Page 1 of 5
VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 7:28 am
by JJS
I was trying to get more functionality out of the Bluetooth function on the GO. A problem is that the device registration rejects devices based on their class. This means a PC will not show up in the device list, but e.g. a cell phone does. So I wrote a small plugin that patches the Bluetooth VSH module in memory to remove this early device rejection. This is only effective for the pairing phase, so the plugin can be disabled after a device was registered and it will still remain working.
main.c
Code: Select all
#include <pspsdk.h>
#include <pspkernel.h>
#include <systemctrl.h>
#include <psploadcore.h>
#include <string.h>
PSP_MODULE_INFO("btfree", 0x1000, 0, 0);
STMOD_HANDLER previousStartModuleHandler = NULL;
int on_module_start(SceModule2* mod)
{
// Get active on the Bluetooth VSH plugin
if (strcmp(mod->modname, "bluetooth_plugin_module") == 0)
{
// There is a check for the device type that goes something like this:
//
// if (((descriptor & 0x000000FF) == 0x00000005) || (...) || (...)))
//
// It gets changed to:
//
// if (((descriptor & 0x000000FF) != 0x0000FFFF) || (...) || (...)))
//
// The result is obviously that the statement always evaluates as true,
// therefore no devices are rejected early.
// write "li $t6, 0xFFFF", was "li $t6, 0x5"
*(u32*)(mod->text_addr + 0x000094A8) = 0x240EFFFF;
// write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
*(u32*)(mod->text_addr + 0x000094D4) = 0x144E0003;
}
// Call previously set start module handler if necessary
if (previousStartModuleHandler)
return previousStartModuleHandler(mod);
else
return 0;
}
int module_start(SceSize args, void* argp)
{
// Establish a handler that gets called before any modules "module_start" function is called.
// A previous handler gets saved.
previousStartModuleHandler = sctrlHENSetStartModuleHandler(on_module_start);
return 0;
}
int module_stop(SceSize args, void* argp)
{
// Restore the previous start module handler if there was one
if (previousStartModuleHandler)
sctrlHENSetStartModuleHandler(previousStartModuleHandler);
return 0;
}
Makefile and exports.exp are in the attachment. As well as the binary.
I never wrote a CFW plugin before, so comments are welcome.
I hope to get more out of this in the future. At the moment my PC shows up as an audio device and I can reroute the PSP GO audio through it (the PC acts like a headset). It shows DUN (dial-up network) and SSP (serial port profile = RS232 over BT) but I cannot use the PC as a modem for the GO. This is probably because the PC is discovered as an audio device and not a phone. I will try to patch the detected device class next to see if this can be influenced.
Re: VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 7:41 am
by ruyor
Awesome work JJS
It would be cool if somebody could get a Wiimote working. The PSP Go sees it, but when trying to pair it says "An error occurred during the register operation. This device is not supported." Maybe a custom driver is needed for something like this?
Re: VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 7:57 am
by JJS
From the disassembly I can see that the only supported device profiles are:
- SSP that all BT devices must support
- DUN for using a phone as a modem
- HID probably only for the PS3 controller
- AVRCP, audio remote control
- HSP for headsets
- A2DP for stereo audio output
So for anything not supported a custom driver will be needed, yes.
There's also something interesting with pairing a PS3 controller. If you enter the respective option, the PSP will load a USB driver for a game pad. I tried to load that driver in a homebrew, which succeeds. But I cannot press any buttons or anything. There are only two exported functions by the driver, one always returns 0, the other either crashes the thread or waits infinitly. I cannot tell as I cannot use PSPLink through that.
Re: VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 3:57 pm
by Draan
@JJS: good work!
A small tip: there is an _sw macro commonly used for patching, you don't need to do casting to u32, etc... for many many patches, it's a lot cleaner to read & less characters to type
Your patches would look in that way then:
Code: Select all
// write "li $t6, 0xFFFF", was "li $t6, 0x5"
_sw(0x240EFFFF, mod->text_addr + 0x94A8);
// write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
_sw(0x144E0003, mod->text_addr + 0x94D4);
Re: VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 4:49 pm
by Strangelove
Oooh, nice.
It did indeed allow my laptop to be found on a BT scan. *thumbs up*
Edit: Is there a chance you can set the bluetooth LED to blink only like once or twice per minute?
Re: VSH plugin for Bluetooth
Posted: Thu Dec 30, 2010 7:19 pm
by KaZ
Nice work, ill try getting the wii remote to work, by trying to modify the src
Great work though.
Re: VSH plugin for Bluetooth
Posted: Fri Dec 31, 2010 10:11 am
by JJS
@Draan: Thanks for the advice!
Strangelove wrote:It did indeed allow my laptop to be found on a BT scan.
As what device did it show up and could you connect to it?
Strangelove wrote:Is there a chance you can set the bluetooth LED to blink only like once or twice per minute?
It can surely be turned off completely with sceSysconCtrlLED(), maybe it can also be forced to blink at a different frequency with sceLedSetMode(). There is a
good thread about this on ps2dev. I can try doing that.
So, small update on this:
- That function in the game controller driver hangs because it waits for a semaphore. It probably waits for receiving a challenge from the host. It also has a different USB PID than the PS3 controller, so the PS3 might do some special handling when it is plugged in.
- I did hook that checking function I patched in the original source. This allowed me to extract some information about the struct used to describe a bluetooth device. I also spoofed the device class and this indeed allowed the PC to be added as a phone. Then the option to use it as a modem becomes available. Unfortunately it doesn't work. The bluetooth connection gets established, but it doesn't dial. I tried with the built in modem, but it doesn't receive anything. Another try with a fake software modem driver actually receives and sends some bytes, but then stops the connection.
I have a question: If I want to hook a function of a user mode module by rewriting the jal instruction, does the function I jump to has to be in user memory too? I tried jumping into my kernel module, but it only crashed the PSP. So I ended up writing a user mode module that contains the target function.
Edit: Another question, did someone try to register a PS3 controller? I mean directly, not the regular way through the PS3. If so, what happened?
Re: VSH plugin for Bluetooth
Posted: Fri Dec 31, 2010 10:36 am
by Strangelove
JJS wrote:Strangelove wrote:It did indeed allow my laptop to be found on a BT scan.
As what device did it show up and could you connect to it?
laptop w/ linux:
type: hid
profile: hsp, a3dp, avrcp
i could connect and i got up a dialogue where i could choose to accept the connection, however before i could press yes, the PSP already showed an error. I also got a message that the PSP attempted to start a service on my computer. only the service id was given I'm guessing it tried to ask for a sony-specific service.
and while i'm at it, my smart-phone:
type: hid
profile: dun
Re: VSH plugin for Bluetooth
Posted: Fri Dec 31, 2010 6:53 pm
by Dr. Soup
@JJS:
Using a usermode PRX is the easiest to do. You could however also copy the hooking function into user memory and patch the jal to point at your function. This isn't that much useful if you don't write that function in raw ASM to alloc the exact size of the function in user memory though (otherwise you'd waste some user memory). So in the end you see it depends on the situation
Re: VSH plugin for Bluetooth
Posted: Fri Dec 31, 2010 7:20 pm
by JJS
If I were to copy a function into memory myself I would have to also resolve any syscall it needs manually, right? But this might be ok for simple functions that don't have to call anything from outside.
An idea I had was to make the function an export in my kernel module so that it can be called with a syscall. It should be possible to then allocate 8 byte in user memory, write the "jr $ra; syscall <myfunction>;" in there and then have the patched jal jump into this.
There are two thing I am not sure about though:
1. Does the kernel assign syscalls to libraries that are not currently imported by a usermode module?
2. How to get the syscall number for a function?
Edit: Heh, should have searched before asking. The exact same thing got posted on
ps2dev. I am such a noob
.