Loaders: Difference between revisions
m (→appldr) |
CelesteBlue (talk | contribs) No edit summary |
||
(20 intermediate revisions by one other user not shown) | |||
Line 8: | Line 8: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Loader !! Location !! Type !! Remarks | ! Loader !! Location !! Type !! Zlib support !! Fself support !! Remarks | ||
|- | |- | ||
| bootldr || [[Flash]] || Boot Loader || primary loader from chain of trust | | bootldr || [[Flash]] || Boot Loader || NO || NO || primary loader from chain of trust, loads lv0 | ||
|- | |- | ||
| metldr || [[Flash]] || Meta Loader || aka asecure_loader. Loads other loaders | | metldr || [[Flash]] || Meta Loader || NO || NO || aka asecure_loader. Loads other loaders | ||
|- | |- | ||
| appldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Application Loader || loads userspace [f]selfs e.g. [[VSH|vsh.self]], videoplayer_plugin.sprx, disc | | appldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Application Loader || YES || YES || loads userspace [f]selfs e.g. [[VSH|vsh.self]], videoplayer_plugin.sprx, disc/NPDRM EBOOT.BINs and [[EDAT_files|EDAT files]] | ||
|- | |- | ||
| isoldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Isolation Loader || loading [[Iso module|isolated SPU modules]] | | isoldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Isolation Loader || NO || NO || loading [[Iso module|isolated SPU modules]] | ||
|- | |- | ||
| lv1ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Hypervisor Loader || loads [[lv1.self]] ([[Hypervisor_Reverse_Engineering|Hypervisor]]) | | lv1ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Hypervisor Loader || YES || NO || loads [[lv1.self]] ([[Hypervisor_Reverse_Engineering|Hypervisor]]) | ||
|- | |- | ||
| lv2ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Supervisor Loader || loads lv2_kernel.self (Supervisor kernel) | | lv2ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Supervisor Loader || YES || NO || loads lv2_kernel.self (Supervisor kernel) | ||
|- | |- | ||
|} | |} | ||
Line 156: | Line 156: | ||
=== appldr === | === appldr === | ||
Used to verify and decrypt | Used to verify and decrypt usermode program/data segments (system libraries, vsh and its modules, games, edat and sdat files)<BR> | ||
Allows to authenticate fselfs by following Target_ids from EID0: 0x81, 0x82, 0xA0. | |||
==== LS Parameters layout ==== | ==== LS Parameters layout ==== | ||
Line 165: | Line 166: | ||
| 0x3E000 || Wait flag || If (flag==0){wait;} // use 0xFF00000000ULL | | 0x3E000 || Wait flag || If (flag==0){wait;} // use 0xFF00000000ULL | ||
|- | |- | ||
| 0x3E400 || EID0 || | | 0x3E400 || EID0 || first 0x400 bytes of EID0 | ||
|- | |- | ||
| 0x3E800 || Arguments || | | 0x3E800 || Arguments || u64 buffer_args_effective_addr | ||
|- | |- | ||
| 0x3EC00 || QA-Flag Info|| u64 qaflag_exist_flag //If existed, set to 0, otherwise -1<BR>u64 unk0 //always 0<BR>u8[0x50] qa_token<BR>u8[0x2A] qa_token_signature<BR>u8[0x6] padding | | 0x3EC00 || QA-Flag Info|| u64 qaflag_exist_flag //If existed, set to 0, otherwise -1<BR>u64 unk0 //always 0<BR>u8[0x50] qa_token<BR>u8[0x2A] qa_token_signature<BR>u8[0x6] padding | ||
Line 175: | Line 176: | ||
| 0x3F000 || Program revoke list || | | 0x3F000 || Program revoke list || | ||
|} | |} | ||
==== Arguments ==== | ==== Arguments ==== | ||
Line 208: | Line 208: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Size !! Name !! | ! Size !! Name !! Value | ||
|- | |- | ||
|u64 || | |u64 || subarguments_addr || subarguments effective address | ||
|- | |- | ||
|u64 || | |u64 || lpar_auth_id || subject logical partition authority id | ||
|- | |- | ||
| | | || || | ||
|- | |- | ||
|u64 || | |u64 || field48 || 5 (checked by appldr, if doesnot match -> appldr will be stoped with err code 0x27) | ||
|- | |- | ||
| || || | | || || | ||
|} | |||
subarguments | |||
{| class="wikitable" | |||
|- | |||
! Size !! Name !! Value | |||
|- | |||
| u64 || program_auth_id || | |||
|- | |||
| u64 || self_header_addr || | |||
|- | |||
| u64 || program_segment_addr? || | |||
|- | |||
| u32 || segment_type || 0 for phdrs, 1 for shdrs | |||
|- | |||
| u32 || program_segment_index || segment number | |||
|- | |- | ||
| | | u64 || destination_addr || | ||
|- | |- | ||
| || || | | u64 || capability_addr || capability flags (0x20 bytes) will be copyed at this effective addr | ||
|- | |||
| u64 || flag || some flags // flag & 0xFFFF must be <=2 for APP, 3 for UNK7/seven, 4 for NPDRM_APP, 5 for EDAT | |||
|- | |||
| u64 || || | |||
|- | |||
| u64 || || | |||
|- | |||
| u64 || || | |||
|- | |||
| u64 || || | |||
|- | |||
| u64 || || | |||
|- | |||
| u8[0x10] || sceNpDrmKey || | |||
|- | |||
| u64 || header_key_check_result_addr || ppu addr to send the result. | |||
|- | |||
| u64 || || | |||
|} | |} | ||
Latest revision as of 05:46, 19 June 2022
Explaination[edit | edit source]
Loaders are used for loading other modules.
Commonly found in CoreOS and Flash.
Known loaders[edit | edit source]
Loader | Location | Type | Zlib support | Fself support | Remarks |
---|---|---|---|---|---|
bootldr | Flash | Boot Loader | NO | NO | primary loader from chain of trust, loads lv0 |
metldr | Flash | Meta Loader | NO | NO | aka asecure_loader. Loads other loaders |
appldr | CoreOS | Application Loader | YES | YES | loads userspace [f]selfs e.g. vsh.self, videoplayer_plugin.sprx, disc/NPDRM EBOOT.BINs and EDAT files |
isoldr | CoreOS | Isolation Loader | NO | NO | loading isolated SPU modules |
lv1ldr | CoreOS | Hypervisor Loader | YES | NO | loads lv1.self (Hypervisor) |
lv2ldr | CoreOS | Supervisor Loader | YES | NO | loads lv2_kernel.self (Supervisor kernel) |
Loader encapsulation in lv0[edit | edit source]
version | decrypted SHA1 hash | isoldr | appldr | lv1ldr | lv2ldr | Remarks |
---|---|---|---|---|---|---|
3.60 | 7A051A4A228C5C7256B9DD3ECC0CFABB605490E3 | D/L ; contains weird 2nd loaders that could not be decrypted (named [loader name]_2) | ||||
3.61 | 832CE19B420895B7C89D0DD3D346B9B4254F0902 | |||||
3.65 | C9F7F42BFB30A9FB9FF1394D18F8C490FA20E51D | |||||
3.66 | 110CEA044B059AC8E89C52121DD94EB062605180 | |||||
3.70 | B0CE989CEA9994A7424BC64C49B477ACB9759C45 | |||||
3.72 | E6ABA3DBBAB9CCCFA8B9D4C75AF9BC2CD2A470CC | |||||
3.73 | 17E363EC32AE2C35410250FD147500EAB27C7229 | |||||
3.74 | 048C7F30C6FEC76029DE7107C6EA825D778464D3 | |||||
4.00 | B1BD5C738EA8B4C5882DF3816802042015E57765 | |||||
4.01 | DB42B9FC98E927536F9BDE68517DC7EF6A3E7630 | |||||
4.10 | ED6B89DE996DA92B670A515342E5BA44C506CCB8 | |||||
4.11 | 5A80C633C7679FB24FEC9E603058A65010F1CC59 | |||||
4.20 | 69F14D7512177EAE3DB6A00764CB242D1683511C | |||||
4.21 | DB4E4CF6A795D8AB93200B4ACDA7978028601EDC | |||||
4.23 | AC7BDA2E7E093D4FDDE801FAFAB42F55B92506C4 | |||||
4.25 | A6DE36E9178C75B3C557E3056C8BAE5A13C83038 | |||||
4.26 | 042ACDE3A986B50F8C58450798DD866130EB85EA | |||||
4.30 | 44A048CC7F990A9EE5400695BC0D9EE283BAB02F |
Stop Codes[edit | edit source]
Stop Code | Module | Remark |
---|---|---|
0x30 | isoldr/appldr | Version mismatch (isoldr version differs from version returned by SPU channel 73). |
0x16 | isoldr | Revoke List Error |
0x17 | isoldr | Adresses needs to be aligned |
0x21 | lv1ldr | ??? |
0x27 | appldr | SPU arg at 0x3E840 |
0x20 | metldr | header error |
0x23 | metldr | ECDSA signature failure |
0x27
When booting, lv1ldr store its version in this region writing to ch_72.
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)
Note: this version check was recently added, maybe in fw 3.41
//for ch_73_round_0 data0 = 0x00030041; //for ch_73_round_1 data1 = 0x00000000;
lv1ldr[edit | edit source]
Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.
LS Parameters Layout[edit | edit source]
Address | Usage | Comments |
---|---|---|
0x34CB0 | Unknown | DMA read from ch74 20 times. |
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E800 | Arguments |
lv2ldr[edit | edit source]
Used to verify and decrypt lv2 selfs (lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self, ps2_netemu.self)
And to install RVK-list.
LS Parameters layout[edit | edit source]
Address | Usage | Comments |
---|---|---|
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E800 | Arguments | |
0x3F000 | Program revoke list |
Arguments[edit | edit source]
Size | Name | Value |
---|---|---|
u64 | lpar_auth_id | 0x1070000002000001 |
u8 | *lv2_in | lv2 self - address in ram |
u8 | *lv2_out | where to decrypt lv2 - address in ram |
u64 | field18 | -1 |
u8[40] | res1 | Unknown / Not used |
u64 | field48 | 1 |
u8[16] | res2 | Unknown / Not used |
appldr[edit | edit source]
Used to verify and decrypt usermode program/data segments (system libraries, vsh and its modules, games, edat and sdat files)
Allows to authenticate fselfs by following Target_ids from EID0: 0x81, 0x82, 0xA0.
LS Parameters layout[edit | edit source]
Address | Usage | Comments |
---|---|---|
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E400 | EID0 | first 0x400 bytes of EID0 |
0x3E800 | Arguments | u64 buffer_args_effective_addr |
0x3EC00 | QA-Flag Info | u64 qaflag_exist_flag //If existed, set to 0, otherwise -1 u64 unk0 //always 0 u8[0x50] qa_token u8[0x2A] qa_token_signature u8[0x6] padding |
0x3EE00 | LV2 Protection Info | u64 hashed memory effective addr u64 hashed memory size u8[0x14] expected_hmac_hash u8[0xC] padding |
0x3F000 | Program revoke list |
Arguments[edit | edit source]
For authenticate_program_segment, firmware 0.8x
Size | Name | Value |
---|---|---|
u64 | program_auth_id | subject program authority id |
u64 | lpar_auth_id | subject logical partition authority id |
u64 | self_header_addr | |
u64 | program_segment_addr | |
u64 | program_segment_index | |
u64 | destination_addr | where to decrypt |
u64 | capability_addr | capability flags will be placed to this addr |
u64 | flag | |
u64 | field40 | unknown/pad |
u64 | field48 | 2 (on modern fws it could be 2 or 3 or 5) |
For authenticate_program_segment, firmware 4.7x
Size | Name | Value |
---|---|---|
u64 | subarguments_addr | subarguments effective address |
u64 | lpar_auth_id | subject logical partition authority id |
u64 | field48 | 5 (checked by appldr, if doesnot match -> appldr will be stoped with err code 0x27) |
subarguments
Size | Name | Value |
---|---|---|
u64 | program_auth_id | |
u64 | self_header_addr | |
u64 | program_segment_addr? | |
u32 | segment_type | 0 for phdrs, 1 for shdrs |
u32 | program_segment_index | segment number |
u64 | destination_addr | |
u64 | capability_addr | capability flags (0x20 bytes) will be copyed at this effective addr |
u64 | flag | some flags // flag & 0xFFFF must be <=2 for APP, 3 for UNK7/seven, 4 for NPDRM_APP, 5 for EDAT |
u64 | ||
u64 | ||
u64 | ||
u64 | ||
u64 | ||
u8[0x10] | sceNpDrmKey | |
u64 | header_key_check_result_addr | ppu addr to send the result. |
u64 |
isoldr[edit | edit source]
Used for loading isolated SPU modules.
LS Parameters layout[edit | edit source]
Address | Usage | Comments |
---|---|---|
0x3E000 | Wait flag | If (flag==0){wait;} // use 0xFF00000000ULL |
0x3E400 | EID0 | |
0x3E800 | Arguments | |
0x3EC00 | QA-Token | If not used set to -1 |
0x3F000 | Program revoke list |
Stop Codes[edit | edit source]
Stop Code | Remark |
---|---|
0x0D | Revocation check failed. |
0x0E | Signature check failed. |
0x0F | Revoke list verification failed. |
0x11 | Revoke list verification failed (header). |
0x12 | SELF segment verification internal error. |
0x13 | SELF verification failed. |
0x16 | Revoke list verification failed. |
0x17 | Isolated module EA is not aligned. |
0x1D | SELF segment verification internal error (ELF32 header). |
0x25 | Auth-ID error? |
Arguments[edit | edit source]
Depending which isolated module you want to load, you would need to pass it different arguments.
Size | Name | spp_verifier |
---|---|---|
u64 | prog_auth_id | 0x1050000003000001 |
u64 | lpar_auth_id | 0x1070000002000001 |
u64 | *spu_module | SPU - address in ram |
u64 | *spu_module_arg1 | Profile - address in ram |
u64 | spu_module_arg1_size | sizeof(profile) |
u64 | *spu_module_arg2 | Not used |
u64 | spu_module_arg2_size | Not used |
u8 | res1[16] | Unknown |
u64 | field48 | 3 |
u8 res2[16] | Unknown |
Size | Name | aim_spu_module |
---|---|---|
u64 | prog_auth_id | 0x1050000003000001 |
u64 | lpar_auth_id | 0x1070000002000001 |
u64 | *spu_module | SPU - address in ram |
u64 | *spu_module_arg1 | aim_spu_args - address in ram |
u64 | spu_module_arg1_size | 0x80 |
u64 | *spu_module_arg2 | eid0 - address in ram |
u64 | spu_module_arg2_size | sizeof(eid0) |
u64 | field48 | 3 |
union aim_spu_args { struct { void *buf; // debug_info buffer address u64 buf_size; // debug_info buffer size u32 param; // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid } in; struct { u8 result[0x10]; // no need to explain... } out; };