CBPS Forums

Console Hacking => PS Vita => Reverse Engineering => Topic started by: xerpi on April 14, 2020, 12:26:36 PM

Title: SceCompat reverse engineering
Post by: xerpi on April 14, 2020, 12:26:36 PM

With the collaboration of TheFloW, we have been reverse-engineering the protocol ARM and MIPS use to communicate and boot. I pretty much focused on the ARM side (implemented in SceCompat (https://wiki.henkaku.xyz/vita/SceCompat)), whereas TheFlow has mostly focused on the MIPS side (https://github.com/TheOfficialFloW/VitaMips).

The protocol is based on interrupts and a shared SRAM, which is accessible by both.
Here's a sequence diagram of it:
Initial state: MIPS ARM Consumer ready = true Producer ready = true Response ready = false Command ready = false Sequence diagram: MIPS ARM | | compat_wait_and_get_request() | |<----------------------------------------- | | - Wait command ready | | (blocked) Send command | | --------------------------------->| | - Wait consumer ready | | - Write command to SRAM | | - Send interrupt [68-70] |-------Interrupt-------->|************************ - Wait response ready (blocked) | | Push command to CQ * *************************|<------Interrupt---------| Send interrupt [4-6] * * Signal consumer ready | | Signal command ready * *************************| |************************ | | - Wake from command ready | | - Pop command from CQ and return | | ----------------------------------------> | | | | compat_wait_intr() | |<----------------------------------------- | | - Wait producer ready | |-----------------------------------------> | | | | compat_return_value_ex() | |<----------------------------------------- | | - Write response to SRAM **************************|<------Interrupt---------| - Send interrupt [7-9] * Read response value | |-----------------------------------------> * Signal response ready | | * Send interrupt [71-73] |-------Interrupt-------->|************************ **************************| | Signal producer ready * - Wake from response ready | |************************ - Return response | | <---------------------------------| | | | | |

I have also documented the registers used to trigger those interrupts to the Henkaku wiki:

ARM side: https://wiki.henkaku.xyz/vita/SceCompatMailbox
MIPS side: https://wiki.henkaku.xyz/vita/PSP_Emulator#Interrupt_manager
F00D side: https://wiki.henkaku.xyz/vita/F00D_Commands#compat_sm.self

The C re-implementation of SceCompat functions can be found here: https://gist.github.com/xerpi/0e682d594c5def602750c523ee491098/