AV Testing Tool PS3 (DECHS-XXXX) or PSP (DTP-LXXXX)

Discussion in 'Sony Programming and Development' started by RAPTOR115X, May 23, 2018.

  1. RAPTOR115X

    RAPTOR115X Spirited Member

    Joined:
    Dec 10, 2016
    Messages:
    109
    Likes Received:
    17
    I have a PSP AV Tool (I have other means of playing PSP games anyways, so it doesn't bother me if it's not possible) but not an AV Tool PS3, but was curious if other members of the community had any luck with them being able to be converted (or have firmware converted for them) to run some form of what one would know as CFW (even just one of the two) so they can be used as something closer to a normal (jailbroken) PS3/PSP.

    Basically, an AV Testing Tool allows one to test UMD Movies (PSP) and Blu-Ray Movies (PS3) prior to release on non-pressed discs. That's basically all they can do in their default state; they cannot run ANY games intended for their hardware (even original pressed games, like standard PS3/PSP development hardware can), but I was wondering if they can be converted in a sense to run a CFW from their respective platforms to extend the functionality. (Obv. couldn't be done on, say, some DECHS-25xx or newer, for example, though.)

    Again, this is of little priority to me in the sense that I want to play games on them, as I have access to a PS3/PSP anyways, but I was curious if it's possible to make the hardware more useful, and more just sheer curiosity if it can be done for the heck of trying.
     
  2. mathieulh

    mathieulh Problem Solver

    Joined:
    Jan 26, 2006
    Messages:
    558
    Likes Received:
    182
    What firmware is your DTP-L1500 on? Are you selling it? (I am interested.) I have yet to dump the firmware/nand from one of these.

    DECHS in theory should have target id 0x82 (unlike what the wiki says, although I am not 100% positive on this), but the vsh will not run your typical debugging station update, so you'd need to set one to service mode (on 3.55 or earlier) and flash a DECH update on it to convert it. I have never tested this; I would need one such unit to know for sure, or at least a nand dump. If the target id is different, you would need to dump the idps root key and change the target in eid0 to 0x82 by either reencrypting a donor's real dech idps (better) or changing the target and reencrypting (no psn, brick on 4.30+ except on specific cfw like rebug).
     
    pool7 likes this.
  3. RAPTOR115X

    RAPTOR115X Spirited Member

    I'll confirm what FW (DTP-L1500) it's running when I get home from work. I'm likely not interested in selling it, but that doesn't leave the door completely closed.

    For the PS3 AV Tool I was thinking they'd have the target ID 0x80 according to the psdevwiki. Sadly, I don't have one so I cannot get a dump to confirm this.
     
  4. Tokimemofan

    Tokimemofan Dauntless Member

    Joined:
    Feb 8, 2012
    Messages:
    740
    Likes Received:
    77
    Is there a software way to tell on the DECHS? I have one of those, just would rather not open it.
     
  5. RAPTOR115X

    RAPTOR115X Spirited Member

    The sticker should show you, a standard debugging station has DECH-XXXX whilst an AV Tool has DECHS-XXXX usually.
     
  6. Tokimemofan

    Tokimemofan Dauntless Member

    I know that, I’m talking about the target id. I have an av testing tool, I believe on 2.60.
    It’s a 60gb and it does have the other os capability; never checked to see if that feature actually works on this model.
     
  7. mathieulh

    mathieulh Problem Solver

    Can you run any software at all on the unit?
    I would assume running updates is possible, have you tried installing a custom firmware onto the thing?
     
  8. Tokimemofan

    Tokimemofan Dauntless Member

    I’d rather dump the firmware on it first.
    The only thing it seems to be able to read is burned Blu-ray Discs.
     
  9. mathieulh

    mathieulh Problem Solver

    I am guessing the only way would be by using a lv2diag.self from service mode to dump the nand.

    I will check if others are interested in helping you with that. (I've been kinda busy lately :/ )
     
  10. RAPTOR115X

    RAPTOR115X Spirited Member

    Okay, I finally had a look and it's currently running Version 1.50.
     
    mathieulh and WorldGenesis like this.
  11. mathieulh

    mathieulh Problem Solver

    Wow! If I send you a UMD image with a NAND dumper would you burn it to a DVD and run it? I have been looking for the 1.50 DTP-L1500 firmware for years.

    Do they issue updates for these units at all? Would you happen to have one?
    Do you see the game category at all in the vsh? (I am trying to find out how to write that UMD image in a way that'd work on DTP-L1500.)

    UPDATE: I created files to burn on DVD so you can dump the NAND. I have successfully tested the UMDGAME image on my DTP-T1000 on 1.50. Unfortunately I do not own a DTP-L1500 so I can't test if the images work for sure.

    Can you burn the content of the DUMPER1_UMDGAME folder (4 files) to the root of a DVD, insert it in your unit and see if the update shows up? If so run it with a memory stick inserted and it will create a nanddump.bin file on the root of your memory stick

    If you do not see the update, can you burn the files contained in the DUMPER2_UMDVIDEO folder at the root of a DVD (5 files) and tell me if that works? If not I will attempt to fix the UMD Video format which might take some trial and error.

    https://drive.google.com/open?id=1i4cF411fVU-X2LrRu3RiWN1QQ3hXaos2

    Can you share the nand dump with me afterwards? I just want to extract the firmware from it (the firmware itself does not contain any identifiers to your device) and find out what the target id is for DTP-L1500 units.

    Your help would be greatly appreciated.

    P.S. This dumper will only work on firmware 1.50
     
    Last edited: May 25, 2018
    WorldGenesis and pool7 like this.
  12. RAPTOR115X

    RAPTOR115X Spirited Member

    Answering your questions in order on a paragraph-by-paragraph basis:

    Sure, I'll give it a try.

    I sadly don't have any update files for these units (I do for the standard test/dev units, however, as I also have a standard DTP-T1000 and DTP-H1500). The game category is visible in the XMB.

    Okay, dumper 1 (UMD Game) shows "The disc cannot be started. The region code is not correct." That's it, no other options after dismissing the message or any visible signs the disc is in.

    Dumper 2 shows the fake update and running it executed your dumper.

    Here's the file it produced:

    http://rapt0r.xyz:8081/nand-dump.bin

    Could you please send the FW file back so I have a backup myself? Let me know how it goes!
     
    WorldGenesis likes this.
  13. WorldGenesis

    WorldGenesis irc.worldgenesis.net

    Joined:
    May 12, 2007
    Messages:
    127
    Likes Received:
    29
    I wonder if it's just a general purpose 1.50 TestingTool firmware but with the target id dictating what sort of "mode" to boot into? Unless they'd make a different variation with specific modules to remove and a different VSH :p
     
  14. mathieulh

    mathieulh Problem Solver


    I just downloaded the file; however, the dump should have been 69,206,016 bytes in size and yours is only 32,145,408. Is it the size you got on your memory card? I suspect it to be incomplete, I will attempt to get the firmware from it though.

    UPDATE:
    The file system entries for the FAT12 partition seem corrupt so it will take some time for me to manually extract the files.

    Can you attempt to do another dump?
     
    Last edited: May 26, 2018
  15. RAPTOR115X

    RAPTOR115X Spirited Member

    Whoops! I used a 32 MB memory stick (my bad) for the dump (it's the only one I had lying around). Let me acquire a larger one and I'll attempt the dump again.
     
  16. mathieulh

    mathieulh Problem Solver

    Can you run this as well?

    This should create a flash0 dump in ms0:/DOWNDATER/DUMP/ (just upload the DOWNDATER folder at the root of your memory stick).

    Extracting flash0 files one by one from the FAT12 partition in the NAND dump is rather tedious. You can run this with a 32MB memory stick.

    https://drive.google.com/open?id=1oaenypQktJ7ciDgKqjKY3sxuJlWiU7x0
     
  17. RAPTOR115X

    RAPTOR115X Spirited Member

    Okay, done!

    In the next few days when I get my hands on a bigger memory stick I'll do the full raw NAND dump again. Let me know what you find with this though.

    http://rapt0r.xyz:8081/DOWNDATER.rar
     
  18. mathieulh

    mathieulh Problem Solver

    The dump is proper. I have managed to manually install the firmware successfully onto my DTP-T1000 (see pictures below).
    The games do not ever show up; however, Updates do. Obviously this unit mounts UMD Game as opposed to UMD Video, as I have not modified the idstorage to make it behave like a true DTP-L1500 (although I could probably load a UMD Video within a UMD Game image on this firmware).

    The firmware itself seems to be the exact same kernel as the DTP-T1000 version without Development tool specific modules (no legacy modules, no sm1, no deci2p). The pspbtcnf_game file has been modified to reflect these changes even though the DTP-L1500 never runs any games at all, so technically you could just flash the DTP-T1000 kernel as-is and it would run, since all the kernel modules that run in vsh and updater modes are present. The vsh is, however, different from its development tool and retail counterparts, though I have not analyzed the changes yet.
    This is what version.txt has to say:

    DTP-L1500:

    release:1.50:
    build:436,0,7,1,0:root@psp-vsh
    system:21189@release_150,0x01050010:
    vsh:p4201@release_150,v11641@release_150,20050315:

    Retail:

    release:1.50:
    build:376,0,3,1,0:root@psp-vsh
    system:20182@release_150,0x01050001:
    vsh:p4201@release_150,v11079@release_150,20050201:

    Development Tool (DTP-T1000):

    release:1.50:
    build:416,0,5,1,0:root@psp-vsh
    system:21189@release_150,0x01050010:
    vsh:p4201@release_150,v11092@release_150,20050301:

    The unit uses its own specific IPL. It matches the revision of the devkit payload, but it is actually different!
    $LastChangedRevision: 19980 $

    (in the retail IPL payload it is $LastChangedRevision: 19196 $, but the payload itself is actually identical to the devkit one.)


    Here is a link to the extracted IPL https://drive.google.com/open?id=1ploINfGBJ0GWp7pF-2C266H1rBjMlDmf
    (located at 0x40000 in the NAND dump after stripping the spare data)

    Using the DOWNDATER folder (and the downdater app) and the provided IPL, you can flash the firmware to any unit on your own if you would like.

    00 00 00 01 00 0E 00 01 04 XX XX XX XX XX XX is the idps for the DTP-L1500 (target ID is 0x0E, I didn't know the target id for these units so that's a nice touch), the XX values are console unique data which I did not include just in case RAPTOR115X doesn't want me to.

    P.S. I'd still very much like the proper NAND dump for this :)


    [​IMG]
    [​IMG]
    [​IMG]

    I could technically craft a DTP-H1500 compatible firmware from this and flash it using an exploit but I wouldn't want to risk it since we can't enable service mode on those units.
     
    Last edited: Jun 4, 2018
    fate6 and WorldGenesis like this.
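
Added example, not part of any post in this thread and not mathieulh's tooling: a Python check for the two dump details discussed above, the expected raw size of 69,206,016 bytes versus the 32,145,408-byte upload, and the IPL location at 0x40000 once spare data is stripped. The 512-byte page with 16-byte spare layout is an assumption (it is consistent with the expected size, 131,072 × 528 bytes), and reading the target ID as the sixth IDPS byte follows the example bytes quoted in the post.

```python
# Added example. Page geometry is an ASSUMPTION: 512 data bytes + 16 spare bytes
# per page, which matches the thread's expected size (131072 * 528 = 69,206,016).
PAGE_DATA, PAGE_SPARE = 512, 16
PAGE_RAW = PAGE_DATA + PAGE_SPARE
EXPECTED_RAW_SIZE = 69_206_016   # full raw dump size quoted in the thread
IPL_OFFSET_STRIPPED = 0x40000    # IPL location after stripping spare data


def check_dump_size(size, expected=EXPECTED_RAW_SIZE):
    """Return (ok, detail) for a raw NAND dump of `size` bytes."""
    if size == expected:
        return True, "complete"
    if size > expected:
        return False, "larger than expected"
    pages, leftover = divmod(size, PAGE_RAW)
    detail = f"truncated: {pages} whole pages of {expected // PAGE_RAW}"
    if leftover:
        detail += f", last page cut after {leftover} bytes"
    return False, detail


def strip_spare(raw):
    """Remove each page's spare area; refuse a dump ending mid-page."""
    if len(raw) % PAGE_RAW:
        raise ValueError("dump does not end on a page boundary")
    return b"".join(raw[i:i + PAGE_DATA] for i in range(0, len(raw), PAGE_RAW))


def raw_offset(stripped_offset):
    """Map an offset in the spare-stripped image back into the raw dump."""
    page, within = divmod(stripped_offset, PAGE_DATA)
    return page * PAGE_RAW + within


def idps_target_id(idps_hex):
    """Read the target ID (sixth byte) from a spaced hex IDPS; XX bytes may be redacted."""
    return int(idps_hex.split()[5], 16)


if __name__ == "__main__":
    print(check_dump_size(32_145_408))            # size of the first upload
    print(hex(raw_offset(IPL_OFFSET_STRIPPED)))   # where to look in the raw file
    # Constructed two-page sample: data bytes 'A'/'B', spare bytes 0xFF.
    sample = b"A" * 512 + b"\xff" * 16 + b"B" * 512 + b"\xff" * 16
    print(len(strip_spare(sample)))
    print(hex(idps_target_id("00 00 00 01 00 0E 00 01 04 XX XX XX XX XX XX")))
```

Running the size check before any extraction attempt flags a dump that was cut short by the storage medium rather than by the dumper.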
  19. WorldGenesis

    WorldGenesis irc.worldgenesis.net

    Interesting to note that the retail 1.50 build date is way before the Dev / AV Tool dates.

    I was able to get the AV Tool firmware on a retail unit with some hackery. The nand-dump.bin is not compatible with any of the NAND tools that are out there (due to the smaller size); it did involve padding some bytes, then still trying to flash it.

    This ended up breaking some of the partition layouts, causing a registry BSOD boot loop, but the flash0 was intact enough for me to extract the firmware then flash it with just the retail 1.50 IPL :p

    (I was able to repair the layouts by doing a physical format though and get back to my original firmware.)
     
  20. mathieulh

    mathieulh Problem Solver

    @RAPTOR115X have you gotten the chance to acquire that larger memory stick by any chance? I am still interested in a full NAND dump from the DTP-L1500 :)
     