The exploit doesn't circumvent the power on reset secure boot sequence, it starts after lv0ldr has been authenticated.
The interrupts he was talking about allows us to pause the SYSCON steps. I assumed he meant the Power On Sequence, which includes POR. I was curious if that could be a tool to allow use to take control of the HW before the secure boot is setup. And use the the same method of SPI sniffing to intercept the command to enable it. IDK if there are checks later that require it to be enabled, but could they not be intercepted too?
Yes, you can do that both from the SPI or the JTAG port, but that depends on the fuse settings inside the pervasive logic. The chips need to be "unlocked" in order to debug (/step through) the actual secure part but not even the JTAG port is enabled.
Hmm... that is interesting. Let's hope it's just the tokins, not the underfill on 65nm RSXs, which does fall under the bumpgate era of Nvidia chip sets.
Are you referring to POR Phase 1, where BE_ATTENTION is first driven active and then the PLL loads data from internal fuses? Do you mean the CELL_ID is one of those impossible to change fuse values? Not something that is written in the Config-Ring data?
It sounds like the explot works during the initialization phases during POR (when the config-ring data is written). It is done over SPI. So while it's not currently known how to "toy" with the config-ring data, and see what it contains, it might be possible in the future. Not that there is anything particularly useful for remarrying a cell in there, IDK.MikeM64 said:
I'm curious if 1701 (BE_ATTENTION) caused by a checkstop error (14FF) or more likely a livelock detection (1601). Or perhaps a 3034/4xxx Data error. Too bad he didn't include the errorcode in that writeup. It's just a curiosity. We tend to see the 1701/1601 happen in BGA/Bump defects that cause a YLOD when the console was on and running code. And 3034/4xx during bittraining cuz it now cant make POST.MikeM64 said:
Yes, it's part of the fuses. The CID/eCID are (read-only) accessable through the spi registers in the pervasive logic (page 103 in the 90nm 1.5 HIG, x'0004' through x'000B').
The exploit happens while lv0ldr is running, ~between "End of the POR sequence" and "System reset interrupt".
Yes, you can do that.
I just went back to read the dates more closely.
The first was published in late august 2008 and the second (with more details about the specific failuers) was published in September. The timeline fits with this theory. So that lends credence to the idea that the CXD2982 was defective. And the cat was out of the bag by september. The 65nm RSX was defective for sure and SONY would no doubt have been informed/working closely with Nvidia to rush a MB revision. The idea that perhaps the 2991 was a hasty fix still needs to be confirmed, but it makes sense there would be a new revision if they realized the manufacturing error back in august (after the DIA-002 had already hit store shelves). It is feasible 2 months might be enough time to get them into PS3's. So a September SKU makes sense.Charlie Demerjian said:
For curiosity sake... i was talking about the different CELL pad layouts before, but today i made a comparison that is going to clarify some of the speculations
I was thinking a flex cable that would be soldered directly to the BGA, with appropriate pads where the new cell needs them moved to. And breakout pads routed the the edge for probing and diagnostics....but anyway... by now it seems the only way would be by using some kind of intermediate "CELL adapter" board
For curiosity sake... i was talking about the different CELL pad layouts before, but today i made a comparison that is going to clarify some of the speculations
The point is... there are up to 4 CELL pad layouts, but 3 of them matches in the 41x41 number of pads in the peripheral (differs in the missing pads at the center "hole" though)... so we was wondering if soldering a different CELL revision in the pad layout of other CELL revision could affect ONLY the pads at the center
https://www.psdevwiki.com/ps3/CELL_BE#Alternative_listing
CELL 90nm (41x41)-(19x19)-84 = 1681-361-84 = 1236 pads layout
CELL 65nm (41x41)-(15x17)-84 = 1681-255-84 = 1342 pads layout
CELL 45nm (41x41)-(17x17)-84 = 1681-289-84 = 1308 pads layout
CELL 45nm (42x42)-(22x18)-9 = 1764-396-9 = 1359 pads layout
In wiki there is an image of the CELL 90nm pad layout, and the pinout, from the COK-001 or COK-002 manuals
https://www.psdevwiki.com/ps3/CXD2964GB
And i just started a page with the pinout of the CELL 65nm, from the SEM-001 manual, and i made this image following the same rotation for comparison purposes
https://www.psdevwiki.com/ps3/CXD2981GB
Long story short... i marked the CELL pads dedicated to syscon connections (8 in total, included the SPI channel) and the location doesnt matches
In other words... if we solder a 65nm CELL in the pad layout of a 90nm CELL this 8 pads dedicated to syscon are not going to be correctly connected, to have a beter understanding of how many pads has been moved it would be needed to continue doing this drawings painting more pads of the 65nm layout in colors to compare them with the 90nm layout, but anyway... by now it seems the only way would be by using some kind of intermediate "CELL adapter" board
