About SPU channels 64, 72 and 73

If you are reversing the PS3’s isolated SPU modules, you will eventually notice channels 64, 72 and 73. Here are some C functions that roughly describe how they work:

void read_ch73(u32 skip, u32 *buf, u32 len)
{
	u32 i;
	spu_wrch(64, 0x10000);
	for(i = 0; i < skip; i++)
		spu_rdch(73);
	for(i = 0; i < len; i++)
		buf[i] = spu_rdch(73);
}

void write_ch72(u32 skip, u32 *buf, u32 len)
{
	u32 i;
	spu_wrch(64, 0x10000);
	for(i = 0; i < skip; i++)
		spu_wrch(72, spu_rdch(73));
	for(i = 0; i < len; i++)
		spu_wrch(72, buf[i]);
}

It seems that lv1ldr stores its version in a special storage area.

s64 lv1ldr_main(...)
{
	//...
	u64 ldr_ver = 0x0003004100000000;
	// the 64-bit version is written as two 32-bit words
	write_ch72(0, (u32 *)&ldr_ver, 2);
	//...
}

isoldr, for example, reads the version from the storage area and compares it to its own version.
If the check fails, isoldr simply stops execution.

s64 check_version(u64 ldr_ver)
{
	u64 stored_ver;
	// read the stored version back as two 32-bit words
	read_ch73(0, (u32 *)&stored_ver, 2);
	//...
}

s64 load_isoself(...)
{
	u64 ldr_ver = 0x0003004100000000;
	// a version mismatch aborts loading with error 0x30
	if(check_version(ldr_ver) != 0)
		return 0x30;
	//...
}
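
A host-side model of the version handshake above, added here as an illustration and not code from the original post. It assumes a word-addressed store with separate read and write cursors that any write to channel 64 rewinds; the store size, `publish_version`, and the comparison inside `check_version` are assumptions, since the post elides that body and leaves the real hardware behaviour open.

```c
#include <stdint.h>
typedef uint32_t u32;
typedef uint64_t u64;

/* Assumed model: 16-word store, separate read/write cursors, both
 * rewound by any write to channel 64 (the written value is ignored). */
static u32 store[16], rd_pos, wr_pos;

static void spu_wrch(u32 ch, u32 val) {
	if (ch == 64)
		rd_pos = wr_pos = 0;
	else if (ch == 72 && wr_pos < 16)
		store[wr_pos++] = val;
}

static u32 spu_rdch(u32 ch) {
	return (ch == 73 && rd_pos < 16) ? store[rd_pos++] : 0;
}

static void read_ch73(u32 skip, u32 *buf, u32 len) {
	u32 i;
	spu_wrch(64, 0x10000);
	for (i = 0; i < skip; i++)
		spu_rdch(73);
	for (i = 0; i < len; i++)
		buf[i] = spu_rdch(73);
}

static void write_ch72(u32 skip, u32 *buf, u32 len) {
	u32 i;
	spu_wrch(64, 0x10000);
	for (i = 0; i < skip; i++)
		spu_wrch(72, spu_rdch(73)); /* copy skipped words back unchanged */
	for (i = 0; i < len; i++)
		spu_wrch(72, buf[i]);
}

/* Writer side (lv1ldr in the post): high word first, as on the big-endian SPU. */
static void publish_version(u64 ver) {
	u32 w[2] = { (u32)(ver >> 32), (u32)ver };
	write_ch72(0, w, 2);
}

/* Reader side (isoldr in the post): 0 on match, 0x30 on mismatch. */
static u32 check_version(u64 own_ver) {
	u32 w[2];
	read_ch73(0, w, 2);
	return ((((u64)w[0] << 32) | w[1]) == own_ver) ? 0 : 0x30;
}
```

In this model a `write_ch72` call with a non-zero `skip` leaves the stored version intact, because each skipped word is read from channel 73 and written straight back through channel 72.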

I wonder what else is stored in the area and how long the data in it persists, so my next idea is to code an isolated ELF that allows me to specify the value written to channel 64 and then dumps the data from channel 73.
