The NAND Dump AND NAND Basics


Posted by Kravenbcn

Published by Erland in dark-alex.org forum

Recovered thanks to Alek, webmaster of dark-alex.org



This tutorial is for people who do not understand what the NAND is or why it's so important. It should also let people know why it's so important not to use someone else's NAND dump. I have removed the advanced section of this tutorial because I do not want to be responsible for people ruining their PSP.

I have made most of this from memory without looking things up. I may have mixed up some names and references. Please point out any mistakes I have made, with proof if possible.

When dealing with the NAND there are several things that you need to know. We are going to break them down in several sections.

01. Definition
02. Technical Breakdown
--- A. IPL
--- B. IDStorage
--- C. lflash
03. Dumping the NAND
04. Restoring the NAND
05. DOs and DON'Ts
06. Downloads

01. NAND Dump

What is it? A NAND dump is a physical backup of the chip inside your PSP that stores all the files the PSP needs to start up. It contains the IPL, the IDStorage, and the lflash. Used properly, a NAND dump can quickly unbrick your PSP. This means that you cannot screw up the PSP unless something goes wrong hardware-wise.

02. Technical Breakdown

The contents of the NAND comprise 3 sections: the IPL, the IDStorage, and the lflash.

The NAND does not contain the RAM. The RAM and the NAND are 2 different chips.



--- A. The IPL

The IPL is the "Initial Program Loader".
When the PSP starts up, the pre-IPL looks on the NAND for the IPL and loads it; this is the first step in the booting process. If the inserted battery has a serial of 0xFFFFFFFF, it is at this stage that the PSP loads the IPL from the Memory Stick rather than from the NAND.
The IPL decrypts and unpacks itself, and starts loading everything else off of the lflash (the firmware).

As of this writing, and as far as I know, there are 6 types of IPLs.

1.50 (1.00-1.52)
This will work on any PSP Classic from 1.0 - 2.60 without modifying anything. If you modify the IDStorage and change "key 5" you will be able to load it on 1.50 - 3.52. Only the Classic PSPs with the TA-082+ motherboards needed to patch "key 5".

The older custom firmwares (2.71 SE to 3.52 M33) all used a 1.50 IPL to bootstrap the 2.xx/3.xx firmware with patches.

This is no longer the case with 3.71 M33 onwards, as the 1.50 IPL was removed to maintain functionality on the Slim PSP. However, there is a 1.50 kernel add-on for this and newer Custom Firmwares which can be used on the Classic PSP.

1.50 "Simple IPL"
This is an IPL patch that was made by Dark_Alex - it removes the check for IdStorage key 5 from the 1.50 IPL, which allows it to boot on all Classic PSPs. This IPL cannot be used on the Slim.

1.50 Multi-Boot
A person by the name of Booster made a multi-boot IPL that allowed you to use Pandora to boot to either your memory card or boot directly from the NAND. This IPL cannot be used on the Slim.

3.xx M33 custom IPL
This is an IPL that was made entirely by Dark_AleX and the rest of Team M33. It was used for an add-on feature that allows Pandora to run on the Slim, because the 1.50 IPL does not work on the Slim. This IPL is also used in 3.XX M33 and DCv3/4.

3.xx
The encryption of the lflash changed during the 3.xx firmwares. In turn they also changed the IPL that loads up. The main reasons for doing this were, first, that the Slim PSP was on the way out the door and, second, that they were trying to stop homebrew. Mainly it's because of the Slim PSP.

3.90 Multiboot / Time Machine / DCv5+
Starting in 3.90 M33, Dark Alex has made his own multiboot IPL. You have to have the 3.90 M33 IPL installed for Time Machine to work. Time Machine will allow you to boot from 1 of 5 OSes.

1.5 Official Firmware
1.5/3.40 OE - Mixup
3.40 OE
3.60 M33
4.01 M33-2 (With the use of DCv7)
Straight from the Nand

To have the Slim PSP boot from the NAND while using Time Machine you will need to have 3.90 M33-2 installed on the NAND. You can verify this by reading the readme that came with Time Machine. I'm not sure if the 3.90 M33-2 IPL is the same as Time Machine or if it's just set up to accept booting from the Memory Stick.

--- B. IDStorage

I will not get into this too much because most people will not need to know. However there are some things that you need to know about it.

IF YOU USE THE IDSTORAGE OF A PSP THAT IS NOT YOURS, OR ONE THAT DID NOT COME ON THE PSP WHEN IT WAS MADE, YOU WILL LOSE SEVERAL FEATURES OF YOUR PSP.

This includes, but is not limited to, the following:

Ad-hoc
UMD and UMD video
Homebrew
MagicGate
Wifi
USB to PS3

There are some keys that are not specific to the PSP. They are common to all PSPs with either the same motherboard or model, e.g. PSP-1000/2000 or TA-079/81/82/85/86/88/90.

Just remember that if you use someone else's IDStorage you CAN PERMANENTLY AND IRRECOVERABLY MESS UP YOUR PSP. DO NOT USE SOMEONE ELSE'S IDStorage.

Despertar del Cementerio v7 now has the ability to restore IDStorage. THIS IS THE ONLY PROGRAM THAT HAS THIS ABILITY.

What does IDStorage do?

IDStorage keeps several hundred keys with information about your PSP on each key.
These keys hold information like the following:

Serial Number
UMD drive serial number
WLAN MAC address
Some decryption keys
Video region information
WLAN region information
Unique keys and original firmware version
Battery power settings
LCD power settings

As you can see there are several things in your IDStorage that are specific to your PSP. If these things change to something that they are not supposed to be then you can brick your PSP.

Backing up your IDStorage is not hard. There are several ways to do it.

1. Chilly Willy's "Key Cleaner". This program will dump your keys into several .bin files for you. They can be restored using Chilly Willy's "IDStorage Manager". This is the preferred method of backing up your keys if you do not have Pandora.
2. Cory149's "Des Cem M8". This is a NAND tool that also has the ability to dump your keys.
3. "Pandora". See the next option for more information.
4. "Despertar del Cementerio". If you have made a NAND dump, the NAND dump contains a backup of the IDStorage.

Pick one of these tools to back up your IDStorage.

You can use those same programs to restore your IDStorage once you have corrupted it. Most of those programs will work on DCv3/4 with jas0nuk's "ELF menu". Cory's Nandtool/Des Cem M8 is now compatible with DCv7+.

And remember Despertar del Cementerio v7 now has the ability to restore IDStorage. THIS IS THE ONLY PROGRAM THAT HAS THIS ABILITY.

Here is how:

"KeyCleaner" will make a backup of your IDStorage Keys. It does not matter what firmware you were on when you dumped them. As long as you have "Despertar del Cementerio" on a memory stick with the "ELF menu" and "Des Cem M8" then you are set to go.

You can use Des Cem M8 to repartition the whole NAND and then use KeyCleaner from the ELF Menu and restore the IDStorage. At that point you can use "Despertar del Cementerio" to install your Firmware.

--- C. lFlash

The lflash is made up of flash 0, 1, 2, and 3. They are all FAT12 partitions of the NAND. They are separate partitions, and they can get corrupted all at once or individually. For instance, you can have a corrupted flash2 or flash3 and never know it until you go to the PlayStation Store and try to download something, and next thing you know your PSP has bricked. Despertar del Cementerio v7+ has the ability to repartition the lflash as well as change its size. Des Cem M8 can repartition it as well.

Flash0
Holds the actual firmware files. These files are encrypted and sig-checked. This means that when they were installed they were encrypted just for your PSP.

In other words you cannot use someone else's flash0 files on your PSP.

The only exception to this is if you remove the sigcheck from the files before flashing them to your PSP. Some files may need to be decrypted first.

Flash1
Holds all of your system settings: things like your wallpaper of choice, your PSP user name, network settings, Flash player and other settings. On here you will find config.se, which is the file that holds the settings for the "recovery" menu. If you delete this file you will reset the settings for the recovery menu. You will also find the following files and folders on there:

flash1:/dic/atok10.dic
flash1:/gps
flash1:/net/http/auth.dat
flash1:/net/http/cookie.dat
flash1:/registry/system.dreg
flash1:/registry/system.ireg
flash1:/updater/u.log
flash1:/vsh/theme/custom_theme.dat
flash1:/vsh/theme/wallpaper.bmp

If you use "Despertar del Cementerio" and your PSP locks up in the XMB, then you have created your "Despertar del Cementerio" with a theme/wallpaper installed and must use the format flash1 option in the recovery menu. Doing this will not recreate all of the aforementioned folders. Make sure they all exist.

Flash2
Holds cert.dat/act.dat DRM stuff for the PlayStation Network. This will only show up once you have connected your PSP to a PS3 or a PC for PlayStation Network downloads. This also gets backed up by "Despertar del Cementerio" when installing firmwares. The worst part about losing this file is the fact you will have to re-download whatever it was you downloaded to begin with.

Flash3
In 3.60 it was used to store the TV usb1seg application "1SEG.PBP". This has since been moved to flash0 with all other programs. On the phat PSP this is empty. Dark_AleX speculates that it will be used to store more "downloadable" content like "Go Messenger", but only on the Slim, where the Classic will use the Memory Stick to download it.

Each "lflash" area is a different partition on the NAND itself. These partitions have been known to get corrupted for various reasons. The best-known cause is using the USB option on 3.71 M33 to 3.71 M33-2. This has been fixed in 3.71 M33-4.

To fix this you have 3 options.

1. Restore a NANDdump with your favorite tool.
2. Repartition the lflash using Cory's Nandtool
3. Repartition the lflash using Despertar del Cementerio v7+.

03. Dumping the NAND.

There are 3 programs out right now that will allow for dumping of your NAND.

1. The original Pandora does not run on the slim. Version 2 does but runs blindly.
2. Despertar del Cementerio
3. Cory's "Des Cem M8" / NAND Tool. Cory's program is by far the best tool to use to work with your NAND.

When dumping your NAND it is normal to see bad blocks appear. Sony is allowed to ship out PSPs whose NAND has a certain percentage of bad blocks. I have personally seen one brand-new PSP get shipped with 3 bad blocks. This is normal. They include a reasonable amount of extra blocks to use in this type of situation.

I personally make my dumps with whatever version of "Despertar del Cementerio" I'm using. All of the programs' dumps are universal. It does not matter which one you make the dump with; however, it technically does matter which one you restore it with.

To verify that your NAND dump is in good condition:

cory149 wrote: "This Windows PC tool verifies the consistency of a dump's data (slim or fat); when a dump is dropped onto the exe, there should never be a size error, ECC error (every 512 bytes is checksummed after a fashion in the spare page) or bad blocks. Up to you to decide if it is useful, I know there are at least a couple slim PSPs that seem to consistently give erroneous dumps (seems to be "stray" data in empty blocks' spares.)"
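
The size and bad-block parts of the check described in the quote above, as an added example that is not cory149's tool and not code from the original post. The page/spare sizes, block counts and block-status offset are assumptions about the dump layout, and the ECC comparison is left out.

```python
# Added example: structural check of a raw NAND dump, not cory149's tool.
# ASSUMED layout (not stated on the page): 512-byte pages each followed by a
# 16-byte spare area, 32 pages per block, 2048 or 4096 blocks, and a
# block-status byte at spare offset 5 of a block's first page (0xFF = good).
# The ECC comparison the quote mentions is not implemented here.
import hashlib
import sys

PAGE_DATA, PAGE_SPARE, PAGES_PER_BLOCK = 512, 16, 32
BLOCK_RAW = (PAGE_DATA + PAGE_SPARE) * PAGES_PER_BLOCK
KNOWN_BLOCK_COUNTS = {2048: "32M", 4096: "64M"}
STATUS_OFFSET = PAGE_DATA + 5


def check_dump(image):
    """Return size validity, chip label, bad block list and SHA-256."""
    report = {"size_ok": False, "chip": None, "bad_blocks": [],
              "sha256": hashlib.sha256(image).hexdigest()}
    blocks, remainder = divmod(len(image), BLOCK_RAW)
    if remainder or blocks not in KNOWN_BLOCK_COUNTS:
        return report  # truncated, padded, or missing the spare areas
    report["size_ok"] = True
    report["chip"] = KNOWN_BLOCK_COUNTS[blocks]
    for block in range(blocks):
        if image[block * BLOCK_RAW + STATUS_OFFSET] != 0xFF:
            report["bad_blocks"].append(block)
    return report


def make_sample(blocks=2048, bad=(7,)):
    """Constructed image: fully erased (0xFF) with the given blocks marked bad."""
    image = bytearray(b"\xff" * (blocks * BLOCK_RAW))
    for block in bad:
        image[block * BLOCK_RAW + STATUS_OFFSET] = 0x00
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as handle:
            print(check_dump(handle.read()))
    else:
        print(check_dump(make_sample()))
```

Recording the SHA-256 next to each backup copy lets you confirm later that a copy has not been corrupted in storage.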


04. Restoring the NAND dump

"Despertar del Cementerio" will restore the dump physically. This means if you had a bad block when dumping then it will restore that bad block. The bad part about this is that if you have developed a new bad block since you made the dump, you may not be able to properly restore your dump. The reason is that "Despertar del Cementerio" will restore good data to bad blocks because of the way it restores.

Cory's "Des Cem M8", and the old version of Pandora (only works on Classic PSP) will restore the dumps logically. This means it will check for bad blocks and will not restore good data to a bad block. It will in turn restore good data to the extra good blocks Sony included for this reason. Of course if there are too many bad blocks on the NAND then the restore will fail.
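
The difference between the two restore strategies, as an added example that is not code from the original post or from any of the tools named. It is a toy model: the block names, the `BAD`/`FREE` markers and the 8-block layout are constructed for illustration.

```python
# Added example: toy model of the two restore strategies described above.
# ASSUMPTIONS: blocks are list entries, BAD marks a block that was bad when
# the dump was taken, FREE marks an unused spare block; real tools work on
# raw pages and spare areas, which this model leaves out.
BAD, FREE = "<bad>", "<free>"


class RestoreError(Exception):
    pass


def physical_restore(dump, bad_now):
    """Write dump block i to NAND block i. Returns (nand, lost_payloads)."""
    nand, lost = {}, []
    for index, payload in enumerate(dump):
        if payload in (BAD, FREE):
            continue
        if index in bad_now:
            lost.append(payload)      # good data sent to a bad block
        else:
            nand[index] = payload
    return nand, lost


def logical_restore(dump, bad_now):
    """Place each data block, in order, on the next good NAND block."""
    good = [i for i in range(len(dump)) if i not in bad_now]
    data = [p for p in dump if p not in (BAD, FREE)]
    if len(data) > len(good):
        raise RestoreError(f"{len(data)} data blocks, {len(good)} good blocks")
    return dict(zip(good, data)), []


# Constructed 8-block dump: block 2 was already bad, blocks 6-7 are spares.
DUMP = ["ipl", "idstorage", BAD, "flash0-a", "flash0-b", "flash1", FREE, FREE]
BAD_AT_DUMP = {2}
BAD_SINCE = {2, 4}                    # block 4 failed after the dump was made

if __name__ == "__main__":
    for bad in (BAD_AT_DUMP, BAD_SINCE):
        print("physical", physical_restore(DUMP, bad))
        print("logical ", logical_restore(DUMP, bad))
```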

05. DOs and DON'Ts

"DOs"

Do make yourself a nand dump as soon as you have the opportunity. This can make or break your PSP.
Do make several backup copies of your NAND dump. Then zip it up and rename it to something you will understand. Mine are named:

3r14nd.v1.50.TA-079.Original.zip
3r14nd.v3.52.M33-4.TA-079.zip
3r14nd.v3.71.M33-4.TA-079.zip
3r14nd.v3.80.M33-4.TA-079.zip

I also carry them on my Pandora stick in the folder used for Cory's "Des Cem M8".

Some people also add the serial number of the PSP to the file name. The serial number can be located on the black sticker under the battery (the warranty sticker). e.g. TA-82_4.01M33_34ER2K342ED34.bin

If you use "Des Cem M8" it will make the file name with the following:

1. Motherboard Model
2. PSP Version
3. Some number - I can't remember at the moment, but it's specific to the PSP.
4. NAND Size

e.g. "TA-085_V2_Slim_447fa8b4_64M.bin"

"DON'Ts"

DON'T restore someone else's Flash0 files. They are encrypted for their PSP and not yours, so they will not work.
DON'T restore someone else's IDStorage. It will screw up your PSP.
DON'T restore someone else's NAND dump into your PSP.

There are exactly 2 NAND dumps I know of that are fine to restore to any PSP. One of them is a NAND Dump of a Classic PSP that contains nothing but empty data and the correct partitions. The other is the exact same thing but for the Slim. These are still not good to restore unless you have a dump of your keys or a good dump of your IDStorage.

06. Downloads

Here are the links to everything I have mentioned in this tutorial:

Download Chilly Willy's "Key Cleaner" v1.4
Download Chilly Willy's "IdStorage" v1.3
Download Cory's "nandTool"/"Des Cem M8" v4.0
Download Team C+D's Prometheus Project "Pandora's Battery" v1.0
Download Dark Alex's "Despertar del Cementerio" v7
Download jas0nuk's "Elf/PBP Menu" v0.4

This tutorial was put together by 3r14nd. Contributions made by: cory149, jas0nuk, Dark_AleX, and Chilly Willy.

Edited By: jas0nuk, cory149

Thank yous are in order for all of the greatest devs of the PSP scene. You know who you are and there is no need to say names. I thank each and every one of you who help this scene continue.

I hope this helps keep some of the noobs off of your PM box for a few.

If you know of anything that should be added to this tutorial, keep in mind it's for the noobz to get to know more about the NAND and not getting to know how to program for it. Just PM me and I shall add it in.

Remember, I have never stated that I'm a know-it-all when it comes to the NAND, just someone who has paid attention. This means there may be mistakes in this tutorial; just point them out and I shall correct them.


Thank you.

3r14nd