Update Manager
Revision as of 05:33, 13 November 2012
This service is responsible for processing Sony Playstation 3 Update files like CoreOS, Revoke List and Firmware PKGs
Update Manager service is accessed by GameOS syscall 863
0x6000 - Update Manager
Packet ID | Description |
---|---|
0x6001 | Update Package Tophalf |
0x6002 | Inspect Package Tophalf |
0x6003 | Get Package Info |
0x6004 | Get Fix Instruction |
0x6005 | Extract Package Tophalf |
0x6006 | Get Extract Package |
0x6007 | Check Integrity too |
0x6008 | Check Integrity too |
0x6009 | Get Token Seed |
0x600A | Set Token |
0x600B | Read EPROM |
0x600C | Write EPROM |
0x600D | Get Status |
0x600E | Allocate Buffer |
0x600F | Release Buffer |
0x6010 | Check Integrity |
0x6011 | Get Applicable Version |
0x6012 | (Re?)Allocate Buffer |
0x6001 - Update Package Tophalf
- The result of the request can be checked by reading the value of repository node ss.update.request.<Request ID> periodically
0x6002 - Inspect Package Tophalf
- I have got access to this service through DM and tested it with PSGroove
- This service can tell you if a package can be installed or not, the service just checks a package but does not install it
- Packages can be updated without GameOS !!! I'm using only HV calls and communicate directly with Dispatcher Manager and Update Manager
- I just sent a whole SCE package to GameOS through network, created a LPAR memory region and stored the file there
- It expects a SCE package that can be easily extracted from PUP file
- The data of SCE package can be passed either in SS packet itself or through LPAR memory of requester
- When the data of SCE package is too large for SS packet (SS packets are sent through DM, GameOS and DM communicate through VUART that has only 0x800 bytes buffer) then the data of SCE package has to be passed through GameOS LPAR memory. The requester sends a vector of LPAR memory addresses where the data of SCE package is stored and Update Manager maps it into the address space of Process 6
- E.g. Revoke List packages can be sent in SS packets because they are small (about 0x200 bytes). All other packages are too big to be sent in SS packets
- The service is actually split into two halves: Top-Half and Bottom-Half
- The Top-Half is executed synchronously with service request and it sends a reply to the requester
- In the reply sent by Top-Half a Request ID (8 bytes) is returned to the requester
- Request ID is calculated by using SHA-1
- After the Top-Half is done, a reply is sent to the requester, but up to this point the service has only checked some input parameters; the passed SCE package has not really been checked yet
- The Bottom-Half is called asynchronously to the request, it does the real job, it checks the passed SCE package.
- The result of the request can be checked by reading the value of repository node ss.inspect.request.<Request ID> periodically
- I successfully tested this service with RL_FOR_PROGRAM.img from the 3.50 PUP file and the service returned Success, so theoretically I could install this package on my PS3. But of course I want to downgrade and NOT to upgrade.
Inspect Package Tophalf Return Values
Error Code | Description |
---|---|
0x00000000 | Success |
0x00000013 | Same Version/Older Version |
0x00000014 | - |
0x6003 - Get Package Info
- I have got access to this service through DM and tested it with PSGroove
- The service expects one additional parameter: package type (valid values are 1-9)
- The service returns the version (8 bytes) of a package type installed
Here are the versions of packages installed on my PS3:
Package Type | Returned Version | Description | Package Name in PUP File |
---|---|---|---|
1 | 0x0003004100000000 | Core OS Package | CORE_OS_PACKAGE.pkg |
2 | 0x0003004100000000 | Revoke List Package for Program | RL_FOR_PROGRAM.img |
3 | 0x0002003000000000 | Revoke List Package for Package | RL_FOR_PACKAGE.img |
4 | 0xDEADBEAFFACEBABE | - | - |
5 | 0xDEADBEAFFACEBABE | - | - |
6 | 0x0003004000000000 | BD Firmware Package | BDIT_FIRMWARE_PACKAGE.pkg, BDPT_FIRMWARE_PACKAGE_*.pkg |
7 | Invalid Parameter | Bluetooth Firmware, dev_flash tarballs | BLUETOOTH_FIRMWARE.pkg, dev_flash, dev_flash3 |
8 | Invalid Parameter | - | - |
9 | Invalid Parameter | SC Firmware Package | SYS_CON_FIRMWARE_*.pkg |
Decrypting and Extracting Packages with spu_pkg_rvk_verifier.self
- I have managed to decrypt and extract Revoke List Packages 3.41 and 3.50 by using SPE HV calls and spu_pkg_rvk_verifier.self
- Important: parameters to the SPU module should be aligned; I used cache line alignment, I don't know the exact alignment requirements. Otherwise some very strange things can happen, e.g. SYSCON firmware was only partially decrypted when I used no cache line alignment.
- I have also managed to decrypt and extract Core OS Packages 1.10, 1.18 Debug, 2.40, 2.80, 3.15, 3.41 and 3.50 by using SPE HV calls and spu_pkg_rvk_verifier.self, but the result is compressed with zlib. Update Manager in Process 6 from 3.15 uses zlib 1.2.3 inflate to decompress it after it was decrypted and then stores the data to flash memory.
- I decompressed the decrypted Core OS Packages with zlib.
- I am able now to decrypt and decompress all Core OS Packages
- The decrypted and decompressed package CORE_OS_PACKAGE.pkg looks exactly like it's stored on flash.
- I also decrypted BD Firmwares BDIT_FIRMWARE_PACKAGE.pkg and BDPT_FIRMWARE_PACKAGE.pkg successfully. The firmware is not compressed.
- I also decrypted Bluetooth Firmware BLUETOOTH_FIRMWARE.pkg successfully. The firmware is encrypted and compressed.
- I also managed to decrypt System Controller Firmware SYS_CON_FIRMWARE_01050101.pkg from 3.41.
- Core OS Package 3.50 contains a new isolated SPU module that is not contained in older versions. The SPU module is manu_info_spu_module.self.
- Here are links to PS3 firmwares: [1] and [2]
RL_FOR_PROGRAM.img 3.41
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000200 00 00 00 04 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
00000210 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 03 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
00000230 00 00 00 00 00 00 00 02 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ
00000240 00 00 00 04 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
00000250 10 70 00 05 FF 00 00 01 FF FF FF FF FF FF FF FF .p..ÿ...ÿÿÿÿÿÿÿÿ
00000260 00 00 00 04 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
00000270 10 70 00 05 FE 00 00 01 FF FF FF FF FF FF FF FF .p..þ...ÿÿÿÿÿÿÿÿ
00000280 00 00 00 04 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
00000290 10 70 00 05 FD 00 00 01 FF FF FF FF FF FF FF FF .p..ý...ÿÿÿÿÿÿÿÿ
000002A0 00 00 00 04 00 00 00 01 00 03 00 41 00 00 00 00 ...........A....
000002B0 10 70 00 05 FC 00 00 01 FF FF FF FF FF FF FF FF .p..ü...ÿÿÿÿÿÿÿÿ
000002C0 00 00 00 04 00 00 00 03 00 01 00 00 00 00 00 00 ................
000002D0 10 70 00 04 00 00 00 01 FF FF FF FF FF FF FF FF .p......ÿÿÿÿÿÿÿÿ
RL_FOR_PROGRAM.img 3.50
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000200 00 00 00 04 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
00000210 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 03 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
00000230 00 00 00 00 00 00 00 02 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ
00000240 00 00 00 04 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
00000250 10 70 00 05 FF 00 00 01 FF FF FF FF FF FF FF FF .p..ÿ...ÿÿÿÿÿÿÿÿ
00000260 00 00 00 04 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
00000270 10 70 00 05 FE 00 00 01 FF FF FF FF FF FF FF FF .p..þ...ÿÿÿÿÿÿÿÿ
00000280 00 00 00 04 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
00000290 10 70 00 05 FD 00 00 01 FF FF FF FF FF FF FF FF .p..ý...ÿÿÿÿÿÿÿÿ
000002A0 00 00 00 04 00 00 00 01 00 03 00 50 00 00 00 00 ...........P....
000002B0 10 70 00 05 FC 00 00 01 FF FF FF FF FF FF FF FF .p..ü...ÿÿÿÿÿÿÿÿ
000002C0 00 00 00 04 00 00 00 03 00 01 00 00 00 00 00 00 ................
000002D0 10 70 00 04 00 00 00 01 FF FF FF FF FF FF FF FF .p......ÿÿÿÿÿÿÿÿ
RL_FOR_PACKAGE.img 3.41
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000200 00 00 00 03 00 00 00 02 00 01 00 00 00 00 00 00 ................
00000210 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 02 ................
00000230 00 00 00 08 00 05 00 00 00 00 00 00 00 00 00 00 ................
RL_FOR_PACKAGE.img 3.50
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000200 00 00 00 03 00 00 00 02 00 01 00 00 00 00 00 00 ................
00000210 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 02 ................
00000230 00 00 00 08 00 05 00 00 00 00 00 00 00 00 00 00 ................
CORE_OS_PACKAGE.pkg 3.15
Here is a piece of data from decrypted and decompressed package.
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
00000010 00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 .......`........
00000020 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 .......`........
00000050 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC .......€......åÌ
00000080 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0 ......ê€......m
000000B0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44 ......X€.......D
000000E0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr..........
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4 ......‡.......Úä
00000110 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr..........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC ......aä......úÌ
00000140 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri
00000150 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self.......
00000160 00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94 ......\°......\”
00000170 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces
00000180 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........
00000190 00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0 ......¹D......eÐ
000001A0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce
000001B0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self.......
000001C0 00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C ..............S,
000001D0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self.....
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98 ......r@......D˜
00000200 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s
00000210 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf.............
00000220 00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0 ......¶Ø......×ð
00000230 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel
00000240 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f...............
00000250 00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C ......ŽÈ......€Œ
00000260 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul
00000270 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00000280 00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8 .......T......ˆ¸
00000290 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul
000002A0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
000002B0 00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78 ......˜.......Àx
000002C0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul
000002D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
000002E0 00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0 ......X„......]°
000002F0 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul
00000300 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00000310 00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0 ......¶4......"
00000320 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp.....
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000340 00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70 ......Ù.......±p
00000350 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000370 00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28 .....#Š€......è(
00000380 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0.............
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003A0 00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8 .....'r¨......î¸
000003B0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self.
000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003D0 00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94 .....>a`.......”
000003E0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin....
000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000400 00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48 .....Epô......üH
00000410 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self..
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000430 00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00 .....Mm<........
00000440 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self...
00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00040460 33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00 315.000.........
00040470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
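The dump above is regular enough to parse: the first two 32-bit words read as a format version (1) and an entry count (0x17 = 23, which matches the 23 names listed), followed by a 64-bit value (0x6FFFE0), and from offset 0x10 on there are 0x30-byte entries of 64-bit offset, 64-bit size and a 32-byte zero-padded name, with offsets counted from the start of the decrypted, decompressed image (sdk_version points at 0x40460, where the dump indeed shows "315.000"). The following Python parser is an added example, not code from this page or from Sony's Update Manager; that entry layout and the meaning of the header words are inferred from the dump and are assumptions, and the function names and the constructed sample image are mine. It also includes the range and overlap checks an integrity verifier would apply before trusting such a table.

```python
import struct

# Layout inferred from the dump on this page (an assumption, not documented by Sony):
#   u32 format version, u32 entry count, u64 total size (0x6FFFE0 in the dump),
#   then `count` entries of (u64 offset, u64 size, char name[32]), all big-endian.
HEADER_FMT = ">IIQ"
ENTRY_FMT = ">QQ32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x10
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 0x30


def parse_coreos_toc(image):
    """Parse the table of contents of a decrypted, decompressed CORE_OS_PACKAGE.pkg."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image too small for TOC header")
    version, count, total_size = struct.unpack_from(HEADER_FMT, image, 0)
    entries = []
    for i in range(count):
        base = HEADER_SIZE + i * ENTRY_SIZE
        if base + ENTRY_SIZE > len(image):
            raise ValueError("TOC truncated at entry %d" % i)
        offset, size, raw_name = struct.unpack_from(ENTRY_FMT, image, base)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        entries.append({"name": name, "offset": offset, "size": size})
    return {"version": version, "count": count, "total_size": total_size, "entries": entries}


def check_toc(toc):
    """Checks a verifier would apply before trusting the TOC: every entry lies
    inside total_size and after the TOC itself, and entries are in ascending
    order without overlap. Returns a list of findings (empty when clean)."""
    findings = []
    prev_end = HEADER_SIZE + toc["count"] * ENTRY_SIZE
    for e in toc["entries"]:
        end = e["offset"] + e["size"]
        if e["offset"] < prev_end:
            findings.append("%s: offset %#x overlaps preceding data ending at %#x"
                            % (e["name"], e["offset"], prev_end))
        if end > toc["total_size"]:
            findings.append("%s: ends at %#x, beyond total size %#x"
                            % (e["name"], end, toc["total_size"]))
        prev_end = max(prev_end, end)
    return findings


def extract_entry(image, toc, name):
    """Return the raw bytes of one TOC entry (offsets are absolute image offsets)."""
    for e in toc["entries"]:
        if e["name"] == name:
            end = e["offset"] + e["size"]
            if end > len(image):
                raise ValueError("%s: entry extends past end of image" % name)
            return image[e["offset"]:end]
    raise KeyError(name)


def build_sample_image():
    """Constructed sample: the first three entries of the 3.15 dump on this page,
    with sdk_version's 8-byte content ("315.000\\n") placed at its listed offset."""
    entries = [
        (0x460, 0x40000, b"creserved_0"),
        (0x40460, 0x8, b"sdk_version"),
        (0x40480, 0x1E5CC, b"lv1ldr"),
    ]
    header = struct.pack(HEADER_FMT, 1, len(entries), 0x6FFFE0)
    toc = b"".join(struct.pack(ENTRY_FMT, off, size, name) for off, size, name in entries)
    image = bytearray(0x40480 + 0x1E5CC)        # large enough to hold lv1ldr's range
    image[:len(header) + len(toc)] = header + toc
    image[0x40460:0x40468] = b"315.000\n"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    toc = parse_coreos_toc(img)
    for e in toc["entries"]:
        print("%-32s offset=%#010x size=%#010x" % (e["name"], e["offset"], e["size"]))
    print("sdk_version:", extract_entry(img, toc, "sdk_version"))
    print("findings:", check_toc(toc) or "none")
```

Run against a real decrypted image, `check_toc` is the part worth keeping: a TOC whose entries overlap or point outside the region is exactly the kind of input a package verifier must refuse before anything is written to flash.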
BDIT_FIRMWARE_PACKAGE.pkg 3.50
Here is a piece of data from decrypted package.
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000300 43 6F 70 79 72 69 67 68 74 28 43 29 20 32 30 30 Copyright(C) 200
00000310 35 2D 32 30 30 36 2C 20 53 6F 6E 79 20 43 6F 6D 5-2006, Sony Com
00000320 70 75 74 65 72 20 45 6E 74 65 72 74 61 69 6E 6D puter Entertainm
00000330 65 6E 74 20 49 6E 63 2E 1A 00 00 00 00 00 00 00 ent Inc.........
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000370 41 96 18 D3 2D 8F 0F 68 11 4D A7 09 E4 1F A7 6F A–.Ó-.h.M§.ä.§o
00000380 EF 29 48 A0 E9 F2 A8 F0 CC 4B F3 4D E0 4A B0 17 ï)H éò¨ðÌKóMàJ°.
00000390 C2 DA 07 5F 96 B3 C8 8D E1 06 2E 3A 1D A7 FD 20 ÂÚ._–³Èá..:.§ý
BDPT_FIRMWARE_PACKAGE_301R.pkg 3.50
Here is a piece of data from decrypted package.
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000300 43 6F 70 79 72 69 67 68 74 28 43 29 20 32 30 30 Copyright(C) 200
00000310 35 2D 32 30 30 39 2C 20 53 6F 6E 79 20 43 6F 6D 5-2009, Sony Com
00000320 70 75 74 65 72 20 45 6E 74 65 72 74 61 69 6E 6D puter Entertainm
00000330 65 6E 74 20 49 6E 63 2E 1A 00 00 00 00 00 00 00 ent Inc.........
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000370 80 18 D2 E4 22 AA 2B D7 85 47 F4 40 53 9A 04 0C €.Òä"ª+×…Gô@Sš..
00000380 D0 B8 A5 04 20 51 9E 90 09 4F 2E 78 BA 32 C0 EA и¥. Qž.O.xº2Àê
00000390 E9 61 96 ED D8 2A 70 C0 59 68 4E B2 47 25 9C 97 éa–íØ*pÀYhN²G%œ—
BLUETOOTH_FIRMWARE.pkg 3.41
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 52 43 32 39 5F 66 69 72 6D 77 61 72 65 5F 66 6F RC29_firmware_fo
00000010 6F 74 65 72 2E 64 66 75 00 00 00 00 00 00 00 00 oter.dfu........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 30 30 30 30 36 34 34 00 30 30 30 30 ....0000644.0000
00000070 30 30 30 00 30 30 30 30 30 30 30 00 30 30 30 30 000.0000000.0000
00000080 31 35 36 36 33 30 30 00 31 31 30 36 34 33 34 36 1566300.11064346
00000090 33 30 36 00 30 31 35 34 36 33 00 20 30 00 00 00 306.015463. 0...
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 75 73 74 61 72 20 20 00 72 6F 6F 74 00 00 00 .ustar .root...
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 72 6F 6F 74 00 00 00 .........root...
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 30 30 30 30 30 30 30 .........0000000
00000150 00 30 30 30 30 30 30 30 00 00 00 00 00 00 00 00 .0000000........
000A5950 84 1B 00 C0 94 04 00 00 74 06 00 00 45 75 72 75 „..À”...t...Euru
000A5960 73 5F 50 72 69 6D 61 72 79 5F 50 68 79 00 00 00 s_Primary_Phy...
000A5970 4D 61 72 76 65 6C 6C 5F 41 50 00 00 94 BB 01 C0 Marvell_AP..”».À
000B7CC0 00 00 00 00 01 10 60 23 4D 61 72 76 65 6C 6C 20 ......`#Marvell
000B7CD0 46 69 72 6D 77 61 72 65 20 53 44 4B 20 56 65 72 Firmware SDK Ver
000B7CE0 73 69 6F 6E 20 32 2E 33 2E 30 54 74 5D 04 02 2B sion 2.3.0Tt]..+
000B7CF0 0F 14 E1 36 04 32 0A 1A FD 08 32 1A 1A C1 08 02 ..á6.2..ý.2..Á..
000F42B0 44 6F 53 68 61 72 65 64 4B 65 79 53 65 71 31 3A DoSharedKeySeq1:
000F42C0 20 45 6E 74 65 72 65 64 20 2D 2D 2D 20 72 73 70  Entered --- rsp
000F42D0 4D 61 63 20 3D 20 25 30 32 78 3A 25 30 32 78 3A Mac = %02x:%02x:
000F42E0 25 30 32 78 3A 25 30 32 78 3A 25 30 32 78 3A 25 %02x:%02x:%02x:%
000F42F0 30 32 78 0A 00 00 00 00 6D 6C 6D 65 41 75 74 68 02x.....mlmeAuth
000F4300 44 6F 53 68 61 72 65 64 4B 65 79 53 65 71 31 3A DoSharedKeySeq1:
000F4310 20 56 61 6C 69 64 61 74 69 6F 6E 20 66 61 69 6C  Validation fail
000F4320 65 64 20 2D 2D 2D 20 72 73 70 4D 61 63 20 3D 20 ed --- rspMac =
000F4330 25 30 32 78 3A 25 30 32 78 3A 25 30 32 78 0A 00 %02x:%02x:%02x..
000F4340 6D 6C 6D 65 41 75 74 68 44 6F 53 68 61 72 65 64 mlmeAuthDoShared
000F4350 4B 65 79 53 65 71 33 3A 20 76 61 6C 69 64 61 74 KeySeq3: validat
000F4360 69 6F 6E 20 66 61 69 6C 65 64 21 20 2D 2D 2D 20 ion failed! ---
000F4370 72 73 70 4D 61 63 20 3D 20 25 30 32 78 3A 25 30 rspMac = %02x:%0
000F4380 32 78 3A 25 30 32 78 0A 00 65 65 70 72 6F 6D 00 2x:%02x..eeprom.
000F4390 62 74 5F 68 63 69 00 62 74 5F 75 61 72 74 00 75 bt_hci.bt_uart.u
000F43A0 73 62 30 00 75 73 62 31 00 4F 53 41 00 77 6C 61 sb0.usb1.OSA.wla
000F43B0 F3 B8 E9 70 01 00 00 00 1C 6B 03 00 00 02 00 00 ó¸ép.....k......
SYS_CON_FIRMWARE_01050101.pkg 3.41
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000300 1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D .-p.«^³™h þ=á€j.
00000310 B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000320 67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00 gEùH........À...
00000330 8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D ‹..ù›¢:u‰ñB.YÚ.
00000340 21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63 !|¢ÃZäx..K÷¢sœc
00000350 5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA ]]I.Ço,3þ.Ól¡Ê
00000360 BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80 º+þ3q×Åæ\ÿ¿wl€
00000370 F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48 ò¾.»<RRÜ©hå$OóH
0x6005 - Extract Package Tophalf
- The result of the request can be checked by reading the value of repository node ss.extract.request.<Request ID> periodically
0x600B - Read EEPROM
- I have got read access to EEPROM of Update Manager through DM and tested it with PSGroove
- I read PRODUCT_MODE from it successfully, PRODUCT_MODE = 0x000000FF
- The service expects one additional parameter: offset (4 bytes)
- The service accepts only some predefined offsets
- The service returns the specified offset and the value at this offset
EEPROM Offset Table
Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):
0x600C - Write EEPROM
- Writing to EEPROM of Update Manager is also possible through DM
- Tested this service successfully with QA flag
0x6010 - Check Integrity
- This service checks integrity of important files stored on /dev/rflash1, e.g. lv0 or lv1
- The service is used e.g. by System Manager
- When product mode is NOT 0xFF then check is skipped !!!
- The 'nocheck' downgrader patches modify this check so that it is always skipped
0x6011 - Get Applicable Version
- I have got access to this service through DM and PSGroove and tested it
- The service expects one additional unknown parameter of size 4 bytes, it has to be 0x00000001 or else the service fails
(sc863(0x6011,1,out:uint64_t,0,0,0,0,0))
Here is the return value:
00 00 00 01 00 00 00 00 00 03 00 20 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
BD Firmware Update
- Update Manager in HV Process 6 updates BD firmware through ATAPI Interface of /dev/rbd0 device.
- BD firmware is sent to BD drive by using ATAPI Write Buffer (0x3B) command with Mode 0x07 (Download microcode with offsets and save) and Buffer ID 0x00.
- The current BD drive firmware version and hash are also stored by and retrieved from SYSCON by using the SC Manager Get/Set Region Data (0x9006/0x9007) service. After a successful BD firmware update, Update Manager sends the new firmware version and hash to SYSCON.
- BD firmware package is decrypted, SCE header size + 0x80 bytes are skipped and data beginning with copyright message is sent to BD drive.
- BD firmware is sent packet-wise; one packet is at most 0x8000 bytes.
- After each sent packet, Update Manager checks the result by using ATAPI Request Sense (0x3) command.
- Theoretically, BD firmware update can be done also from GameOS by using ATAPI interface of the BD drive.
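To make the packetisation and the per-packet sense check described in the list above concrete, here is an added Python model of the exchange; it is not code from this page or from Sony's Update Manager. It builds the WRITE BUFFER (0x3B, mode 0x07, buffer ID 0x00) command descriptor blocks for a firmware image cut into 0x8000-byte packets, then runs the send/REQUEST SENSE loop against a constructed in-memory stand-in for the drive, stopping at the first packet the drive rejects. Assumed are the SPC field layout of the WRITE BUFFER and REQUEST SENSE CDBs and of fixed-format sense data, a 0x280-byte SCE header for the sample (the dumps above place the copyright text at 0x300 = 0x280 + 0x80), the fake drive's behaviour, and all function names.

```python
WRITE_BUFFER = 0x3B                  # ATAPI WRITE BUFFER opcode (from the page)
REQUEST_SENSE = 0x03                 # ATAPI REQUEST SENSE opcode (from the page)
MODE_DOWNLOAD_OFFSETS_SAVE = 0x07    # "Download microcode with offsets and save" (from the page)
BUFFER_ID = 0x00                     # from the page
MAX_PACKET = 0x8000                  # page: one packet is at most 0x8000 bytes
SENSE_LEN = 18                       # fixed-format sense data length we request (assumption)


def write_buffer_cdb(mode, buffer_id, offset, length):
    """10-byte WRITE BUFFER CDB: opcode, mode, buffer ID, 3-byte buffer offset,
    3-byte parameter list length, control (SPC field layout, assumed here)."""
    if not 0 <= offset < 1 << 24 or not 0 <= length < 1 << 24:
        raise ValueError("offset and length must fit in 24 bits")
    return (bytes([WRITE_BUFFER, mode & 0x1F, buffer_id])
            + offset.to_bytes(3, "big") + length.to_bytes(3, "big") + b"\x00")


def request_sense_cdb(alloc_len=SENSE_LEN):
    """6-byte REQUEST SENSE CDB; byte 4 is the allocation length."""
    return bytes([REQUEST_SENSE, 0, 0, 0, alloc_len, 0])


def parse_sense(sense):
    """Return (sense key, ASC, ASCQ) from fixed-format sense data; key 0 means no error."""
    if len(sense) < 14:
        raise ValueError("short sense data")
    return sense[2] & 0x0F, sense[12], sense[13]


def firmware_payload(decrypted_pkg, sce_header_size):
    """Skip SCE header size + 0x80 bytes (page); what follows, starting with the
    copyright message seen in the dumps above, is what goes to the drive."""
    payload = decrypted_pkg[sce_header_size + 0x80:]
    if not payload.startswith(b"Copyright"):
        raise ValueError("payload does not begin with the copyright message; wrong header size?")
    return payload


def plan_update(decrypted_pkg, sce_header_size):
    """The ordered (cdb, data) WRITE BUFFER packets for this firmware image."""
    payload = firmware_payload(decrypted_pkg, sce_header_size)
    packets = []
    for off in range(0, len(payload), MAX_PACKET):
        chunk = payload[off:off + MAX_PACKET]
        packets.append((write_buffer_cdb(MODE_DOWNLOAD_OFFSETS_SAVE, BUFFER_ID, off, len(chunk)), chunk))
    return packets


def run_update(packets, issue):
    """Send each packet, then REQUEST SENSE, stopping at the first rejection.
    `issue(cdb, data)` is the caller's transport and returns the drive's response
    bytes. Returns (packets accepted, None) or (packets accepted, (key, asc, ascq))."""
    accepted = 0
    for cdb, data in packets:
        issue(cdb, data)
        key, asc, ascq = parse_sense(issue(request_sense_cdb(), b""))
        if key != 0:
            return accepted, (key, asc, ascq)
        accepted += 1
    return accepted, None


def make_fake_drive(fail_after=None):
    """Constructed stand-in for the drive: accepts packets, or rejects every packet
    after the first `fail_after` with sense key 5 (ILLEGAL REQUEST)."""
    state = {"received": 0, "last_ok": True}

    def issue(cdb, data):
        if cdb[0] == WRITE_BUFFER:
            state["received"] += 1
            state["last_ok"] = fail_after is None or state["received"] <= fail_after
            return b""
        if cdb[0] == REQUEST_SENSE:
            sense = bytearray(SENSE_LEN)
            sense[0] = 0x70                  # current error, fixed format
            sense[7] = SENSE_LEN - 8         # additional sense length
            if not state["last_ok"]:
                sense[2] = 0x05
            return bytes(sense[:cdb[4]])
        raise ValueError("unexpected opcode %#x" % cdb[0])

    return issue


def build_sample_package():
    """Constructed decrypted package: 0x280-byte SCE header plus the 0x80 skipped
    bytes, then 0x12345 bytes of firmware beginning with the copyright text."""
    text = b"Copyright(C) 2005-2006, Sony Computer Entertainment Inc."
    return bytes(0x280 + 0x80) + text + bytes(0x12345 - len(text))


if __name__ == "__main__":
    pkts = plan_update(build_sample_package(), 0x280)
    for cdb, data in pkts:
        print(cdb.hex(), len(data))
    print(run_update(pkts, make_fake_drive()))
    print(run_update(pkts, make_fake_drive(fail_after=1)))
```

The sample splits into three packets (offsets 0, 0x8000 and 0x10000, the last one 0x2345 bytes long); with a drive that rejects the second packet the loop reports one accepted packet and the sense triple, which is the point at which the real updater has a half-written drive to deal with.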
Detecting BD Drive Type, Generation and Revision
- To detect BD drive type, Update Manager uses ATAPI Inquiry command.
- To detect BD drive generation, Update Manager uses ATAPI Mode Sense 10 command.
BD Drive Type Table
Here is the BD Drive Type Table extracted from HV Process 6 (3.15):
Index | Vendor Identification String | Drive Type |
---|---|---|
0 | "SONY EmerFlashROM" | 0x2100000000000001 |
1 | "SONY PS-EMBOOT 300R" | 0x2100000000000001 |
2 | "SONY BDRW AQUAM(BDIT)" | 0x1100000000000001 |
3 | "SONY PS-SYSTEM 300R" | 0x1100000000000001 |
4 | "SONY PS-SYSTEM V300" | 0x1100000000000001 |
5 | "SCEI EMER-FLASH-8" | 0x2200000000000002 |
6 | "SONY PS-EMBOOT 301R" | 0x2200000000000002 |
7 | "SONY PS-SYSTEM 301R" | 0x1200000000000002 |
8 | "SONY PS-EMBOOT 302R" | 0x2200000000000003 |
9 | "SONY PS-SYSTEM 302R" | 0x1200000000000003 |
10 | "SONY PS-EMBOOT 303R" | 0x2200000000000004 |
11 | "SONY PS-SYSTEM 303R" | 0x1200000000000004 |
12 | "SONY PS-EMBOOT 304R" | 0x2200000000000005 |
13 | "SONY PS-SYSTEM 304R" | 0x1200000000000005 |
14 | "SONY PS-EMBOOT 306R" | 0x2200000000000007 |
15 | "SONY PS-SYSTEM 306R" | 0x1200000000000007 |
Methods (HV Process 6)
update_manager_update_bd_firmware - 0x800064BC (3.15)
bd_updater_prepare_drive - 0x80011A88 (3.15)
bd_updater_send_firmware - 0x80011544 (3.15)
bd_updater_disable_reqsense - 0x80010410 (3.15)
bd_updater_enable_reqsense - 0x800104D8 (3.15)
send_atp_command - 0x80023B10 (3.15)