
Reverse of TN HEN main function

exploitcrash
Banned
Posts: 13
Joined: Wed Feb 23, 2011 10:31 am

Re: Reverse of TN HEN main function

Post by exploitcrash »

The HEN works OK and it loads homebrews, but when I press SELECT nothing appears.
juggernaut6613
Posts: 29
Joined: Tue Jan 18, 2011 7:32 am

Re: Reverse of TN HEN main function

Post by juggernaut6613 »

exploitcrash wrote: The HEN works OK and it loads homebrews, but when I press SELECT nothing appears.
Did you compile satelite.prx and copy it to the root of your memory stick... :roll:
PSP 3000 6.20 PRO-B5 Permanent Patch :D
exploitcrash
Banned
Posts: 13
Joined: Wed Feb 23, 2011 10:31 am

Re: Reverse of TN HEN main function

Post by exploitcrash »

Nope,
but thanks.
kgsws
Guru
Posts: 77
Joined: Wed Jan 05, 2011 9:51 am

Permanent HEN

Post by kgsws »

I made this HEN permanent, it will go on even after reboot. :)

I renamed the original vshmain.prx to vshorig.prx, replaced the original vshmain.prx with the HEN loader (modified to use power imports and not the HTML hack), and modified the rebootex code to this:

Code:

void
rename_module(void *a0, char *mod_name, char *neu_mod_name)
{
	ModuleEntry *pmod;
	int i, len;
	char *modules_start, *names_start;
	BtcnfHeader *hdr = a0;   /* a0 points at the decrypted btcnf image */

	modules_start = (char *) a0 + hdr->modules_start;
	names_start = (char *) a0 + hdr->names_start;

	pmod = (ModuleEntry *) modules_start;
	len = __strlen(mod_name) + 1;   /* compare and copy including the terminating NUL */

	if (hdr->modules_nr < 0)
		return;

	/* search mod by name */
	for (i = 0; i < hdr->modules_nr; i++) {
		if (!__memcmp(names_start + pmod->name, mod_name, len))
			break;
		pmod++;
	}
	if (i == hdr->modules_nr)
		return;   /* module not present in this btcnf */

	/* overwrite the name in place; neu_mod_name must have the same length as mod_name */
	__memcpy(names_start + pmod->name, neu_mod_name, len);
}

int
sceBootDecryptPSP_Patched(void *a0, void *a1)
{
	int r;

	r = sceBootDecryptPSP(a0, a1);
	/* after decryption the btcnf is plain in memory: inject the HEN module and swap the VSH entry */
	inject_module(a0, "/kd/init.prx", HEN_STR, 255);
	rename_module(a0, "/vsh/module/vshmain.prx", "/vsh/module/vshorig.prx");

	return r;
}
You have to pack the fake vshmain.prx as explained here; of course, use the original vshmain.prx as the base and not lfatfs.

Tested on PSP-1000, TA-079.
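The posted rename_module overwrites the name string in place with exactly strlen(old)+1 bytes, so it only stays safe when the new name has the same length and the entry's name offset really lies inside the name pool. The following is an added example, not kgsws's code, with a constructed header/entry layout (assumed for illustration, not the real pspbtcnf format) and a checked variant that rejects length mismatches and out-of-bounds offsets:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout for illustration only; the real PSP btcnf header differs. */
typedef struct {
    uint32_t modules_start; /* offset of the ModuleEntry array from the blob start */
    uint32_t modules_nr;    /* number of entries */
    uint32_t names_start;   /* offset of the NUL-separated name pool */
    uint32_t names_size;    /* size of the name pool in bytes */
} BtcnfHeader;
typedef struct { uint32_t name; } ModuleEntry; /* offset of this entry's name in the pool */

enum { RENAME_OK = 0, RENAME_NOT_FOUND = -1, RENAME_LEN_MISMATCH = -2, RENAME_OOB = -3 };

/* Same search as the posted rename_module, but refuses a rename that would change
 * the string length in place or touch memory outside the table and name pool. */
int rename_module_checked(void *a0, size_t blob_len, const char *mod_name, const char *new_name)
{
    BtcnfHeader *hdr = a0;
    size_t len = strlen(mod_name) + 1;                   /* compare/copy including the NUL */
    if (strlen(new_name) + 1 != len)
        return RENAME_LEN_MISMATCH;                      /* would truncate or run into the next name */
    if ((size_t)hdr->modules_start + (size_t)hdr->modules_nr * sizeof(ModuleEntry) > blob_len ||
        (size_t)hdr->names_start + hdr->names_size > blob_len)
        return RENAME_OOB;                               /* header claims more than the blob holds */
    ModuleEntry *pmod = (ModuleEntry *)((char *)a0 + hdr->modules_start);
    char *names = (char *)a0 + hdr->names_start;
    for (uint32_t i = 0; i < hdr->modules_nr; i++, pmod++) {
        if ((size_t)pmod->name + len > hdr->names_size)
            continue;                                    /* this entry's name cannot hold mod_name */
        if (memcmp(names + pmod->name, mod_name, len) == 0) {
            memcpy(names + pmod->name, new_name, len);
            return RENAME_OK;
        }
    }
    return RENAME_NOT_FOUND;
}

/* Constructed sample blob: header, two entries, name pool with names at offsets 0 and 13. */
#define POOL "/kd/init.prx\0/vsh/module/vshmain.prx\0"
unsigned char blob[128];
size_t build_sample(void)
{
    BtcnfHeader hdr = { sizeof(BtcnfHeader), 2, sizeof(BtcnfHeader) + 2 * sizeof(ModuleEntry), sizeof POOL - 1 };
    ModuleEntry ents[2] = { { 0 }, { 13 } };
    memcpy(blob, &hdr, sizeof hdr);
    memcpy(blob + hdr.modules_start, ents, sizeof ents);
    memcpy(blob + hdr.names_start, POOL, hdr.names_size);
    return hdr.names_start + hdr.names_size;             /* total blob length */
}
const char *module_name_at(size_t idx)                   /* read back entry idx's name */
{
    BtcnfHeader *hdr = (BtcnfHeader *)blob;
    ModuleEntry *ents = (ModuleEntry *)(blob + hdr->modules_start);
    return (const char *)blob + hdr->names_start + ents[idx].name;
}
```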
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

@kgsws Fantastic!!!!!!!!! :o I think it deserves a branch. However, it will be difficult for me to commit it because I have only a PSP3004 and I'm still in need of OFW. I'll see how I can test and commit it.

FYI
I'm still working on the HEN because I started the LFTV protocol reverse.
I added 2 exports to systemctrl so that it's convenient to add hooks to VSH modules (e.g. the lftv module).

Code:

/* SystemCtrlForUser_62CAC4CF */
extern void sctrlPatchModule(char *name, u32 patch, u32 offset);

/* SystemCtrlForUser_2A868045 */
extern u32 sctrlModuleTextAddr(char *name);
EDITED for sctrlPatchModule
Last edited by jigsaw on Sat Mar 05, 2011 10:21 pm, edited 2 times in total.
Valantin
Posts: 89
Joined: Mon Jan 03, 2011 3:11 pm

Re: Reverse of TN HEN main function

Post by Valantin »

@jigsaw if needed I can test on my PSP1000 :D
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

Valantin wrote: @jigsaw if needed I can test on my PSP1000 :D
Yes please. And once it's done, please let me know. :D
kgsws
Guru
Posts: 77
Joined: Wed Jan 05, 2011 9:51 am

Re: Reverse of TN HEN main function

Post by kgsws »

I think it might now be better to just copy systemcontrol.prx (and all other CFW PRXes) to flash0. It will make the sceBootLfat patches obsolete.
Now I will try to make a simple installer (that will do all the encryption on each PSP, to be safe).

Also, it is possible to add a recovery menu to the fake vshmain.prx, and maybe a "CFW logo", since it shows debug text on first boot.
Valantin
Posts: 89
Joined: Mon Jan 03, 2011 3:11 pm

Re: Reverse of TN HEN main function

Post by Valantin »

jigsaw wrote:
Valantin wrote: @jigsaw if needed I can test on my PSP1000 :D
Yes please. And once it's done, please let me know. :D
LOL, there was a misunderstanding.
I'm currently working there.
If you post a sample, I'll test it, and maybe I can help with the development.

I have no experience with the kirk-engine, and I do not know where to start.

@kgsws I do not understand why you use the HEN at all. If you can pretend that the HEN loader is the original vshmain.prx, why not use systemctrl directly?
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

Just a reminder to those who are interested in extending this HEN:

Please update your local revision up to rev 231, because from rev 232 on the lftv patch is introduced. I guess most of you won't be interested in that, which is for debugging/testing the lftv protocol only.
I'm considering adding a branch which sticks to the pure HEN (w/o lftv), a second branch for flash0, while the trunk keeps going with lftv.

EDIT:

2 branches added, both based on rev 231.

branches/original is for the original HEN. This branch is for bug fixing of the original HEN only. Any bug fix will be merged to the other branch(es) and trunk.

branches/cfw is for the permanent CFW. This branch is for kgsws's CFW.

trunk will be the playground for other new features such as lftv.