From PS3 Developer wiki
Jump to: navigation, search


Loaders are used for loading other modules.

Commonly found in CoreOS and Flash.

Known loaders[edit]

Loader Location Type Remarks
bootldr Flash Boot Loader primary loader from chain of trust
metldr Flash Meta Loader aka asecure_loader. Loads other loaders
appldr CoreOS Application Loader loads userspace [f]selfs e.g. vsh.self, videoplayer_plugin.sprx, disc EBOOT.BINs, NPDRM EBOOT.BINs
isoldr CoreOS Isolation Loader loading isolated SPU modules
lv1ldr CoreOS Hypervisor Loader loads lv1.self (Hypervisor)
lv2ldr CoreOS Supervisor Loader loads lv2_kernel.self (Supervisor kernel)

Loader encapsulation in lv0[edit]

version decrypted SHA1 hash isoldr appldr lv1ldr lv2ldr Remarks
3.60 7A051A4A228C5C7256B9DD3ECC0CFABB605490E3 D/L ; contains weird 2nd loaders that could not be decrypted (named [loader name]_2)
3.61 832CE19B420895B7C89D0DD3D346B9B4254F0902
3.65 C9F7F42BFB30A9FB9FF1394D18F8C490FA20E51D
3.66 110CEA044B059AC8E89C52121DD94EB062605180
3.70 B0CE989CEA9994A7424BC64C49B477ACB9759C45
3.73 17E363EC32AE2C35410250FD147500EAB27C7229
3.74 048C7F30C6FEC76029DE7107C6EA825D778464D3
4.00 B1BD5C738EA8B4C5882DF3816802042015E57765
4.01 DB42B9FC98E927536F9BDE68517DC7EF6A3E7630
4.10 ED6B89DE996DA92B670A515342E5BA44C506CCB8
4.11 5A80C633C7679FB24FEC9E603058A65010F1CC59
4.20 69F14D7512177EAE3DB6A00764CB242D1683511C
4.21 DB4E4CF6A795D8AB93200B4ACDA7978028601EDC
4.23 AC7BDA2E7E093D4FDDE801FAFAB42F55B92506C4
4.25 A6DE36E9178C75B3C557E3056C8BAE5A13C83038
4.26 042ACDE3A986B50F8C58450798DD866130EB85EA
4.30 44A048CC7F990A9EE5400695BC0D9EE283BAB02F

Stop Codes[edit]

Stop Code Module Remark
0x30 isoldr/appldr Version mismatch (isoldr version differs from version returned by SPU channel 73).
0x16 isoldr Revoke List Error
0x17 isoldr Adresses needs to be aligned
0x21 lv1ldr  ???
0x27 appldr SPU arg at 0x3E840
0x20 metldr header error
0x23 metldr ECDSA signature failure


When booting, lv1ldr store its version in this region writing to ch_72.
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)

Note: this version check was recently added, maybe in fw 3.41

//for ch_73_round_0
data0 = 0x00030041;
//for ch_73_round_1
data1 = 0x00000000;


Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.

LS Parameters Layout[edit]

Address Usage Comments
0x34CB0 Unknown DMA read from ch74 20 times.
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments


Used to verify and decrypt lv2 selfs (lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self, ps2_netemu.self)

LS Parameters layout[edit]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments
0x3F000 Program revoke list


Size Name Value
u64 lpar_auth_id 0x1070000002000001
u8 *lv2_in lv2 self - address in ram
u8 *lv2_out where to decrypt lv2 - address in ram
u64 field18 -1
u8[40] res1 Unknown / Not used
u64 field48 1
u8[16] res2 Unknown / Not used


Used for loading isolated SPU modules.

LS Parameters layout[edit]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E400 EID0
0x3E800 Arguments
0x3EC00 QA-Token If not used set to -1
0x3F000 Program revoke list

Stop Codes[edit]

Stop Code Remark
0x0D Revocation check failed.
0x0E Signature check failed.
0x0F Revoke list verification failed.
0x11 Revoke list verification failed (header).
0x12 SELF segment verification internal error.
0x13 SELF verification failed.
0x16 Revoke list verification failed.
0x17 Isolated module EA is not aligned.
0x1D SELF segment verification internal error (ELF32 header).
0x25 Auth-ID error?


Depending which isolated module you want to load, you would need to pass it different arguments.

Size Name spp_verifier
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 Profile - address in ram
u64 spu_module_arg1_size sizeof(profile)
u64 *spu_module_arg2 Not used
u64 spu_module_arg2_size Not used
u8 res1[16] Unknown
u64 field48 3
u8 res2[16] Unknown
Size Name aim_spu_module
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 aim_spu_args - address in ram
u64 spu_module_arg1_size 0x80
u64 *spu_module_arg2 eid0 - address in ram
u64 spu_module_arg2_size sizeof(eid0)
u64 field48 3
union aim_spu_args {
	struct {
		void *buf;           // debug_info buffer address
		u64 buf_size;        // debug_info buffer size
		u32 param;           // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid
	} in;

	struct {
		u8 result[0x10];     // no need to explain...
	} out;