Difference between revisions of "Venezia"
Jump to navigation
Jump to search
(Created page with "There are 8 MeP cores that serve as the media co-processor (called Venezia or VIP). The CPU ID register for them are <code>0x00300500 0x00310500 0x00320500 0x00330500 0x00340...") |
|||
Line 10: | Line 10: | ||
MeP payload: | MeP payload: | ||
− | <source> | + | <source lang="asm"> |
.text | .text | ||
Revision as of 06:10, 2 February 2017
There are 8 MeP cores that serve as the media co-processor (called Venezia or VIP). The CPU ID register for them are
0x00300500 0x00310500 0x00320500 0x00330500 0x00340500 0x00350500 0x00360500 0x00370500
This means they are MeP c5 cores and are uniquely numbered 48-55.
Running Code
It is easy to run your own MeP code. It appears that the code is DMA copied to MeP's private memory before resetting and executing it.
MeP payload:
.text
_start:
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018
jmp 0x800018
_init:
movh $0,0xf184
add3 $0,$0,0
mov $1,0x8
sw $1,0($0)
_writecpuid:
ldc $2,17
srl $2,14
ldc $1,17
add3 $2,$2,$0
add3 $2,$2,4
sw $1,0($2)
.wait:
bra .wait
On ARM:
// the following code has hard coded offsets in 1.69
int restart_vnz()
{
volatile unsigned int *regs, *spram; // r4@1
int v1; // r6@1
unsigned int img_paddr; // r3@2
int dram_base; // r0@2
int size;
unsigned int v4; // r0@3
unsigned int v5; // r3@3
int v7; // r1@6
int v8; // r2@6
spram = *(volatile unsigned int **)0x0190F67C;
regs = *(volatile unsigned int **)0x0190F670;
printf("ScePervasive2Reg: 0x%08X, spram: 0x%08X\n", regs, spram);
ScePervasiveForDriver_0xFB01A2DD();
img_paddr = 0x40800000; // paddr of region
dram_base = 0x40300000;
size = 0x400000;
regs[192] = 0x1D001000;
if ( dram_base < img_paddr )
{
v7 = img_paddr + size;
v8 = dram_base + 0x2500000;
if ( img_paddr + size < v8 )
{
regs[193] = dram_base;
regs[194] = img_paddr;
regs[195] = v7;
regs[196] = v8;
}
}
v4 = img_paddr >> 23 << 23;
regs[224] = v4;
regs[228] = 0x1E000000;
regs[229] = 0x20000000;
regs[230] = 0x22000000;
regs[231] = img_paddr & 0xFE000000;
regs[232] = 0x18000000;
regs[233] = 0x20000000;
regs[234] = img_paddr & 0xF8000000;
regs[235] = (img_paddr + 0x8000000) & 0xF8000000;
regs[236] = 0x1E000000;
regs[237] = 0x20000000;
regs[238] = 0x22000000;
regs[239] = img_paddr & 0xFE000000;
regs[256] = v4;
regs[898] = 0xFFFF0000;
spram[0] = 1;
SceCpuForDriver_0xE813EBB2_clean_l2();
regs[898];
__asm__("dsb sy" ::: "memory");
ScePervasiveForDriver_0xA7E64C6F_reset_vnz();
v1 = 0;
while (spram[0] != 8)
{
printf("waiting...");
sceKernelDelayThread(100);
if (v1++ > 20)
break;
}
return 0;
}
int vnz_hack()
{
volatile unsigned int *spram_vaddr;
unsigned int *img_vaddr;
int i;
int ret;
spram_vaddr = *(volatile unsigned int **)0x0190F67C;
img_vaddr = *(unsigned int **)0x0190F664;
printf("Vaddr: %08X\n", img_vaddr);
ret = make_smc_call(1, 1, 0, 0, 0x110);
printf("Reset VNZ: 0x%08X\n", ret);
memset(spram_vaddr, 0, 256);
memcpy(img_vaddr, YOUR_MEP_CODE, YOUR_MEP_CODE_LEN);
ret = restart_vnz();
printf("Restart VNZ: 0x%08X\n", ret);
return 0;
}