Beginners Guide To PSP

1
Beginners Guide To PSP

• Information on the PSP-1000, PSP-2000, PSP-3000,
  and the PSP Go!

Created Sunday, March 29, 2009 Updated Sunday,
December 06, 2009
Version 5.3.1
2
Basic Info For This PowerPoint

• If you see one of these , please read the note
  at the bottom, most of them are very important
• Internal flash refers to the NAND/LFlash, where
  the firmware is stored. This is not the same as
  the RAM.
• Hackable refers to the ability to unbrick and/or
  install custom firmware using Pandora/Despertar
  del Cementerio
• If a link will not open normally, right-click and
  select Open Hyperlink
• Original Firmware OFW, Custom Firmware CFW
• HEN Homebrew ENabler temporary CFW that goes
  away with a full shutdown and restart, used with
  an exploit that has kernel access to allow most
  (if not all) homebrew to run, can sometimes
  enable other CFW features
• Most apps talked about have a download link on
  the Downloads page

This is an important note
3
The Reason For Custom Firmware

• Everybody new to the PSP scene needs to know
  this, so read it.
• If you are only getting CFW so you can go
  download official games for free, then you
  shouldnt use CFW.
• The only reason CFW even has an ISO loader in it
  is so people can use their LEGAL BACKUP COPIES OF
  UMDS THEY ALREADY OWN!!!, not so people can
  pirate games.
• The real reason CFW was created was to completely
  open the PSP so people can play homebrew games or
  use applications that are otherwise blocked by
  OFW, and use the hardware to its full potential.

This is my opinion, what you do with CFW is your
own business. Just know that dark-alex.org does
NOT support piracy. This is a known fact and is
NOT my opinion.
4
Table of Contents

• Basic Info For This PowerPoint 2
• The Reason For Custom Firmware 3
• Table Of Contents 4
• Regions And Model Numbers 5
• Fake CFW Warning 6
• Exploits and How To Find Them 7
• User And Kernel Mode 8
• PSP-1000 Series Comparison 9
• PSP-1000 Motherboards 12
• PSP-2000 Series Comparison 13
• PSP-2000 Motherboards 16
• About The TA-088v3 17
• How To Tell If Its A TA-088v3 18
• PSP-3000 Series Comparison 19
• PSP-3000 Motherboards 22

• About the PSP-3000 - 23
• PSP-3000/TA-088v3 Compatible Exploits 24
• PSP Go! Series Comparison 25
• PSP Go! Motherboards 28
• Downgrading Without Pandora 29
• Battery Info And Pandora Battery Creation 30
• Now What? (Hackable) 31
• Now What? (Unhackable) 32
• ISO to EBOOT Explanation 33
• Downloads 34
• OFW Changelogs 35
• CFW Version Information 42
• PowerPoint Change Log 43
• Credits - 44

5
Regions And Model Numbers

• It doesnt matter if you have a PSP-3004 or a
  PSP-3001, its still a PSP-3000 in relation to
  what model it is. The only difference between a
  PSP-3001 and a PSP-3004 is where it was sold, so
  in other words the last 1 or 2 numbers designates
  region. Here is a list of all the different model
  numbers and the region they belong to
• PSP-1000/2000/3000/N1000 Japan
• PSP-1001/2001/3001/N1001 North America
• PSP-1002/2002/3002/N1002 Australia/New Zealand
• PSP-1003/2003/3003/N1003 UK
• PSP-1004/2004/3004/N1004 Europe
• PSP-1005/2005/3005/N1005 Korea
• PSP-1006/2006/3006/N1006 Hong Kong/Singapore
• PSP-1007/2007/3007/N1007 Taiwan
• PSP-1008/2008/3008/N1008 Russia
• PSP-1009/2009/3009/N1009 China
• PSP-1010/2010/3010/N1010 Mexico

6
Fake CFW Warning

• Lately, there have been a lot of fake Custom
  Firmwares popping up on YouTube, mostly 5.55 and
  6.00 (these are the easiest to fake), these are
  usually just people looking for their 5 minutes
  of fame.
• There are a few ways to tell if someone is faking
  or not
• 1. Know the OFW they are trying to customize, if
  one thing seems off, its probably fake.
• 2. Do a Google search on their username, if
  nothing good turns up, theres a chance theyre
  faking
• 3. If they make multiple excuses/postpone the
  release multiple times, its probably a fake
• I have made a fake CFW myself just to show people
  how easy it is to make a fake 6.00 CFW without
  any coding experience, I only used 7 files from
  6.10 and 2 plugins and it looks exactly like 6.00
  to the untrained eye, see it here.

7
Exploits and How To Find Them

• What is an exploit?
• To put it into simpler words, an exploit is
  basically a piece of software, or code that takes
  advantage of a bug or vulnerability in a piece of
  software or hardware.
• If a user-mode exploit is found on the PSP, it
  will enable a good amount of homebrew to run.
  Possibly allowing an eLoader to be coded.
• If the user-mode exploit is supplied with a
  kernel-mode one, you will be able to make a HEN.
• For more info on User and Kernel-Mode, refer to
  slide 5.
• Please refer to slide 18 for more info regarding
  current exploits that work with the TA-088v3 and
  the 3000, and slide 22 for info on past exploits
  used on the Phat.
• Here are some tutorials about exploits
• Finding gamesaves exploits on the PSP
• Looking for vulnerabilities in the PSP Firmware

8
User And Kernel Mode

• Kernel-mode is much like administrator rights on
  a PC. It has more access over the computer than a
  normal user would have.
• A "Kernel" is actually the interface between
  software and hardware. The kernel tells the
  hardware what to do, and it receives data from
  the software/firmware.
• With a Kernel-mode exploit you can access program
  functions that are normally only available to
  Sony-signed code, or Sony technicians.The
  kernel-mode would have more access to functions
  that would allow the control of the Hardware and
  firmware.
• User-mode is simply the normal mode that a
  software (a game) would be able to access. In a
  way, it only allows access to what a game or a
  typical user has access to.
• Basically, a kernel-mode exploit would allow
  access to hardware and firmware functions, while
  the user-mode exploits would deny access to those
  things.
• Kernel-mode exploits are harder to find in-game
  than in-XMB
• Both a user-mode and a kernel-mode exploit are
  needed to make a HEN.

9
PSP-1000 Series

• This PSP is also known as the Phat

• How To Tell If Its A Phat
• Speaker holes are at the bottom of this PSP
• The WLan switch is on the left side
• The UMD drive is opened by a latch on the top
• The back of the Phat has humps on both sides

10
PSP-1000 Series Pros

• All versions of the 1000 are hackable
• Is compatible with the 1.50 kernel, which is used
  in older homebrew
• Is built strong with an internal metal frame
• Has a built-in IR port

11
PSP-1000 Series Cons

• Small internal flash (32MB)
• Low amount of RAM (32MB)
• Heavy
• No TV-Out
• Not compatible with Skype

12
PSP-1000 Motherboards

• To find out which motherboard you have, use
  PSPIdent v0.4

13
PSP-2000 Series

• This PSP is also known as the Slim

• How To Tell If Its A Slim
• The speaker holes are at the top
• The WLan switch is on top
• The UMD drive is opened manually
• The back of the Slim is flat with a slight curve
  at each end

14
PSP-2000 Series Pros

• Large internal flash space (64MB)
• Large amount of RAM (64MB)
• Lighter than 1000 Series
• Has a TV-Out feature for HDTVs
• Certain homebrew is designed to use the Slims
  extra RAM, this type of homebrew only works on
  the Slim or higher
• As of OFW 3.90, the Slim has the ability to use
  Skype

15
PSP-2000 Series Cons

• Not all Slims are hackable, Slims with the
  motherboard TA-088v3 cannot be hacked yet
• The only way to run homebrew on a TA-088v3 is to
  use exploits/HEN/CFW Enabler
• Uses a plastic frame, easier to break
• No IR port
• Easily shows fingerprints
• PSP games cant be played using TV-Out on
  standard TVs, only HDTVs

16
PSP-2000 Motherboards

• To find out which motherboard you have, use
  PSPIdent v0.4

17
About The TA-088v3

• This motherboard has a new CPU, this CPU holds a
  new Pre-IPL, the new Pre-IPL blocks all current
  custom IPLs used for custom firmware, this is the
  reason the TA-088v3 cannot be hacked yet.
• For more info, visit this page

18
How To Tell If Its A TA-088v3

• If you purchased a new PSP-2000, how can you tell
  if its hackable? Well there are many ways to
  tell!
• Look for your box letter, if its a G or
  higher, its most likely a TA-088v3 (Fig. A)
• Check to see which firmware it came with, if it
  came with Version 4.01 or higher, its most
  likely a TA-088v3 (Fig. B)
• If it was used and has firmware 5.03 or under ,
  the easiest way to tell if its a TA-088v3 is to
  run PSPIdent v0.4 thru ChickHEN, this also works
  on new PSP-2000s as well (Fig. C)

Fig. A
Fig. B
Fig. C
This method only works on NEW PSPs, if you
purchased it used, the original owner could have
updated the firmware
19
PSP-3000 Series

• This PSP is also known as the Brite

• How To Tell If Its A Brite
• The Home button is now a PS button
• The PS, Select, and Start buttons are oval
  instead of half-circles
• The metal ring on the UMD drive is thinner
• The D-Pad and Action buttons now sit in a small
  crater
• The edges are rounded
• There is a mic hole next to the PSP logo under
  the screen

20
PSP-3000 Series Pros

• Large internal flash space (64MB)
• Large amount of RAM (64MB)
• Lighter than 1000 Series
• Has a new screen with better color
• Has a built-in microphone
• TV-Out is enhanced, PSP games can be played on
  any TV
• Can use Skype

21
PSP-3000 Series Cons

• None of the PSP-3000 Series systems can be hacked
  yet
• Some people can see interlacing lines on the new
  screen
• The only way to currently run homebrew is to use
  exploits/HEN/CFW Enabler
• Uses a plastic frame, easier to break
• No IR port

22
PSP-3000 Motherboards

• To find out which motherboard you have, use
  PSPIdent v0.4

23
About the PSP-3000

• This motherboard has a new CPU, this CPU holds a
  new Pre-IPL, the new Pre-IPL blocks all current
  custom IPLs used for custom firmware, this is the
  reason the PSP-3000 cannot be hacked yet.
• For more info, visit this page
• Also, the PSP-3000 has no reaction to current
  jigkick (also known as Pandora) batteries, making
  it even harder to hack.

24
PSP-3000/TA-088v3/Go Compatible Exploits

• Lately, the PSP-3000 has started a search for
  exploits that allow unsigned code to be run on
  Official firmware, this is a list of known user
  mode exploits for the PSP-3000/
  TA-088v3/Go
• Format Exploit Name firmware supported info
• Gripshift Exploit 1.52-5.02 This exploit uses
  the UMD game Gripshift to launch homebrew using a
  hacked savegame, the homebrew this exploit
  launches must be coded specifically for this
  exploit, this exploit was patched in 5.03
• Easter Eggsploit (Also known as the Laughing
  Man TIFF Exploit) 5.00-5.05 This exploit was
  found by MaTiAz, it uses a bug in the way Sony
  implemented libtiff to run unsigned code. A HEN
  (named ChickHEN) was created for 5.03 by Davee,
  who found the kernel exploit needed for a HEN.
  Using the ChickHEN, PSP Slims with the TA-088v3
  Motherboard and the PSP-3000 are able to use most
  homebrew. Using a homebrew called CFW Enabler,
  the TA-088v3 and the PSP-3000 can run 5.03
  M33/MHU on top of the HEN. This exploit was
  patched in 5.50
• MOHH Exploit 3.03-5.55 This exploit uses the
  UMD game Metal of Honor Heroes to launch
  homebrew using a hacked savegame, the exploit
  happens when you kill yourself in an adhoc
  multiplayer mode. Currently, the homebrew this
  exploit launches must be coded specifically for
  this exploit, but an eLoader is currently being
  coded for it, this exploit was patched in 6.00
• Mercury Exploit - ?.??-6.10 This exploit uses
  the game Archer Macleans Mercury to launch
  homebrew using a hacked savegame. The homebrew
  this exploit launches must be coded specifically
  for this exploit .See this page for more info.
  This exploit was patched in 6.20

This does not mean you can now install CFW on an
unhackable motherboard, it just makes the HEN
more CFW-like, DO NOT TRY TO INSTALL CFW ON
TA-088v3 OR PSP-3000, YOU WILL GET A BRICK!!!
25
PSP Go! Series

• This PSPs model number is PSP-N1000

• How To Tell If Its A Go!
• The PS button is located on the left side of the
  screen
• This system has no UMD Drive
• This system can slide up and down to hide/reveal
  buttons
• The speaker holes are four dots in a diamond
  pattern beside the screen
• This system has a Bluetooth indicator light on
  the right of the screen, and a Wi-Fi indicator
  light on the left
• There is a mic hole between the analog stick and
  the start/select buttons

26
PSP Go! Pros

• Has 16 GB Internal Flash Memory
• Smaller and lighter than PSP-2000/3000
• Game Sleep Function (Save State)
• Bluetooth Compatibility
• - Can be paired with a PS3 controller
• - Can connect to a cell phone and use it to
  connect to the internet
• - Can use a Bluetooth headset

A PS3 is required to pair a PS3 controller with
the PSP Go!
27
PSP Go! Cons

• No UMD Drive
• Smaller Screen (3.8 inch)
• Uses a custom USB/AV Out/Charge port, AV Out
  cable for 2000/3000 will not work, chargers for
  1000/2000/3000 will not work, special USB cable
  needed
• Uses M2 memory cards, so MS Pro Duo will not work
  with the PSP Go!
• There is no current way to run homebrew on the Go!

28
PSP Go! Motherboards
29
Downgrading Without Pandora

• Before Pandora existed, installing CFW involved
  downgrading to 1.50 thru exploits then upgrading
  to CFW, exploits can still be used to install CFW
  with the help of Hellcats Recovery Flasher,
  this is a list of all user mode exploits that
  have the ability to downgrade/install CFW (a
  kernel mode exploit is needed for HEN)
• Format Exploit Name (Game Used) Type
  firmware supported info
• TIFF Exploit eLoader 2.00 Used a bug in
  libtiff to run unsigned code, this exploit was
  patched in 2.01
• GTALCS Exploit (GTALCS) eLoader 2.00 to
  2.60 Used a modified savegame to run unsigned
  code, can be used to downgrade in 2.50, 2.60,
  save slots 1-7 were patched to prevent this
  exploit in 2.70
• TIFF Exploit eLoader/HEN 2.01 to 2.80 Used a
  bug in libtiff to run unsigned code, can be used
  to downgrade in 2.01, 2.71, 2.80, this exploit
  was patched in 2.81
• Goofy Exploit (GTALCS) HEN 2.00 to 3.03
  Used a modified savegame to run unsigned code,
  this exploit is different than the one for
  firmwares 2.00 to 2.60 as it uses save slot 8
  instead of slots1-7, Sony patched slots 1-7 but
  not slot 8, can be used to downgrade in 3.03,
  this exploit was completely patched in 3.10
• Illuminati Exploit (Lumines) HEN 1.50 to
  3.50 Used a modified savegame to run unsigned
  code, can be used to downgrade in 3.11,3.50, this
  exploit was patched in 3.51
• Easter Eggsploit HEN 5.00 to 5.05 Also
  called the Laughing Man Exploit, uses a bug in
  the way Sony implemented libtiff to run unsigned
  code, can be used to install CFW on 5.03, this
  exploit was patched in 5.50

Do not try this on a PSP-2000 with the TA-088v3
motherboard or on a PSP-3000, you will end up
with an unrecoverable brick!! You have been
warned!
30
Battery Info And Pandora Battery Creation

• There are three types of official Sony batteries
  for the Phat, Slim, and Brite 1200 mAh
  (PSP-S110), 1800 mAh (PSP-110), and 2200 mAh
  (PSP-280)
• Phat compatible 1800 mAh, 2200mAh
• Slim compatible 1200 mAh, 1800 mAh, 2200 mAh
• Brite compatible 1200 mAh, 1800 mAh, 2200 mAh
• Only certain PSPs have the ability to create
  Jigkick (also known as Pandora) batteries, if you
  get a PSP that doesnt have this ability, you
  will have to ask someone to make one for you,
  hardmod one, or buy a pre-made one
• All PSP Phats can make Pandora Batteries
• The only Slims that are capable of making
  Pandoras are ones with a TA-085v1 motherboard,
  these Slims were found in early Daxter
  Entertainment Packs and are silver
• Later versions of the Daxter pack PSP have
  TA-085v2 motherboards and are also silver, all
  PSP Slims with a TA-085v2 motherboard and up
  cannot create Pandora batteries
• Newer 1200 mAh batteries cannot be changed into
  jigkick/Pandora batteries at all
• The PSP-3000 can not create Pandora batteries
• OSPBT 0.52 is a good program to make Softmodded
  Pandora Batteries

The Slim and Brite require a special battery
cover to use these batteries
31
Now What? (Hackable)

• So you found the PSP you wanted and its
  hackable, now what do you do to get it hacked?
  Here is a list of helpful tutorials to get you
  started
• How to make Jigkick Battery (Softmod) Here
• How to make Jigkick Battery (Hardmod) Here
• Using The Universal Unbricker To
  Unbrick/Downgrade Here
• Installing CFW via OFW 5.03 on 100x 200x Here

NOTE DO NOT USE HELLCATS RECOVERY FLASHER ON
TA-088V3 OR PSP-3000, YOU WILL BRICK IT AND THERE
IS NO WAY TO UNBRICK IT AT THIS POINT!!! You have
been warned!
32
Now What? (Unhackable)

• So you found the PSP you wanted and its
  unhackable, now what do you do to get homebrew on
  it?
• If you have firmware 5.03 or below, your best bet
  is to upgrade to 5.03 and use ChickHEN, if you
  really want CFW, there is a homebrew called CFW
  Enabler that makes HEN act like CFW. You still
  have to run it every time you hard reset your
  PSP, though.
• If you have firmware above 5.03, then there
  currently isnt a way to run homebrew on your
  PSP, if you have firmware 5.55 or below, your
  best bet is to wait for the MOHH eLoader, if you
  have a firmware above 5.55, youll have to wait
  for a new exploit.
• Step by Step tutorial Installing ChickHEN
  CFWEnabler Here

This does not mean you can now install CFW on an
unhackable motherboard, it just makes the HEN
more CFW-like, DO NOT TRY TO INSTALL CFW ON
TA-088v3 OR PSP-3000, YOU WILL GET A BRICK!!!
33
ISO to EBOOT Explanation

• It is possible to take a PS1 ISO file that was
  ripped from a disc you own and convert it into an
  EBOOT.PBP file so you can play it on a
  CFW-Enabled PSP, it is NOT possible to convert a
  PSP ISO/CSO into an EBOOT.PBP
• Why cant I convert a PSP ISO into an EBOOT?
  This is a common question that gets asked all the
  time, why can you convert PSX ISOs to eboots, and
  not PSP ISOs to eboots?
• The simple answer is, PSP ISOs are encrypted, PSX
  ones are not. So how can I convert PSX ISOs to
  eboots?
• There are tons of guides available, as well as
  easy-to-use tools that make converting PS1 games
  a snap
• The best tools out there are PSX2PSP for Windows
  and iPoPS for Mac
• Here are a few guides to get you started
• Tutorial Quickly Convert PSX to EBOOT (Uses
  AutoPopstation 4)
• PS1 2 PSP (PSX) TUTORIAL (Uses PSX2PSP)

In my opinion
34
Downloads

• ChickHEN R2 (m0skit0 Mod) Here
• CFW Enabler (3.60) Here
• PSPIdent v0.4 Here
• Recovery Flasher v1.60 Here
• OSPBT 0.52 Here
• PS1 to PSP Windows Mac

Note If you are having problems opening the
links, right-click them and select Open
Hyperlink
35
OFW Changelogs Part 1
36
OFW Changelogs Part 2
37
OFW Changelogs Part 3
38
OFW Changelogs Part 4
39
OFW Changelogs Part 5
40
OFW Changelogs Part 6
41
OFW Changelogs Part 7
42
CFW Version Information

• For a list of many different CFW versions, info,
  and downloads, see this page on the PSPWiki
• That list contains info on OE, M33, GEN, and many
  other CFWs from other people

43
PowerPoint Change Log

• For earlier changelogs, see this page on my
  website.
• 5.0 Edited User And Kernel Mode, Added
  multiple OFW Changelogs pages, Added Table Of
  Contents page, Added CFW Version Information
  page
• 5.1 PowerPoint Change Log format changed,
  Changed alignment of dates on the Title page
• 5.2 Added note to PowerPoint Change Log,
  Added 6.20 to OFW Changelogs
• 5.3 Changed PSP-3000/TA-088v3 Compatible
  Exploits to PSP-3000/TA-088v3/Go Compatible
  Exploits, Edited PSP-3000/TA-088v3/Go
  Compatible Exploits, Added Fake CFW Warning
  page
• 5.3.1 Edited PSP-3000/TA-088v3/Go Compatible
  Exploits

Note Changes made to Table of Contents will
not be logged
44
Credits

• Author Ruyor
• Contributors mortalinstincts, wololo, leq,
  DarkestVoid, Rolen47, raing3, SifJar, n00b81
• Sources dark-alex.org, PSP Wiki, Many websites I
  dont remember, My Brain ?
• Thanks Jonatan10, jeerum

If you have any suggestions or find any errors
please go to upsp.ws, a site with a dedicated
section to this PowerPoint If you found this
PowerPoint helpful, please go to ruyor.upsp.ws
and donate something ?