Rest assured, there will be no MMU interface. The machine is so incredibly well-locked-down, especially the newer versions, that they must have done that for a purpose (probably to stop pirated/cracked games from running). All software that is going to run on the PSP is cryptographically signed (probably also encrypted). The kernel is signed and encrypted, too. There were some loopholes in 1.0 but nobody found any in 1.5 or later. I'd suggest attacking the hardware to see what goes on in SDRAM. This is going to be (relatively) expensive and (very) complex, and the result is not guaranteed as there is some embedded DRAM inside the processors (scary). However, if any kernel code is ever placed in external SDRAM, it would be pretty doable to subvert it (would require stopping the CPU accesses to the SDRAM, which we can probably do, more or less - for instance running in a tight loop will probably place everything, including parts of the timer IRQ, in cache, so no external accesses will be happening). We can perform some writes to SDRAM then. I see a problem with this method that it requires overpowering some signals on the bus. Alternatively, we might want to multiplex those signals although it's not gonna be easy with DDR at 100-200 MHz (probably - the routing on PCB looks vaguely high-speedey and there is a nice differential clock pair, so DDR is likely, and the memory chip itself is rated 6 ns, so DDR333). Mucking with DDR is a hell of a job, even if you have really good hardware at your disposal. I wonder how much would it be possible to slow it down by changing the clock oscillator (probably less than 2x, unfortunately). Monitoring DDR333 is doable but it is not easy. That said, I'm seriously thinking about getting myself a PSP. I've already got some serious digital hardware... Hmmm. Stanislaw
