int main(int argc, char *argv[]) {
SceUID mod;
char s[255];
int r;
int SDCB1, SDCB2;
sceKernelDelayThread(7000000);
mod = pspSdkLoadStartModule("ms0:/seplugins/deemerd.prx", PSP_MEMORY_PARTITION_KERNEL);
if (mod < 0) {
sprintf(s, "Error 0x%08X loading/starting deemerd.prx.\n", mod);
debugIssueError(s);
}
SDCB1 = sceKernelCreateCallback("SaveDataStartCallback", hcDeemerCapturedSDParamsCallback, NULL );
SDCB2 = sceKernelCreateCallback("SaveDataGetStatusCallback", hcDeemerSavedataGetStatusCallback, NULL );
hcDeemerDriverSetupCallbackCapturedSDParams(SDCB1, SDCB2);
r = hcDeemerDriverPatchSavedataInitStart();
sceKernelSleepThreadCB();
return 0;
}
// Callback thread
int CallbackThread(SceSize args, void *argp) {
int cbid;
cbid = sceKernelCreateCallback("Exit Callback", (void *) exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
cbid = sceKernelCreateCallback("Power Callback", (void *) power_callback, NULL);
scePowerRegisterCallback(0, cbid);
sceKernelSleepThreadCB();
return 0;
}
// Thread to create the callbacks and then begin polling
int CallbackThread (int args, void *argp)
{
int cbid;
cbid = sceKernelCreateCallback ("Exit Callback", (SceKernelCallbackFunction)ExitCallback, NULL);
sceKernelRegisterExitCallback (cbid);
cbid = sceKernelCreateCallback ("Power Callback", (SceKernelCallbackFunction)PowerCallback, NULL);
scePowerRegisterCallback (0, cbid);
sceKernelSleepThreadCB ();
}
int
psp_callback_thread(SceSize args, void *argp)
{
int cid;
cid = sceKernelCreateCallback("Exit Call Back", psp_exit_callback, NULL);
sceKernelRegisterExitCallback(cid);
cid = sceKernelCreateCallback("Power Call Back", psp_power_callback, NULL);
//scePowerRegisterCallback(0,cid);
sceKernelSleepThreadCB();
return 0;
}
void PowerCallback (int unknown, int pwrflags)
{
if (pwrflags & PSP_POWER_CB_HOLD_SWITCH)
{
extern bool8 g_bShowProfilerIno;
g_bShowProfilerInfo = (! g_bShowProfilerInfo);
}
if (pwrflags & PSP_POWER_CB_POWER_SWITCH){
if (g_bROMLoaded) {
scePowerSetClockFrequency (222, 222, 111);
S9xSetSoundMute (TRUE);
g_bSleep = true;
save_config ();
Memory.SaveSRAM (S9xGetFilename ("srm"));
}
} else if (pwrflags & PSP_POWER_CB_RESUME_COMPLETE) {
g_bSleep = false;
}
if (pwrflags & PSP_POWER_CB_BATTERY_LOW){
scePowerSetClockFrequency (222,222,111);
S9xSetInfoString ("WARNING: PSP Battery is Low! (Automatically Throttling CPU)");
}
int cbid;
cbid = sceKernelCreateCallback ("Power Callback", (SceKernelCallbackFunction)PowerCallback, NULL);
scePowerRegisterCallback (0, cbid);
}
/* Callback thread */
static int callback_thread(SceSize args, void *argp)
{
int cbid;
lprintf("callback_thread started with id %08x, priority %i\n",
sceKernelGetThreadId(), sceKernelGetThreadCurrentPriority());
cbid = sceKernelCreateCallback("Exit Callback", exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
cbid = sceKernelCreateCallback("Power Callback", power_callback, NULL);
scePowerRegisterCallback(0, cbid);
sceKernelSleepThreadCB();
return 0;
}
static int xCallbackThread(SceSize args, void *argp)
{
int cbid = sceKernelCreateCallback("xExitCallback", xExitCallback, 0);
sceKernelRegisterExitCallback(cbid);
sceKernelSleepThreadCB();
return 0;
}
extern "C" int main(int argc, char *argv[]) {
SceUID cb = sceKernelCreateCallback("refer", &cbFunc, (void *)0xDEADBEEF);
SceKernelCallbackInfo info;
info.size = sizeof(info);
// Crashes.
//testRefer("NULL info", cb, NULL);
testRefer("Normal", cb, &info);
checkpointNext("Sizes:");
int sizes[] = {0, 1, 2, 4, 8, 44, 48, 52, 56, 60, 64, 68, 72, 128, 256, 1024, 0xFF00, 0xFF0000, 0x80000001, 0xCCCCCCCC, 0xFFFFFFFF};
int i, result;
for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); ++i) {
info.size = sizes[i];
result = sceKernelReferCallbackStatus(cb, &info);
checkpoint(" %08x => %08x (result=%08x)", sizes[i], info.size, result);
}
sceKernelDeleteCallback(cb);
info.size = sizeof(info);
checkpointNext("Objects:");
testRefer("NULL", 0, &info);
testRefer("Invalid", 0xDEADBEEF, &info);
testRefer("Deleted", cb, &info);
return 0;
}
/* Callback thread */
int CallbackThread(SceSize args, void *argp)
{
int cbid = sceKernelCreateCallback("Exit Callback", exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
sceKernelSleepThreadCB();
return 0;
}
static
int update_thread (SceSize args, void *argp)
{
int cbid = sceKernelCreateCallback("Exit Callback", exit_callback, (void *) 0);
sceKernelRegisterExitCallback(cbid);
sceKernelSleepThreadCB();
return 0;
}
/* Callback thread */
int CallbackThread(SceSize /*size*/, void *arg) {
int cbid;
cbid = sceKernelCreateCallback("Exit Callback", (SceKernelCallbackFunction)exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
/* Set up callbacks for PSPIoStream */
cbid = sceKernelCreateCallback("Power Callback", (SceKernelCallbackFunction)power_callback, 0);
if (cbid >= 0) {
if (scePowerRegisterCallback(-1, cbid) < 0) {
PSP_ERROR("Couldn't register callback for power_callback\n");
}
} else {
PSP_ERROR("Couldn't create a callback for power_callback\n");
}
sceKernelSleepThreadCB();
return 0;
}
int callbacks_thread(unsigned int, void*)
{
int id;
id = sceKernelCreateCallback("exit_cb", callbacks_exit, NULL);
sceKernelRegisterExitCallback(id);
sceKernelSleepThreadCB();
return 0;
}
int main(int argc, char **argv) {
SceUID cb_id;
cb_id = sceKernelCreateCallback("MSCB", ms_callback, (void *)0x777);
printf("cb_id: %08X\n", (cb_id > 0) ? 1 : 0);
printf("MScmRegisterMSInsertEjectCallback: %08X\n", MScmRegisterMSInsertEjectCallback(cb_id));
printf("sceKernelCheckCallback: %08X\n", sceKernelCheckCallback());
printf("MScmUnregisterMSInsertEjectCallback: %08X\n", MScmUnregisterMSInsertEjectCallback(cb_id));
printf("sceKernelDeleteCallback: %08X\n", sceKernelDeleteCallback(cb_id));
return 0;
}
// this function gets called by PspThread when starting the new thread
void MasterGuRenderer::threadFunction() {
DEBUG_ENTER_FUNC();
// Create the callback. It should always get the pointer to MasterGuRenderer
_callbackId = sceKernelCreateCallback("Display Callback", guCallback, this);
if (_callbackId < 0) {
PSP_ERROR("failed to create display callback\n");
}
PSP_DEBUG_PRINT("created callback. Going to sleep\n");
sceKernelSleepThreadCB(); // sleep until we get a callback
}
/* Callback thread */
int CallbackThread(SceSize args, void *argp)
{
int cbid;
printf("\nCallback Thread Status:\n");
dump_threadstatus();
cbid = sceKernelCreateCallback("Exit Callback", exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
sceKernelSleepThreadCB();
return 0;
}
/* Callback thread */
int CallbackThread(SceSize args, void *argp)
{
int cbid;
//SceKernelThreadInfo info;
//info.size = sizeof(SceKernelThreadInfo);
//sceKernelReferThreadStatus (0, &info);
//printf("thread '%-12s' sp %p w %08x START\n", info.name, info.stack, info.waitId);
cbid = sceKernelCreateCallback("Exit Callback", exit_callback, NULL);
sceKernelRegisterExitCallback(cbid);
sceKernelSleepThreadCB();
return 0;
}
int main(int argc, char **argv) {
int umdCbCallbackId;
int result;
umdCbCallbackId = sceKernelCreateCallback("umdHandler", umdHandler, (void *)0x1234);
result = sceUmdRegisterUMDCallBack(umdCbCallbackId);
printf("%08X\n", result);
printf("%d\n", sceKernelCheckCallback());
result = sceUmdUnRegisterUMDCallBack(umdCbCallbackId);
printf("%08X\n", result);
result = sceUmdUnRegisterUMDCallBack(umdCbCallbackId);
printf("%08X\n", result);
return 0;
}
// Power callback
int power_callback(int unknown, int pwrflags) {
int cbid;
if (pwrflags & POWER_CB_POWER || pwrflags & POWER_CB_SUSPEND || pwrflags & POWER_CB_EXT) {
// Put game in paused state if game is running
if (_gameState == GAME_RUNNING) {
HandlePauseGame();
} else if (_gameState == GAME_CONTINUE) {
// If game is in continue state, wait until it enters the running state
// before pausing. Game is only in continue state for about 1 second,
// and it cannot be paused from this sate
while (_gameState == GAME_CONTINUE ) { sceKernelDelayThread(1000); }
HandlePauseGame();
}
}
// Re-register power callback so it executes again the next time a power event occurs.
cbid = sceKernelCreateCallback("Power Callback", (void *) power_callback, NULL);
scePowerRegisterCallback(0, cbid);
return 0;
}
static int hookEntry(SceSize args, void *argp)
{
SceKernelSemaInfo info;
globals_t *globals;
SceUID uid;
int res;
uid = sceKernelGetThreadId();
globals = getGlobals();
sceKernelLockMutexCB(globals->threadmgrMutex, 1, NULL);
info.size = sizeof(info);
res = sceKernelGetSemaInfo(globals->threadmgrSema, &info);
if (res)
goto fail;
while (globals->threadmgrTable[info.currentCount].uid != uid) {
if (info.currentCount >= info.maxCount) {
res = SCE_KERNEL_ERROR_ERROR;
goto fail;
}
info.currentCount++;
}
globals->threadmgrTable[info.currentCount].exitDeleteCb
= sceKernelCreateCallback("vhlUserExitDeleteCb", 0, exitDeleteCb, NULL);
sceKernelUnlockMutex(globals->threadmgrMutex, 1);
return globals->threadmgrTable[info.currentCount].entry(args, argp);
fail:
sceKernelUnlockMutex(globals->threadmgrMutex, 1);
return res;
}
int main(int argc, char *argv[])
{
SceCtrlData pad;
int result;
int oldButtons = 0;
int cbid = -1;
int waitStatThid = -1;
pspDebugScreenInit();
if (argc > 0) {
printf("Bootpath: %s\n", argv[0]);
}
printf("Triangle - Exit\n");
printf("Left - sceUmdActivate\n");
printf("Right - sceUmdDeactivate\n");
printf("Cross - Delay CB\n");
printf("Circle - Display umd info\n");
printf("Square - Refer umd callback\n");
printf("L-Trigger - IO test\n");
printf("R-Trigger - Start/Stop wait stat test\n");
SetupCallbacks();
sceCtrlSetSamplingCycle(0);
sceCtrlSetSamplingMode(PSP_CTRL_MODE_ANALOG);
{
printUmdInfo();
// result:
// callback events are generated if we launch from iso or immediately after psplink has reset
cbid = sceKernelCreateCallback("UMD Callback (not active)", umd_callback, (void*)0x34343434);
result = sceUmdRegisterUMDCallBack(cbid);
printf("sceUmdRegisterUMDCallBack result %08X\n", result);
// Register a second UMD callback: it will overwrite the first one.
cbid = sceKernelCreateCallback("UMD Callback", umd_callback, (void*)0x11111111);
result = sceUmdRegisterUMDCallBack(cbid);
printf("sceUmdRegisterUMDCallBack result %08X\n", result);
}
while (!done)
{
sceCtrlReadBufferPositive(&pad, 1); // context switch in here
//sceCtrlPeekBufferPositive(&pad, 1); // no context switch version
int buttonDown = (oldButtons ^ pad.Buttons) & pad.Buttons;
if (buttonDown & PSP_CTRL_LEFT)
{
result = sceUmdActivate(1, "disc0:");
printf("sceUmdActivate result %08x\n", result);
}
if (buttonDown & PSP_CTRL_RIGHT)
{
result = sceUmdDeactivate(1, "disc0:");
printf("sceUmdDeactivate result %08x\n", result);
}
if (buttonDown & PSP_CTRL_CROSS)
{
printf("sceKernelDelayThreadCB ...\n");
sceKernelDelayThreadCB(10000);
}
if (buttonDown & PSP_CTRL_CIRCLE)
{
printUmdInfo();
}
if (buttonDown & PSP_CTRL_SQUARE)
{
SceKernelCallbackInfo info;
memset(&info, 0xee, sizeof(info));
info.size = sizeof(info);
result = sceKernelReferCallbackStatus(cbid, &info);
printf("sceKernelReferCallbackStatus result %08x\n", result);
printf(" size %d (%d)\n", info.size, sizeof(info));
printf(" name '%s'\n", info.name);
printf(" threadId %08x (%08x)\n", info.threadId, sceKernelGetThreadId());
printf(" callback %p common %p\n", info.callback, info.common);
printf(" notifyCount %08x\n", info.notifyCount);
printf(" notifyArg %08x\n", info.notifyArg);
}
if (buttonDown & PSP_CTRL_LTRIGGER)
{
test_io();
}
if (buttonDown & PSP_CTRL_RTRIGGER)
{
if (waitStatThid >= 0)
{
printf("Cleaning up wait stat test ...\n");
referThread(waitStatThid);
result = sceUmdCancelWaitDriveStat();
printf("sceUmdCancelWaitDriveStat result %08x\n", result);
referThread(waitStatThid);
result = sceKernelDeleteThread(waitStatThid);
printf("sceKernelDeleteThread result %08x\n", result);
//result = sceKernelTerminateDeleteThread(waitStatThid);
//printf("sceKernelTerminateDeleteThread result %08x\n", result);
waitStatThid = -1;
}
else
{
printf("Starting wait stat test ...\n");
// test timeout:
// Press Right (deactivate UMD)
// Press R-Trigger:
// - Press R-Trigger again before 3 seconds:
// 0x800201a9 wait cancelled
// - Or wait 3 seconds:
// 0x800201a8 wait timeout
struct WaitStatParams params = { 0x20, 3000000 };
// test internal workings:
// - (wantStat & curStat) == wantStat
// - (wantStat & curStat) != 0 <-- looks like this is the correct one
//struct WaitStatParams params = { 0xFF, 3000000 };
waitStatThid = sceKernelCreateThread("WaitUMDStat", waitstat_thread, 0x20, 0x4000, 0, 0);
printf("sceKernelCreateThread result %08x\n", waitStatThid);
if (waitStatThid >= 0)
{
result = sceKernelStartThread(waitStatThid, sizeof(params), ¶ms);
printf("sceKernelStartThread result %08x\n", result);
}
}
}
if (buttonDown & PSP_CTRL_TRIANGLE)
done = 1;
oldButtons = pad.Buttons;
sceDisplayWaitVblank(); // only catch callback when we press Cross (sceKernelDelayThreadCB)
//sceDisplayWaitVblankCB(); // catch all callback events
}
sceKernelExitGame();
return 0;
}
static int ExitCallbackThread(SceSize args, void *argp)
{
sceKernelRegisterExitCallback(sceKernelCreateCallback("HOME button Callback", exit_callback, NULL));
sceKernelSleepThreadCB();
return 0;
}
/* for 6.20/6.35 */
void do_exploit(void)
{
u32 power_buf_address = 0;
//create empty callback
int cbid = -1;
int result;
#ifdef CONFIG_635
if(psp_fw_version == FW_635) {
//create a fitting one
while(!is_intr_OK((u32)cbid)) {
//sceKernelDeleteCallback(cbid);
cbid = sceKernelCreateCallback("", NULL, NULL);
}
}
#endif
#ifdef CONFIG_620
if (psp_fw_version == FW_620) {
cbid = sceKernelCreateCallback("", NULL, NULL);
}
#endif
printk("Got a CBID: 0x%08X\r\n", cbid);
//Davee $v1 trick, $v1 would leak the power_buf_address when called on an registered slot 0
scePowerRegisterCallbackPrivate(0, cbid);
power_buf_address = get_power_address(cbid);
scePowerUnregisterCallbackPrivate(0);
printk("power_buf_address 0x%08X\r\n", (uint)power_buf_address);
#ifdef CONFIG_635
if(psp_fw_version == FW_635 && !is_pspgo()) {
patch_power_arg(cbid, power_buf_address);
}
#endif
//override sysmem function
unsigned int smpos = g_offs->patchRangeStart; for(; smpos < g_offs->patchRangeEnd; smpos += 16)
{
//calculate slot
unsigned int slot = get_power_slot_by_address(((u32)0x88000000)+smpos, power_buf_address);
//wipe memory with -1... else overriding fails.
scePowerUnregisterCallbackPrivate(slot);
//register dummy callback (override memory ^^)
result = scePowerRegisterCallbackPrivate(slot, cbid);
//patching error
if(result) break;
}
//flush changes to memory
sync_cache();
//restoring instructions and patching loadexec
unsigned int interrupts = pspSdkDisableInterrupts();
#ifdef CONFIG_635
if(psp_fw_version == FW_635) {
result = SysMemUserForUser_D8DE5C1E(0xC01DB15D, 0xC00DCAFE, kernelSyscall, 0x12345678, -1);
}
#endif
#ifdef CONFIG_620
if (psp_fw_version == FW_620) {
u32 kernel_entry, entry_addr;
kernel_entry = (u32) &kernel_permission_call;
entry_addr = ((u32) &kernel_entry) - 16;
result = sceKernelPowerLock(0, ((u32) &entry_addr) - 0x4234);
}
#endif
pspSdkEnableInterrupts(interrupts);
}
