Difference between revisions of "Secure Profile Loader"

From PS3 Developer wiki
Jump to: navigation, search
m
m
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
[[Category:Software]]
 
 
[[Default.spp]] file is stored on '''/dev/rflash1'''
 
[[Default.spp]] file is stored on '''/dev/rflash1'''
  
 
<br>
 
<br>
 +
note: inside ss_server2.fself
  
 
== 0x15000 - SPL (Secure Profile Loader)  ==
 
== 0x15000 - SPL (Secure Profile Loader)  ==
Line 11: Line 11:
 
! Packet ID  
 
! Packet ID  
 
! Description
 
! Description
 +
! Lv1 Parameter Usage
 +
! Notes
 
|-
 
|-
 
| 0x15001  
 
| 0x15001  
 
| Get LPAR Parameter Size/Get LPAR Parameter
 
| Get LPAR Parameter Size/Get LPAR Parameter
 +
|
 +
|
 
|-
 
|-
 
| 0x15003  
 
| 0x15003  
 
| Get Contents Size/Get Contents
 
| Get Contents Size/Get Contents
 +
|
 +
|
 
|-
 
|-
 
| 0x15009  
 
| 0x15009  
 
| Get Component
 
| Get Component
 +
|
 +
|
 
|}
 
|}
  
Line 101: Line 109:
 
|0x1070000017000001
 
|0x1070000017000001
 
|}
 
|}
 +
 +
 +
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 08:26, 21 July 2014

Default.spp file is stored on /dev/rflash1


note: inside ss_server2.fself

0x15000 - SPL (Secure Profile Loader)[edit]

Packet ID Description Lv1 Parameter Usage Notes
0x15001 Get LPAR Parameter Size/Get LPAR Parameter
0x15003 Get Contents Size/Get Contents
0x15009 Get Component

SPP File[edit]

  • The file is encrypted but can be read by using 0x15003 service of SPL
  • SPL reads SPP file, parses SPP header and checks some fields
  • SPP file is verified and decrypted by SPU module spp_verifier.self that cab be executed with HV SPE calls
  • Even old default.spp from PS3 Firmware 1.10 can be decrypted with spp_verifier.self from PS3 Firmware 3.41
  • Header format version should be 5 or else the header check fails
  • If (SPP header size % 256 != 0) then header check fails
  • Finally i was able to decrypt profile file from 3.41 but by using SPE HV calls only !!! And Linux Manager is still there !!!
  • The decrypted file is a binary file

Here are the contents of Default.spp#3.56_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.55_RETAIL.2FCEX from 3.55.
Here are the contents of Default.spp#3.41_RETAIL.2FCEX from 3.41.
Here are the contents of Default.spp#3.15_RETAIL.2FCEX from 3.15.
Here are the contents of Default.spp#1.00_DEBUG.2FDEX from 1.00 Debug Firmware.

SPP Header[edit]

offset 0x2 - header format version (2 bytes)

offset 0x4 - header size (4 bytes)

offset 0x18 - number of segments (4 bytes)

Segments[edit]

  • Segments follow after the header
  • SPP file contains several segments.

Here is the list of profile segments from 3.41:

Name auth id/authority id
*SCE_CELLOS_PME 0x1070000001000001
*PS3_LPAR 0x1070000002000001
*PS2_LPAR 0x1020000003000001
*PS2_GX_LPAR 0x1020000003000001
*PS2_SW_LPAR 0x1020000003000001
*LINUX_LPAR 0x1080000004000001
*SCE_CELLOS_SYSTEM_MGR 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_LINUX 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2_SW 0x107000001D000001
*SCE_CELLOS_SYSTEM_MGR_PS2_GX 0x107000001D000001
*SCE_CELLOS_SS_SECURE_RTC 0x1070000033000001
*SCE_CELLOS_SS_INDI_INFO_EID
*SCE_CELLOS_SS_INIT_LV1_ACL 0x1070000017000001