Appliance Information Manager: Difference between revisions

From PS3 Developer wiki
m (CelesteBlue moved page AIM Manager to Appliance Information Manager)
AIM (Appliance Info Manager) is a [[Hypervisor_Reverse_Engineering#Process_socket_services|Process socket service]] supported by the hypervisor (lv1).<br>


It is used to retrieve the IDPS, Target ID, Open PSID and PS Code from the [[Flash#EID0_-_Section_0|EID0]] data that is passed in.


The isolated SPU module '''aim_spu_module.self''' from [[CoreOS|CoreOS]] / [[Flash#ros0|Flash]] is responsible for this.


This service is accessible from GameOS via syscall '''867''' (0x363) and requires the 0x40 Root flag ([[Capability_Flags|Capability Flags]]) to be set in the [[SELF - SPRX#Supplemental Header Table|Plaintext Capability Header]].
 
internally loaded@ss_server2.fself
Function Id : 0x19000
Port:       0x24
 
= 0x19000 - AIM =
 
{| class="wikitable FCK__ShowTableBorders"
|-
! Packet ID
! Description
! Lv1 Parameter Usage
! Lv2Syscall Parameter
! Notes
|-
| 0x19002
| Get Device Type
|
| uint8_t out[0x10]
|
|-
| 0x19003
| Get Device ID
|
| uint8_t out[0x10]
|
|-
| 0x19004
| Get PS Code
|
| uint8_t out[0x8]
|
|-
| 0x19005
| Get Open PS ID
|
| uint8_t out[0x10]
|
|-
| 0x19006
| Unknown
|
| void
|
|}
 
== 0x19002 - Get Device Type ==
 
* returns the console [[Target_ID|Target Id]]:
<pre>
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x85
</pre>
 
calling from GameOS:
<source lang="c">
#include <stdint.h>
typedef uint8_t u8;

/* 16-byte output buffer of packet 0x19002 */
struct ss_aim_get_device_type {
    u8 field0[16];
};

int cellSsAimGetDeviceType(uint8_t out[0x10]);
</source>
 
== 0x19003 - Get Device ID ==
 
* returns the console's [[IDPS]]
 
<pre>
0x00 0x00 0x00 0x01 0x00 0x89 0x00 0x0B 0x14 0x00 0xEF 0xDD 0xCA 0x25 0x52 0x66  .....‰....ïÝÊ%Rf
</pre>
 
calling from GameOS:
<source lang="c">
#include <stdint.h>
typedef uint8_t u8;

/* 16-byte output buffer of packet 0x19003 */
struct ss_aim_get_device_id {
    u8 idps[16]; /* see IDPS */
};

int cellSsAimGetDeviceId(uint8_t out[0x10]);
</source>
 
== 0x19004 - Get PS Code ==
 
On my CECHJ04 it returns:

<pre>
0x00 0x01 0x00 0x85 0x00 0x07 0x00 0x04
</pre>
 
The last two bytes are calculated simply by taking the 9th and 10th bytes of the [[IDPS]] and right-shifting them by 0xA.
 
calling from GameOS:
<source lang="c">
#include <stdint.h>
typedef uint8_t u8;

/* 8-byte output buffer of packet 0x19004 */
struct ss_aim_get_ps_code {
    u8 field0[8];
};

int cellSsAimGetPsCode(uint8_t out[8]);
</source>
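
The PS Code rule stated above can be used as a consistency check between a Get Device ID response and a Get PS Code response. This is an added example, not code from the wiki or from Sony's module; the function names are hypothetical, and it assumes that "9th and 10th byte" is 1-based (idps[8], idps[9]) and that the pair is read as one big-endian 16-bit value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AIM_IDPS_LEN    0x10 /* Get Device ID (0x19003) output size */
#define AIM_PS_CODE_LEN 0x08 /* Get PS Code (0x19004) output size */

/* Assumption: "9th and 10th byte" is 1-based (idps[8], idps[9]) and the
 * pair is read as one big-endian 16-bit value before the shift by 0xA. */
static uint16_t aim_ps_code_tail(const uint8_t idps[AIM_IDPS_LEN])
{
    uint16_t v = (uint16_t)((idps[8] << 8) | idps[9]);
    return (uint16_t)(v >> 0xA);
}

/* 0 = PS Code tail matches the IDPS, 1 = mismatch, -1 = bad buffer. */
static int aim_check_ps_code(const uint8_t *idps, size_t idps_len,
                             const uint8_t *ps_code, size_t ps_len)
{
    if (!idps || !ps_code ||
        idps_len != AIM_IDPS_LEN || ps_len != AIM_PS_CODE_LEN)
        return -1;
    uint16_t got = (uint16_t)((ps_code[6] << 8) | ps_code[7]);
    return got == aim_ps_code_tail(idps) ? 0 : 1;
}

/* PS Code quoted on the page for a CECHJ04. */
static const uint8_t page_ps_code[AIM_PS_CODE_LEN] =
    { 0x00, 0x01, 0x00, 0x85, 0x00, 0x07, 0x00, 0x04 };

/* Constructed IDPS: only bytes 8..9 (0x10 0x00) are set, the rest is zero. */
static const uint8_t constructed_idps[AIM_IDPS_LEN] = { [8] = 0x10, [9] = 0x00 };

/* IDPS sample shown in the Get Device ID section of the page. */
static const uint8_t page_idps[AIM_IDPS_LEN] =
    { 0x00, 0x00, 0x00, 0x01, 0x00, 0x89, 0x00, 0x0B,
      0x14, 0x00, 0xEF, 0xDD, 0xCA, 0x25, 0x52, 0x66 };

int main(void)
{
    printf("tail derived from page IDPS sample: 0x%04x\n",
           aim_ps_code_tail(page_idps));
    printf("constructed IDPS vs page PS Code: %d\n",
           aim_check_ps_code(constructed_idps, sizeof constructed_idps,
                             page_ps_code, sizeof page_ps_code));
    return 0;
}
```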
 
== 0x19005 - Get Open PS ID ==
 
calling from GameOS:
<source lang="c">
#include <stdint.h>
typedef uint8_t u8;

/* 16-byte output buffer of packet 0x19005 */
struct ss_aim_get_open_ps_id {
    u8 field0[16];
};

int cellSsAimGetOpenPsId(uint8_t out[0x10]);
</source>
 
== 0x19006 - Unknown ==
 
* Usage found in bdp_BDVD, for example, with 1 param (= 0).
* Seems to be handled by lv2_kernel, not AIM itself.
 
::Looks up the QA flag (if flagged, sets token seed to an lv2 internal buffer), the fself flag and the device_id.
 
calling from GameOS:
<source lang="C">
/* syscall 867 with only the packet ID as argument */
int ret = syscall(867, 0x19006);
</source>
 
* Note: this packet ID doesn't need another parameter.
 
= Reverse Engineering in Lv1 =
 
Function Id : 0x19000
Port:       0x24
Process:      5
 
To look into it further or get more things documented, consider looking at, for example:
 
* coolstuff\hvdump315_reversing\proc_5\code_seg.idb
* coolstuff\hvdump341_reversing\proc_5\code_seg.idb
* coolstuff\hvdump355_reversing\proc_5\code_seg.idb
 
= Reverse Engineering isolated module =
 
A crossreference to [[SPU_Isolated_Modules_Reverse_Engineering#aim_spu_module]].
 
== Debug messages ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Message
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n"
|-
| 0x3710 || 0x3590 || "(spu) PU DMA area start address is not align 16byte\n"
|-
| 0x3750 || 0x35d0 || "(spu) PU EID area start address is not align 16byte\n"
|-
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
|}
These messages are DMAed to the PPU if a debug output address is specified.
 
== Data ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Description
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x37e0 || - || Reference tool fallback IDPS
|-
| 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]]
|-
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
|-
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes)
|}
 
== Functions ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
|-
! &nbsp;3.41&nbsp; CEX/DEX !! 355&nbsp;CEX
|-
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
|-
| 0xa18 ||  || main_func || unknown || Main routine.
|-
| 0xf18 ||  || response || unknown || Sends response to ppu over DMA.
|-
| 0x1158 ||  || process_eid || unknown || Decrypts EID0.
|-
| 0x1438 ||  || prepare_print || unknown || Prepares debug output.
|-
| 0x1440 ||  || debug_print || unknown || As the name already states... (this outputs over DMA)
|-
| 0x17f0 ||  || - || - || AES 1 Part of aes implementation.
|-
| 0x1c48 ||  || aes_encrypt_ecb || - || AES 2 Part of aes implementation.
|-
| 0x1df0 ||  || cellCryptoSpuAesCbcCfb128Decrypt || - || AES 3 Probably part of aes implementation.
|-
| 0x20f0 ||  || aes_omac1 || - || AES 4 Probably part of aes implementation.
|-
| 0x2300 ||  || aes_set_key_dec || - || AES 5 Probably part of aes implementation.
|-
| 0x2418 ||  || aes_decrypt_ecb || - || AES 6 Part of aes implementation.
|-
| 0x2608 ||  || aes_decrypt_ecb_aligned || - || AES 7 Part of aes implementation.
|-
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
|-
| 0x3168 ||  || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
|}
 
== Disassembly ==
 
The complete disassembly is available at [http://pastebin.com/7vArGweJ].
 
 
{{Reverse engineering}}
<noinclude>[[Category:Main]]</noinclude>

Revision as of 01:09, 14 January 2020
