SPU Isolated Modules Reverse Engineering
Jump to navigation
Jump to search
aim_spu_module
It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.
Debug messages
| Address | Message | |
|---|---|---|
| 355retail | ||
| 0x36f0 | 0x3570 | "(spu)start aim spu module!\n" |
| 0x3710 | 0x3590 | "(spu) PU DMA area start address is not align 16byte\n" |
| 0x3750 | 0x35d0 | "(spu) PU EID area start address is not align 16byte\n" |
| 0x3790 | 0x3610 | "(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n" |
This messages are DMAed to the ppu if a debug output address is specified.
Data
| Address | Info |
|---|---|
| 0x37e0 | Reference tool fallback IDPS |
| 0x37f0 - ... | Start of EID keys |
| 0x3ac0 | AES sbox (16*16 bytes) |
| 0x3c70 | AES inverse sbox (16*16 bytes) |
Functions
| Address | Name | Parameters | Info |
|---|---|---|---|
| 0x9e0 | stop_func | unknown | Stops the module execution with various stop codes. |
| 0xa18 | main_func | unknown | Main routine. |
| 0xf18 | response | unknown | Sends response to ppu over DMA. |
| 0x1158 | process_eid | unknown | Decrypts EID0. |
| 0x1438 | prepare_print | unknown | Prepares debug output. |
| 0x1440 | debug_print | unknown | As the name already states... (this outputs over DMA) |
| 0x17f0 | - | - | Part of aes implementation. |
| 0x1c48 | - | - | Part of aes implementation. |
| 0x1df0 | - | - | Probably part of aes implementation. |
| 0x20f0 | - | - | Probably part of aes implementation. |
| 0x2300 | - | - | Probably part of aes implementation. |
| 0x2418 | - | - | Part of aes implementation. |
| 0x2608 | - | - | Part of aes implementation. |
| 0x30c0 | do_dma | ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9 | Used to dma data in and out of the isolated module's LS. |
| 0x3168 | write_tag_mask_bit | mask_bit:$4 | Used to set a specific bit in MFC_WrTagMask. |
Disasm
The complete disassembly is available at [1].