Editing SPU Isolated Modules Reverse Engineering
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
== anergistic == | == anergistic == | ||
Line 6: | Line 7: | ||
*https://github.com/kraiskil/anergistic.git | *https://github.com/kraiskil/anergistic.git | ||
* | *http://foxbrew.org/git/anergistic.git/ | ||
=== | === usage === | ||
anergistic can be launched in two different modes, one that '''only emulates''' (runs) the program through the SPU and the the other that lets you '''debug''' the process through gdb | anergistic can be launched in two different modes, one that '''only emulates''' (runs) the program through the SPU and the the other that lets you '''debug''' the process through gdb | ||
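Review bot: the latest-revision column drops the text of the `=== usage ===` heading and the second mirror URL but keeps their lines, leaving a bare `===` heading and an empty `*` bullet; either restore `=== usage ===` and `*http://foxbrew.org/git/anergistic.git/` or delete both lines outright. The doubled "the the" in "and the the other that lets you" is present in both columns and should read "and the other that lets you".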
Line 17: | Line 15: | ||
==== only emulate ==== | ==== only emulate ==== | ||
<pre> | |||
./anergistic spu_elf_name.elf | |||
</pre> | |||
this mode runs an elf with all the parameters and actions defined on main.c, channel.c a | this mode runs an elf with all the parameters and actions defined on main.c, channel.c a | ||
==== debug ==== | ==== debug ==== | ||
terminal 1 | terminal 1 | ||
<pre> | |||
./anergistic -g 1234 spu_elf_name.elf //simulate debug server in the local host on port 1234 | |||
simulate debug server in the local host on port 1234 | </pre> | ||
terminal 2 | terminal 2 | ||
<pre> | |||
spu-gdb spu_elf_name.elf | spu-gdb spu_elf_name.elf | ||
(gdb)target remote :1234 | (gdb)target remote :1234 //connect to the local host on port 1234 | ||
(gdb)help //gives you information of the command available | |||
</pre> | |||
connect to the local host on port 1234 | |||
(gdb)help | |||
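Review bot: in the latest-revision column the `<pre>` opened under `terminal 1` is never closed before `terminal 2`, and in the second block the explanations have been moved below `</pre>`, so `connect to the local host on port 1234` and `(gdb)help` end up as loose prose after the block while the `//simulate debug server ...` comment is both kept on the command line and repeated underneath it. The other column keeps each explanation as a `//` comment on its command line inside the block, which renders cleanly; prefer that form, or close each `<pre>` before the explanatory text. The sentence `this mode runs an elf with all the parameters and actions defined on main.c, channel.c a` is cut off in both columns and needs finishing.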
==== Documentation ==== | ==== Documentation ==== | ||
Line 48: | Line 44: | ||
=== Customizations === | === Customizations === | ||
see example below | |||
'''Running in aim_spu_module anergistic''' | '''Running in aim_spu_module anergistic''' | ||
Line 54: | Line 50: | ||
=== Problems === | === Problems === | ||
==== Connection | ====Connection proble==== | ||
when in debugger mode | when in debugger mode | ||
<pre> | <pre> | ||
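Review bot: the section heading is malformed in both columns: the latest revision has `==== Connection` with no closing `====` and no noun, the other has `====Connection proble====` with "problem" truncated; use `==== Connection problem ====`.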
Line 62: | Line 57: | ||
recv failed: Success | recv failed: Success | ||
</pre> | </pre> | ||
====Solution==== | |||
use spu-gdb | |||
=== | === Tools === | ||
[http://pastie.org/2810870 gnuify_ida.pl] | |||
[http://pastie.org/2810870 gnuify_ida.pl | |||
Use this to convert IDA disassembly into a format suitable for GNU AS. Literals in IDA are unsigned while AS expects signed literals. Conversion of literals is a work in progress. | Use this to convert IDA disassembly into a format suitable for GNU AS. Literals in IDA are unsigned while AS expects signed literals. Conversion of literals is a work in progress. | ||
== aim_spu_module == | == aim_spu_module == | ||
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in. | |||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
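Review bot: `[http://pastie.org/2810870 gnuify_ida.pl` in the right column is missing its closing `]`, so the link will not render; the latest revision has the bracket but reduces the `=== Tools ===` heading to a bare `===`. The `====Solution====` / `use spu-gdb` lines exist only in the right column, so the connection-problem section in the latest revision gives the symptom (`recv failed: Success`) without the fix; keep both the heading fix and the solution. The sentence explaining what aim_spu_module retrieves (device type, device id, open psid and pscode from the EID0 data passed in) exists only in the latest revision and should survive the undo.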
Line 115: | Line 83: | ||
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | | 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" | ||
|} | |} | ||
This messages are DMAed to the ppu if a debug output address is specified. | |||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
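Review bot: "This messages are DMAed to the ppu" should read "These messages are DMAed to the PPU"; the line appears only in the latest revision. The "equall" spelling inside the quoted string `(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n` is presumably verbatim from the module and should stay as-is so the string can be searched for.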
Line 125: | Line 92: | ||
! ? 3.41 ? !! 355 CEX | ! ? 3.41 ? !! 355 CEX | ||
|- | |- | ||
| 0x37e0 || - || Reference | | 0x37e0 || - || Reference tool fallback IDPS | ||
|- | |- | ||
| 0x37f0 - ... || 0x3650 - ... || Start of [[Keys# | | 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]] | ||
|- | |- | ||
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | | 0x3ac0 || 0x3870 || AES sbox (16*16 bytes) | ||
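Review bot: the latest-revision column truncates the 0x37e0 description to `Reference` and leaves the wikilink `[[Keys#` unterminated on the 0x37f0 row, which will break the table markup; the other column's `Reference tool fallback IDPS` and `Start of AIM keys [[Keys#aim_keys]]` are the complete forms and should be restored. The question marks in the `! ? 3.41 ? !! 355 CEX` sub-header leave the first address column's firmware version uncertain; a short note saying the 3.41 attribution is unconfirmed would be clearer than bare `?` marks.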
Line 133: | Line 100: | ||
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | | 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | ||
|} | |} | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ||
Line 171: | Line 138: | ||
| 0x3168 || || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | | 0x3168 || || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
==== Disasm ==== | ==== Disasm ==== | ||
The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | |||
== Decrypting EID == | ==Decrypting EID== | ||
=== Dumper iso.self === | === Dumper iso.self === | ||
=== Dumper Payload === | === Dumper Payload === | ||
* http://pastie.org/pastes/2101977 | |||
=== Running in aim_spu_module anergistic === | |||
//Partial code modified to run aim_spu_module | |||
* http://pastie.org/2000330 | |||
=== Running aim_spu_module | |||
* | |||
== isoldr == | == isoldr == | ||
loads, decrypts, runs isolated modules, and creates through aes the required key in LS 0x0 | |||
=== Debug messages === | === Debug messages === | ||
This module doesnt contain debug messages | |||
This module | |||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Message | ! colspan="2" | Address !! rowspan="2" | Message | ||
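Review bot: the right column's `=== Running aim_spu_module` heading has no closing `===` and is followed by an empty `*` bullet, and its `This module` line is cut short; the latest revision carries the complete `=== Running in aim_spu_module anergistic ===` section with its pastie link and the full sentence `This module doesnt contain debug messages` (which should read "doesn't"). `//Partial code modified to run aim_spu_module` is a C-style comment sitting outside any `<pre>` block; it reads better as a plain description of the linked paste. `=== Dumper iso.self ===` has no body in either column, and `==Decrypting EID==` versus `== Decrypting EID ==` is a whitespace-only difference.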
Line 216: | Line 177: | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info | ||
Line 271: | Line 231: | ||
|} | |} | ||
from isoldr 3.41 iirc -> http://pastie.org/2774207 //offsets relative to segment start | |||
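Review bot: `//offsets relative to segment start` is a code-style comment trailing a prose line; state it as a sentence ("Offsets are relative to the segment start"), and since "3.41 iirc" is a recollection rather than a verified fact, mark the firmware version of the linked table as unconfirmed.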