ISO Loaders & why they don’t work on HBL

The most requested feature ever for HBL is an ISO loader: many “developers” have promised to release an ISO loader for HBL, but nobody has managed to code one so far. To understand what an ISO loader is and why it won’t work on HBL, we first have to know what a .iso file is.

What are isos?

ISO 9660 is a filesystem standard for optical discs (CDs, DVDs, and even UMDs use it). It’s pretty simple to implement if you’re a developer, and it’s widely documented.

An .iso file is just a raw disc image that you can burn to a disc or mount with software that does nothing but implement the ISO 9660 filesystem.

If you have a CFW that can run ISOs and has a VSH menu, you’ll notice an option in that menu called “ISO Driver”: a custom firmware usually ships more than one implementation of the filesystem (driver), each with its own advantages and its own way of working (some implement caching, others implement .cso support, and so on).

The OFW itself has an ISO driver, as UMDs use that filesystem as well: some CFW drivers just patch that driver to make it work with your .iso files.

Now you may be asking yourself “Can’t HBL do the same?”

Well, it can’t patch the OFW driver: that driver is a kernel module living in kernel memory, and HBL runs in user mode, so it can’t simply write to kernel memory. It can’t implement a kernel-mode driver of its own (like the ones CFWs have) either, because that requires access to some kernel-only functions (such as sceIoAddDrv).

Yet, an .iso dumped from a UMD contains some resource files and… an EBOOT.BIN. What’s that?

Couldn’t HBL implement the iso specifications?

The EBOOT.BIN inside your ISO is just a user-mode executable (ELF or PRX), so couldn’t HBL implement the ISO 9660 filesystem itself, pull that EBOOT.BIN out and load it?
Not so fast! First of all, the executable is encrypted, and decryption requires kernel access. That alone could be bypassed easily enough by decrypting the executable on a hacked PSP beforehand.
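To make the first half of that idea concrete, here is an added Python example (not HBL code, and not from the original post) that builds a tiny constructed UMD-style ISO 9660 image, walks the primary volume descriptor and directory records to find PSP_GAME/SYSDIR/EBOOT.BIN, and then stops exactly where a user-mode loader has to: the “~PSP” magic marks an encrypted executable that only kernel code can decrypt. The PSP_GAME/SYSDIR layout and the “~PSP” header are assumed here from the standard UMD conventions; every byte of the image is constructed.

```python
SECTOR = 2048  # ISO 9660 logical block size

def dir_record(ident, lba, size, is_dir):
    """One directory record: len, ext-attr len, extent, size, 7-byte timestamp, flags
    (bit 1 = directory), unit size, gap, volume sequence no, id len, id, pad to even."""
    both = lambda v: v.to_bytes(4, "little") + v.to_bytes(4, "big")  # fields are stored LE then BE
    body = (b"\x00" + both(lba) + both(size) + b"\x00" * 7 + bytes([2 if is_dir else 0, 0, 0])
            + b"\x01\x00\x00\x01" + bytes([len(ident)]) + ident + (b"\x00" if len(ident) % 2 == 0 else b""))
    return bytes([len(body) + 1]) + body

def build_image():
    """Constructed sample image (not a real dump): only the fields the walker reads are set."""
    eboot = b"~PSP" + b"\x00" * 60  # '~PSP' is the magic of an encrypted PSP executable
    d, pad = dir_record, lambda s: s.ljust(SECTOR, b"\x00")
    pvd = pad(b"\x01CD001\x01\x00" + b"\x00" * 148 + d(b"\x00", 17, SECTOR, True))  # root record at byte 156
    root = pad(d(b"\x00", 17, SECTOR, True) + d(b"\x01", 17, SECTOR, True) + d(b"PSP_GAME", 18, SECTOR, True))
    game = pad(d(b"\x00", 18, SECTOR, True) + d(b"\x01", 17, SECTOR, True) + d(b"SYSDIR", 19, SECTOR, True))
    sysdir = pad(d(b"\x00", 19, SECTOR, True) + d(b"\x01", 18, SECTOR, True) + d(b"EBOOT.BIN;1", 20, len(eboot), False))
    return b"\x00" * (16 * SECTOR) + pvd + root + game + sysdir + pad(eboot)  # sectors 0-15: system area

def parse_record(buf, off):
    """Return (record_len, lba, size, is_dir, ident), or None at a zero pad byte."""
    if buf[off] == 0:
        return None
    lba, size = (int.from_bytes(buf[off + i:off + i + 4], "little") for i in (2, 10))
    return buf[off], lba, size, bool(buf[off + 25] & 2), buf[off + 33:off + 33 + buf[off + 32]]

def list_dir(img, lba, size):
    """Map name -> (lba, size, is_dir) for one directory extent, skipping '.' and '..'."""
    data, off, entries = img[lba * SECTOR:lba * SECTOR + size], 0, {}
    while off < size:
        rec = parse_record(data, off)
        if rec is None:  # records never straddle a sector; a zero byte means skip to the next one
            off = (off // SECTOR + 1) * SECTOR
            continue
        if rec[4] not in (b"\x00", b"\x01"):
            entries[rec[4].decode("ascii").split(";")[0]] = rec[1:4]  # drop the ';1' version suffix
        off += rec[0]
    return entries

def find_path(img, path):
    """Check the PVD magic at sector 16, then walk a '/'-separated path from its root record."""
    if img[16 * SECTOR] != 1 or img[16 * SECTOR + 1:16 * SECTOR + 6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    _, lba, size, _, _ = parse_record(img, 16 * SECTOR + 156)
    for part in path.split("/"):
        lba, size, _ = list_dir(img, lba, size)[part]
    return img[lba * SECTOR:lba * SECTOR + size]

def eboot_kind(data):  # what a user-mode loader can tell: '~PSP' needs kernel-side decryption, ELF is plain
    return {b"~PSP": "encrypted", b"\x7fELF": "plain-elf"}.get(data[:4], "unknown")
```

Reading the image is the easy part; the walker reaches EBOOT.BIN and then has nothing it can legally do with a “~PSP” blob from user mode.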

The main problem is that some games come with some kernel modules bundled with them (not sure why, backwards compatibility probably).

When the PSP system executes a game from a UMD, it looks for those modules and allows the game to load them in order to override some OFW modules.

Doesn’t that make the system somewhat vulnerable? Probably, but since only certified software houses should be able to burn images onto UMDs, it’s not very risky.

The HBL just can’t load those modules, as loading kernel modules requires kernel permissions; mounting the ISO as a “legit” UMD would make the OFW do that for us, but that requires a kernel mode driver.

So, when HBL executes a game which requires some of those “extra” modules, the game will just not work, as it will most likely check if those modules were loaded or not.

Conclusion

I hope you now understand why we developers find such requests so annoying. Also, let’s face it, most people who ask for an ISO loader are pirates: I’m not saying people who really back up their own games to protect them don’t exist, but they’re just a small part of the “group”.

Again, I tried to keep this as simple as possible; if you didn’t understand something, let me know in the comments :)

– Freddy

  1. wololo

    Theoretically, couldn’t we also hijack the LoadModule functions to load equivalent user-mode modules? Random example, if the game is trying to load an old mp3 module in kernel, couldn’t we hook all the logic for that? This would be a workaround for the impossibility to load those kernel modules?

    1. freddy_156

      Well, I’ve seen some games override modules such as ifhandle which should require kernel permissions. User modules could be theoretically loaded, but they are signed too.

  2. StepS

    Not to mention that VHBL only has access to 24 MB RAM, which makes the implementation of this close to impossible :)

    1. freddy_156

      That is a critical problem too, games already use most resources.

  3. Andrew

    What about signed eboots of psp games?

    1. freddy_156

      You don’t need an ISO loader for those; as you said, they are signed, you can just buy them from PSN and run them.

      1. StepS

        He meant the Fake NP trick for signed games.
        Well, the version 1.0 supports signing of them for 6.60.
        But the problem is that we can’t copy eboots inside a psp emulator, and we can’t launch it without the vita itself helping us to do so (and from livearea). Although someone else might look into it, but I think it’s like this.

        1. freddy_156

          Oh, I thought he meant digital copies of games

          1. StepS

            I remember that Davee used a digital PSN psp game in his “Vita PSP HEN” video. So I suppose it’s meant to be only kernel-possible, if the psp or vita itself doesn’t run it for us

          2. StepS

            Also, all these “signed eboots” are in fact digital copies of games too. Just not of the paid ones, but of the demos. A demo header is used to make the psp think it’s a valid game

      2. StepS

        In other words, making a “signed game” run is equivalent to making the Super Collapse 3 Eboot run from within VHBL.

  4. z3r01

    Let’s just keep the PS Vita like it is now, loading homebrews :D

    1. Mr. Awsome

      + Emulators. Can’t leave out the classics. I still have a PSP 1000 from 2006 just for that.

  5. garrei

    Shoot me down if this is a stupid question, but could it be possible to store a “virtual kernel” of some sort and get HBL to load that so we don’t have to get access to the real one?

    1. dimy93

      StepS on June 12, 2012 at 2:39 pm
      not to mention that VHBL only has access to 24 MB RAM, which makes the implementation of this close to impossible

      So no free RAM, sorry

    2. wololo

      In essence, that is what VHBL already is. It overrides the functions that cannot be accessed with fake ones. Some of them work well, some of them don’t.

  6. dimy93

    Wouldn’t it be possible to use the signed eboots (both for games and homebrews) on a Vita if a “custom” memory stick/memory stick reader is produced, and does anyone know what hardware securities are applied to them so that they are not yet available?

  7. Wololo supporter

    Do you guys have a Twitter? I want to be updated on everything you guys release. I work 7 days a week and don’t wanna miss the next exploit when and if it comes out

  8. Boooler

    I remember a very good and smart hack on psp when hackers took a demo version (which was a signed eboot) and replaced all game content from this eboot with another info

    The left “package” so the psp could recognize and run it

    It was like a trojan Eboot

  9. wynd

    So we need a kernel exploit to have full kernel/filesystem read/write and ram read/write access right? Sigh… hope wololo can find one! that would be great!
    Good luck :)

    1. wololo

      Remember that we’re only talking of the PSP here, this wouldn’t give us access to more than what the PSP emulator can do.

      1. wynd

        Could you rephrase that please?

        1. wololo

          The “Kernel exploit” we would have for now (for example, the one discussed here: http://wololo.net/2012/06/14/psx-on-the-vita-an-interview-with-the-mysterious-vita-hacker/ ) is a PSP Kernel exploit.

          It means, once run in the Vita, that we have access to everything the PSP emulator lets us access, which is not much: we are still “inside” the PSP sandbox. So, we have access to the PSP emulated hardware and the PSP emulated ram. In particular, a PSP kernel exploit would not give us access to the full Vita Ram, or to the touch screen, for example.

          A “vita Kernel exploit” is still a very blurry concept and I don’t think it makes sense to talk about such a thing for now.

          1. wynd

            Oh I think I understand now. We have a PSP kernel exploit that works in the vita, but we need a PSVita kernel exploit for the full access of all the hardware in the vita.

          2. wololo

            Yes.

  10. PureMagic

    I’m pretty sure a partial compatibility ISO Loader can be developed.
    The EBOOT.BIN encryption is not a real problem, and some of the games with custom kernel modules might work just fine with the OFW modules.
