CCAPI: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(Added more infos on ccapi and some theoretical code to call CCAPI syscalls. (Not verified to work, see it as example code.))
Line 266: Line 266:
https//pastebin.com/RqnvPZ0j
https//pastebin.com/RqnvPZ0j


== Use CCAPI Syscall from sprx ==
The codes below are not verified to work (well, jo-milks approach isn't complete), these are just example codes for you,
so you can get a theoretical understanding, on how you could call a CCAPI Syscall.
 
== Use CCAPI Syscall from SPRX (Jo-Milks Approach) ==


CCAPI uses a unique PPC instruction that it implemented it. I named it "ccsc" as it works similarly to "sc" the syscall instruction in PPC. Here is the HEX value that represents "ccsc".
CCAPI uses a unique PPC instruction that it implemented it. I named it "ccsc" as it works similarly to "sc" the syscall instruction in PPC. Here is the HEX value that represents "ccsc".
Line 283: Line 286:
} </code>
} </code>


== Use CCAPI Syscall from SPRX (PHTNC Approach) ==
<code>#define CCAPICall uint64_t __attribute__((naked))</code>
<code>static CCAPICall WriteProcessMemory(uint32_t pid, void* address, size_t size, const void* buffer)<br>
{<br>
register uint64_t p1 __asm__ ("3") = 0x123;<br>
register uint64_t p2 __asm__ ("4") = (uint64_t)pid;<br>
register uint64_t p3 __asm__ ("5") = address;<br>
register uint64_t p4 __asm__ ("6") = (uint64_t)buffer;<br>
register uint64_t p5 __asm__ ("7") = (uint64_t)size;<br>
register uint64_t p6 __asm__ ("8");<br>             
register uint64_t p7 __asm__ ("9");<br>                                       
register uint64_t p8 __asm__ ("10");<br>
register uint64_t p9 __asm__ ("11");<br>
__asm__ volatile (0xEF455314<br>                                                   
: "=r" (p1), "=r" (p2), "=r" (p3), "=r" (p4),<br>
"=r" (p5), "=r" (p6), "=r" (p7), "=r" (p8), "=r" (n)<br> 
: "r" (p1), "r" (p2), "r" (p3), "r" (p4),<br>
"r" (p5), "r" (n)<br>                                     
: "0", "12", "lr", "ctr", "xer", "cr0", "cr1", "cr5", "cr6", "cr7", "memory");<br>
return (int)p1;<br>
}<br>
</code>


R3 or the first argument will be the value of the Command ID that will be processed by a kernel in a function implemented by CCAPI.
R3 or the first argument will be the value of the Command ID that will be processed by a kernel in a function implemented by CCAPI.<br>
CCAPI Syscalls do not seem use R11 to provide a syscall number like LV2 syscalls do. Not every function of CCAPI is called through its<br>
own environment. CCAPI makes a lot of use of regular LV2 Syscalls like RingBuzzer, Shutdown, or ControlLED. It only makes use of its own<br>
environment, when these LV2 functions are not available for all environments. (WriteProcessMemory, ReadProcessMemory in CEX for example.)<br>
We cannot say how exactly CCAPI initializes itself and its environment, however, I (PHTNC) believe, that CCAPI probably takes a similar approach like Mamba.<br>
Right now, I cannot say, which system file(s) CCAPI does modify to load itself. Mamba for example loads itself from a modified sys_init_osd.self file.<br>
Cobra loads itself from lv2kernel.self.<br>


{| class="wikitable sortable"
{| class="wikitable sortable"

Revision as of 15:53, 22 September 2021

Intro

ControlConsoleAPI is an API for PS3 and PC similar to TMAPI on DEX console, But this one "CCAPI" works for CEX and DEX.

External Sources:

 http://frenchmoddingteam.com/shop/application/20-control-console-api-2-60-rev2-rte-cex-dex (Official)
 http://consolecrunch.com/threads/control-console-api-ccapi-v2-60-released.9055/
 http://www.nextgenupdate.com/forums/ps3-cheats-customization/693857-update-controlconsoleapi-2-50-ccapi-37.html
 http://www.nextgenupdate.com/forums/ps3-cheats-customization/701574-tutorial-how-rtm-ccapi-cex-dex.html
 http://psx-scene.com/forums/content/controllconsoleapi-v2-50-adds-4-53-4-55-cfw-support-4350/


  • Features:
    • Compatible CEX/DEX/SEX/(TOOL ?)
    • Debug non-fself & fself in real time (vsh.self for example can be debugged in rte, or any game with non debug eboot)
    • Debug kernel in real time(lv2_kernel.self and lv1.self)
  • Classic functions (RTE on CEX + DEX):
    • getProcessMemory
    • setProcessMemory
    • shutdown/reboot
    • work with Wireless connection
    • bypass exec pages writing restriction
    • bypass lv2 memory protection
  • new functionalities like:
    • peek/poke lv1 and lv2
    • setConsoleID at anytime/anywhere
    • setConsoleLed
    • ringBuzzer
    • getTemperature
    • VSH module loading
    • notify
  • Supported Firmware:
    • CFW 4.21,4.30,4.40,4.41,4.46,4.50, 4.53, 4.55, 4.60, 4.65 CEX or DEX (+ 4.66CEX)


  • How to install CCAPI:
    Just download and run this pkg on your ps3.
    It will tell you to reboot, and it's done. You only need to do this once.
  • How to uninstall CCAPI
    Just run again the pkg.
  • Is it risky
    In the worst case, you could need to reinstall your firmware.


VSH module loading:
create a plugins directory and put all your sprx plugins into it.
/dev_usb000/plugins
/dev_usb000/plugins/prx_name1.sprx
/dev_usb000/plugins/prx_name2.sprx

All of the sprx that are present in this folder, will be loaded at ps3 boot.

Important:
If some games refuse to work, just don't use plugins, delete plugins folder from /dev_usb000

Changelog 2.80
(rev7) Added 4.86 CEX support
(rev6) Added 4.85 CEX support
(rev5) Added 4.84 DEX support
(rev5) Added 4.84 CEX support
(rev4) Added 4.83 CEX support
(rev3) Added 4.82 DEX support
(rev2) Reduced memory use
Added ps3 TOOL support (with DEX/CEX kernel only)
Added console finder into consolemanager
Added vsh menu
Added 4.82 CEX support
2.70
(rev6) Added 4.81 DEX support
(rev5) Added 4.81 CEX support
(rev4) Added 4.80 DEX support
(rev4) Added 4.80 CEX support
(rev3) Added 4.78 DEX support
(rev2) Added 4.78 CEX support
(rev2) Added 4.76 DEX support
Added other platform support
Optimized network bitrate
2.60
(rev7) Added 4.76 CEX support
(rev6) Added 4.75 DEX support
(rev5) Added 4.75 CEX support
(rev4) Added 4.70 DEX support
(rev3) Added 4.70 CEX support
(rev2) Added 4.66 CEX support
Added 4.60/4.65 support
Added Cobra support
Added SetBootPsid/SetBootIdps/SetPsid
2.50
Added 4.53/4.55 support
Added a console list
2.00
Reduced memory use
DLL (C++ / C#) released to build programs for ccapi
1.00
Original version

CCAPI 2.00-2.50

You may find information in PrimeTime00 alt source about older encryption used on the tcp packets sent to ccapi v2.00-2.50

CCAPI PrimeTime00 alt source

https//pastebin.com/x12kqNaQ

https//pastebin.com/G9hx9pch

CCAPI 2.60

Installation

When installing, CCAPI (the ps3 application) creates a config file (/dev_flash/sys/internal/config.cfg) in which some data, depending on the console, is stored. This file has a size of 240 (0xF0) bytes.

  • Example from fw 4.46 dex:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  04 04 60 00 D4 6F F4 09 80 00 00 00 00 36 6B D0  ..`.Ôoô.€....6kÐ
00000010  80 00 00 00 00 07 22 5C 80 00 00 00 00 08 F9 98  €....."\€.....ù˜
00000020  80 00 00 00 00 06 68 90 80 00 00 00 00 01 00 C0  €.....h.€......À
00000030  80 00 00 00 00 29 E7 5C 80 00 00 00 00 06 6C CC  €....)ç\€.....lÌ
00000040  80 00 00 00 00 01 1F C0 80 00 00 00 00 29 E8 E8  €......À€....)èè
00000050  80 00 00 00 00 00 FE A4 E9 22 AA 78 00 01 C3 38  €.....þ¤é"ªx..Ã8
00000060  80 00 00 00 00 01 1A BC 80 00 00 00 00 01 1B 34  €......¼€......4
00000070  80 00 00 00 00 08 F9 D4 80 00 00 00 00 37 CF E8  €.....ùÔ€....7Ïè
00000080  80 00 00 00 00 3F A8 B0 80 00 00 00 00 49 6F 3C  €....?¨°€....Io<
00000090  80 00 00 00 00 4C 99 8C 00 00 00 00 00 00 00 00  €....L™Œ........
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  00 00 00 00 00 00 00 03 00 00 00 00 00 61 D5 E8  .............aÕè
000000E0  00 00 00 00 00 61 DB F4 00 00 00 00 00 04 41 64  .....aÛô......Ad
Usage Offset Size Value Notes Used in
- 0x00 0x04 04 04 60 00 Firmware: 4.46 -
- 0x04 0x04 D4 6F F4 09 Console type ? (DEX/CEX) -
- 0x08 0x08 80 00 00 00 00 36 6B D0 Address of the lv2 toc (stored at 0x8000000000003000 in lv2) -
- 0x10 0x08 80 00 00 00 00 07 22 5C A subroutine inside lv2(extend_kstack(), fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x18 0x08 80 00 00 00 00 08 F9 98 A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x20 0x08 80 00 00 00 00 06 68 90 A subroutine inside lv2(alloc(), fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x28 0x08 80 00 00 00 00 01 00 C0 A subroutine inside lv2(copy_from_user(), fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x30 0x08 80 00 00 00 00 29 E7 5C A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x38 0x08 80 00 00 00 00 06 6C CC A subroutine inside lv2(dealloc(), fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x40 0x08 80 00 00 00 00 01 1F C0 A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x48 0x08 80 00 00 00 00 29 E8 E8 A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x50 0x08 80 00 00 00 00 00 FE A4 A subroutine inside lv2(copy_to_user(), fixed branch to enable syscall 200/201 read and write) ccapi.sprx
- 0x58 0x04 E9 22 AA 78 - -
- 0x5C 0x04 00 01 C3 38 - -
- 0x60 0x08 80 00 00 00 00 01 1A BC A subroutine inside lv2 -
- 0x68 0x08 80 00 00 00 00 01 1B 34 A subroutine inside lv2 -
Allow sys_dbg syscalls 0x70 0x08 80 00 00 00 00 08 F9 D4 Ccapi edits the branch at that address to modify the code flow ccapi.sprx
Get SysTable from pc dll 0x78 0x08 80 00 00 00 00 37 CF E8 Address of the syscall table ccapi.sprx
Set ConsoleID 0x80 0x08 80 00 00 00 00 3F A8 B0 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0x88 0x08 80 00 00 00 00 49 6F 3C Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0x90 0x08 80 00 00 00 00 4C 99 8C Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0x98 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xA0 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xA8 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xB0 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xB8 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xC0 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xC8 0x08 00 00 00 00 00 00 00 00 Address of one of the console IDs in lv2 ccapi.sprx
Set ConsoleID 0xD0 0x08 00 00 00 00 00 00 00 03 Console ID count ccapi.sprx
- 0xD8 0x08 00 00 00 00 00 61 D5 E8 Address of sys_prx_load_module in vsh -
- 0xE0 0x08 00 00 00 00 00 61 DB F4 Address of sys_prx_start_module in vsh -
- 0xE8 0x08 00 00 00 00 00 04 41 64 - -

Commands

When calling a ccapi function, a packet containing a command id is sent to the ps3. The ps3 then analyzes the packet and makes a switch on the command id.

Command ID Action Prototype(s)
1 SetConsoleID int32_t SetConsoleID(uint8_t *cid)
2 ReadProcessMemory int32_t ReadProcessMemory(sys_pid_t pid, uint64_t address, void *data, size_t size)
3 WriteProcessMemory int32_t WriteProcessMemory(sys_pid_t pid, uint64_t address, const void *data, size_t size)
4 Unknown
5 GetProcessInfo int32_t GetProcessInfo(sys_pid_t pid, sys_process_info_t *info)
6 GetTemperature int32_t GetTemperature(int32_t type, uint32_t *temperature)
7 ControlLed int32_t ControlLed(int32_t ledColor, int32_t ledAction)
8 GetLv2Memory int32_t GetLv2Memory(uint64_t address, size_t num, uint8_t *buffer)
9 SetLv2Memory int32_t SetLv2Memory(uint64_t address, int32_t size, const uint8_t *data)
10 GetLv1Memory int32_t GetLv1Memory(uint64_t address, size_t size, uint8_t *buffer)
11 SetLv1Memory int32_t SetLv1Memory(uint64_t address, size_t size, const uint8_t *data)
12 GetFirmwareInfo int32_t GetFirmware(); int32_t GetCcapiVersion(); int32_t GetConsoleType(uint64_t *type)
13 RingBuzzer int32_t RingBuzzer(int32_t mode)
14 Unknown
15 Shutdown int32_t Shutdown(int32_t mode)
16 Notify int32_t Notify(int32_t texture, const wchar_t *text)

CCAPI 2.70 - 2.80 rev5

Location of ccapi.sprx

ccapi.sprx is renamed to sys_audio.sprx and is located to /dev_flash/sys/internal/sys_audio.sprx


Packets and http Requests


Port:6333
Communication: HTTP

Port:1979 PS3
Communication: TCP/UDP

static int connect_to_CAPPI(void)
{
struct sockaddr_in sin;
int s;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = 0x7F000001; //127.0.0.1 (localhost)
sin.sin_port = htons(6333);
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
{
return -1;
}
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
return -1;
}
return s;
}

void DoNotify(char *szFormat,int id = 0)
{
char _notify_buffer[512];
snprintf(_notify_buffer, 512, "/ccapi/notify?id=%i&msg=%s",id,szFormat);
send_CCAPI_request(_notify_buffer);
}

void ShutDownPS3()
{
char _notify_buffer[512];
snprintf(_notify_buffer, 512, "/ccapi/shutdown?mode=1");
send_CCAPI_request(_notify_buffer);
}

void RestartPS3()
{
char _notify_buffer[512];
snprintf(_notify_buffer, 512, "/ccapi/shutdown?mode=2");
send_CCAPI_request(_notify_buffer);
}

void Buzzer(int snd = 1)
{
char _notify_buffer[512];
snprintf(_notify_buffer, 512, "/ccapi/ringbuzzer?type=%i",snd);
send_CCAPI_request(_notify_buffer);
}

Source : CCAPI && Webman Http requests for sprx - Jo-Milk https//pastebin.com/RqnvPZ0j

The codes below are not verified to work (well, jo-milks approach isn't complete), these are just example codes for you, so you can get a theoretical understanding, on how you could call a CCAPI Syscall.

Use CCAPI Syscall from SPRX (Jo-Milks Approach)

CCAPI uses a unique PPC instruction that it implemented it. I named it "ccsc" as it works similarly to "sc" the syscall instruction in PPC. Here is the HEX value that represents "ccsc".

"ccsc" = 0xEF455314

#define CcxCall uint64_t __attribute__((naked))

static CcxCall CCAPIWriteProcessMemory(int command_id,sys_pid_t pid, void* destination, const void* source, size_t size)
{
__asm__(
/*"li %r3, 0x123;" R3 is your command_id write */
"sc;" /*You must replace this 4 byte instruction by 0xEF455314*/
"blr;"
);
}

Use CCAPI Syscall from SPRX (PHTNC Approach)

#define CCAPICall uint64_t __attribute__((naked))

static CCAPICall WriteProcessMemory(uint32_t pid, void* address, size_t size, const void* buffer)
{
register uint64_t p1 __asm__ ("3") = 0x123;
register uint64_t p2 __asm__ ("4") = (uint64_t)pid;
register uint64_t p3 __asm__ ("5") = address;
register uint64_t p4 __asm__ ("6") = (uint64_t)buffer;
register uint64_t p5 __asm__ ("7") = (uint64_t)size;
register uint64_t p6 __asm__ ("8");
register uint64_t p7 __asm__ ("9");
register uint64_t p8 __asm__ ("10");
register uint64_t p9 __asm__ ("11");

__asm__ volatile (0xEF455314
: "=r" (p1), "=r" (p2), "=r" (p3), "=r" (p4),
"=r" (p5), "=r" (p6), "=r" (p7), "=r" (p8), "=r" (n)
: "r" (p1), "r" (p2), "r" (p3), "r" (p4),
"r" (p5), "r" (n)
: "0", "12", "lr", "ctr", "xer", "cr0", "cr1", "cr5", "cr6", "cr7", "memory");

return (int)p1;
}

R3 or the first argument will be the value of the Command ID that will be processed by a kernel in a function implemented by CCAPI.
CCAPI Syscalls do not seem use R11 to provide a syscall number like LV2 syscalls do. Not every function of CCAPI is called through its
own environment. CCAPI makes a lot of use of regular LV2 Syscalls like RingBuzzer, Shutdown, or ControlLED. It only makes use of its own
environment, when these LV2 functions are not available for all environments. (WriteProcessMemory, ReadProcessMemory in CEX for example.)
We cannot say how exactly CCAPI initializes itself and its environment, however, I (PHTNC) believe, that CCAPI probably takes a similar approach like Mamba.
Right now, I cannot say, which system file(s) CCAPI does modify to load itself. Mamba for example loads itself from a modified sys_init_osd.self file.
Cobra loads itself from lv2kernel.self.

Command ID Description Arguments
0x241 Enable CCAPI Syscalls int32_t unk()
0x785 CCAPI Read ProcessMemory int32_t CCAPIReadProcessMemory(int command_id, sys_pid_t pid, void* destination, void* source, size_t size)
0x123 CCAPI Write ProcessMemory int32_t CCAPIWriteProcessMemory(int command_id,sys_pid_t pid, void* destination, const void* source, size_t size)
0x357 CCAPI Create Process Thread int32_t CCAPICreateProcessThread(int command_id,sys_pid_t pid, thread_t* thread, void* entry, uint64_t arg, int prio, size_t stacksize, const char* threadname)
0x977 CCAPI Allocate Page int32_t CCAPIAllocatePage(int command_id,sys_pid_t pid, uint64_t size, uint64_t page_size, uint64_t flags, uint64_t is_executable, uint64_t* kernel_page_adr, uint64_t* game_page_adr)

Reference for this info : offset 0x448 ccapi.prx in ccapi 2.80 rev5 this is the function called to use ccsc(command id, ... );