Problem in digging sys API..

[poison]

Now, we can dig all methods provided by modules through listing the module exports, but I cant use most of them, because of I dont know the number and the type of the arguments passing to those methods...

then, here is my questions:
1. How to find out how many arguments passing to a methods and the type of them? I tried disasm the prx and read through the assembly... but maybe its too hard for me, I failed to get the infomation I need...

2. How to get the real name of a method like the great work moonlight had done... Its easy to know the funtion of a API if we get its real name...

,/)/)
(- -) /)Many thanks.

[hlide]

by disassembly code.

arguments for functions are by order : a0, a1, a2, a3, t0, t1, t2, t3

just after entering a function, just try to track registers which are used and not yet assigned when entering function.

example :

function1:
addi %sp, %sp, -12
sw $ra, 0(sp)
mov $a2, $a0
add $a0, $a0, $a1
...

as you can see this function first reads $a0 and $a1, so you know they are arguments. $a2 cannot be argument since it is assigned with $a0 whereas it wasn't read beforehand.

so this function has two arguments. To retrieve their types is less evident.

basic types are : int r, long long r, char *r, unsigned char *r, short *r, unsigned short *r, int *r, long long *r.

if you have :
- sb/lb rt, ?(r) ==> char *r
- sb/lbu rt, ?(r) ==> uchar *r
- sh/lh rt, ?(r) ==> short *r
- sh/lhu rt, ?(r) ==> ushort *r
- sw/lw rt, ?(r) ==> int/uint *r
- sw/lw rt1, ?(r);...; sw/lw rt2, 4+?(r) ==> long long *r

and this is not not necessarily true since :

- sw/lw rt1, ?(r);...;sw/lw rt2,4+?(r) ==> struct { int x; int y; } *r :((( !!!!

and so on...

[J.F.]

Well, if the code uses one of the args as the base reg in an indirect addressing mode, you know at least that it's a pointer. :)

[poison]

Thanks, hlide and J.F., it helps me a lot...I tried to read through the funtion File_AllocLoad in scePaf again, but there is no special instruction you just mention, so I still cant get its argument info..
Actually I just want to know the way system loading resource files such as .rco, .pmf, It seems that there is no sceIoXXX call while that files load, so I turn to File_Allocload. anyway, thanks a lot..

btw do you know how to dig the real funtion name?

[SilverSpring]

What do you mean?? paf.prx does use sceIoxxx functions.

As for File_AllocLoad (in 1.50 fw):

...
move s3, t0
...


Since this is the first metion of t0, this tells you that arguments go upto at least t0.
So File_AllocLoad(int a0, int a1, int a2, int a3, int t0);
(Not sure about type but I always just use int first until I find real type).

EDIT:

Use nidattack to bruteforce the fucntion names, the src is in svn somewhere (I think).

Function names in paf.prx are notoriously hard to find. Even knowing exactly what the function does still couldnt find the name.

Here are some examples (note do not know the real names):

scePaf_F95EA3F1 memcpy
scePaf_6829D7AF memset
scePaf_3FBD9639 memcmp
scePaf_296897BC sinf
scePaf_DEDF238F cosf
scePaf_44AAF96C acosf
scePaf_7BED034E sqrtf
scePaf_B3D58D25 floorf
scePaf_F1B52E86 pow
scePaf_FEAFC77A fabs

Bruteforcing upto 7 letters didnt produce anything.....Im guessing it doesnt follow the sce naming.

Btw, are new nids still being updated?? Is anyone interested?? Because I have a huge list of new ones found but never really bothered to post them since I didnt think anyone cared.

[adrahil]

Hey :)
You can post them here, and dark_alex/moonlight will put them up in his list. ( http://moonlight.lan.st )

[SilverSpring]

Yes, but his list hasnt been updated in awhile so not sure he has been updating it. Is the svn libdoc still being updated ??

Anyway, here are some (I have more but they're scattered all around my pc so I'll add them as I find them.):

emc_sm
0xc29da136 sceNandDoMarkAsBadBlock

idstorage
0x37833CB8 sceIdStorageGetFreeLeaves

memlmd
0x185F0A2A sceUtilsGetLoadModuleABLengthByPolling

display
0xBF79F646 sceDisplayGetResumeMode (2.00)
0x21038913 sceDisplayIsVsync (2.00)

lcdc
0xF6F413C5 sceLcdcGetMode (2.80)
0x3107417C sceLcdcGetVsyncFreq (1.50)
0xB3BA421A sceLcdcGetHsyncFreq (1.50)
0x965D1633 sceLcdcGetPixelClockFreq
0x236095AC sceLcdcGetLcdcClockFreq (2.70)

power
0xFD18A0FF scePowerGetBatteryFullCapacity (1.50)
0xA9D22232 scePowerSetCallbackMode
0xBAFA3DF0 scePowerGetCallbackMode
0xD24E6BEB scePowerLimitScCpuClock
0x35B7662E scePowerLimitScBusClock
0xF9B4DEA1 scePowerLimitPllClock

sysreg
0xE8533DCA sceSysregApbTimerClkEnable
0xF6D83AD0 sceSysregApbTimerClkDisable
0x03340297 sceSysregApbTimerClkSelect
0xB21B6CBF sceSysregPllGetFrequency
0x53A6838B sceSysregPllGetBaseFrequency
0xBB3623DF sceSysregPllUpdateFrequency
0x4D4CE2B8 sceSysregAwRegABusClockEnable
0x789BD609 sceSysregAwRegABusClockDisable
0x391ce1c0 sceSysregAwRegBBusClockEnable
0x82d35024 sceSysregAwRegBBusClockDisable

clockgen
0x4EB657D5 sceClockgenAudioClkSetFreq
0x5F8328FD sceClockgenAudioClkEnable
0xB9FE99D1 sceClockgenAudioClkDisable
0x7FF82F6F sceClockgenLeptonClkEnable
0xDBE5F283 sceClockgenLeptonClkDisable

umdman
0x2787078E sceUmdManUnRegisterImposeCallback
0x4217E7F5 sceUmdManUnRegisterInsertEjectUMDCallBack

ata
0x12805193 sceAtaAhbSetupBus
0x7DE9E14A sceAtaAhbEnableIntr
0x298ddc3d sceAtaAhbInit (only 1.00)
0xf6ac2e5d sceAtaAhbTerm (only 1.00)
0xE3F01009 sceAtaAhbReadIntr (only 1.00)
0x01248DA2 sceAtaAhbClearIntr (only 1.00)
0xC10F87AB sceAtaAhbGetEventFlag (only 1.00)
0x1C29566B sceAtaGetIntrStateFlag
0x7F551D66 sceAtaSetIntrStateFlag
0x68DEA2FF sceAtaClearIntrStateFlag
0xD1E6E175 sceAtaEnableClkIo
0xAC800B1D sceAtaDisableClkIo
0x9D98086E sceAtaSetBusErrorIntr
0xDCC8A89E sceAtaIsUmdDrive
0xC4060B8A sceAtaExecDeviceResetCmd
0xB9C9F2E4 sceAtaExecSeekCmd

registry
0x0CAE832B sceRegCloseCategory
0x0D69BF40 sceRegFlushCategory

common_util later moved to vshmain
0x8727574A vshRegSysconfOpenRegistry
0x3E95607D vshRegSysconfCloseRegistry
0x53CF01CA vshRegSysconfGetRegistry
0x53120F49 vshRegSysconfSetRegistry
0x29278272 vshRegSysconfGetUserName
0x75477C22 vshRegSysconfSetUserName
0x3412B578 vshRegSysconfGetAuthPassword
0xCFB4A59E vshRegSysconfSetAuthPassword
0x79FF29A4 vshRegSysconfGetDisplayLanguage
0x1815FB1F vshRegSysconfSetDisplayLanguage
0x5A3449D5 vshRegSysconfGetParentalLockLevel
0x9845E69B vshRegSysconfGetSummerTimeMode
0x36BA6A54 vshRegSysconfGetDateTimeFormat
0xBA7237F4 vshRegSysconfGetTimezoneArea
0xDEB009C6 vshRegSysconfSetTimezoneArea
0xD9E2759B vshRegSysconfSetTimezoneOffset

vaudio
0xCBD4AC51 sceVaudioSetAlcMode

sysmem
0xAF3616C0 sceKernelGetGPO
0x29A5899B sceKernelSetRebootKernel
0x452E3696 sceKernelGetSystemStatus
0x95F5E8DA sceKernelSetSystemStatus
0x8C0CC205 sceKernelGetFilenameBlock
0xE9E4D851 sceKernelSetFilenameBlock
0x0D1D8AC8 sceKernelMemmoveWithFill

vshbridge
0xF4873F4D = vshKernelLoadExecVSHDisk
(a stupid typo from Sony since they spell vshKernelLoadExecVSHDiscUpdater correctly)


I have prototypes for a lot of these so I'll add them if anyones interested.

[moonlight]

thanks for the nids :D

I have to update it some day, i always forget it :p
I'll have tons of spare time in two weeks :)

[dot_blank]

thanx for

0x29A5899B sceKernelSetRebootKernel
and
vshRegSysconf******

:)

[SilverSpring]

Here are some interesting vars (after module_start etc.):

0x0F7C276C module_start_thread_parameter
0xCF0CC697 module_stop_thread_parameter
0xF4F4299D module_reboot_before_thread_parameter

Not sure if module_reboot_phase_thread_parameter & module_bootstart_thread_parameter exist since Ive never seen their nids used in a module before.

The thread parameters Ive seen are like this:

int *thread_paramater = {3, threadPriority, stackSize, attribute};

EDIT:

0x11B97506 module_sdk_version (pointer offset from .data segment)
eg. 0x3030010 for 3.30 etc.

[SilverSpring]

Some more:

openpsid.prx:

sceDdrdb_driver (2.00+)
0x05d50f41 sceDdrdbEncrypt (ie. sema op 4)
0xb33acb44 sceDdrdbDecrypt (ie. sema op 7)
0x40cb752a sceDdrdbHash (ie. sema op 0xB)


display.prx imports:

sceHibari_driver (2.70-3.11) (3.30+ nids changed)
0x8cd96fbc sceHibariGetDisplayStatus
0x8fa42787 sceHibariResetEnable
0x5f9f4128 sceHibariDisplayOn
0xc06ea555 sceHibariDisplayOff

sceDve_driver (2.80-3.11) (3.30+ nids changed)
0x0f74dcb0 sceDveGetDisplayMode
0xf51fabaa sceDveSetDisplayMode
0x1e044968 sceDveResetEnable
0xe3c80ef1 sceDveResetDisable
0x194aa1c8 sceDveDisplayOn
0x8e249d7f sceDvePowerOn
0xe9110b8f sceDvePowerOff


libhttp.prx imports:

sceBase64 (upto 1.52)
0x43543731 sceBase64Encoder
0x3AE99AAf sceBase64Decoder

[SilverSpring]

mediaman.prx

sceUmd_driver: (all fw)
0x7850f057 sceUmdRegisterGetUMDInfoCallBack
0x27A764A1 sceUmdUnRegisterGetUMDInfoCallBack
0x3d0decd5 sceUmdGetUserEventFlagId
0xeb56097e sceUmdGetDetectUMDCallBackId
0xD01B2DC6 sceUmdGetAssignedFlag
0x3925CBD8 sceUmdSetAssignedFlag

sceUmd_driver: (1.00 only)
0x725dfb14 sceUmdEnableUMDDetectIntr
0x7f40cc41 sceUmdDisableUMDDetectIntr
0x3ce40626 sceUmdGetIntrStateFlag
0x1e62cca3 sceUmdSetIntrStateFlag
0x1fb77367 sceUmdRegisterActivateDVDCallBack
0x7aa26c9a sceUmdUnRegisterActivateDVDCallBack
0x28355079 sceUmdRegisterSuspendResumeUMDCallBack
0xE71270FA sceUmdUnRegisterSuspendResumeUMDCallBack
0xbe17b77c sceUmdRegisterInsertEjectUMDCallBack
0x8EF268AC sceUmdUnRegisterInsertEjectUMDCallBack

sceUmd_driver: (1.50+)
0x086ddc0d sceUmdRegisterActivateCallBack
0x319ed97c sceUmdUnRegisterActivateCallBack
0x2d81508d sceUmdRegisterDeactivateCallBack
0xbbb5f05c sceUmdUnRegisterDeactivateCallBack
0x4832abf3 sceUmdRegisterReplaceCallBack
0x9b22aed7 sceUmdSetErrorStatus

sceUmd_driver: (2.00+)
0x71f81482 sceUmdGetErrorStatus
0x6af9b50a sceUmdCancelWaitDriveStat

[adrahil]

Code: Select all

0x05d50f41 sceDdrdbEncrypt (ie. sema op 4)
0xb33acb44 sceDdrdbDecrypt (ie. sema op 7)
0x40cb752a sceDdrdbHash (ie. sema op 0xB) 

Now this is niiice :) Would you be able to check what the other 5 sceDdrdb exports are? ;)

[SilverSpring]

Code: Select all

sceDdrdb_driver_E27CE4CB (sema op 0x11)
sceDdrdb_driver_370F456A (sema op 0x12)
sceDdrdb_driver_F970D54E (sema op 0xC)
sceDdrdb_driver_EC05300A (sema op 0xD)
sceDdrdb_driver_B24E1391 (sema op 0x10)
sceDdrdb_driver_B8218473 (sema op 0xE)

I dont know what those ops do though, so not sure about the names yet.

Code: Select all

/**
 * Encrypts buffer via block cipher sema 0x4
 * Buffer max size = 2048 bytes (16-byte aligned)
 *
 * The 20-byte header for buf into sema function:
 *   header[0] = 4;
 *   header[1] = 0;
 *   header[2] = 0;
 *   header[3] = 0xB;
 *   header[4] = size;
 *
 * Returns 0 on success.
 */
int sceDdrdbEncrypt(u8 *buf, int size);


/**
 * Decrypts buffer via block cipher sema 0x07 (reverse of above)
 * Buffer max size = 2048 bytes (16-byte aligned)
 *
 * The 20-byte header for buf into sema function:
 *   header[0] = 5;
 *   header[1] = 0;
 *   header[2] = 0;
 *   header[3] = 0xB;
 *   header[4] = size;
 *
 * Returns 0 on success.
 */
int sceDdrdbDecrypt(u8 *buf, int size);


/**
 * SHA1 hash of buffer via sema 0xB
 * Buffer max size = 2048 bytes
 * returns a 20-byte hash
 *
 * The 4-byte header for buf into sema function:
 *   header[0] = size;
 *
 * Returns 0 on success.
 */
int sceDdrdbHash(u8 *buf, int size, u8 *hash);

[adrahil]

Very nice, thanks :)

[SilverSpring]

FINALLY... Here are the semaphore crypto nids:

Code: Select all

semaphore_00eec06A sceUtilsBufferCopy
semaphore_8eeb7bf2 sceUtilsBufferCopyByPolling
semaphore_4C537C72 sceUtilsBufferCopyWithRange
semaphore_77e97079 sceUtilsBufferCopyByPollingWithRange

Yay!!

[SilverSpring]

emc_sm.prx (sceNand_driver):

Code: Select all

0xEBA0E6C6 sceNandCountChipMakersBBM (all fw)
0x88CC9F72 sceNandCorrectEcc (2.80+)
(Typo fix: Same function as sceNandCollectEcc, both exports exist)

modulemgr.prx (ModuleMgrForKernel):

Code: Select all

0x9F3AD1E9 sceKernelLoadModuleBufferForExitGame (1.52+)
0x5799EE32 sceKernelLoadModuleBufferForExitVSHKernel (1.52+)
0x667C1174 sceKernelLoadModuleBufferForExitVSHVSH (1.52+)
0x53CA70EE sceKernelLoadModuleBufferForRebootKernel (2.50+)

popsman.prx (scePopsMan) (3.00+):

Code: Select all

0x29B3FB24 scePopsManLoadModule
0x0090B2C8 scePopsManExitVSHKernel
0x92E9E38D scePopsManSetId
0x2E18E4E9 scePopsManCheckData
0x8666B52F scePopsManSuspend
0xF74199F8 scePopsManResume
0x53F9ABD2 scePopsManDocOpen
0x03971322 scePopsManDocClose
0xFC56480E scePopsManDocRead
0x875F4C05 scePopsManDocLseek

[adrahil]

Thanks ;)
Heh, one can always count on Sony for stupid spelling errors :D

Would you be able to check the remaining sceDdrdb nids?

[dot_blank]

0x53CA70EE sceKernelLoadModuleBufferForRebootKernel (2.50+)
:D :D :D

also what is your method for getting these nids so quick
ive been on these bloody Ddrdb NIDS for ages and nothing
comes up but false positives ...it is using alphabet checking
which is taking too long ...if you are using dictionary attacks
then i would understand ...if you are can you post or pm me
your dictionary and executable

[SilverSpring]

Well usually I revese the function first so I know what the function does. It's usually pretty easy to guess the name after that. Even a general understanding of the function helps tremendously, this saves you from reversing the function completely. Just have a browse and guess what type of function it is.

If I still cant correctly guess the name straight on, I use a dictionary with no more than usually 120-130 words. Any more, and it'll take too long as well as too many false positives. So the dictionary is the most important part, you have to keep it short and use VERY carefully selected words. I modify the dictionary for only the functions Im searching for.

I use the nidattack prog in svn, but modify it to search for any combination of 4 words instead of 3. This takes longer but it's better to have a small dictionary and search for more combinations than a large dictionary and search for a smaller combination.

I also vary the prefix for the functions to match what it does, eg. use the prefix sceUmdRegister when I know they are "register" functions, then search for any 4-word combo after that and get sceUmdRegisterSuspendResumeUMDCallBack, which you wouldnt be able to find normally just using a sceUmd prefix or just searching using 3 word combo's. Then of course I know they would probably be a sceUmdUnRegister version of the same function.

In the end, keep a small dictionary and use carefully selected words. And words related only to the functions your searching for. Delete any words not related to keep the dictionary small. My searches usually last no longer than a minute or two per run. If nothing comes up, just keep modifying the dictionary.

This is of course assuming you know the correct prefix. Without knowing the prefix you'll probably find nothing. Eg. I didnt know the prefix of those semaphore functions, though sceUtilsBufferCopy was already found. I was suspicious of the name but tried the sceUtils prefix anyway and found the rest.

So some function names might not ever be found until we find the correct prefix, eg. sceMemab_driver, Im pretty sure the prefix isnt sceMemab, so none of those names are currently known, and so its very hard to find.


Anyway, sorry for the long post, hope this helps others find remaining nids. Here are 2 more ddrdb nids:

Code: Select all

0xf970d54e sceDdrdbMul1 (ie. sema op 0xC)
0xec05300a sceDdrdbMul2 (ie. sema op 0xD)

Code: Select all

// sema op 0xC
// returns 60-byte buffer
// no inputs
int sceDdrdbMul1(u8 buf[60]);

// sema op 0xD
// buf0 & buf1 concat into 60-byte input
// output 40-byte buf2
int sceDdrdbMul2(u8 buf0[20], u8 buf1[40], u8 buf2[40]);

[adrahil]

Nice job :)
So, to summarise:

Code: Select all

0xb33acb44 sceDdrdbDecrypt (ie. sema op 7)
0x40cb752a sceDdrdbHash (ie. sema op 0xB)
sceDdrdb_driver_E27CE4CB (sema op 0x11)
sceDdrdb_driver_370F456A (sema op 0x12)
0xf970d54e sceDdrdbMul1 (ie. sema op 0xC)
0xec05300a sceDdrdbMul2 (ie. sema op 0xD)
sceDdrdb_driver_B24E1391 (sema op 0x10)
sceDdrdb_driver_B8218473 (sema op 0xE)

They're in alphabetical order ;) You could probably make your search more concentrated by saying that E27CE4CB and 370F456A are between sceDdrdbH* and sceDdrdbM* :) And B24E1391 and B8218473 are between sceDdrdbM* and sceDdrdbZ*. Probably even starting from sceDdrdbN*.

[SilverSpring]

Here's the proto's of the rest of the ddrdb functions:

Code: Select all

// sema op 0x11
// doesnt return any buffer
// inputs concat into 100-byte buffer
// not sure if the sha1 is the hash of buf0?
// seems to be some check, ie. return 0 if check is successful
int sceDdrdb_driver_E27CE4CB(u8 buf0[40], u8 sha1[20], u8 buf1[40]);

// sema op 0x12
// doesnt return any buffer
// inputs a 184-byte buffer (usu. from leafid 0x100)
// seems to be some check, ie. return 0 if check is successful
int sceDdrdb_driver_370F456A(u8 buf[184]);

// sema op 0x10
// input 52-byte buffer (inbuf concat with sha1)
// output 40-byte outbuf
// not sure if the sha1 is the hash of inbuf?
int sceDdrdb_driver_B24E1391(u8 inbuf[32], u8 sha1[20], u8 outbuf[40]);

// sema op 0xE
// no inputs
// returns 20-byte buf
// some id of some sort?? dbsvrgetdata??
int sceDdrdb_driver_B8218473(u8 buf[20]);

EDIT: False positive?? 0xB8218473 = sceDdrdbPrngen (pseudo random number generator??)

[moonlight]

Well i have updated (finally) the nids page.

At the moment, i have only updated the nids of 1.50 and 3.50

Hope i haven't forgot anyone. libhttp in 3.50 is broken because psar dumper decrypts it but doesn't decompress it (it is in the rlz format, i didn't bother to decompress it manually). pops is broken due to a prx problem.

It seems they have done some changes to this firmware. They have put a lot of low level io modules such as emc_sm, emc_ddr, gpio, dmacplus, etc in the file lowio.prx.

[Viper8896]

im a bit of a noob to this. i would like to get the nids for visualizer-plugin but having a bit of trouble. im doing what it says here http://forums.ps2dev.org/viewtopic.php? ... hlight=nid and that works fine for old prxs but i cant seem to find anything in visualizer_plugin and i suspect its something to do with the way sony is changing it.

[SilverSpring]

Well i have updated (finally) the nids page.

At the moment, i have only updated the nids of 1.50 and 3.50

Hope i haven't forgot anyone. libhttp in 3.50 is broken because psar dumper decrypts it but doesn't decompress it (it is in the rlz format, i didn't bother to decompress it manually). pops is broken due to a prx problem.

It seems they have done some changes to this firmware. They have put a lot of low level io modules such as emc_sm, emc_ddr, gpio, dmacplus, etc in the file lowio.prx.

Great, great...Many thanks...

libssl is also rlz compressed.

EDIT:

im a bit of a noob to this. i would like to get the nids for visualizer-plugin but having a bit of trouble. im doing what it says here http://forums.ps2dev.org/viewtopic.php? ... hlight=nid and that works fine for old prxs but i cant seem to find anything in visualizer_plugin and i suspect its something to do with the way sony is changing it.

visualizer_plugin.prx doesnt export any nid's (I'm pretty sure).

[Viper8896]

visualizer_plugin.prx doesn't export any nid's (I'm pretty sure).

does that mean its completely unusable? it would be cool to use it in my own media player.

[adrahil]

0xb8218473 sceDdrdbPrngen
0xb24e1391 sceDdrdbSiggen
0xe27ce4cb sceDdrdbSigvry
0x370f456a sceDdrdbCertvry

:)

[kururin]

visualizer_plugin.prx doesn't export any nid's (I'm pretty sure).

does that mean its completely unusable? it would be cool to use it in my own media player.

Most xxxx_plugin.prx don't export anything, e.g. they don't act as libraries at all, they just do their stuff, and no modules can use their functions (internal), unless doing odd stuff of course. There are some exception like the htmlviewer_plugin, though.

[SilverSpring]

0xb8218473 sceDdrdbPrngen
0xb24e1391 sceDdrdbSiggen
0xe27ce4cb sceDdrdbSigvry
0x370f456a sceDdrdbCertvry

:)

Thanks much!!

So sceDdrdbPrngen isnt a false positive (so pseudo random number generator??).

Anyway, Ive updated the latest NID's http://silverspring.lan.st/update.html

Everyone else can now submit new NID's found at SilverSpringPSP [AT] gmail.com I'll be sure to add them promptly.