Loaders: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
m (some lv1ldr additions)
No edit summary
 
(47 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Software]]
= Explaination =
= Explaination =
Loaders are used for loading other modules.
Loaders are used for loading other modules.
Line 9: Line 8:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Loader !! Location !! Type !! Remarks
! Loader !! Location !! Type !! Zlib support !! Fself support !! Remarks
|-
|-
| bootldr || [[Flash]] || Boot Loader || primairy loader from chain of trust
| bootldr || [[Flash]] || Boot Loader || NO || NO || primary loader from chain of trust, loads lv0
|-
|-
| metldr || [[Flash]] || Meta Loader || aka asecure_loader. Loads other loaders
| metldr || [[Flash]] || Meta Loader || NO || NO || aka asecure_loader. Loads other loaders
|-
|-
| appldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Application Loader || loads [[VSH|vsh.self]] (Userspace Module)
| appldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Application Loader || YES || YES || loads userspace [f]selfs e.g. [[VSH|vsh.self]], videoplayer_plugin.sprx, disc/NPDRM EBOOT.BINs and [[EDAT_files|EDAT files]]
|-
|-
| isoldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Isolation Loader || loading [[Iso module|isolated SPU modules]]
| isoldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Isolation Loader || NO ||  NO || loading [[Iso module|isolated SPU modules]]
|-
|-
| lv1ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Hypervisor Loader || loads [[lv1.self]] ([[Hypervisor_Reverse_Engineering|Hypervisor]])
| lv1ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Hypervisor Loader || YES ||  NO || loads [[lv1.self]] ([[Hypervisor_Reverse_Engineering|Hypervisor]])
|-  
|-  
| lv2ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Supervisor Loader || loads lv2_kernel.self (Supervisor kernel)
| lv2ldr || [[Boot_Order#CoreOS_PKG_Filelisting|CoreOS]] || Supervisor Loader || YES ||  NO || loads lv2_kernel.self (Supervisor kernel)
|-
|}
 
=== Loader encapsulation in lv0 ===
{| class="wikitable"
|-
! [http://www.mirrorcreator.com/files/1MLGFUHN/lv0-360-426.rar_links version] !! decrypted SHA1 hash !! isoldr !! appldr !! lv1ldr !! lv2ldr !! Remarks
|-
| [http://www.mirrorcreator.com/files/0YTEHDT5/lv0-360.elf_links 3.60] || 7A051A4A228C5C7256B9DD3ECC0CFABB605490E3 || || || || || [http://www.mirrorcreator.com/files/IJZ2LZ6I/3.60_loaders.7z_links D/L] ; contains weird 2nd loaders that could not be decrypted (named [loader name]_2)
|-
| [http://www.mirrorcreator.com/files/1XLVGOHY/lv0-361.elf_links 3.61] || 832CE19B420895B7C89D0DD3D346B9B4254F0902 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/SEZJC9MY/lv0-365.elf_links 3.65] || C9F7F42BFB30A9FB9FF1394D18F8C490FA20E51D ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/KCT9T16O/lv0-366.elf_links 3.66] || 110CEA044B059AC8E89C52121DD94EB062605180 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/0R5PB6HD/lv0-370.elf_links 3.70] || B0CE989CEA9994A7424BC64C49B477ACB9759C45 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/3T5G4HTU/lv0-372.elf_links 3.72] || E6ABA3DBBAB9CCCFA8B9D4C75AF9BC2CD2A470CC ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/UFNLTHF4/lv0-373.elf_links 3.73] || 17E363EC32AE2C35410250FD147500EAB27C7229 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/0PPREFR4/lv0-374.elf_links 3.74] || 048C7F30C6FEC76029DE7107C6EA825D778464D3 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/0DMBS9UJ/lv0-400.elf_links 4.00] || B1BD5C738EA8B4C5882DF3816802042015E57765 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/BYC8OJTA/lv0-401.elf_links 4.01] || DB42B9FC98E927536F9BDE68517DC7EF6A3E7630 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/10ZSJ0EV/lv0-410.elf_links 4.10] || ED6B89DE996DA92B670A515342E5BA44C506CCB8 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/YAVOOWHN/lv0-411.elf_links 4.11] || 5A80C633C7679FB24FEC9E603058A65010F1CC59 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/ZASV4VRP/lv0-420.elf_links 4.20] || 69F14D7512177EAE3DB6A00764CB242D1683511C ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/6YUOJVTH/lv0-421.elf_links 4.21] || DB4E4CF6A795D8AB93200B4ACDA7978028601EDC ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/NOYHSIPY/lv0-423.elf_links 4.23] || AC7BDA2E7E093D4FDDE801FAFAB42F55B92506C4 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/1BJIVAWD/lv0-425.elf_links 4.25] || A6DE36E9178C75B3C557E3056C8BAE5A13C83038 ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/0GJNGKIH/lv0-426.elf_links 4.26] || 042ACDE3A986B50F8C58450798DD866130EB85EA ||  ||  ||  ||  ||
|-
| [http://www.mirrorcreator.com/files/M85N5C74/lv0-430.elf_links 4.30] || 44A048CC7F990A9EE5400695BC0D9EE283BAB02F ||  ||  ||  ||  ||
|-
|-
|}
|}
Line 32: Line 74:
| 0x30 || isoldr/appldr || Version mismatch (isoldr version differs from version returned by SPU channel 73).
| 0x30 || isoldr/appldr || Version mismatch (isoldr version differs from version returned by SPU channel 73).
|-
|-
| 0x16 || isoldr ||
| 0x16 || isoldr || Revoke List Error
|-
| 0x17 || isoldr || Adresses needs to be aligned
|-
| 0x21 || lv1ldr || ???
|-
|-
| 0x27 || appldr || SPU arg at 0x3E840
| 0x27 || appldr || SPU arg at 0x3E840
|-
| 0x20 || metldr || header error
|-
| 0x23 || metldr || ECDSA signature failure
|-
|-
|}
|}
Line 40: Line 90:
0x27
0x27


When booting, lv1ldr store its version in this region writing to ch_72.<br />
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)
Note: this version check was recently added, maybe in fw 3.41


<pre>
<pre>
Line 50: Line 103:


=== lv1ldr ===
=== lv1ldr ===
Used for loading the hypervisor (lv1.self)
Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.


==== LS Parameters Layout ====
==== LS Parameters Layout ====
{| class="wikitable"
|-
! Address !! Usage !! Comments
|-
| 0x34CB0 || Unknown || DMA read from ch74 20 times.
|-
| 0x3E000 || Wait flag || If (flag==0){wait;} // use 0xFF00000000ULL
|-
| 0x3E800 || Arguments ||
|}
=== lv2ldr ===
Used to verify and decrypt lv2 selfs (lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self, ps2_netemu.self)
And to install RVK-list.
==== LS Parameters layout ====
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 60: Line 130:
|-
|-
| 0x3E800 || Arguments ||
| 0x3E800 || Arguments ||
|-
| 0x3F000 || Program revoke list ||
|}
==== Arguments ====
{| class="wikitable"
|-
! Size !! Name !! Value
|-
|u64 || lpar_auth_id || 0x1070000002000001
|-
|u8 || *lv2_in || lv2 self - address in ram
|-
|u8 || *lv2_out || where to decrypt lv2 - address in ram
|-
|u64 || field18 || -1
|-
|u8[40] || res1 || Unknown / Not used
|-
|u64 || field48 || 1
|-
|u8[16] || res2 || Unknown / Not used
|}
=== appldr ===
Used to verify and decrypt usermode program/data segments (system libraries, vsh and its modules, games, edat and sdat files)<BR>
Allows to authenticate fselfs by following Target_ids from EID0: 0x81, 0x82, 0xA0.
==== LS Parameters layout ====
{| class="wikitable"
|-
! Address !! Usage !! Comments
|-
| 0x3E000 || Wait flag || If (flag==0){wait;} // use 0xFF00000000ULL
|-
| 0x3E400 || EID0 || first 0x400 bytes of EID0
|-
| 0x3E800 || Arguments || u64 buffer_args_effective_addr
|-
| 0x3EC00 || QA-Flag Info|| u64 qaflag_exist_flag //If existed, set to 0, otherwise -1<BR>u64 unk0 //always 0<BR>u8[0x50] qa_token<BR>u8[0x2A] qa_token_signature<BR>u8[0x6] padding
|-
| 0x3EE00 || LV2 Protection Info || u64 hashed memory effective addr<BR>u64 hashed memory size<BR>u8[0x14] expected_hmac_hash<BR>u8[0xC] padding
|-
| 0x3F000 || Program revoke list ||
|}
==== Arguments ====
For authenticate_program_segment, firmware 0.8x
{| class="wikitable"
|-
! Size !! Name !! Value
|-
|u64 || program_auth_id || subject program authority id
|-
|u64 || lpar_auth_id || subject logical partition authority id
|-
|u64 || self_header_addr ||
|-
|u64 || program_segment_addr ||
|-
|u64 || program_segment_index ||
|-
|u64 || destination_addr || where to decrypt
|-
|u64 || capability_addr || capability flags will be placed to this addr
|-
|u64 || flag ||
|-
|u64 || field40 || unknown/pad
|-
|u64 || field48 || 2 (on modern fws it could be 2 or 3 or 5)
|}
For authenticate_program_segment, firmware 4.7x
{| class="wikitable"
|-
! Size !! Name !! Value
|-
|u64 || subarguments_addr || subarguments effective address
|-
|u64 || lpar_auth_id || subject logical partition authority id
|-
| || ||
|-
|u64 || field48 || 5 (checked by appldr, if doesnot match -> appldr will be stoped with err code 0x27)
|-
| || ||
|}
subarguments
{| class="wikitable"
|-
! Size !! Name !! Value
|-
| u64 || program_auth_id ||
|-
| u64 || self_header_addr ||
|-
| u64 || program_segment_addr? ||
|-
| u32 || segment_type || 0 for phdrs, 1 for shdrs
|-
| u32 || program_segment_index || segment number
|-
| u64 || destination_addr ||
|-
| u64 || capability_addr || capability flags (0x20 bytes) will be copyed at this effective addr
|-
| u64 || flag || some flags // flag & 0xFFFF must be <=2 for APP, 3 for UNK7/seven, 4 for NPDRM_APP, 5 for EDAT
|-
| u64 || ||
|-
| u64 || ||
|-
| u64 || ||
|-
| u64 || ||
|-
| u64 || ||
|-
| u8[0x10] || sceNpDrmKey ||
|-
| u64 || header_key_check_result_addr || ppu addr to send the result.
|-
| u64 || ||
|}
|}


Line 79: Line 277:
|-
|-
| 0x3F000 || Program revoke list ||
| 0x3F000 || Program revoke list ||
|}
==== Stop Codes ====
{| class="wikitable"
|-
! Stop Code !! Remark
|-
| 0x0D || Revocation check failed.
|-
| 0x0E || Signature check failed.
|-
| 0x0F || Revoke list verification failed.
|-
| 0x11 || Revoke list verification failed (header).
|-
| 0x12 || SELF segment verification internal error.
|-
| 0x13 || SELF verification failed.
|-
| 0x16 || Revoke list verification failed.
|-
| 0x17 || Isolated module EA is not aligned.
|-
| 0x1D || SELF segment verification internal error (ELF32 header).
|-
| 0x25 || Auth-ID error?
|-
|}
|}


Line 86: Line 311:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Size !! Name !! spp_verifier !!
! Size !! Name !! spp_verifier
|-
|-
|u64 || prog_auth_id || 0x1050000003000001
|u64 || prog_auth_id || 0x1050000003000001
Line 94: Line 319:
|u64 || *spu_module || SPU - address in ram
|u64 || *spu_module || SPU - address in ram
|-
|-
|u64 || *spu_module_arg1 || Profile - address in ram ||
|u64 || *spu_module_arg1 || Profile - address in ram
|-
|-
|u64 || spu_module_arg1_size || sizeof(profile) ||
|u64 || spu_module_arg1_size || sizeof(profile)
|-
|-
|u64 || *spu_module_arg2 || Not used ||
|u64 || *spu_module_arg2 || Not used
|-
|-
|u64 || spu_module_arg2_size || Not used ||
|u64 || spu_module_arg2_size || Not used
|-
|-
|u8 || res1[16] || Unknown  
|u8 || res1[16] || Unknown  
Line 108: Line 333:
|u8 res2[16] || Unknown
|u8 res2[16] || Unknown
|}
|}
{| class="wikitable"
|-
! Size !! Name !! aim_spu_module
|-
|u64 || prog_auth_id || 0x1050000003000001
|-
|u64 || lpar_auth_id || 0x1070000002000001
|-
|u64 || *spu_module || SPU - address in ram
|-
|u64 || *spu_module_arg1 || aim_spu_args - address in ram
|-
|u64 || spu_module_arg1_size || 0x80
|-
|u64 || *spu_module_arg2 || eid0 - address in ram
|-
|u64 || spu_module_arg2_size || sizeof(eid0)
|-
|u64 || field48 || 3
|}
<pre>
union aim_spu_args {
struct {
void *buf;          // debug_info buffer address
u64 buf_size;        // debug_info buffer size
u32 param;          // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid
} in;
struct {
u8 result[0x10];    // no need to explain...
} out;
};
</pre>
{{Development}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 05:46, 19 June 2022

Explaination[edit | edit source]

Loaders are used for loading other modules.

Commonly found in CoreOS and Flash.


Known loaders[edit | edit source]

Loader Location Type Zlib support Fself support Remarks
bootldr Flash Boot Loader NO NO primary loader from chain of trust, loads lv0
metldr Flash Meta Loader NO NO aka asecure_loader. Loads other loaders
appldr CoreOS Application Loader YES YES loads userspace [f]selfs e.g. vsh.self, videoplayer_plugin.sprx, disc/NPDRM EBOOT.BINs and EDAT files
isoldr CoreOS Isolation Loader NO NO loading isolated SPU modules
lv1ldr CoreOS Hypervisor Loader YES NO loads lv1.self (Hypervisor)
lv2ldr CoreOS Supervisor Loader YES NO loads lv2_kernel.self (Supervisor kernel)

Loader encapsulation in lv0[edit | edit source]

version decrypted SHA1 hash isoldr appldr lv1ldr lv2ldr Remarks
3.60 7A051A4A228C5C7256B9DD3ECC0CFABB605490E3 D/L ; contains weird 2nd loaders that could not be decrypted (named [loader name]_2)
3.61 832CE19B420895B7C89D0DD3D346B9B4254F0902
3.65 C9F7F42BFB30A9FB9FF1394D18F8C490FA20E51D
3.66 110CEA044B059AC8E89C52121DD94EB062605180
3.70 B0CE989CEA9994A7424BC64C49B477ACB9759C45
3.72 E6ABA3DBBAB9CCCFA8B9D4C75AF9BC2CD2A470CC
3.73 17E363EC32AE2C35410250FD147500EAB27C7229
3.74 048C7F30C6FEC76029DE7107C6EA825D778464D3
4.00 B1BD5C738EA8B4C5882DF3816802042015E57765
4.01 DB42B9FC98E927536F9BDE68517DC7EF6A3E7630
4.10 ED6B89DE996DA92B670A515342E5BA44C506CCB8
4.11 5A80C633C7679FB24FEC9E603058A65010F1CC59
4.20 69F14D7512177EAE3DB6A00764CB242D1683511C
4.21 DB4E4CF6A795D8AB93200B4ACDA7978028601EDC
4.23 AC7BDA2E7E093D4FDDE801FAFAB42F55B92506C4
4.25 A6DE36E9178C75B3C557E3056C8BAE5A13C83038
4.26 042ACDE3A986B50F8C58450798DD866130EB85EA
4.30 44A048CC7F990A9EE5400695BC0D9EE283BAB02F

Stop Codes[edit | edit source]

Stop Code Module Remark
0x30 isoldr/appldr Version mismatch (isoldr version differs from version returned by SPU channel 73).
0x16 isoldr Revoke List Error
0x17 isoldr Adresses needs to be aligned
0x21 lv1ldr ???
0x27 appldr SPU arg at 0x3E840
0x20 metldr header error
0x23 metldr ECDSA signature failure

0x27

When booting, lv1ldr store its version in this region writing to ch_72.
isoldr asks for the version in two chuncks, if you want to pass version 3.41 (0x0003004100000000)

Note: this version check was recently added, maybe in fw 3.41 

//for ch_73_round_0
data0 = 0x00030041;
//for ch_73_round_1
data1 = 0x00000000;

lv1ldr[edit | edit source]

Used for loading the hypervisor (lv1.self). It also handles some initialization of the ATA and ENCDEC subsystems.

LS Parameters Layout[edit | edit source]

Address Usage Comments
0x34CB0 Unknown DMA read from ch74 20 times.
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments

lv2ldr[edit | edit source]

Used to verify and decrypt lv2 selfs (lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self, ps2_netemu.self)

And to install RVK-list.

LS Parameters layout[edit | edit source]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E800 Arguments
0x3F000 Program revoke list

Arguments[edit | edit source]

Size Name Value
u64 lpar_auth_id 0x1070000002000001
u8 *lv2_in lv2 self - address in ram
u8 *lv2_out where to decrypt lv2 - address in ram
u64 field18 -1
u8[40] res1 Unknown / Not used
u64 field48 1
u8[16] res2 Unknown / Not used

appldr[edit | edit source]

Used to verify and decrypt usermode program/data segments (system libraries, vsh and its modules, games, edat and sdat files)
Allows to authenticate fselfs by following Target_ids from EID0: 0x81, 0x82, 0xA0.

LS Parameters layout[edit | edit source]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E400 EID0 first 0x400 bytes of EID0
0x3E800 Arguments u64 buffer_args_effective_addr
0x3EC00 QA-Flag Info u64 qaflag_exist_flag //If existed, set to 0, otherwise -1
u64 unk0 //always 0
u8[0x50] qa_token
u8[0x2A] qa_token_signature
u8[0x6] padding
0x3EE00 LV2 Protection Info u64 hashed memory effective addr
u64 hashed memory size
u8[0x14] expected_hmac_hash
u8[0xC] padding
0x3F000 Program revoke list

Arguments[edit | edit source]

For authenticate_program_segment, firmware 0.8x

Size Name Value
u64 program_auth_id subject program authority id
u64 lpar_auth_id subject logical partition authority id
u64 self_header_addr
u64 program_segment_addr
u64 program_segment_index
u64 destination_addr where to decrypt
u64 capability_addr capability flags will be placed to this addr
u64 flag
u64 field40 unknown/pad
u64 field48 2 (on modern fws it could be 2 or 3 or 5)

For authenticate_program_segment, firmware 4.7x

Size Name Value
u64 subarguments_addr subarguments effective address
u64 lpar_auth_id subject logical partition authority id
u64 field48 5 (checked by appldr, if doesnot match -> appldr will be stoped with err code 0x27)

subarguments

Size Name Value
u64 program_auth_id
u64 self_header_addr
u64 program_segment_addr?
u32 segment_type 0 for phdrs, 1 for shdrs
u32 program_segment_index segment number
u64 destination_addr
u64 capability_addr capability flags (0x20 bytes) will be copyed at this effective addr
u64 flag some flags // flag & 0xFFFF must be <=2 for APP, 3 for UNK7/seven, 4 for NPDRM_APP, 5 for EDAT
u64
u64
u64
u64
u64
u8[0x10] sceNpDrmKey
u64 header_key_check_result_addr ppu addr to send the result.
u64

isoldr[edit | edit source]

Used for loading isolated SPU modules.

LS Parameters layout[edit | edit source]

Address Usage Comments
0x3E000 Wait flag If (flag==0){wait;} // use 0xFF00000000ULL
0x3E400 EID0
0x3E800 Arguments
0x3EC00 QA-Token If not used set to -1
0x3F000 Program revoke list

Stop Codes[edit | edit source]

Stop Code Remark
0x0D Revocation check failed.
0x0E Signature check failed.
0x0F Revoke list verification failed.
0x11 Revoke list verification failed (header).
0x12 SELF segment verification internal error.
0x13 SELF verification failed.
0x16 Revoke list verification failed.
0x17 Isolated module EA is not aligned.
0x1D SELF segment verification internal error (ELF32 header).
0x25 Auth-ID error?

Arguments[edit | edit source]

Depending which isolated module you want to load, you would need to pass it different arguments.

Size Name spp_verifier
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 Profile - address in ram
u64 spu_module_arg1_size sizeof(profile)
u64 *spu_module_arg2 Not used
u64 spu_module_arg2_size Not used
u8 res1[16] Unknown
u64 field48 3
u8 res2[16] Unknown
Size Name aim_spu_module
u64 prog_auth_id 0x1050000003000001
u64 lpar_auth_id 0x1070000002000001
u64 *spu_module SPU - address in ram
u64 *spu_module_arg1 aim_spu_args - address in ram
u64 spu_module_arg1_size 0x80
u64 *spu_module_arg2 eid0 - address in ram
u64 spu_module_arg2_size sizeof(eid0)
u64 field48 3 
union aim_spu_args {
	struct {
		void *buf;           // debug_info buffer address
		u64 buf_size;        // debug_info buffer size
		u32 param;           // 0x01 device type, 0x02 device id, 0x03 pscode, 0x04 psid
	} in;

	struct {
		u8 result[0x10];     // no need to explain...
	} out;
};


SDK
VSH
IDs + labels
Reference
Others
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Loaders&oldid=67181"