Forum: PS3 Technical Development - Topics relating to Playstation 3 Technical development ONLY! Read and discuss the latest Cobra USB updates, tutorials and explanations or find out about bluray drive bypass firmwares plus much more.


Thread: How to use Peek/Poke syscalls?
  

  1. #1 How to use Peek/Poke syscalls? 
    stoker25 is offline IJDGAF
    Can anybody help me with using these syscalls? I'm trying to write an app that redirects /app_home to /dev_usbxxx, the code I'm using for the syscalls is:

    Code:
    uint64_t lv2Read64(uint64_t address)
    {
    	register uint64_t p1 __asm__ ("3") = address;
    	register uint64_t n  __asm__ ("11") = 6;
    
    	__asm__ volatile (
    		"sc" : "=r" (p1) : "r" (p1), "r" (n) : "0", "12", "lr", "ctr", "xer", "cr0", "cr1", "cr5", "cr6", "cr7", "memory");
    
    	return p1;
    }
    
    void lv2Write64(uint64_t address, uint64_t data)
    {
    	register uint64_t p1 __asm__ ("3") = address;
    	register uint64_t p2 __asm__ ("4") = data;
    	register uint64_t n  __asm__ ("11") = 7;
    
    	__asm__ volatile (
    		"sc" : : "r" (p2), "r" (p1), "r" (n) : "0", "12", "lr", "ctr", "xer", "cr0", "cr1", "cr5", "cr6", "cr7", "memory");
    }
    The read method I found on a public pastebin, the write one I wrote myself. Through testing using this code:
    Code:
    			uint64_t addr = start;
    			bool found = false;
    			while( addr != end )
    			{
    				if(lv2Read64(addr) == appHome)
    				{
    					found = true;
    					lv2Write64(addr - 3, devUsb0);
    					lv2Write64(addr, devUsb006);
    				}
    				else if(lv2Read64(addr) == devUsb006)
    				{
    					found = true;
    					lv2Write64(addr - 3, appHomeFull);
    					lv2Write64(addr, appHome);
    				}
    				addr += 0x100;
    			}
    I found that the read method doesn't work, it seems to return garbage.

    The payload I'm using definitely has the syscalls, seeing as LV2Dump works.

    Has anybody here tried to use the syscalls and managed to do it successfully? If so, can you give me a hand?

    Many thanks
    PSIDPatch - http://bit.ly/psidpatch
    xRegistry Editor - http://bit.ly/xregistry
    Playstation 3 Update Repo - http://bit.ly/iR2iXh

    People, stop hating on Math & Co. If it wasn't for them we'd be nowhere, so what if they have their secrets? Remember, they could have just decided not to show anything

  2. #2  
    user is offline account deleted
    peek reads 8 bytes per call. most probably the string "app_home" gets peeked in two parts by your app ("....app_" and "home..." for example). so you have to keep the last value you get, combine it with your new value, strip it down to a string and then compare it with "/app_home".
    please excuse my bad english

    EDIT:
    you could use PL3's syscall 35 instead

    EDIT 2:
    Code:
    static inline uint64_t lv2Write(uint64_t address, uint64_t data)
    {
    	register uint64_t p1 asm("3") = address;
    	register uint64_t p2 asm("4") = data;
    
    	register uint64_t n  __asm__ ("11") = 7;
    	asm volatile("sc"
    		: "=r"(p1), "=r"(p2), "=r"(n)
    		: "r"(p1), "r"(p2), "r"(n)
    		: "0", "2", "12", "lr", "ctr", "xer", "cr0", "cr1", "cr5", "cr6", "cr7", "memory");
    	return p1;
    }
    corrected lv2Write (untested)
    Last edited by user; 11-02-2010 at 11:34 AM.
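The carry-over described in post #2, as an added example that is not code from the thread: each peeked word is appended to the kept tail of the previous ones, so a string that straddles two 8-byte reads is still found. `sample_mem`, `mock_peek`, `find_aligned_word` and `find_bytes` are hypothetical names, and the buffer is constructed; `mock_peek` stands in for the real peek call and assumes big-endian byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the scanned memory: "/app_home" starts at
   offset 13, so it straddles the 8-byte words at offsets 8 and 16. */
static const uint8_t sample_mem[32] = "............./app_home.........";
typedef uint64_t (*peek_fn)(uint64_t addr);

/* Hypothetical peek: 8 bytes at addr as one big-endian value (PPC64 order). */
static uint64_t mock_peek(uint64_t addr)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | sample_mem[addr + i];
    return v;
}

/* Word-by-word comparison: only finds the string if it starts on a word. */
static uint64_t find_aligned_word(peek_fn peek, uint64_t start, uint64_t end, uint64_t word)
{
    for (uint64_t a = start; a < end; a += 8)
        if (peek(a) == word) return a;
    return UINT64_MAX;
}

/* Carry-over search of [start, end) for pat (len <= 56); returns the
   address of the first match, or UINT64_MAX if there is none. */
static uint64_t find_bytes(peek_fn peek, uint64_t start, uint64_t end,
                           const void *pat, size_t len)
{
    uint8_t win[64];   /* kept tail of earlier words, then the new word */
    size_t have = 0;   /* valid bytes in win; win[0] is address a + 8 - have */
    if (len == 0 || len > sizeof win - 8) return UINT64_MAX;
    for (uint64_t a = start; a < end; a += 8) {
        uint64_t w = peek(a);
        for (int i = 7; i >= 0; i--, w >>= 8)   /* unpack in memory order */
            win[have + i] = (uint8_t)w;
        have += 8;
        for (size_t i = 0; i + len <= have; i++)
            if (memcmp(win + i, pat, len) == 0) return a + 8 - have + i;
        size_t keep = have < len - 1 ? have : len - 1;  /* a match may start here */
        memmove(win, win + have - keep, keep);
        have = keep;
    }
    return UINT64_MAX;
}

int main(void) { printf("%d\n", (int)find_bytes(mock_peek, 0, 32, "/app_home", 9)); return 0; }
```

On the constructed buffer the word-by-word comparison finds nothing, while the carry-over search reports offset 13.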

  3. #3  
    stoker25 is offline IJDGAF
    thanks for the correction user, but I managed to find a much better way to use them. For reference:
    Code:
    static inline void poke( uint64_t addr, uint64_t val)
    {
    	system_call_2(7, addr, val); 
    }
    
    static inline uint64_t peek(uint64_t address)
    {
    	system_call_1(6, address);
    	return_to_user_prog(uint64_t);
    }
    I found out the reason I was getting garbage data was because of my payload :P blackb0x' LV2Dump uses its own way to read the kernel. By using a new payload I was able to get the peek/poke syscalls working

    I've managed to make my own clone of JaicraB's loader, since his old one didn't like me. It lets you choose the usb you want to redirect, instead of hardcoding it like JaicraB. I'll release it and the source in the next few days.

  4. #4  
    Jon Salat is offline Member
    deanrr released a modified version of Jaicrab's FW loader;

    1) I modified JaiC USB Firm Loader to load /dev_flash from MemoryStick card (and from SDHC card and from USB) so now I can use the tool with custom DEV_FLASH without wasting USB ports
    It's quite useful to use it from SD card as it's not really used for anything else so it frees up all the USB ports.

    Is it possible to use syscall35 instead? Jaicrab's FW loader isn't compatible with PL3 unfortunately.

  5. #5  
    user is offline account deleted
    Quote (originally posted by stoker25):
    I've managed to make my own clone of JaicraB's loader, since his old one didn't like me. It lets you choose the usb you want to redirect, instead of hardcoding it like JaicraB. I'll release it and the source in the next few days.

    nice!

    Quote (originally posted by Jon Salat):
    Is it possible to use syscall35 instead? Jaicrab's FW loader isn't compatible with PL3 unfortunately.

    yes, most probably

  6. #6  
    stoker25 is offline IJDGAF
    Here we go: http://psx-scene.com/forums/f149/[ps3-src]-cfwload-1-0-a-69947/

    Syscall 35 only lets you redirect paths, not sure if that would work with dev_flash. The way dev_flash is redirected with the loader is by changing the mount points in the LV2 memory. I'll have to make a syscall 35 version sometime just to see if it works.

    If you're using PL3 though, just change to the dev payload like I use for some peek and poke action.
