Secure Modules

From Vita Development Wiki
Jump to navigation Jump to search

sm common code

sm modules are loaded to 0x80B000, then code from that addr is executed.

There is a lot of common code shared between sm: entry, cmd handler, cmd setup, etc

Entry

This is the first code executed in sm. It's located at 0x80B000. It does the following:

  • Get random value (stack cookie?)
  • call_ctors()
  • sm_main()
  • call_dtors()
  • syscall 1: Unload
  • while(1) sleep()

call_ctors/call_dtors

These just call function pointers, basically libc_init_array.

sm_main

It has a memory pool allocated on stack. It's filled with structures for command handlers. Then, it calls main_loop.

main_loop

This uses syscall 4 (RegisterIrqHandler) to register a common handler for incoming commands (cmd_handler). Then it loops while sm is "active". Then it sets handler for commands = null pointer.

cmd_handler

This is the common handler for all incoming commands. It reads paddr from 0xE0000014 and ANDs it with 1 to check validity. It checks that size is valid (>= 0x40 and < 0x1000), copies command buffer into private f00d memory and executes an appropriate command handler.

is_addr_range_arm_NS(addr, size)

This is used by cmd_handler to check if the input address of command buffer is safe. The allowed address ranges are:

  • Non-secure DRAM (starting at 0x40200000). Note: this is weird because if configuration (word at 0xE0062260) results in overflow, it does some crazy shit.
  • ScePowerScratchPad32KiB
  • SceVeneziaSpram