artart78 edited this page Mar 26, 2013 · 1 revision


Overview

The decrypted IPL is composed of three parts: Part1, the 'loader'; Part2, 'main.bin'; and Part3, 'kbooti_for_ipl'. Part1 is plaintext MIPS code, while Part2 and Part3 are each gzip compressed and encrypted. Part3 is the stage that actually loads the kernel modules from flash and begins the kernel boot process.

Part1 IPL (the loader)

One of the first things the Part1 IPL does is reset the main CPU. After the reset the pre-IPL mask ROM is no longer mapped into memory at all; the 0x1FC00000 address range is instead remapped to the 4KB RAM that serves as the ME reset vector. This is why the pre-IPL is no longer accessible once the IPL has booted. The Part1 IPL then performs some very basic hardware initialisation and decompresses the gzipped Part2 IPL (main.bin) to address 0x04000000 (still in EDRAM). Finally it jumps to the entry address of main.bin (0x04000000), which initialises the hardware.
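The loader step above (find the gzip-compressed stage, inflate it, place it at a fixed address) is the kind of thing a firmware analyst re-implements to pull main.bin out of a dump. The following is an added example, not code from this wiki page or from any PSP tool: it scans a blob for gzip members that actually inflate, so a stray `1f 8b` inside ciphertext or random data is rejected rather than reported. The sample image is constructed inside the script and is not a real IPL dump; `MAIN_BIN_LOAD_ADDR` is the 0x04000000 quoted above. In a real image the encryption layer on Part2/Part3 mentioned in the overview has to be removed before the gzip wrapper is visible to this search.

```python
"""Carve gzip-compressed stages out of a decrypted IPL-style image.

Added example; this is not code from the wiki page or from any PSP tool.
It models the Part1 step described above: the loader holds a gzip-compressed
main.bin and inflates it to a fixed load address before jumping there.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAIN_BIN_LOAD_ADDR = 0x04000000  # load/entry address of main.bin from the page


def find_gzip_members(blob):
    """Return [(offset, compressed_len, payload)] for each gzip member that
    inflates completely.  Candidates that fail to inflate (bad method byte,
    corrupt deflate stream, missing trailer) are skipped."""
    members = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        try:
            payload = inflater.decompress(blob[pos:])
            if inflater.eof:  # trailer seen and CRC checked: a complete member
                comp_len = len(blob) - pos - len(inflater.unused_data)
                members.append((pos, comp_len, payload))
                pos = blob.find(GZIP_MAGIC, pos + comp_len)
                continue
        except zlib.error:
            pass
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return members


def build_sample_image():
    """Constructed stand-in for a decrypted IPL: plaintext Part1, gzipped
    Part2, then deterministic filler standing in for the still-encrypted
    Part3.  A decoy gzip magic is planted in the filler to exercise the
    false-positive path.  Returns (image, part2_offset, part2_len, main_bin)."""
    part1 = b"PART1-LOADER" + bytes(range(256)) * 2
    main_bin = b"MAIN.BIN " * 300 + bytes(64)
    part2 = gzip.compress(main_bin, mtime=0)
    filler = bytes((i * 73 + 11) & 0xFF for i in range(4096))
    part3 = filler[:100] + GZIP_MAGIC + b"\x00" + filler[103:]
    return part1 + part2 + part3, len(part1), len(part2), main_bin


def carve_main_bin(image):
    """Mirror what Part1 does: locate the single gzipped stage and report
    where it came from and where it would be placed.
    Returns (offset, compressed_len, load_addr, payload)."""
    members = find_gzip_members(image)
    if len(members) != 1:
        raise ValueError("expected one inflatable stage, found %d" % len(members))
    off, comp_len, payload = members[0]
    return off, comp_len, MAIN_BIN_LOAD_ADDR, payload


if __name__ == "__main__":
    image, _, _, _ = build_sample_image()
    off, comp_len, load, payload = carve_main_bin(image)
    print("gzip member at 0x%X (%d bytes) -> %d bytes at 0x%08X"
          % (off, comp_len, len(payload), load))
```

The scanner relies on `decompressobj` stopping at the gzip trailer and leaving the rest of the input in `unused_data`, which is what lets it measure the compressed length and resume the search past the member instead of one byte later.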

Part2 IPL (main.bin)

Part2 IPL (main.bin) is responsible for initialising the PSP hardware. It carries its own copies of driver libraries similar to those found in the firmware (including sceNAND_Driver, sceDDR_Driver, sceIdStorage_Service, sceSYSREG_Driver, sceSYSCON_Driver, sceGPIO_Driver, sceClockgen_Driver and sceI2C_Driver). Some of the hardware initialisation depends on data stored in idstorage keys (for example keys 4, 5 and 6). This is where TA082/086 motherboards 'brick' on 1.50 firmware: the clockgen hardware was changed on those boards, so the functions used to initialise it do not recognise the new hardware. Because part of that initialisation depends on data stored in key5, simply invalidating key5 (by corrupting its header) causes the initialisation to be skipped and lets the firmware continue to boot; the key check fails open rather than halting the boot. After initialising the hardware (including the DDR RAM), Part2 IPL decrypts the Part3 IPL (the payload) and loads it to address 0x08400000, which lies in normal DDR RAM now that it has been initialised. It then jumps to the entry address of the Part3 IPL (0x08400000) to boot the firmware.

Part3 IPL (kbooti_for_ipl)

Part3 is really the IPL equivalent of reboot.bin. Since Part2 has already initialised the main DDR memory, Part3 is the first stage to actually run from DDR. On most modern firmwares it loads to 0x88600000. After some initial clean-up of the co-processors, it begins by loading /kd/sysmem.prx and /kd/loadcore.prx from flash0. Part3 contains a kernel version of the main prx decrypt routines as well as the keys for decrypting the prx tags of this kernel version, very similar to what is found in mesg_led.prx. At the end of the load, Part3 fills in a set of function pointers for loadcore.prx and transfers control to loadcore for the rest of the kernel load process.
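The page quotes Part3's load address as 0x08400000 in one place and 0x88600000 in another, and gives the pre-IPL range as 0x1FC00000. These reconcile through the fixed MIPS32 segment map: kseg0 (0x80000000-0x9FFFFFFF) and kseg1 (0xA0000000-0xBFFFFFFF) both alias physical 0x00000000-0x1FFFFFFF, through the cache and bypassing it respectively, so 0x88600000 is the cached view of physical 0x08600000 and the CPU reset vector 0xBFC00000 is the uncached view of 0x1FC00000. The following added example (not code from the wiki page) applies that mapping to the addresses on this page. The kuseg identity mapping and the region sizes are assumptions layered on the page's base addresses (EDRAM at 0x04000000, DDR at 0x08000000, the 4KB at 0x1FC00000), not facts taken from it.

```python
"""Reconcile the boot-chain addresses quoted on this page.

Added example; not code from the wiki page.  Applies the fixed MIPS32
kseg0/kseg1 mapping to the Part2/Part3 load addresses and the pre-IPL range.
"""
from collections import namedtuple

Mapping = namedtuple("Mapping", "segment physical cached")

KSEG0_BASE = 0x80000000
KSEG1_BASE = 0xA0000000
KSEG2_BASE = 0xC0000000
RESET_VECTOR = 0xBFC00000  # MIPS32 reset vector, in kseg1


def translate(va):
    """Map a 32-bit virtual address to (segment, physical, cached)."""
    va &= 0xFFFFFFFF
    if va < KSEG0_BASE:
        # kuseg: assumed identity-mapped here, as the page's use of
        # 0x04000000 and 0x08400000 as plain load addresses implies.
        return Mapping("kuseg", va, True)
    if va < KSEG1_BASE:
        return Mapping("kseg0", va - KSEG0_BASE, True)
    if va < KSEG2_BASE:
        return Mapping("kseg1", va - KSEG1_BASE, False)
    return Mapping("kseg2", None, None)  # TLB-mapped, no fixed physical address


# Physical regions: base addresses from the page, sizes are assumptions.
REGIONS = (
    (0x04000000, 0x00200000, "EDRAM"),
    (0x08000000, 0x02000000, "DDR"),
    (0x1FC00000, 0x00001000, "0x1FC00000 range (mask ROM before reset, 4KB RAM after)"),
)


def region_of(phys):
    """Name the physical region a physical address falls in."""
    for base, size, name in REGIONS:
        if base <= phys < base + size:
            return name
    return "unknown"


def same_physical(va_a, va_b):
    """True when two virtual addresses alias the same physical location."""
    a, b = translate(va_a), translate(va_b)
    return a.physical is not None and a.physical == b.physical


def describe(va):
    m = translate(va)
    if m.physical is None:
        return "0x%08X: %s (TLB-mapped)" % (va, m.segment)
    return "0x%08X: %s -> phys 0x%08X, %s, %s" % (
        va, m.segment, m.physical, region_of(m.physical),
        "cached" if m.cached else "uncached")


if __name__ == "__main__":
    for va in (0x04000000, 0x08400000, 0x88600000, 0xA8600000, RESET_VECTOR):
        print(describe(va))
```

Running it shows 0x88600000 and 0xA8600000 landing on the same DDR location (one cached, one uncached), while 0x08400000 is a different DDR address, so the two Part3 figures on this page are different load offsets on different firmware versions, not the same address written two ways.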
