Loading updater modules in USER MODE

moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Loading updater modules in USER MODE

Post by moonlight »

Yes, they can be loaded in user mode.

I'm talking about "libpsar.prx", "update_ipl.prx", etc, the kernel modules that are inside the updates.

To extract those modules from a 1.50 firmware update use this kernel program (it's hardcoded only for the 1.50 update eboot):

(you need the 1.50 update EBOOT.PBP to be in ms0:/PSP/GAME/UPDATE, the modules will also be extracted in that directory)

http://rapidshare.de/files/19585672/upd ... t.rar.html

Once the modules are extracted, they can be loaded in user mode, even if the modules are kernel ones.

The other day when someone posted this idea (and then I think he deleted the topic) I thought it was not possible because sceKernelLoadModule fails when trying to load from the ms... but I just forgot that we have a function called sceKernelLoadModuleMs that can successfully load encrypted modules from the memory stick.

Unfortunately, the main updater file (the DATA.PSP of the update) cannot be loaded... it will always give an UNSUPPORTED_PRX error.

Here is the user mode program:
http://rapidshare.de/files/19586357/use ... e.zip.html

In 1.50, it would be easy to find the syscalls to use the (dangerous) functions from those modules in user mode, but I suppose that finding them in 2.00+ won't be easy...

Also I noticed that in user mode loading an encrypted module (kernel or user ones) from the flash gives an illegal device error code, but if it's copied to the mem stick and then loaded with sceKernelLoadModuleMs it works like a charm :)

I don't know if people working in 2.00+ knew this already, but I put it here with the hopes that it can be used to access USB in the gta exploit.
kuroitenchi
Posts: 10
Joined: Sun Apr 23, 2006 12:22 am

Post by kuroitenchi »

That was me, I think Drakonite removed the post for an unknown reason, it was talking about how to write to the flash in game mode. I think he deleted it because it contained some plain text of one of the updater's modules.
Although it would be as legal as posting a version.txt content.

I was saying that sceLflashFatfmt could actually access flash0 if it was used with the right arguments (the arguments can be seen in plaintext in the decrypted module version).
I was also saying that even if it is untested, the probability for this module (the encrypted version) to run in game mode was high (as it runs in vsh mode from the updater).
TyRaNiD
Posts: 907
Joined: Sun Jan 18, 2004 12:23 am

Post by TyRaNiD »

Do encrypted user ones actually work like a charm? I am sure I tested this before and LoadModuleMs would only load encrypted kernel modules not encrypted kernel modules. To add insult to injury apply the various kernel patches to remove the device check from things like flash and try and load something from flash in a user mode thread. It has always just crashed for me which looks like a bug in the kernel.

But then I could be wrong and this could all be issues with 1.0 firmware :)
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

TyRaNiD wrote: Do encrypted user ones actually work like a charm? I am sure I tested this before and LoadModuleMs would only load encrypted kernel modules not encrypted kernel modules. To add insult to injury apply the various kernel patches to remove the device check from things like flash and try and load something from flash in a user mode thread. It has always just crashed for me which looks like a bug in the kernel.

But then I could be wrong and this could all be issues with 1.0 firmware :)
In 1.50 I could load and start those modules without problem. But I haven't tried yet to use them, the "works like a charm" meant that I was able to load and start the modules successfully, not use them :)
I'll go make some tests to see if they can be used.

P.S.: sorry I didn't read well. I haven't tested encrypted user prx's, I supposed that since kernel ones can be loaded, there wouldn't be a problem with user ones, I may be wrong, I'll check it.
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

You were right TyRaNiD.

I tried loading audiocodec.prx and libatrac3plus from user mode.
No problem with audiocodec.prx (kernel module), but trying to load libatrac3 crashed the psp.

So, it seems that these guys at Sony are not such fools... they know what they do...
Well, at least USB can be loaded in 2.01+ through the memstick with loadms since they are kernel modules, but really that's not a thing that concerns me too much.
dot_blank
Posts: 498
Joined: Wed Sep 28, 2005 8:47 am
Location: Brasil

Post by dot_blank »

thank you for this :)

UPDATE: the loader has dumb error checking
for successful loading/failed loading

this

    for (i = 0; i < N_MODULES; i++) {
        SceUID mod;

        if ((mod = LoadStartModuleMs(modnames[i])) < 0)
            printf("LoadModuleMs/StartModule %s failed with error=%08X\n", modnames[i], mod);

        printf("Module %s loaded/started successfully with UID %08X\n", modnames[i], mod);
    }

the above would output that it has succeeded with a UID code
it will also print that it failed using the same UID code from the success message
and that code is then used as the failed error number/module
and there are no modules in PSP/GAME/UPDATE/
quick fix ;)

    for (i = 0; i < N_MODULES; i++) {
        SceUID mod;

        if ((mod = LoadStartModuleMs(modnames[i])) > 0)
            printf("Module %s loaded/started successfully with UID %08X\n", modnames[i], mod);
        else
            printf("LoadModuleMs/StartModule %s failed with error=%08X\n", modnames[i], mod);
    }