Booting petitboot from VFLASH

From PS3 Developer wiki
Jump to navigation Jump to search

Source: graf_chokolo @

How it was done in 3.15 Firmware[edit | edit source]

  • Linux bootloader otheros.bld is a compressed version of petitboot or kboot
  • otheros.self stores the Linux bootloader on the 5th region of VFLASH
  • The 5th region of VFLASH is of size 0x2000 sectors, each sector is of size 0x200, which makes 0x400000 bytes
  • The 5th region of VFLASH starts at absolute sector offset 0x77E00 on VFLASH storage device
  • So Linux bootloader cannot be larger than 0x400000 bytes
  • In LPAR 1 the 5th region of VFLASH is accessible through device file /dev/rflash_lx
  • Linux System Manager (HV process 9) loads the Linux bootloader stored on /dev/rflash_lx into LPAR 2 memory and when LPAR 2 boots, the Linux bootloader gets control of the system and loads the Linux kernel from HDD

How things are in 3.41 Firmware[edit | edit source]

  • The good news is that the 5th region of VFLASH is still there in 3.41 and even in 3.55 PS3 firmware. Even better, it's accessible in LPAR 1 through /dev/rflash_lx !!!
  • And PS3 Slim has it also !!!
  • Why didn't SONY remove it you will ask. I'm very sure that SONY's HV developer team still uses Linux internally !!! I will bet on it :-)
  • But SONY removed Linux System Manager from 3.41 firmware, so we cannot boot Linux bootloader from VFLASH without adding new code to HV. HV cannot boot the Linux bootloader anymore on its own.
  • The second problem is that the Linux bootloader uncompressed is very large and it won't fit into the default 5th region of VFLASH that is of size 0x400000 bytes.
  • We have to store the Linux bootloader uncompressed on VFLASH
  • Before we can do it, we have to resize the 5th VFLASH region. And nothing is simpler if you know HV like the back of your hand :-)
  • SONY could remove /dev/rflash_lx in future HVs but i know now HV so good that it will be no problem to me to add this device again :-)

Creating and Resizing of VFLASH region[edit | edit source]

  • So we have to resize the 5th VFLASH region in order to be able to store an uncompressed petitiboot which is quite large
  • On my PS3 3.41 i set the size of the 5th VFLASH region to 0x800000 bytes, it's enough to store there petitboot with nice GUI and many features. But we could use larger size without any problems, because VFLASH is large enough.
  • GameOS is able to create/delete storage device regions (see HV calls lv1_undocumented_function_250 and lv1_undocumented_function_251)
  • GameOS is able to set ACLs for a storage device region (see HV calls lv1_undocumented_function_252 and lv1_undocumented_function_253)
  • The 5th VFLASH storage device region can be resized with 2 different methods: the first one is dirty and requires HV access rights, the second one is simpler and requires only GameOS rights
  • I tested both methods, both worked very well
  • The first method is only for advanced HV hackers :-) I reversed the storage device class and know now where which data is stored, e.g. region start sector and region sector count. I patched the sector count of the 5th VFLASH region in memory, then i forced HV to update the partition table of VFLASH and HV stored the new region size on VFLASH. Then i rebooted HV and i got a new larger VFLASH region :-) Another possibility is to write partition table on your own.
  • Don't try the first method if you are not familiar with HV :-) Consider you warned guys :-)
  • The second method is safer. It requires only GameOS rights. First i deleted the 5th VFLASH region, it's safe because GameOS doesn't use this region at all. Then i created it again with larger size. That simple :-)

Installing petitboot on VFLASH region[edit | edit source]

  • petitboot binary image can be stored on the 5th VFLASH region with GameOS rights
  • petitboot should be stored on VFLASH with encryption disabled !!!

Patching GameOS System Manager[edit | edit source]

  • GameOS System Manager is in HV process 9
  • Secure LPAR Loader is in HV process 3
  • GameOS System Manager allocates an initial LPAR 2 memory for GameOS, then it sends a SS request (see my HV page) to Secure LPAR Loader to load lv2_kernel.self
  • We have to patch the initial LPAR 2 memory size because GameOS uses a smaller value but Linux kernel requires more memory

Patching Secure LPAR Loader (SLL)[edit | edit source]

  • Secure LPAR Loader (SLL) is in HV process 3
  • SLL loads lv2_kernel.self from FLASH, passes it to lv2ldr which decrypts it
  • I replaced the lv2_kernel.self loader with my OtherOS bootloader loader

otheros_booloader_loader.S[edit | edit source]

Here is my OtherOS bootloader loader from VFLASH.

  • All function addresses are valid for 3.41 firmware only !!!
  • The loader maps LPAR memory region
  • Reads OtherOS bootloader from VFLASH into mapped LPAR memory region
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2 of the License.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

.set STACK_SIZE,							0x100
.set STACK_LR,								(STACK_SIZE + 0x10)
.set STACK_R25,								(STACK_SIZE - 1 * 0x8)
.set STACK_R26,								(STACK_SIZE - 2 * 0x8)
.set STACK_R27,								(STACK_SIZE - 3 * 0x8)
.set STACK_R28,								(STACK_SIZE - 4 * 0x8)
.set STACK_R29,								(STACK_SIZE - 5 * 0x8)
.set STACK_R30,								(STACK_SIZE - 6 * 0x8)
.set STACK_R31,								(STACK_SIZE - 7 * 0x8)
.set STACK_LPAR_MEM,						        (STACK_SIZE - 8 * 0x8)

.set SUB_SLL_LOAD_LV2,						        0x80000E44		/* sll_load_lv2 */
.set SUB_MMAP_LPAR_MEM,						        0x800026B4
.set SUB_OPEN,								0x80013D40		/* syscall 0x7 */
.set SUB_CLOSE,								0x80013D7C		/* syscall 0x8 */
.set SUB_READ,								0x80013DB8		/* syscall 0x9 */
.set SUB_MUNMAP,							0x80013EB8		/* syscall 0x19 */
.set SUB_BSET,								0x80000278
.set SUB_BCOPY,								0x80000254

#define BL(sub_addr)						        \
	li %r30, 0;							\
	oris %r30, %r30, (sub_addr >> 16);		                \
	ori %r30, %r30, (sub_addr & 0xFFFF);	                        \
	mtctr %r30;							\

.set CACHE_LINE_SIZE,						        0x80

.set FD_ERROR,								0x10
.set HEADER_ERROR,							0x14

#define LWZ_DATA(reg, data_addr)			                lwz reg, data_addr(%r31)
#define LD_DATA(reg, data_addr)				                ld reg, data_addr(%r31)
#define LD_DATA_PTR(reg, data_addr)			                addi reg, %r31, data_addr - sll_load_lv2

 * %r3 - path
 * %r4 - laid
 * %r5 - lpar id
 * %r25 - volatile
 * %r26 - OtherOS bootloader load address
 * %r27 - return value
 * %r28 - size of /dev/rflash_lx
 * %r29 - file descriptor of /dev/rflash_lx
 * %r30 - reserved for function calls
 * %r31 - reserved for data accesses
.globl sll_load_lv2

	stdu %r1, -STACK_SIZE(%r1)
	mflr %r0
	std %r0, STACK_LR(%r1)
	std %r25, STACK_R25(%r1)
	std %r26, STACK_R26(%r1)
	std %r27, STACK_R27(%r1)
	std %r28, STACK_R28(%r1)
	std %r29, STACK_R29(%r1)
	std %r30, STACK_R30(%r1)
	std %r31, STACK_R31(%r1)

	bl 1f


	mflr %r31
	addi %r31, %r31, (sll_load_lv2 - 1b)

	/* map lpar memory */

	mr %r3, %r5
	li %r4, 0
	LD_DATA(%r26, bootloader_load_addr)
	LD_DATA(%r28, dev_rflash_lx_size)
	add %r5, %r26, %r28
	addi %r6, %r1, STACK_LPAR_MEM
	cmpwi %cr7, %r3, 0
	mr %r27, %r3
	bne %cr7, done

	/* zero out lpar memory */

	ld %r3, STACK_LPAR_MEM(%r1)
	li %r4, 0
	mr %r5, %r28

	/* open /dev/rflash_lx where OtherOS bootloader is stored */

	LD_DATA_PTR(%r3, dev_rflash_lx)
	li %r4, 0
	li %r27, FD_ERROR
	cmpwi %cr7, %r3, 0
	mr %r29, %r3
	blt %cr7, bad1

	/* read header */

	extsw %r3, %r29
	ld %r4, STACK_LPAR_MEM(%r1)
	LD_DATA(%r25, header_size)
	mr %r5, %r25
	li %r27, FD_ERROR
	cmpd %cr7, %r3, %r25
	bne %cr7, bad2

	/* check header magic */

	li %r27, HEADER_ERROR

	LD_DATA(%r3, header_magic)
	ld %r5, STACK_LPAR_MEM(%r1)
	ld %r4, 0(%r5)
	cmpd %cr7, %r3, %r4
	bne %cr7, bad2

	/* read OtherOS bootloader size from header */

	ld %r25, 8(%r5)
	cmpd %cr7, %r25, %r28
	bgt %cr7, bad2

	/* read OtherOS bootloader to lpar memory */

	extsw %r3, %r29
	ld %r4, STACK_LPAR_MEM(%r1)
	mr %r5, %r25
	li %r27, FD_ERROR
	cmpd %cr7, %r3, %r25
	bne %cr7, bad2

	/* flush data cache */

	li %r9, 0
	b 2f


	ld %r0, STACK_LPAR_MEM(%r1)
	add %r0, %r9, %r0
	dcbst %r0, %r0
	addi %r9, %r9, CACHE_LINE_SIZE


	cmpd %cr7, %r9, %r28
	blt %cr7, 1b


	/* flush code cache */

	li %r9, 0
	b 2f


	ld %r0, STACK_LPAR_MEM(%r1)
	add %r0, %r9, %r0
	icbi %r0, %r0
	addi %r9, %r9, CACHE_LINE_SIZE


	cmpd %cr7, %r9, %r28
	blt %cr7, 1b



	li %r27, 0


	/* close /dev/rflash_lx */

	extsw %r3, %r29


	/* unmap lpar memory */

	ld %r3, STACK_LPAR_MEM(%r1)
	add %r4, %r26, %r28


	rldicl %r3, %r27, 0, 32

	ld %r0, STACK_LR(%r1)
	ld %r25, STACK_R25(%r1)
	ld %r26, STACK_R26(%r1)
	ld %r27, STACK_R27(%r1)
	ld %r28, STACK_R28(%r1)
	ld %r29, STACK_R29(%r1)
	ld %r30, STACK_R30(%r1)
	ld %r31, STACK_R31(%r1)
	addi %r1, %r1, STACK_SIZE
	mtlr %r0

/* read-only data */


	.quad 0x0000000000000000

	.quad (2 * 0x200) /* 2 sectors of size 0x200 */


	.quad (0x4000 * 0x200) /* 0x4000 sectors of size 0x200 */

	.asciz "/dev/rflash_lx"