Console Hacking 2015

Penguins on Aeolia

 

It's a PC

Except it isn't.

fail0verflow@ps4:~/linux:ps4 -$ git diff v4.4-rc6 | grep -v CONFIG_ | wc -l
7443

7000+ line kernel diff and counting.

fail0verflow@ps4:~ -$ cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 22
model           : 17
model name      : DG1000FGF84HT
stepping        : 3
microcode       : 0x7011104
cpu MHz         : 800.000
cache size      : 2048 KB
physical id     : 0
siblings        : 8
core id         : 0
cpu cores       : 8
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt nodeid_msr topoext perfctr_nb bpext perfctr_l2 arat hw_pstate proc_feedback vmmcall bmi1 xsaveopt
bugs            : fxsave_leak sysret_ss_attrs
bogomips        : 3187.47
TLB size        : 1024 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts ttp tm 100mhzsteps hwpstate [11]

processor       : 1

[ ... ×8 ... ]


fail0verflow@ps4:~ -$ sudo lspci
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Liverpool Processor Root Complex
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Liverpool I/O Memory Management Unit
00:01.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Liverpool Graphics
00:01.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Liverpool HDMI/DP Audio Controller
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Liverpool Processor Root Port
00:14.0 System peripheral: Sony Corporation Aeolia ACPI
00:14.1 System peripheral: Sony Corporation Aeolia Ethernet Controller (Marvell Yukon 2 Family)
00:14.2 System peripheral: Sony Corporation Aeolia SATA AHCI Controller
00:14.3 System peripheral: Sony Corporation Aeolia SD/MMC Host Controller
00:14.4 System peripheral: Sony Corporation Aeolia PCI Express Glue and Miscellaneous Devices
00:14.5 System peripheral: Sony Corporation Aeolia DMA Controller
00:14.6 System peripheral: Sony Corporation Aeolia Memory (DDR3/SPM)
00:14.7 System peripheral: Sony Corporation Aeolia USB 3.0 xHCI Host Controller

Key:    ▣ Crazy    ▣ Batshit Crazy

The Marvell engineers who designed the southbridge were smoking some real good stuff.

(And/or felt like reinventing PCI their own way)

Achievement Unlocked: NOP command is broken on the GPU

(But at least it's a Radeon)

16MB of VRAM ain't enough for everybody.

(Unified memory is hard)

Codenames

dce_ihdef_get_info_crtc_linea_liverpool
"LVP A0" StarshaAsicStateRegInfo
ThJStarsha AGESAThebeJBDK

 

Nobody (not even Sony/AMD) agrees on the APU codename

We're calling it Liverpool

At least the southbridge is always Aeolia

Working

  • Timers, IRQs, PCI shenanigans
  • Serial port
  • Framebuffer
  • Kernel Modesetting
  • HDMI encoder
  • Ethernet (mostly, 1Gbps only)
  • WiFi
  • Bluetooth
  • S/PDIF Audio (Optical)
  • Blinkenlights

WIP

  • 3D acceleration
  • USB (and HDD, which is USB‽‽‽)
  • HDMI Audio

 

Untested

  • SATA AHCI (Blu-Ray)

Kernel patches coming soon

Plus custom bootstrap code

 

Some Assembly Required:

Bring Your Own Exploit™

(PS4 security is crappy enough that you don't need us for that)

http://fail0verflow.com · @fail0verflow

P.S. you can borrow our slide style, but you'll never beat the original ;-)