SceCompat reverse engineering
xerpi:
With the collaboration of TheFloW, we have been reverse-engineering the protocol ARM and MIPS use to communicate and boot. I pretty much focused on the ARM side (implemented in SceCompat), whereas TheFloW has mostly focused on the MIPS side.
The protocol is based on interrupts and a shared SRAM, which is accessible by both.
Here's a sequence diagram of it:
Initial state:
MIPS ARM
Consumer ready = true Producer ready = true
Response ready = false Command ready = false
Sequence diagram:
MIPS ARM
| | compat_wait_and_get_request()
| |<-----------------------------------------
| | - Wait command ready
| | (blocked)
Send command | |
--------------------------------->| |
- Wait consumer ready | |
- Write command to SRAM | |
- Send interrupt [68-70] |-------Interrupt-------->|************************
- Wait response ready (blocked) | | Push command to CQ *
*************************|<------Interrupt---------| Send interrupt [4-6] *
* Signal consumer ready | | Signal command ready *
*************************| |************************
| | - Wake from command ready
| | - Pop command from CQ and return
| | ---------------------------------------->
| |
| | compat_wait_intr()
| |<-----------------------------------------
| | - Wait producer ready
| |----------------------------------------->
| |
| | compat_return_value_ex()
| |<-----------------------------------------
| | - Write response to SRAM
**************************|<------Interrupt---------| - Send interrupt [7-9]
* Read response value | |----------------------------------------->
* Signal response ready | |
* Send interrupt [71-73] |-------Interrupt-------->|************************
**************************| | Signal producer ready *
- Wake from response ready | |************************
- Return response | |
<---------------------------------| |
| |
| |
I have also documented the registers used to trigger those interrupts on the Henkaku wiki:
* ARM side: https://wiki.henkaku.xyz/vita/SceCompatMailbox
* MIPS side: https://wiki.henkaku.xyz/vita/PSP_Emulator#Interrupt_manager
* F00D side: https://wiki.henkaku.xyz/vita/F00D_Commands#compat_sm.self
The C re-implementation of SceCompat functions can be found here: https://gist.github.com/xerpi/0e682d594c5def602750c523ee491098/
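The handshake in the sequence diagram above, as an added runnable model (example code, not part of the post and not the SceCompat re-implementation it links to): the four flags become semaphores with the initial state given in the post, each interrupt line is a direct call into the other side's handler, and the shared SRAM is two plain slots. The class and method names are assumptions chosen to mirror the diagram, not real SceCompat symbols.

```python
import threading
from collections import deque

# Constructed model of the MIPS<->ARM mailbox handshake from the post. Flags are
# semaphores (acquire = wait for and consume a flag, release = signal it); each
# interrupt is a direct call into the other side's handler. Names are assumptions.
class Mailbox:
    def __init__(self):
        self.sram_command = self.sram_response = self.mips_response = None
        self.cq = deque()                              # ARM-side command queue (CQ)
        self.consumer_ready = threading.Semaphore(1)   # initial state from the post
        self.producer_ready = threading.Semaphore(1)
        self.command_ready, self.response_ready = threading.Semaphore(0), threading.Semaphore(0)
    def arm_isr_command(self):              # MIPS -> ARM, interrupt [68-70]
        self.cq.append(self.sram_command)   # push command to CQ
        self.mips_isr_consumed()            # send interrupt [4-6]
        self.command_ready.release()        # signal command ready
    def mips_isr_consumed(self):            # ARM -> MIPS, interrupt [4-6]
        self.consumer_ready.release()       # signal consumer ready
    def mips_isr_response(self):            # ARM -> MIPS, interrupt [7-9]
        self.mips_response = self.sram_response   # read response value
        self.response_ready.release()       # signal response ready
        self.arm_isr_produced()             # send interrupt [71-73]
    def arm_isr_produced(self):             # MIPS -> ARM, interrupt [71-73]
        self.producer_ready.release()       # signal producer ready
    def mips_send_command(self, cmd):       # MIPS side: "Send command"
        self.consumer_ready.acquire()       # wait consumer ready
        self.sram_command = cmd             # write command to SRAM
        self.arm_isr_command()              # send interrupt [68-70]
        self.response_ready.acquire()       # wait response ready (blocked)
        return self.mips_response           # return response
    def compat_wait_and_get_request(self):  # ARM side (SceCompat)
        self.command_ready.acquire()        # wait command ready
        return self.cq.popleft()            # pop command from CQ and return
    def compat_wait_intr(self):
        self.producer_ready.acquire()       # wait producer ready
    def compat_return_value_ex(self, value):
        self.sram_response = value          # write response to SRAM
        self.mips_isr_response()            # send interrupt [7-9]

def run_roundtrips(commands, handler):
    """Drive each command through the mailbox with the ARM side on its own thread."""
    mbox = Mailbox()
    def arm_side():
        for _ in commands:
            cmd = mbox.compat_wait_and_get_request()
            mbox.compat_wait_intr()
            mbox.compat_return_value_ex(handler(cmd))
    t = threading.Thread(target=arm_side); t.start()
    responses = [mbox.mips_send_command(c) for c in commands]
    t.join()
    return mbox, responses
```

After a full round trip the flags are back in the initial state (consumer/producer ready set, command/response ready clear), which is the invariant the diagram relies on before the next command.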