PlayStation 3
From BovineNet
This page just contains my aggregated notes about the internals of the PlayStation 3 that I have discovered while searching the various forums on the Internet. I don't claim credit for any of the work that originally went into these discoveries.
Contents |
[edit] Third-party OS
Sony provides the ability for the user to run other operating systems (currently limited to Linux only[1]). This is done by adding an option to boot the "Other OS" from within the PlayStation 3's XBR menu system.
[edit] Hypervisor Limitations
While the "Other OS" is running, it is actually running within logical partition that is virtualized by a hypervisor. This allows Sony to ensure that the "Other OS" does not gain too much access to the rest of the hardware, for security purposes. In particular these things are restricted:
- Access to the RSX (Reality Synthesizer) nVidia 3d video chip is blocked. This is a very significant limitation since it restricts the ability to write/play full-speed 3D Linux games. There is a petition for Sony to open up the RSX. However, it is possible that it is actually already open and it just needs drivers to be written for it.
- Access to the Emotion Engine (normally only used for PlayStation 2 emulation) is blocked. It is possible that it is actually already open and it just needs drivers or kernel support to be written for it.
- Access to only 6 of the SPE processors. (There are actually 8 SPE total, but 1 is disabled in the factory for chip yield purposes, and 1 is disabled by the Sony hypervisor, possibly for its virtualization purposes.)
- Access to only the portion of the hard disk that has been allocated to the Other OS. It is not possible to access the parts of the hard disk used by the XBR menu system.
[edit] Other OS implementation
The "Other OS" menu item is implemented with two main files, which are loaded onto the PS3 by the user via a USB thumbdrive:
- otheros.self — this is a Sony-supplied file that is in "SCE + ELF" encrypted format. Since it is encrypted with an unknown method, it is not currently possible to view or modify the contents. It is speculated by others that this contains the actual hypervisor implementation.[2]
- otheros.bld — this is a third-party supplied file that contains the boot-loader to your desired OS. This is simply a gzip file containing a boot image. The typical contents is the kboot boot-loader.
In older versions of the Sony PS3 firmware, it was necessary for the user to download the "otheros.self" file and provide it on the USB thumbdrive for the PS3 to install. However, in newer versions of the firmware (starting with 1.90?) the "otheros.self" is included with the firmware and the user only has to supply the "otheros.bld" file.
There are some other replacement "otheros.bld" files, such as the petitboot graphical boot manager.
[edit] Hypervisor API
The Sony hypervisor provides an API that the "otheros.bld" and Linux kernel can invoke to gain access to certain parts of the hardware. Much of it is still undocumented, but perhaps it might be usable to gain access to the memory-mapped I/O, DMA, IRQ functionality needed to access the RSX.
Some people have already noticed that the malloc_gpu_memory() and free_gpu_memory() functions can be used to access up to 252MB of low-speed memory on RSX.
[edit] Firmware updates
Sony releases firmware updates for the PS3 in two ways:
- Automatic download via the XBR menu system
- Manual download from the Sony website, to allow the user to write the ~120MB file to a USB thumbdrive or CD/DVD disk.
When a firmware update is installed, it is saved to non-volatile flash memory on the PS3 motherboard[3]. Erasing/replacing the hard disk or reinitializing the PS3 does not allow you to downgrade the firmware.
[edit] SCEUF archive
The firmware update file is named "PS3UPDAT.PUP" and is a "SCEUF" archive file that contains several other sub-files. The file format of the SCEUF has already been analyzed by other users and an extraction utility has been written.[4] Here is the sample output from the 1.90 firmware, showing it contains 5 files:
PS3 Update unpacker - ver1 by [RO]man
magic=SCEUF ver=1 unk=0x19BF hdrSize=0x190 dataSize=0x7760BB0
signature=91D2096371FA509D2A1380872417DFEAC616750A
sections=5
section #0: attr=0x100 offs=0x00000190 size=0x00000005
signature=97DB77EAE68D43052EC2D939C62BD8FD7E8C3160.
section #1: attr=0x101 offs=0x00000195 size=0x00000003
signature=1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A.
section #2: attr=0x200 offs=0x00000198 size=0x005493A8
signature=E6AE80A769FE351EF1AD90A73358160726C42089..
section #3: attr=0x201 offs=0x00549540 size=0x00002800
signature=D9B66E0D2845D71A67D76E7907AB06368CE61E08.
section #4: attr=0x300 offs=0x0054BD40 size=0x07215000
signature=4AC908CD72CCD329AAB4DC28C51C65BBCE6CBFF3.......................
Done
The five files that were extracted are:
- version.txt (5) — contains simply "1.90"
- dots.txt (3) — contains simply "..." Seemingly just for padding purposes.
- updater.sce (5,542,824) — contains a "SCE+ELF" encrypted binary.
- vsh.tar (10,240) — a tar archive containing only a single zero-byte file called "a". Seemingly just for padding purposes.
- update.tar (119,623,680) — a tar archive containing 24 files, with filenames indicatating they are firmware.
[edit] SCE + ELF format
There has been some preliminary work analyzing the format of SCE+ELF files, however much of the actual contents of the ELF portion is still a mystery due to the encryption of it.[5]
[edit] Hard disk contents
While another OS is running under the Sony Hypervisor, it only has access to a portion of the disk. However, some users have opened their PS3 hardware and physically removed the hard disk so that they can read its contents from another computer. The PS3 hard disk has been determined to use encryption that is unit-specific and contain many sections of data interleaved with regular regions of encryption.[6] The interleaved portions of encrypted data may serve as digital signature to prevent unexpected modifications to the disk contents.