How to Hook into LV2 Memory!

[garyopa]

PS3mrengigma has updated his blog with a tutorial on how to hook into LV2.

In this tutorial he utilizes, the undocumented, SYSCALL 867 for his hook.

SYSCALL 867, which he explained previously, controls the PS3′s model information (retail, debug, reference tool etc).

In his tutorial he walks us through the process of making his debug PS3, thinking its a Retail unit (there is no benefit to making it think its a retail, its simply a learning exercise).

Author's Blog: COMO REALIZAR HOOKS EN EL LV-2 @ PS3mrenigma's Blog

News Source: How to Hook into LV2 Memory (via) PSGroove.com

For those interested in the tutorial, here is the translated version:

In this post we will see how to make hooks (hooks) in the LV-2 SYSCALL.

The possibilities are endless da hook, only to be limited to our imagination
and what we want to achieve with the hook.

For this section we should bear in mind that we need to meet the following requirements:

- Take a dump of the entire LV-2, possibly without being modified in any way by a payload.
– Knowledge of assembler to understand the original SYSCALL to create our hooks.
– Understand how the / s SYSCALL we will modify.

For this post we will take the example of a LV-2 3.41 Debug (for it is that I work mostly), but can be applied just as in a LV-2 Retail.

The first thing you need to know is the beginning of the SYSCALL_TABLE, and the number of SYSCALL we want to put a hook.

For example put a hook to the SYSCALL 0 × 363 (867) to alter the machine model that we will return.

The SYSCALL_TABLE is at position 0x303130 (at any position in the LV-2 assume that they add the base address 0x8000 …), knowing the number of the SYSCALL (867) and taking into account that each table entry is 8 bytes in the address pointed to multiply 867 * 8 = 6936, so we add that to the SYSCALL_TABLE, 0x303130 + 0x1B18 = 0x304C48.

In this direction we find another memory address, 0x348FB0, we go to the second and we have another memory address, 0x27A368. In this direction starts the code of the SYSCALL.

Point out the direction where is the address where the SYSCALL would begin, in this case, 0x348FB4.

Enter the code in the SYSCALL, knowing that the SYSCALL has 2 parameters, the first command of the operation to be performed and the second a pointer to a buffer to store the result of the call, we can try to see how the SYSCALL.

The SYSCALL 867 with the command 0x19004 returned in the output buffer at position 3 (starting from 0) the byte that indicates the machine model, knowing that we can make our hook inject this value in the output buffer.

We started writing our hook, for it wrote the preamble to the SYSCALL basing in the original code:

Code:

STDU% sp,-0xB0 (% sp)
mflr% r0
std% r30, 0xA0 (% sp)
std% r31, 0xA8 (% sp)
std% r29, 0 × 98 (% sp)
std% r0, 0xC0 (% sp)

Having echo the preamble, we see that we have stored on the stack the registers% r30,% r31,% r29 pudiendolos use for what we need in our hook, as we have in store the Link Register so you could use our hook subllamadas smooth caller to return to the code.

Need to check that the command you want to modify is the 0x19004, so we proceed to create a check:

Code:

lis% r31, 1
ori% r31,% r31, 0 × 9004
cmpw% r31,% r3
bne _salir_sin_nada

At this point we have two possible flows, which is our command or it may not be. Start by it to be:

Code:

li% r30, 0 × 85
li% r29, 1

stb% r29, 1 (% r4)
stb% r30, 3 (% R4)
stb% r29, 5 (% r4)
stb% r29, 7 (% r4)

li% r3, 0

ld% r0, 0xC0 (% sp)
ld% r29, 0 × 98 (% sp)
ld% r31, 0xA8 (% sp)
ld% r30, 0xA0 (% sp)
mtlr% r0
addi% sp,% sp, 0xB0

BLR

_salir_sin_nada:

With this code will always let a European Retail of the first sub-models.

Now to implement the code in the event that the command is not checked:

b {address} , here we have to calculate a memory address where the branch is unconditional distance to the target memory address where we go, in this case 0x27A380.

We will explain the code, if the command was desired, modify the destination buffer filling with a retail eur forced model, the first sub-models, after which he managed the preamble of the function and return without going through the SYSCALL original caller of the SYSCALL code. In the event that is not the command, do an unconditional jump to the original SYSCALL after its preamble already done in our code, so as the original parameters are untouched, as the SYSCALL finish and proceed to return to its caller, would return to the code the original name, because the code itself will correct the preamble SYSCALL ours.

Once you create the hook, just have to copy it to a memory region in the LV-2 proper, in the case of the debug start in 0x54408, while retail 0x50B44.

Do not forget that the unconditional jump performed at the end of the hook has to be recalculated at the address where the copied.

Once copied, you need to install the hook so that when the modules call the SYSCALL call our code, in our case as we know where to start our code (0x54408), proceed to write this direction in the second memory address that points that indicate the SYSCALL_TABLE, ie 0x348FB4.

Once done, any module, homebrew, etc to call that SYSCALL go through our hook, and if the command is 0x19004, we will refund a forced Retail Eur.

For this sample, a produce debug it from the XMB can not launch applications without signing, returning the error VSH not allowed (this problem is patched by PSGROOVE as we will explain in a future post).

[xbox1513]

Can this be used to make kiosk ps3 act as a retail ps3.

[Dark Scyth]

He is doing the opposite of what needs to be done. It needs to make retail think its a debug . I would have to assume if it'll make debugs think they are retail, then it should theoretically work the same with Kiosk to retail. Of course you may want to wait for someone else to try this, could be some bricking problems.

[xbox1513]

He is doing the opposite of what needs to be done. It needs to make retail think its a debug . I would have to assume if it'll make debugs think they are retail, then it should theoretically work the same with Kiosk to retail. Of course you may want to wait for someone else to try this, could be some bricking problems.

Yeah good idea, i remeber bricking my psp fat when 2.60 downgrade was being tested.

[mihakase]

Aren't there debug PUPs that downgrade the firmware? So you could use syscall 867 to spoof your firmware and then use those to downgrade it?

[Dark Scyth]

Yeah good idea, i remeber bricking my psp fat when 2.60 downgrade was being tested.

At least it was a fat, Pandora can rescue it no matter what. Of course for it being 2.60 you probably don't even have a PSP anymore.

[xbox1513]

At least it was a fat, Pandora can rescue it no matter what. Of course for it being 2.60 you probably don't even have a PSP anymore.

I had gamespot warranty, and downgraded successfully on the new one.

[MRDOCA]

so... is this good? sort of all went over my head

[bigd5783]

so I wonder what the syscalls are for telling psn what version firmware we are on...

[subcon959]

I need the syscall for increasing my bank balance.