Secure Profile Loader: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
mNo edit summary |
||
Line 1: | Line 1: | ||
[[Default.spp]] file is stored on '''/dev/rflash1''' | [[Default.spp]] file is stored on '''/dev/rflash1''' | ||
Line 101: | Line 100: | ||
|0x1070000017000001 | |0x1070000017000001 | ||
|} | |} | ||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |
Revision as of 20:15, 5 February 2014
Default.spp file is stored on /dev/rflash1
0x15000 - SPL (Secure Profile Loader)
Packet ID | Description |
---|---|
0x15001 | Get LPAR Parameter Size/Get LPAR Parameter |
0x15003 | Get Contents Size/Get Contents |
0x15009 | Get Component |
SPP File
- The file is encrypted but can be read by using 0x15003 service of SPL
- SPL reads SPP file, parses SPP header and checks some fields
- SPP file is verified and decrypted by SPU module spp_verifier.self that cab be executed with HV SPE calls
- Even old default.spp from PS3 Firmware 1.10 can be decrypted with spp_verifier.self from PS3 Firmware 3.41
- Header format version should be 5 or else the header check fails
- If (SPP header size % 256 != 0) then header check fails
- Finally i was able to decrypt profile file from 3.41 but by using SPE HV calls only !!! And Linux Manager is still there !!!
- The decrypted file is a binary file
Here are the contents of Default.spp#3.56_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.55_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.41_RETAIL.2FCEX from 3.41.
Here are the contents of Default.spp#3.15_RETAIL.2FCEX from 3.15.
Here are the contents of Default.spp#1.00_DEBUG.2FDEX from 1.00 Debug Firmware.
SPP Header
offset 0x2 - header format version (2 bytes)
offset 0x4 - header size (4 bytes)
offset 0x18 - number of segments (4 bytes)
Segments
- Segments follow after the header
- SPP file contains several segments.
Here is the list of profile segments from 3.41:
Name | auth id/authority id |
---|---|
*SCE_CELLOS_PME | 0x1070000001000001 |
*PS3_LPAR | 0x1070000002000001 |
*PS2_LPAR | 0x1020000003000001 |
*PS2_GX_LPAR | 0x1020000003000001 |
*PS2_SW_LPAR | 0x1020000003000001 |
*LINUX_LPAR | 0x1080000004000001 |
*SCE_CELLOS_SYSTEM_MGR | 0x107000001D000001 |
*SCE_CELLOS_SYSTEM_MGR_LINUX | 0x107000001D000001 |
*SCE_CELLOS_SYSTEM_MGR_PS2 | 0x107000001D000001 |
*SCE_CELLOS_SYSTEM_MGR_PS2_SW | 0x107000001D000001 |
*SCE_CELLOS_SYSTEM_MGR_PS2_GX | 0x107000001D000001 |
*SCE_CELLOS_SS_SECURE_RTC | 0x1070000033000001 |
*SCE_CELLOS_SS_INDI_INFO_EID | |
*SCE_CELLOS_SS_INIT_LV1_ACL | 0x1070000017000001 |