NSKBL: Difference between revisions

m (→‎sceKernelSysrootIofilemgrStartForKernel: Mark NID as valid down to 0.940)
Line 270: Line 270:
! Version !! NID
! Version !! NID
| 0.990-3.60 || 0xC7B77991
| 0.940-3.60 || 0xC7B77991

Revision as of 21:34, 27 May 2022

Non-Secure Kernel Boot Loader (NSKBL) is a Non-Secure world program that performs eMMC setup, loading of the base kernel modules, etc. during PSVita boot.


The NSKBL contains subroutines that are stripped versions of the non-secure kernel ones found in SceSysmem, SceKernelModulemgr, SceSblSmschedProxy, SceExcpmgr, SceKernelIntrMgr, SceSblAuthMgr, SceProcessmgr (maybe), SceSdif, SceIofilemgr (simple version?), and some other core drivers.


How to debug NSKBL

NSKBL supports sd0: for debugging. pKblParam->boot_type_indicator_1 = 0x40000 is required.

sceIoOpen(?) error code 0x803FF007

This error can occur if the file is fragmented.


/*
 * One entry of an NSKBL module list, as consumed by LoadModules and BootModules.
 * Per the function descriptions on this page, a list is closed by a sentinel entry:
 * moduleName = NULL for LoadModules, moduleId = SCE_UID_INVALID_UID for BootModules.
 * NOTE(review): moduleId starts out as SCE_UID_INVALID_UID, so an entry that was never
 * loaded would presumably be read by BootModules as the end of the list - confirm.
 */
typedef struct SceNskblModuleInfo {
    char* moduleName;    //Raw SKPRX name (e.g. "sysmem.skprx") - modules are loaded either from os0:kd/ or host0:module/
    SceUID moduleId;     //Initially SCE_UID_INVALID_UID; filled in when the module is loaded
    SceUInt32 loadFlags; //Passed as flags to sceKernelLoadModuleWithoutStart
} SceNskblModuleInfo;

/*
 * Partially reverse-engineered NSKBL sysroot information block (FW 3.60).
 * Many pointers are NSKBL heap relationships.
 * Fields named unk_0xNN are unidentified and carry their byte offset in the name;
 * the offsets are consistent with 4-byte pointers and 4-byte ints.
 * Values marked "ex:" are observed examples, not documented constants.
 */
typedef struct SceNskblSysrootInfo { // size is at least 0xC8 on FW 3.60
	SceUID unk_0x00; // maybe some PID. ex: 0x10089
	int unk_0x04;
	void *unk_0x08;
	void *unk_0x0C;
	void *unk_0x10;
	void *unk_0x14;
	void *unk_0x18;
	void *unk_0x1C;
	void *unk_0x20;
	void *unk_0x24;
	void *unk_0x28;
	void *unk_0x2C;
	SceUID unk_0x30; // maybe some PID. ex: 0x1000B
	const void *unk_0x34; // mapped paddr in vaddr
	const void *unk_0x38; // mapped paddr in vaddr
	void *unk_0x3C;
	int unk_0x40; // ex: 0x80000000
	int unk_0x44; // ex: 0x20000000
	void *unk_0x48;
	void *unk_0x4C;
	void *unk_0x50;
	void *unk_0x54;
	void *unk_0x58;
	void *unk_0x5C;
	void *unk_0x60;
	void *unk_0x64;
	void *unk_0x68;
	void *unk_0x6C;
	void *unk_0x70;
	void *unk_0x74;
	void *unk_0x78;
	void *unk_0x7C;
	void *unk_0x80;
	void *unk_0x84;
	void *unk_0x88;
	void *unk_0x8C;
	void *unk_0x90;
	void *unk_0x94;
	void *unk_0x98;
	SceUInt32 magic; // 0x19442EA8 (field sits at offset 0x9C)
	int unk_0xA0; // ex: 0x1000
	int unk_0xA4; // ex: 0x1000
	int unk_0xA8; // ex: 0x40000
	int unk_0xAC; // ex: 0x200000
	int unk_0xB0; // ex: 7
	int unk_0xB4;
	int unk_0xB8; // ex: 0x80
	sysroot_t *pSysroot; // field sits at offset 0xBC
	void *unk_0xC0;
	void *unk_0xC4;
	// more...? (the layout past 0xC8 is not known)
} SceNskblSysrootInfo; // 3.60

// Hard-coded location of the structure (0x51000000 + 0x138980). The address is given for FW 3.60 only;
// this page does not give it for any other firmware version.
// NOTE(review): comparing nskbl_sysroot_info->magic with 0x19442EA8 before reading the other fields
// would catch a wrong address - confirm the magic value holds on the firmware in use.
SceNskblSysrootInfo *nskbl_sysroot_info = (SceNskblSysrootInfo *)(0x51000000 + 0x138980); // 3.60


Known NIDs

Version Name World Visibility NID
0.940-3.65 SceKblForKernel Non-secure Kernel 0xD0FC2991



Version NID
0.940-0.990 0x230456F3
3.60 not present


Version NID
0.940-0.990 0x29A8524D
3.60 not present

Requires DIPSW 193.

SceInt32 sceSDbgSdioStartForKernel(void);


Version NID
0.940-0.990 0x99B2F981
3.60 not present

On 0.940, calls a routine that simply executes cpsid i (disabling IRQs) and then returns 0.


Version NID
0.940-0.990 0xA7D60F71
3.60 not present

Runs the entrypoint of all modules in provided list. The list end is marked by an entry with moduleId = SCE_UID_INVALID_UID.

/*
 * Runs the entry point of every module in module_list.
 * The list ends at the first entry whose moduleId is SCE_UID_INVALID_UID, so the
 * caller must supply that terminator entry.
 * If run_boot_entry is SCE_TRUE, module_start is executed on core 0 and
 * module_bootstart is executed on all cores.
 * NOTE(review): args/argp are presumably the argument size and buffer handed to the
 * entry points - confirm.
 */
SceInt32 BootModules(SceNskblModuleInfo* module_list, SceSize args, const void* argp, SceBool run_boot_entry);


Version NID
0.940-0.990 0xAA8005E4
3.60 not present


Version NID
0.940-0.990 0xFAE33FDD
3.60 not present

Load all modules from the provided list. The list end is marked by an entry with moduleName = NULL. Module GUIDs are populated into the list, so it must be writeable.

/*
 * Loads every module named in module_list.
 * The list ends at the first entry with moduleName = NULL, so the caller must supply
 * that terminator entry. The module IDs are written back into the list, which therefore
 * has to live in writable memory.
 */
SceInt32 LoadModules(SceNskblModuleInfo* module_list);


Version NID
0.940-3.60 0x08E9FAEB

This is a guessed name. This function is at 0x510172BD in 3.60 and at 0x51003BE0 in 0.940.040.

int sceKblPutcharForKernel(void *args, char c);


Version NID
0.940-3.60 0x13A5ABEF

In 3.60 this function is at 0x510137A9

/*
 * Variadic print routine taking a format string followed by its arguments.
 * NOTE(review): fmt is presumably interpreted printf-style, so callers should pass a
 * constant format and hand variable text over through "%s" rather than as fmt itself - confirm.
 */
int sceKernelPrintfForKernel(const char *fmt, ...);


Version NID
0.940 Not present
0.990-3.60 0x752E7EEC

In 3.60 this function is at 0x51013841.

/*
 * Variadic print routine taking a level, a format string and its arguments.
 * NOTE(review): level is presumably checked against the current debug level before
 * anything is printed - confirm. As with any format-string API, fmt should be a constant
 * and variable text should be passed through "%s".
 */
int sceKernelPrintfLevelForKernel(int level, const char *fmt, ...);


Version NID
0.940-3.60 0xC011935A

Temp name was sceKblGetMinimumLogLevel.

In 3.60 this function is at 0x51013921.

int sceKernelGetDebugLevelForKernel(void);


Version NID
0.940-3.60 0x9B868276

In 3.60 this function is at 0x51013765.

void *sceKernelGetDebugPutcharForKernel(void);


Version NID
0.940-3.60 0x161D6FCC

In 3.60 this function is at 0x510123DD.

int sceKernelSysrootProcessmgrStart2ForKernel(void);


Version NID
0.940-3.60 0x1DB28F02

In 3.60 this function is at 0x510123A1.

int sceKernelSysrootThreadMgrStartAfterProcessForKernel(void);


Version NID
0.940-3.60 0xC7B77991

In 3.60 this function is at 0x5101297D.

int sceKernelSysrootIofilemgrStartForKernel(void);


Version NID
0.990-3.60 0x314AA770

In 3.60 this function is at 0x510124FD.

void sceKernelSysrootCorelockUnlockForKernel(void);


Version NID
0.990-3.60 0x807B4437

In 3.60 this function is at 0x510124E5.

void sceKernelSysrootCorelockLockForKernel(SceUInt32 core);


Version NID
0.990 not present
3.60 0xDDB3A1A8

In 3.60 this function is at 0x51003554.

Temp name was sceKblCpuSwitchInterruptsForKernel.

void sceKblCpuDisableIrqInterruptsForKernel(void);


Version NID
0.990-3.60 0x8A416887

In 3.60 this function is at 0x510171B5.

int sceSblAimgrIsCEXForKernel(void);


Version NID
0.990-3.60 0xC3DDDE15

In 3.60 this function is at 0x51017175.

int sceSblAimgrIsDiagForKernel(void);


Version NID
0.990 not present
3.60 0x5945F065

In 3.60 this function is at 0x51017159.

int sceSblAimgrIsDEXForKernel(void);


Version NID
0.990 not present
3.60 0xB6C9ACF1

In 3.60 this function is at 0x51017139.

int sceSblAimgrIsToolForKernel(void);


Version NID
0.990 not present
3.60 0x943E7537

In 3.60 this function is at 0x5101711D.

int sceSblAimgrIsTestForKernel(void);


Version NID
0.990 not present
3.60 0x838466E9

In 3.60 this function is at 0x51017299.

int sceSblAimgrIsVITAForKernel(void);


Version NID
0.990 not present
3.60 0xA7BD4417

In 3.60 this function is at 0x510172A1.

int sceSblAimgrIsDolceForKernel(void);


Version NID
0.990 not present
3.60 0xB6D00D6D

In 3.60 this function is at 0x510171E5.

int sceSblAimgrIsGenuineDolceForKernel(void);


Version NID
0.990 not present
3.60 0x6D7A1F18

In 3.60 this function is at 0x51001551.

/* One entry of the module list passed to sceKblLoadModuleForKernel: a single file name pointer. */
typedef struct SceModuleLoadList {
  const char *filename; // NOTE(review): expected path format is not documented on this page
} __attribute__((packed)) SceModuleLoadList;

/*
 * Takes an array of module file names (pList), an array of UIDs (pUidList) and an element count.
 * NOTE(review): pUidList presumably receives one SceUID per pList entry, so both arrays
 * should hold at least count elements - confirm.
 * use_tool_extended_memory: meaning not documented on this page.
 */
int sceKblLoadModuleForKernel(const SceModuleLoadList *pList, SceUID *pUidList, SceUInt32 count, SceBool use_tool_extended_memory);


Version NID
0.990 not present
3.60 0x9A92436E

In 3.60 this function is at 0x51001571

/*
 * Takes an array of module UIDs (pUidList) with its element count, plus an argument size and buffer.
 * NOTE(review): presumably starts each of the count modules and forwards args/argp to
 * their entry points; pUidList should hold at least count valid UIDs - confirm.
 */
int sceKblStartModuleForKernel(SceUID *pUidList, SceUInt32 count, SceSize args, void *argp);


Version NID
0.990 not present
3.60 0x79241ACF

In 3.60 this function is at 0x51001345.

int sceKblAuthMgrCloseForKernel(void);


Version NID
0.990 not present
3.60 0x9F4F3F98

In 3.60 this function is at 0x51001561.

int sceKblSetNonSyncModuleStartForKernel(void);


Version NID
0.990-3.60 0xB506A10E

In 3.60 this function is at 0x510147C9.

int sceKernelCpuIdForKernel(void);


Version NID
0.990-3.60 0xC8F4DE71

In 3.60 this function is at 0x51015851.

int sceKernelCheckDipswForKernel(int bit);


Version NID
0.990-3.60 0xCE94F329

In 3.60 this function is at 0x51016FD1

int sceSblQafManagerIsAllowKernelDebugForKernel(void);


Version NID
0.990 not present
3.60 0xD3A516D5

Function that gets some device flags.

In 3.60 this function is at 0x510128AD

/* Hardware flags as four 32-bit words (16 bytes); the meaning of the individual bits is not documented here. */
typedef struct SceSysrootHardwareFlags {
	uint32_t data[4];
} __attribute__((packed)) SceSysrootHardwareFlags;

/*
 * Getter for the device/hardware flags.
 * NOTE(review): presumably fills *data, so data should point to a writable
 * SceSysrootHardwareFlags; the return convention is not documented on this page - confirm.
 */
int sceKblGetHardwareFlagsForKernel(SceSysrootHardwareFlags *data);


Version NID
0.990-3.60 0xF7AF8690

Some device initialization function.

In 3.60 this function is at 0x5100124D.

int sceKblInitDeviceForKernel(void);


Version NID
0.990-3.60 0x261F2747

In 3.60 this function is at 0x51001321.

int sceKblFreeFileSystemCtxForKernel(void);