
List of PSP CPU definitions

Zecoxao

List of PSP CPU definitions

Post by Zecoxao » Wed Dec 01, 2010 4:24 pm

Just so you know why I made this: I wanted to give some definitions of what you might find in psplink, so next time you see a crash, you know if it's exploitable or not. I also thought of making some instruction definitions, to help the general understanding of the PSP's Allegrex processor.
All credit from this point onwards goes to Nymphaea, without her I would have a hard time cleaning all this ***. The Original OP is still saved, so I'll add the functions that are missing at the end of it, according to what she doesn't have and what I have, and obviously according to what the PSP has. Here it goes:

Basics
CPU Registers
$zr -> Zero Register, always contains 0x00000000
$at -> Assembler temporary, can generally ignore this
$v0-v1 -> Function return values, these tend to be easily changed from loading functions
$a0-a3 -> Function arguments, if you have control of these you will need to look into the following functions
$t0-t9 -> Temporaries, usually useless, may be useful depending how they are used
$s0-s7 -> Saved temporaries, should keep an eye on these in complex sections of code, can be useful
$k0-k1 -> Kernel registers, defines the exception handling
$gp -> Global data Pointer, name kind of says it all
$sp -> Stack Pointer, VERY useful in more complex sections of code, contains old $ra values and $s# values
$fp -> Frame Pointer, points to somewhere in the stack, only used by some(usually large) functions
$ra -> Return Address, easiest register to exploit if you have control
Instruction Syntax
LOAD AND STORE
la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word
COMPUTE
Nymphaea's note: "Unsigned" in MIPS is kind of a misnomer from what I've seen/heard

add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
sltu: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal
JUMP AND BRANCH
Nymphaea's first note: Jumps and branches (basically the same thing) usually happen within a single function, except jr $ra (end of function), jal (jumps to function/subroutine), and jalr (jumps to smaller functions, sometimes exploitable)
Nymphaea's second note: All jumps and branches have a "delay slot", a function that is placed right after it, but happens at the same time as the jump. Branches can also have a "likely" added to them (by adding an "l" to the end of the name), which makes the delay slot be executed ONLY if the condition is true.

j: Jump
jr: Jump to Register value
jal: Jump And Link
jalr: Jump And Link Register
beq: Branch on EQual
bge: Branch on Greater than or Equal
bgeu: Branch on Greater than or Equal Unsigned
bgtu: branch on greater than unsigned
bleu: branch on less than or equal
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
SPECIAL
break: break
mfhi: move from high
mflo: move from low
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call
Original Post
CPU Registers:


$zr -> Constant zero
$at -> Assembler temporary
$v0-v1 -> Function return
$a0-a3 -> Incoming arguments
$t0-t9 -> Temporaries
$s0-s7 -> Saved temporaries
$k0-k1 -> Exception handling <- Defines the exception handling
$gp -> Global data pointer
$sp -> Stack pointer 
$fp -> Saved temporary
$ra -> Return address <- GOAL
CoProcessor Registers:


BADVAddr -> Bad Virtual Address
Status -> Status Register
Cause -> Cause Register
EPC -> Exception Program Counter Register

Exception Types:


0 -> External Interrupt (useless)
1-3 -> Reserved (most likely FPU exception) (useless)
4 -> Address error (load or instruction fetch) (BINGO!!! Available in Davee's Tiff Exploit)
5 -> Address error (data store) (useless, unless you control some registers' values)
6 -> Bus error (instruction fetch) (BINGO!!! Available in ALL game exploits)
7 -> Bus error (data load or store) (useless, unless you control some registers' values)
8 -> Syscall instruction (useless)
9 -> Breakpoint (useless, BUT a very rare case where $ra was totally overwritten appeared, still it's very very rare that this happens)
10 -> Reserved instruction (useless)
11 -> Coprocessor unusable (useless)
12 -> Arithmetic overflow (useless)
13-15 -> Not used
Instruction Syntax (for those who asked) :


LOAD AND STORE
la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left 
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
li: load immediate
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word
COMPUTE
add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
sltu: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal
JUMP AND BRANCH
j: jump
jal: jump and link
beq: branch on equal
bge: branch on greater than or equal
bgeu: branch on greater than or equal unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
b: branch
bal: branch and link
SPECIAL
break: break
mfhi: move from high
mflo: move from low 
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call
I would also like to give many MANY thanks to m0skit0, without him I would never have found out about any of this. I still keep in my head the memory of my first successful crash that I later made into a Breakpoint Exception by implementing on it a simple break call. Too bad it wasn't much use :(
Last edited by Zecoxao on Sun Dec 05, 2010 2:54 pm, edited 7 times in total.
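The post above says the whole point of the list is to look at a psplink crash and decide whether it is worth pursuing: exception type 4 or 6 plus a value you wrote showing up in EPC/BadVAddr or $ra. As an added example (not code from this thread or from psplink), here is a small Python script that does that triage automatically. The dump layout it parses, "EPC       - 0x..." lines for coprocessor 0 registers and "s0:0x41414141 ..." pairs for the general registers, is an assumption modelled loosely on psplink's exception output, and the two sample dumps are constructed for the example, not real crashes.

```python
import re

# ExcCode values of the MIPS Cause register, numbered as in the post above.
EXC_NAMES = {
    0: "External interrupt",
    4: "Address error (load or instruction fetch)",
    5: "Address error (data store)",
    6: "Bus error (instruction fetch)",
    7: "Bus error (data load or store)",
    8: "Syscall instruction",
    9: "Breakpoint",
    10: "Reserved instruction",
    11: "Coprocessor unusable",
    12: "Arithmetic overflow",
}

# The two codes the post marks as worth a second look: the CPU tried to
# fetch from an address that may have come from data we wrote.
INTERESTING = {4, 6}

# Assumed dump layout (modelled on psplink, not copied from it):
#   general registers:  "s0:0x41414141 s1:0x41414141 ..."
#   coprocessor 0:      "EPC       - 0x41414140"
_GPR_RE = re.compile(r"\b([a-z][a-z0-9]):0x([0-9A-Fa-f]{8})\b")
_COP0_RE = re.compile(r"^(EPC|Cause|BadVAddr|Status)\s+-\s+0x([0-9A-Fa-f]{8})", re.M)


def parse_dump(text):
    """Return ({gpr_name: value}, {cop0_name: value}) parsed from a dump."""
    gprs = {name: int(val, 16) for name, val in _GPR_RE.findall(text)}
    cop0 = {name: int(val, 16) for name, val in _COP0_RE.findall(text)}
    return gprs, cop0


def exc_code(cause):
    """ExcCode field of the MIPS Cause register (bits 6..2)."""
    return (cause >> 2) & 0x1F


def looks_controlled(value, fill=0x41):
    """True if a 32-bit value is made of our fill byte ("AAAA" -> 0x41414141).

    The low byte may have its two low bits cleared: a fetch from 0x41414141
    is reported on the aligned address 0x41414140."""
    b = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return b[0] == b[1] == b[2] == fill and b[3] in (fill, fill & ~0x3)


def classify(text, fill=0x41):
    """Summarise one crash dump: exception type and which values we control."""
    gprs, cop0 = parse_dump(text)
    code = exc_code(cop0["Cause"])
    controlled = [n for n in ("EPC", "BadVAddr")
                  if n in cop0 and looks_controlled(cop0[n], fill)]
    controlled += [n for n, v in gprs.items() if looks_controlled(v, fill)]
    return {
        "exception": code,
        "name": EXC_NAMES.get(code, "Unknown/reserved"),
        "controlled": controlled,
        # Interesting in the post's sense: a fetch-side fault AND a value we put there.
        "interesting": code in INTERESTING and bool(controlled),
    }


# Constructed sample: a bus error on instruction fetch after "AAAA" reached $ra.
CRASH_BUS_ERROR = """\
Exception - Bus error (instr)
Thread ID - 0x04A2C2F5
Th Name   - user_main
EPC       - 0x41414140
Cause     - 0x10000018
BadVAddr  - 0x41414140
Status    - 0x60088613
zr:0x00000000 at:0x00000001 v0:0x00000000 v1:0x00000000
a0:0x09FBFF30 a1:0x00000000 a2:0x00000000 a3:0x00000000
s0:0x41414141 s1:0x41414141 s2:0x00000000 s3:0x00000000
gp:0x08804F40 sp:0x09FBFF30 fp:0x00000000 ra:0x41414141
"""

# Constructed sample: an arithmetic overflow, nothing of ours in any register.
CRASH_OVERFLOW = """\
Exception - Arithmetic overflow
EPC       - 0x08804130
Cause     - 0x10000030
BadVAddr  - 0x00000000
Status    - 0x60088613
zr:0x00000000 at:0x00000001 v0:0x7FFFFFFF v1:0x00000001
gp:0x08804F40 sp:0x09FBFF30 fp:0x00000000 ra:0x08804100
"""

if __name__ == "__main__":
    for dump in (CRASH_BUS_ERROR, CRASH_OVERFLOW):
        print(classify(dump))
```

Run it on a saved psplink log (after checking that your log uses the same line shapes, or adjusting the two regexes) and it tells you the exception number, its name from the post's table, and which registers hold your fill pattern. A hit on $ra with exception 6 is exactly the "BINGO" case above; a hit only in $t registers with exception 12 is the "useless" case.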

Askarik

Re: Some MIPS definitions

Post by Askarik » Thu Dec 02, 2010 6:09 pm

Very useful for n00bs (like me :D) that tests their crashes with PsPLink. I think this topic must be sticky.

$PsPhaKeR

Re: Some MIPS definitions

Post by $PsPhaKeR » Thu Dec 02, 2010 10:29 pm

More descriptive please, whatever :D
btw good tut
Last edited by $PsPhaKeR on Thu Dec 02, 2010 11:47 pm, edited 1 time in total.

Mr. X

Re: Some MIPS definitions

Post by Mr. X » Thu Dec 02, 2010 10:44 pm

$PsPhaKeR wrote:More descriptive please, whatever :D
Hey take a look at this, I'm sure it is useless
but I would feel better having a confirmation :)
If you can't understand this then there isn't much hope of you finding a useful exploit. Also, go elsewhere with your crash. This topic is not the place to post it.

OT: I don't have any use for this right now, but I might in the future. Thanks, Zecoxao.

$PsPhaKeR

Re: Some MIPS definitions

Post by $PsPhaKeR » Thu Dec 02, 2010 10:51 pm

Mr. X wrote:
$PsPhaKeR wrote:More descriptive please, whatever :D
Hey take a look at this, I'm sure it is useless
but I would feel better having a confirmation :)
If you can't understand this then there isn't much hope of you finding a useful exploit. Also, go elsewhere with your crash. This topic is not the place to post it.

OT: I don't have any use for this right now, but I might in the future. Thanks, Zecoxao.
As I said I don't think it is worth anything, sorry for posting here, I just did not want to make a new topic if it is not useful :|

Zecoxao

Re: Some MIPS definitions

Post by Zecoxao » Fri Dec 03, 2010 3:24 pm

$PsPhaKeR wrote:More descriptive please, whatever :D
btw good tut
I'm working on it, but it'll take some time because there are many instructions available. Will finish it and show it as spoiler, so it doesn't make a very large page ;)

m0skit0

Re: Some MIPS definitions

Post by m0skit0 » Fri Dec 03, 2010 3:30 pm

There are plenty of MIPS references out there. I don't see why you should waste your time re-writing them. Just an opinion though.

Zecoxao

Re: Some MIPS definitions

Post by Zecoxao » Fri Dec 03, 2010 3:52 pm

m0skit0 wrote:There are plenty of MIPS references out there. I don't see why you should waste your time re-writing them. Just an opinion though.
Yes I know, but people like having their work done for them, beats me why, though :? ...

m0skit0

Re: Some MIPS definitions

Post by m0skit0 » Fri Dec 03, 2010 10:31 pm

Laziness? Don't help them be lazy! :lol: ;)

Nymphaea

Re: Some MIPS definitions

Post by Nymphaea » Sat Dec 04, 2010 5:47 pm

Zecoxao wrote:Basics
CPU Registers
$zr -> Zero Register, always contains 0x00000000
$at -> Assembler temporary, can generally ignore this
$v0-v1 -> Function return values, these tend to be easily changed from loading functions
$a0-a3 -> Function arguments, if you have control of these you will need to look into the following functions
$t0-t9 -> Temporaries, usually useless, may be useful depending how they are used
$s0-s7 -> Saved temporaries, should keep an eye on these in complex sections of code, can be useful
$k0-k1 -> Kernel registers, defines the exception handling
$gp -> Global data Pointer, name kind of says it all
$sp -> Stack Pointer, VERY useful in more complex sections of code, contain old $ra values and $s# values
$fp -> Frame Pointer, points to somewhere in the stack, only used by some(usually large) functions
$ra -> Return Address, easiest register to exploit if you have control
Instruction Syntax
LOAD AND STORE
la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
li: load immediate
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word
COMPUTE
Nymphaea's note: "Unsigned" in MIPS is kind of a misnomer from what I've seen/heard

add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
sltu: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal
JUMP AND BRANCH
Nymphaea's first note: Jumps and branches (basically the same thing) usually happen within a single function, except jr $ra (end of function), jal (jumps to function/subroutine), and jalr (jumps to smaller functions, sometimes exploitable)
Nymphaea's second note: All jumps and branches have a "delay slot", a function that is placed right after it, but happens at the same time as the jump. Branches can also have a "likely" added to them (by adding an "l" to the end of the name), which makes the delay slot be executed ONLY if the condition is true.

j: Jump
jr: Jump to Register value
jal: Jump And Link
jalr: Jump And Link Register
beq: Branch on EQual
bge: Branch on Greater than or Equal
bgeu: Branch on Greater than or Equal Unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
SPECIAL
break: break
mfhi: move from high
mflo: move from low
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call
Cleaned up a little; I left out the parts that I don't know much about XP. I left in all the instructions (except b and bal, which don't exist), though I'm sure a large amount of them are wrong; possibly you're looking at a different version of MIPS? You also completely left out the "likely" variations of branches, which show up a lot in the PSP. I added a few notes (would like some verification on the unsigned thing, I believe I remember hearing that it has something to do with overflow/underflow on MIPS, at least with the math functions) to help; the jump ones are kind of important.

I HIGHLY suggest you go through all the instructions, and capitalize the letters in the name that are in the instruction, I find it helps me to remember the instruction if I know what each letter stands for.

And I would agree with m0skit0, but I find MIPS isn't overly easy to find info about, especially "likely" branches tend to be confused a lot. PSP also has a few unique instructions I believe. It would be helpful for people getting started if there was a big resource here. I highly suggest if you plan to learn, go through crash logs/disasm's and try understanding it, I learned MIPS in a few days going through dozens of logs (Thank you TiPi :P)

Here's the BBCode for above, if you're too lazy to retype it all yourself XP (Remember I left some things out, don't overwrite your post with this)


[size=150][u]Basics[/u][/size]
[spoiler=CPU Registers]$zr -> Zero Register, always contains 0x00000000
$at -> Assembler temporary, can generally ignore this
$v0-v1 -> Function return values, these tend to be easily changed from loading functions
$a0-a3 -> Function arguments, if you have control of these you will need to look into the following functions
$t0-t9 -> Temporaries, usually useless, may be useful depending how they are used
$s0-s7 -> Saved temporaries, should keep an eye on these in complex sections of code, can be useful
$k0-k1 -> Kernel registers, defines the exception handling
$gp -> Global data Pointer, name kind of says it all
$sp -> Stack Pointer, VERY useful in more complex sections of code, contain old $ra values and $s# values
$fp -> Frame Pointer, points to somewhere in the stack, only used by some(usually large) functions
$ra -> Return Address, easiest register to exploit if you have control[/spoiler]
[size=150][u]Instruction Syntax[/u][/size]
[spoiler=LOAD AND STORE]la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left 
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
li: load immediate
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word[/spoiler]
[spoiler=COMPUTE]Nymphaea's note: "Unsigned" in MIPS is kind of a misnomer from what I've seen/heard

add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
sltu: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal[/spoiler]
[spoiler=JUMP AND BRANCH]Nymphaea's first note: Jumps and branches (basically the same thing) usually happen within a single function, except jr $ra (end of function), jal (jumps to function/subroutine), and jalr (jumps to smaller functions, sometimes exploitable)
Nymphaea's second note: All jumps and branches have a "delay slot", a function that is placed right after it, but happens at the same time as the jump. Branches can also have a "likely" added to them (by adding an "l" to the end of the name), which makes the delay slot be executed ONLY if the condition is true.

j: Jump
jr: Jump to Register value
jal: Jump And Link
jalr: Jump And Link Register
beq: Branch on EQual
bge: Branch on Greater than or Equal
bgeu: Branch on Greater than or Equal Unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link[/spoiler]
[spoiler=SPECIAL]break: break
mfhi: move from high
mflo: move from low 
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call[/spoiler]
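Nymphaea's second note (the delay slot, and the "likely" branches that nullify it) is the part of the thread people most often misread when they step through a crash in psplink, so here is an added example that is not code from the thread: a tiny Python model of MIPS branch execution. It runs a hand-assembled program (constructed for this example; branch and jump targets are absolute instruction indices rather than the real PC-relative encoding, a deliberate simplification) and records which instructions actually executed. Only addiu, nop, j and the beq/bne/beql/bnel family are modelled.

```python
# Branch mnemonics in the model: True = branch when equal, False = branch when not equal.
BRANCHES = {"beq": True, "bne": False, "beql": True, "bnel": False}

MASK32 = 0xFFFFFFFF


def _exec_simple(instr, regs):
    """Execute one non-control-flow instruction in place."""
    op, *args = instr
    if op == "nop":
        return
    if op == "addiu":
        rd, rs, imm = args
        if rd != "zr":                       # $zr is hard-wired to zero
            regs[rd] = (regs.get(rs, 0) + imm) & MASK32
        return
    raise ValueError("unsupported instruction: %r" % (instr,))


def run(program, max_steps=10_000):
    """Run a list of (mnemonic, operands...) tuples; return (regs, executed).

    Targets are absolute instruction indices (simplification). `executed` is
    the index of every instruction that really ran, so the delay-slot rules
    are visible in the trace rather than only in the final register values."""
    regs = {"zr": 0}
    executed = []
    pc = 0
    while 0 <= pc < len(program):
        if max_steps == 0:
            raise RuntimeError("step limit hit (infinite loop?)")
        max_steps -= 1
        instr = program[pc]
        op = instr[0]
        slot = pc + 1                        # the delay slot is always the next instruction
        if op in BRANCHES:
            rs, rt, target = instr[1:]
            taken = (regs.get(rs, 0) == regs.get(rt, 0)) == BRANCHES[op]
            likely = op.endswith("l")
            # Ordinary branch: the slot executes whether or not the branch is taken.
            # "Likely" branch: the slot is nullified when the branch is NOT taken.
            if slot < len(program) and (taken or not likely):
                _exec_simple(program[slot], regs)
                executed.append(slot)
            pc = target if taken else slot + 1
        elif op == "j":
            target = instr[1]
            if slot < len(program):          # unconditional: the slot always executes
                _exec_simple(program[slot], regs)
                executed.append(slot)
            pc = target
        else:
            _exec_simple(instr, regs)
            executed.append(pc)
            pc += 1
    return regs, executed


# Constructed program exercising all three cases.
PROGRAM = [
    ("addiu", "t0", "zr", 1),    # 0: t0 = 1
    ("bne",   "t0", "zr", 4),    # 1: taken (t0 != 0); slot at 2 runs regardless
    ("addiu", "t1", "zr", 10),   # 2: delay slot -> t1 = 10
    ("addiu", "t2", "zr", 99),   # 3: jumped over, never runs
    ("beql",  "t0", "zr", 7),    # 4: NOT taken; "likely" -> slot 5 is nullified
    ("addiu", "t3", "zr", 20),   # 5: never runs, t3 stays unset
    ("beq",   "t0", "zr", 9),    # 6: NOT taken; ordinary branch -> slot 7 still runs
    ("addiu", "t4", "zr", 30),   # 7: delay slot -> t4 = 30
    ("addiu", "t5", "zr", 40),   # 8: fall-through -> t5 = 40
]

if __name__ == "__main__":
    regs, executed = run(PROGRAM)
    print("executed:", executed)
    print("regs:", regs)
```

The trace is what matters when reading a crash backwards: the instruction after a bne/beq/jr has already run by the time control arrives at the target, so a value loaded in that slot is live at the target, while the slot after a not-taken beql/bnel has not run at all.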
