User talk:JuanNadie

From PS3 Developer wiki

Current projects

Bootldr

Status: Stopped until "how the config ring is loaded" is discovered.

Log:

INCOMPLETE BTLDR DMA SEQUENCE.  BTLDR len 0x2F53

Copyright JuanNadie

INITIALIZING REGISTERS:

0000: 0x0000020000511048 <- 0x3E008 1F 26 00 00 00 00 00 00 (0x8)
0001: 0x0000020000511448 <- 0x3E008 08 26 00 00 00 00 00 00 (0x8)
0002: 0x0000020000512008 <- 0x3E008 04 00 00 00 00 00 00 00 (0x8)
0003: 0x0000020000513008 <- 0x3E008 04 00 00 00 00 00 00 00 (0x8)
0004: 0x0000020000511800 <- 0x3E000 88 06 80 00 00 00 00 00 (0x8)

INIT TERMINAL (probably the txx9 serial described in linux scc-sio). The same sequence can be found in lv1ldr.

0005: 0x0000024000FFF508 <- 0x3E008 00 00 FF 00 (0x4)
0006: 0x0000024000FFF530 <- 0x3E000 00 00 FF A0 (0x4)
0007: 0x0000024000FFF310 <- 0x3E000 00 00 80 8F (0x4)
0008: 0x0000024000FFF310 <- 0x3E000 00 00 00 8E (0x4)
0009: 0x0000024000FFF300 <- 0x3E000 00 00 40 20 (0x4)
000A: 0x0000024000FFF304 <- 0x3E004 00 00 00 00 (0x4)
000B: 0x0000024000FFF314 <- 0x3E004 00 00 00 02 (0x4)
000C: 0x0000024000FFF318 <- 0x3E008 00 00 00 17 (0x4)

SEND SYSCON INITIALIZATION PACKAGE. EXPECTS 0x000002400008CFF8 to be -1ULL

000D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
000E: 0x000002400008DFF0 <- 0x3E000 00 00 00 00 (0x4)
000F: 0x000002400008DFF4 <- 0x3E004 00 00 00 00 (0x4)
0010: 0x000002400008DFF2 -> 0x3E002 00 00 (0x2)
0011: 0x000002400008CFF6 -> 0x3E006 00 00 (0x2)
0012: 0x000002400008D000 <- 0x3E000 FF 01 00 00 00 00 81 00 00 00 00 00 00 01 00 01 01 00 00 00 00 00 FE 7C 00 00 00 00 00 00 00 00 (0x20)
0013: 0x000002400008DFF0 <- 0x3E000 00 01 00 01 (0x4)
0014: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0015: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0016: 0x000002400008CFF8 -> 0x3E008 FF FF FF FF FF FF FF FF (0x8)

THIS MESSAGE PROBABLY ASKS IF COMMAND XX (PAYLOAD BYTE 2) IS ALLOWED. IN THIS CASE 0x14 (NVS_READ/WRITE SC EEPROM)

0017: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0018: 0x000002400008DFF2 -> 0x3E002 00 01 (0x2)
0019: 0x000002400008CFF6 -> 0x3E006 00 01 (0x2)
001A: 0x000002400008D000 <- 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 02 00 02 01 14 00 00 00 00 FF 33 00 00 00 00 00 00 00 00 (0x20)
001B: 0x000002400008DFF0 <- 0x3E000 00 02 00 02 (0x4)
001C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
001D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 00 14 02 00 FF FF FF 2E 
001E: 0x000002400008CFF2 -> 0x3E002 00 02 (0x2)
001F: 0x000002400008DFF6 -> 0x3E006 00 01 (0x2)
0020: 0x000002400008CFF6 -> 0x3E006 00 02 (0x2)
0021: 0x000002400008CFF2 -> 0x3E002 00 02 (0x2)
0022: 0x000002400008DFF6 -> 0x3E006 00 01 (0x2)
0023: 0x000002400008C000 -> 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 (0x10)
0024: 0x000002400008C000 -> 0x3E000 18 01 00 01 00 00 80 1A 00 00 00 00 00 04 00 04 00 14 02 00 FF FF FF 2E 41 41 41 41 41 41 41 41 (0x20)
0025: 0x000002400008DFF4 <- 0x3E004 00 02 00 02 (0x4)
0026: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)


READ SC EEPROM BLOCK 2 offset 0 len 0x20

0027: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0028: 0x000002400008DFF2 -> 0x3E002 00 02 (0x2)
0029: 0x000002400008CFF6 -> 0x3E006 00 02 (0x2)
002A: 0x000002400008D000 <- 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 04 00 04 20 02 00 20 00 00 FF 08 41 41 41 41 41 41 41 41 (0x20)
002B: 0x000002400008DFF0 <- 0x3E000 00 03 00 03 (0x4)
002C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
002D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 14 01 00 02 00 00 80 17 00 00 00 00 00 24 00 24 00 02 00 20 01 FF 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF FF 00 00 00 00 00 00 00 00 FF FF E8 F9 
002E: 0x000002400008CFF2 -> 0x3E002 00 03 (0x2)
002F: 0x000002400008DFF6 -> 0x3E006 00 02 (0x2)
0030: 0x000002400008CFF6 -> 0x3E006 00 03 (0x2)
0031: 0x000002400008CFF2 -> 0x3E002 00 03 (0x2)
0032: 0x000002400008DFF6 -> 0x3E006 00 02 (0x2)
0033: 0x000002400008C000 -> 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 24 00 24 (0x10)
0034: 0x000002400008C000 -> 0x3E000 14 01 00 02 00 00 80 17 00 00 00 00 00 24 00 24 00 02 00 20 01 FF 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF FF 00 00 00 00 00 00 00 00 FF FF E8 F9 41 41 41 41 41 41 41 41 (0x40)
0035: 0x000002400008DFF4 <- 0x3E004 00 03 00 03 (0x4)
0036: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

REQUEST PARAMETER. PROBABLY PLL_CLK_REF (400MHz)

0037: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0038: 0x000002400008DFF2 -> 0x3E002 00 03 (0x2)
0039: 0x000002400008CFF6 -> 0x3E006 00 03 (0x2)
003A: 0x000002400008D000 <- 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 03 10 00 00 00 00 FF 3D FF FF FF FF FF FF FF FF (0x20)
003B: 0x000002400008DFF0 <- 0x3E000 00 04 00 04 (0x4)
003C: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
003D: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 12 01 00 03 00 00 80 16 00 00 00 00 00 0C 00 0C 03 00 00 00 17 D7 84 00 00 00 00 00 FF FF FD C7 
003E: 0x000002400008CFF2 -> 0x3E002 00 04 (0x2)
003F: 0x000002400008DFF6 -> 0x3E006 00 03 (0x2)
0040: 0x000002400008CFF6 -> 0x3E006 00 04 (0x2)
0041: 0x000002400008CFF2 -> 0x3E002 00 04 (0x2)
0042: 0x000002400008DFF6 -> 0x3E006 00 03 (0x2)
0043: 0x000002400008C000 -> 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 0C 00 0C (0x10)
0044: 0x000002400008C000 -> 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 0C 00 0C 03 00 00 00 17 D7 84 00 00 00 00 00 FF FF FD C7 (0x20)
0045: 0x000002400008DFF4 <- 0x3E004 00 04 00 04 (0x4)
0046: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)


SET THE TBR ACCORDINGLY. CHANGES IF THE PREVIOUS VALUE CHANGES

0047: 0x0000020000509890 <- 0x3E000 00 00 00 00 00 00 00 4F (0x8)

AT THIS POINT SPU DECREMENTER ACTIVATES.... READ FROM 0x0000024000087000 PROBABLY CAN TIMEOUT.
0x0000024000087000 APPEARS TO BE SOME KIND OF STATUS.... the first byte & 0x7F have been seen taking values 0x01, 0x02, 0x03 and 0x04 and lv1ldr

0048: 0x0000024000087000 -> 0x3E000 01 00 00 00 (0x4)
0049: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
004A: 0x0000024000001F60 <- 0x3E000 01 00 04 BA (0x4)
004B: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
004C: 0x0000024000001C70 <- 0x3E000 0F F0 00 00 (0x4)
004D: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
004E: 0x0000024000001C74 <- 0x3E004 00 10 00 00 (0x4)
004F: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
0050: 0x0000024000FF9030 <- 0x3E000 00 10 00 00 00 30 30 0A (0x8)
0051: 0x0000024001000038 <- 0x3E008 FF (0x1)
0052: 0x0000024001000028 <- 0x3E008 00 (0x1)

THIS MESSAGE PROBABLY ASKS IF COMMAND XX (PAYLOAD BYTE 2) IS ALLOWED. IN THIS CASE 0x1B

0053: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0054: 0x000002400008DFF2 -> 0x3E002 00 04 (0x2)
0055: 0x000002400008CFF6 -> 0x3E006 00 04 (0x2)
0056: 0x000002400008D000 <- 0x3E000 18 01 00 04 00 00 80 1D 00 00 00 00 00 02 00 02 01 1B 00 00 00 00 FF 26 00 00 00 00 FF FF FD C7 (0x20)
0057: 0x000002400008DFF0 <- 0x3E000 00 05 00 05 (0x4)
0058: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0059: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 18 01 00 04 00 00 80 1D 00 00 00 00 00 04 00 04 00 1B 02 00 FF FF FF 21 
005A: 0x000002400008CFF2 -> 0x3E002 00 05 (0x2)
005B: 0x000002400008DFF6 -> 0x3E006 00 04 (0x2)
005C: 0x000002400008CFF6 -> 0x3E006 00 05 (0x2)
005D: 0x000002400008CFF2 -> 0x3E002 00 05 (0x2)
005E: 0x000002400008DFF6 -> 0x3E006 00 04 (0x2)
005F: 0x000002400008C000 -> 0x3E000 18 01 00 04 00 00 80 1D 00 00 00 00 00 04 00 04 (0x10)
0060: 0x000002400008C000 -> 0x3E000 18 01 00 04 00 00 80 1D 00 00 00 00 00 04 00 04 00 1B 02 00 FF FF FF 21 00 00 00 00 FF FF FD C7 (0x20)
0061: 0x000002400008DFF4 <- 0x3E004 00 05 00 05 (0x4)
0062: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

UNKNOWN

0063: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0064: 0x000002400008DFF2 -> 0x3E002 00 05 (0x2)
0065: 0x000002400008CFF6 -> 0x3E006 00 05 (0x2)
0066: 0x000002400008D000 <- 0x3E000 1B 01 00 05 00 00 80 21 00 00 00 00 00 02 00 02 10 00 00 00 00 00 FF 2A 00 00 00 00 FF FF FD C7 (0x20)
0067: 0x000002400008DFF0 <- 0x3E000 00 06 00 06 (0x4)
0068: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0069: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 1B 01 00 05 00 00 80 21 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3C 
006A: 0x000002400008CFF2 -> 0x3E002 00 06 (0x2)
006B: 0x000002400008DFF6 -> 0x3E006 00 05 (0x2)
006C: 0x000002400008CFF6 -> 0x3E006 00 06 (0x2)
006D: 0x000002400008CFF2 -> 0x3E002 00 06 (0x2)
006E: 0x000002400008DFF6 -> 0x3E006 00 05 (0x2)
006F: 0x000002400008C000 -> 0x3E000 1B 01 00 05 00 00 80 21 00 00 00 00 00 01 00 01 (0x10)
0070: 0x000002400008C000 -> 0x3E000 1B 01 00 05 00 00 80 21 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3C 00 00 00 00 FF FF FD C7 (0x20)
0071: 0x000002400008DFF4 <- 0x3E004 00 06 00 06 (0x4)
0072: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

INIT INTERRUPT/CHECKSTOP VECTORS

0073: 0x0000020000500910 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
0074: 0x0000020000500920 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
0075: 0x0000020000500918 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0076: 0x0000020000500928 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
0077: 0x0000020000500930 <- 0x3E000 2C 00 00 00 00 00 00 00 (0x8)
0078: 0x0000020000500938 <- 0x3E008 C0 00 00 00 00 00 00 00 (0x8)
0079: 0x0000020000500B10 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
007A: 0x0000020000500B20 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
007B: 0x0000020000500B18 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
007C: 0x0000020000500B28 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
007D: 0x0000020000500B30 <- 0x3E000 00 00 00 00 00 00 00 FF (0x8)
007E: 0x0000020000500810 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
007F: 0x0000020000500820 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
0080: 0x0000020000500818 <- 0x3E008 00 00 00 00 00 00 00 40 (0x8)
0081: 0x0000020000500828 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
0082: 0x0000020000500830 <- 0x3E000 00 00 00 00 00 0E B7 81 (0x8)
0083: 0x0000020000500848 -> 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0084: 0x0000020000500848 <- 0x3E008 00 00 00 00 00 00 00 04 (0x8)
0085: 0x000002000050A230 <- 0x3E000 00 00 FD 7E 00 00 00 00 (0x8)
0086: 0x000002000050A238 <- 0x3E008 00 00 02 80 00 00 00 00 (0x8)
0087: 0x0000020000508508 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0088: 0x0000020000508500 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
0089: 0x0000020000508518 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)

GET ACTIVE SPE TO SET INTERRUPTS/CHECKSTOP TO ONLY THOSE ACTIVE

008A: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
008B: 0x0000020000400020 -> 0x3E000 00 00 00 00 00 00 21 00 (0x8)
008C: 0x0000020000508510 <- 0x3E000 07 0F F0 FF 03 D0 3D 1F (0x8)
008D: 0x0000020000512010 <- 0x3E000 FF FF 00 00 00 00 10 00 (0x8)
008E: 0x0000020000513010 <- 0x3E000 FF FF 00 00 00 00 10 00 (0x8)
008F: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
0090: 0x0000020000400388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0091: 0x0000020000400390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
0092: 0x00000200004003A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
0093: 0x00000200004003A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
0094: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
0095: 0x00000200004003B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
0096: 0x0000020000402388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0097: 0x0000020000402390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
0098: 0x00000200004023A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
0099: 0x00000200004023A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
009A: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
009B: 0x00000200004023B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
009C: 0x0000020000404388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
009D: 0x0000020000404390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
009E: 0x00000200004043A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
009F: 0x00000200004043A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00A0: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00A1: 0x00000200004043B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00A2: 0x0000020000408388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00A3: 0x0000020000408390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00A4: 0x00000200004083A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00A5: 0x00000200004083A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00A6: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00A7: 0x00000200004083B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00A8: 0x000002000040A388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00A9: 0x000002000040A390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00AA: 0x000002000040A3A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00AB: 0x000002000040A3A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00AC: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00AD: 0x000002000040A3B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00AE: 0x000002000040C388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00AF: 0x000002000040C390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00B0: 0x000002000040C3A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00B1: 0x000002000040C3A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00B2: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00B3: 0x000002000040C3B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00B4: 0x000002000040E388 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
00B5: 0x000002000040E390 <- 0x3E000 FF FF FF FF FF FF FF FF (0x8)
00B6: 0x000002000040E3A0 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00B7: 0x000002000040E3A8 <- 0x3E008 FF FF FF FF FF FF FF FF (0x8)
00B8: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00B9: 0x000002000040E3B0 <- 0x3E000 00 00 00 00 00 00 05 84 (0x8)
00BA: 0x0000020000509C18 <- 0x3E008 00 00 01 30 (0x4)
00BB: 0x0000020000509C20 <- 0x3E000 FF FF FF FC (0x4)

UNKNOWN ADDRESSES. PROBABLY INITIALIZATION OF SEVERAL DEVICES

00BC: 0x0000024000080310 <- 0x3E000 4E FF FF FE (0x4)
00BD: 0x0000024000080260 <- 0x3E000 0F FF FF 00 (0x4)
00BE: 0x0000024000080264 <- 0x3E004 0F FF FF 00 (0x4)
00BF: 0x0000024000080268 <- 0x3E008 0F FF FF 00 (0x4)
00C0: 0x000002400008026C <- 0x3E00C 0F FF FF 00 (0x4)
00C1: 0x0000024000080270 <- 0x3E000 0F FF FF 00 (0x4)
00C2: 0x0000024000080274 <- 0x3E004 0F FF FF 00 (0x4)
00C3: 0x0000024000080278 <- 0x3E008 0F FF FF 00 (0x4)
00C4: 0x000002400008027C <- 0x3E00C 0F FF FF 00 (0x4)
00C5: 0x00000240000800C8 <- 0x3E008 0F FF 00 00 (0x4)
00C6: 0x00000240000800CC <- 0x3E00C 00 01 00 00 (0x4)
00C7: 0x00000240000800D0 <- 0x3E000 00 00 00 00 (0x4)
00C8: 0x00000240000800D4 <- 0x3E004 00 00 00 01 (0x4)
00C9: 0x00000240000800D8 <- 0x3E008 00 00 00 00 (0x4)
00CA: 0x00000240000800DC <- 0x3E00C 00 00 00 01 (0x4)
00CB: 0x00000240000800E0 <- 0x3E000 00 00 00 00 (0x4)

GET STATUS OF DEVICES??

00CC: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)

SET DEVICES INTERRUPTS??

00CD: 0x0000024000087020 -> 0x3E000 00 00 00 15 (0x4)
00CE: 0x0000024000087020 <- 0x3E000 00 00 00 17 (0x4)
00CF: 0x0000024000087030 -> 0x3E000 00 00 00 15 (0x4)
00D0: 0x0000024000087030 <- 0x3E000 00 00 00 17 (0x4)
00D1: 0x0000024000087030 -> 0x3E000 00 00 00 17 (0x4)
00D2: 0x00000240000011A8 -> 0x3E008 00 F0 00 70 (0x4)
00D3: 0x00000240000011A8 <- 0x3E008 00 F0 00 70 (0x4)
00D4: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
00D5: 0x0000024000002FA8 -> 0x3E008 00 00 00 00 (0x4)
00D6: 0x0000024000002FA8 <- 0x3E008 00 00 00 60 (0x4)
00D7: 0x0000024000087000 -> 0x3E000 81 00 00 00 (0x4)
00D8: 0x0000024000000FA8 -> 0x3E008 00 00 00 00 (0x4)
00D9: 0x0000024000000FA8 <- 0x3E008 00 00 00 60 (0x4)

UNKNOWN.


00DA: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00DB: 0x000002400008DFF2 -> 0x3E002 00 06 (0x2)
00DC: 0x000002400008CFF6 -> 0x3E006 00 06 (0x2)
00DD: 0x000002400008D000 <- 0x3E000 12 01 00 06 00 00 80 19 00 00 00 00 00 02 00 02 02 00 00 00 00 00 FF 48 00 00 00 00 FF FF FD C7 (0x20)
00DE: 0x000002400008DFF0 <- 0x3E000 00 07 00 07 (0x4)
00DF: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00E0: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 12 01 00 06 00 00 80 19 00 00 00 00 00 05 00 05 02 00 00 00 00 00 00 00 FF FF FF 42 
00E1: 0x000002400008CFF2 -> 0x3E002 00 07 (0x2)
00E2: 0x000002400008DFF6 -> 0x3E006 00 06 (0x2)
00E3: 0x000002400008CFF6 -> 0x3E006 00 07 (0x2)
00E4: 0x000002400008CFF2 -> 0x3E002 00 07 (0x2)
00E5: 0x000002400008DFF6 -> 0x3E006 00 06 (0x2)
00E6: 0x000002400008C000 -> 0x3E000 12 01 00 06 00 00 80 19 00 00 00 00 00 05 00 05 (0x10)
00E7: 0x000002400008C000 -> 0x3E000 12 01 00 06 00 00 80 19 00 00 00 00 00 05 00 05 02 00 00 00 00 00 00 00 FF FF FF 42 FF FF FD C7 (0x20)
00E8: 0x000002400008DFF4 <- 0x3E004 00 07 00 07 (0x4)
00E9: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

AT THIS POINT SOMETHING WENT WRONG. THIS WRITE HANGS THE CONSOLE. LOG AFTER THIS SHOULD NOT BE USED FOR RESEARCH AS IT SHOULD NOT HAPPEN 

HOW DID THE SPU GET THE CONFIG RING??????!!!!!!!!!


00EA: 0x0000020000511C00 <- 0x3E000 00 00 00 00 10 00 08 00 (0x8)

SEND LOG MESSAGE TO SYSCON

00EB: 0x0000020000509C38 -> 0x3E008 00 00 00 EF (0x4)
00EC: 0x0000020000400020 -> 0x3E000 00 00 00 00 00 00 21 00 (0x8)
00EE: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
00EF: 0x000002400008DFF2 -> 0x3E002 00 07 (0x2)
00F0: 0x000002400008CFF6 -> 0x3E006 00 07 (0x2)
00F1: 0x000002400008D000 <- 0x3E000 20 01 00 07 00 00 80 28 00 00 00 00 00 40 00 40 00 5B 45 52 52 4F 52 5D 3A 20 63 6F 6E 66 69 67 5F 72 69 6E 67 20 63 6D 70 20 66 61 69 6C 20 62 69 74 20 32 37 2C 20 61 63 74 75 61 6C 20 30 78 30 30 2C 20 65 78 70 65 63 74 20 30 78 31 30 0A 00 00 EA 95 00 00 00 00 00 00 00 00 00 00 00 00 (0x60)
00F2: 0x000002400008DFF0 <- 0x3E000 00 08 00 08 (0x4)
00F3: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00F4: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
MSG:  [ERROR]: config_ring cmp fail bit 27, actual 0x00, expect 0x10

RESPONSE: 20 01 00 07 00 00 80 28 00 00 00 00 00 02 00 02 00 00 00 00 FF FF FF 2C 
00F5: 0x000002400008CFF2 -> 0x3E002 00 08 (0x2)
00F6: 0x000002400008DFF6 -> 0x3E006 00 07 (0x2)
00F7: 0x000002400008CFF6 -> 0x3E006 00 08 (0x2)
00F8: 0x000002400008CFF2 -> 0x3E002 00 08 (0x2)
00F9: 0x000002400008DFF6 -> 0x3E006 00 07 (0x2)
00FA: 0x000002400008C000 -> 0x3E000 20 01 00 07 00 00 80 28 00 00 00 00 00 02 00 02 (0x10)
00FB: 0x000002400008C000 -> 0x3E000 20 01 00 07 00 00 80 28 00 00 00 00 00 02 00 02 00 00 00 00 FF FF FF 2C FF FF FF 42 FF FF FD C7 (0x20)
00FC: 0x000002400008DFF4 <- 0x3E004 00 08 00 08 (0x4)
00FD: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
00FE: 0x0000020000509C90 <- 0x3E000 00 00 00 00 00 00 00 00 (0x8)
00FF: 0x0000000000511C00 -> 0x3E000 59 59 59 59 59 59 59 59 (0x8)
0100: 0x0000000000511C00 <- 0x3E000 00 00 00 00 10 00 08 00 (0x8)
0101: 0x0000000000510918 <- 0x3E008 00 00 00 00 00 00 00 00 (0x8)
0102: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0103: 0x000002400008DFF2 -> 0x3E002 00 08 (0x2)
0104: 0x000002400008CFF6 -> 0x3E006 00 08 (0x2)
0105: 0x000002400008D000 <- 0x3E000 20 01 00 08 00 00 80 29 00 00 00 00 00 01 00 01 00 00 00 00 00 00 FF 2C FF FF FF 42 FF FF FD C7 (0x20)
0106: 0x000002400008DFF0 <- 0x3E000 00 09 00 09 (0x4)
0107: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0108: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
MSG:  
RESPONSE: 20 01 00 08 00 00 80 29 00 00 00 00 00 02 00 02 00 00 00 00 FF FF FF 2A 
0109: 0x000002400008CFF2 -> 0x3E002 00 09 (0x2)
010A: 0x000002400008DFF6 -> 0x3E006 00 08 (0x2)
010B: 0x000002400008CFF6 -> 0x3E006 00 09 (0x2)
010C: 0x000002400008CFF2 -> 0x3E002 00 09 (0x2)
010D: 0x000002400008DFF6 -> 0x3E006 00 08 (0x2)
010E: 0x000002400008C000 -> 0x3E000 20 01 00 08 00 00 80 29 00 00 00 00 00 02 00 02 (0x10)
010F: 0x000002400008C000 -> 0x3E000 20 01 00 08 00 00 80 29 00 00 00 00 00 02 00 02 00 00 00 00 FF FF FF 2A FF FF FF 42 FF FF FD C7 (0x20)
0110: 0x000002400008DFF4 <- 0x3E004 00 09 00 09 (0x4)
0111: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0112: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0113: 0x000002400008DFF2 -> 0x3E002 00 09 (0x2)
0114: 0x000002400008CFF6 -> 0x3E006 00 09 (0x2)
0115: 0x000002400008D000 <- 0x3E000 13 01 00 09 00 00 80 1D 00 00 00 00 00 01 00 01 33 00 00 00 00 00 FF 11 FF FF FF 42 FF FF FD C7 (0x20)
0116: 0x000002400008DFF0 <- 0x3E000 00 0A 00 0A (0x4)
0117: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0118: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 13 01 00 09 00 00 80 1D 00 00 00 00 00 08 00 08 00 00 00 00 16 FF 02 5E FF FF FD C1 
0119: 0x000002400008CFF2 -> 0x3E002 00 0A (0x2)
011A: 0x000002400008DFF6 -> 0x3E006 00 09 (0x2)
011B: 0x000002400008CFF6 -> 0x3E006 00 0A (0x2)
011C: 0x000002400008CFF2 -> 0x3E002 00 0A (0x2)
011D: 0x000002400008DFF6 -> 0x3E006 00 09 (0x2)
011E: 0x000002400008C000 -> 0x3E000 13 01 00 09 00 00 80 1D 00 00 00 00 00 08 00 08 (0x10)
011F: 0x000002400008C000 -> 0x3E000 13 01 00 09 00 00 80 1D 00 00 00 00 00 08 00 08 00 00 00 00 16 FF 02 5E FF FF FD C1 FF FF FD C7 (0x20)
0120: 0x000002400008DFF4 <- 0x3E004 00 0A 00 0A (0x4)
0121: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

FOR OBVIOUS REASONS I HAVEN'T SENT THIS COMMAND TO SYSCON.... IF SOMEONE WANTS TO SEND IT PLEASE NOTE THAT THIS WILL LIKELY BRICK YOUR SC EEPROM (NOT YOUR FLASH).
16 FF 02 5E IS THE RESULT OF THE PREVIOUS MESSAGE


0122: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0123: 0x000002400008DFF2 -> 0x3E002 00 0A (0x2)
0124: 0x000002400008CFF6 -> 0x3E006 00 0A (0x2)
0125: 0x000002400008D000 <- 0x3E000 14 01 00 0A 00 00 80 1F 00 00 00 00 00 08 00 08 10 01 08 04 16 FF 02 5E 00 00 FD A0 FF FF FD C7 (0x20)
0126: 0x000002400008DFF0 <- 0x3E000 00 0B 00 0B (0x4)
0127: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0128: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
WARNING: WRITE SC EEPROM DETECTED. IGNORING...RESPONSE: 14 01 00 0A 00 00 80 1F 00 00 00 00 00 04 00 04 00 01 08 00 FF FF FF 31 
0129: 0x000002400008CFF2 -> 0x3E002 00 0B (0x2)
012A: 0x000002400008DFF6 -> 0x3E006 00 0A (0x2)
012B: 0x000002400008CFF6 -> 0x3E006 00 0B (0x2)
012C: 0x000002400008CFF2 -> 0x3E002 00 0B (0x2)
012D: 0x000002400008DFF6 -> 0x3E006 00 0A (0x2)
012E: 0x000002400008C000 -> 0x3E000 14 01 00 0A 00 00 80 1F 00 00 00 00 00 04 00 04 (0x10)
012F: 0x000002400008C000 -> 0x3E000 14 01 00 0A 00 00 80 1F 00 00 00 00 00 04 00 04 00 01 08 00 FF FF FF 31 FF FF FD C1 FF FF FD C7 (0x20)
0130: 0x000002400008DFF4 <- 0x3E004 00 0B 00 0B (0x4)
0131: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0132: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0133: 0x000002400008DFF2 -> 0x3E002 00 0B (0x2)
0134: 0x000002400008CFF6 -> 0x3E006 00 0B (0x2)
0135: 0x000002400008D000 <- 0x3E000 14 01 00 0B 00 00 80 20 00 00 00 00 00 08 00 08 10 01 04 04 09 FF FF FF 00 00 FC 11 FF FF FD C7 (0x20)
0136: 0x000002400008DFF0 <- 0x3E000 00 0C 00 0C (0x4)
0137: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0138: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
WARNING: WRITE SC EEPROM DETECTED. IGNORING...RESPONSE: 14 01 00 0B 00 00 80 20 00 00 00 00 00 04 00 04 00 01 04 00 FF FF FF 33 
0139: 0x000002400008CFF2 -> 0x3E002 00 0C (0x2)
013A: 0x000002400008DFF6 -> 0x3E006 00 0B (0x2)
013B: 0x000002400008CFF6 -> 0x3E006 00 0C (0x2)
013C: 0x000002400008CFF2 -> 0x3E002 00 0C (0x2)
013D: 0x000002400008DFF6 -> 0x3E006 00 0B (0x2)
013E: 0x000002400008C000 -> 0x3E000 14 01 00 0B 00 00 80 20 00 00 00 00 00 04 00 04 (0x10)
013F: 0x000002400008C000 -> 0x3E000 14 01 00 0B 00 00 80 20 00 00 00 00 00 04 00 04 00 01 04 00 FF FF FF 33 FF FF FD C1 FF FF FD C7 (0x20)
0140: 0x000002400008DFF4 <- 0x3E004 00 0C 00 0C (0x4)
0141: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0142: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0143: 0x000002400008DFF2 -> 0x3E002 00 0C (0x2)
0144: 0x000002400008CFF6 -> 0x3E006 00 0C (0x2)
0145: 0x000002400008D000 <- 0x3E000 13 01 00 0C 00 00 80 20 00 00 00 00 00 08 00 08 12 00 00 00 00 00 03 34 00 00 FE E7 FF FF FD C7 (0x20)
0146: 0x000002400008DFF0 <- 0x3E000 00 0D 00 0D (0x4)
0147: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0148: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 13 01 00 0C 00 00 80 20 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3E 
0149: 0x000002400008CFF2 -> 0x3E002 00 0D (0x2)
014A: 0x000002400008DFF6 -> 0x3E006 00 0C (0x2)
014B: 0x000002400008CFF6 -> 0x3E006 00 0D (0x2)
014C: 0x000002400008CFF2 -> 0x3E002 00 0D (0x2)
014D: 0x000002400008DFF6 -> 0x3E006 00 0C (0x2)
014E: 0x000002400008C000 -> 0x3E000 13 01 00 0C 00 00 80 20 00 00 00 00 00 01 00 01 (0x10)
014F: 0x000002400008C000 -> 0x3E000 13 01 00 0C 00 00 80 20 00 00 00 00 00 01 00 01 00 00 00 00 FF FF FF 3E FF FF FD C1 FF FF FD C7 (0x20)
0150: 0x000002400008DFF4 <- 0x3E004 00 0D 00 0D (0x4)
0151: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0152: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
0153: 0x000002400008DFF2 -> 0x3E002 00 0D (0x2)
0154: 0x000002400008CFF6 -> 0x3E006 00 0D (0x2)
0155: 0x000002400008D000 <- 0x3E000 13 01 00 0D 00 00 80 21 00 00 00 00 00 04 00 04 11 00 00 03 00 00 FF 22 FF FF FD C1 FF FF FD C7 (0x20)
0156: 0x000002400008DFF0 <- 0x3E000 00 0E 00 0E (0x4)
0157: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)
0158: 0x000002400008E004 -> 0x3E004 00 00 00 02 (0x4)
RESPONSE: 13 01 00 0D 00 00 80 21 00 00 00 00 00 00 00 00 FF FF FF 3E 
0159: 0x000002400008CFF2 -> 0x3E002 00 0E (0x2)
015A: 0x000002400008DFF6 -> 0x3E006 00 0D (0x2)
015B: 0x000002400008CFF6 -> 0x3E006 00 0E (0x2)
015C: 0x000002400008CFF2 -> 0x3E002 00 0E (0x2)
015D: 0x000002400008DFF6 -> 0x3E006 00 0D (0x2)
015E: 0x000002400008C000 -> 0x3E000 13 01 00 0D 00 00 80 21 00 00 00 00 00 00 00 00 (0x10)
015F: 0x000002400008C000 -> 0x3E000 13 01 00 0D 00 00 80 21 00 00 00 00 00 00 00 00 FF FF FF 3E FF FF FF 3E FF FF FD C1 FF FF FD C7 (0x20)
0160: 0x000002400008DFF4 <- 0x3E004 00 0E 00 0E (0x4)
0161: 0x000002400008E100 <- 0x3E000 00 00 00 01 (0x4)

-> Seems like we're failing at the same command ;) (btw. 0x0000000010000800 write to IOC_IOCmd_Cfg enables IR0 and IR1). If you wanna join forces, meet us at #ps3dev@efnet --naehrwert/jestero
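
Added example (not from the original page or its authors): a Python parser for the trace lines above that extracts the syscon request writes and RESPONSE lines and checks two checksum relations that hold for the packets in this log. Header bytes 4-7 equal 0x8000 plus the sum of bytes 0-3, and the trailing word is the negated byte sum of header and payload (16-bit in requests, 32-bit in responses). Both relations are inferred from the bytes shown here, and the field names (`service`, `version`, `tag`, `len_a`, `len_b`) are assumed labels.

```python
import re
import struct

# Constructed sample: three lines copied from the trace on this page.
SAMPLE = """\
003A: 0x000002400008D000 <- 0x3E000 12 01 00 03 00 00 80 16 00 00 00 00 00 02 00 02 03 10 00 00 00 00 FF 3D FF FF FF FF FF FF FF FF (0x20)
003B: 0x000002400008DFF0 <- 0x3E000 00 04 00 04 (0x4)
RESPONSE: 12 01 00 03 00 00 80 16 00 00 00 00 00 0C 00 0C 03 00 00 00 17 D7 84 00 00 00 00 00 FF FF FD C7
"""

REQUEST_BUFFER = 0x000002400008D000  # address the trace writes requests to

DMA_RE = re.compile(
    r"^([0-9A-F]{4}): 0x([0-9A-F]{16}) (<-|->) 0x([0-9A-F]+) "
    r"((?:[0-9A-F]{2} ?)+)\(0x([0-9A-F]+)\)\s*$")
RESP_RE = re.compile(r"^RESPONSE: ((?:[0-9A-F]{2} ?)+)\s*$")


def parse_line(line):
    """Return a dict for a DMA or RESPONSE line, or None for annotations."""
    m = DMA_RE.match(line)
    if m:
        data = bytes.fromhex(m.group(5))
        if len(data) != int(m.group(6), 16):
            raise ValueError("length field does not match byte count: " + line)
        return {"kind": "dma", "seq": int(m.group(1), 16),
                "ea": int(m.group(2), 16),
                "write": m.group(3) == "<-",  # '<-' is a write to the address
                "ls": int(m.group(4), 16), "data": data}
    m = RESP_RE.match(line)
    if m:
        return {"kind": "response", "data": bytes.fromhex(m.group(1))}
    return None


def decode_packet(data, is_response):
    """Split a syscon packet and check both checksums observed in the trace."""
    if len(data) < 20:
        raise ValueError("packet shorter than header plus trailer")
    # Assumed layout: service, version, tag, header sum, zero word, two lengths.
    service, version, tag, hdr_sum, _zero, len_a, len_b = struct.unpack(
        ">BBHIIHH", data[:16])
    end = 16 + ((len_a + 3) & ~3)  # payload is padded to a 4-byte boundary
    if len(data) < end + 4:
        raise ValueError("packet truncated before trailer")
    trailer = int.from_bytes(data[end:end + 4], "big")
    mask = 0xFFFFFFFF if is_response else 0xFFFF
    return {
        "service": service, "version": version, "tag": tag,
        "payload": data[16:16 + len_a],
        "lengths_match": len_a == len_b,
        "header_ok": hdr_sum == 0x8000 + sum(data[:4]),
        "trailer_ok": trailer == (-sum(data[:end])) & mask,
    }


def audit(trace_text):
    """Decode every request write and RESPONSE line found in a trace."""
    out = []
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "response":
            out.append(("response", decode_packet(rec["data"], True)))
        elif rec["write"] and rec["ea"] == REQUEST_BUFFER:
            out.append(("request", decode_packet(rec["data"], False)))
    return out


if __name__ == "__main__":
    for kind, pkt in audit(SAMPLE):
        print(kind, hex(pkt["service"]), pkt["tag"], pkt["payload"].hex(),
              pkt["header_ok"], pkt["trailer_ok"])
```

Bytes 4-7 of the decoded response payload are 0x17D78400, which is 400000000 and matches the 400MHz reading noted in the log.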

SC Firmware

Status: Reversing sc_iso.self

Found that XTS-AES is used to decrypt/encrypt sectors. The key is calculated from a string. Input/output data must still be found.

Undocumented channels

Status: Created test bench allowing to execute code on isolated state.

Undocumented channel 73/72 appears to be a circular buffer of size 0x12. The first two words are the firmware, the last one is 0xFFFFFFFF. lv1ldr expects this channel to be 0xFFFFFFFF FFFFFFFF FFFFFFFF prior to execution. That means it cannot be rerun... unless the channel is reset.