Loaders
Jump to navigation
Jump to search
Explaination
Loaders are used for loading other modules.
Commonly found in CoreOS and Flash.
Known loaders
Loader | Location | Type | Remarks |
---|---|---|---|
bootldr | Flash | Boot Loader | primary loader from chain of trust |
metldr | Flash | Meta Loader | aka asecure_loader. Loads other loaders |
appldr | CoreOS | Application Loader | loads userspace [f]selfs e.g. vsh.self, videoplayer_plugin.sprx, disc EBOOT.BINs, NPDRM EBOOT.BINs |
isoldr | CoreOS | Isolation Loader | loading isolated SPU modules |
lv1ldr | CoreOS | Hypervisor Loader | loads lv1.self (Hypervisor) |
lv2ldr | CoreOS | Supervisor Loader | loads lv2_kernel.self (Supervisor kernel) |
Stop Codes
Stop Code | Module | Remark |
---|---|---|
0x30 | isoldr/appldr | Version mismatch (isoldr version differs from version returned by SPU channel 73). |
0x16 | isoldr | Revoke List Error |
0x17 | isoldr | Adresses needs to be aligned |
0x27 | appldr | SPU arg at 0x3E840 |
0x20 | metldr | header error |
0x23 | metldr | ECDSA signature failure |
0x27
When booting, lv1ldr store its version in this region writing to ch_72.
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)
Note: this version check was recently added, maybe in fw 3.41
//for ch_73_round_0 data0 = 0x00030041; //for ch_73_round_1 data1 = 0x00000000;
lv1ldr
Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.
LS Parameters Layout
Address | Usage | Comments |
---|---|---|
0x34CB0 | Unknown | DMA read from ch74 20 times. |
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E800 | Arguments |
lv2ldr
Used to verify and decrypt lv2 (lv2_kernel.self)
LS Parameters layout
Address | Usage | Comments |
---|---|---|
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E800 | Arguments | |
0x3F000 | Program revoke list |
Arguments
Size | Name | Value |
---|---|---|
u64 | lpar_auth_id | 0x1070000002000001 |
u8 | *lv2_in | lv2 self - address in ram |
u8 | *lv2_out | where to decrypt lv2 - address in ram |
u64 | field18 | -1 |
u8[40] | res1 | Unknown / Not used |
u64 | field48 | 1 |
u8[16] | res2 | Unknown / Not used |
isoldr
Used for loading isolated SPU modules.
LS Parameters layout
Address | Usage | Comments |
---|---|---|
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E400 | EID0 | |
0x3E800 | Arguments | |
0x3EC00 | QA-Token | If not used set to -1 |
0x3F000 | Program revoke list |
Arguments
Depending which isolated module you want to load, you would need to pass it different arguments.
Size | Name | spp_verifier |
---|---|---|
u64 | prog_auth_id | 0x1050000003000001 |
u64 | lpar_auth_id | 0x1070000002000001 |
u64 | *spu_module | SPU - address in ram |
u64 | *spu_module_arg1 | Profile - address in ram |
u64 | spu_module_arg1_size | sizeof(profile) |
u64 | *spu_module_arg2 | Not used |
u64 | spu_module_arg2_size | Not used |
u8 | res1[16] | Unknown |
u64 | field48 | 3 |
u8 res2[16] | Unknown |
Size | Name | aim_spu_module |
---|---|---|
u64 | prog_auth_id | 0x1050000003000001 |
u64 | lpar_auth_id | 0x1070000002000001 |
u64 | *spu_module | SPU - address in ram |
u64 | *spu_module_arg1 | aim_spu_args - address in ram |
u64 | spu_module_arg1_size | 0x80 |
u64 | *spu_module_arg2 | eid0 - address in ram |
u64 | spu_module_arg2_size | sizeof(eid0) |
u64 | field48 | 3 |
union aim_spu_args { struct { void *buf; // debug_info buffer address u64 buf_size; // debug_info buffer size u32 param; // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid } in; struct { u8 result[0x10]; // no need to explain... } out; };