sceWlanChipInit... can be useful?




sceWlanChipInit... can be useful?

Post by ab5000 »

Hi.

Today, while I was disassembling the Sony wlan driver (wlan.prx), I found a strange string: "sceWlanChipInit" (0x00018F08, in the .rodata section of the prx). I jumped to the address where it is used (0x00003D30) and found that the string is passed as the first argument of sceKernelCreateThread (the thread name). I found the second argument (the address of the thread's main function), jumped to that address (0x00004A98) and found the thread's main function. I have written the main routine and all the routines it calls out to a file.

Can this be useful? I can send the file; ask me for it by PM.

Bye!

P.S. Sorry for my bad english!

Post by jean »

I don't know whether people around here will hail you as a hero or as evil itself (for some reason, other people searching for possible wlan tweaks - oriented to packet sniffing, of course - were treated in a very ugly way), but to me you are more the first than the second! In either case, you provided a clear and straight explanation of how functions are hunted down in the FW jungle (at least one of the possible ways). Good work... Many thanks!!

Post by adrahil »

Well, it's not useful as such; it just performs the hardware initialization of the wireless driver... If you want to compare, I have looked through the 3.52 wlan.prx and got something like this:


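// Chip bring-up for the WLAN driver (wlan.prx 3.52, reverse engineered).
// Runs _sceWlanHWInit on the HAL, then spawns the "SceWlanChipInit" thread
// (_sceWlanInitChipThread) and waits for it. The whole sequence is retried
// while the thread exits with status 1, i.e. indefinitely on persistent failure.
//
// config: module-wide SceWlanParam; config->hal is handed to the HAL calls.
// Returns the init thread's exit status (0 on success, or the
// sceKernelWaitThreadEnd error), or -1 if the HAL init or the thread start fails.
int _sceWlanPerformChipInit(SceWlanParam *config) {
  int ret;
  int old_intr;
  int priority;
  int th_id;    // lived in r17 in the disassembly
  int th_ret;

  do {
    ret = _sceWlanHWInit(config->hal);
    if (ret < 0) return -1;

    // Thread creation happens with interrupts masked.
    old_intr = sceKernelCpuSuspendIntr();

    // Bit 0x2000 selects a high (0x10) or low (0x78) thread priority.
    // NOTE(review): "unk1" is not a field of the SceWlanParam layout posted below — confirm which word is tested.
    priority = (config->unk1 & 0x2000) ? 0x10 : 0x78;
    th_id = sceKernelCreateThread("SceWlanChipInit", _sceWlanInitChipThread,
                                  priority, 0xC00, 0x100001, 0);

    sceKernelCpuResumeIntr(old_intr);

    config->chip_init_thid = th_id;

    // 4-byte thread argument. _sceWlanInitChipThread reads argv[0] as the
    // SceWlanParam pointer, so the real code most likely passes &config here — confirm.
    // As transcribed, the thread is not deleted on this failure path.
    ret = sceKernelStartThread(th_id, 4, config);
    if (ret != 0) return -1;

    // The transcript waited on r17, which is the register that held th_id.
    th_ret = sceKernelWaitThreadEnd(th_id, 0);
    // On this kernel error from the wait, release the host lock (command
    // 0x80000002 signals hal->mshostlocksema in sub_0000D1CC).
    if (th_ret == 0x800201AC) {
      sub_0000D1CC(config->hal, 0x80000002, 0);
    }

    sceKernelDeleteThread(th_id);
    config->chip_init_thid = 0;
  } while (th_ret == 1);

  return th_ret;
}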

//...

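// Body of the "SceWlanChipInit" thread started by _sceWlanPerformChipInit.
// Invokes the HAL's unkc0 callback; on success queries the HAL with command
// 0x201, stores a value from the reply in hal->unkb8, records the region and
// runs sub_00001224. Exits with status 1 on failure, 0 on success (the caller
// retries chip init while the status is 1).
//
// args: length of the thread argument (4 as started by the caller).
// argv: thread argument block; argv[0] is read as the SceWlanParam pointer.
int _sceWlanInitChipThread(int args, void *argv) {
  SceWlanParam *config = ((SceWlanParam **)argv)[0];   // r16
  SceWlanHal *hal = config->hal;                       // r4 (the transcript used an undeclared "hal" below)
  int ret;
  int th_ret;
  // 20-byte scratch buffer on the stack (r29), zeroed word by word in the disassembly.
  unsigned int scratch[5] = {0, 0, 0, 0, 0};

  // unkc0 is a callback slot in the HAL struct; hal is a pointer, so "->" not ".".
  ret = ((int (*)(SceWlanHal *))hal->unkc0)(hal);

  if (ret < 0) {
    th_ret = 1;
  } else {
    // Command 0x201 fills scratch bytes +0/+2/+4 with hal->unk78/7a/7c
    // (see sub_0000D1CC); the disassembly then reads the 16-bit value at +6 — confirm.
    sub_0000D1CC(hal, 0x201, scratch);

    hal->unkb8 = *(unsigned short *)((unsigned char *)scratch + 0x6);
    hal->region = _sceWlanGetWlanRegion();

    ret = sub_00001224(config);
    th_ret = (ret < 0) ? 1 : 0;
  }

  sceKernelExitThread(th_ret);
  return 0;
}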

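// Derive the WLAN region value from IdStorage key 0x45 (offset 0, 2 bytes).
// Only the low 12 bits of the stored word are examined:
//   lookup failure, 0 or 1 -> 0x1000
//   2                      -> 0x3000
//   3                      -> 0x4000
//   anything else          -> 0x1000
int _sceWlanGetWlanRegion(void) {
  u16 tmp16;
  int ret = sceIdStorageLookup(0x45, 0, &tmp16, 2);

  if (ret != 0) return 0x10 << 8;
  // The transcript's "tmp16&0xFFF == 1" parses as tmp16 & (0xFFF == 1), which is
  // always 0; the mask has to be parenthesised for the comparisons to mean anything.
  if ((tmp16 & 0xFFF) == 1) return 0x10 << 8;
  if (tmp16 == 0) return 0x10 << 8;
  if ((tmp16 & 0xFFF) == 2) return 0x30 << 8;
  if ((tmp16 & 0xFFF) == 3) return 0x40 << 8;

  return 0x10 << 8;
}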

//some internal ioctls probably...
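// HAL command dispatcher (the "internal ioctls"). A few commands are handled
// locally, then every command is forwarded to the HAL's unkd0 callback and
// its -1..-7 result mapped onto 0x80410Dxx error codes.
//
// hal:     HAL state; bit 0 of hal->unk0 must be set, else 0x80410D0C.
// command: 0x202 re-runs _sceWlanHWInit when *(u32*)buf == 1 and returns;
//          0x80000002 signals the host lock semaphore; 0x201 copies
//          unk78/7a/7c into buf as three u16 (6 bytes — the caller must
//          provide at least that much). All but 0x202 also reach the callback.
// buf:     command-specific in/out buffer.
// Returns 0 on success or a 0x80410Dxx error code.
int sub_0000D1CC(SceWlanHal *hal, int command, void *buf) {
  int ret;
  unsigned char *b = (unsigned char *)buf;   // byte view: arithmetic on void* is not standard C

  // "hal->unk0&1 == 0" in the transcript parses as unk0 & (1 == 0); mask first.
  if ((hal->unk0 & 1) == 0) return 0x80410D0C;

  if ((command == 0x202) && (*(u32 *)(b + 0) == 1)) {
    ret = _sceWlanHWInit(hal);
    switch (ret) {
      case 0:  return 0;
      case -1: /* fallthrough */
      default: return 0x80410D0D;
    }
  }

  if (command == 0x80000002) {
    sceKernelSignalSema(hal->mshostlocksema, 1);
  }

  if (command == 0x201) {
    *(u16 *)(b + 0) = hal->unk78;
    *(u16 *)(b + 2) = hal->unk7A;
    *(u16 *)(b + 4) = hal->unk7C;
  }

  if (hal->unkd0 == 0) return 0x80410D0E;

  // unkd0 is a callback slot in the HAL struct.
  ret = ((int (*)(SceWlanHal *, int, void *))hal->unkd0)(hal, command, buf);

  switch (ret) {
    case  0: return 0;
    case -1: return 0x80410D0D;
    case -2: return 0x80410D04;
    case -3: return 0x80410D11;
    case -4: return 0x80410D0D;
    case -5: {
      // Static message block in the module's data segment (0x0001A150 in this dump).
      // A declaration directly after a case label needs its own block in C.
      int *message = (int *)0x0001A150;
      message[2] = 0xC0000000;
      // "message[6]&1 == 0" parses as message[6] & (1 == 0); mask first.
      if ((message[6] & 1) == 0) {
        message[6] = 3;
        sceKernelSendMbx(hal->g_config->mac_mbx, message);
      }
      return 0x80410D0C;
    }
    case -6: return 0x80410D84;
    case -7: return 0x80410D85;
    default: return 0x80410D0D;
  }
}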

Post by ab5000 »

The function that creates the thread is called from module_start, alias sceWlanDevInit. I could hook ExitThread or some of the functions it uses and then dump memory; we could probably read the WlanParam structure that way (where did you find it?).

Post by adrahil »

By doing some RE on wlan.prx... I didn't find much, though. Anyway, you'd be better off looking in the direction of the HAL. Here's my module_start code, by the way:


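// Module entry point (exported as sceWlanDevInit). Allocates and fills the
// module-wide SceWlanParam (g_WlanConf), builds the two ring-linked buffer
// tables, reads region/board flags from IdStorage key 0x45, then starts the
// MAC thread and registers the sysevent handler.
//
// Returns 0 on success, 1 if the module is already initialised or the heap /
// param allocation fails. k1 is saved on entry and restored on every exit.
int module_start(void) {
  SceWlanParam *wlan_conf = 0;
  u16 tmp16;
  u8 tmp8_1, tmp8_2;   // declared as tmp16_1/tmp16_2 in the transcript, but used as the 1-byte results below
  int old_k1;
  int ret, ret1, ret2;
  int i;

  // Usual PSP kernel-module idiom: mark the rest of the routine as kernel context.
  old_k1 = pspSetK1(pspGetK1() >> 16);

  // Already initialised: refuse to build a second param block.
  if (g_WlanConf != 0) {
    pspSetK1(old_k1);
    return 1;
  }

  g_heap = _sceWlanCreateHeap(0xE800);
  if (g_heap < 0) {
    pspSetK1(old_k1);
    return 1;
  }

  // sceKernelAllocateVpl stores the block address through its third argument
  // (the transcript passed wlan_conf by value). 0x1f0 is the SceWlanParam size.
  ret = sceKernelAllocateVpl(g_heap, 0x1f0, &wlan_conf, 0);
  wlan_conf = (ret == 0) ? wlan_conf : 0;
  if (wlan_conf == 0) {
    pspSetK1(old_k1);
    return 1;
  }

  memset(wlan_conf, 0, 0x1f0);

  wlan_conf->main_heap = g_heap;
  wlan_conf->unk1d0 = 0x10000;
  wlan_conf->iflock_sema = sceKernelCreateSema("SceWlanMacIfLock", 0x101, 1, 1, 0);
  wlan_conf->mac_mbx = sceKernelCreateMbx("SceWlanMac", 1, 0);

  _sceWlanDWZero(&wlan_conf->unk1b0);
  _sceWlanDWZero(&wlan_conf->unk1b8);

  // Table 1: 0x14 index entries + 0x14 data blocks of 0x604 bytes = 0x79E0 bytes.
  wlan_conf->unk1ptr = _sceWlanVplAlloc(wlan_conf, 0x79E0);

  memset(wlan_conf->unk1ptr, 0, 0x79E0);

  // The transcript counted i down from 0x13 and linked index[i+1] (index[0x14]
  // does not exist), then closed the ring through index[-1]. Written here in
  // the same forward shape as the table-2 ring below — confirm against the disassembly.
  for (i = 0; i < 0x13; i++) {
    wlan_conf->unk1ptr->index[i].unk0 = 0;
    wlan_conf->unk1ptr->index[i].next = &wlan_conf->unk1ptr->index[i + 1];
    wlan_conf->unk1ptr->index[i].data_ptr = &wlan_conf->unk1ptr->data[i];
  }

  // Last entry closes the ring.
  wlan_conf->unk1ptr->index[i].unk0 = 0;
  wlan_conf->unk1ptr->index[i].data_ptr = &wlan_conf->unk1ptr->data[i];
  wlan_conf->unk1ptr->index[i].next = &wlan_conf->unk1ptr->index[0];

  wlan_conf->unk1_datasize = 0x604;
  wlan_conf->unk1_count = 0x14;
  wlan_conf->unk1ptr_2 = wlan_conf->unk1ptr;

  // "param_base" in the transcript is this same param block.
  wlan_conf->unk1c0 = _sceWlanVplAlloc(wlan_conf, 0x93A);

  // Table 2: 0x19 entries of 8 bytes = 0xC8 bytes, also ring-linked.
  wlan_conf->unk2ptr = _sceWlanVplAlloc(wlan_conf, 0xC8);

  for (i = 0; i < 0x18; i++) {
    wlan_conf->unk2ptr->index[i].unk1 = 0;
    wlan_conf->unk2ptr->index[i].unk2 = 0;
    wlan_conf->unk2ptr->index[i].next = &wlan_conf->unk2ptr->index[i + 1];
  }

  wlan_conf->unk2ptr->index[i].unk1 = 0;
  wlan_conf->unk2ptr->index[i].unk2 = 0;
  wlan_conf->unk2ptr->index[i].next = &wlan_conf->unk2ptr->index[0];

  wlan_conf->unk1ec = 0x32;
  // As transcribed: unk158 is dereferenced as an address here and then
  // overwritten with unk154 on the next statement — looks like a slip; confirm.
  *(u32 *)wlan_conf->unk158 |= 2;

  wlan_conf->unk158 = wlan_conf->unk154;
  wlan_conf->unk1e4 = 0x8;
  wlan_conf->unk1e8 = 0xF;

  // IdStorage key 0x45, offset 0: the high nibble of the same word whose low
  // 12 bits _sceWlanGetWlanRegion examines.
  ret = sceIdStorageLookup(0x45, 0, &tmp16, 2);
  if (ret < 0) {
    wlan_conf->unk1d4 = 0;
  } else {
    wlan_conf->unk1d4 = tmp16 & 0xF000;
  }

  // Key 0x45, offsets 3 and 4: one byte each.
  ret1 = sceIdStorageLookup(0x45, 3, &tmp8_1, 1);
  ret2 = sceIdStorageLookup(0x45, 4, &tmp8_2, 1);

  if ((ret1 >= 0) && (tmp8_1 == 1) && (ret2 >= 0)) {
    wlan_conf->unk1d6 = 0xF;
    wlan_conf->unk1d7 = tmp8_2;
  } else {
    wlan_conf->unk1d6 = 0;
  }

  if ((wlan_conf->unk1d4 == 0x1000) && (wlan_conf->unk1d6 != 1)) {
    wlan_conf->unk1d6 = 1;
    wlan_conf->unk1d7 = 2;
  }

  _sceWlanSetupParam(wlan_conf);

  _sceWlanStartMacThread(wlan_conf);

  // Address of the sysevent handler record in the module's data segment (this dump).
  sceKernelRegisterSysEventHandler(0x000197D0);

  g_WlanConf = wlan_conf;
  pspSetK1(old_k1);

  return 0;
}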
As you can see in the following code, starting from "unkb8" of the HAL param struct there are some callbacks which might be worth investigating if you're looking to do packet capture.


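// Module-wide WLAN parameter block, 0x1f0 bytes (module_start allocates and
// memsets exactly that much). Field names encode their byte offset; the
// comments on the named fields repeat the offsets the transcript gave.
// NOTE(review): _sceWlanPerformChipInit tests "config->unk1 & 0x2000", which
// is not a field of this layout — confirm which word it is.
struct SceWlanParam {
u32 unk0;
u32 unk4;
u32 unk8;
u32 unkc;
u32 unk10;
u32 unk14;
u32 unk18;
u32 unk1c;
u32 unk20;
u32 unk24;
u32 unk28;
u32 unk2c;
u32 unk30;
u32 unk34;
u32 unk38;
u32 unk3c;
u32 unk40;
u32 unk44;
u32 unk48;
u32 unk4c;
u32 unk50;
u32 unk54;
u32 unk58;
u32 unk5c;
u32 unk60;
u32 unk64;
u32 unk68;
u32 unk6c;
u32 unk70;
u32 unk74;
u32 unk78;
u32 unk7c;
u32 unk80;
u32 unk84;
u32 unk88;
u32 unk8c;
u32 unk90;
u32 unk94;
u32 unk98;
u32 unk9c;
u32 unka0;
u32 unka4;
u32 unka8;
u32 unkac;
u16 unkb0;
u16 unkb2;
u32 unkb4;
u32 unkb8;
u32 unkbc;
u32 unkc0;
u32 unkc4;
u16 unkc8;
u16 unkca;
u8  unkcc;
u8  unkcd;
u16 unkce;
u16 unkd0;
u16 unkd2;
u32 unkd4;
u32 unkd8;
u32 unkdc;
u32 unke0;
u32 unke4;
u32 unke8;
u32 unkec;
u32 unkf0;
u32 unkf4;
u32 unkf8;
u32 unkfc;
u32 unk100;
u32 unk104;
u32 unk108;
u32 unk10c;
u32 unk110;
u32 unk114;
u32 unk118;
u32 unk11c;
u32 unk120;
u32 unk124;
u32 unk128;
u32 unk12c;
u32 unk130;
u32 unk1_datasize; //134  set to 0x604 by module_start
u32 unk1_count; //138     set to 0x14 by module_start
SceWlanUnk1 *unk1ptr; //13c   0x79E0-byte table 1
SceWlanUnk1 *unk1ptr_2; //140 initially the same pointer as unk1ptr
u32 unk144;
u32 unk148;
u32 unk14c;
u32 unk150;
SceWlanUnk2 *unk2ptr; //154   0xC8-byte table 2
u32 unk158;
u32 unk15c;
u32 unk160;
u32 unk164;
u32 mac_thid;    //0x168  (semicolon was missing in the transcript)
u32 chip_init_thid; //0x16C  thread id of "SceWlanChipInit" while it runs, else 0
u32 iflock_sema; //0x170  "SceWlanMacIfLock"
u32 mac_mbx;     //0x174  "SceWlanMac"
u32 main_heap;   //0x178
u32 unk17c;
SceWlanHalStruct *hal; //0x180  the struct the code calls SceWlanHal
u32 unk184;
u32 unk188;
u32 unk18c;
u32 unk190;
u32 unk194;
u32 unk198;
u32 unk19c;
u32 unk1a0;
u32 unk1a4;
u32 unk1a8;
u32 unk1ac;
u32 unk1b0;
u32 unk1b4;
u32 unk1b8;
u32 unk1bc;
u32 unk1c0;
u32 unk1c4;
u32 unk1c8;
u32 unk1cc;
u32 unk1d0;
u16 unk1d4;   // IdStorage key 0x45 word & 0xF000
u8  unk1d6;   // 0xF, 1 or 0 depending on the key 0x45 bytes at offsets 3/4
u8  unk1d7;
u32 unk1d8;
u32 unk1dc;
u32 unk1e0;
u32 unk1e4;
u32 unk1e8;
u32 unk1ec;
};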
================================================================
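// Table 1: 0x14 index entries of 5 words (0x190 bytes) followed by 0x14 data
// blocks of 0x604 bytes (0x7850) = 0x79E0, the size module_start allocates.
struct SceWlanUnk1 {
  SceWlanUnk1Index index[0x14];
  SceWlanUnk1Data data[0x14];
};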
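// One table-1 index entry (20 bytes). module_start zeroes a field it calls
// "unk0" (this unk1), links "next" into a ring and points data_ptr at data[i].
struct SceWlanUnk1Index {
  int unk1;
  SceWlanUnk1Index *next;
  int unk3;
  int unk4;
  SceWlanUnk1Data *data_ptr;   // was "int data_ptr" without a semicolon; it holds the address of data[i]
};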
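// One table-1 data block; 0x604 matches unk1_datasize in module_start.
struct SceWlanUnk1Data {
  u8 data[0x604];
};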
================================================================
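// Table 2: 0x19 entries of 8 bytes = 0xC8, the size module_start allocates.
struct SceWlanUnk2 {
  SceWlanUnk2Index index[0x19];
};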

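// One table-2 entry; module_start zeroes unk1/unk2 and links next into a ring.
struct SceWlanUnk2Index {
  u16 unk1;
  u16 unk2;
  SceWlanUnk2Index *next;
};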
================================================================
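// Hardware-access part of the HAL. The offsets in the comments are relative
// to the enclosing SceWlanHal (it is embedded at 0xc); 23 words = 0x5c bytes,
// so SceWlanHal's unk68 follows directly.
struct SceWlanHWAccess {
u32 mshostlocksema; //c   signalled by sub_0000D1CC command 0x80000002
u32 ev_flag; //10
u32 reg01; //14
u32 reg02; //18
u32 reg03; //1c
u32 reg04; //20
u32 reg05; //24
u32 reg06; //28
u32 reg07; //2c
u32 reg08; //30
u32 reg09; //34
u32 reg10; //38
u32 reg11; //3c
u32 reg12; //40
u32 reg13; //44
u32 reg14; //48
u32 reg15; //4c
u32 reg16; //50
u32 reg17; //54
u32 reg18; //58
u32 reg19; //5c
u32 reg20; //60
u32 reg21; //64
};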
================================================================
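// HAL state block (SceWlanParam::hal). Fields the posted code touches:
// unk0 bit 0 gates sub_0000D1CC; unk78/7a/7c are returned by command 0x201;
// region is written by the init thread; unkc0 and unkd0 are invoked as
// function pointers; hw.mshostlocksema is signalled by command 0x80000002
// (the code spells it hal->mshostlocksema); g_config->mac_mbx receives the
// error message on callback result -5.
struct SceWlanHal {
u32 unk0;   // bit 0: HAL ready, checked by sub_0000D1CC
u32 unk4;
u32 unk8;
SceWlanHWAccess hw;   // 0xc .. 0x67
u32 unk68;
u32 unk6c;
u32 unk70;
u32 unk74;
//
u16 unk78;   // unk78/7a/7c are copied out by command 0x201
u16 unk7a;
u16 unk7c;
u16 unk7e;
u32 unk80;
u32 unk84;
u32 unk88;
u32 unk8c;
u32 unk90;
u32 unk94;
u32 unk98;
u32 unk9c;
u32 unka0;
u32 unka4;
u32 unka8;
u32 unkac;
u16 region; //b0  0x1000/0x3000/0x4000 from _sceWlanGetWlanRegion
u16 unkb2;
//u16 unkb4 + u16 unkb6??
u32 unkb4;
//callbacks start?
u32 unkb8;   // NOTE(review): _sceWlanInitChipThread stores a 16-bit value from the 0x201 reply here, so this slot may not be a callback
u32 unkbc;
u32 unkc0;   // called as int (*)(SceWlanHal *) by the init thread
u32 unkc4;
u32 unkc8;
u32 unkcc;
u32 unkd0;   // called as int (*)(SceWlanHal *, int command, void *buf) by sub_0000D1CC; 0 means "no handler"
u32 unkd4;
u32 unkd8;
u32 unkdc;
u32 unke0;
u32 unke4;
//callbacks end?
u32 dma_op; //e8
u32 unkbuf80; //ec
u32 unkf0;
u32 hal_thid; //f4
u32 mshostlockflag; //f8
u32 mbx;  //fc
SceWlanParam *g_config; //100  back-pointer to the module param block
void* buf1; //104
void* buf2; //108
u32 unk10c;
u32 unk110;
u32 unk114;
u32 unk118;
u32 unk11c;
u32 unk120;
u32 unk124;
u32 unk128;
u32 unk12c;
u32 unk130;
u32 unk134;
u32 unk138;
u32 unk13C;
u32 unk140;
u32 unk144;
u32 unk148;
u32 unk14c;
u32 unk150;
u32 unk154;
u32 unk158;
u32 unk15c;
u32 unk160;
u32 unk164;
u32 unk168;   // the transcript listed unk160 twice; by offset this is 0x168
u32 unk16c;
u32 unk170;
u32 unk174;
u32 unk178;
u32 unk17c;
u32 unk180;
u32 unk184;
u32 unk188;
u32 unk18c;
u32 unk190;
u32 unk194;
u32 unk198;
u32 unk19c;
u32 unk1a0;
u32 unk1a4;
u32 unk1a8;
u32 unk1ac;
u32 unk1b0;
};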

Post by KickinAezz »

0x45 = Region code?

i.e. the channel restriction (channels 1-11)?

----

54G hack. Anyone?

Post by adrahil »

Yes ^^
I think it's something like Europe, US and Japan - as they have different sets of allowed channels...