This is a kernel plugin that lets you run bare-metal (i.e. without an OS beneath) payloads in ARMv7 non-secure System mode.

At first, the plugin allocates a physically contiguous buffer where it loads the payload (PAYLOAD_PATH in config.h). Then it triggers a power standby request and when PSVita OS is about to send the Syscon command to actually perform the standby, it changes the request type into a soft-reset and the resume routine address to a custom one (resume.S).

Once the PSVita wakes from the soft-reset, the custom resume routine identity maps the scratchpad (address 0x1F000000) using a 1MiB section. Then the payload bootstrap code (payload_bootstrap.S) is copied to the scratchpad and a jump is done to that location afterwards (passing some parameters such the payload physical address).

Since the payload bootstrap code is now in an identity-mapped location, it can proceed to disable the MMU and copy the payload from the previously allocated physically contiguous buffer to its destination address (PAYLOAD_PADDR in config.h), to finally jump to it.

Compilation:

• vitasdk is needed.

Installation:

1. Copy your payload to your PSVita (default path is ux0:/baremetal/payload.bin)
2. Copy baremetal-loader.skprx to your PSVita (or baremetal-loader_363.skprx if your FW is ≥ 3.63)
3. Load the plugin

Check vita-baremetal-sample as sample payload to be loaded with this plugin.

Thanks to everybody who contributes to wiki.henkaku.xyz and helps reverse engineering the PSVita OS.