I dumped the firmware of PSP by electrical means. Peel off the memory chip from PSP mainboard, connect wires to the chip, find which ball is what, and dumped. In the dumped firmware, there are executables. They are mostly encrypted but there does exist unencrypted executables, by which I learned how dynamic link is done.Orion_ wrote:I can't understand how work the call to kernel function.
does the numbers in startup.s are the address of the functions in kernel/memory ?
how did you find them and what was their parameters ?
Another key stayed in 'PBP Exploit Success... but only on 1.0 psp :(' thread. The posts in the thread brought to me inspiration and valuable information. I want to express my best thanks to them all. Unless they point out that ELF file can be executed, it would take more time.
Importing system call seems to be done by loader of PSP system as follows:
- Module or system call group is choosed by ascii string 'module' of STUB_START
- Systemcall is specified by 32bit ID, 'funcid' of STUB_FUNC, and loader searchs from the list
- Loader patches nop in .text.stub to syscall