Secure Modules: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 31: Line 31:


This is the common handler for all incoming commands. It reads paddr from 0xE0000014 and ANDs it with 1 to check validity. It checks that size is valid (>= 0x40 and < 0x1000), copies command buffer into private f00d memory and executes an appropriate command handler.
This is the common handler for all incoming commands. It reads paddr from 0xE0000014 and ANDs it with 1 to check validity. It checks that size is valid (>= 0x40 and < 0x1000), copies command buffer into private f00d memory and executes an appropriate command handler.
== is_addr_range_arm_NS(addr, size) ==
This is used by cmd_handler to check if the input address of command buffer is safe. The allowed address ranges are:
* Non-secure DRAM (starting at 0x40200000). Note: this is weird because if configuration (word at 0xE0062260) results in overflow, it does some crazy shit.
* ScePowerScratchPad32KiB
* SceVeneziaSpram

Revision as of 03:06, 7 March 2018

sm common code

sm modules are loaded to 0x80B000, then code from that addr is executed.

There is a lot of common code shared between sm: entry, cmd handler, cmd setup, etc

Entry

This is the first code executed in sm. It's located at 0x80B000. It does the following:

  • Get random value (stack cookie?)
  • call_ctors()
  • sm_main()
  • call_dtors()
  • syscall 1: Unload
  • while(1) sleep()

call_ctors/call_dtors

These just call function pointers, basically libc_init_array.

sm_main

It has a memory pool allocated on stack. It's filled with structures for command handlers. Then, it calls main_loop.

main_loop

This uses syscall 4 (RegisterIrqHandler) to register a common handler for incoming commands (cmd_handler). Then it loops while sm is "active". Then it sets handler for commands = null pointer.

cmd_handler

This is the common handler for all incoming commands. It reads paddr from 0xE0000014 and ANDs it with 1 to check validity. It checks that size is valid (>= 0x40 and < 0x1000), copies command buffer into private f00d memory and executes an appropriate command handler.

is_addr_range_arm_NS(addr, size)

This is used by cmd_handler to check if the input address of command buffer is safe. The allowed address ranges are:

  • Non-secure DRAM (starting at 0x40200000). Note: this is weird because if configuration (word at 0xE0062260) results in overflow, it does some crazy shit.
  • ScePowerScratchPad32KiB
  • SceVeneziaSpram