by FAPS Team (and other developers if they add their tools there)
Every tool provided here will be licensed under GPLv3.0 unless stated otherwise.
What is this?
This toolkit provides tools that aid in the development of PS Vita homebrews and plugins, as well as PC tools and even emulators, by providing tools that speed up development through automation of processes and gives a more friendly view into complex things of PS Vita OS.
These tools heavily contribute to Wiki and open source SDK improvements.
These tools aided in the development of plugins such as: ReStore, ReNpDrm, repatch, reF00D, NoAVLS, rebgdl.
Remember: IF YOU DO NOT UNDERSTAND WHAT THESE TOOLS DO, IT MAY NOT BE FOR YOU!
Disable a Address Space Layout Randomization of PS Vita
A modified version of PrincessLog to use the USB serial drivers provided by the PSM SDK. This allows for serial stdout without hardware modification.
Credits: dots_tb, SilicaAndPina (idea), Sysie
Req: Yifan Lu, SonicMastr, teakhanirons
A complete logging solution for any homebrew, user plugin, kernel plugin.
It is more efficient and overall nicer than ShipLog. This logger works similarly to ShipLog in that it captures all stdout with ease (with better accuracy also). Please upgrade to this if you have been using ShipLog. While being much faster than ShipLog, if there is massive amounts of logs the logger may not be able to process them completely and will freeze (ex: taiHEN hexdump). This is unlikely in normal usage.
A complete logging solution for any homebrew, user plugin, kernel plugin. It can use network or file logging.
+ Added kernel network, removed user plugin dependency
+ Added ability to select which logging methods.
- Removed all user plugin dependency
- USB removed because it causes problem with Shell and CMA (Content Manager Assistant), it is fast but not stable
A PC tool that hooks specified NIDS automatically.
A free alternative to IDA PRO. It has a great pseudo-C decompilation that offers a quick view thanks to text file exporting.
Compared to original @TheFlow's version we added a few features such as:
+ More strings (EVEN MORE), including data section. (homebrew strings now work)
+ Generates .c, .h, .txt (NIDs), and db_lookup (<module_name>.yml)
+ ELF and fSELF support
+ Compressed fSELF support
+ Fixed issues with NIDS being improperly found
+ Includes offsets and vaddr
+ Automatic entry point (the entry point is retrieved properly from ELF header)
+ Automatic entry point location (for badly generated ELFs)
+ Relocation support
+ There might be more ?
An alternative to VitaDecompilerMod: prxtool cannot decompile to pseudo-C but it can decompiles ASM very well.
A PC tool that decompresses an unencrypted SELF file (.skprx, .suprx, .self, eboot.bin) into an ELF file (.elf, .velf).
This tool can't decompress NPDRM encrypted SELF nor System encrypted SELF. That means that you will have to use FAGDec or sceutils to first get a unencrypted SELF. Read SELFtoELF documentation for more informations.
A PC tool that injects an ELF (made by FAGDec or vita-unmake-fself) into a decrypted eboot.bin.
DEPRECATED - A PC tool that rebuilds ELF from decrypted modules' segments. To be used after using vitaDecrypt (never released).
A PS Vita homebrew that decrypts easily PS Vita user/kernel and games modules and can generate .ppk (compatibility pack for low FWs).
A PS Vita kernel plugin that allows more IO operations in userland. Fast, simpler, and efficient alternative to kuio (by @Rinnegatamante) (3x smaller). It allows elevated IO permissions of user applications and plugins using the original sceIo functions. This includes reading, writing, opening, and folder management within applications such as official games. It may also include getting stats, not sure.
Version 0.2 is much more inefficient, but supports decryption of files within devices that may open such as PFS devices. (WARNING THIS PLUGIN MAY BYPASS SAFE-MODE)
A PS Vita kernel plugin that dumps Non-Secure World (NS kernel + userland) memory using RAM physical range: from 0x40200000 to 0x5FD00000.
See wiki for more information on PS Vita's physical memory: https://wiki.henkaku.xyz/vita/Physical_Memory.
The output dump stored in ur0:dump/physmem-dump.bin is aimed to be loaded in IDA PRO using https://github.com/xyzz/vita-ida-physdump.
A PC program that can use the PS Vita error_table.bin to translate error codes.
A PC program that extracts kernel modules ELF files from bootimage.elf or PSPemu flash files from pcff.elf.
A PC program that extracts embedded secure kernel modules ELF and Kernel Boot Loader (Non-secure) files from kernel_boot_loader.elf.
A PC program that extracts the functions NIDs-names table from syslibtrace.elf to stdout.
A PC program that extracts ARZL compressed file.
A PS Vita fSELF to run on any activated TestKit/DevKit running FW <=3.67 in order to dump its kernel!
Confirmed working between 3.50 and 3.67. Will need some changes for lower FWs (sceMotionDevGetEvaInfo is only on FW >= 3.50).
Credits: TheFloW for the kernel exploits, CelesteBlue for the many improvements, Mathieulh and LemonHaze for SceNgsUser code.
A PC program that finds and extracts segment 0 of a kernel module from a continous kernel memory dump. It outputs a .elf that can be used for RE (see vitadecompiler), for extracting NIDs (see nids-extract). It is to be used in conjunction with Kdumper on PS Vita side.
Some lists of functions names / NIDs / libraries / modules to be used with vitadump IDA plugin, vitaldr IDA plugin, VitaDecompilerMod or prxtool for PS Vita.
In the application you wish to log use:
ksceDebugPrintf, printf (when SceLibc is included such as in games), or sceClibPrintf
Note:
PSMUSBLog will try to end any other USB service, except the the one used in VitaShell for Usb Mass Storage(UMS) mounting. So this will naturally create incompatibilities with plugins such as vita-udcd-uvc.
When using UMS, the serial will be interrupted, however will auto-start up after the UMS service has ended.
The serial device will also be disconnected on reboot and will only restart until the plugin is re-initialized (usually right when Taihen launches)
Serial Monitoring Programs:
You may use any serial monitor program. However, because of the constant reconnecting, I'd recommend kiTTY. <http://www.9bis.net/kitty/#!pages/download.md>
This program allows easy auto reconnect (Connection > Attempt to reconnect on connection failure)
You may also want to enable newline mode: (Terminal > Implicit CR in every LF)
Finally, to find your COM number, look at the "Device Manager" in Windows. It will be under "Ports (COM & LPT)"
Why use PrincessLog over this:
If you are working with USB or are using a Linux dev enviroment (have not checked if Linux has drivers), you may still want to consider PrincessLog.
NetDbgLogPc.exe <port>
nc -kl -w 3 <port>
.
4.5. To use on Linux, cuevavirus has provided the following netcat command: nc -kl <port>
In the application you wish to log use:
ksceDebugPrintf, printf (when SceLibc is included such as in games), or sceClibPrintf
QAF Settings:
There is options to make more verbose logs used in QA. You can enable these in the manager app.
Note: While being much faster than ShipLog, if there is massive amounts of logs the logger may not be able to process them completely and will freeze (ex: taiHEN hexdump). This is unlikely in normal usage.
Each application must built individually with cmake.
When building the kernel plugin, use "make install" to automatically install the stubs. This must be done before building the manager app.
The PC app does not have a dependency on order.
ShipLog v2.0 is obsolete. Please use PrincessLog instead.
Dependencies: zlib, libyaml
Run: ./THGN binary <all/library_name/exports/imports> <kernel/user> db.yml <sys:1/0>
Options:
All: Every NID will be hooked. This will try to hook as an export at first, then attempt hook it as an import.
Library_name: Every NID of a library (such as “SceCtrl”) within the module specified will be hooked. This will try to hook as an export at first, then attempt hook it as an import.
Exports: Every export NID will be hooked.
Imports: Every import NID will be hooked.
Kernel: The generated code will work in kernel space.
User: The generated code will work in user space.
Sys: You may choose 1 or 0 to enable or disable syscall mode. You may omit this argument. Some functions will not log unless it enters syscall mode. If you do not see anything within your logs, you may try this option. Try not to use it.
Dependencies:
VitaDecompiler requires capstone (a disassembler) libraries and libyaml. (On Windows, capstone must be compiled from sources). Make sure you install the *.a and header files to the right directories.
Run: ./vitadecompiler binary db.yml
It will create 4 files:
<binary>.c (The decompiled code)
<binary>.nids.txt (A detailed list of imports and exports)
<binary>.yml (a db_lookup or exports in yml format)
<binary>.h (Prototypes/list of all functions in the source code.
Interpreting the output:
The top section is a printed NIDS table which gives the exports and imports of a module. This information will provide the offsets, virtual address, NID, library name, library NID, and the NID name (or generated name).
Each function has a virtual address and offset displayed next to it. This offset given (if not for a function that has a NID) maybe hooked with Taihen.
Most strings or values are accompanied by a s_text/s_data which gives you the original address. The address is then checked repeatedly until a non-address is found.
Put the module ELF and db.yml in the same folder as prxtool.exe.
The provided build is compatible with Windows. Simply open command line and:
Run: prxtool -n db.yml -w <module_name>.elf > <module_name>.S
The source code and building instructions are available on TheFloW's github repository:
https://github.com/TheOfficialFloW/prxtool
Run: ./vita-unmake-fself.exe input_fself
(you most likely will be able to drag-and-drop also)
The output will be produced in the same folder with .elf appended on to the end of the original file name.
Dependencies: zlib
make
Run: ./vita-elf-inject.exe input_fself input_elf
(you most likely will be able to drag-and-drop also)
1. Run FAGDec to obtain a SELF.
2. Use vita-unmake-fself to extract the elf from the self.
3. Make required modifications to the elf.
4. Use vita-elf-inject to inject this modified elf back into the self.
The original eboot will be replaced with the product of injection. Please make a backup to plan accordingly.
NOTE: The product will run, however it will have slight changes that differentiates it from a eboot made with the official make-fself.
Dependencies: zlib
make
Arguments: <mode> <input>
Modes:
-d Decode hex code to shortcode
-b Bruteforce hex code from shortcode
No arguments = interactive
In decode it simply looks up the shortcode for the provided hex code.
However, in bruteforce mode, it will try every hex code in the table until it finds a match which takes about 2 seconds.
PSVita-error-code-resolver -b C2-9779-2
would return 80102601 as this is the hex code for C2-9779-2.
Dependencies: none
make all
Install the .vpk on a PS Vita.
Left/Right switches panels. Holding down each key will expand that pane to fullscreen.
On the Modules list panel, you may hit "Circle" twice to delete a module. "Cross" cancels this action. You can hold down circle.
On a menu with special option that can be jumped to with a button, the button that executes this option is indicated to the right of that specifc option.
Decrypt to...:
SELF - These are verified against the original ELF and can be ran directly on the PS Vita. Big ELFs (50MB+) may have trouble verifying.
ELF - These are not verified to increase speed. The product must be make_fself'd on the computer or by another method. However, the sha256 is saved to be verified later if you wish.
1) Obtain the leaked SDK make_fself.exe (YOU CANNOT USE THE VITASDK VERSION).
2) Run: make_fself.exe -c -e <modulename>.elf <modulename>
3) Open self_auth.bin/<modulename>.auth and copy the first 8 bytes to offset 0x80 of the output SELF of make_fself.exe. These 8 bytes data is the program-authority-id.
NOTE: If you do not wish to use illegally obtained material or want a cross-platform solution, use vita-elf-inject
Just select the title from the screen, and select the modules you wish to be decrypted.
vs0/os0 - Drop the module into the vs0:/vs0_em or os0:/os0_em and it will decrypt as if it was the respective device.
app/patch (YOU DO NOT NEED ASSETS TO USE THIS MODE) - Drop the game module into ux0:/app_em/<titleid> or ux0:/patch_em/<TITLEID>. They must be in their respective folder. They also must be PFS decrypted.
NOTE: IN ORDER FOR A NPDRM GAME TO BE DECRYPTED, appropriate work.bin must be located at ux0:/app_em/<titleid>/sce_sys/package/work.bin. This applies to both patches and base games.
To reverse PS Vita OS, you need some dumps of the PS Vita modules. These dumps are either memory dumps (St4rk's vitadump) or decrypted SELF (vitaDecrypt).
Now you also have a ALL IN ONE solution: vDump. But in case you want to decrypt quickly a lot of SELFs, you will keep using vitaDecrypt.
vitaDecrypt outputs only compressed decrypted segments. But you have to decompress these segments, or better, convert to ELF file format. This is the aim of this tool.
The output .elf are valid for RE and they can also be rebuilded into SELF using vita-make-fself.
1) In os0-, ud0- and vs0-, place the REAL files of your PS Vita filesystem. 2) In ux0-/dump/, place the out folder that you got using vitadecrypt. 3) To rebuild ELF, on Windows run _RUNME.BAT. 4) After having rebuilded ELF, to rebuild SELF, on Windows run BATCH_MAKE_FSELF.BAT. 5) You can now use the ELFs in vitadecompiler, IDA, or radare2 or simply use an hexadecimal editor to look into them.
You can also hexedit as you want the ELFs then transform them into SELFs.
This is a kernel plugin and so it must be added to the taihen config.txt under the *KERNEL section. Once installed, you may use the standard sceIo functions such as sceIoOpen in user plugins and applications as normal.
Using PFS decryption on ioPlus 0.2: to use decryption, use the “iop-decrypt:” device.
Ex: to open app0:/Media/level0 ----> iop-decrypt:/Media/level0
NOTE: an opened device with the file decrypted must be currently opened in order for this to work.
mkdir build
cd build
cmake ..
make all
Put physmem_dumper.skprx in ur0:tai/. You have 3 ways to start this kernel module:
The output dump stored in ur0:dump/physmem-dump.bin is aimed to be loaded in IDA PRO using https://github.com/xyzz/vita-ida-physdump.
See README.md in the psp2-kernel-bootimage-extract folder.
Obtain kernel_boot_loader.elf file using sceutils.
Run:
./psp2-kbl-elf-extract kernel_boot_loader.elf
Then you can look in the current folder as it now embeds the extracted secure kernel modules ELF and Kernel Boot Loader (Non-secure) files.
Obtain syslibtrace.elf using sceutils.
Run:
./psp2-syslibtrace-nids-extract syslibtrace.elf > out.txt
Then you can look in the current folder that now embeds out.txt file with the extracted functions NIDs-names table.
Obtain a ARZL compressed file.
Run:
./unarzl arzl_compressed_file.bin output_file.bin
or simply:
./unarzl arzl_compressed_file.bin
Then you can look in the current folder that now embeds the extracted file.
Before compiling, you have to change IP address to the one of your PC in main.c. After compiling, install the application on an activated TestKit/DevKit running a System Software on version stricly lower than 3.68. On PC listen TCP on port 9023. Run the PS Vita application. Follow the instructions on screen. The kernel dump is sent to PC through socket.
Obtain a kernel dump from Kdumper. Be sure that the vaddr of SceSysmem seg0 is at offset 0x0 of the kdump. Kdumper will write it to the file, but you must remove preceeding information.
Run:
./kdump_extract kdump.bin
zecoxao, xerpi, Team_molecule (yifanlu, Davee, Proxima, xyz), Hykem, St4rk, mr.gas, MajorTom, TheFloW, Rinnegatamante, cpasjuste, Freakler, sys (yasen), Nkekev, SilicaAndPina, motoharu, mathieulh, aerosoul, SKGleba, frangarcj, velocity, der0ad (wargio), SKFU, Vita3K, devnoname120, LemonHaze, SocraticBliss, PrincessOfSleeping, Sorvigolova, 173210, qwikrazor87, ColdBird