hexkyz/henkaku_stage3_kxloader.c

## henkaku_stage3_kxloader.c
// Entry point
sub_00000010(scesysmem_base, payload_addr)
{
    r4 = scesysmem_base
    sub_00000356();

    r5 = scesysmem_base >> 0x20
    sub_0000035A();

    // Decrypt and launch HENkaku's payload
    sub_00000020(scesysmem_base, payload_addr);

    sub_00000538();
}

// Decrypt and launch HENkaku's payload
sub_00000020(scesysmem_base, payload_addr)
{
    sp = (sp - 0x1C)
    r4 = 0

    r8 = sp + 0x18

    r7 = scesysmem_base + 0xA500
    r5 = scesysmem_base
    r7 = scesysmem_base + 0xA521

    0x0F(sp) = 0

    r11 = payload_addr

    r6 = scesysmem_base + 0x1F00
    r9 = scesysmem_base + 0x23000
    r10 = scesysmem_base + 0x1BA00

    r1 = 0x1020D006
    r2 = 0xB000
    r3 = 0
    r0 = sp + 0x18

    // Allocate memblock1
    r0 = kern_memblock_alloc(sp + 0x18, 0x1020D006, 0xB000, 0);

    r2 = 0xB000
    r3 = 0

    0x04(sp) = r0    // memblock1_id

    r0 = sp + 0x18
    r1 = 0x1020D005
    r6 = scesysmem_base + 0x1F15    // sub_A61F14

    // Allocate memblock2
    r0 = kern_memblock_alloc(sp + 0x18, 0x1020D005, 0xB000, 0);

    r12 = 0x04(sp)    // memblock1_id
    r7 = r0    // memblock2_id

    r1 = sp + 0x10
    r9 = scesysmem_base + 0x23095
    r10 = scesysmem_base + 0x1BAF5
    r0 = memblock1_id

    // Get memblock1's address
    r0 = kern_memblock_getaddr(memblock1_id, sp + 0x10);

    r0 = memblock2_id
    r1 = sp + 0x14

    // Get memblock2's address
    r0 = kern_memblock_getaddr(memblock2_id, sp + 0x14);

    r3 = scesysmem_base + 0x8200

    r0 = 0x10(sp)    // memblock1_addr

    r3 = scesysmem_base + 0x825D
    r1 = payload_addr
    r2 = 0xA000
    r7 = scesysmem_base + 0x1D800

    // Call copy_from_user to read the HENkaku's payload
    // into our new memory block
    copy_from_user(memblock1_addr, payload_addr, 0xA000);

    r6 = 0x10(sp)    // memblock1_addr
    r1 = 0x80
    r3 = 0x40

    r7 = scesysmem_base + 0x1D8D9

    r2 = 0x80
    r6 = memblock1_addr + 0xA000
    r0 = memblock1_addr + 0xA000
    r3 = payload_key

    // Set the HENkaku's payload key (AES-128-ECB)
    AES_setkey(memblock1_addr + 0xA000, 0x80, 0x80, payload_key, 0);

    while (r4 != 0xA000)
    {
        r1 = 0x10(sp)    // memblock1_addr
        r0 = memblock1_addr + 0xA000
        r1 = memblock1_addr + r4
        r4 = r4 + 0x10
        r2 = memblock1_addr + r4

        // Decrypt the payload in place
        AES_decrypt(memblock1_addr + 0xA000, memblock1_addr + r4, memblock1_addr + r4);
    }

    r0 = 0x14(sp)    // memblock2_addr
    r2 = 0xB000
    r1 = 0x10(sp)    // memblock1_addr

    // Copy from data memory block to executable memory block
    kern_memcpy(memblock2_addr, memblock1_addr, 0xB000);

    r3 = 0x14(sp)    // memblock2_addr
    r2 = 0x10(sp)    // memblock1_addr
    r3 = memblock2_addr + 0x01
    r2 = memblock1_addr + 0xAF00

    // Set PC
    r4 = memblock2_addr + 0x01    // payload()

    // Set SP
    sp = memblock1_addr + 0xAF00

    r0 = scesysmem_base

    // Call payload
    payload(scesysmem_base);

    sp = (sp + 0x1C)
    return;
}
	// Entry point
	sub_00000010(scesysmem_base, payload_addr)
	{
	r4 = scesysmem_base
	sub_00000356();

	r5 = scesysmem_base >> 0x20
	sub_0000035A();

	// Decrypt and launch HENkaku's payload
	sub_00000020(scesysmem_base, payload_addr);

	sub_00000538();
	}

	// Decrypt and launch HENkaku's payload
	sub_00000020(scesysmem_base, payload_addr)
	{
	sp = (sp - 0x1C)
	r4 = 0

	r8 = sp + 0x18

	r7 = scesysmem_base + 0xA500
	r5 = scesysmem_base
	r7 = scesysmem_base + 0xA521

	0x0F(sp) = 0

	r11 = payload_addr

	r6 = scesysmem_base + 0x1F00
	r9 = scesysmem_base + 0x23000
	r10 = scesysmem_base + 0x1BA00

	r1 = 0x1020D006
	r2 = 0xB000
	r3 = 0
	r0 = sp + 0x18

	// Allocate memblock1
	r0 = kern_memblock_alloc(sp + 0x18, 0x1020D006, 0xB000, 0);

	r2 = 0xB000
	r3 = 0

	0x04(sp) = r0 // memblock1_id

	r0 = sp + 0x18
	r1 = 0x1020D005
	r6 = scesysmem_base + 0x1F15 // sub_A61F14

	// Allocate memblock2
	r0 = kern_memblock_alloc(sp + 0x18, 0x1020D005, 0xB000, 0);

	r12 = 0x04(sp) // memblock1_id
	r7 = r0 // memblock2_id

	r1 = sp + 0x10
	r9 = scesysmem_base + 0x23095
	r10 = scesysmem_base + 0x1BAF5
	r0 = memblock1_id

	// Get memblock1's address
	r0 = kern_memblock_getaddr(memblock1_id, sp + 0x10);

	r0 = memblock2_id
	r1 = sp + 0x14

	// Get memblock2's address
	r0 = kern_memblock_getaddr(memblock2_id, sp + 0x14);

	r3 = scesysmem_base + 0x8200

	r0 = 0x10(sp) // memblock1_addr

	r3 = scesysmem_base + 0x825D
	r1 = payload_addr
	r2 = 0xA000
	r7 = scesysmem_base + 0x1D800

	// Call copy_from_user to read the HENkaku's payload
	// into our new memory block
	copy_from_user(memblock1_addr, payload_addr, 0xA000);

	r6 = 0x10(sp) // memblock1_addr
	r1 = 0x80
	r3 = 0x40

	r7 = scesysmem_base + 0x1D8D9

	r2 = 0x80
	r6 = memblock1_addr + 0xA000
	r0 = memblock1_addr + 0xA000
	r3 = payload_key

	// Set the HENkaku's payload key (AES-128-ECB)
	AES_setkey(memblock1_addr + 0xA000, 0x80, 0x80, payload_key, 0);

	while (r4 != 0xA000)
	{
	r1 = 0x10(sp) // memblock1_addr
	r0 = memblock1_addr + 0xA000
	r1 = memblock1_addr + r4
	r4 = r4 + 0x10
	r2 = memblock1_addr + r4

	// Decrypt the payload in place
	AES_decrypt(memblock1_addr + 0xA000, memblock1_addr + r4, memblock1_addr + r4);
	}

	r0 = 0x14(sp) // memblock2_addr
	r2 = 0xB000
	r1 = 0x10(sp) // memblock1_addr

	// Copy from data memory block to executable memory block
	kern_memcpy(memblock2_addr, memblock1_addr, 0xB000);

	r3 = 0x14(sp) // memblock2_addr
	r2 = 0x10(sp) // memblock1_addr
	r3 = memblock2_addr + 0x01
	r2 = memblock1_addr + 0xAF00

	// Set PC
	r4 = memblock2_addr + 0x01 // payload()

	// Set SP
	sp = memblock1_addr + 0xAF00

	r0 = scesysmem_base

	// Call payload
	payload(scesysmem_base);

	sp = (sp + 0x1C)
	return;
	}