SPU Isolated Modules Reverse Engineering: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
m (Minor Cleanup) |
||
Line 4: | Line 4: | ||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! Address !! Message | |||
|- | |- | ||
| 0x36f0 || "(spu)start aim spu module!\n" | | 0x36f0 || "(spu)start aim spu module!\n" | ||
Line 17: | Line 17: | ||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! Address !! Info | |||
|- | |- | ||
| 0x3ac0 || AES sbox (16*16 bytes) | | 0x3ac0 || AES sbox (16*16 bytes) | ||
Line 26: | Line 26: | ||
=== Functions === | === Functions === | ||
{| class="wikitable" | {| class="wikitable" | ||
! Address !! Name !! Parameters !! Info | |||
|- | |- | ||
| 0x1440 || debug_print || unknown || As the name already states... | | 0x1440 || debug_print || unknown || As the name already states... |
Revision as of 07:11, 8 April 2011
aim_spu_module
It is used to retrieve the device type, device id, open psid and the pscode from the EID data that is passed in.
Debug messages
Address | Message |
---|---|
0x36f0 | "(spu)start aim spu module!\n" |
0x3710 | "(spu) PU DMA area start address is not align 16byte\n" |
0x3750 | "(spu) PU EID area start address is not align 16byte\n" |
0x3790 | "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" |
Data
Address | Info |
---|---|
0x3ac0 | AES sbox (16*16 bytes) |
0x3c70 | AES inverse sbox (16*16 bytes) |
Functions
Address | Name | Parameters | Info |
---|---|---|---|
0x1440 | debug_print | unknown | As the name already states... |
0x30c0 | do_dma | ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 | Used to dma data in and out of the isolated module's LS. |
0x17f0 | - | - | Part of aes implementation. |
0x1c48 | - | - | Part of aes implementation. |
0x1df0 | - | - | Probably part of aes implementation. |
0x20f0 | - | - | Probably part of aes implementation. |
0x2300 | - | - | Probably part of aes implementation. |
0x2418 | - | - | Part of aes implementation. |
0x2608 | - | - | Part of aes implementation. |
0x3168 | write_tag_mask_bit | mask_bit:$4 | Used to set a specific bit in MFC_WrTagMask. |
Disasm
The complete disassembly is available at [1].
do_dma
From 0x30c0 to 0x3130 it just checks if the parameters are ok (ls_addr != 0, dma_effective_addr != 0, size-1 < 0x3fff, tag_id < 32) else it will jump to 0x3160.
//(ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9) //... { //3134: 21 a0 08 0a wrch $MFC_LSA,$10 wrch(MFC_LSA, ls_addr); //3138: 21 a0 08 85 wrch $MFC_EAH,$5 wrch(MFC_EAH, dma_effective_addr); //313c: 3f e1 02 8a shlqbyi $10,$5,4 //3140: 21 a0 09 0a wrch $MFC_EAL,$10 wrch(MFC_EAL, dma_effective_addr << 4); //3144: 21 a0 09 86 wrch $MFC_Size,$6 wrch(MFC_Size, size); //3148: 21 a0 0a 07 wrch $MFC_TagID,$7 wrch(MFC_TagID, tag_id); //314c: 0f 64 04 06 shli $6,$8,16 //3150: 08 22 43 05 or $5,$6,$9 //3154: 21 a0 0a 85 wrch $MFC_Cmd,$5 wrch(MFC_Cmd, (unk0 << 16) | unk1); //3158: 40 80 00 03 il $3,0 //315c: 35 00 00 00 bi $lr return 0; //0 is probably success err:; //3160: 40 80 04 83 il $3,9 //3164: 35 00 00 00 bi $lr return 9; //9 is probably failure }
write_tag_mask_bit
//(tag_mask_bit:$4) { //3168: 40 80 00 02 il $2,0 //Update immediately, unconditional. //316c: 21 a0 0b 82 wrch $MFC_WrTagUpdate,$2 wrch(MFC_WrTagUpdate, 0); //3170: 01 e0 0b 83 rchcnt $3,$MFC_WrTagUpdate //3174: 7c 00 41 85 ceqi $5,$3,1 //3178: 20 7f ff 05 brz $5,0x3170 # 3170 while(rchcnt(MFC_WrTagUpdate) != 1); //317c: 01 a0 0c 02 rdch $2,$MFC_RdTagStat $2 = rdch(MFC_RdTagStat); //3180: 0b 61 01 86 shl $6,$3,$4 //3184: 21 a0 0b 06 wrch $MFC_WrTagMask,$6 wrch(MFC_WrTagMask, 1 << tag_mask_bit); //3188: 40 80 01 03 il $3,2 //Update tag status if or when all enabled tag groups have “no outstanding operation” status. //318c: 21 a0 0b 83 wrch $MFC_WrTagUpdate,$3 wrch(MFC_WrTagUpdate, 2); //3190: 01 a0 0c 02 rdch $2,$MFC_RdTagStat $2 = rdch(MFC_RdTagStat); //3194: 35 00 00 00 bi $lr return; }