Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

TaiHEN Vita: Difference between revisions

From GameBrew
m (Text replacement - "GameBrew!" to "GameBrew")
No edit summary
Line 8: Line 8:
|title=taiHen
|title=taiHen
|image=taihenvita.jpg
|image=taihenvita.jpg
|description=Advanced HEN which brings kernel access and plugins support.
|description=An advanced HEN which brings kernel access and plugins support.
|author=Team Molecule
|author=Team Molecule
|lastupdated=2018/02/21
|lastupdated=2018/02/21
Line 15: Line 15:
|license=MIT
|license=MIT
|download=https://dlhb.gamebrew.org/vitahomebrews/taihenvita.7z
|download=https://dlhb.gamebrew.org/vitahomebrews/taihenvita.7z
|website=
|website=https://tai.henkaku.xyz/
|source=https://github.com/yifanlu/taiHEN
|source=https://github.com/yifanlu/taiHEN
}}
}}
'''TaiHen''' is an advanced HEN which brings kernel access and plugins support.
== What is TaiHEN (大変)? ==
taiHEN is a CFW framework for PS Vita™. When loaded with a kernel exploit, it acts as a common substrate for patching the system. taiHEN provides three main facilities:
taiHEN is a CFW framework for PS Vita™. When loaded with a kernel exploit, it acts as a common substrate for patching the system. taiHEN provides three main facilities:


# It disables code signature checks to allow unsigned executables.
* It disables code signature checks to allow unsigned executables.
# It exposes kernel peek/poke syscalls to user applications and allows loading of kernel modules.
* It exposes kernel peek/poke syscalls to user applications and allows loading of kernel modules.
# Most importantly, it provides an API for hooking and replacing functions based off of [http://github.com/comex/substitute substitute].
* Most importantly, it provides an API for hooking and replacing functions based off of technology similar to [http://www.cydiasubstrate.com/ Cydia Substrate] (specifically thanks to [http://github.com/comex/substitute substitute]).


The last point means that developers can add custom patches to kernel, system applications, and games alike.
The last point means that developers can add custom patches to kernel, system applications, and games alike.


== How To Install TaiHEN? ==
==Installation==
taiHEN requires a separate kernel exploit to run. Once the exploit loads <code>taihen.skprx</code> to the kernel, taiHEN will take care of the rest. Please refer to documentations for the exploit for more information.
taiHEN requires a separate kernel exploit to run. Once the exploit loads taihen.skprx to the kernel, taiHEN will take care of the rest.  


==Media==
Please refer to https://vita.hacks.guide/, or documentations for the exploit for more information.
<youtube>rcpf7j6YEuI</youtube>


==Screenshot==
==User guide==
[[image:taihenvita.jpg|600px]]
=== Plugin configuration ===
Plugins are loaded either into kernel after taiHEN is loaded or on demand when an application is launched. taiHEN reads the configuration file in <code>ux0:tai/config.txt</code> (or <code>ur0:tai/config.txt</code>).


== Plugins ==
The configuration that determines the plugins to load and the load order can be found in <code>ux0:tai/config.txt</code> (or <code>ux0:tai/config.txt</code>). The format is very simple and self explanatory.
Plugins are loaded either into kernel after taiHEN is loaded or on demand when an application is launched. taiHEN reads the configuration file in <code>ux0:tai/config.txt</code>.


The configuration that determines the plugins to load and the load order can be found in <code>ux0:tai/config.txt</code>. The format is very simple and self explanatory.
<pre>
 
# ignored line starting with #
<pre># ignored line starting with #
# Kernel plugins are started with taiHEN and are in this section
# Kernel plugins are started with taiHEN and are in this section
*KERNEL
*KERNEL
Line 61: Line 56:
*main
*main
ux0:app/MLCL00001/henkaku.skprx
ux0:app/MLCL00001/henkaku.skprx
ux0:data/tai/shell_plgin.skprx</pre>
ux0:data/tai/shell_plgin.skprx
</pre>


The key things to note are:
The key things to note are:
# <code>#</code> begins a comment, <code>*</code> begins a section, and any other character begins a path.
* <code>#</code> begins a comment, <code>*</code> begins a section, and any other character begins a path.
# <code>KERNEL</code> is a special section name denoting to load a kernel plugin when taiHEN is started up. All other section names are the title id of the application/game in which to load the plugin at startup. Note that SceShell has a special title id of <code>main</code>.
* <code>KERNEL</code> is a special section name denoting to load a kernel plugin when taiHEN is started up. All other section names are the title id of the application/game in which to load the plugin at startup. Note that SceShell has a special title id of <code>main</code>.
# In each section, there is a list of plugin paths that will be loaded in order. Paths can be anywhere but it is recommended that plugins reside in <code>ux0:tai</code> or <code>ux0:data/tai</code>. It is valid to have one plugin in multiple sections but the developer must ensure that the plugin knows which application it is loaded in if it needs to do things differently.
* In each section, there is a list of plugin paths that will be loaded in order. Paths can be anywhere but it is recommended that plugins reside in <code>ux0:tai</code> or <code>ux0:data/tai</code>. It is valid to have one plugin in multiple sections but the developer must ensure that the plugin knows which application it is loaded in if it needs to do things differently.


== API ==
=== API ===
taiHEN exports an API interface both to kernel and to user. This interface is found in the [documentation pages](@ref taihen). You should also read the [https://github.com/yifanlu/taiHEN/blob/master/USAGE.md usage guide] for more details. You can either download the release or build taiHEN yourself. After that, you can include <code>taihen.h</code> in your project and link with <code>libtaihen_stub.a</code> (for user modules) or <code>libtaihen_kernel_stub.a</code> (for kernel modules).
taiHEN exports an API interface both to kernel and to user. This interface is found in the [documentation pages](@ref taihen). You should also read the [https://github.com/yifanlu/taiHEN/blob/master/USAGE.md usage guide] for more details. You can either download the release or build taiHEN yourself. After that, you can include <code>taihen.h</code> in your project and link with <code>libtaihen_stub.a</code> (for user modules) or <code>libtaihen_kernel_stub.a</code> (for kernel modules).


== How To Build TaiHEN? ==
==Screenshots==
To build, you need the latest version of the [https://github.com/vitasdk/buildscripts toolchain] with kernel support. Then just use CMake to build.
taihenvita3.png
 
<pre>$ mkdir build &amp;&amp; cd build
$ cmake ../
$ make</pre>


==Changelog==
==Changelog==
'''(v.0.11)'''
'''v0.11'''
Add delayed config loading to allow config to be reloaded from '''module_start'''. The main use-case here is if a kernel module defined in '''*KERNEL''' wishes to refresh the config.
*Add delayed config loading to allow config to be reloaded from module_start. The main use-case here is if a kernel module defined in *KERNEL wishes to refresh the config. Previously there will be a use-after-free as it tries to free the old config while it is still being parsed. Now that's been fixed and it supports re-loading the config (delayed) after the first parse is complete.


Previously there will be a use-after-free as it tries to free the old config while it is still being parsed. Now that's been fixed and it supports re-loading the config (delayed) after the first parse is complete.
'''v0.10'''
 
'''(v.0.10)'''
*Hold L at start of an application to skip loading user plugins. This also means that if you have Ensō and hold L at boot, you should skip loading of SceShell plugins as well.
*Hold L at start of an application to skip loading user plugins. This also means that if you have Ensō and hold L at boot, you should skip loading of SceShell plugins as well.


'''(v.0.9)'''
'''v0.9'''
*Added recovery option to skip loading all plugins (kernel and user) by holding L1.  
*Added recovery option to skip loading all plugins (kernel and user) by holding L1.  
*If using [[Henkaku Vita|HENkaku]] from the web or with the offline installer, hold L1 after the bootstrap installer starts up.
*If using HENkaku from the web or with the offline installer, hold L1 after the bootstrap installer starts up.
*If using [[Enso Ex Installer Vita|Enso]], hold L1 and power on the Vita. You can still reuse plugins by calling taiReloadConfig even if you started taiHEN without plugin loading.
*If using Enso, hold L1 and power on the Vita. You can still reuse plugins by calling taiReloadConfig even if you started taiHEN without plugin loading.
 
'''(v.0.8)'''
*Alternative config file at '''ur0:tai/config.txt''' loads if '''ux0:tai/config.txt''' is not found.


'''(v.0.7)'''
'''v0.8'''
*Fixed a memory leak where a reference was not decremented
*Alternative config file at "ur0:tai/config.txt" loads if "ux0:tai/config.txt" is not found.
*Mitigation for a SCE bug that limits the number of plugins that can be loaded per application
*API Change: When '''TAI_MAIN_MODULE''' is used, the first loaded module will always be returned. This should be transparent to most plugins except the main change is that you can use '''TAI_MAIN_MODULE''' for SceShell now.


'''(v.0.6)'''
'''v0.7'''
*Module is now compressed
*Fixed a memory leak where a reference was not decremented.
*API change: '''TAI_MAIN_MODULE''' can be passed as a parameter to functions that take a module name. This will resolve to the default main module (aka the eboot.bin of the loaded application).
*Mitigation for a SCE bug that limits the number of plugins that can be loaded per application.
*API Change: When "TAI_MAIN_MODULE" is used, the first loaded module will always be returned. This should be transparent to most plugins except the main change is that you can use TAI_MAIN_MODULE for SceShell now.


'''(v.0.5)'''
'''v0.6'''
Add new developer exports '''module_get_by_name_nid''', '''module_get_offset''', '''module_get_export_func''', and '''module_get_import_func''' for advanced users. Headers not provided because these functions are not recommended for normal users.
*Module is now compressed.
Integrated latest version of substitute with bug fixes for certain types of function hooks.
*API change: "TAI_MAIN_MODULE" can be passed as a parameter to functions that take a module name. This will resolve to the default main module (aka the eboot.bin of the loaded application).


'''(v.0.4)'''
'''v0.5'''
*Implemented clean-up of user hooks on process termination
*Add new developer exports "module_get_by_name_nid", "module_get_offset", "module_get_export_func", and "module_get_import_func" for advanced users. Headers not provided because these functions are not recommended for normal users.
*Added more APIs for kernel module loading and process module loading
*Integrated latest version of substitute with bug fixes for certain types of function hooks.
*Fixed bug where stack size was too small in syscall leading to crash when hooking or unhooking (seen by suprx loading skprx)
*Added checks to prevent hooking of unresolved weak imports (see docs for details on how to hook weak imports)
*Fixed bug in assembling the outro for BL instructions (can be seen by crash when hooking '''app_start''')
*Fixed bug where '''taiGetModuleInfo''' does not retrieve all modules.
*Fixed bug where kernel module stopping crashes


'''(v.0.3)'''
'''v0.4'''
*Fixed issue with user loading of kernel module not working
*Implemented clean-up of user hooks on process termination.
*Minor stability fixes
*Added more APIs for kernel module loading and process module loading.
*Fixed bug where stack size was too small in syscall leading to crash when hooking or unhooking (seen by suprx loading skprx).
*Added checks to prevent hooking of unresolved weak imports (see docs for details on how to hook weak imports).
*Fixed bug in assembling the outro for BL instructions (can be seen by crash when hooking "app_start").
*Fixed bug where "taiGetModuleInfo" does not retrieve all modules.
*Fixed bug where kernel module stopping crashes.


'''(v.0.2)'''
'''v0.3'''
*NID poisoning disabled, allows for user hooks of imports
*Fixed issue with user loading of kernel module not working.
*Configuration parsing/loading
*Minor stability fixes.
*Fixed race condition in sceKernelMemPoolCreate
*Fixed bug in taiLoadKernelModule and related function


'''(v.0.1)'''
'''v0.2'''
* First Release.
*NID poisoning disabled, allows for user hooks of imports.
*Configuration parsing/loading.
*Fixed race condition in "sceKernelMemPoolCreate".
*Fixed bug in "taiLoadKernelModule" and related function.


== External links ==
== External links ==
* Github - https://github.com/yifanlu/taiHEN
* Official website - https://tai.henkaku.xyz/
* GitHub - https://github.com/yifanlu/taiHEN
* VitaDB - https://vitadb.rinnegatamante.it/#/info/143
* VitaDB - https://vitadb.rinnegatamante.it/#/info/143

Revision as of 09:45, 6 Ocak 2023

taiHen
File:Taihenvita.jpg
General
AuthorTeam Molecule
TypePlugins
Version0.11
LicenseMIT License
Last Updated2018/02/21
Links
Download
Website
Source

taiHEN is a CFW framework for PS Vita™. When loaded with a kernel exploit, it acts as a common substrate for patching the system. taiHEN provides three main facilities:

  • It disables code signature checks to allow unsigned executables.
  • It exposes kernel peek/poke syscalls to user applications and allows loading of kernel modules.
  • Most importantly, it provides an API for hooking and replacing functions based off of technology similar to Cydia Substrate (specifically thanks to substitute).

The last point means that developers can add custom patches to kernel, system applications, and games alike.

Installation

taiHEN requires a separate kernel exploit to run. Once the exploit loads taihen.skprx to the kernel, taiHEN will take care of the rest.

Please refer to https://vita.hacks.guide/, or documentations for the exploit for more information.

User guide

Plugin configuration

Plugins are loaded either into kernel after taiHEN is loaded or on demand when an application is launched. taiHEN reads the configuration file in ux0:tai/config.txt (or ur0:tai/config.txt).

The configuration that determines the plugins to load and the load order can be found in ux0:tai/config.txt (or ux0:tai/config.txt). The format is very simple and self explanatory.

# ignored line starting with #
# Kernel plugins are started with taiHEN and are in this section
*KERNEL
ux0:app/MLCL00001/henkaku.skprx
ux0:path/to/another.skprx
ux0:tai/plugin3.skprx
ux0:data/tai/plugin4.skprx
ux0:data/tai/plugin5.skprx
# titleid for SceSettings
*NPXS10015
ux0:app/MLCL00001/henkaku.suprx
ux0:data/tai/some_settings_plugin.suprx
# titleid for Package Installer
*NPXS10031
ux0:path/to/some_pkg_installer_plgin.suprx
# titleid for SceShell is special (does not follow the XXXXYYYYY format)
*main
ux0:app/MLCL00001/henkaku.skprx
ux0:data/tai/shell_plgin.skprx

The key things to note are:

  • # begins a comment, * begins a section, and any other character begins a path.
  • KERNEL is a special section name denoting to load a kernel plugin when taiHEN is started up. All other section names are the title id of the application/game in which to load the plugin at startup. Note that SceShell has a special title id of main.
  • In each section, there is a list of plugin paths that will be loaded in order. Paths can be anywhere but it is recommended that plugins reside in ux0:tai or ux0:data/tai. It is valid to have one plugin in multiple sections but the developer must ensure that the plugin knows which application it is loaded in if it needs to do things differently.

API

taiHEN exports an API interface both to kernel and to user. This interface is found in the [documentation pages](@ref taihen). You should also read the usage guide for more details. You can either download the release or build taiHEN yourself. After that, you can include taihen.h in your project and link with libtaihen_stub.a (for user modules) or libtaihen_kernel_stub.a (for kernel modules).

Screenshots

taihenvita3.png

Changelog

v0.11

  • Add delayed config loading to allow config to be reloaded from module_start. The main use-case here is if a kernel module defined in *KERNEL wishes to refresh the config. Previously there will be a use-after-free as it tries to free the old config while it is still being parsed. Now that's been fixed and it supports re-loading the config (delayed) after the first parse is complete.

v0.10

  • Hold L at start of an application to skip loading user plugins. This also means that if you have Ensō and hold L at boot, you should skip loading of SceShell plugins as well.

v0.9

  • Added recovery option to skip loading all plugins (kernel and user) by holding L1.
  • If using HENkaku from the web or with the offline installer, hold L1 after the bootstrap installer starts up.
  • If using Enso, hold L1 and power on the Vita. You can still reuse plugins by calling taiReloadConfig even if you started taiHEN without plugin loading.

v0.8

  • Alternative config file at "ur0:tai/config.txt" loads if "ux0:tai/config.txt" is not found.

v0.7

  • Fixed a memory leak where a reference was not decremented.
  • Mitigation for a SCE bug that limits the number of plugins that can be loaded per application.
  • API Change: When "TAI_MAIN_MODULE" is used, the first loaded module will always be returned. This should be transparent to most plugins except the main change is that you can use TAI_MAIN_MODULE for SceShell now.

v0.6

  • Module is now compressed.
  • API change: "TAI_MAIN_MODULE" can be passed as a parameter to functions that take a module name. This will resolve to the default main module (aka the eboot.bin of the loaded application).

v0.5

  • Add new developer exports "module_get_by_name_nid", "module_get_offset", "module_get_export_func", and "module_get_import_func" for advanced users. Headers not provided because these functions are not recommended for normal users.
  • Integrated latest version of substitute with bug fixes for certain types of function hooks.

v0.4

  • Implemented clean-up of user hooks on process termination.
  • Added more APIs for kernel module loading and process module loading.
  • Fixed bug where stack size was too small in syscall leading to crash when hooking or unhooking (seen by suprx loading skprx).
  • Added checks to prevent hooking of unresolved weak imports (see docs for details on how to hook weak imports).
  • Fixed bug in assembling the outro for BL instructions (can be seen by crash when hooking "app_start").
  • Fixed bug where "taiGetModuleInfo" does not retrieve all modules.
  • Fixed bug where kernel module stopping crashes.

v0.3

  • Fixed issue with user loading of kernel module not working.
  • Minor stability fixes.

v0.2

  • NID poisoning disabled, allows for user hooks of imports.
  • Configuration parsing/loading.
  • Fixed race condition in "sceKernelMemPoolCreate".
  • Fixed bug in "taiLoadKernelModule" and related function.

External links

Advertising: