HENkaku - Stage 3 (Pseudo-code)
#include <stdint.h>
#include <stddef.h>

// Allocate a new kernel memory block (holds the key schedule and the decrypted loader)
const char *memblock_name = "Magic";
uint32_t memblock_type = 0x1020D006;
uint32_t memblock_size = 0xA0000;
void *memblock_opts = NULL;
uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0);
// Retrieve the memory block's base address into a buffer
uint32_t addr_buf[1];
kern_memblock_getaddr(memblock_id, addr_buf);
// Read out the address
uint32_t memblock_addr = addr_buf[0];
// Generate the AES-256-ECB key schedule; the key bytes are taken from SceSysmem code!
void *k_buf = (char *)memblock_addr + 0x240; // Output buffer that receives the expanded key
uint32_t key_type = 0x80; // Key type (exact meaning uncertain)
uint32_t key_size = 0x100; // Key size in bits (0x80 is 128-bit, 0x100 is 256-bit)
void *key = (char *)scesysmem_base + 0x39EB + 0x02; // The key is code!
uint32_t mode = 0x00000000; // Cipher mode (0 is ECB, 1 is CBC, 2 is CFB1)
AES_setkey(k_buf, key_type, key_size, key, mode);
// Decrypt HENkaku's kernel loader (kx_loader) from offset 0x10 into the new memory block
void *in_buf = (char *)kx_loader_addr + 0x10;
void *out_buf = (char *)memblock_addr + 0x10;
AES_decrypt(k_buf, in_buf, out_buf);
// Execute the decrypted kx_loader
kx_loader();
// Clean up?
sce_sysmemfordriver_call0(memblock_addr, 0, 0, 0);
sce_sysmemfordriver_call1(memblock_addr, 0x1020D005);
// Probably a cache flush
sce_cpufordriver_call0(memblock_addr, 0x00000200);