Appliance Information Manager: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(Replaced content with "Hi, I just wanted to see if you are interested in starting your own online betting and casino business? We offer a totally standalone odds php software ready to go, meanin...")
Tag: Replaced
m (Reverted edits by 92.118.209.216 (talk) to last revision by CelesteBlue)
Tag: Rollback
Line 1: Line 1:
Hi, I just wanted to see if you are interested in starting your own online betting and casino business?
AIM (Appliance Info Manager) is a [[Hypervisor_Reverse_Engineering#Process_socket_services|Process socket service]] supported by the hypervisor (lv1).<br>
We offer a totally standalone odds php software ready to go, meaning you can accept bitcoin and real money bets and get 100% profit


You can also limit winnings, handle payouts and do everything as you like.
It is used to retrieve the IDPS, Target ID, Open PSID and PS Code from the [[Flash#EID0_-_Section_0|EID0]] data that is passed in.


See our website for demo and more information
Responsible is the isolated SPU module '''aim_spu_module.self''' from [[CoreOS|CoreOS]] / [[Flash#ros0|Flash]].


www.betscripts.com
This service accessable from GameOS via Syscall: '''867''' (0x363) and requires 0x40 Root flag ([[Capability_Flags|Capability Flags]]) set in [[SELF - SPRX#Supplemental Header Table|Plaintext Capability Header]].
 
internally loaded@ss_server2.fself
Function Id : 0x19000
Port:       0x24
 
= 0x19000 - AIM =
 
{| class="wikitable FCK__ShowTableBorders"
|-
! Packet ID
! Description
! Lv1 Parameter Usage
! Lv2Syscall Parameter
! notes
|-
| 0x19002
| Get Device Type
|
| uint8_t out[0x10]
|
|-
| 0x19003
| Get Device ID
|
| uint8_t out[0x10]
|
|-
| 0x19004
| Get PS Code
|
| uint8_t out[0x8]
|
|-
| 0x19005
| Get Open PS ID
|
| uint8_t out[0x10]
|
|-
| 0x19006
| Unknown
|
| void
|
|}
 
== 0x19002 - Get Device Type ==
 
* returns the console [[Target_ID|Target Id]]:
<pre>
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x85
</pre>
 
calling from GameOS:
<source lang="c">
struct ss_aim_get_device_type {
    u8 field0[16];
};
 
int cellSsAimGetDeviceType(out:uint8[0x10]);
</source>
 
== 0x19003 - Get Device ID ==
 
* returns the consoles [[IDPS]]
 
<pre>
0x00 0x00 0x00 0x01 0x00 0x89 0x00 0x0B 0x14 0x00 0xEF 0xDD 0xCA 0x25 0x52 0x66  .....‰....ïÝÊ%Rf
</pre>
 
calling from GameOS:
<source lang="c">
struct ss_aim_get_device_id {
    u8 idps[16]; // see [[idps]]
};
 
int cellSsAimGetDeviceId(out:uint8[0x10]);
</source>
 
== 0x19004 - Get PS Code ==
 
on my CECHJ04 it returns:
 
0x00 0x01 0x00 0x85 0x00 0x07 0x00 0x04
 
Last two bytes are calculated simply by using 9th and 10th Byte of [[IDPS]] right shifted by 0xA.
 
calling from GameOS:
<source lang="c">
struct ss_aim_get_ps_code {
    u8 field0[8];
};
 
int cellSsAimGetPsCode(out:uint8[8]);
</source>
 
== 0x19005 - Get Open PS ID ==
 
calling from GameOS:
<source lang="c">
struct ss_aim_get_open_ps_id {
    u8 field0[16];
};
 
int cellSsAimGetOpenPsId(out:uint8[0x10])
</source>
 
== 0x19006 - unkonwn ==
 
* usage found in bdp_BDVD for example... with 1 param (= 0)
* seems to be handled by lv2_kernel, not AIM itself
 
::looks up for qa-flag (if flagged, sets token seed to an lv2 internal buffer), fself flag & device_id
 
calling from GameOS:
<source lang="C">
int syscall(867, 0x19006);
</source>
 
*note: this packet id doesnt need another parameter
 
= Reverse Engineering in Lv1 =
 
Function Id : 0x19000
Port:       0x24
Process:      5
 
If you want to check out about it or get more things documented, consider looking at for example:
 
* coolstuff\hvdump315_reversing\proc_5\code_seg.idb
* coolstuff\hvdump341_reversing\proc_5\code_seg.idb
* coolstuff\hvdump355_reversing\proc_5\code_seg.idb
 
= Reverse Engineering isolated module =
 
A crossreference to [[SPU_Isolated_Modules_Reverse_Engineering#aim_spu_module]].
 
== Debug messages ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Message
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n"
|-
| 0x3710 || 0x3590 || "(spu) PU DMA area start address is not align 16byte\n"
|-
| 0x3750 || 0x35d0 || "(spu) PU EID area start address is not align 16byte\n"
|-
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
|}
This messages are DMAed to the ppu if a debug output address is specified.
 
== Data ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Message
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x37e0 || - || Reference tool fallback IDPS
|-
| 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]]
|-
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
|-
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes)
|}
 
== Functions ==
 
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
|-
! &nbsp;3.41&nbsp; CEX/DEX !! 355&nbsp;CEX
|-
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
|-
| 0xa18 ||  || main_func || unknown || Main routine.
|-
| 0xf18 ||  || response || unknown || Sends response to ppu over DMA.
|-
| 0x1158 ||  || process_eid || unknown || Decrypts EID0.
|-
| 0x1438 ||  || prepare_print || unknown || Prepares debug output.
|-
| 0x1440 ||  || debug_print || unknown || As the name already states... (this outputs over DMA)
|-
| 0x17f0 ||  || - || - || AES 1 Part of aes implementation.
|-
| 0x1c48 ||  || aes_encrypt_ecb || - || AES 2 Part of aes implementation.
|-
| 0x1df0 ||  || cellCryptoSpuAesCbcCfb128Decrypt || - || AES 3 Probably part of aes implementation.
|-
| 0x20f0 ||  || aes_omac1 || - || AES 4 Probably part of aes implementation.
|-
| 0x2300 ||  || aes_set_key_dec || - || AES 5 Probably part of aes implementation.
|-
| 0x2418 ||  || aes_decrypt_ecb || - || AES 6 Part of aes implementation.
|-
| 0x2608 ||  || aes_decrypt_ecb_aligned || - || AES 7 Part of aes implementation.
|-
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
|-
| 0x3168 ||  || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
|}
 
== Disassembly ==
 
The complete disassembly is available at [http://pastebin.com/7vArGweJ].
 
 
{{Reverse engineering}}
<noinclude>[[Category:Main]]</noinclude>

Revision as of 13:14, 14 January 2020

AIM (Appliance Info Manager) is a Process socket service supported by the hypervisor (lv1).

It is used to retrieve the IDPS, Target ID, Open PSID and PS Code from the EID0 data that is passed in.

Responsible is the isolated SPU module aim_spu_module.self from CoreOS / Flash.

This service accessable from GameOS via Syscall: 867 (0x363) and requires 0x40 Root flag (Capability Flags) set in Plaintext Capability Header. 

internally loaded@ss_server2.fself
Function Id : 0x19000
Port:	      0x24

0x19000 - AIM

Packet ID Description Lv1 Parameter Usage Lv2Syscall Parameter notes
0x19002 Get Device Type uint8_t out[0x10]
0x19003 Get Device ID uint8_t out[0x10]
0x19004 Get PS Code uint8_t out[0x8]
0x19005 Get Open PS ID uint8_t out[0x10]
0x19006 Unknown void

0x19002 - Get Device Type

0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x85

calling from GameOS: 

struct ss_aim_get_device_type {
    u8 field0[16];
};

int cellSsAimGetDeviceType(out:uint8[0x10]);

0x19003 - Get Device ID

  • returns the consoles IDPS
0x00 0x00 0x00 0x01 0x00 0x89 0x00 0x0B 0x14 0x00 0xEF 0xDD 0xCA 0x25 0x52 0x66  .....‰....ïÝÊ%Rf

calling from GameOS: 

struct ss_aim_get_device_id {
    u8 idps[16]; // see [[idps]]
};

int cellSsAimGetDeviceId(out:uint8[0x10]);

0x19004 - Get PS Code

on my CECHJ04 it returns: 

0x00 0x01 0x00 0x85 0x00 0x07 0x00 0x04

Last two bytes are calculated simply by using 9th and 10th Byte of IDPS right shifted by 0xA.

calling from GameOS: 

struct ss_aim_get_ps_code {
    u8 field0[8];
};

int cellSsAimGetPsCode(out:uint8[8]);

0x19005 - Get Open PS ID

calling from GameOS: 

struct ss_aim_get_open_ps_id {
    u8 field0[16];
};

int cellSsAimGetOpenPsId(out:uint8[0x10])

0x19006 - unkonwn

  • usage found in bdp_BDVD for example... with 1 param (= 0)
  • seems to be handled by lv2_kernel, not AIM itself
looks up for qa-flag (if flagged, sets token seed to an lv2 internal buffer), fself flag & device_id

calling from GameOS: 

int syscall(867, 0x19006);
  • note: this packet id doesnt need another parameter

Reverse Engineering in Lv1

Function Id : 0x19000
Port:	      0x24
Process:      5

If you want to check out about it or get more things documented, consider looking at for example:

  • coolstuff\hvdump315_reversing\proc_5\code_seg.idb
  • coolstuff\hvdump341_reversing\proc_5\code_seg.idb
  • coolstuff\hvdump355_reversing\proc_5\code_seg.idb

Reverse Engineering isolated module

A crossreference to SPU_Isolated_Modules_Reverse_Engineering#aim_spu_module.

Debug messages

Address Message
? 3.41 ? 355 CEX
0x36f0 0x3570 "(spu)start aim spu module!\n"
0x3710 0x3590 "(spu) PU DMA area start address is not align 16byte\n"
0x3750 0x35d0 "(spu) PU EID area start address is not align 16byte\n"
0x3790 0x3610 "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"

This messages are DMAed to the ppu if a debug output address is specified.

Data

Address Message
? 3.41 ? 355 CEX
0x37e0 - Reference tool fallback IDPS
0x37f0 - ... 0x3650 - ... Start of AIM keys Keys#aim_keys
0x3ac0 0x3870 AES sbox (16*16 bytes)
0x3c70 0x3a20 AES inverse sbox (16*16 bytes)

Functions

Address Name Parameters Info
 3.41  CEX/DEX 355 CEX
0x9e0 stop_func unknown Stops the module execution with various stop codes.
0xa18 main_func unknown Main routine.
0xf18 response unknown Sends response to ppu over DMA.
0x1158 process_eid unknown Decrypts EID0.
0x1438 prepare_print unknown Prepares debug output.
0x1440 debug_print unknown As the name already states... (this outputs over DMA)
0x17f0 - - AES 1 Part of aes implementation.
0x1c48 aes_encrypt_ecb - AES 2 Part of aes implementation.
0x1df0 cellCryptoSpuAesCbcCfb128Decrypt - AES 3 Probably part of aes implementation.
0x20f0 aes_omac1 - AES 4 Probably part of aes implementation.
0x2300 aes_set_key_dec - AES 5 Probably part of aes implementation.
0x2418 aes_decrypt_ecb - AES 6 Part of aes implementation.
0x2608 aes_decrypt_ecb_aligned - AES 7 Part of aes implementation.
0x30c0 do_dma ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 Used to dma data in and out of the isolated module's LS.
0x3168 write_tag_mask_bit mask_bit:$4 Used to set a specific bit in MFC_WrTagMask.

Disassembly

The complete disassembly is available at [1].


General
Hypervisor
Services
Plugin
Interfaces
ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation
Extended
features
Online
Hardware
SC
CELL
RAM
SB
HDD
BD
Tools
Strings
files
dumps
Reference
Keys & Seeds
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Appliance_Information_Manager&oldid=55329"