CCAPI
ControlConsoleAPI (CCAPI) is an API for PS3 and PC, similar to TMAPI on DEX consoles, except that CCAPI works on both CEX and DEX.
External Sources:
- http://frenchmoddingteam.com/shop/application/20-control-console-api-2-60-rev2-rte-cex-dex (Official)
- http://consolecrunch.com/threads/control-console-api-ccapi-v2-60-released.9055/
- http://www.nextgenupdate.com/forums/ps3-cheats-customization/693857-update-controlconsoleapi-2-50-ccapi-37.html
- http://www.nextgenupdate.com/forums/ps3-cheats-customization/701574-tutorial-how-rtm-ccapi-cex-dex.html
- http://psx-scene.com/forums/content/controllconsoleapi-v2-50-adds-4-53-4-55-cfw-support-4350/
- Features:
  - Compatible CEX/DEX/SEX/(TOOL ?)
  - Debug non-fself & fself in real time (vsh.self for example can be debugged in rte, or any game with non debug eboot)
  - Debug kernel in real time (lv2_kernel.self and lv1.self)
  - Classic functions (RTE on CEX + DEX):
    - getProcessMemory
    - setProcessMemory
    - shutdown/reboot
    - work with Wireless connection
    - bypass exec pages writing restriction
    - bypass lv2 memory protection
  - New functionalities like:
    - peek/poke lv1 and lv2
    - setConsoleID at anytime/anywhere
    - setConsoleLed
    - ringBuzzer
    - getTemperature
    - VSH module loading
    - notify
- Supported Firmware:
  - CFW 4.21, 4.30, 4.40, 4.41, 4.46, 4.50, 4.53, 4.55, 4.60, 4.65 CEX or DEX (+ 4.66 CEX)
- How to install CCAPI:
Just download and run this pkg on your ps3.
It will tell you to reboot, and it's done. You only need to do this once.
- How to uninstall CCAPI:
Just run the pkg again.
- Is it risky?
In the worst case, you may need to reinstall your firmware.
VSH module loading:
Create a plugins directory and put all your sprx plugins into it.
/dev_usb000/plugins
/dev_usb000/plugins/prx_name1.sprx
/dev_usb000/plugins/prx_name2.sprx
All of the sprx files present in this folder will be loaded at ps3 boot.
Important:
If some games refuse to work, just don't use plugins: delete the plugins folder from /dev_usb000.
- 2.50
- http://www.mediafire.com/download/1xjkdzl77gz4meq/CcApi_package_2.50.rar
- 2.60
- http://www.mediafire.com/download/fz4leo4iov9ut4z/CcApi_package_2.60_Rev2.rar
CCAPI 2.60
Installation
When installing, CCAPI (the ps3 application) creates a config file (/dev_flash/sys/internal/config.cfg) in which some data, depending on the console, is stored. This file has a size of 240 (0xF0) bytes.
- Example from fw 4.46 dex:
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  04 04 60 00 D4 6F F4 09 80 00 00 00 00 36 6B D0  ..`.Ôoô.€....6kÐ
00000010  80 00 00 00 00 07 22 5C 80 00 00 00 00 08 F9 98  €....."\€.....ù˜
00000020  80 00 00 00 00 06 68 90 80 00 00 00 00 01 00 C0  €.....h.€......À
00000030  80 00 00 00 00 29 E7 5C 80 00 00 00 00 06 6C CC  €....)ç\€.....lÌ
00000040  80 00 00 00 00 01 1F C0 80 00 00 00 00 29 E8 E8  €......À€....)èè
00000050  80 00 00 00 00 00 FE A4 E9 22 AA 78 00 01 C3 38  €.....þ¤é"ªx..Ã8
00000060  80 00 00 00 00 01 1A BC 80 00 00 00 00 01 1B 34  €......¼€......4
00000070  80 00 00 00 00 08 F9 D4 80 00 00 00 00 37 CF E8  €.....ùÔ€....7Ïè
00000080  80 00 00 00 00 3F A8 B0 80 00 00 00 00 49 6F 3C  €....?¨°€....Io<
00000090  80 00 00 00 00 4C 99 8C 00 00 00 00 00 00 00 00  €....L™Œ........
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  00 00 00 00 00 00 00 03 00 00 00 00 00 61 D5 E8  .............aÕè
000000E0  00 00 00 00 00 61 DB F4 00 00 00 00 00 04 41 64  .....aÛô......Ad
```
Usage | Offset | Size | Value | Notes | Used in |
---|---|---|---|---|---|
- | 0x00 | 0x04 | 04 04 60 00 | Firmware: 4.46 | - |
- | 0x04 | 0x04 | D4 6F F4 09 | Console type ? (DEX/CEX) | - |
- | 0x08 | 0x08 | 80 00 00 00 00 36 6B D0 | Address of the lv2 toc (stored at 0x8000000000003000 in lv2) | - |
- | 0x10 | 0x08 | 80 00 00 00 00 07 22 5C | A subroutine inside lv2(extend_kstack(), fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x18 | 0x08 | 80 00 00 00 00 08 F9 98 | A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x20 | 0x08 | 80 00 00 00 00 06 68 90 | A subroutine inside lv2(alloc(), fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x28 | 0x08 | 80 00 00 00 00 01 00 C0 | A subroutine inside lv2(copy_from_user(), fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x30 | 0x08 | 80 00 00 00 00 29 E7 5C | A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x38 | 0x08 | 80 00 00 00 00 06 6C CC | A subroutine inside lv2(dealloc(), fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x40 | 0x08 | 80 00 00 00 00 01 1F C0 | A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x48 | 0x08 | 80 00 00 00 00 29 E8 E8 | A subroutine inside lv2(fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x50 | 0x08 | 80 00 00 00 00 00 FE A4 | A subroutine inside lv2(copy_to_user(), fixed branch to enable syscall 200/201 read and write) | ccapi.sprx |
- | 0x58 | 0x04 | E9 22 AA 78 | - | - |
- | 0x5C | 0x04 | 00 01 C3 38 | - | - |
- | 0x60 | 0x08 | 80 00 00 00 00 01 1A BC | A subroutine inside lv2 | - |
- | 0x68 | 0x08 | 80 00 00 00 00 01 1B 34 | A subroutine inside lv2 | - |
Allow sys_dbg syscalls | 0x70 | 0x08 | 80 00 00 00 00 08 F9 D4 | Ccapi edits the branch at that address to modify the code flow | ccapi.sprx |
Get SysTable from pc dll | 0x78 | 0x08 | 80 00 00 00 00 37 CF E8 | Address of the syscall table | ccapi.sprx |
Set ConsoleID | 0x80 | 0x08 | 80 00 00 00 00 3F A8 B0 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0x88 | 0x08 | 80 00 00 00 00 49 6F 3C | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0x90 | 0x08 | 80 00 00 00 00 4C 99 8C | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0x98 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xA0 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xA8 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xB0 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xB8 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xC0 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xC8 | 0x08 | 00 00 00 00 00 00 00 00 | Address of one of the console IDs in lv2 | ccapi.sprx |
Set ConsoleID | 0xD0 | 0x08 | 00 00 00 00 00 00 00 03 | Console ID count | ccapi.sprx |
- | 0xD8 | 0x08 | 00 00 00 00 00 61 D5 E8 | Address of sys_prx_load_module in vsh | - |
- | 0xE0 | 0x08 | 00 00 00 00 00 61 DB F4 | Address of sys_prx_start_module in vsh | - |
- | 0xE8 | 0x08 | 00 00 00 00 00 04 41 64 | - | - |
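
A parser for the config.cfg layout in the table above, as an added example (not CCAPI's code and not from the wiki's author). The sample bytes are the fw 4.46 DEX dump shown on this page; the field names and the two consistency checks (console ID count equals the number of non-zero slots, lv2 addresses have the top bit set) are assumptions drawn from that single sample.

```python
# Added example: decode the 0xF0-byte config.cfg (rows taken from the dump above).
HEAD = """
04046000D46FF409 8000000000366BD0
800000000007225C 800000000008F998
8000000000066890 80000000000100C0
800000000029E75C 8000000000066CCC
8000000000011FC0 800000000029E8E8
800000000000FEA4 E922AA780001C338
8000000000011ABC 8000000000011B34
800000000008F9D4 800000000037CFE8
80000000003FA8B0 8000000000496F3C
80000000004C998C 0000000000000000
"""
TAIL = """
0000000000000003 000000000061D5E8
000000000061DBF4 0000000000044164
"""
SAMPLE = bytes.fromhex(HEAD) + bytes(0x30) + bytes.fromhex(TAIL)  # 0xA0-0xCF are zero

# Field names are this example's own labels for the table's Notes column.
NAMED = {0x08: "lv2_toc", 0x70: "sys_dbg_branch", 0x78: "syscall_table",
         0xD8: "vsh_sys_prx_load_module", 0xE0: "vsh_sys_prx_start_module"}
LV2_SUBS = [*range(0x10, 0x58, 8), 0x60, 0x68]   # "A subroutine inside lv2" rows
CID_SLOTS = range(0x80, 0xD0, 8)                 # ten console ID address slots

def parse_config(blob):
    """Return the decoded fields plus a list of consistency warnings."""
    if len(blob) != 0xF0:
        raise ValueError(f"config.cfg must be 0xF0 bytes, got {len(blob):#x}")
    u64 = lambda off: int.from_bytes(blob[off:off + 8], "big")
    cfg = {name: u64(off) for off, name in NAMED.items()}
    cfg["firmware_raw"] = blob[0:4].hex()          # left undecoded on purpose
    cfg["lv2_subroutines"] = [u64(off) for off in LV2_SUBS]
    cfg["console_id_addrs"] = [a for a in map(u64, CID_SLOTS) if a]
    cfg["console_id_count"] = u64(0xD0)
    warnings = []
    # Assumption from the sample: the count equals the number of non-zero slots.
    if cfg["console_id_count"] != len(cfg["console_id_addrs"]):
        warnings.append("console ID count does not match populated slots")
    # Assumption from the sample: every lv2 address has the top bit set.
    lv2 = [cfg["lv2_toc"], cfg["sys_dbg_branch"], cfg["syscall_table"],
           *cfg["lv2_subroutines"], *cfg["console_id_addrs"]]
    if any(a >> 63 != 1 for a in lv2):
        warnings.append("lv2 address without the 0x8000000000000000 base")
    cfg["warnings"] = warnings
    return cfg

if __name__ == "__main__":
    print(parse_config(SAMPLE))
```

A file that produces warnings here may come from a different CCAPI version or have been edited after installation; the checks describe the one sample on this page, not a specification.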
Commands
When calling a ccapi function, a packet containing a command id is sent to the ps3. The ps3 then analyzes the packet and makes a switch on the command id.
Command ID | Action | Prototype(s) |
---|---|---|
1 | SetConsoleID | int32_t SetConsoleID(uint8_t *cid) |
2 | ReadProcessMemory | int32_t ReadProcessMemory(sys_pid_t pid, uint64_t address, void *data, size_t size) |
3 | WriteProcessMemory | int32_t WriteProcessMemory(sys_pid_t pid, uint64_t address, const void *data, size_t size) |
4 | Unknown | |
5 | GetProcessInfo | int32_t GetProcessInfo(sys_pid_t pid, sys_process_info_t *info) |
6 | GetTemperature | int32_t GetTemperature(int32_t type, uint32_t *temperature) |
7 | ControlLed | int32_t ControlLed(int32_t ledColor, int32_t ledAction) |
8 | GetLv2Memory | int32_t GetLv2Memory(uint64_t address, size_t num, uint8_t *buffer) |
9 | SetLv2Memory | int32_t SetLv2Memory(uint64_t address, int32_t size, const uint8_t *data) |
10 | GetLv1Memory | int32_t GetLv1Memory(uint64_t address, size_t size, uint8_t *buffer) |
11 | SetLv1Memory | int32_t SetLv1Memory(uint64_t address, size_t size, const uint8_t *data) |
12 | GetFirmwareInfo | int32_t GetFirmware(); int32_t GetCcapiVersion(); int32_t GetConsoleType(uint64_t *type) |
13 | RingBuzzer | int32_t RingBuzzer(int32_t mode) |
14 | Unknown | |
15 | Shutdown | int32_t Shutdown(int32_t mode) |
16 | Notify | int32_t Notify(int32_t texture, const wchar_t *text) |
CCAPI 2.70 - 2.80 rev5
Location of ccapi.sprx
ccapi.sprx is renamed to sys_audio.sprx and is located at /dev_flash/sys/internal/sys_audio.sprx
Ports used by CCAPI
- Port: 80, Communication: HTTP
- Port: 1979, PS3 Communication: TCP/UDP
CCAPI uses a unique PPC instruction that it implements itself. I named it "ccsc" because it works similarly to "sc", the syscall instruction in PPC. Here is the hex value that represents "ccsc":
"ccsc" = 0xEF455314
```c
#include <stdint.h>
#include <stddef.h>
/* sys_pid_t comes from the PS3 SDK headers. */

#define CcxCall uint64_t __attribute__((naked))

static CcxCall CCAPIWriteProcessMemory(int command_id, sys_pid_t pid, void* destination, const void* source, size_t size)
{
    __asm__(
        /* "li %r3, 0x123;"  R3 is your command_id (write) */
        "sc;"  /* You must replace this 4 byte instruction by 0xEF455314 */
        "blr;"
    );
}
```
R3, the first argument, holds the Command ID, which is processed in the kernel by a function implemented by CCAPI.
Command ID | Description | Arguments |
---|---|---|
0x241 | Enable CCAPI Syscalls | int32_t unk() |
0x785 | CCAPIReadProcessMemory | int32_t CCAPIReadProcessMemory(int command_id, sys_pid_t pid, void* destination, void* source, size_t size) |
0x123 | CCAPIWriteProcessMemory | int32_t CCAPIWriteProcessMemory(int command_id,sys_pid_t pid, void* destination, const void* source, size_t size) |
0x357 | CCAPICreateProcessThread | int32_t CCAPICreateProcessThread(int command_id,sys_pid_t pid, thread_t* thread, void* entry, uint64_t arg, int prio, size_t stacksize, const char* threadname) |
0x977 | CCAPIAllocatePage | int32_t CCAPIAllocatePage(int command_id,sys_pid_t pid, uint64_t size, uint64_t page_size, uint64_t flags, uint64_t is_executable, uint64_t* kernel_page_adr, uint64_t* game_page_adr) |
Reference for this info: the function at offset 0x448 of ccapi.prx in CCAPI 2.80 rev5 is the one called to use ccsc(command id, ...).
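
A static check that flags the "ccsc" word in decrypted big-endian PowerPC code and tries to name the command from the table above, as an added example (not code from CCAPI or from the wiki's author). The look-back for `li r3, imm16` is a heuristic chosen for this example, the buffer is assumed to start on an instruction boundary, and the sample code bytes are constructed.

```python
import struct

CCSC = 0xEF455314   # "ccsc" value given on the page
BLR = 0x4E800020    # PowerPC "blr" (function return)
LI_R3 = 0x3860      # upper 16 bits of "li r3, imm16" (addi r3, 0, imm16)
COMMANDS = {        # command IDs from the table above
    0x241: "Enable CCAPI Syscalls",
    0x785: "CCAPIReadProcessMemory",
    0x123: "CCAPIWriteProcessMemory",
    0x357: "CCAPICreateProcessThread",
    0x977: "CCAPIAllocatePage",
}

def find_ccsc(code, lookback=4):
    """Return [(byte_offset, command_id or None, name)] for each ccsc word."""
    n = len(code) // 4
    words = struct.unpack(f">{n}I", code[:n * 4])
    hits = []
    for i, word in enumerate(words):
        if word != CCSC:
            continue
        cmd = None
        # Walk back a few instructions looking for the load of r3.
        for j in range(i - 1, max(i - 1 - lookback, -1), -1):
            if words[j] == BLR:        # reached the previous function
                break
            if words[j] >> 16 == LI_R3:
                cmd = words[j] & 0xFFFF
                break
        hits.append((i * 4, cmd, COMMANDS.get(cmd, "unknown")))
    return hits

# Constructed sample: li r3,0x123 / ccsc / blr, then a wrapper that takes the
# command ID from its caller, then li r3,0x785 / nop / ccsc / blr, then a plain sc.
SAMPLE_CODE = struct.pack(">10I", 0x38600123, CCSC, BLR, CCSC, BLR,
                          0x38600785, 0x60000000, CCSC, BLR, 0x44000002)

if __name__ == "__main__":
    for offset, cmd, name in find_ccsc(SAMPLE_CODE):
        print(f"{offset:#06x}", "?" if cmd is None else hex(cmd), name)
```

A hit with no command ID corresponds to a wrapper like the one described at offset 0x448, where R3 is set by the caller; the same 4-byte value can also occur in data, so hits outside executable sections need manual review.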