SharkPlushie

WARNING I use Linux as my main OS, I do not know if any of this will work on Windows or MacOS! WARNING

Table of contents

1. What is VitaGrafix?
2. Requirements
3. How do I begin?
4. Obtaining the ELF file with FAGDec
5. Setting up Ghidra
6. Patching VitaLoaderRedux
7. Making a new project in Ghidra
8. Importing the ELF file into Ghidra
9. Finding the codes that lock FPS
10. Testing the game

What is VitaGrafix?

Copied from their github repo

VitaGrafix is a taiHEN plugin that allows you to change resolution and FPS cap of PS Vita games (to get better visuals, higher FPS or longer battery life).

Requirements

• A hacked PSVita
• FAGDec
• VitaShell
• Ghidra
• VitaLoaderRedux
• VitaSDK Documentation
• Paru AUR Helper
• Patience, a lot of it

How do I begin?

A question I often ask myself when I start something new, how do I begin? You don’t have to be a programmer or hacker to make your own patches, really. All you need is a hacked PSVita, patience and the ability to read and understand the VitaSDK documentation and maybe some good drink.

I expect you to have a hacked PSVita and have a basic knowledge of VitaShell and installing apps.

Let me help you get started!

Obtaining the ELF file with FAGDec

Download FAGDec and install it via VitaShell.

This is what you will see when you first open FAGDec

Select the game you want to work on and press X.

If there is a patch installed, get the patch eboot.bin instead. There’s a big chance that the code we gotta patch is in there. Select it with X and it should appear on the right side of the screen like so

Now press the O button to go back and you will see this

Now we click on the START button on the PSVita and will see this.
Click on START DECRYPT(ELF)

This is the screen during decryption

When the decryption is done, you will see this

The file is now decrypted and stored on the PSVita at: “ux0:FAGDec/patch/PCSA00147/eboot.bin.elf”

To Copy the elf file from your PSVita to your pc, start VitaShell again and connect your vita to your computer (or you can use FTP, either way works).

Copy the file to your local pc so we can import it in Ghidra later.

My folder has a few more files in it, because of it being an older project I worked on before.

Installing Ghidra

o begin, we are going to install Ghidra and the required extension.
Open a terminal and execute the following:

paru ghidra And select extra/ghidra

Setting up Ghidra

Download the VitaLoaderRedux plugin, you do not have to extract it.

Start Ghidra.

You will then see this screen.

Click on File -> Install Extensions…

Click on the green plus sign on the top right of the new Install Extensions window and browse to the VitaLoaderRedux zip you just downloaded and select it.

Close Ghidra.

Patching VitaLoaderRedux

This is something that is not explained well and is a needed step if you want to follow. Open a file browser and go to your install of Ghidra, for example: “/home/yuki/.ghidra/.ghidra_10.3.2_DEV” Then go to “Extensions/VitaLoaderRedux/data/databases/”

Overwrite this file with this file: DefaultNIDDatabase.yamlThis file has a lot more

Restart Ghidra.

Making a new project in Ghidra

Click on File -> New Project…

Select Non-Shared Project and click on Next.

Make a new directory that will contain the current project files and give it a name.
Click on Finish.

You will now be presented with this:

Click on the green dragon to start the actual program.

This is what you will be presented with next:

Importing the ELF file into Ghidra

Now we are going to import the elf file we obtained via FAGDec.

Click on File -> Import File…

Navigate to the folder you saved it to and import it

Make sure the Format is set to: ARM ELF-PRX for PlayStation®Vita

Click on OK

Click on Yes

Keep defaults and click on Analyze

Click on OK

You will see this in the bottom right

Wait until this is completed before moving on. This can take a bit depending on your computer.

After taking a little break from the computer, it is done

Finding the codes that lock FPS

First things first, click on the Display Memory Map button

Here you will see that the first result starts at 81000000 and ends at 8266295b.
the second segment starts at 82663000 and ends at 82c97187.
Remember that these numers are

Write these numbers down somewhere, since we will need this later on.

Now that everything is finally set up and ready to go, we can look for what actually locks a game to 30 FPS. Most of the time, it’s not as simple as finding a line that says: FPS=30. You usually want to find something that implements a Vsync. Let’s take a look at the VitaSDK documentation.

We can see that this function is responsible for vlank (vsync, locking to a certain screen refresh rate)

Let’s check if that function exists

It seems like it does, now we right click the sceDisplayWaitVblankStart function on the left and select Show References to

The following screen will now popup

If you click on the first result (blx), Ghidra will point to the (usually) correct spot in the file.

Write down what the current address is of the line we want to nop out.

The line in my example is 81bebe5a.

Remember the Start and End we had to note down from the Memory Map? It’s time to use them.

We can see that our code is in between the first 2 numbers, segment 0.

To get the correct address for VitaGrafix, we have to do some simple math, but in hexadecimals. I use: Hex Calculator

We need to subtract the Start number with our address, so: 81000000-81bebe5a=BEBE5A

To test if it is this address, we can nop out this function.

Before we can even do anything, we need to boot the game once first so we get a log in VitaGrafix, so boot your game.

Open VitaShell on your PSVita and enable transfer mode, either USB or FTP.

Navigate to /ux0:/data/VitaGrafix and open log.txt. It should look like this:

VitaGrafix v5.0.2
=======================================
[MAIN] Title ID: PCSA00147
[MAIN] SELF: ux0:/patch/PCSA00147/eboot.bin
[MAIN] NID: 0xB8925727
=======================================
[IO] Parsing ux0:data/VitaGrafix/patch/PCSA00147.txt
[PATCH] Patching seg000 : 00C4F6B6 to C4 F2 70 21, size=4
[PATCH] Patching seg000 : 00C522D4 to 5F F4 20 7B, size=4
[PATCH] Patching seg000 : 00C522D8 to 5F F4 B8 7A, size=4
[PATCH] Patching seg000 : 00C51F62 to 5F F4 20 70, size=4
[PATCH] Patching seg000 : 00C51F6A to 5F F4 B8 75, size=4
[PATCH] Patching seg000 : 0103A348 to 5F F4 20 70, size=4
[PATCH] Patching seg000 : 0103A34E to 5F F4 B8 70, size=4
[PATCH] Patching seg000 : 0103A0F0 to 5F F4 20 71, size=4
[PATCH] Patching seg000 : 0103A0F6 to 5F F4 B8 72, size=4
[PATCH] Patching seg000 : 0069F3A2 to 5F F4 20 71, size=4
[PATCH] Patching seg000 : 0069F3A6 to 5F F4 B8 72, size=4
[PATCH] Patched 44 bytes in 11 patches and it took 3ms
[PATCH] 2 total game patches found in patch list

We want to copy the Title ID and NID.

Navigate to /ux0:/data/VitaGrafix and make a folder called patch.

In this folder, make a new file called PCSA00147.txt or whatever your game’s ID is.

Now, put in the following:

# Freedom Wars
[PCSA00147, eboot.bin, 0xB8925727] # [US, 1.22]
@FPS
0:0xC4F6B6 nop

Save the file and upload it back to the PSVita.

Now open ux0:/data/VitaGrafix/config.txt

To enable the config we just made, we add the following:

[PCSA00147]
ENABLED=1
OSD=1
FPS=60

The number 60 behind FPS won’t do anything, really. It’s just a placeholder for now.

Testing the game

Launch your game and see if it has the lock removed or not.

If it does, congratulations.

If it doesn’t, well.. You’ll have to dig some deeper into the eboot.elf file and the vita documentation. It’s not always as simple as this, something you need to nop out multiple address, or even edit them entirely.

---

Filed under: Reverse Engineering - @ August 25, 2023 12:57 pm

Tags: ghidra, hacking, vita, vitagrafix