Goal : Be able to write data to Nv47 outer register from within shader
Tool : Geohot exploit
Currently there are 2 annoying things :
1) Don't know how to play with RSX if fw>2.01 (for that, I have no idea)
2) Unable to declare video ram areas as TILE or ZCOMP (with fw<=2.01)
(would gain the remaining 30% speed we lack compared to game os)
These are hypothetical tips about fixing 2)
Nv2A (xbox1) had a secret 'bridge' between inner and outer registers
(inner ones are the ones you target from within shader, outer one
are MMIO registers, i.e specific memory addresses). See xbox1 pbkit library for more details. I say 'secret' because before finding it I never heard about it. The kind of low level stuff completely hidden by DirectX 8 upper concepts like "fencing".
To activate the 'secret' bridge you had to use 2 inner registers mapped to 2 outer registers. You wrote a register destination in one and a value in the other. Then you would trigger an interruption with a shader opcode.
The interrupt handler would just do a poke at the destination with the value.
On PS3 we can have our own shaders get executed on ps3 with fw<=2.01
but we lack access to MMIO registers and these ones should allow us to declare ZCOMP and TILE areas. If a similar 'secret' bridge exists in PS3, one way to find how it works would be to disassemble the interrupt handler (can it be in HV?) and detect a specific interrupt just poking a value at a destination by reading destination and value from 2 specific MMIO registers (the one linked by hw to the 2 inner registers). Then we could be able to use this bridge ourself to poke values from within our shaders.
But there is a big if...
Geohot's exploit (bravo george!) seems to allow reading and disassembling of code present in memory when Other OS runs.
So there is no warranty that the hypervisor present in memory is the same as the one running under Game OS (I know nothing precise about that). But that's one more reason to disassemble Other OS hypervisor...
The hunt for Nv47 secret 'bridge'
Re: The hunt for Nv47 secret 'bridge'
ps2devman wrote: 1) Don't know how to play with RSX if fw>2.01 (for that, I have no idea)
jonathan wrote:Odd, then, that Sony employee Geoff Levand would state on IRC then that it was unintentional broken in the FW update.
The last I'd heard, ps3vram was buggy and unsafe anyway. See http://ozlabs.org/pipermail/cbe-oss-dev ... 05513.html
ldesnogu wrote:So much for paranoia: Jim just posted a patch that works with FW 2.50.
EDIT: Here is the link.