Secure Profile Loader: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(kudos to graf/glevand for this reverse engineering)
 
mNo edit summary
Line 1: Line 1:
[[Category:Software]]
[[Default.spp]] file is stored on '''/dev/rflash1'''
[[Default.spp]] file is stored on '''/dev/rflash1'''



Revision as of 05:32, 13 November 2012

Default.spp file is stored on /dev/rflash1


0x15000 - SPL (Secure Profile Loader)

Packet ID Description
0x15001 Get LPAR Parameter Size/Get LPAR Parameter
0x15003 Get Contents Size/Get Contents
0x15009 Get Component

SPP File

  • The file is encrypted but can be read by using 0x15003 service of SPL
  • SPL reads SPP file, parses SPP header and checks some fields
  • SPP file is verified and decrypted by SPU module spp_verifier.self that cab be executed with HV SPE calls
  • Even old default.spp from PS3 Firmware 1.10 can be decrypted with spp_verifier.self from PS3 Firmware 3.41
  • Header format version should be 5 or else the header check fails
  • If (SPP header size % 256 != 0) then header check fails
  • Finally i was able to decrypt profile file from 3.41 but by using SPE HV calls only !!! And Linux Manager is still there !!!
  • The decrypted file is a binary file

Here are the contents of Default.spp#3.56_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.55_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.41_RETAIL.2FCEX from 3.41.
Here are the contents of Default.spp#3.15_RETAIL.2FCEX from 3.15.
Here are the contents of Default.spp#1.00_DEBUG.2FDEX from 1.00 Debug Firmware.

SPP Header

offset 0x2 - header format version (2 bytes)

offset 0x4 - header size (4 bytes)

offset 0x18 - number of segments (4 bytes)

Segments

  • Segments follow after the header
  • SPP file contains several segments.

Here is the list of profile segments from 3.41:

Name auth id/authority id
*SCE_CELLOS_PME 0x1070000001000001
*PS3_LPAR 0x1070000002000001
*PS2_LPAR 0x1020000003000001
*PS2_GX_LPAR 0x1020000003000001
*PS2_SW_LPAR 0x1020000003000001
*LINUX_LPAR 0x1080000004000001
*SCE_CELLOS_SYSTEM_MGR 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_LINUX 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2_SW 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2_GX 0x107000001D000001
*SCE_CELLOS_SS_SECURE_RTC 0x1070000033000001
*SCE_CELLOS_SS_INDI_INFO_EID
*SCE_CELLOS_SS_INIT_LV1_ACL 0x1070000017000001