SPU Isolated Modules Reverse Engineering: Difference between revisions
Jump to navigation
Jump to search
(→Data) |
m (→aim_spu_module) |
||
| Line 5: | Line 5: | ||
=== Debug messages === | === Debug messages === | ||
{| class="wikitable" | {| class="wikitable" | ||
! Address !! | ! colspan="2" | Address !! rowspan="2" | Message | ||
|- | |- | ||
! !! | ! ? 3.41 ? !! 355 CEX | ||
|- | |- | ||
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n" | | 0x36f0 || 0x3570 || "(spu)start aim spu module!\n" | ||
| Line 18: | Line 18: | ||
|} | |} | ||
This messages are DMAed to the ppu if a debug output address is specified. | This messages are DMAed to the ppu if a debug output address is specified. | ||
=== Data === | === Data === | ||
{| class="wikitable" | {| class="wikitable" | ||
! Address !! | ! colspan="2" | Address !! rowspan="2" | Message | ||
|- | |- | ||
! !! | ! ? 3.41 ? !! 355 CEX | ||
|- | |- | ||
| 0x37e0 || - || Reference tool fallback IDPS | | 0x37e0 || - || Reference tool fallback IDPS | ||
| Line 33: | Line 35: | ||
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | | 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes) | ||
|} | |} | ||
=== Functions === | === Functions === | ||
| Line 68: | Line 72: | ||
| 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | | 0x3168 || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask. | ||
|} | |} | ||
==== Disasm ==== | ==== Disasm ==== | ||
The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | The complete disassembly is available at [http://pastebin.com/7vArGweJ]. | ||
=== Running in anergistic === | === Running in anergistic === | ||
-> http://pastie.org/2000330 | -> http://pastie.org/2000330 | ||
Revision as of 17:01, 20 September 2011
aim_spu_module
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.
Debug messages
| Address | Message | |
|---|---|---|
| ? 3.41 ? | 355 CEX | |
| 0x36f0 | 0x3570 | "(spu)start aim spu module!\n" |
| 0x3710 | 0x3590 | "(spu) PU DMA area start address is not align 16byte\n" |
| 0x3750 | 0x35d0 | "(spu) PU EID area start address is not align 16byte\n" |
| 0x3790 | 0x3610 | "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" |
This messages are DMAed to the ppu if a debug output address is specified.
Data
| Address | Message | |
|---|---|---|
| ? 3.41 ? | 355 CEX | |
| 0x37e0 | - | Reference tool fallback IDPS |
| 0x37f0 - ... | 0x3650 - ... | Start of EID keys |
| 0x3ac0 | 0x3870 | AES sbox (16*16 bytes) |
| 0x3c70 | 0x3a20 | AES inverse sbox (16*16 bytes) |
Functions
| Address | Name | Parameters | Info |
|---|---|---|---|
| 0x9e0 | stop_func | unknown | Stops the module execution with various stop codes. |
| 0xa18 | main_func | unknown | Main routine. |
| 0xf18 | response | unknown | Sends response to ppu over DMA. |
| 0x1158 | process_eid | unknown | Decrypts EID0. |
| 0x1438 | prepare_print | unknown | Prepares debug output. |
| 0x1440 | debug_print | unknown | As the name already states... (this outputs over DMA) |
| 0x17f0 | - | - | Part of aes implementation. |
| 0x1c48 | - | - | Part of aes implementation. |
| 0x1df0 | - | - | Probably part of aes implementation. |
| 0x20f0 | - | - | Probably part of aes implementation. |
| 0x2300 | - | - | Probably part of aes implementation. |
| 0x2418 | - | - | Part of aes implementation. |
| 0x2608 | - | - | Part of aes implementation. |
| 0x30c0 | do_dma | ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 | Used to dma data in and out of the isolated module's LS. |
| 0x3168 | write_tag_mask_bit | mask_bit:$4 | Used to set a specific bit in MFC_WrTagMask. |
Disasm
The complete disassembly is available at [1].