Upload
detschel
View
217
Download
0
Embed Size (px)
Citation preview
7/29/2019 CellBEBootprocess(1)
1/1
Power OnEvent
lv0ldr(Bootloader)
CellBE
Configuration Ring(CPU init settings)
Lv0 (SE Bootloader)
metldr(Meta Loader)
lv1ldr
lv2ldr
appldr
isoldr
Lv1 (Hypervisor)
Lv2 (GameOS)
SysCon (System Controller)
wer On Reset Sequence (POR)
t Sequence
ervisor Init
nel Init
Metldr is loaded to an isolated SPU tofacilitate loading of each SPU IsolatedLoader.ref. IBM Secure SDK Documentation
Lv0 is decrypted to the PPU RAM bylv0ldr. Lv0ldr then starts the PPUexecuting Lv0 from RAM at address0x100. There is no extra loader used on
the SPU in this case.
cation OffsetND: 0x0R: 0xFC0000
SPU loads and executes lv0ldr according tothe reset vector provided. This differs to theprocess in non secure boot, where theROM code is executed by PPUref. CellBE HIG - 2.2.1
Loads configuration ring and calibrates I/Ocontroller, will not do anything further inPORref. CellBE HIG - 2.2
This contains the reset vector, which is theaddress of lv0ldr. It also contains the initialregister and cpu settings, these are passedto the CellBE
ref. CellBE HIG - 2.3.4
set Vector for secure bootND: 0x240_1FC00000R: 0x240_1FFC0000
Time
metldr
(Meta Loader)
SPU SecureLoader
SPUIsolatedLoader
PPCSecure ELF (SELF)
Hardware
CellBE Secure Boot Process
1 by mas & xorloser
HW Root Key
HW Root Key
HW Root Key
From now on access to hardwareresources must be done via theHypervisor. Direct access is no longerpossible.
GameSystem Files
Isolated SPU Modules(i.e.sc_iso.self)
SPUSecure ELF (SELF)
rland Init
ated SPU Init metldr(Meta Loader)
metldr(Meta Loader)
HW Root Key
HW Root Key
SPU Isolated Loaders are loaded by metldrto a high LS address. Metldr then zeros
itself out and jumps to their entrypoint tobegin their execution.
Isolated SPU Modules are loaded by isoldrto a low LS address. Isoldr then zeros itselfout and jumps to their entrypoint to begintheir execution.
Loading a game is optional
System files like vsh (XMB) or games callback to the GameOS, which then call backto the hypervisor for certain operations. Theprocesses in userland after boot are moredynamic, but this is outside the scope of thisdocument.
Vsh(XMB)
HW Root Key is storede the CellBE hardware.key is unique to each
BE and is used to decryptverify SPU Secure Loaders
h as metldr and lv0ldr
SPU Secure Loaders are loaded by CellBEhardware to the LS address 0x400. TheCellBE decrypts, authenticates and thenexeutes them at 0x400.
The Game Operating System kernel runson top of the hypervisor. Both this kerneland the hypervisor stay present in memorywhile all userland operations run on top ofthem.
Legend