Lv1.self: Difference between revisions

From PS3 Developer wiki
(→‎Dump lv1 embedded ELFs script: Updated PsiCoLeO's original script. Source: https://techbliss.org/threads/script-to-extract-lv1-embedded-selfs.410/)
 
(5 intermediate revisions by 3 users not shown)
Line 28: Line 28:
* ss_server2.fself
* ss_server2.fself
* ss_server3.fself
* ss_server3.fself


= Files common on lv1 =
= Files common on lv1 =


lv1.self delegates a lot of his work to the embedded selfs wich it loads to different process (see [[Hypervisor Reverse Engineering]]).
lv1.self delegates a lot of work to the embedded selfs which it loads to different process (see [[Hypervisor Reverse Engineering]]).


{|class="wikitable"
{|class="wikitable"
Line 159: Line 158:


I did this script quickly to extract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --[[User:PsiCoLeO|PsiCoLeO]] 16:11, 22 May 2011 (CDT)
I did this script quickly to extract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --[[User:PsiCoLeO|PsiCoLeO]] 16:11, 22 May 2011 (CDT)
Located an updated variant of PsiCoLeO's script. The update includes offsets and sizes for 4.21 - 4.41 firmware, and was contributed by Rip Cord from an external source, with minor typo fixes by myself. See edit summary for source attribution. --[[User:Tuxsavvy|Tuxsavvy]] ([[User talk:Tuxsavvy|talk]]) 08:55, 22 April 2023 (CEST)


How to use it
How to use it
Line 180: Line 181:
#!/bin/bash
#!/bin/bash
# PsiCoLeO 2011
# PsiCoLeO 2011
# Rip Cord 2013
#
#
# Script to extract the embedded files from lv1.self
# Script to extract the embedded files from lv1.self
# There is no warranty that this script will work for you
# There is no warranty that this script will work for you
# I can not be held responsable of what you do with this script or any damage you get from using it
# I can not be held responsible of what you do with this script or any damage you get from using it
# Use it as you please
# Use it as you please
 
# File names
# File names
files=( "pme_init" "sysmgr_ss.fself" "pme_init.conf" "ss_init.fself" "updater_frontend.fself" "ss_server1.fself" "ss_server2.fself" "ss_server3.fself" )
files=( "pme_init" "sysmgr_ss.fself" "pme_init.conf" "ss_init.fself" "updater_frontend.fself" "ss_server1.fself" "ss_server2.fself" "ss_server3.fself" )
 
#comment and uncomment file sizes and offsets depending on the firmware
#comment and uncomment file sizes and offsets depending on the firmware
 
# File sizes 3.41
# File sizes 3.41
size=( 0x24824 0x5f790 0xAF 0x34eb8 0x239F0 0x811D0 0x4A940 0x38ED0 )
#size=( 0x24824 0x5f790 0xAF 0x34eb8 0x239F0 0x811D0 0x4A940 0x38ED0 )
 
# File offsets 3.41
# File offsets 3.41
offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DBC4 0x378504 )
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DBC4 0x378504 )
 
# File sizes 3.55  
# File sizes 3.55
#size=( 0x24824 0x5f790 0xAF 0x34EB8 0x239F0 0x813B8 0x4A940 0x38ED0 )
#size=( 0x24824 0x5f790 0xAF 0x34EB8 0x239F0 0x813B8 0x4A940 0x38ED0 )
 
# File offsets 3.55
# File offsets 3.55
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DDAC 0x3786EC )
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DDAC 0x3786EC )
 
#*******************************************************************************
# values for firmwares 4.21 - 4.41 have been added to PsiCoLeO's original release
# File sizes 4.21
#size=( 0x217D8 0x5FBC8 0xAF 0x35058 0x239F0 0x81890 0x4ACE0 0x39080 )
# File offsets 4.21
#offset=( 0x1F00E8 0x2118C0 0x271488 0x271538 0x2A6590 0x2C9F80 0x34B810 0x3964F0 )
# File sizes 4.30
#size=( 0x217D8 0x5FCA8 0xAF 0x35058 0x239F0 0x81A38 0x4ACE0 0x391D0 )
# File offsets 4.30
#offset=( 0x1F00E8 0x2118C0 0x271568 0x271618 0x2A6670 0x2CA060 0x34BA98 0x396778 )
# File sizes 4.41
size=( 0x217D8 0x5FCA8 0xAF 0x35058 0x23D90 0x81A38 0x4ACE0 0x391D0 )
# File offsets 4.41
offset=( 0x1F00E8 0x2118C0 0x271568 0x271618 0x2A6670 0x2CA400 0x34BE38 0x396B18)
#*******************************************************************************
cont=0
cont=0
 
printf "***************************** \n"
printf "***************************** \n"
printf "* Psicoleo's                * \n"
printf "* Psicoleo's                * \n"
printf "* Dump lv1 Embedded files   * \n"  
printf "* Dump lv1 Embedded files * \n"
printf "***************************** \n\n"
printf "***************************** \n\n"
 
for file in "${files[@]}"
for file in "${files[@]}"
do
do
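Review bot: The 3.41 `size` and `offset` arrays are now commented out and the 4.41 arrays are the only active ones, so anyone running the script unmodified against a 3.41 or 3.55 lv1.elf gets files cut at the wrong offsets with no error. The "comment and uncomment file sizes and offsets depending on the firmware" line does not say which firmware is now the default; state that there, or select the firmware from a second argument. The 4.41 offset array also ends in `0x396B18)` without the space before `)` that every other array has.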
Line 215: Line 241:
         printf "      %s\n" "${file}"
         printf "      %s\n" "${file}"
         printf "***************************** \n\n"
         printf "***************************** \n\n"
printf "%s\n" "${offset[$cont]}"
    printf "%s\n" "${offset[$cont]}"
printf "%s\n" "${size[$cont]}"
    printf "%s\n" "${size[$cont]}"
printf "%s\n" "${cont}"
    printf "%s\n" "${cont}"
dd if=$1 of=$file bs=1 obs=1 skip=$((${offset[$cont]})) count=$((${size[$cont]}))
    dd if=$1 of=$file bs=1 obs=1 skip=$((${offset[$cont]})) count=$((${size[$cont]}))
cont=$(($cont+1))
    cont=$(($cont+1))
done
done
</source>
</source>
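Review bot: The `dd` line is only re-indented here and still passes `$1` and `$file` unquoted, so an input path containing spaces breaks the extraction; quote them as `if="$1" of="$file"` while the line is being touched. Nothing in the loop checks the exit status of `dd`, so a truncated lv1.elf produces short output files without any error from the script.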
Line 577: Line 603:


=== sc_updater ===
=== sc_updater ===
{|class="wikitable"
|-
! Name !! Type !! Args !! Description
|-
|initialize() || || ||
|}


=== certified_file_verifier ===
=== certified_file_verifier ===
Line 735: Line 768:
|-
|-
! Name !! Type !! Args !! Description
! Name !! Type !! Args !! Description
|-
|read(0x%llx, %lld, 0x%llx) || || ||
|-
|-
|allocate_buffer(%lld) || || ||  
|allocate_buffer(%lld) || || ||  
|-
|-
|release_buffer(0x%llx) || || ||  
|cache_all_composite_region_entry || || ||  
|-
|-
|cache_all_composite_region_entry || || ||  
|get_bank_info || || ||  
|-
|-
|get_composite_region_entry_by_index(%d, 0x%llx) || || ||  
|get_composite_region_entry_by_index(%d, 0x%llx) || || ||  
|-
|get_composite_region_entry_by_name(%s) || || ||
|-
|get_composite_region_header || || ||
|-
|initialize || || ||
|-
|read(0x%llx, %lld, 0x%llx) || || ||
|-
|release_buffer(0x%llx) || || ||
|-
|-
|writev || || ||  
|writev || || ||  
Line 898: Line 939:
|-
|-
|sbm_spe_install_signal_handlers  || || ||
|sbm_spe_install_signal_handlers  || || ||
|}
=== flash_io ===
{|class="wikitable"
|-
! Name !! Type !! Args !! Description
|-
|init  || || ||
|-
|range  || || ||
|}
|}



Latest revision as of 07:55, 22 April 2023

This is the Hypervisor (see Hypervisor Reverse Engineering) and follows the SELF file format.

Embedded Files Segment

lv1 contains many embedded SELFs inside a special segment, the "Embedded Files Segment". This is a segment within the program itself; opening it in a hex editor shows a small file table that appears different from the others that Sony has used.

File Table

The file table follows this structure:

  • 4 bytes = number of entries
  • 4 bytes = table length

then the file table, one entry per file:

  • 4 bytes = index
  • 4 bytes = start
  • 4 bytes = length

followed by a null-terminated string for each file, commonly:

  • pme_init
  • sysmgr_ss.fself
  • pme_init.conf
  • ss_init.fself
  • updater_frontend.fself
  • ss_server1.fself
  • ss_server2.fself
  • ss_server3.fself

Files common on lv1

lv1.self delegates a lot of work to the embedded SELFs, which it loads into different processes (see Hypervisor Reverse Engineering).

File Description
pme_init
sysmgr_ss.fself
pme_init.conf
ss_init.fself
updater_frontend.fself
ss_server1.fself
ss_server2.fself
ss_server3.fself

lv1.self 3.41

lv1 Embedded files segment

Segment start offset: 0x1D0000

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

001D0000  00 00 00 08 00 00 00 E8 00 00 00 00 00 00 00 00  .......è........
001D0010  00 02 48 24 00 00 00 09 00 02 48 24 00 05 F7 90  ..H$......H$..÷.
001D0020  00 00 00 19 00 08 3F B4 00 00 00 AF 00 00 00 27  ......?´...¯...'
001D0030  00 08 40 64 00 03 4E B8 00 00 00 35 00 0B 8F 1C  ..@d..N¸...5....
001D0040  00 02 39 F0 00 00 00 4C 00 0D C9 0C 00 08 11 D0  ..9ð...L..É....Ð
001D0050  00 00 00 5D 00 15 DA DC 00 04 A9 40 00 00 00 6E  ...]..ÚÜ..©@...n
001D0060  00 1A 84 1C 00 03 8E D0 70 6D 65 5F 69 6E 69 74  ..„...ŽÐpme_init
001D0070  00 73 79 73 6D 67 72 5F 73 73 2E 66 73 65 6C 66  .sysmgr_ss.fself
001D0080  00 70 6D 65 5F 69 6E 69 74 2E 63 6F 6E 66 00 73  .pme_init.conf.s
001D0090  73 5F 69 6E 69 74 2E 66 73 65 6C 66 00 75 70 64  s_init.fself.upd
001D00A0  61 74 65 72 5F 66 72 6F 6E 74 65 6E 64 2E 66 73  ater_frontend.fs
001D00B0  65 6C 66 00 73 73 5F 73 65 72 76 65 72 31 2E 66  elf.ss_server1.f
001D00C0  73 65 6C 66 00 73 73 5F 73 65 72 76 65 72 32 2E  self.ss_server2.
001D00D0  66 73 65 6C 66 00 73 73 5F 73 65 72 76 65 72 33  fself.ss_server3
001D00E0  2E 66 73 65 6C 66 00 00 7F                       .fself...

Offset      Size  Value  Description
0x00000000  0x04  0x08   number of entries
0x00000004  0x04  0xE8   table length

name                    start     length   index  Real start (segment start + table length + start)
pme_init                0x0       0x24824  0x00   0x1D00E8
sysmgr_ss.fself         0x24824   0x5f790  0x09   0x1F490C
pme_init.conf           0x83fb4   0xAF     0x19   0x25409C
ss_init.fself           0x84064   0x34eb8  0x27   0x25414C
updater_frontend.fself  0xB8F1C   0x239F0  0x35   0x289004
ss_server1.fself        0xDC90C   0x813B8  0x4C   0x2AC9F4
ss_server2.fself        0x15DADC  0x4A940  0x5D   0x32DDAC
ss_server3.fself        0x1A841C  0x38ED0  0x6E   0x378504
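
A table-driven extractor, as an added example (not part of the wiki page and not PsiCoLeO's script): it reads the file table shown in the 3.41 dump above instead of hard-coding offsets per firmware, and validates names and bounds before writing anything. The function names are hypothetical; it assumes big-endian fields and that "index" is the byte offset of the name within the string area, which is what the dump shows.

```python
import struct
from collections import namedtuple

Entry = namedtuple("Entry", "name start length real_start")

# Header and 8 entries (0x68 bytes) transcribed from the 3.41 hex dump on this
# page, followed by the name strings and the single pad byte before 0x1D00E8.
TABLE_341 = bytes.fromhex(
    "00000008000000E80000000000000000"
    "0002482400000009000248240005F790"
    "0000001900083FB4000000AF00000027"
    "0008406400034EB800000035000B8F1C"
    "000239F00000004C000DC90C000811D0"
    "0000005D0015DADC0004A9400000006E"
    "001A841C00038ED0"
) + b"\0".join([b"pme_init", b"sysmgr_ss.fself", b"pme_init.conf",
                b"ss_init.fself", b"updater_frontend.fself", b"ss_server1.fself",
                b"ss_server2.fself", b"ss_server3.fself"]) + b"\0\0"

def parse_file_table(seg, seg_off):
    """Parse the file table at the start of the segment bytes `seg`."""
    if len(seg) < 8:
        raise ValueError("segment too short for table header")
    count, table_len = struct.unpack_from(">II", seg, 0)
    names_off = 8 + 12 * count          # strings follow the 12-byte entries
    if not names_off <= table_len <= len(seg):
        raise ValueError("table length inconsistent with entry count")
    entries = []
    for i in range(count):
        name_idx, start, length = struct.unpack_from(">III", seg, 8 + 12 * i)
        pos = names_off + name_idx
        end = seg.find(b"\0", pos, table_len)
        if pos >= table_len or end < 0:
            raise ValueError("entry %d: name lies outside the table" % i)
        name = seg[pos:end].decode("ascii")
        # Real start = segment start + table length + start (as in the tables)
        entries.append(Entry(name, start, length, seg_off + table_len + start))
    return entries

def extract(image, seg_off, out_dir):
    """Write every embedded file of a decrypted lv1 image (bytes) into out_dir."""
    written = []
    for e in parse_file_table(image[seg_off:], seg_off):
        # Names come from the image itself: never let them pick the directory.
        if e.name in ("", ".", "..") or "/" in e.name or "\\" in e.name:
            raise ValueError("unsafe file name %r" % e.name)
        if e.real_start + e.length > len(image):
            raise ValueError("%s extends past the end of the image" % e.name)
        path = out_dir + "/" + e.name
        with open(path, "wb") as f:
            f.write(image[e.real_start:e.real_start + e.length])
        written.append(path)
    return written

if __name__ == "__main__":
    for e in parse_file_table(TABLE_341, 0x1D0000):
        print("%-24s start=0x%X length=0x%X real=0x%X" % e)
```
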

lv1.self 3.55

file table

name                    start     length   index  Real start (segment start + table length + start)  (TOC Address-just4info)
pme_init                0x0       0x24824  0x00   0x1D00E8
sysmgr_ss.fself         0x24824   0x5f790  0x09   0x1F490C                                           0xC0012A90
pme_init.conf           0x83fb4   0xAF     0x19   0x25409C
ss_init.fself           0x84064   0x34EB8  0x27   0x25414C                                           0xC000AF80
updater_frontend.fself  0xB8F1C   0x239F0  0x35   0x289004                                           0xC0009FF0
ss_server1.fself        0xDC90C   0x813B8  0x4C   0x2AC9F4                                           0xC0014728
ss_server2.fself        0x15DCC4  0x4A940  0x5D   0x32DDAC                                           0xC000F008
ss_server3.fself        0x1A8604  0x38ED0  0x6E   0x3786EC                                           0xC000E4E8

pme_init.conf example

#
# configuration file for pme_init
#
# notation:
#	boot	name_of_executable	sync/nosync

# sample
boot	ss_init.fself		sync
boot	sysmgr_ss.fself		nosync
boot	pme_shell		nosync

Dump lv1 embedded ELFs script

I did this script quickly to extract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --PsiCoLeO 16:11, 22 May 2011 (CDT)

Located an updated variant of PsiCoLeO's script. The update includes offsets and sizes for 4.21 - 4.41 firmware, and was contributed by Rip Cord from an external source, with minor typo fixes by myself. See edit summary for source attribution. --Tuxsavvy (talk) 08:55, 22 April 2023 (CEST)

How to use it

1) Save the script in a file named:

dump_lv1_embedded_files.sh

2) Give it execute permissions:

chmod +x dump_lv1_embedded_files.sh

3) Feed it with decrypted lv1.self:

./dump_lv1_embedded_files.sh lv1.elf

#!/bin/bash
# PsiCoLeO 2011
# Rip Cord 2013
#
# Script to extract the embedded files from lv1.self
# There is no warranty that this script will work for you
# I can not be held responsible of what you do with this script or any damage you get from using it
# Use it as you please
 
# File names
files=( "pme_init" "sysmgr_ss.fself" "pme_init.conf" "ss_init.fself" "updater_frontend.fself" "ss_server1.fself" "ss_server2.fself" "ss_server3.fself" )
 
#comment and uncomment file sizes and offsets depending on the firmware
 
# File sizes 3.41
#size=( 0x24824 0x5f790 0xAF 0x34eb8 0x239F0 0x811D0 0x4A940 0x38ED0 )
 
# File offsets 3.41
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DBC4 0x378504 )
 
# File sizes 3.55
#size=( 0x24824 0x5f790 0xAF 0x34EB8 0x239F0 0x813B8 0x4A940 0x38ED0 )
 
# File offsets 3.55
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DDAC 0x3786EC )
 
 
#*******************************************************************************
# values for firmwares 4.21 - 4.41 have been added to PsiCoLeO's original release
 
# File sizes 4.21
#size=( 0x217D8 0x5FBC8 0xAF 0x35058 0x239F0 0x81890 0x4ACE0 0x39080 )
 
# File offsets 4.21
#offset=( 0x1F00E8 0x2118C0 0x271488 0x271538 0x2A6590 0x2C9F80 0x34B810 0x3964F0 )
 
# File sizes 4.30
#size=( 0x217D8 0x5FCA8 0xAF 0x35058 0x239F0 0x81A38 0x4ACE0 0x391D0 )
 
# File offsets 4.30
#offset=( 0x1F00E8 0x2118C0 0x271568 0x271618 0x2A6670 0x2CA060 0x34BA98 0x396778 )
 
# File sizes 4.41
size=( 0x217D8 0x5FCA8 0xAF 0x35058 0x23D90 0x81A38 0x4ACE0 0x391D0 )
 
# File offsets 4.41
offset=( 0x1F00E8 0x2118C0 0x271568 0x271618 0x2A6670 0x2CA400 0x34BE38 0x396B18)
 
#*******************************************************************************
 
cont=0
 
printf "***************************** \n"
printf "* Psicoleo's                * \n"
printf "* Dump lv1 Embedded files  * \n"
printf "***************************** \n\n"
 
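# Stop early when no input file was given
if [ ! -f "$1" ]; then
    printf "usage: %s lv1.elf\n" "$0" >&2
    exit 1
fi

for file in "${files[@]}"
do
    printf "***************************** \n\n"
    printf "      %s\n" "${file}"
    printf "***************************** \n\n"
    printf "%s\n" "${offset[$cont]}"
    printf "%s\n" "${size[$cont]}"
    printf "%s\n" "${cont}"
    # Copy size[cont] bytes starting at offset[cont]; quoting keeps paths with spaces intact
    dd if="$1" of="$file" bs=1 obs=1 skip=$((${offset[$cont]})) count=$((${size[$cont]}))
    cont=$(($cont+1))
done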

ss_server1.fself

Class list

Name Description
ss_init_if
usb_dongle_authenticator
security_hardware_framework_if
user_token_manager
user_token_processor
update_manager
verify_util
region_manager
update_token_procesor
bd_updater
sc_updater
certified_file_verifier
virtual_trm_manager
get_applicable_version
sc_manager
sc_manager_if
composite_region
bank_manager
capability_checker
if_proto
ss_responder
port_id_table
pme_client
pme_server
page_bytestring
port_id_table
ss_packet
sbm
ss_init_repository

Members

ss_init_if

Name Type Args Description
notify_ready

usb_dongle_authenticator

Name Type Args Description
initialize
verify_response
generate_challenge

security_hardware_framework_if

Name Type Args Description
get_random_number sanity check

user_token_manager

Name Type Args Description
decrypt_user_token
encrypt_user_token

user_token_processor

Name Type Args Description
read_idps
create_command
load_module
request_loading_spu_module

update_manager

Name Type Args Description
read
write verification
swap_bank(%d, 0x%llx)
swap_boot_bank
get_package_info(%d)
get_secure_product_mode
set_sc_status(%d)
get_sc_status(%d)
set_secure_product_mode(0x%x)
decompress_and_write_target
write_target
check_core_os_hash
get_version_and_hash()
*****calc_lv0_hash
*****calc_lv1_hash
read_revoke_list(%d)
initialize_revoke_list_info(%d)
applicable_version_info(%d)
check_revoke_list_hash
check_revoke_list_all
check_size(%d, 0x%llx)
set_SBI_flags
calc_os_hash
force update mode -
update_package_tophalf
*****check_size()
common_tophalf
*****reques_id
is_valid_access (0x%x, 0x%02x, 0x%llx) Valid acces: "TOOL/DEX/ARCADE or manufacturing phase" or "CEX"
inspect_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x, 0x%x)
extract_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x, 0x%x)
update_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x,0x%x)
set_token
read_eprom(0x%x)
get_token_seed
inspect_package_bottomhalf
extract_package_bottomhalf
get_extract_package
copy extracted data
update_package_bottomhalf
get_fix_instruction
erase_core_os_standby_bank
*****get_version_and_hash
*****set_version_and_hash
erase_hash_standby_bank(%d)
set_debug_support_repository
init_ss_params_repositories
set_hdd_copy_mode_repository
init_ss_params_repositories
set_recover_mode_repository
init_ss_params_repositories
set_fself_control_repository
init_device_type
set_update_status_repository
write_eprom(0x%x, 0x%x)
set_qa_flag_repository
init_qa_flag
do_fix_regions
do_fix_trm_regions
init_for_updater
initialize_revoke_list_info(%d)
init_device_type

verify_util

Name Type Args Description
SHA-1 hash
install_revoke_list_to_lv0
prepare_args
detect_id
get_version_and_hash_from_SC
get_version_and_hash
calc_hash_of_target

region_manager

Name Type Args Description
setup_internal
set_update_status(%d)
get_update_status(%d)
read_data(%d, 0x%llx, 0x%llx, 0x%llx)
write_data(%d, 0x%llx, 0x%llx, 0x%llx)

update_token_procesor

Name Type Args Description
read_idps
create_command
load_module
request_loading_spu_module

bd_updater

Name Type Args Description
detect_need_eject
disable_reqsense
enable_reqsense
eval_exception_rules(0x%llx)
sense_cmd
check_cmd_result
send_atp_command
detect_drive_generation
polling_progress
writebuf_cmd(0x%x, 0x%x, 0x%x, 0x%x, 0x%x)
send_firmware(0x%llx, 0x%llx)
readbuf_cap_cmd
readbuf_cmd(0x%x, 0x%x, 0x%x, 0x%x, 0x%x)
eject
stop
prepare_drive
inquiry
detect_drive_type

sc_updater

Name Type Args Description
initialize()

certified_file_verifier

Name Type Args Description
load_module()
request_loading_spu_module()

virtual_trm_manager

Name Type Args Description
read_flash_raw
restart_objs
set_flash_tampered
set_srh
decrypt_master
decrypt_with_portability
decrypt
encrypt_with_portability
encrypt
backup_flash
flash_addr_size
restore_srk_srh
backup_srk_srh
write_flash_raw
restore_flash
vtrm_chk_stat
table_icv
status
sanity check
update_table_icv
*****read
*****write
fix_2pc_status
*****root hash (FLASH)
update_srh
restart_objs
*****restart_twopc
*****retrieve_rhash_rhsec
*****get_twopc_range
*****check_header
*****restart_htbl
restart
force_restart
initialize
*****raw flash area
*****htbl flash area
*****flash erase
*****setup_header
*****init_db
*****init_sc
*****init_header
*****restart
setup_flash
instanciate_objs
print_flash_range
free
store
retrieve

get_applicable_version

Name Type Args Description
installed_version
builtin_rvk_version

module_loader

Name Type Args Description
load_module

sc_manager

Name Type Args Description
init_for_vtrm

sc_manager_if

Name Type Args Description
restore_root_info

composite_region

Name Type Args Description
allocate_buffer(%lld)
cache_all_composite_region_entry
get_bank_info
get_composite_region_entry_by_index(%d, 0x%llx)
get_composite_region_entry_by_name(%s)
get_composite_region_header
initialize
read(0x%llx, %lld, 0x%llx)
release_buffer(0x%llx)
writev

bank_manager

Name Type Args Description
get_repository_value(m_type = %d)
setup(%d)

capability_checker

Name Type Args Description
check_product_mode_capability

if_proto

Name Type Args Description
send_receive

ss_responder

Name Type Args Description
terminate
initialize
loop_once

port_id_table

Name Type Args Description
function_id2port_id

pme_client

Name Type Args Description
receive
disconnect
connect
send

pme_server

Name Type Args Description
disconnect
force_close
reply
accept
connect

page_bytestring

Name Type Args Description
free_page
alloc_page

ss_packet

Name Type Args Description
send_receive
process_async
process_received
accept_reply

ss_init_repository

Name Type Args Description
get_node_value
create_node

sbm

Name Type Args Description
sbm_set_key
sbm_get_rnd
sbm_set_key
sbm_core_process
*****EID data(encrypt)
sbm_get_header
sbm_check_received_data
sbm_run_iso_spu_module
sbm_set_encdec_key_prepare_args
sbm_set_key_get_result
sbm_set_key_run
sbm_spe_install_signal_handlers

flash_io

Name Type Args Description
init
range