Decoding "otheros.self" on PS3

Investigation into how Linux on the PS3 might lead to homebrew development.

Moderators: cheriff, emoon

Post Reply
baygins
Posts: 7
Joined: Sat Jul 09, 2005 11:36 pm

Decoding "otheros.self" on PS3

Post by baygins »

I have been playing with the "otheros.self" file and have pretty much have figured out that the initial few bytes contain the Sony Computer Entertainment magic word "SCE". After that comes the standard-looking "0x7F-ELF" magic bytes.

I tried to decode the ELF header portion to find the Section Headers, however, the section header offset (0x0000000000DF2548) was pointing to an address much larger than the file size. My purpose in doing this is to figure out what "otheros.self" file is doing.

Any Linux experts out there? Help?
jimparis
Posts: 1145
Joined: Fri Jun 10, 2005 4:21 am
Location: Boston

Post by jimparis »

"otheros.self" is not a Linux program. It runs under the Game OS and as such it's most likely encrypted and signed by Sony. The majority of the file looks this way (high entropy, uncompressable).
baygins
Posts: 7
Joined: Sat Jul 09, 2005 11:36 pm

Post by baygins »

jimparis wrote:"otheros.self" is not a Linux program. It runs under the Game OS and as such it's most likely encrypted and signed by Sony. The majority of the file looks this way (high entropy, uncompressable).
I would agree that there is some encryption, but if you take the "SCE" signed first few dozen bytes off, then you are left with what looks like a regular ELF file.

It has the proper ELF signature and it seems like it has proper ELF header info.

Most of the meta data (machine type, bit-width: 64, LSB/MSB stuff) looks right. So if most of the info on the ELF header is right, then why would the Segment Header offset data not be right (even the Program Header offset looks to be right)?
J.F.
Posts: 2906
Joined: Sun Feb 22, 2004 11:41 am

Post by J.F. »

Seeing as the core processor is a PPC, it probably runs in big-endian mode. Make sure you aren't trying to read addresses in little-endian mode.
baygins
Posts: 7
Joined: Sat Jul 09, 2005 11:36 pm

Post by baygins »

J.F. wrote:Seeing as the core processor is a PPC, it probably runs in big-endian mode. Make sure you aren't trying to read addresses in little-endian mode.
I believe the ELF header is endian-unaware? So, when we talk about the Section Header offset, which is supposed to be 8 words (since this is a 64 bit architecture), reading a byte stream of [0000000000DF2548] would translate to an address of 0x0000000000DF2548, right?
J.F.
Posts: 2906
Joined: Sun Feb 22, 2004 11:41 am

Post by J.F. »

There should be a code in the header that tells the endianness as well as the size and processor. But yes, that looks like a BE 64bit value there. Maybe it's a virtual address as opposed to a physical address.
baygins
Posts: 7
Joined: Sat Jul 09, 2005 11:36 pm

Post by baygins »

I am "totally" speculating that it could be a round-the-file-and-back wrap around offset. So if the file is 100 bytes, but the offset is 250 bytes, it literally means "go around the file twice and then 50 some more bytes".

Is there anyone who has coded on the PPC64 platform to comment on this?
mrbeans
Posts: 2
Joined: Wed Feb 07, 2007 3:52 am

Post by mrbeans »

Portions of the file are both compressed and encrypted. The compression of the file will make legitimate values in the ELF header to appear wrong (out of bounds.)

If you look at the qword at 0x0018 you'll find what appears to be the file size before signing, compression, encryption, etc. This value is something like 0x00DF2D08, which is larger than your section header offset above.

Any data after 0x03e0 is probably garbage without decoding, or in the wrong spot (~0x0149548 onwards -- the data pointed to by qword 0x0040)

So I guess I'm saying it's not going to wrap around the file ;)
baygins
Posts: 7
Joined: Sat Jul 09, 2005 11:36 pm

Post by baygins »

mrbeans wrote:Portions of the file are both compressed and encrypted. The compression of the file will make legitimate values in the ELF header to appear wrong (out of bounds.)

If you look at the qword at 0x0018 you'll find what appears to be the file size before signing, compression, encryption, etc. This value is something like 0x00DF2D08, which is larger than your section header offset above.

Any data after 0x03e0 is probably garbage without decoding, or in the wrong spot (~0x0149548 onwards -- the data pointed to by qword 0x0040)

So I guess I'm saying it's not going to wrap around the file ;)
Sounds very logical actually. Are there methods/tools to figure out if/what kind of compression/encryption is being used in a file based on the byte stream?
mrbeans
Posts: 2
Joined: Wed Feb 07, 2007 3:52 am

Post by mrbeans »

There are certainly methods to figure this out. It would help if there were a wealth of other files to compare it against.

It would make sense that compression would come before encryption (as encrypted data is usually harder to compress.) Figuring out what type of compression algorithm is difficult as there likely isn't any compressed non encrypted data. It can't be too shabby though, as it appears to have done a good job.

Because of the compression + encryption, there likely isn't any good plain text knowledge to take advantage of either. My encryption skills are out of date. Keys will likely not be in the file but be in the firmware; likewise decryption could easily be implemented with hardware for speed reasons. If we could create our own files this would be significantly easier.

I think the best bet is to figure out more of what is around the encryption to get a better idea of what to expect and where inside the encryption. For instance, is the entire elf header in plain text, is it duplicated in the encrypted data?
Post Reply