SceSysmem is a kernel module that acts as the heart of the kernel. It exports multiple libraries for different functionalities (one of the few modules that do so). SceSysmem is the first module that is loaded in the kernel load sequence and its libraries are imported by almost all other modules. See Memory for more details on the memory subsystem.
Module
This module exists in both non-secure and secure world. The non-secure world SELF can be found in os0:kd/sysmem.skprx
. It also can be found in the Boot Image.
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceSysmem |
Non-secure |
Kernel |
0xB93950C6
|
3.60 |
SceSysmem |
Non-secure |
Kernel |
0x3380B323
|
3.61 |
SceSysmem |
Non-secure |
Kernel |
0x3380B323
|
1.69 |
SceSysmem |
Secure |
Kernel |
0x502BE0E5
|
Libraries
This module only exports kernel libraries.
Known NIDs
Memory Block Type
The type
parameter indicates what kind of memory to allocate. Here is a mapping of type
flags to ARM MMU flags. Higher bits are used for other options including where to allocate from. Not all flag values are valid, there is a table of valid types in the kernel. You cannot, for example, allocate RWX memory.
Mask |
Value |
Description
|
0x10000 |
0x10000 |
Global. nG bit NOT set
|
0xFF00 |
0x800 |
B bit set. Sharable device memory.
|
0xFF00 |
0x2000 |
TEX[2] and TEX[0] bit set. Outer cache Write-back, Write-Allocate. Inner cache non-cachable.
|
0xFF00 |
0x4000 |
TEX[2] and B bit set. Outer cache non-cachable. Inner cache Write-back, Write-Allocate
|
0xFF00 |
0x8000 |
TEX[0] bit set. S bit unset. Outer and inner non-cachable. Not sharable.
|
0xFF00 |
0xD000 |
TEX[0] bit set. C,B bits set. Outer and inner Write-back, Write-Allocate.
|
0xFF |
0x4 |
AP[2:0] = 5 , XN=1 . Privileged RO, User NA.
|
0xFF |
0x5 |
AP[2:0] = 5 . Privileged RX, User NA.
|
0xFF |
0x6 |
AP[2:0] = 1 , XN=1 . Privileged RW, User NA.
|
0xFF |
0x7 |
AP[2:0] = 1 . Privileged RWX, User NA. (Never used)
|
0xFF |
0x50 |
AP[2:0] = 7 . Privileged RX, User RX.
|
0xFF |
0x60 |
AP[2:0] = 3 , XN=1 . Privileged RW, User RW.
|
0xFF |
0x40 |
AP[2:0] = 7 , XN=1 . Privileged RO, User RO.
|
Mask |
Value |
Name
|
0x0F000000 |
0x09000000 |
SceKernelUserCdram
|
0x0F000000 |
0x0A000000 |
SceKernelUserShared
|
0x0F000000 |
0x0B000000 |
SceKernelUserIO
|
0x0F000000 |
0x0C000000 |
SceKernelUserMain
|
0x0F000000 |
0x0D000000 |
SceKernelUserUncache
|
0x0F000000 |
0x0E000000 |
SceKernelUserCDialog
|
0x0F000000 |
0x0F000000 |
SceKernelUserCDialogNC
|
SceSysmemForKernel
sceKernelRxMemcpyKernelToUserForPidForKernel
Version |
World |
NID
|
1.69 |
non-secure |
0x30931572
|
3.60 |
non-secure |
0x30931572
|
Unrestricted memcpy to the virtual address space for process pid
. Both dst
and src
must be in the address space of pid
but src
must also be accessible in the address space of the caller. This is normally used for resolving stubs in module loads. Same as write to RO but does a cache flush.
int sceKernelRxMemcpyKernelToUserForPidForKernel(SceUID pid, uintptr_t dst, const void *src, size_t len);
sceKernelFindClassByNameForKernel
Version |
World |
NID
|
3.60 |
Non-secure |
0x62989905
|
int sceKernelFindClassByNameForKernel(const char *name, SceClass **class);
SceSysmemForDriver
sceKernelMemcpyKernelToUserForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x6D88EF8A
|
3.60 |
non-secure |
0x6D88EF8A
|
int sceKernelMemcpyKernelToUserForDriver(uint32_t uaddr, const void *kaddr, uint32_t len);
sceKernelMemcpyUserToKernelForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xBC996A7A
|
3.60 |
non-secure |
0xBC996A7A
|
int sceKernelMemcpyUserToKernelForDriver(void *kaddr, uint32_t uaddr, uint32_t len);
sceKernelMemcpyUserToKernelForPidForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x605275F8
|
int sceKernelMemcpyUserToKernelForPidForDriver(SceUID pid, void *kaddr, uint32_t uaddr, uint32_t len);
Same as above, but copies from the specified process.
sceKernelStrncpyKernelToUserForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x80BD6FEB
|
3.60 |
non-secure |
0x80BD6FEB
|
int sceKernelStrncpyKernelToUserForDriver(uint32_t uaddr, const void *kaddr, uint32_t maxlen);
sceKernelStrncpyUserToKernelForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xDB3EC244
|
3.60 |
non-secure |
0xDB3EC244
|
int sceKernelStrncpyUserToKernelForDriver(void *kaddr, uint32_t uaddr, uint32_t maxlen);
sceKernelStrnlenUserForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xB429D419
|
3.60 |
non-secure |
0xB429D419
|
int sceKernelStrnlenUserForDriver(uint32_t uaddr, uint32_t maxlen);
sceKernelGetPaddrForDriver
Version |
World |
NID
|
1.69 |
secure |
0x1DEADF6C
|
1.69 |
non-secure |
0x8D160E65
|
3.60 |
non-secure |
0x8D160E65
|
int sceKernelGetPaddrForDriver(void *vaddr, void **result);
This will write the physical address for a virtual address vaddr
to memory pointed to by result
.
Returns <0 on error, values >=0 indicate success.
sceKernelGetPaddrListForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xE68BEEBD
|
3.60 |
non-secure |
0xE68BEEBD
|
typedef struct SceKernelAddrPair {
uint32_t addr;
uint32_t length;
} SceKernelAddrPair;
typedef struct SceKernelPaddrListReq {
uint32_t size; // 0x14
uint32_t output_buffer_size;
uint32_t unk;
uint32_t ret_count;
SceKernelAddrPair *output_buffer;
} SceKernelPaddrListReq;
input.addr = vaddr;
input.length = length;
int sceKernelGetPaddrListForDriver(SceKernelAddrPair *input, SceKernelPaddrListReq *req);
This function takes in two parameters: an array of length 2 specifying the virtual address and the size of the block of memory and a request information. The function will write into output_buffer
an array of addr_pair
that encompasses the block of memory specified in the input. req->ret_count
will contain the number of entries written. If output_buffer
is null, it will just write the count.
sceKernelAllocMemBlockForDriver
Version |
World |
NID
|
1.69 |
secure |
0x402EB970
|
1.69 |
non-secure |
0xC94850C9
|
3.60 |
non-secure |
0xC94850C9
|
typedef enum SceKernelAllocMemBlockAttr {
SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_PADDR = 0x00000002U,
SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_ALIGNMENT = 0x00000004U,
SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_MIRROR_BLOCKID = 0x00000040U,
SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_PID = 0x00000080U,
SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_PADDR_LIST = 0x00001000U
} SceKernelAllocMemBlockAttr;
struct SceKernelAllocMemKernelBlockOpt_old {
uint32_t size; // 0x34
uint32_t unk;
uint32_t attr;
uint32_t unk2;
uint32_t paddr;
uint32_t align;
uint32_t unk3[3];
uint32_t processid;
uint32_t unk4[3];
};
// specific to 3.60
typedef struct SceKernelAllocMemBlockKernelOpt {
SceSize size; //!< sizeof(SceKernelAllocMemBlockKernelOpt)
SceUInt32 field_4;
SceUInt32 attr; //!< OR of SceKernelAllocMemBlockAttr
SceUInt32 field_C;
SceUInt32 paddr;
SceSize alignment;
SceUInt32 field_18;
SceUInt32 field_1C;
SceUInt32 mirror_blockid;
SceUID pid;
SceKernelPaddrList *paddr_list;
SceUInt32 field_2C;
SceUInt32 field_30;
SceUInt32 field_34;
SceUInt32 field_38;
SceUInt32 field_3C;
SceUInt32 field_40;
SceUInt32 field_44;
SceUInt32 field_48;
SceUInt32 field_4C;
SceUInt32 field_50;
SceUInt32 field_54;
} SceKernelAllocMemBlockKernelOpt;
int sceKernelAllocMemBlockForDriver(const char *name, int32_t type, uint32_t vsize, struct SceKernelAllocMemKernelBlockOpt *pOpt);
The interface is the same as the user version of this call, however more types can be specified and more options are in the pOpt argument.
To allocate a kernel RW block of memory, specify type = 0x6020D006
.
To allocate a block of memory with a specific physical address, specify type = 0x20100206
or type = 0x20100806
, pOpt->attr = 2
, and pOpt->paddr = physical address
.
To allocate a block of memory that is kernel executable, specify type = 0x1020D005
.
To allocate a block of memory that is physically contiguous, specify type = 0x30808006
, pOpt->attr = 0x200004
and an alignment to pOpt->alignment
.
To allocate a block of memory inside the CDRAM, specify type = 0x40404006
.
pOpt->attr bitmask
Bitmask
|
Uses
|
0x00000001
|
field_C
|
0x00000002
|
paddr
|
0x00000004
|
alignment
|
0x00000008
|
field_18
|
0x00000010
|
field_1C
|
0x00000020
|
??
|
0x00000040
|
mirror_blockid
|
0x00000080
|
pid
|
0x00001000
|
paddr_list
|
0x00002000
|
field_2C
|
0x00010000
|
field_30
|
sceKernelGetMemBlockBaseForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xA841EDDA
|
3.60 |
non-secure |
0xA841EDDA
|
int sceKernelGetMemBlockBaseForDriver(int blkid, void **base);
sceKernelFindMemBlockByAddrForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x8A1742F6
|
3.60 |
non-secure |
0x8A1742F6
|
int sceKernelFindMemBlockByAddrForDriver(void *base, int);
sceKernelRemapBlockForDriver
Version |
World |
NID
|
1.05 |
non-secure |
0x8D332AE1
|
1.69 |
non-secure |
0xDFE2C8CB
|
3.60 |
non-secure |
0xDFE2C8CB
|
int sceKernelRemapBlockForDriver(int blkid, int type);
This is used to remap RW memory as RX. To do this, first allocate a memory block of type 0x1020D006
. After you are done writing, call this with type
set to 0x1020D005
.
sceKernelCreateHeapForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x9328E0E8
|
3.60 |
non-secure |
0x9328E0E8
|
typedef struct {
int size; // 28
int flags; // usually 0x1
int unk;
int unk;
int block_type;
int unk;
int unk;
} pool_arg_t;
int sceKernelCreateHeapForDriver(const char *name, int size, pool_arg_t *opt); // opt can be NULL
The heap pool is thread safe.
sceKernelDeleteHeapForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xD6437637
|
3.60 |
non-secure |
0xD6437637
|
int sceKernelDeleteHeapForDriver(int pool_uid);
sceKernelAllocHeapMemoryForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x7B4CB60A
|
3.60 |
non-secure |
0x7B4CB60A
|
void* sceKernelAllocHeapMemoryForDriver(SceUID uid, SceSize size);
sceKernelAllocHeapMemory2ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0xB415B5A8
|
Same as sceKernelAllocHeapMemoryForDriver
but does not set unk2
to 0.
void* sceKernelAllocHeapMemory2ForDriver(SceUID uid, SceSize size, void* unk2);
sceKernelAllocHeapMemory3ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x49D4DD9B
|
Same as sceKernelAllocHeapMemoryForDriver
but does not set unk2
to 0.
void* sceKernelAllocHeapMemory3ForDriver(SceUID uid, SceSize size, void* unk2);
sceKernelAllocHeapMemoryFromGlobal1ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x7750CEA7
|
Same as sceKernelAllocHeapMemoryForDriver
but uses global uid
.
void* sceKernelAllocHeapMemoryFromGlobal1ForDriver(SceSize size);
sceKernelAllocHeapMemoryFromGlobal2ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x0B4ED16A
|
Same as sceKernelAllocHeapMemoryForDriver
but does not set unk2
to 0 and uses global uid
.
void* sceKernelAllocHeapMemoryFromGlobal2ForDriver(SceSize size, void *unk);
sceKernelFreeHeapMemoryForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x3EBCE343
|
3.60 |
non-secure |
0x3EBCE343
|
int sceKernelFreeHeapMemoryForDriver(int pool_uid, void *ptr);
sceKernelMapUserBlockForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x7D4F8B5F
|
3.60 |
non-secure |
0x7D4F8B5F
|
Permission is either "1" for read only, no execute or "2"/"3" for read write, no execute. Type is either 0, 1, or 17 and affects the block type. 0 is default. This will allocate kernel memory starting at kernel_page. To get the same memory as the user pointer, add the kernel_offset. kernel_size is how much is allocated.
//this signature is for 1.69
int sceKernelMapUserBlockForDriver(int permission, int type, void *user_buf, int size, void **kernel_page, int *kernel_size, int *kernel_offset);
//this signature is for 3.60 - now allows to give a name
int sceKernelMapUserBlockForDriver(char *name, int permission, int type, void *user_buf, int size, void **kernel_page, int *kernel_size, int *kernel_offset);
sceKernelMapUserBlockDefaultTypeForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x278BC201
|
Assigns type 0.
int sceKernelMapUserBlockDefaultTypeForDriver(char *name, int permission, void *user_buf, int size, void **kernel_page, int *kernel_size, int *kernel_offset);
sceKernelMapUserBlockDefaultType2ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x0091D74D
|
Assigns type 0.
int sceKernelMapUserBlockDefaultType2ForDriver(int unk0, char *name, int permission, void *user_buf, int size, void **kernel_page, int *kernel_size, int *kernel_offset);
Switch TTB For PID
Version |
World |
NID
|
1.69 |
non-secure |
0x6F2ACDAE
|
3.60 |
non-secure |
N/A
|
Changes the TTBR to point to the tables for a given PID.
int switch_ttb_for_pid(SceUID pid);
sceKernelRoMemcpyKernelToUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x571D2739
|
3.60 |
non-secure |
0x571D2739
|
int sceKernelRoMemcpyKernelToUserForPidForDriver(SceUID pid, void *dst, const void *src, SceSize size);
sceKernelFirstDifferentIntUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x8334454F
|
3.60 |
non-secure |
0x8334454F
|
Looks for an integer in userspace.
int sceKernelFirstDifferentIntUserForPidForDriver(SceUID pid, void *haystack, int needle, SceSize size);
sceKernelStrnlenUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x9929EB07
|
3.60 |
non-secure |
0x9929EB07
|
int sceKernelStrnlenUserForPidForDriver(SceUID pid, char *ptr, SceSize size);
sceKernelStrncpyUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x75AAF178
|
3.60 |
non-secure |
0x75AAF178
|
int sceKernelStrncpyUserForPidForDriver(SceUID pid, char *dst, const char *kern_src, SceSize size);
sceKernelMemcpyKernelToUserForPidUncheckedForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0xFED82F2D
|
3.60 |
non-secure |
0xFED82F2D
|
int sceKernelMemcpyKernelToUserForPidUncheckedForDriver(SceUID pid, void *dst, const void *kern_src, SceSize size);
sceKernelMemcpyKernelToUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x6B825479
|
3.60 |
non-secure |
0x6B825479
|
This will not crash on invalid user pointers, but instead return error.
int sceKernelMemcpyKernelToUserForPidForDriver(SceUID pid, void *dst, const void *kern_src, SceSize size);
sceKernelMemcpyUserToUserForPidForDriver
Version |
World |
NID
|
1.69 |
non-secure |
0x8E086C33
|
3.60 |
non-secure |
0x8E086C33
|
int sceKernelMemcpyUserToUserForPidForDriver(SceUID pid, void *dst, const void *src, SceSize size);
create_event
Version |
World |
NID
|
3.60 |
non-secure |
0x56A13E90
|
SceUID create_event(SceClass *cls, const char *name, SceObjectBase **obj);
sceKernelMemRangeRetainWithPermForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0xBC0A1D60
|
Increase references to pages.
int sceKernelMemRangeRetainWithPermForDriver(int perm, const void *addr, unsigned int size);
sceKernelMemRangeReleaseWithPermForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x22CBE925
|
Decrease references to pages.
int sceKernelMemRangeReleaseWithPermForDriver(int perm, const void *addr, unsigned int size);
sceKernelAllocMemBlockExtForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0xD44F464D
|
int sceKernelAllocMemBlockExtForDriver(const char *name, int type, unsigned int size, SceKernelAllocMemBlockKernelOpt *opt, SceKernelPaddrList *out_paddr_list);
sceKernelFindMemBlockForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x9C78064C
|
int sceKernelFindMemBlockForDriver(int flags, void *base, SceSize size);
SceSysmemForDriver_98C15666
Version |
World |
NID
|
3.60 |
non-secure |
0x98C15666
|
Returns the paddr and size (addrpair) of the memblock if it's physically continuous.
int SceSysmemForDriver_98C15666(SceUID uid, SceKernelAddrPair *addrpair)
SceSysmem
The SceSysmem library is responsible for both low-level and high-level memory management. There are functions for allocating raw blocks of memory (similar to Linux sbrk
) as well as functions for maintaining a heap-like structure (similar to malloc
) for kernel, however SceLibKernel implements a proper heap and that is used for user code.
sceKernelGetMemBlockInfoByRange
Version |
NID
|
1.69 |
0x6F3DB4
|
sceKernelSyncVMDomain
Version |
NID
|
1.69 |
0x19D2A81A
|
sceKernelRemapMemBlock
Version |
NID
|
1.69 |
0x3B29E0F5
|
sceKernelGetMemBlockInfoByAddr
Version |
NID
|
1.69 |
0x4010AD65
|
sceKernelMapMemBlock
Version |
NID
|
1.69 |
0x7B763A21
|
sceKernelGetSubbudgetInfo
Version |
NID
|
1.69 |
0x832B4A65
|
sceKernelGetFreeMemorySize
Version |
NID
|
1.69 |
0x87CC580B
|
sceKernelOpenMemBlock
Version |
NID
|
1.69 |
0x8EB8DFBB
|
sceKernelOpenVMDomain
Version |
NID
|
1.69 |
0x9CA3EB2B
|
sceKernelFindMemBlockByAddr
Version |
NID
|
1.69 |
0xA33B99D1
|
sceKernelFreeMemBlock
Version |
NID
|
1.69 |
0xA91E15EE
|
sceKernelCloseMemBlock
Version |
NID
|
1.69 |
0xB680E3A0
|
sceKernelGetMemBlockBase
Version |
NID
|
1.69 |
0xB8EF5818
|
sceKernelAllocMemBlock
Version |
NID
|
1.69 |
0xB9D5EBDE
|
sceKernelPartialMapMemBlock
Version |
NID
|
1.69 |
0xC0A59868
|
sceKernelPartialUnmapMemBlock
Version |
NID
|
1.69 |
0xCA99929B
|
sceKernelCloseVMDomain
Version |
NID
|
1.69 |
0xD6CA56CA
|
sceKernelAllocMemBlockForVM
Version |
NID
|
1.69 |
0xE2D7E137
|
sceKernelUnmapMemBlock
Version |
NID
|
1.69 |
0xEE30D976
|
SceDipsw
SceCpu
This library provides wrapper for much ARM CP15 co-processor access as well as low level support of spinlocks and other synchronization primitives.
SceDipsw
sceKernelCheckDipsw
Version |
NID
|
1.69 |
0x1C783FB2
|
sceKernelClearDipsw
Version |
NID
|
1.69 |
0x800EDCC1
|
sceKernelSetDipsw
Version |
NID
|
1.69 |
0x817053D4
|
SceDipswForDriver
ksceKernelCheckDipsw
Version |
NID
|
3.60 |
0xA98FC2FD
|
ksceKernelClearDipsw
Version |
NID
|
3.60 |
0xF1F3E9FE
|
ksceKernelSetDipsw
Version |
NID
|
3.60 |
0x82E45FBF
|
SceUartForKernel
SceUartForKernel_41973874
Version |
NID
|
3.60 |
0x41973874
|
int ksceUartWrite(int device, unsigned char data);
SceUartForKernel_38DB7629
Version |
NID
|
3.60 |
0x38DB7629
|
Returns the number of words available to read from the read FIFO.
int ksceUartReadAvailable(int device);
SceUartForKernel_9BBF1255
Version |
NID
|
3.60 |
0x9BBF1255
|
int ksceUartRead(int device);
SceUartForKernel_A9C74212
Version |
NID
|
3.60 |
0xA9C74212
|
It initializes the clock generator registers for the device
.
The default baud rate is 115200 for devices 0-5 and 250000 for the device 6.
int ksceUartInit(int device);
SceCpu
sceKernelCpuId
Version |
NID
|
1.69 |
0x2704CFEE
|
SceCpuForKernel
void SceCpuForKernel_1BB2BB8D(void); // BPIALLIS, Branch predictor invalidate all (IS)
void SceCpuForKernel_264DA250(void); // ICIALLUIS, Instruction cache invalidate all (PoU, IS)
void SceCpuForKernel_2F3BF020(void); //DCISW, Data cache invalidate by set/way (all the cache)
void SceCpuForKernel_470EAE1E(int mva); //DCIMVAC, Data cache invalidate by MVA (PoC)
void SceCpuForKernel_4C4C7D6B(void); //BPIALL, Branch predictor invalidate all
void SceCpuForKernel_583F30D1(void *addr, unsigned int size); //DCIMVAC, Data cache invalidate by MVA (PoC)
void SceCpuForKernel_6BA2E51C(void *addr, unsigned int size); // DCCIMVAC, Data cache clean and invalidate by MVA (PoC)
void SceCpuForKernel_73A30DB2(void); // DCCSW, Data cache clean by set/way (all the cache)
void SceCpuForKernel_76DAB4D0(void); // DCCISW, Data cache clean and invalidate by set/way (all the cache)
void SceCpuForKernel_AEE0B489(void); //ICIALLU, Instruction cache invalidate all (PoU)
void SceCpuForKernel_C5C1EE4E(void *addr, unsigned int size); // DCCMVAC, Data cache clean by MVA (PoC)
void SceCpuForKernel_C8E8C9E9(int mva); //DCCIMVAC, Data cache clean and invalidate by MVA (PoC)
void SceCpuForKernel_F4C7F578(void *addr, unsigned int size); // ICIMVAU, Instruction cache invalidate by MVA (PoU)
void SceCpuForKernel_F7159B55(int mva); // DCCMVAC, Data cache clean by MVA (PoC)
Unrestricted Write for Kernel
Unrestricted memcpy by first setting the DACR
register to 0xFFFF0000
and then doing a memcpy.
Version
|
NID
|
1.69
|
0x8C683DEC
|
int unrestricted_memcpy_for_kernel(void *dst, void *src, size_t len);
get_paddr_2
Version |
World |
NID
|
3.60 |
? |
0x67343a07
|
int get_paddr_2(int maskPAR, void *vaddr, void **result);
get_paddr_3
Version |
World |
NID
|
3.60 |
? |
0x2a46e800
|
int get_paddr_3(void *vaddr, void **result);
SceCpuForKernel_D0D85FF8
Version |
NID
|
3.60 |
0xD0D85FF8
|
int invalidate_unknown_coprocessor_cache(void);
SceCpuForDriver
SceCpuForDriver_BF82DEB2_lock
Version |
NID
|
1.60 |
0xBF82DEB2
|
int SceCpuForDriver_BF82DEB2_lock(int *addr);
SceCpuForDriver_D6ED0C46_unlock
Version |
NID
|
1.60 |
0xD6ED0C46
|
int SceCpuForDriver_D6ED0C46_unlock(int *addr);
These two functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.
SceCpuForDriver_D32ACE9E_lock_int
Version |
NID
|
3.35 |
0xD32ACE9E
|
int SceCpuForDriver_D32ACE9E_lock_int(int *addr);
SceCpuForDriver_7BB9D5DF_unlock_int
Version |
NID
|
3.35 |
0x7BB9D5DF
|
void SceCpuForDriver_7BB9D5DF_unlock_int(int *addr, int prev_state);
Same as the pair above, but while mutex is held, interrupts are disabled. Used like this:
int prev_state = SceCpuForDriver_D32ACE9E_lock_int(mutex);
// do work
SceCpuForDriver_7BB9D5DF_unlock_int(mutex, prev_state);
SceCpuForDriver_4C38CE4D_lock_int_2
Version |
NID
|
3.35 |
0x4C38CE4D
|
SceCpuForDriver_9EC91017_unlock_int_2
Version |
NID
|
3.35 |
0x9EC91017
|
Same as the pair above, but stores 0x80000000 as the addr value instead of LR.
SceCpuForDriver_821FC0EE_disable_irq
Version |
NID
|
1.60 |
0x821FC0EE
|
int SceCpuForDriver_821FC0EE_disable_irq(void);
Disables irq (but not fiq) and returns previous interrupt bit status (so either 0 or 0x80).
SceCpuForDriver_F5BAD43B_restore_irq
Version |
NID
|
1.60 |
0xF5BAD43B
|
void SceCpuForDriver_F5BAD43B_restore_irq(int previous_state);
Restores previous irq state, pass either 0 or 0x80.
SceCpuForDriver_5E4D5DE1_get_multproc_id_reg
Version |
NID
|
1.50 |
0x5E4D5DE1
|
Return the CPU ID of the current core.
SceSysclibForKernel
SceSysclibForDriver
__aeabi_idiv
Version |
NID
|
3.60 |
0x2518CD9E
|
__aeabi_uidiv
Version |
NID
|
3.35 |
0xA9FF1205
|
__aeabi_uidivmod
Version |
NID
|
3.35 |
0xA46CB7DE
|
__aeabi_ldivmod
Version |
NID
|
3.60 |
0x7554ab04
|
memcpy
Version |
NID
|
1.60 |
0x40C88316
|
memset
Version |
NID
|
1.60 |
0x0AB9BF5C
|
strchr
Version |
NID
|
3.35 |
0x38463759
|
strncmp
Version |
NID
|
1.60 |
0x12CEE649
|
memcmp
Version |
NID
|
3.60 |
B5A4D745
|
timing constant memcmp
SceSysrootForKernel
sceSysrootGetSelfInfoForKernel
Version |
NID
|
3.60 |
0xF10AB792
|
typedef struct self_info_pair
{
uint32_t size; // 0x0C
char* elf_data;
uint32_t elf_size;
} self_info_pair;
int sceSysrootGetSelfInfoForKernel(int index, self_info_pair* state);
Index |
SELF
|
0 |
gcauthmgr_sm.self
|
1 |
rmauth_sm.self
|
2 |
encdec_w_portability_sm.self
|
SceSysrootForKernel_CC85905B
Version |
NID
|
3.60 |
0xCC85905B
|
Returns the exception vectors base address. The address of the exception vectors for the CPU i
is: SceSysrootForKernel_CC85905B() + 0x40 * i
.
sceSysrootGetSysrootBufferForKernel
Version |
NID
|
3.60 |
0x9DB56D1F
|
Returns pointer to Sysroot buffer.
void *sceSysrootGetSysrootBufferForKernel(void);
sceSysrootGetSysbaseForKernel
Version |
NID
|
3.60 |
0x3E455842
|
sceSysrootGetProcessTitleIdForPidForKernel
Version |
NID
|
3.60 |
0xEC3124A3
|
int sceSysrootGetProcessTitleIdForPidForKernel(SceUID pid, char *titleid, size_t len);
sceSysrootIsAuCodecIcConexantForKernel
Version |
NID
|
3.60 |
0x46E72428
|
int sceSysrootIsAuCodecIcConexantForKernel(void);
sceSysrootIsBsodRebootForKernel
Version |
NID
|
3.60 |
0x4373AC96
|
int sceSysrootIsBsodRebootForKernel(void);
sceSysrootIsExternalBootModeForKernel
Version |
NID
|
3.60 |
0x89D19090
|
int sceSysrootIsExternalBootModeForKernel(void);
sceSysrootIsManufacturingModeForKernel
Version |
NID
|
3.60 |
0x55392965
|
int sceSysrootIsManufacturingModeForKernel(void);
sceSysrootIsSafeModeForKernel
Version |
NID
|
3.60 |
0x834439A7
|
int sceSysrootIsSafeModeForKernel(void);
sceSysrootIsUpdateModeForKernel
Version |
NID
|
3.60 |
0xB0E1FC67
|
int sceSysrootIsUpdateModeForKernel(void);
sceSysrootIsUsbEnumWakeupForKernel
Version |
NID
|
3.60 |
0x79C9AE10
|
int sceSysrootIsUsbEnumWakeupForKernel(void);
sceSysrootUseInternalStorageForKernel
Version |
NID
|
3.60 |
0x50FE3B4D
|
int sceSysrootUseInternalStorageForKernel(void);
sceSysrootGetNidNameForKernel
Version |
NID
|
3.60 |
0x0B79E220
|
int sceSysrootGetNidNameForKernel(unsigned int nid, const char **name);
SceSysrootForKernel_FF9F80FF
Version |
NID
|
3.60 |
0xFF9F80FF
|
int SceSysrootForKernel_FF9F80FF(SceUID pid, const void *addr, unsigned int *info); // info[0] = 0x3C
Returns export info at address for pid (contains module, lib and NID and their names).
SceKernelUtilsForDriver
sceAesDecrypt1ForDriver
Decrypt with AES.
Version |
NID
|
1.69 |
0xD8678061
|
3.60 |
0xD8678061
|
int sceAesDecrypt1ForDriver(void *ctx, const unsigned char* src, unsigned char* dst);
sceAesDecrypt2ForDriver
Version |
NID
|
3.60 |
0xE39CD272
|
int sceAesDecrypt2ForDriver(void *ctx, const unsigned char* src, unsigned char* dst);
sceAesEncrypt1ForDriver
Encrypt with AES. There are two functions that are the same on 1.69.
Version |
NID
|
1.69 |
0xC2A61770
|
3.60 |
0xC2A61770
|
int sceAesEncrypt1ForDriver(void *ctx, const unsigned char* src, unsigned char* dst);
sceAesEncrypt2ForDriver
Encrypt with AES. There are two functions that are the same on 1.69.
Version |
NID
|
1.69 |
0x302947B6
|
3.60 |
0x302947B6
|
int sceAesEncrypt2ForDriver(void *ctx, const unsigned char* src, unsigned char* dst);
sceAesInit1ForDriver
This sets up the AES engine. ctx
is a 960 byte buffer (int 1.69). blocksize
and keysize
is the security in bits. 128/196/256 are supported values.
Version |
NID
|
1.69 |
0xF12B6451
|
3.60 |
0xF12B6451
|
last arg to subroutine is 0
int sceAesInit1ForDriver(void *ctx, int blocksize, int keysize, const unsigned char* key);
sceAesInit2ForDriver
Version |
NID
|
3.60 |
0xEDA97D6D
|
last arg to subroutine is 1
int sceAesInit2ForDriver(void *ctx, int blocksize, int keysize, const unsigned char* key);
sceAesInit3ForDriver
Version |
NID
|
3.60 |
0x72408E29
|
last arg to subroutine is 2
int sceAesInit3ForDriver(void *ctx, int blocksize, int keysize, const unsigned char* key);
sceDeflateDecompressForDriver
Version |
NID
|
3.60 |
0x8AF1FAD4
|
sceDeflateDecompressPartialForDriver
Version |
NID
|
3.60 |
0x3D74CCDF
|
sceGzipDecompressForDriver
Version |
NID
|
3.60 |
0x367EE3DF
|
Version |
NID
|
3.60 |
0xCD3AE08F
|
sceGzipGetCompressedDataForDriver
Version |
NID
|
3.60 |
0x63619124
|
sceGzipGetInfoForDriver
Version |
NID
|
3.60 |
0xFFC6A10F
|
sceGzipGetNameForDriver
Version |
NID
|
3.60 |
0xF901FD3E
|
sceGzipIsValidForDriver
Version |
NID
|
3.60 |
0xD8FAEFD4
|
sceHmacSha1DigestForDriver
Version |
NID
|
3.60 |
0x29A28957
|
int sceHmacSha1DigestForDriver(const unsigned char* key, int key_len, const unsigned char* data, int data_len, unsigned char* digest);
sceHmacSha224DigestForDriver
Version |
NID
|
3.60 |
0x7F2A7B99
|
int sceHmacSha224DigestForDriver(const unsigned char* key, int key_len, const unsigned char* data, int data_len, unsigned char* digest);
sceHmacSha256DigestForDriver
Version |
NID
|
3.60 |
0x83EFA1CC
|
int sceHmacSha256DigestForDriver(const unsigned char* key, int key_len, const unsigned char* data, int data_len, unsigned char* digest);
sceMt19937GlobalInitForDriver
Version |
NID
|
3.60 |
0xD428CC2A
|
sceMt19937GlobalUninitForDriver
Version |
NID
|
3.60 |
0x875B2A1C
|
sceMt19937InitForDriver
Version |
NID
|
3.60 |
0x4C9A5730
|
sceMt19937UIntForDriver
Version |
NID
|
3.60 |
0x92AEDFBC
|
sceSfmt19937FillArray32ForDriver
Version |
NID
|
3.60 |
0x2B30548B
|
sceSfmt19937FillArray64ForDriver
Version |
NID
|
3.60 |
0x49B41540
|
sceSfmt19937GenRand32ForDriver
Version |
NID
|
3.60 |
0xBBE4701A
|
sceSfmt19937GenRand64ForDriver
Version |
NID
|
3.60 |
0x45DEAAD6
|
sceSfmt19937InitByArrayForDriver
Version |
NID
|
3.60 |
0x33AE1203
|
sceSfmt19937InitGenRandForDriver
Version |
NID
|
3.60 |
0xAB48C3CA
|
sceSha1BlockInitForDriver
Version |
NID
|
3.60 |
0xE4390FFA
|
int sceSha1BlockInitForDriver(void* ctx);
sceSha1BlockResultForDriver
Version |
NID
|
3.60 |
0x48F24106
|
int sceSha1BlockResultForDriver(void* ctx, unsigned char* digest);
sceSha1BlockUpdateForDriver
Version |
NID
|
3.60 |
0x478A6F3C
|
int sceSha1BlockUpdateForDriver(void* ctx, const unsigned char* data, int size);
sceSha1DigestForDriver
Version |
NID
|
3.60 |
0x87DC7F2F
|
int sceSha1DigestForDriver(unsigned char *data, int size, unsigned char* digest);
sceSha224BlockInitForDriver
Version |
NID
|
3.60 |
0xC762EA6D
|
int sceSha224BlockInitForDriver(void* ctx);
sceSha224BlockResultForDriver
Version |
NID
|
3.60 |
0xFBF2A442
|
int sceSha224BlockResultForDriver(void* ctx, unsigned char* digest);
sceSha224BlockUpdateForDriver
Version |
NID
|
3.60 |
0x7556E611
|
int sceSha224BlockUpdateForDriver(void* ctx, const unsigned char* data, int size);
sceSha224DigestForDriver
Version |
NID
|
3.60 |
0x9EA9D4DC
|
int sceSha224DigestForDriver(unsigned char *data, int size, unsigned char* digest);
sceSha256BlockInitForDriver
Version |
NID
|
3.60 |
0xD909FA2C
|
int sceSha256BlockInitForDriver(void* ctx);
sceSha256BlockResultForDriver
Version |
NID
|
3.60 |
0x4899CD4B
|
int sceSha256BlockResultForDriver(void* ctx, unsigned char* digest);
sceSha256BlockUpdateForDriver
Version |
NID
|
3.60 |
0x236A9097
|
int sceSha256BlockUpdateForDriver(void* ctx, const unsigned char* data, int size);
sceSha256DigestForDriver
Version |
NID
|
3.60 |
0xA773A6A8
|
int sceSha256DigestForDriver(unsigned char *data, int size, unsigned char* digest);
sceZlibDecompressForDriver
Version |
NID
|
3.60 |
0x900148DB
|
sceZlibGetCompressedDataForDriver
Version |
NID
|
3.60 |
0x01EB6C45
|
sceZlibGetInfoForDriver
Version |
NID
|
3.60 |
0x5B9BCD75
|
SceZlibForDriver
zlib compression library.
Firmware |
zlib version
|
1.60 |
1.2.5
|
inflate
Version |
NID
|
1.60 |
0xE4F34A68
|
deflate
Version |
NID
|
1.60 |
0xE859D60F
|
deflateReset
Version |
NID
|
1.60 |
0x68CFEA45
|
crc32
Version |
NID
|
1.60 |
0xE0CE06C0
|
adler32
Version |
NID
|
1.60 |
0x98619620
|
inflateSetDictionary
Version |
NID
|
1.60 |
0x7B16DBD6
|
SceKernelSuspendForDriver
Used to register callbacks for handling suspend/resume related events.
sceKernelRegisterSysEventHandlerForDriver
Version |
NID
|
1.69 |
0x04C05D10
|
3.60 |
0x04C05D10
|
typedef struct {
uint32_t size; // 24
uint32_t unk1;
uint32_t unk2;
uint32_t unk3;
uint32_t unk4;
uint32_t unk5;
} suspend_args_t;
typedef int (suspend_callback_t)(int resume, int event_id, suspend_args_t *args, void *opt);
int sceKernelSuspendRegisterCallbackForDriver(const char *name, suspend_callback_t *callback_func, void *opt);
Registers a function for handling suspend/resume. resume
is 0 if we are currently suspending and 1 if we are currently resuming. opt
is passed from the registration. Registration adds an entry to a linked list and returns the block id for the new entry.
Returns the suspend_callback_id.
sceKernelUnregisterSysEventHandlerForDriver
Version |
NID
|
1.69 |
0xDD61D621
|
3.60 |
0xDD61D621
|
int sceKernelUnregisterSysEventHandlerForDriver(int id);
Call with the id returned from suspend_register_callback
to remove the entry from the linked list and free the memory.
sceKernelSysEventDispatchForDriver
Version |
NID
|
1.69 |
0xD4622EA8
|
3.60 |
0xD4622EA8
|
int sceKernelSysEventDispatchForDriver(int resume, int eventid, suspend_args_t *args, int stop_on_error);
This will go through the linked list and call each callback. If stop_on_error
is set, then the first callback that returns a negative value will stop the call chain and return the block id of the callback that broke the chain. Otherwise, this function will invoke each callback and return zero.
sceKernelPowerTickForDriver
Version |
NID
|
3.60 |
0xE0489831
|
typedef enum SceKernelPowerTickType {
/** Cancel all timers */
SCE_KERNEL_POWER_TICK_DEFAULT = 0,
/** Cancel automatic suspension timer */
SCE_KERNEL_POWER_TICK_DISABLE_AUTO_SUSPEND = 1,
/** Cancel OLED-off timer */
SCE_KERNEL_POWER_TICK_DISABLE_OLED_OFF = 4,
/** Cancel OLED dimming timer */
SCE_KERNEL_POWER_TICK_DISABLE_OLED_DIMMING = 6
} SceKernelPowerTickType;
int sceKernelPowerTickForDriver(int type);
Cancel specified idle timers to prevent entering in power save processing.
Returns 0 on success.
SceQafMgrForDriver
Provides many device permission checks including Vita model checks, running app privilege checks, and so on.
ScePmMgrForDriver
scePmGetBootTypeIndicatorBit2ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0x2AC815A2
|
gets data using ksceKernelGetSysrootBuffer
int scePmGetBootTypeIndicatorBit2ForDriver(char* result);
scePmGetBootTypeIndicatorBit2_2ForDriver
Version |
World |
NID
|
3.60 |
non-secure |
0xBD1F193B
|
gets data using ksceKernelGetSysrootBuffer
int scePmGetBootTypeIndicatorBit2_2ForDriver(char* result);
SceSblAIMgrForDriver
SceProcEventForDriver
SceSysrootForDriver
SceSysrootForDriver_930B1342
Version
|
World
|
NID
|
3.60
|
non-secure
|
0x930B1342
|
int sceSysrootInitI2c?(void);
SceDebugLed
SceDebugLedForDriver
SceDebugForKernel
SceDebugForKernel_82D2EDCE
Version |
NID
|
3.60 |
0x82D2EDCE
|
Print character.
int SceDebugForKernel_82D2EDCE(int character);
SceDebugForKernel_E783518C
Version |
NID
|
3.60 |
0xE783518C
|
Returns pointer to current debug print char handler.
void *SceDebugForKernel_E783518C(void);
SceDebugForKernel_E6115A72
Version |
NID
|
3.60 |
0xE6115A72
|
Set debug print char handler.
int SceDebugForKernel_E6115A72(int (*func)(void *arg, char c), void *args);
SceDebugForKernel_082B8D6A
Version |
NID
|
3.60 |
0x082B8D6A
|
Print kernel exception information
//name can be:
//UNDEF - ?
//PABT - Prefetch Abort
//DABT - Data Abort
//NEST - ?
int SceDebugForKernel_082B8D6A(void *unk, void *ctx, int index, char *name);
SceDebugForDriver
SceSysmemForTZS
SceSysmemForTZS_0028E26C
Version
|
World
|
NID
|
1.69
|
Secure
|
0x0028E26C
|
int sceKernelAllocMemBlockForPidForTZS(int pid, const char *name, SceKernelMemBlockType type, int size, SceKernelAllocMemBlockKernelOpt *optp);
SceSysrootForTZS
SceSysrootForTZS_29C1049E
Version
|
World
|
NID
|
1.69
|
secure
|
0x29C1049E
|
Get sysroot buffer.