
VSH plugin for Bluetooth

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

VSH plugin for Bluetooth

Post by JJS » Thu Dec 30, 2010 7:28 am

I was trying to get more functionality out of the Bluetooth function on the GO. A problem is that the device registration rejects devices based on their class. This means a PC will not show up in the device list, but e.g. a cell phone does. So I wrote a small plugin that patches the Bluetooth VSH module in memory to remove this early device rejection. This is only effective for the pairing phase, so the plugin can be disabled after a device was registered and it will still remain working.

main.c

Code:

#include <pspsdk.h> 
#include <pspkernel.h> 
#include <systemctrl.h> 
#include <psploadcore.h>
#include <string.h>


PSP_MODULE_INFO("btfree", 0x1000, 0, 0);

STMOD_HANDLER previousStartModuleHandler = NULL; 


int on_module_start(SceModule2* mod)
{
	// Only act on the Bluetooth VSH plugin module
	if (strcmp(mod->modname, "bluetooth_plugin_module") == 0)
	{
		// There is a check for the device type that goes something like this:
		//
		// if (((descriptor & 0x000000FF) == 0x00000005) || (...) || (...))
		//
		// It gets changed to:
		//
		// if (((descriptor & 0x000000FF) != 0x0000FFFF) || (...) || (...))
		//
		// The result is obviously that the statement always evaluates as true,
		// therefore no devices are rejected early.

		// write "li $t6, 0xFFFF", was "li $t6, 0x5"
		*(u32*)(mod->text_addr + 0x000094A8) = 0x240EFFFF;

		// write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
		*(u32*)(mod->text_addr + 0x000094D4) = 0x144E0003;
	}

	// Call the previously set start module handler if there was one
	if (previousStartModuleHandler)
		return previousStartModuleHandler(mod);
	else
		return 0;
}



int module_start(SceSize args, void* argp)
{
	// Establish a handler that gets called before any module's module_start function is called.
	// A previously installed handler is saved so it can be chained and restored.
	previousStartModuleHandler = sctrlHENSetStartModuleHandler(on_module_start);

	return 0;
}


int module_stop(SceSize args, void* argp)
{
	// Restore the previous start module handler if there was one
	if (previousStartModuleHandler)
		sctrlHENSetStartModuleHandler(previousStartModuleHandler);

	return 0;
}
Makefile and exports.exp are in the attachment, as well as the binary.


I never wrote a CFW plugin before, so comments are welcome.

I hope to get more out of this in the future. At the moment my PC shows up as an audio device and I can reroute the PSP GO audio through it (the PC acts like a headset). It shows DUN (dial-up network) and SSP (serial port profile = RS232 over BT) but I cannot use the PC as a modem for the GO. This is probably because the PC is discovered as an audio device and not a phone. I will try to patch the detected device class next to see if this can be influenced.
Attachments
btfree.zip
(2.5 KiB) Downloaded 469 times
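Added example, not code from the plugin or its attachment: it decodes and re-encodes the two MIPS words the plugin writes, computes where the patched branch lands, and applies each write only after checking that the original instruction is still at that offset (a guard the plugin itself does not have). The module text buffer is constructed for this example; the offsets and encodings are the ones from the post.

```c
#include <stdint.h>
#include <stdio.h>

#define OP_ADDIU 9u   /* "li rt, imm" assembles to addiu rt, $zero, imm */
#define OP_BEQ   4u   /* bne is 5: beq and bne differ only in opcode bit 0 (word bit 26) */

typedef struct { uint32_t op, rs, rt; int32_t imm; } itype_t;

static itype_t decode_itype(uint32_t w) {
    itype_t i = { w >> 26, (w >> 21) & 31u, (w >> 16) & 31u, (int16_t)(w & 0xFFFFu) };
    return i;
}
static uint32_t encode_itype(uint32_t op, uint32_t rs, uint32_t rt, uint16_t imm) {
    return (op << 26) | (rs << 21) | (rt << 16) | imm;
}
/* Branch target = address of the delay slot + sign-extended offset in words. */
static uint32_t branch_target(uint32_t pc, uint32_t w) {
    return pc + 4 + ((uint32_t)decode_itype(w).imm << 2);
}

/* Write only if the word still holds the instruction we expect, so a different
 * build of the module does not get an unrelated instruction clobbered. */
static int patch_checked(uint32_t *text, uint32_t off, uint32_t expect, uint32_t repl) {
    if (text[off / 4] != expect) return -1;
    text[off / 4] = repl;
    return 0;
}

/* The plugin's two writes, guarded by the original encodings the comments say it replaces. */
static int apply_btfree_patches(uint32_t *text) {
    uint32_t li_t6_5 = encode_itype(OP_ADDIU, 0, 14, 5);   /* li $t6, 0x5      = 0x240E0005 */
    uint32_t beq_v0_t6 = encode_itype(OP_BEQ, 2, 14, 3);   /* beq $v0, $t6, +3 = 0x104E0003 */
    /* addiu sign-extends 0xFFFF, so $t6 becomes 0xFFFFFFFF: a masked byte can never equal it. */
    if (patch_checked(text, 0x94A8, li_t6_5, encode_itype(OP_ADDIU, 0, 14, 0xFFFF))) return -1;
    return patch_checked(text, 0x94D4, beq_v0_t6, beq_v0_t6 ^ (1u << 26));  /* -> 0x144E0003 */
}

/* Constructed stand-in for the module's .text; only the two patched words are populated. */
static uint32_t sample_text[0x9500 / 4];
static void reset_sample_text(void) {
    sample_text[0x94A8 / 4] = encode_itype(OP_ADDIU, 0, 14, 5);
    sample_text[0x94D4 / 4] = encode_itype(OP_BEQ, 2, 14, 3);
}

int main(void) {
    reset_sample_text();
    int rc = apply_btfree_patches(sample_text);
    printf("patch %s, branch now goes to 0x%X\n", rc ? "mismatch" : "applied",
           branch_target(0x94D4, sample_text[0x94D4 / 4]));
    return rc;
}
```

Running the patch routine a second time fails the guard, which is exactly the behaviour wanted on a module build whose bytes differ from the ones the offsets were taken from.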

ruyor
Retired Mod
Posts: 776
Joined: Wed Nov 03, 2010 2:29 am
Location: USA
Contact:

Re: VSH plugin for Bluetooth

Post by ruyor » Thu Dec 30, 2010 7:41 am

Awesome work JJS :D

It would be cool if somebody could get a Wiimote working. The PSP Go sees it, but when trying to pair it says "An error occurred during the register operation. This device is not supported." Maybe a custom driver is needed for something like this?

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: VSH plugin for Bluetooth

Post by JJS » Thu Dec 30, 2010 7:57 am

From the disassembly I can see that the only supported device profiles are:
- SSP that all BT devices must support
- DUN for using a phone as a modem
- HID probably only for the PS3 controller
- AVRCP, audio remote control
- HSP for headsets
- A2DP for stereo audio output

So for anything not supported a custom driver will be needed, yes.


There's also something interesting with pairing a PS3 controller. If you enter the respective option, the PSP will load a USB driver for a game pad. I tried to load that driver in a homebrew, which succeeds. But I cannot press any buttons or anything. There are only two functions exported by the driver: one always returns 0, the other either crashes the thread or waits infinitely. I cannot tell, as I cannot use PSPLink through that.

Draan
Posts: 72
Joined: Tue Dec 21, 2010 9:49 pm

Re: VSH plugin for Bluetooth

Post by Draan » Thu Dec 30, 2010 3:57 pm

@JJS: good work!
A small tip: there is an _sw macro commonly used for patching; you don't need to do the casting to u32, etc. For many, many patches it's a lot cleaner to read and fewer characters to type :)

Your patches would then look like this:

Code:

      // write "li $t6, 0xFFFF", was "li $t6, 0x5"
      _sw(0x240EFFFF, mod->text_addr + 0x94A8);

      // write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
      _sw(0x144E0003, mod->text_addr + 0x94D4);

Strangelove
Posts: 286
Joined: Thu Nov 25, 2010 6:32 pm

Re: VSH plugin for Bluetooth

Post by Strangelove » Thu Dec 30, 2010 4:49 pm

Oooh, nice.

It did indeed allow my laptop to be found on a BT scan. *thumbs up*

Edit: Is there a chance you can set the bluetooth LED to blink only like once or twice per minute?
"If you have specific questions ... don't hesitate to ask as the more generic the question is the more philosophic the answer will be" - PSPWizard

KaZ
Posts: 158
Joined: Wed Sep 29, 2010 5:36 pm
Location: Flash0:/kd/PF0.prx

Re: VSH plugin for Bluetooth

Post by KaZ » Thu Dec 30, 2010 7:19 pm

Nice work, I'll try getting the Wii remote to work by trying to modify the src :D
Great work though.

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: VSH plugin for Bluetooth

Post by JJS » Fri Dec 31, 2010 10:11 am

@Draan: Thanks for the advice!
Strangelove wrote: It did indeed allow my laptop to be found on a BT scan.
As what device did it show up and could you connect to it?
Strangelove wrote: Is there a chance you can set the bluetooth LED to blink only like once or twice per minute?
It can surely be turned off completely with sceSysconCtrlLED(), maybe it can also be forced to blink at a different frequency with sceLedSetMode(). There is a good thread about this on ps2dev. I can try doing that.


So, small update on this:

- That function in the game controller driver hangs because it waits for a semaphore. It probably waits for receiving a challenge from the host. It also has a different USB PID than the PS3 controller, so the PS3 might do some special handling when it is plugged in.

- I did hook that checking function I patched in the original source. This allowed me to extract some information about the struct used to describe a bluetooth device. I also spoofed the device class and this indeed allowed the PC to be added as a phone. Then the option to use it as a modem becomes available. Unfortunately it doesn't work. The bluetooth connection gets established, but it doesn't dial. I tried with the built-in modem, but it doesn't receive anything. Another try with a fake software modem driver actually receives and sends some bytes, but then stops the connection.


I have a question: If I want to hook a function of a user mode module by rewriting the jal instruction, does the function I jump to have to be in user memory too? I tried jumping into my kernel module, but it only crashed the PSP. So I ended up writing a user mode module that contains the target function.

Edit: Another question, did someone try to register a PS3 controller? I mean directly, not the regular way through the PS3. If so, what happened?

Strangelove
Posts: 286
Joined: Thu Nov 25, 2010 6:32 pm

Re: VSH plugin for Bluetooth

Post by Strangelove » Fri Dec 31, 2010 10:36 am

JJS wrote:
Strangelove wrote: It did indeed allow my laptop to be found on a BT scan.
As what device did it show up and could you connect to it?
laptop w/ linux:
type: hid
profile: hsp, a3dp, avrcp

I could connect and I got a dialogue where I could choose to accept the connection; however, before I could press yes, the PSP already showed an error. I also got a message that the PSP attempted to start a service on my computer. Only the service id was given; I'm guessing it tried to ask for a Sony-specific service.

And while I'm at it, my smartphone:
type: hid
profile: dun

Dr. Soup
Posts: 4
Joined: Sun Nov 14, 2010 9:44 pm

Re: VSH plugin for Bluetooth

Post by Dr. Soup » Fri Dec 31, 2010 6:53 pm

@JJS:
Using a usermode PRX is the easiest way to do it. You could, however, also copy the hooking function into user memory and patch the jal to point at your function. This isn't that useful unless you write that function in raw ASM so that you allocate exactly the size of the function in user memory (otherwise you'd waste some user memory). So in the end, you see, it depends on the situation ;)

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: VSH plugin for Bluetooth

Post by JJS » Fri Dec 31, 2010 7:20 pm

If I were to copy a function into memory myself I would have to also resolve any syscall it needs manually, right? But this might be ok for simple functions that don't have to call anything from outside.

An idea I had was to make the function an export in my kernel module so that it can be called with a syscall. It should be possible to then allocate 8 bytes in user memory, write "jr $ra; syscall <myfunction>;" in there and then have the patched jal jump into this.

There are two things I am not sure about though:
1. Does the kernel assign syscalls to libraries that are not currently imported by a usermode module?
2. How to get the syscall number for a function?

Edit: Heh, should have searched before asking. The exact same thing got posted on ps2dev. I am such a noob :roll:.
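Added example, not code from anyone in the thread: it encodes the jal redirection and the 8-byte "jr $ra; syscall" stub described in the post above as plain MIPS words, and checks the one constraint a jal imposes (call site and target in the same 256 MB region). The user-mode load address, the stub address, the jal target and the syscall number are all placeholders.

```c
#include <stdint.h>
#include <stdio.h>

/* J-type jal: opcode 3 plus a 26-bit word index; address bits 31..28 come from the
 * delay slot, so call site and target must share a 256 MB region. Returns 0 (a nop,
 * never a valid jal) when the target is unreachable. */
static uint32_t encode_jal(uint32_t jal_addr, uint32_t target) {
    if ((target & 3u) || ((jal_addr + 4) & 0xF0000000u) != (target & 0xF0000000u)) return 0;
    return (3u << 26) | ((target >> 2) & 0x03FFFFFFu);
}

static uint32_t decode_jal_target(uint32_t jal_addr, uint32_t w) {
    return ((jal_addr + 4) & 0xF0000000u) | ((w & 0x03FFFFFFu) << 2);
}

#define JR_RA 0x03E00008u   /* SPECIAL: rs=$ra(31), funct=8 (jr) */
static uint32_t encode_syscall(uint32_t code) { return (code << 6) | 0x0Cu; } /* SPECIAL funct=12 */

/* The 8-byte user-memory stub from the post: "jr $ra; syscall <n>". The syscall sits in the
 * jr delay slot, so it runs before control returns to the call site and its $v0 is what
 * the caller sees. The original callee is no longer reached unless the kernel export calls it. */
static void build_stub(uint32_t stub[2], uint32_t syscall_no) {
    stub[0] = JR_RA;
    stub[1] = encode_syscall(syscall_no);
}

/* Redirect the jal at call_site to stub_addr. Refuses if the word there is not a jal
 * (wrong offset for this build) or the stub is not reachable with a jal. */
static int rehook_jal(uint32_t *text, uint32_t base, uint32_t call_site, uint32_t stub_addr) {
    uint32_t *w = text + (call_site - base) / 4, jal = encode_jal(call_site, stub_addr);
    if ((*w >> 26) != 3u || jal == 0) return -1;
    *w = jal;
    return 0;
}

/* Constructed user-mode text loaded at a hypothetical 0x08804000: word 0 is jal 0x08900100. */
#define USER_BASE 0x08804000u
static uint32_t user_text[4] = { 0x0E240040u, 0, 0, 0 };
static uint32_t stub_words[2];

int main(void) {
    uint32_t stub_addr = 0x08900200u;              /* hypothetical 8-byte user-memory allocation */
    build_stub(stub_words, 0x1234);                /* placeholder syscall number */
    printf("jal was -> 0x%08X\n", decode_jal_target(USER_BASE, user_text[0]));
    if (rehook_jal(user_text, USER_BASE, USER_BASE, stub_addr) == 0)
        printf("jal now -> 0x%08X, stub words %08X %08X\n",
               decode_jal_target(USER_BASE, user_text[0]), stub_words[0], stub_words[1]);
    return 0;
}
```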
