Editing Hypervisor Reverse Engineering

Latest revision Your text
Line 1: Line 1:
<span style="background:red; color:#ffffff;">Warning, this page is way too long and is voted to be split into seperate sections</span>
<span style="background:red; color:#ffffff;">Warning, this page way too long and voted to be split into seperate sections</span>


----
----
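Review bot: Both columns misspell "separate" in the banner, and the "Your text" column also drops the verb ("this page way too long"). If the banner is kept at all, use the latest-revision wording with the spelling fixed: "Warning, this page is way too long and is voted to be split into separate sections".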
Line 180: Line 180:
There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF.  
There are 2 system call tables in HV. The first one stores system calls 0 - 36. The second one stores system calls 0x10000 - 0x100FF.  


== UX System call table 0 - 36  ==
== System call table 0 - 36  ==


0x0035FAE8 (3.15)  
0x0035FAE8 (3.15)  
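Review bot: Dropping the "UX" qualifier from this heading loses the distinction the latest revision draws between this table and the second one ("== PMI System call table 0x10000 - 0x100FF ==" in the next hunk, which the undo also strips down to "System call table"). With both qualifiers gone the two tables are told apart only by number range, and the intro line "There are 2 system call tables in HV" never says which table serves which caller. Keep "UX" and "PMI" in the headings, or add that sentence to the intro.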
Line 187: Line 187:


=== System call numbers  ===
=== System call numbers  ===
0x0 - void eosh(void) //end_of_signal_handling(void)  
0x0 - eosh(void) //end_of_signal_handling(void)  


0x1 - pid_t getpid(void)  
0x1 - getpid(void)  


0x2 - pid_t getppid(void)  
0x2 - getppid(void)  


0x3 - pid_t fork(void)  
0x3 - fork(void)  


0x4 - void exit(int status)  
0x4 - exit(int status)  


0x5 - void execv(const char *path, char *const argv[])  
0x5 - execv(const char *path, char *const argv[])  


0x6 - void wait(int *status)  
0x6 - wait(int *status)  


0x7 - int open(const char *path, int flags)  
0x7 - open(const char *path, int oflag, ...)  


0x8 - void close(int fd)  
0x8 - close(int fd)  


0x9 - ssize_t read(int fd, void *buf, unsigned int nbyte)  
0x9 - read(int fd, void *buf, unsigned int nbyte)  


0xA - ssize_t write(int fd, const void *buf, unsigned int nbyte)  
0xA - write(int fd, const void *buf, unsigned int nbyte)  


0xB - void lseek(int fd, long offset, int whence)  
0xB - lseek(int fd, long offset, int whence)  


0xC - unlink(const char *path)  
0xC - unlink(const char *path)  


0xD - void signal(int sig, void *func(int sig))
0xD - signal(int sig, void *func(int sig))


0xE - int kill(int pid, int signal_type)  
0xE - kill(int pid, int signal_type)  


0xF - int brk(void *addr)  
0xF - brk(void *)  


0x10 - int socket(int af, int type, int protocol) (supports only address family 0x1F, type 0x0 and protocol 0x0)  
0x10 - socket(int af, int type, int protocol) (supports only address family 0x1F, type 0x0 and protocol 0x0)  


0x11 - int bind(int sockfd , const sockaddr *addr, unsigned int addrlen)  
0x11 - bind(int sockfd , const sockaddr *addr, unsigned int addrlen)  


0x12 - int listen(int sockfd, int backlog)  
0x12 - listen(int sockfd, int backlog)  


0x13 - int accept(int sockfd, sockaddr *addr, unsigned int *addrlen)  
0x13 - accept(int sockfd, sockaddr *addr, unsigned int *addrlen)  


0x14 - int connect(int sockfd, const sockaddr *serv_addr, unsigned int addrlen)  
0x14 - connect(int sockfd, const sockaddr *serv_addr, unsigned int addrlen)  


0x15 - void putchar(int c)
0x15 -&nbsp;?


0x16 - int pause(void)  
0x16 - pause(void)  


0x17 - int sleep(unsigned int seconds)  
0x17 - alarm(unsigned int seconds)  


0x18 - int mmap(void *addr, unsigned long size, int prot, int flags, int fd, long offset, void *mapped_addr)  
0x18 - mmap(void *addr, unsigned long size, int prot, int flags, int fd, long offset, unsigned long some_additional_arg)  


0x19 - int munmap (void *addr, unsigned long size)
0x19 - munmap (void *addr, unsigned long size)


0x1A - int chdir(const char *path)
0x1A - some fs func for directories, perhaps readdir


0x1B - void getchar(char *c)
0x1B -&nbsp;?


0x1C - map_pages(...) (used for alloc)  
0x1C - _map_pages (used for alloc)  


0x1D - unmap_pages(...) (used for free)  
0x1D - _unmap_pages (used for free)  


0x1E - int select(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, struct timeval *timeout)
0x1E - select  


0x1F - getcwd(...)
0x1F - getcwd  


0x20 - Not used
0x20 - Not used


0x21 - unsigned int alarm(unsigned int seconds)
0x21 - usleep


0x22 - int ioctl(int fd, unsigned __int64 request, ...)
0x22 - ioctl


0x23 - pme_memalign(...)
0x23 - pme_memalign


0x24 - ?
0x24 - ?


== PMI System call table 0x10000 - 0x100FF  ==
== System call table 0x10000 - 0x100FF  ==


0x0035DE78 (3.15)  
0x0035DE78 (3.15)  
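Review bot: The two columns disagree on which number is alarm, so this is not a neutral revert: the latest revision has "0x17 - int sleep(unsigned int seconds)" and "0x21 - unsigned int alarm(unsigned int seconds)", while "Your text" makes 0x17 alarm and 0x21 usleep. Whichever side lands should say which disassembly it was checked against. The undo also throws away entries the latest revision resolved (0x15 putchar, 0x1B getchar, 0x1A chdir instead of "perhaps readdir", the full select prototype, and the last mmap argument being an output pointer "void *mapped_addr" rather than "some_additional_arg"). Independent of the revert, the signal prototype is malformed C in both columns ("void signal(int sig, void *func(int sig))" declares func as a function returning void*, not a function pointer), and some return types in the latest revision are unusual enough to re-check (void lseek, void close, void wait, void execv; lseek normally returns the new offset). Unverified types should carry a "?" the way the rest of the table does.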
Line 269: Line 269:
=== System call numbers  ===
=== System call numbers  ===


0x10000 - allocate_memory(LPAR id, size, log2 of page size,&nbsp;?,&nbsp;?) / construct_memory_segment
0x10000 - allocate_memory_region(LPAR id, size, log2 of page size,&nbsp;?,&nbsp;?)  


0x10001 - query_logical_partition_address_region_info
0x10001 - lpar_query_address_region_info


0x10002 - translate_logical_partition_to_physical_address(LPAR id, LPAR address, physical addr)  
0x10002 - lpar_memory_addr_to_phys_addr(LPAR id, LPAR address, physical addr)  
 
0x10003 - map_physical_address_region
 
0x10004 - unmap_physical_address_region


0x10005 - construct_logical_pu  
0x10005 - construct_logical_pu  
0x10006 - destruct_logical_pu


0x10007 - activate_logical_pu(LPAR id, PPE id)  
0x10007 - activate_logical_pu(LPAR id, PPE id)  


0x10009 - construct_logical_partition(0, LPAR id, outlet)  
0x10009 - construct_logical_partition(0, LPAR id, outlet)  
0x1000A - get_logical_console_info
0x1000B - get_remote_file_size
0x1000C - read_remote_file
0x1000D - write_remote_file


0x1000E - release_memory_region(LPAR id, memory region address)  
0x1000E - release_memory_region(LPAR id, memory region address)  
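Review bot: The undo deletes entries that exist only in the latest revision (0x10003 map_physical_address_region, 0x10004 unmap_physical_address_region, 0x10006 destruct_logical_pu, and 0x1000A get_logical_console_info through 0x1000D write_remote_file) together with the alternate names for 0x10000 (construct_memory_segment), 0x10001 and 0x10002, leaving unexplained holes in the numbering. If the intent is only to rename, keep those rows. Note also that 0x10008 is missing from both columns and should be listed as "?" rather than skipped silently.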
Line 320: Line 306:


0x10026 - get_logical_partition_info  
0x10026 - get_logical_partition_info  
0x10027 - read_privilege_set
0x10028 - modify_privilege_set
0x10029 - get_remote_file_size_long_name
0x1002A - read_remote_file_long_name
0x1002B - write_remote_file_long_name


0x1002C - construct_scheduling_table  
0x1002C - construct_scheduling_table  
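Review bot: Same pattern as the previous hunk: 0x10027 read_privilege_set, 0x10028 modify_privilege_set and the three *_long_name variants (0x10029 to 0x1002B) exist only in the latest revision and are removed by this undo without replacement, which leaves a hole between 0x10026 and 0x1002C. Keep them unless they were added in error, and say so in the edit summary if they were.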
Line 353: Line 329:
0x10039 - ?
0x10039 - ?


0x10040 - construct_spe_type_1(SPE id, shaddow_addr) / construct_logical_spu
0x10040 - construct_spe_type_1(SPE id, shaddow_addr)  


0x10041 - destruct_spe(SPE id) / destruct_logical_spu
0x10041 - destruct_spe(SPE id)  


0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address)  
0x10042 - decrypt_lv2_self(spe id, LPAR auth id, SELF file image ptr, LPAR memory address)  
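Review bot: "shaddow_addr" is misspelled in both columns ("shadow_addr"). The alternate names construct_logical_spu / destruct_logical_spu that the latest revision gives for 0x10040 and 0x10041 are dropped by the undo; keep them, since they follow the same naming pattern as construct_logical_pu at 0x10005 (and destruct_logical_pu at 0x10006 in the latest revision).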
Line 363: Line 339:
0x10044 - disable_spe_execution  
0x10044 - disable_spe_execution  


0x10045 - read_spu_puint_mb(unsigned long spu_id, unsigned long msg)
0x10045 - set_spe_interrupt_mask
 
0x10046 - read_spe_problem_state_register(spe id, register offset, value) / read_spu_problem_state_area_register


0x10047 - write_spe_problem_state_register(spe id, register offset, value) / write_spu_problem_state_area_register
0x10046 - read_spe_problem_state_register(spe id, register offset, value)  


0x1004A - install_revoke_list
0x10047 - write_spe_problem_state_register(spe id, register offset, value)


0x1004B - disable_spe_loading  
0x1004B - disable_spe_loading  
0x1004C - install_access_control_table?
0x1004D - get_storage_status?
0x1004E - get_region_table_bits?
0x1004F - commit_region_update?
0x10050 - abort_region_update?
0x10051 - set_storage_tampered?


0x10053 - pmi_set_guest_os_mode  
0x10053 - pmi_set_guest_os_mode  


0x1007F - pause
0x1007F - pmpi_pause


0x10080 - get_total_execution_time
0x10080 - ?


0x10081 - reset  
0x10081 - reset  
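Review bot: 0x10045 is the real conflict in this hunk: the latest revision names it read_spu_puint_mb(unsigned long spu_id, unsigned long msg), "Your text" names it set_spe_interrupt_mask, and neither column says which reading was verified; this needs a source before either side lands. The undo also removes 0x1004A install_revoke_list, 0x1004C through 0x10051 (all tagged "?" in the latest revision, so they are guesses and must stay tagged if kept) and 0x10080 get_total_execution_time, and it changes 0x1007F from "pause" to "pmpi_pause". The "Your text" column is also misaligned here (its 0x10046 sits opposite 0x10047 and its 0x10047 opposite 0x1004A), so check the rendered list after applying.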
Line 840: Line 802:
=== vtable  ===
=== vtable  ===


0x003569F8 (3.15)
0x003569F8 (3.15)  


== IOIF device file objects  ==
== IOIF device file objects  ==
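Review bot: This hunk and the one at Line 3,989 (the "offset 0x1C0 - LPAR ability (8 bytes)" line) differ only in trailing whitespace; they carry no content change and can be ignored when reviewing the undo.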
Line 3,602: Line 3,564:
==== Loading appldr  ====
==== Loading appldr  ====


*64 bit memory address of '''appldr''' is written into 32 bit SPU register '''SPU_In_Mbox'''  
*64 bit memory address of '''isoldr''' is written into 32 bit SPU register '''SPU_In_Mbox'''  
*'''metldr''' is loaded
*'''metldr''' is loaded
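Review bot: Under a heading that reads "Loading appldr", the undo changes the bullet to say the address of isoldr is written into SPU_In_Mbox, which contradicts the heading; the latest revision's "appldr" is the consistent reading. If isoldr is actually what is passed here, the heading has to change with it. Either way the bullet should say how a 64-bit address is delivered through a 32-bit register, since that is the detail a reader of this step needs.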


Line 3,989: Line 3,951:
offset 0x90 - LPAR image path  
offset 0x90 - LPAR image path  


offset 0x1C0 - LPAR ability (8 bytes)
offset 0x1C0 - LPAR ability (8 bytes)  


=== Types of System Manager  ===
=== Types of System Manager  ===
Line 4,741: Line 4,703:
     uint8_t res[4];
     uint8_t res[4];
     uint64_t laid;            /* LPAR Authority ID */
     uint64_t laid;            /* LPAR Authority ID */
     uint64_t paid;            /* Program Authority ID */
     uint64_t paid;            /* Authority ID */
}
}
</pre>
</pre>
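Review bot: The undo weakens the comment on paid from "Program Authority ID" to "Authority ID", which no longer distinguishes it from laid ("LPAR Authority ID") on the line above; keep the latest revision's comment.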
Line 9,493: Line 9,455:
| 0x35|| 0x22 || Calculate AES_H 1 || ||  
| 0x35|| 0x22 || Calculate AES_H 1 || ||  
* Calculates AES_H hash of the data stored in XDR buffer.
* Calculates AES_H hash of the data stored in XDR buffer.
|-
| || 0x21 ||  || 2x 4 Bytes ||
Signed CSS CheckCRL
|-
| || 0x56||  || ||
Get Random Seed
|-
| || 0x32||  || ||
Unknown
|-
|-
| 0x36|| 0x24 || Calculate AES_H 2 || ||  
| 0x36|| 0x24 || Calculate AES_H 2 || ||  
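Review bot: The three rows present only in the latest revision (0x21 Signed CSS CheckCRL, 0x56 Get Random Seed, 0x32 Unknown) do not follow the row format of their neighbours: the first column is blank and the description sits on its own line after the cell separators instead of in the third column, as in "| 0x35|| 0x22 || Calculate AES_H 1 || ||". Move each description into the third column, fill or mark the first column, and order the rows by the second column (0x21 belongs before 0x22, not between 0x22 and 0x24). The 0x32 "Unknown" row adds nothing unless the number itself is the fact being recorded; if so, say that.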
Line 10,550: Line 10,503:
Decrypted P-Block (and EID4) contains region settings (see below)
Decrypted P-Block (and EID4) contains region settings (see below)


In decrypted P-Block(bytes 0x30 and 0x32) and in EID4(first byte) these bytes match [[Product Code]]:
In decrypted P-Block(bytes 0x30 and 0x32) and in EID4(first byte) these bytes match [[Target ID]]:
{| class="wikitable sortable" style="font-size:small; border:2px ridge #999999;"
{| class="wikitable sortable" style="font-size:small; border:2px ridge #999999;"
|-
|-
! Hex !! bitflag !! [[Product Code]] !! Console Type !! Remarks
! Hex !! bitflag !! [[Target ID]] !! Console Type !! Remarks
|-
|-
| 0xFF || '''11111111''' || {{TID80}} || No BD playback on that [[Product Code]]
| || || {{TID80}} ||  
|-
|-
| 0xFF || '''11111111''' || {{TID81}} || No BD playback on that [[Product Code]]
| 0xFF || '''11111111''' || {{TID81}} || No BD playback on that [[Target ID]]
|-
|-
| 0xFF || '''11111111''' || {{TID82}} || No BD playback on that [[Product Code]]
| 0xFF || '''11111111''' || {{TID82}} || No BD playback on that [[Target ID]]
|-
|-
| 0x01 || 0000000'''1''' || {{TID83}} || bit 0 (Region 0: Japan?)
| 0x01 || 0000000'''1''' || {{TID83}} || bit 0
|-
|-
| 0x02 || 000000'''1'''0 || {{TID84}} || bit 1 (Region 1: USA & Canada, Bermuda, and US Territories)
| 0x02 || 000000'''1'''0 || {{TID84}} || bit 1
|-
|-
| 0x04 || 00000'''1'''00 || {{TID85}} || bit 2 (Region 2: Europe (with the exceptions of Russia, Ukraine, Belarus), South Africa, Swaziland, Middle East, Egypt, Lesotho, and Greenland)
| 0x04 || 00000'''1'''00 || {{TID85}} || bit 2
|-
|-
| 0x10 || 000'''1'''0000 || {{TID86}} || bit 4 (Region 3: Southeastern Asia)
| 0x10 || 000'''1'''0000 || {{TID86}} || bit 4
|-
|-
| 0x04 || 00000'''1'''00 || {{TID87}} || bit 2 (Region 2: Europe (with the exceptions of Russia, Ukraine, Belarus), South Africa, Swaziland, Middle East, Egypt, Lesotho, and Greenland)
| 0x04 || 00000'''1'''00 || {{TID87}} || bit 2
|-
|-
| 0x08 || 0000'''1'''000 || {{TID88}} || bit 3 (Region 4: Latin America and Australia)
| || || {{TID88}} ||  
|-
|-
| 0x08 || 0000'''1'''000 || {{TID89}} || bit 3 (Region 4: Latin America and Australia)
| 0x08 || 0000'''1'''000 || {{TID89}} || bit 3
|-
|-
| 0x20 || 00'''1'''00000 || {{TID8A}} || bit 5 (Region 5: Russia, Asia (non-southeast), and Africa)
| || || {{TID8A}} ||  
|-
|-
| 0x10 || 000'''1'''0000 || {{TID8B}} || bit 4 (Region 3: Southeastern Asia)
| || || {{TID8B}} ||  
|-
|-
| 0x20 || 00'''1'''00000 || {{TID8C}} || bit 5 (Region 5: Russia, Asia (non-southeast), and Africa)
| 0x20 || 00'''1'''00000 || {{TID8C}} || bit 5
|-
|-
| 0x40 || 0'''1'''000000 || {{TID8D}} || bit 6? (Region 6: China)
| || || {{TID8D}} ||  
|-
|-
| 0x10 || 000'''1'''0000 || {{TID8E}} || bit 4 (Region 3: Southeastern Asia)
| 0x10 || 000'''1'''0000 || {{TID8E}} || bit 4
|-
|-
| 0x08 || 0000'''1'''000 || {{TID8F}} || bit 3 (Region 4: Latin America and Australia)
| || || {{TID8F}} ||  
|-
|-
| 0xFF || '''11111111''' || {{TIDA0}} || No BD playback on that [[Product Code]]
| 0xFF || '''11111111''' || {{TIDA0}} || No BD playback on that [[Target ID]]
|-
|-
|}
|}
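Review bot: The undo blanks six rows (TID80, TID88, TID8A, TID8B, TID8D, TID8F) and strips the region names from the rest while also relinking [[Product Code]] to [[Target ID]]; if the link rename is the goal, make that change without dropping the data. Two points stand regardless of which side lands: the TID8D row's "bit 6?" is marked uncertain in the latest revision and should stay marked, and bit position is not a proxy for region number (bit 3 is Region 4, bit 4 is Region 3), so the Remarks column is the authoritative mapping. The sentence above the table names "bytes 0x30 and 0x32" of the P-Block; state whether both bytes must match the table value or only one of them.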