*Originally posted by Wololo
When HBL runs, it needs some info that is specific to the exploit it was launched with: for example, a list of threads to delete, etc.
Here I'm trying to summarize the game-specific data and how to obtain it. Please help me fill in the voids.
- Basic SDK. This one is used when we create the game exploit. Explanations on how to generate it can be found here. This is sdk_loader.S in HBL.
- List of threads / semaphores / events to delete. The game we run created a bunch of objects that we want to get rid of; otherwise they could interfere with HBL (especially threads). PSPLink is useful to retrieve those: with evlist/semlist/thlist you get a list of them. Each of them has a "UID". This UID changes every time the game runs, but not the place where it is defined. So what I usually do is look for each UID in user RAM. The value we want in HBL is the address where the UID is defined.
- Address of allocated memory. Some games (not Patapon) allocate a huge chunk of memory when they start. This value can be caught by writing a plugin that will hook the sceAllocPartition... function.
- Address of stubs. A list of modules can be obtained by typing "modlist" in PSPLink. Then, by looking for the modules' names in RAM, you can find where the stub entry can be found. I found that it looks like: moduleName (28 bytes) + 12 bytes + [stub address]. This could easily be automated; maybe m0skit0 already has a tool for this. These are different for each firmware. Once we get them, they are put in config files (see eLoaderconf.rb).
- Detect PSP firmware/model. For Patapon, there was no specific rule for that. I retrieved a bunch of user RAM dumps from various models and compared them with a script. I then found a few values in RAM which seemed to be "constants" for firmwares or models, and I used that.
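The three RAM-dump searches described in the post above (locating where a UID is stored, reading the stub address that follows a module name, and diffing dumps from several models to find per-model constants) as one added example. This is not Wololo's script, not part of HBL, and the dump it runs on is constructed inline rather than taken from a real PSP. It assumes a user RAM dump that starts at 0x08800000, 4-byte aligned little-endian words (PSP MIPS is little-endian), and reads "moduleName (28 bytes) + 12 bytes + [stub address]" as: the stub address is the 32-bit word 40 bytes past the start of the name field. The module name, UID values and model marker below are made up for the demonstration.

```python
import struct

# Assumption: the dump covers PSP user RAM starting at this address.
USER_RAM_BASE = 0x08800000


def find_word_addresses(dump, value, base=USER_RAM_BASE):
    """Addresses of every aligned little-endian 32-bit word equal to `value`.

    Used for UIDs from thlist/semlist/evlist: the UID changes per run, but the
    address where it is stored does not, and that address is what HBL needs."""
    needle = struct.pack("<I", value)
    hits = []
    off = dump.find(needle)
    while off != -1:
        if off % 4 == 0:          # ignore unaligned byte coincidences
            hits.append(base + off)
        off = dump.find(needle, off + 1)
    return hits


def find_stub_addresses(dump, module_names, base=USER_RAM_BASE):
    """For each modlist name, find its 28-byte NUL-padded name field and read
    the word 12 bytes after it (the [stub address] slot described in the post).
    Returns {name: (address_of_name_field, stub_address)}."""
    result = {}
    for name in module_names:
        field = name.encode("ascii").ljust(28, b"\0")
        off = dump.find(field)
        if off == -1:
            continue
        stub_addr, = struct.unpack_from("<I", dump, off + 28 + 12)
        result[name] = (base + off, stub_addr)
    return result


def find_model_constants(groups, base=USER_RAM_BASE):
    """groups maps a label (firmware or model) to a list of dumps from it.
    Returns aligned words that are identical within every group but differ
    between groups: candidate firmware/model fingerprints. Words that change
    between runs of the same model (UIDs, pointers) are filtered out."""
    n = min(len(d) for ds in groups.values() for d in ds) // 4 * 4
    found = []
    for off in range(0, n, 4):
        per_group = {}
        for label, dumps in groups.items():
            words = {struct.unpack_from("<I", d, off)[0] for d in dumps}
            if len(words) != 1:   # not stable within this group: skip offset
                break
            per_group[label] = words.pop()
        else:
            if len(per_group) > 1 and len(set(per_group.values())) == len(per_group):
                found.append((base + off, per_group))
    return found


def build_sample_dump(uid, stub_addr, model_marker):
    """Constructed 512-byte stand-in for a user RAM dump (not real PSP data)."""
    d = bytearray(0x200)
    struct.pack_into("<I", d, 0x40, uid)               # a thread UID slot
    struct.pack_into("<I", d, 0x44, 0x12345678)        # some unrelated word
    d[0x80:0x80 + 28] = b"sceNet_Library".ljust(28, b"\0")  # hypothetical name
    d[0x80 + 28:0x80 + 40] = b"\x11" * 12              # the 12 unknown bytes
    struct.pack_into("<I", d, 0x80 + 40, stub_addr)    # [stub address]
    struct.pack_into("<I", d, 0x100, model_marker)     # pretend per-model constant
    return bytes(d)


if __name__ == "__main__":
    dump = build_sample_dump(0x04B1C2D3, 0x08804000, 0xAAAA0001)
    print([hex(a) for a in find_word_addresses(dump, 0x04B1C2D3)])
    print({k: tuple(hex(x) for x in v)
           for k, v in find_stub_addresses(dump, ["sceNet_Library"]).items()})
    groups = {
        "PSP-1000": [build_sample_dump(0x1, 0x08804000, 0xAAAA0001),
                     build_sample_dump(0x2, 0x08804000, 0xAAAA0001)],
        "PSP-2000": [build_sample_dump(0x3, 0x08804000, 0xBBBB0002)],
    }
    for addr, values in find_model_constants(groups):
        print(hex(addr), {k: hex(v) for k, v in values.items()})
```

On a real dump you would feed `find_word_addresses` each UID printed by PSPLink and keep only addresses that hold the new UID on the next run; `find_model_constants` needs at least two dumps per model so that run-to-run values are filtered before offsets are compared across models.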