Update Manager

From PS3 Developer wiki
Jump to navigation Jump to search

This service is responsible for processing Sony Playstation 3 Update files like CoreOS, Revoke List and Firmware PKGs 

Update Manager service is accessed by GameOS syscall 863


0x6000 - Update Manager

Packet ID Description
0x6001 Update Package Tophalf
0x6002 Inspect Package Tophalf
0x6003 Get Package Info
0x6004 Get Fix Instruction
0x6005 Extract Package Tophalf
0x6006 Get Extract Package
0x6007 Not Implemented
0x6008 Not Implemented
0x6009 Get Token Seed
0x600A Set Token
0x600B Read EPROM
0x600C Write EPROM
0x600D Get Status
0x600E Allocate Buffer
0x600F Release Buffer
0x6010 Check Integrity
0x6011 Get Applicable Version
0x6012 (Re?)Allocate Buffer (only lv2kernel)
0x6013


0x6001 - Update Package Tophalf

  • The result of the request can be checked by reading the value of repository node ss.update.request.<Request ID> periodically

0x6002 - Inspect Package Tophalf

  • I have got access to this service through DM and tested it with PSGroove
  • This service can tell you if a package can be installed or not, the service just checks a package but does not install it
  • Packages can be updated without GameOS !!! I'm using only HV calls and communicate directly with Dispatcher Manager and Update Manager
  • I just sent a whole SCE package to GameOS through network, created a LPAR memory region and stored the file there
  • It expects a SCE package that can be easily extracted from PUP file
  • The data of SCE package can be passed either in SS packet itself or through LPAR memory of requester
  • When the data of SCE package is too large for SS packet (SS packets are sent through DM, GameOS and DM communicate through VUART that has only 0x800 bytes buffer) then the data of SCE package has to be passed through GameOS LPAR memory. The requester sends a vector of LPAR memory addresses where the data of SCE package is stored and Update Manager maps it into the address space of Process 6
  • E.g. Revoke List packages can be sent in SS packets because they are small (about 0x200 bytes). All other packages are too big to sent them in SS packets
  • The service is actually split into 2 halfs: Top-Half and Bottom-Half
  • The Top-Half is executed synchronously with service request and it sends a reply to the requester
  • In the reply sent by Top-Half a Request ID (8 bytes) is returned to the requester
  • Request ID is calculated by using SHA-1
  • After the Top-Half is done, a reply is sent to the requester but the service just checked some input parameter upto now and the passed SCE package was not really checked yet
  • The Bottom-Half is called asynchronously to the request, it does the real job, it checks the passed SCE package.
  • The result of the request can be checked by reading the value of repository node ss.inspect.request.<Request ID> periodically
  • I successfully tested this service with RL_FOR_PROGRAM.img from 3.50 PUP file and the service returned Success, so theoretically i could install this package on my PS3. But of course i want to downgrade and NOT to upgrade.

Inspect Package Tophalf Return Values

Error Code Description
0x00000000 Success
0x00000013 Same Version/Older Version
0x00000014 -

0x6003 - Get Package Info

  • I have got access to this service through DM and tested it with PSGroove
  • The service expects one additional parameter: package type (valid values are 1-9)
  • The service returns the version (8 bytes) of a package type installed

Here are the versions of packages installed on my PS3:

Package Type Returned Version Description Package Name in PUP File
1 0x0003004100000000 Core OS Package CORE_OS_PACKAGE.pkg
2 0x0003004100000000 Revoke List Package for Program RL_FOR_PROGRAM.img
3 0x0002003000000000 Revoke List Package for Package RL_FOR_PACKAGE.img
4 0xDEADBEAFFACEBABE - -
5 0xDEADBEAFFACEBABE - -
6 0x0003004000000000 BD Firmware Package BDIT_FIRMWARE_PACKAGE.pkg, BDPT_FIRMWARE_PACKAGE_*.pkg
7 Invalid Parameter Bluetooth Firmware, dev_flash tarballs BLUETOOTH_FIRMWARE.pkg, dev_flash, dev_flash3
8 Invalid Parameter - -
9 Invalid Parameter SC Firmware Package SYS_CON_FIRMWARE_*.pkg

Decrypting and Extracting Packages with spu_pkg_rvk_verifier.self

  • I have managed to decrypt and extract Revoke List Packages 3.41 and 3.50 by using SPE HV calls and spu_pkg_rvk_verifier.self
  • Important: Parameters to SPU module shuold be aligned, i used cache line alignment, don't know exactly alignment requerements. Or else some very strange things could happen. E.g SYSCON firmware was only partially decrypted when i used no cache line alignment.
  • I have also managed to decrypt and extract Core OS Packages 1.10, 1.18 Debug, 2.40, 2.80, 3.15, 3.41 and 3.50 by using SPE HV calls and spu_pkg_rvk_verifier.self but it's compressed with zlib.Update Manager in Process 6 from 3.15 uses zlib 1.2.3 inflate to decompress it after it was decrypted and then it stores the data to flash memory.
  • I decompressed the decrypted Core OS Packages with zlib.
  • I am able now to decrypt and decompress all Core OS Packages
  • The decrypted and decompressed package CORE_OS_PACKAGE.pkg looks exactly like it's stored on flash.
  • I also decrypted BD Firmwares BDIT_FIRMWARE_PACKAGE.pkg and BDPT_FIRMWARE_PACKAGE.pkg successfully. The firmware is not compressed.
  • I also decrypted Bluetooth Firmware BLUETOOTH_FIRMWARE.pkg successfully. The firmware is encrypted and compressed.
  • I also managed to decrypt System Controller Firmware SYS_CON_FIRMWARE_01050101.pkg from 3.41.
  • Core OS Package 3.50 contains a new isolated SPU module that is not contained in older versions. The SPU module is manu_info_spu_module.self.
  • Here links to PS3 Firmwares: [1] and [2]
RL_FOR_PROGRAM.img 3.41
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000200   00 00 00 04 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
00000210   00 00 00 06 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000220   00 00 00 03 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
00000230   00 00 00 00 00 00 00 02  FF FF FF FF FF FF FF FF   ........ÿÿÿÿÿÿÿÿ
00000240   00 00 00 04 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
00000250   10 70 00 05 FF 00 00 01  FF FF FF FF FF FF FF FF   .p..ÿ...ÿÿÿÿÿÿÿÿ
00000260   00 00 00 04 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
00000270   10 70 00 05 FE 00 00 01  FF FF FF FF FF FF FF FF   .p..þ...ÿÿÿÿÿÿÿÿ
00000280   00 00 00 04 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
00000290   10 70 00 05 FD 00 00 01  FF FF FF FF FF FF FF FF   .p..ý...ÿÿÿÿÿÿÿÿ
000002A0   00 00 00 04 00 00 00 01  00 03 00 41 00 00 00 00   ...........A....
000002B0   10 70 00 05 FC 00 00 01  FF FF FF FF FF FF FF FF   .p..ü...ÿÿÿÿÿÿÿÿ
000002C0   00 00 00 04 00 00 00 03  00 01 00 00 00 00 00 00   ................
000002D0   10 70 00 04 00 00 00 01  FF FF FF FF FF FF FF FF   .p......ÿÿÿÿÿÿÿÿ
RL_FOR_PROGRAM.img 3.50
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000200   00 00 00 04 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
00000210   00 00 00 06 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000220   00 00 00 03 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
00000230   00 00 00 00 00 00 00 02  FF FF FF FF FF FF FF FF   ........ÿÿÿÿÿÿÿÿ
00000240   00 00 00 04 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
00000250   10 70 00 05 FF 00 00 01  FF FF FF FF FF FF FF FF   .p..ÿ...ÿÿÿÿÿÿÿÿ
00000260   00 00 00 04 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
00000270   10 70 00 05 FE 00 00 01  FF FF FF FF FF FF FF FF   .p..þ...ÿÿÿÿÿÿÿÿ
00000280   00 00 00 04 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
00000290   10 70 00 05 FD 00 00 01  FF FF FF FF FF FF FF FF   .p..ý...ÿÿÿÿÿÿÿÿ
000002A0   00 00 00 04 00 00 00 01  00 03 00 50 00 00 00 00   ...........P....
000002B0   10 70 00 05 FC 00 00 01  FF FF FF FF FF FF FF FF   .p..ü...ÿÿÿÿÿÿÿÿ
000002C0   00 00 00 04 00 00 00 03  00 01 00 00 00 00 00 00   ................
000002D0   10 70 00 04 00 00 00 01  FF FF FF FF FF FF FF FF   .p......ÿÿÿÿÿÿÿÿ
RL_FOR_PACKAGE.img 3.41
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000200   00 00 00 03 00 00 00 02  00 01 00 00 00 00 00 00   ................
00000210   00 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000220   00 00 00 01 00 00 00 00  00 00 00 01 00 00 00 02   ................
00000230   00 00 00 08 00 05 00 00  00 00 00 00 00 00 00 00   ................
RL_FOR_PACKAGE.img 3.50
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000200   00 00 00 03 00 00 00 02  00 01 00 00 00 00 00 00   ................
00000210   00 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000220   00 00 00 01 00 00 00 00  00 00 00 01 00 00 00 02   ................
00000230   00 00 00 08 00 05 00 00  00 00 00 00 00 00 00 00   ................
CORE_OS_PACKAGE.pkg 3.15

Here is a piece of data from decrypted and decompressed package. 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 00 00 01 00 00 00 17  00 00 00 00 00 6F FF E0   .............oÿà
00000010   00 00 00 00 00 00 04 60  00 00 00 00 00 04 00 00   .......`........
00000020   63 72 65 73 65 72 76 65  64 5F 30 00 00 00 00 00   creserved_0.....
00000030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000040   00 00 00 00 00 04 04 60  00 00 00 00 00 00 00 08   .......`........
00000050   73 64 6B 5F 76 65 72 73  69 6F 6E 00 00 00 00 00   sdk_version.....
00000060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000070   00 00 00 00 00 04 04 80  00 00 00 00 00 01 E5 CC   .......€......åÌ
00000080   6C 76 31 6C 64 72 00 00  00 00 00 00 00 00 00 00   lv1ldr..........
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000A0   00 00 00 00 00 05 EA 80  00 00 00 00 00 01 6D A0   ......ê€......m 
000000B0   6C 76 32 6C 64 72 00 00  00 00 00 00 00 00 00 00   lv2ldr..........
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000D0   00 00 00 00 00 07 58 80  00 00 00 00 00 01 2E 44   ......X€.......D
000000E0   69 73 6F 6C 64 72 00 00  00 00 00 00 00 00 00 00   isoldr..........
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000100   00 00 00 00 00 08 87 00  00 00 00 00 00 01 DA E4   ......‡.......Úä
00000110   61 70 70 6C 64 72 00 00  00 00 00 00 00 00 00 00   appldr..........
00000120   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000130   00 00 00 00 00 0A 61 E4  00 00 00 00 00 00 FA CC   ......aä......úÌ
00000140   73 70 75 5F 70 6B 67 5F  72 76 6B 5F 76 65 72 69   spu_pkg_rvk_veri
00000150   66 69 65 72 2E 73 65 6C  66 00 00 00 00 00 00 00   fier.self.......
00000160   00 00 00 00 00 0B 5C B0  00 00 00 00 00 00 5C 94   ......\°......\”
00000170   73 70 75 5F 74 6F 6B 65  6E 5F 70 72 6F 63 65 73   spu_token_proces
00000180   73 6F 72 2E 73 65 6C 66  00 00 00 00 00 00 00 00   sor.self........
00000190   00 00 00 00 00 0B B9 44  00 00 00 00 00 00 65 D0   ......¹D......eÐ
000001A0   73 70 75 5F 75 74 6F 6B  65 6E 5F 70 72 6F 63 65   spu_utoken_proce
000001B0   73 73 6F 72 2E 73 65 6C  66 00 00 00 00 00 00 00   ssor.self.......
000001C0   00 00 00 00 00 0C 1F 14  00 00 00 00 00 01 53 2C   ..............S,
000001D0   73 63 5F 69 73 6F 2E 73  65 6C 66 00 00 00 00 00   sc_iso.self.....
000001E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001F0   00 00 00 00 00 0D 72 40  00 00 00 00 00 00 44 98   [email protected]˜
00000200   61 69 6D 5F 73 70 75 5F  6D 6F 64 75 6C 65 2E 73   aim_spu_module.s
00000210   65 6C 66 00 00 00 00 00  00 00 00 00 00 00 00 00   elf.............
00000220   00 00 00 00 00 0D B6 D8  00 00 00 00 00 00 D7 F0   ......¶Ø......×ð
00000230   73 70 70 5F 76 65 72 69  66 69 65 72 2E 73 65 6C   spp_verifier.sel
00000240   66 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   f...............
00000250   00 00 00 00 00 0E 8E C8  00 00 00 00 00 00 80 8C   ......ŽÈ......€Œ
00000260   6D 63 5F 69 73 6F 5F 73  70 75 5F 6D 6F 64 75 6C   mc_iso_spu_modul
00000270   65 2E 73 65 6C 66 00 00  00 00 00 00 00 00 00 00   e.self..........
00000280   00 00 00 00 00 0F 0F 54  00 00 00 00 00 00 88 B8   .......T......ˆ¸
00000290   6D 65 5F 69 73 6F 5F 73  70 75 5F 6D 6F 64 75 6C   me_iso_spu_modul
000002A0   65 2E 73 65 6C 66 00 00  00 00 00 00 00 00 00 00   e.self..........
000002B0   00 00 00 00 00 0F 98 0C  00 00 00 00 00 00 C0 78   ......˜.......Àx
000002C0   73 76 5F 69 73 6F 5F 73  70 75 5F 6D 6F 64 75 6C   sv_iso_spu_modul
000002D0   65 2E 73 65 6C 66 00 00  00 00 00 00 00 00 00 00   e.self..........
000002E0   00 00 00 00 00 10 58 84  00 00 00 00 00 00 5D B0   ......X„......]°
000002F0   73 62 5F 69 73 6F 5F 73  70 75 5F 6D 6F 64 75 6C   sb_iso_spu_modul
00000300   65 2E 73 65 6C 66 00 00  00 00 00 00 00 00 00 00   e.self..........
00000310   00 00 00 00 00 10 B6 34  00 00 00 00 00 00 22 A0   ......¶4......" 
00000320   64 65 66 61 75 6C 74 2E  73 70 70 00 00 00 00 00   default.spp.....
00000330   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000340   00 00 00 00 00 10 D9 00  00 00 00 00 00 12 B1 70   ......Ù.......±p
00000350   6C 76 31 2E 73 65 6C 66  00 00 00 00 00 00 00 00   lv1.self........
00000360   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000370   00 00 00 00 00 23 8A 80  00 00 00 00 00 03 E8 28   .....#Š€......è(
00000380   6C 76 30 00 00 00 00 00  00 00 00 00 00 00 00 00   lv0.............
00000390   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000003A0   00 00 00 00 00 27 72 A8  00 00 00 00 00 16 EE B8   .....'r¨......î¸
000003B0   6C 76 32 5F 6B 65 72 6E  65 6C 2E 73 65 6C 66 00   lv2_kernel.self.
000003C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000003D0   00 00 00 00 00 3E 61 60  00 00 00 00 00 07 0F 94   .....>a`.......”
000003E0   65 75 72 75 73 5F 66 77  2E 62 69 6E 00 00 00 00   eurus_fw.bin....
000003F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000400   00 00 00 00 00 45 70 F4  00 00 00 00 00 07 FC 48   .....Epô......üH
00000410   65 6D 65 72 5F 69 6E 69  74 2E 73 65 6C 66 00 00   emer_init.self..
00000420   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000430   00 00 00 00 00 4D 6D 3C  00 00 00 00 00 06 16 00   .....Mm<........
00000440   68 64 64 5F 63 6F 70 79  2E 73 65 6C 66 00 00 00   hdd_copy.self...
00000450   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

00040460   33 31 35 2E 30 30 30 0A  00 00 00 00 00 00 00 00   315.000.........
00040470   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
BDIT_FIRMWARE_PACKAGE.pkg 3.50

Here is a piece of data from decrypted package. 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000300   43 6F 70 79 72 69 67 68  74 28 43 29 20 32 30 30   Copyright(C) 200
00000310   35 2D 32 30 30 36 2C 20  53 6F 6E 79 20 43 6F 6D   5-2006, Sony Com
00000320   70 75 74 65 72 20 45 6E  74 65 72 74 61 69 6E 6D   puter Entertainm
00000330   65 6E 74 20 49 6E 63 2E  1A 00 00 00 00 00 00 00   ent Inc.........
00000340   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000350   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000360   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000370   41 96 18 D3 2D 8F 0F 68  11 4D A7 09 E4 1F A7 6F   A–.Ó-.h.M§.ä.§o
00000380   EF 29 48 A0 E9 F2 A8 F0  CC 4B F3 4D E0 4A B0 17   ï)H éò¨ðÌKóMàJ°.
00000390   C2 DA 07 5F 96 B3 C8 8D  E1 06 2E 3A 1D A7 FD 20   ÂÚ._–³Èá..:.§ý
BDPT_FIRMWARE_PACKAGE_301R.pkg 3.50

Here is a piece of data from decrypted package. 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000300   43 6F 70 79 72 69 67 68  74 28 43 29 20 32 30 30   Copyright(C) 200
00000310   35 2D 32 30 30 39 2C 20  53 6F 6E 79 20 43 6F 6D   5-2009, Sony Com
00000320   70 75 74 65 72 20 45 6E  74 65 72 74 61 69 6E 6D   puter Entertainm
00000330   65 6E 74 20 49 6E 63 2E  1A 00 00 00 00 00 00 00   ent Inc.........
00000340   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000350   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000360   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000370   80 18 D2 E4 22 AA 2B D7  85 47 F4 40 53 9A 04 0C   €.Òä"ª+×…Gô@Sš..
00000380   D0 B8 A5 04 20 51 9E 90  09 4F 2E 78 BA 32 C0 EA   и¥. Qž.O.xº2Àê
00000390   E9 61 96 ED D8 2A 70 C0  59 68 4E B2 47 25 9C 97   éa–íØ*pÀYhN²G%œ—
BLUETOOTH_FIRMWARE.pkg 3.41
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   52 43 32 39 5F 66 69 72  6D 77 61 72 65 5F 66 6F   RC29_firmware_fo
00000010   6F 74 65 72 2E 64 66 75  00 00 00 00 00 00 00 00   oter.dfu........
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000060   00 00 00 00 30 30 30 30  36 34 34 00 30 30 30 30   ....0000644.0000
00000070   30 30 30 00 30 30 30 30  30 30 30 00 30 30 30 30   000.0000000.0000
00000080   31 35 36 36 33 30 30 00  31 31 30 36 34 33 34 36   1566300.11064346
00000090   33 30 36 00 30 31 35 34  36 33 00 20 30 00 00 00   306.015463. 0...
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000100   00 75 73 74 61 72 20 20  00 72 6F 6F 74 00 00 00   .ustar  .root...
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000120   00 00 00 00 00 00 00 00  00 72 6F 6F 74 00 00 00   .........root...
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000140   00 00 00 00 00 00 00 00  00 30 30 30 30 30 30 30   .........0000000
00000150   00 30 30 30 30 30 30 30  00 00 00 00 00 00 00 00   .0000000........


000A5950   84 1B 00 C0 94 04 00 00  74 06 00 00 45 75 72 75   „..À”...t...Euru
000A5960   73 5F 50 72 69 6D 61 72  79 5F 50 68 79 00 00 00   s_Primary_Phy...
000A5970   4D 61 72 76 65 6C 6C 5F  41 50 00 00 94 BB 01 C0   Marvell_AP..”».À


000B7CC0   00 00 00 00 01 10 60 23  4D 61 72 76 65 6C 6C 20   ......`#Marvell 
000B7CD0   46 69 72 6D 77 61 72 65  20 53 44 4B 20 56 65 72   Firmware SDK Ver
000B7CE0   73 69 6F 6E 20 32 2E 33  2E 30 54 74 5D 04 02 2B   sion 2.3.0Tt]..+
000B7CF0   0F 14 E1 36 04 32 0A 1A  FD 08 32 1A 1A C1 08 02   ..á6.2..ý.2..Á..


000F42B0   44 6F 53 68 61 72 65 64  4B 65 79 53 65 71 31 3A   DoSharedKeySeq1:
000F42C0   20 45 6E 74 65 72 65 64  20 2D 2D 2D 20 72 73 70    Entered --- rsp
000F42D0   4D 61 63 20 3D 20 25 30  32 78 3A 25 30 32 78 3A   Mac = %02x:%02x:
000F42E0   25 30 32 78 3A 25 30 32  78 3A 25 30 32 78 3A 25   %02x:%02x:%02x:%
000F42F0   30 32 78 0A 00 00 00 00  6D 6C 6D 65 41 75 74 68   02x.....mlmeAuth
000F4300   44 6F 53 68 61 72 65 64  4B 65 79 53 65 71 31 3A   DoSharedKeySeq1:
000F4310   20 56 61 6C 69 64 61 74  69 6F 6E 20 66 61 69 6C    Validation fail
000F4320   65 64 20 2D 2D 2D 20 72  73 70 4D 61 63 20 3D 20   ed --- rspMac = 
000F4330   25 30 32 78 3A 25 30 32  78 3A 25 30 32 78 0A 00   %02x:%02x:%02x..
000F4340   6D 6C 6D 65 41 75 74 68  44 6F 53 68 61 72 65 64   mlmeAuthDoShared
000F4350   4B 65 79 53 65 71 33 3A  20 76 61 6C 69 64 61 74   KeySeq3: validat
000F4360   69 6F 6E 20 66 61 69 6C  65 64 21 20 2D 2D 2D 20   ion failed! --- 
000F4370   72 73 70 4D 61 63 20 3D  20 25 30 32 78 3A 25 30   rspMac = %02x:%0
000F4380   32 78 3A 25 30 32 78 0A  00 65 65 70 72 6F 6D 00   2x:%02x..eeprom.
000F4390   62 74 5F 68 63 69 00 62  74 5F 75 61 72 74 00 75   bt_hci.bt_uart.u
000F43A0   73 62 30 00 75 73 62 31  00 4F 53 41 00 77 6C 61   sb0.usb1.OSA.wla
000F43B0   F3 B8 E9 70 01 00 00 00  1C 6B 03 00 00 02 00 00   ó¸ép.....k......
SYS_CON_FIRMWARE_01050101.pkg 3.41
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000300   1B 2D 70 0F AB 5E B3 99  68 20 FE 3D E1 80 6A 1D   .-p.«^³™h þ=á€j.
00000310   B8 FD 37 CF CD 45 85 AB  51 F7 05 E3 EA 32 A5 EA   ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000320   67 45 F9 48 00 00 00 00  00 10 00 00 C0 0F 00 00   gEùH........À...
00000330   8B 04 07 F9 9B A2 90 3A  75 89 F1 42 12 59 DA 0D   ‹..ù›¢:u‰ñB.YÚ.
00000340   21 7C A2 C3 5A E4 78 00  10 8D 4B F7 A2 73 9C 63   !|¢ÃZäx..K÷¢sœc
00000350   5D 8D 5D 49 16 C7 6F 2C  AD 33 FE 1F D3 6C A1 CA   ]]I.Ço,­3þ.Ól¡Ê
00000360   BA AD 2B FE 8F 33 71 D7  C5 E6 5C FF BF 77 6C 80   º­+þ3q×Åæ\ÿ¿wl€
00000370   F2 BE 11 BB 3C 52 52 DC  A9 68 E5 24 AD 4F F3 48   ò¾.»<RRÜ©hå$­OóH

0x6005 - Extract Package Tophalf

  • The result of the request can be checked by reading the value of repository node ss.extract.request.<Request ID> periodically

0x600B - Read EEPROM

  • I have got read access to EEPROM of Update Manager through DM and tested it with PSGroove
  • I read PRODUCT_MODE from it successfully, PRODUCT_MODE = 0x000000FF
  • The service expects one additional parameter: offset (4 bytes)
  • The service accepts only some predefined offsets
  • The service returns the specified offset and the value at this offset

EEPROM Offset Table

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

--> EEPROM Offset Table

0x600C - Write EEPROM

  • Writting to EEPROM of Update Manager is also possible through DM
  • Tested this service successfully with QA flag

0x6010 - Check Integrity

  • This service checks integrity of important files stored on /dev/rflash1, e.g. lv0 or lv1
  • The service is used e.g. by System Manager
  • When product mode is NOT 0xFF then check is skipped !!!
    • This check is patched to always skip, with 'nocheck' downgrader patches

0x6011 - Get Applicable Version

  • I have got access to this service through DM and PSGroove and tested it
  • The service expects one additional unknown parameter of size 4 bytes, it has to be 0x00000001 or else the service fails
    (sc863(0x6011,1,out:uint64_t,0,0,0,0,0))

Here is the return value: 

00 00 00 01 00 00 00 00 00 03 00 20 00 00 00 00 00 00 00 00 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01

BD Firmware Update

  • Update Manager in HV Process 6 updates BD firmware through ATAPI Interface of /dev/rbd0 device.
  • BD firmware is sent to BD drive by using ATAPI Write Buffer (0x3B) command with Mode 0x07 (Download microcode with offsets and save) and Buffer ID 0x00.
  • The current BD drive firmware version and hash is also stored by and retrieved from SYSCON by using SC Manager Get/Set Region Data (0x9006/0x9007) service. After successfull BD firmware update, Update Manager sends the new firmware version and hash to SYSCON.
  • BD firmware package is decrypted, SCE header size + 0x80 bytes are skipped and data beginning with copyright message is sent to BD drive.
  • BD firmware is sent packet wise, one packet is at most 0x8000 bytes.
  • After each sent packet, Update Manager checks the result by using ATAPI Request Sense (0x3) command.
  • Theoretically, BD firmware update can be done also from GameOS by using ATAPI interface of the BD drive.

Detecting BD Drive Type, Generation and Revision

  • To detect BD drive type, Update Manager uses ATAPI Inquiry command.
  • To detect BD drive generation, Update Manager uses ATAPI Mode Sense 10 command.
BD Drive Type Table

Here is the BD Drive Type Table extracted from HV Process 6 (3.15) / ss_server1.fself :

Index Vendor Identification String Drive Type
0 
"SONY    EmerFlashROM"
 0x2100000000000001
1 
"SONY    PS-EMBOOT   300R"
 0x2100000000000001
2 
"SONY    BDRW AQUAM(BDIT)"
 0x1100000000000001
3 
"SONY    PS-SYSTEM   300R"
 0x1100000000000001
4 
"SONY    PS-SYSTEM   V300"
 0x1100000000000001
5 
"SCEI    EMER-FLASH-8"
 0x2200000000000002
6 
"SONY    PS-EMBOOT   301R"
 0x2200000000000002
7 
"SONY    PS-SYSTEM   301R"
 0x1200000000000002
8 
"SONY    PS-EMBOOT   302R"
 0x2200000000000003
9 
"SONY    PS-SYSTEM   302R"
 0x1200000000000003
10 
"SONY    PS-EMBOOT   303R"
 0x2200000000000004
11 
"SONY    PS-SYSTEM   303R"
 0x1200000000000004
12 
"SONY    PS-EMBOOT   304R"
 0x2200000000000005
13 
"SONY    PS-SYSTEM   304R"
 0x1200000000000005
14 
"SONY    PS-EMBOOT   306R"
 0x2200000000000007
15 
"SONY    PS-SYSTEM   306R"
 0x1200000000000007
16 
"SONY    PS-EMBOOT   308R"
 0x2200000000000008
17 
"SONY    PS-SYSTEM   308R"
 0x1200000000000008
18 
"SONY    PS-EMBOOT   310R"
 0x2200000000000009
19 
"SONY    PS-SYSTEM   310R"
 0x1200000000000009
20 
"SONY    PS-EMBOOT   312R"
 0x220000000000000A
21 
"SONY    PS-SYSTEM   312R"
 0x120000000000000A
22 
"SONY    PS-EMBOOT   314R"
 0x220000000000000B
23 
"SONY    PS-SYSTEM   314R"
 0x120000000000000B

Methods (HV Process 6)

update_manager_update_bd_firmware - 0x800064BC (3.15)

bd_updater_prepare_drive - 0x80011A88 (3.15)

bd_updater_send_firmware - 0x80011544 (3.15)

bd_updater_disable_reqsense - 0x80010410 (3.15)

bd_updater_enable_reqsense - 0x800104D8 (3.15)

send_atp_command - 0x80023B10 (3.15)

Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Update_Manager&oldid=24161"