Talk:Hypervisor Reverse Engineering: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 1: | Line 1: | ||
= MMIO / Memorymap = | |||
{| class="wikitable sortable" | |||
|- | |||
! Physical Address !! Size !! <abbr title="DeviceID">ID</abbr> !! Usage !! Address<br />in HV dump<br />(3.15) !! Notes | |||
|- | |||
| 0x20000080000 || 0x80000 || || SPE1 MMIO Memory Region|| 0x003ABC20 || | |||
|- | |||
| 0x20000100000 || 0x80000 || || SPE2 MMIO Memory Region || 0x003AAD70 || | |||
|- | |||
| 0x20000180000 || 0x80000 || || SPE3 MMIO Memory Region || 0x003A8880 || | |||
|- | |||
| 0x20000200000 || 0x80000 || || SPE4 MMIO Memory Region || 0x003B4F70 || | |||
|- | |||
| 0x20000280000 || 0x80000 || || SPE5 MMIO Memory Region || 0x003AB700 || | |||
|- | |||
| 0x20000300000 || 0x80000 || || SPE6 MMIO Memory Region || 0x003B5BE0 || | |||
|- | |||
| || 0x1000 || || SPE1 Shadow Registers Memory Region || 0x003ABDA0 || | |||
|- | |||
| || 0x1000 || || SPE2 Shadow Registers Memory Region || 0x003B4290 || | |||
|- | |||
| || 0x1000 || || SPE3 Shadow Registers Memory Region || 0x003A8A00 || | |||
|- | |||
| || 0x1000 || || SPE4 Shadow Registers Memory Region || 0x003B50F0 || | |||
|- | |||
| || 0x1000 || || SPE5 Shadow Registers Memory Region || 0x001FFC90 || | |||
|- | |||
| || 0x1000 || || SPE6 Shadow Registers Memory Region || 0x003AE5B0 || | |||
|- | |||
| 0x24000000000 || || || SB bus subsystem || || | |||
|- | |||
| 0x24000002000 || 0x200 || 1 || SATA Controller 1 || || | |||
|- | |||
| 0x24000002200 || 0x200 || 2 || SATA Controller 2 || || | |||
|- | |||
| 0x24000002400 || 0x200 || 3 || USB Controller 1 || || | |||
|- | |||
| 0x24000002600 || 0x200 || 4 || USB Controller 2 || || | |||
|- | |||
| 0x24000002800 || 0x200 || 0 || Gelic Device || || | |||
|- | |||
| 0x24000002C00 || 0x200 || 7 || ENCDEC Device || || | |||
|- | |||
| 0x24000008100 || || || SB bus interrupt handler || 0x002B9CC4 || | |||
|- | |||
| 0x24000008104 || || || SB bus interrupt handler || || | |||
|- | |||
| 0x2400008C000 || || || SYSCON (receive packetheader) || || | |||
|- | |||
| 0x2400008C010 || || || SYSCON (receive packetbody) || || | |||
|- | |||
| 0x2400008CFF0 || || || SYSCON (receive ?) || || | |||
|- | |||
| 0x2400008CFF4 || || || SYSCON (send ?) || || | |||
|- | |||
| 0x2400008D000 || || || SYSCON (send packetheader)|| || | |||
|- | |||
| 0x2400008D010 || || || SYSCON (send packetbody) || || | |||
|- | |||
| 0x2400008DFF0 || || || SYSCON (send ?) || || | |||
|- | |||
| 0x2400008DFF4 || || || SYSCON (receive ?) || || | |||
|- | |||
| 0x2400008E000 || || || SYSCON (receive ?) || || | |||
|- | |||
| 0x2400008E004 || || || SYSCON (receive test bit 0x2) || || | |||
|- | |||
| 0x2400008E100 || || || SYSCON (send notify) || || | |||
|- | |||
| 0x24003000000 || 0x1000 || 1 || SATA Controller 1 || || | |||
|- | |||
| 0x24003001000 || 0x1000 || 2 || SATA Controller 2 || || | |||
|- | |||
| 0x24003004000 || 0x1000 || 0 || Gelic Device || || | |||
|- | |||
| 0x24003005000 || 0x1000 || 7 || ENCDEC Device || || | |||
|- | |||
| 0x24003005200 || 0x4 || 7 || ENCDEC Device || || 0 != ENCDEC Test Mode | |||
|- | |||
| 0x24003006000 || 0x1000 || 7 || ENCDEC Device || || | |||
|- | |||
| 0x240030060A0 || 0x4 || 7 || ENCDEC Device || || EdecKgenFlash Command (0x84) | |||
|- | |||
| 0x24003010000 || 0x10000 || 3 || USB Controller 1 || 0x001FDF00 || | |||
|- | |||
| 0x24003020000 || 0x10000 || 4 || USB Controller 2 || 0x003B3850 || | |||
|- | |||
| 0x24003800000 || 0x1000 || 1 || SATA Controller 1 || || | |||
|- | |||
| 0x24003801000 || 0x1000 || 2 || SATA Controller 2 || || | |||
|- | |||
| 0x24003802000 || 0x1000 || 1 || SATA Controller 1 || || | |||
|- | |||
| 0x24003803000 || 0x1000 || 2 || SATA Controller 2 || || | |||
|- | |||
| 0x24003810000 || 0x10000 || 3 || USB Controller 1 || 0x003B6E50 || | |||
|- | |||
| 0x24003820000 || 0x10000 || 4 || USB Controller 2 || 0x003B9950 || | |||
|- | |||
| 0x28000000000 || 0x2000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28001800000 || 0x1000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28000600000 || 0x4000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28000680000 || 0x4000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28000080000 || 0x8000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28000088000 || 0x1000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x2800000C000 || 0x1000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x2800008A000 || 0x1000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x2800008C000 || 0x1000 || || AV Manager (/dev/ioif0) || || only mmap system call | |||
|- | |||
| 0x28080000000 || 0xFE00000 || 1 || GPU Device Memory Region || 0x003AF380 || | |||
|- | |||
| 0x3C0000 || 0xC000 || 2 || GPU Device Memory Region || 0x003AF500 || | |||
|- | |||
| 0x2808FE00000 || 0x40000 || 3 || GPU Device Memory Region || 0x003AF680 || | |||
|- | |||
| 0x28000C00000 || 0x20000 || 4 || GPU Device Memory Region || 0x003AFC30 || | |||
|- | |||
| 0x28000080100 || 0x8000 || 5 || GPU Device Memory Region || 0x003BB420 || | |||
|- | |||
| || || 9 || FLASH Controller device (StarShip - SS) || || FLASH controller doesn't have MMIO regions | |||
|- | |||
| 0x000000000000 || 0x1000000 || || GameOS || || | |||
|- | |||
| 0x700020000000 || 0xA0000 || || GameOS || || | |||
|- | |||
| 0x700020000000 || 0xE900000 || || GameOS || || | |||
|- | |||
| 0x800000000F000000 || 0xF000000 || || GameOS HTAB || || | |||
|- | |||
|} | |||
=emer init.self= | =emer init.self= | ||
Revision as of 16:17, 1 December 2011
MMIO / Memorymap
| Physical Address | Size | ID | Usage | Address in HV dump (3.15) | Notes |
|---|---|---|---|---|---|
| 0x20000080000 | 0x80000 | | SPE1 MMIO Memory Region | 0x003ABC20 | |
| 0x20000100000 | 0x80000 | | SPE2 MMIO Memory Region | 0x003AAD70 | |
| 0x20000180000 | 0x80000 | | SPE3 MMIO Memory Region | 0x003A8880 | |
| 0x20000200000 | 0x80000 | | SPE4 MMIO Memory Region | 0x003B4F70 | |
| 0x20000280000 | 0x80000 | | SPE5 MMIO Memory Region | 0x003AB700 | |
| 0x20000300000 | 0x80000 | | SPE6 MMIO Memory Region | 0x003B5BE0 | |
| | 0x1000 | | SPE1 Shadow Registers Memory Region | 0x003ABDA0 | |
| | 0x1000 | | SPE2 Shadow Registers Memory Region | 0x003B4290 | |
| | 0x1000 | | SPE3 Shadow Registers Memory Region | 0x003A8A00 | |
| | 0x1000 | | SPE4 Shadow Registers Memory Region | 0x003B50F0 | |
| | 0x1000 | | SPE5 Shadow Registers Memory Region | 0x001FFC90 | |
| | 0x1000 | | SPE6 Shadow Registers Memory Region | 0x003AE5B0 | |
| 0x24000000000 | | | SB bus subsystem | | |
| 0x24000002000 | 0x200 | 1 | SATA Controller 1 | | |
| 0x24000002200 | 0x200 | 2 | SATA Controller 2 | | |
| 0x24000002400 | 0x200 | 3 | USB Controller 1 | | |
| 0x24000002600 | 0x200 | 4 | USB Controller 2 | | |
| 0x24000002800 | 0x200 | 0 | Gelic Device | | |
| 0x24000002C00 | 0x200 | 7 | ENCDEC Device | | |
| 0x24000008100 | | | SB bus interrupt handler | 0x002B9CC4 | |
| 0x24000008104 | | | SB bus interrupt handler | | |
| 0x2400008C000 | | | SYSCON (receive packetheader) | | |
| 0x2400008C010 | | | SYSCON (receive packetbody) | | |
| 0x2400008CFF0 | | | SYSCON (receive ?) | | |
| 0x2400008CFF4 | | | SYSCON (send ?) | | |
| 0x2400008D000 | | | SYSCON (send packetheader) | | |
| 0x2400008D010 | | | SYSCON (send packetbody) | | |
| 0x2400008DFF0 | | | SYSCON (send ?) | | |
| 0x2400008DFF4 | | | SYSCON (receive ?) | | |
| 0x2400008E000 | | | SYSCON (receive ?) | | |
| 0x2400008E004 | | | SYSCON (receive test bit 0x2) | | |
| 0x2400008E100 | | | SYSCON (send notify) | | |
| 0x24003000000 | 0x1000 | 1 | SATA Controller 1 | | |
| 0x24003001000 | 0x1000 | 2 | SATA Controller 2 | | |
| 0x24003004000 | 0x1000 | 0 | Gelic Device | | |
| 0x24003005000 | 0x1000 | 7 | ENCDEC Device | | |
| 0x24003005200 | 0x4 | 7 | ENCDEC Device | | 0 != ENCDEC Test Mode |
| 0x24003006000 | 0x1000 | 7 | ENCDEC Device | | |
| 0x240030060A0 | 0x4 | 7 | ENCDEC Device | | EdecKgenFlash Command (0x84) |
| 0x24003010000 | 0x10000 | 3 | USB Controller 1 | 0x001FDF00 | |
| 0x24003020000 | 0x10000 | 4 | USB Controller 2 | 0x003B3850 | |
| 0x24003800000 | 0x1000 | 1 | SATA Controller 1 | | |
| 0x24003801000 | 0x1000 | 2 | SATA Controller 2 | | |
| 0x24003802000 | 0x1000 | 1 | SATA Controller 1 | | |
| 0x24003803000 | 0x1000 | 2 | SATA Controller 2 | | |
| 0x24003810000 | 0x10000 | 3 | USB Controller 1 | 0x003B6E50 | |
| 0x24003820000 | 0x10000 | 4 | USB Controller 2 | 0x003B9950 | |
| 0x28000000000 | 0x2000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28001800000 | 0x1000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28000600000 | 0x4000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28000680000 | 0x4000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28000080000 | 0x8000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28000088000 | 0x1000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x2800000C000 | 0x1000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x2800008A000 | 0x1000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x2800008C000 | 0x1000 | | AV Manager (/dev/ioif0) | | only mmap system call |
| 0x28080000000 | 0xFE00000 | 1 | GPU Device Memory Region | 0x003AF380 | |
| 0x3C0000 | 0xC000 | 2 | GPU Device Memory Region | 0x003AF500 | |
| 0x2808FE00000 | 0x40000 | 3 | GPU Device Memory Region | 0x003AF680 | |
| 0x28000C00000 | 0x20000 | 4 | GPU Device Memory Region | 0x003AFC30 | |
| 0x28000080100 | 0x8000 | 5 | GPU Device Memory Region | 0x003BB420 | |
| | | 9 | FLASH Controller device (StarShip - SS) | | FLASH controller doesn't have MMIO regions |
| 0x000000000000 | 0x1000000 | | GameOS | | |
| 0x700020000000 | 0xA0000 | | GameOS | | |
| 0x700020000000 | 0xE900000 | | GameOS | | |
| 0x800000000F000000 | 0xF000000 | | GameOS HTAB | | |
emer init.self
Program 1
Crossreference: gitbrew.org::emer_init.self:Program_1
0x40000 # bind object to subchannel 0 0x31337000 0x3C0180 0x66604200 0xFEED0000 0xFEED0001 0xFEED0000 0x0 0xFEED0000 0xFEED0000 0xFEED0000 0xFEED0001 0x66606660 0x66626660 0x0 0x0 0xFEED0000 0xFEED0000 0x40060 0x66616661 0x340200 0x0 0x0 0x121 0x40 0x0 0x0 0x0 0x40 0x1 0x80 0x100 0x40 0x0 0x100280 0x40 0x40 0x0 0x0 0x41D80 0x3 0x4802B8 0x0 0x0 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0xFFF0000 0x81D98 0xFFF0000 0xFFF0000 0x41DA4 0x0 0x403B0 0x10 0x41454 0x0 0x41FF4 0x3FFFFF 0x181FC0 0x0 0x6144321 0xEDCBA987 0x6F 0x171615 0x1B1A19 0x280B40 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x40A0C 0x0 0xC0A60 0x0 0x0 0x0 0x80A78 0x0 0x0 0x41428 0x1 0x41D88 0x1000 0x41E94 0x11 0x41450 0x80003 0x41FE0 0x2000000 0x400B00 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x2DC8 0x1008CC 0x800 0x0 0x0 0x0 0x100240 0xFFFF 0x0 0x0 0x0 0x0 0xC003C0 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x10101 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x7421 0x9AABAA98 0x66666789 0x98766666 0x89AABAA9 0x99999999 0x88888889 0x98888888 0x99999999 0x56676654 0x33333345 0x54333333 0x45667665 0xAABBBA99 0x66667899 0x99876666 0x99ABBBAA 0x81738 0x0 0x0 0x4E000 # bind object to subchannel 7 0xCAFEBABE
Program 2
Crossreference: gitbrew.org::emer_init.self:Program_2
0x80308 0x207 0x0 0x40304 0x0 0xC0350 0x207 0x0 0xFF 0x4034C 0xFF 0xC035C 0x1E00 0x1E00 0x1E00 0x4031C 0x0 0x4037C 0x0 0x40310 0x0 0x4036C 0x0 0x40320 0x80068006 0x80314 0x10001 0x0 0x41D8C 0xFFFFFF00 0x41D94 0x0 0x40100 0x0 0x40324 0x1010101 0x4183C 0x0 0x41830 0x405 0x80384 0x0 0x3F800000 0x40380 0x0 0x40A6C 0x201 0x40A70 0x1 0x40A74 0x0 0x40300 0x1 0x41FEC 0x0 0x41FC0 0x0 0x41834 0x901 0x403B8 0x8 0x40374 0x0 0x40378 0x1503 0x41EE0 0x3F800000 0x40A68 0x0 0x80A78 0x0 0x0 0x41DAC 0x0 0x41DB0 0xFFFFFFFF 0x808C0 0x10000000 0x10000000 0x40368 0x1D01 0xC0330 0x207 0x0 0xFF 0x4032C 0xFF 0xC033C 0x1E00 0x1E00 0x1E00 0x40328 0x0 for (x = 0; x < 16; x++) { 0x41A08 + (x * 0x20) 0x30101 0x41A1C + (x * 0x20) 0x0 0x41A0C + (x * 0x20) 0x60000 0x41A14 + (x * 0x20) 0x2052000 } 0x40348 0x0 for (x = 0; x < 16; x++) { 0x41740 + (x * 0x4) 0x2 0x41680 + (x * 0x4) 0x0 } 0x80A00 0x10000000 0x10000000 0x80394 0x0 0x3F800000 0x200A20 2048.0 2048.0 0.5 0x0 2048.0 2048.0 0.5 0x0 0x200A20 2048.0 2048.0 0.5 0x0 2048.0 2048.0 0.5 0x0 0x41D7C 0xFFFF0000 0x4182C 0x1B02 0x41D90 0x0 0x40370 0x0 0x41828 0x1B02 0x403BC 0x0 0x41DB4 0x0 0x41EE4 0x0 0x41EE8 0x0 0x41838 0x0 0x4147C 0x0 0x41E98 0x1000000 0x41478 0x0 0x41FF0 0xFFFF 0x417CC 0x0 for (x = 0; x < 16; x++) { 0x40908 + (x * 0x20) 0x101 0x4091C + (x * 0x20) 0x0 0x4090C + (x * 0x20) 0x60000 0x40914 + (x * 0x20) 0x0 } 0x40238 0x0 0x41D78 0x1 0x4142C 0x0 0x41FF8 0x0 0x41FE8 0x0
Program 3
Crossreference: gitbrew.org::emer_init.self:Program_2
0x42000 # bind object to subchannel 1 0x31337303 0xC2180 # method of subchannel 1 0x66604200 0xFEED0001 0xFEED0000 0x46000 # bind object to subchannel 3 0x313371C3 0xC6180 # method of subchannel 3 0x66604200 0xFEED0000 0xFEED0000 0x4A000 # bind object to subchannel 5 0x31337808 0x20A180 # method of subchannel 5 0x66604200 0x0 0x0 0x0 0x0 0x0 0x0 0x313371C3 0x8A2FC # method of subchannel 5 0x3 0x4 0x48000 # bind object to subchannel 4 0x31337A73 0x88180 # method of subchannel 4 0x66604200 0xFEED0000 0x4C000 # bind object to subchannel 6 0x3137AF00 0x4C180 # method of subchannel 6 0x66604200