forums.ps2dev.org

You can use PRXTool to do disasm of the main binary executable of the game, it will give you the stub adresses for everything the game imports.

You can the use those to call the functions the game imports.

That's what has been done for the Sparta-SDK by Freeplay and MaTiAz.

But when you need to write code, such as code which an exploit jumps into, how would external calls be resolved then? In such cases you would need to manually find the functions right? THAT exactely is my situation in this case! The MIPS itself isn't the problem, finding the function tables is. Whe...

Thanks :) That already helps alot!

What I don't get is, when I just do a "jal sceKernelDelayThread", where and how does it get the actual address of "sceKernelDelayThread" to jump to?

Anyway, this is enough to get started already, I think, thanks again! :)

I know I'm probably going to be stoned to death, but I'll take my chance and ask anyway.... Let's say I have a small block of raw ASM code, injected to somewhere in the PSPs RAM and jumped in to. Is there a good and known way of calling syscalls (like sceIoOpen and stuff) from there? Since I'm not h...

If you just compile it to an EBOOT and send it to them, they will know the second the signing process starts due to that fixed, always the same, game ID "our" SDK puts into the EBOOTs: UCJS10041 Again, that can be fixed easiely by adding an option to provide an own (maybe that option even ...

The Sony keys that are stored in files ARE found (w/o we wouldn't have PSARDumper and the such). Some keys are embedded in the crypto hardware of the PSP and have NOT been found (but the functions to use it have :p) AES/RSA is asymetric, so even when you have found the key embedded in some other fil...

You can't. It's only a hash, not the complete encrypted data. However SHA-1 is more or less broken, so if you got the tool and powerfull machines to do it, you could generate data that results in the same has value - if it's what you are looking for is another thing then.... (could only be a "c...

The XMB uses a pre-made extra graphic for every icons glow effect.
It just puts the "glow" gfaphic under the icon and fades it in and out in a loop.

Take a look at the .RCOs in /vsh/resource, you'll see those glow-images in there.

Did the Dopen succeed? WHAT error number is it giving you? Any code snippets of what you're doing? What are you trying to do at all? (besides reading a dir, which one?)

Carefully check any compiler errors or warnings.
Got any?

Here's some good, old, well known xD USB code snipped, that I had modified a while back for checking USB access and counting the ammount of data.

Not too nice, but does the job.

http://pb.area-42.net/?show=22

I remember doing this, including counting the ammount of data transfered, im my old pandora menu.... I hooked somewhere in the IoRead/IoWrite functions of the driver IIRC, set a flag to tell my other functions about a transfer in progress and counted the bytes in a global variable.... The solution I...

Isn't the signcheck performed when the module is already completely loaded into memory?
If so, what good would altering the MS data do after the signcheck has been done?

Most certainly software exploits.... but a small hole in the PreIPL would be sweet as sugar :D

As far as I got dcPatchModule: void dcPatchModule( char* modName, int unk, int value, int offset); Given unk is "1" (it's only used that way, so far) it does this: mod = (u32)sceFindModuleByName( modName ); _sh( value, mod+offset &...

AFAIK he loads dcman at boot time (pspbtcfg).

The format function indeed seems to be only a bridge, the more magic thing is dcPatchModule - but I have yet to inderstand why he also patches when OFW is to be installed....

/** * Set Bus Frequency * @param busfreq - new BUS frequency, valid values are 1 - 167 */ int scePowerSetBusClockFrequency(int busfreq); That should be the one for setting the CPU, but something happened in 3.71 and later, not sure if it still works propperly.... worth a try :) The display getting ...

One question while we're at it:

Are you using the original functions of the FW to show the GUI (paf.prx and the such) or did you re-code it based on your reversal?

1.50 or 3.xx kernel?

1.50 can not handle > 4G, in 3.xx kernel it should work....

The archive of the .PRX also contains it's source. So if you'd rather do stuff in your own code, than loading several .PRXs, you can look there how and what to do to achive the same result. Anyway, if still wanted, I can post my WriteFile snipped, that uses the sctrlSetUserLeverl call to get the nec...

Thanx again!

I just tried, and it works perfectly!
Didn't load the entire .PRX, just wrapped the SetUserlevel calls around my file IO, and everything is fine now!

Great that you put the source in the archive as well, so I can incorporate rge bits I need into my existing kernel module :)

I think the header include is all the documentation you need. The parameters of the functions are briefly, but to the point, explained and the struct definitions are present in their full beauty :) If you have any questions left, don't hasitate to ask, I used those functions a lot myself lately for ...

Oh, this is GREAT :)

Many, many thanks, I will give it a try as soon as possible and report back :)


Once this bit works, I can finally finish the first version of my app :)

RightDirection* ThereYouGo; There you have your pointer :p Yah, bad joke, I know, sorry.... here something (hopefulle) more helpfull ;) You can use sceIoDopen() to open a directory and sceIoDread() to "scan" through the directories entries. (every call of sceIoDread() puts the next entry i...

@pspZorba: That's worth a try, will do once I get home. However, I'd like to avoid M33 specific special functions, as my app might run on CFWs not containing them (older OEs, or such). Are the main thread flags set to PSP_THREAD_ATTR_VSH aswell? Aye! They are.... :-/ Weird thing.... Do I have to &qu...

can you tell us more on hb mode ( kernel , vsh ?)and on cfw version? The main binary is VSH (0x800), tried both, calling from there or from my kernel mode .PRX that get loaded/started by the main module (didn't forget the SetK1 as well). FW I so far tried is 4.01-M33 Use vsh mode (flags 0x800), unl...

Hi there :) In my little app, I am currently finishing, I want to WRITE a file to flash2:/ (NO, not via USB, only from inside the app) (NO, I am NOT trying to hack anything, only RESTORING the PSN activation data) The usual unassing and reassign chain doesn't seem to work: sceIoUnassign( &qu...

The max. value I have tested myself so far is 22.5 MB - working on Fat and Slim.

I think I even did 23MB once, but I'm not sure yet....

Hi! First off: - Yes, I am using the updater modules, yes they are from the right FW/Updater - Yes, the IPL in the NAND is the correct one for the flashed FW - No, I did not forget the M33 additional files So, now my issue: I made an app (or at lease I'm trying to) that flashes a fresh CFW onto the ...

You can make a kernel mode module, load that and kill the VSH from there - or at least try. And here comes a problem of my own, similar to this one: - I am in 3.xx kernel (4.01 ATM, to be precise) - I am in kernel mode (kernel .PRX, loaded from my VSH mode one (0x800)) - I did sceIoUnassign() flash0...