ps2devman
Joined: 09 Oct 2006 Posts: 265
Posted: Thu Jan 28, 2010 1:59 am Post subject: The hunt for Nv47 secret 'bridge'
Goal: Be able to write data to Nv47 outer registers from within a shader
Tool: Geohot exploit

Currently there are 2 annoying things:
1) Don't know how to play with RSX if fw>2.01 (for that, I have no idea)
2) Unable to declare video ram areas as TILE or ZCOMP (with fw<=2.01)
(would gain the remaining 30% speed we lack compared to game os)

These are hypothetical tips about fixing 2).

Nv2A (xbox1) had a secret 'bridge' between inner and outer registers (inner ones are the ones you target from within a shader, outer ones are MMIO registers, i.e. specific memory addresses). See the xbox1 pbkit library for more details. I say 'secret' because before finding it I had never heard about it. It's the kind of low level stuff completely hidden by DirectX 8 upper concepts like "fencing".

To activate the 'secret' bridge you had to use 2 inner registers mapped to 2 outer registers. You wrote a register destination in one and a value in the other. Then you would trigger an interrupt with a shader opcode. The interrupt handler would just poke the value at the destination.

On PS3 we can have our own shaders executed with fw<=2.01, but we lack access to MMIO registers, and those are what should allow us to declare ZCOMP and TILE areas. If a similar 'secret' bridge exists on PS3, one way to find out how it works would be to disassemble the interrupt handler (can it be in HV?) and look for a specific interrupt that just pokes a value at a destination, reading destination and value from 2 specific MMIO registers (the ones linked by hw to the 2 inner registers). Then we would be able to use this bridge ourselves to poke values from within our shaders.

But there is a big if...
Geohot's exploit (bravo george!) seems to allow reading and disassembling of code present in memory when Other OS runs. So there is no guarantee that the hypervisor present in memory is the same as the one running under Game OS (I know nothing precise about that). But that's one more reason to disassemble the Other OS hypervisor...
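To make the xbox1 mechanism concrete, here is an added C model of the bridge; it is not code from this thread, from pbkit or from any console firmware. Two inner registers are mirrored to two outer (MMIO) registers, and an interrupt handler reads them and performs the poke. All offsets, the window size and the allowed range are made-up assumptions; the handler also rejects destinations outside an allowed range, since the unchecked version is an arbitrary write primitive reachable from shader code.

```c
/* Simulation of an inner->outer register "bridge" (assumed layout, not real
 * Nv2A/Nv47 offsets). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MMIO_SIZE        0x1000u   /* simulated outer register window (assumed) */
#define BRIDGE_DEST_REG  0x0F00u   /* inner reg mirrored here: destination (assumed) */
#define BRIDGE_VALUE_REG 0x0F04u   /* inner reg mirrored here: value (assumed) */

static uint32_t mmio[MMIO_SIZE / 4];   /* simulated outer register file */

/* Destination ranges the handler will poke on behalf of a shader (assumed,
 * e.g. a tile/zcomp configuration block). */
static const struct { uint32_t lo, hi; } allowed[] = {
    { 0x0100u, 0x0200u },
};

/* Raw write into the simulated window: word-aligned and in range only. */
static bool mmio_write(uint32_t off, uint32_t v) {
    if (off % 4 != 0 || off >= MMIO_SIZE) return false;
    mmio[off / 4] = v;
    return true;
}

uint32_t mmio_read(uint32_t off) { return mmio[off / 4]; }

/* Shader side: fill the two inner registers. In the model the inner
 * registers are hardware-mirrored to the two outer registers above. */
void shader_set_bridge(uint32_t dest, uint32_t value) {
    mmio_write(BRIDGE_DEST_REG, dest);
    mmio_write(BRIDGE_VALUE_REG, value);
}

/* Interrupt handler: read dest/value from the mirrored registers and poke.
 * Without the range check this is "write anything anywhere" from a shader;
 * with it, only the allowed block is reachable. Returns true if written. */
bool bridge_irq_handler(void) {
    uint32_t dest  = mmio_read(BRIDGE_DEST_REG);
    uint32_t value = mmio_read(BRIDGE_VALUE_REG);
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (dest >= allowed[i].lo && dest < allowed[i].hi)
            return mmio_write(dest, value);
    fprintf(stderr, "bridge: rejected write to 0x%04x\n", dest);
    return false;
}
```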
moreno
Joined: 30 Dec 2007 Posts: 5
Posted: Wed Feb 17, 2010 6:49 pm Post subject: Re: The hunt for Nv47 secret 'bridge'
ps2devman wrote:
    1) Don't know how to play with RSX if fw>2.01 (for that, I have no idea)

ldesnogu wrote:
    So much for paranoia: Jim just posted a patch that works with FW 2.50.
    EDIT: Here is the link.
ps2devman
Joined: 09 Oct 2006 Posts: 265
Posted: Thu Feb 18, 2010 12:20 am Post subject:
You refer to RSX used as a RAM extension.
I'm talking about activating 3D accelerated graphics again.