The Difference between HEN, M33, Devhook, IPL, Pre-IPL, user, and kernel Exploits

Discussion in 'PSP Homebrew' started by Erland, Apr 24, 2009.

  1. Erland

    Erland New Member

    Please read this carefully.
    Please read this carefully.
    Please read this carefully.

    Lets answer some well meaning questions here. I don't even come to this board but due to HEN coming out and Davee being on this board i'm here...

    I keep seeing people asking some of the stupidest questions here and they need to be answered.

    Mods clean up my language as you see fit.

    I'm well known on MaxConsole and a Mod on Dark_Alex's Forum if you want my credentials.

    Lets start with

    Official firmware is the firmware or the operating system that is on your PSP that SONY has shipped with the PSP it's self or you have downloaded from them to upgrade your PSP.

    Currently the highest PSP Official Firmware is 5.50. This cannot run homebrew or ISO's without the help of an exploit.

    Custom Firmware
    Custom Firmware was given birth to by Dark_Alex. He got the inspiration from Humma Kavula's UMDEmulator and how it saved it's self from sleep mode. (The Thread that started it) I wish I can find the thread where he said it.

    Dark_Alex then went on and made a Proof of Concept 1.50 that he made with HEN built in.

    Since then he has taken every worthy version of Sony's firmware and made it custom so he added the following to them:

    4 Different ISO loaders
    Custom "new" firmware downloader
    Recovery menu
    VSH menu
    A NID translator
    Ability to change speed of CPU

    As far as I know that is all he puts into the custom firmwares. What this does is allow the following:

    Playing of Homebrew by using HEN-D
    Playing of ISO's with one of the 4 ISO Loaders: OE, M33, Sony's, Original
    Playing of Playstation 1 Games using PopsLoader.

    What is Hen and what does it do.

    HEN stands for "HomeBrew Enabler". What it does is allow the use of homebrew on Official firmware. What it does is it exploits the firmware using a kernel exploit and then runs arbitrary code to allow the use of unsigned EBOOTS. The Current version of HEN is HEN-D

    This means anybody that knows how can make a homebrew application to run on the PSP. This homebrew that is now made for this specific exploit can do anything that the PSP can do. Including an ISO loader.

    HEN it's self does not allow for the use of ISO's. It allows for the use of unsigned EBOOTs that is all.

    For someone to stop the ability to make an ISO loader for that particular version of HEN takes the ability to block calls to the whatever the ISO loader uses, which might also stop some other homebrew as well. I'm not saying it's not possible but it's normally not worth the time. However if "he's" truly against piracy then it's possible.


    Devhook is a emulator that runs on HEN. Devhook is an unsigned EBOOT.

    What Devhook does is it emulates an official firmware that adds in HEN and an ISO loader. That is all.

    Currently the newest version of Devhook is 0.6F which currently only runs on 3.10 OE and only emulates OFW's 2.71 - 3.11. It might be able to emulate up to 3.40 but that is it. Why because the encryption and the nids in 3.50 and up have changed and no one has updated DevHook to work with these changes. Currently Devhook only works on the PSP-100x's AFAIK due to there being no reason to run it since CFW came out.

    The reason Devhook has not been updated is because CFW has come out. The reason why Devhook was created is because newer firmwares would come out, as well as games. These games require the newer firmware to run. Well M33 took this requirement out so if the new game requires OFW 10 to run you can still run it on 5.00 M33-6 unless there is something that is physically in 10 that it has to have to run.

    The future of Devhook. Mathieulh has the Devhook sources and has provided them to Team C+D and the Prometheus developers on Booster's behalf, if one of them update it, it can be used on the HEN that is coming out for TA-088v3 or PSP-300x. Devhook can then be used to allow these PSP's to run the newer firmware's 5.50+ by using Devhook and still allow for ISO and HEN usage. However I doubt this will happen. Why because 5.00 M33-6 is out and I'm sure 5.50 M33 will be out soon. Also because I don't think Booster will be coming out of retirement anytime soon and I don't think anyone will get the source code.

    User Mode Exploit
    A user mode exploit is an exploit that allows for access to the PSP's firmware that is currently in RAM as well as a few choice NID's in the firmware. However it does not allow for the ability to access the hardware.

    Just because a PSP or any other firmware, game, or program doesn't function properly when you screw with it doesn't mean you have found an exploit

    Kernal Mode Exploit
    A kernel mode exploit allows for access to the hardware. Which in turn gives access to the Flash0,1,2,3. This means that a new CFW can be installed. It also means that HEN can be used to allow for the usage of unsigned EBOOTs.

    A kernel exploit allows for full access to the PSP. Without the kernel exploit HEN cannot be used.

    What the pre-ipl does is when the PSP is turned on it's the first thing that runs. It's what tells the processor where to look for the program to start loading the firmware. This is built into the PSP it's self. This cannot be updated by a firmware update. It's hard coded into the PSP it's self.

    This is the program that allows the PSP to either boot from the NAND or the Memory stick.

    Currently the PSP-100x, and PSP-200x, pre-ipl's have been exploited or cracked. The PSP-300x or TA-088v3 is using the same pre-ipl and has not been dumped to be allowed to be examined to be able to be cracked or exploited.

    The IPL is called the "Initial Program Loader" What this does is when the PSP turns on. This can be updated with a firmware update. I don't really know how much more information you need on this one so I'll leave it here until someone asks.


    I hope this clears up a lot of stuff for a lot of people.

    Please read this carefully.
  2. seanix

    seanix New Member

    Useful information.Thanks to post all these.
  3. january39

    january39 eXo Staff

    Yes, very useful. I knew most of it all ready but Devhook i have little knowledge about.

    Having read the Tiff-Hen thread here i can see why this has been posted though.

  4. Mathieulh

    Mathieulh Developer

    Why are only Alex and Booster credited here, what happened to Nem, Tyranid, and lost of other great devs ? have people forgotten them already?

    Also about devhook sources, I have them all but I am certainly not about to leak them (sorry about that). I have also distributed those to c+d/Prometheus developers on Booster's behalf, so the sources are not lost so to speak.

    Also about custom firmware (at least from 2.71SE to 3.52M33 (the later not included)) the idea had NOTHING to do with umdemulator (despite its code surviving loadexec) it was based on using the fact that 1.50 kernel did not check the elf signatures to replace vshmain (which was executed/bootstrapped by the kernel) with an elf containing our own code, this code was basically based on Devhook and executed reboot.bin allowing to (transparantly for the user) reboot to your own (hacked) kernel, (which unlike devhook, was no longer stored on ms0:/ but directly into flash0:/)

    Later on the bootstrapping of our own reboot.bin execution code was "accelerated" by using the "simple prx" exploit (as we called it inside Prometheus), basically old kernels (up to 1.52 if I recall well) allowed loading of unsigned prxs
    as long as they had no imports and were loaded after loadcore.prx but before init.prx

    Finally starting with 3.52M33, we started using our own forged IPL block to run the custom firmware which rendered the use of the devhook code and the old 1.50 kernel useless.
  5. MiKeY188

    MiKeY188 S For So Not Mature

    Tyranid was an epic PSP dev in the days :) he deserves credit just as much as the rest.
  6. Hardrive

    Hardrive Contributor

    I love reading these tidbits about early PSP development. It's interesting seeing how it was all done, especially when I was just using the exploits without understanding how they work.
  7. MiKeY188

    MiKeY188 S For So Not Mature

    I agree its really interesting to find our what & how they did things back then. Shame i wasnt really around back then :(
  8. Erland

    Erland New Member


    I know there are a lot of people who deserve credit. I however was not trying to sit here and list everyone's credentials and what they have done. They know who they are and what they have done. I am not trying to give a history of the scene just explain what the differences were between these "things". I do apologize if I have offended you or anyone else.

    It was 3 o'clock in the morning when I wrote that thing and most of it came off the top of my head not researching. I have only been in the scene since 3.10 OE so anything before it is a little fuzzy due to me not being there.

    As far as the 1.50 POC. There is a thread out there on Maxconsole I believe it's on MaxConsole, it was where Dark_AleX stated that he got the idea of 1.50 POC from Humma.Kuvula's UMDEmulator when he reversed it and the way it survived XXXXXX. I don't exactly remember what X was though. I was looking for that damn thread for 30 minutes last night to back myself up and couldn't find it but, I know it's there. Sorry.

    As far as Devhook goes I did not realize that anyone had the source code short of Booster, which you saying that Team C+D, and the Prometheus dev's however I still don't believe a new version will be out unless there is a great need for it a rises. I will correct this above.


    Hey Mathieulh,

    Sorry I got board and I don't mean to offend.

    If this makes you feel better I have put together a list of dev's and what they have done. Now This list is not complete by far. Also when It comes to Custom Firmware There is more than D_A that contributed to it, however I do not know exactly who helped. Please feel free to add or edit as needed. Everyone on this list is a known dev and has contributed in one way or another. Weather you like them or not is another subject as well as how much they contributed may be under review as well.

    However I'm sure I'm missing people and please don't get pissed if I have. There are just too many to list.



    Custom Firmware
    Despertar del Cementerio

    Dark_AleX (moonlight)

    Prometheus / Team C+D

    Adrahil (VoidPointer)
    Cswindle (Caretaker)
    Dark_AleX (Malyot)
    Fanjita (FullerMonty)
    Joek2100 (CosmicOverSoul)
    Mathieulh (WiseFellow)
    Nem (h1ckeyph0rce)
    TyRaNiD (bockscar)


    Nand Tool
    Open Source Pandora Battery Tool


    Elf Menu


    You also have:

    Chilly Willy
    Team N00bz
  9. Seth

    Seth MD Party Room

    I think everyone forgot about great old Nem otherwise know as the guy who started it all.
  10. zaza

    zaza New Member

    good use
    wonder the tiff exploit is...kernel exploit or user exploit...
    im newbie
  11. Seth

    Seth MD Party Room

    It a user exploit...
  12. Slasher

    Slasher Suck It

    The tiff exploit is a usermode exploit, but Davee has furthermore found a Kernel exploit that works with it. We have full kernel mode.
  13. NoEffex

    NoEffex Seth's On A Boat.

    What slasher said^^

    Basically, this is how it works. User mode exploits are used to trigger the kernel mode exploit.

    This means, say they have a kernel mode exploit and have had it for a while, but don't have any way to use it, because it requires unsigned code in the first place. This is how the user mode exploit comes into effect. It allows the initial unsigned code to be ran, then the kernel mode exploit is used within that and it allows kernel access, and when you have ALL of that, you have pretty much whatever access you want.

    All in all, you generally can't have HEN without one of them both.
  14. Zero

    Zero ~

    Thanks Erland for this post, it really clears things up and helps people undertsand what's going on. +rep

    Heh, I do the same thing. I love reading on how these exploits work, and how they found them. I've spent loads of time on HackMii recently for the Wii exploits.
  15. Guest

    Erland, you didn't write that much about IPL, so I will tell you.

    IPL boots the firmware (mostly the kernel). It's what "gives life" life to the PSP.

    You should read this about IPL. Really good.

  16. january39

    january39 eXo Staff

    That is good, i hope he/she finishes it. Very interesting.

    if that internal cell battery fails and all power is cut to SYSCON i am assuming that the PSP simply will not load until a 'proper' battery is inserted.

    I do know that the cell battery is responsible for remembering time & date settings etc etc and is easily replaced.

    Silverspring is very knowledgable about PSP, i would love to know more about the person silverspring. Mind you i spse so would Sony :eek:
  17. kenlc

    kenlc New Member

    very useful for newbee,thanks
  18. golemer

    golemer New Member

    to my understanding, if someone update NID referenced by devhook, does it mean devhook can work on the FW after 3.50??

    need any patch to kernel?
  19. LocutusEstBorg

    LocutusEstBorg Contributor

    Also the kernel exploit should be callable from the context of the user exploit. If you have a function X that is used for a kernel exploit, X should be reachable somehow from the user application you've exploited (either from its imports table or some other way). Just having a random kernel exploit isn't always useful.
  20. Erland

    Erland New Member

    Yes Devhook can be updated to work with even 5.55 if someone wanted to take the time to update it.

Share This Page