Vita Guides: Difference between revisions
No edit summary |
|||
| Line 24: | Line 24: | ||
=== CEX (Retails) === | === CEX (Retails) === | ||
Dumping NVS or using Apps to check and display the token name. (eg: PSVident or QAFUtility [PCSI90043]) | Dumping NVS or using Apps to check and display the token name. (eg: [https://github.com/Freakler/vita-PSVident PSVident] or QAFUtility [PCSI90043]) | ||
| Line 62: | Line 62: | ||
=== via Software === | === via Software === | ||
Download [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe]<br> | Download this custom [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe] (might require .net 4.5.2)<br> | ||
<code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | <code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | ||
where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via <code>psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."</code> | where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via <code>psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."</code> | ||
| Line 68: | Line 68: | ||
=== via Hardware === | === via Hardware === | ||
remove the Battery for a couple seconds and set the earliest possible date. (You can re-de-activate via setting time via Internet) | remove the Battery for a couple seconds and set the earliest possible date in setup. (You can re-de-activate via setting time via Internet) | ||
== How to re-activate a TestKit == | == How to re-activate a TestKit == | ||
via | via [http://wiki.corcovado.info/downloads/reAct.vpk reAct.vpk]<br> | ||
(You can re-de-activate via button combo to reset timer: POWER + PSButton + START + SELECT) | (You can re-de-activate via button combo to reset timer: <code>POWER + PSButton + START + SELECT</code>) | ||
| Line 86: | Line 86: | ||
=== without activation === | === without activation === | ||
use Henkaku / Henlo | use Henkaku / Henlo | ||
load devdumper skprx via plugin loader for example | |||
| Line 96: | Line 97: | ||
=== via Vita === | === via Vita === | ||
SD2Vita required + StorageMgr | SD2Vita required + StorageMgr | ||
== How to unpack a MemoryCard raw dump == | |||
Download [http://wiki.corcovado.info/downloads/mkfs.exe mkfs.exe] | |||
Use <code>mkfs.exe extract mc.img out</code> to unpack ux0 partition and then OSFMount to mount the partition files on Windows. | |||
== How to fix a Devkit stuck in PSTV + release mode == | == How to fix a Devkit stuck in PSTV + release mode == | ||
| Line 101: | Line 108: | ||
<code>psp2ctrl set-setting integer bootparam:/release_check_mode_console 0</code><br> | <code>psp2ctrl set-setting integer bootparam:/release_check_mode_console 0</code><br> | ||
<code>psp2ctrl set-setting integer bootparam:/development_mode 1</code><br> | <code>psp2ctrl set-setting integer bootparam:/development_mode 1</code><br> | ||
== How to downgrade a PDEL below 1.692 == | == How to downgrade a PDEL below 1.692 == | ||
Install a Henkaku/Henlo hackable firmware and then use modoru v1.0 (since it provides its own spkg keys when decryption fails) | Install a Henkaku/Henlo hackable firmware and then use [https://github.com/TheOfficialFloW/modoru/releases/tag/v1.0 modoru v1.0] (since it provides its own spkg keys when decryption fails) | ||
| Line 113: | Line 121: | ||
=== DEM-3000G/H === | === DEM-3000G/H === | ||
[https://dem3000g.github.io/] | [https://dem3000g.github.io/ Teardown Guide] | ||
== How to unpack an emmc/nand dump == | == How to unpack an emmc/nand dump == | ||
Use <code>psp2scefstool -x emmc.img out</code> to unpack and then OSFMount to mount the partition files on Windows. | Use <code>psp2scefstool -x emmc.img out</code> to unpack and then OSFMount to mount the partition files on Windows. | ||
== How to check emmc/ud0 partition for leftover | |||
Hex search for "SCEUF" | == How to check emmc/ud0 partition for leftover PUP == | ||
Hex search for "SCEUF" and check if all segments are still there. | |||
== How to extract a Firmware PUP == | == How to extract a Firmware PUP == | ||
use pup_fiction | use pup_fiction | ||
Revision as of 13:29, 29 June 2023
How to check if a DevKit's Firmware is Internal/External
Activate and try run a game cartridge. If there is an error it is most likely internal. To confirm it needs to be dumped and the modules checked.
On emmc dumps you can hex-search for 83 FF AD 6D 24 F3 39 64 A0 61 78 8D A0 68 3B 19 which the start of a metadata block only present in Internal Firmwares.
How to check if a DevKit has been activated before & when
via Neighborhood
Download this custom psp2ctrl.exe (might require .net 4.5.2)
Running psp2ctrl.exe get-setting kernel:/bootparam will return something like
45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the CP Date (here 17/01/2023) If its 00 00 00 00 the kit has never been activated!
via Homebrew
via act.dat
Open tm0:activate/act.dat with a HexEditor.
At 0x8 is the (int) counter of activations.
At 0xC the start date in Unix format and at 0x10 the end date in Unix format.
How to check if there is a QAF token installed
In any case dumping NVS is the savest way to tell for sure if and which kind of token is installed!
CEX (Retails)
Dumping NVS or using Apps to check and display the token name. (eg: PSVident or QAFUtility [PCSI90043])
DEX (TestKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed.
TOOL (DevKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed. For DevKits you can often tell from the Console Output alone as it will have additional debug output. It is however possible that there is an inactive token still installed while the firmware was reverted to external for example. In that case only dumping NVS can tell.
What kind of QAF Tokens are there and what do they do
| Name | Flags | Notes |
|---|---|---|
| QAF_QATEAM_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units (early) |
| QAF_QATEAM_MINI_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units |
| QAF_QATEAM_FULL_E | 11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units |
| QAF_SYS_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01 | for DevKits used for "System Development" |
| QAF_MGVIDEO_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01 | for DevKits used for "MagicGate Video Development" |
| QAF_MGVIDEO_ADV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01 | for DevKits used for "MagicGate Video Development" |
The "_E" / or "_I" suffix indicates the Firmware the token is for. (External / Internal)
How to fake re-activate a DevKit
The CP Battery cannot be empty!
via Software
Download this custom psp2ctrl.exe (might require .net 4.5.2)
psp2ctrl.exe get-setting kernel:/bootparam will return something 45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."
via Hardware
remove the Battery for a couple seconds and set the earliest possible date in setup. (You can re-de-activate via setting time via Internet)
How to re-activate a TestKit
via reAct.vpk
(You can re-de-activate via button combo to reset timer: POWER + PSButton + START + SELECT)
How to dump a DevKit
with activation via Neighborhood
1) rename "devdump_xxxxxx.skprx" to "bootstrap.skprx" and put into local file serving directory (host0)
2) enable devmode (via for example psp2ctrl set-setting integer bootparam:/development_mode 1)
3) run "ngs_exploit_XXX.self"
NGS Exploit files: https://www.mediafire.com/folder/7h2n6rqu5rqks/NGS
Devdumpers: https://github.com/SKGleba/VitaTools/tree/main/devdumper/build
without activation
use Henkaku / Henlo load devdumper skprx via plugin loader for example
How to dump a MemoryCard
If it is a "Sample" MemoryCard they will only work for Firmwares earlier than 1.692!
via (activated/hacked) DevKit
neighborhood + devdumper
via Vita
SD2Vita required + StorageMgr
How to unpack a MemoryCard raw dump
Download mkfs.exe
Use mkfs.exe extract mc.img out to unpack ux0 partition and then OSFMount to mount the partition files on Windows.
How to fix a Devkit stuck in PSTV + release mode
psp2ctrl set-setting integer bootparam:/platform_emulation_dolce 0
psp2ctrl set-setting integer bootparam:/release_check_mode_console 0
psp2ctrl set-setting integer bootparam:/development_mode 1
How to downgrade a PDEL below 1.692
Install a Henkaku/Henlo hackable firmware and then use modoru v1.0 (since it provides its own spkg keys when decryption fails)
How to replace a CP Battery
They all use a CR2032
PDEL / new DEM
Open the shell and remove all screws from the CP board. The battery is located on its front.
DEM-3000G/H
How to unpack an emmc/nand dump
Use psp2scefstool -x emmc.img out to unpack and then OSFMount to mount the partition files on Windows.
How to check emmc/ud0 partition for leftover PUP
Hex search for "SCEUF" and check if all segments are still there.
How to extract a Firmware PUP
use pup_fiction