Spuisofs

From PS3 Developer wiki
Revision as of 21:12, 16 August 2012 by Glevand (talk | contribs) (→‎Mounting)
Jump to navigation Jump to search

Introduction

  • spuisofs is a Linux virtual filesystem which allows you to execute isolated SPU modules from user-space.
  • spuisofs can execute only isolated SPU modules which are decrypted by isoldr.
  • I used this driver e.g. to dump my EID0 key and my ATA keys.

Mounting

glevand@debian:~$ sudo mount -t spuisofs none /mnt

Filesystem Layout

glevand@debian:~$ ls -l /mnt
total 0
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 app
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 arg1
-rw-rw-rw- 1 root root 1048576 Aug 16 11:10 arg2
--w--w--w- 1 root root       0 Aug 16 11:10 cont
-r--r--r-- 1 root root       0 Aug 16 11:10 info
-rw-rw-rw- 1 root root  262144 Aug 16 11:10 ls
-rw-rw-rw- 1 root root  131072 Aug 16 11:10 priv2
-rw-rw-rw- 1 root root  131072 Aug 16 11:10 problem
--w--w--w- 1 root root      24 Aug 16 11:10 run
-r--r--r-- 1 root root    4096 Aug 16 11:10 shadow
glevand@debian:~$ cat /mnt/info 
arg1 d000000003b9d000
arg2 d000000003c9e000

Dumping EID0 Key with spuisofs

  • I modified aim_spu_module.self to dump EID0 IV and key with my spuisofs.

SPU Program

Here is my SPU program to dump EID0 key and IV: 

/*
 * Dump EID0 IV and key to EA with MFC
 *
 * Copyright (C) 2012 glevand <[email protected]>
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published
 * by the Free Software Foundation; version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

.text

start:

	ila		$2, 0x3dfa0
	lr		$sp, $2

	ila		$80, 0x3e000
	lr		$81, $3

	stqd		$7, 0($80)
	stqd		$8, 0x10($80)	# store EID0 IV
	stqd		$9, 0x20($80)	# store upper 16bytes of EID0 key
	stqd		$10, 0x30($80)	# store lower 16bytes of EID0 key
	stqd		$11, 0x40($80)
	stqd		$12, 0x50($80)

	lr		$3, $80
	lr		$4, $81
	il		$5, 0x60
	il		$6, 0x7
	il		$7, 0x20
	brsl		$lr, 0x10	# mfc_dma_xfer

	il		$3, 0x7
	brsl		$lr, 0x28	# mfc_dma_wait

	stop		0x666		# our evil stop code :)

/*
 * r3 - LSA
 * r4 - EA
 * r5 - size
 * r6 - tag
 * r7 - cmd
 */
mfc_dma_xfer:

	wrch		$ch16, $3
	wrch		$ch17, $4
	shlqbyi		$4, $4, 4
	wrch		$ch18, $4
	wrch		$ch19, $5
	wrch		$ch20, $6
	wrch		$ch21, $7

	bi		$lr

/*
 * r3 - tag
 */
mfc_dma_wait:

	il		$2, 0
	nop		$127
	hbra		2f, 1f
	wrch		$ch23, $2

1:

	rchcnt		$2, $ch23
	ceqi		$2, $2, 1
	nop		$127
	nop		$127
	nop		$127
	nop		$127
	nop		$127

2:

	brz		$2, 1b
	hbr		3f, $lr
	rdch		$2, $ch24
	il		$2, 1
	shl		$2, $2, $3
	wrch		$ch22, $2
	il		$2, 2
	wrch		$ch23, $2
	rdch		$2, $ch24
	nop		$127

3:

	bi		$lr

http://pastie.org/4503104

Result

[glevand@arch dump_eid0_key]$ ./dump_eid0_key ../dump_eid0_key.self ../eid0
spuisofs found at /mnt
arg1 kernel virtual address d000000000722000
shadow: spe_execution_status 7
priv2: puint_mb_R 2
shadow: spe_execution_status b
problem: spu_status_R 6660082
[glevand@arch dump_eid0_key]$ hexdump -C /mnt/arg1
...
Here are your EID0 key and IV
At offset 0x10 is EID0 IV (16 bytes)
At offset 0x20 is EID0 key (32 bytes)
...
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Spuisofs&oldid=13252"