static void map_dma_mem(int bus_id, int dev_id, void *start, size_t len,
u64 *real_bus_addr)
{
s64 result;
u64 real_addr = ((u64)start) & 0x0fffffffffffffffUL;
u64 real_end = real_addr + len;
u64 map_start = real_addr & ~0xfff;
u64 map_end = (real_end + 0xfff) & ~0xfff;
u64 bus_addr = 0;
u64 flags = 0xf800000000000000UL;
result = lv1_allocate_device_dma_region(bus_id, dev_id,
map_end - map_start, 12, 0,
&bus_addr);
if (result)
lv1_panic(0);
result = lv1_map_device_dma_region(bus_id, dev_id, map_start,
bus_addr, map_end - map_start,
flags);
if (result)
lv1_panic(0);
*real_bus_addr = bus_addr + real_addr - map_start;
}
int main(void)
{
u8 *payload, *stage2;
int payload_size, result;
#ifdef DEBUG
debug_init();
#endif
DPRINTF("Stage 1.5 lan hello.\n");
result = gelic_init();
if (result != 0)
goto error;
payload = (void *)MKA(0x700000);//alloc(MAX_PAYLOAD_SIZE, 0x27);
if (!payload)
goto error;
payload_size = gelic_recv_data(payload, MAX_PAYLOAD_SIZE);
if (payload_size <= 0)
goto error;
DPRINTF("Receive data: %d\n", payload_size);
stage2 = alloc(payload_size, 0x27);
if (!stage2)
goto error;
memcpy(stage2, payload, payload_size);
clear_icache(stage2, payload_size);
memset(payload, 0, payload_size);
//dealloc(payload, 0x27);
result = gelic_deinit();
if (result != 0)
goto error;
/*result = mm_deinit();
if (result != 0)
goto error;*/
f_desc_t desc;
desc.addr = stage2;
DPRINTF("Calling stage2...\n");
debug_end();
void (* stage2_func)(void) = (void *)&desc;
stage2_func();
return 0;
error:
lv1_panic(0);
return -1;
}
static void ps3_exit(void)
{
printf("ps3_exit\n");
/* lv1_panic will shutdown the lpar. */
lv1_panic(0); /* zero = do not reboot */
while (1);
}
void
ppc_exception(int code, vm_offset_t where, register_t msr)
{
mtmsr(PSL_IR | PSL_DR | PSL_RI);
printf("Exception %x at %#lx!\n", code, where);
printf("Rebooting in 5 seconds...\n");
delay(10000000);
lv1_panic(1);
}
void kernel_launch(void)
{
devtree_prepare();
printf("Relocating vectors...\n");
memcpy((void*)0, vec_buf, VECSIZE);
sync_before_exec((void*)0, VECSIZE);
printf("Letting thread1 run loose...\n");
_thread1_vector = 0x60; /* this is __secondary_hold in Linux */
_thread1_release = 1;
printf("Taking the plunge...\n");
debug_shutdown();
((kernel_entry)entry)(__devtree, entry[0], NULL);
lv1_panic(0);
}
int aim_get_open_ps_id(void)
{
#define N(a) (sizeof((a)) / sizeof((a)[0]))
u64 vuart_lpar_addr, muid, nread, nwritten;
u8 *msgbuf;
struct dispmgr_header *dispmgr_header;
struct ss_header *ss_header;
struct ss_aim_get_open_ps_id *ss_aim_get_open_ps_id;
int result;
result = lv1_allocate_memory(AIM_GET_OPEN_PS_ID_SIZE, AIM_GET_OPEN_PS_ID_PAGE_SIZE,
0, 0, &vuart_lpar_addr, &muid);
if (result != 0)
return result;
MM_LOAD_BASE(msgbuf, AIM_GET_OPEN_PS_ID_OFFSET);
result = mm_map_lpar_memory_region(0, MM_EA2VA((u64) msgbuf), vuart_lpar_addr,
AIM_GET_OPEN_PS_ID_SIZE, AIM_GET_OPEN_PS_ID_PAGE_SIZE, 0, 0);
if (result != 0)
return result;
memset(msgbuf, 0, AIM_GET_OPEN_PS_ID_SIZE);
dispmgr_header = (struct dispmgr_header *) msgbuf;
dispmgr_header->request_id = 1;
dispmgr_header->function_id = 0x19000;
dispmgr_header->request_size = sizeof(struct ss_header);
dispmgr_header->response_size = sizeof(struct ss_header) +
sizeof(struct ss_aim_get_open_ps_id);
ss_header = (struct ss_header *) (dispmgr_header + 1);
memset(ss_header, 0, sizeof(struct ss_header));
ss_header->packet_id = 0x19005;
ss_header->function_id = 0x19000;
ss_header->laid = subject_id[0];
ss_header->paid = subject_id[1];
ss_aim_get_open_ps_id = (struct ss_aim_get_open_ps_id *) (ss_header + 1);
memset(ss_aim_get_open_ps_id, 0, sizeof(struct ss_aim_get_open_ps_id));
dispmgr_header->request_size += sizeof(struct ss_aim_get_open_ps_id);
result = lv1_write_virtual_uart(DISPMGR_VUART_PORT, vuart_lpar_addr,
sizeof(struct dispmgr_header) + dispmgr_header->request_size, &nwritten);
if (result < 0)
return result;
result = vuart_wait_for_rx_data(DISPMGR_VUART_PORT);
if (result < 0)
return result;
result = lv1_read_virtual_uart(DISPMGR_VUART_PORT, vuart_lpar_addr,
AIM_GET_OPEN_PS_ID_SIZE, &nread);
if (result < 0)
return result;
result = gelic_xmit_data(gelic_bcast_mac_addr, 0xBEEF, msgbuf, nread);
if (result < 0)
return result;
beep(BEEP_DOUBLE);
lv1_panic(1);
return 0;
#undef N
}
void
exit(int code)
{
lv1_panic(code);
}
int product_mode_off(void)
{
u64 vuart_lpar_addr, muid, nread, nwritten;
u8 *msgbuf;
struct dispmgr_header *dispmgr_header;
struct ss_header *ss_header;
struct ss_update_mgr_write_eprom *ss_update_mgr_write_eprom;
int result;
result = lv1_allocate_memory(PRODUCT_MODE_SIZE, PRODUCT_MODE_PAGE_SIZE,
0, 0, &vuart_lpar_addr, &muid);
if (result != 0)
return result;
MM_LOAD_BASE(msgbuf, PRODUCT_MODE_OFFSET);
result = mm_map_lpar_memory_region(0, (u64) msgbuf, vuart_lpar_addr,
PRODUCT_MODE_SIZE, PRODUCT_MODE_PAGE_SIZE, 0, 0);
if (result != 0)
return result;
memset(msgbuf, 0, PRODUCT_MODE_SIZE);
dispmgr_header = (struct dispmgr_header *) msgbuf;
dispmgr_header->request_id = 1;
dispmgr_header->function_id = 0x6000;
dispmgr_header->request_size = sizeof(struct ss_header);
dispmgr_header->response_size = sizeof(struct ss_header) +
sizeof(struct ss_update_mgr_write_eprom);
ss_header = (struct ss_header *) (dispmgr_header + 1);
memset(ss_header, 0, sizeof(struct ss_header));
ss_header->packet_id = 0x600C;
ss_header->function_id = 0x6000;
ss_header->laid = subject_id[0];
ss_header->paid = subject_id[1];
ss_update_mgr_write_eprom =
(struct ss_update_mgr_write_eprom *) (ss_header + 1);
memset(ss_update_mgr_write_eprom, 0,
sizeof(struct ss_update_mgr_write_eprom));
ss_update_mgr_write_eprom->offset = 0x48C07;
ss_update_mgr_write_eprom->value = 0xFF;
dispmgr_header->request_size += sizeof(struct ss_update_mgr_write_eprom);
result = lv1_write_virtual_uart(DISPMGR_VUART_PORT, vuart_lpar_addr,
sizeof(struct dispmgr_header) + dispmgr_header->request_size, &nwritten);
if (result < 0)
return result;
result = vuart_wait_for_rx_data(DISPMGR_VUART_PORT);
if (result < 0)
return result;
result = lv1_read_virtual_uart(DISPMGR_VUART_PORT, vuart_lpar_addr, PRODUCT_MODE_SIZE,
&nread);
if (result < 0)
return result;
result = gelic_xmit_data(gelic_bcast_mac_addr, 0xBEEF, msgbuf, nread);
if (result < 0)
return result;
beep(BEEP_DOUBLE);
lv1_panic(1);
return 0;
}
static void gelic_debug_init(void)
{
s64 result;
u64 v2;
u64 mac;
u64 vlan_id;
result = lv1_open_device(GELIC_BUS_ID, GELIC_DEVICE_ID, 0);
if (result)
lv1_panic(0);
map_dma_mem(GELIC_BUS_ID, GELIC_DEVICE_ID, &dbg, sizeof(dbg),
&bus_addr);
memset(&dbg, 0, sizeof(dbg));
dbg.descr.buf_addr = bus_addr + offsetof(struct debug_block, pkt);
wmb();
result = lv1_net_control(GELIC_BUS_ID, GELIC_DEVICE_ID,
GELIC_LV1_GET_MAC_ADDRESS, 0, 0, 0,
&mac, &v2);
if (result)
lv1_panic(0);
mac <<= 16;
h_eth = (struct ethhdr *)dbg.pkt;
memset(&h_eth->dest, 0xff, 6);
memcpy(&h_eth->src, &mac, 6);
header_size = sizeof(struct ethhdr);
result = lv1_net_control(GELIC_BUS_ID, GELIC_DEVICE_ID,
GELIC_LV1_GET_VLAN_ID,
GELIC_LV1_VLAN_TX_ETHERNET_0, 0, 0,
&vlan_id, &v2);
if (!result) {
h_eth->type = 0x8100;
header_size += sizeof(struct vlantag);
h_vlan = (struct vlantag *)(h_eth + 1);
h_vlan->vlan = vlan_id;
h_vlan->subtype = 0x0800;
h_ip = (struct iphdr *)(h_vlan + 1);
} else {
h_eth->type = 0x0800;
h_ip = (struct iphdr *)(h_eth + 1);
}
header_size += sizeof(struct iphdr);
h_ip->ver_len = 0x45;
h_ip->ttl = 10;
h_ip->proto = 0x11;
h_ip->src = 0x00000000;
h_ip->dest = 0xffffffff;
header_size += sizeof(struct udphdr);
h_udp = (struct udphdr *)(h_ip + 1);
h_udp->src = GELIC_DEBUG_PORT;
h_udp->dest = GELIC_DEBUG_PORT;
pmsgc = pmsg = (char *)(h_udp + 1);
}
int main(void)
{
int i, result;
result = mm_init();
if (result != 0)
goto error;
result = param_init();
if (result != 0)
goto error;
result = gelic_init();
if (result != 0)
goto error;
patch_dispmgr();
/*
result = gelic_xmit_test();
if (result != 0)
goto error;
*/
/*
result = gelic_recv_test();
if (result != 0)
goto error;
*/
/*
result = dump_lv2(0x8000000000000000ULL, 8 * 1024 * 1024);
if (result != 0)
goto error;
*/
/*
result = dump_slb();
if (result != 0)
goto error;
*/
/*
result = dump_sprg0();
if (result != 0)
goto error;
*/
/*
result = dump_htab();
if (result != 0)
goto error;
*/
/*
result = dump_stor();
if (result != 0)
goto error;
*/
/*
result = dump_flash();
if (result != 0)
goto error;
*/
/*
result = dump_repo_nodes();
if (result != 0)
goto error;
*/
/*
result = dump_repo_nodes_spu();
if (result != 0)
goto error;
*/
/*
result = dump_profile();
if (result != 0)
goto error;
*/
/*
result = decrypt_profile();
if (result != 0)
goto error;
*/
/*
result = vuart_sysmgr();
if (result != 0)
goto error;
*/
/*
result = vuart_dispmgr();
if (result != 0)
goto error;
*/
/*
result = decrypt_usb_dongle_master_key();
if (result != 0)
goto error;
*/
/*
result = update_mgr_qa_flag();
if (result != 0)
goto error;
*/
/*
result = update_mgr_get_token_seed();
if (result != 0)
goto error;
*/
/*
result = update_mgr_set_token();
if (result != 0)
goto error;
*/
/*
result = update_mgr_inspect_pkg();
if (result != 0)
goto error;
*/
/*
result = query_lpar_address();
if (result != 0)
goto error;
*/
/*
result = update_mgr_calc_token();
if (result != 0)
goto error;
*/
/*
result = update_mgr_verify_token();
if (result != 0)
goto error;
*/
/*
result = decrypt_pkg();
if (result != 0)
goto error;
*/
/*
result = decrypt_self();
if (result != 0)
goto error;
*/
/*
result = dump_hvcall99_param();
if (result != 0)
goto error;
*/
/*
result = decrypt_npdrm();
if (result != 0)
goto error;
*/
/*
result = self_decrypter_hook();
if (result != 0)
goto error;
*/
/*
result = decrypt_game();
if (result != 0)
goto error;
*/
/*
result = decrypt_lv2_direct();
if (result != 0)
goto error;
*/
/*
result = decrypt_lv2_direct_355();
if (result != 0)
goto error;
*/
/*
result = usb_dongle_auth();
if (result != 0)
goto error;
*/
/*
result = product_mode_off();
if (result != 0)
goto error;
*/
/*
result = decrypt_self_direct();
if (result != 0)
goto error;
*/
/*
result = decrypt_self_direct_355();
if (result != 0)
goto error;
*/
/*
result = vuart_hook();
if (result != 0)
goto error;
*/
/*
result = stor_hook();
if (result != 0)
goto error;
*/
/*
result = hvcall209_hook();
if (result != 0)
goto error;
*/
/*
result = dump_lpar_ra();
if (result != 0)
goto error;
*/
/*
result = hv_mmap_exploit();
if (result != 0)
goto error;
*/
/*
result = dump_lv1();
if (result != 0)
goto error;
*/
/*
result = sc_mgr_read_eprom();
if (result != 0)
goto error;
*/
/*
result = sc_mgr_get_region_data();
if (result != 0)
goto error;
*/
/*
result = sc_mgr_get_sc_status();
if (result != 0)
goto error;
*/
/*
result = sc_mgr_get_srh();
if (result != 0)
goto error;
*/
/*
result = aim_get_device_type();
if (result != 0)
goto error;
*/
/*
result = aim_get_device_id();
if (result != 0)
goto error;
*/
/*
result = aim_get_ps_code();
if (result != 0)
goto error;
*/
/*
result = aim_get_open_ps_id();
if (result != 0)
goto error;
*/
/*
result = decrypt_profile_direct();
if (result != 0)
goto error;
*/
/*
result = sc_iso_sc_binary_patch();
if (result != 0)
goto error;
*/
/*
result = sc_iso_get_sc_status();
if (result != 0)
goto error;
*/
/*
result = sc_iso_get_property();
if (result != 0)
goto error;
*/
/*
result = sb_iso_get_rnd();
if (result != 0)
goto error;
*/
/*
result = sb_iso_encdec_key();
if (result != 0)
goto error;
*/
/*
result = edec_kgen1();
if (result != 0)
goto error;
*/
/*
result = store_file_on_flash();
if (result != 0)
goto error;
*/
/*
result = replace_lv2();
if (result != 0)
goto error;
*/
result = dump_dev_flash();
if (result != 0)
goto error;
return 0;
done:
lv1_panic(0);
return 0;
error:
lv1_panic(1);
}
static void
ps3_reset(platform_t plat)
{
lv1_panic(1);
}
void fatal(const char *msg)
{
printf("FATAL: %s\n", msg);
printf("Panicking.\n");
lv1_panic(0);
}
void abort(void)
{
printf("abort() called! Panicking.\n");
lv1_panic(0);
}
int sequence(void)
{
static int tick = 0, tack = 0;
switch (gstate) {
case STATE_START:
printf("Waiting for DHCP lease...\n");
gstate = STATE_WAIT_NET;
break;
case STATE_WAIT_NET:
if (!(tick & 0xFFFF))
{
tick = 0;
tack++;
}
tick++;
if (tack == 1000)
{
tftp = tftp_new();
printf("Timed out...\n");
return 1;
}
if (eth.dhcp->state == DHCP_BOUND) {
gstate = STATE_GOT_NET;
}
break;
case STATE_GOT_NET:
printf("Network is up:\n");
printf(" IP address: %d.%d.%d.%d\n", P_IP(eth.ip_addr.addr));
printf(" Netmask: %d.%d.%d.%d\n", P_IP(eth.netmask.addr));
printf(" Gateway: %d.%d.%d.%d\n", P_IP(eth.gw.addr));
printf(" TFTP server: %d.%d.%d.%d\n", P_IP(eth.dhcp->offered_si_addr.addr));
if (eth.dhcp->boot_file_name)
printf(" Bootfile: %s\n", eth.dhcp->boot_file_name);
else
printf(" Bootfile: NONE\n");
#ifdef NETRPC_ENABLE
netrpc_init();
#endif
#ifdef AUTO_TFTP
if (eth.dhcp->offered_si_addr.addr == 0 || !eth.dhcp->boot_file_name) {
tftp = tftp_new();
printf("Missing boot settings, falling back to embedded kernel...\n");
return 1;
}
tftp = tftp_new();
if (!tftp)
fatal("tftp alloc failed");
tftp_connect(tftp, ð.dhcp->offered_si_addr, 69);
printf("Downloading configuration file...\n");
seq_tftp_get((char*)eth.dhcp->boot_file_name, conf_buf, MAX_KBOOTCONF_SIZE-1, STATE_GOT_CONF);
#else
gstate = STATE_IDLE;
#endif
break;
case STATE_GOT_CONF:
if (t_status != TFTP_STATUS_OK) {
printf("Transfer did not complete successfully\n");
printf("Rebooting...\n");
lv1_panic(1);
}
printf("Configuration: %ld bytes\n", t_recvd);
conf_buf[t_recvd] = 0;
kbootconf_parse();
if (conf.num_kernels == 0) {
printf("No kernels found in configuration file. Rebooting...\n");
lv1_panic(1);
}
boot_entry = conf.default_idx;
printf("Starting to boot '%s'\n", conf.kernels[boot_entry].label);
printf("Downloading kernel...\n");
kernel_buf = mm_highmem_freestart();
seq_tftp_get(conf.kernels[boot_entry].kernel, kernel_buf, mm_highmem_freesize(), STATE_GOT_KERNEL);
break;
case STATE_GOT_KERNEL:
if (t_status != TFTP_STATUS_OK) {
printf("Transfer did not complete successfully. Rebooting...\n");
lv1_panic(1);
}
if (kernel_load(kernel_buf, t_recvd) != 0) {
printf("Failed to load kernel. Rebooting...\n");
lv1_panic(1);
}
if (conf.kernels[boot_entry].initrd && conf.kernels[boot_entry].initrd[0]) {
printf("Downloading initrd...\n");
initrd_buf = mm_highmem_freestart();
seq_tftp_get(conf.kernels[boot_entry].initrd, initrd_buf, mm_highmem_freesize(), STATE_GOT_INITRD);
} else {
gstate = STATE_BOOT;
}
break;
case STATE_GOT_INITRD:
if (t_status != TFTP_STATUS_OK) {
printf("Transfer did not complete successfully. Rebooting...\n");
lv1_panic(1);
}
mm_highmem_reserve(t_recvd);
kernel_set_initrd(initrd_buf, t_recvd);
gstate = STATE_BOOT;
break;
case STATE_BOOT:
kernel_build_cmdline(conf.kernels[boot_entry].parameters, conf.kernels[boot_entry].root);
shutdown_and_launch();
break;
case STATE_WAIT_TFTP:
break;
case STATE_IDLE:
break;
}
return 0;
}
int main(void)
{
int res;
udelay(2000000);
debug_init();
printf("\n\nBootOS Stage 2 starting.\n");
printf("Waiting for thread 1...\n");
while(!_thread1_active);
printf("Thread 1 is alive, all systems go.\n");
exceptions_init();
lv2_cleanup();
mm_init();
#ifdef USE_NETWORK
net_init();
gstate = STATE_START;
while(1) {
net_poll();
if(sequence())
break;
}
#endif
#ifdef AUTO_HDD
static FATFS fatfs;
DSTATUS stat;
stat = disk_initialize(0);
if (stat & ~STA_PROTECT)
fatal("disk_initialize() failed");
printf("Mounting filesystem...\n");
res = f_mount(0, &fatfs);
if (res != FR_OK)
fatal("f_mount() failed");
printf("Reading kboot.conf...\n");
res = readfile("/kboot.conf", conf_buf, MAX_KBOOTCONF_SIZE-1);
if (res <= 0) {
printf("Could not read kboot.conf (%d), panicking\n", res);
lv1_panic(0);
}
conf_buf[res] = 0;
kbootconf_parse();
if (conf.num_kernels == 0) {
printf("No kernels found in configuration file. Panicing...\n");
lv1_panic(0);
}
boot_entry = conf.default_idx;
printf("Starting to boot '%s'\n", conf.kernels[boot_entry].label);
printf("Loading kernel (%s)...\n", conf.kernels[boot_entry].kernel);
kernel_buf = mm_highmem_freestart();
res = readfile(conf.kernels[boot_entry].kernel, kernel_buf, mm_highmem_freesize());
if (res <= 0) {
printf("Could not read kernel (%d), panicking\n", res);
lv1_panic(0);
}
printf("Kernel size: %d\n", res);
if (kernel_load(kernel_buf, res) != 0) {
printf("Failed to load kernel. Rebooting...\n");
lv1_panic(1);
}
if (conf.kernels[boot_entry].initrd && conf.kernels[boot_entry].initrd[0]) {
initrd_buf = mm_highmem_freestart();
res = readfile(conf.kernels[boot_entry].initrd, initrd_buf, mm_highmem_freesize());
if (res <= 0) {
printf("Could not read initrd (%d), panicking\n", res);
lv1_panic(0);
}
printf("Initrd size: %d\n", res);
mm_highmem_reserve(res);
kernel_set_initrd(initrd_buf, res);
}
kernel_build_cmdline(conf.kernels[boot_entry].parameters, conf.kernels[boot_entry].root);
f_mount(0, NULL);
disk_shutdown(0);
mm_shutdown();
kernel_launch();
#endif
printf("Loading embedded kernel...\n");
kernel_buf = mm_highmem_freestart();
printf("Decompressing kernel to %lX...\n", (u64) kernel_buf);
res = unzpipe (kernel_buf, __vmlinux, &kernel_sz);
if (res)
{
printf("Cannot decompress kernel, error %d.\n", res);
lv1_panic(1);
}
printf("Kernel size: %ld\n", kernel_sz);
if (kernel_load(kernel_buf, kernel_sz) != 0)
{
printf("Failed to load embedded kernel. Rebooting...\n");
lv1_panic(1);
}
kernel_build_cmdline("video=ps3fb:mode:0 panic=5", "/dev/sda1");
shutdown_and_launch();
printf("End of main() reached! Rebooting...\n");
lv1_panic(1);
return 0;
}
