Communication Processor Update Package

From Vita Development Wiki
Revision as of 20:15, 15 January 2019

Updates to the communication processor are stored within a special CPUP package contained within Development kit (DEM or PDEL) PUP files.

In firmwares 0.940 and 0.945 (and their sub-versions) exclusively, the CPUPs are embedded within encrypted Update Packages.

CPUP Structure

Every CPUP starts with a common header; all fields are little-endian.

Offset  Size  Description
0x0     u32   Magic "CpUp"
0x4     u32   Version
0x10    u32   Unknown, always 0x01000000
0x14    u32   Full CPUP size
0x18    u32   Payload/data start address
0x1C    u32   Extracted/decrypted CPUP size

Every CP update with a version below 1000 (version 1000 is the one found in firmware 1.00) is divided into 2 parts (2 distinct CPUP files sharing the same version value).

Every version after version 1000 consists of a single part.

CP board id

  • DEM-3000H has the CP board id 3
  • DEM-3000L has the CP board id 4
  • PDEL-100x has the CP board id 4

CP version

Here are the different CP versions identified as of today:

CPUP Header  CP Version  System Software Version
00060004     0604        0.902
00080508     0858        0.931
00090100     0910        0.940
00090200     0920        DEM-3000H Recovery
00090203     0923        0.945
00090501     0951        0.990
00090600     0960        0.995.000
00090604     0964        DEM-3000L Recovery
00090700     0970        0.995.070
00090708     0978        0.996
01000000     1000        1.000.041
01000001     1001        1.000.071
01000002     1002        1.030 / PDEL-1001 Recovery
01000106     1016        1.500
01000300     1030        1.600
01000800     1080        1.800
01010000     1100        2.000
01010702     1172        2.120
01010904     1194        2.500
01020001     1201        3.000
01030001     1301        3.100

Kernel Boot Loader logs

Both the Kernel Boot Loader (KBL) and the Non-secure Kernel Boot Loader (NSKBL) log the current CP version in their boot log (the version issued by KBL appears in the console output), using the format strings below:

KBL:

Starting PSP2 Kernel Boot Loader [0x%08x]: %d...revision   : %d.build date : %s.....cp info.   : bid.%x ver.%04x

NSKBL:

Starting PSP2 Kernel Boot Loader (Non-secure) [0x%08x]: %d...BOOTSW.......%d: 0x%08x....: CP time...: CP bid & version

Here bid. is the board id and ver. is the CP firmware version. For example, "bid.4 ver.1301" stands for board id 4, CP version 1301.

In the NSKBL format the information is logged as "0x00041301 [0x00041301]: CP bid & version", where the upper 16 bits 0x0004 hold the board id (4) and the lower 16 bits 0x1301 hold the version (1301).

This version information is most likely read from the sysroot at offset 0x44 (a little-endian u32: the raw bytes 01 13 04 00 for bid.4 ver.1301, i.e. 0x00041301 once the byte order is applied).
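As an added example (not code from the wiki or from the SDK), a small Python parser for the CPUP header described above, together with a decoder for the sysroot word at offset 0x44. It assumes the version field holds one decimal digit per byte in file order, which is how the CPUP Header column of the CP version table reads (01030001 for CP version 1301); the size-consistency checks and the sample CPUP bytes are constructed for the example.

```python
import struct

CPUP_MAGIC = b"CpUp"
HEADER_LEN = 0x20  # documented fields end at 0x1C + 4


def cp_version_from_bytes(vbytes: bytes) -> str:
    """Version bytes 01 03 00 01 -> "1301": one decimal digit per byte, file order (assumption)."""
    if len(vbytes) != 4 or any(b > 9 for b in vbytes):
        raise ValueError(f"unexpected version bytes: {vbytes.hex()}")
    return "".join(str(b) for b in vbytes)


def parse_cpup_header(data: bytes) -> dict:
    """Parse the common little-endian CPUP header and check the size fields against the file."""
    if len(data) < HEADER_LEN or data[:4] != CPUP_MAGIC:
        raise ValueError("not a CPUP: bad magic or truncated header")
    unknown, full_size, payload_off, extracted_size = struct.unpack_from("<4I", data, 0x10)
    if unknown != 0x01000000:
        raise ValueError(f"unexpected value at 0x10: {unknown:#010x}")
    # the payload must start inside the file and the declared size must match the file length
    if not (HEADER_LEN <= payload_off <= full_size == len(data)):
        raise ValueError("size fields disagree with the file length")
    return {
        "cp_version": cp_version_from_bytes(data[4:8]),
        "package_version": ".".join(str(b) for b in data[4:8]),  # psp2ctrl style, e.g. 1.3.0.1
        "payload_offset": payload_off,
        "payload_size": full_size - payload_off,
        "extracted_size": extracted_size,
    }


def decode_sysroot_cp_info(word_le: bytes) -> tuple:
    """u32 at sysroot offset 0x44: high half is the board id, low half the version as KBL prints it (%04x)."""
    (value,) = struct.unpack("<I", word_le)
    return value >> 16, f"{value & 0xFFFF:04x}"


# Constructed sample: a version-1301 CPUP (PDEL-1001, system software 3.100) with a 16-byte dummy payload.
SAMPLE_PAYLOAD = b"\x00" * 16
SAMPLE_CPUP = (
    CPUP_MAGIC
    + bytes([1, 3, 0, 1])  # 0x04: version 1301
    + b"\x00" * 8          # 0x08-0x0F: not documented on the page
    + struct.pack("<4I", 0x01000000, HEADER_LEN + len(SAMPLE_PAYLOAD), HEADER_LEN, 0x4000)
    + SAMPLE_PAYLOAD
)
SAMPLE_SYSROOT_WORD = bytes.fromhex("01130400")  # raw bytes as on the page; 0x00041301 little-endian

if __name__ == "__main__":
    print(parse_cpup_header(SAMPLE_CPUP))
    print(decode_sysroot_cp_info(SAMPLE_SYSROOT_WORD))  # (4, '1301')
```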

psp2ctrl info

Additional information can be obtained with the SDK's psp2ctrl info command; the output looks like this:

DEM-3000H in normal mode

 CP:
   BoardVersion: 3
   PackageVersion: 0.9.6.0
   RecoveryPackageVersion: 0.9.2.0
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

DEM-3000H in recovery mode

 CP:
   BoardVersion: 3
   PackageVersion: 0.9.6.0
   RecoveryPackageVersion: 0.9.2.0
   ProtocolVersion: 1.0.5.0
   Flags: 0x1

DEM-3000L in normal mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.0.3.0
   RecoveryPackageVersion: 0.9.6.4
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

PDEL-1001 in normal mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.3.0.1
   RecoveryPackageVersion: 1.0.0.2
   ProtocolVersion: 1.0.7.0
   Flags: 0x0

PDEL-1001 in recovery mode

 CP:
   BoardVersion: 4
   PackageVersion: 1.3.0.1
   RecoveryPackageVersion: 1.0.0.2
   ProtocolVersion: 1.0.7.0
   Flags: 0x1

Note: the flag shown in the above examples is the recovery mode flag. While it is set to 0x1, recovery mode is active and the CP is running from the recovery bank.

Update

The Communication Processor is updated through the use of the SceDeci4pCpup module.

Downgrade

The Communication Processor on PS Vita Development units is not downgradable within normal operations (even when downgrading the unit itself using a PUP). It may be possible to downgrade by using the psp2ctrl recover-cp cpupdate.bin command while in recovery mode, where cpupdate.bin is a CPUP whose version is equal to or higher than the RecoveryPackageVersion. It may also be possible to downgrade from the Vita side by patching or bypassing the version check performed by SceDeci4pCpup.

Recovery mode

In the event that the CP becomes unresponsive, a special recovery mode exists. To enter it, press the "init" button (physically located at the bottom of the CP) while the AC adapter is plugged in; the CP will then reboot into recovery mode (the LED will turn blue, then green). If your unit is connected, you will be disconnected from the TM server until you reconnect the USB cable. You may still experience timeouts when running the psp2ctrl info command; if so, your SDK binaries might not be compatible with the version used in the recovery bank and you may need to use older ones.

While in recovery mode, until the AC adapter is disconnected, the CP runs its recovery package firmware. Although this essentially acts as a downgrade, the version located in the active bank does not change: the version reported by the CP is not the running version but the version currently flashed in the normal/active bank. It is therefore not possible to downgrade a unit by updating to a PUP while in recovery mode, because the reported version will still be higher than the CPUP present inside the PUP.

While this does not permanently downgrade your CP firmware, it is useful when attempting to trigger a possible vulnerability that was patched in a later revision.