Editing Hypervisor Reverse Engineering
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
<span style="background:red; color:#ffffff;">Warning, this page | <span style="background:red; color:#ffffff;">Warning, this page way too long and voted to be split into seperate sections</span> | ||
---- | ---- | ||
Line 180: | Line 180: | ||
There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF. | There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF. | ||
== | == System call table 0 - 36 == | ||
0x0035FAE8 (3.15) | 0x0035FAE8 (3.15) | ||
Line 187: | Line 187: | ||
=== System call numbers === | === System call numbers === | ||
0x1 - | 0x1 - getpid(void) | ||
0x2 - | 0x2 - getppid(void) | ||
0x3 - | 0x3 - fork(void) | ||
0x4 - | 0x4 - exit | ||
0x5 - | 0x5 - exec(filename) | ||
0x6 - | 0x6 - wait(status) | ||
0x7 - | 0x7 - open(filename) | ||
0x8 - | 0x8 - close(fd) | ||
0x9 - | 0x9 - read | ||
0xA - | 0xA - write | ||
0xB - | 0xB - seek | ||
0xC - unlink( | 0xC - unlink(filename) | ||
0xD - | 0xD - signal | ||
0xE - | 0xE - kill(pid, signal type) | ||
0xF - | 0xF - brk | ||
0x10 - | 0x10 - socket(af, type, protocol) (supports only address family 0x1F, type 0x0 and protocol 0x0) | ||
0x11 - | 0x11 - bind | ||
0x12 - | 0x12 - listen(fd, backlog) | ||
0x13 - | 0x13 - accept | ||
0x14 - | 0x14 - connect | ||
0x15 - | 0x15 - ? | ||
0x16 - | 0x16 - pause(void) | ||
0x17 - | 0x17 - sleep(seconds) | ||
0x18 - | 0x18 - mmap(addr, size, prot, flags, fd, offset) | ||
0x19 - | 0x19 - munmap | ||
0x1A - | 0x1A - some fs func for directories, perhaps readdir | ||
0x1B - | 0x1B - ? | ||
0x1C - map_pages | 0x1C - map_pages (used for alloc) | ||
0x1D - unmap_pages | 0x1D - unmap_pages (used for free) | ||
0x1E - | 0x1E - select | ||
0x1F - getcwd | 0x1F - getcwd | ||
0x20 - | 0x20 - ? | ||
0x21 - | 0x21 - alarm | ||
0x22 - | 0x22 - ioctl | ||
0x23 - | 0x23 - _map_pages | ||
0x24 - | 0x24 - _unmap_pages | ||
== | == System call table 0x10000 - 0x100FF == | ||
0x0035DE78 (3.15) | 0x0035DE78 (3.15) | ||
Line 269: | Line 268: | ||
=== System call numbers === | === System call numbers === | ||
0x10000 - | 0x10000 - allocate_memory_region(LPAR id, size, log2 of page size, ?, ?) | ||
0x10001 - | 0x10001 - lpar_query_address_region_info | ||
0x10002 - | 0x10002 - lpar_memory_addr_to_phys_addr(LPAR id, LPAR address, physical addr) | ||
0x10005 - construct_logical_pu | 0x10005 - construct_logical_pu | ||
0x10007 - activate_logical_pu(LPAR id, PPE id) | 0x10007 - activate_logical_pu(LPAR id, PPE id) | ||
0x10009 - construct_logical_partition(0, LPAR id, outlet) | 0x10009 - construct_logical_partition(0, LPAR id, outlet) | ||
0x1000E - release_memory_region(LPAR id, memory region address) | 0x1000E - release_memory_region(LPAR id, memory region address) | ||
0x1001A - construct_event_receive_port | 0x1001A - construct_event_receive_port | ||
0x10024 - shutdown_logical_partition(LPAR id, shutdown command) | 0x10024 - shutdown_logical_partition(LPAR id, shutdown command) | ||
Line 320: | Line 289: | ||
0x10026 - get_logical_partition_info | 0x10026 - get_logical_partition_info | ||
0x1002C - construct_scheduling_table | 0x1002C - construct_scheduling_table | ||
Line 335: | Line 294: | ||
0x1002D - set_scheduling_slot | 0x1002D - set_scheduling_slot | ||
0x1002E - | 0x1002E - ? | ||
0x10032 - accesses system console | |||
0x10034 - | 0x10034 - ? | ||
0x10035 - | 0x10035 - ? | ||
0x10036 - | 0x10036 - accesses system console | ||
0x10037 - ? | 0x10037 - ? | ||
Line 353: | Line 310: | ||
0x10039 - ? | 0x10039 - ? | ||
0x10040 - construct_spe_type_1(SPE id, shaddow_addr) | 0x10040 - construct_spe_type_1(SPE id, shaddow_addr) | ||
0x10041 - destruct_spe(SPE id) | 0x10041 - destruct_spe(SPE id) | ||
0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address) | 0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address) | ||
Line 363: | Line 320: | ||
0x10044 - disable_spe_execution | 0x10044 - disable_spe_execution | ||
0x10045 - | 0x10045 - set_spe_interrupt_mask | ||
0x10046 - read_spe_problem_state_register(spe id, register offset, value) | |||
0x10047 - write_spe_problem_state_register(spe id, register offset, value) | |||
0x1004B - disable_spe_loading | 0x1004B - disable_spe_loading | ||
0x10053 - pmi_set_guest_os_mode | 0x10053 - pmi_set_guest_os_mode | ||
0x10081 - accesses system console | |||
0x10081 - | |||
0x10084 - construct_virtual_uart(LPAR id, VUART id, VUART data buffer size) | 0x10084 - construct_virtual_uart(LPAR id, VUART id, VUART data buffer size) | ||
0x10085 - destruct_virtual_uart(LPAR id, VUART id) | 0x10085 - destruct_virtual_uart(LPAR id, VUART id) | ||
0x10088 - RSX_syscall_10088(LPAR id) | 0x10088 - RSX_syscall_10088(LPAR id) | ||
Line 415: | Line 350: | ||
0x100C2 - modify_repository_node_value(LPAR id) | 0x100C2 - modify_repository_node_value(LPAR id) | ||
0x100C3 - | 0x100C3 - remove_repository_node_value(LPAR id) | ||
= Process = | = Process = | ||
Line 840: | Line 775: | ||
=== vtable === | === vtable === | ||
0x003569F8 (3.15) | 0x003569F8 (3.15) | ||
== IOIF device file objects == | == IOIF device file objects == | ||
Line 1,026: | Line 961: | ||
=== vtable === | === vtable === | ||
0x000x352308 (3.15) | |||
=== Member variables === | === Member variables === | ||
Line 1,705: | Line 1,640: | ||
*Before a storage region is accessed, HV checks access rights of the caller. | *Before a storage region is accessed, HV checks access rights of the caller. | ||
*Repository node '''ss.laid''' ( | *Repository node '''ss.laid''' (LPAR authentication id) is evaluated for this purpose. | ||
*If LPAR has a repository node '''ios.ata.region0.access''' (value doesn't matter) then the access rights check never fails. After System Manager sets ATA keys it removes this repository node from LPAR 1. If we add this repository node again or patch System Manager so it's not removed then we will be able to access all storage regions of all storage devices. | *If LPAR has a repository node '''ios.ata.region0.access''' (value doesn't matter) then the access rights check never fails. After System Manager sets ATA keys it removes this repository node from LPAR 1. If we add this repository node again or patch System Manager so it's not removed then we will be able to access all storage regions of all storage devices. | ||
*'''ALL storage accesses from LPAR 1 are allowed''' | *'''ALL storage accesses from LPAR 1 are allowed''' | ||
Line 1,836: | Line 1,771: | ||
*The commands can be used with HV call '''lv1_storage_send_device_command'''. | *The commands can be used with HV call '''lv1_storage_send_device_command'''. | ||
*However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called ''' | *However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called '''LPAR authentication ID'''. If this test fails then the command is NOT executed. | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 2,089: | Line 2,024: | ||
*The commands can be used with HV call '''lv1_storage_send_device_command'''. | *The commands can be used with HV call '''lv1_storage_send_device_command'''. | ||
*However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called ''' | *However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called '''LPAR authentication ID'''. If this test fails then the command is NOT executed. | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 2,689: | Line 2,624: | ||
*The commands can be used with HV call '''lv1_storage_send_device_command'''. | *The commands can be used with HV call '''lv1_storage_send_device_command'''. | ||
*However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called ''' | *However, before a command is executed HV does bit manipulation with it and checks it against the value of repository node '''ss.laid''' or also called '''LPAR authentication ID'''. If this test fails then the command is NOT executed. | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 3,475: | Line 3,410: | ||
! Address of Data in HV Dump | ! Address of Data in HV Dump | ||
! Size of Data | ! Size of Data | ||
|- | |- | ||
| 0 | | 0 | ||
| | | - | ||
| 0x0C150000 | | 0x0C150000 | ||
| 0x1E5CC | | 0x1E5CC | ||
|- | |- | ||
| 1 | | 1 | ||
Line 3,487: | Line 3,420: | ||
| 0x00011000 | | 0x00011000 | ||
| 0xE8D0 | | 0xE8D0 | ||
|- | |- | ||
| 2 | | 2 | ||
Line 3,493: | Line 3,425: | ||
| 0x00020000 | | 0x00020000 | ||
| 0x16DA0 | | 0x16DA0 | ||
|- | |- | ||
| 3 | | 3 | ||
Line 3,499: | Line 3,430: | ||
| 0x00055000 | | 0x00055000 | ||
| 0x12E44 | | 0x12E44 | ||
|- | |- | ||
| 4 | | 4 | ||
Line 3,505: | Line 3,435: | ||
| 0x00037000 | | 0x00037000 | ||
| 0x1DAE4 | | 0x1DAE4 | ||
|- | |- | ||
| 5 | | 5 | ||
Line 3,511: | Line 3,440: | ||
| 0x00068000 | | 0x00068000 | ||
| 0x860 | | 0x860 | ||
|- | |- | ||
| 6 | | 6 | ||
| | | - | ||
| 0x00069010 | | 0x00069010 | ||
| 0x8 | | 0x8 | ||
|- | |- | ||
| 7 | | 7 | ||
| | | - | ||
| 0x00069020 | | 0x00069020 | ||
| 0x50 | | 0x50 | ||
|- | |- | ||
| 8 | | 8 | ||
| | | - | ||
| 0x00069070 | | 0x00069070 | ||
| 0x8 | | 0x8 | ||
|} | |} | ||
Line 3,593: | Line 3,518: | ||
=== appldr === | === appldr === | ||
*'''appldr''' is used for decryption of SELFs | *'''appldr''' is used for decryption of SELFs | ||
*HV call '''lv1_authenticate_program_segment''' loads '''appldr''' | *HV call '''lv1_authenticate_program_segment''' loads '''appldr''' | ||
Line 3,602: | Line 3,527: | ||
==== Loading appldr ==== | ==== Loading appldr ==== | ||
*64 bit memory address of ''' | *64 bit memory address of '''isoldr''' is written into 32 bit SPU register '''SPU_In_Mbox''' | ||
*'''metldr''' is loaded | *'''metldr''' is loaded | ||
Line 3,989: | Line 3,914: | ||
offset 0x90 - LPAR image path | offset 0x90 - LPAR image path | ||
offset 0x1C0 - LPAR ability (8 bytes) | offset 0x1C0 - LPAR ability (8 bytes) | ||
=== Types of System Manager === | === Types of System Manager === | ||
Line 4,657: | Line 4,582: | ||
| 8 | | 8 | ||
| 0x8001 - 0x8005 | | 0x8001 - 0x8005 | ||
| | | | ||
|- | |- | ||
| 0x9000 | | 0x9000 | ||
Line 4,740: | Line 4,665: | ||
uint32_t retval; | uint32_t retval; | ||
uint8_t res[4]; | uint8_t res[4]; | ||
uint64_t laid; /* LPAR | uint64_t laid; /* LPAR authority id */ | ||
uint64_t paid; /* Program | uint64_t paid; /* Program authority id */ | ||
} | } | ||
</pre> | </pre> | ||
Line 9,461: | Line 9,386: | ||
* Tested on OtherOS++ 3.55 | * Tested on OtherOS++ 3.55 | ||
* Host certificate, host private key and AACS LA public key are stored encrypted with AES-256-CTR in the SPU module and are decrypted when the SPU module is loaded or when it's accessed first. The AES-256-CTR key and IV are in the SPU module too. | * Host certificate, host private key and AACS LA public key are stored encrypted with AES-256-CTR in the SPU module and are decrypted when the SPU module is loaded or when it's accessed first. The AES-256-CTR key and IV are in the SPU module too. | ||
====Communication==== | ====Communication==== | ||
Line 9,471: | Line 9,395: | ||
====Commands==== | ====Commands==== | ||
* The SPU module supports max '''0x78''' | * The SPU module supports max '''0x78''' commands but not all are implemented | ||
* After a command is finished by the SPU module, it sends the status of the command to PPU through '''SPU Out Intr Mbox'''. Value 0 means success. | * After a command is finished by the SPU module, it sends the status of the command to PPU through '''SPU Out Intr Mbox'''. Value 0 means success. | ||
=====Read 4 Bytes from XDR Buffer (0x2)===== | |||
* It just reads 4 bytes of data from the XDR buffer passed to the SPU module. | * It just reads 4 bytes of data from the XDR buffer passed to the SPU module. | ||
=====Set KCD (0x1e)===== | |||
* Sends KCD (Key Conversion Data) to the SPU module. | * Sends KCD (Key Conversion Data) to the SPU module. | ||
* KCD is encrypted with the Bus Key which was established previously by AACS authentication. | * KCD is encrypted with the Bus Key which was established previously by AACS authentication. | ||
=====Init AES_H (0x34)===== | |||
* Initializes AES_H hashing function. | * Initializes AES_H hashing function. | ||
=====Calculate AES_H 1 (0x35)===== | |||
* Calculates AES_H hash of the data stored in XDR buffer. | * Calculates AES_H hash of the data stored in XDR buffer. | ||
=====Calculate AES_H 2 (0x36)===== | |||
* Calculates AES_H hash of the data stored in XDR buffer. | * Calculates AES_H hash of the data stored in XDR buffer. | ||
=====Generate Host Nonce (0x3c)===== | |||
* Generates a nonce which is returned in command ''' | |||
* Generates a nonce which is returned in command '''0x3d''' | |||
=====Get Host Nonce and Certificate (0x3d)===== | |||
* The data returned by this command is of size '''0x14 (Nonce) + 0x5c (Host Certificate)''' | * The data returned by this command is of size '''0x14 (Nonce) + 0x5c (Host Certificate)''' | ||
* The data returned by this command is sent by BD player with SCSI command '''SEND KEY''' to BD drive during AACS authentication | * The data returned by this command is sent by BD player with SCSI command '''SEND KEY''' to BD drive during AACS authentication | ||
* '''Host Certificate is easy to get from the SPU module, e.g. with aacs_module on OtherOS++''' | * '''Host Certificate is easy to get from the SPU module, e.g. with aacs_module on OtherOS++''' | ||
* The data contains a nonce, host public key and host certificate signature. | * The data contains a nonce, host public key and host certificate signature. | ||
=====Set Drive Nonce and Certificate (0x3e)===== | |||
* Stores BD drive nonce and certificate in local memory of SPU | * Stores BD drive nonce and certificate in local memory of SPU | ||
=====Verify Drive Certificate (0x3f)===== | |||
=====Set Drive Key (0x40)===== | |||
=====Sign Host Key (0x44)===== | |||
=====Get Host Key (0x45)===== | |||
=====Calculate Bus Key (0x46)===== | |||
=====Set Volume ID (0x47)===== | |||
* Sends volume id and its MAC to the SPU module | * Sends volume id and its MAC to the SPU module | ||
=====Calculate Volume ID MAC (0x48)===== | |||
* Calculates MAC of the passed volume id | * Calculates MAC of the passed volume id | ||
=====Verify Volume ID MAC (0x49)===== | |||
* Verifies MAC of the passed volume id | * Verifies MAC of the passed volume id | ||
=====Set PMSN (0x4a)===== | |||
* Sends PMSN and its MAC to the SPU module | * Sends PMSN and its MAC to the SPU module | ||
=====Calculate PMSN MAC (0x4b)===== | |||
* Calculates MAC of the passed PMSN | * Calculates MAC of the passed PMSN | ||
=====Verify PMSN (0x4c)===== | |||
* Verifies MAC of the passed PMSN | |||
=====Set Media ID (0x4d)===== | |||
* Sends media id and its MAC to the SPU module | * Sends media id and its MAC to the SPU module | ||
=====Calculate Media ID MAC (0x4e)===== | |||
* Calculates MAC of the passed media id | * Calculates MAC of the passed media id | ||
=====Verify Media ID MAC (0x4f)===== | |||
* Verifies MAC of the passed media id | * Verifies MAC of the passed media id | ||
=====Unknown (0x54)===== | |||
=====Verify Host/Drive Revocation (0x55)===== | |||
* BD player stores HRL/DRL list entries in XDR buffer and passes it to the SPU module for verification | * BD player stores HRL/DRL list entries in XDR buffer and passes it to the SPU module for verification | ||
=====Terminate Session (0xfefefeff)===== | |||
* AACS SPU module runs and processes commands as long as you need | * AACS SPU module runs and processes commands as long as you need | ||
* After a command is complete, the SPU module waits for the next command | * After a command is complete, the SPU module waits for the next command | ||
* This command terminates the current session and stops SPU module | * This command terminates the current session and stops SPU module | ||
===Drive Revocation List (DRL)=== | ===Drive Revocation List (DRL)=== | ||
Line 10,547: | Line 10,468: | ||
====P-Block==== | ====P-Block==== | ||
=====Creating===== | =====Creating===== |