
// Set shared memory region
sub_40D284()
{
// Do some Sysroot stuff
...
// Gets address 0x00400000 from Sysroot
u32 **phys_addr_ptr;
u32 *mem_addr = SceSysrootForKernel_C8C8C321(0x100);
0x00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000010: F9 80 85 00 09 81 2A 00 02 10 00 00 0A 00 00 00
0x00000020: 01 00 00 00 00 00 08 28 80 00 00 00 C0 00 F0 00
0x00000030: 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00
0x00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sceSblSmSchedProxyGetStatus(u32 sm_handle, u32 *out_buf)
{
// Check global status var
u32 state = SMSCHED_STATUS;
// SmSched is not initialized
if (state != 0x01)
return 0x800F0426;
// NULL pointer
ROM:005161C0 ANDEQ R0, R0, R0
ROM:005161C4 ANDEQ R0, R0, R0
ROM:005161C8 CLREX
ROM:005161CC STR LR, [SP,#-8]
ROM:005161D0 MRS LR, SPSR
ROM:005161D4 STR LR, [SP,#-4]
ROM:005161D8 SUB SP, SP, #8
ROM:005161DC CMP R12, #0x500 -> R12 is bounded by 0x500 (BCS is taken when R12 >= 0x500, unsigned compare) :(
ROM:005161E0 BCS loc_516208
ROM:005161E4 CMP R12, #0x100
// One section entry of the PRSH/PRST table. Field sizes are as declared below;
// on a 32-bit target (4-byte void*) the entry is 0x12C bytes — TODO confirm packing.
typedef struct {
char name[0x100]; // section name, e.g. "boot_info" or "mcp_crash_region" in the dump below; fixed-size buffer, a parser must not assume it is NUL-terminated
void* data; // section payload pointer; presumably the "Address" shown per section in the dump — confirm
u32 size; // payload size in bytes ("Size" in the dump)
u32 unk; // unknown; observed as 0x80000000 ("UNK") for the sections listed below
u8 hash[0x14]; // 20-byte hash of the section; SHA-1-sized — TODO confirm algorithm and which bytes are covered
u8 padding[0x0C]; // trailing padding; purpose not shown here
} prsh_section;
typedef struct {
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
...
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005A50: 00 00 00 00
0x10005A54: PRSH XOR checksum
0x10005A58: "PRSH" // magic
0x10005A5C: 0x00000001 // version (0 or 1)
Name: "boot_info"
Address: 0x10008000
Size: 0x00000058
UNK: 0x80000000
Name: "mcp_crash_region"
Address: 0x100F7F60
Size: 0x000080A0
UNK: 0x80000000
0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot)
0x00000004: 0xA6000000 // Boot flags (0x80 means data is set)
0x00000008: 0x00000000 // Boot state
0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset)
0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot
0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot
0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
// Do some boring stuff
...
// Decrypt PRSH/PRST with Starbuck ancast key
sub_D400320(0x10000400, 0x7C00, iv);
// Parse PRSH/PRST
sub_D40B030(0x10000400, 0x7C00);
// Locate or create new "boot_info"
0D40AC6C MOVS R0, #0
0D40AC6E POP {R1-R3}
0D40AC70 MOV R11, R2
0D40AC72 MOV SP, R3
0D40AC74 BX R1