Vita Guides: Difference between revisions
No edit summary |
No edit summary |
||
| Line 62: | Line 62: | ||
Download [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe]<br> | Download [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe]<br> | ||
<code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | <code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | ||
where "45 03 C7 63" is the | where "45 03 C7 63" is the CP timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp. Then write back via <code>psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."</code> | ||
| Line 70: | Line 70: | ||
== How to re-activate a TestKit == | == How to re-activate a TestKit == | ||
via Homebrew<br> | via Homebrew<br> | ||
(You can re-de-activate via button combo to reset timer) | (You can re-de-activate via button combo to reset timer: POWER + PSButton + START + SELECT) | ||
Revision as of 20:16, 28 June 2023
How to check if a DevKit's Firmware is Internal/External
Activate and try run a game cartridge. If there is an error it is most likely internal. To confirm it needs to be dumped and the modules checked.
On emmc dumps you can hex-search for 83 FF AD 6D 24 F3 39 64 A0 61 78 8D A0 68 3B 19 which the start of a metadata block only present in Internal Firmwares.
How to check if a DevKit has been activated before & when
via Neighborhood
Download psp2ctrl.exe
Running psp2ctrl.exe get-setting kernel:/bootparam will return something like
45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the date (here 17/01/2023)
via Homebrew
via act.dat
How to check if there is a QAF token installed
In any case dumping NVS is the savest way to tell for sure if and which kind of token is installed!
CEX (Retails)
Dumping NVS or using Apps to check and display the token name. (eg: PSVident or QAFUtility [PCSI90043])
DEX (TestKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed.
TOOL (DevKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed. For DevKits you can often tell from the Console Output alone as it will have additional debug output. It is however possible that there is an inactive token still installed while the firmware was reverted to external for example. In that case only dumping NVS can tell.
What kind of QAF Tokens are there and what do they do
| Name | Flags | Notes |
|---|---|---|
| QAF_QATEAM_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units (early) |
| QAF_QATEAM_MINI_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units |
| QAF_QATEAM_FULL_E | 11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03 | for "QualityAssurance Team" units |
| QAF_SYS_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01 | for DevKits used for "System Development" |
| QAF_MGVIDEO_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01 | for DevKits used for "MagicGate Video Development" |
| QAF_MGVIDEO_ADV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01 | for DevKits used for "MagicGate Video Development" |
The "_E" / or "_I" suffix indicates the Firmware the token is for. (External / Internal)
How to fake re-activate a DevKit
The CP Battery cannot be empty!
via Software
Download psp2ctrl.exe
psp2ctrl.exe get-setting kernel:/bootparam will return something 45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the CP timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp. Then write back via psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."
via Hardware
remove the Battery for a couple seconds and set the earliest possible date. (You can re-de-activate via setting time via Internet)
How to re-activate a TestKit
via Homebrew
(You can re-de-activate via button combo to reset timer: POWER + PSButton + START + SELECT)
How to dump a DevKit
with Activation via Neighborhood
0) Re-Activate
1) rename "devdump_xxxxxx.skprx" to "bootstrap.skprx" and put into local file serving directory (host0)
2) enable devmode (via for example psp2ctrl set-setting integer bootparam:/development_mode 1)
3) run "ngs_exploit_XXX.self"
NGS Exploit files: https://www.mediafire.com/folder/7h2n6rqu5rqks/NGS
Devdumpers: https://github.com/SKGleba/VitaTools/tree/main/devdumper/build
without activation
use Henkaku / Henlo
How to dump a MemoryCard
If it is a "Sample" MemoryCard they will only work for Firmwares earlier than 1.692!
via (activated/hacked) DevKit
neighborhood + devdumper
via Vita
SD2Vita required + StorageMgr
How to fix a Devkit stuck in PSTV + release mode
psp2ctrl set-setting integer bootparam:/platform_emulation_dolce 0
psp2ctrl set-setting integer bootparam:/release_check_mode_console 0
psp2ctrl set-setting integer bootparam:/development_mode 1
How to downgrade a PDEL below 1.692
Install a Henkaku/Henlo hackable firmware and then use modoru v1.0 (since it provides its own spkg keys when decryption fails)
How to replace a CP Battery
They all use a..
PDEL / new DEM
Lorem Ipsum
DEM-3000G/H
Lorem Ipsum
How to unpack an emmc/nand dump
Use psp2scefstool -x emmc.img out to unpack and then OSFMount to mount the partition files on Windows.
How to check emmc/ud0 partition for leftover PUPs
Hex search for "SCEUF"
How to extract a Firmware PUP
use pup_fiction