Advertising (This ad goes away for registered users. You can Login or Register)

VSH plugin for Bluetooth

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: VSH plugin for Bluetooth

Post by JJS » Sat Jan 01, 2011 8:34 am

Have some code now :D

This version implements the "syscall stub in user memory" technique I wrote about in the last post. So now not only does the checking function get hooked now, it also writes out a logfile to "ef0:/btfree_log.txt" with the found devices. The function will get called repeatedly with the same values, so there will be duplicates in the file and it will grow every 5 seconds maybe.

Code: Select all

#include <pspsdk.h> 
#include <pspkernel.h> 
#include <systemctrl.h> 
#include <psploadcore.h>
#include <string.h>
#include <stdio.h>


PSP_MODULE_INFO("btfree", 0x1000, 0, 0);


// Prototype not in the PSPSDK
int sceKernelQuerySystemCall(void* function);


// Just some error codes I found in the bt module
#define PSP_ERROR_BLUETOOTH_ALREADY_REGISTERED 0x802F0131
#define PSP_ERROR_BLUETOOTH_UNSUPPORTED_DEVICE 0x802F0135


#define MAKE_CALL(f) (0x0c000000 | (((u32)(f) >> 2)  & 0x03ffffff))
#define MAKE_SYSCALL(n) (0x03ffffff & (((u32)(n) << 6) | 0x0000000c))


// Previous start module handler
STMOD_HANDLER previousStartModuleHandler = NULL; 

// Address for the syscall stub in user memory
int blockAddress = 0;

// This struct is passed to sub_09498 in bluetooth_plugin_module
typedef struct
{
	u32 stuct_size; // size of this struct = 0x54
	u16 item_number; // first item in array has 1, second has 2
	u16 name[32]; // in unicode
	u16 unknown1;
	u8 major_service_class; // probably this
	u8 major_device_class; // 1 = PC, 2 = phone, 4 = audio/video, 5 = peripheral device
	u8 minor_device_class; // different meaning depending on the major class
	u8 unknown2;
	u32 unknown3; // always the same for a given device
	u16 unknown4; // always the same for a given device
	u16 unknown5;
}
btDeviceInfo;


// Function pointer to the original sub_09498 in bluetooth_plugin_module
int (*bluetooth_plugin_module_sub_09498)(int, btDeviceInfo*, int) = NULL;


void fillBufferFromWidechar(unsigned short* inputBuffer, char* outputText)
{
  int i;
  for (i = 0; inputBuffer[i]; i++)
  {
    outputText[i] = inputBuffer[i];
  }

  outputText[i] = 0;
}


void logFilePrintf(char* format, int arg1)
{
	SceUID logfile = sceIoOpen("ef0:/btfree_log.txt", PSP_O_CREAT | PSP_O_WRONLY | PSP_O_APPEND, 0777);

	if (logfile > -1)
	{
		char buffer[100];
		sprintf(buffer, format, arg1);
		sceIoWrite(logfile, buffer, strlen(buffer));
		sceIoClose(logfile);
	}
}



int bluetooth_plugin_module_sub_09498_hook(int unknown, btDeviceInfo* devices, int count)
{
	int k1 = pspSdkSetK1(0);

	if (count > 0)
	{
		// Log the device info
		logFilePrintf("--------------------\n", 0);
		
		char name[32];
		int i;

		for (i = 0; i < count; i++)
		{
			fillBufferFromWidechar(devices[i].name, name);
			logFilePrintf("name         : %s\n", (u32)name);
			logFilePrintf("unknown1     : 0x%08lX\n", (u32)devices[i].unknown1);
			logFilePrintf("major_srv_cl : 0x%08lX\n", (u32)devices[i].major_service_class);
			logFilePrintf("major_dev_cl : 0x%08lX\n", (u32)devices[i].major_device_class);
			logFilePrintf("minor_dev_cl : 0x%08lX\n", (u32)devices[i].minor_device_class);
			logFilePrintf("unknown1     : 0x%08lX\n", (u32)devices[i].unknown2);
			logFilePrintf("unknown2     : 0x%08lX\n", (u32)devices[i].unknown3);
			logFilePrintf("unknown3     : 0x%08lX\n", (u32)devices[i].unknown4);
			logFilePrintf("unknown4     : 0x%08lX\n", (u32)devices[i].unknown5);
			logFilePrintf("\n", 0);

			// Device class can be changed here
			//devices[i].major_device_class = 2;
			//devices[i].minor_device_class = 4;
		}
	}

	pspSdkSetK1(k1);

	// Call the original function
	return bluetooth_plugin_module_sub_09498(unknown, devices, count);
}




int on_module_start(SceModule2* mod) 
{
	// Get active on the Bluetooth VSH plugin
	if (strcmp(mod->modname, "bluetooth_plugin_module") == 0) 
	{ 
		logFilePrintf("Entering on_module_start\n", 0);

		// Store function pointer to the original sub_09498
		bluetooth_plugin_module_sub_09498 = (void*)(mod->text_addr + 0x00009498);
		logFilePrintf("bluetooth_plugin_module_sub_09498 = 0x%08lX\n", (u32)bluetooth_plugin_module_sub_09498);

		// Setup a syscall stub in user memory
		if (blockAddress == 0)
		{
			SceUID blockId = sceKernelAllocPartitionMemory(2, "btfree_stub", PSP_SMEM_Low, 2 * sizeof(int), NULL);
			logFilePrintf("blockId = 0x%08lX\n", (u32)blockId);

			blockAddress = (int)sceKernelGetBlockHeadAddr(blockId);
			logFilePrintf("blockAddress = 0x%08lX\n", (u32)blockAddress);

			// Get syscall of the hook function
			int syscall = sceKernelQuerySystemCall(&bluetooth_plugin_module_sub_09498_hook);
			logFilePrintf("syscall = 0x%08lX\n", (u32)syscall);

			// Write syscall stub
			_sw(0x03E00008, blockAddress); // jr $ra
			_sw(MAKE_SYSCALL(syscall), blockAddress + sizeof(int)); // syscall
		}

		// Hook the call to the original function in bluetooth_plugin_module
		_sw(MAKE_CALL(blockAddress), mod->text_addr + 0x000095A4);


		// Now patch sub_09498 to accept any device class

		// There is a check for the device type that goes something like this:
		//
		// if (((descriptor & 0x000000FF) == 0x00000005) || (...) || (...)))
		//
		// It gets changed to:
		//
		// if (((descriptor & 0x000000FF) != 0x0000FFFF) || (...) || (...)))
		//
		// The result is obviously that the statement always evaluates as true,
		// therefore no devices are rejected early.

		// write "li $t6, 0xFFFF", was "li $t6, 0x5"
		_sw(0x240EFFFF, mod->text_addr + 0x000094A8);

		// write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
		_sw(0x144E0003, mod->text_addr + 0x000094D4);
	} 

	// Call previously set start module handler if necessary
	if (previousStartModuleHandler)
		return previousStartModuleHandler(mod);
	else
		return 0;
} 



int module_start(SceSize args, void* argp)
{
	// Establish a handler that gets called before any modules "module_start" function is called.
	// A previous handler gets saved.
	previousStartModuleHandler = sctrlHENSetStartModuleHandler(on_module_start);

	return 0;
}





int module_stop(SceSize args, void* argp)
{
	// Restore the previous start module handler if there was one
	if (previousStartModuleHandler)
		sctrlHENSetStartModuleHandler(previousStartModuleHandler);

	return 0;
}

Edit: I thought it was fishy that bluetooth and usb were mutually exclusive, but now it all makes sense. The bluetooth module is obviously attached to the USB port. The driver for it is usbbsmcdc.prx. I also found were the LED is blinked, you could patch it in there in the function sub_00A24().
Advertising
Attachments
btfree2.zip
(5.25 KiB) Downloaded 131 times

Strangelove
Posts: 286
Joined: Thu Nov 25, 2010 6:32 pm

Re: VSH plugin for Bluetooth

Post by Strangelove » Sat Jan 01, 2011 3:16 pm

thought i'd ask where you plan on taking this project. can't remember having seen much bluetooth plugins from before. yet the possibilities seem wast.

here's some ideas:
- redirect audio to stream over bluetooth.
- redirect HID devices input to the PSPs input
- implement a MSC (mass storage device) for file transfer.
- implement a serial console to be used for pretty much anything (shell, debug, file transfer, VNC etc.)

not being a wiz on blutooth or anything... it would seem that you can rely on standard protocols a lot so you can avoid the need for special drivers on the target BT device. this would be ideal.

if you want remote shell you'd probably have to look at porting dash+busybox to the PSP first. ssh would be another app worth looking into porting.
Advertising
"If you have specific questions ... don't hesitate to ask as the more generic the question is the more philosophic the answer will be" - PSPWizard

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: VSH plugin for Bluetooth

Post by JJS » Sun Jan 02, 2011 9:26 am

Honestly I don't know if anything really useful will come out of this. I am no bluetooth wizard either, in fact I knew about nothing before I started looking into this.

There are several components to the bluetooth implementation on the GO: the hardware driver, a manager prx (massive in size), some sort of plugin for adding the dial-up feature to the network dialog and the management plugin for the VSH. So I am making baby steps right now in trying to understand how all fits together and what is done in certain functions.

KaZ
Posts: 158
Joined: Wed Sep 29, 2010 5:36 pm
Location: Flash0:/kd/PF0.prx

Re: VSH plugin for Bluetooth

Post by KaZ » Thu Jan 06, 2011 7:28 pm

JJS, can u register a PS3 controller without the use of the PS3 console via ur plugin? (dont have a ps3, have xbox 360 :D)

because if u can, im gonna go to the shops and buy a ps3 controller to use on my psp go :D

thedicemaster
Posts: 214
Joined: Mon Nov 15, 2010 1:35 pm

Re: VSH plugin for Bluetooth

Post by thedicemaster » Thu Jan 06, 2011 8:12 pm

i'm quite certain that's impossible with just a psp plugin.
you also need to register a mac-address in the controller itself, which can only be done with a device with a proper USB port and drivers.
although if the PSPgo-side of it could be done, there is a ps3-controller "driver" for the PC which allows you to write a mac-address to the controller.

KaZ
Posts: 158
Joined: Wed Sep 29, 2010 5:36 pm
Location: Flash0:/kd/PF0.prx

Re: VSH plugin for Bluetooth

Post by KaZ » Thu Jan 06, 2011 8:23 pm

thedicemaster wrote:i'm quite certain that's impossible with just a psp plugin.
you also need to register a mac-address in the controller itself, which can only be done with a device with a proper USB port and drivers.
although if the PSPgo-side of it could be done, there is a ps3-controller "driver" for the PC which allows you to write a mac-address to the controller.
Well then, ill wait for a proper answer wen some1 tested it and posts results here (:

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: VSH plugin for Bluetooth

Post by JJS » Thu Jan 06, 2011 9:08 pm

Would indeed be great if someone could try to register a PS3 controller with the plugin enabled. Trying to register without the PS3 I mean. It would be interesting if the controller shows up in the device list and if it can be paired.

thedicemaster
Posts: 214
Joined: Mon Nov 15, 2010 1:35 pm

Re: VSH plugin for Bluetooth

Post by thedicemaster » Thu Jan 06, 2011 9:24 pm

it's impossible to even try, despite being bluetooth PS3 controllers have no pairing mode.
the only way a PS3 controller can be used through bluetooth is by writing a mac-address to a memory chip on the controller through usb.
EDIT: hm, seems the plugin doesn't work on 6.35pro, crashes when entering bluetooth settings.

JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: VSH plugin for Bluetooth

Post by JJS » Thu Jan 06, 2011 9:44 pm

Ok, thanks for the explanation. The plugin is written for 6.20, so it will probably not work on any other firmware. Adapting it would be quite easy, I will see about that.

thedicemaster
Posts: 214
Joined: Mon Nov 15, 2010 1:35 pm

Re: VSH plugin for Bluetooth

Post by thedicemaster » Thu Jan 06, 2011 9:48 pm

actually, it's not a complete failure on 6.35.
i don't know if it will help you with making it work for 6.35, but it did log this much:

Code: Select all

Entering on_module_start
bluetooth_plugin_module_sub_09498 = 0x0A56C898
blockId = 0x04D84F77
blockAddress = 0x00000100
syscall = 0x8002013A
Entering on_module_start
bluetooth_plugin_module_sub_09498 = 0x0A56C698
blockId = 0x04D9E065
blockAddress = 0x00000100
syscall = 0x8002013A

Post Reply

Return to “Programming and Security”