This post was last edited by hokamping on 2011-9-2 09:32
Original post: http://bbs.duowan.com/thread-20411201-1-1.html
Use at your own risk; proceed with caution!
“Chronoswitch” Downgrader 5.0. Advanced 09g Support!
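I'm not sure how best to translate the word Chronoswitch, so let's just call it the "time machine"... Downgrader version 5.0. Adds 09g support.
(I put it this way because DAVEE's original downgrader was made to downgrade to 6.20, and other people later added 6.35 downgrade support on top of it; the original version did not support 09g.)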
As an ongoing project, me and some1 have been enhancing this downgrader from birth on the 6.31/6.35 firmwares. This multi-firmware downgrader allows you to install a lower (or higher) firmware without any fuss. No complex flash0 sharing, just running the firmware update.
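However, there comes restriction with PSP models and compatible firmware. For example, a PSPgo cannot run 1.50 as there are no drivers for the system and the IPL format is incompatible. Much like this, the PSP 3000 09g is unable to install firmwares < 6.30 which removes its ability to appreciate the flexibility of permanent custom firmware.
As an ongoing project, some1 and I (DAVEE) have optimised this downgrader on the basis of the original 6.31/6.35 firmware versions. This multi-firmware downgrader lets you install a lower (or higher) firmware without any trouble. No complicated flash0 (F0) issues; you only need to run the firmware updater. However, there are restrictions between motherboard models and firmware. For example, a PSPgo cannot run the 1.50 system, because it (the 1.50 system) has no drivers for that model, and the IPL format is also incompatible. Likewise, a 09g PSP 3000 cannot install firmware lower than 6.30; it (firmware above 6.30) has removed the ability to install permanent custom firmware (or, put another way, the vulnerabilities used to install the permanent patch have been fixed).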
This is no longer the case.
However, that is no longer the case. (Words like these bring tears to one's eyes!)
It started off with rumours of 09g systems being “converted” to 04g systems with some sort of Sony equipment. I explored the firmware comparing 04g and 09g and there is little difference between the modules, so I looked into what makes a 04g and 09g different. I got various testers (named below) to give me information on their IDStorage and internal system data (baryon/tachyon). From this I can conclude that the only (effective) difference between a 04g and 09g is:
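There had long been rumours that Sony equipment could be used to convert a 09g system into a 04g. I (DAVEE) carefully compared the 04g and the 09g and found that the differences between the two models are very small, so I looked into what causes the difference between a 04g and a 09g. I obtained information from testers (named later) about their IDStorage and internal system data (baryon/tachyon). From this I concluded that the only (effective) differences between a 04g and a 09g are:
Idstorage Certificates
Baryon Version
Glossary: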
Idstorage:
IDStorage is located after the IPL on the nand at 0xC0000, and is used to store low-level information on the PSP, such as the serial, MAC address, UMD, WLAN and region.
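IDStorage is located in the NAND's IPL after 0xC0000 and is used to store low-level PSP information such as the serial number, MAC address, WLAN, UMD and region.
Baryon: the PSP's Syscon (system control) chip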
Nothing more.
Nothing else.
What follows describes the whole research process. I won't translate it; I'm really tired today!
Now, it was time to see what it did with these values. I looked up the Idstorage certificates, it’s used in Chkreg and used internally to generate a model number. I found out that 6.20 and 6.39 sets the model of 09g to 04g, lovely.
The big game was the value that is returned from sceKernelGetModel(). Where is this taken from? Well, rooting back from the IPL, there is some code used to determine the model. This code used some strange code which turned out to be syscon code to obtain the Baryon version! The model number is determined from the Baryon.
Here is a little explanation of the Baryon version. When shifted 16 bits to the left, the least significant byte is the data used to determine a model number. The most significant nybble contains the SKU (PHAT, SLIM/3000, GO) and the lower specifies the model of that SKU. However, it got me thinking… Sony don’t know how many revisions they will produce in the future. Checking 6.39 firmware, Sony does this: [0x2C -> 0x2E] = 04g, [0x2E -> 0x30] = 09g. Rightfully so, the Baryon version from the 04g’s I had was 0x2C and the 09g had 0x2E. Then I thought, if they didn’t know the future, then what does 6.20 IPL do? After analysing I found this: [0x2C -> 0x30] = 04g.
So, if for some reason you find your 09g on 6.20, the IPL is gonna think it is a 04g. Ok, we can work with that, Chkreg sets the certificate based model to 04g and the IPL sets Baryon based model to 04g. Now, let's get some 04g firmware in there!
After a bit of thought, I was sitting at the Downgrader source thinking “how can I install 6.20 on a 09g”. Obviously, run the update and spoof the model. However, changing sceKernelGetModel() did nothing. The model must be determined by some other way. So, 123 and I find Baryon code, yay. Once again, the 6.20 updater has the 09g Baryon as a 04g so if it could run on its own, it will flash 04g modules. But why did it error?
IDXFFFFFFFF. That’s the error, it’s to do with error opening INDEX.dat. Wait a second, why is this happening? Oh wait, it thinks it’s a 04g, so it’s looking for index_04g.dat, doh!
Now, we got a new error. This is weird, it originates from a module called “sceChkuppkg”. Heh, cool. After a brief look at the internals a wild idstorage certificate check appeared. It checked a PSAR block against a list of data composing a PSCode. Easy fix, now the 6.20 could run. Once it had run, it rebooted.
Then it bricked.
Yes I **ed up. Only hooking the usermode version of “sceChkuppkg” caused the updater to validate the blocks until it started to do something important… like read the rest of the firmware after wiping flash clean. Everybody, thank “Gamefreeak100” for the first brave and bold steps into a 09g permanent patch world, he sacrificed his PSP for it.
A lot of reading later, I identified the problem, fixed it and handed it to another brave tester. This time, it worked! 09g was running firmware 6.20 and for the last 12-ish hours it has been running fine. It retains the ability to update to >= 6.30 and seems very stable!
A word of advice though, this is still experimental. The idstorage certificates do NOT belong to a 04g PSP and upgrading and downgrading from <= 6.20 to another <= 6.20 will NOT WORK. It is possible to resign the idstorage with a compatible 04g donor so this is possible, but the effects are unknown.
This would not be possible without the combined efforts of:
Without the joint efforts of the following people, none of this would exist:
some1
Gamefreeak100
Chris10Lyn
snailface
XxGodOfWar2xX
mint
ponso21
Ryone
ROE-UR-BOAT
diggory
The download is in the 2nd post (2L); interested friends can give it a test.
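The Baryon model ranges quoted in the post above, as an added example that is not part of the original post or of Davee's code: it decodes the model byte and diffs the two range tables, showing which byte values 6.20 and 6.39 classify differently. All function and type names are hypothetical, the input is assumed to be the already-extracted model byte, and the ranges are assumed to be half-open (lo <= b < hi).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; only the range values come from the post. */
enum model { MODEL_UNKNOWN = 0, MODEL_04G = 4, MODEL_09G = 9 };
struct range { uint8_t lo, hi; enum model m; };  /* assumed half-open: lo <= b < hi */

/* Ranges as quoted in the post for each firmware's model detection. */
static const struct range fw620[] = { {0x2C, 0x30, MODEL_04G} };
static const struct range fw639[] = { {0x2C, 0x2E, MODEL_04G},
                                      {0x2E, 0x30, MODEL_09G} };

/* Per the post: high nybble = SKU, low nybble = model within that SKU. */
static unsigned sku_nybble(uint8_t b) { return b >> 4; }
static unsigned rev_nybble(uint8_t b) { return b & 0x0F; }

/* Classify a model byte; anything outside every known range is unknown. */
static enum model lookup(const struct range *t, size_t n, uint8_t b)
{
    for (size_t i = 0; i < n; i++)
        if (b >= t[i].lo && b < t[i].hi)
            return t[i].m;
    return MODEL_UNKNOWN;
}

enum model model_on_620(uint8_t b) { return lookup(fw620, sizeof fw620 / sizeof fw620[0], b); }
enum model model_on_639(uint8_t b) { return lookup(fw639, sizeof fw639 / sizeof fw639[0], b); }

/* Count the byte values that the two firmwares classify differently. */
int count_disagreements(void)
{
    int n = 0;
    for (int b = 0; b <= 0xFF; b++)
        if (model_on_620((uint8_t)b) != model_on_639((uint8_t)b))
            n++;
    return n;
}

int main(void)
{
    const uint8_t samples[] = { 0x2C, 0x2E };  /* values the post reports for 04g and 09g */
    for (size_t i = 0; i < sizeof samples; i++)
        printf("byte 0x%02X (sku %X, rev %X): 6.20 -> %02dg, 6.39 -> %02dg\n",
               (unsigned)samples[i], sku_nybble(samples[i]), rev_nybble(samples[i]),
               (int)model_on_620(samples[i]), (int)model_on_639(samples[i]));
    printf("bytes classified differently: %d\n", count_disagreements());
    return 0;
}
```

The older table covers revision values that did not exist when it was written, which is why hardware released later is accepted under an older model's identity instead of being rejected as unknown.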