SPU Isolated Modules Reverse Engineering: Difference between revisions

From PS3 Developer wiki
No edit summary
Line 1: Line 1:
== aim_spu_module ==
== aim_spu_module ==
It is used to retrieve the device type, device id, open psid and the pscode from the EID data that is passed in.
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.


=== Debug messages ===
=== Debug messages ===
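Review bot: the EID to EID0 wording change in the first paragraph is right; it now matches the process_eid entry ("Decrypts EID0") in the function table, so the page consistently names the block the module actually consumes.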
Line 14: Line 14:
| 0x3790 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
| 0x3790 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
|}
|}
This messages are DMAed to the ppu if a debug output address is specified.


=== Data ===
=== Data ===
{| class="wikitable"
{| class="wikitable"
! Address !! Info
! Address !! Info
|-
| 0x37e0 || Reference tool fallback IDPS
|-
| 0x37f0 - ... || Start of EID keys
|-
|-
| 0x3ac0 || AES sbox (16*16 bytes)
| 0x3ac0 || AES sbox (16*16 bytes)
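Review bot: the added sentence "This messages are DMAed to the ppu if a debug output address is specified." should read "These messages are DMAed to the ppu if a debug output address is specified." The new Data row "0x37f0 - ... || Start of EID keys" also leaves the end of the key range open; if the length is known from the disassembly, give the end address, otherwise say that it is unknown so a reader does not assume the keys run all the way up to the AES sbox at 0x3ac0.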
Line 28: Line 33:
! Address !! Name !! Parameters !! Info
! Address !! Name !! Parameters !! Info
|-
|-
| 0x1440 || debug_print || unknown || As the name already states...
| 0x9e0 || stop_func || unknown || Stops the module execution with various stop codes.
|-
| 0xa18 || main_func || unknown || Main routine.
|-
| 0xf18 || response || unknown || Sends response to ppu over DMA.
|-
| 0x1158 || process_eid || unknown || Decrypts EID0.
|-
| 0x1438 || prepare_print || unknown || Prepares debug output.
|-
|-
| 0x30c0 || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
| 0x1440 || debug_print || unknown || As the name already states... (this outputs over DMA)
|-
|-
| 0x17f0 || - || - || Part of aes implementation.
| 0x17f0 || - || - || Part of aes implementation.
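Review bot: moving the rows into address order (stop_func, main_func, response, process_eid, prepare_print, then debug_print at 0x1440) makes the table much easier to scan against the disassembly. The stop_func row only says "various stop codes"; since those codes are what an observer sees when the module halts, listing them next to the debug messages table would be worth the space.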
Line 45: Line 58:
|-
|-
| 0x2608 || - || - || Part of aes implementation.
| 0x2608 || - || - || Part of aes implementation.
|-
| 0x30c0 || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
|-
|-
| 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
| 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
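Review bot: the do_dma row keeps unk0 and unk1 as unnamed parameters although the disassembly below combines them into the MFC_Cmd write as `(unk0 << 16) | unk1`; on the MFC_Cmd channel the low halfword is the command opcode and the upper bits are the class ids, so it is worth checking that against the disassembly and, if it holds, naming the two parameters accordingly in the Parameters column.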
Line 50: Line 65:


==== Disasm ====
==== Disasm ====
The complete disassembly is available at [http://pastebin.com/7vArGweJ].
The complete disassembly is available at [http://pastebin.com/7vArGweJ].


===== do_dma =====
=== Running in anergistic ===
From 0x30c0 to 0x3130 it just checks if the parameters are ok (ls_addr != 0, dma_effective_addr != 0, size-1 < 0x3fff, tag_id < 32) else it will jump to 0x3160.
-> http://pastie.org/2000330
 
//(ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9)
//...
{
  //3134: 21 a0 08 0a wrch $MFC_LSA,$10
  wrch(MFC_LSA, ls_addr);
  //3138: 21 a0 08 85 wrch $MFC_EAH,$5
  wrch(MFC_EAH, dma_effective_addr);
  //313c: 3f e1 02 8a shlqbyi $10,$5,4
  //3140: 21 a0 09 0a wrch $MFC_EAL,$10
  wrch(MFC_EAL, dma_effective_addr << 4);
  //3144: 21 a0 09 86 wrch $MFC_Size,$6
  wrch(MFC_Size, size);
  //3148: 21 a0 0a 07 wrch $MFC_TagID,$7
  wrch(MFC_TagID, tag_id);
  //314c: 0f 64 04 06 shli $6,$8,16
  //3150: 08 22 43 05 or $5,$6,$9
  //3154: 21 a0 0a 85 wrch $MFC_Cmd,$5
  wrch(MFC_Cmd, (unk0 << 16) | unk1);
  //3158: 40 80 00 03 il $3,0
  //315c: 35 00 00 00 bi $lr
  return 0; //0 is probably success
  err:;
  //3160: 40 80 04 83 il $3,9
  //3164: 35 00 00 00 bi $lr
  return 9; //9 is probably failure
}
 
===== write_tag_mask_bit =====
//(tag_mask_bit:$4)
{
  //3168: 40 80 00 02 il $2,0 //Update immediately, unconditional.
  //316c: 21 a0 0b 82 wrch $MFC_WrTagUpdate,$2
  wrch(MFC_WrTagUpdate, 0);
  //3170: 01 e0 0b 83 rchcnt $3,$MFC_WrTagUpdate
  //3174: 7c 00 41 85 ceqi $5,$3,1
  //3178: 20 7f ff 05 brz $5,0x3170 # 3170
  while(rchcnt(MFC_WrTagUpdate) != 1);
  //317c: 01 a0 0c 02 rdch $2,$MFC_RdTagStat
  $2 = rdch(MFC_RdTagStat);
  //3180: 0b 61 01 86 shl $6,$3,$4
  //3184: 21 a0 0b 06 wrch $MFC_WrTagMask,$6
  wrch(MFC_WrTagMask, 1 << tag_mask_bit);
  //3188: 40 80 01 03 il $3,2 //Update tag status if or when all enabled tag groups have “no outstanding operation” status.
  //318c: 21 a0 0b 83 wrch $MFC_WrTagUpdate,$3
  wrch(MFC_WrTagUpdate, 2);
  //3190: 01 a0 0c 02 rdch $2,$MFC_RdTagStat
  $2 = rdch(MFC_RdTagStat);
  //3194: 35 00 00 00 bi $lr
  return;
}
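Review bot: replacing the annotated do_dma and write_tag_mask_bit pseudocode with a pastie link drops analysis that exists nowhere else; pastie.org is not under the wiki's control and the paste may disappear, so keep the annotated blocks on the page (or a subpage) and add the link next to them. Two corrections to carry over when doing so: at 0x313c `shlqbyi $10,$5,4` shifts the quadword left by 4 bytes, not 4 bits, so the preferred slot of $10 receives word 1 of $5, the low 32 bits of the 64-bit effective address, and `wrch(MFC_EAL, dma_effective_addr << 4);` should be read as writing the low word while MFC_EAH takes the high word; and write_tag_mask_bit does more than set a mask bit, because the `wrch(MFC_WrTagUpdate, 2)` followed by `rdch(MFC_RdTagStat)` blocks until every enabled tag group has no outstanding operation (as the comment at 0x3188 already says), so it is the routine that waits for a do_dma transfer to complete.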

Revision as of 20:57, 3 June 2011

== aim_spu_module ==

It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.

=== Debug messages ===

{| class="wikitable"
! Address !! Message
|-
| 0x36f0 || "(spu)start aim spu module!\n"
|-
| 0x3710 || "(spu) PU DMA area start address is not align 16byte\n"
|-
| 0x3750 || "(spu) PU EID area start address is not align 16byte\n"
|-
| 0x3790 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
|}

These messages are DMAed to the ppu if a debug output address is specified.

=== Data ===

{| class="wikitable"
! Address !! Info
|-
| 0x37e0 || Reference tool fallback IDPS
|-
| 0x37f0 - ... || Start of EID keys
|-
| 0x3ac0 || AES sbox (16*16 bytes)
|-
| 0x3c70 || AES inverse sbox (16*16 bytes)
|}

=== Functions ===

{| class="wikitable"
! Address !! Name !! Parameters !! Info
|-
| 0x9e0 || stop_func || unknown || Stops the module execution with various stop codes.
|-
| 0xa18 || main_func || unknown || Main routine.
|-
| 0xf18 || response || unknown || Sends response to ppu over DMA.
|-
| 0x1158 || process_eid || unknown || Decrypts EID0.
|-
| 0x1438 || prepare_print || unknown || Prepares debug output.
|-
| 0x1440 || debug_print || unknown || As the name already states... (this outputs over DMA)
|-
| 0x17f0 || - || - || Part of AES implementation.
|-
| 0x1c48 || - || - || Part of AES implementation.
|-
| 0x1df0 || - || - || Probably part of AES implementation.
|-
| 0x20f0 || - || - || Probably part of AES implementation.
|-
| 0x2300 || - || - || Probably part of AES implementation.
|-
| 0x2418 || - || - || Part of AES implementation.
|-
| 0x2608 || - || - || Part of AES implementation.
|-
| 0x30c0 || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to DMA data in and out of the isolated module's LS.
|-
| 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
|}
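As an added example (not code from the wiki or from the module itself), a host-side C model of what do_dma hands to the MFC: it applies the parameter checks the page gives for 0x30c0-0x3130, reproduces the shlqbyi at 0x313c byte for byte to show which half of a 64-bit effective address reaches MFC_EAL, and records the channel writes. The channel-file struct, the function names and the sample values for unk0/unk1 are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* An SPU register is a 128-bit quadword. A 64-bit effective address passed
 * in $5 occupies word 0 (high half, the preferred slot) and word 1 (low half). */
typedef struct { uint32_t w[4]; } qword;

/* Model of "shlqbyi rt, ra, imm": shift the whole quadword left by imm BYTES
 * (count masked to 0..31; a count of 16 or more leaves the register zero). */
static qword shlqbyi(qword a, unsigned imm)
{
    unsigned char in[16], out[16] = {0};
    unsigned n = imm & 0x1f;
    qword r;
    for (int i = 0; i < 4; i++) {
        in[4*i] = a.w[i] >> 24; in[4*i+1] = a.w[i] >> 16;
        in[4*i+2] = a.w[i] >> 8; in[4*i+3] = a.w[i];
    }
    if (n < 16) memcpy(out, in + n, 16 - n);
    for (int i = 0; i < 4; i++)
        r.w[i] = (uint32_t)out[4*i] << 24 | (uint32_t)out[4*i+1] << 16 |
                 (uint32_t)out[4*i+2] << 8 | out[4*i+3];
    return r;
}

/* Constructed stand-in for the MFC channel file; one global, like the real
 * MFC, so a caller can inspect what do_dma handed to the DMA engine. */
struct mfc_regs { uint32_t lsa, eah, eal, size, tagid, cmd; } mfc;

/* The checks the page lists for 0x30c0-0x3130 (ls_addr != 0,
 * dma_effective_addr != 0, size-1 < 0x3fff, tag_id < 32), then the channel
 * writes of 0x3134-0x3154. Returns 0 on success and 9 on a rejected
 * parameter, the two values the disassembly loads into $3. */
int do_dma_model(uint32_t ls_addr, uint64_t dma_effective_addr, uint32_t size,
                 uint32_t tag_id, uint32_t unk0, uint32_t unk1)
{
    if (ls_addr == 0 || dma_effective_addr == 0 ||
        !((size - 1) < 0x3fff) || !(tag_id < 32))
        return 9;
    qword r5 = {{ (uint32_t)(dma_effective_addr >> 32),
                  (uint32_t)dma_effective_addr, 0, 0 }};
    mfc.lsa   = ls_addr;                 /* wrch $MFC_LSA */
    mfc.eah   = r5.w[0];                 /* wrch $MFC_EAH,$5: preferred slot */
    mfc.eal   = shlqbyi(r5, 4).w[0];     /* 0x313c: word 1 becomes word 0 */
    mfc.size  = size;                    /* wrch $MFC_Size */
    mfc.tagid = tag_id;                  /* wrch $MFC_TagID */
    mfc.cmd   = (unk0 << 16) | unk1;     /* shli $6,$8,16 ; or $5,$6,$9 */
    return 0;
}
```

The size boundary follows the page's wording (size-1 < 0x3fff), so 0x3fff bytes is accepted and 0x4000 is refused; a size of 0 wraps to 0xffffffff and is refused as well.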

==== Disasm ====

The complete disassembly is available at [http://pastebin.com/7vArGweJ].

=== Running in anergistic ===

-> http://pastie.org/2000330