Venezia

From Vita Development Wiki
Jump to: navigation, search

There are 8 MeP cores that serve as the media co-processor (called Venezia or VIP). The CPU ID register for them are

0x00300500 0x00310500 0x00320500 0x00330500 0x00340500 0x00350500 0x00360500 0x00370500

This means they are MeP c5 cores and are uniquely numbered 48-55.

Running Code

It is easy to run your own MeP code. It appears that the code is DMA copied to MeP's private memory before resetting and executing it.

MeP payload:

.text

_start:
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018

_init:
movh $0,0xf184
add3 $0,$0,0
mov $1,0x8
sw $1,0($0)

_writecpuid:
ldc $2,17
srl $2,14
ldc $1,17
add3 $2,$2,$0
add3 $2,$2,4
sw $1,0($2)

.wait:
bra .wait

On ARM:

// the following code has hard coded offsets in 1.69
int restart_vnz()
{
  volatile unsigned int *regs, *spram; // r4@1
  int v1; // r6@1
  unsigned int img_paddr; // r3@2
  int dram_base; // r0@2
  int size;
  unsigned int v4; // r0@3
  unsigned int v5; // r3@3
  int v7; // r1@6
  int v8; // r2@6

  spram = *(volatile unsigned int **)0x0190F67C;
  regs = *(volatile unsigned int **)0x0190F670;
  printf("ScePervasive2Reg: 0x%08X, spram: 0x%08X\n", regs, spram);
  ScePervasiveForDriver_0xFB01A2DD();
  img_paddr = 0x40800000; // paddr of region
  dram_base = 0x40300000;
  size = 0x400000;
  regs[192] = 0x1D001000;
  if ( dram_base < img_paddr )
  {
    v7 = img_paddr + size;
    v8 = dram_base + 0x2500000;
    if ( img_paddr + size < v8 )
    {
      regs[193] = dram_base;
      regs[194] = img_paddr;
      regs[195] = v7;
      regs[196] = v8;
    }
  }
  v4 = img_paddr >> 23 << 23;
  regs[224] = v4;
  regs[228] = 0x1E000000;
  regs[229] = 0x20000000;
  regs[230] = 0x22000000;
  regs[231] = img_paddr & 0xFE000000;
  regs[232] = 0x18000000;
  regs[233] = 0x20000000;
  regs[234] = img_paddr & 0xF8000000;
  regs[235] = (img_paddr + 0x8000000) & 0xF8000000;
  regs[236] = 0x1E000000;
  regs[237] = 0x20000000;
  regs[238] = 0x22000000;
  regs[239] = img_paddr & 0xFE000000;
  regs[256] = v4;
  regs[898] = 0xFFFF0000;
  spram[0] = 1;
  SceCpuForDriver_0xE813EBB2_clean_l2();
  regs[898];
  __asm__("dsb sy" ::: "memory");
  ScePervasiveForDriver_0xA7E64C6F_reset_vnz();
  v1 = 0;
  while (spram[0] != 8)
  {
    printf("waiting...");
    sceKernelDelayThread(100);
    if (v1++ > 20)
      break;
  }
  return 0;
}

int vnz_hack()
{
  volatile unsigned int *spram_vaddr;
  unsigned int *img_vaddr;
  int i;
  int ret;

  spram_vaddr = *(volatile unsigned int **)0x0190F67C;
  img_vaddr = *(unsigned int **)0x0190F664;
  printf("Vaddr: %08X\n", img_vaddr);
  ret = make_smc_call(1, 1, 0, 0, 0x110);
  printf("Reset VNZ: 0x%08X\n", ret);

  memset(spram_vaddr, 0, 256);
  memcpy(img_vaddr, YOUR_MEP_CODE, YOUR_MEP_CODE_LEN);
  ret = restart_vnz();
  printf("Restart VNZ: 0x%08X\n", ret);

  return 0;
}