RE on pspnet.prx...

Discuss the development of new homebrew software, tools and libraries.

ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

RE on pspnet.prx...

Post by ab5000 »

Hi.
I've done some RE on pspnet.prx (3.52) and I've discovered some interesting things. The first file I analysed was the "wlanscan" PSPSDK example. Then I reversed the sceNetConfigUpInterface (also sceNet_lib_5216CBF5) function. In this function there are 2 ioctls.
First the function saves the first argument $a0 (normally it's the string "wlan") to $s0. Then using memset it fills 32 bytes from $a0 with 0 (so $a0 is 32 bytes). Using strncpy it copies $s0 onto the stack. Then it does the first ioctl:

    a0 = 0 -> File Descriptor
    a1 = (0xC020 << 16) | 0x6911 = 0xC0206911 -> Command
    a2 = $sp -> Arguments (on the stack; with strncpy the function saved the first argument there, normally "wlan")

If the ioctl fails (return code != 0) it returns; otherwise it does another ioctl:

    a0 = 0 -> File Descriptor
    a1 = (0x8020 << 16) | 0x6910 = 0x80206910 -> Command
    a2 = $sp -> Arguments (normally "wlan")
    a3 = 1

I've found an interesting page. Simply google "C0206911 ioctl" and open the first result, then search for "C0206911" on it. The two commands are on this page. Can someone identify this page? Another strange thing is the FD: 0 is a valid FD, but when was it opened? I think this FD is a "bridge" to the kernel. If it is, the argument "wlan" can simply be a way to tell the kernel which device you want to control.
What do you think?

ab5000.
Last edited by ab5000 on Sun Jun 22, 2008 11:43 pm, edited 1 time in total.
adrahil
Posts: 274
Joined: Thu Mar 16, 2006 1:55 am

Post by adrahil »

What you stumbled on on Google is the OpenVMS TCP/IP services specification, which is probably the base of the PSP's networking system. (Is SCE so cheap that they hire retired OpenVMS engineers as system designers?)

Anyways, it's good you found that page, as now it will be possible to map the sceNet ioctls and probably find out a few more sceNet function names...
ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Post by ab5000 »

I've looked at other ioctls in pspnet. The form of the command is the same:

    lui $v0, 0xAAAA
    ori $a1, $v0, 0xBBBB

so:

    $v0 = 0xAAAA << 16
    $a1 = $v0 | 0xBBBB

    $a1 = (0xAAAA << 16) | 0xBBBB
hlide
Posts: 739
Joined: Sun Sep 10, 2006 2:31 am

Post by hlide »

adrahil wrote:What you stumbled on on google is the OpenVMS TCP/IP services specification, which is probably the base of the PSP's networking system. (Is SCE so cheap that they hire retired OpenVMS engineers as system designers?)

Anyways, it's good you found that page, as now it will be possible to map the sceNet ioctls and probably find out a few more sceNet function names...
Nah! This command is SIOCGIFFLAGS, and if you google it you'll find it is present in several OSes like Linux/Solaris/HP-UX. So I'm doubtful Sony hired any OpenVMS engineers :P.
adrahil
Posts: 274
Joined: Thu Mar 16, 2006 1:55 am

Post by adrahil »

http://starlet.deltatel.ru/sys$common/s ... netdef.for

This is from OpenVMS... Check out the link "OpenVMS SYS$LIBRARY directory" on http://starlet.deltatel.ru/tech-stuff.htm ...

And http://www.uni-giessen.de/faq/archiv/de ... 00000.html says that UCX is a TCP/IP stack on VMS...

You're right in saying that the SIO* ioctls are present in BSD sockets, but their values are different from the VMS implementation.
ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Post by ab5000 »

A partial list of commands:

    sceNet_lib_B755FA98

    Command 1 = (0xC020 << 16) | 0x69D4 = 0xC02069D4
    Command 2 = (0xC018 << 16) | 0x69D6 = 0xC01869D6

    sceNet_lib_D5B64E37

    Command 1 = (0xC020 << 16) | 0x69D4 = 0xC02069D4
    Command 2 = (0xC018 << 16) | 0x69D6 = 0xC01869D6
    Command 3 = (0xC020 << 16) | 0x69D4 = 0xC02069D4
    Command 4 = (0xC018 << 16) | 0x69D6 = 0xC01869D6
    Command 5 = (0xC018 << 16) | 0x69D5 = 0xC01869D5

    sceNet_lib_DA02F383

    Command 1 = (0xC014 << 16) | 0x69D8 = 0xC01469D8

    sceNet_lib_83FE280A

    Command 1 = (0x8014 << 16) | 0x69DD = 0x801469DD

Note that:

    (0xAAAA << 16) | 0xBBB = 0xAAAABBBB

because:

    0xAAAA << 16 = 0xAAAA0000

    1 OR 1 = 1
    1 OR 0 = 1
    0 OR 1 = 1
    0 OR 0 = 0

    0xAAAA0000 | 0x0000BBBB = 0xAAAABBBB
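Editor's note: the following decoder is an added example, not code from the thread or from Sony's pspnet.prx. It assumes the PSP's command words follow the BSD <sys/ioccom.h> layout, which is the layout under which hlide's identification of 0xC0206911 as SIOCGIFFLAGS holds: three direction bits at the top, a 13-bit parameter length, a group character and a command number. Under that assumption the length field of the two sceNetConfigUpInterface commands is 32, which matches the 32-byte buffer zeroed with memset in the opening post (a BSD struct ifreq is 32 bytes), the group byte 0x69 is 'i' (interface requests), and the second command, 0x80206910, rebuilds as _IOW('i', 16, struct ifreq), i.e. SIOCSIFFLAGS: read the interface flags, then write them back with the interface up. The 0x69D4..0x69DD numbers decode to the same group with lengths 32, 24 and 20, but they sit outside the standard BSD sockio request numbers, so the code decodes their structure and assigns them no names.

```c
#include <stdint.h>
#include <stdio.h>

/* BSD <sys/ioccom.h> command-word layout (assumed here for the PSP, see lead-in):
 *   bits 31..29  direction: IOC_VOID, IOC_OUT (kernel->user), IOC_IN (user->kernel)
 *   bits 28..16  parameter length in bytes (13 bits)
 *   bits 15..8   group character, 'i' (0x69) for interface requests
 *   bits  7..0   command number inside the group
 */
#define IOC_VOID     0x20000000u
#define IOC_OUT      0x40000000u
#define IOC_IN       0x80000000u
#define IOC_INOUT    (IOC_IN | IOC_OUT)
#define IOC_DIRMASK  0xe0000000u
#define IOCPARM_MASK 0x1fffu

struct ioc_fields {
    uint32_t dir;    /* one of the IOC_* direction values */
    uint32_t len;    /* parameter size in bytes */
    char     group;  /* group character */
    uint32_t num;    /* command number within the group */
};

/* Split a command word into its four fields. */
static struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir   = cmd & IOC_DIRMASK;
    f.len   = (cmd >> 16) & IOCPARM_MASK;
    f.group = (char)((cmd >> 8) & 0xffu);
    f.num   = cmd & 0xffu;
    return f;
}

/* Inverse of ioc_decode: the BSD _IOC(inout, group, num, len) macro. */
static uint32_t ioc_encode(uint32_t dir, char group, uint32_t num, uint32_t len)
{
    return dir
         | ((len & IOCPARM_MASK) << 16)
         | ((uint32_t)(unsigned char)group << 8)
         | (num & 0xffu);
}

/* _IOW / _IOR / _IOWR with the parameter size passed explicitly. */
#define IOW(g, n, len)  ioc_encode(IOC_IN,    (g), (n), (len))
#define IOR(g, n, len)  ioc_encode(IOC_OUT,   (g), (n), (len))
#define IOWR(g, n, len) ioc_encode(IOC_INOUT, (g), (n), (len))

/* BSD struct ifreq: 16-byte ifr_name plus a 16-byte union, 32 bytes in total.
 * This is the size of the buffer the opening post describes being zeroed with
 * memset and filled with "wlan" via strncpy before the ioctl. */
#define SIZEOF_IFREQ 32u

static const char *ioc_dir_name(uint32_t dir)
{
    switch (dir) {
    case IOC_VOID:  return "VOID";
    case IOC_OUT:   return "OUT (kernel->user)";
    case IOC_IN:    return "IN  (user->kernel)";
    case IOC_INOUT: return "INOUT";
    default:        return "invalid";
    }
}

static void ioc_print(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    printf("0x%08X  dir=%-19s len=%2u  group='%c'  num=%3u (0x%02X)\n",
           cmd, ioc_dir_name(f.dir), f.len, f.group, f.num, f.num);
}

int main(void)
{
    /* Command words quoted in this thread. */
    static const uint32_t from_thread[] = {
        0xC0206911u, 0x80206910u,               /* sceNetConfigUpInterface */
        0xC02069D4u, 0xC01869D6u, 0xC01869D5u,  /* sceNet_lib_B755FA98 / D5B64E37 */
        0xC01469D8u, 0x801469DDu                /* sceNet_lib_DA02F383 / 83FE280A */
    };
    for (size_t i = 0; i < sizeof from_thread / sizeof from_thread[0]; i++)
        ioc_print(from_thread[i]);

    /* In BSD <sys/sockio.h>: SIOCSIFFLAGS = _IOW('i', 16, struct ifreq),
     * SIOCGIFFLAGS = _IOWR('i', 17, struct ifreq). Rebuild them and compare
     * against the values found in sceNetConfigUpInterface. */
    printf("SIOCGIFFLAGS = 0x%08X (thread: 0xC0206911)\n", IOWR('i', 17, SIZEOF_IFREQ));
    printf("SIOCSIFFLAGS = 0x%08X (thread: 0x80206910)\n", IOW('i', 16, SIZEOF_IFREQ));
    return 0;
}
```

The decoder gives the direction and the size of the argument struct for each command, which is what you need when you then look at how the disassembly fills the buffer: a 24-byte or 20-byte INOUT request tells you how much of the stack the function expects the kernel to write back, and an IOC_IN-only request (0x801469DD) tells you the function only passes data down.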
hlide
Posts: 739
Joined: Sun Sep 10, 2006 2:31 am

Post by hlide »

And?

Why are you trying so hard to teach us how to get a 32-bit constant through a LUI/ORI pair?

Note that:

    (0xAAAA << 16) | 0xBBB = 0xAAAABBBB

I would say: 0xAAAA0BBB :P

More seriously, if you plan to give us a detailed list, you should insist on getting their (hypothetical) associated names rather than teaching us how to get those numbers.
adrahil
Posts: 274
Joined: Thu Mar 16, 2006 1:55 am

Post by adrahil »

Try to find out what those commands DO.... It will be better :)
ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Post by ab5000 »

Look at this: http://starlet.deltatel.ru/disk$axpdocs ... l_commands

but I can't find the codes...