SceSysmem

SceSysmem is a kernel module that acts as the heart of the kernel. It exports multiple libraries for various features. SceSysmem is the first module that is loaded in the kernel load sequence and its libraries are imported by almost all other modules. See Virtual Memory and Physical Memory for more details on the memory subsystem.

Module
This module exists in both non-secure and secure world. The non-secure world SELF can be found in. It also can be found in the Boot Image.

Memory Block Type
The  parameter indicates what kind of memory to allocate. Here is a mapping of  flags to ARM MMU flags. Higher bits are used for other options including where to allocate from. Not all flag values are valid, there is a table of valid types in the kernel. You cannot, for example, allocate RWX memory.

SceSysmemForKernel
ED221825 Calls SceSysmemForDriver_0FC24464.

sceKernelRxMemcpyKernelToUserForPidForKernel
Unrestricted memcpy to the virtual address space for process. Both  and   must be in the address space of   but   must also be accessible in the address space of the caller. This is normally used for resolving stubs in module loads. Same as write to RO but does a cache flush.

Switch TTB For PID
Changes the TTBR to point to the tables for a given PID.

sceKernelAllocHeapMemoryFromGlobalHeapForDriver
Same as  but uses global pool.

sceKernelAllocHeapMemoryFromGlobalHeapWithOptForDriver
Same as  but uses   and uses global pool.

sceKernelAllocHeapMemoryWithOpt1ForDriver
Same as  but uses.

sceKernelAllocHeapMemoryWithOpt2ForDriver
Same as  but uses.

sceKernelAllocMemBlockForDriver
The interface is the same as the user version of this call, however more types can be specified and more options are in the pOpt argument.

To allocate a kernel RW block of memory, specify.

To allocate a block of memory with a specific physical address, specify  or ,  , and.

To allocate a block of memory that is kernel executable, specify.

To allocate a block of memory that is physically contiguous, specify,   and an alignment to.

To allocate a block of memory inside the CDRAM, specify.

sceKernelCreateHeapForDriver
The heap pool is thread safe.

sceKernelFirstDifferentBlock32UserForPidForDriver
Looks for an integer in userspace.

sceKernelFreeHeapMemoryForDriver
Other name sceKernelMemPoolFree.

sceKernelGetMemBlockPARangeForDriver
Previous name was sceKernelGetMemBlockAddrPairForUidForDriver

Returns the paddr and size (addrpair) of the memblock if it's physically continuous.

sceKernelGetMemBlockVBaseForDriver
Wrongly named sceKernelGetMemBlockKernelPageForDriver.

sceGUIDReferObjectWithClassLevelForDriver
Temp name was sceKernelGetObjectForUidForClassForAttrForDriver.

sceKernelVAtoPAForDriver
Wrongly named sceKernelGetPaddrForDriver.

This will write the physical address for a virtual address  to memory pointed to by.

Returns <0 on error, values >=0 indicate success.

sceKernelGetPaddrListForDriver
This function takes in two parameters: an array of length 2 specifying the virtual address and the size of the block of memory and a request information. The function will write into  an array of   that encompasses the block of memory specified in the input. will contain the number of entries written. If  is null, it will just write the count.

sceKernelAddressSpaceVAtoPABySWForDriver
Previous name was sceKernelGetPaddrWithSectionTypeCheckForDriver

sceKernelUserMapForDriver
Wrongly named sceKernelMapUserBlockForDefaultTypeForDriver.

Assigns type 0.

sceKernelMapUserBlockForDefaultTypeForPidForDriver
Assigns type 0.

sceKernelMapUserBlockForDriver
Permission is either "1" for read only, no execute or "2"/"3" for read write, no execute. Type is either 0, 1, or 17 and affects the block type. 0 is default. This will allocate kernel memory starting at kernel_page. To get the same memory as the user pointer, add the kernel_offset. kernel_size is how much is allocated.

sceKernelMemRangeReleaseWithPermForDriver
Decrease references to pages.

sceKernelMemRangeRetainWithPermForDriver
Increase references to pages.

sceKernelMemcpyKernelToUserForDriver
Real name might be sceKernelCopyToUserForDriver.

sceKernelMemcpyKernelToUserForPidForDriver
This will not crash on invalid user pointers, but instead return error.

sceKernelMemcpyUserToKernelForDriver
Real name is sceKernelCopyFromUserForDriver.

sceKernelMemcpyUserToKernelForPidForDriver
Same as, but copies from the specified process.

sceKernelRemapBlockForDriver
This is used to remap RW memory as RX. To do this, first allocate a memory block of type. After you are done writing, call this with  set to.

sceKernelGetPhysicalMemoryTypeForDriver
Previous name was sceKernelVaddrMaybeGetSectionTypeForDriver

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

SceSysmemForDebugger
This library was removed somewhere between 1.692 and 3.60.

SceSysmem
The SceSysmem library is responsible for both low-level and high-level memory management. There are functions for allocating raw blocks of memory (similar to Linux ) as well as functions for maintaining a heap-like structure (similar to  ) for kernel, however SceLibKernel implements a proper heap and that is used for user code.

sceKernelGetDipswInfoForDriver
return *(int *)(dipsw_addr + 4 * info_id);

0	0x40	0x4	DevKit CP timestamp 1

1	0x44	0x2	DevKit CP Version

2	0x46	0x2	DevKit CP Build ID

3	0x48	0x4	DevKit CP timestamp 2 (strangely also set on Retail and TesKit)

sceUartReadAvailableForKernel
Returns the number of words available to read from the read FIFO.

sceUartInitForKernel
It initializes the clock generator registers for the. The default baud rate is 115200 for devices 0-5 and 250000 for the device 6.

SceCpu
This library provides wrapper for much ARM CP15 co-processor access as well as low level support of spinlocks and other synchronization primitives.

sceKernelCpuGetCpuId
Return the CPU ID of the current core.

sceKernelCpuGetCONTEXTIDRForKernel
The CONTEXTIDR, bits [31:0] contain the process ID number.

sceKernelCpuPreloadEngineKill

 * NSACR (Non-Secure Access Control Register)
 * Test bit NS access to the Preload Engine resources
 * [>] PLEFF (Preload Engine FIFO flush operation)
 * [>] PLEKC (Preload Engine kill channel operation)
 * [<] PLEASR (Preload Engine Activity Status Register)

sceKernelCpuUnrestrictedMemcpyForKernel
Unrestricted memcpy by first setting the  register to   and then doing a memcpy.

sceKernelMMUVAtoPAWithModeForKernel
Temp name was sceKernelCpuGetPaddrWithMaskForKernel.

maskPAR is usually 0x33, sometimes 2.

sceKernelCpuGetPaddrForKernel
Uses maskPAR 0x33.

sceKernelCpuForKernel_9B8173F4
Might be get_vaddr_memory_type.

Return value can be:
 * 2
 * 8
 * 0x40
 * 0x80
 * 0xD0
 * 0x80022007 (SCE_KERNEL_ERROR_VA2PA_FAULT)

SceCpuForKernel_A5C9DBBA
Uses sceKernelCpuGetCpuIdForDriver, sceKernelCpuAtomicGetAndSub16ForDriver and sceKernelCpuUnlockStoreLRForDriver.

SceCpuForKernel_9D72DD1B
Uses sceKernelCpuGetCpuIdForDriver and sceKernelCpuLockStoreLRForDriver.

SceCpuForKernel_4CD4D921
aka write 01 00 00 00 04 00 04 00 at addr.

SceCpuForKernel_43CC6E20
Only used by SceKernelThreadmgr.

DACR off

Does some memory copies between the args.

SceCpuUnrestrictedBzeroIntForKernel
Only used by SceKernelThreadmgr.

DACR off

SceCpuForKernel_337473B5
Only used by SceKernelThreadmgr.

DACR off

SceCpuForKernel_37FBFD12
Only used by SceKernelThreadmgr.

same as SceCpuForKernel_337473B5 but DACR is not disabled

SceCpuForKernel_D37AABE5
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12 but with a3

DACR is not disabled

SceCpuForKernel_4553FBDE
Only used by SceKernelThreadmgr.

DACR is not disabled

SceCpuForKernel_6190A018
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

SceCpuForKernel_D8A7216C
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

SceCpuForKernel_7FB4E7AC
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

SceCpuForKernel_8510FA52
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

SceCpuForKernel_5F64E5ED
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

SceCpuForKernel_98E91C1C
Only used by SceKernelThreadmgr.

similar as SceCpuForKernel_37FBFD12

DACR is not disabled

sceKernelCpuGetCpuIdForDriver
Return the CPU ID of the current core.

sceKernelCpuDcacheAndL2InvalidateMVACRange_1ForDriver
1

sceKernelCpuDcacheAndL2InvalidateMVACRange_20ForDriver
0x20

sceKernelCpuDcacheAndL2CleanInvalidateMVACRange_1ForDriver
1

sceKernelCpuDcacheAndL2CleanInvalidateMVACRange_20ForDriver
0x20

sceKernelDcacheCleanRangeCoreForDriver
Temp named sceKernelCpuDcacheAndL2CleanMVACRange_1ForDriver.

1

sceKernelCpuDcacheAndL2CleanMVACRange_20ForDriver
also called ksceKernelCpuDcacheWritebackRange, flush_dcache.

0x20

sceKernelCpuIsVaddrMappedForDriver
These functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.

sceKernelCpuUnlockStoreFlagForDriver
These functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.

LR is stored as addr value.

While mutex is held, interrupts are disabled.

Used like this:

sceKernelCpuUnlockResumeIntrStoreLRForDriver
These functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.

0x80000000 is stored as addr value.

While mutex is held, interrupts are disabled.

Used like this:

sceKernelCpuDisableInterruptsForDriver
Disable irq (but not fiq) and returns previous interrupt bit status (so either 0 or 0x80).

sceKernelCpuEnableInterruptsForDriver
Restore previous irq state, pass either 0 or 0x80.

SceSysclibForKernel
Was present on 1.69. Doesn't exist on 3.60.

SceSysclibForDriver
The C standard library for use in kernel only. (Userland have SceLibKernel, which confusingly is userland only).

Include standard string functions (no insecure variants like ).

memcmp
timing constant memcmp

memmove
On 1.69, this seems to be implemented incorrectly.

sceSysrootGetModuleInfoForPidForKernel
Returns export info at address for pid (contains module, lib and NID and their names).

SceSysrootForKernel_CC85905B
Returns the exception vectors base address. The address of the exception vectors for the CPU  is:.

SceSysrootForKernel_377895EB
Returns 0 on success, 0xFFFFFFFF on error.

a1 usually takes value 1 after this function is called.

Called by sceSblAuthMgrAuthHeaderForKernel before F00D request.

sceKernelSysrootGetKblParamForKernel
Temp name was sceSysrootGetSysrootBufferForKernel.

Returns pointer to Sysroot buffer.

sceSysrootGetFactorySystemSwVersionForKernel
return (int)(sysroot_buffer->factory_fw_version);

sceSysrootGetUnkCForKernel
return (int)(sysroot_buffer->unk_C);

sceSysrootGetUnk10ForKernel
return (int)(sysroot_buffer->unk_C + 4);

sceSysrootGetUnkC0ForKernel
return sysroot_buffer->unk_C0;

sceSysrootGetWakeupFactorForKernel
return sysroot_buffer->wakeup_factor;

sceSysrootGetHardwareInfoForKernel
return sysroot_buffer->hardware_info;

sceSysrootGetSessionIdForKernel
Writes sysroot_buffer->session_id to buffer.

Buffer size is 0x10.

sceSysrootGetHardwareFlagsForKernel
Writes sysroot_buffer->hardware_flags to buffer.

Buffer size is 0x10.

sceSysrootIsExternalBootModeForKernel
return *(int *)(sysroot_buffer->boot_type_indicator_1) & 1;

sceKernelIsSomeBootModeForKernel
return (*(int *)(sysroot_buffer->boot_type_indicator_1) >> 19) & 1;

sceKernelIsColdBootForKernel
return (*(int *)(sysroot_buffer) + 0x28) & 10;

sceSysrootIsSomeBootMode2ForKernel
return sysroot_buffer->boot_type_indicator_1[2] & 1;

sceSysrootIsSomeModeForKernel
Returns true if (sysroot->boot_flags[0x1] != 0xFF).

sceSysrootIsSomeModeForKernel
Returns true if (sysroot->boot_flags[0x1] != 0xFF).

sceSysrootIsBsodRebootForKernel
return (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 0x17;

sceSysrootIsUsbEnumWakeupForKernel
if ( *(int *)(sysroot_buffer->unk_C0) & 0x90000 ) result = 1; else result = (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 0xF; return result;

sceSysrootIsUnknownRebootForKernel
return (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 1;

sceSysrootUseExternalStorageForKernel
Returns true when Manufacturing Mode flag is set:

return (*(int *)(sysroot_buffer->boot_type_indicator_1) >> 2) & 1;

sceSysrootUseInternalStorageForKernel
Returns true when use internal storage flag is not set:

return *(char *)(sysroot_buffer->boot_flags[5]) & 1 ^ 1;

sceSysrootRegisterLicMgrGetLicenseStatusForKernel
Write value at sysroot_ctx + 0x380.

sceSysrootExecuteUnk344ForKernel
Calls int (__cdecl *unk344);

sceSysrootUtMgrHasNpTestFlagForKernel
Calls int (__cdecl *sceSblUtMgrHasNpTestFlagForDriver);

sceKernelAllocHeapMemoryForKernel
Same as  but does set   to 0x1000B.

Checks that uid is 0x10013 or 0x10005

SceSysrootForDriver_421EFC96
Patched by HENkaku payload.c and update365 by TheFloW.

sceSysrootSetSystemSwVersionForDriver
Set System Software version as int in SceSysmem memory. For exemple: 0x3650000 on 3.65.

sceSysrootGetSystemSwVersionForDriver
Returns System Software version as int from SceSysmem memory. For exemple: 0x3650000 on 3.65.

sceAesDecrypt1ForDriver
Decrypt with AES.

sceAesEncrypt1ForDriver
Encrypt with AES. There are two functions that are the same on 1.69.

sceAesEncrypt2ForDriver
Encrypt with AES. There are two functions that are the same on 1.69.

sceAesInit1ForDriver
This sets up the AES engine. is a 960 byte buffer (int 1.69). and  is the security in bits. 128/196/256 are supported values.

last arg to subroutine is 0

sceAesInit2ForDriver
last arg to subroutine is 1

sceAesInit3ForDriver
last arg to subroutine is 2

SceZlibForDriver
zlib compression library.

SceKernelSuspendForDriver
Used to register callbacks for handling suspend/resume related events.

sceKernelRegisterSysEventHandlerForDriver
Previous name was sceKernelSuspendRegisterCallbackForDriver

Registers a function for handling suspend/resume. is 0 if we are currently suspending and 1 if we are currently resuming. is passed from the registration. Registration adds an entry to a linked list and returns the block id for the new entry.

Returns the suspend_callback_id.

sceKernelUnregisterSysEventHandlerForDriver
Call with the id returned from  to remove the entry from the linked list and free the memory.

sceKernelSysEventDispatchForDriver
This will go through the linked list and call each callback. If  is set, then the first callback that returns a negative value will stop the call chain and return the block id of the callback that broke the chain. Otherwise, this function will invoke each callback and return zero.

sceKernelPowerTickForDriver
Cancel specified idle timers to prevent entering in power save processing.

Returns 0 on success.

SceQafMgrForDriver
Provides many device permission checks including PSVita model checks, running app privilege checks, debugging enabled checks, and so on.

SceQafMgrForDriver_7B14DC45
Used by SceAppMgr.

return ((unsigned int)*(char *)(SceSysrootGetSysrootBufferForKernel + 0x2D) >> 1) & 1; // = 0x2D + BIT number 30

SceQafMgrForDriver_082A4FC2
Used by SceSblFwLoader.

scePmMgrGetProductModeForDriver
Returns 0 on success.

Gets sysroot_buffer using sceKernelGetSysrootBufferForDriver.

result = ((int *)(sysroot_buffer->boot_type_indicator_1) >> 2) & 1; // manufacturing mode flag

scePmMgrIsExternalBootModeForDriver
Gets sysroot_buffer using sceKernelGetSysrootBufferForDriver.

return (int *)(sysroot_buffer->boot_type_indicator_1) & 1;

sceSblAIMgrGetProductCodeForDriver
Product Code = Target Id

sceSblAIMgrGetProductSubCodeForDriver
Product Sub Code = Model revision

sceSblAIMgrIsTestForDriver
TEST = Internal Test Unit

Returns true if PsCode Product Code <= 0x100.

sceSblAIMgrIsToolOrTestForDriver
TOOL = DevKit

Returns true if PsCode Product Code <= 0x101.

sceSblAIMgrIsNonCEXForDriver
Returns true if PsCode Product Code <= 0x102.

sceSblAIMgrIsCEXForDriver
Returns true if PsCode Product Code <= 0x111 AND sceSblAIMgrIsJapaneseFatForDriver returns false.

sceSblAIMgrIsVITAForDriver
Returns sceSblAIMgrIsGenuineVITAForDriver.

sceSblAIMgrIsDolceForDriver
Returns sceSblAIMgrIsGenuineDolceForDriver if returns true else returns sceKernelCheckDipswForDriver(0x98).

sceSblAIMgrIsGenuineVITAForDriver
Returns true if:
 * PsCode Product Code <= 0x111 AND sceSblAIMgrIsGenuineDolceForDriver returns false
 * sceSblAIMgrIsJapaneseFatForDriver returns true AND HardwareInfo != 0x700000 != 0x720000 != 0x510000

sceSblAIMgrIsToolRev3ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 3.

sceSblAIMgrIsToolRev4ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 4.

sceSblAIMgrIsToolRev5ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 5.

sceSblAIMgrIsPrototypeRev2ForDriver
Returns true if PsCode Product Code == 0x103 and PsCode Product Sub Code <= 2.

sceSblAIMgrIsPrototypeRev7ForDriver
Returns true if PsCode Product Code == 0x103 and PsCode Product Sub Code <= 7.

sceKernelUnregisterProcEventHandlerForDriver
Previous name was sceProcEventDeleteUidForDriver.

Wrapper to sceKernelDeleteUidForDriver.

sceKernelRegisterProcEventHandlerForDriver
Previous name was sceProcEventCreateEventForDriver

Uses sceKernelCreateEventForDriver.

Returns uid.

sceKernelInvokeProcEventHandlerForDriver
Uses suspend/resume LR.

sceKernelGetGPIForDriver
Only SceDebugLedForDriver function used by SceCoredump.

sceDebugPutcharForKernel
Print character.

sceDebugGetPutcharHandlerForKernel
Returns pointer to current debug print char handler.

sceDebugRegisterPutcharHandlerForKernel
Set debug print char handler.

SceDebugForKernel_082B8D6A
Print kernel exception information.

invoke_some_callback
Uses sceKernelCpuLockSuspendIntrStoreLRForDriver and sceKernelCpuLockResumeIntrStoreLRForDriver.

Calls SceSysclibForDriver_E38E7605.

Maybe invoke debug handler.

sceSysrootGetSysrootBufferForTZS
Returns pointer to Sysroot buffer.