Editing SPU Isolated Modules Reverse Engineering
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== aim_spu_module == | == aim_spu_module == | ||
It is used to retrieve the device type, device id, open psid and the pscode from the EID data that is passed in. | |||
It is used to retrieve the device type, | |||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! Message | ||
|- | |- | ||
| 0x36f0 | | 0x36f0 || "(spu)start aim spu module!\n" | ||
|- | |- | ||
| 0x3710 | | 0x3710 || "(spu) PU DMA area start address is not align 16byte\n" | ||
|- | |- | ||
| 0x3750 | | 0x3750 || "(spu) PU EID area start address is not align 16byte\n" | ||
|- | |- | ||
| 0x3790 | | 0x3790 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | ||
|} | |} | ||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! Info | ||
|- | |- | ||
| 0x3ac0 || AES sbox (16*16 bytes) | |||
|- | |- | ||
| 0x3c70 || AES inverse sbox (16*16 bytes) | |||
| 0x3c70 | |||
|} | |} | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! Name !! Parameters !! Info | ||
|- | |- | ||
| 0x1440 | | 0x1440 || debug_print || unknown || As the name already states... | ||
|- | |- | ||
| | | 0x30c0 || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS. | ||
|- | |- | ||
| | | 0x17f0 || - || - || Part of aes implementation. | ||
|- | |- | ||
| | | 0x1c48 || - || - || Part of aes implementation. | ||
|- | |- | ||
| | | 0x1df0 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x20f0 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x2300 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x2418 || - || - || Part of aes implementation. | ||
|- | |- | ||
| | | 0x2608 || - || - || Part of aes implementation. | ||
|- | |- | ||
| 0x3168 | | 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
Line 176: | Line 53: | ||
The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | ||
== | ===== do_dma ===== | ||
From 0x30c0 to 0x3130 it just checks if the parameters are ok (ls_addr != 0, dma_effective_addr != 0, size-1 < 0x3fff, tag_id < 32) else it will jump to 0x3160. | |||
=== | |||
! | |||
//(ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9) | |||
//... | |||
{ | |||
//3134: 21 a0 08 0a wrch $MFC_LSA,$10 | |||
wrch(MFC_LSA, ls_addr); | |||
//3138: 21 a0 08 85 wrch $MFC_EAH,$5 | |||
wrch(MFC_EAH, dma_effective_addr); | |||
//313c: 3f e1 02 8a shlqbyi $10,$5,4 | |||
//3140: 21 a0 09 0a wrch $MFC_EAL,$10 | |||
wrch(MFC_EAL, dma_effective_addr << 4); | |||
//3144: 21 a0 09 86 wrch $MFC_Size,$6 | |||
wrch(MFC_Size, size); | |||
//3148: 21 a0 0a 07 wrch $MFC_TagID,$7 | |||
wrch(MFC_TagID, tag_id); | |||
//314c: 0f 64 04 06 shli $6,$8,16 | |||
//3150: 08 22 43 05 or $5,$6,$9 | |||
//3154: 21 a0 0a 85 wrch $MFC_Cmd,$5 | |||
wrch(MFC_Cmd, (unk0 << 16) | unk1); | |||
//3158: 40 80 00 03 il $3,0 | |||
//315c: 35 00 00 00 bi $lr | |||
return 0; //0 is probably success | |||
err:; | |||
//3160: 40 80 04 83 il $3,9 | |||
//3164: 35 00 00 00 bi $lr | |||
return 9; //9 is probably failure | |||
} | |||
{ | ===== write_tag_mask_bit ===== | ||
//(tag_mask_bit:$4) | |||
{ | |||
//3168: 40 80 00 02 il $2,0 //Update immediately, unconditional. | |||
//316c: 21 a0 0b 82 wrch $MFC_WrTagUpdate,$2 | |||
wrch(MFC_WrTagUpdate, 0); | |||
//3170: 01 e0 0b 83 rchcnt $3,$MFC_WrTagUpdate | |||
//3174: 7c 00 41 85 ceqi $5,$3,1 | |||
//3178: 20 7f ff 05 brz $5,0x3170 # 3170 | |||
while(rchcnt(MFC_WrTagUpdate) != 1); | |||
//317c: 01 a0 0c 02 rdch $2,$MFC_RdTagStat | |||
$2 = rdch(MFC_RdTagStat); | |||
//3180: 0b 61 01 86 shl $6,$3,$4 | |||
//3184: 21 a0 0b 06 wrch $MFC_WrTagMask,$6 | |||
wrch(MFC_WrTagMask, 1 << tag_mask_bit); | |||
//3188: 40 80 01 03 il $3,2 //Update tag status if or when all enabled tag groups have “no outstanding operation” status. | |||
//318c: 21 a0 0b 83 wrch $MFC_WrTagUpdate,$3 | |||
wrch(MFC_WrTagUpdate, 2); | |||
//3190: 01 a0 0c 02 rdch $2,$MFC_RdTagStat | |||
$2 = rdch(MFC_RdTagStat); | |||
//3194: 35 00 00 00 bi $lr | |||
return; | |||
} |
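Review bot: In the do_dma pseudo-code, `wrch(MFC_EAL, dma_effective_addr << 4);` does not match the instruction it annotates. `shlqbyi $10,$5,4` shifts the quadword left by 4 bytes, not 4 bits, so the value written to MFC_EAL is the second word of $5, presumably the low 32 bits of a 64-bit effective address. The preceding write to MFC_EAH likewise takes only the preferred word of $5. Assuming the address is passed as a 64-bit value, I would write the pair as `wrch(MFC_EAH, (uint32_t)(dma_effective_addr >> 32));` and `wrch(MFC_EAL, (uint32_t)dma_effective_addr);`. Separately, the `err:` label has no visible jump because the checks are elided behind `//...`, so a comment such as `// parameter checks at 0x30c0-0x3130 branch to err (0x3160) on failure` would help. The argument is called `mask_bit` in the function table but `tag_mask_bit` in the write_tag_mask_bit pseudo-code, so one name should be used in both places.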