Difference between revisions of "Appliance Information Manager"

From PS3 Developer wiki
m (CelesteBlue moved page AIM Manager to Appliance Information Manager)
AIM (Appliance Info Manager) is a [[Hypervisor_Reverse_Engineering#Process_socket_services|Process socket service]] supported by the hypervisor (lv1).<br>
  
It is used to retrieve the IDPS, Target ID, Open PSID and PS Code from the [[Flash#EID0_-_Section_0|EID0]] data that is passed in.
  
The isolated SPU module '''aim_spu_module.self''' from [[CoreOS|CoreOS]] / [[Flash#ros0|Flash]] is responsible for this.
  
This service is accessible from GameOS via syscall '''867''' (0x363) and requires the 0x40 Root flag ([[Capability_Flags|Capability Flags]]) to be set in the [[SELF - SPRX#Supplemental Header Table|Plaintext Capability Header]].
 
 
internally loaded@ss_server2.fself
 
Function Id : 0x19000
 
Port:       0x24
 
 
 
= 0x19000 - AIM =
 
 
 
{| class="wikitable FCK__ShowTableBorders"
|-
! Packet ID
! Description
! Lv1 Parameter Usage
! Lv2 Syscall Parameter
! Notes
|-
| 0x19002
| Get Device Type
|
| uint8_t out[0x10]
|
|-
| 0x19003
| Get Device ID
|
| uint8_t out[0x10]
|
|-
| 0x19004
| Get PS Code
|
| uint8_t out[0x8]
|
|-
| 0x19005
| Get Open PS ID
|
| uint8_t out[0x10]
|
|-
| 0x19006
| Unknown
|
| void
|
|}
 
 
 
== 0x19002 - Get Device Type ==
 
 
 
* returns the console [[Target_ID|Target Id]]:
 
<pre>
 
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x85
 
</pre>
 
 
 
calling from GameOS:
 
<source lang="c">
 
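#include <stdint.h>

typedef uint8_t u8;

/* Output buffer for packet 0x19002: 16 bytes, the Target ID is the last byte */
struct ss_aim_get_device_type {
    u8 field0[16];
};

int cellSsAimGetDeviceType(uint8_t out[0x10]);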
 
</source>
 
 
 
== 0x19003 - Get Device ID ==
 
 
 
* returns the console's [[IDPS]]:
 
 
 
<pre>
 
0x00 0x00 0x00 0x01 0x00 0x89 0x00 0x0B 0x14 0x00 0xEF 0xDD 0xCA 0x25 0x52 0x66  .....‰....ïÝÊ%Rf
 
</pre>
 
 
 
calling from GameOS:
 
<source lang="c">
 
#include <stdint.h>

typedef uint8_t u8;

/* Output buffer for packet 0x19003: the 16-byte IDPS */
struct ss_aim_get_device_id {
    u8 idps[16]; // see [[idps]]
};

int cellSsAimGetDeviceId(uint8_t out[0x10]);
 
</source>
 
 
 
== 0x19004 - Get PS Code ==
 
 
 
On my CECHJ04 it returns:

<pre>
0x00 0x01 0x00 0x85 0x00 0x07 0x00 0x04
</pre>
 
 
 
The last two bytes are calculated by taking the 9th and 10th bytes of the [[IDPS]] and right-shifting them by 0xA.
 
 
 
calling from GameOS:
 
<source lang="c">
 
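#include <stdint.h>

typedef uint8_t u8;

/* Output buffer for packet 0x19004: the 8-byte PS Code */
struct ss_aim_get_ps_code {
    u8 field0[8];
};

int cellSsAimGetPsCode(uint8_t out[8]);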
 
</source>
 
 
 
== 0x19005 - Get Open PS ID ==
 
 
 
calling from GameOS:
 
<source lang="c">
 
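#include <stdint.h>

typedef uint8_t u8;

/* Output buffer for packet 0x19005: the 16-byte Open PSID */
struct ss_aim_get_open_ps_id {
    u8 field0[16];
};

int cellSsAimGetOpenPsId(uint8_t out[0x10]);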
 
</source>
 
 
 
== 0x19006 - Unknown ==
 
 
 
* usage found in bdp_BDVD for example... with 1 param (= 0)
 
* seems to be handled by lv2_kernel, not AIM itself
 
 
 
::looks up the QA flag (if flagged, sets token seed to an lv2 internal buffer), fself flag & device_id
 
 
 
calling from GameOS:
 
<source lang="C">
 
int ret = syscall(867, 0x19006); /* the packet ID is the only argument */
 
</source>
 
 
 
* Note: this packet ID doesn't need another parameter.
 
 
 
= Reverse Engineering in Lv1 =
 
 
 
Function Id : 0x19000
 
Port:       0x24
 
Process:      5
 
 
 
If you want to look into it further or get more things documented, consider looking at, for example:
 
 
 
* coolstuff\hvdump315_reversing\proc_5\code_seg.idb
 
* coolstuff\hvdump341_reversing\proc_5\code_seg.idb
 
* coolstuff\hvdump355_reversing\proc_5\code_seg.idb
 
 
 
= Reverse Engineering isolated module =
 
 
 
A crossreference to [[SPU_Isolated_Modules_Reverse_Engineering#aim_spu_module]].
 
 
 
== Debug messages ==
 
 
 
{| class="wikitable"
 
! colspan="2" | Address !! rowspan="2" | Message
 
|-
 
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
 
|-
 
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n"
 
|-
 
| 0x3710 || 0x3590 || "(spu) PU DMA area start address is not align 16byte\n"
 
|-
 
| 0x3750 || 0x35d0 || "(spu) PU EID area start address is not align 16byte\n"
 
|-
 
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
 
|}
 
These messages are DMAed to the PPU if a debug output address is specified.
 
 
 
== Data ==
 
 
 
{| class="wikitable"
 
! colspan="2" | Address !! rowspan="2" | Description
 
|-
 
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
 
|-
 
| 0x37e0 || - || Reference tool fallback IDPS
 
|-
 
| 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]]
 
|-
 
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
 
|-
 
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes)
 
|}
 
 
 
== Functions ==
 
 
 
{| class="wikitable"
 
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
 
|-
 
! &nbsp;3.41&nbsp; CEX/DEX !! 355&nbsp;CEX
 
|-
 
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
 
|-
 
| 0xa18 ||  || main_func || unknown || Main routine.
 
|-
 
| 0xf18 ||  || response || unknown || Sends response to ppu over DMA.
 
|-
 
| 0x1158 ||  || process_eid || unknown || Decrypts EID0.
 
|-
 
| 0x1438 ||  || prepare_print || unknown || Prepares debug output.
 
|-
 
| 0x1440 ||  || debug_print || unknown || As the name already states... (this outputs over DMA)
 
|-
 
| 0x17f0 ||  || - || - || AES 1 Part of aes implementation.
 
|-
 
| 0x1c48 ||  || aes_encrypt_ecb || - || AES 2 Part of aes implementation.
 
|-
 
| 0x1df0 ||  || cellCryptoSpuAesCbcCfb128Decrypt || - || AES 3 Probably part of aes implementation.
 
|-
 
| 0x20f0 ||  || aes_omac1 || - || AES 4 Probably part of aes implementation.
 
|-
 
| 0x2300 ||  || aes_set_key_dec || - || AES 5 Probably part of aes implementation.
 
|-
 
| 0x2418 ||  || aes_decrypt_ecb || - || AES 6 Part of aes implementation.
 
|-
 
| 0x2608 ||  || aes_decrypt_ecb_aligned || - || AES 7 Part of aes implementation.
 
|-
 
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
 
|-
 
| 0x3168 ||  || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
 
|}
 
 
 
== Disassembly ==
 
 
 
The complete disassembly is available at [http://pastebin.com/7vArGweJ].
 
 
 
 
 
{{Reverse engineering}}
 
<noinclude>[[Category:Main]]</noinclude>
 

Revision as of 00:09, 14 January 2020
