PS3 Hypervisor and Bootstrap lv0/lv1 Examined, Offload Available


Today we have some news from Spanish PS3 developer DemonHades on their ongoing PS3 Hypervisor and Bootstrap lv0/lv1 examination, and news that Offload: Community Edition is now available free for Cell Broadband Engine devices.


To quote: "The Offload tool suite provides the Offload tool as well as a full Windows based GCC SDK, enabling easy offloading of code to the SPUs on the Cell Broadband Engine.

It also includes integration with a Cell Broadband Engine enhanced Eclipse CDT, and the Offload Player Debugger, for executing and debugging code on the target Cell Broadband Engine hardware. Offload: Community Edition is free to use for academic research and commercial projects, subject to licensing conditions."

Below are DemonHades' PS3 Hypervisor and Bootstrap dump lv0/lv1 examination findings thus far, roughly translated via Google. If anyone who is fluent in Spanish can add to it, feel free to do so below!

Those who follow our community and this study will already know the hypervisor and the bootstrap, but for newcomers who want to learn about the security features of the PS3, how it is protected and how the hypervisor (hardware manager) manages it, I think this list makes interesting reading.

So I am leaving here the hypervisor dump that I have gone through, published so that everyone can put together a good background paper on the hypervisor and the bootstrap.

Here all the features found will be added to a list; if you see that something is already discussed and exposed here, you only need to copy it quickly from your own dumps.

Dictionary of terms
BE --> Broadband Engine (Cell Processor)
RSX --> NVIDIA graphics of the Playstation 3
SB --> SouthBridge
SS2 --> StarShip 2 Northbridge
LPAR --> Logical Partition
flh --> Flash memory
lx --> Linux OS
xmb --> Frontend of the Game_OS
Otheros --> Partition for the GUEST OS
spu --> Support processors for the central processor
ppu --> Central processing unit.
lv --> Level.
ldr --> Loader
pkg --> Package, or data container.

Privileged RAM layout

TABLE OF PARTITIONS

http://i47.tinypic.com/24vtmzd.png

Colours represent the partition number

1. Not yet defined (provisional)

2. ---> LPAR_PS3
10200000030000010000000000000001

3. Not yet defined (provisional)

4. Not yet defined (provisional)

5. ---> LPAR_Linux
10800000040000010000000000000003

6. Not yet defined (provisional)

COPY OF THE INTERNAL CORE_OS FROM NAND FLASH

This RAM content belongs to a copy of the CORE_OS partition, which lives on the NAND flash; it appears to be stored encrypted, copied to RAM and decrypted right there.

Description of the Binary

asecure_loader

Better known as METLDR, this is the first loader in the decryption chain. It is loaded into the isolated SPU, where it decrypts the master key that is used to extract the keys for decrypting the following loaders (ldr1, lv1, ldr2, LV2).

spu_pkg_rvk_verifier.self

Certificate revocation list verifier

spu_token_processor.self

Not yet defined

spu_utoken_processor.self

Not yet defined

sc_iso.self

This seems to be the system calls of Lv0.

aim_spu_module.self

Not yet defined

spp_verifier.self

SPP verifier, presumably responsible for verifying and validating that it has not been tampered with.

mc_iso_spu_module.self

Not yet defined

me_iso_spu_module.self

Not yet defined

sv_iso_spu_module.self

Not yet defined

sb_iso_spu_module.self

Southbridge image code

default.spp

Default factory settings, used to reset to factory settings.

lv1.self

Known as the hypervisor, it is the manager of the hardware and the LPARs; it controls all access to the hardware from the different LPARs.

lv2_kernel.self

Known as the Supervisor, it is the kernel and software manager; it runs in PS3_LPAR and is responsible for managing all software, firmware and communication with the hypervisor.

eurus_fw.bin

Firmware version and configuration data related to this region.

emer_init.self

This would be something like the emergency boot; we might think it is the recovery ... but it is too early to take that for granted.

creserved_0

Not yet defined

Positions of the internal SELFs belonging to CORE_OS

0x20000 [E03D1478BEEF49B2020EA7687E15C4068EBF9866]
0x37000 [35BC85F1AFD3FCD0C7A70E602C82E49F594DAA31]
0x55000 [00B84C6ECC4A9374588A710D527F07794263C659]
0xA19A0 [no hash and no decryption]
0xAA410 [no hash and no decryption]
0x1624BC [46CFAE517AB1ADD239E705ACBB663CF6E551A194]
0x35E100 [has a hash, but this one does not give that figure]
0x369720 [no hash and no decryption]
0x6C25B4 [46CFAE517AB1ADD239E705ACBB663CF6E551A194]
0x6C5ED4 [encrypted but without hash]
0x6D5470 [encrypted but without hash]

REFERENCES TO FACTORY SIGNED ELF

ss_init.fself
ss_server1.fself
ss_server2.fself
ss_server3.fself
sysmgr_ss.fself
updater_frontend.fself
factory.fself

COMMUNICATION WITH THE LV2 KERNEL

load_lv2:
load_gos
load_profile
load_additional_policy:
load_internal_policy:

gsboot: load_lv2: filename:% s
gsboot: load_lv2: lpar_id: laid% d:% d
SLL: Failde fileloader load:% d
SLL: mmap orig size:% lu
SLL: mmap start address:% lu
SLL: mmap size:% lu
SLL: mmap Failde:% d
SLL: mmap to% p
SLL: auth_lv2 called
SLL: auth_lv2 fail:% d
SLL: unmmap EA:% p munmap:% d
SLL: deleting laid lpar_auth_id remove node: status =% d error
SLL: setting ss lpar_auth_id create node: status =% d error
FL: release_buffer for allocate_memory
FL: munmap:% d
FL: Release:% d addr:% p
SLL: main memory size:% lu:% lu memory segment construct: error status =% d allocated lpar:% d address:% p
FL: mmap size:% lu
FL: mmap Failde:% d
FL: mmap to% p / rmt / local_sys0 / flh .. / / / /.
FL: vfs open error:% d: toolong
FL: vfs open error:% d: errno:% d
FL: vfs size error:% d
FL: lseek fail, and close fail: fd:% d SL: allocate fail: size (% d)
FL: close fail: fd:% d
FL: vfs seek error:% d
FL: vfs size error:% d
FL: size error:% d% d
FL: file loaded:% d
FL: init err conf_mgr
offset:% d size:% d
FL: read error:% d / flh / os / SL: signal: stop and signal problem area:% p SPU state:% lu stop code =% u SL: signal: handler_end *

map data buffer: / proc / partitions /% d / mem could not open file ...(% s) mapped address:% p mmap failed: errno =% d close error:% d

SL: signal: spu timeout signal has arrived ----- ----- SL: timeout_handler: disable

auth_lv2
auth_sv
auth_disc_hdd

REFERENCES TO SPU

spu_filename:% s
spu_fir (0x
spu_fir_error_mask (0x
spu_fir_checkstop_enable (0x

Spu dump regs fir *** ***
spu_fir 0x
spu_fir_error_mask 0x
spu_fir_checkstop_enable 0x

*** [DETECT] unit: spu

*** [DETECT HW Error] unit: global fir, cause: CheckStop ***
ras_checkstop_fir 0x

*** [DETECT HW Error] unit: global fir, cause: recoverable ***
ras_recoverable_fir 0x
ras_fir_enable_mask 0x

Global dump regs fir *** ***
ras_lerr_counter_stat 0x

*** *** Dump regs fir biu
biu_fir 0x
biu_fir_error_mask 0x
biu_fir_checkstop_enable 0x

*** [DETECT] unit: biu ***

L2 dump regs fir *** ***

l2_fir 0x
l2_fir_error_mask 0x
l2_fir_checkstop_enable 0x
mode_setup1 0x

*** [DETECT] unit: l2 ***

*** *** Dump regs fir ioc

ioc_fir 0x
ioc_fir_error_mask 0x
ioc_fir_checkstop_enable 0x
bic_if0thr 0x
bic_if1thr 0x
bic_if0ccnt 0x
bic_if1ccnt 0x

*** [DETECT] unit: ioc ***
bic_if0rcnt 0x
bic_if1rcnt 0x

*** Dump regs fir mic ***
mic_fir0 0x
mic_fir1 0x

*** [DETECT] unit: mic ***

*** Dump regs fir ciu ***

ciu_fir 0x
ciu_fir_error_mask 0x
ciu_fir_checkstop_enable (0x

*** [DETECT] unit: ciu ***
sys.lv1.be_ras

[HVL]

sys.hvlog.size

SPE hang is detected: GUID UNKNOWN construction of SPU NPC VPU management failed
pmi_set_guest_os_mode (): already called
pmi_set_guest_os_mode (): wrong gos_mode

sys.lv1.dump_mmioplat.id

[PANIC]
Can not get loader parameter =
sys.flash.fmt
sys.tmp_storage.size
spider.gbe0.macaddr.1
spider.gbe0.macaddr.2
spider.gbe0.macaddr.3
sys.debug.device
rsx.rdcy.3
rsx.rdcy.4
rsx.rdcy.5
rsx.rdcy.6
rsx.rdcy.7
rsx.rdcy.8
sys.lv1.iosysenableios.net.eurus.lpar
sys.hw.config_version
sys.hw.model_emulate
be.0.nclk
be.0.ioif0.addrlv1.heap.check

[Warnig]

The allocation size from the heap () Exceeds bytes: 0x [lp = lc.allow.large_id [lc =, lp =):
sys.dbgcard.dgbe
sys.lc.polling.time
physical_console_0
hypervisor_console
EIC driver initialization failed
FAIL: construction of a SPU objs
FAIL: Loader parameter 'be.0.spu.faultbm' is required.sys.cellos.spu.configure
FAIL: Lv-1 does not support system more than SPEs 2.SPE = (unit_id =, = resv_id, normal, system

BROADBAND ENGINE

be.0.lpm.lpar
be .. clock.
be .. ioifn.
be .. ioif.addr
be.0.bp_base
be.0.fir.l2_ee
be.0.fir.l2_em
be.0.fir.biu_ee
be.0.fir.biu_em
be.0.fir.ciu_ee
be.0.fir.ciu_em
be.0.fir.mic_f0
be.0.fir.mic_f1
be.0.fir.ioc_em
be.0.fir.ioc_ee
be.0.fir.ras_ee
be.0.fir.spu0_ee
be.0.fir.spu0_em
be.0.fir.spu1_ee
be.0.fir.spu1_em
be.0.fir.spu2_ee
be.0.fir.spu2_em
be.0.fir.spu3_em
be.0.fir.spu3_ee
be.0.fir.spu4_em
be.0.fir.spu4_ee
be.0.fir.spu5_em
be.0.fir.spu5_ee
be.0.fir.spu6_em
be.0.fir.spu6_ee
be.0.fir.spu7_em
be.0.fir.spu7_ee
be.0.ioif1.addr
be.0.ioif0.addr.lv1.heap.check
be.0.lpm.priv
be.0.nclk
be.0.ref_clk
be.0.spu.faultbm
be.0.tb_clk
betb_clk
beclock
benclk
beioifn
beioifaddr
beioifaddr

REFERENCES TO SPP

http://i50.tinypic.com/29lodxc.png

REFERENCES TO THE DATA BUS

busnum_dev
busdevregtype
busdevregdata
busdevintr
BusID
busnum_dev
BusID
Bustype
busdevintr
busdevmeddling
busdevregion
busdevn_regs
busdevtype
busdevintr
busdevblk_size
busdevn_blocks
busdevport
busdevmeddling
busdevregionid
busdevregionstart
busdevregionsize
busdevregioncrypto
busdevn_regs

REFERENCES SYSTEM CALLS

sc_iso.self
sc_iso_factory.self
sc_binary_patch:
sc_core:
sc_sendrecv:
sc_proxy_if: sendrecv
sc_proxy_if: sendrecv:
sc_proxy:: open
sc_proxy:: write
sc_proxy_if: sendrecv:
sc_proxy:: close
sc_proxy:: read
sc_proxy:: close
sc_proxy:: write:
sc_proxy:: open:
sc_manager
sc_timer
sc_tc
sc_rc
sc0
sc1
sc_version
sc_status
sc
sc_updater::
sc_type
sc_decrypt
sc_encrypt
sc_manager_if: restore_root_info
sc_manager_if: backup_root_info
sc_get_srh
sc_set_srh
sc_is_init_vtrm
sc_init_for_vtrm
sc_manager: init_for_vtrm

REFERENCES SYSTEM MANAGER CALLS

scm_correct_rtc_factory:
scm_set_rtc_factory:
scm_sc_binary_patch:
scm_set_sc_status:
scm_init_for_updater:
scm_set_rtc:
scm_init_for_vtrm:
scm_set_srh:
scm_restore_root_info:
scm_backup_root_info:
scm_correct_rtc_factory:
scm_set_rtc_factory:
scm_sc_binary_patch:
scm_set_sc_status:
scm_get_sc_status:
scm_get_property:
scm_init_for_updater:
scm_set_rtc:
scm_set_time:
scm_get_time:
scm_set_region_data:
scm_get_region_data:
scm_init_for_vtrm:
scm_backup_root_info:
scm_set_time:
scm_set_region_data:
scm_get_region_data:
scm_get_srh:
scm_decrypt:
scm_encrypt:
scm_get_sc_status:
scm_get_property:

REFERENCES TO SYSTEM SETTINGS

ss_dispatcher:: terminate
ss_dispatcher:: loop
ss_dispatcher: loop_once
ss_dispatcher:: initialize
ss_packet: send_receive
ss_packet: process_async
ss_packet: process_received
ss_packet: accept_reply
ss_init_repository: get_node_value:
ss_init_repository: create_node:

ss_init.fself
ss_server1.fself
ss_server2.fself
ss_server3.fself
ss_init_if: notify_failure
ss_init_if: notify_ready
ss_responder:: terminate
ss_responder:: initialize
ss_responder: loop_once
ss_packet: send_receive
ss_packet: process_async
ss_packet: process_received

ss_packet: accept_reply
ss_init_repository: get_node_value:
ss_init_repository: create_node:

REFERENCES TO CERTIFICATE REVOCATION LIST

spu_pkg_rvk_verifier.self
certified_file_verifier: SIGSPUMB caught (not desired)
certified_file_verifier: plain_src_addr = 0x% llx, plain_size = 0x% llx, 0x% llx enc_size =
certified_file_verifier: prepare_args failure
certified_file_verifier:: load_module () failure:% d
certified_file_verifier: request_loading_spu_module () failure
cerfified_file_verifier: request_loading_spu_module () success
certified_file_verifier: SIGSPUTIMEOUT caught (not desired)
certified_file_verifier: SIGSPUERR caught (not desired)
certified_file_verifier: SIGSPUDMA caught (not desired)
certified_file_verifier: SIGSPUMB msg = 0x% x
certified_file_verifier: SIGSPUMB read PUINTMB failure
certified_file_verifier: SIGSPUSTOP_SL received
certified_file_verifier:: status = 0x% x
certified_file_verifier: stop_code = 0x% x
certified_file_verifier: SIGSPUSTOP received

REFERENCES TO THE BLU-RAY DRIVE

Identifiers of the Blu-ray disc in the drive

HW: auth sv ret:% d
HW: emu disc auth:% d
HW: disc auth API emu
HW: param error:% d
HW: disc mode% d
HW: test unit ready ret:% d code:% lx
HW: test unit 0x% 08x req sense
HW: read disc structure ret:% d code:% lx
HW: inquiry ret% d result% d
HW: inquiry:% s:% s
HW: FW not supported failed Success
HW: sendign security command for check drive auth retry: ret =% d
HW: get vesion
HW: I dec block: index% size% llu llu
HW: I auth header: size% llu
HW: mc: ret% d
HW: mc:% p% p% p
HW: ps3 disc new API change
HW: ps3 disc profile param% d:% 08X
HW: not ps3 disc
HW: size:% d mode:% d
HW: hdd ps3 game new auth API
HW: not ps3 disc, set policy HDD auth fail: recover ..
HW: save disc id for HDD
HW: ps3 disc new auth API
HW: single layer bd ps3
HW: multi layer ps3 bd
HW: ps3 dvd
HW: save disc id
HW: ps2 disc auth
HW: not ps2 disc
HW: drive auth:% d
HW: Check device file:
HW: drive interface is busy.drive interface open failed
HW: not ready, clean key
HW: ret% d
HW: not ready for auth key clean
HW: encdec / param ata: 0x% lx
HW: set key for disable ata encdec ret:% d
HW: set key for enable ata encdec ret:% d
SB: atagpest% lx
HW: send clear ret:% d result:% p
PS-SYSTEM
PS-SPECIAL
incorrect header check
unknown compression method
invalid window size
unknown header flags set
header crc mismatch
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect data check
incorrect length check

Physical integrity checks on the drive

bd_updater: check_cmd_result ()
bd_updater: check_cmd_result (): result_code = 0x% llx
bd_updater: detect_need_eject (): type =% d, revision =% d, need_eject = true
BDVD: Drive Not Ready Timeout
Blu-ray drive initialisation
BDVD result: 0x drive: request complete tag:
device:: encdec. start device ID:
SYSTEM CLOCK Fail: Set: Encdec device ERROR:: initialize end: Seqence KSET Encdec ioctl cmd:
ENCDEC TransLparAddrToSbAddr invalid address
usrbuf request lpar
dscbuf request lpar
req size: 0x
invalid addr ba?:
invalid addr ba?:
ENCDEC EdecXTS3 TransLparAddrToSbAddr invalid address
EdecSS start.
EdecSS end. Kicked DMA
EdecKgen1 start.
EdecKgen1 end.
EdecKset start.
EdecKset end.
EdecKgen2 start.
EdecKgen2 end.
EdecKgenFlash.
Encdec decsec.
EdecKset OK.
EdecKset NG.

Found EncDec Test Mode Interrupt Reason:
Encdec timeout
handler called
OR SetStgSsDbufEncdec ENC DEC:
SetStgReadDesc lbn:
OR SetStgSsEncdec ENC DEC:
InitializeENCDEC Start.
Fail address ENCDEC TransSbAddrToPhyAddr search
Fail TransSbAddrToPhyAddr get ENCDEC address 0x:

References to the Blu-ray drive's Spansion flash

TP Spansion memory shortage
TEST: End.
TEST: Read lsn: 0x SS2 status: 0x
TEST: Current Read: 0x
FLASH Memory complete: lsn: 0x
TEST: Start.

Starship Reset Error: ERROR StarShip
unknown scenario:
stage:
exec proto:
SWResetPtcl
SS2 HW Reset ERROR: 0x
SSTransfer Start. Protcol:
IN PIO SSTransfer
PIO SSTransfer OUT
DMA SSTransfer
SSTransfer End.
SSOperation cmd:
Flash Chip Not Found

REFERENCES TO INTERRUPTS

# # # Dump interrupts # # #

TIRCS 0x
Tirdad 0x
TIREMSKA 0x
TIREMSKB 0x
TIRPIEN 0x
TIRPNDA 0x
TIRPNDB 0x
TIRPPNDA 0x
TIRPPNDB 0x
TIRCFGA [] 0x

TIRCFGB [can not get GBUSC forward region 3]

PIO registers Dump
piodo 0x
piodi 0x
Pioda 0x
piood 0x
pioaen 0x
pioactl 0x
pioco 0x

sys.hw.config

REFERENCES TO SOUTHBRIDGE

# # # # SB DEVICE # # # #
# Controller_id:
# Ioid: 0x
# Bus_master_id: 0x
# Base_io_segment: 0x
# Sb_master_transaction_base_address_: 0x

SYSTEM

sys.lv0.address
sys.lv0.revision
sys.lv0.size
sys.lv0.version
sys.lv1.large_pciex
sys.lv1.rsxenable
sys.lv1log.size
sys.lv11.ahcr
sys.tmp_storage.size
sys.lv1.be_ras
sys.lv1console.mode
sys.lv1.dump_mmio
sys.lv1.emuioif0irq
sys.lv1.iosys.errorhandler
sys.lv1.iosys.network
sys.lv1.iosys.pci.d.thread
sys.lv1.iosys.pci.retry
sys.lv1.iosys.pciex
sys.lv1.iosys.storage
sys.lv1.iosysenable
sys.lv1.iofaultmsg
sys.lv1.rsxdebug
sys.lv1.rsxmemcheck
sys.ac.sd
sys.ac.misc
sys.ac.misc2
sys.be.. spursvsl
sys.be.. ausrspun
sys.be.. asysspun
sys.cellos.spu.configure
sys.cellos.flags
sys.dbgcard.dgbe
sys.debug.device
sys.sata.param
sys.pci.share
sys.load.image.in_rom
sys.flash.fmt
sys.flash.boot
sys.flash.ext
sys.hw.config
sys.hvlog.size
sys.hw.config_version
sys.hw.model_emulate
sys.lc.polling.time
sys.mmio.map_allow
sys.platform.mode
sys.qaf.qafen
sys.rom.addr
sys.syscon.protocol_version
sys.wake_source
sys.param.load.rom1st
sys.syscon.pversion.
sys.flash.fmt.
sys.flash.boot.
sys.flash.ext.
sys.lv1.large
interrupt handler does not add internal
interrupt handler does not connect internal

sys.syscon.protocol
message header from syscon is not correct.
message from SYSCON is checksum error.
syscon other port sends interrupt
sysparamloadrom1st
syssysconpversion
sysflashfmt
sysflashboot
sysflashext
syshwconfigversion
syshwconfig
syshwmodelemulate
sysacsd
sysbespursvsl
sysbeausrspun
sysbeasysspun
sys.pci.share
sys.lv1.iofaultmsg
sys.lv1.dump_mmioplat.id
sys.lv1.be_ras
sys.hvlog.size

Level1-Hypervisor

lv1.iosys.enable.
lv1_ioctl:
lv1_result
lv1_runtime.tcl
lv1.heap.check
lv1.self
lv1.buildid
lv1.heap.afill
lv1.heap.rfill
lv1.iosys
lv1.maxplgid
lv1.rsx
lv1.specver
lv1.ts
lv1.ram.biu_modesetup1
lv1.ram.biu_modesetup2
lv1.ram.enable
lv1.ram.ioc_ioif0_quethshld
lv1.ram.ioc_ioif1_quethshld
lv1.ram.mic_tm_threshold_0
lv1.ram.mic_tm_threshold_1
lv1.ram.tkm_ioif0_ar
lv1.ram.tkm_ioif1_ar
lv1.ram.tkm_cr
lv1.ram.tkm_pr
lv1.ram.tkm_mbar
lv1.ts.size.
lv1.ts.start.
lv1.rsx.enable.
lv1.ram.spe_ragid
lv1.ram.ppe_ragid
lv1.ram.mic
lv1tssize
lv1tsstart
lv1iosysenable

BROADBAND DEBUG ENGINE

dbe.0.fir.l2_em

NVIDIA RSX

rsx t: close
rsx t: open
rsx.rdcy ..
rsx.rdcy.1
rsx.rdcy.2
rsx.rdcy.3
rsx.rdcy.4
rsx.rdcy.5
rsx.rdcy.6
rsx.rdcy.7
rsx.rdcy.8
rsx ioif0 bus

REFERENCES TO THE RSX DRIVERS

rsx driver failed assert
rsx: invalid context attrib:
EIC RSX driver initialization failed
rsx driver assert failed: / space / aoki / svn / tmp / sys / trunk / cellos.nv / .. / cellos / src / implementation / driver / rsx / core / device.h
rsx driver failed assert: core / device.cc
rsx driver failed assert: core / memory.cc
rsx driver failed assert: core / context.cc
rsx driver assert failed: utils / bitmap.cc
rsx driver assert failed: bus/ioif0.cc
rsx driver assert failed: device / eic.cc
rsx driver assert failed: device / master.cc
rsx driver assert failed: device / fb.cc
rsx driver assert failed: device / fifo.cc
rsx driver assert failed: device / graph.cc
ctxsw rsx driver timeout! please report
assert failed rsx driver: device / graph
assert failed rsx driver: device / clock
geom clkshader memory clk clk clk display
rsx driver assert failed: device / audio.cc
rsx driver assert failed: object / context
rsx driver assert failed: object / nv
rsx driver assert failed: object / sw
rsx driver assert failed: object / channel.cc
rsx driver assert failed: object / hash
rsx driver assert failed: object / vfb.cc
rsx driver assert failed: object / video
rsx driver failed assert: post / post
rom rsx abort!
rsx memory check failed. errors:
rsx t: post

INITIALISATION

HashTable

object_entry: get_rule_entry_list_head
object_hashtable: get_first_object_entry
object_hashtable: get_next_object_entry
object_hashtable: get_object_entry
object_entry: match_rule_entry
object_hashtable: remove_object_entry
object_entry: add_rule_entry
object_hashtable: add_object_entry
object_hashtable:: initialize
object_entry: get_rule_entry
object_entry: get_rule_entry_list_head:
object_entry: add_rule_entry:
object_hashtable: get_first_object_entry:
object_hashtable: get_object_entry:
object_hashtable:: initialize:
object_hashtable: remove_object_entry:
object_entry
object_hashtable: get_next_object_entry:
object_hashtable: add_object_entry:

REFERENCE TO THE ROM DIRECTORIES

CORE>

device.cc
memory.cc
context.cc

UTILS>

bitmap.cc

OBJECT>

context
context_dma.cc
nv_class.cc
sw_class.cc
channel.cc
hash_table.cc
sw_driver.cc
vfb.cc
video_rsx.cc
nv
sw
channel.cc
hash
vfb.cc
video

POST>
post
DEVICE>

eic.cc
master.cc
fb.cc
fifo.cc
graph.cc
audio.cc

BUS>

ioif0.cc

FLASH DEV

/ dev/sc3
/ dev / flash_num
/ dev/sc0
/ dev / rflash_lx
/ dev/net0
/ dev/rbd0
/ dev / sd_detector
/ dev/sc1
/ dev/hvlog0
/ dev / rflash_lxp
/ dev/cp0
/ dev / rflash
/ dev / eflash
/ dev / flash
/ dev / eflash
/ dev/ioif0

USER TOKEN

user_token m_magic = 0x% x
user_token m_format_version = 0x% x
user_token m_size = 0x% llx
user_token m_capability = 0x% llx
user_token m_expire_date = 0x% llx
user_token m_idps = 0x% 02x
user_token m_attribute
m_type user_token attr = 0x% x
user_token attr = 0x% x m_size
attr user_token m_data
user_token m_digest
user_token_manager decrypt_user_token () decrypt_and_verify format invalid user token () failure = 0x% x get_time ()

failure = 0x% x status = 0x% llx rtc value = status = 0x% llx 0x% llx user token has been expired
user_token_manager encrypt_user_token () sign_and_decrypt () failure = 0x% x
spu_utoken_processor.self
user_token_processor SIGSPUMB caught (not desired)
user_token_processor SIGSTIMEOUT caught (not desired)
user_token_processor SIGSPUERR caught (not desired)
user_token_processor SIGSPUDMA caught (not desired)
user_token_processor SIGSPUMB msg = 0x% x
SIGSPUSTOP_SL received user_token_processor
user_token_processor status = 0x% x
user_token_processor stop_code = 0x% x
SIGSPUSTOP received user_token_processor
user_token_processor read_idps () read size ID0 failure (% d)
user_token_processor read_idps () size =% d EID0
user_token_processor read_idps () malloc failure
user_token_processor read_idps () EID0 read failure (% d)
user_token_processor read_idps () EID0
user_token_processor read_idps () failure (% d)
user_token_processor create_command () failure (% d)
user_token_processor load module () failure
user_token_processor request_loading_spu_module () failure
user_token_processor request_loading_spu_module () success

UPDATE AND FIRMWARE MANAGER

sys0/sys/internal/eurus
Manager:: reset failed eurus
manager:: read firmware invaild jump command: command = 0x% 08x, new current size =% d offset =% d, offset =% d data
manager:: Error: eurus F / W download failed.
manager:: read firmware invaild data: command = 0x% 08x, new current size =% d offset =% d, offset =% d data
manager:: read firmware data:% d, firm offset:% d
manager:: put firmware firmware read fails.
manager:: put firmware ioctl fails% d
Manager:: open firmware can not open file
Manager:: open firmware open file
Manager:: open firmware open file
manager:: on received ioctl
manager:: on received Error: eurus F / W download failed.
manager:: on received firmware downloaded.
manager:: start download get value failed. % d
manager:: start
Manager:: initialize ...
Manager:: initialize could not open the file% s.
Manager:: initialize mac addr = 0x% 016lx
Manager:: initialize ioctl fails% d
Manager:: initialize ... completed.
manager: delete key success
manager: key failed
manager: skip delete
manager: read size error% d! =% d
manager: event =% llu, bus id =% llu, dev id =% llu, port =% lld, dev type =% llx
manager: unknown event type
manager: fatal error. Can not open device file no response from syscon. waiting reply for transaction:
manager: from syscon
manager: to syscon
manager: set source% x LED: p =% x, s =% x result =% d led: b =% x, h =% x result =% d press: timer failed
manager: receive packet from unknown syscon. cmd id:% x timer: invalid state
manager:%% d event smask
manager: read header error
manager: body read error% d byte header: body% d byte:
manager: from syscon event =% x size =% d
manager: fatal error. Can not open device file syscon
manager: wake source:% x Other OS mode: wake source:% x
manager: set source% x->% x I switch: Wake source:% x pages failed: this =% p, area
pages =% d syscon write data: command write failed. shutdown handler invoked
shutdown unknown interrupt% d

timer: expired
timer: set alarm% d us

OS INTEGRITY CHECK

lv0 and lv1 have passed integrity check
Lv0 has been altered. integrity check failure.
lv1 has been altered. integrity check failure

CORE_OS INTEGRITY CHECK

check_core_os_hash () config_manager failure
recover encrypted master key failed
filename =% s, file_loc = 0x% llx, file_size = 0x% llx
verify_util:: SHA-1 hash
0x% x update_manager:: check_core_os_hash ()
in product mode, check is skipped.
update_manager: check_core_os_hash () get_version_and_hash () failure
update_manager: check_core_os_hash () SC not initialized. skipped integrity check.
update_manager: check_core_os_hash () config_manager failure
update_manager: check_core_os_hash () calc hash Lv0 failure (% d)
update_manager: check_core_os_hash () calc hash lv1 failure (% d)
updater_frontend.fself
update_manager:: write
update_manager: swap_bank ()
update_manager: get_package_info (% d)
update_manager: get_secure_product_mode ()
update_manager: get_sc_status (% d)
update_manager: get_secure_product_mode ()
update_manager: set_secure_product_mode (0x% x)
update_manager: set_sc_status (% d)
update_manager: decompress_and_write_target ()
update_manager: write_target ()
update_manager: read_revoke_list (% d)
update_manager: initialize_revoke_list_info (% d)
update_manager: applicable_version_info (% d)
update_manager: check_revoke_list_hash ()
update_manager: check_revoke_list_all ()
update_manager:: set
update_manager:: bank
update_manager:: data
update_manager: calc_os_hash
update_manager: calc_os_hash
update_manager:: force
update_manager: update_package_tophalf ()
update_manager: common_tophalf::
update_manager: inspect_package_tophalf (0x% x,
update_manager: extract_package_tophalf (0x% x,
update_manager: update_package_tophalf (0x% x,
update_manager: update_package_tophalf ()
update_package (% d)
update_manager: set_token ()
update_manager: read_eprom (0x% x)
update_manager: get_token_seed ()
update_manager: inspect_package_bottomhalf ()
update_manager: get_extract_package ()
update_manager:: illegal
update_manager: no
update_manager:: invalid
update_manager:: copy
update_manager: update_package_bottomhalf ()
update_manager: get_fix_instruction ()
update_manager: erase_core_os_standby_bank ()
update_manager: erase_hash_standby_bank (% d)
update_manager: set_debug_support_repository ()
update_manager: init_ss_params_repositories ()
update_manager: set_recover_mode_repository ()
update_manager: init_ss_params_repositories ()
update_manager: set_fself_control_repository ()
update_manager: init_device_type ()
update_manager: set_update_status_repository ()
update_manager: write_eprom (0x% x,
update_manager: set_qa_flag_repository ()
update_manager: init_qa_flag ()
update_manager: do_fix_regions ()
update_status
update_manager: do_fix_trm_regions ()
update_manager:: sc
update_manager: init_for_updater (% d)
update_manager: initialize_revoke_list_info (% d)
update_manager: init_device_type ()
update_token_processor: read_idps ()
update_srh,
update_table_icv,
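As an added illustration of the table-driven check that the `check_core_os_hash` / `calc hash Lv0|lv1` / `verify_util:: SHA-1 hash` strings above describe, and that the offset/SHA-1 list under "Positions of the internal SELFs" suggests: hash each listed region with SHA-1, compare against the stored digests, report which of lv0/lv1 has been altered, and skip the whole check in product mode ("in product mode, check is skipped"). This is example code written for this article, not DemonHades' or Sony's; the region names, offsets, sizes and the image bytes are constructed here.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One hashed region of the image (name/offset/size are constructed here)."""
    name: str
    offset: int
    size: int


# Hypothetical region table; in a real image these would be the SELF
# positions such as the 0x20000 / 0x37000 entries listed in the dump.
REGIONS = [
    Region("lv0", 0x0000, 0x0400),
    Region("lv1", 0x0800, 0x0600),
]


def build_sample_image(length: int = 0x1000) -> bytearray:
    """Constructed stand-in for a CORE_OS RAM copy: deterministic pseudo-random bytes."""
    image = bytearray()
    seed = 0x5EED
    while len(image) < length:
        seed = (seed * 1103515245 + 12345) & 0xFFFFFFFF  # simple LCG, fine for test data
        image.append(seed >> 24)
    return image


def calc_region_hash(image: bytes, region: Region) -> str:
    """SHA-1 over one region (upper-case hex, like the dump); refuse out-of-range regions."""
    end = region.offset + region.size
    if end > len(image):
        raise ValueError(f"{region.name}: region 0x{region.offset:X}+0x{region.size:X} exceeds image")
    return hashlib.sha1(bytes(image[region.offset:end])).hexdigest().upper()


def check_core_os_hash(image: bytes, expected: dict, product_mode: bool = False) -> dict:
    """Return {region: True/False}; an empty dict means the check was skipped (product mode)."""
    if product_mode:
        return {}
    results = {}
    for region in REGIONS:
        actual = calc_region_hash(image, region)
        # constant-time comparison of the stored digest with the freshly computed one
        results[region.name] = hmac.compare_digest(actual, expected[region.name].upper())
    return results


def altered_regions(results: dict) -> list:
    """Names of regions whose hashes differ ('lv0 has been altered. integrity check failure')."""
    return [name for name, ok in results.items() if not ok]


def demo() -> dict:
    pristine = build_sample_image()
    # digests that would have been stored alongside the image at update time
    stored = {r.name: calc_region_hash(pristine, r) for r in REGIONS}

    tampered = bytearray(pristine)
    tampered[0x0123] ^= 0x01  # flip one bit inside lv0 only

    return {
        "pristine": altered_regions(check_core_os_hash(pristine, stored)),
        "tampered": altered_regions(check_core_os_hash(tampered, stored)),
        "product_mode": check_core_os_hash(tampered, stored, product_mode=True),
    }


if __name__ == "__main__":
    print(demo())
```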

Security policy checks

security_policy_manager:: request:
security_policy_manager:: initialize
security_policy_manager:: request:
security_policy_manager:: request:
security_policy_manager: register_rule:
security_policy_manager: load_additional_policy:
security_policy_manager:: initialize
security_policy_manager: load_additional_policy:
security_policy_manager: security_hardware_framework_if: get_random_number

REFERENCES TO CELL_OS

SCE_CELLOS_SS_SPM
SCE_CELLOS_SS_INDI_INFO_EID
SCE_CELLOS_SS_SECURE_RTC
SCE_CELLOS_SYSTEM_MGR
SCE_CELLOS_SYSTEM_MGR_PS2_SW
SCE_CELLOS_SYSTEM_MGR_LINUX
SCE_CELLOS_SYSTEM_MGR_PS2
SCE_CELLOS_SYSTEM_MGR_PS2_GX
SCE_CELLOS_PME

REFERENCES TO LPAR

if: notify lpar shutdown start to BSC
if: notify lpar shutdown start to av set% d
if: notify lpar boot done to BSC
if: notify done to lpar boot AV Set
if: notify lpar done to kill BSC
if: notify shutdown done to lpar AV Set
if: shutdown done to lpar notify BSC
if: notify lpar boot start to BSC
if: boot param from SC eeprom
if: notify lpar boot start to av set% d
if: notify system boot done to BSC
if: notify system boot done to AV Set
if: notify system shutdown start to BSC
if: notify system shutdown start to av set% d
if: notify BSC start to kill lpar
if: shutdown does not activate current lpar refused lpar
if: Killing not activate current lpar refused lpar
event: inter-lpar parameter length =% d size parameter over inter lpar
event: boot parameter% d. param =% lx, st =% d
boot parameter% d. % s privilege not receive unknown response. type =% d failed to send packet to lpar% d
event: to lpar sid =% d, size =% d
event: send inter-lpar parameter: bytes =% d
event: from lpar sid =% d, size =% d
lparmgr: boot failed reason =% d
lparmgr: give up booting% s
lparmgr: initialize default repository failed% d
lparmgr: construct pu failed =% x
lparmgr: boot parameter =% 08x
lparmgr: construct repositories failed
lparmgr: activate logical pu failed% x
lparmgr: boot completed
------------------------------------------
lparmgr:% s partition booting ...
lparmgr: ability =% x
lparmgr: construct logical parition failed% x
lparmgr: allocate memory failed% x
lparmgr: delete key success
lparmgr: key failed
lparmgr: set key success
lparmgr: key failed
lparmgr: setup bd drive ...
lparmgr: load Guest ...
lparmgr: load you image guest failed% d
lparmgr: registering signal handler shutdown failed% x
lparmgr: skip size ata get contents failed. status =% d, prof =% s / file =% s / type =% d
get contents failed. status =% d, prof =% s / file =% s / type =% d cellos memory size =% ldb
lparmgr: construct event port receive failed% x
lparmgr: get lpar size parameter failed. status =% d, prof =% s
lparmgr: get lpar parameter failed. status =% d, prof =% s
lparmgr: lpar unmatch size parameter. buf size =% d, acm size =% d, buf using
lparmgr: shutdown% s partition ...
lparmgr: shutdown% s failed% x
lparmgr: unload guest ... Failed to get info for% s. status =% d
lparmgr: destructing partition ... Failed to destruct partition for% s. result =% d
lparmgr: reset bd drive ... bd drive reset failed% d
lparmgr: kill% s partition ... id =% d
lparmgr: shutdown% s partition ...
lparmgr:% s failed% x
lparmgr: shutdown% s rejected lpar invalid state% d
lparmgr: start shutdown partition. id =% d
lparmgr: send shutdown command to% s
lparmgr: start destructing partition. id =% d
entry: auth drive success
entry: bd drive ready
entry: auth drive time-outed
entry: auth failed drive
/ rmt /% s.dat
/ dev / rflash
/ proc / partitions /% d / mem
LPAR file address space could not be opened ...
mmap failed: errno =% d
entry: copy
size! = file
entry: boot additional data% ld,% d
create node: status =% d error

pci bus power off failed.
power on pci bus failed.

remove node: error status =% d scheduling table entry in table scheduling construct spp file failed% d slot scheduling

looking up table failed% d slot% d: index =% d, name =% s, ts =% dus failed% d slot scheduling

sysmgr.boot.ps2.1st
sysmgr.boot.linux.1st
sysmgr.debug.level
sysmgr: available number of spus for lpar =% d
sysmgr: spu condition info =% p
sysmgr: tb frequency =% d config: total memory size =% d
sysmgr: number of system spus =% d

PS3_LPAR
/ flh/os/lv2_kernel.self
PS2_SW_LPAR
/ local_sys0/ps2emu/ps2_softemu.self
LINUX_LPAR
/ flh / lx / linux

REFERENCES TO THE NEOS SONY CELL OS KERNEL

NEOS kernel for Sony Cell OS bpa BPA Team ../src/Core/common/Thread.cc
Thread::terminate: the thread is inheriting the priority.
Thread::
Thread: The target Thread object is not in dormant state.
a system exception %d, %08x is raised in the exception handling daemon
Thread::releaseTypeFlag: invalid type flag.
Thread::releaseTypeFlag: releasing un-assigned type bit.
Thread::terminate: The target Thread object holds any Mutex locks.
Thread::restart: The target Thread object is not in stopped state.
Thread::start: The target Thread object is not in dormant state.
Thread::start: The target Thread object has not been configured.
Thread::start: The specified RelayPoint is used by another Thread object.
Thread::configure: The target thread object is not in dormant state.
Thread::configure: The target Thread object has been configured with invalid argument.
Thread::configure: The target Thread object has been configured as executing user mode, but not been specified.
Thread::setBasePrioriry: The specified prioriry is not in the proper prioriry range.
Timer::wait: This member function is called when the scheduler is locked.
Timer::setPeriodic: The specified period less than or equals to zero.
Timer::
Timer: deleting a timer while some threads are waiting on the timer.
%p %d.%09d

WeakLock::
WeakLock: The target WeakLock object has been locked by any threads.
WeakLock::lock: The caller thread of this function is holding another WeakLock object.
WeakLock::tryLock: The caller thread of this function is holding another WeakLock object.
WeakLock::lock: This member function is called when the scheduler is locked.
dummy initial thread thread fmt null null There are some threads waiting on a destructing MessageQueue.
/proc/partitions

ERROR>
../src/PMPI/construct logical partition.cc
could not create /proc/partitions/
/proc/partitions/
../src/PMPI/destruct logical partition.cc
namei could not "%s" to inode

/vuart/
../src/PMPI/vuart.cc
proc num =
proc ids =

REFERENCES USB DONGLE

init
if::notify failed failure: init
if::notify ready failed: usb dongle authenticator: authenticator initialize usbdongle: verify responses given response
body=%02x challenge
body= id=%u dongle dongle dongle key error ID revoked. get calc. response
body= usb dongle authenticator::generate challenge hardware security framework
if::get random number sanity check error: r=%d

recover encrypted master key succeeded.
recover encrypted master key failed -> use dummy key.

REFERENCES ATA

set_ata_key success
delete_ata_key failed
delete_ata_key success
set_ata_key
skip ata_key

REFERENCES TO GUEST OS

gosldr: inflateInit: %s
gosldr: read error you ext
gosldr: inflate: %s
gosldr: overflow: %d
gosldr: unknown error
gosldr: inflateEnd: %s
gosldr: found valid gos image
gosldr: mmap failed: errno=%d
gosldr: inflating gos image
gosldr: gos image load complete

load GuestOS
failed guest OS image load
unload GuestOS
pmi_set_guest_os_mode(): already called
pmi_set_guest_os_mode(): wrong gos_mode

OTHER UNDOCUMENTED DATA

physical_console_0
hypervisor_console
_USB_DONGLE_AUTH_USB_DONGLE_
plat.id
CokC12
pme.memory.size
iosneteuruslpar
musize
biboot_datsize
bipurm_addr
bipun
ssparambankos
ssparambankrvkpkg
sslaidp
bipumui
bipurm_size
acpchannelbitmap


Comments (14)


#14 - veggav - 233w ago
I'm not registered at DemonHades' blog but I do speak Portuguese, which is very close to Spanish. I'll translate what does not need registration to see. If someone posts the entire article in Spanish I can do the rest.

For those who have been in our community for a while, you will already know about this study of the hypervisor and bootstrap, but for the new and recently arrived who want to know about the security functions on the PS3, how it protects itself and how it manages the hypervisor (hardware manager), I think reading this list is interesting.

For those who are in our community, they will already know about that study of the hypervisor and the bootstrap, but for the newbies and recently arrived who wish to know about the security functions on the PS3, how it protects itself and how it manages the hypervisor (manager of hardware), I believe reading that list is interesting.

Then I'll need the full text, hope I've helped.

DemonHades

Hi xorloser, great work, my English is bad, sorry.

I have a doubt, when you comment it…

"dumprom – Dumps the system rom to a file in the current directory"

Tell me, the NAND flash OS partition (core_os store) or a full dump like Infectus?

I am studying the EEPROM (syscon) to replace the boot, and using the ARM for writing via the DMA channel to replace on the fly the privilege zone, to use lv1 calls on lpar_ps3 from Unix code (not the lv2 kernel).

xorloser

DemonHades: the system rom is just the small section that the PS3 refers to as the sys.rom, it is not the full flash dump. Also I think the ARM thing you are looking at is just the wifi firmware. Is it from the eurus file?

DemonHades

Thx xorloser, I know the OS zone in the NAND flash stores the core_os, and the ARM is the PS3 BIOS named "CXR713120"; I have a study of how it works and the active flags at init boot.

Factory mode, Restore Resolutions and Recovery mode for example.

The cxr (mullion) is known as SYSCON, and uses a DMA channel to communicate just with the CBE, and Yellowstone "XDR".

I am studying replacing code in the syscon so that, when booting at lpar_ps3, it writes new lv1 calls into the privilege zone of RAM; the syscon has a pulse generator to attack that point... and later, using the new calls and a little shell, run code (using the free PPU and SPU), not using the real kernel (which needs Sony code). The real kernel is limited and needs a Sony signature.

#13 - CJPC - 233w ago
Why does the metldr decrypt the master (root) key? Doesn't it load the root key and decrypt data using it? Is the root key really decrypted (using another key)?

Best regards

It may be lost in translation; more likely that line should have read something along the lines of "this loader is loaded into the isolated SPU, and it is decrypted by the master key".

#12 - oyashio - 233w ago

Description of the Binary

asecure_loader

Better known as METLDR, it is the first loader in the decryption chain; this loader is loaded into the isolated SPU, and it decrypts the master key in order to decrypt the keys of the following loaders (ldr1, lv1, ldr2, LV2)
...
Why does the metldr decrypt the master (root) key? Doesn't it load the root key and decrypt data using it? Is the root key really decrypted (using another key)?

Best regards

#11 - PS3 News - 233w ago
I'm Italian, I cannot translate that, but I will hire my girlfriend (who is Spanish) to translate it properly. Where is the link to find the Spanish article?

It's located at the top of the main article here: [Register or Login to view links]

#10 - sapperlott - 233w ago
Anybody know if it is possible to call these functions using the hardware exploit?

update_manager: get_secure_product_mode ()
update_manager: set_secure_product_mode (0x%x)

If someone figures out where in memory they reside and adds the appropriate HV call, why not? But until then: no.

Not too much there except two things that caught my interest:
- the assumption that metldr == asecure_loader - could somebody with deeper knowledge of the flash contents comment on that?
- the checksums for the SELFs - they seem to be created using xorloser's SelfTool (basefile digest; which actually makes them checksums for the contained ELFs)

Other than that I think that people are obsessing a bit too much over the strings. Yes it's natural to get excited about the only human readable parts in this mess but the strings are not the really interesting nor the relevant parts of the dump. I also don't particularly like how speculation is presented as fact in DemonHades' post - it should be taken with a huge grain of salt.

© 2014 PlayStation 3 News