burnout Legends was leaked before its sell date, allowing people to play it (illegally) over a week before release.

While the version 1.00 firmware has been dumped from the Japanese PSPs (by desoldering the firmware flash chip and reading it), there is currently no way to revert to previous firmware versions after updating, save for desoldering the equivalent flash chip, reprogramming it, and resoldering it. Thus, PSP owners who updated their firmware, or purchased their device in the US were temporarily unable to use homebrew software.

Homebrew software cannot be run on versions 1.51, or 1.52 of the PSP firmware. Users wishing to run such software can choose not to upgrade, but future game titles for the PSP will require version 2.00 (though much homebrew can now be made to work on firmware version 2.00 with Fanjita's EBOOT Loader) and possibly above, and the upgrade will be included with the games themselves. This has been partially circumvented by an application that can trick the PSP into showing a desired version but acting as a 1.5 machine. However, such a hack is unsuccessful in games which require certain files that are only available on later versions of the PSP firmware.

It has been found that 1.5X-2.00 firmware versions can execute unsigned code. If the PSP version is 1.51 or 1.52, the EBOOT.PBP can have a DATA.PSAR file added onto the PBP file to tell the PSP it is an update and to edit the PARAM.SFO to add a key stating that the firmware update is version 3.00. On 2.00 however, because of the security barrier that only applications on the UPDATE folder can go through, and several other combinations, it is nearly impossible to run homebrew on 1.5X and 2.01 versions.

Two famous European hacking groups, PSP-DEV and WAB, best known for the 1.5 Xploit hack and the Universal Loader, were rumoured to be making a downgrader that would reflash the firmware to version 1.50 from versions 1.51,1.52, and 2.00. Both websites, psp-dev.1emulation.com for PSP-DEV and wab.com for WAB claimed that they were indeed creating the downgrade. A few videos were released showing footage of claimed progress; it is now known for a fact that the videos were faking any apparent progress the groups had claimed, as evidenced by the 2.00 to 1.50 downgrader which eventually surfaced (which relied on a buffer overflow whose utility was unknown to the groups at the time).

On the 16th of September 2005, the groups announced that the development of the downgrader was stopped. Many believe though that the development never started. The groups made the following statement:

The Homebrew Groups announced in September 2005 that due to apparent legal threats and disruption to their activities from Sony: We want to announce that the collaboration between the two groups has been completely finished without success. We also want to announce that WAB has been dissolved. The relationship between the two groups were vanishing days ago (some of our members were banned from their server) and there is no progress with the collaboration. In addition, the downgrader project (never finished) is immediately cancelled (it is not an excuse, we can’t explain our reasons, but are enough to do this).

On the 18th of September 2005, PSPCrazy.com posted an article with a link to download a beta downgrader. Since Yoshihiro, the co-leader of WAB cancelled the project, they decided to give it out to other people so they can continue working on it. The Beta Downgrader does not work in any of the 2 methods he states, so it really isn't anything to download, unless a PSP hacking group wishes to take over and become famous for succeeding software reflashing. Several groups are already tinkering with many combinations with the EBOOT.PBP files encoded to run the downgrader.

A user named 'CBMaster' has stated in PSP hacking forums: "In versions 1.5X-2.00, Sony has not added a security barrier that tells to double-check the UPDATER_VER in PARAM.SFO to see if they are both correct. When WAB released the beta, the 1.50 firmware does launch successfully when swapping memory sticks because of the fact that the latest PSP firmware still does not cover the security. Future updates may enable Sony to add a type of security layer like that. The only reason why 1.50 launched successfully, but still cannot Start, is because the MEM STICK 1 HAS A UPGRADE_VER NUMBER OF 3.00, WHILE THE MEM STICK 2 HAS A UPGRADER_VER NUMBER OF 1.50".

In the latest version of the firmware, an exploit was found in the PSP's image viewing software that could use buffer overflow to run small pieces of code, including PONG. This exploit was used to create a downgrader, so that version 2.0 PSPs could return to 1.50 state and run homebrew software.

An exploit has been found in GTA that allows unsigned code to be run through a savegame on versions 2.00-2.60. The author has made a CheatDevice which executes when you load the game, and then you can load another game after and use the CheatDevice with your own save.

While not an unsigned code exploit per se, PSP homebrew began when hackers discovered a web browser embedded in Wipeout Pure, originally used to download free expansion packs for that game. It turned out to be a trivial matter to hijack this web browser and use it to view legitimate webpages and search via Google.

This merely involves setting up the PSP's primary DNS server to a specially set-up PSP webportal (example) and the secondary DNS server to the router's IP address. Whenever the downloads section of Wipeout Pure is accessed, the PSP's browser will be redirected to the webportal.

In order to activate the web browser, simply change your primary DNS to 67.171.70.72 (or the IP address of any other webportal) and go to the downloads section on the game.

In January, 2005, a firmware update was leaked from Sony. However, this update is a "dummy" file, and will "brick" your PSP if you use it. Why it will render your PSP useless is unknown, as with a homebrew tool called "MPH Firmware Launcher" which launches other firmware from the memory stick, the firmware runs fine, but none of the updates it said it would add are there. In firmware 1.5 and up the "update" registers as corrupt data, and cannot be started. This "update" when run on a 1.0 PSP would say before the update, that it would add:

• RSS Feed Reader
• Portable Calculator
• Email software
• Spreadsheet software
• Small word processor
• Web Browser
• Scheduler
• Bug Fixes

Currently the RSS Feed feature has been added, but only to play sound, not read RSS news or view videos, the web browser has been added, and lastly bug fixes have been added.

On June 15 2005, a team called PSP-DEV released an exploit, called the "Swaploit", that allowed version 1.50 PSPs to run homebrew applications. The trick involves 2 Memory Stick Duo cards: one with an empty trick loader, and one with the actual homebrew application; the former is swapped with the latter as soon as the trick loader is started (which is when the white start-up screen is displayed). On June 22 2005, PSP-DEV solved this problem using a bug of the FAT system of the Memory Stick Duo, making the loading of homebrew software possible with a single Memory Stick Duo. This exploit is commonly known as "KXploit."[1]

Ironically enough, on the same date, June 15, 2005, Sony released a minor PSP firmware update, version 1.52, which disables all known exploits and adds one new feature: direct access to UMD Music from the main menu. Newer PSP games will force this upgrade in order to play, and will include it on the UMD itself to install when the game is booted for the first time. The upcoming European, Australian, and New Zealand launch PSPs have been confirmed to include firmware version 1.52 (with 2.0 on the accompanying UMD) to try to minimize the homebrew PSP scene. It is now possible to downgrade because of MPH[2], who used the toc2rta[3]hack. In the future, Sony may open up PSP development as they did with the PlayStation 2 Linux kit (though it was very limited). They have already discussed running Linux on the PlayStation 3 and using the PSP as a secondary controller for it, similar to the Game Boy Advance + GameCube link, so it would seem logical to open up the PSP as well.

The PSP homebrew capability currently relies on firmware version 1.00, 1.50, or 2.00 through Fanjita's EBOOT Loader. There is also an exploit in GTA savedata that allows unsigned code be run on 2.00-2.50 and 2.60. The author has now found support for 2.60, and the only unsigned code it runs currently is a cheat device. Some games, (Coded Arms, Death, Jr.) require and includes version 1.50 firmware, suggesting that future games may also require firmware upgrades. However, methods exist to bypass the 1.50 firmware requirement, and these methods may be created for future games as well. However, if the game actually relies on added functions in newer firmware versions (as was the case for some games that required an update to 1.50), these methods may not work.

By utilizing the ISO image dumped from Universal Media Disc, some homebrew application called fastloader can be used as the boot loader for the ISO image, it almost makes the PSP can execute any dumped UMD games or Video.

Another ISO Image Loader was made by the makers of Fastloader, called UMD Emulator. This loader, instead of running the ISO, Emulates the ISO as a UMD in the drive, so then you can run the game via the XMB.

There are many other ISO Loaders, such as Devhook. The loaders are mainly concerned with piracy, and thus mentioning them in some forums is not tolerated. Speculations were made that after the MPH Downgrader was released, more and more PSP Owners were gaining access to ISO Loaders, that in the near future, UMD Game sales will go down and larger sized Memory Stick Duo/PRO Duos will increase.

There are also Booters/Loaders which only run one certain game. Some run an ISO, whereas some others run the psp_game directory (found in the UMD) from the boot of the Memory Stick. Most Loaders require a disc to be put in the drive. Any disc would do, including the Sample Disc. Most of the psp_game runners require the folder to be renamed (in the case of Coded Arms, coa_game).

Many PSP games can be found on Bittorrent servers, and torrents can be found off sites such as torrentreactor.net. When the torrents are downloaded, they can be run with torrent programs such as BitComet, and the file would be downloaded. Most torrents download a RAR Archive, similar to Zip, Ace and 7z files, and require WinRAR or WinAce to extract. Then, the ISO or the psp_game would be found in the archive.

ISO Image Loaders do not work with the newer games such as GTA Liberty City Stories and SOCOM, as these games only work on Firmware version 2.0 and force you to upgrade. Currently the loaders do not work on Firmware version 2.0.

At the current moment there are ten games that require 2.00, some of which include: GTA, SOCOM, The HUSTLE, and King Kong. Here is a list of Games Working on 1.50 which do or do not run with Emulators on Firmware 1.50

Emulators for the following systems are currently available for 1.00 or 1.50 firmware PSPs:

• Amiga 500
• Atari ST
• Game Boy Color
• Game Boy Advance
• Sega Genesis
• MAME
• MSX
• NeoGeo
• NES
• PC Engine
• PC-9801
• PlayStation
• PC
• Sega Master System
• Super NES
• Windows
• WonderSwan
• ZX Spectrum

Emulators, and other software, can easily be downloaded at PSP hacking websites such as PSP Updates PSPBrew or PSP Vault. Homebrew games are also available at Games Depot supporting multiple players. PSP hacking websites also document how to place these files onto your PSP and run them.

As some newly released PSP games required an updated PSP firmware version, there is a need to upgrade the firmware in order to play new games. Usually, the firmware is included inside the UMD disc. To tackle this issue, homebrew team SonyXTeam's Yoshihiro (former W.A.B member) released the utility called "SXT Version Changer" to change the version number (Physically, not actually changing the revision) for the PSP to read.

The Version Changer 2.0 for 2.0 PSP's is used to launch the MPH Downgrader, since it changes the version to 1.00, therefore launching the 1.50 firmware update.

There is a program called "No Update UMD Starter" which is far better than a version changer that actually looks for the UMD0:/PSP_GAME/SYSDIR/BOOT.BIN and skips the update which is in UMD0:/PSP_GAME/SYSDIR/UPDATE/BOOT.BIN to allow the game to load.

Sony, seeing that not many people were updating their PSPs to 1.51 or 1.52, had to release an update with something that would give people an incentive to update. This feature was an official web browser, revealed at the Playstation Meeting 2005 on June 20. The Japanese version of the update was released a week later, on the 27th. In addition to a web browser, it also has support for higher-quality AVC MPEG-4 video, the ability to change the wallpaper for the system, and many other features. When the update arrived, many people, not wanting to wait for an official US release, updated their US PSPs with the Japanese upgrade, despite Sony’s warning about upgrading a non-Japanese PSP with the Japanese version. A few days later, Sony announced that 2.0 would be released in the US on August 12th, at which point Sony announced the upgrade would be delayed to August 15th. In fact, it wasn’t until the 24th that the US 2.0 was released, almost two weeks after it was due. However, users who updated to the JP update could not overwrite it with the US version. The US 2.0 was delayed because Sony found more security holes in the JP version of 2.0 and had to delay the US version to patch the holes. The JP version was also re-released.

Normally, on a 2.0 PSP, unsigned code will appear as corrupted data, thus shutting the door for standard homebrew. But, since 2.0 has a web browser, it can view HTML files, so, right after 2.0 was initially released, people immediately started work on games and applications that run through 2.0's browser. Some examples include: WinPSPortal (A collection of many games, links, and apps), IE2PSP, which converts Internet Explorer bookmarks to PSP bookmarks, and an E-Book reader "hack", that allows you to view text files through the browser. On August 5th, a person named realritzcracker, found a way to get past the corrupt data icon and get a program to boot, but it would crash. He did it by changing the game so that it looks like a 2.10 update. There have been many other advances, but none of them have been successful.

On September 23rd 2005, a buffer overun in the image rendering was discovered, allowing an unsigned binary file to be executed. The method involves the user setting a png image as their background, and then placing a special .tif file in their Photo directory. When the Photo menu is accessed, the binary file (h.bin) is loaded.

On September 25th 2005, the first "Hello World" program was released. The size of the binary is limited to 64kb, and the Psp cannot yet read unencrypted ELF (a PSP homebrew program) files, so further experimention is required before any kind of homebrew software can be run.

On September 26th 2005, the first playable game using the toc2rta TIFF exploit was released, called "TIFF Pong 2.00." It was the first actual playable 2.00 homebrew game, where the left paddle was controlled by the Up and Down buttons and the right paddle with the Triangle and X buttons.

On September 28th 2005, a successful downgrade method for 2.0 PSP users was released by a modding group known as MPH. Using the buffer overflow exploit discovered earlier, it's now possible to install 1.50 firmware onto a 2.0 firmware PSP, thus downgrading it and allowing for execution of unsigned code.

Moving quickly to fix the buffer overflow exploit found in version 2.0 firmware, on October 3rd 2005 Sony released the firmware version 2.01. It should be noted that firmware version 2.01 offers nothing new in the way of features and only closes the hole in 2.0 that allows users to downgrade. PSP users are warned not to update their firmware to 2.01 if they wish to continue running homebrew applications on their PSP.

Currently a GTA exploit, and a Tetris game from said exploit, are the only homebrew that can be run on 2.01/2.50. The exploit, with it's newest version (0.4), can be run on 2.60.

A claimed "overflow" by PSP3D is just a crash. It is not an exploit as claimed, and can not be further exploited. Several crashes have been created by various people, and none of them lead to an exploit. A similar "overflow" made by viewing savegames (the PSP3D "exploit" had the crash caused by viewing an "update" in the GAMES section).

A vulnerability was found from libungif at version below 4.1.4 and it was fixed at (2005-10-19 08:54), which was after the time when the 2.01 Firmware update was released. It has been tested on some PSPs to cause crashes. Currently there is no idea if this can be turned into an exploit that can load unsigned code.

It would be possible to be able to run 2.00+ specific games such as GTA and be able to run Homebrew using a Firmware Loader, such as the ones made by MPH and SonyXTeam. The PSP has four drives: ms0:\ (the Memory Stick), flash0:\ and flash1:\ (The BIOS and the flash memory) and disc0:\ (the UMD Drive). The Firmware is located on flash0:\ and flash1:\. All the files from flash0:\ would be copied to ms0:\FA and the files from flash1:\ would be copied to ms0:\FB and then the Firmware Loader would load the Firmware from the Memory Stick instead of the flash memory and BIOS. On 1.50, homebrew can be run and to play games such as GTA, 2.00 would be run from the Memory Stick. If a Firmware Loader is developed for Firmware 2.00's TIFF Exploit, then 1.50 would be loaded and homebrew would be able to run. Currently the Firmware Launchers aren't stable enough to give a 100% exact load.

On 28 November 2005, EdisonCarter, the same person who searched (by brute force) and released the list of cheat codes for GTA: Liberty city stories, released a homebrew application that was executed by loading a saved game file, and ran behind GTA allowing for various modifications to the game, such as infinite health, wanted level/weather/time editing, and the ability to "spawn" any of the vehicles in the game. He would later release an update that included more cheats.

On 13 December 2005, a PSP coder known as Fanjita (who was also responsible for the 2.00 EBOOT Loader) managed to create a "Hello World" for the GTA exploit, to prove that it would work.

On 14 December 2005, PSP3D created the first playable Homebrew for Firmware 2.01, "Tetris for Firmware 2.01". It was based on the GTA exploit HelloWorld script by Fanjita and EdisonCarter.

On 16 December 2005, Edison Carter had found support for his GTA exploit for the 2.60 firmware, meaning it may soon be possible to run arbitrary unsigned code even on PSPs with the 2.60 firmware.

The following programs are the Jewels of Homebrew and will work only with firmware version 1.5 and under. Though, currently a 2.0 eboot loader is under development by Fanjita wherein many of the programs listed would work on a 2.0 firmware. To get an updated list of the working programs on firmware 2.0 please check out Fanjita's working 2.0 homebrew list

• PSPRadio - a client for streaming (Shoutcast) Internet radio
• Peldet v0.7 - a Telnet and IRC client
• PSP Millionaire 1.07 - the Who wants to be a Millionaire game on the PSP
• Attack of the Mutants v0.4a - a space shooter (Modable) game
• Portable VNC 1.1 - a VNC Client for the PSP
• PSPacman 1.3 - Pacman game
• pspChess ver 0.31 - Chess for the PSP
• File Assistant v1.0 - File Assistant is a very nice file management program in which you can transfer files to and from the assistant, run, play files and more..
• Psp-httpd V0.2 Web Server - What this does is basically let you download files from your PSP using your wireless network connection. You can browse through the files on your web browser, as if you're surfing a website.
• Callisto v0.1 - A great side scrolling space shooter game.
• OSS-PSP v0.1 BETA - An Open-Source Operating System/Shell/GUI, currently in Beta version.
• Sudoku v2.0 - An excellent Sudoku game for the PSP.

All of these above programs can be downloaded from PSPUpdates, you may find tutorials for the above programs at PSPUpdate Forums

• Team PSPcrazy - creators of PSP Millionaire, PSP Monopoly, and many more upcoming homebrew.
• MPH - creators of the MPH Downgrader and MPH Firmware Loader.
• WAB - creators of the WAB Launcher and WAB Version Changer. Attempted (unsuccessfully) a downgrader. Consists of Alonetrio and (fmr.) Yoshihiro. Currently the WAB website is being sold, meaning that WAB is out of the picture.
• PSP-DEV - attempted the downgrader along with WAB. Created the Lumines Launcher.
• SXT - SonyXTeam, consists of Yoshihiro (from WAB). Creators of the SXT Firmware BFM Launcher and the SXT Firmware Version Changer, as well as a modification of the MPH Downgrader. Claims to have taken part in everything.
• Team Emergency Exit - Created PSPSet, attempting Dual-BIOS Dual-Load PSP Motherboard. Working on Quake 2 for PSP.
• PSP Team - Creators of the so-called PSP Team Downgrader, which is really Trojan. PSPBrick.
• ESPAL-PSP - Creators of Fastloader, UMD Emulator and various standalone loaders. Consists of (fmr.) Humma Kavula.
• toc2rta - Creators of the toc2rta TIFF Exploit. Consists of Saotome and Fanjita. Main site is a Wiki. Fanjita's site at http://www.fanjita.org/
• PSP3D - Claimed the Firmware 2.50 "overflow exploit" and the 1.50 to 1.00 Downgrader (which bricks your PSP. After numerous brickings, they then claimed that it only works on "virgin" 1.50 PSPs which are PSPs that were originally 1.50 and havent been upgraded/downgraded.)
• DST - Team DST claimed to have created a PSP modchip that allows Homebrew on all Firmwares. They said that they would release and sell the first batch in November 2005 on eBay. So far there is no sign of this so-called modchip.

On October 2, 2005, somebody under the name "PSP Team" released a homebrew program that was supposed to be another version of the downgrader. It turns out that this program was actually a trojan written for the PSP that, if run, would destroy the firmware and BIOS. In turn, the PSP would be un-bootable and turn into a "Brick". After the release of this program, many PSP homebrew sites were brought to a standstill making sure that every program was safe to use. This was officially reported by Symantec as Trojan. PSPBrick.

Any files that were based on the toc2rta TIFF exploit, such as the true Downgraders (MPH and all forms and modifications, such as SonyXTeam's) and the EBOOT Loader would be seen as Trojan. PSPBrick, even if they are perfectly safe.

• PSPBrew.com – Everything Homebrew. Has a Custom Brew Pack Generator which creates a custom pack with the homebrew you want ready for your PSP, just extract!
• iPSP – Converts and installs movies, music, and images onto a Memory Stick for use in a PSP; includes backup and restore for Game Saves.
• PSPware – Converts and installs movies, music, and images for use on a PSP; includes synchronization functionality (currently has Mac and Windows versions)
• PSP Video 9 – Free video conversion and management (Windows)
• Mobile Media Maker - Direct DVD-to-PSP conversion software. Also supports AVI, MPEG and Quicktime source movies.
• PocketMac – Sync Entourage or Address Book contacts, music & photos from your Mac to your PSP using iSync
• PSP Multimedia Extender – Convert video files (avi, mpeg, divx, etc.) into MPEG4, images (bmp, png, gif) and txt/HTML files to JPEG, and CD Audio to MP3 to be viewed on PSP. And mass file copying to the PSP while maintaining the directory and naming structures (Windows)
• XBConnect – provides free online multiplayer for the PSP in addition to the Xbox.
• XLink Kai – also provides free online multiplayer for PSP & Xbox.

• PSP Updates – The largest and most frequently updated homebrew news site. Also reports on new PSP games.
• PSP Hacks – Another frequently updated news website, focused more on just homebrew and hacking. Has all the available hacking tools on the site as downloads.
• PSPCrazy – News about PSP Games, Homebrew, videos. also known for receiving homebrew news first, posting it and then creating many tutorials on them to help out people.
• PSP Files – News about PSP hacks and exploits. Also hosts Conga Lines to earn free consoles including the PSP.
• PSP Wire – Information about games and homebrew. Accompanied by a growing archive of homebrew software and applications.
• PSP-Spot – An up-and-coming PSP scene website that has information and news about the latest games, homebrew and news related to the PSP. Rewarded number one website by PSP E-Mag's third issue PSP E Mag
• PD Roms – Covers homebrew news for many systems, also PSP. Updated daily and frequently.
• PSP News – Reports on homebrew news and commercial releases, such as games and accessories. Also has a database of nearly every PSP application ever released.
• Team X Hack An up and coming exploit team who is trying to defeat Sony.

• PSP Compatibility Lists – Wiki style compatibility list of PSP home brew games and emulators.