TaiHEN Vita

taiHEN
General
Author	Team Molecule
Type	Custom Firmwares
Version	0.11
License	MIT License
Last Updated	2018/02/21
Links
Download
Website
Source

taiHEN is a CFW framework for PS Vita™. When loaded with a kernel exploit, it acts as a common substrate for patching the system. taiHEN provides three main facilities:

• It disables code signature checks to allow unsigned executables.
• It exposes kernel peek/poke syscalls to user applications and allows loading of kernel modules.
• Most importantly, it provides an API for hooking and replacing functions based off of technology similar to Cydia Substrate (specifically thanks to substitute).

The last point means that developers can add custom patches to kernel, system applications, and games alike.

taiHEN requires a separate kernel exploit to run. Once the exploit loads taihen.skprx to the kernel, taiHEN will take care of the rest.

Please refer to https://vita.hacks.guide/, or documentations for the exploit for more information.

Plugin configuration

Plugins are loaded either into kernel after taiHEN is loaded or on demand when an application is launched. taiHEN reads the configuration file in ux0:tai/config.txt (or ur0:tai/config.txt).

The configuration that determines the plugins to load and the load order can be found in ux0:tai/config.txt (or ux0:tai/config.txt). The format is very simple and self explanatory.

# ignored line starting with #
# Kernel plugins are started with taiHEN and are in this section
*KERNEL
ux0:app/MLCL00001/henkaku.skprx
ux0:path/to/another.skprx
ux0:tai/plugin3.skprx
ux0:data/tai/plugin4.skprx
ux0:data/tai/plugin5.skprx
# titleid for SceSettings
*NPXS10015
ux0:app/MLCL00001/henkaku.suprx
ux0:data/tai/some_settings_plugin.suprx
# titleid for Package Installer
*NPXS10031
ux0:path/to/some_pkg_installer_plgin.suprx
# titleid for SceShell is special (does not follow the XXXXYYYYY format)
*main
ux0:app/MLCL00001/henkaku.skprx
ux0:data/tai/shell_plgin.skprx

The key things to note are:

• # begins a comment, * begins a section, and any other character begins a path.
• KERNEL is a special section name denoting to load a kernel plugin when taiHEN is started up. All other section names are the title id of the application/game in which to load the plugin at startup. Note that SceShell has a special title id of main.
• In each section, there is a list of plugin paths that will be loaded in order. Paths can be anywhere but it is recommended that plugins reside in ux0:tai or ux0:data/tai. It is valid to have one plugin in multiple sections but the developer must ensure that the plugin knows which application it is loaded in if it needs to do things differently.

API

taiHEN exports an API interface both to kernel and to user. This interface is found in the [documentation pages](@ref taihen). You should also read the usage guide for more details. You can either download the release or build taiHEN yourself. After that, you can include taihen.h in your project and link with libtaihen_stub.a (for user modules) or libtaihen_kernel_stub.a (for kernel modules).

v0.11

• Add delayed config loading to allow config to be reloaded from module_start. The main use-case here is if a kernel module defined in *KERNEL wishes to refresh the config. Previously there will be a use-after-free as it tries to free the old config while it is still being parsed. Now that's been fixed and it supports re-loading the config (delayed) after the first parse is complete.

v0.10

• Hold L at start of an application to skip loading user plugins. This also means that if you have Ensō and hold L at boot, you should skip loading of SceShell plugins as well.

v0.9

• Added recovery option to skip loading all plugins (kernel and user) by holding L1.
• If using HENkaku from the web or with the offline installer, hold L1 after the bootstrap installer starts up.
• If using Enso, hold L1 and power on the Vita. You can still reuse plugins by calling taiReloadConfig even if you started taiHEN without plugin loading.

v0.8

• Alternative config file at "ur0:tai/config.txt" loads if "ux0:tai/config.txt" is not found.

v0.7

• Fixed a memory leak where a reference was not decremented.
• Mitigation for a SCE bug that limits the number of plugins that can be loaded per application.
• API Change: When "TAI_MAIN_MODULE" is used, the first loaded module will always be returned. This should be transparent to most plugins except the main change is that you can use TAI_MAIN_MODULE for SceShell now.

v0.6

• Module is now compressed.
• API change: "TAI_MAIN_MODULE" can be passed as a parameter to functions that take a module name. This will resolve to the default main module (aka the eboot.bin of the loaded application).

v0.5

• Add new developer exports "module_get_by_name_nid", "module_get_offset", "module_get_export_func", and "module_get_import_func" for advanced users. Headers not provided because these functions are not recommended for normal users.
• Integrated latest version of substitute with bug fixes for certain types of function hooks.

v0.4

• Implemented clean-up of user hooks on process termination.
• Added more APIs for kernel module loading and process module loading.
• Fixed bug where stack size was too small in syscall leading to crash when hooking or unhooking (seen by suprx loading skprx).
• Added checks to prevent hooking of unresolved weak imports (see docs for details on how to hook weak imports).
• Fixed bug in assembling the outro for BL instructions (can be seen by crash when hooking "app_start").
• Fixed bug where "taiGetModuleInfo" does not retrieve all modules.
• Fixed bug where kernel module stopping crashes.

v0.3

• Fixed issue with user loading of kernel module not working.
• Minor stability fixes.

v0.2

• NID poisoning disabled, allows for user hooks of imports.
• Configuration parsing/loading.
• Fixed race condition in "sceKernelMemPoolCreate".
• Fixed bug in "taiLoadKernelModule" and related function.

• Official website - https://tai.henkaku.xyz/
• GitHub - https://github.com/yifanlu/taiHEN
• VitaDB - https://vitadb.rinnegatamante.it/#/info/143