Making Isolated SPU Modules and Loaders
Introduction
- For example, to dump your ATA, ENCDEC or EID2 keys you have to make signed isolated SPU modules or loaders.
- This is a tutorial on how to do it on Linux (it doesn't matter whether on PC or PS3).
Tools
SPU GCC Compiler
- You need the SPU GCC compiler to compile your code and create a binary version of it.
- On PS3 Debian, just install the spu toolchain.
- You can also cross-compile the SPU GCC toolchain for your Linux PC.
ps3tools
- You need these tools to decrypt PS3 isolated SPU modules and loaders.
- You also need them to sign and encrypt your own SPU modules and loaders.
- self_rebuilder doesn't work properly with isolated SPU modules or loaders. Therefore, I made a new tool which works with isolated SPU modules and loaders. It's called iso_rebuilder and is a modified version of self_rebuilder.
- See my GIT repo: http://gitorious.ps3dev.net/ps3otheros/ps3tools
How To Test Isolated SPU Modules and Loaders
- I test my isolated SPU modules and loaders with PS3 Linux and spuisofs/spuldrfs Virtual File Systems.
spuisofs
- With spuisofs you can test isolated SPU modules which are decrypted by isoldr.
- You cannot test loaders with spuisofs.
- But spuisofs has the advantage that it's a lot easier to execute isolated SPUs with it than with spuldrfs.
See http://www.ps3devwiki.com/wiki/Spuisofs
spuldrfs
- With spuldrfs you can test isolated SPU modules which are decrypted by isoldr and loaders which are decrypted by metldr.
- Use spuisofs if you only want to execute isoldr SPUs; it's easier than with spuldrfs.
See http://www.ps3devwiki.com/wiki/Spuldrfs
Example: Making dump_ata_keys.self
- First you need sb_iso_spu_module.self from your NOR/NAND flash or from a PS3 update file.

# compile your SPU code
spu-elf-gcc -c dump_ata_keys.S
ls -l dump_ata_keys.o

# convert your code to binary
spu-elf-objcopy -O binary dump_ata_keys.o dump_ata_keys.bin
ls -l dump_ata_keys.bin

# decrypt sb_iso_spu_module.self
unself sb_iso_spu_module.self sb_iso_spu_module.elf
ls -l sb_iso_spu_module.elf
mv sb_iso_spu_module.elf dump_ata_keys.elf

# print program header of decrypted SPU module
readelf -l dump_ata_keys.elf

Elf file type is EXEC (Executable file)
Entry point 0x880
There are 3 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000100 0x00000880 0x00000880 0x05040 0x05040 R E 0x80
  LOAD           0x005180 0x00005900 0x00005900 0x00030 0x001c0 RW  0x80
  NOTE           0x0051b0 0x00000000 0x00000000 0x00034 0x00000 R   0x10

 Section to Segment mapping:
  Segment Sections...
   00     .unknown .unknown
   01     .unknown .unknown .unknown .unknown
   02     .unknown

# entry point is 0x880 which is in the first program segment at file offset 0x100
# now we kill all old code with 0s before we put our code there.
# seek parameter is the offset of the first program segment.
# count parameter is the sum of the offset of the last program segment plus its size
# minus the offset of the first program segment.
dd if=/dev/zero of=dump_ata_keys.elf bs=1 seek=$((0x100)) count=$((0x51b0 + 0x34 - 0x100)) conv=notrunc

# after you filled out the SPU module with 0s, check it with spu-objdump
spu-elf-objdump -d dump_ata_keys.elf

dump_ata_keys.elf:     file format elf32-spu

Disassembly of section :

00000880 <>:
	...

# now we copy our code to the SPU module
# seek parameter is the entry point offset in the file
dd if=dump_ata_keys.bin of=dump_ata_keys.elf bs=1 seek=$((0x100)) conv=notrunc

# now build the isolated SPU module
iso_rebuilder dump_ata_keys.elf dump_ata_keys.self sb_iso_spu_module.self

# we are done :)
# time to test it with spuisofs !!!
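The seek and count values for the two dd commands above were read off the readelf output by hand. The following Python script is an added example (not part of this tutorial and not from ps3tools) that derives the same numbers from the ELF32 program headers and then performs the same two steps in memory: zero the old segments, then write the new code at the entry point's file offset. It generalises the steps slightly: the entry point is mapped to a file offset through the PT_LOAD segment that contains it, and the code is refused if it is larger than that segment. The ELF image it operates on is constructed to match the program headers shown above; its segment bodies are filler bytes, not a real sb_iso_spu_module.

```python
"""Compute the dd parameters from the ELF program headers and apply the
zero-fill plus code-copy steps in memory.  Constructed example: the ELF
image below mirrors the readelf output of the tutorial, nothing more."""
import struct

PT_LOAD = 1
PT_NOTE = 4
EM_SPU = 23
EHDR_FMT = ">16sHHIIIIIHHHHHH"   # ELF32 big-endian file header, 52 bytes
PHDR_FMT = ">IIIIIIII"           # ELF32 program header, 32 bytes


def parse_elf32(data):
    """Return (entry point, [(type, offset, vaddr, filesz, memsz), ...])."""
    ident, _, machine, _, entry, phoff, _, _, _, phentsize, phnum, _, _, _ = \
        struct.unpack_from(EHDR_FMT, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 2:
        raise ValueError("not a big-endian ELF32 file")
    if machine != EM_SPU:
        raise ValueError("not an SPU ELF")
    phdrs = []
    for i in range(phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, _, _ = \
            struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz, p_memsz))
    return entry, phdrs


def dd_params(phdrs):
    """seek = offset of the first program segment in the file,
    count = end of the last program segment minus that offset.
    Uses the lowest offset and the highest end so the order of the
    program header table does not matter."""
    seek = min(p[1] for p in phdrs)
    end = max(p[1] + p[3] for p in phdrs)
    return seek, end - seek


def entry_file_offset(entry, phdrs):
    """Map the entry point address to its file offset through the
    PT_LOAD segment that contains it."""
    for p_type, p_offset, p_vaddr, p_filesz, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= entry < p_vaddr + p_filesz:
            return p_offset + (entry - p_vaddr)
    raise ValueError("entry point not inside any PT_LOAD segment")


def inject_code(elf, code):
    """Zero the old segments and write `code` at the entry point, the
    same effect as the two dd invocations.  Returns the patched image."""
    entry, phdrs = parse_elf32(elf)
    seek, count = dd_params(phdrs)
    dest = entry_file_offset(entry, phdrs)
    # bytes left in the entry segment from the entry point onward
    room = next(p[1] + p[3] for p in phdrs
                if p[0] == PT_LOAD and p[1] <= dest < p[1] + p[3]) - dest
    if len(code) > room:
        raise ValueError("code (%d bytes) does not fit in the entry "
                         "segment (%d bytes)" % (len(code), room))
    out = bytearray(elf)
    out[seek:seek + count] = bytes(count)      # dd if=/dev/zero ... seek count
    out[dest:dest + len(code)] = code          # dd if=code.bin ... seek
    return bytes(out)


def build_sample_module():
    """Constructed image with the program headers from the tutorial's
    readelf output; segment bodies are 0xaa filler standing in for the
    old code."""
    phdrs = [
        (PT_LOAD, 0x100, 0x880, 0x880, 0x5040, 0x5040, 0x5, 0x80),
        (PT_LOAD, 0x5180, 0x5900, 0x5900, 0x30, 0x1c0, 0x6, 0x80),
        (PT_NOTE, 0x51b0, 0x0, 0x0, 0x34, 0x0, 0x4, 0x10),
    ]
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)   # ELF32, big-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, EM_SPU, 1, 0x880, 52, 0, 0,
                       52, 32, len(phdrs), 40, 0, 0)
    img = bytearray(b"\xaa" * (0x51b0 + 0x34))
    img[:52] = ehdr
    for i, p in enumerate(phdrs):
        img[52 + 32 * i:52 + 32 * (i + 1)] = struct.pack(PHDR_FMT, *p)
    return bytes(img)


if __name__ == "__main__":
    elf = build_sample_module()
    entry, phdrs = parse_elf32(elf)
    print("entry 0x%x, dd seek=0x%x count=0x%x, entry file offset 0x%x"
          % (entry, *dd_params(phdrs), entry_file_offset(entry, phdrs)))
```

On the constructed image this reports seek 0x100 and count 0x50e4, which is 0x51b0 + 0x34 - 0x100, the same values the dd commands above use. Feeding it a real decrypted module means reading the file with `open(path, "rb").read()` and writing `inject_code()`'s result back out before running iso_rebuilder; the page's own procedure is unchanged, the script only replaces the by-hand arithmetic.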
Example: Making dump_encdec_keys.self
- First you need lv1ldr from your NOR/NAND flash or from a PS3 update file.