Changes

1,352 bytes added ,  03:28, 15 June 2018
no edit summary
Line 367: Line 367:     
There's evidence that the bootloaders are re-encrypted with probably per-console keys during the update process. <code>second_loader.enp</code> and <code>second_loader.enc</code> are transformed into <code>second_loader.enp_</code> and <code>second_loader.enp</code> respectively by F00D before flashing (and the same thing is done to <code>secure_kernel</code>).
 
There's evidence that the bootloaders are re-encrypted with probably per-console keys during the update process. <code>second_loader.enp</code> and <code>second_loader.enc</code> are transformed into <code>second_loader.enp_</code> and <code>second_loader.enp</code> respectively by F00D before flashing (and the same thing is done to <code>secure_kernel</code>).
 +
 +
== Some useful notes ==
 +
 +
<code>SceSblSsUpdateMgr</code> exports function with NID <code>0x6E8DDAC4</code> that does the bulk of the work decrypting and flashing all the update parts. There appears to be two ways to skip the version checks (but not revokion checks). First is to patch the import from <code>SceQafMgrForDriver</code> function NID <code>0x8C423C18</code> (takes no arguments) to return 1. Alternatively, patch [[Sysroot]] offset 0x2C+3 and set bit 0x2. This will bypass ALL version checks, including the peripherals which might be dangerous.
 +
 +
The second way is to patch <code>SceVshBridge</code> export of <code>vshSblAimgrIsCEX</code> (takes no arguments) to return 0. Alternatively patch <code>ScePsp2Swu</code>'s import of that function. This flag is set by psp2swu.self to indicate bypassing of version checks on the bootloader and system partitions. All other components will be updated if at higher version. This is what devkits do by default. You can also patch the flags directly. In <code>0x6E8DDAC4</code>, <code>0x1A39F6EE</code>, and <code>0xC1792A1C</code> (in order: flash, dry run, decrypt only) you can patch the flags argument directly and set <code>0x8</code> to indicate skipping version check on bootloader and system partitions. The flags argument found in R1 (second argument) as a user memory pointer offset 0x10.
    
[[Category:Applications]]
 
[[Category:Applications]]
 
[[Category:Kernel]]
 
[[Category:Kernel]]
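Review bot: the added "Some useful notes" section says there are "two ways to skip the version checks" but then lists three distinct patch points with different scope (the SceQafMgrForDriver NID 0x8C423C18 import returning 1, the Sysroot offset 0x2C+3 bit 0x2 patch, and the vshSblAimgrIsCEX / flags-bit-0x8 patch), and the text itself says the Sysroot patch "will bypass ALL version checks, including the peripherals" while the 0x8 flag only covers the bootloader and system partitions; state up front that these are not equivalent and say what "might be dangerous" means here, since the consequence of skipping peripheral version checks is left unstated. Smaller points in the same paragraphs: "revokion checks" should read "revocation checks"; "This flag is set by psp2swu.self to indicate bypassing of version checks" has no antecedent, because the 0x8 flag is only introduced two sentences later, so name the flag there; and "The flags argument found in R1 (second argument) as a user memory pointer offset 0x10" should read "The flags argument is at offset 0x10 of the user-memory structure pointed to by R1 (the second argument)".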
