XRPC

From t-hack.com - Hack X300T / X301T


Making an xrpc (secure remote procedure call) to the SMP8630 XPU works like this:
1) Build an xrpc_block_header at VIRTUAL address $A

#define XRPC_ID_GETSERIAL      0 // return chip serial number to param0..3
#define XRPC_ID_GETRANDOM      2 // return 32bit of true random to param0
#define XRPC_ID_BONDINGCOMMENT 3 // return the bonding comment to param0..1
#define XRPC_ID_SHA1XOS        4 // outputs SHA-1 of burnt signablearea-xosMxy.bin to param0..4
#define XRPC_ID_XLOAD          5 // for ucode, interrupt handler, xtasks...
#define XRPC_ID_XOSSELFUPDATE  9 // for xos update
#define XRPC_ID_IH_LOAD       13 // interrupt handler ?
#define XRPC_ID_DRAM          15 /* --- deprecated in xosMa0 */
#define XRPC_ID_XUNLOAD       17 // unload xtask from slot
#define XRPC_ID_CACHEDUMP     18 // not implemented in release build
#define XRPC_ID_REBOOT        19
#define XRPC_ID_XBIND         20 // bind/unbind certificate to xload.
#define XRPC_ID_XSTART        21 // start xtask
#define XRPC_ID_XKILL         22 // signal or stop xtask
#define XRPC_ID_GETPROTECTION 23 // Get protection registers
#define XRPC_ID_GETBINDING    24 // Get binding hash
#define XRPC_ID_GETOWNER      25 // Get sector ownership hash
#define XRPC_ID_SETENHANCEDMODE 26 // enhanced mode
#define XRPC_ID_VERSION       27 // Get XOS build version string (!= sha1)

// RMuint32 is Sigma's 32-bit unsigned integer type; the whole block is 8 words (32 bytes)
struct xrpc_block_header {
	RMuint32 callerid; // deprecated field, put XRPC_CALLERID_IGNORED
	RMuint32 xrpcid;
	// parameters (input and output)
	RMuint32 param0;
	RMuint32 param1;
	RMuint32 param2;
	RMuint32 param3;
	RMuint32 param4;
	RMuint32 headerandblocksize;
};

2) Acquire XRPC_MUTEX, aka (REG_BASE_host_interface+host_mutex10), by reading from XRPC_MUTEX until the returned value is 0
3) Tell the XOS where to find your xrpc_block_header by writing the PHYSICAL address corresponding to $A to (REG_BASE_cpu_block+LR_XPU_STAGE), aka CPU_LOCALRAM_STAGE, aka (REG_BASE_cpu_block+CPU_LOCALRAM_SIZE-4)
4) Set SOFT_IRQ_XRPC in (REG_BASE_xpu_block+CPU_irq_softset) to tell the XOS that a valid xrpc_block_header is waiting
5) Poll (REG_BASE_xpu_block+CPU_irq_softset) until SOFT_IRQ_XRPC reads 0, which means the xrpc call has finished
6) Read the result code from (REG_BASE_cpu_block+LR_XPU_STAGE); 6 == RM_OK
7) Release XRPC_MUTEX by writing 0 to it
8) Use the returned parameters in param0..param4

This is what the whole shebang looks like in reality: TV2Engine.dll's DoPlatformSpecificInitialization from the DRA nk.bin. The sub builds an xrpc block at 0xA0190000, calls XRPC_ID_BONDINGCOMMENT, then checks the return values.
Image:Bondingcomment_DRA.png
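The eight steps above, carried through for the same XRPC_ID_BONDINGCOMMENT call that TV2Engine.dll makes, as an added C example; this is not code from this page, from Sigma Designs or from the X300T firmware. The XPU side is modelled in-process so the sequence runs on a PC. SOFT_IRQ_XRPC's bit position, XRPC_CALLERID_IGNORED's value, the read-to-acquire mutex and write-1-to-set IRQ register semantics, the timeout code, the virtual-to-physical mapping and the reply words are all assumptions, not values taken from the page; on the real chip the three registers are volatile MMIO words at the offsets named in the steps.

```c
/* Added example (not the page's or Sigma's code): the eight-step XRPC handshake
 * from the text against an in-process model of the XPU registers and DRAM.
 * Assumed: SOFT_IRQ_XRPC bit, XRPC_CALLERID_IGNORED value, the register
 * semantics modelled below, the timeout code and the constructed XOS replies. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t RMuint32;             /* Sigma's 32-bit unsigned type */

#define XRPC_ID_BONDINGCOMMENT 3
#define RM_OK                  6       /* success code, per the page */
#define XRPC_CALLERID_IGNORED  0       /* assumed value; the field is deprecated */
#define SOFT_IRQ_XRPC   (1u << 0)      /* assumed bit position */
#define MAX_SPINS       1000000        /* every poll loop is bounded */
#define XRPC_TIMEOUT    0xFFFFFFFFu    /* local code for a bounded poll that expired */

struct xrpc_block_header {
    RMuint32 callerid, xrpcid;
    RMuint32 param0, param1, param2, param3, param4;  /* in and out */
    RMuint32 headerandblocksize;
};

/* Modelled register window and a slice of "physical" DRAM (phys == byte offset). */
enum { REG_XRPC_MUTEX, REG_LR_XPU_STAGE, REG_CPU_IRQ_SOFTSET, REG_COUNT };
static RMuint32 regs[REG_COUNT];
static RMuint32 dram[1024];

static RMuint32 mmio_read32(int reg) {
    RMuint32 v = regs[reg];
    if (reg == REG_XRPC_MUTEX) regs[reg] = 1;   /* hardware mutex: a read returning 0 takes it */
    return v;
}
static void mmio_write32(int reg, RMuint32 v) {
    if (reg == REG_CPU_IRQ_SOFTSET) regs[reg] |= v;  /* write-1-to-set (modelled) */
    else regs[reg] = v;
}
static int mutex_is_free(void) { return regs[REG_XRPC_MUTEX] == 0; }

/* Virtual -> physical. An offset here; on the MIPS host the page's 0xA0190000
 * (KSEG1) becomes physical 0x00190000 by masking off the top three bits. */
static RMuint32 virt_to_phys(const void *p) { return (RMuint32)((const uint8_t *)p - (const uint8_t *)dram); }

/* XOS side, modelled: on SOFT_IRQ_XRPC fetch the block at the physical address
 * in LR_XPU_STAGE, service the id, put the result code in LR_XPU_STAGE, clear the IRQ. */
static void xos_service_pending(void) {
    if (!(regs[REG_CPU_IRQ_SOFTSET] & SOFT_IRQ_XRPC)) return;
    struct xrpc_block_header *blk =
        (struct xrpc_block_header *)((uint8_t *)dram + regs[REG_LR_XPU_STAGE]);
    RMuint32 rc = RM_OK;
    if (blk->xrpcid == XRPC_ID_BONDINGCOMMENT) {
        blk->param0 = 0x44524120u;   /* constructed reply bytes "DRA " */
        blk->param1 = 0x58333030u;   /* constructed reply bytes "X300" */
    } else {
        rc = 0;                      /* modelled: any value other than RM_OK */
    }
    regs[REG_LR_XPU_STAGE] = rc;
    regs[REG_CPU_IRQ_SOFTSET] &= ~SOFT_IRQ_XRPC;
}

/* Steps 2..7: take the mutex, publish the block, raise the IRQ, wait for it to
 * clear, read the result code, release the mutex (on timeout as well). */
static RMuint32 xrpc_call(struct xrpc_block_header *blk) {
    unsigned spins = 0;
    blk->headerandblocksize = sizeof *blk;              /* header only, no payload */
    while (mmio_read32(REG_XRPC_MUTEX) != 0)            /* 2) */
        if (++spins > MAX_SPINS) return XRPC_TIMEOUT;
    mmio_write32(REG_LR_XPU_STAGE, virt_to_phys(blk));  /* 3) PHYSICAL address */
    mmio_write32(REG_CPU_IRQ_SOFTSET, SOFT_IRQ_XRPC);   /* 4) */
    for (spins = 0; mmio_read32(REG_CPU_IRQ_SOFTSET) & SOFT_IRQ_XRPC; ) { /* 5) */
        if (++spins > MAX_SPINS) { mmio_write32(REG_XRPC_MUTEX, 0); return XRPC_TIMEOUT; }
        xos_service_pending();                          /* the XPU runs concurrently in reality */
    }
    RMuint32 rc = mmio_read32(REG_LR_XPU_STAGE);        /* 6) 6 == RM_OK */
    mmio_write32(REG_XRPC_MUTEX, 0);                    /* 7) */
    return rc;
}

/* Steps 1 and 8, mirroring the TV2Engine.dll BONDINGCOMMENT call the page shows. */
static struct xrpc_block_header *demo_block(void) { return (struct xrpc_block_header *)(dram + 64); }
static RMuint32 demo_call(RMuint32 xrpcid) {
    struct xrpc_block_header *blk = demo_block();       /* 1) block at a known address */
    memset(blk, 0, sizeof *blk);
    blk->callerid = XRPC_CALLERID_IGNORED;
    blk->xrpcid = xrpcid;
    return xrpc_call(blk);                              /* 8) outputs are in blk->param0.. */
}

int main(void) {
    RMuint32 rc = demo_call(XRPC_ID_BONDINGCOMMENT);
    printf("rc=%u (%s) param0=0x%08x param1=0x%08x\n", (unsigned)rc,
           rc == RM_OK ? "RM_OK" : "error", (unsigned)demo_block()->param0, (unsigned)demo_block()->param1);
    return rc == RM_OK ? 0 : 1;
}
```

Two details matter more than the register names: both poll loops are bounded and XRPC_MUTEX is released on every exit path, so a hung or rejected call cannot leave the host holding the lock against the XPU forever, and the XOS acts only on what it reads back from the physical address in LR_XPU_STAGE, so the block must sit in memory the XPU can see and must not be touched by the host until SOFT_IRQ_XRPC has cleared.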
