SceKernelModulemgr

SceKernelModulemgr is in charge of loading both user modules and kernel modules. SceSblAuthMgr handles the SELF decryption process; this library then loads the ELF program segments into memory, resolves imports by NID, and applies the relocations needed for position-independent executables.

Module
This module exists only in non-secure world. The SELF can be found in.

Libraries
This module exports kernel and user libraries.

module_start failed
module_start should not normally return SCE_KERNEL_START_FAILED, so if the flow fails for some reason and module_start does return SCE_KERNEL_START_FAILED, a kernel panic is triggered.

module_start no resident
If module_start returns SCE_KERNEL_START_NO_RESIDENT, the module will start successfully, but it will be unloaded after the module_start call.

However, if the module_start of a module that exports a syscall is called after boot and returns SCE_KERNEL_START_NO_RESIDENT, a kernel panic is triggered.

How to get module info
modid and SceUIDModuleClass are required to get module information.

Simply call sceGUIDReferObjectForDriver (sceKernelGetObjectForUidForDriver) with these parameters.

Module decrypt threads
SceKernelModulemgr_func_8100910D

This thread waits in sceKernelWaitEventFlagForDriver until a module decrypt request arrives.

The bits argument passed to sceKernelWaitEventFlagForDriver is 3.

Common functions
Decrypt module to membase with current ctx.

Called whenever a module is loaded.

Reads the header from the passed fd and performs some checks.

Data segment layout
Offsets are for FW 3.60.

Data section size is 0x203C0.

Loading Sequence
When loading a module, the loading sequence creates a SceModule structure to represent it.

SELF Decryption
The following code can decrypt a SELF located at.

Set  to 1 if decrypting a usermode module else 0 for kernel (2 for SM but maybe not allowed).

Set  to 0 if you're decrypting the SELF at the right location (for example decrypting   located in  ). If you have copied the SELF elsewhere, you need to set the  to the right value for where the real path was.

is for modules that are too large and won't fit in contiguous regular memory.

Module decryption and signature checks ("HENkaku patches" on 1.60)
See also SELF_Loading to see how these SceSblAuthMgr functions are used to decrypt SELFs.

The code below patches the signature checks, bypasses module decryption and allows homebrews to run. The idea is to hook the SceSblAuthMgr* calls that SceKernelModulemgr imports. The offsets are from 1.60; you will probably need to modify the function defines (set them to the addresses of the functions) and the second arguments of INSTALL_HOOK (set them to the addresses of the imports in SceKernelModulemgr). For old FWs like 1.60 there is no kASLR, so hardcoded addresses can be used; otherwise take the HENkaku code. As a bonus there is also a patch_npdrm function that patches SceNpDrm to bypass some DRM checks and allow unsigned packages to be installed; its addresses also need to be modified. See SceNpDrm.

sceKernelFinalizeKblForKernel
Unloads ScePsp2BootConfig.

0.990

3.60

sceKernelLoadPtLoadSegForFwloaderForKernel
Temp name is sceKernelDecryptSelfByPathForKernel

This is an easy way of decrypting SELFs, but you are limited to the kinds of SELFs you can load in the current context (for example, you cannot load user modules from kernel context). It is also subject to restrictions on where the SELF can be loaded from. For example, you are not allowed to load SELFs found in  from   because the Secure Kernel checks the Media Type.

On FW 3.60, a statically compiled SELF gives an error.

sceKernelLoadPreloadingModulesForKernel
Temp name was sceKernelLoadProcessModulesForKernel. Was wrongly named sceKernelLoadStartDefaultSharedModulesForPidForKernel.

This loads the default shared modules for a process (only the ones that are actually imported). This includes, for example,. Modules are loaded with flags  meaning that text pages can be shared. If dipsw 210 is set, then flag  is set, meaning that if the existing page is found, do not share it but instead make a copy.

sceKernelUnloadProcessModulesForKernel
Temp name was sceKernelStopUnloadPreloadingModulesForKernel.

sceKernelStartPreloadingModulesForKernel
Temp name was sceKernelStartProcessModulesForKernel.

sceKernelGetProcessEntryPointForKernel
Temp name was sceKernelGetModuleInternalForKernel, sceKernelGetModuleCBForDebugger.

0.990:

3.60:

sceKernelGetProcessLibraryIdListForKernel
Wrong temp names are sceKernelGetModuleUidListForKernel and sceKernelGetModuleExportLibraryListForKernel.

sceKernelGetModuleExportListForKernel
Wrong temp name is sceKernelGetModuleLibraryIdListForKernel.

sceKernelGetModuleListByImportForKernel
Wrong temp name is sceKernelGetModuleUidForKernel.

SceModulemgrForKernel_FB251B7A
Maybe sceKernelGetModuleLibImportListForKernel.

sceKernelGetModulePathForKernel
Wrong name is sceKernelGetProcessMainModulePathForKernel.

sceKernelGetModuleInternalByAddrForKernel
Used by sceKernelPrintBacktraceForDriver.

SceModulemgrForKernel_B73BE671
Maybe sceKernelGetModuleLibStubInfoForKernel.

sceKernelRegisterDebugCBForKernel
Used by SceDeci4pDtracep.

sceKernelUnregisterDebugCBForKernel
Old wrong name is sceKernelRegisterDebugCBCheckForKernel.

SceModulemgrForKernel_29CB2771
Related to process switching?

SceModulemgrForKernel_4865C72C
Related to non-linked modules?

SceModulemgrForKernel_F3CD647F
Sets two parameters.

sceKernelLoadcoreKfreeForKernel
Calls sceKernelFreeHeapMemoryForDriver.

sceKernelGetModuleInfoByAddrForDriver
Note: kernel only.

sceKernelRegisterLibaryForDriver
Note: kernel only.

sceKernelReleaseLibaryForDriver
Note: kernel only.

sceKernelUnloadModuleForDriver
In 1.69 this existed in SceModulemgrForKernel.

sceKernelInhibitLoadingModule
Added somewhere between 3.30 and 3.60 to prevent loading Sysmodules from the web browser (see the Vitasploit 2.00-3.36 and h-encore 3.65-3.68 writeups).

sceKernelBacktraceInternalForDriver
Does not have the devmode/QAF check.

Allows kernel trace.

_sceKernelBacktrace
Calls sceKernelBacktraceForDriver.

_sceKernelPrintBacktrace
Calls sceKernelPrintBacktraceForDriver.