SPU Isolated Modules Reverse Engineering

aim_spu_module

It is used to retrieve the device type, device id, open psid and the pscode from the EID0 data that is passed in.

Address		Message
? 3.41 ?	355 CEX	Message
0x36f0	0x3570	"(spu)start aim spu module!\n"
0x3710	0x3590	"(spu) PU DMA area start address is not align 16byte\n"
0x3750	0x35d0	"(spu) PU EID area start address is not align 16byte\n"
0x3790	0x3610	"(spu) PU DMA area size is not equall to AIM_DMA_SIZE\n"

This messages are DMAed to the ppu if a debug output address is specified.

Address		Message
? 3.41 ?	355 CEX	Message
0x37e0	-	Reference tool fallback IDPS
0x37f0 - ...	0x3650 - ...	Start of EID keys
0x3ac0	0x3870	AES sbox (16*16 bytes)
0x3c70	0x3a20	AES inverse sbox (16*16 bytes)

Address		Name	Parameters	Info
? 3.41 ?	355 CEX	Name	Parameters	Info
0x9e0		stop_func	unknown	Stops the module execution with various stop codes.
0xa18		main_func	unknown	Main routine.
0xf18		response	unknown	Sends response to ppu over DMA.
0x1158		process_eid	unknown	Decrypts EID0.
0x1438		prepare_print	unknown	Prepares debug output.
0x1440		debug_print	unknown	As the name already states... (this outputs over DMA)
0x17f0		-	-	Part of aes implementation.
0x1c48		-	-	Part of aes implementation.
0x1df0		-	-	Probably part of aes implementation.
0x20f0		-	-	Probably part of aes implementation.
0x2300		-	-	Probably part of aes implementation.
0x2418		-	-	Part of aes implementation.
0x2608		-	-	Part of aes implementation.
0x30c0		do_dma	ls_addr:$4, dma_effective_addr:$5, size:$6, tag_id:$7, unk0:$8, unk1:$9	Used to dma data in and out of the isolated module's LS.
0x3168		write_tag_mask_bit	mask_bit:$4	Used to set a specific bit in MFC_WrTagMask.

The complete disassembly is available at [1].

//Partial code modified to run aim_spu_module