SPU Isolated Modules Reverse Engineering: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(please if you know how tu use anergistic complete this section)
No edit summary
Line 51: Line 51:
</pre>
</pre>
====Solution====
====Solution====
please fill if you know the solution
use ppu-gdb




Line 83: Line 83:
| 0x37e0 || - || Reference tool fallback IDPS
| 0x37e0 || - || Reference tool fallback IDPS
|-
|-
| 0x37f0 - ... || 0x3650 - ... || Start of EID keys
| 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]]
|-
|-
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
Line 95: Line 95:
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
|-
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
! &nbsp;3.41&nbsp; CEX/DEX !! 355&nbsp;CEX
|-
|-
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
Line 109: Line 109:
| 0x1440 ||  || debug_print || unknown || As the name already states... (this outputs over DMA)
| 0x1440 ||  || debug_print || unknown || As the name already states... (this outputs over DMA)
|-
|-
| 0x17f0 ||  || - || - || Part of aes implementation.
| 0x17f0 ||  || - || - || AES 1 Part of aes implementation.
|-
|-
| 0x1c48 ||  || - || - || Part of aes implementation.
| 0x1c48 ||  || - || - || AES 2 Part of aes implementation.
|-
|-
| 0x1df0 ||  || - || - || Probably part of aes implementation.
| 0x1df0 ||  || - || - || AES 3 Probably part of aes implementation.
|-
|-
| 0x20f0 ||  || - || - || Probably part of aes implementation.
| 0x20f0 ||  || - || - || AES 4 Probably part of aes implementation.
|-
|-
| 0x2300 ||  || - || - || Probably part of aes implementation.
| 0x2300 ||  || - || - || AES 5 Probably part of aes implementation.
|-
|-
| 0x2418 ||  || - || - || Part of aes implementation.
| 0x2418 ||  || - || - || AES 6 Part of aes implementation.
|-
|-
| 0x2608 ||  || - || - || Part of aes implementation.
| 0x2608 ||  || - || - || AES 7 Part of aes implementation.
|-
|-
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to dma data in and out of the isolated module's LS.
Line 143: Line 143:
//Partial code modified to run aim_spu_module
//Partial code modified to run aim_spu_module
* http://pastie.org/2000330
* http://pastie.org/2000330
== isoldr ==
loads, decrypts, runs isolated modules, and creates through aes the required key in LS 0x0
=== Debug messages ===
This module doesnt contain debug messages
=== Data ===
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Message
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
|-
| 0x34C40 - ... ||  || Start of isoldr keys [[Keys#Modules]]
|-
| 0x35130 ||  || AES sbox (16*16 bytes)
|-
| 0x35300 ||  || AES inverse sbox (16*16 bytes)
|}
=== Functions ===
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0xa18 ||  || main_func || unknown || Main routine.
|-
| 0x2BF28 ||  || - || - || AES 2 Part of aes implementation.
|-
| 0x2C240 ||  || - || - || AES 3 Probably part of aes implementation.
|-
| 0x2C8D0 ||  || - || - || AES 4 Probably part of aes implementation.
|-
| 0x2CDC8 ||  || - || - || AES 5 Probably part of aes implementation.
|-
| 0x2D7C0 ||  || - || - || AES 6 Part of aes implementation.
|-
| 0x2D9B0 ||  || - || - || AES 7 Part of aes implementation.
|-
| 0x346B0 ||  || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
|}

Revision as of 23:38, 26 October 2011

anergistic

Using a static analysis (IDA) could give you a good view of what the program does, but sometimes you want to know what a program does in real time and how it reacts to different parameters, this is where anergistics becomes a powerful tool. It simulates the SPU including its communication, and storage.

Current repos

usage

anergistic can be launched in two different modes, one that only emulates (runs) the program through the SPU and the the other that lets you debug the process through gdb

only emulate

./anergistic spu_elf_name.elf

this mode runs an elf with all the parameters and actions defined on main.c, channel.c a

debug

terminal 1 

./anergistic -g 1234 spu_elf_name.elf

terminal 2 

gdb
(gdb)target remote :1234

this mode performs the same as above but lets you debug the process through gdb

Customizations

see example below

Running in aim_spu_module anergistic

Problems

Connection proble

when in debugger mode 

Waiting for gdb to connect...
Client connected.
recv failed: Success

Solution

use ppu-gdb


aim_spu_module

It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.


Debug messages

Address Message
? 3.41 ? 355 CEX
0x36f0 0x3570 "(spu)start aim spu module!\n"
0x3710 0x3590 "(spu) PU DMA area start address is not align 16byte\n"
0x3750 0x35d0 "(spu) PU EID area start address is not align 16byte\n"
0x3790 0x3610 "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"

This messages are DMAed to the ppu if a debug output address is specified.


Data

Address Message
? 3.41 ? 355 CEX
0x37e0 - Reference tool fallback IDPS
0x37f0 - ... 0x3650 - ... Start of AIM keys Keys#aim_keys
0x3ac0 0x3870 AES sbox (16*16 bytes)
0x3c70 0x3a20 AES inverse sbox (16*16 bytes)


Functions

Address Name Parameters Info
 3.41  CEX/DEX 355 CEX
0x9e0 stop_func unknown Stops the module execution with various stop codes.
0xa18 main_func unknown Main routine.
0xf18 response unknown Sends response to ppu over DMA.
0x1158 process_eid unknown Decrypts EID0.
0x1438 prepare_print unknown Prepares debug output.
0x1440 debug_print unknown As the name already states... (this outputs over DMA)
0x17f0 - - AES 1 Part of aes implementation.
0x1c48 - - AES 2 Part of aes implementation.
0x1df0 - - AES 3 Probably part of aes implementation.
0x20f0 - - AES 4 Probably part of aes implementation.
0x2300 - - AES 5 Probably part of aes implementation.
0x2418 - - AES 6 Part of aes implementation.
0x2608 - - AES 7 Part of aes implementation.
0x30c0 do_dma ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 Used to dma data in and out of the isolated module's LS.
0x3168 write_tag_mask_bit mask_bit:$4 Used to set a specific bit in MFC_WrTagMask.


Disasm

The complete disassembly is available at [1].


Decrypting EID

Dumper iso.self

Dumper Payload

Running in aim_spu_module anergistic

//Partial code modified to run aim_spu_module

isoldr

loads, decrypts, runs isolated modules, and creates through aes the required key in LS 0x0


Debug messages

This module doesnt contain debug messages

Data

Address Message
? 3.41 ? 355 CEX
0x34C40 - ... Start of isoldr keys Keys#Modules
0x35130 AES sbox (16*16 bytes)
0x35300 AES inverse sbox (16*16 bytes)


Functions

Address Name Parameters Info
? 3.41 ? 355 CEX
0xa18 main_func unknown Main routine.
0x2BF28 - - AES 2 Part of aes implementation.
0x2C240 - - AES 3 Probably part of aes implementation.
0x2C8D0 - - AES 4 Probably part of aes implementation.
0x2CDC8 - - AES 5 Probably part of aes implementation.
0x2D7C0 - - AES 6 Part of aes implementation.
0x2D9B0 - - AES 7 Part of aes implementation.
0x346B0 write_tag_mask_bit mask_bit:$4 Used to set a specific bit in MFC_WrTagMask.
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=SPU_Isolated_Modules_Reverse_Engineering&oldid=6328"