Editing Talk:Boot Order

* https://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/AF7832F379790768872572D10047E52B/$file/CellBE_HIG_65nm_v1.01_8Jun2007.pdf
* http://cell.scei.co.jp/e_download.html
=== Other docs ===
Masking a hardware boot sequence (patent)
* https://www.google.com/patents/US8046573?dq=cell+broadband+engine+secure&hl=en&sa=X&ei=dfQCVM_hGpXh8AXm54D4Ag&ved=0CCMQ6AEwATgK


===SPI traces/testpoints===
== What type of encryption? ==


The various loaders and levels in this page are encrypted as [[Certified File]]s.
The Boot Order table lists whether the various loaders and levels are encrypted, but doesn't say what type of encryption. Is this generally AES256?
-- 69.55.232.38
 
^try reading the paragraph just above^ where you posted this question ;) and of course the [[SELF File Format and Decryption]] page is a good reference. :) [[User:Euss|Euss]]


== LV0 ==
* 3.66 DEX : Boot Loader SE Version 3.6.6 (Build ID: 4534,47762, Build Date: 2011-06-16_13:24:46)
* 3.73 DEX : Boot Loader SE Version 3.7.3 (Build ID: 4611,48369, Build Date: 2011-10-12_12:31:19)
<!--// "Boot Loader SE Version  (Build ID: security$,system$ Build Date: tardate$)" //-->
<small>(You can get these strings via tty on a [[SKU_Models#Reference_Tool_.28Tool.2FDECR.29|DECR]], so it's not proof of decryption :P)</small>


== old and new metldr handle CoreOS/flash the same ==
== 4.0 PUP and 4.0 Flash comparison ==
 
=== 4.0 PUP and 4.0 Flash comparison (all metldr) ===
{| class="wikitable sortable"
|-
|}
=== 3.60 PUP and 3.60 Flash comparison (sanity crosscheck 'metldr.2') ===
{| class="wikitable sortable"
|-
! PUP file !! PUP SHA1 !! Flash SHA1 !! Flash region !! Notes
|-
| aim_spu_module.self || 9283d37bd2fdd5fda03fc14e725e717904840633 || 9283d37bd2fdd5fda03fc14e725e717904840633 || 0x083FF9C ||
|-
| creserved_0 || 1e4903cd5f594c13dad2fd74666ba35c62550044 || 1e4903cd5f594c13dad2fd74666ba35c62550044 || 0x07C0470 ||
|-
| default.spp || 6610b4c76d069919d54818fe959e722a764c7ed2 || 6610b4c76d069919d54818fe959e722a764c7ed2 || 0x0874190 ||
|-
| emer_init.self || fcc019cc046ba8e3e6b64c86c3d72b75d8ddbe39 || fcc019cc046ba8e3e6b64c86c3d72b75d8ddbe39 || 0x0C3B67C ||
|-
| eurus_fw.bin || f7b44127177a9d877bc477895ab25008262c17d6 || f7b44127177a9d877bc477895ab25008262c17d6 || 0x0BCA6E8 ||
|-
| hdd_copy.self || b2b787e93a44ae66350e00ad416d317c30a36cf4 || b2b787e93a44ae66350e00ad416d317c30a36cf4 || 0x0CB98E4 ||
|-
| lv0 || 4d916dd40f594515a080fb1a5e9217b720d0adff || 4d916dd40f594515a080fb1a5e9217b720d0adff || 0x099C390 ||
|-
| lv0.2 || f0350d02bb9df3322e4a8f7e3a0527f379807891 || f0350d02bb9df3322e4a8f7e3a0527f379807891 || 0x0A51890 ||
|-
| lv1.self || 3fe00a9a76a7af93854537e48bd96dc6fe49e9cd || 3fe00a9a76a7af93854537e48bd96dc6fe49e9cd || 0x0876490 ||
|-
| lv2_kernel.self || 26791e398a6d73092f2e92692b2572b122751844 || 26791e398a6d73092f2e92692b2572b122751844 || 0x0A51D90 ||
|-
| manu_info_spu_module.self || 30d85dd537609ea6d407ce0d4a70a644d8321b68 || 30d85dd537609ea6d407ce0d4a70a644d8321b68 || 0x0D1B0FC ||
|-
| mc_iso_spu_module.self || 1802405dc3c05b45cb9324a25942487757066ef6 || 1802405dc3c05b45cb9324a25942487757066ef6 || 0x0851A24 ||
|-
| me_iso_spu_module.self || 2d30fe7f78fd667d82faae775fed0fd6ee807de4 || 2d30fe7f78fd667d82faae775fed0fd6ee807de4 || 0x0859AB0 ||
|-
| pkg.srvk || bc90ec2cca61363916581429588d762acc91b5d3 || bc90ec2cca61363916581429588d762acc91b5d3 || 0x0D1C3A4 ||
|-
| prog.srvk || 4939c2c67a4c042892f3d41d053c5df0300b6fe1 || 4939c2c67a4c042892f3d41d053c5df0300b6fe1 || 0x0D1C684 ||
|-
| sb_iso_spu_module.self || ebc24d11e949a89f133faf5af8b65ab0bdd48a5b || ebc24d11e949a89f133faf5af8b65ab0bdd48a5b || 0x086E3E0 ||
|-
| sc_iso.self || f88da181630e9b18906a2422eef84d9031389a0d || f88da181630e9b18906a2422eef84d9031389a0d || 0x0822CC4 ||
|-
| sdk_version || b3811e02d05e465b40fb97c90bdf6555f57c2bc1 || b3811e02d05e465b40fb97c90bdf6555f57c2bc1 || 0x0800470 ||
|-
| spp_verifier.self || c229c969c86aaaf6fcb8a6c934efc4c89cade331 || c229c969c86aaaf6fcb8a6c934efc4c89cade331 || 0x0844234 ||
|-
| spu_pkg_rvk_verifier.self || a65bc5d877975c8d6b9f32871cd0f72623437179 || a65bc5d877975c8d6b9f32871cd0f72623437179 || 0x0800478 ||
|-
| spu_token_processor.self || 24ca3d547c96a273e0ca6e7a04950da479c37240 || 24ca3d547c96a273e0ca6e7a04950da479c37240 || 0x080FFC4 ||
|-
| spu_utoken_processor.self || 2fb6594a089fd2a979ee135aaf563813eb9af3e2 || 2fb6594a089fd2a979ee135aaf563813eb9af3e2 || 0x081C8F4 ||
|-
| sv_iso_spu_module.self || bd95da672a720e2db8129949834c8b37b116f4f5 || bd95da672a720e2db8129949834c8b37b116f4f5 || 0x0862368 ||
|-
| colspan="5" |
|-
|-
| RL_FOR_PACKAGE.img || a1859315621737a6a231d2b5939acf25a8bd6498 || - || - ||
|-
| RL_FOR_PROGRAM.img || b747d015488762163ae60bce82541cd36351151c || - || - ||
|-
| - || - || 1b65641edaa9c53cb33d1d7cb4c15e5417917a33 || 0x0080000 || trvk_pkg0
|-
| - || - || 1b65641edaa9c53cb33d1d7cb4c15e5417917a33 || 0x00A0000 || trvk_pkg1
|-
| - || - || da1721aa1a8e0626ab916299562fb0f517c7da52 || 0x0040000 || trvk_prg0
|-
| - || - || da1721aa1a8e0626ab916299562fb0f517c7da52 || 0x0060000 || trvk_prg1
|-
|}
== CoreOS Contents Per Firmware ==
Generated with BwE Bulk Validator BETA 0.01 - Matched with valid ROS0/1 extracts.
This list should have static MD5s (meaning your files should not differ).
http://pastebin.com/mGNMZ1Nm
== CEB Units ==
* On CEB units the boot order is different:
- There is no metldr; all loaders are Secure Isolated Loaders (not Secure Loader Applications) and load as metldr would. They are 00 paired and as such can be updated/overwritten.
* 1. lv0ldr (the file is actually called this on NOR) starts. If the DIP SW is set to the normal position, it starts lv0 from lv0_bank0; if lv0_bank0 is missing, corrupt or blank, it starts from lv0_bank1; if none are present, it fails. If the DIP SW is set to update mode, it starts "updater" instead of lv0_bank0.
* 2. updater is a slightly modified lv0; it will load isoldr and use it to decrypt ebootroms (old ebootroms are encrypted with AES128CTR). Old ebootroms only contained a NOR image.
* 3. If the DIP SW is set to normal, lv0_bank0 is loaded and will start rvkldr, which will verify revocation for lv1.self using RL_FOR_PROGRAM.img, then lv1ldr, which will decrypt and start lv1.self.
* 4. lv1 will start rvkldr to verify lv2_kernel.self revocation using RL_FOR_PROGRAM.img; if the check passes, it will load lv2ldr and lv2_kernel.self will start.
* 5. sys_init_ios.self is decrypted by lv2ldr and started. (There is no appldr.)
* 6. sys_init_app.self is decrypted by lv2ldr and started. (There is no appldr.)
* Note 1: updater, lv0_bank0 and lv1.self share the same keyset (even though lv1ldr is exclusively used to decrypt lv1.self).
* Note 2: There is no isolated module that I know of that isoldr decrypts (even though it does handle the feature); isoldr was used for updating purposes back then on the CEB units.
* Note 3: SELF applications are all decrypted by lv2ldr (only sys_init_app.self and sys_init_ios.self exist in SELF format; all other applications are in .elf format and started directly by sys_init_app).
* Note 4: There is no CBC step in the SELF decryption! Even if you can't dump/decrypt loaders, it is still possible to decrypt SELFs by XORing their metadata together for those using the same keysets (AES128CTR using the same key and IV).
* Note 5: A 00 paired Secure Isolated Loader can be identified by the fact that the per console key in the header, located at 0x14 with size 0x0C, is filled with 0x00. These loaders do not decrypt/load on regular consoles because the per console key is forced in the decryption step if set.
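
The keystream reuse described in Note 4, as an added example that is not part of the original talk page: with CTR mode, two blobs encrypted under the same key and IV share one keystream, so XORing the ciphertexts cancels it, and a fresh IV per blob removes the relation. Assumptions: a SHA-256 counter construction stands in for AES128CTR (the XOR property holds for any keystream fixed by key and IV), and the key, IVs and metadata blocks are constructed values.

```python
import hashlib

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in CTR keystream: SHA-256(key || iv || counter) blocks (not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CTR encryption and decryption are the same operation: XOR with keystream.
    return xor(plaintext, keystream(key, iv, len(plaintext)))

# Constructed sample values, not taken from any real firmware.
KEY = bytes(range(16))
IV_SHARED = bytes(16)
IV_FRESH = b"\x01" * 16
META_A = b"constructed metadata block A".ljust(32, b"\x00")
META_B = b"constructed metadata block B".ljust(32, b"\xff")

def ciphertext_xor_equals_plaintext_xor(iv_a: bytes, iv_b: bytes) -> bool:
    """True when C_a xor C_b == P_a xor P_b, i.e. the keystream cancelled."""
    c_a = ctr_encrypt(KEY, iv_a, META_A)
    c_b = ctr_encrypt(KEY, iv_b, META_B)
    return xor(c_a, c_b) == xor(META_A, META_B)

def recover_b_from_known_a(iv_a: bytes, iv_b: bytes) -> bytes:
    """With P_a known, C_a xor C_b xor P_a yields P_b only if key and IV repeat."""
    c_a = ctr_encrypt(KEY, iv_a, META_A)
    c_b = ctr_encrypt(KEY, iv_b, META_B)
    return xor(xor(c_a, c_b), META_A)

if __name__ == "__main__":
    print("shared IV leaks:", ciphertext_xor_equals_plaintext_xor(IV_SHARED, IV_SHARED))
    print("fresh IV leaks: ", ciphertext_xor_equals_plaintext_xor(IV_SHARED, IV_FRESH))
```

The design fix is a unique IV (or key) per encrypted blob plus an integrity check on the metadata, since CTR alone provides neither uniqueness nor authentication.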