  1. #1
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,849
    Post PS3 Hypervisor and Bootstrap lv0/lv1 Examined, Offload Available

    Today we have some news from Spanish PS3 developer DemonHades (linked above) of their ongoing PS3 Hypervisor and Bootstrap lv0/lv1 examination, and news of [Register or Login to view links]'s Offload: Community Edition which is now available free for Cell Broadband Engine devices.

    To quote: "The Offload tool suite provides the Offload tool as well as a full Windows based GCC SDK, enabling the easy offloading of code to the SPUs on the Cell Broadband Engine.

    It also includes integration with a Cell Broadband Engine enhanced Eclipse CDT, and the Offload Player Debugger, for executing and debugging code on the target Cell Broadband Engine hardware. Offload: Community Edition is free to use for academic research and commercial projects, subject to licensing conditions."

    Below are DemonHades' PS3 Hypervisor and Bootstrap Dump lv0/lv1 examination findings thus far, roughly translated via Google. If anyone who is fluent in Spanish can add to it, feel free to do so below!

    Those who follow our community and this study will already know the hypervisor and the bootstrap, but for newcomers who want to know about the security features of the PS3, and how it is protected and managed by the hypervisor (hardware manager), I believe this list makes interesting reading.

    So I leave here the hypervisor dump that I have been going through, published so that together we can make a good background paper on the hypervisor and the bootstrap.

    Here you will be added all the features you get in a list, if you see that are already discussed here, and exposed them to not only need to copy them from your valleys and fast

    Dictionary of Terms

    BE --> Broadband Engine (Cell processor)
    RSX --> NVIDIA graphics chip of the PlayStation 3
    SB --> SouthBridge
    SS2 --> StarShip 2 Northbridge
    LPAR --> Logical partition
    flh --> Flash memory
    lx --> Linux OS
    xmb --> Front end of the Game_OS
    Otheros --> Partition for the guest OS
    spu --> Support processors for the central processor
    ppu --> Central processing unit
    lv --> Level
    ldr --> Loader
    pkg --> Package (data container)

    Layout Ram Privilege

    TABLE OF PARTITIONS



    Colors representing the number of the partition

    1. Not yet defined (temporary)

    2. ---> LPAR_PS3
    10200000030000010000000000000001

    3. Not yet defined (temporary)

    4. Not yet defined (temporary)

    5. ---> LPAR_Linux
    10800000040000010000000000000003

    6. Not yet defined (temporary)

    COPY OF CORE_OS FROM THE INTERNAL NAND FLASH

    This RAM content belongs to a copy of the partition that is on the NAND flash; it seems to be copied to RAM encrypted and decrypted right there.

    Description of the Binary

    asecure_loader

    Better known as METLDR, this is the first loader in the decryption chain. It is loaded into the isolated SPU, where it decrypts the master key in order to decrypt the keys and extract the following loaders (ldr1, lv1, ldr2, LV2).

    spu_pkg_rvk_verifier.self

    Verifier for the certificate revocation list.

    spu_token_processor.self

    Not yet defined

    spu_utoken_processor.self

    Not yet defined

    sc_iso.self

    This seems to be the system calls of Lv0.

    aim_spu_module.self

    Not yet defined

    spp_verifier.self

    SPP verifier, allegedly responsible for verifying and validating that it has not been tampered with.

    mc_iso_spu_module.self

    Not yet defined

    me_iso_spu_module.self

    Not yet defined

    sv_iso_spu_module.self

    Not yet defined

    sb_iso_spu_module.self

    Southbridge code image

    default.spp

    Default factory settings, reset factory settings.

    lv1.self

    Known as the hypervisor, it is the manager of the hardware and the LPARs, and controls all access to the hardware from the different LPARs.

    lv2_kernel.self

    Known as the Supervisor, it is the kernel and software manager. It runs in PS3_LPAR and is responsible for managing all software, firmware and communications with the hypervisor.

    eurus_fw.bin

    Firmware version and configuration data related to this region.

    emer_init.self

    This would be something like the emergency init; we may think that it is the recovery ... but it is too early to take that for granted.

    creserved_0

    Not yet defined

    Position of Internal Self Belonging to Core_OS

    0x20000 [E03D1478BEEF49B2020EA7687E15C4068EBF9866]
    0x37000 [35BC85F1AFD3FCD0C7A70E602C82E49F594DAA31]
    0x55000 [00B84C6ECC4A9374588A710D527F07794263C659]
    0xA19A0 [without hash and decryption]
    0xAA410 [without hash and decryption]
    0x1624BC [46CFAE517AB1ADD239E705ACBB663CF6E551A194]
    0x35E100 [hash but this does not bring this figure]
    0x369720 [without hash and decryption]
    0x6C25B4 [46CFAE517AB1ADD239E705ACBB663CF6E551A194]
    0x6C5ED4 [encryption but without hash]
    0x6D5470 [encryption but without hash]

    REFERENCES TO FACTORY SIGNED ELF

    ss_init.fself
    ss_server1.fself
    ss_server2.fself
    ss_server3.fself
    sysmgr_ss.fself
    updater_frontend.fself
    factory.fself

    COMMUNICATION WITH THE KERNEL LV2

    load_lv2:
    load_gos
    load_profile
    load_additional_policy:
    load_internal_policy:

    gsboot: load_lv2: filename:% s
    gsboot: load_lv2: lpar_id: laid% d:% d
    SLL: Failde fileloader load:% d
    SLL: mmap orig size:% lu
    SLL: mmap start address:% lu
    SLL: mmap size:% lu
    SLL: mmap Failde:% d
    SLL: mmap to% p
    SLL: auth_lv2 called
    SLL: auth_lv2 fail:% d
    SLL: unmmap EA:% p munmap:% d
    SLL: deleting laid lpar_auth_id remove node: status =% d error
    SLL: setting ss lpar_auth_id create node: status =% d error
    FL: release_buffer for allocate_memory
    FL: munmap:% d
    FL: Release:% d addr:% p
    SLL: main memory size:% lu:% lu memory segment construct: error status =% d allocated lpar:% d address:% p
    FL: mmap size:% lu
    FL: mmap Failde:% d
    FL: mmap to% p / rmt / local_sys0 / flh .. / / / /.
    FL: vfs open error:% d: toolong
    FL: vfs open error:% d: errno:% d
    FL: vfs size error:% d
    FL: lseek fail, and close fail: fd:% d SL: allocate fail: size (% d)
    FL: close fail: fd:% d
    FL: vfs seek error:% d
    FL: vfs size error:% d
    FL: size error:% d% d
    FL: file loaded:% d
    FL: init err conf_mgr
    offset:% d size:% d
    FL: read error:% d / flh / os / SL: signal: stop and signal problem area:% p SPU state:% lu stop code =% u SL: signal: handler_end *

    map data buffer: / proc / partitions /% d / mem could not open file ...(% s) mapped address:% p mmap failed: errno =% d close error:% d

    SL: signal: spu timeout signal has arrived ----- ----- SL: timeout_handler: disable

    auth_lv2
    auth_sv
    auth_disc_hdd

    REFERENCES TO SPU

    spu_filename:% s
    spu_fir (0x
    spu_fir_error_mask (0x
    spu_fir_checkstop_enable (0x

    *** Dump regs fir spu ***
    spu_fir 0x
    spu_fir_error_mask 0x
    spu_fir_checkstop_enable 0x

    *** [DETECT] unit: spu

    *** [DETECT HW Error] unit: global fir, cause: CheckStop ***
    ras_checkstop_fir 0x

    *** [DETECT HW Error] unit: global fir, cause: recoverable ***
    ras_recoverable_fir 0x
    ras_fir_enable_mask 0x

    *** Dump regs fir global ***
    ras_lerr_counter_stat 0x

    *** Dump regs fir biu ***
    biu_fir 0x
    biu_fir_error_mask 0x
    biu_fir_checkstop_enable 0x

    *** [DETECT] unit: biu ***

    *** Dump regs fir l2 ***

    l2_fir 0x
    l2_fir_error_mask 0x
    l2_fir_checkstop_enable 0x
    l2_mode_setup1 0x

    *** [DETECT] unit: l2 ***

    *** Dump regs fir ioc ***

    ioc_fir 0x
    ioc_fir_error_mask 0x
    ioc_fir_checkstop_enable 0x
    bic_if0thr 0x
    bic_if1thr 0x
    bic_if0ccnt 0x
    bic_if1ccnt 0x

    *** [DETECT] unit: ioc ***
    bic_if0rcnt 0x
    bic_if1rcnt 0x

    *** Dump regs fir mic ***
    mic_fir0 0x
    mic_fir1 0x

    *** [DETECT] unit: mic ***

    *** Dump regs fir ciu ***

    ciu_fir 0x
    ciu_fir_error_mask 0x
    ciu_fir_checkstop_enable (0x

    *** [DETECT] unit: ciu ***
    sys.lv1.be_ras

    [HVL]

    sys.hvlog.size

    SPE hang is detected: GUID UNKNOWN construction of SPU NPC VPU management failed
    pmi_set_guest_os_mode (): already called
    pmi_set_guest_os_mode (): wrong gos_mode

    sys.lv1.dump_mmioplat.id

    [PANIC]
    Can not get loader parameter =
    sys.flash.fmt
    sys.tmp_storage.size
    spider.gbe0.macaddr.1
    spider.gbe0.macaddr.2
    spider.gbe0.macaddr.3
    sys.debug.device
    rsx.rdcy.3
    rsx.rdcy.4
    rsx.rdcy.5
    rsx.rdcy.6
    rsx.rdcy.7
    rsx.rdcy.8
    sys.lv1.iosysenableios.net.eurus.lpar
    sys.hw.config_version
    sys.hw.model_emulate
    be.0.nclk
    be.0.ioif0.addrlv1.heap.check

    [Warnig]

    The allocation size from the heap () Exceeds bytes: 0x [lp = lc.allow.large_id [lc =, lp :
    sys.dbgcard.dgbe
    sys.lc.polling.time
    physical_console_0
    hypervisor_console
    EIC driver initialization failed
    FAIL: construction of a SPU objs
    FAIL: Loader parameter 'be.0.spu.faultbm' is required.sys.cellos.spu.configure
    FAIL: Lv-1 does not support system more than SPEs 2.SPE = (unit_id =, = resv_id, normal, system

    BROADBAND ENGINE

    be.0.lpm.lpar
    be .. clock.
    be .. ioifn.
    be .. ioif.addr
    be.0.bp_base
    be.0.fir.l2_ee
    be.0.fir.l2_em
    be.0.fir.biu_ee
    be.0.fir.biu_em
    be.0.fir.ciu_ee
    be.0.fir.ciu_em
    be.0.fir.mic_f0
    be.0.fir.mic_f1
    be.0.fir.ioc_em
    be.0.fir.ioc_ee
    be.0.fir.ras_ee
    be.0.fir.spu0_ee
    be.0.fir.spu0_em
    be.0.fir.spu1_ee
    be.0.fir.spu1_em
    be.0.fir.spu2_ee
    be.0.fir.spu2_em
    be.0.fir.spu3_em
    be.0.fir.spu3_ee
    be.0.fir.spu4_em
    be.0.fir.spu4_ee
    be.0.fir.spu5_em
    be.0.fir.spu5_ee
    be.0.fir.spu6_em
    be.0.fir.spu6_ee
    be.0.fir.spu7_em
    be.0.fir.spu7_ee
    be.0.ioif1.addr
    be.0.ioif0.addr.lv1.heap.check
    be.0.lpm.priv
    be.0.nclk
    be.0.ref_clk
    be.0.spu.faultbm
    be.0.tb_clk
    betb_clk
    beclock
    benclk
    beioifn
    beioifaddr
    beioifaddr

    REFERENCES TO SPP



    REFERENCES TO THE DATA BUS

    busnum_dev
    busdevregtype
    busdevregdata
    busdevintr
    BusID
    busnum_dev
    BusID
    Bustype
    busdevintr
    busdevmeddling
    busdevregion
    busdevn_regs
    busdevtype
    busdevintr
    busdevblk_size
    busdevn_blocks
    busdevport
    busdevmeddling
    busdevregionid
    busdevregionstart
    busdevregionsize
    busdevregioncrypto
    busdevn_regs

    REFERENCES SYSTEM CALLS

    sc_iso.self
    sc_iso_factory.self
    sc_binary_patch:
    sc_core:
    sc_sendrecv:
    sc_proxy_if: sendrecv
    sc_proxy_if: sendrecv:
    sc_proxy:: open
    sc_proxy:: write
    sc_proxy_if: sendrecv:
    sc_proxy:: close
    sc_proxy:: read
    sc_proxy:: close
    sc_proxy:: write:
    sc_proxy:: open:
    sc_manager
    sc_timer
    sc_tc
    sc_rc
    sc0
    sc1
    sc_version
    sc_status
    sc
    sc_updater::
    sc_type
    sc_decrypt
    sc_encrypt
    sc_manager_if: restore_root_info
    sc_manager_if: backup_root_info
    sc_get_srh
    sc_set_srh
    sc_is_init_vtrm
    sc_init_for_vtrm
    sc_manager: init_for_vtrm

    REFERENCES SYSTEM MANAGER CALLS

    scm_correct_rtc_factory:
    scm_set_rtc_factory:
    scm_sc_binary_patch:
    scm_set_sc_status:
    scm_init_for_updater:
    scm_set_rtc:
    scm_init_for_vtrm:
    scm_set_srh:
    scm_restore_root_info:
    scm_backup_root_info:
    scm_correct_rtc_factory:
    scm_set_rtc_factory:
    scm_sc_binary_patch:
    scm_set_sc_status:
    scm_get_sc_status:
    scm_get_property:
    scm_init_for_updater:
    scm_set_rtc:
    scm_set_time:
    scm_get_time:
    scm_set_region_data:
    scm_get_region_data:
    scm_init_for_vtrm:
    scm_backup_root_info:
    scm_set_time:
    scm_set_region_data:
    scm_get_region_data:
    scm_get_srh:
    scm_decrypt:
    scm_encrypt:
    scm_get_sc_status:
    scm_get_property:

    REFERENCES TO SYSTEM SETTINGS

    ss_dispatcher:: terminate
    ss_dispatcher:: loop
    ss_dispatcher: loop_once
    ss_dispatcher:: initialize
    ss_packet: send_receive
    ss_packet: process_async
    ss_packet: process_received
    ss_packet: accept_reply
    ss_init_repository: get_node_value:
    ss_init_repository: create_node:

    ss_init.fself
    ss_server1.fself
    ss_server2.fself
    ss_server3.fself
    ss_init_if: notify_failure
    ss_init_if: notify_ready
    ss_responder:: terminate
    ss_responder:: initialize (this in Spanish!)
    ss_responder: loop_once
    ss_packet: send_receive
    ss_packet: process_async
    ss_packet: process_received

    ss_packet: accept_reply
    ss_init_repository: get_node_value:
    ss_init_repository: create_node:

    REFERENCES TO CERTIFICATE REVOCATION LIST

    spu_pkg_rvk_verifier.self
    certified_file_verifier: SIGSPUMB caught (not desired)
    certified_file_verifier: plain_src_addr = 0x% llx, plain_size = 0x% llx, 0x% llx enc_size =
    certified_file_verifier: prepare_args failure
    certified_file_verifier:: load_module () failure:% d
    certified_file_verifier: request_loading_spu_module () failure
    cerfified_file_verifier: request_loading_spu_module () success
    certified_file_verifier: SIGSPUTIMEOUT caught (not desired)
    certified_file_verifier: SIGSPUERR caught (not desired)
    certified_file_verifier: SIGSPUDMA caught (not desired)
    certified_file_verifier: SIGSPUMB msg = 0x% x
    certified_file_verifier: SIGSPUMB read PUINTMB failure
    certified_file_verifier: SIGSPUSTOP_SL received
    certified_file_verifier:: status = 0x% x
    certified_file_verifier: stop_code = 0x% x
    certified_file_verifier: SIGSPUSTOP received

    REFERENCES TO THE BLURAY READER

    Identifiers of the BluRay disc in the reader

    HW: auth sv ret:% d
    HW: emu disc auth:% d
    HW: disc auth API emu
    HW: param error:% d
    HW: disc mode% d
    HW: test unit ready ret:% d code:% lx
    HW: test unit 0x% 08x req sense
    HW: read disc structure ret:% d code:% lx
    HW: inquiry ret% d result% d
    HW: inquiry:% s:% s
    HW: FW not supported failed Success
    HW: sendign security command for check drive auth retry: ret =% d
    HW: get vesion
    HW: I dec block: index% size% llu llu
    HW: I auth header: size% llu
    HW: mc: ret% d
    HW: mc:% p% p% p
    HW: ps3 disc new API change
    HW: ps3 disc profile param% d:% 08X
    HW: not ps3 disc
    HW: size:% d mode:% d
    HW: hdd ps3 game new auth API
    HW: not ps3 disc, set policy HDD auth fail: recover ..
    HW: save disc id for HDD
    HW: ps3 disc new auth API
    HW: single layer bd ps3
    HW: multi layer ps3 bd
    HW: ps3 dvd
    HW: save disc id
    HW: ps2 disc auth
    HW: not ps2 disc
    HW: drive auth:% d
    HW: Check device file:
    HW: drive interface is busy.drive interface open failed
    HW: not ready, clean key
    HW: ret% d
    HW: not ready for auth key clean
    HW: encdec / param ata: 0x% lx
    HW: set key for disable ata encdec ret:% d
    HW: set key for enable ata encdec ret:% d
    SB: atagpest% lx
    HW: send clear ret:% d result:% p
    PS-SYSTEM
    PS-SPECIAL
    incorrect header check
    unknown compression method
    invalid window size
    unknown header flags set
    header crc mismatch
    invalid block type
    invalid stored block lengths
    too many length or distance symbols
    invalid code lengths set
    invalid bit length repeat
    invalid literal/lengths set
    invalid distances set
    invalid literal/length code
    invalid distance code
    invalid distance too far back
    incorrect data check
    incorrect length check

    Physical integrity checks on the reader

    bd_updater: check_cmd_result ()
    bd_updater: check_cmd_result (): result_code = 0x% llx
    bd_updater: detect_need_eject (): type =% d, revision =% d, need_eject = true
    BDVD: Drive Not Ready Timeout
    Initiation BluRay Reader
    BDVD result: 0x drive: request complete tag:
    device:: encdec. start device ID:
    SYSTEM CLOCK Fail: Set: Encdec device ERROR:: initialize end: Seqence KSET Encdec ioctl cmd:
    ENCDEC TransLparAddrToSbAddr invalid address
    usrbuf request lpar
    dscbuf request lpar
    req size: 0x
    invalid addr ba?:
    invalid addr ba?:
    ENCDEC EdecXTS3 TransLparAddrToSbAddr invalid address
    EdecSS start.
    EdecSS end. Kicked DMA
    EdecKgen1 start.
    EdecKgen1 end.
    EdecKset start.
    EdecKset end.
    EdecKgen2 start.
    EdecKgen2 end.
    EdecKgenFlash.
    Encdec decsec.
    EdecKset OK.
    EdecKset NG.

    Found EncDec Test Mode Interrupt Reason:
    Encdec timeout
    handler called
    OR SetStgSsDbufEncdec ENC DEC:
    SetStgReadDesc lbn:
    OR SetStgSsEncdec ENC DEC:
    InitializeENCDEC Start.
    Fail address ENCDEC TransSbAddrToPhyAddr search
    Fail TransSbAddrToPhyAddr get ENCDEC address 0x:

    References to BluRay Reader Spansion flash

    TP Spansion memory shortage
    TEST: End.
    TEST: Read lsn: 0x SS2 status: 0x
    TEST: Current Read: 0x
    FLASH Memory complete: lsn: 0x
    TEST: Start.

    Starship Reset Error: ERROR StarShip
    unknown scenario:
    stage:
    exec proto:
    SWResetPtcl
    SS2 HW Reset ERROR: 0x
    SSTransfer Start. Protcol:
    IN PIO SSTransfer
    PIO SSTransfer OUT
    DMA SSTransfer
    SSTransfer End.
    SSOperation cmd:
    Flash Chip Not Found

    REFERENCES TO INTERRUPTS

    # # # Dump interrupts # # #

    TIRCS 0x
    Tirdad 0x
    TIREMSKA 0x
    TIREMSKB 0x
    TIRPIEN 0x
    TIRPNDA 0x
    TIRPNDB 0x
    TIRPPNDA 0x
    TIRPPNDB 0x
    TIRCFGA [] 0x

    TIRCFGB [can not get GBUSC forward region 3]

    PIO registers Dump
    Piodão's 0x
    piodi 0x
    Pioda 0x
    piood 0x
    pioaen 0x
    pioactl 0x
    pioco 0x

    sys.hw.config

    REFERENCES TO SOUTHBRIDGE

    # # # # SB DEVICE # # # #
    # Controller_id:
    # Ioid: 0x
    # Bus_master_id: 0x
    # Base_io_segment: 0x
    # Sb_master_transaction_base_address_: 0x

    SYSTEM

    sys.lv0.address
    sys.lv0.revision
    sys.lv0.size
    sys.lv0.version
    sys.lv1.large_pciex
    sys.lv1.rsxenable
    sys.lv1log.size
    sys.lv11.ahcr
    sys.tmp_storage.size
    sys.lv1.be_ras
    sys.lv1console.mode
    sys.lv1.dump_mmio
    sys.lv1.emuioif0irq
    sys.lv1.iosys.errorhandler
    sys.lv1.iosys.network
    sys.lv1.iosys.pci.d.thread
    sys.lv1.iosys.pci.retry
    sys.lv1.iosys.pciex
    sys.lv1.iosys.storage
    sys.lv1.iosysenable
    sys.lv1.iofaultmsg
    sys.lv1.rsxdebug
    sys.lv1.rsxmemcheck
    sys.ac.sd
    sys.ac.misc
    sys.ac.misc2
    sys.be.. spursvsl
    sys.be.. ausrspun
    sys.be.. asysspun
    sys.cellos.spu.configure
    sys.cellos.flags
    sys.dbgcard.dgbe
    sys.debug.device
    sys.sata.param
    sys.pci.share
    sys.load.image.in_rom
    sys.flash.fmt
    sys.flash.boot
    sys.flash.ext
    sys.hw.config
    sys.hvlog.size
    sys.hw.config_version
    sys.hw.model_emulate
    sys.lc.polling.time
    sys.mmio.map_allow
    sys.platform.mode
    sys.qaf.qafen
    sys.rom.addr
    sys.syscon.protocol_version
    sys.wake_source
    sys.param.load.rom1st
    sys.syscon.pversion.
    sys.flash.fmt.
    sys.flash.boot.
    sys.flash.ext.
    sys.lv1.large
    interrupt handler does not add internal
    interrupt handler does not connect internal

    sys.syscon.protocol
    message header from syscon is not correct.
    message from SYSCON is checksum error.
    syscon other port sends interrupt
    sysparamloadrom1st
    syssysconpversion
    sysflashfmt
    sysflashboot
    sysflashext
    syshwconfigversion
    syshwconfig
    syshwmodelemulate
    sysacsd
    sysbespursvsl
    sysbeausrspun
    sysbeasysspun
    sys.pci.share
    sys.lv1.iofaultmsg
    sys.lv1.dump_mmioplat.id
    sys.lv1.be_ras
    sys.hvlog.size

    Level1-Hypervisor

    lv1.iosys.enable.
    lv1_ioctl:
    lv1_result
    lv1_runtime.tcl
    lv1.heap.check
    lv1.self
    lv1.buildid
    lv1.heap.afill
    lv1.heap.rfill
    lv1.iosys
    lv1.maxplgid
    lv1.rsx
    lv1.specver
    lv1.ts
    lv1.ram.biu_modesetup1
    lv1.ram.biu_modesetup2
    lv1.ram.enable
    lv1.ram.ioc_ioif0_quethshld
    lv1.ram.ioc_ioif1_quethshld
    lv1.ram.mic_tm_threshold_0
    lv1.ram.mic_tm_threshold_1
    lv1.ram.tkm_ioif0_ar
    lv1.ram.tkm_ioif1_ar
    lv1.ram.tkm_cr
    lv1.ram.tkm_pr
    lv1.ram.tkm_mbar
    lv1.ts.size.
    lv1.ts.start.
    lv1.rsx.enable.
    lv1.ram.spe_ragid
    lv1.ram.ppe_ragid
    lv1.ram.mic
    lv1tssize
    lv1tsstart
    lv1iosysenable

    BROADBAND DEBUG ENGINE

    dbe.0.fir.l2_em

    NVIDIA RSX

    rsx t: close
    rsx t: open
    rsx.rdcy ..
    rsx.rdcy.1
    rsx.rdcy.2
    rsx.rdcy.3
    rsx.rdcy.4
    rsx.rdcy.5
    rsx.rdcy.6
    rsx.rdcy.7
    rsx.rdcy.8
    rsx ioif0 bus

    REFERENCES TO THE RSX DRIVERS

    rsx driver failed assert
    rsx: invalid context attrib:
    EIC RSX driver initialization failed
    rsx driver assert failed: / space / aoki / svn / tmp / sys / trunk / cellos.nv / .. / cellos / src / implementation / driver / rsx / core / device.h
    rsx driver failed assert: core / device.cc
    rsx driver failed assert: core / memory.cc
    rsx driver failed assert: core / context.cc
    rsx driver assert failed: utils / bitmap.cc
    rsx driver assert failed: bus/ioif0.cc
    rsx driver assert failed: device / eic.cc
    rsx driver assert failed: device / master.cc
    rsx driver assert failed: device / fb.cc
    rsx driver assert failed: device / fifo.cc
    rsx driver assert failed: device / graph.cc
    ctxsw rsx driver timeout! please report
    assert failed rsx driver: device / graph
    assert failed rsx driver: device / clock
    geom clkshader memory clk clk clk display
    rsx driver assert failed: device / audio.cc
    rsx driver assert failed: object / context
    rsx driver assert failed: object / nv
    rsx driver assert failed: object / sw
    rsx driver assert failed: object / channel.cc
    rsx driver assert failed: object / hash
    rsx driver assert failed: object / vfb.cc
    rsx driver assert failed: object / video
    rsx driver failed assert: post / post
    rom rsx abort!
    rsx memory check failed. errors:
    rsx t: post

    INITIATION

    HashTable

    object_entry: get_rule_entry_list_head
    object_hashtable: get_first_object_entry
    object_hashtable: get_next_object_entry
    object_hashtable: get_object_entry
    object_entry: match_rule_entry
    object_hashtable: remove_object_entry
    object_entry: add_rule_entry
    object_hashtable: add_object_entry
    object_hashtable:: initialize
    object_entry: get_rule_entry
    object_entry: get_rule_entry_list_head:
    object_entry: add_rule_entry:
    object_hashtable: get_first_object_entry:
    object_hashtable: get_object_entry:
    object_hashtable:: initialize:
    object_hashtable: remove_object_entry:
    object_entry
    object_hashtable: get_next_object_entry:
    object_hashtable: add_object_entry:

    REFERENCE TO THE ROM DIRECTORIES

    CORE>

    device.cc
    memory.cc
    context.cc

    UTILS>

    bitmap.cc

    OBJECT>

    context
    context_dma.cc
    nv_class.cc
    sw_class.cc
    channel.cc
    hash_table.cc
    sw_driver.cc
    vfb.cc
    video_rsx.cc
    nv
    sw
    channel.cc
    hash
    vfb.cc
    video

    POST>
    post
    DEVICE>

    eic.cc
    master.cc
    fb.cc
    fifo.cc
    graph.cc
    audio.cc

    BUS>

    ioif0.cc

    FLASH DEV

    / dev/sc3
    / dev / flash_num
    / dev/sc0
    / dev / rflash_lx
    / dev/net0
    / dev/rbd0
    / dev / sd_detector
    / dev/sc1
    / dev/hvlog0
    / dev / rflash_lxp
    / dev/cp0
    / dev / rflash
    / dev / eflash
    / dev / flash
    / dev / eflash
    / dev/ioif0

    USER TOKEN

    user_token m_magic = 0x% x
    user_token m_format_version = 0x% x
    user_token m_size = 0x% llx
    user_token m_capability = 0x% llx
    user_token m_expire_date = 0x% llx
    user_token m_idps = 0x% 02x
    user_token m_attribute
    m_type user_token attr = 0x% x
    user_token attr = 0x% x m_size
    attr user_token m_data
    user_token m_digest
    user_token_manager decrypt_user_token () decrypt_and_verify format invalid user token () failure = 0x% x get_time ()

    failure = 0x% x status = 0x% llx rtc value = status = 0x% llx 0x% llx user token has been expired
    user_token_manager encrypt_user_token () sign_and_decrypt () failure = 0x% x
    spu_utoken_processor.self
    user_token_processor SIGSPUMB caught (not desired)
    user_token_processor SIGSTIMEOUT caught (not desired)
    user_token_processor SIGSPUERR caught (not desired)
    user_token_processor SIGSPUDMA caught (not desired)
    user_token_processor SIGSPUMB msg = 0x% x
    SIGSPUSTOP_SL received user_token_processor
    user_token_processor status = 0x% x
    user_token_processor stop_code = 0x% x
    SIGSPUSTOP received user_token_processor
    user_token_processor read_idps () read size ID0 failure (% d)
    user_token_processor read_idps () size =% d EID0
    user_token_processor read_idps () malloc failure
    user_token_processor read_idps () EID0 read failure (% d)
    user_token_processor read_idps () EID0
    user_token_processor read_idps () failure (% d)
    user_token_processor create_command () failure (% d)
    user_token_processor load module () failure
    user_token_processor request_loading_spu_module () failure
    user_token_processor request_loading_spu_module () success

    ASSISTANT / MANAGER FOR UPDATING AND FIRMWARE

    sys0/sys/internal/eurus
    Manager:: reset failed eurus
    manager:: read firmware invaild jump command: command = 0x% 08x, new current size =% d offset =% d, offset =% d data
    manager:: Error: eurus F / W download failed.
    manager:: read firmware invaild data: command = 0x% 08x, new current size =% d offset =% d, offset =% d data
    manager:: read firmware data:% d, firm offset:% d
    manager:: put firmware firmware read fails.
    manager:: put firmware ioctl fails% d
    Manager:: open firmware can not open file
    Manager:: open firmware open file
    Manager:: open firmware open file
    manager:: on received ioctl
    manager:: on received Error: eurus F / W download failed.
    manager:: on received firmware downloaded.
    manager:: start download get value failed. % d
    manager:: start
    Manager:: initialize ...
    Manager:: initialize could not open the file% s.
    Manager:: initialize mac addr = 0x% 016lx
    Manager:: initialize ioctl fails% d
    Manager:: initialize ... completed.
    manager: delete key success
    manager: key failed
    manager: skip delete
    manager: read size error% d! =% d
    manager: event =% llu, bus id =% llu, dev id =% llu, port =% lld, dev type =% llx
    manager: unknown event type
    manager: fatal error. Can not open device file no response from syscon. waiting reply for transaction:
    manager: from syscon
    manager: to syscon
    manager: set source% x LED: p =% x, s =% x result =% d led: b =% x, h =% x result =% d press: timer failed
    manager: receive packet from unknown syscon. cmd id:% x timer: invalid state
    manager:%% d event smask
    manager: read header error
    manager: body read error% d byte header: body% d byte:
    manager: from syscon event =% x size =% d
    manager: fatal error. Can not open device file syscon
    manager: wake source:% x Other OS mode: wake source:% x
    manager: set source% x->% x I switch: Wake source:% x pages failed: this =% p, area
    pages =% d syscon write data: command write failed. shutdown handler invoked
    shutdown unknown interrupt% d

    timer: expired
    timer: set alarm% d us

    INTEGRITY AND CHECK OS

    lv0 and lv1 have passed integrity check
    Lv0 has been altered. integrity check failure.
    lv1 has been altered. integrity check failure

    INTEGRITY AND CHECK THE CORE_OS

    check_core_os_hash () config_manager failure
    recover encrypted master key failed
    filename =% s, file_loc = 0x% llx, file_size = 0x% llx
    verify_util:: SHA-1 hash
    0x% x update_manager:: check_core_os_hash ()
    in product mode, check is skipped.
    update_manager: check_core_os_hash () get_version_and_hash () failure
    update_manager: check_core_os_hash () SC not initialized. skipped integrity check.
    update_manager: check_core_os_hash () config_manager failure
    update_manager: check_core_os_hash () calc hash Lv0 failure (% d)
    update_manager: check_core_os_hash () calc hash lv1 failure (% d)
    updater_frontend.fself
    update_manager:: write
    update_manager: swap_bank ()
    update_manager: get_package_info (% d)
    update_manager: get_secure_product_mode ()
    update_manager: get_sc_status (% d)
    update_manager: get_secure_product_mode ()
    update_manager: set_secure_product_mode (0x% x)
    update_manager: set_sc_status (% d)
    update_manager: decompress_and_write_target ()
    update_manager: write_target ()
    update_manager: read_revoke_list (% d)
    update_manager: initialize_revoke_list_info (% d)
    update_manager: applicable_version_info (% d)
    update_manager: check_revoke_list_hash ()
    update_manager: check_revoke_list_all ()
    update_manager:: set
    update_manager:: bank
    update_manager:: data
    update_manager: calc_os_hash
    update_manager: calc_os_hash
    update_manager:: force
    update_manager: update_package_tophalf ()
    update_manager: common_tophalf::
    update_manager: inspect_package_tophalf (0x% x,
    update_manager: extract_package_tophalf (0x% x,
    update_manager: update_package_tophalf (0x% x,
    update_manager: update_package_tophalf ()
    update_package (% d)
    update_manager: set_token ()
    update_manager: read_eprom (0x% x)
    update_manager: get_token_seed ()
    update_manager: inspect_package_bottomhalf ()
    update_manager: get_extract_package ()
    update_manager:: illegal
    update_manager: no
    update_manager:: invalid
    update_manager:: copy
    update_manager: update_package_bottomhalf ()
    update_manager: get_fix_instruction ()
    update_manager: erase_core_os_standby_bank ()
    update_manager: erase_hash_standby_bank (% d)
    update_manager: set_debug_support_repository ()
    update_manager: init_ss_params_repositories ()
    update_manager: set_recover_mode_repository ()
    update_manager: init_ss_params_repositories ()
    update_manager: set_fself_control_repository ()
    update_manager: init_device_type ()
    update_manager: set_update_status_repository ()
    update_manager: write_eprom (0x% x,
    update_manager: set_qa_flag_repository ()
    update_manager: init_qa_flag ()
    update_manager: do_fix_regions ()
    update_status
    update_manager: do_fix_trm_regions ()
    update_manager:: sc
    update_manager: init_for_updater (% d)
    update_manager: initialize_revoke_list_info (% d)
    update_manager: init_device_type ()
    update_token_processor: read_idps ()
    update_srh,
    update_table_icv,

    Checks security policies

    security_policy_manager:: request:
    security_policy_manager:: initialize
    security_policy_manager:: request:
    security_policy_manager:: request:
    security_policy_manager: register_rule:
    security_policy_manager: load_additional_policy:
    security_policy_manager:: initialize
    security_policy_manager: load_additional_policy:
    security_policy_manager: security_hardware_framework_if: get_random_number

    REFERENCES TO CELL_OS

    SCE_CELLOS_SS_SPM
    SCE_CELLOS_SS_INDI_INFO_EID
    SCE_CELLOS_SS_SECURE_RTC
    SCE_CELLOS_SYSTEM_MGR
    SCE_CELLOS_SYSTEM_MGR_PS2_SW
    SCE_CELLOS_SYSTEM_MGR_LINUX
    SCE_CELLOS_SYSTEM_MGR_PS2
    SCE_CELLOS_SYSTEM_MGR_PS2_GX
    SCE_CELLOS_PME

    REFERENCES TO LPAR

    if: notify lpar shutdown start to BSC
    if: notify lpar shutdown start to av set% d
    if: notify lpar boot done to BSC
    if: notify done to lpar boot AV Set
    if: notify lpar done to kill BSC
    if: notify shutdown done to lpar AV Set
    if: shutdown done to lpar notify BSC
    if: notify lpar boot start to BSC
    if: boot param from SC eeprom
    if: notify lpar boot start to av set% d
    if: notify system boot done to BSC
    if: notify system boot done to AV Set
    if: notify system shutdown start to BSC
    if: notify system shutdown start to av set% d
    if: notify BSC start to kill lpar
    if: shutdown does not activate current lpar refused lpar
    if: Killing not activate current lpar refused lpar
    event: inter-lpar parameter length =% d size parameter over inter lpar
    event: boot parameter% d. param =% lx, st =% d
    boot parameter% d. % s privilege not receive unknown response. type =% d failed to send packet to lpar% d
    event: to lpar sid =% d, size =% d
    event: send inter-lpar parameter: bytes =% d
    event: from lpar sid =% d, size =% d
    lparmgr: boot failed reason =% d
    lparmgr: give up booting% s
    lparmgr: initialize default repository failed% d
    lparmgr: construct pu failed =% x
    lparmgr: boot parameter =% 08x
    lparmgr: construct repositories failed
    lparmgr: activate logical pu failed% x
    lparmgr: boot completed
    ------------------------------------------
    lparmgr:% s partition booting ...
    lparmgr: ability =% x
    lparmgr: construct logical parition failed% x
    lparmgr: allocate memory failed% x
    lparmgr: delete key success
    lparmgr: key failed
    lparmgr: set key success
    lparmgr: key failed
    lparmgr: setup bd drive ...
    lparmgr: load Guest ...
    lparmgr: load you image guest failed% d
    lparmgr: registering signal handler shutdown failed% x
    lparmgr: skip size ata get contents failed. status =% d, prof =% s / file =% s / type =% d
    get contents failed. status =% d, prof =% s / file =% s / type =% d cellos memory size =% ldb
    lparmgr: construct event port receive failed% x
    lparmgr: get lpar size parameter failed. status =% d, prof =% s
    lparmgr: get lpar parameter failed. status =% d, prof =% s
    lparmgr: lpar unmatch size parameter. buf size =% d, acm size =% d, buf using
    lparmgr: shutdown% s partition ...
    lparmgr: shutdown% s failed% x
    lparmgr: unload guest ... Failed to get info for% s. status =% d
    lparmgr: destructing partition ... Failed to destruct partition for% s. result =% d
    lparmgr: reset bd drive ... bd drive reset failed% d
    lparmgr: kill% s partition ... id =% d
    lparmgr: shutdown% s partition ...
    lparmgr:% s failed% x
    lparmgr: shutdown% s rejected lpar invalid state% d
    lparmgr: start shutdown partition. id =% d
    lparmgr: send shutdown command to% s
    lparmgr: start destructing partition. id =% d
    entry: auth drive success
    entry: bd drive ready
    entry: auth drive time-outed
    entry: auth failed drive
    / rmt /% s.dat
    / dev / rflash
    / proc / partitions /% d / mem
    LPAR file address space could not be opened ...
    mmap failed: errno =% d
    entry: copy
    size! = file
    entry: boot additional data% ld,% d
    create node: status =% d error

    pci bus power off failed.
    power on pci bus failed.

    remove node: error status =% d scheduling table entry in table scheduling construct spp file failed% d slot scheduling

    looking up table failed% d slot% d: index =% d, name =% s, ts =% dus failed% d slot scheduling

    sysmgr.boot.ps2.1st
    sysmgr.boot.linux.1st
    sysmgr.debug.level
    sysmgr: available number of spus for lpar =% d
    sysmgr: spu condition info =% p
    sysmgr: tb frequency =% d config: total memory size =% d
    sysmgr: number of system spus =% d

    PS3_LPAR
    / flh/os/lv2_kernel.self
    PS2_SW_LPAR
    / local_sys0/ps2emu/ps2_softemu.self
    LINUX_LPAR
    / flh / lx / linux

    REFERENCES TO NEOS SONY CELL GAP OS KERNEL

    NEOS kernel for OS Cell Sony bpa BPA Team .. / src / Core / common / Thread.cc
    Thread:: terminate: the thread is inheriting the priority.
    Thread:
    Thread: Thread The target object is not in dormant state.
    a system exception% d,% 08x is raised in the exception handling daemon
    Thread:: releaseTypeFlag: invalid type flag.
    Thread:: releaseTypeFlag: releasing un-assigned type bit.
    Thread:: terminate: The target Thread Mutex object holds any locks.
    Thread:: restart: Thread The target object is not in stopped state.
    Thread:: start: Thread The target object is not in dormant state.
    Thread:: start: Thread The target object has not been configured.
    Thread:: start: The specified RelayPoint is used by another Thread object.
    Thread:: configure: The target thread object is not in dormant state.
    Thread:: configure: Thread The target object has been configured with invalid argument.
    Thread:: configure: Thread The target object has been configured as executing user mode, but not been specified.
    Thread:: setBasePrioriry: The specified prioriry is not in the proper prioriry range.
    Timer:: wait: This member function is called when the scheduler is locked.
    Timer:: setPeriodic: The specified period less than or equals to zero.
    Timer::
    Timer: deleting a timer while some threads are waiting on the timer.
    % p% d.% 09d

    WeakLock::
    WeakLock: The WeakLock target object has been locked by any threads.
    WeakLock:: Lock: The caller thread of this function is WeakLock holding another object.
    WeakLock: tryLock: The caller thread of this function is WeakLock holding another object.
    WeakLock:: lock: This member function is called when the scheduler is locked.
    dummy initial thread thread fmt null null There are some threads waiting on a MessageQueue destructing.
    / proc / partitions

    ERROR>
    .. / src / PMPI / construct logical partition.cc
    could not create / proc / partitions /
    / proc / partitions /
    .. / src / PMPI / destruct logical partition.cc
    namei could not "% s" to inode

    / vuart /
    .. / src / PMPI / vuart.cc
    proc num =
    proc ids =

    REFERENCES USB DONGLE

    init
    if:: notify failed failure: init
    if:: notify ready failed: usb dongle authenticator: authenticator initialize usbdongle: verify responses given response
    body =% 02x challenge
    body = id =% u dongle dongle dongle key error ID revoked.get calc. response
    body = usb dongle authenticator:: generate challenge hardware security framework
    if:: get random number sanity check error: r =% d

    recover encrypted master key succeeded.
    recover encrypted master key failed -> use dummy key.

    REFERENCES ATA

    set_ata_key success
    delete_ata_key failed
    delete_ata_key success
    set_ata_key
    skip ata_key

    REFERENCES TO GUEST OS

    gosldr: inflateInit:% s
    gosldr: read error you ext
    gosldr: inflate:% s
    gosldr: overflow:% d
    gosldr: unknown error
    gosldr: inflateEnd:% s
    gosldr: found valid image gos
    gosldr: mmap failed: errno =% d
    gosldr: inflating gos image
    gosldr: load complete picture gos

    load GuestOS
    failed guest OS image load
    unload GuestOS
    pmi_set_guest_os_mode (): already called
    pmi_set_guest_os_mode (): wrong gos_mode

    OTHER DOCUMENT NO DATA

    physical_console_0
    hypervisor_console
    _USB_DONGLE_AUTH_USB_DONGLE_
    ÈAÀmu.1.size???
    plat.id
    CokC12
    pme.memory.size
    iosneteuruslpar
    musize
    biboot_datsize
    bipurm_addr
    bipun
    ssparambankos
    ssparambankrvkpkg
    sslaidp
    bipumui
    bipurm_size
    acpchannelbitmap


  2. #2
    Contributor semitope's Avatar
    Join Date
    Feb 2009
    Posts
    605
    Hopefully someone here will provide a proper translation to update that post. These online translation services are retarded.

  3. #3
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,849
    Yep, for the most part the clear text string output above from the HV Dump is grouped and is easy enough to follow... but it would be great if any written updates DemonHades does can be added with a better translation.

  4. #4
    Senior Member Mbb's Avatar
    Join Date
    Jan 2010
    Posts
    323
    Good news indeed!

  5. #5
    Contributor cenoxdj's Avatar
    Join Date
    Jun 2007
    Posts
    34
    I'm Italian and cannot translate that, but I will hire my girlfriend (who is Spanish) to translate it properly. Where is the link to find the Spanish article?

  6. #6
    Registered User cmccmc's Avatar
    Join Date
    Jan 2010
    Posts
    29
    damn he found a lot already

  7. #7
    Registered User JesusFMA's Avatar
    Join Date
    Apr 2009
    Posts
    67
    Yes, the translation at the very beginning is quite confusing, but as you read the other info, you'll find a very easy Spanish; the automatic translation is well done (it only has some errors, but nothing you can't understand). I leave you a very simple translation of the part mentioned above:

    For those who have been part of our community for a long time, you already know about this Hypervisor and BootStrap study, but for the newbies and newcomers who want to know about the PS3 security functions, how it protects itself and how it manages the Hypervisor (Hardware manager), I think you’ll be very interested in reading this list.

    Here I left you the Hypervisor dump that I’ve been given and I’m also making it public so everybody can make a very well done document of information about the Hypervisor and BootStrap.

    In here, we’ll be adding all the functions, on a list, that you post. If you see that they’re already commented and exposed, don’t post them again, so I only have to copy the ones that are left so we can go faster.

    Dictionary of Terms
    BE --> Broadband Engine(Cell Processor)
    RSX --> PS3 NVIDIA graphic card
    SB --> South Bridge
    SS2 --> StarShip 2 North bridge
    LPAR --> Logic Partition
    Flh ---> Flash Memory
    Lx --> Linux OS
    Xmb --> Game_OS Front end
    Otheros--> GUEST OS Partition
    Spu --> Back Up Processors for the Main One
    Ppu --> Central Process Unit
    Lv ---> Level
    Ldr --> Loader
    Pkg --> Package

    Partition Table
    1 Not Defined (Temporary)
    2 LPAR_PS3
    10200000030000010000000000000001
    3 Not Defined (Temporary)
    4 Not Defined (Temporary)
    5 LPAR_LINUX
    10800000040000010000000000000003
    6 Not Defined (Temporary)

    Copy of the CORE_OS from the NAND FLASH
    This inner content of RAM belongs to a copy of the OS partition that resides in the NAND Flash; it seems to be copied as encrypted info into the RAM and it's unencrypted there too.
    ....
    ...
    ..
    .
    If you need anything else, please, let me know!

  8. #8
    Registered User livpool's Avatar
    Join Date
    Sep 2009
    Posts
    211
    great work jesus! god would be proud of you (pun intended) +rep

  9. #9
    Contributor teusjuh's Avatar
    Join Date
    Jul 2007
    Posts
    23
    what does this all mean?? lvl2 dump also possible?

  10. #10
    Registered User talruum's Avatar
    Join Date
    Nov 2007
    Posts
    37
    Does anybody know if it is possible to call these functions using the hardware exploit?

    update_manager: get_secure_product_mode ()
    update_manager: set_secure_product_mode (0x% x)

 
