NSKBL
Non-Secure Kernel Boot Loader (NSKBL) is a Non-Secure world program that performs eMMC setup, base kernel module loading, etc. during PSVita boot.
Module
The NSKBL contains subroutines that are stripped versions of the non-secure kernel ones found in SceSysmem, SceKernelModulemgr, SceSblSmschedProxy, SceExcpmgr, SceKernelIntrMgr, SceSblAuthMgr, SceProcessmgr (maybe), SceSdif, SceIofilemgr (simple version?), and some other core drivers.
Notes
How to debug NSKBL
NSKBL supports sd0: for debugging. pKblParam->boot_type_indicator_1 = 0x40000 is required.
sceIoOpen(?) error code 0x803FF007
This error can occur if the file is fragmented.
Types
/*
 * One entry of the module list taken by LoadModules and BootModules
 * (FW 0.940-0.990). The loader writes into the entries (moduleId), so the
 * list has to live in writable memory.
 */
typedef struct SceNskblModuleInfo { // size is 0xC on FWs 0.940-0.990
    char* filename; // Raw SKPRX file name (e.g. "sysmem.skprx"). Modules are loaded from either os0:kd/ or host0:module/.
    SceUID moduleId; // Starts as SCE_UID_INVALID_UID; filled in when the module is loaded.
    SceUInt32 loadFlags; // Passed as the flags argument to sceKernelLoadModule.
} __attribute__((packed)) SceNskblModuleInfo;
/*
 * Module list entry as used on FW 3.60: only the file name is kept.
 * sceKernelBootLoadModulesForKernel takes an array of these (pList) next to a
 * separate SceUID array (pUidList); presumably the UIDs that the older layout
 * stored per entry are returned through that array — confirm.
 */
typedef struct SceNskblModuleInfo2 { // size is 4 on FW 3.60
    const char* filename; // Module file name.
} __attribute__((packed)) SceNskblModuleInfo2;
/*
 * Four 32-bit words of hardware flags, passed by pointer to
 * sceKblGetHardwareFlagsForKernel. The meaning of the individual words is not
 * documented on this page.
 */
typedef struct SceHardwareFlags { // size is 0x10 on FW 3.60
    uint32_t data[4]; // Raw flag words.
} __attribute__((packed)) SceHardwareFlags;
/*
 * Sysroot information block kept by NSKBL (layout observed on FW 3.60).
 * Most fields are unidentified and are named after their byte offset.
 * Original note: many of the pointers relate to the NSKBL heap; presumably
 * they point at heap allocations — TODO confirm.
 * Unlike the other structures on this page, this one is not declared packed.
 */
typedef struct SceNskblSysrootInfo { // size is at least 0xC8 on FW 3.60
    SceUID unk_0x00; // maybe some PID. e.g. 0x10089
    int unk_0x04;
    void *unk_0x08;
    void *unk_0x0C;
    void *unk_0x10;
    void *unk_0x14;
    void *unk_0x18;
    void *unk_0x1C;
    void *unk_0x20;
    void *unk_0x24;
    void *unk_0x28;
    void *unk_0x2C;
    SceUID unk_0x30; // maybe some PID. e.g. 0x1000B
    const void *unk_0x34; // original note: "mapped paddr in vaddr"; presumably the virtual address of a mapped physical region — confirm
    const void *unk_0x38; // original note: "mapped paddr in vaddr"; presumably the virtual address of a mapped physical region — confirm
    void *unk_0x3C;
    int unk_0x40; // e.g. 0x80000000
    int unk_0x44; // e.g. 0x20000000
    void *unk_0x48;
    void *unk_0x4C;
    void *unk_0x50;
    void *unk_0x54;
    void *unk_0x58;
    void *unk_0x5C;
    void *unk_0x60;
    void *unk_0x64;
    void *unk_0x68;
    void *unk_0x6C;
    void *unk_0x70;
    void *unk_0x74;
    void *unk_0x78;
    void *unk_0x7C;
    void *unk_0x80;
    void *unk_0x84;
    void *unk_0x88;
    void *unk_0x8C;
    void *unk_0x90;
    void *unk_0x94;
    void *unk_0x98;
    SceUInt32 magic; // 0x19442EA8 (offset 0x9C, going by the neighbouring field names)
    int unk_0xA0; // e.g. 0x1000
    int unk_0xA4; // e.g. 0x1000
    int unk_0xA8; // e.g. 0x40000
    int unk_0xAC; // e.g. 0x200000
    int unk_0xB0; // e.g. 7
    int unk_0xB4;
    int unk_0xB8; // e.g. 0x80
    sysroot_t *pSysroot; // offset 0xBC, going by the neighbouring field names; sysroot_t is not defined on this page
    void *unk_0xC0;
    void *unk_0xC4;
    // More fields may follow; the full size is not known.
} SceNskblSysrootInfo; // 3.60
// FW 3.60 only: fixed location of the sysroot info block, written as 0x51000000 plus offset 0x138980.
// NOTE(review): the address is firmware-specific. Comparing the magic field against 0x19442EA8 before
// trusting any other field is a cheap sanity check when working with a different build — confirm.
SceNskblSysrootInfo *nskbl_sysroot_info = (SceNskblSysrootInfo *)(0x51000000 + 0x138980); // 3.60
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
0.940-3.65 | SceKblForKernel | Non-secure | Kernel | 0xD0FC2991 |
SceKblForKernel
sceSDrfpStartForKernel
Version | NID |
---|---|
0.940-0.990 | 0x230456F3 |
3.60 | not present |
sceSDbgSdioStartForKernel
Version | NID |
---|---|
0.940-0.990 | 0x29A8524D |
3.60 | not present |
Requires DIPSW 193.
SceInt32 sceSDbgSdioStartForKernel(void);
sceSDfMgrStartForKernel
Version | NID |
---|---|
0.940-0.990 | 0xAA8005E4 |
3.60 | not present |
sceKblPutcharForKernel
Version | NID |
---|---|
0.940-3.60 | 0x08E9FAEB |
This is a guessed name.
This function is at 0x510172BD in FW 3.60 and at 0x51003BE0 in FW 0.940.040.
int sceKblPutcharForKernel(void *args, char c);
sceKernelPrintfForKernel
Version | NID |
---|---|
0.940-3.60 | 0x13A5ABEF |
In FW 3.60 this function is at 0x510137A9.
// Formatted debug output: fmt is consumed together with the variadic arguments.
// NOTE(review): assuming printf-style conversion handling, fmt should stay a fixed literal and
// variable text should be passed as an argument rather than as the format itself — confirm.
int sceKernelPrintfForKernel(const char *fmt, ...);
sceKernelPrintfLevelForKernel
Version | NID |
---|---|
0.940 | Not present |
0.990-3.60 | 0x752E7EEC |
In FW 3.60 this function is at 0x51013841.
// Formatted debug output with an explicit level.
// level: presumably compared against the value returned by sceKernelGetDebugLevelForKernel — confirm.
// NOTE(review): assuming printf-style conversion handling, fmt should stay a fixed literal and
// variable text should be passed as an argument rather than as the format itself — confirm.
int sceKernelPrintfLevelForKernel(int level, const char *fmt, ...);
sceKernelGetDebugLevelForKernel
Version | NID |
---|---|
0.940-3.60 | 0xC011935A |
Temp name was sceKblGetMinimumLogLevel.
In FW 3.60 this function is at 0x51013921.
int sceKernelGetDebugLevelForKernel(void);
sceKernelGetDebugPutcharForKernel
Version | NID |
---|---|
0.940-3.60 | 0x9B868276 |
In FW 3.60 this function is at 0x51013765.
void *sceKernelGetDebugPutcharForKernel(void);
sceKernelSysrootProcessmgrStart2ForKernel
Version | NID |
---|---|
0.940-3.60 | 0x161D6FCC |
In FW 3.60 this function is at 0x510123DD.
int sceKernelSysrootProcessmgrStart2ForKernel(void);
sceKernelSysrootThreadMgrStartAfterProcessForKernel
Version | NID |
---|---|
0.940-3.60 | 0x1DB28F02 |
In FW 3.60 this function is at 0x510123A1.
int sceKernelSysrootThreadMgrStartAfterProcessForKernel(void);
sceKernelSysrootIofilemgrStartForKernel
Version | NID |
---|---|
0.940-3.60 | 0xC7B77991 |
In FW 3.60 this function is at 0x5101297D.
int sceKernelSysrootIofilemgrStartForKernel(void);
sceKernelSysrootCorelockUnlockForKernel
Version | NID |
---|---|
0.940-3.60 | 0x314AA770 |
In FW 3.60 this function is at 0x510124FD.
void sceKernelSysrootCorelockUnlockForKernel(void);
sceKernelSysrootCorelockLockForKernel
Version | NID |
---|---|
0.940-3.60 | 0x807B4437 |
In FW 3.60 this function is at 0x510124E5.
void sceKernelSysrootCorelockLockForKernel(SceUInt32 core);
SceKblForKernel_99B2F981
Version | NID |
---|---|
0.940-0.990 | 0x99B2F981 |
3.60 | not present |
On FW 0.940, it calls a routine that simply executes cpsid i and then returns 0.
CPSID i ; Disable all interrupts except NMI (set PRIMASK)
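Disables IRQ interrupts by setting the I-bit in the CPSR. (PRIMASK, named in the comment above, is the ARMv7-M term; on an ARMv7-A core such as the Vita's, cpsid i masks IRQs through the CPSR I-bit and leaves FIQs unaffected.)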
sceKblCpuDisableIrqInterruptsForKernel
Version | NID |
---|---|
0.940-0.990 | Not present |
3.60 | 0xDDB3A1A8 |
This is a guessed name. Temp name was sceKblCpuSwitchInterruptsForKernel.
In FW 3.60 this function is at 0x51003554.
void sceKblCpuDisableIrqInterruptsForKernel(void);
sceSblAimgrIsCEXForKernel
Version | NID |
---|---|
0.940-3.60 | 0x8A416887 |
In FW 3.60 this function is at 0x510171B5.
int sceSblAimgrIsCEXForKernel(void);
sceSblAimgrIsDiagForKernel
Version | NID |
---|---|
0.940-3.60 | 0xC3DDDE15 |
In FW 3.60 this function is at 0x51017175.
int sceSblAimgrIsDiagForKernel(void);
sceSblAimgrIsDEXForKernel
Version | NID |
---|---|
0.940-0.990 | Not present |
3.60 | 0x5945F065 |
In FW 3.60 this function is at 0x51017159.
int sceSblAimgrIsDEXForKernel(void);
sceSblAimgrIsToolForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0xB6C9ACF1 |
In FW 3.60 this function is at 0x51017139.
int sceSblAimgrIsToolForKernel(void);
sceSblAimgrIsTestForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x943E7537 |
In FW 3.60 this function is at 0x5101711D.
int sceSblAimgrIsTestForKernel(void);
sceSblAimgrIsVITAForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x838466E9 |
In FW 3.60 this function is at 0x51017299.
int sceSblAimgrIsVITAForKernel(void);
sceSblAimgrIsDolceForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0xA7BD4417 |
In FW 3.60 this function is at 0x510172A1.
int sceSblAimgrIsDolceForKernel(void);
sceSblAimgrIsGenuineDolceForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0xB6D00D6D |
In FW 3.60 this function is at 0x510171E5.
int sceSblAimgrIsGenuineDolceForKernel(void);
LoadModulesForKernel
Version | NID |
---|---|
0.940-0.990 | 0xFAE33FDD |
3.60 | not present |
Loads all modules from the provided list. The end of the list is marked by an entry with moduleName = NULL.
Module GUIDs are written back into the list, so it must be writable.
SceInt32 LoadModules(SceNskblModuleInfo* module_list);
sceKernelBootLoadModulesForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x6D7A1F18 |
Temp name was sceKblLoadModulesForKernel.
In FW 3.60 this function is at 0x51001551.
// Boot-time module loading on FW 3.60 (NID 0x6D7A1F18).
// pList: array of file-name entries. pUidList: presumably receives one UID per entry.
// count: presumably the number of elements in both arrays — confirm.
// NOTE(review): both arrays should hold at least count elements; nothing on this page shows the
// callee checking that.
// use_tool_extended_memory: meaning not documented on this page.
int sceKernelBootLoadModulesForKernel(const SceNskblModuleInfo2 *pList, SceUID *pUidList, SceUInt32 count, SceBool use_tool_extended_memory);
BootModulesForKernel
Version | NID |
---|---|
0.940-0.990 | 0xA7D60F71 |
3.60 | not present |
Runs the entry point of every module in the provided list. The end of the list is marked by an entry with moduleId = SCE_UID_INVALID_UID.
// Runs the entry points of the modules in module_list.
// run_boot_entry == SCE_TRUE: module_start is executed on core 0, then module_bootstart is
// executed on all cores.
// Otherwise: module_start is executed on all cores and module_bootstart is not executed.
// args/argp: presumably the argument size and buffer handed to the entry points — confirm.
SceInt32 BootModules(SceNskblModuleInfo* module_list, SceSize args, const void* argp, SceBool run_boot_entry);
sceKernelBootBootModulesForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x9A92436E |
Temp name was sceKblBootModulesForKernel.
In FW 3.60 this function is at 0x51001571.
// Boot-time module start on FW 3.60 (NID 0x9A92436E); takes an array of module UIDs rather than
// a list of SceNskblModuleInfo entries.
// pUidList/count: presumably the UIDs obtained from sceKernelBootLoadModulesForKernel and their
// number — confirm.
// args/argp: presumably forwarded to the module entry points — confirm.
int sceKernelBootBootModulesForKernel(SceUID *pUidList, SceUInt32 count, SceSize args, void *argp);
sceAuthMgrExitForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x79241ACF |
Temp name was sceKblAuthMgrCloseForKernel.
In FW 3.60 this function is at 0x51001345.
int sceAuthMgrExitForKernel(void);
sceKblSetNonSyncModuleStartForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0x9F4F3F98 |
This is a guessed name.
In FW 3.60 this function is at 0x51001561.
int sceKblSetNonSyncModuleStartForKernel(void);
sceKernelCpuIdForKernel
Version | NID |
---|---|
0.940-3.60 | 0xB506A10E |
In FW 3.60 this function is at 0x510147C9.
int sceKernelCpuIdForKernel(void);
sceKernelCheckDipswForKernel
Version | NID |
---|---|
0.990-3.60 | 0xC8F4DE71 |
In FW 3.60 this function is at 0x51015851.
int sceKernelCheckDipswForKernel(int bit);
sceSblQafManagerIsAllowKernelDebugForKernel
Version | NID |
---|---|
0.940-3.60 | 0xCE94F329 |
In FW 3.60 this function is at 0x51016FD1.
int sceSblQafManagerIsAllowKernelDebugForKernel(void);
sceKblGetHardwareFlagsForKernel
Version | NID |
---|---|
0.990 | not present |
3.60 | 0xD3A516D5 |
This is a guessed name.
In FW 3.60 this function is at 0x510128AD.
int sceKblGetHardwareFlagsForKernel(SceHardwareFlags *pFlags);
sceSdStandaloneInitForKernel
Version | NID |
---|---|
0.940-3.60 | 0xF7AF8690 |
Temp name was sceKblInitDeviceForKernel.
Some device init function. On FW 0.940 it initializes and mounts os0: (eMMC) and sd0: (GCSD).
In FW 3.60 this function is at 0x5100124D.
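/*
 * Device init routine listed under SceKblForKernel (NID 0xF7AF8690).
 * On FW 0.940 it initializes and mounts os0: (eMMC) and sd0: (GCSD).
 * Returns an int; presumably an SCE error code — confirm.
 * The state it creates is cleaned up by sceSdStandaloneExitForKernel.
 * (The prototype previously read "ceSdStandaloneInitForKernel", missing the leading "s".)
 */
int sceSdStandaloneInitForKernel(void);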
sceSdStandaloneExitForKernel
Version | NID |
---|---|
0.940-3.60 | 0x261F2747 |
Temp name was sceKblFreeFileSystemCtxForKernel.
Cleans up the state created by sceSdStandaloneInit.
In FW 3.60 this function is at 0x51001321.
int sceSdStandaloneExitForKernel(void);