Sony PlayStationPortable Documentation
  1. Manuals
  2. Brands
  3. Sony Manuals
  4. Game Console
  5. PlayStationPortable
  6. Documentation

Sony PlayStationPortable Documentation

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
yet another PlayStationPortable Documentation
(not quite worth printing - yet)
16th January 2006
this is the result of myself pasting together various freely available documents aswell as adding some of my own findings. have fun...
additions and corrections welcome :)
THIS IS WORK IN PROGRESS! INFORMATION CONTAINED IN THIS DOCUMENT MAY BE MISSING, INCOMPLETE
OR EVEN PLAIN WRONG! NO F****N' WARRANTY IMPLIED! IF THE USE OF THE INFORMATION CONTAINED
HERE RESULTS IN ULTRA REALISTIC SMOKE EFFECTS, BRAIN DAMAGE OR LOSS OF PHYSICAL AND/OR MEN-
TAL HEALTH PLEASE DON'T COME BACK AND SAY YOU HAVEN'T BEEN WARNED! YOU SHOULDN'T BE USING
THIS IN THE FIRST PLACE!
groepaz/hitmen (groepaz@gmx.net)
Hitmen-Console
http://www.hitmen-console.org
1

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the PlayStationPortable and is the answer not in the manual?

Questions and answers

Related Manuals for Sony PlayStationPortable

Summary of Contents for Sony PlayStationPortable

  • Page 1 PlayStationPortable Documentation (not quite worth printing - yet) 16th January 2006 this is the result of myself pasting together various freely available documents aswell as adding some of my own findings. have fun... additions and corrections welcome :) THIS IS WORK IN PROGRESS! INFORMATION CONTAINED IN THIS DOCUMENT MAY BE MISSING, INCOMPLETE OR EVEN PLAIN WRONG! NO F****N’...

  • Page 2: Table Of Contents

    CONTENTS Contents 1 Introductional Rant Things that are in this document ..........Things that are not in this document .
  • Page 3 CONTENTS 4.8.5 vmzero ............4.8.6 vmidt .
  • Page 4 CONTENTS 9 Exception and Interupt Processing Exception Cause ............Reset Vector? .
  • Page 5 CONTENTS 11.5.35 XSCALE ............11.5.36 YSCALE .
  • Page 6 CONTENTS 11.5.84 LYD3 ............11.5.85 LZD3 .
  • Page 7 CONTENTS 11.5.133 TBW2 ............11.5.134 TBW3 .
  • Page 8 CONTENTS 11.5.182 ALPHA ............11.5.183 SFIX .
  • Page 9 CONTENTS 22 Memory Stick Structure 22.1 Root Directory ............22.1.1 PSP Subdirectory .
  • Page 10 CONTENTS 26.6.4 Type A Section (Data Block) ..........26.6.5 Type B Section (compressed Data Block) .
  • Page 11 CONTENTS 30 Appendix 30.1 GCC Quick How To ........... . . 30.1.1 compile ASM to object: .

  • Page 12: Introductional Rant

    (since it is little endian). if known (from patents or other freely available sources) we use the same terminology as Sony does, in particular we try to use the same names and abbreviations for hardware registers, signals and the like as a weak attempt of providing consistency with other existing documentation.
  • Page 13 1 INTRODUCTIONAL RANT Description Symbol logical or bitwhise AND & logical or bitwhise OR logical or bitwhise exclusive OR logical or bitwhise NOT (inverse) equality or assignment addition substraction multiplication division please notice that -outside code- we do not make a difference between logical and bitwhise operations. if in doubt the opera- tion is bitwhise, it should however be clearly visible from the context.

  • Page 14: System Overview

    2 SYSTEM OVERVIEW 2 System Overview 2.1 Playstation Portable Main Unit Main CPU (System clock frequency 1~333MHz), MIPS32R2 ’Allegrex’ core (little endian) Media Engine CPU (System clock frequency 1~333MHz), MIPS32R2 core (little endian) Main Memory 32MB (DDR SDRAM) Flash Memory 32MB Embedded DRAM 4MB 4.3 inch wide 16:9 high resolution TFT LCD screen, 480 x 272 pixel, 16.77 million colors, backlight, Maximum luminance 180 / 130 / 80cd/m2 (when using battery pack), 200 / 180 / 80cd/m2 (when using AC adaptor)

  • Page 15: Modells/Revisions

    2 SYSTEM OVERVIEW Keys/Switches: Directional buttons (Up/Down/Right/Left) , Analog Stick, Enter keys (Triangle, Circle, Cross, Square), Left, Right buttons, START button, SELECT button, HOME button, POWER/HOLD switch x, Display button, Sound button, Volume +/- buttons, Wireless LAN switch (ON/OFF), OPEN latch (UMD) Power Lithium-ion Battery AC Adaptor Recommended Retail Price 19,800 yen (20,790 yen tax inclusive), 249euro...

  • Page 16: Supplied Accessories

    2 SYSTEM OVERVIEW 2.3 Supplied accessories AC adaptor (PSP-100) Battery pack (PSP-110) 2.4 Separately Sold Accessories 2.4.1 Memory Stick Duo (PSP-M32) Copyright protection technology : MagicGateTM Capacity: 32MB to 32GB supported Recommended Retail Price 2,800 yen (2,940 yen tax inclusive) Dimensions: Approximately 20mm (W) x 1.6mm (H) x 31mm (D) Weight: Approximately 2g 2.4.2 AC adaptor (PSP-100)

  • Page 17: Usb Microphone (Psp-240(X))

    6 grams Dimensions: 50x10x10mm 2.5 Development Hardware (DEM-100) 64MB Main Memory instead of 32MB 3 Hardware Overview 3.1 Semiconductors SONY A2707GL 504C28H Manufacturer: Sony Part Number: A2703GL National Semiconductors JM49SW L00053B SN10 5257 TI 52W Z422 Fairchild Semiconductors...
  • Page 18 Manufacturer: Fujitsu Part Number: MB44C001 Freescale semiconductors Freescale semiconductors SC901583EP SC901583EP MXAJ0450 MXAA0445 Manufacturer: Motorola Part Number: SC901583EP Graphics Processor Chip (MIPS CPU, 2MB embedded RAM) Sony Computer Sony Computer Entertainment Inc. Entertainment Inc. CXD2962GG CXD2962GG (C)2004SCEI (C)2004SCEI 509E90E 445801E 644031...
  • Page 19 3 HARDWARE OVERVIEW R0...RH - Nineteen tuned-path traces leading over to the main processor. These appear to be address/control lines? D0...D7 - 8-bit bus that leads from main processor, past button-cell and up from below (south of) the NAND chip.This could be an 8-bit data bus? J0...J6 - 7-bit bus emerging from VIAs near button cell, leading around to the north side of the NAND chip.

  • Page 20: Other

    3 HARDWARE OVERVIEW g - Indicates pins that are connected directly to the ground plane. Media Engine (MIPS CPU, 2MB embedded RAM) Sony Computer Entertainment Inc. CXD1876 (C)2004SCEI -102GG 508C10E 280221 Manufacturer: Sony Part Number: CXD1876 RTC, ... (C)2004 BAR14...

  • Page 21: Headphones/Remote Control

    3 HARDWARE OVERVIEW Crystal oscillator 27 MHz 2700L E52QA Crystal 4 MHz [M] 4.00B Crystal 32.768 KHz A507Y 3.3 Headphones/Remote Control The headphone jack is a standard 3.5mm stereo, but there is also a small 6 pin connector next to it for the "remote control" that is included in the Value Pack.
  • Page 22 3 HARDWARE OVERVIEW Signal Description IN, Serial protocol bus state signal IN/OUT, Serial protocol data signal unused/reserved Stick insertion/extraction detect unused/reserved SCLK IN, Serial protocol clock signal...

  • Page 23: Cpu Overview

    4 CPU OVERVIEW 4 CPU Overview 4.1 Registers 32 32bit General Purpose Integer Registers (R0-R31) zero wired zero assembler temp return value argument registers caller saved (o32 old style names: default) caller saved callee saved caller saved kernel temporary global pointer stack pointer fp/s8 frame pointer...

  • Page 24: Cop0 (System Control)

    4 CPU OVERVIEW 4.2 COP0 (System Control) 4.2.1 mfc/mtc badvaddr virtual address of last error/exception count system counter compare counter comparison value status system status cause exception cause exception program counter prid processor revision id config configuration SC-code SC-code < < 2 CPU ID (0=Main, 1=ME) Ebase virtual address of exception vector...

  • Page 25: Cfc/Ctc

    4 CPU OVERVIEW 4.2.2 cfc/ctc COP0.EPC COP0.ErrorEPC COP0.Status COP0.Cause GPR.v0 |GPR.v1 GPR.v0 GPR.v1 EXC vector table EXC_31_ERROR handler EXC_8_SYSCALL handler (1st) syscalls table (1st) max syscall code GPR.sp KERNEL/intr GPR.sp USER current TCB ?!? NMI vector table COP0.Status COP0.Cause profiler hw base addr Ex.GPR.v0 4.3 COP1 (FPU) 32 32bit General Purpose Floatingpoint Registers (FPR0-FPR31)
  • Page 26 4 CPU OVERVIEW 2x2 matrix 3x3 matrix 4x4 matrix And if that weren’t enough, it can work with matrices in normal or transposed orders. The registers are grouped into 8 blocks of 16 registers each. This gives you enough room to work with 8 4x4 matrices, 8 3x3 matrices, 32 2x2 matrices.

  • Page 27: Instruction Format

    4 CPU OVERVIEW Pair Columns Pair Rows C000 C010 C020 C030 R000 ..R020 ....R001 ..R021 ..C002 C012 C022 C032 R002 ..R022 ....R003 ..R023 ..2*2 Matrix 2*2 Transpose Matrix M000 ..

  • Page 28: Addiu

    4 CPU OVERVIEW 4.6.1 lw LoadWord Relative to Address in General Purpose Register %rt <- word_at_address (offset + %base) lw %rt, offset(%base) GPR Target Register (0...31) GPR, specifies Source Address Base %base signed Offset added to Source Address Base offset 4.6.2 sw StoreWord Relative to Address in General Purpose Register word_at_address (offset + %base) <- %rt...

  • Page 29: Mfic / Mtic

    4 CPU OVERVIEW 4.7.1 ??? 4.7.2 mfic / mtic mfic move from IC (Interrupt) register mfic rt,rd mtic move to IC (Interrupt) register mtic rt,rd mfic $v0, zero to save the interrupt state in v0 mtic zero, zero to disable them mtic $a0, zero to renable based on the original mask in a0 4.8 VFPU Instructions...
  • Page 30 4 CPU OVERVIEW vadd.s rd,rs,rt 0x60000000 011000 000 ttttttt 0 sssssss 0 ddddddd vadd.p rd,rs,rt 0x60000080 011000 000 ttttttt 0 sssssss 1 ddddddd vadd.t rd,rs,rt 0x60008000 011000 000 ttttttt 1 sssssss 0 ddddddd vadd.q rd,rs,rt 0x60008080 011000 000 ttttttt 1 sssssss 1 ddddddd vsub.s rd,rs,rt 0x60800000 011010 000 ttttttt 0 sssssss 0 ddddddd...
  • Page 31 4 CPU OVERVIEW vsin.p rs,rd 0xd0120080 110100 000 0010010 0 sssssss 1 ddddddd vsin.t rs,rd 0xd0128000 110100 000 0010010 1 sssssss 0 ddddddd vsin.q rs,rd 0xd0128080 110100 000 0010010 1 sssssss 1 ddddddd vcos.s rs,rd 0xd0130000 110100 000 0010011 0 sssssss 0 ddddddd vcos.p rs,rd 0xd0130080 110100 000 0010011 0 sssssss 1 ddddddd...

  • Page 32: Vzero

    4 CPU OVERVIEW *1) bit 5 of rs is inverted VFPU load/store instructions seem to support only 16-byte-aligned accesses (similiar to Altivec and SSE). 4.8.1 lv LoadVector Quadword Relative to Address in General Purpose Register fpu_vtr <- vector_at_address (offset + %gpr) lv.q %vfpu_rt, offset(%base) VFPU Vector Target Register (column0-31/row32-63) %fpu_rt...

  • Page 33: Vone

    4 CPU OVERVIEW 4.8.4 vone vone SetVectorOne (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rt] <- 0.0f Set 1 Vector Component to 1.0f vone.s %vfpu_rt Set 2 Vector Components to 1.0f vone.p %vfpu_rt Set 3 Vector Components to 1.0f vone.t %vfpu_rt Set 4 Vector Components to 1.0f vone.q %vfpu_rt VFPU Vector Target Register ([s|p|t|q]reg 0..127) %vfpu_rt...

  • Page 34: Vrcp

    4 CPU OVERVIEW 4.8.8 vrcp vrcp Reciprocal (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- 1.0 / vfpu_regs[%vfpu_rs] calculate reciprocal (1/z) on single vrcp.s %vfpu_rd, %vfpu_rs calculate reciprocal (1/z) on pair vrcp.p %vfpu_rd, %vfpu_rs calculate reciprocal (1/z) on triple vrcp.t %vfpu_rd, %vfpu_rs calculate reciprocal (1/z) on quad vrcp.q %vfpu_rd, %vfpu_rs VFPU Vector Target Register ([s|p|t|q]reg 0..127) %vfpu_rd...

  • Page 35: Vrsq

    4 CPU OVERVIEW 4.8.12 vrsq vrsq ReciprocalSquareRoot (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- 1.0 / sqrt(vfpu_regs[%vfpu_rs]) calculate reciprocal sqrt (1/sqrt(x)) on single vrsq.s %vfpu_rd, %vfpu_rs calculate reciprocal sqrt (1/sqrt(x)) on pair vrsq.p %vfpu_rd, %vfpu_rs calculate reciprocal sqrt (1/sqrt(x)) on triple vrsq.t %vfpu_rd, %vfpu_rs calculate reciprocal sqrt (1/sqrt(x)) on quad vrsq.q %vfpu_rd, %vfpu_rs VFPU Vector Target Register ([s|p|t|q]reg 0..127)

  • Page 36: Vasin

    4 CPU OVERVIEW 4.8.15 vasin vasin ArcSin (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- arcsin(vfpu_regs[%vfpu_rs]) calculate arcsin vasin.s %vfpu_rd, %vfpu_rs calculate arcsin vasin.p %vfpu_rd, %vfpu_rs calculate arcsin vasin.t %vfpu_rd, %vfpu_rs calculate arcsin vasin.q %vfpu_rd, %vfpu_rs VFPU Vector Target Register ([s|p|t|q]reg 0..127) %vfpu_rd VFPU Vector Source Register ([s|p|t|q]reg 0..127) %vfpu_rs 4.8.16 vnrcp vnrcp...

  • Page 37: Vcst

    4 CPU OVERVIEW 4.8.19 vcst vcst StoreConstant (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- constants[%a] store constant into single vcst.s %vfpu_rd, %a store constant into pair vcst.p %vfpu_rd, %a store constant into triple vcst.t %vfpu_rd, %a store constant into quad vcst.q %vfpu_rd, %a VFPU Vector Destination Register ([s|p|t|q]reg 0..127) %vfpu_rd VFPU Constant Constant...

  • Page 38: Vsub

    4 CPU OVERVIEW 4.8.21 vsub vsub VectorSub (Single/Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- vfpu_regs[%vfpu_rs] - vfpu_regs[%vfpu_rt] Sub Single vsub.s %vfpu_rd, %vfpu_rs, %vfpu_rt Sub Pair vsub.p %vfpu_rd, %vfpu_rs, %vfpu_rt Sub Triple vsub.t %vfpu_rd, %vfpu_rs, %vfpu_rt Sub Quad vsub.q %vfpu_rd, %vfpu_rs, %vfpu_rt VFPU Vector Source Register ([s|p|t|q]reg 0..127) %vfpu_rt VFPU Vector Source Register ([s|p|t|q]reg 0..127) %vfpu_rs...

  • Page 39: Vhdp

    4 CPU OVERVIEW 4.8.25 vhdp vhdp VectorHomogenousDotProduct (Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- homogenousdotproduct(vfpu_regs[%vfpu_rs], vfpu_regs[%vfpu_rt]) Dot Product Pair vhdp.p %vfpu_rd, %vfpu_rs, %vfpu_rt Dot Product Triple vhdp.t %vfpu_rd, %vfpu_rs, %vfpu_rt Dot Product Quad vhdp.q %vfpu_rd, %vfpu_rs, %vfpu_rt VFPU Vector Source Register ([s|p|t|q]reg 0..127) %vfpu_rt VFPU Vector Source Register ([s|p|t|q]reg 0..127) %vfpu_rs VFPU Vector Destination Register ([s|p|t|q]reg 0..127)

  • Page 40: Vsgn

    4 CPU OVERVIEW 4.8.29 vsgn vsgn Sign.(Single/Pair/Triple/Quad ) vfpu_regs[%vfpu_rd] <- sign(vfpu_regs[%vfpu_rs]) Get Sign Single vsgn.s %vfpu_rd, %vfpu_rs Get Sign Pair vsgn.p %vfpu_rd, %vfpu_rs Get Sign Triple vsgn.t %vfpu_rd, %vfpu_rs Get Sign Quad vsgn.q %vfpu_rd, %vfpu_rs VFPU Vector Destination Register (m[p|t|q]reg 0..127) %vfpu_rd VFPU Vector Source Register (m[p|t|q]reg 0..127) %vfpu_rs...

  • Page 41: Vhtfm

    4 CPU OVERVIEW 4.8.33 vhtfm vhtfm VectorHomogeneousTransform (Pair/Triple/Quad) vfpu_regs[%vfpu_rd] <- homeogenoustransform(vfpu_matrix[%vfpu_rs], vfpu_vector[%vfpu_rt]) Homogeneous transform quad vector by pair matrix vhtfm2.p %vfpu_rd, %vfpu_rs, %vfpu_rt Homogeneous transform quad vector by triple matrix vhtfm3.t %vfpu_rd, %vfpu_rs, %vfpu_rt Homogeneous transform quad vector by quad matrix vhtfm4.q %vfpu_rd, %vfpu_rs, %vfpu_rt VFPU Vector Source Register (qreg 0..127) %vfpu_rt...

  • Page 42: Media Engine

    5 MEDIA ENGINE 5 Media Engine 5.1 Overview System RAM is mapped at 0x88000000 and is all accessable Local RAM is mapped at 0x80000000 Video RAM appears to be inaccessable, at least at the usual address. looks like the exception handler location is set by loading cop0 register 25 (usually perfcnt) with the address of your handler...

  • Page 43: Vme

    6 VME 6 VME The VME (Virtual Mobile Engine) is a reconfigurable processor to decode audio/video. in 2002, Sony developed the Virtual Mobile Engine? as a method for achieving significant power reductions and miniaturization in LSIs for audio/visual products. This circuit technology, which can reduce power consumption by approximately 1/4 over conventional general-purpose digital signal processors (DSP), was adopted for use in the CXR704060 LSI used in the Network Walkman "NW-MS70D".

  • Page 44: Memory Map

    7 MEMORY MAP 7 Memory Map 7.1 Segments virtual address physical address size type comment mode(s) 1024 MB cached user/supervisor/kernel 0x0..0x0..0x4..0x0..1024 MB uncached user/supervisor/kernel 512 MB cached kernel 0x8..0x0..512 MB uncached kernel 0xA..0x0..512 MB K2/KS cached...

  • Page 45: Hardware

    7 MEMORY MAP 7.4 Hardware start size description memory interface ?? (mpeg_vsh, sysmem, sysreg, threadman, usb) 0xbc000000 exception ?? (dmacman, emc_ddr, memlmd, mscm, syscon, sysmem, sysreg, exceptionman, ata, meb 0xbc100000 irq?? (sysreg) 0xbc200000 irq?? (interruptman) 0xbc300000 Hardware Profiler (threadman, utils) 0xbc400000 irq, Timer? (systimer) 0xbc500000...

  • Page 46: Hardware Registers

    8 HARDWARE REGISTERS 8 Hardware Registers 8.1 Profiler Registerblock Base Size of Registerblock common access size 32 bit 0xbc400000 ENABLE 0xbc400000 ........ bit(s) description profiling disabled profiling enabled first clear all counter registers by writing 0 to them, then enable profiling. counter registers are as follows: Address Unit Description...

  • Page 47: Command Set

    8 HARDWARE REGISTERS Command 0xbd101008 ........ bit(s) description Address 0xbd10100c ........ bit(s) description Data (read) ? 0xbd101300 ........ bit(s) description 8.2.1 Command Set Function...
  • Page 48 8 HARDWARE REGISTERS FIFO 0xbe4c0000 ........ bit(s) description read byte from recieve buffer write byte to transmit buffer STATUS 0xbe4c0018 ........ bit(s) description TXFULL 1 if transmit buffer full RXEMPTY 1 if recieve buffer empty DIV1 - upper bits of Baudrate Divisor...

  • Page 49: Gpio

    8 HARDWARE REGISTERS 0xbe4c0030 ........ bit(s) description 0xbe4c0034 ........ bit(s) description 0xbe4c0044 ........ bit(s) description 8.4 GPIO Registerblock Base Size of Registerblock common access size 32 bit...

  • Page 50: Headphone/Remote Sio

    8 HARDWARE REGISTERS Port Clear 0xbe24000C ........ bit(s) description 8.5 Headphone/Remote SIO Registerblock Base Size of Registerblock common access size 32 bit 0xbe500000 FIFO 0xbe500000 ........ bit(s) description read byte from recieve buffer...
  • Page 51 8 HARDWARE REGISTERS CONTROL 0xbe50002c ........ bit(s) description ? (set to 1 if you want to set baudrate) ? (set to 1 if you want to set baudrate)

  • Page 52: Exception And Interupt Processing

    9 EXCEPTION AND INTERUPT PROCESSING 9 Exception and Interupt Processing 9.1 Exception Cause The cause of the exception that was raised can be determined by the value of the cause register (causereg > > 2 to be specific) which has the following meaning: Interrupt TLB modification...
  • Page 53 9 EXCEPTION AND INTERUPT PROCESSING 8801CDCC: 00 68 02 40 mfc0 $v0, $13 ; get c0.13 (Cause) 8801CDD0: 00 F0 03 40 mfc0 $v1, $30 ; get c0.30 (ErrorEPC) get Error Exception Program Counter 8801CDD4: 00 A0 C2 40 ctc0 $v0, $20 ; save v0 (Cause) in cc0.20 8801CDD8: 00 08 C3 40 ctc0 $v1, $1 ;...

  • Page 54: Me Reset Handler

    9 EXCEPTION AND INTERUPT PROCESSING 88021E74 (interruptman:0x3174) 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1); 8801D130 (hang)while(1);...

  • Page 55: Exception Vectors

    9 EXCEPTION AND INTERUPT PROCESSING bfc0008c: 00 08 1b 24 li $k1, 0x0800 bfc00090: 04 d8 1b 01 sllv $k1, $k1, $t0 ; k1=0x8000< < ? bfc00094: c0 ff 7b 23 addi $k1, $k1, 0xffc0 bfc00098: fe ff 60 17 bne $k1, $zero, 0xbfc00094 bfc0009c: 00 00 71 bf cache 0x11, 0($k1) ;...
  • Page 56 9 EXCEPTION AND INTERUPT PROCESSING bfc01700 bfc01800 (me_wrapper) bfc01900 bfc01a00 bfc01b00 bfc01c00 bfc01d00 bfc01e00 bfc01f00 8801ce30 (exceptionman:0x0730)

  • Page 57: Video Processing

    10 VIDEO PROCESSING 10 Video Processing 10.1 Overview vram is located at 0x04000000 Pixel format is 16 bit BGR (ABBBBBGGGGGRRRRR.) or 32 bit visible Screen is 480*272 pixel virtual Screensize is 512*272 pixel...

  • Page 58: Graphics Processing

    11 3D GRAPHICS PROCESSING 11 3D Graphics Processing 11.1 GE Command Format Each command word is divided into two parts, a 8-bit command and a 24-bit argument. The command is in the upper part of the word, and the argument in the lower. The argument can be either integer of a special kind of float that the GE supports (described below). 11.2 GE Floats Floats processed in the command-stream are 24 bits instead of 32 that are used by the CPU.
  • Page 59 11 3D GRAPHICS PROCESSING Texture Mapping Enable 0x1E Fog Enable 0x1F Dither Enable 0x20 Alpha Blend Enable 0x21 Alpha Test Enable 0x22 Depth Test Enable 0x23 Stencil Test Enable 0x24 Anitaliasing Enable 0x25 Patch Cull Enable 0x26 Color Test Enable 0x27 Logical Operation Enable 0x28...
  • Page 60 11 3D GRAPHICS PROCESSING Ambient Model Alpha 0x58 0x59 0x5A Specular Power 0x5B SPOW Ambient Light Color 0x5C Ambient Light Alpha 0x5D Light Model 0x5E LMODE Light Type 0 0x5F Light Type 1 0x60 Light Type 2 0x61 Light Type 3 0x62 Light X Position 0 0x63...
  • Page 61 11 3D GRAPHICS PROCESSING Ambient Light Color 1 0x92 ALC1 Diffuse Light Color 1 0x93 DLC1 Specular Light Color 1 0x94 SLC1 Ambient Light Color 2 0x95 ALC2 Diffuse Light Color 2 0x96 DLC2 Specular Light Color 2 0x97 SLC2 Ambient Light Color 3 0x98 ALC3...
  • Page 62 11 3D GRAPHICS PROCESSING Texture Sync 0xCC TSYNC Fog Far (???) 0xCD FFAR Fog Range 0xCE FDIST Fog Color 0xCF FCOL Texture Slope 0xD0 TSLOPE 0xD1 Frame Buffer Pixel Storage Mode 0xD2 Clear Flags 0xD3 CLEAR Scissor Region Start 0xD4 SCISSOR1 Scissor Region End 0xD5...

  • Page 63: Vaddr

    11 3D GRAPHICS PROCESSING 11.5.1 VADDR VADDR - Vertex List (BASE) 0x01 ........ bit(s) description 0-23 24 least significant bits of pointer 11.5.2 IADDR IADDR - Index List (BASE) 0x02 ....

  • Page 64: Spline

    11 3D GRAPHICS PROCESSING 11.5.5 SPLINE SPLINE - Spline Surface Kick 0x06 ........ bit(s) description 18-19 V Edges Close/Close Open/Close Close/Open Open/Open 16-17 U Edges Close/Close Open/Close Close/Open Open/Open 8-15 V Count U Count 11.5.6 BBOX BBOX - Bounding Box 0x07...

  • Page 65: Call

    11 3D GRAPHICS PROCESSING 11.5.9 CALL CALL - Call Address (BASE) 0x0A ........ bit(s) description 0-23 24 least significant bits of pointer 11.5.10 RET RET - Return From Call 0x0B ....

  • Page 66: Base

    11 3D GRAPHICS PROCESSING 11.5.14 BASE BASE Base Address Register 0x10 ........ bit(s) description 16-20 4 most significant bits for address (28 bits total)

  • Page 67: Vtype

    11 3D GRAPHICS PROCESSING 11.5.15 VTYPE VTYPE - Vertex Type 0x12 ........ bit(s) description Bypass Transform Pipeline Transformed Coordinates Raw Coordinates 18-20 Number of vertices (Morphing) 000-111: 1-8 vertices 14-16 Number of weights (Skinning) 000-111: 1-8 weights 11-12 Index Format...

  • Page 68: Region1

    11 3D GRAPHICS PROCESSING 11.5.16 REGION1 REGION1 - Draw Region Start 0x15 ........ bit(s) description 10-19 Y Start X Start 11.5.17 REGION2 REGION2 - Draw Region End 0x16 ......

  • Page 69: Mw0

    11 3D GRAPHICS PROCESSING 11.5.20 MW0 MW0 - Morph Weight 0 0x2c ........ bit(s) description 0-23 Morph Value (GE float) 11.5.21 MW1 MW1 - Morph Weight 1 0x2d ......

  • Page 70: Mw5

    11 3D GRAPHICS PROCESSING 11.5.25 MW5 MW5 - Morph Weight 5 0x31 ........ bit(s) description 0-23 Morph Value (GE float) 11.5.26 MW6 MW6 - Morph Weight 6 0x32 ......

  • Page 71: Pprim

    11 3D GRAPHICS PROCESSING 11.5.29 PPRIM PPRIM - Patch Primitive 0x37 ........ bit(s) description Triangles Lines Points 11.5.30 PFACE PFACE - Patch Front Face 0x38 ........ bit(s) description Clockwise...

  • Page 72: Proj

    11 3D GRAPHICS PROCESSING 11.5.33 PROJ PROJ - Projection Matrix upload 0x3f ........ bit(s) description 0-23 Matrix Value (GE Float) Write 4*4 values for complete matrix 11.5.34 TMA TMATRIX - Texture Matrix Upload 0x41 ..

  • Page 73: Zscale

    11 3D GRAPHICS PROCESSING 11.5.37 ZSCALE ZSCALE - Depth Scale 0x44 ........ bit(s) description 0-23 Scale Value (GE Float) 11.5.38 XPOS XPOS - Viewport X Position 0x45 ......

  • Page 74: Vscale

    11 3D GRAPHICS PROCESSING 11.5.42 VSCALE VSCALE - Texture Scale V 0x49 ........ bit(s) description 0-23 Scale Value (GE Float) 11.5.43 UOFFSET UOFFSET - Texture Offset U 0x4a ......

  • Page 75: Shade

    11 3D GRAPHICS PROCESSING 11.5.47 SHADE SHADE - Shade Model 0x50 ........ bit(s) description Shading type Flat Smooth 11.5.48 CMAT CMAT - Color Material 0x53 ........ bit(s) description Material flags (OR together)

  • Page 76: Amc

    11 3D GRAPHICS PROCESSING 11.5.50 AMC AMC - Ambient Model Color 0x55 ........ bit(s) description 16-23 Blue Component 8-15 Green Component Red Component 11.5.51 DMC DMC - Diffuse Model Color 0x56 ....

  • Page 77: Spow

    11 3D GRAPHICS PROCESSING 11.5.54 SPOW SPOW - Specular Power 0x5b ........ bit(s) description 0-23 Power (GE Float) 11.5.55 ALC ALC - Ambient Light Color 0x5c ........

  • Page 78: Lt0

    11 3D GRAPHICS PROCESSING 11.5.58 LT0 LT0 Light Type 0 0x5f ........ bit(s) description Light Type Directional Light Point Light Spot Light Light Components Ambient & Diffuse Diffuse & Specular Unknown (diffuse color, affected by specular power) 11.5.59 LT1 LT1 Light Type 1 0x60...

  • Page 79: Lt2

    11 3D GRAPHICS PROCESSING 11.5.60 LT2 LT2 Light Type 2 0x61 ........ bit(s) description Light Type Directional Light Point Light Spot Light Light Components Ambient & Diffuse Diffuse & Specular Unknown (diffuse color, affected by specular power) 11.5.61 LT3 LT3 Light Type 3 0x62...

  • Page 80: Lyp0

    11 3D GRAPHICS PROCESSING 11.5.63 LYP0 LYP0 - Light Y Position 0 0x64 ........ bit(s) description 0-23 Vector Component (GE Float) 11.5.64 LZP0 LZP0 - Light Z Position 0 0x65 ....

  • Page 81: Lxp2

    11 3D GRAPHICS PROCESSING 11.5.68 LXP2 LXP2 - Light X Position 2 0x69 ........ bit(s) description 0-23 Vector Component (GE Float) 11.5.69 LYP2 LYP2 - Light Y Position 2 0x6a ....

  • Page 82: Lzp3

    11 3D GRAPHICS PROCESSING 11.5.73 LZP3 LZP3 - Light Z Position 3 0x6e ........ bit(s) description 0-23 Vector Component (GE Float) 11.5.74 LXD0 LXD0 - Light X Direction 0 0x6f ....

  • Page 83: Lyd1

    11 3D GRAPHICS PROCESSING 11.5.78 LYD1 LYD1 - Light Y Direction 1 0x73 ........ bit(s) description 0-23 Vector Component (GE Float) 11.5.79 LZD1 LZD1 - Light Z Direction 1 0x74 ....

  • Page 84: Lxd3

    11 3D GRAPHICS PROCESSING 11.5.83 LXD3 LXD3 - Light X Direction 3 0x78 ........ bit(s) description 0-23 Vector Component (GE Float) 11.5.84 LYD3 LYD3 - Light Y Direction 3 0x79 ....

  • Page 85: Lqa0

    11 3D GRAPHICS PROCESSING 11.5.88 LQA0 LQA0 - Light Quadratic Attenuation 0 0x7d ........ bit(s) description 0-23 Attenuation Factor (GE Float) 11.5.89 LCA1 LCA1 - Light Constant Attenuation 1 0x7e ....

  • Page 86: Lla2

    11 3D GRAPHICS PROCESSING 11.5.93 LLA2 LLA2 - Light Linear Attenuation 2 0x82 ........ bit(s) description 0-23 Attenuation Factor (GE Float) 11.5.94 LQA2 LQA2 - Light Quadratic Attenuation 2 0x83 ....
  • Page 87 11 3D GRAPHICS PROCESSING 11.5.98 ??? ??? Spot light 0 exponent 0x87 ........ bit(s) description 0-23 Spotlight exponent 11.5.99 ??? ??? Spot light 1 exponent 0x88 ........

  • Page 88: Alc0

    11 3D GRAPHICS PROCESSING 11.5.103 ??? ??? Spot light 1 cutoff 0x8c ........ bit(s) description 0-23 Spotlight cutoff angle (cosine of angle) 11.5.104 ??? ??? Spot light 2 cutoff 0x8d ....

  • Page 89: Dlc0

    11 3D GRAPHICS PROCESSING 11.5.107 DLC0 DLC0 - Diffuse Light Color 0 0x90 ........ bit(s) description 16-23 Blue Component 8-15 Green Component Red Component 11.5.108 SLC0 SLC0 - Specular Light Color 0 0x91 ..

  • Page 90: Slc1

    11 3D GRAPHICS PROCESSING 11.5.111 SLC1 SLC1 - Specular Light Color 1 0x94 ........ bit(s) description 16-23 Blue Component 8-15 Green Component Red Component 11.5.112 ALC2 ALC2 - Ambient Light Color 2 0x95 ..

  • Page 91: Alc3

    11 3D GRAPHICS PROCESSING 11.5.115 ALC3 ALC3 - Ambient Light Color 3 0x98 ........ bit(s) description 16-23 Blue Component 8-15 Green Component Red Component 11.5.116 DLC3 DLC3 - Diffuse Light Color 3 0x99 ..

  • Page 92: Fbp

    11 3D GRAPHICS PROCESSING 11.5.119 FBP FBP - Frame Buffer Pointer 0x9c ........ bit(s) description 0-23 24 least significant bits of pointer (see FBW) 11.5.120 FBW FBW - Frame Buffer Width 0x9d ..

  • Page 93: Tbp0

    11 3D GRAPHICS PROCESSING 11.5.123 TBP0 TBP0 - Texture Buffer Pointer 0 0xa0 ........ bit(s) description 0-23 24 least significant bits of pointer (see TBW0) 11.5.124 TBP1 TBP1 - Texture Buffer Pointer 1 0xa1 ..

  • Page 94: Tbp5

    11 3D GRAPHICS PROCESSING 11.5.128 TBP5 TBP5 - Texture Buffer Pointer 5 0xa5 ........ bit(s) description 0-23 24 least significant bits of pointer (see TBW5) 11.5.129 TBP6 TBP6 - Texture Buffer Pointer 6 0xa6 ..

  • Page 95: Tbw1

    11 3D GRAPHICS PROCESSING 11.5.132 TBW1 TBW1 - Texture Buffer Width 1 0xa9 ........ bit(s) description 16-20 4 most significant bits of pointer (see TBP1) 0-15 Buffer width in pixels 11.5.133 TBW2 TBW2 - Texture Buffer Width 2 0xaa ..

  • Page 96: Tbw5

    11 3D GRAPHICS PROCESSING 11.5.136 TBW5 TBW5 - Texture Buffer Width 5 0xad ........ bit(s) description 16-20 4 most significant bits of pointer (see TBP5) 0-15 Buffer width in pixels 11.5.137 TBW6 TBW6 - Texture Buffer Width 6 0xae ..

  • Page 97: Cbph

    11 3D GRAPHICS PROCESSING 11.5.140 CBPH CBPH - CLUT Buffer Pointer H 0xb1 ........ bit(s) description 16-20 4 most significant bits of pointer (see CBP) 11.5.141 TRXSBP TRXSBP - Transmission Source Buffer Pointer 0xb2 ..

  • Page 98: Trxdbw

    11 3D GRAPHICS PROCESSING 11.5.144 TRXDBW TRXDBW - Transmission Destination Buffer Width 0xb5 ........ bit(s) description 16-23 8 most significant bits of pointer (see TRXDBP) 0-15 Destination Buffer Width 11.5.145 TSIZE0 TSIZE0 - Texture Size Level 0 0xb8 ..

  • Page 99: Tsize3

    11 3D GRAPHICS PROCESSING 11.5.148 TSIZE3 TSIZE3 - Texture Size Level 3 0xbb ........ bit(s) description 8-15 Height = 2^TH Width = 2^TW 11.5.149 TSIZE4 TSIZE4 - Texture Size Level 4 0xbc ..

  • Page 100: Tsize7

    11 3D GRAPHICS PROCESSING 11.5.152 TSIZE7 TSIZE7 - Texture Size Level 7 0xbf ........ bit(s) description 8-15 Height = 2^TH Width = 2^TW 11.5.153 TMAP TMAP - Texture Projection Map Mode + Texture Map Mode 0xc0 ..

  • Page 101: Tpsm

    11 3D GRAPHICS PROCESSING 11.5.156 TPSM TPSM - Texture Pixel Storage Mode 0xc3 ........ bit(s) description 0-23 Pixel Storage Mode 16-bit BGR 5650 16-bit ABGR 5551 16-bit ABGR 4444 32-bit ABGR 8888 4-bit indexed 8-bit indexed 16-bit indexed 32-bit indexed...

  • Page 102: Tflt

    11 3D GRAPHICS PROCESSING 11.5.159 TFLT TFLT - Texture Filter 0xc6 ........ bit(s) description 8-10 Magnifying filter Nearest Linear Nearest; Mipmap Nearest Linear; Mipmap Nearest Nearest; Mipmap Linear Linear; Mipmap Linear Minifying filter 11.5.160 TWRAP TWRAP - Texture Wrapping 0xc7...

  • Page 103: Tfunc

    11 3D GRAPHICS PROCESSING 11.5.162 TFUNC TFUNC - Texture Function 0xc9 ........ bit(s) description Fragment Double Enable Fragment color is untouched Fragment color is doubled Texture Color Component Texture alpha is ignored Texture alpha is read 0-2: Texture Effect Modulate...

  • Page 104: Tsync

    11 3D GRAPHICS PROCESSING 11.5.165 TSYNC TSYNC - Texture Sync 0xcc ........ bit(s) description Sync with texture transfer (see TRXKICK) 11.5.166 FDIST FDIST - Fog Range 0xce ......

  • Page 105: Psm

    11 3D GRAPHICS PROCESSING 11.5.169 PSM PSM - Frame Buffer Pixel Storage Mode 0xd2 ........ bit(s) description Pixel Storage Mode 16-bit BGR 5650 16-bit ABGR 5551 16-bit ABGR 4444 32-bit ABGR 8888 11.5.170 CLEAR CLEAR - Clear Flags 0xd3 ..

  • Page 106: Scissor2

    11 3D GRAPHICS PROCESSING 11.5.172 SCISSOR2 SCISSOR2 - Scissor Region End 0xd5 ........ bit(s) description 10-19 Y End X End 11.5.173 NEARZ NEARZ - Near Depth Range 0xd6 ......

  • Page 107: Cref

    11 3D GRAPHICS PROCESSING 11.5.176 CREF CREF - Color Reference 0xd9 ........ bit(s) description 0-23 Color Reference Value 11.5.177 CMSK CMSK - Color Mask 0xda ........ bit(s) description 0-23...

  • Page 108: Stst

    11 3D GRAPHICS PROCESSING 11.5.179 STST STST - Stencil Test 0xdc ........ bit(s) description 16-23 Stencil Mask 8-15 Stencil Reference Value Stencil Function Never pass stencil test Always pass stencil test Pass test if match Pass test if difference Pass test if less Pass test if less or equal...

  • Page 109: Ztst

    11 3D GRAPHICS PROCESSING 11.5.181 ZTST ZTST - Depth Test Function 0xde ........ bit(s) description Function Never pass pixel Always pass pixel Pass pixel when depth is equal Pass pixel when depth is not equal Pass pixel when depth is less Pass pixel when depth is less or equal Pass pixel when depth is greater...

  • Page 110: Sfix

    11 3D GRAPHICS PROCESSING 11.5.183 SFIX SFIX - Source Fix Color 0xe0 ........ bit(s) description 16-23 Blue Component 8-15 Green Component Red Component 11.5.184 DFIX DFIX - Destination Fix Color 0xe1 ....

  • Page 111: Dth2

    11 3D GRAPHICS PROCESSING 11.5.187 DTH2 DTH2 - Dither Matrix Row 2 0xe4 ........ bit(s) description 12-15 Column 3 8-11 Column 2 Column 1 Column 0 11.5.188 DTH3 DTH3 - Dither Matrix Row 3 0xe5 ..

  • Page 112: Zmsk

    11 3D GRAPHICS PROCESSING 11.5.190 ZMSK ZMSK - Depth Mask 0xe7 ........ bit(s) description 0-15 Depth Write Mask 11.5.191 PMSKC PMSKC - Pixel Mask Color 0xe8 ........

  • Page 113: Trxspos

    11 3D GRAPHICS PROCESSING 11.5.194 TRXSPOS TRXSPOS - Transfer Source Position 0xeb ........ bit(s) description 10-19 Y Position X Position 11.5.195 TRXDPOS TRXDPOS - Transfer Destination Position 0xec ......

  • Page 114: Audio Processing

    12 AUDIO PROCESSING 12 Audio Processing 12.1 Overview 44100 Hz Sample Frequency...

  • Page 115: Infrared Port

    13 INFRARED PORT 13 Infrared Port The PSP comes with support for IRDA and Sony’s "SIRCS" protocol (useful for Sony devices only)

  • Page 116: Wlan

    14 WLAN 14 WLAN...

  • Page 117: Usb Port

    15 USB PORT 15 USB Port...

  • Page 118: Umd

    16 UMD 16 UMD...

  • Page 119: Memory Stick

    17 MEMORY STICK 17 Memory Stick...

  • Page 120: Headphone/Remote Control

    18 HEADPHONE/REMOTE CONTROL 18 Headphone/Remote Control 18.1 Audio Input 18.2 Serial Communications The PSP communicates with the microcontroller inside the remote control using RS232 serial communication (although the voltages are different of course, 0V and +2.5V) using 8N1 framing at 4800bps. The protocol consists of command packages which can be send by either the PSP or the remote control.

  • Page 121: Flash Memory

    19 FLASH MEMORY 19 Flash Memory start size description 0x00000000 0x017FC1FF 24MB flash0: 0x01800000 0x01BFC1FF flash1: 0x01C00000 0x01CFC1FF 0x01D00000 0x01DEC1FF Only FAT organized area of on-board flash chip, system file volume and configuration file volume, can be accessed via FAT Filesystem. There is a bootstrap area with equipment serial IDs in the flash chip, and the area is unreachable by the flash and lflash drivers.

  • Page 122: Flash Memory Structure (Flash0)

    So code signatures are done by the developer, while encryption is done by Sony. The trust can still be verified by checking the signed game certificate, seeing that it belongs to SCE_CA0x, and then seeing /that/ belongs to Verisign, which is the root trust node.

  • Page 123: Dic Subdirectory

    20 FLASH MEMORY STRUCTURE (FLASH0) This as a whole is a trust tree, to setup a base list of trusted certificates for the PSP. Anything signed directly by the owners of these certificates, or using a key which has been signed by the owners of these certificates will be trusted. (I.E. can the certificate presented by the game/software to be run be verified as to be connected to these certificates?) 20.2 DIC Subdirectory apotp.dic...
  • Page 124 20 FLASH MEMORY STRUCTURE (FLASH0) gpio.prx sceGPIO_Driver [PSP] 3184 hpremote.prx sceHP_Remote_Driver [PSP] 6800 i2c.prx sceI2C_Driver [PSP] 4368 idstorage.prx sceIdStorage_Service [PSP] 7072 ifhandle.prx sceNetIfhandle_Service [PSP] 10848 impose.prx sceImpose_Driver [PSP] 32480 init.prx sceInit [PSP] 7056 interruptman.prx sceInterruptManager [PSP] 9872 iofilemgr.prx sceIOFileManager [PSP] 11520 isofs.prx sceIsofs_driver...

  • Page 125: Vsh Subdirectory

    20 FLASH MEMORY STRUCTURE (FLASH0) semawm.prx sceSemawm [PSP] 34768 sircs.prx sceSIRCS_IrDA_Driver [PSP] 6464 stdio.prx sceStdio [PSP] 3744 sysclib.prx sceSysclib [PSP] 6032 syscon.prx sceSYSCON_Driver [PSP] 9936 sysmem.prx sceSystemMemoryManager [PSP] 72304 sysmem_uart4.prx sceSystemMemoryManager [PSP] 27536 sysreg.prx sceSYSREG_Driver [PSP] 5808 systimer.prx sceSystimer [PSP] 2736 threadman.prx sceThreadManager...

  • Page 126: Module Subdirectory

    20 FLASH MEMORY STRUCTURE (FLASH0) 20.5.2 MODULE Subdirectory v1.0 v1.5 size version size version auth_plugin.prx auth_plugin_module [PSP] 5856 chnnlsv.prx sceChnnlsv [PSP] 8464 common_gui.prx sceVshCommonGui_Module [PSP] 16944 common_util.prx sceVshCommonUtil_Module [PSP] 15392 dialogmain.prx sceDialogmain_Module [PSP] 22784 game_plugin.prx game_plugin_module [PSP] 33168 heaparea1.prx scePafHeaparea_Module [PSP] 1952 heaparea2.prx...

  • Page 127: Resource Subdirectory

    20 FLASH MEMORY STRUCTURE (FLASH0) 20.5.3 RESOURCE Subdirectory 01.bmp 6176 02.bmp 6176 03.bmp 6176 04.bmp 6176 05.bmp 6176 06.bmp 6176 07.bmp 6176 08.bmp 6176 09.bmp 6176 10.bmp 6176 11.bmp 6176 12.bmp 6176 auth_plugin.rco 4556 game_plugin.rco 57148 gameboot.pmf 200704 impose_plugin.rco 87828 msgdialog_plugin.rco 7028 msvideo_plugin.rco...

  • Page 128: Flash Memory Structure (Flash1)

    21 FLASH MEMORY STRUCTURE (FLASH1) 21 Flash Memory Structure (flash1) /DIC /REGISTRY /VSH /THEME...

  • Page 129: Memory Stick Structure

    22 MEMORY STICK STRUCTURE 22 Memory Stick Structure /PSP /GAME /MUSIC /PHOTO /SAVEDATA /SYSTEM /BROWSER /MP_ROOT /100MNV01 /01MAQ100 /HIFI /CONTROL /PACKAGES /PKGxxxxx /DCIM /101MSDCF /MISC 22.1 Root Directory In the root directory there are three entries which are of relevance to the PSP. The first is the file memstick.ind which just seems to be a indication that the stick is formatted (it is not specific to the PSP).

  • Page 130: Mp_Root Subdirectory

    22.1.4.1.1 PKGxxxxx Subdirectory package.xml Song information in XML format similar in function to ID3V2 tags 22.1.5 DCIM Subdirectory used by the Sony Cybershot Camera for Photos in jpg format 22.1.6 MISC Subdirectory used by the Sony Cybershot Camera, ignored by the PSP...

  • Page 131: Umd Game Structure

    23 UMD GAME STRUCTURE 23 UMD Game Structure /PSP_GAME /SYSDIR /USRDIR 23.1 Root Directory UMD_DATA.BIN 23.1.1 PSP_GAME Subdirectory ICON0.PNG ICON1.PMF PARAM.SFO SND0.AT3 PIC0.PNG PIC1.PNG note: the files in this directory resemble the contents of the PBP fileformat (see fileformats section) 23.1.1.1 Sysdir Subdirectory EBOOT.BIN encrypted main executable...

  • Page 132: Umd Video Structure

    24 UMD VIDEO STRUCTURE 24 UMD Video Structure /UMD_VIDEO /RESOURCE /CLIPINF /STREAM 24.1 Root Directory 24.1.1 UMD_VIDEO Subdirectory PARAM.SFO ICON1.PMF SND0.AT3 ICON0.PNG PIC0.PNG PIC1.PNG PLAYLIST.UMD 24.1.1.1 RESOURCE Subdirectory EN100000.RCO 24.1.1.2 CLIPINF Subdirectory xxxxx.CLP (x = 0...9) 24.1.1.3 STREAM Subdirectory xxxxx.MPS (x = 0...9)

  • Page 133: Umd Audio Structure

    25 UMD AUDIO STRUCTURE 25 UMD Audio Structure /UMD_AUDIO /RESOURCE /CLIPINF /STREAM 25.1 Root Directory 25.1.1 UMD_VIDEO Subdirectory PARAM.SFO ICON1.PMF SND0.AT3 ICON0.PNG PIC0.PNG PIC1.PNG PLAYLIST.UMD 25.1.1.1 RESOURCE Subdirectory EN100000.RCO 25.1.1.2 CLIPINF Subdirectory xxxxx.CLP (x = 0...9) 25.1.1.3 STREAM Subdirectory xxxxx.MPS (x = 0...9)

  • Page 134: File Formats

    26.2 PRX (PSP Relocation eXecutable?) Sony’s PRX (PSP Relocation eXecutable?) format is a relocation executable based on the standard ELF format. It is distinguised from a normal ELF file by having customised Program Headers, Non-standard MIPS relocation sections and a unique ELF type.

  • Page 135: Unique Elf Type

    26 FILE FORMATS 26.2.3 Unique ELF type PRX files report the value 0xFFA0 as their type in the header instead of 0x0002 which is usual for normal MIPS ELF files. 26.3 PBP A PBP file collects the files needed for a game executable from a MemoryStick into a single file, for easier transfer. The files are simply concatenated with a small index at the start.
  • Page 136 26 FILE FORMATS The last part of the file is the value table, again at an offset indicated in the file header. Since value data is required to be aligned, zero padding may exist between the key table and the value table. The offset in the file header will indicate the true start of the value table though.

  • Page 137: Psp

    26 FILE FORMATS 26.5 PSP start size description ’~PSP’ 0x00 0x04 attribute SCE_MODULE_ATTR_CANT_STOP SCE_MODULE_ATTR_LOAD SCE_MODULE_ATTR_START comp_attribute 0x06 FLAG_COMPRESS FLAG_NORELOC (ie. norel=PFX; rel=PRX) module version lo 0x08 module version hi 0x09 name 0x0a fileformat version (=1) 0x26 nsegments 0x27 elf_size 0x28 0x2c psp_size entry...

  • Page 138: Header

    26.7 PMF (PSMF) PSMF, or PlayStation Movie Format, is a proprietary movie format created by Sony for the PSP. PSMF videos can be as small as 64x64 pixels, and have a framerate of 29.97fps. The video codec used is H.264, also known as MPEG-4 Part 10 AVC. The audio codec is the Sony proprietary ATRAC3plus.

  • Page 139: Mp4

    26 FILE FORMATS 26.9 MP4 note: this refers to MP4 files as required by the player in the VSH Video Limitation Resolution: 320 x 240 (QVGA), Nonstandard resolutions can be used but are still limited to the 76,800 pixel resolution of QVGA. Codec: MPEG-4 SP (Simple Profile), which has different headers than the more common MPEG-4 formats.

  • Page 140: Graphic Formats

    27 GRAPHIC FORMATS 27 Graphic Formats 27.1 1555 ABGR 27.2 4444 ABGR 27.3 8888 ARGB 27.4 swizzling Internally, the GE processes textures as 16 bytes by 8 rows blocks (independent of actual pixelformat, so a 32*32 32-bit texture is a 128*32 texture from the swizzlings point of view).

  • Page 141: Ipl

    28 IPL 28 IPL...

  • Page 142: Kernel

    29 KERNEL 29 Kernel 29.1 Devices 29.1.1 Block Devices Name blocksize seekable description msstor: Memory Stick (whole; mbr, partition1,...) msstor0: alias for msstor: msstor0p0: partition 0 msstor0p1: partition 1 mscm: Memory Stick mscm0: mscmhc: mscmhc0: umd: 2048 umd1: alias for umd: umd00: alias for umd: umd01:...

  • Page 143: Error Codes

    29 KERNEL 29.2 Error Codes 29.2.1 Structure ........ bit(s) description Error normal critical 28-29 reserved/unused 16-27 facility 0-15 type of error 29.2.2 Facilities code description 0x000 General 0x001 Errno 0x002 Kernel 29.2.3 General Errors code description 29.2.4 Errnos...

  • Page 144: Unspecified Errors

    29 KERNEL 29.2.7 unspecified Errors code description 0xFFFFFEDO unknown (might be decryption error) 0xfffffed3 29.3 Versions 29.3.1 1.0 The first batch of PSPs was shipped with this firmware in Japan. 1.0 will run an unsigned binary in a PBP file without worry. 29.3.2 1.5 1.5 will refuse to run an unsigned binary in a PBP file, but will execute a bare elf file if you can provide that file after the PSP has already loaded the PBP.
  • Page 145 29 KERNEL flash0:/kd/lfatfs.prx flash0:/kd/lflash_fatfmt.prx flash0:/kd/libatrac3plus.prx flash0:/kd/libhttp.prx flash0:/kd/libparse_http.prx flash0:/kd/libparse_uri.prx flash0:/kd/libupdown.prx flash0:/kd/loadcore.prx flash0:/kd/loadexec.prx flash0:/kd/me_for_vsh.prx flash0:/kd/me_wrapper.prx flash0:/kd/mebooter.prx flash0:/kd/mebooter_umdvideo.prx flash0:/kd/mediaman.prx flash0:/kd/mediasync.prx flash0:/kd/memab.prx flash0:/kd/memlmd.prx flash0:/kd/mesg_led.prx flash0:/kd/mgr.prx flash0:/kd/modulemgr.prx flash0:/kd/mpeg_vsh.prx flash0:/kd/mpegbase.prx flash0:/kd/msaudio.prx flash0:/kd/mscm.prx flash0:/kd/msstor.prx flash0:/kd/openpsid.prx flash0:/kd/peq.prx flash0:/kd/power.prx flash0:/kd/pspbtcnf.txt flash0:/kd/pspbtcnf_game.txt flash0:/kd/pspbtcnf_updater.txt flash0:/kd/pspcnf_tbl.txt flash0:/kd/pspnet.prx flash0:/kd/pspnet_adhoc.prx flash0:/kd/pspnet_adhoc_auth.prx flash0:/kd/pspnet_adhoc_download.prx flash0:/kd/pspnet_adhoc_matching.prx flash0:/kd/pspnet_adhocctl.prx flash0:/kd/pspnet_ap_dialog_dummy.prx flash0:/kd/pspnet_apctl.prx flash0:/kd/pspnet_inet.prx...
  • Page 146 29 KERNEL flash0:/kd/sysclib.prx flash0:/kd/syscon.prx flash0:/kd/sysmem.prx flash0:/kd/sysmem_uart4.prx (removed, only in 1.00-JP) flash0:/kd/sysreg.prx flash0:/kd/systimer.prx flash0:/kd/threadman.prx flash0:/kd/uart4.prx flash0:/kd/umd9660.prx flash0:/kd/umdman.prx flash0:/kd/usb.prx flash0:/kd/usbstor.prx flash0:/kd/usbstorboot.prx flash0:/kd/usbstormgr.prx flash0:/kd/usbstorms.prx flash0:/kd/usersystemlib.prx flash0:/kd/utility.prx flash0:/kd/utils.prx flash0:/kd/vaudio.prx flash0:/kd/vaudio_game.prx flash0:/kd/videocodec.prx flash0:/kd/vshbridge.prx flash0:/kd/wlan.prx flash0:/kd/resource/impose.rsc (only in 1.50-US ) flash0:/vsh/etc/index.dat flash0:/vsh/etc/jis2ucs.bin flash0:/vsh/etc/jis2ucs.cbin flash0:/vsh/etc/version.txt flash0:/vsh/module/auth_plugin.prx flash0:/vsh/module/chnnlsv.prx flash0:/vsh/module/common_gui.prx flash0:/vsh/module/common_util.prx flash0:/vsh/module/dialogmain.prx...

  • Page 147: Kxploit

    29 KERNEL flash0:/vsh/module/savedata_plugin.prx flash0:/vsh/module/savedata_utility.prx flash0:/vsh/module/sysconf_plugin.prx flash0:/vsh/module/update_plugin.prx flash0:/vsh/module/video_plugin.prx flash0:/vsh/module/vshmain.prx flash0:/vsh/resource/auth_plugin.rco flash0:/vsh/resource/game_plugin.rco flash0:/vsh/resource/impose_plugin.rco flash0:/vsh/resource/msgdialog_plugin.rco flash0:/vsh/resource/msvideo_plugin.rco flash0:/vsh/resource/music_plugin.rco flash0:/vsh/resource/netconf_dialog.rco flash0:/vsh/resource/netplay_plugin.rco flash0:/vsh/resource/opening_plugin.rco flash0:/vsh/resource/osk_plugin.rco flash0:/vsh/resource/osk_utility.rco flash0:/vsh/resource/photo_plugin.rco flash0:/vsh/resource/savedata_plugin.rco flash0:/vsh/resource/savedata_utility.rco flash0:/vsh/resource/sysconf_plugin.rco flash0:/vsh/resource/system_plugin.rco flash0:/vsh/resource/system_plugin_bg.rco flash0:/vsh/resource/system_plugin_fg.rco flash0:/vsh/resource/topmenu_plugin.rco flash0:/vsh/resource/update_plugin.rco flash0:/vsh/resource/video_plugin.rco flash0:/vsh/resource/video_plugin_videotoolbar.rco 29.3.2.1 kxploit All kxploit does is create two directories, like this: /MYPROG% /MYPROG or, to hide the ’broken data’...

  • Page 148: New Features

    29 KERNEL MYPROG~2 is the short name for MYPROG~1% The second case works properly. The first does not. Remember why the kxploit trick works at all: the vsh sees a nicely formed file in "MYPROG~1%", but then passes "MYPROG~1" to the bootstrap, which executes the bare ELF. If "MYPROG~1" is the short name for the wrong directory, of course it won’t work.

  • Page 149: Updated Files

    file containing a buffer overflow. Since the data from the wallpaper is in a known location(VRAM) we can use the TIFF overflow to jump to the known VRAM location and execute code. 29.3.6 2.01 29.3.6.1 new Features This was a quick release by Sony to fix the TIFF overflow exploit found in the previous version paf.prx 29.3.6.2 updated Files index.dat...

  • Page 150: New Features

    29 KERNEL Unicode support in the Browser with automatic Encoding Detection Save your text size settings in the Browser Save your Browser input history (URLs) Videos with DRM can be played NTP (Network Time Protocol) support WPA and PSK have been added to network setting Korean input keyboard method 29.3.8 2.6 29.3.8.1 new Features...

  • Page 151: Network Test

    29 KERNEL American PSP (US Region) fetches from http://fj01.psp.update.playstation.org/update/us/psp-updatelist.txt # US Dest=01;ImageVersion=000002d5;CDN=http://du01.psp.update.playstation.org/update/us/ 2005_0824_50c7032754835b588319c1a6c652cdc0/EBOOT.PBP;CDN_Timeout=30; European PSP (EU Region) fetches from http://fj01.psp.update.playstation.org/update/eu/psp-updatelist.txt # EU Dest=02;ImageVersion=000002d5;CDN=http://de01.psp.update.playstation.org/update/eu/ 2005_0824_50c7032754835b588319c1a6c652cdc0/EBOOT.PBP;CDN_Timeout=30; If an image with a higher version than what is currently installed is available, the PSP can download it from the URL specified after CDN= and install it.

  • Page 152: Appendix

    30 APPENDIX 30 Appendix 30.1 GCC Quick How To note: the instructions in this chapter are only for dyhards that want to bootstrap their own GCC from vanilla sources. For everyone else a toolchain containing allegrex specific patches is highly recommended. For short: you dont need this :) 30.1.1 compile ASM to object: <GCCROOT>/bin/???-elf-as -c \ -I <GCCROOT>/???-elf/include -I <additional includes>...

  • Page 153: Linker Script

    30 APPENDIX --enable-languages=c --disable-shared --disable-nls --with-newlib note: a specialised ’allegrex’ port is highly recommended. r4000 (or r5900) will work, but is suboptimal 30.1.9 Linker Script to do 30.1.10 Startup Code to do 30.2 Games AC Formula Front - FromSoftware Ape Escape - SCEJ Axel Impact - Axis Entertainment Inc.
  • Page 154 30 APPENDIX Mahjong - Koei Makai Wars - Nippon Ichi Software Metal Gear Acid - Konami Mobile Suit Gundam - Bandai Moji-Pittan - Namco Monkey Games - SCEJ Need For Speed Underground - EA New Ridge Racer - Namco Pilot Academy - Marvelous Interactive Popolocrois Story - SCEJ Powerful Proyakyu - Konami Pro-wrestling - Yuke’s\~~~...

  • Page 155: Developers

    30 APPENDIX 30.3 Developers FromSoftware Axis Entertainment Inc. SEED9 WorkJam Capcom Dorasu Corp. CyberFront Corp. Now Production Success Corp Nippon Ichi Software Bandai Yuke’s\~~~ Sega Taito Spike Hudson Soft Koei Idea Factory Marvelous Interactive Genki Banpresto Namco Akira SCEJ Zepetto Studios Konami UBI Soft...

  • Page 156: References

    U.S. Pat. Application 20040266529 (Methods and systems for remote execution of game content and presentation on a wireless portable device) - PS3 to PSP connection Debug Information in ’Puzzle Bobble’ (Error Codes, Kernel API Names etc...) WM8750 Datasheet 31.1 Sources http://www.uspto.gov http://www.mips.com http://www.sdmi.org http://www.sony.com http://www.sony.net http://www.lik-sang.com/psp.html http://www.chipworks.com http://www.extremetech.com http://www.rsasecurity.com http://pinouts.ru http://www.edcheung.com/automa/sircs.htm http://www.hifi-remote.com/sony/...

  • Page 157: Credits

    32 CREDITS 32 Credits besides freely available datasheets and patents, this document was created based on information provided by the following people. if you think you are missing in this list, please keep me informed so i can add you immediately. Marcus Comstedt (http://mc.pp.se/psp/) Memstick Layout, PBP and PSF Format, Network update, some other misc stuff...

Table of Contents