Editing Boot Order

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:Software]]
== Boot Sequence ==
== Boot Sequence ==
Power on: syscon boots from its internal (non-encrypted / dual banked) ROM *1 *2
Power on: syscon boots from its internal (non-encrypted / dual banked) ROM *1 *2
Line 22: Line 23:


*1) Read/Writeable with undocumented / should also be read/writeable through serial port and possible to switch it to the backup bank1 with backup_mode pulled high
*1) Read/Writeable with undocumented / should also be read/writeable through serial port and possible to switch it to the backup bank1 with backup_mode pulled high
*2) {{CEX}} (+DEX?) consoles go to standby with red light. {{SHOP}} consoles will not standby, but instead boot through without waiting for powerbutton. Also check is done on all models if update is flagged to set it into firmware updating procedure
*2) {{CEX}} (+DEX?) consoles go to standby with red light. {{Shop}} consoles will not standby, but instead boot through without waiting for powerbutton. Also check is done on all models if update is flagged to set it into firmware updating procedure
*3) Partialy Read/Writeable
*3) Partialy Read/Writeable
about the disabled SPE: syscon reads it’s internal (non-encrypted) eeprom @ 0x48C30 which is value 0×06 on all {{CEX}} consoles and will set the cell config ring accordingly for 7 SPE’s. SPE0 and SPE2 are reserved for bootldr and metldr for isolation respectively. Setting the value to a nonworking state (e.g. 0×00, 0xFF, enabling a defective SPE or disabling a needed SPE for proper boot) might brick the console, locking you out from restoring the correct value to the syscon eeprom. Config ring is checked against the known one in bootldr. If you were to modify syscon and the config ring, it still wouldn't boot and would panic as the config ring does not match the expected one.
about the disabled SPE: syscon reads it’s internal (non-encrypted) eeprom @ 0x48C30 which is value 0×06 on all {{CEX}} consoles and will set the cell config ring accordingly for 7 SPE’s. SPE0 and SPE2 are reserved for bootldr and metldr for isolation respectively. Setting the value to a nonworking state (e.g. 0×00, 0xFF, enabling a defective SPE or disabling a needed SPE for proper boot) might brick the console, locking you out from restoring the correct value to the syscon eeprom. Config ring is checked against the known one in bootldr. If you were to modify syscon and the config ring, it still wouldn't boot and would panic as the config ring does not match the expected one.
Line 28: Line 29:
=== References ===
=== References ===
* [http://ip.com/patapp/US20090055637 Secure power-on reset engine]
* [http://ip.com/patapp/US20090055637 Secure power-on reset engine]
** [https://patentimages.storage.googleapis.com/f1/41/35/ebbd57077c21f9/US7895426.pdf US7895426.pdf]
** [http://www.ps3devwiki.com/files/documents/US7895426.pdf US7895426.pdf]
** [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/US20090055637.pdf US20090055637.pdf]
** [http://www.ps3devwiki.com/files/documents/US20090055637.pdf US20090055637.pdf]
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_Handbook_v1.12_3Apr09_pub.pdf CellBE_Handbook_v1.12_3Apr09_pub.pdf]
* [http://www.ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_Handbook_v1.12_3Apr09_pub.pdf CellBE_Handbook_v1.12_3Apr09_pub.pdf]
* [[:File:Cell_Broadband_Engine_processor_vault_security_architecture.pdf|Cell_Broadband_Engine_processor_vault_security_architecture.pdf]]
* [http://www.ps3devwiki.com/files/documents/-%20Cell%20BE/Cell_Broadband_Engine_processor_vault_security_architecture.pdf Cell_Broadband_Engine_processor_vault_security_architecture.pdf]
* [http://www.multiupload.com/7STWIQ8PBF CellBEBootprocess.pdf (177.69 KB)]) (Mirror: [http://git.gitbrew.org/openclit/documentation/CellBEBootprocess.pdf GitBrew]) //  
* [http://www.multiupload.com/7STWIQ8PBF CellBEBootprocess.pdf (177.69 KB)]) (Mirror: [http://git.gitbrew.org/openclit/documentation/CellBEBootprocess.pdf GitBrew]) //  
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/-%20CELL%20SDK%20Documentation/lib/CBE_Secure_SDK_Guide_v3.0.pdf CBE_Secure_SDK_Guide_v3.0.pdf]
* [http://www.ps3devwiki.com/files/documents/-%20CELL%20SDK%20Documentation/lib/CBE_Secure_SDK_Guide_v3.0.pdf CBE_Secure_SDK_Guide_v3.0.pdf]
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_HIG_65nm_v1.01_8Jun2007.pdf CellBE_HIG_65nm_v1.01_8Jun2007.pdf)]
* [http://www.ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_HIG_65nm_v1.01_8Jun2007.pdf CellBE_HIG_65nm_v1.01_8Jun2007.pdf)]
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_HIG_90nm_v1.5_30Nov2007_pub.pdf CellBE_HIG_90nm_v1.5_30Nov2007_pub.pdf])
* [http://www.ps3devwiki.com/files/documents/-%20Cell%20BE/CellBE_HIG_90nm_v1.5_30Nov2007_pub.pdf CellBE_HIG_90nm_v1.5_30Nov2007_pub.pdf])
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/BE_Hardwar_Init_Guide_v1.3_31March2006.pdf BE_Hardwar_Init_Guide_v1.3_31March2006.pdf]
* [http://www.ps3devwiki.com/files/documents/BE_Hardwar_Init_Guide_v1.3_31March2006.pdf BE_Hardwar_Init_Guide_v1.3_31March2006.pdf]


== Chain of Trust ==
== Chain of Trust ==
Line 63: Line 64:
| SPE(0)
| SPE(0)
| Per Console Encrypted at factory
| Per Console Encrypted at factory
| No <span style="color:red!important;">*</span>
| No <span style="color:red;">*</span>
| No
| No
| Setup Primary Hardware + load lv0
| Setup Primary Hardware + load lv0
Line 81: Line 82:
| SPE(2)
| SPE(2)
| Per&nbsp;Console&nbsp;Encrypted at&nbsp;factory
| Per&nbsp;Console&nbsp;Encrypted at&nbsp;factory
| No <span style="color:red!important;">*</span>
| No <span style="color:red;">*</span>
| No
| No
| Load loaders (Meta Loader)
| load loaders (Meta Loader)
| Yes
| Yes
|-
|-
Line 92: Line 93:
| Yes
| Yes
| No
| No
| Decrypt lv1 (Hypervisor) + Initialize ATA/ENCDEC
| Decrypt lv1 (Hypervisor)
| Yes
| Yes
|-
|-
Line 131: Line 132:
| Yes
| Yes
|}
|}
<span style="color:red!important;">*</span> : ofcourse with new hardware revisions, it is updated in factory. See [[Flash#new_metldr.2]]
<span style="color:red;">*</span> : ofcourse with new hardware revisions, it is updated in factory. See [[Flash#new_metldr.2]]


== Chain of trust Diagram ==
== Chain of trust Diagram ==
Line 145: Line 146:


== Changes in firmware 3.60 ==
== Changes in firmware 3.60 ==
Lv0 has now been changed, LV0 now appears to encapsulate all of the [[Loaders]] (appldr, isoldr, lv1ldr, lv2ldr). Now in order to break the chain of trust we need to be able to decrypt/exploit LV0 (or bootldr which loads LV0) and reverse the obfuscation in the loaders -> done! see http://www.psdevwiki.com/ps3/Keys#Key_Scrambling
Lv0 has now been changed, LV0 now appears to encapsulate all of the [[Loaders]] (appldr, isoldr, lv1ldr, lv2ldr). Now in order to break the chain of trust we need to be able to decrypt/exploit LV0 (or bootldr which loads LV0) and reverse the obfuscation in the loaders -> done! see http://www.ps3devwiki.com/wiki/Keys#Key_Scrambling


=== Chain of trust Diagram 3.60++ ===
=== Chain of trust Diagram 3.60++ ===
<table width="100%" align="left"><tr><td align="left">[[File:Ps3-cryptochain-360.png|800px|thumb|left|LV0 with encapsulated loaders (appldr, isoldr, lv1ldr, lv2ldr).)]]</tr></table>
<table width="100%" align="left"><tr><td align="left">[[File:Ps3-cryptochain-360.png|800px|thumb|left|LV0 with encapsulated loaders (appldr, isoldr, lv1ldr, lv2ldr).)]]</tr></tr></table>
not in this diagram: the added .2 metadata<br />
not in this diagram: the added .2 metadata<br />
== PPU Boot Order ==
lv0 -> lv1.self -> lv2_kernel.self -> sys_init_osd.self -> vsh.self
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)