This post is meant for the more advanced developers out there. PS3mrengigma has updated his blog with a tutorial on how to hook into LV2. In this tutorial he utilizes, the undocumented, SYSCALL 867 for his hook. SYSCALL 867, which he explained previously, controls the PS3′s model information (retail, debug, reference tool etc). In his tutorial he walks us through the process of making his debug PS3, thinking its a Retail unit (there is no benefit to making it think its a retail, its simply a learning exercise). For those interested in the tutorial, check it out after the jump.
In this post we will see how to make hooks (hooks) in the LV-2 SYSCALL. The possibilities are endless da hook, only to be limited to our imagination
and what we want to achieve with the hook.
For this section we should bear in mind that we need to meet the following requirements:
- Take a dump of the entire LV-2, possibly without being modified in any way by a payload.
– Knowledge of assembler to understand the original SYSCALL to create our hooks.
– Understand how the / s SYSCALL we will modify.
For this post’ll take the example of a LV-2 3.41 Debug (for it is that I work mostly), but can be applied just as in a LV-2 Retail.
The first thing you need to know is the beginning of the SYSCALL_TABLE, and the number of SYSCALL we want to put a hook.
For example put a hook to the SYSCALL 0 × 363 (867) to alter the machine model that we will return.
The SYSCALL_TABLE is at position 0 × 303130 (at any position in the LV-2 assume that they add the base address 0 × 8000 …), knowing the number of the SYSCALL (867)
and taking into account that each table entry is 8 bytes in the address pointed to multiply 867 * 8 = 6936, so we add that to the SYSCALL_TABLE, 0 × 303130 + 0x1B18 = 0x304C48.
In this direction we find another memory address, 0x348FB0, we go to the second and we have another memory address, 0x27A368. In this direction starts the code of the SYSCALL.
Point out the direction where is the address where the SYSCALL would begin, in this case, 0x348FB4.
Enter the code in the SYSCALL, knowing that the SYSCALL has 2 parameters, the first command of the operation to be performed and the second a pointer to a buffer to store the result
of the call, we can try to see how the SYSCALL.
The SYSCALL 867 with the command 0 × 19004 returned in the output buffer at position 3 (starting from 0) the byte that indicates the machine model, knowing that we can make our hook
inject this value in the output buffer.
We started writing our hook, for it wrote the preamble to the SYSCALL basing in the original code:
STDU% sp,-0xB0 (% sp)
mflr% r0
std% r30, 0xA0 (% sp)
std% r31, 0xA8 (% sp)
std% r29, 0 × 98 (% sp)
std% r0, 0xC0 (% sp)
Having echo the preamble, we see that we have stored on the stack the registers% r30,% r31,% r29 pudiendolos use for what we need in our hook, as we have in store
the Link Register so you could use our hook subllamadas smooth caller to return to the code.
Need to check that the command you want to modify is the 0 × 19004, so we proceed to create a check:
lis% r31, 1
ori% r31,% r31, 0 × 9004
cmpw% r31,% r3
bne _salir_sin_nada
At this point we have two possible flows, which is our command or it may not be. Start by it to be:
li% r30, 0 × 85
li% r29, 1
stb% r29, 1 (% r4)
stb% r30, 3 (% R4)
stb% r29, 5 (% r4)
stb% r29, 7 (% r4)
li% r3, 0
ld% r0, 0xC0 (% sp)
ld% r29, 0 × 98 (% sp)
ld% r31, 0xA8 (% sp)
ld% r30, 0xA0 (% sp)
mtlr% r0
addi% sp,% sp, 0xB0
BLR
_salir_sin_nada:
With this code will always let a European Retail of the first sub-models.
Now to implement the code in the event that the command is not checked:
b
, here we have to calculate a memory address where the branch is unconditional distance to the target memory address where we go, in this case 0x27A380.
We will explain the code, if the command was desired, modify the destination buffer filling with a retail eur forced model, the first sub-models, after which he managed
the preamble of the function and return without going through the SYSCALL original caller of the SYSCALL code. In the event that is not the command, do an unconditional jump to the original SYSCALL
after its preamble already done in our code, so as the original parameters are untouched, as the SYSCALL finish and proceed to return to its caller, would return to the code
the original name, because the code itself will correct the preamble SYSCALL ours.
Once you create the hook, just have to copy it to a memory region in the LV-2 proper, in the case of the debug start in 0 × 54408, while retail 0x50B44.
Do not forget that the unconditional jump performed at the end of the hook has to be recalculated at the address where the copied.
Once copied, you need to install the hook so that when the modules call the SYSCALL call our code, in our case as we know where to start our code (0 × 54 408), proceed to write
this direction in the second memory address that points that indicate the SYSCALL_TABLE, ie 0x348FB4.
Once done, any module, homebrew, etc to call that SYSCALL go through our hook, and if the command is 0 × 19004, we will refund a forced Retail Eur.
For this sample, a produce debug it from the XMB can not launch applications without signing, returning the error VSH not allowed (this problem is patched by PSGROOVE as
we will explain in a future post).
