Prx Decryption NID’s !!!!!

January 10th, 2009 silverspring

I never thought these would ever be cracked but finally here are the sceMesgLed NID’s (these are only valid upto 2.00 since the NID’s were later ‘randomised’ the following update in 2.50):

  • 0x84a04017 sceUtilsGetLoadModuleCLength
  • 0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
  • 0xa4547df1 sceUtilsGetLoadModuleDLength
  • 0x94eb1072 sceUtilsGetLoadModuleDLengthByPolling
  • 0x198fd3be sceUtilsGetLoadModuleILength
  • 0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
  • 0x07e152be sceUtilsGetLoadModuleJLength
  • 0x9906f33a sceUtilsGetLoadModuleJLengthByPolling
  • 0x46ac0e78 sceUtilsGetLoadModuleKLength
  • 0x55c8785e sceUtilsGetLoadModuleKLengthByPolling
  • 0x67a5ecdf sceUtilsGetLoadModuleLLength
  • 0x85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
  • 0x951f4a5b sceUtilsGetLoadModuleMLength
  • 0x58999d8e sceUtilsGetLoadModuleMLengthByPolling
  • 0x9fc926a0 sceUtilsGetLoadModuleNLength
  • 0x7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable. The executable type is at offset 0x7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions. For example, Type3 exe’s (vshmain modules) use the ‘C’ function to decrypt, Type4 exe’s (user modules) use the ‘D’ function, etc. There are no types 5,6,7,8 exe’s so those letters are missing. Other exe types that use the above functions include:

  • Type09 UMD games (use ‘I’ to decrypt)
  • Type10 Gamesharing games (use ‘J’ to decrypt)
  • Type11 Debug Gamesharing games (use ‘K’ to decrypt)
  • Type12 MS Updater (use ‘L’ to decrypt)
  • Type13 MS Demo games (use ‘M’ to decrypt)
  • Type14 Flash application eboots (use ‘N’ to decrypt)

Later fw added extra exe types also (such as POPS executables – Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.

Type1 exe’s are internal debug modules while Type2 exe’s are kernel modules, they are both decrypted the same way hence the ‘A’ and ‘B’ in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also 2 more NID’s from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later ‘randomised’ the following update in 2.50):

  • 0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
  • 0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

This function is similar to the ‘sigcheck’ functions in that they take an encrypted ~PSP file and ‘scrambles’ the ‘sig’ area (0xD0 Bytes from offset 0×80-0×150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP’s FuseID to flash the unique prxs, which is why files from different PSP’s are not compatible and therefore cannot be shared).

Another NID Update Again

December 19th, 2008 silverspring

From sceHttp:

  • 0x739c2d79 sceHttpInitExternalCache
  • 0xa461a167 sceHttpEndExternalCache
  • 0x8046e250 sceHttpEnableExternalCache
  • 0xb0257723 sceHttpFlushExternalCache
  • 0x457d221d sceHttpFlushCookie
  • 0x4e4a284a sceHttpCloneTemplate

From sceSsl:

  • 0xf57765d3 sceSslGetKeyUsage

From sceLibUpdateDL (this completes the lib !!):

  • 0xf7e66cb4 sceUpdateDownloadSetUrl
  • 0x88ff3935 sceUpdateDownloadSetDestCode

From sceNetWispr (this completes the lib !!):

  • 0xc856aaac sceNetWisprLogoffStart

From sceNetIfhandle_driver:

  • 0xd5ad6dea sceNetGetIfhandleOpt
  • 0xc6d14282 sceNetSetIfhandleOpt
  • 0x955f2924 sceNetMCopypacket

From sceNetAdhocctl (new in 5.00):

  • 0xb0b80e80 sceNetAdhocctlCreateEnterGameModeMin

From sceDNASCore_lib (this completes the lib !!):

  • 0xba0d27f8 sceDNASCoreMakeProxyRequest

From sceVshNetconfAoss:

  • 0x50df536d sceNetAOSSInit
  • 0xd253b522 sceNetAOSSTerm
  • 0x653d453f sceNetAOSSStart
  • 0xac307152 sceNetAOSSStop
  • 0x2aee9d4d sceNetAOSSGetState

From sceLibFont_HV:

  • 0x33ffd07c sceFontIsElement

From sceUsbGps (new in 5.00):

  • 0x5881c826 sceUsbGpsGetStaticNavMode
  • 0xa8ed0bc2 sceUsbGpsSetStaticNavMode

From scePafHeaparea:

  • 0xf50aae41 sce_paf_private_getheaparea1
  • 0xacce25b2 sce_paf_private_getheaparea2

Another NID Update

December 17th, 2008 silverspring

From sceUmd (some in 1.xx only some in 3.xx only):

  • 0xf8352373 sceUmdRegisterMediaPresentCallBack
  • 0x5469dc37 sceUmdUnRegisterMediaPresentCallBack
  • 0x84231fcf sceUmdRegisterPowerOnOffUMDCallBack
  • 0x04d1aad9 sceUmdUnRegisterPowerOnOffUMDCallBack
  • 0×18624052 sceUmdRegisterGetUMDPowerOnOffCallBack
  • 0xa140dec2 sceUmdUnRegisterGetUMDPowerOnOffCallBack

From sceUmdMan_driver (some in 1.xx only some in 3.xx only):

  • 0x5a302102 sceUmdManUMDDrivePreStart
  • 0xb4692d7f sceUmdManUMDDrivePostStart
  • 0×93539196 sceUmdManGetPowerOnOffStat
  • 0xc8d45a7b sceUmdManSetPowerOnOffStat
  • 0xb989e127 sceUmdManLeptonAliveOnOff
  • 0xb511f821 sceUmdManLPNAssertWakeup
  • 0x736ae133 sceUmdManLPNNegateWakeup
  • 0x552f671a sceUmdManSPKRestart
  • 0x405b48a5 sceUmdManSPKCheckAuth
  • 0xf7c603a2 sceUmdManSPKAuthentication
  • 0x60933ecd sceUmdManIsDvdDrive
  • 0x2e49311e sceUmdManGetFmtVersion
  • 0xcea5c857 sceUmdManSetCachedRead
  • 0x8634ffc7 sceUmdManSetUnCachedRead

From sceMScm_driver:

  • 0x34124b97 sceMScmTPCGetIntHelper
  • 0x3ffe76e5 sceMScmTPCSetCmdHelper
  • 0×36921225 sceMScmTPCReadShortData
  • 0xef42a4a3 sceMScmTPCWriteShortData
  • 0x494fb570 sceMScmTPCExSetCmdHelper
  • 0xcbb2bf6f sceMScmReadMSRegHelper
  • 0x6c8aef0b sceMScmWriteMSRegHelper

From scePspNpDrm_driver:

  • 0x04618d16 sceNpDrmGetIDps (just gets the psid)
  • 0x4478c033 sceNpDrmVerifyRifById
  • 0xebb198ed sceNpDrmDecActivation

From sceNpInstall_driver (this completes the lib !!):

  • 0x5847d8c7 sceNpInstallGetChallenge
  • 0x91f9d50d sceNpInstallCheckActivation
  • 0x0b039b36 sceNpInstallActivation
  • 0x7ae4c8bc sceNpInstallDeactivation

From sceMlnBridge:

  • 0xf9357984 sceMlnBridgeSetDKS

From scePsheet (this completes the lib !!):

  • 0x3ba93cfa sceDRMInstallGetProgress

NID Update

December 17th, 2008 silverspring

I have been quite busy lately so here’s a little NID update.

From InitForKernel:

  • 0xc4f1ba33 sceKernelStartIntrLogging

From KDebugForKernel:

  • 0xffd2f2b9 sceKernelIsDevelopmentToolMode

From InterruptManagerForKernel:

  • 0x43a7bbdc sceKernelSetIntrLogging
  • 0x07e138ee sceKernelClearIntrLogging
  • 0xdd55a192 sceKernelGetSyscallRA (used to exist in threadman)

From sceDisplay_driver:

  • 0xae0e8972 sceDisplaySetPseudoVsync
  • 0x92c8f8b7 sceDisplayIsPseudoField
  • 0x40f1469c sceDisplayWaitVblankStartMulti
  • 0x77ed8b3a sceDisplayWaitVblankStartMultiCB

From sceGe_driver:

  • 0x7b481502 sceGeGetBreakpoint
  • 0xaec21518 sceGePutBreakpoint
  • 0xbad6e1ca sceGeRegisterLogHandler
  • 0xc576e897 sceGeEdramGetHwSize
  • 0x114e1745 sceGeEdramSetRefreshParam

From scePower_driver:

  • 0xc23ac778 scePowerGetGeEdramRefreshMode
  • 0xe0b7a95d scePowerSetGeEdramRefreshMode
  • 0xe8e4e204 scePowerGetForceSuspendCapacity
  • 0xe8685403 scePowerGetLedOffTiming
  • 0xd66ef08d scePowerCheckWlanCondition

From sceSyscon_driver:

  • 0xeb277c88 sceSysconReadScratchPad
  • 0x65eb6096 sceSysconWriteScratchPad

From sceRtc_driver (new in 5.00):

  • 0xf5fcc995 sceRtcGetCurrentNetworkTick

From sceAtrac3plus (this completes the lib !!):

  • 0x2dd3e298 sceAtracGetBufferInfoForResetting

From sceAudiocodec:

  • 0x59176a0f sceAudiocodecAlcExtendParameter

From sceMpeg:

  • 0x0558b075 sceMpegAvcCopyYCbCr
  • 0×01977054 sceMpegGetUserdataAu (accidently mislabelled as sceMpegQueryUserdataEsSize in libdocs)

From sceMpegbase:

  • 0xbea18f91 sceMpegBasePESpacketCopy

From sceVaudio:

  • 0x346fbe94 sceVaudioSetEffectType
  • 0x82ef2f9d sceVaudioGetEffectString
  • 0x27acc20b sceVaudioChReserveBuffering


October 24th, 2008 silverspring

The Utilities library was an excellent idea by SCE to allow ever increasing functionality to be available to Game developers (at the expense of user memory though, the Utilities is partly why a whopping 8MB is reserved for the kernel).

Anyway, on to the new NID’s (note not all are available under all firmwares)…

From libs under sceUtility_Driver:

  • 0x943cba46 sceUtilityAuthDialogInitStart
  • 0x0f3eeaac sceUtilityAuthDialogShutdownStart
  • 0x147f7c85 sceUtilityAuthDialogUpdate
  • 0x16a1a8d8 sceUtilityAuthDialogGetStatus
  • 0xdde5389d sceUtilityDNASInitStart
  • 0x149a7895 sceUtilityDNASShutdownStart
  • 0x4a833ba4 sceUtilityDNASUpdate
  • 0xa50e5b30 sceUtilityDNASGetStatus
  • 0x04b24901 sceUtilityDdHelperInitStart
  • 0x1b698f54 sceUtilityDdHelperShutdownStart
  • 0xfd99af0a sceUtilityDdHelperUpdate
  • 0x8fcabab9 sceUtilityDdHelperGetStatus
  • 0x16d02af0 sceUtilityNpSigninInitStart
  • 0xe19c97d6 sceUtilityNpSigninShutdownStart
  • 0xf3fbc572 sceUtilityNpSigninUpdate
  • 0x86abdb1b sceUtilityNpSigninGetStatus
  • 0x42071a83 sceUtilityPS3ScanInitStart
  • 0xd17a0573 sceUtilityPS3ScanShutdownStart
  • 0xd852cdce sceUtilityPS3ScanUpdate
  • 0x89317c8f sceUtilityPS3ScanGetStatus
  • 0x81c44706 sceUtilityRssReaderInitStart
  • 0xb0fb7ff5 sceUtilityRssReaderContStart
  • 0xe7b778d8 sceUtilityRssReaderShutdownStart
  • 0x6f56f9cf sceUtilityRssReaderUpdate
  • 0x8326ab05 sceUtilityRssReaderGetStatus
  • 0x4b0a8fe5 sceUtilityRssSubscriberInitStart
  • 0x06a48659 sceUtilityRssSubscriberShutdownStart
  • 0xa084e056 sceUtilityRssSubscriberUpdate
  • 0x2b96173b sceUtilityRssSubscriberGetStatus
  • 0x0251b134 sceUtilityScreenshotInitStart
  • 0x86a03a27 sceUtilityScreenshotContStart
  • 0xf9e0008c sceUtilityScreenshotShutdownStart
  • 0xab083ea9 sceUtilityScreenshotUpdate
  • 0xd81957b7 sceUtilityScreenshotGetStatus
  • 0xda97f1aa sceUtilityStoreCheckoutInitStart
  • 0x54a5c62f sceUtilityStoreCheckoutShutdownStart
  • 0xb8592d5f sceUtilityStoreCheckoutUpdate
  • 0x3aad51dc sceUtilityStoreCheckoutGetStatus
  • 0x7635200e sceUtilityDialogGetGameInfo
  • 0xef5bc2d1 sceUtilityDialogGetStructVersion
  • 0x463ea95e sceUtilityAppletGetType (an amazing false positive for this nid is sceUtilityPspDialog !!)
  • 0xab46a24f sceUtilityAppletGetParam
  • 0x463ea95e sceUtilityAppletGetType
  • 0x75ff798c sceUtilityAppletGetSpeed
  • 0x4b677ba1 sceUtilityAppletGetStructVersion
  • 0x00948e27 sceUtilityAppletLoadModule
  • 0x4acd6532 sceUtilityAppletUnloadModule
  • 0x97f922a3 sceUtilityAppletSetStatus
  • 0x9bae7dce sceUtilityAppletSetThreadId
  • 0x976f7805 sceUtilityAppletRegisterPowerCallback
  • 0xe542e9d8 sceUtilityAppletUnregisterPowerCallback
  • 0x8e8e3aa3 sceUtilitySetNetParamLatestID
  • 0x3fd8ccfb sceUtilityGetNetParamInt
  • 0x63c3e40c sceUtilitySetNetParamInt

A few previous Utilities had been added to the PSPSDK most notably the Message Dialogs as well as the Web Browser. Some of these newly discovered Utilities may be also worthwhile to add to PSPSDK especially the Screenshot one. While there are already unofficially screenshot libs, it would be more convenient as well as less memory consuming to use an official lib (for example using the official libmp3 to play mp3 files).

More, more, more…

October 17th, 2008 silverspring

Four more libs are now fully complete:

From sceGpio_driver:

  • 0×95135905 sceGpioPortInvert
  • 0x5691cefa sceGpioEnableTimerCapture
  • 0x2cdc8edc sceGpioDisableTimerCapture
  • 0x6b38b826 sceGpioSetCapturePort
  • 0xc6928224 sceGpioGetCapturePort

That completes the GPIO lib !!

From scePwm_driver:

  • 0xab6d2e36 scePwmChangeDuty
  • 0xf624c1a0 scePwmReferDuty

That completes the PWM lib !!

From sceMp3:

  • 0x8AB81558 sceMp3StartEntry
  • 0x732B042A sceMp3EndEntry

That completes libmp3 !!

From sceAac:

  • 0x6C05813B sceAacStartEntry
  • 0x61AA43C9 sceAacEndEntry

That completes libaac !!

From sceAta_driver:

  • 0x8cada96b sceAtaAhbGetDDRSize
  • 0xb985f2b0 sceAtaAhbSetDDRSize
  • 0x7c6b31d8 sceAtaDisplayIPD
  • 0x9ca52f94 sceAtaExecIPDCmd

From sceClockgen_driver:

  • 0xc6d4c843 sceClockgenSetProtocol

From InitForKernel:

  • 0x7233b5bc sceKernelApplicationType

From IoFileMgrForKernel:

  • 0x30e8abb3 sceIoValidateFd

From sceUsb1Seg_driver:

  • 0xd799104f sceUsb1SegGetFirmVer

From sceUSB_Stor_Ms_driver:

  • 0x7b810720 sceUsbstorMsSetWorkBuf
  • 0xcf2af7b3 sceUsbstorMsGetNickname
  • 0x16173d42 sceUsbstorMsSetNickname

From scePower_driver:

  • 0xd7b9c925 scePowerGetWatchDog
  • 0x442bfbac scePowerGetBacklightMaximum
  • 0x23436a4a scePowerGetInnerTemp
  • 0xf535d928 scePowerSetWakeupCondition
  • 0x78a1a796 scePowerIsSuspendRequired

From sceAsfParser:

  • 0xd2dd1778 sceAsfGetContentDescription
  • 0xaa881a7b sceAsfGetExtContent
  • 0xefc704c3 sceAsfGetHeaderExtension
  • 0x5ec678cb sceAsfGetVariableObject

From sceUmdMan_driver:

  • 0x1f9afff4 sceUmdManMediaPresent
  • 0x84410a8e sceUmdManSetReadAheadSize
  • 0x63acfd28 sceUmdManSetDisableReadAhead
  • 0x39704b6e sceUmdManSetEnableReadAhead

From sceUmd:

  • 0x08709f2d sceUmdAssertLeptonWakeup
  • 0xad18c797 sceUmdNegateLeptonWakeup

From sceMgr_driver:

  • 0xf26c410a sceMgrMSReadPoolPage
  • 0xa85906fc sceMgrMSWritePoolPage

From sceMSAudio_driver:

  • 0x66f19ca3 sceMSAudioUpdateIBD
  • 0x22da9981 sceMSAudioInitFringe
  • 0x9e37e51d sceMSAudioInitTrack
  • 0x5d1c9867 sceMSAudioDecryptFringe
  • 0x38178f2f sceMSAudioDecryptTrack
  • 0x67e58c07 sceMSAudioEndFringe
  • 0x135f2225 sceMSAudioEndTrack
  • 0xda34ab8f sceMSAudioGetMediaType
  • 0xa18a1df6 sceMSAudioClearMACEntry
  • 0xe8b25d38 sceMSAudioCalculateICVn

And vshbridge equivalents:

  • 0x04310D7C vshMSAudioUpdateIBD
  • 0xB27C593F vshMSAudioInitFringe
  • 0×14877197 vshMSAudioInitTrack
  • 0x0D2CEAD2 vshMSAudioDecryptFringe
  • 0xD907B6AA vshMSAudioDecryptTrack
  • 0xD120667D vshMSAudioEndFringe
  • 0x5BBB35E4 vshMSAudioEndTrack
  • 0xB0FD5916 vshMSAudioGetMediaType
  • 0x7A63BE73 vshMSAudioClearMACEntry
  • 0x222A18C4 vshMSAudioCalculateICVn

Marlin DRM Platform (new nids)

October 15th, 2008 silverspring

Marlin is a DRM platform designed to provide interoperability across multiple devices. It’s developed by several big name corporations like Sony, Panasonic, Samsung, Philips, etc.

Naturally the PSP would be a suitable target. The library sceMlnBridge (mlnbridge.prx) has existed since 2.50 but only in the last few firmwares has the API really expanded:

From sceMlnBridge (this is not the full list of nids there are still more unknown):

  • 0x13e68009 sceMlnBridgeAesEcbEncrypt
  • 0x8d7e61dd sceMlnBridgeAesEcbDecrypt
  • 0xde730a46 sceMlnBridgeAesCbcEncrypt
  • 0x7770fc23 sceMlnBridgeAesCbcDecrypt
  • 0x54edc552 sceMlnBridgeSHA1
  • 0x3505ecce sceMlnBridgeHMAC
  • 0x2fdf5639 sceMlnBridgeRandInit
  • 0xd0790a37 sceMlnBridgeRandFin
  • 0xe79622cd sceMlnBridgeRandGetBytes
  • 0xadb4797e sceMlnBridgeRsaInit
  • 0xb7e04efa sceMlnBridgeRsaFin
  • 0x10c4fec6 sceMlnBridgeSha1MakeDigest
  • 0xd455dd97 sceMlnBridgeSha256MakeDigest

Its features include a Public Key Encryption Algorithm, a Public Key Signature Algorithm, a Secret Key Encryption Algorithm, a Secret Key Signature Algorithm, a Digest Algorithm, and more. So here you have access to AES, RSA, SHA1, SHA256, & MT19937 algorithms all in a single usermode lib (though the api was stripped down again from 4.xx for some reason).

All the algorithms are done in software with the exception of AES, which it relies on MagicGate hardware to perform.

From sceMgr_driver:

  • 0xA45A63B6 sceMgrAesEcbEncrypt
  • 0x19B8F2D0 sceMgrAesEcbDecrypt
  • 0xA44A5538 sceMgrAesCbcEncrypt
  • 0xA1F6D85A sceMgrAesCbcDecrypt

These are just convenient wrappers over the sceMgrAESEncrypt/sceMgrAESDecrypt functions that were discovered earlier here.

Also, an interface through a USB driver (usbstormgr.prx).

From sceUsbstormln:

  • 0x1f4ac19c sceUsbstormlnGetCommand
  • 0x5821060d sceUsbstormlnNotifyResponse
  • 0x382898de sceUsbstormlnRegisterBuffer
  • 0x25b6f372 sceUsbstormlnUnregisterBuffer
  • 0xdec0fe8c sceUsbstormlnWaitStatus
  • 0xe11defdf sceUsbstormlnCancelWaitStatus

USB Host ??

October 12th, 2008 silverspring

Some new nids that may suggest that the PSP does in fact have USB Host capabilities:

  • 0x3E961C02 sceSysregUsbhostResetEnable
  • 0xACFA3764 sceSysregUsbhostResetDisable
  • 0xDA4FCA1D sceSysregUsbhostClkEnable
  • 0x228A73E1 sceSysregUsbhostClkDisable
  • 0xE321F41A sceSysregUsbhostBusClockEnable
  • 0x4D2FFC60 sceSysregUsbhostBusClockDisable
  • 0xFFEB6E00 sceSysregUsbhostQueryIntr
  • 0x87C2BA20 sceSysregUsbhostAcquireIntr

However, these nids were only added in 2.70. At the same time, sceSysregAtahdd___ nids were also added so it could be that this was for the unreleased HDD model PSP and not actually for any current model. Usb Host may have been destined for this new PSP which, along with the internal HDD+GSensor and Bluetooth, defintely would have been a dream handheld.

At one point it seemed that the new PSP-3000 would be the model to integrate these great features however that does not seem to be the case anymore. With the disappointing new features of the PSP-3000 let’s hope a PSP-4000 will finally be the time Sony releases this new model.

Another interesting fact that may mean something or may mean absolutely nothing at all:

0xBC1000B0 is the Usbhost Interrupt Status register. On normal boot this register is set to 1 however on service mode & test mode boot (ie. for battery serial 0xFFFFFFFF & 0×00000000 respectively) this register is set to 0. Whether this actually means something of significance is unknown however it is rumoured that during service mode the USB is actually plugged in (perhaps connected to a testing PC ?).

Another large bunch of new NID’s

October 10th, 2008 silverspring

Syscon G-Sensor
As I mentioned in previous entries, support for an internal HDD+GSensor had been added to the kernel from 2.80. It seems SCE had wanted to keep it a secret since when I had revealed the NID’s referencing these devices, the API had promptly been removed the following firmware. Hence the HDD & GSensor NID’s only exist from 2.80-3.60. When they actually plan on releasing this HDD is anyone’s guess, though I had hoped it would have happened with the release of the PSP-3000. Well, maybe for PSP-4000…

From sceSyscon_driver:

  • 0x3357EE5C sceSysconIsFalling
  • 0x565EF519 sceSysconGetFallingDetectTime

This literally detects whether or not the PSP is falling down (the G-Sensor has an accelerometer built in) and if it is, shuts down the HDD to protect from damage.

Link to previous post about the GSensor and HDD:

Lightweight Mutex
Lightweight mutexs have recently been added to the kernel (3.80+ firmwares) however the majority of the API was placed in the sceKernelLibrary of usersystemlib.prx instead of sceThreadManager even though sceKernelCreateLwMutex/sceKernelDeleteLwMutex were still in sceThreadManager.

From Kernel_Library:

  • 0xBEA46419 sceKernelLockLwMutex
  • 0x1FC64E09 sceKernelLockLwMutexCB
  • 0xDC692EE3 sceKernelTryLockLwMutex
  • 0x15B6446B sceKernelUnlockLwMutex
  • 0xC1734599 sceKernelReferLwMutexStatus

From ThreadManForUser:

  • 0x4C145944 sceKernelReferLwMutexStatusByID

Low-level Sound Library
From 1.00-2.60 a low-level sound library was available as the scePEQ_Library_driver (peq.prx).

From scePEQ_driver:

  • 0xF7EA0632 scePeqInit
  • 0x213DE849 scePeqEntry
  • 0xED13C3B5 scePeqProc

From 2.70+ this library was replaced with sceSAScore (sc_sascore.prx – SC being the shorthand for the main cpu as opposed to ME the Media Engine cpu).

From sceSasCore_driver:

  • 0xB0F9F98F sceSasCoreInit
  • 0xE143A1EA sceSasCoreExit

For the usermode library the usual naming convention changed (no wonder there were never any hits for these nids, they used a stupid underscore, and two of them!!)

From sceSasCore:

  • 0x019B25EB __sceSasSetADSR
  • 0x07F58C24 __sceSasGetAllEnvelopeHeights
  • 0x267A6DD2 __sceSasRevParam
  • 0x2C8E6AB3 __sceSasGetPauseFlag
  • 0x33D4AB37 __sceSasRevType
  • 0x42778A9F __sceSasInit
  • 0x440CA7D8 __sceSasSetVolume
  • 0x50A14DFC __sceSasCoreWithMix
  • 0x5F9529F6 __sceSasSetSL
  • 0x68A46B95 __sceSasGetEndFlag
  • 0x74AE582A __sceSasGetEnvelopeHeight
  • 0x76F01ACA __sceSasSetKeyOn
  • 0x787D04D5 __sceSasSetPause
  • 0×99944089 __sceSasSetVoice
  • 0x9EC3676A __sceSasSetADSRmode
  • 0xA0CF2FA4 __sceSasSetKeyOff
  • 0xA232CBE6 __sceSasSetTrianglarWave
  • 0xA3589D81 __sceSasCore
  • 0xAD84D37F __sceSasSetPitch
  • 0xB7660A23 __sceSasSetNoise
  • 0xBD11B7C2 __sceSasGetGrain
  • 0xCBCD4F79 __sceSasSetSimpleADSR
  • 0xD1E0A01E __sceSasSetGrain
  • 0xD5A229C9 __sceSasRevEVOL
  • 0xD5EBBBCD __sceSasSetSteepWave
  • 0xE175EF66 __sceSasGetOutputmode
  • 0xE855BF76 __sceSasSetOutputmode
  • 0xF983B186 __sceSasRevVON

Under the same prx another sound lib, the Positional 3D Audio Library, was added in 2.80+.

From sceP3da:

  • 0x374500A5 sceP3daBridgeInit
  • 0x43F756A2 sceP3daBridgeExit
  • 0x013016F3 sceP3daBridgeCore

User Log
Added from 2.80+, can only be used on devkits.

From UtilsForKernel:

  • 0x92282A47 sceKernelRegisterUserLogHandler
  • 0x87E81561 sceKernelPutUserLog

As people may know SCE added their own official UMD Emulator to load official PSP ISO’s bought from PSN Store (such as “Beats” and many others). The scePspNpDrm_Driver (npdrm.prx) is what protects these legit ISO’s. This prx was added in 3.00 way before the actual UMD Emulator (np9660.prx) was added in 3.50 which was even quite a while before it was actually officially enabled. It was unofficially enabled beforehand under M33 CFWs as the NP9660 No-UMD ISO Loader.

From scePspNpDrm_driver:

  • 0x17E3F4BB sceNpDrmVerifyAct
  • 0x37B9B10D sceNpDrmVerifyRif
  • 0x00AD67F8 sceNpDrmGetFixedKey
  • 0x5667B7B9 sceNpDrmGetContentKey
  • 0xD36B4E6D sceNpDrmGetModuleKey
  • 0x0F9547E6 sceNpDrmGetVersionKey (incorrectly listed as scePspNpDrmInitFromGameIdMs4 on the libdocs)
  • 0xA1336091 sceNpDrmSetLicenseeKey
  • 0x9B745542 sceNpDrmClearLicenseeKey
  • 0x275987D1 sceNpDrmRenameCheck
  • 0x08D98894 sceNpDrmEdataSetupKey
  • 0x219EF5CC sceNpDrmEdataGetDataSize

VSH System Config
The vshRegSysconf lib was previously under the sceVshCommonUtil_Module upto 1.50. From 2.00 the lib was moved to the the vsh_module.

From vshmain:

  • 0x03BB4503 vshRegSysconfGetCharacterSetOem
  • 0x67BFD9C0 vshRegSysconfSetCharacterSetOem
  • 0x0FE13026 vshRegSysconfGetCharacterSetAnsi
  • 0x032D663E vshRegSysconfSetCharacterSetAnsi
  • 0xF859FC3C vshRegSysconfGetThemeSystemColor
  • 0xEE3D8305 vshRegSysconfSetThemeSystemColor

Note: I have yet to add these new NID’s to the libdoc site. I will do so when I get some spare time.

PAF NID’s !!

September 2nd, 2008 silverspring

PAF NID’s have been very difficult to crack, the majority of exports are C++ mangled names and the ones that aren’t do not follow the standard SCE naming format. But here is a large portion of paf.prx NID’s that will now make VSH modules many more times easier to RE. This should be the complete list of sce_paf_private functions:

  1. 0xC9831AFF  sce_paf_private_printf
  2. 0xBFE9E90B  sce_paf_private_wprintf
  3. 0x5FAC9869  sce_paf_private_malloc
  4. 0xFCB4E053  sce_paf_private_malloc2
  5. 0x26DE971C  sce_paf_private_mtrim
  6. 0x613E9AA2  sce_paf_private_mtrim2
  7. 0x40C95283  sce_paf_private_check_leak
  8. 0xB61E88F2  sce_paf_private_check_leak2
  9. 0x545FE2DA  sce_paf_private_free
  10. 0x7EC15225  sce_paf_private_free2
  11. 0x60DECA7E  sce_paf_private___assert
  12. 0xFD4C9F47  sce_paf_private_wcslen
  13. 0x71B4AC50  sce_paf_private_memchr
  14. 0xF95EA3F1  sce_paf_private_memcpy
  15. 0x6829D7AF  sce_paf_private_memset
  16. 0xCA79D58B  sce_paf_private_strlen
  17. 0x66FE90D7  sce_paf_private_strcmp
  18. 0x980228BA  sce_paf_private_strcpy
  19. 0x296897BC  sce_paf_private_sinf
  20. 0xDEDF238F  sce_paf_private_cosf
  21. 0x7BED034E  sce_paf_private_sqrtf
  22. 0xB3D58D25  sce_paf_private_floorf
  23. 0x302F609D  sce_paf_private_ceilf
  24. 0x44AAF96C  sce_paf_private_acosf
  25. 0x49A81B18  sce_paf_private_swprintf
  26. 0xFF2F98C6  sce_paf_private_strncpy
  27. 0x77D981F5  sce_paf_private_strrchr
  28. 0x45D851D1  sce_paf_private_wcscpy
  29. 0×71712601  sce_paf_private_sprintf
  30. 0x71460F7C  sce_paf_private_vsprintf
  31. 0x6F092DF6  sce_paf_private_vsnprintf
  32. 0xABBBB335  sce_paf_private_fopen
  33. 0x07A5F495  sce_paf_private_fputc
  34. 0xF1552447  sce_paf_private_fwrite
  35. 0×83944053  sce_paf_private_fclose
  36. 0x0B4C0DB6  sce_paf_private_ferror
  37. 0x2FDC80B3  sce_paf_private_wcscmp
  38. 0xFCFAA39F  sce_paf_private_wcscasecmp
  39. 0xD121F409  sce_paf_private_wcsrchr
  40. 0x993E9FDC  sce_paf_private_strchr
  41. 0x3188E7DB  sce_paf_private_strstr
  42. 0x7CD438D9  sce_paf_private_strtok
  43. 0xDC38941B  sce_paf_private_strtok_r
  44. 0xF0B4CAE7  sce_paf_private_strncmp
  45. 0x6C234A6A  sce_paf_private_atoi
  46. 0x37A98AE9  sce_paf_private_atol
  47. 0xB4E3A16C  sce_paf_private_abs
  48. 0x3DD2A27B  sce_paf_private_bsearch
  49. 0x9870A25B  sce_paf_private_fgetc
  50. 0x503BA324  sce_paf_private_fread
  51. 0x2FA84441  sce_paf_private_fseek
  52. 0x84BD418F  sce_paf_private_ftell
  53. 0x902515FB  sce_paf_private_look_ctype_table
  54. 0x3586BE05  sce_paf_private_memalign
  55. 0x2FA0EDDC  sce_paf_private_memalign2
  56. 0x8FC65EB0  sce_paf_private_realloc
  57. 0x29BAA830  sce_paf_private_realloc2
  58. 0x3FBD9639  sce_paf_private_memcmp
  59. 0x6BA9C299  sce_paf_private_memmove
  60. 0xF1B52E86  sce_paf_private_powf
  61. 0x10B901E7  sce_paf_private_qsort
  62. 0x4370175A  sce_paf_private_rand
  63. 0x809A4F83  sce_paf_private_snprintf
  64. 0xA82E3C19  sce_paf_private_srand
  65. 0xED2B47FA  sce_paf_private_strcasecmp
  66. 0xDEB2D1C9  sce_paf_private_strncasecmp
  67. 0x26168DD3  sce_paf_private_strcat
  68. 0x626D68A1  sce_paf_private_strncat
  69. 0xFBA47E77  sce_paf_private_strtol
  70. 0x2394D451  sce_paf_private_strtoul
  71. 0x44A0BCE4  sce_paf_private_tanf
  72. 0x4B1A374C  sce_paf_private_tolower
  73. 0x1D5D9A68  sce_paf_private_toupper
  74. 0x51AAAAF4  sce_paf_private_wcschr
  75. 0x54C0DD23  sce_paf_private_wcsncmp
  76. 0x9F10613F  sce_paf_private_longjmp
  77. 0x8F12B63A  sce_paf_private_setjmp
  78. 0x9D0192FD  sce_paf_private_atan2f
  79. 0xFEAFC77A  sce_paf_private_fabsf
  80. 0x77EB25F5  sce_paf_private_bcopy
  81. 0x99A5CD38  sce_paf_private_bzero
  82. 0xCE699963  sce_paf_private_calloc
  83. 0xCB2198AB  sce_paf_private_wcsncpy
  84. 0x11EF5210  sce_paf_private_logf
  85. 0x680513D9  sce_paf_private_feof
  86. 0x9C483594  sce_paf_private_fflush
  87. 0x1E088F41  sce_paf_private_strpbrk

PSP LibDoc update

August 21st, 2008 silverspring

Another large update to the libdocs:

Finally added the 4.05 firmware and updates to 1.50 and 3.52 only.

Some of the more noteworthy NID’s include:

  • 0x96cfac38 sceDisplayGetBacklightSel
  • 0xe55f0d50 sceDisplaySetBacklightSel

Newer method to get/set the brightness levels.

  • 0x42f954d4 sceIoAddHook

This is the function used to implement the CipherIO system (the cphio pseudo IO driver) used by things such as the DNAS IO lib as well as other DRM libs. It hooks the IO functions to be able to implement cipher routines which can then used by simply calling ioctls of this pseudo IO driver.

  • 0x19d579f0 sceOpenPSIDGetPSID

Note, this is NOT the same as sceOpenPSIDGetOpenPSID, plus this is a kernel-only export.

  • 0xe7735df4 sceUsb1SegEEPROMParamRead
  • 0xa68a6c72 sceUsb1SegEEPROMParamWrite

Access to the EEPROM of the 1Seg TV Tuner.

  • 0xc72ed6d3 sceUsbCamEnterFwUpdateMode

Updating the USB Camera firmware.

  • 0xf9ecfddd scePcactAuth1BB
  • 0x08bb9677 scePcactAuth2BB
  • 0x8523e178 sceMlnpsnlAuth1BB
  • 0x6885f392 sceMlnpsnlAuth2BB

Yes another DRM api.

There are plenty more NID’s of various usefulness as well. In general, this was quite a good update, lot’s of great NID’s were cracked.

SBORPS Random Fact 04

August 16th, 2008 silverspring

SCE media reports have always stated that the PSP has AES capabilities. These are apparently referring to the fact that the UMD format discs are AES encrypted. This means that SPOCK (the crypto engine responsible for UMD decryption) has AES decryption capabilities. KIRK on the other hand (the main crypto engine responsible for prx/eboot decryption) also has a block cipher but is unknown which algorithm it uses, though it is almost certainly AES as well. Currently what is known about the cipher is that it is:

  • a block cipher operating in CBC mode
  • an all zero 128-bit initialization vector
  • 128-bit block and key sizes
  • cmd4/7 uses a static key that is identical in all PSP’s
  • cmd5/8 uses a key based off the fuseID making all operations unique per PSP
  • cmd6/9 uses a user-defined 128-bit key
  • cmd1/2/3 uses the block cipher but also signature algorithms
  • the remaining KIRK cmd’s do not use the block cipher (sig, hash, & prng algo’s)

Interfacing with KIRK for general-purpose encryption is cumbersome and using a software-based lib is both slow and memory-consuming. Fortunately, there is another method: using the MagicGate hardware. The API provides both standard DES and AES algorithms.

  • 0x2DAD213D sceMgrDESEncrypt
  • 0xF5DFD97B sceMgrDESDecrypt
  • 0x8A916574 sceMgrAESEncrypt
  • 0x3054F8F1 sceMgrAESDecrypt

The prototypes are as follows:

  1. /*
  2. dst:  output buffer
  3. src:  input buffer
  4. size: input size
  5. key:  encryption/decryption key (64-bit for DES, 128-bit for AES)
  6. iv:   initialization vector for CBC mode (pass NULL for ECB mode) (64-bit for DES, 128-bit for AES)
  7. */
  8. int sceMgrDESEncrypt(u8 *dst, u8 *src, int size, u8 *key, u8 *iv);
  9. int sceMgrDESDecrypt(u8 *dst, u8 *src, int size, u8 *key, u8 *iv);
  10. int sceMgrAESEncrypt(u8 *dst, u8 *src, int size, u8 *key, u8 *iv);
  11. int sceMgrAESDecrypt(u8 *dst, u8 *src, int size, u8 *key, u8 *iv);

NID’s – SCE trickery & fake names

August 11th, 2008 silverspring

In a previous post I wrote about SCE using fake names for their functions especially for their crypto libraries.

Here is another classic example, from the sceChnnlsv lib – the savegame encryption library (chnnlsv is also a meaningless jumble of letters just like the names of the other crypt libs):

  • 0xe7833020 sceSdSetIndex
  • 0xf21a1fca sceSdRemoveValue
  • 0xc4c494f8 sceSdGetLastIndex
  • 0xabfdfc8b sceSdCreateList
  • 0x850a7fa1 sceSdSetMember
  • 0x21be78b4 sceChnnlsv_21BE78B4 (not yet cracked)

The names have nothing to do with what the actual functions do and actually should be named something like this:

  • sceSdSetIndex – sceSdCipherInit
  • sceSdRemoveValue – sceSdCipherUpdate
  • sceSdGetLastIndex – sceSdCipherFinal
  • sceSdCreateList – sceSdMacInit
  • sceSdSetMember – sceSdMacUpdate
  • sceChnnlsv_21BE78B4 – sceSdMacFinal

The sceChnnlsv lib is already in the PSPSDK and the prototypes worked out. Now we have the correct names for them; however they are intentionally fake (I suspect in the SCESDK they may use more meaningful names in their code which their toolchain later converts to these fake names that you see in the exports table).

Almost every crypto lib uses fake function names. Which is why the nids for them are so much more difficult to crack. There are several crypto libs still with completely unknown names: sceMcctrl, sceMemab, sceMemlmd, sceMesgLed, sceSemawm.

Some very significant NID’s

July 25th, 2008 silverspring

Here are 2 very important nids found:

  • 0x4F46EEDE sceSysregGetFuseId
  • 0x8F4F4E96 sceSysregGetFuseConfig

These 2 functions serve quite significant purposes.

And some other not so significant ones:

  • 0xBF91FBDA sceSysregMsifQueryConnectIntr
  • 0x36A75390 sceSysregMsifAcquireConnectIntr


Due to some interest with regard to the above two functions I listed, here is some more info:

  1. u64 sceSysregGetFuseId();
  2. u32 sceSysregGetFuseConfig();

These are hardcoded values located in the CPU IC – TACHYON (presumably on an OTP PROM on the die).

The FuseID is a completely unique 48-bit internal ID and as such is referenced quite a bit. Most notably being used as the seed for the idstorage encryption on slim PSP’s as well as the lflash encryption on 3.00+ firmwares. It is probably also widely used for other purposes as well since it is the only one true internal serial number.

The FuseConfig holds hardcoded configuration data for the TACHYON IC. For example, when the PSP is shutdown (or put to sleep) the config data is used to control the TACHYON voltages to power the devices off.

More NID’s

July 21st, 2008 silverspring

From sceCtrl_driver lib:

  • 0x5E77BC8A sceCtrlGetButtonIntercept
  • 0x7CA723DC sceCtrlSetButtonIntercept

These ctrl functions are already in pspsdk – under pspctrl_kernel.h (though with unknown names – labelled Get/Set Button Mask):

  1. void sceCtrlSetButtonIntercept(unsigned int mask, unsigned type);
  2. int sceCtrlGetButtonIntercept(unsigned int mask);

From SysMemForKernel lib:

  • 0xA262FEF0 sceKernelGetAllowReplaceUmd
  • 0xCBB05241 sceKernelSetAllowReplaceUmd

From sceUSB_Stor_Ms_driver lib:

  • 0xABE9F2C7 sceUsbstorMsGetApInfo
  • 0x576E7F6F sceUsbstorMsSetProductInfo


June 20th, 2008 silverspring

Some new nids:

  • 0x5e335df6 sceHVAuthOpen
  • 0x816a5f92 sceHVAuthAuth
  • 0x9db7de7c sceHVAuthClose

The sceHVAuth lib seems to be used for proxy config settings for the Html Viewer.

  1. /*
  2. Creates an 80 char alphanumeric password
  3. (randomly generated via a time-seeded Mersenne Twister)
  4. */
  5. int sceHVAuthOpen(char *pass);
  7. /*
  8. Verifies the password.
  9. hmac is 20-Byte SHA1 HMAC in ascii format
  10. */
  11. int sceHVAuthAuth(char *pass, const char *hmac);
  13. /*
  14. Clears the password
  15. */
  16. int sceHVAuthClose(char *pass);

More DevKit NID’s

May 29th, 2008 silverspring

SysMemForKernel library (from 2.50 fw onwards):

  • 0x071d9804 sceKernelApiEvaluationInit
  • 0x049CC735 sceKernelApiEvaluationReport
  • 0×02786087 sceKernelRegisterApiEvaluation

All these functions just return 0 in the retail sysmem.prx which suggests it’s used in devkits only. Sounds like a reporting tool but no idea what kind of data it will log.

UtilsForKernel library:

  • 0x136f2419 sceKernelSetPTRIGMask

PTRIG is some sort of switch on a devkit similar to the dipswitches. Do not know what it controls.

Last remaining sceIdStorage nid

May 20th, 2008 silverspring

The final remaining idstorage nid:

  • 0x99ACCB71 sceIdStorageCreateAtomicLeaves

As the name suggests, this function creates multiple leaves as an atomic operation. Because each leaf is only one nand page in size (0×200 Bytes), data requiring more than 0×200 bytes will need more than one leaf. This function allows you to create multiple leaves as a single operation. This saves from having to sceIdStorageCreateLeaf each individual leaf.

A good example of this are the umd keys (0×102-0×106), which hold a single continuous stream of data split over 5 seperate leaves:

  1. // leafid is an array of leaf ID’s to be created
  2. // numLeaves is the number of leaves to create
  3. int sceIdStorageCreateAtomicLeaves(u16 *leafId, int numLeaves);
  5. u16 umdKey[5] = {0×102, 0×103, 0×104, 0×105, 0×106};
  7. sceIdStorageCreateAtomicLeaves(umdKey, 5);

That finally completes the idstorage lib !!

New 3.95 lib NID’s

May 7th, 2008 silverspring

Completed 2 libs new in 3.95.

Complete libaac (except for 2 which aren’t really needed anyway since they are just module_start/module_stop aliases):

  • 0x6c05813b (module_start alias)
  • 0x61aa43c9 (module_stop alias)
  • 0xe0c89aca sceAacInit
  • 0x33b8c009 sceAacExit
  • 0x5cffc57c sceAacInitResource
  • 0x23d35cae sceAacTermResource
  • 0x7e4cfee4 sceAacDecode
  • 0x523347d9 sceAacGetLoopNum
  • 0xbbdd6403 sceAacSetLoopNum
  • 0xd7c51541 sceAacCheckStreamDataNeeded
  • 0xac6dcbe3 sceAacNotifyAddStreamData
  • 0x02098c69 sceAacGetInfoToAddStreamData
  • 0x6dc7758a sceAacGetMaxOutputSample
  • 0x506bf66c sceAacGetSumDecodedSample
  • 0xd2da2bba sceAacResetPlayPosition

Completed G.729 lib (new exports added in 3.95):

  • 0xaa1e5462 sceG729EncodeInitResource
  • 0x94714d50 sceG729EncodeTermResource
  • 0x8c87a2ca sceG729EncodeReset
  • 0x17c11696 sceG729DecodeInitResource
  • 0x890b86ae sceG729DecodeTermResource
  • 0x74804d93 sceG729DecodeReset

PSP LibDoc update

May 2nd, 2008 silverspring

Finally got around to updating the libdocs (

Thanks to Insert_Witty_Name for the full sceNetAdhocTransInt_Library nids, and WosRet for some very nice sysmem/kdebug nids:

  • 0x24C32559 sceKernelDipsw (devkit dip switch settings)
  • 0x39F49610 sceKernelGetPTRIG (I don’t know what these are, more devkit stuff?)
  • 0xCE8D3DB3 sceKernelGetQTGP2
  • 0x6D8E0CDF sceKernelGetQTGP3

Some nids from brand new modules like the 1seg TV Tuner and the G729 Audio Compression algorithm used for Skype:

  • 0xf8e2cedc sceUsb1SegScanCh
  • 0x5f62e0b5 sceUsb1SegChangeCh
  • 0xcfcd367c sceG729EncodeInit
  • 0x55e14f75 sceG729DecodeInit

And an unusual change from the standard naming conventions:

  • 0xfa6de6a6 _sce_pspnet_if_up
  • 0xedb11cb4 _sce_pspnet_if_down
  • 0x701dddc3 _sce_pspnet_if_attach
  • 0xd5a03bc0 _sce_pspnet_if_detach

Also added 3.95 firmware (, not surprisingly nids were changed again from the 3.90/3.93 firmware, but at least there’s some new modules (like libaac).

I will probably only update firmwares 1.50 & 3.52 (as well when a new firmware comes along) from now. !.50 for obvious reasons since 1.50 homebrew is still strong, and 3.52 since that was the last update before SCE started randomising the nids.