UmdImageCreator

sarami
Posts: 1762
Joined: Mon Jun 08, 2026 1:27 am

Re: UmdImageCreator

Post by sarami »

Edness wrote:Looks like those functions might be meant for the DVD drive present on devkits? ... IsUmdDrive returns 0 or 1 if the (unsigned) value there is less than 1 (in other words a bool on whether the value is 0 or not.)  And both functions that later call sceUmdExecGetConfigurationCmd() and  sceUmdExecReadDiscInfoCmd(), first also call sceAtaIsUmdDrive() and exit out of it, if it doesn't return 0.
As you say, if sceAtaIsUmdDrive returns 0, that is NOT UMD DRIVE, sceUmdExecReadDiscInfoCmd is called.

Code: Select all

    0x0000C794: 0x0C003FA5 '.?..' - call func sceAtaIsUmdDrive(delay)
    0x0000C798: 0x00000000 '....' - nop        
    0x0000C79C: 0x1040000E '..@.' - if($v0 == 0) goto loc_0000C7D8 (delay)

loc_0000C7D8:        ; Refs: 0x0000C79C 
    0x0000C7D8: 0x3C060393 '...<' - $a2 = 0x393 << 16
    0x0000C7DC: 0x0C0029D6 '.)..' - call func sceUmdManSetAlarm(delay)
    0x0000C7E0: 0x34C48700 '...4' - $a0 = $a2 | 0x8700
 :
 :
    0x0000C824: 0x2405000C '...$' - $a1 = 12
    0x0000C828: 0x0C001368 'h...' - call func sceUmdExecReadDiscInfoCmd(delay)
DiscImageCreator, UmdImageCreator, Conv2multiBin, bin2wav, PS3Auth (needs login), [url=http://www.mediafire.com/file/5cgoy11x6ahc7qh/%2523recompressTo7z_20150109.bat/file]recompressTo7z_20150109.bat[/url]
Edness
Posts: 380
Joined: Mon Jun 08, 2026 1:29 am

Re: UmdImageCreator

Post by Edness »

Yeah, this would also probably explain why those two SCSI-like functions seem to either be removed or never referenced in newer PSP FW umdman.prx.
sarami
Posts: 1762
Joined: Mon Jun 08, 2026 1:27 am

Re: UmdImageCreator

Post by sarami »

@Edness
Do you know what data is outputted by sceUmdExecMechaStatCmd? This func is called by umd9660.prx. https://github.com/saramibreak/UmdImage … asm352.txt

I think it's Mechanical Status of Mode Sense (5Ah) or Mechanism Status (BDh).

Code: Select all

    unsigned char bufMecha[16] = {};

    res = _sceUmdExecMechaStatCmd(pUmdDrive, 16, bufMecha);
    if (res < 0) {
        OutputPspError("_sceUmdExecMechaStatCmd", 0, res);
        sceKernelDelayThread(5 * 1000000);
    }
    else {
        uid = sceIoOpen("ms0:/_sceUmdExecMechaStatCmd.bin", PSP_O_CREAT | PSP_O_TRUNC | PSP_O_WRONLY, 0777);
        sceIoWrite(uid, bufMecha, sizeof(bufMecha));
        sceIoClose(uid);
        pspPrintf("_sceUmdExecMechaStatCmd.bin is generated\n");
    }
LocoRoco https://redump.info/disc/33078/

Code: Select all

 00 00 00 00 00 01 00 04 80 00 00 00 27 09 27 09
Jigen Kairou https://redump.info/disc/54489/
Changed the buf size to 30.

Code: Select all

 00 00 00 00 00 01 00 04 80 00 00 00 37 02 37 02
 37 02 37 02 37 02 37 02 37 02 37 02 37 02
Dissidia 012: Duodecim Final Fantasy https://redump.info/disc/25036/
Changed the buf size to 106.

Code: Select all

 00 00 0D 2C AF 01 00 04 80 00 00 00 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9 22 D9
 22 D9 22 D9 22 D9 22 D9 22 D9
It seems the correct buf size is 14.
Edness
Posts: 380
Joined: Mon Jun 08, 2026 1:29 am

Re: UmdImageCreator

Post by Edness »

It sends the command 0xBD, so your 2nd assumption is correct.  umd9660.prx seems to set the 2nd argument to 16, but I agree with the visible padding data that it's likely meant to be 14.  They probably just set it bigger just to be safe from accidentally truncating data.

I noticed there's sceUmdExecReadUMDStructureCmd() here too, and here it actually does set the write size at 0x08 of the buffer to 0x800, which makes it kinda interesting that it crashed when you tried that size.  Although here it doesn't create the 2nd buffer on the stack, it seems to be likely pre-allocated in another function that would call this one with a pointer to it, but the preceding function doesn't exist anymore in FW 3.52.
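The 0xBD response dumped earlier in the thread, decoded field by field as an added example (not code from UmdImageCreator or from either poster). It assumes the UMD drive returns the standard MMC Mechanism Status layout, an 8-byte header followed by 4-byte slot table entries; the struct and function names are hypothetical, and the sample bytes are the first 16 bytes of the LocoRoco and Dissidia dumps above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 16 bytes of two dumps posted in this thread. */
static const uint8_t LOCOROCO[16] = {0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x04,
                                     0x80,0x00,0x00,0x00,0x27,0x09,0x27,0x09};
static const uint8_t DISSIDIA[16] = {0x00,0x00,0x0D,0x2C,0xAF,0x01,0x00,0x04,
                                     0x80,0x00,0x00,0x00,0x22,0xD9,0x22,0xD9};

/* Fields of the MMC Mechanism Status response (layout is an assumption here). */
typedef struct {
    int      fault;           /* byte 0, bit 7 */
    unsigned changer_state;   /* byte 0, bits 6-5 */
    unsigned mech_state;      /* byte 1, bits 7-5 */
    int      door_open;       /* byte 1, bit 4 */
    uint32_t current_lba;     /* bytes 2-4, big-endian */
    unsigned slots;           /* byte 5, bits 5-0 */
    unsigned slot_table_len;  /* bytes 6-7, big-endian */
    int      disc_present;    /* first slot entry, byte 0 bit 7 */
    size_t   declared_len;    /* 8 + slot_table_len */
    size_t   filler_period;   /* period of the bytes after declared_len, 0 = none */
} mecha_status;

/* Smallest period (1..4) with which the n tail bytes repeat, or 0 if they
 * do not repeat or are too few to tell. */
static size_t tail_period(const uint8_t *p, size_t n)
{
    for (size_t period = 1; period <= 4; period++) {
        if (n < 2 * period) break;
        size_t i = period;
        while (i < n && p[i] == p[i - period]) i++;
        if (i == n) return period;
    }
    return 0;
}

/* Returns 0 on success, -1 if the header itself is incomplete, -2 if the
 * header is readable but the buffer is shorter than the length it declares
 * (the caller asked for too few bytes). */
int parse_mecha_status(const uint8_t *buf, size_t len, mecha_status *out)
{
    if (len < 8) return -1;
    out->fault          = buf[0] >> 7;
    out->changer_state  = (buf[0] >> 5) & 3;
    out->mech_state     = buf[1] >> 5;
    out->door_open      = (buf[1] >> 4) & 1;
    out->current_lba    = (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 8 | buf[4];
    out->slots          = buf[5] & 0x3F;
    out->slot_table_len = (unsigned)buf[6] << 8 | buf[7];
    out->declared_len   = 8 + (size_t)out->slot_table_len;
    out->disc_present   = 0;
    out->filler_period  = 0;
    if (out->declared_len > len) return -2;
    if (out->slot_table_len >= 4) out->disc_present = buf[8] >> 7;
    out->filler_period = tail_period(buf + out->declared_len,
                                     len - out->declared_len);
    return 0;
}

int main(void)
{
    const uint8_t *dumps[] = {LOCOROCO, DISSIDIA};
    for (int i = 0; i < 2; i++) {
        mecha_status m;
        if (parse_mecha_status(dumps[i], 16, &m) != 0) continue;
        printf("slots=%u table_len=%u disc_present=%d lba=0x%06X "
               "declared=%zu filler_period=%zu\n",
               m.slots, m.slot_table_len, m.disc_present,
               (unsigned)m.current_lba, m.declared_len, m.filler_period);
    }
    return 0;
}
```

Under that assumption both dumps declare 8 + 4 = 12 bytes, and everything from offset 12 onward is a repeating two-byte pattern.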
sarami
Posts: 1762
Joined: Mon Jun 08, 2026 1:27 am

Re: UmdImageCreator

Post by sarami »

Edness wrote:It sends the command 0xBD, so your 2nd assumption is correct.  umd9660.prx seems to set the 2nd argument to 16, but I agree with the visible padding data that it's likely meant to be 14.  They probably just set it bigger just to be safe from accidentally truncating data.
Thank you.
Edness wrote:I noticed there's sceUmdExecReadUMDStructureCmd() here too.
I changed the code and confirmed that it does not crash.

Code: Select all

    unsigned char bufStruct[2064] = {};
    bufStruct[9] = 8;
    res = _sceUmdExecReadUMDStructureCmd(pUmdDrive, bufStruct, &bufStruct[16]);
    if (res < 0) {
        OutputPspError("_sceUmdExecReadUMDStructureCmd", 0, res);
        sceKernelDelayThread(5 * 1000000);
    }
    else {
        uid = sceIoOpen("ms0:/_sceUmdExecReadUMDStructureCmd.bin", PSP_O_CREAT | PSP_O_TRUNC | PSP_O_WRONLY, 0777);
        sceIoWrite(uid, bufStruct, sizeof(bufStruct));
        sceIoClose(uid);
        pspPrintf("_sceUmdExecReadUMDStructureCmd.bin is generated\n");
    }
Dissidia 012: Duodecim Final Fantasy

Code: Select all

 00 00 00 00 00 00 00 00 FC 07 00 00 00 00 00 00
 08 00 00 00 80 00 31 E0 00 03 00 00 00 FC AB 2F
 00 09 C0 BF 00 01 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 :
 :
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Edness
Posts: 380
Joined: Mon Jun 08, 2026 1:29 am

Re: UmdImageCreator

Post by Edness »

Nice.  Out of curiosity, is the PFI data dumping currently only limited to FW 3.52 (or rather any FW below 3.70 where NIDs weren't randomized?)  Because eventually I would like to dump that data from my UMDs too just for safekeeping.  (Although since the disc format info is now known, I could just fake generate it myself...)

If that's the case, is knowing the NID enough to make it possible on newer firmwares?  This did motivate me to look a bit deeper into how PSP FW stuff works.  For example, in FW 6.60 and 6.61, sceUmdExecReadUMDStructureCmd() should use the NID 0x406E8F99 if my understanding is correct.

Otherwise, if it was possible to do on any FW regardless, or if it needs more than just the NID, then ignore the above, haha.
Last edited by Edness on Mon Oct 02, 2023 6:01 am, edited 1 time in total.
sarami
Posts: 1762
Joined: Mon Jun 08, 2026 1:27 am

Re: UmdImageCreator

Post by sarami »

Edness wrote:is the PFI data dumping currently only limited to FW 3.52 (or rather any FW below 3.70 where NIDs weren't randomized?)
Unfortunately yes.
Edness wrote:in FW 6.60 and 6.61, sceUmdExecReadUMDStructureCmd() should use the NID 0x406E8F99 if my understanding is correct.
NID is correct but the correct function name is sceUmdExecReadUMDStructureCmd + 128 bits string.
https://uofw.github.io/upspd/docs/Silve … index.html
These new nids are not actually “random” but instead, they now append a new 128bit “randomising key” to the end of each string before the SHA1 hash is calculated. A 128bit value is almost impossible to bruteforce practically so these new nids cannot be cracked anymore.
For this reason, we cannot know the real function name. If quantum computers reach a practical level, they may solve the problem.
Edness
Posts: 380
Joined: Mon Jun 08, 2026 1:29 am

Re: UmdImageCreator

Post by Edness »

Yeah, I already read about the 128-bit addition for NID randomizing before, but in theory if just the NIDs were known across the 3.70+ FWs, would that also work for UmdImageCreator to dump the PFI?  Or do you specifically need the full name too?  Since the SCSI command is known to be 0xAD, it should be possible to search backwards.

I just wrote a proof of concept script that can do exactly that.

Edit 1: Just scanned and retrieved all ReadUMDStructure NIDs from firmwares 3.70-6.61 out of interest.  This likely can work for other SCSI-like functions here too.  But now the bigger question is - is it possible to easily get the current firmware number via software, or is that also behind a NID hashed function?  (If it is possible, what format does it normally return?  BCD?  String?)

Edit 2: Well, I generated something.  I can at least confirm the accuracy of my script for <3.70 and 6.60, so anything in-between is (probably) correct too.  sceUmdExecReqSenseCmd() and sceUmdExecInquiryCmd() seem to actually never change their NIDs on any firmware, and always remain as 0x2CBE959B and 0x1B19A313 respectively.  sceUmdManGetUmdDrive() also seems to always remain as 0x47E2B6D8.

If this is of any use to you - great!  If not - it was a fun experiment for me, at least.  Do note that not every function exists in every firmware revision, but I did confirm the asm portion of all these firmware revision groups are identical.  Seems like the NIDs only change if the asm is different - could be the random 128-bit addition is some form of a hash of the asm data.  (Unlikely)

Code: Select all

    // the PRX modules store each FW digit as its own byte
    // e.g. FW 3.71 = 0x03070110 at 0x010F50 in umdman.prx
    // so here it's converted to a short BCD value, 0x371
    // fw >> 8 & 0xF | fw >> 12 & 0xF0 | fw >> 16 & 0xF00

    short firmware = 0x660;

    unsigned int sceUmdExecReqSenseCmd = 0x2CBE959B; // 0x03
    unsigned int sceUmdExecInquiryCmd  = 0x1B19A313; // 0x12
    unsigned int sceUmdExecStartStopUnitCmd     = 0; // 0x1B
    unsigned int sceUmdExecPreventAllowMediaCmd = 0; // 0x1E
    unsigned int sceUmdExecRead10Cmd            = 0; // 0x28
    unsigned int sceUmdExecSeekCmd              = 0; // 0x2B
    unsigned int sceUmdExecPrefetch10Cmd        = 0; // 0x34
    unsigned int sceUmdExecGetConfigurationCmd  = 0; // 0x46
    unsigned int sceUmdExecGetEventStatusCmd    = 0; // 0x4A
    unsigned int sceUmdExecReadDiscInfoCmd      = 0; // 0x51
    unsigned int sceUmdExecModSelectCmd         = 0; // 0x55
    unsigned int sceUmdExecModSenseCmd          = 0; // 0x5A
    unsigned int sceUmdExecReadUMDStructureCmd  = 0; // 0xAD
    unsigned int sceUmdExecMechaStatCmd         = 0; // 0xBD
    unsigned int sceUmdExecAllocateFromReadCmd  = 0; // 0xF0
    unsigned int sceUmdExecReadMKICmd           = 0; // 0xF1
    unsigned int sceUmdExecReportCacheCmd       = 0; // 0xF2
    unsigned int sceUmdExecClearCacheInfoCmd    = 0; // 0xF3
    unsigned int sceUmdExecGetMediaInfoCmd      = 0; // 0xF4
    unsigned int sceUmdExecSetAccessLimitCmd    = 0; // 0xF6
    unsigned int sceUmdExecSetLockLengthCmd     = 0; // 0xF7
    unsigned int sceUmdExecSetAreaLimitCmd      = 0; // 0xF8
    unsigned int sceUmdExecReadCapacityCmd      = 0; // Any?

    if (firmware < 0x370) {
        // FW 1.00 - 3.60
        sceUmdExecStartStopUnitCmd     = 0xE3F448E0; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0x2A08FE9A; // 0x1E
        sceUmdExecRead10Cmd            = 0x1B1BF9FD; // 0x28
        sceUmdExecSeekCmd              = 0x250E6975; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x18DE1880; // 0x34
        sceUmdExecGetConfigurationCmd  = 0xC25D7212; // 0x46
        sceUmdExecGetEventStatusCmd    = 0x65E1B97E; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xD7A2F4A2; // 0x51
        sceUmdExecModSelectCmd         = 0xCEE55E3E; // 0x55
        sceUmdExecModSenseCmd          = 0x2A39569B; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x3D44BABF; // 0xAD
        sceUmdExecMechaStatCmd         = 0xE5B7EDC5; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0x68577709; // 0xF0
        sceUmdExecReadMKICmd           = 0xF819E17C; // 0xF1
        sceUmdExecReportCacheCmd       = 0x98345381; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0x73E49F8F; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x108B2322; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0x7094E3A7; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0xD31DAD7E; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x61C32A52; // 0xF8
        sceUmdExecReadCapacityCmd      = 0x5AA96415; // Any?
    }
    else if (firmware < 0x380) {
        // FW 3.70, 3.71, 3.72, 3.73
        sceUmdExecStartStopUnitCmd     = 0xD4132E08; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0xB629961F; // 0x1E
        sceUmdExecRead10Cmd            = 0x9E7564BC; // 0x28
        sceUmdExecSeekCmd              = 0xE8A768B5; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x9E722740; // 0x34
        sceUmdExecGetConfigurationCmd  = 0x607BF8CA; // 0x46
        sceUmdExecGetEventStatusCmd    = 0x84F3759A; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0x466839B7; // 0x51
        sceUmdExecModSelectCmd         = 0xDDB308E9; // 0x55
        sceUmdExecModSenseCmd          = 0x200810E8; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x3D94D00C; // 0xAD
        sceUmdExecMechaStatCmd         = 0x6CEDA538; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0x9EE39B6A; // 0xF0
        sceUmdExecReadMKICmd           = 0xB157769B; // 0xF1
        sceUmdExecReportCacheCmd       = 0x9D9848F2; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0x0933B6FB; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x92E6E273; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0xD5CC2085; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0xB865CC4C; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x928C1752; // 0xF8
        sceUmdExecReadCapacityCmd      = 0x5CD9ACF5; // Any?
    }
    else if (firmware < 0x395) {
        // FW 3.80, 3.90, 3.93
        sceUmdExecStartStopUnitCmd     = 0x62506AA0; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0x1B70C53F; // 0x1E
        sceUmdExecRead10Cmd            = 0x33072B62; // 0x28
        sceUmdExecSeekCmd              = 0x818506C1; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x8AF305CC; // 0x34
        sceUmdExecGetConfigurationCmd  = 0x3809B921; // 0x46
        sceUmdExecGetEventStatusCmd    = 0x5F37BD96; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0x3BF9BE3E; // 0x51
        sceUmdExecModSelectCmd         = 0xB6BCF945; // 0x55
        sceUmdExecModSenseCmd          = 0x05CF9760; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x2A12BF44; // 0xAD
        sceUmdExecMechaStatCmd         = 0xD1FFD521; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0xCEBDE68B; // 0xF0
        sceUmdExecReadMKICmd           = 0x350EEA2B; // 0xF1
        sceUmdExecReportCacheCmd       = 0xE7D62A27; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0xECAF10D9; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x81C55E67; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0x90746ECA; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0xC945EE7E; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0xB9A0113D; // 0xF8
        sceUmdExecReadCapacityCmd      = 0x62473046; // Any?
    }
    else if (firmware < 0x420) {
        // FW 3.95, 3.96, 4.00, 4.01, 4.05
        sceUmdExecStartStopUnitCmd     = 0x57436030; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0x9DAD4CC0; // 0x1E
        sceUmdExecRead10Cmd            = 0x74F29ED7; // 0x28
        sceUmdExecSeekCmd              = 0x14EAAA28; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x9ABD6DE1; // 0x34
        sceUmdExecGetConfigurationCmd  = 0xFE0D2641; // 0x46
        sceUmdExecGetEventStatusCmd    = 0xF8912660; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0x67D4D414; // 0x51
        sceUmdExecModSelectCmd         = 0xE90AEA97; // 0x55
        sceUmdExecModSenseCmd          = 0xCA2EA0FF; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x12BA4DDE; // 0xAD
        sceUmdExecMechaStatCmd         = 0x0925EE00; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0xD01B4969; // 0xF0
        sceUmdExecReadMKICmd           = 0x43FD7090; // 0xF1
        sceUmdExecReportCacheCmd       = 0x529635A7; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0x01B1AA7E; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x4461C19E; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0x3E6B9E50; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0xADA614C2; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x376BFD4F; // 0xF8
        sceUmdExecReadCapacityCmd      = 0x965D8417; // Any?
    }
    else if (firmware < 0x500) {
        // FW 4.20, 4.21
        sceUmdExecStartStopUnitCmd     = 0x0EE48C15; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0xBDE7298B; // 0x1E
        sceUmdExecRead10Cmd            = 0xEC3FDCEF; // 0x28
        sceUmdExecSeekCmd              = 0x9E2FB7DF; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x4F2B52DC; // 0x34
        sceUmdExecGetConfigurationCmd  = 0x251AD684; // 0x46
        sceUmdExecGetEventStatusCmd    = 0xA17129C2; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xB7CE4D74; // 0x51
        sceUmdExecModSelectCmd         = 0x2E730DEF; // 0x55
        sceUmdExecModSenseCmd          = 0x9430AFEF; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0xE006F0E9; // 0xAD
        sceUmdExecMechaStatCmd         = 0xBE559B33; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0x7A2B484B; // 0xF0
        sceUmdExecReadMKICmd           = 0xF9BBA21C; // 0xF1
        sceUmdExecReportCacheCmd       = 0x05FE3D00; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0xB88C1DF1; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x361B88FE; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0xCDB02062; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0x1BDFD70C; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x531937DB; // 0xF8
        sceUmdExecReadCapacityCmd      = 0xB24480CB; // Any?
    }
    else if (firmware < 0x570) {
        // FW 5.00, 5.01, 5.02, 5.03, 5.05, 5.50, 5.51, 5.55
        sceUmdExecStartStopUnitCmd     = 0x1B2B8759; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0x66B4CC78; // 0x1E
        sceUmdExecRead10Cmd            = 0x98D75CC0; // 0x28
        sceUmdExecSeekCmd              = 0xAEC4DA2C; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x1BE0124C; // 0x34
        sceUmdExecGetConfigurationCmd  = 0x19BCD653; // 0x46
        sceUmdExecGetEventStatusCmd    = 0xF2B1A490; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xBD102376; // 0x51
        sceUmdExecModSelectCmd         = 0x9FC2FD97; // 0x55
        sceUmdExecModSenseCmd          = 0x585F1728; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0xD4E51A75; // 0xAD
        sceUmdExecMechaStatCmd         = 0x8BDE7034; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0x32D89DA4; // 0xF0
        sceUmdExecReadMKICmd           = 0xF9C66D4A; // 0xF1
        sceUmdExecReportCacheCmd       = 0x7065FD6E; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0x1F0338FE; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0xBDF4842D; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0xFCA1A098; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0xC7D14FBE; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x16588BAA; // 0xF8
        sceUmdExecReadCapacityCmd      = 0xDD017FFE; // Any?
    }
    else if (firmware < 0x600) {
        // FW 5.70
        sceUmdExecStartStopUnitCmd     = 0x89AA72CD; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0xB6BE48A4; // 0x1E
        sceUmdExecRead10Cmd            = 0x6C0C6E60; // 0x28
        sceUmdExecSeekCmd              = 0x8AAE6940; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0xB7089372; // 0x34
        sceUmdExecGetConfigurationCmd  = 0x62212597; // 0x46
        sceUmdExecGetEventStatusCmd    = 0x5361EBAF; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xF4B80F3C; // 0x51
        sceUmdExecModSelectCmd         = 0xFA124BD3; // 0x55
        sceUmdExecModSenseCmd          = 0xA50AD929; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x0D3372E8; // 0xAD
        sceUmdExecMechaStatCmd         = 0x8322DB90; // 0xBD
        sceUmdExecAllocateFromReadCmd  = 0xE2234907; // 0xF0
        sceUmdExecReadMKICmd           = 0x2DC746B5; // 0xF1
        sceUmdExecReportCacheCmd       = 0xE590AD02; // 0xF2
        sceUmdExecClearCacheInfoCmd    = 0x3C0ACB0D; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x468AC548; // 0xF4
        sceUmdExecSetAccessLimitCmd    = 0xA78D71C3; // 0xF6
        sceUmdExecSetLockLengthCmd     = 0x6236483E; // 0xF7
        sceUmdExecSetAreaLimitCmd      = 0x57BD4866; // 0xF8
        sceUmdExecReadCapacityCmd      = 0xBBEA87FB; // Any?
    }
    else if (firmware < 0x630) {
        // FW 6.00, 6.10, 6.20
        sceUmdExecStartStopUnitCmd     = 0x5CF0DFAC; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0xCDA8E394; // 0x1E
        sceUmdExecRead10Cmd            = 0x319C9905; // 0x28
        sceUmdExecSeekCmd              = 0x849A4325; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0x65FD0561; // 0x34
        sceUmdExecGetEventStatusCmd    = 0x48D85CEE; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xB87FA807; // 0x51
        sceUmdExecModSelectCmd         = 0x6B92F9E8; // 0x55
        sceUmdExecModSenseCmd          = 0x57E17255; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x806D66A7; // 0xAD
        sceUmdExecAllocateFromReadCmd  = 0xC54D7B8F; // 0xF0
        sceUmdExecReadMKICmd           = 0xD047DEBC; // 0xF1
        sceUmdExecClearCacheInfoCmd    = 0x04E5EFFA; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0xE2BAAD9C; // 0xF4
        sceUmdExecSetLockLengthCmd     = 0xBFDA8AC7; // 0xF7
        sceUmdExecReadCapacityCmd      = 0x2B79C006; // Any?
    }
    else if (firmware < 0x650) {
        // FW 6.30, 6.31, 6.35, 6.36, 6.37, 6.38, 6.39
        sceUmdExecStartStopUnitCmd     = 0x7B9C43C9; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0xC9509423; // 0x1E
        sceUmdExecRead10Cmd            = 0x5B0F6FC6; // 0x28
        sceUmdExecSeekCmd              = 0x64AEDFB3; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0xAE3F99E2; // 0x34
        sceUmdExecGetEventStatusCmd    = 0x5D7C8F9E; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0x717EF202; // 0x51
        sceUmdExecModSelectCmd         = 0x047BCEA0; // 0x55
        sceUmdExecModSenseCmd          = 0x03DE43F5; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x05C33243; // 0xAD
        sceUmdExecAllocateFromReadCmd  = 0xC447F257; // 0xF0
        sceUmdExecReadMKICmd           = 0x01EA806F; // 0xF1
        sceUmdExecClearCacheInfoCmd    = 0x87070DC7; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x8F628DAF; // 0xF4
        sceUmdExecSetLockLengthCmd     = 0xFC40080F; // 0xF7
        sceUmdExecReadCapacityCmd      = 0x5802953B; // Any?
    }
    //else if (firmware < 0x660) {} // FW 6.50 (UNRELEASED)
    else {
        // FW 6.60, 6.61
        sceUmdExecStartStopUnitCmd     = 0x5219AF31; // 0x1B
        sceUmdExecPreventAllowMediaCmd = 0x5AC94A3C; // 0x1E
        sceUmdExecRead10Cmd            = 0xE3716915; // 0x28
        sceUmdExecSeekCmd              = 0xB01F65CE; // 0x2B
        sceUmdExecPrefetch10Cmd        = 0xC615D6C9; // 0x34
        sceUmdExecGetEventStatusCmd    = 0xBD974D70; // 0x4A
        sceUmdExecReadDiscInfoCmd      = 0xF861E69B; // 0x51
        sceUmdExecModSelectCmd         = 0x2C5F9A65; // 0x55
        sceUmdExecModSenseCmd          = 0xEB0841CE; // 0x5A
        sceUmdExecReadUMDStructureCmd  = 0x406E8F99; // 0xAD
        sceUmdExecAllocateFromReadCmd  = 0x8DA33BBD; // 0xF0
        sceUmdExecReadMKICmd           = 0x6D17FD57; // 0xF1
        sceUmdExecClearCacheInfoCmd    = 0x77E81350; // 0xF3
        sceUmdExecGetMediaInfoCmd      = 0x27C1869A; // 0xF4
        sceUmdExecSetLockLengthCmd     = 0xEEBF3121; // 0xF7
        sceUmdExecReadCapacityCmd      = 0xCC40BED8; // Any?
    }
Last edited by Edness on Thu Oct 05, 2023 7:17 am, edited 1 time in total.
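The NID scheme quoted earlier in the thread (SHA-1 of the export name, with a 128-bit key appended since FW 3.70), as an added example that is not code from either poster or from UmdImageCreator. Taking the first four digest bytes as a little-endian word is the usual PSP convention and is an assumption here, since the thread does not state it; `psp_nid`, `resolve_nid` and `DEMO_KEY` are hypothetical names, and the key is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 128-bit placeholder; the real per-firmware keys are unknown. */
static const uint8_t DEMO_KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* SHA-1 (FIPS 180-4) of msg[0..len); padding is generated on the fly. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    uint64_t bits = (uint64_t)len * 8;
    size_t total = ((len + 8) / 64 + 1) * 64;        /* length after padding */

    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80];
        for (int i = 0; i < 16; i++) {               /* load one big-endian word */
            w[i] = 0;
            for (int j = 0; j < 4; j++) {
                size_t pos = off + 4 * (size_t)i + (size_t)j;
                uint8_t byte = 0;
                if (pos < len)             byte = msg[pos];
                else if (pos == len)       byte = 0x80;
                else if (pos >= total - 8) byte = (uint8_t)(bits >> (8 * (total - 1 - pos)));
                w[i] = (w[i] << 8) | byte;
            }
        }
        for (int i = 16; i < 80; i++)
            w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);

        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (int i = 0; i < 20; i++)
        out[i] = (uint8_t)(h[i / 4] >> (8 * (3 - i % 4)));
}

/* NID = first 4 bytes of SHA-1(name || key), read little-endian.
 * key_len == 0 gives the unsalted form; 16 gives the salted form. */
uint32_t psp_nid(const char *name, const uint8_t *key, size_t key_len)
{
    uint8_t buf[128], d[20];
    size_t n = strlen(name);
    if (n + key_len > sizeof buf) return 0;
    memcpy(buf, name, n);
    if (key_len) memcpy(buf + n, key, key_len);
    sha1(buf, n + key_len, d);
    return (uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
}

/* Wordlist lookup: only works for NIDs hashed without the appended key. */
const char *resolve_nid(uint32_t nid, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (psp_nid(names[i], NULL, 0) == nid) return names[i];
    return NULL;
}

int main(void)
{
    /* Names and NID taken from the table above. */
    static const char *const names[] = {"sceUmdExecInquiryCmd", "sceUmdExecReqSenseCmd"};
    const char *hit = resolve_nid(0x2CBE959Bu, names, 2);
    printf("0x2CBE959B -> %s\n", hit ? hit : "(no unsalted match)");
    printf("%s with placeholder key -> 0x%08X\n", names[1],
           (unsigned)psp_nid(names[1], DEMO_KEY, sizeof DEMO_KEY));
    return 0;
}
```

A candidate name can be checked against an unsalted NID in one hash, whereas a salted NID gives nothing to test a name against unless the 16 key bytes are also known.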
sarami
Posts: 1762
Joined: Mon Jun 08, 2026 1:27 am

Re: UmdImageCreator

Post by sarami »

Edness wrote:but in theory if just the NIDs were known across the 3.70+ FWs, would that also work for UmdImageCreator to dump the PFI?  Or do you specifically need the full name too?
I assumed I needed a real function name, but it turned out that's not true. I confirmed that PFI can be dumped by 0x406E8F99.
Other functions have also already been analyzed by comparing the asm of 3.52 (Only 6.61).
https://github.com/saramibreak/UmdImage … alysis.txt
Edness wrote:Edit 2
Thanks. Mostly as expected in relation to the opcode. I'm especially interested in sceUmdExecReadMKICmd. What is MKI? It's Media Key Identifier? Media Key Info???
Edness
Posts: 380
Joined: Mon Jun 08, 2026 1:29 am

Re: UmdImageCreator

Post by Edness »

The ReadMKI function itself seems pretty large, and the preceding functions that call it are a bit all over the place too.  It seems to take values from 2 functions above, the 1st of which calls the lower function that contains the ReadMKI call with (UMD drive, 0, 8, 0)

A 5 byte buffer is created on the stack, arg1 and arg2 being stored as int16s at 0x00 and 0x02, and arg3 as an int8 to 0x04.
If I am reading it correctly, you can just write 0x08 at buffer[0x2] and that's it.

sceUmdExecReadMKICmd() is called with 4 arguments:
  • $a0 - UMD drive (as always)
  • $a1 - Pointer to the buffer
  • $a2 - Number 8 (from buffer[0x2])
  • $a3 - Number 448 (0x1C0)
Overall, I would say this is it, if it weren't for some unusual calls between the buffer creation and the actual ReadMKI call.  It calls memset(0x1C0, 0x00, 0x8000) - I'm not sure if 0x1C0 is a valid address.
And right after that, it calls sceKernelDcacheInvalidateRange(0x1C0, 0x4000), (the 2nd arg being 8 (from arg2) << 11 = 0x4000), implying the address 0x1C0 is somewhere in the CPU data cache region?  No idea.
Does that also mean it expects you to get the output back from d-cache too?
Last edited by Edness on Wed Oct 04, 2023 3:23 am, edited 1 time in total.