As advised by @DaveeFTW. Conversation excerpt follow.

<Kyle873> I don't suppose there's a way for me to directly manipulate the input buffer instead of just reading from it?
<Kyle873> rather, I just want to clear it
<davee[m]> Kyle873: context?
<Kyle873> davee[m], developing a game plugin, using the main thread priority hack I've seen others do to pause the main thread while I keep a menu up, on resume of the main thread, some input bleeds into the game thread
<davee[m]> threads are a bad idea
<Kyle873> don't really see another way to do it
<Kyle873> unless i want all my menu control to also flow into the game, which I don't
<Kyle873> davee[m], a very condensed view of the flow http://tinyurl.com/j3vz4a6
<davee[m]> we seriously need a better way to handle threads for plugins
<davee[m]> can you do me a favour and create an issue on taihen github requesting that?
<davee[m]> Kyle873: yeah, threading really sucks on the vita
<davee[m]> there needs to be some API to assist plugins I think

My Vita's Start button is apparently dying/dead and doesn't always work and thus I'm having difficulty accessing the settings menu to enable Unsafe Homebrew.

Since I have a PSTV as well and my Dualshock controller's buttons all work I should be able to move my memory card to it and do the relevant configuration but not everyone has that option available to them but may be in a similar situation.

Proposed alternate button location: Pressing Triangle on a "Drive Letter" (such as "ux0:") to pull up the same menu Start should be.

none

This issue on installing vpk :(

In the case where you don't know the name of the module, this should allow a generic plugin to work for all apps.

Hello!
I am trying to create an mp3 audio player to plugin mode,
First create the code as any application, and it works,
Translate the code to be used as a plugin:
I use the flag -nostartfiles in the make,
And add a couple of functions in the main.c to evade the errors and use the newlib:
Int _free_vita_newlib () {
Return 0;
}
Int _fini () {
Return 0;
}
And finally add the export.yml and its command in the make.
When debugging the plugin in action, I notice that it is not heard, but the report indicates that it is working well internally ...

I do not know if it is due to long memory applications (buffers for samples, and readings),
Or it may be due to some failure in the newlib, since not doing _init_vita_newlib and __libc_init_array there may be incursions in the generic functions no?

Additionally it probe to use the sample of audio provided by vitasdk, and portandolo to plugin, and to arrive at some function of sceAudio, it generates a crash.

Greetings and thank you any help!

At the moment if you install a new plugin you have to cold reset your vita and restart taihen in order to have the plugin loaded. Therefore it might be a good idea to add config sync:

• Either by exposing a sync function in the library that homebrews can use
• Or by parsing the config at every application launch

Right now you cannot hook anything in the >= 0xE0000000 region because the pages mapped there are shared between processes. It increases the complexity as we would have to map the trampoline pages to all processes that use a specific module. Right now, I believe that most plugins would not need to hook any shared modules (they can make do with hooking imports from the main module). If we want to support this going forward, it would make sense to hook modulemgr to always allocate 1-2 additional pages at the end of the .text segment for any shared module. That would serve as the trampoline for the hooks as well as metadata for hooks.

load:

modid = taiLoadStartKernelModule("ux0:app/STAR00001/test.skprx", 1, arg, 0);

returns successfully (with a module uid).
unload:

int res = taiStopUnloadKernelModule(modid, 1, arg, 0, NULL, &kmod_res);

returns 0x8002d002 (SCE_KERNEL_ERROR_MODULEMGR_IN_USE)
and if trying to load again, load returns 0x8002d013 (SCE_KERNEL_ERROR_MODULEMGR_OLD_LIB)

I have noticed that plugins are not loaded for some apps/games with titleid PCSF*, like twitter, flickr, wakup club.

Cannot create ux0:tai/config.txt.
Failed with Error 0x80010011 when trying to create it using shell.
The file cannot be created by copying, renaming or FTP.
Any other file under ux0:tai can be accessed normally, except for config.txt.

Using the latest taiHEN and have unsafe homebrew enabled.

All games are loaded from cartridges which might be my problem as it works perfect on all dumps I've tried.
I used _start for eboot.bin vitamin / maidump calls but while testing i renamed the
ux0:/plugins/game.txt -> ux0:/plugins/game.txtbak so any dump game tests were not interfering

#GRAVITYRUSH (US)
*PCSA00011
ux0:tai/REZAPEEK.skprx #crashed
ux0:plugins/REZAPEEK.suprx #crashed

#FREEDOMWARS (US)
*PCSA00147
ux0:tai/REZAPEEK.skprx #crashed
ux0:plugins/REZAPEEK.suprx #crashed

#LBP (US)
*PCSA00017
ux0:tai/REZAPEEK.skprx #success
ux0:plugins/REZAPEEK.suprx #success

When I tested the following code and replaced my plugin rezapeek with this test dummy build
the folder was not created in any case and all games crashed again except lbp.
Lbp did not successfully call the sceiomkdir but it did not crash either.
when I loaded my plugin into lbp it was successful and loaded the bliter menu and handled my menu variables nicely, but it still did not create the directories my plugin
tried to make. are these functions deprecated ? am i not building the skprx correctly ?
I made a skprx file but its just a suprx file renamed to skprx.

#include <psp2/kernel/modulemgr.h>
#include <psp2/kernel/processmgr.h>
#include <psp2/io/stat.h>

#include <taihen.h>


int main_thread(SceSize args, void *argp) {
	
	//sceKernelDelayThread(5 * 1000 * 1000);
	sceIoMkdir("ux0:/data/plugtest", 0777);
	
	return 0;
}

//vitamin / maidump entry
int _start(SceSize args,const void *argp) {
	SceUID thid = sceKernelCreateThread("REZAPEEK", main_thread, 0x40, 0x600000, 0, 0, NULL);
	if (thid >= 0)
		sceKernelStartThread(thid, 0, NULL);
	return 0;
}

// taihen entry
int module_start(SceSize argc, const void *args) {
	//sceKernelExitProcess(0);
	_start(argc,args);
	return 0;
}

int module_stop(SceSize argc, const void *args) {
  return SCE_KERNEL_STOP_SUCCESS;
}

There's problems people run into. We should keep a list of problems and solutions.

• Using newlib from plugins. Should use either SceLibc, sceClib* from SceLibKernel, or libk.
• Using user imports from kernel mode.
• Unsafe function usage in safe homebrew
• Need for mod.size = sizeof(mod)

Also the following samples should be created

• "Hello world" show FPS in game
• Port amphetamin
• Kernel module that exports user syscall/on demand loading

Hi, while my application boot, my plugin cause a stuck on boot image

#include <stdlib.h>
#include <stdio.h>
#include <taihen.h>

// handle to our hook
static tai_hook_ref_t app_start_ref;
// our hook for app entry
int hook_app_start(SceSize argc, const void *args) {
  printf("hello world!\n");
  return TAI_CONTINUE(int, app_start_ref, argc, args);
}
// our own plugin entry
int module_start(SceSize argc, const void *args) {
  taiHookFunctionExport(&app_start_ref,  // Output a reference
                        "AppName",       // Name of module being hooked
                        TAI_ANY_LIBRARY, // If there's multiple libs exporting this
                        0x935CD196,      // Special NID specifying module_start
                        hook_app_start); // Name of the hook function
  return (0);
}

TARGET  = testplugin
OBJS    = main.o

LIBS    = -ltaihen_stub -lSceLibc_stub

PREFIX  = arm-vita-eabi
CC      = $(PREFIX)-gcc
CFLAGS  = -g -Wl,-q -Wall -O3 -nostartfiles
ASFLAGS = $(CFLAGS)
TYPE = suprx
PSVITAIP = 192.168.1.14

all: $(TARGET).$(TYPE)

%.$(TYPE): %.velf
	vita-make-fself $< $@

%.velf: %.elf
	vita-elf-create $< $@ taihen.json

$(TARGET).elf: $(OBJS)
	$(CC) $(CFLAGS) $^ $(LIBS) -o $@

clean:
	@rm -rf $(TARGET).$(TYPE) $(TARGET).velf $(TARGET).elf $(OBJS)

send: $(TARGET).$(TYPE)
	curl -T $(TARGET).$(TYPE) ftp://$(PSVITAIP):1337/ux0:/data/$(TARGET).$(TYPE)
	@echo "Plugin sended."

pretty simple plugin, but doesn't work, I looked for a long time without solution.
Thanks for your help :-)

Currently kernel modules specified in the configuration are not loaded. There is an action here.

Could be useful if you want to hook a function for user mode but keep kernel function untouched

I am loading a kernel module from an application in user mode,
Using the API taihen, as follows:

SceUID modkernel = taiLoadStartKernelModule("ux0:/mylib.skprx", 0, NULL, 0);

Always the first time I run the application after having installed henkaku, it crashes, the second no longer gives the crash, and works great!
It should be mentioned that the user application, it imports prx functions,
In the module_start, no action is performed,
Could someone help me solve this problem?

Any help will be appreciated.

Someone in chat built a suprx that crashes when loaded after adrenaline but loads fine with settings.

Code is this one: http://pastebin.com/jVJVFMtW

When I attach it to any app - it leads to immediate reboot, probably kernel crash.

This is the modification of user.c in henkaku user plugin, no other modifications were made: https://github.com/henkaku/henkaku/tree/master/plugin

So basically to reproduce you can just replace user.c with mine.

Note: This is an untested theory

When a broken plugin is inserted to SceShell and causes it to crash, i assume the device reboots or restarts SceShell (causing an infinite loop of crashes)
After a reboot the crash would be fixed temporarily until the user reinstalls taihenkaku - which would load the plugin and cause the crashes again, effectively making taihenkaku unusable on that device.

This means there's no opportunity for the user to disable the broken plugin before causing crashes again.

Cydia Substrate prevents this by temporarily disabling plugin loading when a specific key-combo is held, so maybe that's what tai should do in the future if my theory proves to be true

I can't confirm this theory though because i'd rather not pseudo-brick my device

This will be useful for quickly test/use functions

The steps are,

1. I installed taiHEN, restarted the Vita
2. Turn it on, initiate taiHEN.
3. Launch "Setting"
4. Press on "Wi-Fi Settings", and it crashed.

Can't recreate the problem now.

It seems it is not detecting the mail database correctly, it keep asking to enter and close the application in order to create the database.

HENkaku works fine.

I wonder if there is an error in the taiLoadKernelModule function. The header says to set "opt" to NULL if i understand correctly, but "opt" is checked for not NULL : https://github.com/yifanlu/taiHEN/blob/master/taihen-user.c#L356

This one is unlikely to be taken on by me. The PS4's kernel APIs should be close enough (have same/similar functions) where a port of taiHEN to PS4 would be easier than, say, Android. substitute supports x86-64 as well.

This should save memory: if the plugin is found in *ALL, then load it to 0xE0000000 region. The kernel will then share the text pages.

Sometimes you only need to manipulate a single call. Example: sceCtrlPeekBufferPositive does output all buttons (inclusive ps btn, power btn and volumes) if called in kernel mode, whereas from syscall state only user buttons can be received. Patching the import function that checks for syscall mode (not sure if it's really like this) might cause maleffect.

is there a detailed explaination on how the permissions works and how to use in source?

like do i need to define Kernel somewhere to elevate my app during compile to build using the unsafe homebrew flag ? am i completely wrong ? how does it work ? i understand there is a flag on eboot.bin's for their unsafe homebrew etc , does a plugin only gain the access of the app its running in ? if i use taihen config.txt and write
*main
ux0:plugins/rezapeek.suprx # can i do this ? does a suprx and s skprx make a difference other then name ?

and will this only have access to the memory allocated by pcse ?
i guess my question is the memcpy user to kernel and kernal to user and also C memcpy does that work with what level of permisions ? does it error on certain calls to protected memory which with other access would be readable?
*pcseXXXXX
ux0:plugins/rezapeek.suprx

https://gyazo.com/cabb3b258699d81660d994178f9fed18 My vita currently looks like this i also cannot creat folders with molicule shell ether

hooking this way does reboot: config.txt -> suprx -> inside suprx load skprx -> then hook -> reboots. but config.txt -> skprx -> hook: works

Hy Team Henkaku

Could you please add a switch to the taihen settings in order to see and write to the other partitions.
Also I can't write to the root of ux0 like creating folders and so on and a few folders are even hidden in ux0 like the game folder.

I don't persist on the switch, but please fix the ux0 partition.

Regards DarkLPs

Right now, if a function is called in middle of the hook, this series of events could be possible

1. substitute_hook_functions is called
2. Function is written to, old pointer is saved
3. taiHEN sets the old pointer into the tai_hook_t object stored in user address space.
4. Call returns to user with a reference to the tai_hook_t

It is possible, between 2 and 4 that the function is called. In that case, it jumps to the user function, which tries to call TAI_CONTINUE with an uninitialized reference.

There are a couple of possible solutions:

• We initialize the user reference to NULL before 1, then we modify TAI_CONTINUE to not dereference the hook if NULL and return error. The problem with this is that we cannot call the original function and this may break whatever code depends on it.
• We set the hook reference early (before returning from the hook call). This doesn't work for user hooks though.
• We can halt all threads while the hook process is happening. This is what substitute does on iOS. Not sure if we want this for performance reasons.

Supp?!.

Well, I've installed TaiHen and after that I got a lot of problems trying to install VPKs trought vitashell, vita always restart when finishing the instalation, and show some error message in some files... I've noticed that to install beta or going back to regular exploit, you should do it from de begining, like from zero.. deleting molecularshell and doing an database restore before exploit it. otherwise you shall get some errors (sometimes...).

Well, hope I could be helpfull, and sorry about my english.
thx by the efort guys.

This one crashes because the screenshot module isn't loaded yet.
taiHookFunctionImport(&sceScreenShotDisableRef, "ScePspemu", 0xF26FC97D, 0x50AE9FF9, sceScreenShotDisablePatched);

Error code is: C1-2719-9

inside a kernel module:

static int new_kmodStopAllowed()
{
    return 1;
}

int module_start(SceSize argc, const void *args)
{
    kmod_hook_uid = taiHookFunctionImportForKernel(KERNEL_PID,
                                            &kmod_stop_hook,
                                            "SceKernelModulemgr",
                                            0x7ABF5135, // SceSblAuthMgrForKernel
                                            0xBBA13D9C,
                                            new_kmodStopAllowed);
  <...>
  return SCE_KERNEL_START_SUCCESS;
}

crashes the vita.

launched from a usermode app with

modid = taiLoadStartKernelModule("ux0:app/STAR00003/test.skprx", 0, NULL, 0);

If a function includes a conditional branch in the first 8 bytes, libsubstitute can't hook it. We need an alternative way of patching these functions or stuff like the patch for 0xD514BB56 won't work.

I installed vitasdk from https://github.com/vitasdk/buildscripts but got the following error when I was trying to build taiHEN. Any idea about this? Thanks

[100%] Linking C executable taihen.elf
[100%] Built target taihen.elf
Scanning dependencies of target taihen-libs
[100%] Built target taihen-libs
Scanning dependencies of target taihen.skprx
vita-elf-create: dest = elf_begin(fileno(*file), ELF_C_WRITE, NULL) failed: Request error: invalid ELF_C_* argument
vita-elf-create: Assertion failed: (dest = elf_utils_copy_to_file(args.output, ve->elf, &outfile))
make[2]: *** [CMakeFiles/taihen.skprx] Error 1
make[1]: *** [CMakeFiles/taihen.skprx.dir/all] Error 2
make: *** [all] Error 2

We should freeze all threads while hooking kernel and the process when hooking user.

While TaiHenkaku Beta 8 (the December 15th build) is installed, LiveTweet for PS Vita will not work. Reboot to use it.

Not sure if this is a issue so sorry otherwise, but is the taihen.json file a needed file to compile against?

During taiHenkaku installation, Vita crashed almost immediately with the following error: C2-14185-9:
'A problem occurred the last time the PS Vita system was used, and the system did not power off correctly'.

Error History also shows this, though I did not see this error appear: C1-6775-5
'An error occured'.

Now, opening the browser in any case gives this error: C0-15008-4
'A serious error has occured in the system software. This system will restart'.
Vita restarts in the safe mode with only two options: restart this system and restore this system.
Error History shows another error that occurs at the same time but isn't shown: C0-11478-1

Regular Henkaku is still accessible through the offline installer. Rebuilding the database didn't work and I don't want to risk formatting my system and be left without both browser and offline installer in case restoring doesn't fix the error.
There is no tai folder in ux0, so I assume it didn't install at all.

Loading a suprx that is importing ScePgf for example (which isn't loaded yet either) will result in SCE_KERNEL_ERROR_MODULEMGR_NO_LIB. A workaround is to load the pgf module inside config.txt

I am using retroarch pcsx rearmed and it behaves differently between 'henkaku' and 'taihen'. With henkaku (go.henkaku.xyz), it loads game image files fine; but with 'taihen'(beta.henkaku.xyz) it is very unstable, retroarch always reports 'no items' when open a game image file. So i am 99% sure it might be a bug with 'taihen'.