Let's take a look at the boot order of a PS3 console:
Boot Sequence
Power on: syscon boots from its internal (non-encrypted / dual banked) ROM *1 *2
+ syscon powers up various power subsystems
+ syscon powers up cell and checks status
+ syscon sends Cell configuration ring to Cell. It is either sent during or before bootldr. The config ring is checked within bootldr (ch67).
+ syscon pulls the reset of Cell high -> Cell INIT (Partially).
Cell INIT: CELL boots from its internal ROM *2
+ fetches encrypted bootldr off NAND (at address 0x000000) /NOR flash (at address 0xFC0000) and boots in isolated SPU.
Bootldr Running: (Which SPU?)
+ Initialises I/O (IOIF0/IOIF1)
+ Initialises XDR (And verifies with memtest elf - On SPU 0 - It's hardcoded to load there).
+ bootldr decrypts lv0 which runs on PPU -> loaders INIT
NEW consoles only: metadata lv0.2 (signed with nonrandomfail key) is used to check lv0 integrity
syscon sends cell configuration ring before bootldr kicks in
and sends a request from internal non encrypted dual banked read only memory
now if the metadata of 0.2 is signed with the non random fail key
how do you check lv0 integrity if you don't know which spu module is being loaded...
if the SYSCON SENDS CELL CONFIG RING request right before BOOTLDR KICKS IN
bootldr decrypts lv0 which runs on PPU -> loaders INIT
find those parameters and get back to me.