SceKernelModulemgr is in charge of loading both user modules and kernel modules. SceSblAuthMgr facilitates the SELF decryption process and this library loads the ELF programs into memory along with linking with NIDs and relocation of ELF in position independent executables.
Module
This module exists only in non-secure world. The SELF can be found in os0:kd/modulemgr.skprx
.
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceKernelModulemgr |
Non-secure |
Kernel |
0xAFDA75C2
|
3.60 |
SceKernelModulemgr |
Non-secure |
Kernel |
0x726C6635
|
3.65 |
SceKernelModulemgr |
Non-secure |
Kernel |
0x781C6F50
|
Libraries
This module exports kernel and user libraries.
Known NIDs
Types
//these types are defined in elfutils
typedef Elf32_Ehdr Elf32_Ehdr;
typedef Elf32_Phdr Elf32_Phdr;
typedef struct SCE_header
{
uint32_t magic; /* 53434500 = SCE\0 */
uint32_t version; /* header version 3*/
uint16_t sdk_type; /* */
uint16_t header_type; /* 1 self, 2 unknown, 3 pkg */
uint32_t metadata_offset; /* metadata offset */
uint64_t header_len; /* self header length */
uint64_t elf_filesize; /* ELF file length */
uint64_t self_filesize; /* SELF file length */
uint64_t unknown; /* UNKNOWN */
uint64_t self_offset; /* SELF offset */
uint64_t appinfo_offset; /* app info offset */
uint64_t elf_offset; /* ELF #1 offset */
uint64_t phdr_offset; /* program header offset */
uint64_t shdr_offset; /* section header offset */
uint64_t section_info_offset; /* section info offset */
uint64_t sceversion_offset; /* version offset */
uint64_t controlinfo_offset; /* control info offset */
uint64_t controlinfo_size; /* control info size */
uint64_t padding;
} SCE_header;
typedef struct SCE_appinfo
{
uint64_t program_authority_id; /* program authority id */
uint32_t vendor_id; /* vendor id */
uint32_t self_type; /* app type */
uint64_t version; /* app version */
uint64_t padding; /* UNKNOWN */
} SCE_appinfo;
typedef struct segment_info
{
uint64_t offset;
uint64_t length;
uint64_t compression; // 1 = uncompressed, 2 = compressed
uint64_t encryption; // 1 = encrypted, 2 = plain
} segment_info;
typedef struct self_data_buffer
{
SCE_header sce_header;
SCE_appinfo sce_appinfo;
Elf32_Ehdr elf_hdr;
//... data goes
} self_data_buffer;
typedef struct self_data_ctx //size is 0x30
{
self_data_buffer* self_header; // aligned buffer - based on (buffer_unaligned).
// points at SCE_header followed by SCE_appinfo
// size is usually 0x1000
uint32_t self_header_length;
Elf32_Ehdr* elf_ptr; // pointer constructed with elf_offset
Elf32_Phdr* phdr_ptr; // pointer constructed with phdr_offset
uint8_t type; // ex: 2
uint8_t init_completed;
uint8_t unk_12;
uint8_t unk_13;
segment_info* section_info_ptr; // pointer constructed with section_info_offset
void* buffer_unaligned; // SELF header data - size 0x103F - raw data read from file
int sm_ctx; // obtained with sceSblAuthMgrSmStartForKernel
SceSblSmCommContext130* context_130;
SceUID fd; // file descriptor of SELF file - obtained with sceIoOpenForDriver
SceUID pid;
uint32_t max_size;
} self_data_ctx;
typedef int(segment_decrypt_callback_t)(void* unk);
typedef struct self_decrypter_ctx //size is unknown
{
uint32_t unk_0;
uint32_t unk_4;
uint32_t unk_8;
uint32_t unk_C;
uint32_t unk_10;
uint32_t unk_14;
uint32_t unk_18;
uint32_t unk_1C;
self_data_ctx* data_ctx;
SceUID evid; // SceModuleMgrSelfDecryptComm event flag
SceUID tid; // SceModuleMgrSelfDecrypter thread
uint32_t unk_2C;
uint32_t unk_30;
uint32_t unk_34;
uint16_t segment_number;
uint16_t unk_3A;
uint32_t unk_3C; // = 0x10
uint32_t unk_40;
uint32_t unk_44;
segment_decrypt_callback_t* dec_callback;
//... data goes on
} self_decrypter_ctx;
Data segment layout
Address |
Size |
Description
|
0x0000 |
0x340 |
unknown
|
0x0340 |
at least 0x4C |
self_decrypter_ctx data
|
? |
? |
unknown
|
Loading Sequence
When loading a module the sequence creates a SceModule structure to represent it.
typedef struct
{
const char *filename; // 0x64
Elf32_Ehdr ehdr; // 0x74
Elf32_Phdr phdr; // 0xA8
void *text_addr; // 0x108
SceUID text_uid; // 0x10C
u32 text_size; // 0x110
void *kernel_addr; // 0x114
SceUID kernel_uid; // 0x118
unsigned int parent_pid; // 0x3E4
SceSblSmCommContext130* context_130;
} SceModule;
SELF Decryption
The following code can decrypt a SELF located at path
. Set user
to 1 if decrypting a user module else 0 for kernel. Set pathid
to 0 if you're decrypting the SELF at the right location (for example decrypting sysmem.skprx
located in os0:
). If you have copied the SELF elsewhere, you need to set the pathid
to the right value for where the real path was. usecdram
is for modules that are too large and won't fit in contiguous regular memory.
int decrypt_self(const char *path, const char *outprefix, int pathid, int usecdram, int user)
{
char outpath[256];
int ctx;
int ret;
int pid;
int fd = 0, wfd = 0;
char *somebuf = NULL;
char *hdr_buf = NULL, *hdr_buf_aligned;
char *data_buf = NULL, *data_buf_aligned;
int phdr;
unsigned int hdr_size;
// set up SBL decrypt context
ret = SceSblAuthMgrForKernel_0xA9CD2A09(&ctx);
printf("SceSblAuthMgrForKernel_0xA9CD2A09: 0x%08X, CTX: 0x%08X\n", ret, ctx);
if (ret < 0)
return 1;
// set up this weird buffer
somebuf = SceModulemgrForKernel_0xB4A1DE31_malloc(0x10005, 0x130);
printf("Weird buffer: 0x%08X\n", somebuf);
if (somebuf == NULL)
goto fail;
memset(somebuf, 0, 0x130);
if (ret < 0)
goto fail;
*(int *)(somebuf + 0x4) = user;
*(u64_t *)(somebuf + 0x8) = 0x2808000000000001LL;
*(u64_t *)(somebuf + 0x10) = 0xF000C000000080LL;
*(u64_t *)(somebuf + 0x18) = 0xFFFFFFFF00000000LL;
*(u64_t *)(somebuf + 0x30) = 0xC300003800980LL;
*(u64_t *)(somebuf + 0x38) = 0x8009800000LL;
*(u64_t *)(somebuf + 0x48) = 0xFFFFFFFF00000000LL;
if (pathid)
{
*(int *)(somebuf + 0x128) = pathid;
}
else
{
ret = SceIofilemgrForDriver_0x9C220246(0x10005, path, 1, somebuf + 0x128);
printf("SceIofilemgrForDriver_0x9C220246: 0x%08X\n", ret);
if (ret < 0)
goto fail;
}
// read header
fd = sceIoOpenForDriver(path, 1, 0);
printf("sceIoOpenForDriver: 0x%08X\n", fd);
if (fd < 0)
goto fail;
hdr_buf = SceModulemgrForKernel_0xB4A1DE31_malloc(0x10005, 0x1000+63);
hdr_buf_aligned = (char *)(((int)hdr_buf + 63) & 0xFFFFFFC0);
printf("Header buffer: 0x%08X, aligned: 0x%08X\n", hdr_buf, hdr_buf_aligned);
if (hdr_buf == NULL)
goto fail;
ret = sceIoReadForDriver(fd, hdr_buf_aligned, 0x1000);
printf("Header read: 0x%08X\n", ret);
hdr_size = *(unsigned int *)(hdr_buf_aligned + 0x10);
if (hdr_size > 0x1000)
{
printf("Header too large: 0x%08X\n", hdr_size);
goto fail;
}
ret = sceIoLseekForDriver(fd, 0LL, 0);
printf("Header rewind: 0x%08X\n", ret);
// set up SBL decryption for this SELF
ret = SceSblAuthMgrForKernel_0xF3411881(ctx, hdr_buf_aligned, hdr_size, somebuf);
printf("SceSblAuthMgrForKernel_0xF3411881: 0x%08X\n", ret);
if (ret < 0)
{
goto fail;
}
// set up read buffer
data_buf = SceModulemgrForKernel_0xB4A1DE31_malloc(0x10005, 0x10000+63);
data_buf_aligned = (char *)(((int)data_buf + 63) & 0xFFFFFFC0);
printf("Data buffer: 0x%08X, aligned: 0x%08X\n", data_buf, data_buf_aligned);
if (data_buf == NULL)
goto fail;
// get sections
int elf_offset = *(int*)(hdr_buf_aligned + 0x40);
int num_segs = *(short*)(hdr_buf_aligned + elf_offset + 0x2C);
printf("Number of segments to read: 0x%04X\n", num_segs);
int info_offset = *(int*)(hdr_buf_aligned + 0x58);
struct seg_info *segs = (struct seg_info *)(hdr_buf_aligned + info_offset);
int phdr_offset = *(int*)(hdr_buf_aligned + 0x48);
struct e_phdr *phdrs = (struct e_phdr *)(hdr_buf_aligned + phdr_offset);
// decrypt sections
int i;
int total, to_read, num_read, off;
int aligned_size;
int blkid = 0;
void *pgr_buf;
for (i = 0; i < num_segs; i++)
{
sprintf(outpath, "%s.seg%u", outprefix, i);
sceIoCloseForDriver(wfd);
wfd = sceIoOpenForDriver(outpath, 0x602, 6);
printf("sceIoOpenForDriver(%s): 0x%08X\n", outpath, wfd);
if (wfd < 0)
break;
if (blkid)
sceKernelFreeMemBlockForKernel(blkid);
aligned_size = (phdrs[i].p_filesz + 4095) & 0xFFFFF000;
if (usecdram)
blkid = sceKernelAllocMemBlockForKernel("self_decrypt_buffer", 0x40404006, 0x4000000, NULL);
else
blkid = sceKernelAllocMemBlockForKernel("self_decrypt_buffer", 0x1020D006, aligned_size, NULL);
printf("sceKernelAllocMemBlockForKernel: 0x%08X, size: 0x%08X\n", blkid, aligned_size);
ret = sceKernelGetMemBlockBaseForKernel(blkid, &pgr_buf);
printf("sceKernelGetMemBlockBaseForKernel: 0x%08X, base: 0x%08X\n", ret, pgr_buf);
if (ret < 0)
break;
// setup buffer for output
ret = SceSblAuthMgrForKernel_0x89CCDA2C(ctx, i, (u32_t)segs[i].length, pgr_buf, phdrs[i].p_filesz);
printf("SceSblAuthMgrForKernel_0x89CCDA2C: 0x%08X\n", ret);
if (ret < 0)
{
break;
}
ret = sceIoLseekForDriver(fd, segs[i].offset, 0);
printf("sceIoLseekForDriver(0x%08X): 0x%08X\n", (u32_t)segs[i].offset, ret);
if (ret < 0)
break;
total = (u32_t)segs[i].length;
to_read = total > 0x10000 ? 0x10000 : total;
off = 0;
while (total > 0 && (num_read = sceIoReadForDriver(fd, data_buf_aligned+off, to_read)) > 0)
{
off += num_read;
total -= num_read;
if (num_read < to_read)
{
to_read -= num_read;
continue;
}
ret = SceSblAuthMgrForKernel_0xBC422443(ctx, data_buf_aligned, off); // decrypt buffer
printf("SceSblAuthMgrForKernel_0xBC422443: 0x%08X\n", ret);
if (ret < 0)
printf("!!! ERROR !!!\n");
ret = SceSblAuthMgrForKernel_0x15248FB4(ctx, data_buf_aligned, off); // copy buffer to output
printf("SceSblAuthMgrForKernel_0x15248FB4: 0x%08X\n", ret);
if (ret < 0)
{
printf("!!! ERROR !!!\n");
}
off = 0;
to_read = total > 0x10000 ? 0x10000 : total;
}
// write buffer
off = 0;
while ((off += sceIoWriteForDriver(wfd, pgr_buf+off, phdrs[i].p_filesz-off)) < phdrs[i].p_filesz);
}
if (blkid)
sceKernelFreeMemBlockForKernel(blkid);
sceIoCloseForDriver(wfd);
fail:
SceSblAuthMgrForKernel_0x026ACBAD(ctx);
if (fd)
sceIoCloseForDriver(fd);
if (somebuf)
SceModulemgrForKernel_0xF4B2D8B8_free(somebuf);
if (hdr_buf)
SceModulemgrForKernel_0xF4B2D8B8_free(hdr_buf);
if (data_buf)
SceModulemgrForKernel_0xF4B2D8B8_free(data_buf);
return 1;
}
Module decryption and signature checks ("HENkaku patches" on 1.60)
SELF_Loading.
The code below will patch signature checks and bypass module decryption and allow homebrew to run. The idea is to hook SceSblAuthMgr* calls that are imported to SceKernelModulemgr. The offsets are from 1.60, you will probably need to modify hook_resume_sbl_* defines (set them to addresses of functions) and INSTALL_HOOK second arguments (set to addresses of imports in SceKernelModulemgr). As a bonus there's also patch_npdrm functions that patches SceNpDrm to bypass some DRM checks and allow unsigned packages to be installed, which you also need to modify, see SceNpDrm#Package_integrity_checks.
#define G_OUR_EBOOT *(unsigned*)(0x01e60000 - 20)
#define G_BUF *(unsigned*)(0x01e60000 - 12)
#define G_WRITTEN *(unsigned*)(0x01e60000 - 16)
#define Func(addr) ((unsigned(*)())(addr))
#define hook_resume_sbl_F3411881 Func(0x4BC6C9)
#define hook_resume_sbl_89CCDA2C Func(0x4BC851)
#define hook_resume_sbl_BC422443 Func(0x4BC909)
#define hook_resume_sbl_15248FB4 Func(0x4BCA89)
// setup file decryption
unsigned hook_sbl_F3411881(unsigned a1, unsigned a2, unsigned a3, unsigned a4) {
unsigned res = hook_resume_sbl_F3411881(a1, a2, a3, a4);
if (res == 0x800f0624 || res == 0x800f0616 || res == 0x800f0024) {
G_OUR_EBOOT = 1;
// patch somebuf so our module actually runs
unsigned *somebuf = (unsigned*)a4;
somebuf[42] = 0x40;
return 0;
} else {
G_OUR_EBOOT = 0;
}
return res;
}
// setup output buffer
unsigned hook_sbl_89CCDA2C(unsigned a1, unsigned a2, unsigned a3, unsigned a4, unsigned a5) {
G_BUF = a4;
G_WRITTEN = 0;
if (G_OUR_EBOOT == 1) {
return 0;
}
return hook_resume_sbl_89CCDA2C(a1, a2, a3, a4, a5);
}
// decrypt
unsigned hook_sbl_BC422443(unsigned a1, unsigned a2, unsigned a3) {
if (G_OUR_EBOOT == 1) {
return 0;
}
return hook_resume_sbl_BC422443(a1, a2, a3);
}
// copy to output
unsigned hook_sbl_15248FB4(unsigned a1, unsigned a2, unsigned a3) {
if (G_OUR_EBOOT == 1) {
memcpy((void*)(G_BUF + G_WRITTEN), (void*)a2, a3);
G_WRITTEN += a3;
return 0;
}
return hook_resume_sbl_15248FB4(a1, a2, a3);
}
#define INSTALL_HOOK(func, addr) \
{ unsigned *target; \
target = (unsigned*)addr; \
*target++ = 0xE59FF000; /* ldr pc, [pc, #0] */ \
*target++; /* doesn't matter */ \
*target = (unsigned)func; \
}
void hook_install(void) {
INSTALL_HOOK(hook_sbl_BC422443, 0x5BAA0C);
INSTALL_HOOK(hook_sbl_15248FB4, 0x5BA9CC);
INSTALL_HOOK(hook_sbl_F3411881, 0x5BAA1C);
INSTALL_HOOK(hook_sbl_89CCDA2C, 0x5BA9DC);
}
unsigned get_module_base(const char *name) {
int * modlist[MOD_LIST_SIZE];
int modlist_records;
int res;
SceModInfo modinfo;
memset(modlist, 0, sizeof(modlist));
modlist_records = MOD_LIST_SIZE;
sceKernelGetModuleListForKernel(0x10005, 0x7FFFFFFF, 1, modlist, &modlist_records);
for(int j = 0; j < modlist_records; j++) {
memset(&modinfo, 0, sizeof(modinfo));
res=sceKernelGetModuleInfoForKernel(modlist[j], &modinfo);
if (strcmp(modinfo.name, name) == 0)
return (unsigned)modinfo.module_top;
}
return 0;
}
void patch_npdrm(unsigned base) {
unsigned *patch;
// check where check_func[0] is called
patch = (unsigned*)(base + 0x310);
*patch = 0x47702001;
// check where check_func[1] is called
patch = (unsigned*)(base + 0xaa4);
*patch = 0x47702001;
// always return 1 in install_allowed
patch = (unsigned*)(base + 0x2d64);
*patch = 0x47702001;
// patch error code 0x80870003
patch = (unsigned*)(base + 0x4856);
*patch = 0x2500;
// second same error code
patch = (unsigned*)(base + 0x35fe);
*patch = 0x2600;
}
// call this from a thread
int hook(void) {
fprintf("Hook start\n");
unsigned prev_dacr;
__asm__ volatile("mrc p15, 0, %0, c3, c0, 0" : "=r" (prev_dacr));
__asm__ volatile("mcr p15, 0, %0, c3, c0, 0" : : "r" (-1));
unsigned base_npdrm = get_module_base("SceNpDrm");
fprintf("SceNpDrm base: 0x%08x\n", base_npdrm);
patch_npdrm(base_npdrm);
hook_install();
__asm__ volatile("MCR p15, 0, %0, c7, c5, 0" : : "r" (0)); // flush icache
__asm__ volatile("mcr p15, 0, %0, c3, c0, 0" : : "r" (prev_dacr));
sceKernelDelayThread(4000000);
return 0;
}
SceModulemgrForKernel
sceKernelDecryptSelfByPathForKernel
Version
|
NID
|
1.69
|
0x448810D5
|
3.60
|
0x448810D5
|
int sceKernelDecryptSelfByPathForKernel(const char *path, int e_phnum, void *buffer, uint32_t bufsize, int zero_unk, uint32_t *bytes_read);
This is an easy way of decrypting SELFs but you are limited to the kinds of SELFs you can load in the current context (for example, you can't load user libraries from kernel context). It is also susceptible to limitations of where the SELF can be loaded from. For example, you are not allowed to load SELFs found in os0
from ux0
. This is because it checks the PathId.
sceKernelGetModuleListForKernel
Version |
NID
|
1.60 |
0x97CF7B4E
|
3.60 |
0x97CF7B4E
|
sceKernelGetModuleList2ForKernel
Version |
NID
|
3.60 |
0x410E1D2E
|
Found by Princess
sceKernelGetModuleUidForKernel
Version |
NID
|
3.60 |
0x3B93CF88
|
Found by Princess
sceKernelGetModuleUidListForKernel
Version |
NID
|
3.60 |
0x1FDEAE16
|
Found by Princess
sceKernelGetModuleInfoForKernel
Version |
NID
|
3.60 |
0xD269F915
|
sceKernelGetModuleInfo2ForKernel
Version |
NID
|
3.60 |
0x6A655255
|
Found by Princess
sceKernelGetModuleInternalForKernel
Version |
NID
|
3.60 |
0xFE303863
|
sceKernelGetModuleLibraryInfoForKernel
Version |
NID
|
3.60 |
0xD4BF409C
|
Found by Princess
sceKernelGetProcessMainModuleForKernel
Version |
NID
|
3.60 |
0x20A27FA9
|
/**
* @brief Get the main module for a given process.
* @param pid The process to query.
* @return the UID of the module else < 0 for an error.
*/
SceUID sceKernelGetProcessMainModuleForKernel(SceUID pid);
sceKernelGetProcessMainModulePathForKernel
Version |
NID
|
3.60 |
0x779A1025
|
Found by Princess
sceKernelMountBootfsForKernel
Version |
NID
|
3.60 |
0x01360661
|
sceKernelUmountBootfsForKernel
Version |
NID
|
3.60 |
0x9C838A6B
|
sceKernelLoadModuleForPidForKernel
Version |
NID
|
3.60 |
0xFA21D8CB
|
sceKernelStartModuleForPidForKernel
Version |
NID
|
3.60 |
0x6DF745D5
|
sceKernelStopModuleForPidForKernel
Version |
NID
|
3.60 |
0x7BB4CE54
|
sceKernelUnloadModuleForPidForKernel
Version |
NID
|
3.60 |
0x5972E2CC
|
sceKernelLoadStartDefaultSharedModulesForPidForKernel
Version |
NID
|
1.69 |
0x3AD26B43
|
3.60 |
0x3AD26B43
|
This loads the default shared modules for a process (only the ones that are actually imported). This includes, for example, SceLibKernel
. Modules are loaded with flags 0x10000000
meaning that text pages can be shared. If dipsw 210 is set, then flag 0x1000
is set, meaning that if the existing page is found, do not share it but instead make a copy.
int sceKernelLoadStartDefaultSharedModulesForPidForKernel(int pid, void *unk_buf, int flags);
SceModulemgrForDriver
sceKernelGetModuleInfoForDriver
sceKernelSearchModuleByNameForDriver
Version |
NID
|
3.60 |
0xBBE1771C
|
sceKernelGetSystemSwVersionForDriver
Version |
NID
|
1.69 |
0x5182E212
|
3.60 |
0x5182E212
|
sceKernelSetSystemSwVersionForDriver
Version |
NID
|
1.69 |
0x912AEB73
|
3.60 |
non existent
|
sceKernelLoadStartModuleForDriver
Version |
NID
|
1.69 |
0x189BFBBB
|
3.60 |
0x189BFBBB
|
int sceKernelLoadStartModuleForDriver(const char *path, SceSize args, void *argp, int flags, SceKernelLMOption *option, int *status);
sceKernelLoadStartModuleForPidForDriver
Version |
NID
|
3.60 |
0x9D953C22
|
ceUID sceKernelLoadStartModuleForPidForDriver(SceUID pid, const char *path, SceSize args, void *argp, int flags, SceKernelLMOption *option, int *status);
sceKernelLoadStartSharedModuleForPidForDriver
Version |
NID
|
3.60 |
0xE2ADEF8D
|
SceUID sceKernelLoadStartSharedModuleForPidForDriver(SceUID pid, const char *path, SceSize args, void *argp, int flags, SceKernelLMOption *option, int *status);
sceKernelLoadModuleWithoutStartForDriver / sceKernelLoadModuleForDriver
Version |
NID
|
1.69 |
0x86D8D634
|
3.60 |
0x86D8D634
|
int opt = 4; // must be set
SceUID sceKernelLoadModuleForDriver(const char *path, int flags, SceKernelLMOption *option);
Returns int modid (to use with sceKernelStartModuleForDriver).
sceKernelStartModuleForDriver
Version |
NID
|
1.69 |
0x0675B682
|
3.60 |
0x0675B682
|
// flags must be 0
// opt can be null
int sceKernelStartModuleForDriver(SceUID modid, SceSize args, void *argp, int flags, SceKernelLMOption *option, int *status);
sceKernelStopUnloadModuleForDriver
Version |
NID
|
1.69 |
0x03B30B7E
|
3.60 |
0x03B30B7E
|
// flags must be 0
// opt can be null
int sceKernelStopUnloadModuleForDriver(SceUID modid, SceSize args, void *argp, int flags, SceKernelULMOption *option, int *status);
sceKernelStopUnloadModuleForPidForDriver
Version |
NID
|
3.60 |
0x49A3EDC7
|
int sceKernelStopUnloadModuleForPidForDriver(SceUID pid, SceUID modid, SceSize args, void *argp, int flags, SceKernelULMOption *option, int *status);
sceKernelStopUnloadSharedModuleForPidForDriver
Version |
NID
|
3.60 |
0x02D3D0C1
|
int sceKernelStopUnloadSharedModuleForPidForDriver(SceUID pid, SceUID modid, SceSize args, void *argp, int flags, SceKernelULMOption *option, int *status);
sceKernelStopModuleForDriver
Version |
NID
|
1.69 |
0x100DAEB9
|
3.60 |
0x100DAEB9
|
int sceKernelStopModuleForDriver(SceUID modid, SceSize args, void *argp, int flags, SceKernelULMOption *option, int *status);
sceKernelUnloadModuleForDriver
Version |
NID
|
1.69 |
0x728E72A6
|
3.60 |
0x728E72A6
|
// flags must be 0
int sceKernelUnloadModuleForDriver(SceUID modid, int flags, SceKernelULMOption *option);
SceModulemgr
__sceKernelLoadModuleWithoutStart
Version |
NID
|
1.69 |
0xA4E6DA4D
|
3.60 |
non existent
|
_sceKernelLoadModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0xB4C5EF9E
|
_sceKernelLoadStartModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x60647592
|
__sceKernelStartModule
Version |
NID
|
1.69 |
0x1FD99C9F
|
3.60 |
non existent
|
_sceKernelStartModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x72CD301F
|
__sceKernelStopModule
Version |
NID
|
1.69 |
0xBA49EA5C
|
3.60 |
non existent
|
_sceKernelStopModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x086867A8
|
_sceKernelStopUnloadModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x86EAEA0A
|
__sceKernelUnloadModuleWithoutStop
Version |
NID
|
1.69 |
0xE439E26B
|
3.60 |
non existent
|
_sceKernelUnloadModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x8E4A7716
|
__sceKernelOpenModule
Version |
NID
|
1.69 |
0x9C2A9A49
|
3.60 |
non existent
|
_sceKernelOpenModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x9D674F45
|
__sceKernelCloseModule
Version |
NID
|
1.69 |
0x5303C52F
|
3.60 |
non existent
|
_sceKernelCloseModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x849E78BE
|
sceKernelKttyWrite
Version |
NID
|
1.69 |
0x4D76CF9E
|
3.60 |
non existent
|
sceKernelPutc
Version |
NID
|
1.69 |
0x9D2FE122
|
3.60 |
non existent
|
sceKernelGetSystemSwVersion
Version |
NID
|
1.69 |
0x5182E212
|
3.60 |
0x5182E212
|
sceKernelSetSystemSwVersion
Version |
NID
|
1.69 |
0x912AEB73
|
3.60 |
non existent
|
sceKernelGetAllowedSdkVersionOnSystem
Version |
NID
|
1.69 |
0x4397FC4E
|
3.60 |
0x4397FC4E
|
sceKernelGetModuleList
Version |
NID
|
1.69 |
0x2EF2581F
|
3.60 |
0x2EF2581F
|
sceKernelGetModuleIdByAddr
Version |
NID
|
1.69 |
0xF5798C7C
|
3.60 |
0xF5798C7C
|
sceKernelGetModuleInfo
Version |
NID
|
1.69 |
0x36585DAF
|
3.60 |
0x36585DAF
|
sceKernelGetLibraryInfoByNID
Version |
NID
|
1.69 |
0xEAEB1312
|
3.60 |
0xEAEB1312
|
sceKernelIsCalledFromSysModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x85E6D2BB
|
sceKernelInhibitLoadingModule
Version |
NID
|
1.69 |
non existent
|
3.60 |
0x6CED1F63
|
Added somewhere between 3.30 an 3.60 to prevent loading Sysmodules from webbrowser. (see Vitasploit 2.00-3.36 and h-encore 3.65)
SceBacktraceForDriver
sceKernelBacktraceForDriver
Version |
NID
|
3.60 |
0x166B9C8C
|
// a4 size = 0x10
int _sceKernelBacktrace(int a1, int a2, int a3, char* a4);
SceBacktraceForDriver_7C878F90
Version |
NID
|
3.60 |
0x7C878F90
|
SceBacktraceForDriver_888E99B8
Version |
NID
|
3.60 |
0x888E99B8
|
SceBacktrace
_sceKernelBacktrace
Version |
NID
|
3.60 |
0xBF371A98
|
Calls sceKernelBacktraceForDriver().
// a4 size = 0x10
int _sceKernelBacktrace(int a1, int a2, int a3, char* a4);