SceKernelModulemgr

SceKernelModulemgr is in charge of loading both user modules and kernel modules. SceKernelModulemgr calls SceSblAuthMgr functions for the SELF decryption process. SceKernelModulemgr loads the ELF program segments into memory, resolves imports by NID, and applies the relocations of position-independent executables.

Module
The SELF can be found in.

Functions of this module are also embedded in NSKBL.

Libraries
This module exports kernel and user libraries.

0x8002D018
A shared module is not importable by a non-shared module or by a non-syscall import.

0x8002D01E
Attempted to load a module with a start entry as bootfs.

Attempted to load a module that has syscall exports to usermode.

module_start no resident/failed
If module_start returns SCE_KERNEL_START_NO_RESIDENT, the module will start successfully, but it will be unloaded after the module_start call.

However, if the module_start of a module that has syscall exports is called after boot and returns SCE_KERNEL_START_NO_RESIDENT or SCE_KERNEL_START_FAILED, a kernel panic is triggered.

How to get module info
modid and SceUIDModuleClass are required to get module information.

Simply call sceGUIDReferObjectForDriver(sceKernelGetObjectForUidForDriver) with these parameters.

Module decrypt threads
SceKernelModulemgr_func_8100910D

This thread keeps waiting at sceKernelWaitEventFlagForDriver until a module decrypt request comes.

The bits argument passed to sceKernelWaitEventFlagForDriver is 3.

Common functions
Decrypt module to membase with current ctx.

Called whenever a module is loaded.

Reads the header from the passed fd and performs some checks.

Data segment layout
Offsets are for FW 3.60.

Data section size is 0x203C0.

Loading Sequence
When loading a module the sequence creates a SceModule structure to represent it.

SELF Decryption
The following code can decrypt a SELF located at.

Set  to 1 if decrypting a usermode module else 0 for kernel (2 for SM but maybe not allowed).

Set  to 0 if you're decrypting the SELF at the right location (for example decrypting   located in  ). If you have copied the SELF elsewhere, you need to set the  to the right value for where the real path was.

is for modules that are too large and won't fit in contiguous regular memory.

Module decryption and signature checks ("HENkaku patches" on FW 1.60)
See also SELF_Loading to see how these SceSblAuthMgr functions are used to decrypt SELFs.

The code below patches the signature checks, bypasses module decryption and allows homebrews to run. The idea is to hook the SceSblAuthMgr* calls that SceKernelModulemgr imports. The offsets are from FW 1.60; you will probably need to modify the function defines (set them to the addresses of the functions) and the second argument of INSTALL_HOOK (set it to the address of the import in SceKernelModulemgr). For old FWs like 1.60 there is no kASLR, so hardcoded addresses work; otherwise take the HENkaku code. As a bonus there is also a patch_npdrm function that patches SceNpDrm to bypass some DRM checks and allow unsigned packages to be installed; its addresses also need to be modified. See SceNpDrm.

sceKernelRegisterModulesAfterBootForKernel
Temp name was sceKernelSetupForModulemgrForKernel.

sceKernelFinalizeKblForKernel
Unloads ScePsp2BootConfig.

sceKernelRegisterSyscallForKernel
This is a guessed name.

sceKernelLoadPtLoadSegForFwloaderForKernel
This is an easy way of decrypting SELF files but you are limited to the kinds of SELF files that you can load in the current context (for example, you cannot load user modules from kernel context). It is also susceptible to limitations of where the SELF can be loaded from. For example, you are not allowed to load SELFs found in  from   because Secure Kernel checks the Media Type.

On FW 3.60, statically compiled SELF files give an error.

sceKernelMountBootimageFSForKernel
Temp name was sceKernelMountBootfsForKernel.

sceKernelUmountBootimageFSForKernel
Temp name was sceKernelUmountBootfsForKernel.

sceKernelLoadRemoteModuleForKernel
Temp name was sceKernelLoadModuleForPidForKernel.

sceKernelUnloadRemoteModuleForKernel
Temp name was sceKernelUnloadModuleForPidForKernel.

sceKernelStartRemoteModuleForKernel
Temp name was sceKernelStartModuleForPidForKernel.

sceKernelStopRemoteModuleForKernel
Temp name was sceKernelStopModuleForPidForKernel.

sceKernelModuleUnloadMySelfForKernel
This is a guessed name.

sceKernelLoadPreloadingModulesForKernel
Temp name was sceKernelLoadProcessModulesForKernel, sceKernelLoadStartDefaultSharedModulesForPidForKernel.

Loads the preloading modules for a process. This includes, for instance,.

If dipsw 210 is set, it checks whether bit 0x8 of the preloading module flag is set, OR whether flag 0x20 was passed to sceKernelLoadModule. If either is the case, the module is loaded into DevKit Additional Memory (DRAM).

sceKernelUnloadProcessModulesForKernel
Temp name was sceKernelStopUnloadPreloadingModulesForKernel.

sceKernelStartPreloadingModulesForKernel
Temp name was sceKernelStartProcessModulesForKernel.

sceKernelGetModuleListForKernel
This is a guessed name.

sceKernelGetModuleInfoForKernel
This is a guessed name.

sceKernelGetModuleInfoForDebuggerForKernel
Temp name was sceKernelGetModuleList2ForKernel.

sceKernelGetModuleInfoMinByAddrForKernel
This is a guessed name.

sceKernelGetModuleCBForKernel
This is a guessed name. Temp name was sceKernelGetModuleInternalForKernel, sceKernelGetModuleCBForDebuggerForKernel.

This function returns a pointer to the "ModuleCB" (module control block) of the specified module UID.

0.990:

3.60:

sceKernelGetModuleIsSharedByAddrForKernel
This is a guessed name.

sceKernelGetModulePathForKernel
This is a guessed name. Temp name was sceKernelGetProcessMainModulePathForKernel.

sceKernelGetModuleFingerprintForKernel
This is a guessed name.

sceKernelGetModuleCBByAddrForKernel
This is a guessed name. Temp name was sceKernelGetModuleInternalByAddrForKernel, sceKernelGetProcessEntryPointByAddrForKernel.

Used by sceKernelPrintBacktraceForDriver.

sceKernelGetModuleIdByAddrForDebuggerForKernel
Temp name was sceKernelGetModuleIdByAddrForKernel.

sceKernelGetModuleEntryPointForKernel
This is a guessed name.

sceKernelGetLibraryListForKernel
This is a guessed name. Temp name was sceKernelGetModuleUidListForKernel, sceKernelGetProcessLibraryIdListForKernel.

sceKernelGetLibraryDBFlagsForKernel
Temp name was sceKernelGetModuleInhibitStateForKernel.

sceKernelGetLibraryClientListForKernel
Temp name was sceKernelGetModuleUidForKernel.

sceKernelGetLibraryInfoForDebuggerForKernel
Temp name was sceKernelGetModuleLibraryInfoForKernel.

sceKernelRegisterDebugCBForKernel
This is a guessed name.

Used by SceDeci4pDtracep.

sceKernelUnregisterDebugCBForKernel
This is a guessed name.

SceModulemgrForKernel_F3CD647F
Sets two parameters. Maybe related to syscalls.

Used by SceSysLibTrace.

sceKernelLoadcoreKfreeForKernel
Calls sceKernelFreeHeapMemoryForDriver.

sceKernelGetModuleInfoByAddrForDriver
Note that this function is for kernel only.

sceKernelRegisterLibaryForDriver
Note that this function is for kernel only.

sceKernelUnregisterLibraryForDriver
In old firmware versions (<= 1.70 - maybe even later), this function is named  instead.

Note that this function is for kernel only.

sceKernelGetSystemSwVersionForDriver
Used in SceError.

sceKernelUnloadModuleForDriver
In 1.69 this function existed in SceModulemgrForKernel.

sceKernelSetSystemSwVersion
This function can only be called from a System program.

This function was maybe removed because it represented a security threat: an exploit giving usermode code execution in a System program (for example PSPemu sandbox escape) could change the System Software version in SceKernelModulemgr data segment. The impact depends on which modules relied on that version buffer.

sceKernelGetLibraryInfoByNID
Note that NONAME libraries (NID 0) are not supported by this function. sceKernelGetLibraryInfoByNID looks up the process libdb, but the libdb does not keep NONAME libraries.

Note also that due to a bug, pInfo->libname is a pointer to kernel memory so dereferencing it causes an exception.

sceKernelInhibitLoadingModule
Introduced in System Software version 3.50 to prevent loading Sysmodules from the webbrowser. It is a security feature that makes kernel exploitation harder because it reduces the number of accessible syscalls from a WebKit usermode exploit.

See also Vitasploit 2.00-3.36 post-WebKit-exploit API and h-encore 3.65-3.68 writeup by TheFloW.

In Trinity source code, a module is loaded with flags = 0x10 to bypass sceKernelInhibitLoadingModule(0x20) restriction.

Used in ScePspemu (probably level 0x20), SceWebKitProcess, SceWebKitProcessMini.

Returns 0 on success. Returns 0x80020005 if level is invalid.

Level must be strictly increasing: loading a module becomes more and more inhibited.
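The behaviour documented above (0 on success, 0x80020005 for an invalid level, level only ever increasing) amounts to a one-way latch per process. The following is an added illustrative model of that latch, not SceKernelModulemgr's own code: the struct, function names and the rule that a non-positive level counts as invalid are assumptions, while the error value 0x80020005 is the one given on this page. It shows why a later attempt to lower the level (for instance from code that gained execution in the same process) is rejected rather than re-enabling module loading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error value for an invalid level, as documented on the page. */
#define MODULEMGR_ERR_INVALID_LEVEL ((int32_t)0x80020005)

/* Assumed per-process inhibit state (the real kernel keeps its equivalent
 * in the SceKernelModulemgr data segment). */
struct modulemgr_inhibit_state {
    int32_t level;             /* 0: nothing inhibited yet */
    unsigned int raise_count;  /* successful raises, for bookkeeping */
};

void modulemgr_inhibit_init(struct modulemgr_inhibit_state *st) {
    st->level = 0;
    st->raise_count = 0;
}

/* Model of sceKernelInhibitLoadingModule(level): the level may only go up.
 * Assumption: a level <= 0 is treated as invalid as well. */
int32_t modulemgr_inhibit_loading_module(struct modulemgr_inhibit_state *st,
                                         int32_t level) {
    if (level <= 0 || level <= st->level)
        return MODULEMGR_ERR_INVALID_LEVEL;  /* not strictly increasing */
    st->level = level;
    st->raise_count++;
    return 0;
}

int32_t modulemgr_inhibit_level(const struct modulemgr_inhibit_state *st) {
    return st->level;
}

/* Replay a sequence of requested levels against a fresh state and return
 * how many requests were rejected; the final level is written to *final. */
unsigned int modulemgr_count_rejected(const int32_t *levels, size_t n,
                                      int32_t *final) {
    struct modulemgr_inhibit_state st;
    unsigned int rejected = 0;
    modulemgr_inhibit_init(&st);
    for (size_t i = 0; i < n; i++) {
        int32_t rc = modulemgr_inhibit_loading_module(&st, levels[i]);
        if (rc != 0)
            rejected++;
    }
    if (final)
        *final = modulemgr_inhibit_level(&st);
    return rejected;
}

int main(void) {
    /* Constructed sequence: raise to 0x20, repeat it, try to lower to 0x10,
     * then raise to 0x30. Only the two raises should succeed. */
    static const int32_t seq[] = { 0x20, 0x20, 0x10, 0x30 };
    int32_t final_level = 0;
    unsigned int rejected = modulemgr_count_rejected(seq, 4, &final_level);
    printf("rejected=%u final_level=0x%x\n", rejected, (unsigned)final_level);
    return 0;
}
```

The model only captures the monotonic level, not which modules each level actually blocks, since the page does not document that mapping.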

sceKernelPrintBacktraceForDriver
This is a guessed name.

sceKernelPrintBacktrace2ForDriver
This is a guessed name.

sceKernelBacktraceForKernelForDriver
This is a guessed name. Temp name was sceKernelBacktraceInternalForDriver.

It has no devmode/QAF check, so it allows kernel backtraces.

sceKernelBacktraceForKernel2ForDriver
This is a guessed name. Temp name was sceKernelBacktraceInternal2ForDriver.

It has no devmode/QAF check, so it allows kernel backtraces.

_sceKernelBacktrace
Calls sceKernelBacktraceForDriver.

_sceKernelPrintBacktrace
Calls sceKernelPrintBacktraceForDriver.