Editing Talk:Hypervisor Reverse Engineering


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
Merge needed of info from:
Merge needed (?) : https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwiki.gitbrew.org%2Fwikibrew%2FPS3%3AHvReverseEngineering
[https://web.archive.org/web/20130623170001/https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwiki.gitbrew.org%2Fwikibrew%2FPS3%3AHvReverseEngineering wiki.gitbrew.org]
and
[https://web.archive.org/web/20111217183835/http://www.ps3devwiki.com/index.php?title=Talk:Hypervisor_Reverse_Engineering]


== MMIO / Memorymap ==
== MMIO / Memorymap ==
Line 13: Line 10:
| 0x200000 || 0x400000 ||  || LV1 Code Region || ||
| 0x200000 || 0x400000 ||  || LV1 Code Region || ||
|-
|-
| 0x8000000 / 0x1000000(DECR) || 0x800000 || || LV2 Region || || The region you get when you dump lv2
| 0x20000000000 || 0x80000 ||  || SPE0 MMIO Memory Region || ||
|-
| 0x20000000000 || 0x80000 ||  || SPE0 MMIO Memory Region || || (be.0.bp_base)
|-
|-
| 0x20000080000 || 0x80000 ||  || SPE1 MMIO Memory Region || 0x003ABC20 ||  
| 0x20000080000 || 0x80000 ||  || SPE1 MMIO Memory Region || 0x003ABC20 ||  
Line 29: Line 24:
| 0x20000300000 || 0x80000 ||  || SPE6 MMIO Memory Region || 0x003B5BE0 ||  
| 0x20000300000 || 0x80000 ||  || SPE6 MMIO Memory Region || 0x003B5BE0 ||  
|-
|-
| 0x20000509000 || 0x1000 ||  || Pervasive Memory ||  || Contains 48 bit Serial Number at position 0xC80 size 0x08
| 0x20000509000 || 0x1000 ||  || Pervasive Memory ||  || Contains 48 bit Serial Number(???)
|-
|-
|  || 0x1000 ||  || SPE1 Shadow Registers Memory Region || 0x003ABDA0 ||  
|  || 0x1000 ||  || SPE1 Shadow Registers Memory Region || 0x003ABDA0 ||  
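Review bot: the Pervasive Memory note for 0x20000509000 gives a 48 bit serial number but a size of 0x08, which is 8 bytes of space for a 6-byte value. Say whether the serial is padded inside the 8-byte field at position 0xC80 and at which end, so a reader extracting it takes the right bytes. The position and size are the only locating detail on that row, so they are worth keeping over the bare "(???)".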
Line 49: Line 44:
| 0x2000050A210 || 0x4 || || XDR Memory Channel Type || || For use with above memory locations
| 0x2000050A210 || 0x4 || || XDR Memory Channel Type || || For use with above memory locations
|-
|-
| 0x24000000000 ||  ||  || SB bus subsystem ||  || (be.0.ioif1.addr)
| 0x24000000000 ||  ||  || SB bus subsystem ||  ||  
|-
|-
| 0x24000002000 || 0x200 || 1 || SATA Controller 1 ||  ||  
| 0x24000002000 || 0x200 || 1 || SATA Controller 1 ||  ||  
Line 125: Line 120:
| 0x2401F000000 || 0x1000000 || || NOR Flash || ||  
| 0x2401F000000 || 0x1000000 || || NOR Flash || ||  
|-
|-
| 0x2401FC00000 || 0x40000 || || SYS ROM || || lv0ldr/bootldr
| 0x28000000000 || 0x2000 ||  || AV Manager (/dev/ioif0) ||  || only mmap system call
|-
| 0x28000000000 || 0x2000 ||  || AV Manager (/dev/ioif0) ||  || (be.0.ioif0.addr) only mmap system call  
|-
|-
| 0x28001800000 || 0x1000 ||  || AV Manager (/dev/ioif0) ||  || only mmap system call
| 0x28001800000 || 0x1000 ||  || AV Manager (/dev/ioif0) ||  || only mmap system call
Line 154: Line 147:
|-
|-
| 0x28000080100 || 0x8000 || 5 || GPU Device Memory Region || 0x003BB420 ||  
| 0x28000080100 || 0x8000 || 5 || GPU Device Memory Region || 0x003BB420 ||  
|-
| 0x2808FC00000 || 0x400000 || || RSX Internal State Memory Area (All) || ||
|-
| 0x2808FF80000 || 0x80000 || || RAMIN (Encompasses RAMHT,RAMFC,DMA Objects, Graphic Objects and GRAPH) || ||
|-
| 0x2808FF90000 || 0x4000 || || RAM Hash Table || ||
|-
| 0x2808FFA0000 || 0x1000 || || RAM FIFO Context || ||
|-
| 0x2808FFC0000 || 0x10000 || || DMA Objects || ||
|-
| 0x2808FFD0000 || 0x10000 || || Graphic Objects || ||
|-
| 0x2808FFE0000 || 0x10000 || || Graphic Context || ||
|-
|-
|  ||  || 9 || FLASH Controller device (StarShip - SS) ||  || FLASH controller doesn't have MMIO regions
|  ||  || 9 || FLASH Controller device (StarShip - SS) ||  || FLASH controller doesn't have MMIO regions
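Review bot: the RAMIN row at 0x2808FF80000 names its parts as RAMHT, RAMFC and GRAPH, while the rows beneath it use RAM Hash Table, RAM FIFO Context and Graphic Context; put the abbreviation in each sub-row so the two can be matched. The sub-rows also leave ranges inside the 0x80000 RAMIN window unaccounted for, for example 0x2808FF94000 to 0x2808FFA0000 and 0x2808FFA1000 to 0x2808FFC0000; note whether those are unused or simply not yet documented.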
Line 180: Line 159:
|-
|-
|}
|}
* Linux driver for playing with BE MMIO: http://pastie.org/private/zkzpmj5j6hixacxppk9waq [https://pastebin.com/Y6ZEDdi3 mirror]


== PS3 ea memory map ==
== PS3 ea memory map ==
Line 219: Line 196:
               | Unmapped Area                |   
               | Unmapped Area                |   
   0x0000_0000  +-------------------------------+
   0x0000_0000  +-------------------------------+
</pre>http://pastie.org/private/bfqqa2cpadolns9bm0eqa
== Packet ID Entries ==
<pre>
seg002:C0000180 packet_id_ss_id_map_entry <0x2001, 0x34># 0 <-vtrm
seg002:C0000180                packet_id_ss_id_map_entry <0x2002, 0x35># 1
seg002:C0000180                packet_id_ss_id_map_entry <0x2003, 0x36># 2
seg002:C0000180                packet_id_ss_id_map_entry <0x2006, 0x39># 3
seg002:C0000180                packet_id_ss_id_map_entry <0x2004, 0x37># 4
seg002:C0000180                packet_id_ss_id_map_entry <0x2005, 0x38># 5
seg002:C0000180                packet_id_ss_id_map_entry <0x200A, 0x3D># 6
seg002:C0000180                packet_id_ss_id_map_entry <0x200B, 0x3E># 7
seg002:C0000180                packet_id_ss_id_map_entry <0x200C, 0x3F># 8
seg002:C0000180                packet_id_ss_id_map_entry <0x200D, 0x40># 9
seg002:C0000180                packet_id_ss_id_map_entry <0x200E, 0x41># 10
seg002:C0000180                packet_id_ss_id_map_entry <0x2012, 0x7B># 11
seg002:C0000180                packet_id_ss_id_map_entry <0x2013, 0x7C># 12
seg002:C0000180                packet_id_ss_id_map_entry <0x2016, 0x7D># 13
seg002:C0000180                packet_id_ss_id_map_entry <0x2014, 0x7E># 14
seg002:C0000180                packet_id_ss_id_map_entry <0x2015, 0x7F># 15
seg002:C0000180                packet_id_ss_id_map_entry <0x2017, 0x80># 16
seg002:C0000180                packet_id_ss_id_map_entry <0x3001, 0x4A># 17 <-srtc
seg002:C0000180                packet_id_ss_id_map_entry <0x3002, 0x27># 18
seg002:C0000180                packet_id_ss_id_map_entry <0x3003, 0x28># 19
seg002:C0000180                packet_id_ss_id_map_entry <0x6002, 0x6B># 20 <- um
seg002:C0000180                packet_id_ss_id_map_entry <0x6001, 0x33># 21
seg002:C0000180                packet_id_ss_id_map_entry <0x6005, 0x2D># 22
seg002:C0000180                packet_id_ss_id_map_entry <0x6006, 0x2E># 23
seg002:C0000180                packet_id_ss_id_map_entry <0x6003, 0x30># 24
seg002:C0000180                packet_id_ss_id_map_entry <0x6004, 0x2F># 25
seg002:C0000180                packet_id_ss_id_map_entry <0x6007, 0x32># 26
seg002:C0000180                packet_id_ss_id_map_entry <0x6008, 0x4D># 27
seg002:C0000180                packet_id_ss_id_map_entry <0x6009, 0x4E># 28
seg002:C0000180                packet_id_ss_id_map_entry <0x600A, 0x4F># 29
seg002:C0000180                packet_id_ss_id_map_entry <0x600B, 0x54># 30
seg002:C0000180                packet_id_ss_id_map_entry <0x600C, 0x55># 31
seg002:C0000180                packet_id_ss_id_map_entry <0x6011, 0x82># 32
seg002:C0000180                packet_id_ss_id_map_entry <0x8001, 4># 33 <- ???
seg002:C0000180                packet_id_ss_id_map_entry <0x8002, 5># 34
seg002:C0000180                packet_id_ss_id_map_entry <0x8003, 6># 35
seg002:C0000180                packet_id_ss_id_map_entry <0x8004, 3># 36
seg002:C0000180                packet_id_ss_id_map_entry <0x8005, 7># 37
seg002:C0000180                packet_id_ss_id_map_entry <0x9001, 0x16># 38 <-scm
seg002:C0000180                packet_id_ss_id_map_entry <0x9002, 0x1E># 39
seg002:C0000180                packet_id_ss_id_map_entry <0x9006, 0x14># 40
seg002:C0000180                packet_id_ss_id_map_entry <0x9007, 0x1D># 41
seg002:C0000180                packet_id_ss_id_map_entry <0x9008, 0x49># 42
seg002:C0000180                packet_id_ss_id_map_entry <0x9009, 0x17># 43
seg002:C0000180                packet_id_ss_id_map_entry <0x900A, 0x1C># 44
seg002:C0000180                packet_id_ss_id_map_entry <0x9003, 0x13># 45
seg002:C0000180                packet_id_ss_id_map_entry <0x9004, 0x12># 46
seg002:C0000180                packet_id_ss_id_map_entry <0x9005, 0x1A># 47
seg002:C0000180                packet_id_ss_id_map_entry <0x900B, 0x1B># 48
seg002:C0000180                packet_id_ss_id_map_entry <0x900C, 0x1F># 49
seg002:C0000180                packet_id_ss_id_map_entry <0x900E, 0x15># 50
seg002:C0000180                packet_id_ss_id_map_entry <0x900D, 0x19># 51
seg002:C0000180                packet_id_ss_id_map_entry <0x9011, 0x62># 52
seg002:C0000180                packet_id_ss_id_map_entry <0x9012, 0x64># 53
seg002:C0000180                packet_id_ss_id_map_entry <0x9013, 0x65># 54
seg002:C0000180                packet_id_ss_id_map_entry <0x9014, 0x75># 55
seg002:C0000180                packet_id_ss_id_map_entry <0x9015, 0x79># 56
seg002:C0000180                packet_id_ss_id_map_entry <0x9016, 0x7A># 57
seg002:C0000180                packet_id_ss_id_map_entry <0x10001, 0x10># 58 <- ???
seg002:C0000180                packet_id_ss_id_map_entry <0x10002, 0xF># 59
seg002:C0000180                packet_id_ss_id_map_entry <0x10004, 0x47># 60
seg002:C0000180                packet_id_ss_id_map_entry <0x10005, 0x69># 61
seg002:C0000180                packet_id_ss_id_map_entry <0x10006, 0x6F># 62
seg002:C0000180                packet_id_ss_id_map_entry <0x10007, 0x71># 63
seg002:C0000180                packet_id_ss_id_map_entry <0x11002, 0x2C># 64 <- SPM
seg002:C0000180                packet_id_ss_id_map_entry <0x14001, 0x21># 65 <- SLL
seg002:C0000180                packet_id_ss_id_map_entry <0x14002, 0x20># 66
seg002:C0000180                packet_id_ss_id_map_entry <0x14003, 0x22># 67
seg002:C0000180                packet_id_ss_id_map_entry <0x14004, 0x45># 68
seg002:C0000180                packet_id_ss_id_map_entry <0x14005, 0x46># 69
seg002:C0000180                packet_id_ss_id_map_entry <0x14006, 0x48># 70
seg002:C0000180                packet_id_ss_id_map_entry <0x15001, 0x25># 71 <-SPL
seg002:C0000180                packet_id_ss_id_map_entry <0x15002, 0x26># 72
seg002:C0000180                packet_id_ss_id_map_entry <0x15003, 0x23># 73
seg002:C0000180                packet_id_ss_id_map_entry <0x15004, 0x24># 74
seg002:C0000180                packet_id_ss_id_map_entry <0x15009, 0x81># 75
seg002:C0000180                packet_id_ss_id_map_entry <0x5001, 0x2B># 76 <- SM
seg002:C0000180                packet_id_ss_id_map_entry <0x5002, 0x29># 77
seg002:C0000180                packet_id_ss_id_map_entry <0x5003, 0x2A># 78
seg002:C0000180                packet_id_ss_id_map_entry <0x5004, 0x50># 79
seg002:C0000180                packet_id_ss_id_map_entry <0x5005, 0x51># 80
seg002:C0000180                packet_id_ss_id_map_entry <0x5007, 0x63># 81
seg002:C0000180                packet_id_ss_id_map_entry <0x5008, 0x6A># 82
seg002:C0000180                packet_id_ss_id_map_entry <0x5009, 0x70># 83
seg002:C0000180                packet_id_ss_id_map_entry <0x500A, 0x72># 84
seg002:C0000180                packet_id_ss_id_map_entry <0x18001, 1># 85 <-dm
seg002:C0000180                packet_id_ss_id_map_entry <0x18002, 2># 86
seg002:C0000180                packet_id_ss_id_map_entry <0x17001, 9># 87 <-iim
seg002:C0000180                packet_id_ss_id_map_entry <0x17002, 0xB># 88
seg002:C0000180                packet_id_ss_id_map_entry <0x17003, 0xA># 89
seg002:C0000180                packet_id_ss_id_map_entry <0x17004, 0xC># 90
seg002:C0000180                packet_id_ss_id_map_entry <0x17005, 0xE># 91
seg002:C0000180                packet_id_ss_id_map_entry <0x17006, 8># 92
seg002:C0000180                packet_id_ss_id_map_entry <0x17007, 0xD># 93
seg002:C0000180                packet_id_ss_id_map_entry <0x17009, 0x59># 94
seg002:C0000180                packet_id_ss_id_map_entry <0x17010, 0x5A># 95
seg002:C0000180                packet_id_ss_id_map_entry <0x17011, 0x5B># 96
seg002:C0000180                packet_id_ss_id_map_entry <0x17012, 0x5C># 97
seg002:C0000180                packet_id_ss_id_map_entry <0x17013, 0x5D># 98
seg002:C0000180                packet_id_ss_id_map_entry <0x17014, 0x5E># 99
seg002:C0000180                packet_id_ss_id_map_entry <0x17015, 0x5F># 100
seg002:C0000180                packet_id_ss_id_map_entry <0x17016, 0x60># 101
seg002:C0000180                packet_id_ss_id_map_entry <0x17017, 0x61># 102
seg002:C0000180                packet_id_ss_id_map_entry <0x19002, 0x43># 103 <- AIM
seg002:C0000180                packet_id_ss_id_map_entry <0x19003, 0x44># 104
seg002:C0000180                packet_id_ss_id_map_entry <0x19004, 0x57># 105
seg002:C0000180                packet_id_ss_id_map_entry <0x19005, 0x68># 106
seg002:C0000180                packet_id_ss_id_map_entry <0x22001, 0x52># 107 <- ???
seg002:C0000180                packet_id_ss_id_map_entry <0x22002, 0x53># 108
seg002:C0000180                packet_id_ss_id_map_entry <0x22003, 0x66># 109
seg002:C0000180                packet_id_ss_id_map_entry <0x22004, 0x67># 110
seg002:C0000180                packet_id_ss_id_map_entry <0x24001, 0x73># 111 <- UDA
seg002:C0000180                packet_id_ss_id_map_entry <0x24002, 0x74># 112
seg002:C0000180                packet_id_ss_id_map_entry <0x25001, 0x83># 113 <- UTM
seg002:C0000180                packet_id_ss_id_map_entry <0x25002, 0x84># 114
</pre>
</pre>
https://web.archive.org/web/20141119024023/http://pastie.org/private/bfqqa2cpadolns9bm0eqa
== History of Packet ID Entries ==
* 0x18000 <- [[Dispatcher_Manager]]
* 0x8000  <- ???
* 0x17000 <- [[Indi_Info_Manager]]
* 0x10000 <- [[SB_Manager]]
* 0x9000  <- [[SC_Manager]]
* 0x14000 <- [[Secure_LPAR_Loader]]
* 0x15000 <- [[Secure_Profile_Loader]]
* 0x3000  <- [[Secure_RTC_Manager]]
* 0x5000  <- [[Storage_Manager]]
* 0x11000 <- [[Security_Policy_Manager]]
* 0x6000  <- [[Update_Manager]]
* 0x2000  <- [[Virtual_TRM_Manager]]
* 0x19000 <- [[AIM_Manager]]
* 0x22000 <- [[Factory_Data_Manager]]
* 0x24000 <- [[USB_Dongle_Authenticator]]
* 0x25000 <- [[User_Token_Manager]]
* 0x84000 <- http://paste.ubuntu.com/25395752/


from SPM
from SPM


[http://pastie.org/private/mdw6lcgcp6sby1qvlipog possible process names][https://pastebin.com/1Z1vG23V]
[http://pastie.org/private/mdw6lcgcp6sby1qvlipog possible process names]
[http://pastie.org/private/guigb77nctwvsq50tkaeq possible process / packet ids 1][https://pastebin.com/D8VeZ02B]
[http://pastie.org/private/guigb77nctwvsq50tkaeq possible process / packet ids 1]
[http://pastie.org/private/j7cv141bu5jw2acundzla possible process / packet ids 2][https://pastebin.com/fy4KZfmJ]
[http://pastie.org/private/j7cv141bu5jw2acundzla possible process / packet ids 2]


==coolstuf==
==coolstuf==
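Review bot: in the packet ID part of this comparison, the pre-formatted listing marks the 0x10001 and 0x22001 groups as "???", while the bulleted list names 0x10000 as SB_Manager and 0x22000 as Factory_Data_Manager; whichever side is published, carry those two names over so the identification is not lost. The 0x8001 / 0x8000 group is "???" on both sides and should stay flagged as open. Every listing line carries the same address, seg002:C0000180, so the per-entry location is not recoverable from it; the index after "#" is the only ordering information. The 0x84000 bullet points only at an external paste and has no entry in the listing, so a one-line description next to the link would keep the entry meaningful if the paste disappears.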
Line 261: Line 335:


Repositories:
Repositories:
* https://www.sendspace.com/file/klddg3
* http://www.sendspace.com/file/qlkzkd
* http://www.sendspace.com/file/qlkzkd
* http://www.mirrorcreator.com/files/0NFBM0PC/coolstuff_0.rar_links
* http://www.mirrorcreator.com/files/0NFBM0PC/coolstuff_0.rar_links
Line 267: Line 340:
* http://fileape.com/index.php?act=download&id=aG4VzHXWKqwXbi50
* http://fileape.com/index.php?act=download&id=aG4VzHXWKqwXbi50


* https://web.archive.org/web/*/http://ps3devwiki.com/files/coolstuf/
* http://ps3devwiki.com/files/coolstuf/


===Content===
===Content===
Line 609: Line 682:
ps3wiki/XRegistry File Format_2.htm 52.7 KB
ps3wiki/XRegistry File Format_2.htm 52.7 KB
</pre>
</pre>


==emer init.self==
==emer init.self==


=== Program 1 ===
===Program 1===
 
Crossreference: [http://portal.gitbrew.org/wikibrew/PS3:HvReverseEngineering:emer_init.self:Program_1 gitbrew.org::emer_init.self:Program_1] <br />
Crossreference: [https://web.archive.org/web/20110927024647/http://portal.gitbrew.org/wikibrew/PS3:HvReverseEngineering:emer_init.self:Program_1 gitbrew.org::emer_init.self:Program_1] <br />


<pre>
<pre>
Line 835: Line 908:
</pre>
</pre>


=== Program 2 ===
===Program 2===
 
Crossreference: [http://portal.gitbrew.org/wikibrew/PS3:HvReverseEngineering:emer_init.self:Program_2 gitbrew.org::emer_init.self:Program_2] <br />
Crossreference: [https://web.archive.org/web/20110927023704/http://portal.gitbrew.org/wikibrew/PS3:HvReverseEngineering:emer_init.self:Program_2 gitbrew.org::emer_init.self:Program_2] <br />
<pre>
<pre>
0x80308
0x80308
Line 1,152: Line 1,224:
0x66604200
0x66604200
</pre>
</pre>


----
----
== About RSX ==
<pre>
RAMIN is on VRAM.
0x28002010000 contains the same as 0x2808FF90000
0x28002050000 contains the same as 0x2808FFD0000
you can prove that by writing in one offset and reading the other
0x2808XXXXXXX is BAR1 (i.e. VRAM on Nvidia GPUs)
0x28002XXXXXX is BAR2 (i.e. PRAMIN on Nvidia GPUs)
</pre>