  1. #1
    Join Date
    Apr 2005
    Posts
    24,347

    PS3 Hypervisor Reverse Engineering Progress is Detailed

    A few days ago we reported on graf_chokolo's progress in decrypting PS3 Firmware 3.50, and today he has made available to the PlayStation 3 Wiki (linked above) his PS3 hypervisor reverse-engineering work to date, as follows:

    HSPRG
    The hypervisor stores a pointer to some structure per LPAR in HSPRG0 register. There are actually 2 HSPRG0 values: one for each thread of Cell CPU !!! There is a HSPRG0 array at 0x8(-0x69A0(HSPRG0)) + 0x20.

    LPAR
    LPAR = Logical Partition

    lpar1 starts at 0x<unknown>, and it's believed to be the memory space where lv1 stores its variables, flags and other data.
    lpar2 starts at 0x80000000000 and it's believed to be the memory space where lv2 stores its variables, flags and other data.

    The pointer to active LPAR is stored at -0x67E8(HSPRG0).

    vtable
    0x0033CA40 (3.15)

    Member variables
    offset 0x38 - some pointer
    offset 0x50 - LPAR id (8 bytes)
    offset 0x70 - pointer to VAS id bitmap
    offset 0x78 - power of 2 of word size from VAS id bitmap (4 bytes), equal to 6
    offset 0x7C - number of 64-bit words in VAS id bitmap(4 bytes)

    Interrupt handling
    The pointer to the interrupt handler that is called e.g. when an external interrupt occurs is at -0x69F0(HSPRG0).

    0x00001930 (3.15 and 2.60)

    Interrupt vector tables
    There are 2 interrupt vector tables. One for each thread. The pointer to these tables is at -0x6950(HSPRG0).

    offset 0x8 - IIC memory base address (8 bytes)
    offset 0x10 - thread register offset (8 bytes)
    offset 0x18 - start of interrupt vector table (19 entries, each entry 32 bytes)

    Interrupt vector table entry
    offset 0x0 - pointer to interrupt handler
    offset 0x8 - TOC
    offset 0x10 - 0
    offset 0x18 - parameter to interrupt handler

    Interrupt handlers
    Spurious interrupt handler
    0x002BC174 (3.15)

    RSX
    0x00219A44 (3.15)
    0x002176FC (2.60)

    SB bus
    0x002B9CC4 (3.15)

    I/O address translation
    0x002CD7D8 (3.15)
    0x002C9214 (2.60)

    Performance monitor
    0x002F0584 (3.15)
    0x002EB1B0 (2.60)

    Token manager
    0x002BBA9C (3.15)
    0x002B754C (2.60)

    HV call
    The address of HV table is stored at -0x6FC8(HSPRG0).
    The address of HV table size is stored at -0x6FD0(HSPRG0).

    HV call


    Dump of all repository nodes from HV 3.15

    Buses

    SB bus
    type - 4
    index - 1

    num_devices - 4 (repository node says this but there are more devices !!!)

    Storage bus
    type - 5
    index - 4
    num_devices - 4

    SB bus subsystem
    vtable
    0x00352600 (3.15)

    Member variables
    offset 0x10 - MMIO memory base address

    offset 0x20 - array of 16 pointers to SB devices (0 - Gelic device, 1 - USB device)

    Objects
    0x00349528 - pointer to pointer to SB bus subsystem object

    Memory base address
    0x24000000000

    All SB bus device MMIO addresses are relative to this memory address.

    SB device MMIO/DMA memory region
    vtable
    0x000x352308 (3.15)

    Member variables
    offset 0x18 - pointer to previous bus memory region object
    offset 0x20 - pointer to next bus memory region object
    offset 0x30 - relative bus memory start address
    offset 0x38 - size of bus memory region

    SB bus device
    vtable
    0x00352620 (3.15)

    Member variables
    offset 0x18 - array of pointers to MMIO memory region objects owned by device (8 * 8 bytes)
    offset 0x60 - pointer to first DMA region object
    offset 0x6C - device opened flag (1 byte, 0 - not opened, 1 - already opened)
    offset 0x70 - id of LPAR that opened this device
    offset 0x90 - pointer to an object that contains the address of interrupt handler for this device and SB bus interrupt index

    Gelic device (Network Interface)
    device id = 0
    interrupt index = 8

    MMIO regions

    0x003A8050 (VAS id 3, LPAR 2)

    0x003BC510 (VAS id 48, LPAR 2)

    LPAR_change_HTAB
    This function changes the currently active HTAB. It writes to the SDR1 register, where the HTAB address and size are stored.

    0x002BE5D4 (3.15)

    Process SLB
    Each HV process has 16 SLB entries.

    Each SLB entry is 16 bytes large and is in format expected by opcode slbmte.

    Most of the entries are zero (invalid).

    Each process has 4 valid SLB entries: code, data, heap and stack.

    Process 3

    SLB entries
    0x0012D1F0 (3.15)


    12 - CONTROL_LED
    I have tested this service with PSGroove and GameOS is allowed to use it

    Packet Body

    Parameters
    I have tested the following parameters with this service:

    field1  field2  field4  Description
    0x29    0x4     0x6     Makes a short single beep
    0x29    0xA     0x1B6   Makes a double beep
    0x29    0x7     0x36    -
    0x29    0xA     0xFFF   Makes a continuous beep

    Active System Managers in HV dump 3.15
    There are 4 active SMs in HV dump.

    Index  Name                          LPAR auth id        LPAR image pathname                  Ability Bitmask (Hex)
    0      SCE_CELLOS_PME                0x1070000001000001  /flh/os/this_is_dummy                0x1
    1      SCE_CELLOS_SYSTEM_MGR         0x1070000002000001  /flh/os/lv2_kernel.self              0x3BF7EF
    2      SCE_CELLOS_SYSTEM_MGR_PS2_SW  0x1020000003000001  /local_sys0/ps2emu/ps2_softemu.self  0x1226D
    3      SCE_CELLOS_SYSTEM_MGR_LINUX   0x1080000004000001  /flh/lx/linux                        0x40012

    GameOS file image lv2_kernel.self is stored on /dev/rflash1
    Linux file image is stored on /dev/rflash_1x or /dev/rflash_1xp

    Booting Linux LPAR through System Manager
    To boot Linux LPAR from GameOS when Linux support was not removed (Ability Mask of PS3 System Manager needs patching !!!):

    Send SID packet SET_NEXT_OP with operation OP_LPAR_REBOOT and the index of Linux system manager to System Manager (VUART 2)
    Send SID packet REQUEST with type SHUTDOWN to System Manager (VUART 2)
    Execute lv1_panic HV call in GameOS
    It should also work when Linux support was removed but Linux system manager was not removed from Process 9 and also assumed that a Linux kernel image is stored at the right place in /dev/rflash_1x.

    It's just a theory, nothing else, that I gathered during HV reversing. It needs a practical proof. Unfortunately, I don't have access to Hypervisor.

    AV Manager
    All data sent to VUART 0 in LPAR 2 is written into the data buffer of VUART 5 of LPAR 1.

    VUART 5 of LPAR 1 is accessed by Process 9 in LPAR 1 through the file /proc/partitions/2/vuart/0.

    During initialization, AV Manager opens /dev/ioif0 device and maps different address ranges of the device into address space of Process 9
    /dev/ioif0 is NOT opened and mapped if the value of repository node lv1.rsx.enable is less than 1
    /dev/ioif0 is mapped with READ/WRITE protection
    File descriptor of /dev/ioif0 in Process 9 is 4
    AV Manager supports a lot more commands than used on Linux
    Every command is implemented by a class

    Mapped Address Ranges From /dev/ioif0
    The base address of /dev/ioif0 is 0x28000000000. The device supports only mmap system call, it cannot be read or written. It also doesn't support ioctl.

    Index  Absolute Address Range         Size    Mapped Address in Process 9 Address Space
    0      0x28000000000 - 0x28000002000  0x2000  0xA0019000
    1      0x28001800000 - 0x28001801000  0x1000  0xA0004000
    2      0x28000600000 - 0x28000604000  0x4000  0xA001A000
    3      0x28000680000 - 0x28000684000  0x4000  0xA0006000
    4      0x28000080000 - 0x28000088000  0x8000  0xA000A000
    5      0x28000088000 - 0x28000089000  0x1000  0xA000E000
    6      0x2800000C000 - 0x2800000D000  0x1000  0xA0016000
    7      0x2800008A000 - 0x2800008B000  0x1000  0xA0017000
    8      0x2800008C000 - 0x2800008D000  0x1000  0xA0018000

    Process socket services

    Function ID and Packet ID

    Processes 3, 5 and 6 provide services (functions) to other Processes through sockets (something like RPC).
    A service is identified by a function ID.
    Each process has a hash table which maps a function ID to socket port ID.
    Services (functions) can be further differentiated by a packet ID.
    To request a service, a Process sends a packet with specified function and packet ID to the Process that provides the service.
    A process that provides a service (function) has a table of objects which handle different packet IDs.
    Services are synchronous, a client sends a request and waits for a response.
    If a Process requests a service that is located in the same Process then the service is called directly and sockets are not used !!! (e.g. SLL requests from DM creating VUART port during GameOS loading, SLL and DM are in the same Process, so SLL calls DM directly)

    Port ID - Process ID mapping

    Port ID  Process ID
    0x23     6
    0x24     5
    0x25     3
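
The interrupt vector table layout given earlier in this post (header fields at 0x8 and 0x10, then 19 entries of 32 bytes from 0x18) can be checked against a memory dump with a small parser. This is an added example, not part of the original post or of graf_chokolo's work; it assumes big-endian fields and that an entry's handler pointer equals one of the 3.15 handler addresses listed in the post, and the sample table (slot numbers, TOC, IIC base) is constructed.

```python
import struct

# Offsets and sizes as stated in the post.
IIC_BASE_OFF = 0x08      # IIC memory base address (8 bytes)
THREAD_REG_OFF = 0x10    # thread register offset (8 bytes)
TABLE_OFF = 0x18         # start of interrupt vector table
ENTRY_COUNT = 19
ENTRY_SIZE = 32

# Handler addresses the post lists for HV 3.15.
KNOWN_HANDLERS_315 = {
    0x002BC174: "spurious",
    0x00219A44: "RSX",
    0x002B9CC4: "SB bus",
    0x002CD7D8: "I/O address translation",
    0x002F0584: "performance monitor",
    0x002BBA9C: "token manager",
}


def parse_vector_table(blob, base=0):
    """Decode one per-thread vector table located at `base` inside `blob`."""
    end = base + TABLE_OFF + ENTRY_COUNT * ENTRY_SIZE
    if base < 0 or end > len(blob):
        raise ValueError("dump too short for a 19-entry vector table")
    # Assumption: all fields are big-endian 64-bit values.
    iic_base, thread_reg = struct.unpack_from(">QQ", blob, base + IIC_BASE_OFF)
    entries = []
    for i in range(ENTRY_COUNT):
        handler, toc, reserved, param = struct.unpack_from(
            ">4Q", blob, base + TABLE_OFF + i * ENTRY_SIZE)
        entries.append({
            "index": i,
            "handler": handler,
            "toc": toc,
            "param": param,
            "name": KNOWN_HANDLERS_315.get(handler, "unknown"),
            # The post says the word at entry offset 0x10 is 0; a non-zero
            # value suggests a wrong base address or a different layout.
            "reserved_ok": reserved == 0,
        })
    return {"iic_base": iic_base, "thread_reg_offset": thread_reg,
            "entries": entries}


def build_sample():
    """Constructed table for demonstration, not data from a real dump."""
    blob = bytearray(TABLE_OFF + ENTRY_COUNT * ENTRY_SIZE)
    struct.pack_into(">QQ", blob, IIC_BASE_OFF, 0x1000, 0x10)
    for i in range(ENTRY_COUNT):
        handler = 0x00219A44 if i == 3 else 0x002BC174   # constructed slots
        reserved = 1 if i == 7 else 0                    # deliberately bad
        struct.pack_into(">4Q", blob, TABLE_OFF + i * ENTRY_SIZE,
                         handler, 0x00340000, reserved, i)
    return bytes(blob)


if __name__ == "__main__":
    for e in parse_vector_table(build_sample())["entries"]:
        flag = "" if e["reserved_ok"] else "  <-- reserved word not zero"
        print(f'{e["index"]:2d} {e["handler"]:#010x} {e["name"]}{flag}')
```
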

  2. #2
    Join Date
    Apr 2005
    Posts
    24,347
    Continued from the first post...

    SS Service Return Values

    RL_FOR_PROGRAM.img 3.50

    RL_FOR_PACKAGE.img 3.41

    RL_FOR_PACKAGE.img 3.50

    CORE_OS_PACKAGE.pkg 3.15
    Here is a piece of data from decrypted and decompressed package.

    BDIT_FIRMWARE_PACKAGE.pkg 3.50
    Here is a piece of data from decrypted package.

    BDPT_FIRMWARE_PACKAGE_301R.pkg 3.50
    Here is a piece of data from decrypted package.

    BLUETOOTH_FIRMWARE.pkg 3.41

    SYS_CON_FIRMWARE_01050101.pkg 3.41

    0x6005 - Extract Package Tophalf
    The result of the request can be checked by reading the value of repository node ss.extract.request.<Request ID> periodically

    0x600B - Read EEPROM
    I have got read access to EEPROM of Update Manager through DM and tested it with PSGroove
    I read PRODUCT_MODE from it successfully, PRODUCT_MODE = 0x000000FF
    The service expects one additional parameter: offset (4 bytes)
    The service accepts only some predefined offsets
    The service returns the specified offset and the value at this offset

    0x600C - Write EEPROM
    Writing to EEPROM of Update Manager is also possible through DM
    Tested this service successfully with QA flag

    0x6010 - Check Integrity
    This service checks integrity of important files stored on /dev/rflash1, e.g. lv0 or lv1
    The service is used e.g. by System Manager
    When product mode is NOT 0xFF then check is skipped !!!

    0x6011 - Get Applicable Version
    I have got access to this service through DM and PSGroove and tested it
    The service expects one additional unknown parameter of size 4 bytes, it has to be 0x00000001 or else the service fails
    Here is the return value:

    0x9000 - SC Manager
    SC Manager cannot be accessed directly by using DM unfortunately (DM discards all requests) but it's used by other services that are accessible through DM

    E.g. Update Manager services "Read EEPROM" and "Write EEPROM" send requests to SC Manager services "Read EEPROM" and "Write EEPROM"
    SC Manager runs sc_iso.self

    Packet ID - SS ID Mapping
    Before DM routes a received request to a service provider (HV Process) it consults SPM
    DM sends a request to SPM
    Request contains SS ID and Subject ID (laid and paid)
    DM obtains SS ID by mapping Packet ID
    Here is the mapping table I extracted from HV Process 3 where SPM and DM run:

    0x24002 - Verify Response
    I have got access to this service and tested it with PSGroove
    The response body is 25 bytes large
    The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
    The 16 bits at offset 3 are a dongle ID
    The dongle ID is checked if it's revoked or not
    When the verification succeeds then product mode is set to 1
    The service calculates USB Dongle Key from USB Dongle ID and USB Dongle Master Key by using HMAC SHA-1
    The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and USB Dongle Key
    After that the service compares the calculated response body with the given one that was sent to the service
    It seems that laid and paid from SS packet header are used in decryption process

    USB Dongle Master Key
    USB Dongle Master Key is stored encrypted in Process 6
    The encrypted key is 64 bytes large
    The decrypted key is 20 bytes large
    The USB Dongle Master Key is decrypted first time the service 0x24002 is used
    The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of Virtual TRM Manager
    The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after first usage of this service)
    When decryption of USB Dongle Master Key fails then a dummy key is used
    Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping

    Here is the encrypted USB Dongle Master Key from HV 3.15:

    Here is the USB Dongle Master Dummy Key from HV 3.15:

    USB Dongle ID Revoke List
    Process 6 contains a revoke list for USB Dongle IDs
    The revoke list is 0x2000 bytes large. It's a bitmap.
    Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.
    The following USB Dongle IDs are revoked in HV 3.15:

    0x25000 - User Token Manager

    LPAR Memory Management

    Memory Region class
    This class is the base class for different memory region types.

    vtable
    0x003578B0 (3.15)

    Member variables
    offset 0x40 - pointer to LPAR object that owns this memory region
    offset 0x48 - type of memory region (8 bytes)
    offset 0x50 - LPAR start address of memory region
    offset 0x58 - size of memory region (8 bytes)
    offset 0x60 - flags (8 bytes)
    offset 0xA0 - log2 of page size

    Physical Memory Region class
    This type of memory region is created e.g. in lv1_allocate_memory HV call or in syscall 0x10000.

    vtable
    0x00357D08 (3.15)

    Member variables
    offset 0xB0 - pointer to object that stores a list of addresses of physical pages owned by this memory region
    offset 0xB8 - pointer to LPAR object that owns this memory region
    offset 0xC0 - reference counter (8 bytes)

    Objects
    Here is the list of physical memory region objects I found in HV 3.15.

    SPE MMIO Memory Region class
    This type of memory region represents MMIO memory region of a SPE. It's created e.g. in lv1_construct_logical_spe or in syscall 0x10040.

    vtable
    0x003583F8 (3.15)

    Member variables

    Objects
    Here is the list of SPE memory region objects I found in HV 3.15.

    Lv-2 syscalls

    Number Name Notes

    1 sys_process_getpid
    2 sys_process_wait_for_child
    4 sys_process_get_status
    5 sys_process_detach_child
    12 sys_process_get_number_of_object
    13 sys_process_get_id
    14 sys_process_is_spu_lock_line_reservation_address
    18 sys_process_getppid
    19 sys_process_kill
    23 sys_process_wait_for_child2
    25 sys_process_get_sdk_version
    43 sys_ppu_thread_yield
    44 sys_ppu_thread_join
    45 sys_ppu_thread_detach
    46 sys_ppu_thread_get_join_state
    47 sys_ppu_thread_set_priority
    48 sys_ppu_thread_get_priority
    49 sys_ppu_thread_get_stack_information
    56 sys_ppu_thread_rename
    57 sys_ppu_thread_recover_page_fault
    67 sys_trace_allocate_buffer
    68 sys_trace_free_buffer
    69 sys_trace_create2
    70 sys_timer_create
    71 sys_timer_destroy
    72 sys_timer_get_information
    73 sys_timer_start
    74 sys_timer_stop
    75 sys_timer_connect_event_queue
    76 sys_timer_disconnect_event_queue
    80 sys_interrupt_tag_create
    81 sys_interrupt_tag_destroy
    84 sys_interrupt_thread_establish
    88 sys_interrupt_thread_eoi
    89 sys_interrupt_thread_disestablish
    90 sys_semaphore_create
    91 sys_semaphore_destroy
    92 sys_semaphore_wait
    93 sys_semaphore_trywait
    94 sys_semaphore_post
    100 sys_mutex_create
    101 sys_mutex_destroy
    102 sys_mutex_lock
    103 sys_mutex_trylock
    104 sys_mutex_unlock
    105 sys_cond_create
    106 sys_cond_destroy
    107 sys_cond_wait
    108 sys_cond_signal
    109 sys_cond_signal_all
    110 sys_cond_signal_to
    114 sys_semaphore_get_value
    120 sys_rwlock_create
    121 sys_rwlock_destroy
    122 sys_rwlock_rlock
    123 sys_rwlock_tryrlock
    124 sys_rwlock_runlock
    125 sys_rwlock_wlock
    126 sys_rwlock_trywlock
    127 sys_rwlock_wunlock
    128 sys_event_queue_create
    129 sys_event_queue_destroy
    130 sys_event_queue_receive
    131 sys_event_queue_tryreceive
    133 sys_event_queue_drain
    134 sys_event_port_create
    135 sys_event_port_destroy
    136 sys_event_port_connect_local
    137 sys_event_port_disconnect
    138 sys_event_port_send
    140 sys_event_port_connect_ipc
    141 sys_timer_usleep
    142 sys_timer_sleep
    145 sys_time_get_current_time
    147 sys_time_get_timebase_frequency
    150 sys_raw_spu_create_interrupt_tag
    151 sys_raw_spu_set_int_mask
    152 sys_raw_spu_get_int_mask
    153 sys_raw_spu_set_int_stat
    154 sys_raw_spu_get_int_stat
    156 sys_spu_image_open
    160 sys_raw_spu_create
    161 sys_raw_spu_destroy
    163 sys_raw_spu_read_puint_mb
    165 sys_spu_thread_get_exit_status
    166 sys_spu_thread_set_argument
    167 sys_spu_thread_group_start_on_exit
    169 sys_spu_initialize
    170 sys_spu_thread_group_create
    171 sys_spu_thread_group_destroy
    172 sys_spu_thread_initialize
    173 sys_spu_thread_group_start
    174 sys_spu_thread_group_suspend
    175 sys_spu_thread_group_resume
    176 sys_spu_thread_group_yield
    177 sys_spu_thread_group_terminate
    178 sys_spu_thread_group_join
    179 sys_spu_thread_group_set_priority
    180 sys_spu_thread_group_get_priority
    181 sys_spu_thread_write_ls
    182 sys_spu_thread_read_ls
    184 sys_spu_thread_write_snr
    185 sys_spu_thread_group_connect_event
    186 sys_spu_thread_group_disconnect_event
    187 sys_spu_thread_set_spu_cfg
    188 sys_spu_thread_get_spu_cfg
    190 sys_spu_thread_write_spu_mb
    191 sys_spu_thread_connect_event
    192 sys_spu_thread_disconnect_event
    193 sys_spu_thread_bind_queue
    194 sys_spu_thread_unbind_queue
    196 sys_raw_spu_set_spu_cfg
    197 sys_raw_spu_get_spu_cfg
    198 sys_spu_thread_recover_page_fault
    199 sys_raw_spu_recover_page_fault
    244 sys_spu_thread_group_system_set_next_group
    245 sys_spu_thread_group_system_unset_next_group
    246 sys_spu_thread_group_system_set_switch_group
    247 sys_spu_thread_group_system_unset_switch_group
    251 sys_spu_thread_group_connect_event_all_threads
    252 sys_spu_thread_group_disconnect_event_all_threads
    260 sys_spu_image_open_by_fd
    327 sys_mmapper_enable_page_fault_notification
    329 sys_mmapper_free_shared_memory
    330 sys_mmapper_allocate_address
    331 sys_mmapper_free_address
    332 sys_mmapper_allocate_shared_memory
    333 sys_mmapper_set_shared_memory_flag
    334 sys_mmapper_map_shared_memory
    335 sys_mmapper_unmap_shared_memory
    336 sys_mmapper_change_address_access_right
    337 sys_mmapper_search_and_map
    338 sys_mmapper_get_shared_memory_attribute
    341 sys_memory_container_create
    342 sys_memory_container_destroy
    343 sys_memory_container_get_size
    348 sys_memory_allocate
    349 sys_memory_free
    350 sys_memory_allocate_from_container
    351 sys_memory_get_page_attribute
    352 sys_memory_get_user_memory_size
    378 sys_sm_get_ext_event2
    402 sys_tty_read
    403 sys_tty_write
    450 sys_overlay_load_module
    451 sys_overlay_unload_module
    452 sys_overlay_get_module_list
    453 sys_overlay_get_module_info
    454 sys_overlay_load_module_by_fd
    455 sys_overlay_get_module_info2
    456 sys_overlay_get_sdk_version
    457 sys_overlay_get_module_dbg_info
    461 sys_prx_get_module_id_by_address
    463 sys_prx_load_module_by_fd
    464 sys_prx_load_module_on_memcontainer_by_fd
    480 sys_prx_load_module
    481 sys_prx_start_module
    482 sys_prx_stop_module
    483 sys_prx_unload_module
    484 sys_prx_register_module
    485 sys_prx_query_module
    486 sys_prx_register_library
    487 sys_prx_unregister_library
    488 sys_prx_link_library
    489 sys_prx_unlink_library
    490 sys_prx_query_library
    494 sys_prx_get_module_list
    495 sys_prx_get_module_info
    496 sys_prx_get_module_id_by_name
    497 sys_prx_load_module_on_memcontainer
    498 sys_prx_start
    499 sys_prx_stop
    600 sys_storage_open
    601 sys_storage_close
    602 sys_storage_read
    603 sys_storage_write
    604 sys_storage_send_device_command
    605 sys_storage_async_configure
    606 sys_storage_async_read
    607 sys_storage_async_write
    608 sys_storage_async_cancel
    609 sys_storage_get_device_info
    610 sys_storage_get_device_config
    611 sys_storage_report_devices
    612 sys_storage_configure_medium_event
    613 sys_storage_set_medium_polling_interval
    614 sys_storage_create_region
    615 sys_storage_delete_region
    616 sys_storage_execute_device_command
    617 sys_storage_get_region_acl
    618 sys_storage_set_region_acl
    624 sys_io_buffer_create
    625 sys_io_buffer_destroy
    626 sys_io_buffer_allocate
    627 sys_io_buffer_free
    630 sys_gpio_set
    631 sys_gpio_get
    633 sys_fsw_connect_event
    634 sys_fsw_disconnect_event
    666 sys_rsx_device_open
    667 sys_rsx_device_close
    668 sys_rsx_memory_allocate
    669 sys_rsx_memory_free
    670 sys_rsx_context_allocate
    671 sys_rsx_context_free
    672 sys_rsx_context_iomap
    673 sys_rsx_context_iounmap
    674 sys_rsx_context_attribute
    675 sys_rsx_device_map
    676 sys_rsx_device_unmap
    677 sys_rsx_attribute
    871 sys_ss_access_control_engine
    872 sys_ss_get_open_psid
    873 sys_ss_get_cache_of_product_mode
    874 sys_ss_get_cache_of_flash_ext_flag
    875 sys_ss_get_boot_device
    876 sys_ss_disc_access_control
    878 sys_ss_ad_sign
    879 sys_ss_media_id
    880 sys_deci3_open
    881 sys_deci3_create_event_path
    882 sys_deci3_close
    883 sys_deci3_send
    884 sys_deci3_receive

    Network Syscall
    Networking uses syscalls 700-726

    Number Name Notes

    700 sys_net_bnet_accept
    701 sys_net_bnet_bind
    702 sys_net_bnet_connect
    703 sys_net_bnet_getpeername
    704 sys_net_bnet_getsockname
    705 sys_net_bnet_getsockopt
    706 sys_net_bnet_listen
    707 sys_net_bnet_recvfrom
    708 sys_net_bnet_recvmsg
    709 sys_net_bnet_sendmsg
    710 sys_net_bnet_sendto
    711 sys_net_bnet_setsockop
    712 sys_net_bnet_shutdown
    713 sys_net_bnet_socket
    714 sys_net_bnet_close
    715 sys_net_bnet_poll
    716 sys_net_bnet_select
    717 unknown
    718 unknown
    719 unknown
    720 unknown
    721 unknown
    722 unknown
    723 unknown
    724 sys_net_bnet_ioctl
    725 sys_net_bnet_sysctl
    726 unknown

    File Syscalls

    Number Name Notes

    801 lv2FsOpen
    802 lv2FsRead
    803 lv2FsWrite
    804 lv2FsClose
    805 lv2FsOpenDir
    806 lv2FsReadDir
    807 lv2FsCloseDir
    808 lv2FsStat
    809 lv2FsFstat
    810 lv2FsLink
    811 lv2FsMkdir
    812 lv2FsRename
    813 lv2FsRmdir
    814 lv2FsUnlink
    815 lv2FsUtime

    818 lv2FsLSeek

    820 lv2FsFSync

    831 lv2FsTruncate
    832 lv2FsFTruncate

    834 lv2FsChmod
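
The "0x24002 - Verify Response" and "USB Dongle ID Revoke List" passages above describe a keyed challenge-response check gated by a revocation bitmap; the sketch below walks through that service-side check in order. It is an added example, not part of the original post or the hypervisor's code. Assumptions: the master key is the HMAC key and the big-endian 16-bit dongle ID the message when deriving the dongle key, the 20 bytes after the ID are the HMAC-SHA1 output, bits are numbered MSB-first within each bitmap byte, and the key and challenge are constructed sample values.

```python
import hashlib
import hmac

HEADER = bytes([0x2E, 0x02, 0x02])   # required first 3 bytes (from the post)
RESPONSE_LEN = 25                    # response body size (from the post)
REVOKE_LIST_LEN = 0x2000             # bitmap size (from the post)

# Constructed sample values, not real keys or captured traffic.
SAMPLE_MASTER_KEY = bytes(range(20))          # decrypted key is 20 bytes
SAMPLE_CHALLENGE = bytes(range(0x40, 0x54))   # length is an assumption


def make_revoke_list(revoked_ids):
    """Build a 0x2000-byte bitmap; a cleared bit marks a revoked ID."""
    bitmap = bytearray(b"\xff" * REVOKE_LIST_LEN)
    for dongle_id in revoked_ids:
        bitmap[dongle_id >> 3] &= ~(0x80 >> (dongle_id & 7)) & 0xFF
    return bytes(bitmap)


def is_revoked(revoke_list, dongle_id):
    """Assumption: MSB-first bit numbering inside each byte."""
    if len(revoke_list) != REVOKE_LIST_LEN:
        raise ValueError("revoke list must be 0x2000 bytes")
    if not 0 <= dongle_id < REVOKE_LIST_LEN * 8:
        raise ValueError("dongle ID outside bitmap")
    return (revoke_list[dongle_id >> 3] & (0x80 >> (dongle_id & 7))) == 0


def derive_dongle_key(master_key, dongle_id):
    # Assumption: HMAC key = master key, message = big-endian 16-bit ID.
    return hmac.new(master_key, dongle_id.to_bytes(2, "big"),
                    hashlib.sha1).digest()


def expected_response(master_key, dongle_id, challenge):
    """Recompute the response body the service would compare against."""
    dongle_key = derive_dongle_key(master_key, dongle_id)
    mac = hmac.new(dongle_key, challenge, hashlib.sha1).digest()
    return HEADER + dongle_id.to_bytes(2, "big") + mac   # 3 + 2 + 20 bytes


def verify_response(master_key, revoke_list, challenge, response):
    """Return 'ok' or the name of the first check that failed."""
    if len(response) != RESPONSE_LEN:
        return "bad-length"
    if response[:3] != HEADER:
        return "bad-header"
    dongle_id = int.from_bytes(response[3:5], "big")
    if is_revoked(revoke_list, dongle_id):
        return "revoked"
    want = expected_response(master_key, dongle_id, challenge)
    # Constant-time comparison so timing does not leak how many bytes match.
    if not hmac.compare_digest(want, response):
        return "bad-mac"
    return "ok"


if __name__ == "__main__":
    revoked = make_revoke_list([5])
    for dongle_id in (0x1234, 5):
        body = expected_response(SAMPLE_MASTER_KEY, dongle_id, SAMPLE_CHALLENGE)
        print(hex(dongle_id), verify_response(
            SAMPLE_MASTER_KEY, revoked, SAMPLE_CHALLENGE, body))
```
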

  3. #3
    Join Date
    Sep 2010
    Posts
    10
    Got it. Witchcraft and Voodoo. I knew it all along!

  4. #4
    Join Date
    Nov 2009
    Posts
    507
    Oh, now I get it.... NOT!

    Well, it's great progress

  5. #5
    Join Date
    Mar 2008
    Posts
    303
    this is a whole bunch of information.
    I'm happy that I know asm, otherwise I only would understand 1% of this o.O

    great work from this guy.
    it's funny that every time new people give information out. before yesterday I never heard of this guy.

    greetings
    Warrorar

  6. #6
    Join Date
    Oct 2010
    Posts
    48
    I know what you meant to say but apparently he's not new lol

  7. #7
    Join Date
    Apr 2010
    Posts
    709
    you can make a novel out of this. geez enough info?

  8. #8
    Join Date
    Aug 2010
    Posts
    203
    Great news, now Devs can progress even more towards a CFW or at least a new FW with JB support!

  9. #9
    Join Date
    Jul 2005
    Posts
    15
    good info that was shared thanks

  10. #10
    Join Date
    Oct 2010
    Posts
    172
    I don't understand it but still I know it's a great step towards getting the jb for fw 3.50...
