HENkaku - Stage 3 (Kernel loader)
// Entry point
// Stage-3 entry: takes the SceSysmem base address and the address of the
// user-supplied payload, runs two unlabelled helpers, then hands off to
// sub_00000020, which decrypts the payload and branches into it.
// Register-trace pseudocode reconstructed from disassembly; statement order
// mirrors the instruction stream and is significant.
sub_00000010(scesysmem_base, payload_addr)
{
r4 = scesysmem_base
sub_00000356(); // unlabelled helper; purpose not recoverable from this listing
// NOTE(review): >> 0x20 of a 32-bit value is zero, so this looks like the
// high half of a 64-bit argument carried in the r4:r5 pair — confirm against
// the disassembly before relying on it.
r5 = scesysmem_base >> 0x20
sub_0000035A(); // unlabelled helper; purpose not recoverable from this listing
// Decrypt and launch HENkaku's payload
sub_00000020(scesysmem_base, payload_addr);
// Reached only if sub_00000020 returns; it replaces sp before its own
// return, so presumably this is not a normal return path — confirm.
sub_00000538();
}
// Decrypt and launch HENkaku's payload
//
// Summary of what the trace shows:
//   1. allocate two 0xB000-byte kernel memory blocks (memblock1, memblock2)
//   2. copy 0xA000 bytes of user memory from payload_addr into memblock1
//   3. AES-decrypt those bytes in place, 16 bytes per iteration, using a key
//      context set up at memblock1 + 0xA000
//   4. memcpy the whole 0xB000-byte memblock1 into memblock2 (the block the
//      original comments call "executable")
//   5. move sp into memblock1 and branch to memblock2 + 1 with scesysmem_base
//      as the single argument
// The trust boundary is step 2: everything downstream of copy_from_user
// operates on attacker-controlled bytes, so the only integrity check on the
// loaded code is that it decrypts under payload_key.
// Register-trace pseudocode; many assignments are dead from a C point of view
// but reflect the instruction stream.
sub_00000020(scesysmem_base, payload_addr)
{
sp = (sp - 0x1C) // local frame: 0x04 = memblock1_id, 0x10 = memblock1_addr, 0x14 = memblock2_addr, 0x18 = arg block for the allocator
r4 = 0 // decrypt-loop offset, see the while loop below
r8 = sp + 0x18
// NOTE(review): scesysmem_base + <odd offset> values below (0xA521, 0x1F15,
// 0x23095, 0x1BAF5, 0x825D, 0x1D8D9) look like Thumb-mode function pointers
// into SceSysmem that the trace later names kern_memblock_alloc,
// kern_memblock_getaddr, copy_from_user, AES_setkey, etc. — confirm the
// mapping against the disassembly; the pairs (e.g. 0xA500 then 0xA521) are
// presumably movw/movt-style two-step loads.
r7 = scesysmem_base + 0xA500
r5 = scesysmem_base
r7 = scesysmem_base + 0xA521
0x0F(sp) = 0 // byte store into the frame; not read again in this listing
r11 = payload_addr
r6 = scesysmem_base + 0x1F00
r9 = scesysmem_base + 0x23000
r10 = scesysmem_base + 0x1BA00
r1 = 0x1020D006
r2 = 0xB000
r3 = 0
r0 = sp + 0x18
// Allocate memblock1
// sp + 0x18 is passed as the first argument and the id comes back in r0;
// presumably an options/name struct for the allocator — confirm.
// Type 0x1020D006 vs 0x1020D005 below is the only difference between the two
// allocations; the later comment identifies memblock2 as the executable one.
r0 = kern_memblock_alloc(sp + 0x18, 0x1020D006, 0xB000, 0);
r2 = 0xB000
r3 = 0
0x04(sp) = r0 // memblock1_id
r0 = sp + 0x18
r1 = 0x1020D005
r6 = scesysmem_base + 0x1F15 // sub_A61F14
// Allocate memblock2
r0 = kern_memblock_alloc(sp + 0x18, 0x1020D005, 0xB000, 0);
r12 = 0x04(sp) // memblock1_id
r7 = r0 // memblock2_id
r1 = sp + 0x10
r9 = scesysmem_base + 0x23095
r10 = scesysmem_base + 0x1BAF5
r0 = memblock1_id
// Get memblock1's address
// Neither allocation result nor the getaddr results are checked anywhere in
// this listing; a failed allocation would feed a bogus address into the
// copy/decrypt below.
r0 = kern_memblock_getaddr(memblock1_id, sp + 0x10);
r0 = memblock2_id
r1 = sp + 0x14
// Get memblock2's address
r0 = kern_memblock_getaddr(memblock2_id, sp + 0x14);
r3 = scesysmem_base + 0x8200
r0 = 0x10(sp) // memblock1_addr
r3 = scesysmem_base + 0x825D
r1 = payload_addr
r2 = 0xA000
r7 = scesysmem_base + 0x1D800
// Call copy_from_user to read the HENkaku's payload
// into our new memory block
// 0xA000 bytes of user memory land at memblock1_addr[0..0xA000); the
// remaining 0x1000 bytes of the block are used for the AES context and the
// stack below.
copy_from_user(memblock1_addr, payload_addr, 0xA000);
r6 = 0x10(sp) // memblock1_addr
r1 = 0x80
r3 = 0x40
r7 = scesysmem_base + 0x1D8D9
r2 = 0x80
r6 = memblock1_addr + 0xA000
r0 = memblock1_addr + 0xA000
r3 = payload_key
// Set the HENkaku's payload key (AES-128-ECB)
// The key context lives at memblock1_addr + 0xA000, directly after the
// copied payload. 0x80 is consistent with the 128-bit key size in the label;
// the meaning of the second 0x80 and the trailing 0 is not recoverable here.
// Where payload_key comes from is not shown in this listing.
AES_setkey(memblock1_addr + 0xA000, 0x80, 0x80, payload_key, 0);
// 0xA000 / 0x10 = 0xA00 iterations, one 16-byte block each. ECB with no
// authentication tag: a bit flip in the ciphertext decrypts to garbage in
// that one block rather than being rejected.
while (r4 != 0xA000)
{
r1 = 0x10(sp) // memblock1_addr
r0 = memblock1_addr + 0xA000
r1 = memblock1_addr + r4
r4 = r4 + 0x10
r2 = memblock1_addr + r4
// Decrypt the payload in place
// NOTE(review): as traced, r1 (src) is formed before r4 is incremented and
// r2 (dst) after, so the two arguments would differ by 0x10; the call line
// writes both as memblock1_addr + r4. Confirm the argument order/addresses
// against the disassembly before treating this as a pure in-place loop.
AES_decrypt(memblock1_addr + 0xA000, memblock1_addr + r4, memblock1_addr + r4);
}
r0 = 0x14(sp) // memblock2_addr
r2 = 0xB000
r1 = 0x10(sp) // memblock1_addr
// Copy from data memory block to executable memory block
// Copies the full 0xB000-byte block, i.e. the decrypted payload plus the
// region at +0xA000 where the AES key context was set up.
kern_memcpy(memblock2_addr, memblock1_addr, 0xB000);
r3 = 0x14(sp) // memblock2_addr
r2 = 0x10(sp) // memblock1_addr
r3 = memblock2_addr + 0x01
r2 = memblock1_addr + 0xAF00
// Set PC
// +0x01: bit 0 set in the branch target selects Thumb state on ARM.
r4 = memblock2_addr + 0x01 // payload()
// Set SP
// The payload's stack is placed 0x100 bytes below the top of memblock1 and
// grows down over the (now decrypted) data copy; the original kernel sp is
// not saved anywhere visible in this listing.
sp = memblock1_addr + 0xAF00
r0 = scesysmem_base
// Call payload
// Single argument in r0: the SceSysmem base.
payload(scesysmem_base);
// NOTE(review): this adjusts the replaced sp, not the original frame, so the
// epilogue only makes sense if the payload never returns — confirm.
sp = (sp + 0x1C)
return;
}