PSP (Update) Baryon Sweeper: Unbrick PSP 1000, 2000, 3000 /PSP Slim 04g, 07g, 09g/ PSP Street 11g model

Discussion in 'CFW & Exploits' started by zecoxao, Jan 11, 2021.

By zecoxao on Jan 11, 2021 at 2:46 PM
    Update (May 2023): The PSP Slim 04g, 07g and 09g models and the PSP Street 11g model are now supported. See the details from @zecoxao in the linked post.


    Original Article (Jan 2021): For more than ten years PSP-3000 owners have been used to the fact that their device couldn't be restored (unbricked) at home. Many fear the brick as if it's the worst nightmare that could ever happen when experimenting with your device. It's even worse in 2021, because the warranty for all PSPs is over, so bricked later PSP models either go for parts or are doomed to gather dust in boxes and drawers they'd never return from... that is, if this thread didn't appear with the release of Baryon Sweeper R1 :^)




    • Baryon Sweeper R1 Release
      JigKick service tool emulator with PSP-3000 TA-090 restore ability


      Introduction
      After persistent efforts of known PlayStation scene hackers (zecoxao, Proxima, Mathieu Hervais), Boryan's efforts were continued on the bones of the formerly closed PSPx.ru PSP-3000 Pandora hacking thread: some syscons of later PSP models were dumped, and the battery 0x80 and 0x81 challenge keys were salvaged from them. The lack of those keys in consumer batteries put an end to the easily accessible Pandora. But Proxima created a script to generate the challenge answers. You can apply this to a PSP only if you have a proper emulator, and here's what the crew wants to share with the world.



      BaryonSweeper is made possible by:
      • @M4j0r - Voltage Fault Injection glitch help;
      • Wildcard, Sean Shablack - glitching and dumping the syscon;
      • Proxima - firmware reverse engineering, battery auth challenge response generator script;
      • khubik - battery emulator code, auth script port, UI design
      • dogecore - auth script port, UI code, emulator threading fix
      • @mathieulh - decrypt_os2, decrypt_sp code;
      • SSL/Zerotolerance - encryption support for Mathieu's apps
      • @zecoxao - decrypt_os2 and decrypt_sp PC ports, boards supply, auth script port;
      • @Yoti - decrypt-sp mods, JigKick clone card creation guide, MSID Dumper, PSP-3000 for tests (❤️), contribution to pspx.ru's 3000 Pandora hacking thread
      • @ErikPshat - useful info about JigKick, contribution to pspx.ru's 3000 Pandora hacking thread, forum thread design
      • Boryan, lport3, dx3d, stasik007 and many more from pspx.ru's 3000 Pandora hacking thread - battery comm logs, protocol reversal, schematics for equipment and more


    • Crafting emulator's hardware part
      To do so, you need an IC with NAND logic gates: К561ЛА7 / CD7400 (schematic 1) or CD4011 (schematic 2), a USB to TTL converter (or an Arduino with RESET and GND shorted), a 10 kOhm resistor, a 200-300+ Ohm resistor, a soldering iron or a breadboard, and some patience.
      What is a USB-TTL converter?

      A USB-TTL converter is recognized as a serial port, allowing you to communicate with UART devices that use different logic levels. It may look like a flash drive or like a cable.
      Communication with the device is done through the RX (usually white) and TX (usually green) pins. It's also necessary to connect all the grounds together. To talk with the PSP you need to combine RX and TX into one, that is, convert it to one wire UART. The schematics are listed below:
      Schematic for one wire UART (K-line) and USB-TTL connection for CD7400/К561ЛА7


      Don't forget about the key holes on the ICs. Don't forget to connect the two left connected legs on the bottom left through a 200-300+ ohm resistor with the upper 3rd from the right leg (as the picture shows).

      Schematic for one wire UART (K-line) and USB-TTL connection for C4200
      Same as above except different layout.

      If you built it right you should try it in Termite. If it sees the PSP's packets (5A 02 01 02), then it most likely works.

      JigKick clone memcard creation
      https://www.pspx.ru/forum/showthread.php?t=111112


    • Restore process
      Connect your USB-TTL converter with the one wire UART (K-line) adapter attached. Unpack the archive from the attachments and open baryonswp.exe. Make sure that the grounds of the PSP, the UART adapter and the USB-TTL converter are connected to each other, otherwise it won't work! Push Start Service and connect your PSP. The connection will be logged to the COM monitor. To boot into Service Mode use s/n FFFFFFFF. If the PSP or the COM port turns off after connecting the battery, there's most likely not enough current. In service mode, wait for the big "OK" ASCII art. Restore successful.
      Good luck bringing cemeteries back, stay tuned for later models. Sources are in the archive and they're all yours.


    Last edited by a moderator: May 4, 2023