Talk:Timebases

From PS3 Developer wiki
Revision as of 19:42, 26 July 2014 by Anonymous (Privacy policy) (→‎Applications)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Outofspec attackvector

Normal usage - CellBE/RAM

Clock speed of the system is initialised during the POR sequence using the Syscon reference clock (PLL_REFCLK). The ref clock operates at 400mhz and is multiplied by a factor of the core clock multiplier, which is 1:8 in the PS3 (3.2 Ghz). The clock signal is generated by the XCG module ICS ICS9214DGLFT located adjacent to the sata bay and xdr units. The refclock is only used to calibrate the internal speed of the CELL BE during bootup. When the internal clock is stable the refclock is no longer used.


Applications

Changing the clock speed during bootup was used to pwn the gameboy bootrom, using a sophisticated op skipping technique.


OK, so now I just counted clock cycles until I saw that write to the 0xFF50 register and I wrote up some quick (and rather dirty) VHDL which sends slow (around 2MHz) clock cycles until we reach that spot. Then, it sends a burst of fast clock cycles (24MHz) which are meant to overclock the system beyond the point where it can execute the register write instruction properly, but slow enough for the PC to increment. This essentially causes this instruction to not be executed! Thus, the boot ROM falls through to my usercode at 0x0100 without running the disable instruction where I have this little block of code:

http://www.its.caltech.edu/~costis/sgb_hack/

Slowing down the clock speed

Any idea of how to slow down clock speed at initialization using external hardware?