SceSysmem

SceSysmem is a kernel module that acts as the heart of the kernel. It exports multiple libraries for various features. SceSysmem is the first module that is loaded in the kernel load sequence and its libraries are imported by almost all other modules. See Virtual Memory and Physical Memory for more details on the memory subsystem.

Module
This module exists in both non-secure and secure world. The non-secure world SELF can be found in. It also can be found in the Boot Image.

Memory Block Type
The  parameter indicates what kind of memory to allocate. Here is a mapping of  flags to ARM MMU flags. Higher bits are used for other options including where to allocate from. Not all flag values are valid, there is a table of valid types in the kernel. You cannot, for example, allocate RWX memory.

memory allocate test.

Types to reverse
from 0.990:

sceKernelGrowPhyMemPartForKernel
Calls sceKernelGrowPhyMemPartWithFlagsForKernel with flags = 0.

sceKernelGrowPhyMemPartWithFlagsForKernel
Grows physical memory partition with flags.

sceKernelGetGrownPhyMemPartSizeForKernel
This is a temp name.

Returns a global variable. This global variable is either a size or offset or address and is incremented by sceKernelGrowPhyMemPartWithFlagsForKernel.

sceKernelGetPhyPartKernelForKernel
return gpPhyPartKernel;

SceSysmemForKernel_66636970
Return *class.

sceUIDRegisterForKernel
Calls sceGUIDRegisterForKernel.

sceKernelCreatePhyMemPartForKernel
Calls sceKernelCreatePhyMemPartByPbaseForKernel with pbase = 0.

sceGUIDKernelCreateForKernel
Create a GUID with default attribute (0x30000).

sceGUIDKernelCreateWithAttrForKernel
Create a GUID with the specified attribute.

scePUIDKernelCreateWithAttrForKernel
Temp name was sceKernelCreateUidObjForKernel.

sceKernelPhysicalMemReadForKernel
Temp name was memcpy_from_paddr.

dest must be a vaddr and src must be a paddr. Return copied size on success.

sceKernelAllocPartitionMemBlockForKernel
Temp name was sceKernelAllocSystemCallTableForKernel.

sceGUIDGetObjectWithClassForKernel
Possible name are sceUIDGetObjectWithClassForKernel or sceUIDtoProcessForKernel.

SceSysmemForKernel_C38D61FC
Calls SceSysmemForDriver_89A44858.

sceUIDGetObjectForKernel
Calls sceGUIDGetObjectForDriver.

SceSysmemForKernel_7C797940
Calls SceSysmemForKernel_620E00E7 or SceSysmemForDriver_0F5C84B7.

sceKernelRxMemcpyKernelToUserForPidForKernel
Unrestricted memcpy to the virtual address space for process. Both  and   must be in the address space of   but   must also be accessible in the address space of the caller. This is normally used for resolving stubs in module loads. Same as write to RO but does a cache flush.

sceUIDtoObjectForKernel
Calls SceSysmem.

sceUIDGetUIDVectorByClassForKernel
It is simply a wrapper for sceGUIDGetUIDVectorByClassForKernel.

sceKernelAddressSpaceUnmapForKernel
3.60:

Example: in SceSysStateMgr:

3.60

SceSysmemForKernel_F8E95A5A
Certainly returns address to a structure.

SceSysmemForKernel_54E85275
Uses result from SceSysmem.

SceSysmemForKernel_7BD56D6D
Used by SceProcessmgr.

SceSysmemForDriver_65B9B393
Return *class.

sceUIDCloseForDriver
if (a2 & 0x40000000) == 0 calls sceGUIDCloseForDriver else scePUIDCloseForDriver.

SceSysmemForDriver_F09A7D09
Calls sceGUIDCloseForDriver.

Switch TTB For PID
Changes the TTBR to point to the tables for a given PID.

sceKernelAllocHeapMemoryForDriver
Temp name was sceKernelMemPoolAlloc.

Calls sceKernelAllocHeapMemoryWithOptionForDriver with a3 = 0.

sceKernelAllocHeapMemoryFromGlobalHeapForDriver
Calls sceKernelAllocHeapMemoryForDriver with uid = -1 (global heap ).

sceKernelAllocHeapMemoryFromGlobalHeapWithOptForDriver
Calls sceKernelAllocHeapMemoryWithOptionForDriver with uid = -1 (global heap ).

sceKernelAllocHeapMemoryWithOptForDriver
Same as  but uses.

sceKernelAllocHeapMemoryWithOptionForDriver
Temp name was sceKernelAllocHeapMemoryWithOpt2ForDriver.

Same as  but uses.

sceKernelAllocMemBlockWithInfoForDriver
Temp name was sceKernelAllocMemBlockExtForDriver.

sceKernelAllocMemBlockForDriver
The interface is the same as the userland version of this function, however more types can be specified and more options are in the pOpt argument.

To allocate a kernel RW block of memory, specify.

To allocate a block of memory with a specific physical address, specify  or ,  , and.

To allocate a block of memory that is kernel executable, specify.

To allocate a block of memory that is physically contiguous, specify,   and an alignment to.

To allocate a block of memory inside the CDRAM, specify.

sceKernelAllocMemBlockForDebuggerForDriver
Same as sceKernelAllocMemBlockForDriver but with null pOpt.

sceKernelCreateHeapForDriver
The heap pool is thread safe.

sceUIDKernelCreateForDriver
Calls sceGUIDKernelCreateForKernel.

Create a UID with default attribute (0x30000).

sceUIDKernelCreate2ForDriver
Temp name was sceKernelCreateUidObj2ForDriver.

Create a UID with default attribute (0x30000).

sceGUIDCreateForDriver
Temp name was sceKernelCreateUidObjForUidForDriver.

Create a GUID with default attribute (0x30000) for the specified UID.

scePUIDOpenByGUIDForDriver
Temp name was sceKernelCreateUserUidForDriver.

scePUIDOpenByGUIDWithFlagsForDriver
Temp name was sceKernelCreateUserUidForClassForDriver.

scePUIDOpenByNameForDriver
Temp name was sceKernelCreateUserUidForNameForDriver.

sceGUIDCloseForDriver
Temp name was sceKernelDeleteUidForDriver.

scePUIDCloseForDriver
Temp name was sceKernelDeleteUserUidForDriver.

sceKernelGetMemBlockMemtypeByAddrForDriver
Temp name was sceKernelFindMemBlockByAddrForDefaultSizeForDriver.

sceKernelFindProcMemBlockByAddrForDriver
Temp name was sceKernelFindMemBlockByAddrForPidForDriver.

sceKernelFindMemBlockProcForDriver
Temp name was sceKernelFindMemBlockForPidForDriver.

sceKernelFirstDifferentBlock32UserForPidForDriver
Looks for an integer in userspace.

sceKernelFreeHeapMemoryForDriver
Temp name was sceKernelMemPoolFreeForDriver.

scePUIDGetClassForDriver
Temp name was sceKernelGetClassForPidForUidForDriver.

sceGUIDGetClassForDriver
Temp name was sceKernelGetClassForUidForDriver.

sceKernelGetMemBlockPARangeForDriver
Previous name was sceKernelGetMemBlockAddrPairForUidForDriver

Returns the paddr and size (pRange) of the memory block if it is physically continuous.

sceKernelGetMemBlockVBaseForDriver
Wrongly named sceKernelGetMemBlockKernelPageForDriver.

sceKernelGetMemBlockPAVectorForDriver
Temp name was sceKernelGetMemBlockPaddrListForUidForDriver.

scePUIDGetEntryHeapNameForDriver
Temp name was sceKernelGetNameForPidByUidForDriver. Real name might be scePUIDGetEntryHeapNameForDriver.

sceUIDtoObjectForDriver
Calls sceUIDtoObjectForKernel.

sceGUIDGetObjectForDriver
Temp name was sceKernelGUIDGetObjectForDriver.

scePUIDGetObjectForDriver
Temp name was sceKernelGetObjectForPidForUidForDriver.

sceGUIDReferObjectForDriver
Temp name was sceKernelGetObjectForUidForDriver.

sceGUIDReferObjectWithLevelForDriver
Temp name was sceKernelGetObjectForUidForAttrForDriver.

sceGUIDReferObjectWithClassAttrForDriver
Temp name was sceKernelGetObjectForUidForClassForAttrForDriver.

sceGUIDReferObjectWithClassForDriver
Temp name was sceKernelGetObjForUidForDriver.

sceGUIDReferObjectWithSubclassForDriver
Temp name was sceKernelGetObjectForUidForClassTreeForDriver.

sceKernelVAtoPAForDriver
Temp name was sceKernelGetPaddrForDriver.

This will write the physical address for a virtual address  to memory pointed to by.

Returns <0 on error, values >=0 indicate success.

sceKernelProcModeVAtoPAForDriver
Temp name was sceKernelGetPaddrForPidForDriver.

sceKernelVARangeToPAVectorForDriver
Temp name was sceKernelGetPaddrListForDriver.

This function writes into  an array of   that encompasses the block of memory specified in the input. will contain the number of entries written. If  is null, it will just write the count.

sceKernelVARangeToPARangeForDriver
Temp name was sceKernelGetPaddrPairForDriver.

sceKernelVAtoPABySWForDriver
Temp name was sceKernelGetPaddrWithSectionTypeCheckForDriver. Wrong name was sceKernelAddressSpaceVAtoPABySWForDriver.

scePUIDtoGUIDForDriver
Temp name was sceKernelKernelUidForUserUidForDriver.

Process UID to Global UID.

sceKernelPartitionMapMemBlockForDriver
Temp name was sceKernelMapBlockUserVisibleForDriver.

sceKernelUserMapForDriver
Wrongly named sceKernelMapUserBlockDefaultTypeForDriver.

Assigns type 0.

sceKernelProcUserMapForDriver
Wrongly named sceKernelMapUserBlockForDefaultTypeForPidForDriver. sceKernelProcUserMapForDriver is certainly real name.

Assigns type 0.

sceKernelMapUserBlockForDriver
Permission is either "1" for read only, no execute or "2"/"3" for read write, no execute. Type is either 0, 1, or 17 and affects the block type. 0 is default. This will allocate kernel memory starting at kernel_page. To get the same memory as the user pointer, add the kernel_offset. kernel_size is how much is allocated.

sceKernelDecRefCountMemBlockForDriver
Temp name was sceKernelMemBlockDecRefCounterAndReleaseUidForDriver.

sceKernelGetMemBlockInfoForDriver
Temp name was sceKernelMemBlockGetInfoExForVisibilityLevelForDriver.

sceKernelIncRefCountMemBlockForDriver
Temp name was sceKernelMemBlockIncRefCounterAndReleaseUidForDriver.

sceKernelUserUnmapForDriver
Temp name was sceKernelMemBlockReleaseForDriver.

sceKernelMemRangeReleaseWithPermForDriver
Decrease references to pages.

sceKernelMemRangeRetainWithPermForDriver
Increase references to pages.

sceKernelCopyToUserForDriver
Temp name was sceKernelMemcpyKernelToUserForDriver.

sceKernelProcCopyToUserForDriver
Temp name was sceKernelMemcpyKernelToUserForPidForDriver. Possible name is sceKernelCopyoutProcForDriver.

This will not crash on invalid user pointers, but instead return error.

sceKernelCopyFromUserForDriver
Temp name was sceKernelMemcpyUserToKernelForDriver.

sceKernelProcCopyFromUserForDriver
Temp name was sceKernelMemcpyUserToKernelForPidForDriver.

sceKernelUserCopyForDriver
Temp name was sceKernelMemcpyUserToUserForDriver.

sceKernelProcUserCopyForDriver
Temp name was sceKernelMemcpyUserToUserForPidForDriver.

sceKernelUserStrncpyForDriver
Return 0 on success.

sceKernelProcStrncpyToUserForDriver
Temp name was sceKernelMemcpyKernelToUserForPidUncheckedForDriver.

sceUIDOpenByNameForDriver
Calls sceGUIDOpenByNameForDriver.

sceGUIDOpenByNameForDriver
Temp name was sceKernelOpenUidForNameForDriver.

sceKernelRemapMemBlockForDriver
This can be used to remap RW memory as RX. To do this, first allocate a memory block of type. After you are done writing, call sceKernelRemapMemBlockForDriver with type.

sceKernelPartialRemapMemBlockForDriver
Temp name was sceKernelRemapBlockForDriver, sceKernelRemapMemBlockForDriver.

This can be used to remap RW memory as RX. To do this, first allocate a memory block of type. After you are done writing, call sceKernelPartialRemapMemBlockForDriver with type.

scePUIDSetNameForDriver
Temp name was sceKernelSetNameForPidForUidForDriver.

scePUIDSetNameForDriver
Temp name was sceKernelSetObjectForUidForDriver.

sceGUIDReleaseObjectForDriver
Temp name was sceKernelUidReleaseForDriver.

sceKernelGetPhysicalMemoryTypeForDriver
Temp name was sceKernelVaddrMaybeGetSectionTypeForDriver

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

some_memblock_operation
Same as above but with different flags.

SceSysmemForDriver_856FA2E3
Seems related to heap.

SceSysmemForDebugger
This library was removed somewhere between 1.692 and 3.60.

sceKernelGetPhysicalAddressSpaceForDebugger
In FW 0.931 calls sceKernelPhysicalAddressSpaceStartForDebugger.

SceSysmem
The SceSysmem library is responsible for both low-level and high-level memory management. There are functions for allocating raw blocks of memory (similar to Linux ) as well as functions for maintaining a heap-like structure (similar to  ) for kernel, however SceLibKernel implements a proper heap and that is used for user code.

sceKernelGetDipswInfoForDriver
return *(int *)(dipsw_addr + 4 * info_id);

0	0x40	0x4	DevKit CP timestamp 1

1	0x44	0x2	DevKit CP Version

2	0x46	0x2	DevKit CP Build ID

3	0x48	0x4	DevKit CP timestamp 2 (strangely also set on Retail and TesKit)

sceKernelUartInitForKernel
Temp name was sceUartInitForKernel.

It initializes the clock generator registers for the. The default baud rate is 115200 for ports 0-5 and 250000 for port 6.

sceKernelUartReadAvailableForKernel
Temp name was sceUartReadAvailableForKernel.

Returns the number of words available to read from the read FIFO.

sceKernelUartReadForKernel
Temp name was sceUartReadForKernel.

sceKernelUartWriteForKernel
Temp name was sceUartWriteForKernel.

SceCpu
This library provides wrapper for much ARM CP15 co-processor access as well as low level support of spinlocks and other synchronization primitives.

sceKernelCpuGetCpuId
Return the CPU ID of the current core.

sceKernelRoundupDCacheLineForKernel
Calls the function previously registered by sceKernelGetRoundupDCacheLineFuncForKernel.

sceKernelGetRoundupDCacheLineFuncForKernel
Uses CTR and CTR-DMINLINE to determine which function to return.

SceCpuForKernel_CA4124DE
Returns 1, 2 or 6 based on some page/section properties.

sceKernelMMUGetContextForKernel
Temp name was sceKernelCpuSaveContextForKernel.

sceKernelMMUChangeContextForKernel
Temp name was sceKernelCpuRestoreContextForKernel.

sceKernelMMUVAtoPAWithModeForKernel
Temp name was sceKernelCpuGetPaddrWithMaskForKernel.

mode (maskPAR) is usually 0x33, sometimes 2.

sceKernelMMUCheckRangeWithModeForKernel
Return 0 if all pages are valid, < 0 else.

sceKernelMMUVAtoPAForKernel
Temp name was sceKernelCpuGetPaddrForKernel.

Uses mode (maskPAR) 0x33.

This will write the physical address for a virtual address  to memory pointed to by.

Returns <0 on error, values >=0 indicate success.

sceKernelCpuGetCONTEXTIDRForKernel
The CONTEXTIDR, bits [31:0] contain the process ID number.

sceKernelDcacheWritebackInvalidateRangeForKernel
Temp name was sceKernelCpuDcacheCleanInvalidateMVACRangeForKernel, sceKernelCpuDcacheWritebackInvalidateRangeForKernel.

sceKernelCpuIcacheInvalidateMVAURangeForKernel
Temp name was sceKernelCpuIcacheInvalidateRangeForKernel.

sceKernelIcacheInvalidateRangeForKernel
Temp name was sceKernelCpuIcacheAndL2InvalidateMVAURangeForKernel, sceKernelCpuIcacheAndL2WritebackInvalidateRangeForKernel.

sceKernelCpuPreloadEngineKill

 * NSACR (Non-Secure Access Control Register)
 * Test bit NS access to the Preload Engine resources
 * [>] PLEFF (Preload Engine FIFO flush operation)
 * [>] PLEKC (Preload Engine kill channel operation)
 * [<] PLEASR (Preload Engine Activity Status Register)

sceKernelCpuUnrestrictedMemcpyForKernel
Unrestricted memcpy by first setting the  register to   and then doing a memcpy.

sceKernelCpuForKernel_9B8173F4
Might be get_vaddr_memory_type.

Return value can be:
 * 2
 * 8
 * 0x40
 * 0x80
 * 0xD0
 * 0x80022007 (SCE_KERNEL_ERROR_VA2PA_FAULT)

SceCpuForKernel_A5C9DBBA
Changes addr.cpuId and addr.unk_4.

SceCpuForKernel_9D72DD1B
Overrides cpuId in addr structure. Maybe changes core.

SceCpuForKernel_4CD4D921
aka write 01 00 00 00 04 00 04 00 at addr.

SceCpuForKernel_43CC6E20
DACR off

Does some memory copies between the args.

sceCpuUnrestrictedBzeroIntForKernel
DACR off

SceCpuForKernel_337473B5
DACR off

If addr.unk_0 equals 0, changes addr.unk_0 to new_val, else increase addr.unk_4.

sceKernelCpuAtomicSubIfGreater64ForKernel
DACR is not disabled

sceKernelCpuAtomicLimit64ForKernel
DACR is not disabled

sceKernelCpuAtomicAdd32AndGet64InRangeForKernel
DACR is not disabled

sceKernelCpuAtomicAdd32AndGet64InHiLoRangeForKernel
DACR is not disabled

sceKernelCpuAtomicGet32AndSet64ForKernel
DACR is not disabled

sceKernelCpuAtomicGet32AndSet64_2ForKernel
Exact same code as SceCpuForKernel_4553FBDE.

DACR is not disabled

sceKernelCpuAtomicDecIfLowPositive32ForKernel
DACR is not disabled

sceKernelCpuAtomicHiLoAlgorithmForKernel
DACR is not disabled

Returns current value (high + low), and sets it to max_low.

sceKernelCpuAtomicAddAndGetPositive32InRangeForKernel
DACR is not disabled

If val is negative, returns 2 and does not override val.

SceCpuForKernel_AED8F8D7
Initialize TTBR.

SceCpuForKernel_9A3281C0
Gets addresses to 2 functions.

sceKernelCpuGetCpuIdForDriver
Return the CPU ID of the current core.

sceKernelDcacheInvalidateRangeForDriver
1

Temp name was sceKernelCpuDcacheAndL2InvalidateMVACRange_1ForDriver, sceKernelCpuDcacheAndL2InvalidateRangeForDriver.

sceKernelCpuDcacheAndL2InvalidateMVACRange_10ForDriver
0x10

sceKernelCpuDcacheAndL2InvalidateMVACRange_20ForDriver
0x20

Temp name was sceKernelCpuDcacheInvalidateRangeForDriver.

sceKernelDcacheCleanInvalidateRangeForDriver
1

Temp name was sceKernelCpuDcacheAndL2CleanInvalidateMVACRange_1ForDriver, sceKernelCpuDcacheAndL2WritebackInvalidateRangeForDriver.

sceKernelCpuDcacheAndL2CleanInvalidateMVACRange_20ForDriver
0x20

sceKernelDcacheCleanRangeForDriver
1

Temp name was sceKernelCpuDcacheAndL2CleanMVACRange_1ForDriver, sceKernelCpuDcacheAndL2WritebackRangeForDriver.

sceKernelCpuDcacheAndL2CleanMVACRange_20ForDriver
Also named sceKernelCpuDcacheWritebackRangeForDriver, flush_dcache.

0x20

SceCpuForDriver_E813EBB2
Cleans L2 memory.

sceKernelCpuIsVaddrMappedForDriver
These functions implement a simple mutual exclusive access on a resource address using LDREX/STREX.

sceKernelCpuUnlockStoreFlagForDriver
These functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.

LR is stored as addr value.

While mutex is held, interrupts are disabled.

Used like this:

sceKernelCpuLockSuspendIntrStoreLRForDriver
Temp name was sceKernelCpuSuspendIntrForDriver.

sceKernelCpuUnlockResumeIntrStoreLRForDriver
Temp name was sceKernelCpuResumeIntrForDriver.

These functions implement a simple mutual exclusive access on a resource addr using LDREX/STREX.

0x80000000 is stored as addr value.

While mutex is held, interrupts are disabled.

Used like this:

sceKernelCpuDisableInterruptsForDriver
Disable irq (but not fiq) and returns previous interrupt bit status (so either 0 or 0x80).

sceKernelCpuEnableInterruptsForDriver
Restore previous irq state, pass either 0 or 0x80.

SceSysclibForKernel
Was present on 1.69. Doesn't exist on 3.60.

SceSysclibForKernel_E38E7605
Looks like vprintf.

SceSysclibForDriver
The C standard library for use in kernel only. (Userland have SceLibKernel, which confusingly is userland only).

Include standard string functions (no insecure variants like ).

timingsafe_memcmp
timing constant memcmp

memmove
On 1.69, this seems to be implemented incorrectly.

SceSysrootForKernel_DD7821AA
Register SceSysrootForKernel_340575CB callback.

SceSysrootForKernel_340575CB
Return some PID.

SceSysrootForKernel_AE55B7CC
Calls SceCpuForKernel_A5C9DBBA. Related to cpuId.

SceSysrootForKernel_21F5790B
Registers a callback related to kernel panic.

SceSysrootForKernel_4D98B15B
Gets the callback related to kernel panic set by SceSysrootForKernel_21F5790B.

SceSysrootForKernel_0DF574A9
Calls the callback related to kernel panic set by SceSysrootForKernel_21F5790B.

SceSysrootForKernel_1D84C4D4
Get some info for the provided syscallFrameEntry.

SceSysrootForKernel_E20F6FC8
Related to SceDebug Kernel Exceptions handlers.

SceSysrootForKernel_8E4B61F1
Calls SceCpuForKernel_9D72DD1B.

SceSysrootForKernel_7385CADE
Get current syscall PID.

get_SceKernelSysrootClass_itemsize
On FW 0.990 return hardcoded value 0x470.

On FW 3.60 return hardcoded value 0x41C.

sceKernelSysrootAssertSysrootForKernel
Check sysroot->magic (offset 0xC must be 0xBA97F5A1) and sysroot->magic2 (offset 0x20C must be 0xA008B0C3‬).

sceKernelSysrootGetCurrentProcessForKernel
Return the current process id.

sceKernelSysrootGetCurrentUIDEntryHeapCBForKernel
F9FB9A2A

sceKernelSysrootGetProcessSelfAuthInfoForKernel
Temp name was sceSysrootGetSelfAuthInfoForKernel.

sceKernelSysrootGetProcessTitleIdForKernel
Temp name was sceSysrootGetProcessTitleIdForPidForKernel.

SceSysrootForKernel_26458702
Register some callbacks.

SceSysrootForKernel_B171CC2D
Seems to be used to register some callbacks.

sceKernelSysrootGetVbaseResetVectorForKernel
Returns the exception vectors base address. The address of the exception vectors for the CPU  is:.

sceSysrootCallLicMgrGetLicenseStatusForKernel
Calls sceSblLicMgrGetLicenseStatusForDriver of SceSblPostSsMgr.

Returns 0 on success, -1 if sceSblLicMgrGetLicenseStatusForDriver is not registered.

Called by sceSblAuthMgrAuthHeaderForKernel before F00D request.

sceSysrootGetSysbaseForKernel
Temp name was sceKernelGetSysbaseForKernel.

sceKernelSysrootGetKblParamForKernel
Temp name was sceSysrootGetSysrootBufferForKernel.

Returns pointer to Sysroot buffer.

sceSysrootGetFactorySystemSwVersionForKernel
return (int)(sysroot_buffer->factory_fw_version);

sceSysrootGetUnkCForKernel
return (int)(sysroot_buffer->unk_C);

sceSysrootGetUnk10ForKernel
return (int)(sysroot_buffer->unk_C + 4);

sceSysrootGetUnkC0ForKernel
return sysroot_buffer->unk_C0;

sceSysrootGetWakeupFactorForKernel
return sysroot_buffer->wakeup_factor;

sceSysrootGetHardwareInfoForKernel
return sysroot_buffer->hardware_info;

sceSysrootGetSessionIdForKernel
Writes sysroot_buffer->session_id to buffer.

Buffer size is 0x10.

sceSysrootGetHardwareFlagsForKernel
Writes sysroot_buffer->hardware_flags to buffer.

Buffer size is 0x10.

sceSysrootIsExternalBootModeForKernel
return *(int *)(sysroot_buffer->boot_type_indicator_1) & 1;

sceKernelIsSomeBootModeForKernel
return (*(int *)(sysroot_buffer->boot_type_indicator_1) >> 19) & 1;

sceSysrootIsSomeBootMode2ForKernel
return sysroot_buffer->boot_type_indicator_1[2] & 1;

sceSysrootIsSomeModeForKernel
Returns true if (sysroot->boot_flags[0x1] != 0xFF).

Is used to check if UART must be initialized or not.

sceSysrootIsBsodRebootForKernel
return (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 0x17;

sceSysrootIsUsbEnumWakeupForKernel
if ( *(int *)(sysroot_buffer->unk_C0) & 0x90000 ) result = 1; else result = (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 0xF; return result;

sceSysrootIsUnknownRebootForKernel
return (*(int *)(sysroot_buffer->wakeup_factor) & 0x7Fu) <= 1;

sceSysrootUseExternalStorageForKernel
When returns true it allows loading sd0:psp2config.skprx.

Returns true when Manufacturing Mode flag is set:

return (*(int *)(sysroot_buffer->boot_type_indicator_1) >> 2) & 1;

sceSysrootUseInternalStorageForKernel
Returns true when use internal storage flag is not set:

return *(char *)(sysroot_buffer->boot_flags[5]) & 1 ^ 1;

sceSysrootRegisterLicMgrGetLicenseStatusForKernel
Write value at sysroot_ctx + 0x380 (on FW 3.60).

Normally, sceSblLicMgrGetLicenseStatusForDriver of SceSblPostSsMgr module is registered.

sceKernelSysrootGetThreadAccessLevelForKernel
Calls int (__cdecl *GetThreadAccessLevel); // 0x344 on 3.60

sceKernelSysrootAllocRemoteProcessHeapForKernel
Temp name was sceKernelAllocHeapMemoryForKernel.

Same as  but does set   to 0x1000B.

Checks that pid is 0x10013 or 0x10005.

sceKernelSysrootGetSecureStatusForKernel
return *(uint *)some_buf->field_0x28 & 1;

sceKernelIsSecureStateForKernel
return (*(uint *)some_buf->field_0x28 ^ 1) & 1;

sceKernelIsColdBootForKernel
return (*(uint *)some_buf->field_0x28 & 10; // IDA PRO FW 3.60

return ((*(uint *)some_buf->field_0x28 ^ 0x10) << 0x1b) >> 0x1f; // Ghidra FW 0.940

SceSysrootForDriver_26AA237C
Calls the callback registered by SceSysrootForDriver_E25D2FD5.

SceSysrootForDriver_E25D2FD5
Registers the callback called by SceSysrootForDriver_26AA237C.

SceSysrootForDriver_EE934615
return sceKernelCpuAtomicGetAndAdd32ForDriver(&someflag_from_kbl_param, 0x10);

SceSysrootForDriver_EEF091A7
return sceKernelCpuAtomicGetAndAdd32ForDriver(&someflag_from_kbl_param, 0xfffffff0);

sceKernelInvokeInitCallbackForDriver
idx

5 : disable nskbl, more...?

SceSysrootForDriver_421EFC96
Patched by HENkaku payload.c and update365 by TheFloW.

sceKernelSysrootRegisterGetSystemSwVersionForDriver
Temp name was sceKernelSysrootSetSystemSwVersionForDriver.

sceKernelSysrootGetSystemSwVersionForDriver
Returns System Software version as int from SceSysmem memory. For exemple: 0x0365000 on 3.65.

sceKernelSysrootUtMgrHasNpTestFlagForDriver
Calls int (__cdecl *sceSblUtMgrHasNpTestFlagForDriver);

SceSysrootForDriver_56D85EB0
Used by SceSblACMgr.

sceAesDecrypt1ForDriver
Perform normal AES decrypt.

sceAesDecrypt2ForDriver
Perform AES decrypt using encryption round key.

sceAesEncrypt1ForDriver
Perform AES encrypt. There are two functions that are the same on 1.69.

sceAesEncrypt2ForDriver
Perform AES encrypt. Similar to sceAesEncrypt1ForDriver.

sceAesInit1ForDriver
This sets up the AES engine. is a 960 byte buffer (int 1.69). and  is the security in bits. 128/196/256 are supported values.

last arg to subroutine is 0

sceAesInit2ForDriver
last arg to subroutine is 1

sceAesInit3ForDriver
last arg to subroutine is 2

SceKernelUtilsForDriver_C76A7685
Looks like it relates to AES InvMixColumns.

SceKernelUtilsForDriver_60ED6EA9
Equivalent to AES getSBox32Value

SceZlibForDriver
zlib compression library.

SceZlibForDriver_20A122F8
used by SceCoredump

maybe init function

SceZlibForDriver_5492B3F2
used by SceCoredump

SceZlibForDriver_5B718E55
used by SceCoredump

SceKernelSuspendForDriver
Used to register callbacks for handling suspend/resume related events.

sceKernelRegisterSysEventHandlerForDriver
Previous name was sceKernelSuspendRegisterCallbackForDriver

Registers a function for handling suspend/resume. is 0 if we are currently suspending and 1 if we are currently resuming. is passed from the registration. Registration adds an entry to a linked list and returns the block id for the new entry.

Returns the suspend_callback_id.

sceKernelUnregisterSysEventHandlerForDriver
Call with the id returned from  to remove the entry from the linked list and free the memory.

sceKernelSysEventDispatchForDriver
This will go through the linked list and call each callback. If  is set, then the first callback that returns a negative value will stop the call chain and return the block id of the callback that broke the chain. Otherwise, this function will invoke each callback and return zero.

sceKernelPowerTickForDriver
Cancel specified idle timers to prevent entering in power save processing.

Returns 0 on success.

SceQafMgrForDriver
Provides many device permission checks including running app privilege checks, debugging enabled checks, and so on.

SceQafMgrForDriver_41E04800
Only used by SceAppMgr.

SceQafMgrForDriver_7B14DC45
Only used by SceAppMgr.

return ((unsigned int)*(char *)(sceKernelSysrootGetKblParamForKernel + 0x2D) >> 1) & 1; // = 0x2D + BIT number 30

SceQafMgrForDriver_082A4FC2
Used by sceSblFwLoaderLockForDriver, SceKernelModulemgr, SceSysStateMgr and SceSblPostSsMgr.

Used by sceSblSpsfoMgrOpenForDriver.

When this flag is set, it allows for example to load spsfo from host0:, and host0:psp2config.skprx.

SceQafMgrForDriver_694D1096
Only used by SceSblACMgr.

SceQafMgrForDriver_0E588747
Only used by SceRegistryMgr.

Returns true if the PSVita is an "Internal system".

sceSblQafMgrIsAllowSystemAppDebugForDriver
Used by SceDeci4pDtracep and SceSblACMgr.

If it returns false, syscalls debug trace printf is disabled.

sceQafMgrIsAllowKernelDebugForDriver
Used by SceKernelModulemgr, SceExcpmgr, SceCrashDump, SceHdmi

return *(uint8_t *)((int)kbl_param + 0x2D) & 1;

sceQafMgrIsAllowQAUpdateForDriver
Only used by SceSblUpdateMgr.

SceQafMgrForDriver_52B4E164
Only used by SceWlanBt.

SceQafMgrForDriver_883E9465
Used by SceSysStateMgr.

Allows loading unencrypted psp2config.txt.

sceSblQafMgrIsAllowForceUpdateForDriver
Only used by SceSblUpdateMgr.

SceQafMgrForDriver_AE033133
Only used by SceNpDrm.

SceQafMgrForDriver_DEC6DF4E
Only used by SceNpDrm.

SceQafMgrForDriver_B9770A13
Used by SceKernelModulemgr and SceSysmodule.

scePmMgrGetProductModeForDriver
Returns 0 on success, 0x800f0a29 on failure.

Gets kbl_param using sceKernelSysrootGetKblParamForKernel.

result = ((int *)(kbl_param->boot_type_indicator_1) >> 2) & 1; // manufacturing mode flag

scePmMgrIsExternalBootModeForDriver
Gets kbl_param using sceKernelSysrootGetKblParamForKernel.

return (int *)(kbl_param->boot_type_indicator_1) & 1; // external boot mode flag

sceSblAIMgrGetSMIForDriver
SMI means Service / Manufacturing Information.

shipped_fw_version is gotten from SceKblParam.

sceSblAIMgrGetProductCodeForDriver
Temp name was sceSblAIMgrGetTargetIdForDriver.

Product Code = Target Id

sceSblAIMgrGetProductSubCodeForDriver
Product Sub Code = model revision

sceSblAIMgrIsTestForDriver
TEST = Internal Test Unit

Returns true if PsCode Product Code <= 0x100.

sceSblAIMgrIsToolOrTestForDriver
TOOL = DevKit

Returns true if PsCode Product Code <= 0x101.

sceSblAIMgrIsNonCEXForDriver
Returns true if PsCode Product Code <= 0x102.

sceSblAIMgrIsCEXForDriver
Returns true if PsCode Product Code <= 0x111 AND sceSblAIMgrIsJapaneseFatForDriver returns false.

sceSblAIMgrIsVITAForDriver
Returns sceSblAIMgrIsGenuineVITAForDriver.

sceSblAIMgrIsDolceForDriver
Returns sceSblAIMgrIsGenuineDolceForDriver if returns true else returns sceKernelCheckDipswForDriver(0x98).

sceSblAIMgrIsGenuineVITAForDriver
Returns true if:
 * PsCode Product Code <= 0x111 AND sceSblAIMgrIsGenuineDolceForDriver returns false
 * sceSblAIMgrIsJapaneseFatForDriver returns true AND HardwareInfo != 0x700000 != 0x720000 != 0x510000

sceSblAIMgrIsJapaneseFatForDriver
Returns true if PsCode Product Code == 0x103 (Japanese), PsCode Product Sub Code == 0x10 (FAT) and PsCode Factory Code == 0x24 (refurbished).

sceSblAIMgrIsToolDVT1ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 3.

sceSblAIMgrIsToolRev4ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 4.

sceSblAIMgrIsToolRev5ForDriver
Returns true if PsCode Product Code == 0x101 and PsCode Product Sub Code <= 5.

sceSblAIMgrIsPrototypeRev2ForDriver
Returns true if PsCode Product Code == 0x103 and PsCode Product Sub Code <= 2.

sceSblAIMgrIsPrototypeRev7ForDriver
Returns true if PsCode Product Code == 0x103 and PsCode Product Sub Code <= 7.

sceKernelUnregisterProcEventHandlerForDriver
Previous name was sceProcEventDeleteUidForDriver.

Wrapper to sceGUIDCloseForDriver.

sceKernelRegisterProcEventHandlerForDriver
Previous name was sceProcEventCreateEventForDriver

Uses sceKernelCreateEventForDriver.

Returns uid.

sceKernelInvokeProcEventHandlerForDriver
Uses suspend/resume LR.

sceKernelGetGPIForDriver
Only SceDebugLedForDriver function used by SceCoredump.

sceKernelRegisterKprintfHandlerForKernel
Temp name was sceDebugSetHandlersForKernel.

sceKernelGetDebugPutcharForKernel
Temp name was sceDebugGetPutcharHandlerForKernel.

Returns pointer to current debug putchar handler.

sceKernelRegisterDebugPutcharForKernel
Temp name was sceDebugRegisterPutcharHandlerForKernel.

Set debug print char handler.

sceKernelDebugPutcharForKernel
Temp name was sceDebugPutcharForKernel.

Print character.

print_kernel_excp_info
Prints Kernel Exception information, and certainly calls SceCoredump.

register_unk_handler
handler definition:

set_info_dump_flag
Temp name was sceDebugDisableInfoDumpForKernel.

start_logging
Returns 1 if logging has been started successfully, -1 else.

stop_logging
If state is not zero, stops logging and return 1, else does nothing and return 0.

Returns 1 if logging has been stopped, 0 else.

_sceKernelPrintDebugLogForKernel
If a2 is not zero, the current log buffer address is updated, else it is unchanged.

maxNum is guessed to be either the number of entries or the index of the chosen entry. Entry size is 0x40 bytes.

Uses sceKernelPrintfLevelForDriver to print.

sceKernelPrintDebugLogForKernel
Calls _sceKernelPrintDebugLogForKernel with maxNum = (log_buf_end - log_buf_start) / 0x40.

sceKernelPrintfCore0ForKernel
Same as sceKernelPrintfForDriver but only prints if CPU ID is 0.

sceKernelPrintfLevelCore0ForKernel
Same as sceKernelPrintfLevelForDriver but only prints if CPU ID is 0.

sceKernelGetMinimumLogLevelForKernel
Returns the minimumLogLevel set by sceKernelSetMinimumLogLevelForKernel.

sceKernelSetMinimumAssertionLevelForKernel
Overrides in memory the minimumAssertionLevel set by DIP switches 201 and 202.

sceKernelGetMinimumAssertionLevelForKernel
Returns the minimumAssertionLevel from memory.

register_unk_cb
The callback has this definition:

If unk_cb runs successfully (return >= 0), pOut is used as third argument of unk_cb2, else unk_cb2 is not called at all.

register_unk_cb2
The callback has this definition:

sceKernelVprintfLevelWithCtxForDriver
Temp name was sceDebugPrintf2ForDriver.

sceKernelAssertForDriver
Temp name was sceDebugPrintKernelAssertionForDriver.

sceKernelGetMinimumAssertionLevelForDriver
Returns the minimumAssertionLevel from memory.

sceKernelPanicForDriver
Temp name was sceDebugPrintKernelPanicForDriver.

SceDebugForDriver_62466B0A
Copy some exception information from memory to the provided buffer.

sceKernelAllocPartitionMemBlockForTZS
Temp name was sceKernelAllocMemBlockForPidForTZS.

sceKernelVAtoPAForTZS
This will write the physical address for a virtual address  to memory pointed to by.

Returns <0 on error, values >=0 indicate success.

sceKernelDebugPutcharForTZS
Print character.

sceKernelGetMinimumAssertionLevelForTZS
Returns the minimumAssertionLevel from memory.

sceKernelPrintfCore0ForTZS
Same as sceKernelPrintfForTZS but only prints if CPU ID is 0.

sceKernelPrintfLevelCore0ForTZS
Same as sceKernelPrintfLevelForTZS but only prints if CPU ID is 0.

stop_logging
If state is not zero, stops logging and return 1, else does nothing and return 0.

Returns 1 if logging has been stopped, 0 else.

register_unk_cb
The callback has this definition:

If unk_cb runs successfully (return >= 0), pOut is used as third argument of unk_cb2, else unk_cb2 is not called at all.

register_unk_cb2
The callback has this definition:

SceCpuForTZS

 * 0.931: 0xE0B34336: unknown, same as SceCpuForKernel_9D72DD1B
 * 0.931-0.990: 0x40DEC1B6: sceKernelWaitForEvent
 * 0.931-0.990: 0xF42F079B: sceKernelSendEvent
 * 0.940: 0x1266F962: sceKernelAbort
 * 0.931-0.940: 0x98BF47D3: sceKernelGetVmaccessRange
 * 0.931: 0x49AD8B60: sceKernelSetFIQModeStack
 * 0.931: 0xC2A428F3: sceKernelSetMonModeStack
 * 0.931: 0xD9013440: sceKernelSetIRQModeStack
 * 0.931: 0xDF17E4A3: sceKernelSetUndModeStack
 * 0.931: 0xF832C341: sceKernelSetAbtModeStack
 * 0.931: 0xFB1D3114: sceKernelSetSvcModeStack
 * 0.931: 0xF6CE21EA: sceKernelPrintCpuMode

1.80:     NID 0: 0x0A15B41C: sceKernelL1DcacheCleanInvalidateAll NID 1: 0x17A88E69: sceKernelL1DcacheCleanRange NID 2: 0x190D96D5: sceKernelDcacheCleanRange NID 3: 0x2A0A3DC6 NID 4: 0x2B6403F8 NID 5: 0x2FE24445: sceKernelCpuAtomicSet32 NID 6: 0x308D7ABE: sceKernelCpuDcacheInvalidateMVACRange NID 7: 0x324727D1: sceKernelGetCpsr NID 8: 0x39FCFCC2: sceKernelDomainTextMemcpy NID 9: 0x44C423D3: sceKernelCpuId NID 10: 0x49B11FF8 NID 11: 0x71FD9AB5: sceKernelSpinlockLowLock NID 12: 0x72CA4F7A: sceKernelGetSpsr NID 13: 0x75D87321: sceKernelCpuAtomicOrAndGet32 NID 14: 0x7A5373EB: sceKernelDcacheCleanInvalidateRange NID 15: 0x7CCE9480: sceKernelDcacheCleanInvalidateAll NID 16: 0x864E3DED NID 17: 0x9E4C0D0D NID 18: 0xA5965CBF: sceKernelL1IcacheInvalidateEntireAllCore NID 19: 0xACF209F3: sceKernelSpinlockLowTrylockCpuSuspendIntr NID 20: 0xB421FAFD: sceKernelL1IcacheInvalidateRange NID 21: 0xB8F00FBE: sceKernelSpinlockLowUnlockCpuResumeIntr NID 22: 0xC4137AED: sceKernelPleFlushRequest NID 23: 0xCD98416C: sceKernelSpinlockLowUnlock NID 24: 0xCDD46655: sceKernelDcacheInvalidateRange NID 25: 0xD67A4356: sceKernelSpinlockLowLockCpuSuspendIntr NID 26: 0xEFD6F289: sceKernelCpuAtomicCompareAndSet8

SceSysclibForTZS_361850BB
maybe_strncpy

sceKernelSysrootGetKblParamForTZS
Returns pointer to Sysroot buffer.

sceSblQafManagerIsAllowKernelDebugForTZS
return *(char *)(sceKernelSysrootGetKblParamForTZS + 0x2D) & 1;