Rest assured, there will be no MMU interface. The machine is so incredibly
well-locked-down, especially the newer versions, that they must have done
that for a purpose (probably to stop pirated/cracked games from running).
All software that is going to run on the PSP is cryptographically signed
(probably also encrypted). The kernel is signed and encrypted, too. There
were some loopholes in 1.0 but nobody found any in 1.5 or later.

I'd suggest attacking the hardware to see what goes on in SDRAM. This is
going to be (relatively) expensive and (very) complex, and the result is
not guaranteed as there is some embedded DRAM inside the processors
(scary). However, if any kernel code is ever placed in external SDRAM, it
would be pretty doable to subvert it (would require stopping the CPU
accesses to the SDRAM, which we can probably do, more or less - for
instance running in a tight loop will probably place everything, including
parts of the timer IRQ, in cache, so no external accesses will be
happening). We can perform some writes to SDRAM then. I see a problem with
this method in that it requires overpowering some signals on the bus.
Alternatively, we might want to multiplex those signals although it's not
gonna be easy with DDR at 100-200 MHz (probably - the routing on PCB looks
vaguely high-speedey and there is a nice differential clock pair, so DDR
is likely, and the memory chip itself is rated 6 ns, so DDR333).

Mucking with DDR is a hell of a job, even if you have really good hardware
at your disposal. I wonder how much it would be possible to slow it down
by changing the clock oscillator (probably less than 2x, unfortunately).
Monitoring DDR333 is doable but it is not easy.

That said, I'm seriously thinking about getting myself a PSP. I've already
got some serious digital hardware...