Lv1.self: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
mNo edit summary
No edit summary
Line 1: Line 1:
This is the Hypervisor see ([[Hypervisor Reverse Engineering]]) and follows the format of every SELF see ([[SELF File Format and Decryption]])
This is the Hypervisor (see [[Hypervisor Reverse Engineering]]) and follows the [[SELF - SPRX|SELF file format]].


=Embedded Files Segment=
= Embedded Files Segment =


lv1 contains many embedded selfs inside of a special segment "Embedded Files Segment"
lv1 contains many embedded selfs inside of a special segment "Embedded Files Segment". This is a segment within the program itself, loading in a hex editor gives a small file table which appears different from the others that sony has used.
This is a segment within the program itself, loading in a hex editor gives a small file table
which appears different from the others that sony has used.


==File Table==
== File Table ==


The file table follows this structure  
The file table follows this structure  
Line 32: Line 30:




=Files common on lv1=
= Files common on lv1 =


lv1.self delegates a lot of his work to the embedded selfs wich it loads to different process see ([[Hypervisor Reverse Engineering]])
lv1.self delegates a lot of his work to the embedded selfs wich it loads to different process (see [[Hypervisor Reverse Engineering]]).


{|class="wikitable"
{|class="wikitable"
Line 118: Line 116:
|}
|}


==lv1.self 3.55==
== lv1.self 3.55 ==


file table
file table
Line 143: Line 141:
|}
|}


==pme_init.conf Example==
== pme_init.conf example ==


<pre>
<pre>
Line 158: Line 156:
</pre>
</pre>


==Dump lv1 embedded elfs Script==
== Dump lv1 embedded ELFs script ==


I did this script quickly to exctract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --[[User:PsiCoLeO|PsiCoLeO]] 16:11, 22 May 2011 (CDT)
I did this script quickly to extract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --[[User:PsiCoLeO|PsiCoLeO]] 16:11, 22 May 2011 (CDT)


How to use it
How to use it


Save the script in a file named  
1) Save the script in a file named:
 
<pre>
<pre>
dump_lv1_embedded_files.sh
dump_lv1_embedded_files.sh
</pre>
</pre>


give it execute permisions
2) Give it execute permisions:
 
<pre>
<pre>
chmod +x dump_lv1_embedded_files.sh
chmod +x dump_lv1_embedded_files.sh
</pre>
</pre>


feed it with decrypted lv1.self
3) Feed it with decrypted lv1.self:
 
<pre>
<pre>
./dump_lv1_embedded_files.sh lv1.elf
./dump_lv1_embedded_files.sh lv1.elf
</pre>
</pre>


<pre>
<source lang="bash">
#!/bin/bash
#!/bin/bash
# PsiCoLeO 2011
# PsiCoLeO 2011
Line 226: Line 221:
cont=$(($cont+1))
cont=$(($cont+1))
done
done
</pre>
</source>


=ss_server1.fself=
= ss_server1.fself =


==Class list==
== Class list ==


{|class="wikitable"
{|class="wikitable"
Line 295: Line 290:
|}
|}


==Members==
== Members ==


===ss_init_if===
=== ss_init_if ===


{|class="wikitable"
{|class="wikitable"
Line 306: Line 301:
|}
|}


===usb_dongle_authenticator===
=== usb_dongle_authenticator ===


{|class="wikitable"
{|class="wikitable"
Line 319: Line 314:
|}
|}


===security_hardware_framework_if===
=== security_hardware_framework_if ===


{|class="wikitable"
{|class="wikitable"
Line 328: Line 323:
|}
|}


===user_token_manager===
=== user_token_manager ===


{|class="wikitable"
{|class="wikitable"
Line 339: Line 334:
|}
|}


===user_token_processor===
=== user_token_processor ===


{|class="wikitable"
{|class="wikitable"
Line 354: Line 349:
|}
|}


===update_manager===
=== update_manager ===


{|class="wikitable"
{|class="wikitable"
Line 485: Line 480:
|}
|}


===verify_util===
=== verify_util ===


{|class="wikitable"
{|class="wikitable"
Line 506: Line 501:
|}
|}


===region_manager===
=== region_manager ===


{|class="wikitable"
{|class="wikitable"
Line 519: Line 514:
|}
|}


===update_token_procesor===
=== update_token_procesor ===


{|class="wikitable"
{|class="wikitable"
Line 534: Line 529:
|}
|}


===bd_updater===
=== bd_updater ===


{|class="wikitable"
{|class="wikitable"
Line 577: Line 572:
|}
|}


===sc_updater===
=== sc_updater ===


===certified_file_verifier===
=== certified_file_verifier ===


{|class="wikitable"
{|class="wikitable"
Line 590: Line 585:
|}
|}


===virtual_trm_manager===
=== virtual_trm_manager ===


{|class="wikitable"
{|class="wikitable"
Line 684: Line 679:
|instanciate_objs || || ||  
|instanciate_objs || || ||  
|-
|-
| print_flash_range || || ||  
|print_flash_range || || ||  
|-
|-
|free || || ||  
|free || || ||  
Line 693: Line 688:
|}
|}


===get_applicable_version===
=== get_applicable_version ===


{|class="wikitable"
{|class="wikitable"
Line 704: Line 699:
|}
|}


===sc_manager===
=== sc_manager ===


{|class="wikitable"
{|class="wikitable"
Line 722: Line 717:
|}
|}


===composite_region===
=== composite_region ===


{|class="wikitable"
{|class="wikitable"
Line 741: Line 736:
|}
|}


===bank_manager===
=== bank_manager ===


{|class="wikitable"
{|class="wikitable"
Line 752: Line 747:
|}
|}


===capability_checker===
=== capability_checker ===


{|class="wikitable"
{|class="wikitable"
Line 761: Line 756:
|}
|}


===if_proto===
=== if_proto ===


{|class="wikitable"
{|class="wikitable"
Line 770: Line 765:
|}
|}


===ss_responder===
=== ss_responder ===


{|class="wikitable"
{|class="wikitable"
Line 783: Line 778:
|}
|}


===port_id_table===
=== port_id_table ===


{|class="wikitable"
{|class="wikitable"
Line 792: Line 787:
|}
|}


===pme_client===
=== pme_client ===


{|class="wikitable"
{|class="wikitable"
Line 807: Line 802:
|}
|}


===pme_server===
=== pme_server ===


{|class="wikitable"
{|class="wikitable"
Line 824: Line 819:
|}
|}


===page_bytestring===
=== page_bytestring ===


{|class="wikitable"
{|class="wikitable"
Line 835: Line 830:
|}
|}


===ss_packet===
=== ss_packet ===


{|class="wikitable"
{|class="wikitable"
Line 850: Line 845:
|}
|}


===ss_init_repository===
=== ss_init_repository ===


{|class="wikitable"
{|class="wikitable"
Line 861: Line 856:
|}
|}


===sbm===
=== sbm ===


{|class="wikitable"
{|class="wikitable"
Line 891: Line 886:
|sbm_spe_install_signal_handlers  || || ||
|sbm_spe_install_signal_handlers  || || ||
|}
|}




{{File Formats}}
{{File Formats}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>

Revision as of 00:46, 29 December 2019

This is the Hypervisor (see Hypervisor Reverse Engineering) and follows the SELF file format.

Embedded Files Segment

lv1 contains many embedded selfs inside of a special segment "Embedded Files Segment". This is a segment within the program itself, loading in a hex editor gives a small file table which appears different from the others that sony has used.

File Table

The file table follows this structure

  • 4 bytes = number of entries
  • 4 bytes = table length

then the file table:

  • 4 bytes = index
  • 4 bytes = start
  • 4 bytes = length

then follows a null terminated string for each file commonly:

  • pme_init
  • sysmgr_ss.fself
  • pme_init.conf
  • ss_init.fself
  • updater_frontend.fself
  • ss_server1.fself
  • ss_server2.fself
  • ss_server3.fself


Files common on lv1

lv1.self delegates a lot of his work to the embedded selfs wich it loads to different process (see Hypervisor Reverse Engineering).

File Description
pme_init
sysmgr_ss.fself
pme_init.conf
ss_init.fself
updater_frontend.fself
ss_server1.fself
ss_server2.fself
ss_server3.fself

lv1.self 3.41

lv1 Embedded files segment

Segment start offset
0x1D0000 
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

001D0000  00 00 00 08 00 00 00 E8 00 00 00 00 00 00 00 00  .......è........
001D0010  00 02 48 24 00 00 00 09 00 02 48 24 00 05 F7 90  ..H$......H$..÷.
001D0020  00 00 00 19 00 08 3F B4 00 00 00 AF 00 00 00 27  ......?´...¯...'
001D0030  00 08 40 64 00 03 4E B8 00 00 00 35 00 0B 8F 1C  [email protected]¸...5....
001D0040  00 02 39 F0 00 00 00 4C 00 0D C9 0C 00 08 11 D0  ..9ð...L..É....Ð
001D0050  00 00 00 5D 00 15 DA DC 00 04 A9 40 00 00 00 6E  ...]..ÚÜ..©@...n
001D0060  00 1A 84 1C 00 03 8E D0 70 6D 65 5F 69 6E 69 74  ..„...ŽÐpme_init
001D0070  00 73 79 73 6D 67 72 5F 73 73 2E 66 73 65 6C 66  .sysmgr_ss.fself
001D0080  00 70 6D 65 5F 69 6E 69 74 2E 63 6F 6E 66 00 73  .pme_init.conf.s
001D0090  73 5F 69 6E 69 74 2E 66 73 65 6C 66 00 75 70 64  s_init.fself.upd
001D00A0  61 74 65 72 5F 66 72 6F 6E 74 65 6E 64 2E 66 73  ater_frontend.fs
001D00B0  65 6C 66 00 73 73 5F 73 65 72 76 65 72 31 2E 66  elf.ss_server1.f
001D00C0  73 65 6C 66 00 73 73 5F 73 65 72 76 65 72 32 2E  self.ss_server2.
001D00D0  66 73 65 6C 66 00 73 73 5F 73 65 72 76 65 72 33  fself.ss_server3
001D00E0  2E 66 73 65 6C 66 00 00 7F                       .fself...
Offset Size Value Description
0x00000000 0x04 0x08 number of entries
0x00000004 0x04 0xE8 table length
name start length index Real start (segment start + table length + start)
pme_init 0x0 0x24824 0x00 0x1D00E8
sysmgr_ss.fself 0x24824 0x5f790 0x09 0x1F490C
pme_init.conf 0x83fb4 0xAF 0x19 0x25409C
ss_init.fself 0x84064 0x34eb8 0x27 0x25414C
updater_frontend.fself 0xB8F1C 0x239F0 0x35 0x289004
ss_server1.fself 0xDC90C 0x813B8 0x4C 0x2AC9F4
ss_server2.fself 0x15DADC 0x4A940 0x5D 0x32DDAC
ss_server3.fself 0x1A841C 0x38ED0 0x6E 0x378504

lv1.self 3.55

file table

name start length index Real start (segment start + table length + start) (TOC Address-just4info)
pme_init 0x0 0x24824 0x00 0x1D00E8
sysmgr_ss.fself 0x24824 0x5f790 0x09 0x1F490C 0xC0012A90
pme_init.conf 0x83fb4 0xAF 0x19 0x25409C
ss_init.fself 0x84064 0x34EB8 0x27 0x25414C 0xC000AF80
updater_frontend.fself 0xB8F1C 0x239F0 0x35 0x289004 0xC0009FF0
ss_server1.fself 0xDC90C 0x813B8 0x4C 0x2AC9F4 0xC0014728
ss_server2.fself 0x15DCC4 0x4A940 0x5D 0x32DDAC 0xC000F008
ss_server3.fself 0x1A8604 0x38ED0 0x6E 0x3786EC 0xC000E4E8

pme_init.conf example

#
# configuration file for pme_init
#
# notation:
#	boot	name_of_executable	sync/nosync

# sample
boot	ss_init.fself		sync
boot	sysmgr_ss.fself		nosync
boot	pme_shell		nosync

Dump lv1 embedded ELFs script

I did this script quickly to extract the embedded files within lv1. This script doesn't use the file table, is ugly, but works... anyone feel free to improve it --PsiCoLeO 16:11, 22 May 2011 (CDT)

How to use it

1) Save the script in a file named: 

dump_lv1_embedded_files.sh

2) Give it execute permisions: 

chmod +x dump_lv1_embedded_files.sh

3) Feed it with decrypted lv1.self: 

./dump_lv1_embedded_files.sh lv1.elf

#!/bin/bash
# PsiCoLeO 2011
#
# Script to extract the embedded files from lv1.self
# There is no warranty that this script will work for you
# I can not be held responsable of what you do with this script or any damage you get from using it
# Use it as you please

# File names
files=( "pme_init" "sysmgr_ss.fself" "pme_init.conf" "ss_init.fself" "updater_frontend.fself" "ss_server1.fself" "ss_server2.fself" "ss_server3.fself" )

#comment and uncomment file sizes and offsets depending on the firmware

# File sizes 3.41
size=( 0x24824 0x5f790 0xAF 0x34eb8 0x239F0 0x811D0 0x4A940 0x38ED0 )

# File offsets 3.41
offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DBC4 0x378504 )

# File sizes 3.55 
#size=( 0x24824 0x5f790 0xAF 0x34EB8 0x239F0 0x813B8 0x4A940 0x38ED0 )

# File offsets 3.55
#offset=( 0x1D00E8 0x1F490C 0x25409C 0x25414C 0x289004 0x2AC9F4 0x32DDAC 0x3786EC )

cont=0

printf "***************************** \n"
printf "* Psicoleo's                * \n"
printf "* Dump lv1 Embedded files   * \n" 
printf "***************************** \n\n"

for file in "${files[@]}"
do
        printf "***************************** \n\n"
        printf "      %s\n" "${file}"
        printf "***************************** \n\n"
	printf "%s\n" "${offset[$cont]}"
	printf "%s\n" "${size[$cont]}"
	printf "%s\n" "${cont}"
	dd if=$1 of=$file bs=1 obs=1 skip=$((${offset[$cont]})) count=$((${size[$cont]}))
	cont=$(($cont+1))
done

ss_server1.fself

Class list

Name Description
ss_init_if
usb_dongle_authenticator
security_hardware_framework_if
user_token_manager
user_token_processor
update_manager
verify_util
region_manager
update_token_procesor
bd_updater
sc_updater
certified_file_verifier
virtual_trm_manager
get_applicable_version
sc_manager
sc_manager_if
composite_region
bank_manager
capability_checker
if_proto
ss_responder
port_id_table
pme_client
pme_server
page_bytestring
port_id_table
ss_packet
sbm
ss_init_repository

Members

ss_init_if

Name Type Args Description
notify_ready

usb_dongle_authenticator

Name Type Args Description
initialize
verify_response
generate_challenge

security_hardware_framework_if

Name Type Args Description
get_random_number sanity check

user_token_manager

Name Type Args Description
decrypt_user_token
encrypt_user_token

user_token_processor

Name Type Args Description
read_idps
create_command
load_module
request_loading_spu_module

update_manager

Name Type Args Description
read
write verification
swap_bank(%d, 0x%llx)
swap_boot_bank
get_package_info(%d)
get_secure_product_mode
set_sc_status(%d)
get_sc_status(%d)
set_secure_product_mode(0x%x)
decompress_and_write_target
write_target
check_core_os_hash
get_version_and_hash()
*****calc_lv0_hash
*****calc_lv1_hash
read_revoke_list(%d)
initialize_revoke_list_info(%d)
applicable_version_info(%d)
check_revoke_list_hash
check_revoke_list_all
check_size(%d, 0x%llx)
set_SBI_flags
calc_os_hash
force update mode -
update_package_tophalf
*****check_size()
common_tophalf
*****reques_id
is_valid_access (0x%x, 0x%02x, 0x%llx) Valid acces: "TOOL/DEX/ARCADE or manufacturing phase" or "CEX"
inspect_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x, 0x%x)
extract_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x, 0x%x)
update_package_tophalf(0x%x, 0x%llx, 0x%x, 0x%llx, 0x%llx, 0x%x,0x%x)
set_token
read_eprom(0x%x)
get_token_seed
inspect_package_bottomhalf
extract_package_bottomhalf
get_extract_package
copy extracted data
update_package_bottomhalf
get_fix_instruction
erase_core_os_standby_bank
*****get_version_and_hash
*****set_version_and_hash
erase_hash_standby_bank(%d)
set_debug_support_repository
init_ss_params_repositories
set_hdd_copy_mode_repository
init_ss_params_repositories
set_recover_mode_repository
init_ss_params_repositories
set_fself_control_repository
init_device_type
set_update_status_repository
write_eprom(0x%x, 0x%x)
set_qa_flag_repository
init_qa_flag
do_fix_regions
do_fix_trm_regions
init_for_updater
initialize_revoke_list_info(%d)
init_device_type

verify_util

Name Type Args Description
SHA-1 hash
install_revoke_list_to_lv0
prepare_args
detect_id
get_version_and_hash_from_SC
get_version_and_hash
calc_hash_of_target

region_manager

Name Type Args Description
setup_internal
set_update_status(%d)
get_update_status(%d)

update_token_procesor

Name Type Args Description
read_idps
create_command
load_module
request_loading_spu_module

bd_updater

Name Type Args Description
detect_need_eject
disable_reqsense
enable_reqsense
eval_exception_rules(0x%llx)
sense_cmd
check_cmd_result
send_atp_command
detect_drive_generation
polling_progress
writebuf_cmd(0x%x, 0x%x, 0x%x, 0x%x, 0x%x)
send_firmware(0x%llx, 0x%llx)
readbuf_cap_cmd
readbuf_cmd(0x%x, 0x%x, 0x%x, 0x%x, 0x%x)
eject
stop
prepare_drive
inquiry
detect_drive_type

sc_updater

certified_file_verifier

Name Type Args Description
load_module()
request_loading_spu_module()

virtual_trm_manager

Name Type Args Description
read_flash_raw
restart_objs
set_flash_tampered
set_srh
decrypt_master
decrypt_with_portability
decrypt
encrypt_with_portability
encrypt
backup_flash
flash_addr_size
restore_srk_srh
backup_srk_srh
write_flash_raw
restore_flash
vtrm_chk_stat
table_icv
status
sanity check
update_table_icv
*****read
*****write
fix_2pc_status
*****root hash (FLASH)
update_srh
restart_objs
*****restart_twopc
*****retrieve_rhash_rhsec
*****get_twopc_range
*****check_header
*****restart_htbl
restart
force_restart
initialize
*****raw flash area
*****htbl flash area
*****flash erase
*****setup_header
*****init_db
*****init_sc
*****init_header
*****restart
setup_flash
instanciate_objs
print_flash_range
free
store
retrieve

get_applicable_version

Name Type Args Description
installed_version
builtin_rvk_version

sc_manager

Name Type Args Description
init_for_vtrm

sc_manager_if

Name Type Args Description
restore_root_info

composite_region

Name Type Args Description
read(0x%llx, %lld, 0x%llx)
allocate_buffer(%lld)
release_buffer(0x%llx)
cache_all_composite_region_entry
get_composite_region_entry_by_index(%d, 0x%llx)
writev

bank_manager

Name Type Args Description
get_repository_value(m_type = %d)
setup(%d)

capability_checker

Name Type Args Description
check_product_mode_capability

if_proto

Name Type Args Description
send_receive

ss_responder

Name Type Args Description
terminate
initialize
loop_once

port_id_table

Name Type Args Description
function_id2port_id

pme_client

Name Type Args Description
receive
disconnect
connect
send

pme_server

Name Type Args Description
disconnect
force_close
reply
accept
connect

page_bytestring

Name Type Args Description
free_page
alloc_page

ss_packet

Name Type Args Description
send_receive
process_async
process_received
accept_reply

ss_init_repository

Name Type Args Description
get_node_value
create_node

sbm

Name Type Args Description
sbm_set_key
sbm_get_rnd
sbm_set_key
sbm_core_process
*****EID data(encrypt)
sbm_get_header
sbm_check_received_data
sbm_run_iso_spu_module
sbm_set_encdec_key_prepare_args
sbm_set_key_get_result
sbm_set_key_run
sbm_spe_install_signal_handlers


SCE File Types
Certified File
NPDRM
NPDRM · App Types · ACT.DAT · RIF
PKG
EDAT
RCOXML
CXML
XMBML
XMB Config
DB Config
Databases
System Data
XMB Preload
Licences
 ·
Games/Apps
PS3
Emulators
Web
Unsorted
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Lv1.self&oldid=55258"