Loaders

From PS3 Developer wiki
Jump to: navigation, search

Explaination[edit]

Loaders are used for loading other modules.

Commonly found in CoreOS and Flash.


Known loaders[edit]

Loader Location Type Remarks
bootldr Flash Boot Loader primary loader from chain of trust
metldr Flash Meta Loader aka asecure_loader. Loads other loaders
appldr CoreOS Application Loader loads userspace [f]selfs e.g. vsh.self, videoplayer_plugin.sprx, disc EBOOT.BINs, NPDRM EBOOT.BINs
isoldr CoreOS Isolation Loader loading isolated SPU modules
lv1ldr CoreOS Hypervisor Loader loads lv1.self (Hypervisor)
lv2ldr CoreOS Supervisor Loader loads lv2_kernel.self (Supervisor kernel)

Loader encapsulation in lv0[edit]

version decrypted SHA1 hash isoldr appldr lv1ldr lv2ldr Remarks
3.60 7A051A4A228C5C7256B9DD3ECC0CFABB605490E3 D/L ; contains weird 2nd loaders that could not be decrypted (named [loader name]_2)
3.61 832CE19B420895B7C89D0DD3D346B9B4254F0902
3.65 C9F7F42BFB30A9FB9FF1394D18F8C490FA20E51D
3.66 110CEA044B059AC8E89C52121DD94EB062605180
3.70 B0CE989CEA9994A7424BC64C49B477ACB9759C45
3.72 E6ABA3DBBAB9CCCFA8B9D4C75AF9BC2CD2A470CC
3.73 17E363EC32AE2C35410250FD147500EAB27C7229
3.74 048C7F30C6FEC76029DE7107C6EA825D778464D3
4.00 B1BD5C738EA8B4C5882DF3816802042015E57765
4.01 DB42B9FC98E927536F9BDE68517DC7EF6A3E7630
4.10 ED6B89DE996DA92B670A515342E5BA44C506CCB8
4.11 5A80C633C7679FB24FEC9E603058A65010F1CC59
4.20 69F14D7512177EAE3DB6A00764CB242D1683511C
4.21 DB4E4CF6A795D8AB93200B4ACDA7978028601EDC
4.23 AC7BDA2E7E093D4FDDE801FAFAB42F55B92506C4
4.25 A6DE36E9178C75B3C557E3056C8BAE5A13C83038
4.26 042ACDE3A986B50F8C58450798DD866130EB85EA
4.30 44A048CC7F990A9EE5400695BC0D9EE283BAB02F

Stop Codes[edit]

Stop Code Module Remark
0x30 isoldr/appldr Version mismatch (isoldr version differs from version returned by SPU channel 73).
0x16 isoldr Revoke List Error
0x17 isoldr Adresses needs to be aligned
0x21 lv1ldr  ???
0x27 appldr SPU arg at 0x3E840
0x20 metldr header error
0x23 metldr ECDSA signature failure

0x27

When booting, lv1ldr store its version in this region writing to ch_72.
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)

Note: this version check was recently added, maybe in fw 3.41

//for ch_73_round_0
data0 = 0x00030041;
//for ch_73_round_1
data1 = 0x00000000;

lv1ldr[edit]

Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.

LS Parameters Layout[edit]

Address Usage Comments
0x34CB0 Unknown DMA read from ch74 20 times.
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments

lv2ldr[edit]

Used to verify and decrypt lv2 selfs (lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self, ps2_netemu.self)

And to install RVK-list.

LS Parameters layout[edit]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments
0x3F000 Program revoke list

Arguments[edit]

Size Name Value
u64 lpar_auth_id 0x1070000002000001
u8 *lv2_in lv2 self - address in ram
u8 *lv2_out where to decrypt lv2 - address in ram
u64 field18 -1
u8[40] res1 Unknown / Not used
u64 field48 1
u8[16] res2 Unknown / Not used

appldr[edit]

Used to verify and decrypt userland program/data segments (system libraries, vsh and its modules, games, edat and sdat files)
Allows to authenticate fselfs by following Target_ids from EID0: 0x81, 0x82, 0xA0.

LS Parameters layout[edit]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E400 EID0
0x3E800 Arguments
0x3EC00 QA-Flag Info u64 qaflag_exist_flag //If existed, set to 0, otherwise -1
u64 unk0 //always 0
u8[0x50] qa_token
u8[0x2A] qa_token_signature
u8[0x6] padding
0x3EE00 LV2 Protection Info u64 hashed memory effective addr
u64 hashed memory size
u8[0x14] expected_hmac_hash
u8[0xC] padding
0x3F000 Program revoke list

Arguments[edit]

For authenticate_program_segment, firmware 0.8x

Size Name Value
u64 program_auth_id subject program authority id
u64 lpar_auth_id subject logical partition authority id
u64 self_header_addr
u64 program_segment_addr
u64 program_segment_index
u64 destination_addr where to decrypt
u64 capability_addr capability flags will be placed to this addr
u64 flag
u64 field40 unknown/pad
u64 field48 2 (on modern fws it could be 2 or 3 or 5)

For authenticate_program_segment, firmware 4.7x

Size Name Value
u64 subarguments_addr subarguments effective address
u64 lpar_auth_id subject logical partition authority id
u64 field48 5 (checked by appldr, if doesnot match -> appldr will be stoped with err code 0x27)

subarguments

Size Name Value
u64 program_auth_id
u64 self_header_addr
u64 program_segment_addr?
u32 segment_type 0 for phdrs, 1 for shdrs
u32 program_segment_index segment number
u64 destination_addr
u64 capability_addr capability flags (0x20 bytes) will be copyed at this effective addr
u64 flag some flags // flag & 0xFFFF must be <=2 for APP, 3 for UNK7/seven, 4 for NPDRM_APP, 5 for EDAT
u64
u64
u64
u64
u64
u8[0x10] sceNpDrmKey
u64 header_key_check_result_addr ppu addr to send the result.
u64

isoldr[edit]

Used for loading isolated SPU modules.

LS Parameters layout[edit]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E400 EID0
0x3E800 Arguments
0x3EC00 QA-Token If not used set to -1
0x3F000 Program revoke list

Stop Codes[edit]

Stop Code Remark
0x0D Revocation check failed.
0x0E Signature check failed.
0x0F Revoke list verification failed.
0x11 Revoke list verification failed (header).
0x12 SELF segment verification internal error.
0x13 SELF verification failed.
0x16 Revoke list verification failed.
0x17 Isolated module EA is not aligned.
0x1D SELF segment verification internal error (ELF32 header).
0x25 Auth-ID error?

Arguments[edit]

Depending which isolated module you want to load, you would need to pass it different arguments.

Size Name spp_verifier
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 Profile - address in ram
u64 spu_module_arg1_size sizeof(profile)
u64 *spu_module_arg2 Not used
u64 spu_module_arg2_size Not used
u8 res1[16] Unknown
u64 field48 3
u8 res2[16] Unknown
Size Name aim_spu_module
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 aim_spu_args - address in ram
u64 spu_module_arg1_size 0x80
u64 *spu_module_arg2 eid0 - address in ram
u64 spu_module_arg2_size sizeof(eid0)
u64 field48 3
union aim_spu_args {
	struct {
		void *buf;           // debug_info buffer address
		u64 buf_size;        // debug_info buffer size
		u32 param;           // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid
	} in;

	struct {
		u8 result[0x10];     // no need to explain...
	} out;
};