
Reverse of TN HEN main function

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Reverse of TN HEN main function

Post by wololo » Mon Dec 27, 2010 11:21 pm

Congrats!
And for all those who don't understand why this thread is so important: those are the first necessary steps to porting the Hen to 6.35 without TN's help :mrgreen:
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

Phillyphries
Posts: 521
Joined: Tue Dec 21, 2010 8:40 am

Re: Reverse of TN HEN main function

Post by Phillyphries » Tue Dec 28, 2010 3:47 am

dang you guys are great! Total_Noob just opened up heck for Sony :D
Keep up the excellent work!
My CWCHEAT 6.20TN-A Tutorial
viewtopic.php?f=17&t=972
CoderPR & NitePR 6.20TN-A Tutorial
viewtopic.php?f=17&t=1054

Sirius
Posts: 103
Joined: Sat Dec 18, 2010 3:31 pm

Re: Reverse of TN HEN main function

Post by Sirius » Tue Dec 28, 2010 3:56 am

Congrats ;)

Having HEN open source is a good idea ;)

Phillyphries
Posts: 521
Joined: Tue Dec 21, 2010 8:40 am

Re: Reverse of TN HEN main function

Post by Phillyphries » Tue Dec 28, 2010 4:21 am

Yep! So now as Total_Noob gets busy, the programmers on this site can ease the load :)
By the way, may I ask how far along this project is coming?

Maddeath
Posts: 63
Joined: Sun Dec 26, 2010 9:57 am
Location: Russia

Re: Reverse of TN HEN main function

Post by Maddeath » Tue Dec 28, 2010 6:50 am

wololo wrote: And for all those who don't understand why this thread is so important: those are the first necessary steps to porting the Hen to 6.35 without TN's help
Only for 6.35 HEN or for 4g with 6.20 too? Anyway great work guys keep it up!
Sorry for my English =)))
PSP 3008 04g
6.20 HEN TN A (VF) -> 6.20 HEN TN B -> 6.20 HEN TN C -> 6.35 Pro-B -> 6.35 Pro-B2 -> 6.20 HEN TN D

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Reverse of TN HEN main function

Post by wololo » Tue Dec 28, 2010 7:40 am

I probably started that so apologies, but let's keep the discussions in this thread to a technical level from now on. We don't want pages of "congrats" or questions about this.

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw » Tue Dec 28, 2010 9:41 am

Got some other urgent thing to do in this week. Hopefully I can get back to it before weekend.
Just opened up a project on googlecode at http://code.google.com/p/hen/ . My English is terrible, so please bear with the wiki page.
If somebody is willing to join, please PM me.

FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm

Re: Reverse of TN HEN main function

Post by FrEdDy » Tue Dec 28, 2010 10:47 am

jigsaw wrote:Finally got it working on PSP3004, g4. :D Here's the working code of VFlame version.
Many thanks to JJS and FrEdDy. The rebootex_bin is copied from FrEdDy, and the search for the string sceVshHV is copied from JJS. Note that if I use strncmp directly it just crashes.
Now it's time for me to start reading rebootex.


#include <stdio.h>
#include <string.h>

#include "pspsdk.h"
#include "pspkernel.h"
#include "psputility.h"
#include "psputilsforkernel.h"

PSP_MODULE_INFO("TEST", 0, 1, 0);

#define REBOOT_BIN_SZ 29168

static unsigned char rebootex_bin[];
static int (*func_rebootex)(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int);
static int model;

#define set_value(__addr, __value) do {\
	*((unsigned int *) (__addr)) = (unsigned int) (__value);\
} while (0)

/* sub_000002B4 */
static int
rebootex_callback(unsigned int a1, unsigned int a2, unsigned int a3, 
		unsigned int a4, unsigned int a5)
{
	char *s, *s2;

	s = (char *) 0x88FC0000;
	s2 = (char *) (rebootex_bin + 0x77040000 + 0x88FC0000);
	while (s < (char *) 0x88FC71F0) {
		*s = *s2;
		s++;
		s2++;
	}

	s = (char *) 0x88FB0000;
	while (s < (char *) 0x88FB0100) {
		*s = 0;
		s++;
	}

	set_value(0x88FB0004, REBOOT_BIN_SZ);
	set_value(0x88FB0000, model);

	return func_rebootex(a1, a2, a3, a4, a5);
}


/* sub_00000328 */
static int
power_callback(void)
{
	unsigned int (*f1)(char *) = (void *) 0x8801EB78;
	int (*f2)(void) = (void *) 0x8800A1C4;
	void (*f3)(void) = (void *) 0x88000E98;
	void (*f4)(void) = (void *) 0x88000744;
	unsigned int addr;
	unsigned int callback = (unsigned int) rebootex_callback;
	int m;

	addr = f1("sceLoadExec");
	addr += 108;
	addr = *(unsigned int *) addr;

	m = f2();

	if (m == 3)
		m = 2;
	model = m;
	m ^= 4;

	callback >>= 2;
	callback &= 0x03FFFFFF;
	callback |= 0x0C000000;
	set_value(addr + ((m == 0) ? 0x2F28 : 0x2CD8), callback);

	set_value(addr + ((m == 0) ? 0x2F74 : 0x2D24), 0x3C0188FC);

	set_value(0x8800CCB0, 0xACC24230);
	set_value(0x8800CCB4, 0x0A003322);
	set_value(0x8800CCB8, 0x00001021);
	set_value(0x8800CCBC, 0x3C058801);

	func_rebootex = (void *) addr;

	f3();
	f4();

	return 0;
}

static void
clear_cache(void)
{
	sceKernelIcacheInvalidateAll();
	sceKernelDcacheWritebackInvalidateAll();
}

int
main(void)
{
	char buf[168];
	pspUtilityHtmlViewerParam *param = (pspUtilityHtmlViewerParam *) buf;
	unsigned int *p = (unsigned int *) buf;
	SceUID sceuid;
	unsigned int intr;
	unsigned int* address_low = (unsigned int *) 0x08800000;
	unsigned int* address_high = (unsigned int *) 0x08800004;
	/* prototype of sceUtility_private_2DC8380C, scePower_driver_CE5D389B */
	int (*f1)(int);
	/* prototype of sceUtility_private_764F5A3C, scePower_driver_1A41E0ED */
	void *(*f2)(int, SceUID);

	memset(buf, 0, 168);
	*p = 168;
	p += 4;
	*p = 19;

	sceUtilityHtmlViewerInitStart(param);
	sceKernelDelayThread(1000000);

	while (address_high < (unsigned int *) 0x0A000000) {
		if ((*address_low == 0x56656373) && (*address_high == 0x56486873))
			goto found;

		address_low++;
		address_high++;
	}
	goto out;

found:
	memset((void *) 0x08800000, 0, 0x00100000);
	f1 = (void*) ((unsigned int) address_low - 648U); /* sceUtility_private_2DC8380C */
	f1(0x08080000);
	clear_cache();

	p = (unsigned int *) 0x08800000;

	do {
		if (*p == 0xFFFFFFFF)
			goto found2;
		p++;
	} while (p < (unsigned int *) 0x08900000);

	goto out;

found2:
	sceuid = sceKernelCreateCallback("test", 0, 0);
	f2 = (void *) ((unsigned int) address_low - 624U); /* sceUtility_private_764F5A3C */
	f2((0x0880CCB0U -(unsigned int) p) >> 4, sceuid);
	clear_cache();

	p = (unsigned int *) 0x08800010;
	*p = (unsigned int) power_callback;
	p = (unsigned int *) 0x08804234;
	*p = 0x08800000;
	clear_cache();

	intr = sceKernelCpuSuspendIntr();
	sceKernelPowerLock(0, 0x08800000);
	sceKernelCpuResumeIntr(intr);

out:
	sceKernelExitGame();
	sceKernelExitDeleteThread(0);

	return 1;
}
Your set_value function is kinda useless, you could use _sw and _lw
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw » Tue Dec 28, 2010 11:00 am

FrEdDy wrote: Your set_value function is kinda useless, you could use _sw and _lw
Thanks for noticing. I didn't know there are such macros. I'll fix it.

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Reverse of TN HEN main function

Post by m0skit0 » Tue Dec 28, 2010 11:47 am

Nice job again! And nice idea to make open-sourced stuff. I just hope you won't change your mind like dridri :lol:

On the technical side, that C code can be improved, for example removing all the gotos, which are just horrible. On the other side, if you write your own strncmp() (which is very easy) it should work.

For people who aren't going to enter the technical discussion, please abstain from posting useless posts, let's keep this thread clean :roll:
I wanna lots of mov al,0xb
"just not into this RA stuffz"
