XorHack v2.0: The Updated PS3 Exploit Toolkit Arrives

Category: PS3 Hacks & JailBreak  By: PS3 News - (xorloser.com)
Tags: xorhack v2.0 updated ps3 exploit ps3 toolkit ps3 hacks hack ps3

165w ago - Today xorloser has updated his XorHack PS3 Exploit Toolkit to XorHack v2.0!

Download: XorHack v2.0: The Updated PS3 Exploit Toolkit

To quote: After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes.

Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line.

Hypervisor Exploit Changes

At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place.

This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.

Kernel Module Changes

In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn't saving the link register, which is not good..

Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to "make it compatible" before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code

Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library Changes

Finally the on outermost level I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size.

If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address.

A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.

Sample Application Changes

As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion.

Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file.

The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the Hypervisor

This reads 0Ã--10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times less syscalls to get the same amount of information as if we used the default 8bit access.

ps3peek 0 -s 0Ã--1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0Ã--20000044024 -d 4

Loading metldr..

Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera...



Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 6 Comments - Go to Forum Thread »

Quick Reply Quick Reply

  • Decrease Size
    Increase Size
  • Wrap [QUOTE] tags around selected text
PS3 News's Avatar
#6 - PS3 News - 158w ago
Reply
Here is an update to xorhack_sc.h from covenant, to quote:
Quote A small update to and probably the last from me for a while as I need to get to grips with IDA now: http://pastebin.com/vszR9TZt

This version is rather verbose as it also contains most of the notes I collected from the ps2dev wiki, as much code as I can put together around the undocumented calls (based on present knowledge - hence IDA) and a number of corrections to typos, mistakes etc. The xorhack tools compile cleanly with this version of xorhack_sc.h on my PS3 (Ubuntu 8.10).

I hope it is of some use.

The code is below as well:

//
// syscalls using xorhack
// since there are many syscalls i have only defined some as i used them.
// you can define your own here by following the approach shown.
//
// if someone wants to add all syscalls and send the completed file back
// to me for the next version of xorhack, that'd be great
//
// xorloser - March 2010
// www.xorloser.com
//
//
// Updated by Disane and covenant tested and corrected by covenant and TitanMKD
// - undocumented functions have not yet been added (current task is reversing undocumented calls from dumps)
// - added some GPU context attribute hypercalls for testing (based on the ps2dev.org wiki information)
// - some of the GPU context attribute operation codes are undocumented
// - we are currently trying to reverse the lv1 and lv2 dumps to find any opcodes that are missing

#ifndef _XORHACK_SC_H_
#define _XORHACK_SC_H_

#include "xorhack.h"

// Comments from Disane:
// All of the functions below this explanation were taken from:
// http://wiki.ps2dev.org/ps3:hypervisor
// There are also some Lv1 functions which are not supported by the current kernel
// but I am not sure if they're functional but addded them anyway.
//
// UNDOCUMENTED CALLS:
// Calls that are not presently documented are only listed if pertinent information about a
// given call exists at the ps2dev wiki. The output from such functions - and their consequential
// structure - assumes that [R3]-[R10] were passed as zero unless otherwise stated.
//
// A little bit of infomation on how the Hypervisor functions are called,
// which registers are used to store the parameters, the return values and
// what kind of return values we can expect from the system.
//
// Hypervisor Parameters:
// The Hypervisor will take up to 8 x 64 bit parameters as input in registers R3 - R10 with the function code passed in R11.
// R3 - parameter 1, R4 - parameter 2, R5 - parameter 3, R6 - parameter 4, R7 - parameter 5, R8 - parameter 6, R9 - parameter 7, R10 - parameter 8, R11 - function code (1-255)
// I surmise that the function code is 8 bits because the maximum documented function code is 255 and is labeled "lv1_panic".
//
// Hypervisor Return Values
// The Hypervisor returns the status of the call in R3 as a 32 bit result.
// Up to 7 x 64 bit results can be returned by the hypervisor system call which are returned in R4 to R10.
// R3 - Call Status (32 bit), R4 - result 1, R5 - result 2, R6 - result 3, R7 - result 4, R8 - result 5, R9 - result 6, R10 - result 7
//
// Hypervisor Function Return Status
// The following Hypervisor function return statuses are defined:
//
// LV1_SUCCESS 0, -1 is not used
// LV1_RESOURCE_SHORTAGE -2
// LV1_NO_PRIVILEGE -3
// LV1_DENIED_BY_POLICY -4
// LV1_ACCESS_VIOLATION -5
// LV1_NO_ENTRY -6
// LV1_DUPLICATE_ENTRY -7
// LV1_TYPE_MISMATCH -8
// LV1_BUSY -9
// LV1_EMPTY -10
// LV1_WRONG_STATE -11
// -12 is not used
// LV1_NO_MATCH -13
// LV1_ALREADY_CONNECTED -14
// LV1_UNSUPPORTED_PARAMETER_VALUE -15
// LV1_CONDITION_NOT_SATISFIED -16
// LV1_ILLEGAL_PARAMETER_VALUE -17
// LV1_BAD_OPTION -18
// LV1_IMPLEMENTATION_LIMITATION -19,
// LV1_NOT_IMPLEMENTED -20
// LV1_INVALID_CLASS_ID -21
// LV1_CONSTRAINT_NOT_SATISFIED -22
// LV1_ALIGNMENT_ERROR -23
// LV1_INTERNAL_ERROR -32768
//
// Data Address Breakpoint Register (DABR)
typedef enum
{
DABR_USER = 1, DABR_KERNEL = 2
}t_dabr;

// Start syscall function definitions hereafter

// Call: 0 result = lv1_allocate_memory( /*IN*/ size, page_size_exp, 0, flags, /*OUT*/ &addr, &muid );
// Name: xorhack_allocate_memory
// Create a memory region in the Hypervisor Virtual Address Space (VAS)
// [R3]size - of the region to allocate (must be a multiple of page_size)
// [R4]page_size_exp - where required page_size = 2 ^ page_size_exp
// [R5]arg2 - unknown (see notes below)
// [R6]flags - (from linux/include/asm-powerpc/lv1call.h)
// bit 63: transferability: TF_NO = 0×00, TF_YES = 0×01
// bit 62: destruction_scheme: DS_NO_CONNECTIONS = 0×00, DS_ANYTIME = 0×02
// bit 61: fail or alternative: FA_FAIL = 0×00, FA_ALTERNATIVE = 0×04
// bit 60: need LPAR address 0: ADDR_ANY = 0×00, ADDR_0 = 0×08
// function unknown
// [R3]Status - 0 = OK, LV1_RESOURCE_SHORTAGE (-2), LV1_NO_ENTRY (-6), LV1_DUPLICATE_ENTRY (-7)
// [R4]addr - LPAR Address of region
// [R6]muid - Unknown, unused by kernel
// Notes:
// page_size_exp takes values of 12 (page_size = 4K) to 21 (page_size = 2M) before LV1_RESOURCE_SHORTAGE (-2) is returned under a fully booted Linux OS.
// Higher values (24, page_size = 16M) can be found in the actual kernel source and can presumably be made before the OS has fully booted.
// page_size_exp values below 12 cause a return status of LV1_ILLEGAL_PARAMETER_VALUE (-17). Input R5 was speculated to be the initialization value for the allocated region,
// but appears not to be the case. Values other than 0 or 1 appear to return a status of LV1_NO_ENTRY (-6),
// though a valid value of page_size_exp appears to be checked first (-17 is returned for invalid values of page_size_exp, regardless of the value of R5).
//
// Allocations with flags = 0×00, 0×01, 0×02, 0×03 and 0×04 were successful though the effects of the flags could not be tested at this point. Allocations with flags >= 0×400 return LV1_ILLEGAL_PARAMETER_VALUE.
// Initial tests allocating memory with flags = 0×08 (ADDR_0, presumably request physical address rather than logical partition address) result in a status of LV1_DUPLICATE_ENTRY (-7).
// his and the previous return value of -6 suggest an association with a database of some kind (repository values or memory maps?).
// It appears that some form of allocation may be taking place as LV1_ILLEGAL_PARAMETER_VALUE and LV1_RESOURCE_SHORTAGE are reported for invalid input parameters, rather than LV1_DUPLICATE_ENTRY.
//
// For all successful allocations so far, output muid (R5) = 1
static inline u64 xorhack_allocate_memory(
u64 allocSize, u64 pageExpSize, u64 arg2, u64 flags, u64* lparAddr, u64* muid)
{
u64 ret;
xorhack_syscall(0,
allocSize, pageExpSize, arg2, flags, 0,0,0,0,
&ret, lparAddr, muid, 0,0,0,0,0);
return ret;
}

// Call: 1 result = lv1_write_htab_entry( /*IN*/ vas_id, slot, va, pa );
// Name: xorhack_write_htab_entry
// Write an entry to the Hash Page Table (HTAB).
// slot - table slot to write entry to
// va - first half of PTE
// pa - second half of PTE, except RPN is replaced with LPAR address
// returns 0 if ok, everything else means failure
static inline u64 xorhack_write_htab_entry(
u64 vas_id, u64 slot, u64 va,u64 pa)
{
u64 ret;
xorhack_syscall(1,
vas_id, slot, va, pa, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call: 2 result = lv1_construct_virtual_address_space( /*IN*/ htab_size, number_of_sizes, page_sizes, /*OUT*/ &vas_id, &act_htab_size );
// Name: xorhack_construct_virtual_address_space
// Construct a PPE Virtual Address Space (VAS)
// htab_size - must be 18, 19 or 20 (256KB, 512KB or 1MB)
// number_of_sizes - How many page sizes are specified in page_sizes
// page_sizes - see notes
// returns 0 if ok, everything else means failure
// vas_id - virtual address space id
// act_htab_size - actual hash table size?
// Notes: Page sizes are specified as the power of two for the desired sizes. Each power of two is stored as an 8 bit field in page_sizes, starting from the MSB.
// The "pages_sizes" parameter is set in "mm.c" using the following function:
//
// page_sizes = make_page_sizes(PAGE_SHIFT_16M, PAGE_SHIFT_64K);
// static unsigned long make_page_sizes(unsigned long a, unsigned long b)
// {
// return (a 0x4c0000640000, 0x4c0000740000, 0x4c0000840000, 0x4c0000940000, 0x4c0000a40000, 0x4c0000b40000
// local_store_phys -> 0x4c0000600000, 0x4c0000700000, 0x4c0000800000, 0x4c0000900000, 0x4c0000a00000, 0x4c0000b00000
// context_addr -> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
// shadow_addr -> 0x30000000d000, 0x30000000f000, 0x300000011000, 0x300000013000, 0x300000015000 0x300000017000
// spe_id -> 11, 15, 19, 23, 27, 31
//
// For each entry, only two separate lpar are allocated by the hypervisor.
// calling lv1_query_logical_partition_address_region_info on priv2_addr, problem_phys, local_store_phys and shadow_addr
// for the first entry returns the following info:
//
// LPAR -> 0x4c0000660000, 0x4c0000640000, 0x4c0000600000, 0x30000000d000
// start_address -> 0x4c0000600000, 0x4c0000600000, 0x4c0000600000, 0x30000000d000
// size -> 524288, 524288, 524288, 4096
// access_right -> 0x3 (RW), 0x3 (RW), 0x3 (RW), 0x1 (RO)
// max_page_size -> 12, 12, 12, 12
// flags -> 0xa000000000000000, 0xa000000000000000, 0xa000000000000000, 0xa000000000000000
// comment -> SPU MMIO lpar, privilege state 2 region (128kB), SPU MMIO lpar, problem state region (128kB), SPU MMIO lpar, local store region (256kB), SPU shadow registers lpar (4kB, read-only)
// From this info we see a single lpar is used for all the SPU MMIO region
// (see figure 5-1 CBE Memory Map of the Cell Broadband Engine Programmig Handbook) and another lpar is used for the SPE registers.
static inline u64 xorhack_construct_logical_spe(
u64 page_shift_0, u64 page_shift_1, u64 page_shift_2, u64 page_shift_3, u64 page_shift_4, u64 vas_id, u64 SPE_TYPE_LOGICAL,
u64* priv2_addr, u64* problem_phys, u64* local_store_phys, u64* context_addr, u64* shadow_addr, u64* spe_id)
{
u64 ret;
xorhack_syscall(57,
page_shift_0, page_shift_1, page_shift_2, page_shift_3, page_shift_4, vas_id, SPE_TYPE_LOGICAL, 0,
&ret, priv2_addr, problem_phys, local_store_phys, context_addr, shadow_addr, spe_id, 0);
return ret;
}

// Call 61 lv1_set_spe_interrupt_mask( /*IN*/ spe_id, class, mask );
// Name: xorhack_set_spe_interrupt_mask
// Set the interrupt mask of a specific spe.
// spe_id - logical spe id
// _class - spe interrupt class
// mask - spe interrupt mask
static inline u64 xorhack_set_spe_interrupt_mask(
u64 spe_id, u64 _class, u64 mask)
{
u64 ret;
xorhack_syscall(61,
spe_id, _class, mask, 0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 62 result = xorhack_call_62( /*IN*/ out_r4);
// Name: xorhack_call_62
// Call 62 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// 0 -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0
static inline u64 xorhack_call_62(
u64 out_r4)
{
u64 ret;
xorhack_syscall(62,
0, 0, 0,0,0,0,0,0,
&ret,0, out_r4,0,0,0,0,0);
return ret;
}

// Call 63 result = xorhack_call_63( /*IN*/ out_r4);
// Name: xorhack_call_62
// Call 62 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// 0 -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0
// Returns documented on FW v1.7. Function removed in FW v3.15
static inline u64 xorhack_call_63(
u64 out_r4)
{
u64 ret;
xorhack_syscall(63,
0, 0, 0,0,0,0,0,0,
&ret,0, out_r4,0,0,0,0,0);
return ret;
}

// Call 64 result = lv1_set_spe_transition_notifier( /*IN*/ p1, p2, p3 );
// Name: xorhack_set_spe_transition_notifier
// Not used in current kernel.
static inline u64 xorhack_set_spe_transition_notifier(
u64 p1, u64 p2, u64 p3)
{
u64 ret;
xorhack_syscall(64,
p1, p2, p3, 0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 65 result = lv1_disable_logical_spe( /*IN*/ spe_id, 0 );
// Name: xorhack_disable_logical_spe
// Disables a logical SPE.
// spe_id - logical spe id
// arg1 - usage unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_disable_logical_spe(
u64 spe_id, u64 arg1)
{
u64 ret;
xorhack_syscall(65,
spe_id, arg1, 0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 66 lv1_clear_spe_interrupt_status( /*IN*/ spe_id, class, stat, 0 );
// Name: xorhack_clear_spe_interrupt_status
// Clear the interrupt status of a specific SPE.
// spe_id - logical SPE ID
// _class - SPE interrupt class
// stat - new interrupt status ?
// arg3 - usage unknown
static inline u64 xorhack_clear_spe_interrupt_status(
u64 spe_id, u64 _class, u64 stat, u64 arg3)
{
u64 ret;
xorhack_syscall(66,
spe_id, _class, stat, arg3, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 67 lv1_get_spe_interrupt_status( /*IN*/ spe_id, class, /*OUT*/ &stat );
// Name: xorhack_get_spe_interrupt_status
// Get the interrupt status of a specific spe.
// spe_id - logical spe id
// class - spe interrupt class
// stat - interrupt status
static inline u64 xorhack_get_spe_interrupt_status(
u64 spe_id, u64 _class, u64* stat)
{
u64 ret;
xorhack_syscall(67,
spe_id, _class, 0,0,0,0,0,0,
&ret, stat,0,0,0,0,0,0);
return ret;
}

// Call 69 status = lv1_get_logical_ppe_id( /*OUT*/ &ppe_id );
// Name: xorhack_get_logical_ppe_id
// Returns the logical PPE id.
// ppe_id - logical PPE ID
// returns 0 if ok, everything else means failure
// When called from kernel module init function, ppe_id always seem to be 1.
static inline u64 xorhack_get_logical_ppe_id(
u64* ppe_id)
{
u64 ret;
xorhack_syscall(69,
0,0,0,0,0,0,0,0,
&ret, ppe_id, 0,0,0,0,0,0);
return ret;
}

// Call 73 result = lv1_set_interrupt_mask( /*IN*/ p1, p2, p3, p4, p5 );
// Name: xorhack_set_interrupt_mask
// Not used in current kernel.
static inline u64 xorhack_set_interrupt_mask(
u64 p1, u64 p2, u64 p3, u64 p4, u64 p5)
{
u64 ret;
xorhack_syscall(73,
p1, p2, p3, p4, p5,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 74 result = lv1_get_logical_partition_id(/*OUT*/ &lp_id );
// Name: xorhack_get_logical_partition_id
// Called during Kernel setup.
// The single output parameter, logical partition ID, is later used as a parameter to call other Hypervisor functions.
// lpar_id - logical partition ID
// returns 0 if ok, everything else means failure
// When called from kernel module init function, lpar_id always seems to be 2.
// The "read_node" function contained in "repository.c" is passed a parameter, lpar_id (logical partition ID).
// If lpar_id is equal to PS3_LPAR_ID_CURRENT (0) then lv1_get_logical_partition_id is called to retrieve the current logical partition ID.
// Any other value for lpar_id is passed directly to the following HV calls, though the only other value in use appears to be PS3_LPAR_ID_PME (1)
static inline u64 xorhack_get_logical_partition_id(
u64* lpar_id)
{
u64 ret;
xorhack_syscall(74,
0,0,0,0,0,0,0,0,
&ret, lpar_id, 0,0,0,0,0,0);
return ret;
}

// Call 75 result = xorhack_call_63( /*IN*/ out_r3);
// Name: xorhack_call_75
// Call 75 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// 0 (LV1_SUCCESS) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_75(
u64 out_r3)
{
u64 ret;
xorhack_syscall(75,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 77 result = lv1_configure_execution_time_variable( /*IN*/ p1 );
// Name: xorhack_configure_execution_time_variable
// Not used in current kernel.
static inline u64 xorhack_configure_execution_time_variable(
u64 p1)
{
u64 ret;
xorhack_syscall(77,
p1, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 78 result = lv1_get_spe_irq_outlet( /*IN*/ spe_id, class, /*OUT*/ &outlet );
// Name: xorhack_get_spe_irq_outlet
// Get an IRQ outlet of a certain class from the specified SPE.
// spe_id - logical SPE ID
// _class - spe interrupt class (0, 1 or 2)
// outlet - IRQ outlet
// returns 0 if ok, everything else means failure
// SPE interrupt class:
// Class Description Examples
// 0 Errors SPE errors, DMA errors, DMA alignment errors
// 1 DMA translation exceptions MFC page faults, segment faults
// 2 Application events SPE stop and signal, DMA completion interrupt, mailbox interrupts
static inline u64 xorhack_get_spe_irq_outlet(
u64 spe_id, u64 _class, u64* outlet)
{
u64 ret;
xorhack_syscall(78,
spe_id, _class, 0,0,0,0,0,0,
&ret, outlet,0,0,0,0,0,0);
return ret;
}

// Call 79 lv1_set_spe_privilege_state_area_1_register( /*IN*/ spe_id, offset, value );
// Name: xorhack_set_spe_privilege_state_area_1_register
// Set a register in SPE privilege area 1.
// spe_id - spe ID
// offset - register offset, 0, 0x600, 0x710, 0x808, 0x820
// value - register value
// From kernel spu.c:
// static void mfc_sr1_set(struct spu *spu, u64 sr1)
// {
// /* Check bits allowed by HV. */
//
// static const u64 allowed = ~(MFC_STATE1_LOCAL_STORAGE_DECODE_MASK
// | MFC_STATE1_PROBLEM_STATE_MASK);
//
// BUG_ON((sr1 & allowed) != (spu_pdata(spu)->cache.sr1 & allowed));
//
// spu_pdata(spu)->cache.sr1 = sr1;
// lv1_set_spe_privilege_state_area_1_register(
// spu_pdata(spu)->spe_id,
// offsetof(struct spu_priv1, mfc_sr1_RW),
// spu_pdata(spu)->cache.sr1);
// }
static inline u64 xorhack_set_spe_privilege_state_area_1_register(
u64 spe_id, u64 offset, u64 value)
{
u64 ret;
xorhack_syscall(79,
spe_id, offset, value, 0,0,0,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 89 result = xorhack_call_89( /*IN*/ out_r3);
// Name: xorhack_call_89
// Call 89 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -6 (LV1_NO_ENTRY) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_89(
u64 out_r3)
{
u64 ret;
xorhack_syscall(89,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 90 status = lv1_create_repository_node(/*IN*/ n1, n2, n3, n4, v1, v2 );
// Name: xorhack_create_repository_node
// The repository appears to be an area of storage for use by the Hypervisor.
// n1 - top level key
// n2 - 2nd level key
// n3 - 3rd level key
// n4 - 4th level key
// v1 - value 1
// v2 - value 2
// returns 0 if ok, everything else means failure
// This call is not used within the current Kernel, so the parameter list is based on speculation.
// See "lv1_get_repository_node_value" for an example of actual key/value usage within the Kernel.
static inline u64 xorhack_create_repository_node(
u64 n1, u64 n2, u64 n3, u64 n4, u64 v1, u64 v2)
{
u64 ret;
xorhack_syscall(90,
n1, n2, n3, n4, v1, v2,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 91 status = lv1_get_repository_node_value(/*IN*/ lpar_id, n1, n2, n3, n4 /*OUT*/ &v1, &v2 );
// Name: xorhack_get_repository_node_value
// The repository appears to be an area of storage for use by the Hypervisor.
// 256-bit keys are used to reference 128-bit values stored in the repository.
// Functions exist to create, get, modify and remove repository nodes.
// The logical partition id is also required as an input parameter to get a repository node value,
// but this parameter does not appear to be passed when creating, modifying or removing nodes.
// There are instances in the Kernel code where the keys are constructed from string values,
// which appear to follow a 4-level key/subkey hierarchy.
// See test results on http://wiki.ps2dev.org/ps3:hypervisor:lv1_get_repository_node_value
// lpar_id - Logical Partition ID
// n1 - top level key
// n2 - 2nd level key
// n3 - 3rd level key
// n4 - 4th level key
// returns 0 if ok, and -6 if LV1_NO_ENTRY
// v1 - value 1
// v2 - value 2
// Test Results

// Calling lv1_get_repository_node_value for the node 'bi.pu.#1.rm_size' produces the following result:
// bi.pu.(1).rm_size - Real mode memory size

// Register Hex value Value Comment
// R3 0000000000000002 (2) PS3_LPAR_ID_CURRENT
// R4 0000000062690000 ....bi.. boot info?
// R5 7075000000000000 pu...... processor unit
// R6 0000000000000001 ........ pu id (1)
// R7 726d5f73697a6500 rm_size. real mode size
// Outputs
// R3 0000000000000000 (0) LV1_SUCCESS
// R4 0000000008000000 (134217728) 128 Mb
// R5 0000000000000000 (0)

// Other nodes referenced in "repository.c":
// lpar_id = PS3_LPAR_ID_CURRENT (0×2)
// Node v1 v2 Comment
// bi.spun.#0.#0 0000000000000006 (6) 0 (0) number of physical spus reserved
// bi.spursvn.#0.#0 0000000000000006 (6) 0 (0) number of spu resource reservations
// bi.spursv.(0..5).#0 8000000000000000 (PS3_SPU_RESOURCE_TYPE_EXCLUSIVE) (0..5) spu resource reservation id value
// bi.boot_dat.address.#0 0000000007fff000 (134213632) 0 (0) boot data address
// bi.boot_dat.size.#0 0000000000000800 (2048) 0 (0) boot data size
// bi.pu.(1).rm_size 0000000008000000 (134217728) 0 (0) real mode limit
// bi.rgntotal.#0.#0 000000000f800000 (260046848) 0 (0) max memory size

// lpar_id = PS3_LPAR_ID_PME (0×1)
// Node v1 v2 Comment
// ben.#0.#0.#0 0000000000000001 (1) 0000000000000000 (0) Unused - in function "ps3_repository_read_num_be"
// be(0).#0.#0.#0 0000000000000000 (0) 0000000000000000 (0) be node id (used to retrieve clock freq)
// be.(0).clock.#0 0000000004c1a6c0 (79800000) 0000000000000000 (0) decrementer frequency (3.2 Ghz / 40)

// Another nodes:
// lpar_id = PS3_LPAR_ID_PME (0×1) - FW 3.15 PAL 60GB PS3, First Generation (Fat)
// Node v1 v2 Comment
// sys.flash.fmt.#0 00000000000001 (1) 00000000000000 (0) Flash format ?
// sys.hw.config.#0 20000000fffffeff 00000000000000 (0) 0×20000000000000 mask + something
// sys.flash.ext.#0 000000000000ff (255) 00000000000000 (0) -
// plat.id.#0.#0 436f6b4231300000 (ASCII'CokB10') 00000000000000 (0) Platform ID
// sys.ac.sd.#0 00000000000000 (0) 00000000000000 (0) -
// sys.flash.boot.#0 00000000000000 (0) 00000000000000 (0) -
// be.0.lpm.priv 00000000000002 (2) 00000000780101 (7864577)-
// rsx.rdcy.1.#0 ffff0d020a02ffff 00000000000000 (0) -
// rsx.rdcy.2.#0 ffffffffffffffff 00000000000000 (0) -
// rsx.rdcy.3.#0 00000000000000 (0) 00000000000000 (0) -
// rsx.rdcy.4.#0 00000000000000 (0) 00000000000000 (0) -
// rsx.rdcy.5.#0 00000000000000 (0) 00000000000000 (0) -
// rsx.rdcy.6.#0 00000000000000 (0) 00000000000000 (0) -
// rsx.rdcy.7.#0 00000000000000 (0) 00000000000000 (0) -
// rsx.rdcy.8.#0 00000000000000 (0) 00000000000000 (0) -
// mu.1.size.#0 00000010000000 (268435456) 00000000000000 (0) -
// be.0.tb_clk.#0 00000004c1a6c0 (79800000) 00000000000000 (0) -
// be.0.nclk.#0 000000be420e00 (3192000000) 00000000000000 (0) -
// ios.net.eurus.lpar 00000000000000 (0) 00000000000000 (0) -
// sys.syscon.pversion.#0 00000000000001 (1) 00000000000000 (0) -
// sys.param.load.rom1st 00000000000001 (1) 00000000000000 (0) -
// lv1.maxplgid.#0.#0 00000000000100 (256) 00000000000000 (0) -
// lv1.specver.#0.#0 00000300010005 00000000000000 (0) Matches firmware 3.1.5
// lv1.buildid.#0.#0 00000000000000 (0) 00000000000000 (0) -
// lv1.ts.size.#0 00000000000000 (0) 00000000000000 (0) -
// lv1.ts.start.#0 00000010000000 (268435456) 00000000000000 (0) -
static inline u64 xorhack_get_repository_node_value(
u64 lpar_id, u64 n1, u64 n2, u64 n3, u64 n4, u64* v1, u64* v2)
{
u64 ret;
xorhack_syscall(91,
lpar_id, n1, n2, n3, n4, 0,0,0,
&ret, v1, v2, 0,0,0,0,0);
return ret;
}

// Call 92 status = lv1_modify_repository_node_value(/*IN*/ n1, n2, n3, n4, v1, v2 );
// Name: xorhack_modify_repository_node_value
// The repository appears to be an area of storage for use by the Hypervisor.
// n1 - top level key
// n2 - 2nd level key
// n3 - 3rd level key
// n4 - 4th level key
// v1 - value 1
// v2 - value 2
// returns 0 if ok, everything else means failure
// This call is not used within the current Kernel, so the parameter list is based on speculation !!!
static inline u64 xorhack_modify_repository_node_value(
u64 n1, u64 n2, u64 n3, u64 n4, u64 v1, u64 v2 )
{
u64 ret;
xorhack_syscall(92,
n1, n2, n3, n4, v1, v2,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 93 status = lv1_remove_repository_node( /*IN*/ n1, n2, n3, n4 );
// Name: xorhack_remove_repository_node
// The repository appears to be an area of storage for use by the Hypervisor.
// n1 - top level key
// n2 - 2nd level key
// n3 - 3rd level key
// n4 - 4th level key
// returns 0 if ok, everything else means failure
// This call is not used within the current Kernel, so the parameter list is based on speculation !!!
static inline u64 xorhack_remove_repository_node(
u64 n1, u64 n2, u64 n3, u64 n4)
{
u64 ret;
xorhack_syscall(93,
n1, n2, n3, n4, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 95: result = lv1_read_htab_entries( /*IN*/ p1, p2, /*OUT*/ &v1, &v2, &v3, &v4, &v5 );
// Name: xorhack_read_htab_entries
// Not used in current kernel.
// Notes: offset is 64-bit indexed. r4-r7 seem to be right from the htab. r8 is 16-bit indexed reading from something 0xFFFB is max offset
// v1, v2, v3, v4, v5 are unknown :-/
static inline u64 xorhack_read_htab_entries(
u64 vas_id, u64 offset, u64* v1, u64* v2, u64* v3, u64* v4, u64* v5)
{
u64 ret;
xorhack_syscall(95,
vas_id, offset, 0,0,0,0,0,0,
&ret, v1, v2, v3, v4, v5, 0,0);
return ret;
}

// Call 96 result = lv1_set_dabr( /*IN*/ dabr, DABR_KERNEL | DABR_USER);
// Name: xorhack_set_dabr
// Sets dabr (data address breakpoint register) - an exception should be thrown upon access to data at this address (range?)
// dabr - data address
// (DABR_KERNEL | DABR_USER) - DABR_KERNEL and DABR_USER are defined on top of "xorhack_sc.h" (this header) (in setup.c in kernel)
static inline u64 xorhack_set_dabr(t_dabr dabr)
{
u64 ret;
xorhack_syscall(96,
dabr, (DABR_KERNEL | DABR_USER), 0,0,0,0,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 97 result = lv1_set_vmx_graphics_mode( mode );
// Name: xorhack_set_vmx_graphics_mode
// Set the Single Precision mode of the vmx graphics units in the PPU
// mode - 0 = IEEE 754-1985 SIMD rounding mode for VMX/Altivec Instructions
// mode - 1 = SPE-compatible SIMD graphics-rounding mode for VMX/Altivec Instructions
// returns the following result: 0 = LV1_SUCCESS, -17 = LV1_ILLEGAL_PARAMETER_VALUE
// This is a call to set the single precision rounding mode of the VMX units in the Cell PPUs.
// The AltiVec/VMX SIMD/Vector processing unit has 2 rounding modes for dealing with Single-precision floating-point.
// IEEE 754-1985 and SPE-compatible SIMD graphics-rounding mode.
// The Cell Broadband Engine Programming Handbook has this to say on the subject:
// The first implementation of the Cell Broadband Engine Architecture (CBEA) (the CBE processor) supports instructions
// with a graphics rounding mode. This mode allows programs written with vector/SIMD multimedia extension instructions
// to produce floating-point results that are equivalent in precision to those written in the SPU instruction set.
// In this mode, as in the SPU environment, the default rounding mode is round to zero, denormals are treated as zero,
// and there are no infinities or NaNs. To change this mode, bit 12 in the HID1 register (known as grap_md or grap_mode
// in various documents). HID1 is a HV privileged resource, hence to change the mode from Supervisor mode requires a HV call.
// Reference Documents: Cell Broadband Engine Programming Handbook V1.1 Cell Broadband Engine Registers V1.5
// Tests: When recompiled into Kernel module init function, accepts values of 0 and 1 for p1. All other values return -17
// (LV1_ILLEGAL_PARAMETER_VALUE)
static inline u64 xorhack_set_vmx_graphics_mode(u64 mode)
{
u64 ret;
xorhack_syscall(97,
mode, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 98 result = lv1_set_thread_switch_control_register( /*IN*/ p1 );
// Name: xorhack_set_thread_switch_control_register
// Present in kboot; not used in current kernel.
// p1 - Unknown
static inline u64 xorhack_set_thread_switch_control_register(
u64 p1)
{
u64 ret;
xorhack_syscall(98,
p1, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 99 result = xorhack_call_99( /*IN*/ out_r3);
// Name: xorhack_call_99
// Call 99 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_99(
u64 out_r3)
{
u64 ret;
xorhack_syscall(99,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 102 result = xorhack_call_102( /*IN*/ out_r3);
// Name: xorhack_call_102
// Call 102 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// 0 (LV1_SUCCESS) 692F5D1E7h 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_102(
u64 out_r3)
{
u64 ret;
xorhack_syscall(102,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}
// Call 103 result = lv1_get_total_execution_time( /*IN*/ p1, p2, /*OUT*/ &v1 );
// Name: xorhack_get_total_execution_time
// Not used in current kernel.
// I always get LV1_NOT_IMPLEMENTED
static inline u64 xorhack_get_total_execution_time(
u64 p1, u64 p2, u64* v1)
{
u64 ret;
xorhack_syscall(103, p1, p2,0,0,0,0,0,0,
&ret, v1,0,0,0,0,0,0);
return ret;
}

// Call 105 result = xorhack_call_105( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_105
// Call 105 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -17 (LV1_ILLEGAL_PARAMETER_VALUE) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// Does not currently compile
// static inline u64 xorhack_call_105(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(105,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 106 result = xorhack_call_106( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_106
// Call 106 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -17 (LV1_ILLEGAL_PARAMETER_VALUE) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// Does not currently compile
// static inline u64 xorhack_call_106(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(106,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 107 result = xorhack_call_107( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_107
// Call 107 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -17 (LV1_ILLEGAL_PARAMETER_VALUE) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// Does not currently compile
// static inline u64 xorhack_call_107(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(107,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 108 result = xorhack_call_108( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_108
// Call 108 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -17 (LV1_ILLEGAL_PARAMETER_VALUE) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// Does not currently compile
// static inline u64 xorhack_call_108(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(108,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 109 result = xorhack_call_109( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_109
// Call 109 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -17 (LV1_ILLEGAL_PARAMETER_VALUE) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// Does not currently compile
// static inline u64 xorhack_call_109(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(109,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 110 result = xorhack_call_110( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_110
// Call 110 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -6 (LV1_NO_ENTRY) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// static inline u64 xorhack_call_110(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(110,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 111 result = xorhack_call_111( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_111
// Call 111 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -6 (LV1_NO_ENTRY) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// static inline u64 xorhack_call_111(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(111,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 112 result = xorhack_call_112( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_112
// Call 112 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -6 (LV1_NO_ENTRY) 0 0 C000000000537EF8h F09B89AF5001h 6C0061D8E190h C0000000008DF718h F09B89AF5001h
// Returns documented on FW v1.7.
// static inline u64 xorhack_call_112(
// u64 out_r3, u64 out_r4, u64 out_r5, u64 out_r6, u64 out_r7, u64 out_r8, u64 out_r9, u64 out_r10)
// {
// u64 ret;
// xorhack_syscall(112,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// return ret;
// }

// Call 114 result = xorhack_call_114( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_114
// Call 114 is presently undocummented
// R3
// -17 (LV1_ILLEGAL_PARAMETER_VALUE)
// Returns documented on FW v1.7.
// static inline u64 xorhack_call_114(u64 out_r3)
// {
// u64 ret;
// xorhack_syscall(114,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, 0, 0, 0, 0, 0, 0, 0);
// return ret;
// }

// Call 115 result = xorhack_call_115( /*IN*/ out_r3, out_r4, out_r5, out_r6, out_r7, out_r8, out_r9, out_r10);
// Name: xorhack_call_115
// Call 115 is presently undocummented
// R3
// -8 (LV1_TYPE_MISMATCH)
// Returns documented on FW v1.7.
// static inline u64 xorhack_call_115(u64 out_r3)
// {
// u64 ret;
// xorhack_syscall(115,
// 0,0,0,0,0,0,0,0,
// &ret, out_r3, 0, 0, 0, 0, 0, 0, 0);
// return ret;
// }

// Call 116 result = lv1_allocate_io_segment( /*IN*/ ioas_id, segment_size, io_page_size, /*OUT*/ &ioif_addr );
// Name: xorhack_allocate_io_segment
// Allocates an io segment.
// ioas_id - io address space id
// segment_size - io segment size
// io_page_size - io page size, 0xC, 0×10, 0×14
// returns 0 if ok, everything else means failure
// ioif_addr - io interface address
// Code taken from kboot-10\dl\linux-2.6.16\sound\powerpc\snd_ps3pf.c (kboot-20061208)
//
// ret64 = lv1_allocate_io_segment(0, /* io space */
// IO_SEGMENTSIZE, /* segment size */
// IO_PAGESIZE_SHIFT, /* io page size */
// &(ioif_map_info_array[current_segment].ioif_addr));
static inline u64 xorhack_allocate_io_segment(
u64 ioas_id, u64 segment_size, u64 io_page_size, u64* ioif_addr )
{
u64 ret;
xorhack_syscall(116,
ioas_id, segment_size, io_page_size, 0,0,0,0,0,
&ret, ioif_addr, 0,0,0,0,0,0);
return ret;
}

// Call 117 result = lv1_release_io_segment( /*IN*/ ioas_id, ioif_addr );
// Name: xorhack_release_io_segment
// Releases an io segment.
// ioas_id - io address space id
// ioif_addr - io interface address
// returns 0 if ok, everything else means failure
// Code taken from kboot-10\dl\linux-2.6.16\sound\powerpc\snd_ps3pf.c (kboot-20061208)
//
// ret64 = lv1_release_io_segment(0, /* io space */
// ioif_map_info_array[current_segment].ioif_addr);
static inline u64 xorhack_release_io_segment(
u64 ioas_id, u64 ioif_addr)
{
u64 ret;
xorhack_syscall(117,
ioas_id, ioif_addr,0,0,0,0,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 118 result = lv1_allocate_ioid( /*IN*/ p1, /*OUT*/ &v1 );
// Name: xorhack_allocate_ioid
// Present in kboot; not used in current kernel.
static inline u64 xorhack_allocate_ioid(
u64 SBZ, u64* ioid)
{
u64 ret;
xorhack_syscall(118,
SBZ, 0,0,0,0,0,0,0,
&ret, ioid,0,0,0,0,0,0);
return ret;
}

//Call 119 result = lv1_release_ioid( /*IN*/ p1, p2 );
// Name: xorhack_release_ioid
// Present in kboot; not used in current kernel.
static inline u64 xorhack_release_ioid(
u64 p1, u64 p2)
{
u64 ret;
xorhack_syscall(119,
p1, p2,0,0,0,0,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 120 result = lv1_construct_io_irq_outlet( /*IN*/ interrupt_id, /*OUT*/ &outlet );
// Name: xorhack_construct_io_irq_outlet
// Construct an outlet for a non-virtualized device interrupt.
// interrupt_id - interrupt id
// returns 0 if ok, everything else means failure
// outlet - interrupt outlet
static inline u64 xorhack_construct_io_irq_outlet(
u64 interrupt_id, u64* outlet )
{
u64 ret;
xorhack_syscall(120,
interrupt_id, 0,0,0,0,0,0,0,
&ret, outlet,0,0,0,0,0,0);
return ret;
}

// Call 121 result = lv1_destruct_io_irq_outlet( /*IN*/ outlet );
// Name: xorhack_destruct_io_irq_outlet
// Destruct a previously constructed device interrupt outlet.
// outlet - interrupt outlet
// returns 0 if ok, everything else means failure
static inline u64 xorhack_destruct_io_irq_outlet(
u64 outlet)
{
u64 ret;
xorhack_syscall(121,
outlet, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 122 result = lv1_map_htab( /*IN*/ 0, /*OUT*/ &htab_addr );
// Name: xorhack_map_htab
// Maps the hash page table (HTAB).
// lpar_id - Logical Partition (LPAR) ID bus_id, p->bus_pci_bus, p->bus_pci_dev, p->bus_pci_func,(uint64_t)offset, size, &data);
static inline u64 xorhack_read_pci_config(
u64 bus_id, u64 pci_bus_id, u64 dev_id, u64 func_id, u64 offset, u64 size, u64* config_data)
{
u64 ret;
xorhack_syscall(178,
bus_id, pci_bus_id, dev_id, func_id, offset, size, 0,0,
&ret, config_data,0,0,0,0,0,0);
return ret;
}

// Call 179 result = lv1_write_pci_config( /*IN*/ bus_id, pci_bus_id, dev_id, func_id, offset, size, config_data );
// Name: xorhack_write_pci_config
// Write external PCI config. PS3tool only?
// bus_id - ps3 bus id
// pci_bus_id - pci bus id
// dev_id - pci device id
// func_id - pci function
// offset - offset to store data within config_data
// size - size of config_data
// config_data - pci config data
// returns 0 if ok, everything else means failure
// Notes: status = lv1_write_pci_config(p->bus_id, p->bus_pci_bus, p->bus_pci_dev, p->bus_pci_func, (uint64_t)offset, size, (uint64_t)val);
// if(status) { /* lv1_write_pci_config can't write reg from 0x10 to 0x3f */}
static inline u64 xorhack_write_pci_config(
u64 bus_id, u64 pci_bus_id, u64 dev_id, u64 func_id, u64 offset, u64 size, u64 config_data )
{
u64 ret;
xorhack_syscall(179,
bus_id, pci_bus_id, dev_id, func_id, offset, size, config_data, 0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 180 result = lv1_read_pci_io( /*IN*/ p1, p2, p3, p4, /*OUT*/ &v1 );
// Name: xorhack_read_pci_io
// Present in kboot; not used in current kernel.
static inline u64 xorhack_read_pci_io(
u64 arg0, u64 arg1, u64 arg2, u64 arg3, u64* arg4 )
{
u64 ret;
xorhack_syscall(180,
arg0, arg1, arg2, arg3, 0,0,0,0,
&ret, arg4,0,0,0,0,0,0);
return ret;
}

// Call 181 result = lv1_write_pci_io( /*IN*/ p1, p2, p3, p4, p5 );
// Name: xorhack_write_pci_io
// Present in kboot; not used in current kernel.
static inline u64 xorhack_write_pci_io(
u64 arg0, u64 arg1, u64 arg2, u64 arg3, u64 arg4 )
{
u64 ret;
xorhack_syscall(181,
arg0, arg1, arg2, arg3, arg4, 0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 182
// Name: xorhack_call_182
// Call 182 is presently undocummented
// Call 182 has not yet been probed
// Call 182 appears in a FW 3.1.5 HV dump

// Call 183
// Name: xorhack_call_183
// Call 183 is presently undocummented
// Call 183 has not yet been probed
// Call 183 appears in a FW 3.1.5 HV dump
// Call 183 may be associated with freeing/allocating memory (source: ps2dev wiki)

// Call 185 result = lv1_net_add_multicast_address( /*IN*/ bus_id, dev_id, addr, flag );
// Name: xorhack_net_add_multicast_address
// Add multicast address to the specified network device.
// bus_id - bus id
// dev_id - device id
// addr - see notes
// flag - see notes
// returns 0 if ok, everything else means failure
// Notes: From "gelic_net.c", addr can also take special values of 0 and GELIC_NET_BROADCAST_ADDR (0xffffffff)
// and flag is assigned values of 0 and 1.
static inline u64 xorhack_net_add_multicast_address(
u64 bus_id, u64 dev_id, u64 addr, u64 flag)
{
u64 ret;
xorhack_syscall(185,
bus_id, dev_id, addr, flag, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 186 result = lv1_net_remove_multicast_address( /*IN*/ bus_id, dev_id, 0, 1 );
// Name: xorhack_net_remove_multicast_address
// Remove multicast address on the specified network device.
// bus_id - bus id
// dev_id - device id
// arg2, arg3 are unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_remove_multicast_address(
u64 bus_id, u64 dev_id, u64 arg2, u64 arg3 )
{
u64 ret;
xorhack_syscall(186,
bus_id, dev_id, arg2, arg3, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 187 result = lv1_net_start_tx_dma( /*IN*/ bus_id, dev_id, bus_addr, 0 );
// Name: xorhack_net_start_tx_dma
// Start DMA transmit on the specified network device.
// bus_id - bus id
// dev_id - device id
// bus_addr - dma address?
// arg3 is unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_start_tx_dma(
u64 bus_id, u64 dev_id, u64 bus_addr, u64 arg3)
{
u64 ret;
xorhack_syscall(187,
bus_id, dev_id, bus_addr, arg3, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 188 result = lv1_net_stop_tx_dma( /*IN*/ bus_id, dev_id, 0 );
// Name: xorhack_enable_net_stop_tx_dma
// Stop DMA transmit on the specified network device.
// bus_id - bus id
// dev_id - device id
// arg2 - unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_enable_net_stop_tx_dma(
u64 bus_id, u64 dev_id, u64 arg2)
{
u64 ret;
xorhack_syscall(188,
bus_id, dev_id, arg2, 0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 189 result = lv1_net_start_rx_dma( /*IN*/ bus_id, dev_id, bus_addr, 0 );
// Name: xorhack_net_start_rx_dma
// Start DMA receive on the specified network device.
// bus_id - bus id
// dev_id - device id
// bus_addr - dma address?
// arg3 - unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_start_rx_dma(
u64 bus_id, u64 dev_id, u64 bus_addr, u64 arg3)
{
u64 ret;
xorhack_syscall(189,
bus_id, dev_id, bus_addr, arg3, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// 190 result = lv1_net_stop_rx_dma( /*IN*/ bus_id, dev_id, 0 );
// Name: xorhack_net_stop_rx_dma
// Stop DMA receive on the specified network device.
// bus_id - bus id
// dev_id - device id
// arg2 - unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_stop_rx_dma(
u64 bus_id, u64 dev_id, u64 arg2)
{
u64 ret;
xorhack_syscall(190,
bus_id, dev_id, arg2, 0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 191 result = lv1_net_set_interrupt_status_indicator( /*IN*/ bus_id, dev_id, irq_status_addr, 0 );
// Name: xorhack_net_set_interrupt_status_indicator
// Set the interrupt status indicator for the specified network device.
// bus_id - bus id
// dev_id - device id
// irq_status_addr - lpar address of the irq status indicator
// arg3 - unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_set_interrupt_status_indicator(
u64 bus_id, u64 dev_id, u64 irq_status_addr, u64 arg3)
{
u64 ret;
xorhack_syscall(191,
bus_id, dev_id, irq_status_addr, arg3,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 193 result = lv1_net_set_interrupt_mask( /*IN*/ bus_id, dev_id, mask, 0 );
// Name: xorhack_net_set_interrupt_mask
// Sets the interrupt mask for specified network device.
// bus_id - bus id
// dev_id - device id
// mask - interrupt mask
// arg3 - unknown
// returns 0 if ok, everything else means failure
static inline u64 xorhack_net_set_interrupt_mask(
u64 bus_id, u64 dev_id, u64 mask, u64 arg3)
{
u64 ret;
xorhack_syscall(193,
bus_id, dev_id, mask, arg3,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 194 result = lv1_net_control( /*IN*/ bus_id, dev_id, p1, p2, p3, p4, /*OUT*/ &v1, &v2 );
// Name: xorhack_net_control
// Send a control command to the specified network device.
// bus_id - bus id
// dev_id - device id
// p1,p2,p3,p4 are command dependent input parameter
// returns 0 if ok, everything else means failure
// v1,v2 are command dependent input parameter
// p1 -> GELIC_NET_GET_ETH_PORT_STATUS, GELIC_NET_GET_MAC_ADDRESS, GELIC_NET_GET_VLAN_ID
// p2 -> GELIC_NET_PORT, 0, 1..GELIC_NET_VLAN_MAX
// p3 -> 0, 0, 0,
// p4 -> 0, 0, 0,
// v1 -> GELIC_NET_LINK_UP | GELIC_NET_FULL_DUPLEX | GELIC_NET_SPEED_10 | GELIC_NET_SPEED_100 | GELIC_NET_SPEED_1000, MAC address, vlan_id,
// v2 -> unused ?
static inline u64 xorhack_net_control(
u64 bus_id, u64 dev_id, u64 p1, u64 p2, u64 p3, u64 p4, u64* v1, u64* v2)
{
u64 ret;
xorhack_syscall(194,
bus_id, dev_id, p1, p2, p3, p4, 0,0,
&ret, v1, v2, 0,0,0,0,0);
return ret;
}

// Call 195 result = xorhack_call_195( /*IN*/ out_r3);
// Name: xorhack_call_195
// Call 195 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 -3 (LV1_NO_PRIVILEGE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_195(
u64 out_r3)
{
u64 ret;
xorhack_syscall(195,
0,0,0,0,0,0,0,0,
&ret,out_r3,0,0,0,0,0,0);
return ret;
}

// Call 196 result = xorhack_call_196( /*IN*/ out_r3);
// Name: xorhack_call_196
// Call 196 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 -3 (LV1_NO_PRIVILEGE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_196(
u64 out_r3)
{
u64 ret;
xorhack_syscall(196,
0,0,0,0,0,0,0,0,
&ret,out_r3,0,0,0,0,0,0);
return ret;
}

// Call 197 result = lv1_connect_interrupt_event_receive_port( /*IN*/ bus_id, dev_id, outlet, interrupt_id );
// Name: xorhack_connect_interrupt_event_receive_port
// Assign a virtual interrupt to a system bus device.
// bus_id - bus id
// dev_id - device id
// outlet - interrupt outlet
// interrupt_id - interrupt id
// returns 0 if ok, everything else means failure
static inline u64 xorhack_connect_interrupt_event_receive_port(
u64 bus_id, u64 dev_id, u64 outlet, u64 interrupt_id)
{
u64 ret;
xorhack_syscall(197,
bus_id, dev_id, outlet, interrupt_id, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 198 result = lv1_disconnect_interrupt_event_receive_port( /*IN*/ bus_id, dev_id, outlet, interrupt_id );
// Name: xorhack_disconnect_interrupt_event_receive_port
// Disconnect a virtual interrupt from a system bus device.
// bus_id - bus id
// dev_id - device id
// outlet - interrupt outlet
// interrupt_id - interrupt id
// returns 0 if ok, everything else means failure
static inline u64 xorhack_disconnect_interrupt_event_receive_port(
u64 bus_id, u64 dev_id, u64 outlet, u64 interrupt_id)
{
u64 ret;
xorhack_syscall(198,
bus_id, dev_id, outlet, interrupt_id, 0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 199 result = lv1_get_spe_all_interrupt_statuses( /*IN*/ p1, /*OUT*/ &v1 );
// Name: xorhack_get_spe_all_interrupt_statuses
// Not in current kernel
// ps2dev wiki HV: result = lv1_get_spe_all_interrupt_statuses( /*IN*/ p1, /*OUT*/ &v1 );
// Inputs
// Register Description
// R3 p1 - Unknown
// Outputs
// Register Description
// R3 Status?
// R4 v1 - unknown
// PS3 40GB FW 3.15 Ubuntu 8.10 2.5.25-2; SX28-based exploit
// Passing any value (0-256) on R3 input always returns zero for R3.
// covenant 2010
static inline u64 xorhack_get_spe_all_interrupt_statuses( u64 p1, u64* v1 )
{
u64 ret;
xorhack_syscall(199,
p1, 0,0,0,0,0,0,0,
&ret, v1, 0,0,0,0,0,0);
return ret;
}

// Call 200 result = xorhack_call_200( /*IN*/ out_r3);
// Name: xorhack_call_200
// Call 200 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0 0
static inline u64 xorhack_call_200(
u64 out_r3)
{
u64 ret;
xorhack_syscall(200,
0, 0, 0,0,0,0,0,0,
&ret,out_r3,0,0,0,0,0,0);
return ret;
}

// Call 201 result = xorhack_call_201( /*IN*/ out_r3);
// Name: xorhack_call_201
// Call 201 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0 0
static inline u64 xorhack_call_201(
u64 out_r3)
{
u64 ret;
xorhack_syscall(201,
0, 0, 0,0,0,0,0,0,
&ret,out_r3,0,0,0,0,0,0);
return ret;
}

// Call 202 result = lv1_deconfigure_virtual_uart_irq();
// Name: xorhack_deconfigure_virtual_uart_irq
// Deconfigure the VUART IRQ.
// returns 0 if ok, everything else means failure
static inline u64 xorhack_deconfigure_virtual_uart_irq()
{
u64 ret;
xorhack_syscall(202,
0,0,0,0,0,0,0,0,
&ret,0,0,0,0,0,0,0);
return ret;
}

// Call 207 status = lv1_enable_logical_spe( /*IN*/ spe_id, resource_id );
// Name: xorhack_enable_logical_spe
// Enables a logical SPE.
// spe_id - logical SPE ID
// resource_id - spe resource ID (prevously retrieved from Kernel repository)
// returns 0 if ok, everything else means failure
static inline u64 xorhack_enable_logical_spe(
u64 spe_id, u64 resource_id)
{
u64 ret;
xorhack_syscall(207,
spe_id, resource_id, 0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 209 result = xorhack_call_209( /*IN*/ out_r3);
// Name: xorhack_call_209
// Call 231'ping google.com' is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -4 (LV1_DENIED_BY_POLICY) 0 0 0 0 0 0 0
static inline u64 xorhack_call_209(
u64 out_r3)
{
u64 ret;
xorhack_syscall(209,
0, 0, 0,0,0,0,0,0,
&ret,out_r3,0,0,0,0,0,0);
return ret;
}

// Call 210 status = lv1_gpu_open( /*IN*/ p1 );
// Name: xorhack_gpu_open
// Open the GPU. Call lv1_gpu_close to close the GPU.
// p1 - Unknown, Kernel only ever passes 0, though other randomly chosen values seem to succeed.
// status: 0 = LV1_SUCCESS, -6 = LV1_NO_ENTRY
// Notes: When called from Kernel module init function, if GPU is already open, subsequent calls to
// lv1_gpu_open return LV1_NO_ENTRY (-6). Closing the GPU and re-opening succeeds.
static inline u64 xorhack_gpu_open(u64 p1)
{
u64 ret;
xorhack_syscall(210,
p1, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 211 status = lv1_gpu_close();
// Name: xorhack_gpu_close
// Closes the GPU. Must be called once for every call to lv1_gpu_open
// returns 0 if ok, everything else means failure
static inline u64 xorhack_gpu_close()
{
u64 ret;
xorhack_syscall(211,
0,0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 212 result = lv1_gpu_device_map( /*IN*/ dev_id, /*OUT*/ &lpar_addr, &lpar_size );
// Name: xorhack_gpu_device_map
// Map a device into logical address space. Address needs to be ioremapped before use.
// dev_id - device id (see notes)
// returns 0 if ok, everything else means failure
// lpar_addr - logical partition address of device block
// lpar_size - size of device block
// Notes: Info taken from kboot-10\dl\linux-2.6.16\sound\powerpc\snd_ps3pf.c (kboot-20061208)
// where the audio front-end registers are mapped into memory. Two calls to lv1_gpu_device_map
// are performed, the first when dev_id = 1, to obtain the audio interrupt (Audio IRQ Outlet)
// and a second time when dev_id = 2 to obtain a mapping of the register block (Audio Registers).
// lpar_addr is a virtual address, created by the Hypervisor. Multiple calls to lv1_gpu_device_map
// with the same dev_id return successfully, but the lpar_address returned for each is different
// (if there have been no intermediary lv1_gpu_device_unmap calls). These various virtual
// lpar_addr values all alias the same physical location in memory.
//
// for test results and mm_dumps visit: http://wiki.ps2dev.org/ps3:hypervisor:lv1_gpu_device_map

// lv1_gpu_device_map
// dev_id result lpar_addr lpar_size Comment
// 0 ffffffffffffffef 98d2f7d44da1ceae 0100000000000000 result = LV1_ILLEGAL_PARAMETER_VALUE
// 1 0000000000000000 0000300000022000 0000000000001000 Audio IRQ Outlet (map1_dump)
// 2 0000000000000000 00003c0000128000 0000000000008000 Audio_Registers (map2_dump)
// 3 0000000000000000 0000300000026000 0000000000001000 ??? - Any attempt to dereference this lpar_addr locks up the PS3
// 4 ffffffffffffffef 0000300000026000 0000000000001000 result = LV1_ILLEGAL_PARAMETER_VALUE
// 5 0000000000000000 0000300000028000 0000000000001000 ??? - (map5_dump)
// 6 0000000000000000 0000300000029000 0000000000001000 ??? - (map6_dump)
// 7 0000000000000000 00003000002A0000 0000000000010000 ??? - (map7_dump)
// 8 0000000000000000 000030000002B000 0000000000001000 video RAM at offset 0x0ff10000- (map8_dump)
// 9-255 -20 ??? ??? result = LV1_NOT_IMPLEMENTED
//
// Devices 1 & 2: dev_id 1 gives a location used to process IRQ's from the audio and dev_id 2 gives
// the base address of the Audio Hardware registers.
// From published Sony documents (http://www.watch.impress.co.jp/game/docs/20060329/3dps303.htm),
// Audio is believed to be on the RSX, this call seems to confirm that. Access to the audio
// after this mapping call (it would appear) bypasses the Hypervisor and occurs directly on the
// RSX hardware. 3,5,6,7,8 are currently unknown. Presumably 0 and 4 are otherwise valid parameters
// blocked by the Hypervisor for OtherOS (ie, they may function for Games) otherwise I would have
// expected a return result of -20 for them. So rather than just being a bridge for audio into
// HDMI, it is for all audio.
// Also interesting is that the GPU version number returned by lv1_gpu_context_allocate appears
// at address 0×10 in the device 1 dump, though this of course may be complete coincidence.
// Device 7: dev_id 7 appears to be a video device. It is not possible to map the entire reported
// memory space (0×10000), only areas 0×0000 to 0x0fff and 0×2000 to 0x2fff (discovered via laborious
// trial and error testing, mapping other areas causes the PS3 to hang without warning). In both
// mappable areas, the current screen resolution can be seen at locations 0×200 and 0×210.
// Changes to the ps3 video mode (e.g. using the ps3videomode utility) can be observed in the mapped
// areas, but modifying the values directly does not affect the screen resolution. Although both areas
// contain different values, there appear to be parts in common, as changing the values at 0×200 and
// 0×210 directly in one area also causes the same values in the other area to change.
// Given the screen resolution connection, it could be possible that this device is a mapping of the
// GPU display heads: - Out of 16Kb, only two areas are mappable (= number of accessible display heads)
// - Mappable areas are 2Kb apart ? 8 total display heads (= size of display heads array returned by lv1_gpu_context_allocate)
// Device 8: dev_id 8 appears to be a mapping of video RAM at offset 0x0ff10000. This region of video
// memory is referenced by RSX DMA objects but its purpose is unknown.
static inline u64 xorhack_gpu_device_map(
u64 dev_id, u64* lpar_addr, u64* lpar_size)
{
u64 ret;
xorhack_syscall(212,
dev_id, 0,0,0,0,0,0,0,
&ret, lpar_addr, lpar_size,0,0,0,0,0);
return ret;
}

// Call 213 lv1_gpu_device_unmap( /*IN*/ dev_id );
// Name: xorhack_gpu_device_unmap
// Map a device into logical address space. Address needs to be ioremapped before use.
// dev_id - device id (see lv1_gpu_device_map)
static inline u64 xorhack_gpu_device_unmap(u64 dev_id)
{
u64 ret;
xorhack_syscall(213,
dev_id, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 214 status = lv1_gpu_memory_allocate(ddr_size, 0, 0, 0, 0, &memory_handle, &ddr_lpar);
// Name: xorhack_gpu_memory_allocate
// Allocate GPU memory.
// ddr_size - amount of DDR to reserve? (see notes)
// arg1 - Unknown. Max value 512*1024.
// arg2 - Unknown. Max value 3075*1024.
// arg3 - Unknown. Max value 15.
// arg4 - Unknown. Max value 8.
// status: 0 = LV1_SUCCESS, -17 = LV1_ILLEGAL_PARAMETER_VALUE
// memory_handle - used by lv1_gpu_context_allocate and lv1_gpu_memory_free??
// ddr_lpar - remappable address of allocated video memory, unused by Kernel.
// Notes: ddr_size accepts values (0..252) * 2^20 - values not divisible by 2^20 (1 MB) and above the range result in a return value of -17 (LV1_ILLEGAL_PARAMETER_VALUE). [Verified by Strontium Dog on an AU PS3 V1.5 firmware]
// Bits 52-63 of ddr_size seem to be ignored or correspond to flags. The lower bits correspond to the amount of allocated video RAM.
// lv1_gpu_context_allocate using the returned memory_handle will create a RSX DMA object handle 0xfeed0000 corresponding to the region of allocated memory.
// Multiple calls to lv1_gpu_memory_allocate with non-zero ddr_size will change the start of this region. The DMA object limit is set to ddr_size - 1.
// Before FW 2.1, a ddr_size of 0 was accepted, in which case a DMA object starting at zero and of limit 0xffffffff was created. Note that in this case,
// the start of this region is always zero even if previous calls to lv1_gpu_memory_allocate with non-zero ddr_size were performed. As of FW 2.1 and above, a zero ddr_size is not accepted anymore.
//
// Parameters r4-r7 are unknown. Maximum values for these parameters are respectively 512kB, 3075kB, 15 and 8. They refer to shared scarce resources, as allocations are retained across multiple calls to lv1_gpu_memory_allocate.
// When attached to a context during lv1_gpu_context_allocate, the values of these parameters are reported in the lpar_driver_info structure of the context.
// Cell separates multiple OS into Logical Partitions (lpar) described at http://research.scea.com/research/html/CellGDC05/13.html.
// PS3 GPU memory is referred to as DDR (or GDDR) whereas system memory is XDR. 256 MB of each are installed in PS3 though only XDR is currently available for use by OtherOS.
// To make use of the allocated DDR ddr_lpar needs to be transformed into a usable address using: ddr_address = ioremap_flags(ddr_lpar, ddr_size, _PAGE_NO_CACHE);
// Be aware that the memory that holds the physical GPU frame buffer is not allocated by the Kernel, just used. So on the first call to this, some or all of the memory you request (depending on now much you request)
// may be actually used as the frame buffer. You will know this, because your writes to memory will mysteriously disappear up to 20ms after you perform them. Note that direct access to video ram is very slow (~10MB/s).
//
// Test Results:
// R3: 0x000000000fc00000, 264241152(dec), 252 MB
// R4, R5, R6, R7: 0x0000000000000000, 0(dec)
// Outputs:
// R3: 0x0000000000000000, 0(dec), LV1_SUCCESS
// R4: 0x000000005a5a5a5b, (...), memory handle
// R5: 0x00007001a0000000, (...), ddr logical partition address
static inline u64 xorhack_gpu_memory_allocate(
u64 ddr_size, u64 arg1, u64 arg2, u64 arg3, u64 arg4, u64* memory_handle, u64* ddr_lpar)
{
u64 ret;
xorhack_syscall(214,
ddr_size, arg1, arg2, arg3, arg4, 0,0,0,
&ret, memory_handle, ddr_lpar, 0,0,0,0,0);
return ret;
}

// Call 216 status = lv1_gpu_memory_free(ps3fb.memory_handle);
// Name: xorhack_gpu_memory_free
// Free memory handle returned by lv1_gpu_memory_allocate.
// Must be called to dispose of the handle returned by lv1_gpu_memory_allocate.
// Memory handle returned by lv1_gpu_memory_allocate
// returns 0 if ok, everything else means failure
static inline u64 xorhack_gpu_memory_free(
u64 memory_handle)
{
u64 ret;
xorhack_syscall(216,
memory_handle, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}
// Call 217
//status = lv1_gpu_context_allocate(ps3fb.memory_handle, 0,
// &ps3fb.context_handle,
// &lpar_dma_control, &lpar_driver_info,
// &lpar_reports, &lpar_reports_size);
//
// status = lv1_gpu_context_allocate(memory_handle, 0,
// &channel_hv_handle,
// &lpar_channel_control,
// &lpar_channel_info,
// &lpar_channel_reports,
// &channel_reports_size);
// Name: xorhack_gpu_context_allocate
// Creates a Channel to the GPU through the Hypervisor at max 8 which seems to being accordance with the nv47 specs
// (What we used to belive) Allocate a GPU Context, that is used by many other lv1_gpu_* calls.
// When finished with the context_handle, free it by using lv1_gpu_context_free
// memory_handle - Memory Handle obtained by lv1_gpu_memory_allocate
// flag - Flags (see below)
// returns 0 if ok, everything else means failure
// context_handle = handle to the allocated context
// lpar_dma_control = the address of the channels FIFO control registers, (unused by Kernel in ps3fb)
// lpar_driver_info = the address of a driver information structure (see below this structure holds gpu object handles)
// lpar_reports = the address of the DMA notifiers, (unused by Kernel in ps3fb.)
// lpar_reports_size = the size of the lpar_reports area (see below)
//
// lpar_driver_info is a Physical Address of a structure on the other side of the Hypervisor. The Kernel uses ioremap to make the physical address accessible by the Kernel. Eg:
// ps3fb.dinfo = ioremap(lpar_driver_info, 128 * 1024);
// By creating several channels and comparing data it is revealed that several of these regs are mapped individually in the hv this example is from a 2.50+ ps3
//
// Registers -> lpar_channel_control, lpar_channel_info, lpar_channel_reports,
// lpar_addr -> 0×440000220000, 0x4000000f0000, 0×480000410000,
// size -> unknown, unknown, 10000,
// comments -> next channel control starts at a offset of 0×1000 4KB from this, next channel info starts at a offset of 0×4000 16KB from this, next channel report starts at offset 0×10000 64KB from this
//
// 128KB of memory is iomap'd in this way, although the data is given the structure: gpu_driver_info which is much smaller than 128KB. For each call of lv1_gpu_context_allocate,
// a new gpu_driver_info is allocated at offset 0×4000 from the previous one.
// This make a total of 8 possible contexts for 128KB, corresponding to the hardware context switching capabilities of the RSX. However, the Kernel only uses one context, so it does not explain why it maps 128KB.
// lpar_dma_control is the Physical Address of the FIFO control registers. The FIFO is located in system RAM and used to send commands to the RSX. These registers control the pointers of the RSX in the FIFO.
// lpar_reports is the Physical Address of the DMA notification zone available to report completion of RSX commands. The lpar_reports_size indicates the size of the lpar_reports structure.
// The second parameters is not used by the kernel, but is supposed to contain flags. The following values change the behaviour of the call, other values are unknown:
//
// Flag: Description:
// 0x04, create DMA objects 0xfeed0003 (class 0×02) and 0xfeed0004 (class 0x3D) targetting video RAM at offset 0×04000000 size 0×1000
// 0x08, create DMA objects 0×13378080 (class 0×02) and 0×13378086 (class 0x3D) targetting system RAM at address 0x8f03f000 (1st context), 0x9f03f000 (2nd context) size 0×1000
// ~0x20, Most values mixed with this bit generates a 0xbad68000 at offset 0×78 in info
//
// For Driver Info Structure visit: http://wiki.ps2dev.org/ps3:hypervisor:lv1_gpu_context_allocate
static inline u64 xorhack_gpu_context_allocate(
u64 memory_handle, u64 flag, u64* context_handle, u64* lpar_dma_control, u64* lpar_driver_info, u64* lpar_reports, u64* lpar_reports_size)
{
u64 ret;
xorhack_syscall(217,
memory_handle, flag,0,0,0,0,0,0,
&ret, context_handle, lpar_dma_control, lpar_driver_info, lpar_reports, lpar_reports_size,0,0);
return ret;
}

// Call 218 status = lv1_gpu_context_free(ps3fb.context_handle);
// Name: xorhack_gpu_context_free
// Free the GPU Context allocated by lv1_gpu_context_allocate
// context_handle - The value returned in R4 by the matching lv1_gpu_context_allocate
// returns 0 if ok, everything else means failure
// Don't use the context_handle after this call, it is highly unlikely to remain valid.
static inline u64 xorhack_gpu_context_free(
u64 context_handle)
{
u64 ret;
xorhack_syscall(218,
context_handle, 0,0,0,0,0,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 221
// status = lv1_gpu_context_iomap(ps3fb.context_handle, GPU_IOIF,
// xdr_lpar, ps3fb_videomemory.size, 0);
// Name: xorhack_gpu_context_iomap
// Map system RAM address to GPU through the Cell FlexIO interface
// context_handle as allocated by lv1_gpu_context_allocate
// GPU_IOIF = 0x0d000000UL - GPU address where the system RAM virtual framebuffer is remapped
// xdr_lpar - lpar version of the physical address of the virtual frame buffer in local memory. (Note: the lpar version = the physical address in the PS3)
// size = The size of the virtual frame buffer
// IOPTE_flag - bitfield describing protection, coherency and ordering of the I/O mapping.
// Any combination of 0 or 2^{11 (cache hint),59 (read ordering),60 (write ordering),61 (coherency),62 (read protection) ,63 (write protection)} seems valid
// Status - 0 = OK, LV1_TYPE_MISMATCH (-8) if R5 set to a DDR lpar address, LV1_ILLEGAL_PARAMETER_VALUE (-17) if any other bit set in R7 than described above
//
// This function creates a mapping in GPU address space so that the RSX can access system RAM. The Kernel uses it to associate the virtual framebuffer residing in system RAM to the GPU,
// so that so that transfers can be initiated by the RSX from the system RAM to the video RAM using the lv1_gpu_context_attribute:fb_blit() call.
//
// Comments:
// It was previously suspected that GPU_IOIF was the address of GPU MMIO registers. However GPU_IOIF is a GPU address, not a lpar address, and therefore has no meaning on the Linux side,
// and cannot be directly mapped from the Linux address space. Reserving the memory block (using request_mem_region) and mapping (using ioremap) results in a block of memory that is used by Linux
// (nothing resembling IO registers was observed whilst single frame stepping a gfx demo). [was: As you've previously discovered that the top of RAM is 0x0e00 0000, GPU_IOIF here is 16Mb below that.
// That's typically the size of the a graphics card PCI IO region on a PC, so given the name, I'd strongly suggest it's not GPU memory that's being mapped but the GPU IO registers.
// Although why this address range would overlap with RAM is a mystery.]
// GPU_IOIF was successfully set to other values (0×00000000, 0×02000000, 0×04000000) with Linux booting and displaying correctly. A value of 0x0f000000 causes the PS3 to hang (need to retest 0x0e0000000)
// Although it looks like GPU_IOIF would overlap video RAM, the RSX differentiates between the two by associating different DMA objects to the source and destination of the blit.
// The source is associated with DMA object handle 0xfeed0001 which targets system memory, while the destination is associated with DMA object handle 0xfeed0000 which targets video memory.
// This has been observed by analysing the FIFO commands sent to the GPU by the hypervisor during the lv1_gpu_context_attribute:fb_setup() and lv1_gpu_context_attribute:fb_blit() calls.
// It seems a call to lv1_gpu_context_iomap(handle, bus_addr, xdr_lpar, size, flags) is equivalent to a series of call to lv1_put_iopte:
//
// int i;
// int context_number; /* derived from handle, 1st allocated context 0, 2nd allocated context 1, etc... */
// for (i = 0; i < size; i += 1024 * 1024)
// {
// lv1_put_iopte(0, /* IO ASID */
// ((0x08ULL + context_number) = 2.1 and used in recent Linux kernel (called with 0,0,0,0) to undo fb_setup. Not a Valid operation on older firmware. 0×210694
// No Entry 0×0604-0x0FFF Not a valid operation, returns LV1_NO_ENTRY (-6)
// context_handle - as allocated by lv1_gpu_context_allocate
// operation_code - The code of the operation to perform.
// (arg3 - arg6) - Parameter(s) to the operation
// returns 0 if ok, everything else means failure
// for operation codes visit: http://wiki.ps2dev.org/ps3:hypervisor:lv1_gpu_context_attribute
static inline u64 xorhack_gpu_context_attribute( u64 context_handle, u64 operation_code,
u64 arg2, u64 arg3, u64 arg4, u64 arg5 )
{
u64 ret;
xorhack_syscall(225,
context_handle, operation_code, arg2, arg3, arg4, arg5,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

/*
* some gpu context attributes to play with
* These are specific operations of the generic operation lv1_gpu_context_attribute(...);
*/

// Call 225 status = lv1_gpu_context_attribute(0x0,L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_MODE_SET,
// 0, 0, 1, 0);
// Name: xorhack_gpu_context_attribute_display_mode_set
// Sets up the display mode
// 0x0 - ps3fb.context_handle as allocated by lv1_gpu_context_allocate theoretically.
// The Kernel actually passes 0 for this operation, so it must not be required.
// 0x100 - operation_code, L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_MODE_SET
// (arg0 - arg2) are unknown
// head - 0 = Head A (Unfitted to the Retail PS3), 1 = Head B the active head on the PS3.
// returns 0 if ok, everything else means failure
static inline u64 xorhack_gpu_context_attribute_display_mode_set( u64 arg0, u64 arg1, u64 head, u64 arg3)
{
u64 ret;
xorhack_syscall(225,
0x0, 0x100, arg0, arg1, head, arg3,0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 225 status = lv1_gpu_context_attribute(0x0,L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_SYNC,
// head, L1GPU_DISPLAY_SYNC_VSYNC, 0, 0);
// Name: xorhack_gpu_context_attribute_display_sync
// Sets up some sort of Display Sync attribute mode.
// 0x0 - ps3fb.context_handle as allocated by lv1_gpu_context_allocate theoretically.
// The Kernel actually passes 0 for this operation, so it must not be required.
// 0x101 - operation_code, L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_SYNC
// head - 0 = Head A (Unfitted to the PC), 1 = Head B the active head on the PS3.
// sync_type - L1GPU_DISPLAY_SYNC_VSYNC = Enable VSync?
// Possibly also L1GPU_DISPLAY_SYNC_HSYNC = Enable HSync?
// (arg2-arg3) are unknown and they seem unused
// returns 0 if ok, everything else means failure
static inline u64 xorhack_gpu_context_attribute_display_sync( u64 head, u64 sync_type, u64 arg2, u64 arg3)
{
u64 ret;
xorhack_syscall(225,
0x0, 0x101, head , sync_type, arg2, arg3, 0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 225 status = lv1_gpu_context_attribute(ps3fb.context_handle,
// L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_FLIP,
// head, offset, 0, 0);
// Name: xorhack_gpu_context_attribute_display_flip
// Sets the start of the current video page in video memory.
// context_handle - as allocated by lv1_gpu_context_allocate theoretically.
// 0x102 - operation_code, L1GPU_CONTEXT_ATTRIBUTE_DISPLAY_FLIP
// head - 0 = Head A (Unfitted to the PS3), 1 = Head B the active head on the PS3.
// offset - Offset from start of video memory to set as active displayed memory.
// returns 0 if ok, everything else means failure
static inline u64 xorhack_gpu_context_attribute_display_flip( u64 context_handle, u64 head, u64 offset, u64 arg3, u64 arg4)
{
u64 ret;
xorhack_syscall(225,
context_handle, 0x102, head, offset, arg3, arg4, 0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 225 status = lv1_gpu_context_attribute(ps3fb.context_handle,
// L1GPU_CONTEXT_ATTRIBUTE_FB_SETUP,
// xdr_lpar, ps3fb_videomemory.size,
// GPU_IOIF, 0);
// Name: xorhack_gpu_context_attribute_fb_setup
// Set the start of the current video page in video memory.
// context_handle - as allocated by lv1_gpu_context_allocate theoretically.
// 0x600 - operation_code, L1GPU_CONTEXT_ATTRIBUTE_FB_SETUP
// xdr_lpar - Address of command FIFO
// size - Size of command FIFO, ps3fb_videomemory.size
// GPU_IOIF = 0x0d000000UL. - GPU address of command FIFO
// (was: I dont know what this address is. Maybe its the address of the frame buffers in Video memory???)
// arg4 - Unknown, seems unused.
// returns 0 if ok, everything else means failure
//
/* Part of patch to move FIFO from start of video memory to end:
status = lv1_gpu_context_attribute(ps3fb.context_handle,
L1GPU_CONTEXT_ATTRIBUTE_FB_SETUP,
xdr_lpar, ps3fb_videomemory.size,
GPU_IOIF, 0);
* or you can give the following args:
status = lv1_gpu_context_attribute(ps3fb.context_handle,
L1GPU_CONTEXT_ATTRIBUTE_FB_SETUP,
xdr_lpar + ps3fb.xdr_size,
GPU_CMD_BUF_SIZE,
GPU_IOIF + ps3fb.xdr_size, 0);
* The memory map used to look like:
* xdr_lpar -> FIFO region
* xdr_lpar + ??? -> Not used
* xdr_lpar + ps3fb_videomemory.size - 2 * frame size -> Frame 2
* xdr_lpar + ps3fb_videomemory.size - frame size -> Frame 1
* xdr_lpar + ps3fb_videomemory.size -> END
*
* The memory map of ps3fb now looks like this:
* xdr_lpar -> Frame 1
* xdr_lpar + FB_OFF(1) -> Frame 2
* xdr_lpar + FB_OFF(2) -> Not Used
* xdr_lpar + ps3fb_videomemory.size - GPU_CMD_BUF_SIZE -> FIFO region
* xdr_lpar + ps3fb_videomemory.size -> END
*
* The FIFO section of the memory range is now not mapped into Linux's address space.
* So, from that change we can see that R5 and R7 are moved by the size of the xdr_size
* (videomemory_size-GPU_CMD_BUF_SIZE) so both refer to the FIFO buffer in different addressing schemes
* (probably physical memory address and LPAR address)
*
* More discussion on this is at http://forums.ps2dev.org/viewtopic.php?t=8364
*/
static inline u64 xorhack_gpu_context_attribute_fb_setup( u64 context_handle, u64 xdr_lpar, u64 size, u64 GPU_IOIF, u64 arg4)
{
u64 ret;
xorhack_syscall(225,
context_handle, 0x600, xdr_lpar, size, GPU_IOIF, arg4, 0,0,
&ret, 0,0,0,0,0,0,0);
return ret;
}

// Call 225 status = lv1_gpu_context_attribute(ps3fb.context_handle,
// L1GPU_CONTEXT_ATTRIBUTE_FB_BLIT,
// offset, fb_ioif,
// L1GPU_FB_BLIT_WAIT_FOR_COMPLETION |
// (xres 0x01, 0x23,
static inline u64 xorhack_storage_send_device_command(
u64 dev_id, u64 cmd_id, u64 cmd_block, u64 cmd_size, u64 data_buffer, u64 blocks, u64* lv1_tag)
{
u64 ret;
xorhack_syscall(248,
dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks, 0,0,
&ret, lv1_tag,0,0,0,0,0,0);
return ret;
}

// Call 249 result = lv1_storage_get_async_status( /*IN*/ dev_id, /*OUT*/ &lv1_tag, &lv1_status );
// Name: xorhack_storage_get_async_status
// Get status of asynchronous storage operations for the specified device?
// dev_id - device id
// returns 0 if ok, everything else means failure
// lv1_tag - tag to identify operation?
// lv1_status - 0 = OK, else error
static inline u64 xorhack_storage_get_async_status(
u64 dev_id, u64* lv1_tag, u64* lv1_status)
{
u64 ret;
xorhack_syscall(249,
dev_id, 0,0,0,0,0,0,0,
&ret, lv1_tag, lv1_status,0,0,0,0,0);
return ret;
}

// Call 250 result = xorhack_call_250( /*IN*/ out_r3);
// Name: xorhack_call_250
// Call 250 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -11 (LV1_WRONG_STATE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_250(
u64 out_r3)
{
u64 ret;
xorhack_syscall(250,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 251 result = xorhack_call_251( /*IN*/ out_r3);
// Name: xorhack_call_251
// Call 244 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -11 (LV1_WRONG_STATE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_251(
u64 out_r3)
{
u64 ret;
xorhack_syscall(251,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 252 result = xorhack_call_252( /*IN*/ out_r3);
// Name: xorhack_call_252
// Call 252 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -11 (LV1_WRONG_STATE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_252(
u64 out_r3)
{
u64 ret;
xorhack_syscall(252,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 253 result = xorhack_call_253( /*IN*/ out_r3);
// Name: xorhack_call_253
// Call 253 is presently undocummented
// R3 R4 R5 R6 R7 R8 R9 R10
// -11 (LV1_WRONG_STATE) 0 0 0 0 0 0 0
// Returns documented on FW v1.7.
static inline u64 xorhack_call_253(
u64 out_r3)
{
u64 ret;
xorhack_syscall(253,
0,0,0,0,0,0,0,0,
&ret, out_r3,0,0,0,0,0,0);
return ret;
}

// Call 254 result = lv1_storage_check_async_status( /*IN*/ dev_id, lv1_tag, /*OUT*/ &lv1_status );
// Name: xorhack_storage_check_async_status
// Check status of an asynchronous storage operation on the specified device.
// dev_id - device id
// lv1_tag - tag to identify operation?
// returns 0 if ok, everything else means failure
// lv1_status - 0 = OK, else error
static inline u64 xorhack_storage_check_async_status(
u64 dev_id, u64 lv1_tag, u64* lv1_status)
{
u64 ret;
xorhack_syscall(254,
dev_id, lv1_tag, 0,0,0,0,0,0,
&ret, lv1_status, 0,0,0,0,0,0);
return ret;
}

// Call 254 lv1_panic( /*IN*/ reboot );
// Name: xorhack_panic
// Panic, causes the OtherOS to be halted.
// reboot: 0 = power off, 1 = reboot after panic
// It is not expected that this call returns, so no Outputs.
// Notes: This hypervisor call causes the PS3 to shutdown immediately, without performing any cleanup or callbacks.
// Remember to sync filesystems before calling this function! It seems that any non-zero value in R3 causes a reboot
// after panic, rather than just 1. The code in the kernel does all manner of things to actually reboot, including
// sending vuart messages to some other process running in a different LPAR. I haven't investigated enough to see exactly
// what it does, but calling lv1_panic(0) from my code in the hypervisor causes a panic with the red light flashing until
// the power button is pressed whereas the kernel's shutdown code doesn't.
static inline u64 xorhack_panic(u64 reboot)
{
// does not return anything
xorhack_syscall(255,
reboot, 0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0);
}

#endif // _XORHACK_SC_H_

proskopina's Avatar
#5 - proskopina - 164w ago
Reply
yes it looks like really a breakthrough... I was following the progress of hacking psp from beginning, of course I used many of the mods and hack on my psp, and it looks similar. I think its a big step.

vandalj's Avatar
#4 - vandalj - 165w ago
Reply
Originally Posted by IuMb View Post
Quote I have a question, can you make the custom soundtrack work for ALL games with the hack? that would be great!

As stated above, this hack tool is explicitly for exploring the PS3's innards with the hardware exploit.

sapperlott's Avatar
#3 - sapperlott - 165w ago
Reply
Originally Posted by IuMb View Post
Quote I have a question, can you make the custom soundtrack work for ALL games with the hack? that would be great!
No. Neither that nor playing pirated games. Right now you can't do anything with the hack an end user would benefit from - it's strictly a hacker / developer toy.

IuMb's Avatar
#2 - IuMb - 165w ago
Reply
I have a question, can you make the custom soundtrack work for ALL games with the hack? that would be great!

Page 1 of 2 12LAST »

Related PS3 News and PS3 CFW Hacks or JailBreak Articles

PSPMinis / PS3Minis / Bite v1.5.1 Update for PS3 is Now Released
PS3 Fan Control Utility v1.7 for PS3 CFW CEX 3.41 to 4.41 Arrives
PSPMinis / PS3Minis / Bite v1.5 for PS3 with PSP Homebrew Support
PS3 Fan Control Utility v1.6 for PS3 CFW CEX 3.41 to 4.40 Arrives
OpenSCETool (OSCETool) v0.9.2 By SpacemanSpiff for PS3 is Released
PUAD GUI v1.5 - PS3 PUP Unpacker, Repacker and Decrypter Out
Affiliates  NewsNow  Privacy  PS3 CFW & MFW  PS3 Hacks & JailBreak  PS3 Reviews  PS3 Videos  © 2013 PlayStation 3 News

PlayStation 3 Links

Contact Us E-Mail
PS3 Affiliates
PS3 CFW & MFW
PS3 Debug Firmware
PS3 Decrypted PSN Links for CFW
PS3 Downloads
PS3 EBOOT.BIN Original File Links
PS3 Firmware
PS3 Game Releases List
PS3 Guides & Tutorials
PS3 Hacking Guides and Tutorials
PS3 Hacks & JailBreak
PS3 Help & Support
PS3 JailBreak Game Compatibility List
PS3 JB2 / True Blue (TB) Game Links
PS3 multiMAN Updates
PS3 News Forums
PS3 News Site FAQ
PS3 News Site Advertising FAQ
PS3 News Site Posting FAQ
PS3 News Site Privacy FAQ
PS3 News Site Rules
PS3 News Site Tag Cloud
PS3 News Site Terms
PS3 Resources
PS3 Reviews
PS3 Save Files Repository
PS3 Themes
PS3 Trophies List
PS3 Videos
PS Vita Trophies List

PlayStation 3 News Discussions
PS3 Fan Control Utility v0.3 for 4.31 and 4.40 CFW CEX is Released - 13m ago

JJYP666's Avatar
Quote Great app! Hopefully I'll dodge YLoD on my 60GB using this. Just one thing though, I can't figure out how to edit and install custom Payload settings....
By JJYP666 with
 17 Comments »
Cfw - mfw - ofw ? - 2h ago

magnusri's Avatar
Quote CFW: Custom Firmware (made by third parties) MFW: Modified Firmware (not completely custom, but modified OFW. Lighter than the CFW) OFW: Original Firm...
By magnusri with
 1 Comment »
PS3 Fan Control Utility v0.3 for 4.31 and 4.40 CFW CEX is Released - 3h ago

goncalodoom's Avatar
Quote My PS3 YLOD when exiting this app,With iris manager its fine btw im using rebug 4.41...
By goncalodoom with
 17 Comments »
Cfw - mfw - ofw ? - 4h ago

Ultimabstract's Avatar
Quote Hi guys, I am overwhelmed and confused. Please be patient with me for a minute: - What is CFW, MFW, OFW...etc? (any tutorial for newbies) - I wan...
By Ultimabstract with
 1 Comment »

Latest PlayStation 3 Trophies
 PixelJunk Monsters : Encore : Zero Carat
 PixelJunk Monsters : Encore : Wishing Well
 PixelJunk Monsters : Encore : Scrooge's Return
 PixelJunk Monsters : Encore : Black Flag

Latest PlayStation Vita Trophies
 Jacob Jones and the Bigfoot Mystery : Low Notes
 Jacob Jones and the Bigfoot Mystery : Unjammed
 Jacob Jones and the Bigfoot Mystery : Low Roller
 Jacob Jones and the Bigfoot Mystery : Quick Packer

Latest PlayStation 3 Releases
Muvluv Alternative Total Eclipse JPN PS3-HR - 05-17-2013
Skate 2 EUR PS3-Googlecus - 05-16-2013
The Walking Dead A Telltale Games Series PS3-COLLATERAL - 05-15-2013
The Cube PS3-ANTiDOTE - 05-14-2013

Latest PlayStation 3 Themes
 Wolverine Origins PS3 Theme - 05-11-2013
 Heavy Rain (Official) Dynamic PS3 Theme - 05-09-2013
 Wipeout HD Fury Dynamic PS3 Theme - 05-06-2013
 Batman Arkham City Dynamic PS3 Theme - 05-04-2013