Editing SPU Isolated Modules Reverse Engineering
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
== anergistic == | == anergistic == | ||
Line 6: | Line 7: | ||
*https://github.com/kraiskil/anergistic.git | *https://github.com/kraiskil/anergistic.git | ||
* | *http://foxbrew.org/git/anergistic.git/ | ||
=== | === usage === | ||
anergistic can be launched in two different modes, one that '''only emulates''' (runs) the program through the SPU and the the other that lets you '''debug''' the process through gdb | anergistic can be launched in two different modes, one that '''only emulates''' (runs) the program through the SPU and the the other that lets you '''debug''' the process through gdb | ||
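Review bot: the usage sentence carries a doubled word, "the the other", in both columns and is left untouched by this edit; it should read "and the other lets you debug the process through gdb", with a closing period. The new "=== usage ===" heading is lowercase while its sibling headings ("Customizations", "Problems") are capitalised; pick one style for the page.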
Line 17: | Line 15: | ||
==== only emulate ==== | ==== only emulate ==== | ||
<pre> | |||
./anergistic spu_elf_name.elf | |||
</pre> | |||
this mode runs an elf with all the parameters and actions defined on main.c, channel.c a | this mode runs an elf with all the parameters and actions defined on main.c, channel.c a | ||
==== debug ==== | ==== debug ==== | ||
terminal 1 | terminal 1 | ||
<pre> | |||
./anergistic -g 1234 spu_elf_name.elf | |||
</pre> | |||
terminal 2 | terminal 2 | ||
<pre> | |||
gdb | |||
(gdb)target remote :1234 | (gdb)target remote :1234 | ||
</ | </pre> | ||
this mode performs the same as above but lets you debug the process through gdb | this mode performs the same as above but lets you debug the process through gdb | ||
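Review bot: the explanation under "only emulate" ends mid-sentence in both columns ("defined on main.c, channel.c a"), so the pre block being added is followed by a truncated sentence; complete it or end it at "channel.c". In the debug pre block gdb is started with no file argument, so it has no symbols for the program it attaches to; starting it with the same ELF named in terminal 1 (gdb spu_elf_name.elf, then target remote :1234) would make the two terminals consistent.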
Line 48: | Line 37: | ||
=== Customizations === | === Customizations === | ||
see example below | |||
'''Running in aim_spu_module anergistic''' | '''Running in aim_spu_module anergistic''' | ||
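Review bot: "see example below" is a dangling pointer that depends on page order; the example it refers to appears to be the "Running in aim_spu_module anergistic" section further down, so link to that section explicitly instead.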
Line 54: | Line 43: | ||
=== Problems === | === Problems === | ||
==== Connection | ====Connection proble==== | ||
when in debugger mode | when in debugger mode | ||
<pre> | <pre> | ||
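Review bot: the new heading "====Connection proble====" has a typo ("proble" for "problem") and drops the spaces around the heading text that every other heading on the page uses; make it "==== Connection problem ====".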
Line 62: | Line 50: | ||
recv failed: Success | recv failed: Success | ||
</pre> | </pre> | ||
====Solution==== | |||
use ppu-gdb | |||
== aim_spu_module == | == aim_spu_module == | ||
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in. | |||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
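Review bot: "recv failed: Success" is what perror() or strerror(errno) prints when recv() returned 0 (the peer closed the connection) rather than -1, so the message is a closed connection reported as an error, not a socket failure; the Solution section would help more if it said why ppu-gdb connects where stock gdb does not, and "use ppu-gdb" should be a full sentence. "====Solution====" also lacks the spaces the other headings use. The added aim_spu_module description reads well; "device id" and "open psid" would be clearer as "device ID" and "open PSID".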
Line 115: | Line 72: | ||
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | | 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | ||
|} | |} | ||
This messages are DMAed to the ppu if a debug output address is specified. | |||
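Review bot: the added sentence has a number agreement error, "This messages" should be "These messages", and "ppu" is better written "PPU"; the "equall" in the 0x3790 message is a quoted firmware string and must stay as it is.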
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
Line 125: | Line 81: | ||
! ? 3.41 ? !! 355 CEX | ! ? 3.41 ? !! 355 CEX | ||
|- | |- | ||
| 0x37e0 || - || Reference | | 0x37e0 || - || Reference tool fallback IDPS | ||
|- | |- | ||
| 0x37f0 - ... || 0x3650 - ... || Start of [[Keys# | | 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]] | ||
|- | |- | ||
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | | 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | ||
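Review bot: "[[Keys#aim_keys]]" is added as a bare section link and will render as "Keys#aim_keys"; the piped form "[[Keys#aim_keys|AIM keys]]" reads better and avoids repeating "AIM keys" before it. The "0x37f0 - ..." and "0x3650 - ..." ranges give no end address, and the header "? 3.41 ?" still carries placeholder question marks, so it is unclear whether the first address column is confirmed for 3.41.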
Line 133: | Line 89: | ||
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | | 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | ||
|} | |} | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ||
Line 155: | Line 111: | ||
| 0x17f0 || || - || - || AES 1 Part of aes implementation. | | 0x17f0 || || - || - || AES 1 Part of aes implementation. | ||
|- | |- | ||
| 0x1c48 || || | | 0x1c48 || || - || - || AES 2 Part of aes implementation. | ||
|- | |- | ||
| 0x1df0 || || | | 0x1df0 || || - || - || AES 3 Probably part of aes implementation. | ||
|- | |- | ||
| 0x20f0 || || | | 0x20f0 || || - || - || AES 4 Probably part of aes implementation. | ||
|- | |- | ||
| 0x2300 || || | | 0x2300 || || - || - || AES 5 Probably part of aes implementation. | ||
|- | |- | ||
| 0x2418 || || | | 0x2418 || || - || - || AES 6 Part of aes implementation. | ||
|- | |- | ||
| 0x2608 || || | | 0x2608 || || - || - || AES 7 Part of aes implementation. | ||
|- | |- | ||
| 0x30c0 || || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS. | | 0x30c0 || || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS. | ||
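Review bot: the do_dma row says the routine moves data "in and out" of the isolated module's LS but lists no parameter that selects the direction; if the direction or the MFC command is carried in unk0/unk1, state that, otherwise mark the direction as unknown. In the AES rows "aes" is lowercase while the Data table writes "AES sbox"; use "AES" throughout, and a short note on how rows 1, 2, 6 and 7 were confirmed (versus the "Probably" rows 3 to 5) would make the confidence levels meaningful.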
Line 171: | Line 127: | ||
| 0x3168 || || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | | 0x3168 || || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
==== Disasm ==== | ==== Disasm ==== | ||
The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | |||
== Decrypting EID == | ==Decrypting EID== | ||
=== Dumper iso.self === | === Dumper iso.self === | ||
=== Dumper Payload === | === Dumper Payload === | ||
* http://pastie.org/pastes/2101977 | |||
=== Running in aim_spu_module anergistic === | |||
//Partial code modified to run aim_spu_module | |||
* http://pastie.org/2000330 | |||
=== Running aim_spu_module | |||
* | |||
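Review bot: the left column's "=== Running aim_spu_module" heading is cut off without a closing "===" and sits above an empty bullet, and "=== Dumper iso.self ===" is left with no content under it in both columns; empty sections should either be filled or removed. "//Partial code modified to run aim_spu_module" is a C-style comment placed outside any pre block; either put it inside a pre with the code it describes or make it prose ("Partial code, modified to run aim_spu_module:"). The pastie and pastebin links are the only record of the payload and the full disassembly, and such pastes expire; copying the relevant parts into the page would keep the section usable.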
== isoldr == | == isoldr == | ||
loads, decrypts, runs isolated modules, and creates through aes the required key in LS 0x0 | |||
=== Debug messages === | === Debug messages === | ||
This module doesnt contain debug messages | |||
This module | |||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
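Review bot: "doesnt" should be "doesn't", and the left column's "This module" is a truncated duplicate of the same sentence, so the right column's single line is the correct form. The added isoldr description "creates through aes the required key in LS 0x0" is hard to parse; say what is derived, from what, and where it is written (for example "derives the required key with AES and stores it at LS 0x0"), and start the sentence with a capital letter.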
Line 208: | Line 158: | ||
|- | |- | ||
|- | |- | ||
| 0x34C40 - ... || | | 0x34C40 - ... || || Start of isoldr keys [[Keys#Modules]] | ||
|- | |- | ||
| 0x35130 || | | 0x35130 || || AES sbox (16*16 bytes) | ||
|- | |- | ||
| 0x35300 || | | 0x35300 || || AES inverse sbox (16*16 bytes) | ||
|} | |} | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ||
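Review bot: every added isoldr Data row fills only the first address column and leaves the second empty, so it is not clear whether the offsets belong under the "? 3.41 ?" or the "355 CEX" header that the other tables use; fill the column or state which firmware they were taken from. The two consecutive "|-" row separators produce an empty table row, and the address casing is mixed (0x34C40 here versus 0x3ac0 in the aim_spu_module tables); use lowercase hex throughout.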
Line 222: | Line 172: | ||
! ? 3.41 ? !! 355 CEX | ! ? 3.41 ? !! 355 CEX | ||
|- | |- | ||
| | | 0xa18 || || main_func || unknown || Main routine. | ||
|- | |- | ||
| | | 0x2BF28 || || - || - || AES 2 Part of aes implementation. | ||
|- | |- | ||
| | | 0x2C240 || || - || - || AES 3 Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x2C8D0 || || - || - || AES 4 Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x2CDC8 || || - || - || AES 5 Probably part of aes implementation. | ||
|- | |- | ||
| | | 0x2D7C0 || || - || - || AES 6 Part of aes implementation. | ||
|- | |- | ||
| | | 0x2D9B0 || || - || - || AES 7 Part of aes implementation. | ||
|- | |- | ||
| | | 0x346B0 || || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
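Review bot: the isoldr Functions table starts at "AES 2" with no "AES 1" row and has no do_dma row, unlike the aim_spu_module table it mirrors; if the first AES routine and the DMA helper were not located, say so, otherwise rows are missing. As in the isoldr Data table, only the first address column is filled and the addresses are uppercase hex; align the layout and casing with the aim_spu_module tables so the two modules can be compared side by side.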