131w ago - A few days ago we
reported on
graf_chokolo's progress in decrypting PS3 Firmware 3.50, and today he has made available to the PlayStation 3 Wiki (linked above) his PS3 hypervisor reverse-engineering work to date, as follows:
HSPRG
The hypervisor stores a pointer to some structure per LPAR in HSPRG0 register. There are actually 2 HSPRG0 values: one for each thread of Cell CPU !!! There is a HSPRG0 array at 0x8(-0x69A0(HSPRG0)) + 0x20.
LPAR
LPAR = Logical Partition
lpar1 starts at 0x(unknown), and its believed to be the memory space wherre lv1 stores its variables, flags and other data.
lpar2 starts at 0x80000000000 and it's believed to be the memory space where lv2 stores its variables, flags and other data.
The pointer to active LPAR is stored at -0x67E8(HSPRG0).
vtable
0x0033CA40 (3.15)
Member variables
offset 0x38 - some pointer
offset 0x50 - LPAR id (8 bytes)
offset 0x70 - pointer to VAS id bitmap
offset 0x78 - power of 2 of word size from VAS id bitmap (4 bytes), equal to 6
offset 0x7C - number of 64-bit words in VAS id bitmap(4 bytes)
Interrupt handling
The pointer to the interrupt handler that is called e.g. when an external interrupt occurs is at -0x69F0(HSPRG0).
0x00001930 (3.15 and 2.60)
Interrupt vector tables
There are 2 interrupt vector tables. One for each thread. The pointer to these tables is at -0x6950(HSPRG0).
offset 0x8 - IIC memory base address (8 bytes)
offset 0x10 - thread register offset (8 bytes)
offset 0x18 - start of interrupt vector table (19 entries, each entry 32 bytes)
Interrupt vector table entry
offset 0x0 - pointer to interrupt handler
offset 0x8 - TOC
offset 0x10 - 0
offset 0x18 - parameter to interrupt handler
Interrupt handlers
Spurious interrupt handler
0x002BC174 (3.15)
RSX
0x00219A44 (3.15)
0x002176FC (2.60)
SB bus
0x002B9CC4 (3.15)
I/O address translation
0x002CD7D8 (3.15)
0x002C9214 (2.60)
Performance monitor
0x002F0584 (3.15)
0x002EB1B0 (2.60)
Token manager
0x002BBA9C (3.15)
0x002B754C (2.60)
HV call
The address of HV table is stored at -0x6FC8(HSPRG0).
The address of HV table size is stored at -0x6FD0(HSPRG0).
Continue reading the PS3 Hypervisor Reverse Engineering Progress
HERE.
hi dude
my ps3 is 320G. cech 3004B. base version 4.10 but now update to 4.41
can i downgrade and hack it
if yes how can i do that plz
thx...
It just facinates me how the playstation reads binary and this is going to help us unlock everything soon we will be changing the dashboard and having the ability to run anything on this godly device.
This is just sticking our foot in the door of the ps3 though, a tank is around the corner coming to help out though.
So, is all this leading towards a FW 3.50 jailbreak, or just the ability to downgrade? I'm pretty much up to either one. But... being able to modify the XMB and make custom FW would be sooo cool.