Metldr (asecure_loader) - Decryption

--------- <METLDR LOADER> -------------------------------------------------
I succeeded in running metldr in SPU isolation.
If you want to play with the source, I've uploaded it on my wiki:

http://www.piemontewireless.net/How_to_load_METLDR_in_ps3

makeclean
--------- </METLDR LOADER> -------------------------------------------------


The following code (from geohot), taken from his blog, loads metldr; it is elaborated on below.

"Tuesday, January 26, 2010


A Level Playing Field

Right now, I'm playing with the isolated SPEs, trying to get metldr to load from OtherOS. Interesting thing, I am not using the exploit. I always assumed the enable isolation mode register was hypervisor privileged. It's not, it's kernel privileged, which means using hypervisor calls you can all get to it. So, get to hacking. Here is the code I am playing with."

This is a Linux kernel module; the boom_lpar() function it calls is not included here.

To give you an idea of what metldr is here is another quote from geohot.
[00:22] <+geohot> rom->metldr->lv0->lv1ldr->lv1...
 
More info from CJCP on Metldr (asecure_loader).
Another good read about the boot and decryption process by CJCP: The Bootup Procedure.

/* geohot's module, with the includes, missing closing brace/return value and
 * format specifiers fixed. Targets the 2.6-era powerpc/PS3 kernel API
 * (__ioremap, PAGE_SHARED_X, set_fs) and the lv1 hypercall wrappers. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/err.h>
#include <asm/uaccess.h>
#include <asm/io.h>
#include <asm/pgtable.h>
#include <asm/lv1call.h>

/* boom_lpar() is not included on this page; prototype assumed from the call site. */
void boom_lpar(unsigned long shadow_addr);

int init_module(void)
{
    unsigned long priv2_addr, problem_phys, local_store_phys, context_addr, shadow_addr, spe_id, vas;
    unsigned long *problem_mapped, *privileged_mapped, *local_mapped;
    struct file *fd;
    mm_segment_t old_fs;
    int i;

    lv1_get_virtual_address_space_id_of_ppe(0, &vas);

    /* Tear down logical SPE 0xb, then construct a fresh logical SPE. */
    printk(KERN_ERR "die kernel %d\n", lv1_destruct_logical_spe(0xb));

    printk(KERN_ERR "construct SPE: %d\n",
           lv1_construct_logical_spe(0x10, 0x10, 0x10, 0x10, 0x10, vas, 0,
                                     &priv2_addr, &problem_phys, &local_store_phys,
                                     &context_addr, &shadow_addr, &spe_id));
    boom_lpar(shadow_addr);
    printk(KERN_ERR "make SPE id: %lu\n", spe_id);
    printk(KERN_ERR "enable SPE: %d\n", lv1_enable_logical_spe(spe_id, 0));

    /* Map the problem-state, privilege-2 and local-store areas the hypervisor handed out. */
    problem_mapped    = __ioremap((unsigned long)problem_phys, 0x20000, PAGE_SHARED_X);
    privileged_mapped = __ioremap((unsigned long)priv2_addr, 0x20000, PAGE_SHARED_X);
    local_mapped      = __ioremap((unsigned long)local_store_phys, 0x40000, PAGE_SHARED_X);

    /* SPU_Status is read as the 64-bit word at problem-state offset 0x4020. */
    printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);

    /* Set bit 2 of the SPU privileged control register (priv2 area, offset 0x4040).
     * The priv2 area is what the hypervisor gives the kernel, which is the
     * "kernel privileged, not hypervisor privileged" point in the blog quote above. */
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
    privileged_mapped[0x4040/8] |= 4;
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

    /* Read the metldr image from disk straight into the SPE local store. */
    old_fs = get_fs();
    set_fs(KERNEL_DS);
    fd = filp_open("/work/pwned/metldr", O_RDONLY, 0);
    if (!IS_ERR(fd)) {
        printk(KERN_ERR "file is open\n");
        printk(KERN_ERR "read %zd\n",
               fd->f_op->read(fd, (char __user *)local_mapped, 0x40000, &fd->f_pos));
        filp_close(fd, NULL);
    } else {
        printk(KERN_ERR "file open failed!!!!\n");
    }
    set_fs(old_fs);
    printk(KERN_ERR "read in metldr\n");

    /* SPU_RunCntl (in the word at 0x4018): request an isolated load (run | isolate). */
    problem_mapped[0x4018/8] |= 3;

    /* Poll SPU_Status a few times to watch the isolated load progress. */
    for (i = 0; i < 0x20; i++)
        printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);

    printk(KERN_ERR "destruct SPE: %d\n", lv1_destruct_logical_spe(spe_id));
    return 0;
}

void cleanup_module(void)
{
}
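The module's poll loop dumps SPU_Status 0x20 times as raw hex, which is hard to read. The following decoder is an added example (not geohot's code and not from the page) that turns those words into a short phase trace: stopped, isolated-loading, isolated-running, isolated-stopped. It assumes the SPU_Status bit definitions from the Linux arch/powerpc spu.h header and assumes that the 32-bit register occupies the low half of the big-endian 64-bit word the module reads at offset 0x4020; the sample status words are constructed, not captured from hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* SPU_Status bit definitions, as in Linux arch/powerpc/include/asm/spu.h. */
#define SPU_STATUS_RUNNING              0x1
#define SPU_STATUS_STOPPED_BY_STOP      0x2
#define SPU_STATUS_STOPPED_BY_HALT      0x4
#define SPU_STATUS_WAITING_FOR_CHANNEL  0x8
#define SPU_STATUS_SINGLE_STEP          0x10
#define SPU_STATUS_INVALID_INSTR        0x20
#define SPU_STATUS_INVALID_CH           0x40
#define SPU_STATUS_ISOLATED_STATE       0x80
#define SPU_STATUS_ISOLATED_LOAD_STATUS 0x200
#define SPU_STATUS_ISOLATED_EXIT_STATUS 0x400
#define SPU_STOP_STATUS_SHIFT           16
#define SPU_STOP_STATUS_MASK            0x3fff

enum spu_phase {
    SPU_PHASE_STOPPED,           /* not running, not isolated */
    SPU_PHASE_RUNNING,           /* running in normal (non-isolated) mode */
    SPU_PHASE_ISOLATED_LOADING,  /* isolated loader still loading */
    SPU_PHASE_ISOLATED_RUNNING,  /* isolated, load finished, code executing */
    SPU_PHASE_ISOLATED_STOPPED   /* isolated but no longer running */
};

static const char *spu_phase_name(enum spu_phase p)
{
    static const char *names[] = { "stopped", "running", "isolated-loading",
                                   "isolated-running", "isolated-stopped" };
    return names[p];
}

/* The module reads a 64-bit word at problem-state offset 0x4020; the 32-bit
 * SPU_Status register is taken to be the low half of that word on the
 * big-endian Cell (assumption based on the Linux struct spu_problem layout). */
uint32_t spu_status_from_qword(uint64_t qword)
{
    return (uint32_t)(qword & 0xffffffffULL);
}

/* Stop-and-signal code carried in the upper bits of SPU_Status. */
uint32_t spu_stop_code(uint32_t status)
{
    return (status >> SPU_STOP_STATUS_SHIFT) & SPU_STOP_STATUS_MASK;
}

/* Classify one status word into a coarse phase of the isolated-load sequence. */
enum spu_phase spu_phase_of(uint32_t status)
{
    int running  = status & SPU_STATUS_RUNNING;
    int isolated = status & SPU_STATUS_ISOLATED_STATE;
    int loading  = status & SPU_STATUS_ISOLATED_LOAD_STATUS;

    if (running && isolated && loading) return SPU_PHASE_ISOLATED_LOADING;
    if (running && isolated)            return SPU_PHASE_ISOLATED_RUNNING;
    if (running)                        return SPU_PHASE_RUNNING;
    if (isolated)                       return SPU_PHASE_ISOLATED_STOPPED;
    return SPU_PHASE_STOPPED;
}

/* Collapse a polled sequence of status words into its distinct phases, so a
 * 0x20-line printk dump reads as a short state trace. Returns the number of
 * phases written to out (at most max). */
size_t spu_trace_phases(const uint64_t *words, size_t n, enum spu_phase *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        enum spu_phase p = spu_phase_of(spu_status_from_qword(words[i]));
        if (count == 0 || out[count - 1] != p)
            out[count++] = p;
    }
    return count;
}

/* Constructed sample: what a poll loop might log across an isolated load that
 * finishes and then stops with stop code 2. Not captured hardware output. */
static const uint64_t sample_words[] = {
    0x0, 0x281, 0x281, 0x281, 0x81, 0x81, 0x20082
};

int main(void)
{
    enum spu_phase trace[8];
    size_t n = spu_trace_phases(sample_words, sizeof sample_words / sizeof sample_words[0], trace, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", spu_phase_name(trace[i]));
    uint32_t last = spu_status_from_qword(sample_words[6]);
    if (last & SPU_STATUS_STOPPED_BY_STOP)
        printf("stop code 0x%x\n", spu_stop_code(last));
    return 0;
}
```

To use it against real output, paste the hex values after "status:" from dmesg into sample_words; consecutive identical phases are collapsed, so the 0x20 polled lines typically reduce to three or four transitions, and a load that never leaves "isolated-loading" or drops back to "stopped" without an isolated-running phase stands out immediately.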