Editing Making Isolated SPU Modules and Loaders

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:OtherOS]]
=Introduction=
=Introduction=


Line 6: Line 5:


=Tools=
=Tools=
* My Debian LiveCD has all tools you will need.
* See http://www.ps3devwiki.com/wiki/Debian_LiveCD


==SPU GCC Compiler==
==SPU GCC Compiler==


* You need SPU GCC compiler to compile your code and create binary version of it.
* You need SPU GCC compiler to compile your code and create binary version of it.
* On PS3 Debian, just install spu toolchain with aptitude.
* On PS3 Debian, just install spu toolchain.
* You can also cross-compile SPU GCC toolchain for your Linux PC.
* You can also cross-compile SPU GCC toolchain for your Linux PC.
* See http://gitorious.ps3dev.net/ps3linux/powerpc64-cross-compiler if you want to build SPU GCC cross-compiler. Just change in HOWTO target option from powerpc64-linux to spu-elf.
* See http://gitorious.ps3dev.net/ps3linux/powerpc64-cross-compiler if you want to build SPU GCC cross-compiler. Just change in HOWTO target option from powerpc64-linux to spu-elf.
Line 47: Line 43:
* First you need '''sb_iso_spu_module.self''' from your NOR/NAND flash or from PS3 update file.
* First you need '''sb_iso_spu_module.self''' from your NOR/NAND flash or from PS3 update file.


{{Keyboard|content=<syntaxhighlight lang="bash">
<pre>
# compile your SPU code
# compile your SPU code


Line 89: Line 85:
# entry point is 0x880 which is in first program segment at file offset 0x100
# entry point is 0x880 which is in first program segment at file offset 0x100


# now we kill all old code and data with 0s before we put our code there.
# now we kill all old code with 0s before we put our code there.
# seek parameter is the offset of the first program segment.
# seek parameter is the offset of the first program segment.
# count parameter is the sum of the offset of the last program segment plus its size and
# count parameter is the sum of the offset of the last program segment plus its size and
# minus the offset of the first program segmnet.
# minus the offset of the first program segmnet.


# killing old code and data with 0s is a good idea because 0x00000000 means stop opcode.
# killing old code with 0s is a good idea because 0x00000000 means stop opcode.


dd if=/dev/zero of=dump_ata_keys.elf bs=1 seek=$((0x100)) count=$((0x51b0 + 0x34 - 0x100)) conv=notrunc
dd if=/dev/zero of=dump_ata_keys.elf bs=1 seek=$((0x100)) count=$((0x51b0 + 0x34 - 0x100)) conv=notrunc
Line 123: Line 119:


# mount spuisofs (we do it of course on PS3 Linux and not on PC)
# mount spuisofs (we do it of course on PS3 Linux and not on PC)
# you could use my Debian LiveCD e.g. which has all tools you need


sudo mount -t spuisofs none /mnt
sudo mount -t spuisofs none /mnt


ls -l /mnt
glevand@debian:~$ ls -l /mnt
total 0
total 0
-rw-rw-rw- 1 root root 1048576 Sep  7 12:12 app
-rw-rw-rw- 1 root root 1048576 Sep  7 12:12 app
Line 160: Line 155:
problem: spu_status_R 6660082
problem: spu_status_R 6660082


# here is important to check the stop code which is 0x666 :)
# here is important to check the stop code which is 0x0666
# my dump_ata_keys.S code stops with stop code 0x666 when it's done
# my dump_ata_keys.S code stops with stop code 0x0666 when it's done
# this way you can be really sure that your dump_ata_keys.self was correctly signed,
# this way you can be really sure that your dump_ata_keys.self was correctly signed, encrypted and accepted by isoldr
# encrypted and accepted by isoldr


# dump your ATA keys
# dump your ATA keys


hexdump -C /mnt/arg1
hexdump -C /mnt/arg1
</syntaxhighlight>}}
</pre>


=Example: Making dump_encdec_keys.self=
=Example: Making dump_encdec_keys.self=


* First you need '''lv1ldr''' from your NOR/NAND flash or from PS3 update file.
* First you need '''lv1ldr''' from your NOR/NAND flash or from PS3 update file.
{{Keyboard|content=<syntaxhighlight lang="bash">
# compile your SPU code
spu-elf-gcc -c dump_encdec_keys.S
ls -l dump_encdec_keys.o
# convert your code to binary
spu-elf-objcopy -O binary dump_encdec_keys.o dump_encdec_keys.bin
ls -l dump_encdec_keys.bin
# decrypt lv1ldr
unself lv1ldr lv1ldr.elf
ls -l lv1ldr.elf
mv lv1ldr.elf dump_encdec_keys.elf
# print program header of decrypted loader
readelf -l dump_encdec_keys.elf
Elf file type is EXEC (Executable file)
Entry point 0x12c00
There are 3 program headers, starting at offset 52
Program Headers:
  Type          Offset  VirtAddr  PhysAddr  FileSiz MemSiz  Flg Align
  LOAD          0x000080 0x00000800 0x00000800 0x00000 0x0cd20 RW  0x80
  LOAD          0x000100 0x00012c00 0x00012c00 0x1ca00 0x1ca00 R E 0x80
  LOAD          0x01cb00 0x0002f600 0x0002f600 0x004f0 0x004f0 RW  0x80
Section to Segment mapping:
  Segment Sections...
  00    .unknown
  01    .unknown .unknown
  02    .unknown .unknown .unknown
# entry point is 0x12c00 which is in second program segment at file offset 0x100
# now we kill all old code and data with 0s before we put our code there.
# seek parameter is the offset of the second program segment.
# count parameter is the sum of the offset of the last program segment plus its size and
# minus the offset of the second program segment.
# killing old code and data with 0s is a good idea because 0x00000000 means stop opcode.
dd if=/dev/zero of=dump_encdec_keys.elf bs=1 seek=$((0x100)) count=$((0x1cb00 + 0x4f0 - 0x100)) conv=notrunc
# after you filled out the SPU module with 0s, check it with spu-objdump
spu-elf-objdump -d dump_encdec_keys.elf
dump_encdec_keys.elf:    file format elf32-spu
Disassembly of section :
00012c00 <>:
        ...
# now we copy our code to loader
# seek parameter is the entry point offset in file
dd if=dump_encdec_keys.bin of=dump_encdec_keys.elf bs=1 seek=$((0x100)) conv=notrunc
# now build loader
iso_rebuilder dump_encdec_keys.elf dump_encdec_keys.self lv1ldr
# we are done :)
# time to test it with spuldrfs !!!
# mount spuldrfs (we do it of course on PS3 Linux and not on PC)
# you could use my Debian LiveCD e.g. which has all tools you need
sudo mount -t spuldrfs none /mnt
ls -l /mnt
total 0
-rw-rw-rw- 1 root root 1048576 Sep  7 13:20 buf1
-rw-rw-rw- 1 root root 1048576 Sep  7 13:20 buf2
-rw-rw-rw- 1 root root 1048576 Sep  7 13:20 buf3
-r--r--r-- 1 root root      0 Sep  7 13:20 info
-rw-rw-rw- 1 root root 1048576 Sep  7 13:20 ldr
-rw-rw-rw- 1 root root  262144 Sep  7 13:20 ls
-rw-rw-rw- 1 root root 1048576 Sep  7 13:20 metldr
-rw-rw-rw- 1 root root  131072 Sep  7 13:20 priv2
-rw-rw-rw- 1 root root  131072 Sep  7 13:20 problem
--w--w--w- 1 root root      0 Sep  7 13:20 run
-r--r--r-- 1 root root    4096 Sep  7 13:20 shadow
# compile dump_encdec_keys application
tar xvzf dump_encdec_keys.tar.gz
cd dump_encdec_keys
make
ls -l dump_encdec_keys
./dump_encdec_keys
usage: ./dump_encdec_keys <metldr path> <ldr path>
# NOTE: you will need your metldr
./dump_encdec_keys ./metldr ./dump_encdec_keys.self
spuldrfs found at /mnt
buf1 kernel virtual address d000000003c48000
buf2 kernel virtual address d000000003d49000
priv2: puint_mb_R 1
problem: pu_mb_R 1
priv2: puint_mb_R 666
problem: spu_status_R 6660082
# here is important to check the stop code which is 0x666 :)
# my dump_encdec_keys.S code stops with stop code 0x666 when it's done
# this way you can be really sure that your dump_encdec_keys.self was correctly signed,
# encrypted and accepted by metldr
# dump your ENCDEC keys (not really, you have to calculate your ENCDEC keys)
hexdump -C /mnt/buf2
</syntaxhighlight>}}
{{Linux}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/Making_Isolated_SPU_Modules_and_Loaders"