Editing Hypervisor Reverse Engineering
Line 1: | Line 1: | ||
<span style="background:red; color:#ffffff;">Warning, this page | <span style="background:red; color:#ffffff;">Warning, this page way too long and voted to be split into seperate sections</span> | ||
---- | ---- | ||
Line 180: | Line 180: | ||
There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF. | There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF. | ||
== | == System call table 0 - 36 == | ||
0x0035FAE8 (3.15) | 0x0035FAE8 (3.15) | ||
Line 187: | Line 187: | ||
=== System call numbers === | === System call numbers === | ||
0x0 - | 0x0 - eosh(void) //end_of_signal_handling(void) | ||
0x1 - | 0x1 - getpid(void) | ||
0x2 - | 0x2 - getppid(void) | ||
0x3 - | 0x3 - fork(void) | ||
0x4 - | 0x4 - exit(int status) | ||
0x5 - | 0x5 - execv(const char *path, char *const argv[]) | ||
0x6 - | 0x6 - wait(int *status) | ||
0x7 - | 0x7 - open(const char *path, int oflag, ...) | ||
0x8 - | 0x8 - close(int fd) | ||
0x9 - | 0x9 - read(int fd, void *buf, unsigned int nbyte) | ||
0xA - | 0xA - write(int fd, const void *buf, unsigned int nbyte) | ||
0xB - | 0xB - lseek(int fd, long offset, int whence) | ||
0xC - unlink(const char *path) | 0xC - unlink(const char *path) | ||
0xD - | 0xD - signal(int sig, void *func(int sig)) | ||
0xE - | 0xE - kill(int pid, int signal_type) | ||
0xF - | 0xF - brk(void *) | ||
0x10 - | 0x10 - socket(int af, int type, int protocol) (supports only address family 0x1F, type 0x0 and protocol 0x0) | ||
0x11 - | 0x11 - bind(int sockfd , const sockaddr *addr, unsigned int addrlen) | ||
0x12 - | 0x12 - listen(int sockfd, int backlog) | ||
0x13 - | 0x13 - accept(int sockfd, sockaddr *addr, unsigned int *addrlen) | ||
0x14 - | 0x14 - connect(int sockfd, const sockaddr *serv_addr, unsigned int addrlen) | ||
0x15 - | 0x15 - ? | ||
0x16 - | 0x16 - pause(void) | ||
0x17 - | 0x17 - alarm(unsigned int seconds) | ||
0x18 - | 0x18 - mmap(void *addr, unsigned long size, int prot, int flags, int fd, long offset, unsigned long some_additional_arg) | ||
0x19 - | 0x19 - munmap (void *addr, unsigned long size) | ||
0x1A - | 0x1A - some fs func for directories, perhaps readdir | ||
0x1B - | 0x1B - ? | ||
0x1C - | 0x1C - _map_pages (used for alloc) | ||
0x1D - | 0x1D - _unmap_pages (used for free) | ||
0x1E - | 0x1E - select | ||
0x1F - getcwd | 0x1F - getcwd | ||
0x20 - Not used | 0x20 - Not used | ||
0x21 - | 0x21 - usleep | ||
0x22 - | 0x22 - ioctl | ||
0x23 - pme_memalign | 0x23 - pme_memalign | ||
0x24 - ? | 0x24 - ? | ||
== | == System call table 0x10000 - 0x100FF == | ||
0x0035DE78 (3.15) | 0x0035DE78 (3.15) | ||
Line 269: | Line 269: | ||
=== System call numbers === | === System call numbers === | ||
0x10000 - | 0x10000 - allocate_memory_region(LPAR id, size, log2 of page size, ?, ?) | ||
0x10001 - | 0x10001 - lpar_query_address_region_info | ||
0x10002 - | 0x10002 - lpar_memory_addr_to_phys_addr(LPAR id, LPAR address, physical addr) | ||
0x10005 - construct_logical_pu | 0x10005 - construct_logical_pu | ||
0x10007 - activate_logical_pu(LPAR id, PPE id) | 0x10007 - activate_logical_pu(LPAR id, PPE id) | ||
0x10009 - construct_logical_partition(0, LPAR id, outlet) | 0x10009 - construct_logical_partition(0, LPAR id, outlet) | ||
0x1000E - release_memory_region(LPAR id, memory region address) | 0x1000E - release_memory_region(LPAR id, memory region address) | ||
Line 320: | Line 306: | ||
0x10026 - get_logical_partition_info | 0x10026 - get_logical_partition_info | ||
0x1002C - construct_scheduling_table | 0x1002C - construct_scheduling_table | ||
Line 353: | Line 329: | ||
0x10039 - ? | 0x10039 - ? | ||
0x10040 - construct_spe_type_1(SPE id, shaddow_addr) | 0x10040 - construct_spe_type_1(SPE id, shaddow_addr) | ||
0x10041 - destruct_spe(SPE id) | 0x10041 - destruct_spe(SPE id) | ||
0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address) | 0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address) | ||
Line 363: | Line 339: | ||
0x10044 - disable_spe_execution | 0x10044 - disable_spe_execution | ||
0x10045 - | 0x10045 - set_spe_interrupt_mask | ||
0x10046 - read_spe_problem_state_register(spe id, register offset, value) | |||
0x10047 - write_spe_problem_state_register(spe id, register offset, value) | |||
0x1004B - disable_spe_loading | 0x1004B - disable_spe_loading | ||
0x10053 - pmi_set_guest_os_mode | 0x10053 - pmi_set_guest_os_mode | ||
0x1007F - | 0x1007F - pmpi_pause | ||
0x10080 - | 0x10080 - ? | ||
0x10081 - reset | 0x10081 - reset | ||
Line 840: | Line 802: | ||
=== vtable === | === vtable === | ||
0x003569F8 (3.15) | 0x003569F8 (3.15) | ||
== IOIF device file objects == | == IOIF device file objects == | ||
Line 3,602: | Line 3,564: | ||
==== Loading appldr ==== | ==== Loading appldr ==== | ||
*64 bit memory address of ''' | *64 bit memory address of '''isoldr''' is written into 32 bit SPU register '''SPU_In_Mbox''' | ||
*'''metldr''' is loaded | *'''metldr''' is loaded | ||
Line 3,989: | Line 3,951: | ||
offset 0x90 - LPAR image path | offset 0x90 - LPAR image path | ||
offset 0x1C0 - LPAR ability (8 bytes) | offset 0x1C0 - LPAR ability (8 bytes) | ||
=== Types of System Manager === | === Types of System Manager === | ||
Line 4,741: | Line 4,703: | ||
uint8_t res[4]; | uint8_t res[4]; | ||
uint64_t laid; /* LPAR Authority ID */ | uint64_t laid; /* LPAR Authority ID */ | ||
uint64_t paid; /* | uint64_t paid; /* Authority ID */ | ||
} | } | ||
</pre> | </pre> | ||
Line 9,493: | Line 9,455: | ||
| 0x35|| 0x22 || Calculate AES_H 1 || || | | 0x35|| 0x22 || Calculate AES_H 1 || || | ||
* Calculates AES_H hash of the data stored in XDR buffer. | * Calculates AES_H hash of the data stored in XDR buffer. | ||
|- | |- | ||
| 0x36|| 0x24 || Calculate AES_H 2 || || | | 0x36|| 0x24 || Calculate AES_H 2 || || | ||
Line 10,550: | Line 10,503: | ||
Decrypted P-Block (and EID4) contains region settings (see below) | Decrypted P-Block (and EID4) contains region settings (see below) | ||
In decrypted P-Block(bytes 0x30 and 0x32) and in EID4(first byte) these bytes match [[ | In decrypted P-Block(bytes 0x30 and 0x32) and in EID4(first byte) these bytes match [[Target ID]]: | ||
{| class="wikitable sortable" style="font-size:small; border:2px ridge #999999;" | {| class="wikitable sortable" style="font-size:small; border:2px ridge #999999;" | ||
|- | |- | ||
! Hex !! bitflag !! [[ | ! Hex !! bitflag !! [[Target ID]] !! Console Type !! Remarks | ||
|- | |- | ||
| | | || || {{TID80}} || | ||
|- | |- | ||
| 0xFF || '''11111111''' || {{TID81}} || No BD playback on that [[ | | 0xFF || '''11111111''' || {{TID81}} || No BD playback on that [[Target ID]] | ||
|- | |- | ||
| 0xFF || '''11111111''' || {{TID82}} || No BD playback on that [[ | | 0xFF || '''11111111''' || {{TID82}} || No BD playback on that [[Target ID]] | ||
|- | |- | ||
| 0x01 || 0000000'''1''' || {{TID83}} || bit 0 | | 0x01 || 0000000'''1''' || {{TID83}} || bit 0 | ||
|- | |- | ||
| 0x02 || 000000'''1'''0 || {{TID84}} || bit 1 | | 0x02 || 000000'''1'''0 || {{TID84}} || bit 1 | ||
|- | |- | ||
| 0x04 || 00000'''1'''00 || {{TID85}} || bit 2 | | 0x04 || 00000'''1'''00 || {{TID85}} || bit 2 | ||
|- | |- | ||
| 0x10 || 000'''1'''0000 || {{TID86}} || bit 4 | | 0x10 || 000'''1'''0000 || {{TID86}} || bit 4 | ||
|- | |- | ||
| 0x04 || 00000'''1'''00 || {{TID87}} || bit 2 | | 0x04 || 00000'''1'''00 || {{TID87}} || bit 2 | ||
|- | |- | ||
| | | || || {{TID88}} || | ||
|- | |- | ||
| 0x08 || 0000'''1'''000 || {{TID89}} || bit 3 | | 0x08 || 0000'''1'''000 || {{TID89}} || bit 3 | ||
|- | |- | ||
| | | || || {{TID8A}} || | ||
|- | |- | ||
| | | || || {{TID8B}} || | ||
|- | |- | ||
| 0x20 || 00'''1'''00000 || {{TID8C}} || bit 5 | | 0x20 || 00'''1'''00000 || {{TID8C}} || bit 5 | ||
|- | |- | ||
| | | || || {{TID8D}} || | ||
|- | |- | ||
| 0x10 || 000'''1'''0000 || {{TID8E}} || bit 4 | | 0x10 || 000'''1'''0000 || {{TID8E}} || bit 4 | ||
|- | |- | ||
| | | || || {{TID8F}} || | ||
|- | |- | ||
| 0xFF || '''11111111''' || {{TIDA0}} || No BD playback on that [[ | | 0xFF || '''11111111''' || {{TIDA0}} || No BD playback on that [[Target ID]] | ||
|- | |- | ||
|} | |} |