PS2 Julian's various PS2 projects (Worklog)

Took a look again at the ELF toolchain for IOP...

It seems unpatched and patched GCC 11 produce exactly the same code.

So the remaining issue is probably in my linker script, my ELF to IRX tool, or GCC >= 12.
 
I ordered a SCPH-18000 from eBay.

This will make trying stuff out much faster, as I can hotplug the network adapter (without needing to unplug everything), and can extend the hard drive cable so that I can conveniently plug the HDD between the network adapter and the USB to SATA adapter.
 
A little note about PS2 Linux 3.8... ipv6 has an issue and it will cause server programs like sshd and telnetd to crash.

To disable ipv6, add ipv6.disable=1 to the kernel command line (KernelParameter in config.txt).
 
A little note on EXT2/SWAP/REISER partitions in APA...

On PS2 Linux beta kernel 2.2.1, the offset before the main partition filesystem data start is 4096 (drivers/block/genhd.c, PAGE_SIZE=4096) bytes.
On PSBBN kernel 2.4.17, the offset before the main partition filesystem data start is 4194304 (fs/partitions/ps2.h, PS2_PART_RESV_MAIN=4 * 1024 * 1024) bytes.

On both systems, the offset before the sub partition filesystem data start is 4096 (2.2.1: drivers/block/genhd.c, PAGE_SIZE=4096; 2.4.17: fs/partitions/ps2.h, PS2_PART_RESV_SUB=4 * 1024).

The data between 0 and 4096 is the APA partition header. The data between 4096 and 4194304 is the PS2ICON3D data.
 
This is supposed to be in the manuals of games that use DNAS, but the DNAS library uses the RSA BSAFE(R) SSL-C and Crypto-C libraries.
Also, games that use SCE libhttps use the RSA BSAFE(R) SSL-C library.
As such, they use some of the following APIs from Crypto-C:
Code:
B_CreateAlgorithmObject
B_SetAlgorithmInfo
B_DestroyAlgorithmObject
B_CreateKeyObject
B_SetKeyInfo
B_DestroyKeyObject
B_DecryptInit
B_DecryptUpdate
B_DecryptFinal
B_EncryptInit
B_EncryptUpdate
B_EncryptFinal

Also, as such, they use some of the following APIs from SSL-C:
Code:
BIO_ctrl
BIO_free
BIO_new
BIO_new_mem
BIO_new_socket
BIO_printf
BIO_read_filename
BIO_s_file
BIO_set_cb
ERR_get_error
EVP_PKEY_free
PEM_ASN1_read_bio
PEM_read_bio_PrivateKey
PEM_read_bio_X509
SSL_CTX_ctrl
SSL_CTX_free
SSL_CTX_new
SSL_CTX_set_app_verify_cb
SSL_CTX_set_verify
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate
SSL_CTX_use_certificate_file
SSL_do_handshake
SSL_free
SSL_get_error
SSL_library_cleanup
SSL_new
SSL_read
SSL_set_alert_info_cb
SSL_set_bio
SSL_set_connect_state
SSL_set_info_cb
SSL_shutdown
SSL_write
(By the way, this set of APIs looks very similar to OpenSSL...)

There is also a shim layer for the Crypto-C library here: https://web.archive.org/web/20070126091155/http://cypherpunks.to/bsafeeay/
It works on top of the SSLeay library, which OpenSSL and SSL-C forked off from.
 
_sce_dnas2_symbol60010 is the function that decrypts the .bnx files and turns them into .amx (Small/Pawn language compiled bytecode) files. I believe it should be similar to the .amx files used in XOSD, but not sure about this.

The first argument is the bnx size, and the second argument is the pointer to the bnx. Decryption is done in-place.
The third argument is the size of the buffer pointed to by the fourth argument. This might be key related, but not sure about this.
The fifth argument is a pointer to something that isn't used, but not sure about this.

In the function, there are calls to rand / litodp / dpmul / dptoul. These segments of code can be stubbed out, since all they do is scramble the memory.

---

/etc/inittab is the file describing how to initialize the system.
/etc/rc.d/rc.sysinit runs first. One of the functions it does is run /sbin/bn_asap, which I believe is the program that shows the orbs on the screen.
/etc/rc.d/rc.bn runs at the end. It runs /opt0/bn/bn as root. Could possibly use LD_PRELOAD here.

---

The .daz files on the utility disks are just simple zlib compressed streams. The filesystem data is at offset 4190208 of the decompressed data.
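As an added example (not code from the worklog), this pulls the filesystem out of a .daz image the way the note describes: check the zlib header, inflate the stream chunk by chunk, and keep only the bytes from offset 4190208 onward. The sample input is constructed, and the relation to the APA offsets mentioned in the comments is an observation, not something the post states.

```python
import zlib

# Offset of the filesystem data in the decompressed .daz image (from the post).
# Observation, not in the post: 4190208 == 4194304 - 4096, i.e. the PSBBN
# main-partition data offset minus the 4096-byte APA partition header.
DAZ_FS_OFFSET = 4190208

def check_zlib_header(data: bytes) -> None:
    """Sanity-check the two-byte zlib header (RFC 1950) before inflating."""
    if len(data) < 2:
        raise ValueError("too short to be a zlib stream")
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8:                     # CM must be 8 (DEFLATE)
        raise ValueError("not a DEFLATE zlib stream")
    if ((cmf << 8) | flg) % 31 != 0:        # FCHECK: CMF*256 + FLG is a multiple of 31
        raise ValueError("bad zlib header check bits")

def extract_daz_filesystem(daz: bytes, chunk_size: int = 1 << 16) -> bytes:
    """Inflate a .daz image chunk by chunk and return only the data past DAZ_FS_OFFSET."""
    check_zlib_header(daz)
    inflater = zlib.decompressobj()
    produced = 0
    fs_parts = []

    def keep(out: bytes) -> None:
        # Account for inflated bytes; keep only the part at/after the fs offset.
        nonlocal produced
        start = produced
        produced += len(out)
        if produced > DAZ_FS_OFFSET:
            fs_parts.append(out[max(0, DAZ_FS_OFFSET - start):])

    for pos in range(0, len(daz), chunk_size):
        keep(inflater.decompress(daz[pos:pos + chunk_size]))
        if inflater.eof:                    # end of zlib stream; ignore trailing bytes
            break
    keep(inflater.flush())
    if not inflater.eof:
        raise ValueError("truncated .daz stream")
    if produced < DAZ_FS_OFFSET:
        raise ValueError("decompressed image is shorter than the filesystem offset")
    return b"".join(fs_parts)

def make_sample_daz(fs_payload: bytes) -> bytes:
    """Constructed input: zlib stream of DAZ_FS_OFFSET zero bytes followed by fs_payload."""
    return zlib.compress(bytes(DAZ_FS_OFFSET) + fs_payload)
```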
 
A few notes on memory limits:

Red Hat 5.2 (not upgraded/installer disk; 2.0.36-0.7): 872MB (if you go past this limit, "Kernel panic: VFS: Unable to mount root fs on 08:22")
Red Hat 5.2 (upgraded; 2.0.36-(?)): 1008MB (if you go past this limit, "Kernel panic: Failed to allocate buffer hash table")

Red Hat 6.2 (2.2.14-5.0): 4096MB (kernel 2.2.14 does not support PAE. It was added starting with 2.3.23)
 
I containerized the Red Hat Linux 5.2 and Red Hat Linux 6.2 base systems, and put them up on the GitHub container registry. They can now be executed with Podman or Docker.

Now it is no longer needed to mess with network drives, memory limits, kernel issues, disk images, virtual machines...
 
Hmm... If I remember correctly, the EE in newer PS2s had the short loop bug fixed.
Basically, if the loop has 6 instructions or less including a single conditional branch instruction, the loop may exit incorrectly after 1 or 2 branches.
The fix for this is to put a NOP in the branch delay slot.

This is my attempt at trying to check if this is the case.

Code:
#include <stdio.h>

/* Runs a 3-instruction loop (slti / bnez / addiu in the delay slot), i.e. a
 * "short loop" with no NOP in the delay slot, then checks whether the loop
 * exited while its condition was still true. Only meaningful on the EE. */
void shortloopcheck(void)
{
    unsigned int cnt, cond;
    cnt = 0;
    cond = 0;
    __asm__ __volatile__ (
        "\t.set push\n"
        "\t.set volatile\n"
        "\t.set noreorder\n"
        "\tshortloopcheck_loop:\n"
        "\tslti %[cond], %[cnt], 4\n"           // cond = (cnt < 4) ? 1 : 0;
        "\tbnez %[cond], shortloopcheck_loop\n" // if (cond != 0) goto shortloopcheck_loop;
        "\taddiu %[cnt], %[cnt], 1\n"           // cnt = cnt + 1; (branch delay slot)
        "\t.set pop\n"
    /* cnt is read before it is written, so it must be an in/out ("+r") operand,
     * otherwise the compiler need not load the initial 0 into the register. */
    : [cnt] "+r"(cnt), [cond] "=r"(cond));
    if (cond != 0)
    {
        printf("Has short loop bug\n");
    }
    else
    {
        printf("No short loop bug\n");
    }
}
 
I'm looking into adding shared object support.

Mainly: "unset GENERATE_SHLIB_SCRIPT" needs to be removed from binutils to remove the "-shared not supported" error in "lexsup.c" caused by "config.has_shared" being false.
 
Instead of using whatever ELF loader has been implemented in the various Vita, Switch and Android loader ports, I'm thinking of adopting ldso in musl libc to work portably on more systems.

Probably need to redirect a large amount of the POSIX/Linux specific functions such as mmap, readlink, pthread_*, etc.
Also I plan to remove some features: TLS support, fixed address executables, symbol redirection, $ORIGIN handling, LD_LIBRARY_PATH, LD_PRELOAD, secure context, ...

Mainly this will let me take more advantage of a more mature ELF loader implementation (and updates to it) while not being too complicated to understand/maintain.
 
A few tidbits about mcman:

* The max directory entry count is 0x402 (before it will stop searching)
* It is possible to waste at least 1050624 bytes (around 1MB) in directory entries (0x402 * 2) when searching for the memory card update file (assuming there are 2 levels of directory; e.g. the file is at BAEXEC-SYSTEM/osdmain.elf)
* Max amount of cached pages (512 byte blocks) is 0x24.

Basically, having at least 0x24 entries in a directory will thrash the cache, basically allowing you to send whatever directory entries you want.
The cluster containing the file data is in the directory entry. So could pre-load the cluster data with the directory entry.

Also, a tidbit on wasting time with ELF loading:
Have multiple program headers in the ELF file, but make them refer to the same data.
When reading starts back at the beginning of the data, if you don't have the data ready yet just return a stub program, otherwise return the actual program.
Also, since the ELF file is streamed, it can actually be larger than IOP memory.
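The multiple-program-headers trick above is something a loader can check for before it streams a module. As an added example (not code from the worklog or from mcman), this parses the ELF32 program header table and reports PT_LOAD entries whose file ranges overlap; the sample image is constructed, and its e_type, addresses and flags are arbitrary.

```python
import struct

# Little-endian ELF32 header and program header layouts (IOP modules are 32-bit LE MIPS).
ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")
ELF32_PHDR = struct.Struct("<IIIIIIII")  # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
PT_LOAD = 1

def find_overlapping_load_segments(elf: bytes) -> list:
    """Return (i, j) pairs of PT_LOAD program headers whose file ranges overlap."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:  # ELFCLASS32, ELFDATA2LSB
        raise ValueError("not a little-endian ELF32 image")
    hdr = ELF32_EHDR.unpack_from(elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phoff + e_phnum * e_phentsize > len(elf):
        raise ValueError("program header table out of bounds")
    loads = []
    for i in range(e_phnum):
        p = ELF32_PHDR.unpack_from(elf, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD and p[4] > 0:          # only segments that take bytes from the file
            loads.append((i, p[1], p[1] + p[4]))  # (index, file start, file end)
    overlaps = []
    for a in range(len(loads)):
        for b in range(a + 1, len(loads)):
            ia, sa, ea = loads[a]
            ib, sb, eb = loads[b]
            if sa < eb and sb < ea:               # half-open intervals intersect
                overlaps.append((ia, ib))
    return overlaps

def make_sample_elf(segments) -> bytes:
    """Constructed test image: ELF32 LE, e_machine 8 (MIPS), one PT_LOAD per
    (data_offset, size) pair, all pointing into a 256-byte data area after the headers."""
    phoff = ELF32_EHDR.size
    data_off = phoff + len(segments) * ELF32_PHDR.size
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)  # magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = ELF32_EHDR.pack(ident, 2, 8, 1, 0, phoff, 0, 0, ELF32_EHDR.size,
                           ELF32_PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(
        ELF32_PHDR.pack(PT_LOAD, data_off + off, 0x80000 + off, 0, size, size, 5, 16)
        for off, size in segments)
    return ehdr + phdrs + bytes(256)
```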
 
* It is possible to waste at least 1050624 bytes (around 1MB) in directory entries (0x402 * 2) when searching for the memory card update file (assuming there are 2 levels of directory; e.g. the file is at BAEXEC-SYSTEM/osdmain.elf)
Just asking... Is that function terminated??
 
The major functionality missing that is needed to port the HDD checking modules to POSIX is the following:
* Event flag related functions
* Thread related functions
* System clock/benchmark related functions
 
A few things before I finish my CDVDMAN/CDVDFSV reversing:

* .irx relocating. CDVDMAN accesses some low memory globals, which clashes with code meant to be relocated off that area. (Ok)
* .rel loading and EE raw binary loading. Need to use this to figure out missing symbols to the interface with CDVDFSV. (Ok)
* arcade module RE. Specifically the ATAPI CDVD modules which expose an interface similar to CDVDMAN/CDVDFSV. (Ok)
* knowledge merge with OPL. (Ok)
* knowledge merge with asmblur's CDVD module work. https://github.com/asmblur/ps2cdvd (Ok)

Edit: One year later this is now done.
CDVDMAN/CDVDFSV reversing (from XOSD 2.11) and reimplementation
Variants:
* OSD (ROM retail 2.5, based off SDK 1.6/2.0.20) - done
* OSD (HDD, based off SDK 2.3.40/2.4.19)
* OSD (COH, based off SDK 2.0.20)
* DVD player (ROM 3.1.0, based off SDK 2.8)
* Game (SDK 3.1.0) - done
* DNAS (SDK 3.1.0) - done
* Utility disk (SCPH 60160, based off SDK 2.2.49/2.3)
* XOSD (based off SDK 3.0.0) - done
* PSBBN (based off SDK 2.3.4)
* Game (Chinese)
 