Editing SPU Isolated Modules Reverse Engineering
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
[ | |||
== aim_spu_module == | == aim_spu_module == | ||
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in. | |||
It is used to retrieve the device type, | |||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! !! Message | ||
|- | |- | ||
! | ! !! 355retail !! | ||
|- | |- | ||
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n" | | 0x36f0 || 0x3570 || "(spu)start aim spu module!\n" | ||
Line 115: | Line 17: | ||
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | | 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | ||
|} | |} | ||
This messages are DMAed to the ppu if a debug output address is specified. | |||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! !! Info | ||
|- | |- | ||
! | ! !! 355retail !! | ||
|- | |- | ||
| 0x37e0 || - || Reference | | 0x37e0 || - || Reference tool fallback IDPS | ||
|- | |- | ||
| 0x37f0 - ... || 0x3650 - ... || Start of | | 0x37f0 - ... || 0x3650 - ... || Start of EID keys | ||
|- | |- | ||
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | | 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | ||
Line 135: | Line 35: | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! | ! Address !! Name !! Parameters !! Info | ||
|- | |- | ||
| 0x9e0 | | 0x9e0 || stop_func || unknown || Stops the module execution with various stop codes. | ||
|- | |- | ||
| 0xa18 | | 0xa18 || main_func || unknown || Main routine. | ||
|- | |- | ||
| 0xf18 | | 0xf18 || response || unknown || Sends response to ppu over DMA. | ||
|- | |- | ||
| 0x1158 | | 0x1158 || process_eid || unknown || Decrypts EID0. | ||
|- | |- | ||
| 0x1438 | | 0x1438 || prepare_print || unknown || Prepares debug output. | ||
|- | |- | ||
| 0x1440 | | 0x1440 || debug_print || unknown || As the name already states... (this outputs over DMA) | ||
|- | |- | ||
| 0x17f0 | | 0x17f0 || - || - || Part of aes implementation. | ||
|- | |- | ||
| 0x1c48 || | | 0x1c48 || - || - || Part of aes implementation. | ||
|- | |- | ||
| 0x1df0 || | | 0x1df0 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| 0x20f0 || | | 0x20f0 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| 0x2300 || | | 0x2300 || - || - || Probably part of aes implementation. | ||
|- | |- | ||
| 0x2418 || | | 0x2418 || - || - || Part of aes implementation. | ||
|- | |- | ||
| 0x2608 || | | 0x2608 || - || - || Part of aes implementation. | ||
|- | |- | ||
| 0x30c0 | | 0x30c0 || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS. | ||
|- | |- | ||
| 0x3168 | | 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
==== Disasm ==== | ==== Disasm ==== | ||
The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | ||
=== Running in anergistic === | |||
-> http://pastie.org/2000330 | |||
=== Running | |||