I made a new loader to replace Toc2rta's h.bin loader.
Why?
The main advantage of this loader is that the TIFF thread can return cleanly to libtiff and the system continues running as if nothing happened. This allows some more reverse-engineering, for instance dumping memory after entering web browser or some other program of interest.
The hello world 2 program used as example also demonstrates how to kill some VSH threads to achieve solid, flickerless screen. This may be useful if someone wants to implement a (user-space-only) homebrew loader compatible with pspsdk.
How?
This is a complete rewrite.
- Completely new loader code. Wallpaper PNG contains all of the program loader. Source code for generating PNG's from assembly is included.
- Completely new TIFF image to do the overflow. It contains only what is necessary (150 bytes). Perl code for producing the TIFF is included. Instead of BitsPerSample tag, this one uses Compression tag. It is processed earlier in libtiff, so repairing stack is easier.
- Load address changed to 0x08556000
- Hello world 2 kills VSH threads by overwriting syscalls in user memory with jump instructions. VSH threads will jump to hijacker function that calls sceKernelExitThread().
Where?
You can download it at http://sunkone.cjb.net/psp/loader2/.
Source for everything is included.
An example of background threads is here: http://sunkone.cjb.net/psp/dumper2/
Note: the loader hasn't been widely tested - nobody seems to have firmware 2.0 these days :P
