NSKBL: Difference between revisions

NSKBL is a program that performs emmc setup, base kernel module loading, etc. during PSVita boot.

Module

The non-secure kernel bootloader contains an embedded and likely stripped version of SceSysmem, SceKernelModulemgr, SceSblSmschedProxy, SceExcpmgr, SceKernelIntrMgr, SceSblAuthMgr, SceProcessmgr (maybe), SceSdif, SceIofilemgr (Simple version?), and some other core drivers.

How to debug NSKBL

NSKBL reads from sd0: instead, if a read error(?) occurs in os0: during PSVita startup.

But, in order to generate os0: read errors, os0: must be damaged in some way, so there must be a way to physically recover vita.

types

/* Many ptrs are NSKBL heap relationships */
typedef struct SceNskblSysrootInfo {
	SceUID unk_0x00; // ex:0x10089
	int unk_0x04;
	void *unk_0x08;
	void *unk_0x0C;
	void *unk_0x10;
	void *unk_0x14;
	void *unk_0x18;
	void *unk_0x1C;
	void *unk_0x20;
	void *unk_0x24;
	void *unk_0x28;
	void *unk_0x2C;
	SceUID unk_0x30; // ex:0x1000B
	const void *unk_0x34; // mapped paddr in vaddr
	const void *unk_0x38; // mapped paddr in vaddr
	void *unk_0x3C;
	int unk_0x40; // ex:0x80000000
	int unk_0x44; // ex:0x20000000
	void *unk_0x48;
	void *unk_0x4C;
	void *unk_0x50;
	void *unk_0x54;
	void *unk_0x58;
	void *unk_0x5C;
	void *unk_0x60;
	void *unk_0x64;
	void *unk_0x68;
	void *unk_0x6C;
	void *unk_0x70;
	void *unk_0x74;
	void *unk_0x78;
	void *unk_0x7C;
	void *unk_0x80;
	void *unk_0x84;
	void *unk_0x88;
	void *unk_0x8C;
	void *unk_0x90;
	void *unk_0x94;
	void *unk_0x98;
	uint32_t magic; // 0x19442EA8
	int unk_0xA0; // ex:0x1000
	int unk_0xA4; // ex:0x1000
	int unk_0xA8; // ex:0x40000
	int unk_0xAC; // ex:0x200000
	int unk_0xB0; // ex:7
	int unk_0xB4;
	int unk_0xB8; // ex:0x80
	sysbase360_t *sysbase;
	void *unk_0xC0;
	void *unk_0xC4;
	// more...?
} SceNskblSysrootInfo; // 3.60

SceNskblSysrootInfo *nskbl_sysroot_info = (SceNskblSysrootInfo *)(0x51000000 + 0x138980); // 3.60

Libraries

Known NIDs

SceKblForKernel

sceKblDebugPutcharForKernel

In 3.60 this function is at 0x510172BD

int sceKblDebugPutcharForKernel(void *args, char c);

sceKblDebugPrintfForKernel

In 3.60 this function is at 0x510137A9

int sceKblDebugPrintfForKernel(const char *fmt, ...);

SceKblForKernel_0x161D6FCC

Similar to SceKblForKernel_0x1DB28F02

In 3.60 this function is at 0x510123DD

SceKblForKernel_0x1DB28F02

Maybe call a thread related function, and if it fails, do a panic call.

In 3.60 this function is at 0x510123A1.

SceKblForKernel_0x261F2747

Related to initialization?

In 3.60 this function is at 0x51001321.

int SceKblForKernel_0x261F2747(void);

SceKblForKernel_0x314AA770

same to SceSysrootForKernel_AE55B7CC

In 3.60 this function is at 0x510124FD.

void SceKblForKernel_0x314AA770(void);

sceKblIsCEXForKernel

In 3.60 this function is at 0x510171B5.

int sceKblIsCEXForKernel(void);

sceKblIsCEXJpFatForKernel

In 3.60 this function is at 0x51017175.

int sceKblIsCEXJpFatForKernel(void);

sceKblIsDEXForKernel

In 3.60 this function is at 0x51017159.

int sceKblIsDEXForKernel(void);

sceKblIsToolForKernel

In 3.60 this function is at 0x51017139.

int sceKblIsToolForKernel(void);

sceKblIsTestForKernel

In 3.60 this function is at 0x5101711D.

int sceKblIsTestForKernel(void);

sceKblLoadModuleForKernel

In 3.60 this function is at 0x51001551.

typedef struct SceModuleLoadList {
  const char *filename;
} __attribute__((packed)) SceModuleLoadList;

int sceKblLoadModuleForKernel(const SceModuleLoadList *list, SceUID *uid, int count, int some_flag);

sceKblStartModuleForKernel

In 3.60 this function is at 0x51001571

int sceKblStartModuleForKernel(SceUID *uid_list, int count, SceSize args, void *argp);

SceKblForKernel_0x752E7EEC

Debug function, same to SceDebugForDriver_1A3F2AA4

In 3.60 this function is at 0x51013841.

SceKblForKernel_0x79241ACF

Related to initialization?

In 3.60 this function is at 0x51001345.

int SceKblForKernel_0x79241ACF(void);

SceKblForKernel_0x807B4437

same to SceSysrootForKernel_8E4B61F1

In 3.60 this function is at 0x510124E5.

void SceKblForKernel_0x807B4437(int a1);

sceKblIsVITAForKernel

In 3.60 this function is at 0x51017299.

int sceKblIsVITAForKernel(void);

sceKblIsDolceForKernel

In 3.60 this function is at 0x510172A1.

int sceKblIsDolceForKernel(void);

sceKblIsGenuineDolceForKernel

In 3.60 this function is at 0x510171E5.

int sceKblIsGenuineDolceForKernel(void);

SceKblForKernel_0x9B868276

return value is ptr?

In 3.60 this function is at 0x51013765.

int SceKblForKernel_9B868276(void);

SceKblForKernel_0x9F4F3F98 (set some state?)

set some state?

related to sceKblStartModuleForKernel

In 3.60 this function is at 0x51001561.

int SceKblForKernel_9F4F3F98(void);

sceKblGetCpuIdForKernel

In 3.60 this function is at 0x510147C9.

int sceKblGetCpuIdForKernel(void);

SceKblForKernel_0xC011935A

get some info?

In 3.60 this function is at 0x51013921.

int SceKblForKernel_C011935A(void);

SceKblForKernel_0xC7B77991

same to SceSysrootForKernel_F6A6D205

In 3.60 this function is at 0x5101297D.

sceKblCheckDipswForKernel

In 3.60 this function is at 0x51015851.

int sceKblCheckDipswForKernel(int bit);

sceKblIsAllowKernelDebugForKernel

same to sceQafMgrIsAllowKernelDebugForDriver

In 3.60 this function is at 0x51016FD1

int sceKblIsAllowKernelDebugForKernel(void);

sceKblGetHardwareFlagsForKernel

get some device flags function

In 3.60 this function is at 0x510128AD

typedef struct SceSysrootHardwareFlags {
	uint32_t data[4];
} __attribute__((packed)) SceSysrootHardwareFlags;

int sceKblGetHardwareFlagsForKernel(SceSysrootHardwareFlags *data);

sceKblCpuSwitchInterruptsForKernel

In 3.60 this function is at 0x51003554.

void sceKblCpuSwitchInterruptsForKernel(void);

sceKblInitDeviceForKernel

some device init function

In 3.60 this function is at 0x5100124D.

void sceKblInitDeviceForKernel(void);