Kernel

The PS Vita has a purely modular kernel. All components of the kernel are .skprx files found in the  partition and are listed in Modules.

CEX
The most common type installed on commercial vitas.

So nothing special is accessed unless there is a qaf or something. For example ★Debug settings.

Also cannot load self for DEX/Tool. (i.e. no CEX allowed bit)

Diag
Functionally it is 99% the same as CEX, but without the inability to update the system and rejection of self for DEX/Tool.

DEX
The Testing Kit.

It comes with minimal Debug stuff. (Debug store x2, ★Package Installer, ★Mini Debug Settings, ★Debug Settings in Settings, home ★Debug Utility)

Unlike CEX, you can downgrade system software. (SCE still calls it a system update)

You can also trigger Show mode with some button combos. But this requires DEX shell.self.

Tool
The Development Kit with additional PC interactive debugger. (It's called a Communications Processor. or CP)

In addition some debuggers are enabled in the kernel as well.

It basically has the same functionality as the DEX, but also has an extra LED and mini USB/HDMI in the hardware.

Also, the Development Kit does not have a battery and is always powered by a 5V Adapter. (CP also has a small coin cell battery for the CP-RTC)

ToolDVT1
Functionally it should be the same as Tool.

However, Uses a different button combo than Tool's in SceSblPostSsMgr.

ToolDVT2
Functionally it should be the same as Tool.

However, Uses a different button combo than Tool's in SceSblPostSsMgr.

ToolRev4
Functionally it should be the same as Tool.

However, Uses a different button combo than Tool's in SceSblPostSsMgr.

CEXPrototypeRev2
Unknown

However, Uses a different button combo than Tool's in SceSblPostSsMgr.

CEXPrototypeRev7
Unknown

However, Uses a different button combo than Tool's in SceSblPostSsMgr.

Temp
TODO: move these to the appropriate place

UID Attr
Mask  Description 0x70000 |  vis_level 0x300000 |  act entry

GUID
Global UID.

0  0   00 0000 0000 0001   0000 0000 0000 000   1

Error bit. should be 0.

PUID bit. should be 0.

Sub UID. 14-bits wide. Has no effect directly for core uid. Somewhat random values are used for security (With increase method).

Core UID. 15-bits wide. Value to identify the object.

UID bit. should be 1.

The Core UID is 15-bits so in theory the system can create to 0x8000 (32768) objects

Example : 0x10005, 0x10007, 0x10547, 0x2DF84A9

PUID
Process UID.

0  1   00 0000 0000 0001   0000 0000 0000 000   1

Error bit. should be 0.

PUID bit. should be 1.

Unknown. maybe sub UID. 14-bits wide.

Unknown. maybe core UID. 15-bits wide.

UID bit. should be 1.

Example : 0x40010001

KASLR
Since PS Vita FW 1.80 or so, the kernel implements kernel address space layout randomization to discourage ROP attacks.

Canaries
Since PS Vita FW 1.80 or so, the kernel makes use of stack canaries to detect stack buffer overflows and halts the system when an overflow is detected.

Memory Domains
Memory domains is a feature in ARM MMU that provides an easy way of showing and hiding groups of addresses as well as their permissions. When a syscall is made, the handler disables all access to memory domains for user memory so kernel code cannot directly access user memory. This means if a user pointer is passed in and the kernel forgets to check it and dereferences it directly, it will abort. In order to access user memory, special functions are used that temporarily enables all domains and the access is implemented with the ARM unprivileged access instructions  and   to make sure the access functions cannot read or write in kernel memory space. As long as the domain disable code in the syscall hander is secure and the user memory access functions are secure, there is no need for additional checks implemented per function. Additionally all non-code pages are marked as "execute never" (XN) in both kernel and usermode.

Syscall Randomization
The numbers assigned to syscalls change on each boot but the delta between the same functions exported by the same module will stay consistent.

NID Poisoning
Since PS Vita FW 2.10, SceKernelModulemgr replace the NIDs entries in the module import tables with junk data. This means that you can no longer map syscall numbers to NIDs.

Usermode stack pivoting protection
Since unknown PS Vita FW version (seen on 3.18) the kernel terminates an application if it notices that its stack pointer register (SP) is not pointing into the stack memory. This is commonly named "SMAP" on Linux where it crashes when Kernel stack pointer points to usermode memory.

User and kernel heap overflow protection
dlmalloc, used for heap allocations, is compiled with -DFOOTERS=1 to enable more heap overflow checks. Additionally, a custom SceNetPs malloc implementation also does some heap overflow checks on its own.

List of kernel modules
For a list of all kernel modules, check out Modules.