CBPS Forums

Console Hacking => PS Vita => Reverse Engineering => Topic started by: dots_tb on April 12, 2020, 01:47:23 PM

Title: SceCompat - Trick to write to the MIPS Reset Vector
Post by: dots_tb on April 12, 2020, 01:47:23 PM

I was watching that PSP Homebrew conference thing and thought the ME processor accelerating Minecraft from 15fps to 60fps was cool.

So I thought it'd be cool to do something similar with the Vita with the MIPS processor.

However, it seems TheFlow has achieved this (https://github.com/TheOfficialFloW/VitaMips (https://github.com/TheOfficialFloW/VitaMips)). But I'll just document this if it hasn't been documented already:

The idea was to write to the MIPS reset vector as was done in the ME example Motolegacy linked (https://github.com/pspdev/pspsdk/tree/master/src/samples/me (https://github.com/pspdev/pspsdk/tree/master/src/samples/me)).

The reset vector should be the first thing that is executed by the processor, which before command 0x30006, is held in SceCompatSharedSram.

Normally, if you try to peak at the SceCompatSharedSram, it will cause a crash until command 0x30006 on compat_sm.self is called. However, on accident by putting the wrong amount of arguments on a hook, I found that passing 0 size on 0x10006 allows you to write to the reset vector once through some f00d glitch. Maybe I'm wrong, try for yourself.

This was tested on 3.60.

To prove this theory:

• A hook is made set the 0x10006 command to fail with 0 size on SceCompat
• This hook will then read "ux0:/data/mips_rst.bin" to the reset vector. I will attach the the pre-ipl + challenge mips_rst.bin to the post.
• Adrenaline is then loaded (it seems to only work once for Adrenaline?) with the mips_rst.bin loaded into the Reset Vector.
• Adrenaline is then loaded without  mips_rst.bin, causing error c1-2650-3
• Adrenaline is then loaded with the continue commented out, which causes kpanic.
• Change the hook to pass the size, and it should crash.
• Uncomment write_reset_vector(); in the standalone func, it should crash.

https://gist.github.com/dots-tb/0357e1a66db98e81153d0e8204ffce64 (https://gist.github.com/dots-tb/0357e1a66db98e81153d0e8204ffce64)

I will be posting more findings relating to SceCompat if they are not already documented.

Thanks to Mathieulh for his Wiki information, Motolegacy for linking the ME example, Celesteblue and Princess of Sleeping for being fappers and helping a ton, teakhanirons, and Sysie for method of testing

TheFlow for adrenaline.

Anyways, in what has become standard for me, I just found this and have no idea how it works. Hopefully, someone will find it useful.