How does a Homebrew Enabler work?

I believe everybody who visits this blog at least knows what a homebrew is, and knows that the only way to launch certain homebrews on their PSP is to use a Homebrew Enabler (HEN). So, what exactly is a HEN? Most of you will probably answer "a homebrew that allows me to launch other homebrews". Correct, but how does it work exactly? It may look like black magic, but it isn't; in fact, most of the time spent coding a HEN goes into updating patches, since a big part of the mechanism is pretty much always the same. To understand how a homebrew enabler works, we have to split it into three parts: the exploit, the payload, and systemctrl.

– Part 0 – Modules? –

To understand this, you first need to understand what a module is. A module is basically an executable. The PSP system is made up of a lot of modules, each of which accomplishes a different task. A module can run at three different levels: user, vsh and kernel.

User level is the level of homebrews; it can't do anything special, just normal tasks. Vsh level (also known as updater mode) is the level of the VSH (you don't say?); it is like user level, but with some "extra" permissions: it can load modules and reassign the flash partitions for writing. Kernel level is the highest; it has no limits, and a module running in kernel mode can do anything.

With HBL we can load homebrews that run only at user level, while a HEN allows you to run executables that require any permission level. All official modules are signed. You may know that we can "sign" user-mode homebrews (it's a dirty trick, but it works great; props to the guys who figured this out!), but the system checks the signatures of all executables, kernel modules especially, and if one isn't valid the system refuses to execute it. That's exactly what a HEN does: it modifies the system so that our executables look "valid" even though they're not signed.

– Part 1 – The Exploit –

Let's say you're a hacker and you have found a kernel exploit (I assume you already know what a kernel exploit is; in case you don't, here is a brief explanation: it's a vulnerability in the PSP kernel that allows you to execute code with kernel permissions, a.k.a. you can do whatever you want in the system) and you can run your own code (a homebrew). This is all you need to start working on a Homebrew Enabler.

The first thing a HEN does is acquire kernel permissions with the kernel exploit. Once you have kernel permissions you can write to kernel memory (the protected part of RAM where the "important stuff" lives).

What exactly do we want to write to kernel memory, and why? We want to write a few "patches" to LoadExec. LoadExec is the part of the system responsible for many important tasks, like launching executables; it is also responsible for exiting an application. The process of exiting and executing an application is pretty simple:

  1. LoadExec is told to execute/exit from an application
  2. LoadExec loads into memory a raw binary executable called "reboot.bin" and jumps to it, leaving all control to reboot (if it's told to launch an application, it loads that application into memory first)
  3. reboot.bin parses a file called pspbtcnf, which contains a list of modules that need to be loaded
  4. All the modules in the list are loaded, then reboot gives control back to the system

– Part 2 – The Payload –

Why is this so important to us? Well, to keep our HEN alive in memory, we have to hijack this simple process. After patching LoadExec in memory, this is what the process looks like:

  1. LoadExec is told to execute/exit from an application
  2. LoadExec loads TWO raw binaries into memory, "reboot.bin" and "rebootex" (which is injected by us), and jumps to rebootex
  3. Rebootex injects an entry for a module called "systemctrl" (the core of our HEN) into pspbtcnf and patches reboot to allow loading of our unsigned module, then it jumps to reboot
  4. reboot.bin parses pspbtcnf and loads all the modules, including our systemctrl, then gives control back to the system

What is rebootex? Rebootex is our payload: nothing more than a raw binary that needs to accomplish two simple tasks: inject an entry into pspbtcnf that points to our systemctrl, and patch the system so that it loads systemctrl even though it's not signed.

– Part 3 – Systemctrl –

Systemctrl, finally, is the core of a Homebrew Enabler. It's a module that is always running in kernel mode (as long as the HEN is loaded, of course) and does a lot of different things: it takes care of the vshmenu, allows you to load plugins, and much more, but most importantly: it patches the system.

More patches? Yes, more patches: systemctrl patches LoadExec again so that it loads rebootex (otherwise the HEN would be lost every time you launch an application), and patches other parts of the system so that you can run unsigned code (homebrews and plugins) that otherwise wouldn't be loaded, as I explained earlier.
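The chain described in Part 2 and Part 3, as an added example that is not code from the original post or from any real HEN. It is a plain C model: "kernel memory" is a byte array, the signature check and the module-list layout are constructed stand-ins (the real pspbtcnf is a binary format that this does not reproduce), and every address is an assumption; only the two MIPS instruction encodings used for the patch are real. It shows the three moves the post describes, rebootex inserting a systemctrl entry into the module list, rebootex patching the signature check so the unsigned module loads, and systemctrl re-hooking LoadExec so the HEN survives the next launch, plus the guard a practitioner wants on every patch: compare the bytes you expect before you write, so that a firmware change makes the HEN refuse rather than corrupt the kernel.

```c
/* Added illustration, not code from the original post or from any real HEN.  It models
 * the post's chain on a byte buffer.  Addresses, the list layout and the "signature
 * check" are constructed simplifications, not the real PSP kernel layout or pspbtcnf. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIGCHECK_ADDR 0x0100u       /* constructed: start of the signature-check routine */
#define MODLIST_ADDR  0x0800u       /* constructed: NUL-separated names, empty name ends the list */
#define MODLIST_MAX   1024u
#define MIPS_JR_RA    0x03e00008u   /* jr $ra            (real MIPS32 encoding) */
#define MIPS_LI_V0_0  0x24020000u   /* addiu $v0,$zero,0 (real encoding), sits in the delay slot */
#define ORIG_W0       0x27bdffe0u   /* addiu $sp,$sp,-32 : constructed original prologue */
#define ORIG_W1       0xafbf001cu   /* sw $ra,28($sp) */

static uint8_t kmem[4096];          /* stands in for kernel RAM (PSP MIPS is little-endian) */
static int loadexec_hooked;         /* does LoadExec currently jump to rebootex? */
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, kmem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(kmem + a, &v, 4); }

/* A patch is written only if the word at addr still holds `expect`: a mismatch means the
 * firmware changed and the patch must be updated, never blindly written.  Returns count applied. */
struct patch { uint32_t addr, expect, value; };
static int apply_patches(const struct patch *p, int n) {
    int i;
    for (i = 0; i < n && rd32(p[i].addr) == p[i].expect; i++) wr32(p[i].addr, p[i].value);
    return i;
}

static const char *module_at(int idx) {       /* idx-th name in the list, "" once past the end */
    uint32_t off = MODLIST_ADDR;
    for (int i = 0; i < idx && kmem[off]; i++) off += (uint32_t)strlen((char *)kmem + off) + 1;
    return (const char *)kmem + off;
}

/* Stand-in signature check: listed names are "signed"; anything else fails unless the
 * routine's prologue has been overwritten with "jr $ra / li $v0,0", i.e. always return 0. */
static int sigcheck(const char *name) {
    static const char *signed_mods[] = { "sysmem", "loadcore", "loadexec", "vshmain" };
    if (rd32(SIGCHECK_ADDR) == MIPS_JR_RA && rd32(SIGCHECK_ADDR + 4) == MIPS_LI_V0_0) return 0;
    for (size_t i = 0; i < sizeof signed_mods / sizeof *signed_mods; i++)
        if (strcmp(name, signed_mods[i]) == 0) return 0;
    return -1;
}

/* Insert `name` at position idx, shifting the tail (terminator included) upwards. */
static int inject_module(const char *name, int idx) {
    uint32_t off = (uint32_t)(module_at(idx) - (const char *)kmem), tail = 0;
    while (kmem[off + tail]) tail += (uint32_t)strlen((char *)kmem + off + tail) + 1;
    uint32_t len = (uint32_t)strlen(name) + 1;
    if (off + tail + 1 + len > MODLIST_ADDR + MODLIST_MAX) return -1;
    memmove(kmem + off + len, kmem + off, tail + 1);
    memcpy(kmem + off, name, len);
    return 0;
}

/* rebootex, the payload: exactly the two jobs the post lists. */
static int rebootex(void) {
    const struct patch sig_patch[] = { { SIGCHECK_ADDR,     ORIG_W0, MIPS_JR_RA   },
                                       { SIGCHECK_ADDR + 4, ORIG_W1, MIPS_LI_V0_0 } };
    if (inject_module("systemctrl", 1) != 0) return -1;   /* right after sysmem, so it loads early */
    return apply_patches(sig_patch, 2) == 2 ? 0 : -1;
}

/* reboot.bin: walk the list, skip whatever fails the signature check.  Returns 1 if
 * systemctrl got loaded; a persisting systemctrl then re-applies the LoadExec hook. */
static int reboot_bin(int persist) {
    int alive = 0;
    for (int i = 0; *module_at(i); i++)
        if (sigcheck(module_at(i)) == 0 && strcmp(module_at(i), "systemctrl") == 0)
            alive = 1, loadexec_hooked |= persist;
    return alive;
}

static void fresh_kernel(void) {   /* a reboot reloads the kernel from flash: every RAM patch is gone */
    static const char list[] = "sysmem\0loadcore\0loadexec\0vshmain\0";  /* sizeof adds the 2nd NUL */
    memset(kmem, 0, sizeof kmem);
    wr32(SIGCHECK_ADDR, ORIG_W0);
    wr32(SIGCHECK_ADDR + 4, ORIG_W1);
    memcpy(kmem + MODLIST_ADDR, list, sizeof list);
}

/* Kernel exploit once (the first LoadExec patch), then n launches; returns how many ended with
 * the HEN still alive.  If rebootex's patch fails, systemctrl is in the list but gets refused. */
static int hen_survives(int n, int persist) {
    int alive = 0;
    loadexec_hooked = 1;
    for (int i = 0; i < n; i++) {
        int hooked = loadexec_hooked;
        fresh_kernel(); loadexec_hooked = 0;
        if (hooked) rebootex();
        alive += reboot_bin(persist);
    }
    return alive;
}

int main(void) {
    printf("no re-hook by systemctrl:     HEN alive after %d of 3 launches\n", hen_survives(3, 0));
    printf("systemctrl re-hooks LoadExec: HEN alive after %d of 3 launches\n", hen_survives(3, 1));
    fresh_kernel(); wr32(SIGCHECK_ADDR, 0x27bdffd0u);     /* "new firmware": prologue changed */
    printf("rebootex on changed firmware: %s\n", rebootex() == 0 ? "patched" : "refused");
    return 0;
}
```

Running it reports the HEN alive after 1 of 3 launches without the re-hook and after 3 of 3 with it, and shows rebootex refusing to patch once the prologue no longer matches. Overwriting a check's prologue with `jr $ra` / `li $v0,0` is the classic "make it return success" edit; the real targets sit inside reboot.bin and the system modules at addresses that change between firmware versions, which is the "updating patches" work the introduction mentions.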

Conclusion

Of course, this is just a general explanation of how a Homebrew Enabler works; it does not apply to every HEN, as some developers may design theirs differently, but these are the core concepts of every enabler. I tried to keep this explanation as simple as possible for normal users; if you're a dev, you may find some parts "too easy", I know, but then again, you're not a normal user, are you? ;) — Freddy

  1. Cercata

    I'm a dev, and it sounds quite difficult anyway ;-)

  2. whitey_mcguee

    I'm not a dev but I wish I was. I honestly don't know where to start to learn.

    1. codestorm

      learn programming

      1. UnknowablE

        Herp lol… love this comment… it implies that there is only one language and that once you learn it you will instantly know how to develop software for any system… have fun with that

        1. flashmozzg

          He didn't say "learn C++ or C# or Java or something". He said "learn programming". It's like "learn swimming": then you can start swimming crawl, butterfly etc. You need to understand the basics of programming, so choose one of the languages that have a lot of good learning literature (C is good, and it will be easier to learn C++, C# and Java after it). Anyway, just do something. Don't sit doing nothing. You have the internet, the source of almost infinite knowledge. There are a lot of good sites for people like you.

  3. romain337

    Yeah, it sounds difficult for me too, but it's really cool to read this kind of article :)

  4. Dovahkiin

    Sure, the concept is easy, but programming it at a low level like MIPS is another story entirely.

  5. jigsaw

    Knowledge of HENs is still kept within a quite small group of people. This is a good starting point for greenhands who would like to join the group.

    I remember when I started reversing TN's HEN I had absolutely no idea what reboot/rebootex/LoadExec were, or even what a module was. It was quite difficult for me to move on by reading just raw MIPS. Now that I look back, I wouldn't have finished the RE without Freddy's help.

    Hopefully Freddy will post more excellent blogs like this one.

  6. toBsucht

    But why can't we (me with my 300x) write plugins to flash?
    Isn't it "just" signing it? I mean, we've got Permanent Patch and such stuff.. having a special "recovery" prx in flash
    would be great. I still remember most people saying that signing a HEN isn't possible because it's kernel mode.

    Idk if a recovery.prx is kernel/user or whatever; I know some hb.prx are "user" mode and they are not signed to work with all PSPs and OFW :D

    Nice article.

    1. Iono

      Xian Nox: Fiuck yeur mader

      1. Xian Nox

        Always fun to give you a permaban. ^_^

    2. freddy_156

      That's basically how Permanent Patch works: a "signed" user module is used to replace an official module (usually vshmain.prx), and what this module does is trigger the kernel exploit when it's loaded (vshmain is one of the first user modules loaded, that's why) in order to launch the HEN again; then it loads the original module.

      1. toBsucht

        Thanks for your answer.

    3. UnknowablE

      -facepalm-

  7. Yoti

    Happy blogging, freddy!

  8. auron

    Thank you for the info. I suppose this will be a while away from being possible on the Vita.

  9. svenn

    knowledge is power, thx for sharing!

  10. xcanox

    I was impressed when I read this article.
    You guys really know what you're doing.
    Keep up the good work!

  11. jlo138

    I wonder why the explanation…. Maybe a Vita HEN coming soon? IDK, but I do like reading this stuff.

  12. thecobra

    Wololo, nice work with the explanation. I found it nice that even I, who never did a CFW or a REAL HEN, could understand this quite easily.

    To everyone else interested in understanding this: I recommend learning what wololo's VHBL does first and then trying to understand this one. Since there have been quite a few discussions of VHBL, you have more resources to learn from. After that, it shouldn't be too hard to understand this :)

    1. wololo

      The explanation on the HEN is not by me, but by Freddy.

      1. thecobra

        oh, sorry Freddy, my mistake.

        thanks Freddy for this post :-)

  13. romain337

    Why this explanation? Maybe because for some people, programming and/or hacking is a passion. I would die if I couldn't program anymore, seriously.

  14. Dovahkiin

    Freddy, can you explain NIDs, how they're very important in CFW/HEN and what happens if they are not present in HENs?

    please please please. XD

    1. freddy_156

      I was already thinking about that :) will be my next post probably

  15. Omega Weapon

    You have been the only dev (that I know of/have read about) who has taken the time to explain in detail how things work with regards to homebrew apps, etc. in my time spent learning/understanding homebrew. Also respect to your colleagues!

    Thank you very much for the simple, straightforward explanation! You are awesome, man! You really know how to deliver your message, reach out and get feedback! Keep up the great work…now…about that other dev who enabled that PS1 game on the Vita…any luck on an interview or more details??

    Even another video of a different game would be really cool to see! :)

    1. the clit tickler

      No :-)

  16. the clit tickler

    No. :-)

  17. fLaSh

    I started PSP programming a short time ago.. I learned this by myself with the open source PRO CFW :)

    Very nice article.. it's very complete and easy to understand how the software works on the PSP..

  18. Wololo supporter

    Thanks for explaining; everything sounds hard lol, and I thought I knew some programming.

  19. KnuxTheTurtle

    I think this is a "recruitment" post to try to get people on board with hacking on the Vita. Interesting stuff.

  20. Griwwjack

    Freddy, thanks for the clarification. I study the C programming language; shortly before, I programmed in Basic. I already managed to make a homebrew (just a Hello World :P) but I am still in the early stages of study.
    I'd like to know if it involves pointers, or perhaps something in Assembly? Thank you!
    Sorry for my bad English, I am also studying it. :P

  21. ChaosAgent

    First time poster, long time lurker (I have been lurking since this was a site about a card game :) )
    I love the more tech posts! I love to learn about the processes involved in security (primarily, the bits about circumventing said security). Although, I couldn't hack my way out of a paper bag without a tut and links :) ! I just thought it was time to break my silence in order to say thank you and ask that the tech posts continue or, at the very least, that links be given whenever possible to lead people like me to forums where we can learn more about the topics.
    I do have one question that the great Google hasn't been able to answer for me: what happened to the complete demise of Sony's security? When OverFlow found the random number 4 responsible for the security of the PS3, everyone said that Sony couldn't fix it. It took what, 3-4 system updates to fix it (greedy TrueBlue notwithstanding)? After all the media attention, I figured someone would explain how they managed to resecure the OS, but I can't find a word about HOW they pulled it off. Can anyone point me in the right direction? Sorry for the off-topic-ness, this has just been driving me insane!
