Appliance Information Manager

From PS3 Developer wiki

= Description =
AIM (Appliance Info Manager) is a [[Hypervisor_Reverse_Engineering#Process_socket_services|Process socket service]] supported by the hypervisor (lv1).

It is used to retrieve the IDPS, Target ID, Open PSID and PS Code from the [[Flash:Encrypted_Individual_Data_-_eEID#EID0|EID0]] data that is passed in.

The responsible isolated SPU module is '''aim_spu_module.self''' from [[CoreOS]] / [[Flash#ros0|Flash]].

This service is accessible from GameOS via syscall 867 (0x363) and requires the 0x40 Root flag ([[Capability_Flags|Capability Flags]]) to be set in the [[SELF - SPRX#Supplemental Header Table|Plaintext Capability Header]].

  internally loaded@ss_server2.fself
  Function Id : 0x19000
  Port:         0x24

= 0x19000 - AIM =

{| class="wikitable"
! Packet ID
! Description
! Lv1 Parameter Usage
! Lv2 Syscall Parameter
! Notes
|-
| 0x19002
| Get Device Type
|
| uint8_t out[0x10]
|
|-
| 0x19003
| Get Device ID
|
| uint8_t out[0x10]
|
|-
| 0x19004
| Get PS Code
|
| uint8_t out[0x8]
|
|-
| 0x19005
| Get Open PS ID
|
| uint8_t out[0x10]
|
|-
| 0x19006
| Unknown
|
| void
|
|}

== 0x19002 - Get Device Type ==

* Returns the console's [[Product Code]].

<pre>
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x85
</pre>

Calling from GameOS:
<source lang="c">
/* Response buffer filled by packet 0x19002 (16 bytes). */
struct ss_aim_get_device_type {
    u8 field0[16];
};

/* GameOS wrapper around lv2 syscall 867 with packet id 0x19002. */
int cellSsAimGetDeviceType(u8 out[0x10]);
</source>

== 0x19003 - Get Device ID ==

* Returns the console's [[IDPS]].

<pre>
0x00 0x00 0x00 0x01 0x00 0x89 0x00 0x0B 0x14 0x00 0xEF 0xDD 0xCA 0x25 0x52 0x66
</pre>

Calling from GameOS:
<source lang="c">
/* Response buffer filled by packet 0x19003: the 16-byte IDPS. */
struct ss_aim_get_device_id {
    u8 idps[16];
};

/* GameOS wrapper around lv2 syscall 867 with packet id 0x19003. */
int cellSsAimGetDeviceId(u8 out[0x10]);
</source>

== 0x19004 - Get PS Code ==

* Returns the console's [[PSCode]]. See [https://psdevwiki.com/vita/index.php?title=PSCode].

On my CECHJ04 it returns:
<pre>
0x00 0x01 0x00 0x85 0x00 0x07 0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
</pre>

Calling from GameOS:
<source lang="c">
/* Response buffer filled by packet 0x19004 (8 bytes). */
struct ss_aim_get_ps_code {
    u8 field0[8];
};

/* GameOS wrapper around lv2 syscall 867 with packet id 0x19004. */
int cellSsAimGetPsCode(u8 out[8]);
</source>

== 0x19005 - Get Open PS ID ==

* Returns the console's [[OpenPSID]].

Calling from GameOS:
<source lang="c">
/* Response buffer filled by packet 0x19005 (16 bytes). */
struct ss_aim_get_open_ps_id {
    u8 field0[16];
};

/* GameOS wrapper around lv2 syscall 867 with packet id 0x19005. */
int cellSsAimGetOpenPsId(u8 out[0x10]);
</source>

== 0x19006 - Unknown ==

* Usage found in bdp_BDVD, for example, with one parameter (= 0).
* Seems to be handled by lv2_kernel, not by AIM itself.
* It looks up the QA flag (if set, it stores the token seed in an lv2 internal buffer), the fself flag and the device_id.

Calling from GameOS:
<source lang="c">
int syscall(867, 0x19006);
</source>

* Note: this packet id does not need another parameter.
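The packet table above pins an output size to every packet id; the C wrapper below, an added example rather than code from the wiki or from the SDK, checks the caller's buffer against that table before dispatching and is exercised with a constructed backend that replays the sample responses quoted on this page. It assumes the real backend would be a stub for lv2 syscall 867 (not included), and that the Target ID sits in the last byte of the Get Device Type response, which is an inference from the page's sample rather than a documented layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* AIM packet ids (function id 0x19000) from the table above. */
enum { AIM_GET_DEVICE_TYPE = 0x19002, AIM_GET_DEVICE_ID = 0x19003,
       AIM_GET_PS_CODE = 0x19004, AIM_GET_OPEN_PS_ID = 0x19005 };

/* Output size each packet id fills, per the table; 0 means "not in the table". */
size_t aim_out_size(uint32_t packet_id) {
    switch (packet_id) {
    case AIM_GET_DEVICE_TYPE: case AIM_GET_DEVICE_ID: case AIM_GET_OPEN_PS_ID: return 0x10;
    case AIM_GET_PS_CODE: return 0x8;
    default: return 0;   /* unknown packet id: refuse rather than guess a size */
    }
}

/* Backend that would issue lv2 syscall 867; injected so the wrapper runs offline (assumption). */
typedef int (*aim_backend_fn)(uint32_t packet_id, uint8_t *out, size_t len);

/* Validates the caller's buffer against the packet table, zero-fills it, then dispatches.
   Returns 0 on success, -1 for a bad packet id or undersized buffer, else the backend's error. */
int aim_request(aim_backend_fn backend, uint32_t packet_id, uint8_t *out, size_t out_len) {
    size_t need = aim_out_size(packet_id);
    if (need == 0 || out == NULL || out_len < need)
        return -1;
    memset(out, 0, out_len);   /* no stale bytes survive past the region the backend fills */
    return backend(packet_id, out, need);
}

/* Assumption from the page's sample (... 0x85): the Target ID is the last byte of the response. */
uint8_t aim_target_id(const uint8_t dev_type[0x10]) { return dev_type[0x0f]; }

/* Constructed test backend replaying the sample responses quoted on this page. */
int aim_fake_backend(uint32_t packet_id, uint8_t *out, size_t len) {
    static const uint8_t dev_type[0x10] = { [0x0f] = 0x85 };
    static const uint8_t ps_code[0x8]  = { 0x00, 0x01, 0x00, 0x85, 0x00, 0x07, 0x00, 0x04 };
    switch (packet_id) {
    case AIM_GET_DEVICE_TYPE: memcpy(out, dev_type, len); return 0;
    case AIM_GET_PS_CODE:     memcpy(out, ps_code, len);  return 0;
    default:                  return -2;   /* no sample data on the page for this id */
    }
}
```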


= Reverse Engineering in Lv1 =

  Function Id: 0x19000
  Port:        0x24
  Process:     5

If you want to look into it or get more of it documented, consider looking at, for example:
* coolstuff\hvdump315_reversing\proc_5\code_seg.idb
* coolstuff\hvdump341_reversing\proc_5\code_seg.idb
* coolstuff\hvdump355_reversing\proc_5\code_seg.idb

See also [[SPU_Isolated_Modules_Reverse_Engineering#aim_spu_module]].

= Reverse Engineering of the isolated module =

== Debug messages ==
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Message
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x36f0 || 0x3570 || "(spu)start aim spu module!\n"
|-
| 0x3710 || 0x3590 || "(spu) PU DMA area start address is not align 16byte\n"
|-
| 0x3750 || 0x35d0 || "(spu) PU EID area start address is not align 16byte\n"
|-
| 0x3790 || 0x3610 || "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"
|}
These messages are DMAed to the PPU if a debug output address is specified.

== Data ==
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Description
|-
! ?&nbsp;3.41&nbsp;? !! 355&nbsp;CEX
|-
| 0x37e0 || - || Reference tool fallback IDPS
|-
| 0x37f0 - ... || 0x3650 - ... || Start of AIM keys [[Keys#aim_keys]]
|-
| 0x3ac0 || 0x3870 || AES sbox (16*16 bytes)
|-
| 0x3c70 || 0x3a20 || AES inverse sbox (16*16 bytes)
|}

== Functions ==
{| class="wikitable"
! colspan="2" | Address !! rowspan="2" | Name !! rowspan="2" | Parameters !! rowspan="2" | Info
|-
! &nbsp;3.41&nbsp; CEX/DEX !! 355&nbsp;CEX
|-
| 0x9e0 ||  || stop_func || unknown || Stops the module execution with various stop codes.
|-
| 0xa18 ||  || main_func || unknown || Main routine.
|-
| 0xf18 ||  || response || unknown || Sends the response to the PPU over DMA.
|-
| 0x1158 ||  || process_eid || unknown || Decrypts EID0.
|-
| 0x1438 ||  || prepare_print || unknown || Prepares debug output.
|-
| 0x1440 ||  || debug_print || unknown || As the name already states (this outputs over DMA).
|-
| 0x17f0 ||  || - || - || AES part 1 of the AES implementation.
|-
| 0x1c48 ||  || aes_encrypt_ecb || - || AES part 2 of the AES implementation.
|-
| 0x1df0 ||  || cellCryptoSpuAesCbcCfb128Decrypt || - || AES part 3, probably part of the AES implementation.
|-
| 0x20f0 ||  || aes_omac1 || - || AES part 4, probably part of the AES implementation.
|-
| 0x2300 ||  || aes_set_key_dec || - || AES part 5, probably part of the AES implementation.
|-
| 0x2418 ||  || aes_decrypt_ecb || - || AES part 6 of the AES implementation.
|-
| 0x2608 ||  || aes_decrypt_ecb_aligned || - || AES part 7 of the AES implementation.
|-
| 0x30c0 ||  || do_dma || ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 || Used to DMA data in and out of the isolated module's LS.
|-
| 0x3168 ||  || write_tag_mask_bit || mask_bit:$4 || Used to set a specific bit in MFC_WrTagMask.
|}

== Disasm ==
{{Reverse engineering}}
The complete disassembly is available at [http://pastebin.com/7vArGweJ].
<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 06:28, 12 April 2023
