0:00:00.000,0:00:13.321
33C3 preroll music
0:00:13.321,0:00:16.840
Herald: You have been[br]here on stage before.
0:00:16.840,0:00:20.160
You successfully tampered with the Wii,
0:00:20.160,0:00:23.110
You successfully tampered[br]with the PS3 and got
0:00:23.110,0:00:26.840
some legal challenges over there?
0:00:26.840,0:00:28.939
marcan: Some unfounded[br]legal challenges, yes.
0:00:28.939,0:00:31.640
Herald: And then you fucked,[br]and excuse my French over here
0:00:31.640,0:00:35.149
– by the way, that is number 8021 to get
0:00:35.149,0:00:39.840
the translation on your DECT phone.
0:00:39.840,0:00:44.600
So you fucked with the Wii U as well.
0:00:44.600,0:00:47.999
“Console Hacking 2016”,[br]here we go!
0:00:47.999,0:00:51.629
marcan: I’m a lazy guy, so I haven’t[br]turned on my computer yet for the slides.
0:00:51.629,0:00:57.180
So let me do that,[br]hopefully this will work.
0:00:57.180,0:01:00.559
My computer is a little bit special.[br]It runs a lot of Open Source software.
0:01:00.559,0:01:05.620
It runs FreeBSD.
0:01:05.620,0:01:09.909
applause
0:01:09.909,0:01:14.370
It even has things like OpenSSL[br]in there, and nginx.
0:01:14.370,0:01:21.160
And Cairo I think, and WebKit. It runs a[br]lot of interesting Open Source software.
0:01:21.160,0:01:24.980
But we all know that BSD is dying, so[br]we can make it run something a little bit
0:01:24.980,0:01:29.730
more interesting. And hopefully[br]give a presentation about it.
0:01:29.730,0:01:32.530
Let’s see if this works.
0:01:36.149,0:01:38.380
It’s a good start, black screen, you know.
0:01:38.380,0:01:43.330
It’s syncing to disk[br]and file system shutting down.
0:01:43.330,0:01:48.710
There we go![br]applause
0:01:48.710,0:01:55.310
continued applause
0:01:55.310,0:01:58.610
And yes, I run Gentoo Linux.
0:01:58.610,0:02:01.390
applause
0:02:01.390,0:02:05.400
This is the “Does Wi-Fi work?” moment.[br]Hopefully.
0:02:07.490,0:02:12.570
NTP, yeah, no… “NTP failed”. Well,[br]that’s a bit annoying, but it still works.
0:02:15.630,0:02:21.250
Hello? Yeah, it takes a bit to boot.[br]It doesn’t run systemd, you know.
0:02:21.250,0:02:25.250
It’s sane, it’s a tiny bit slower,[br]but it’s sane.
0:02:25.250,0:02:30.390
There we go.[br]applause
0:02:30.390,0:02:35.260
This is the “Does my controller[br]work?” moment.
0:02:35.260,0:02:39.517
Bluetooth in Saal 1.[br]Okay, it does.
0:02:39.517,0:02:41.708
Alright, so let’s get started.
0:02:49.700,0:02:53.730
So this is “Console Hacking 2016 –[br]PS4: PC Master Race”.
0:02:53.730,0:02:58.350
I apologize for the horrible Nazi joke in[br]the subtitle, but it’s a Reddit thing.
0:02:58.350,0:03:03.069
“PC Master Race”, why? Well.[br]PS4, is it a PC? Is it not a PC?
0:03:03.069,0:03:06.070
But before we get started,[br]I would like to dedicate this talk
0:03:06.070,0:03:09.430
to my good friend Ben Byer[br]who we all know as “bushing”.
0:03:09.430,0:03:11.790
Unfortunately, he passed away[br]in February of this year and he was
0:03:11.790,0:03:15.240
a great hacker, he came to multiple[br]congresses, one of the nicest people
0:03:15.240,0:03:19.040
I’ve ever met. I’m sure that some of you[br]who have met him would agree with that.
0:03:19.040,0:03:23.960
If it weren’t for him, I wouldn’t be here.[br]So, thank you.
0:03:23.960,0:03:30.480
applause
0:03:30.480,0:03:34.840
Alright. So, the PS4.[br]Is it a PC? Is it not a PC?
0:03:34.840,0:03:37.220
Well, it’s a little bit different[br]from previous consoles.
0:03:37.220,0:03:42.490
It has x86, it’s an x86 CPU.[br]It runs FreeBSD, it runs WebKit.
0:03:42.490,0:03:45.490
It doesn’t have a hypervisor,[br]unfortunately.
0:03:45.490,0:03:49.849
Then again, the PS3 had a hypervisor[br]and it was useless, so there you go.
0:03:49.849,0:03:52.380
So this is different from the PS3,[br]but it’s not completely different.
0:03:52.380,0:03:54.959
It does have a security processor[br]that you can just ignore because
0:03:54.959,0:03:59.779
it doesn’t secure anything.[br]So that’s good.
0:03:59.779,0:04:02.520
So how to own a PS4? Well, you write[br]a WebKit exploit and you write
0:04:02.520,0:04:07.800
a FreeBSD exploit, duh. Right?[br]Everything runs WebKit,
0:04:07.800,0:04:10.739
and FreeBSD is not exactly the[br]most secure OS in the world,
0:04:10.739,0:04:14.800
especially not with Sony customizations.[br]So this is completely boring stuff.
0:04:14.800,0:04:18.548
Like, what’s the point of talking about[br]WebKit and FreeBSD exploits?
0:04:18.548,0:04:22.089
Instead, this talk is going to be about[br]something a little bit different.
0:04:22.089,0:04:26.040
First of all, after you run an exploit,[br]well, you know, step 3 “something”,
0:04:26.040,0:04:29.770
step 4 “PROFIT”. What is this about?[br]And not only that, though.
0:04:29.770,0:04:32.740
Before you write an exploit, you usually[br]want to have the code you’re trying
0:04:32.740,0:04:38.100
to exploit. And with WebKit and FreeBSD[br]you kinda do, but not the build they use,
0:04:38.100,0:04:41.440
and it’s customized. And it’s annoying to[br]write an exploit if you don’t have access
0:04:41.440,0:04:43.770
to the binary. So how do you get[br]the binary in the first place?
0:04:43.770,0:04:47.690
Well, you dump the code,[br]that’s an interesting step.
0:04:47.690,0:04:51.580
So let’s get started with step zero:[br]black-box code extraction, the fun way.
0:04:51.580,0:04:54.450
A long time ago[br]in a hackerspace far, far away
0:04:54.450,0:04:59.280
fail0verflow got together[br]after 31c3.
0:04:59.280,0:05:02.530
And we looked at the PS4 motherboard[br]and this is what we saw. So there’s
0:05:02.530,0:05:06.000
an Aeolia southbridge, that’s a codename,[br]by the way. Then there’s the Liverpool APU
0:05:06.000,0:05:10.450
which is the main processor.[br]It’s a GPU and a CPU
0:05:10.450,0:05:13.870
which is done by AMD, and[br]it has some RAM. And then
0:05:13.870,0:05:16.250
the southbridge connects to a bunch[br]of random crap like the USB ports,
0:05:16.250,0:05:19.280
a hard disk, which is USB. For some[br]inexplicable reason the internal disk
0:05:19.280,0:05:24.840
on the PS4 is USB. Like it’s SATA to USB,[br]and then to USB on the southbridge.
0:05:24.840,0:05:28.040
Even though it has SATA,[br]like, what? laughs
0:05:28.040,0:05:31.630
The Blu-ray drive is SATA. The Wi-Fi,[br]Bluetooth, SDIO and Ethernet is GMII.
0:05:31.630,0:05:34.090
Okay, how do we attack this?[br]Well, GDDR5…
0:05:34.090,0:05:38.720
What just…?[br]Oh. I have a screensaver, apparently!
0:05:38.720,0:05:40.960
That’s great.[br]laughter
0:05:40.960,0:05:44.350
I thought I killed that,[br]let me kill that screensaver real quick.
0:05:44.350,0:05:50.960
applause[br]Something had to fail, it always does.
0:05:52.490,0:05:55.310
I mean, of course I can[br]SSH into my PS4, right?
0:05:55.310,0:05:59.500
So there we go, okay.[br]Could have sworn I’d fixed that. Anyway…
0:05:59.500,0:06:02.760
Which one of these interfaces[br]do you attack? Well, you know,
0:06:02.760,0:06:06.820
USB, SATA, SDIO, GMII – that’s[br]the raw ethernet interface, by the way –
0:06:06.820,0:06:11.520
all these are CPU-controlled. The CPU[br]issues commands and the devices reply.
0:06:11.520,0:06:16.389
The devices can’t really do anything. They[br]can’t write to memory or anything like that.
0:06:16.389,0:06:19.050
You can exploit USB if you[br]hide a bug in the USB driver,
0:06:19.050,0:06:21.370
but we’re back to the no-code issue.
0:06:21.370,0:06:24.870
DDR5, that would be great,[br]we could just write to our memory
0:06:24.870,0:06:27.930
and basically own the entire thing.[br]But it’s a very high-speed bus.
0:06:27.930,0:06:30.160
It’s definitely exploitable.[br]If you were making a secure system
0:06:30.160,0:06:33.840
don’t assume we can’t own DDR5,[br]because we will.
0:06:33.840,0:06:37.020
But it’s not the path of least resistance,[br]so we’re not gonna do that.
0:06:37.020,0:06:40.150
However, there’s a thing called[br]PCI Express in the middle there.
0:06:40.150,0:06:42.100
Hmm, that’s interesting!
0:06:42.100,0:06:45.430
PCIe is very fun for hacking –[br]even though it might seem intimidating –
0:06:45.430,0:06:48.870
because it’s bus mastering,[br]that means you can DMA to memory.
0:06:48.870,0:06:52.759
It’s complicated, and complicated things[br]are hard to implement properly.
0:06:52.759,0:06:58.330
It’s robust. People think that PCIe is this[br]voodoo-highspeed… No it’s not!
0:06:58.330,0:07:00.610
It’s high-speed, but you don’t need[br]matched traces to make it work.
0:07:00.610,0:07:05.440
It will run over wet string. You can hotwire[br]PCIe with pieces of wire and it will work.
0:07:05.440,0:07:09.330
At least at short distances anyway.[br]Believe me, it’s not as bad as you think.
0:07:09.330,0:07:13.310
It’s delay-tolerant, so you[br]can take your time to reply.
0:07:13.310,0:07:16.550
And the drivers are full of fail because[br]nobody writes a PCIe driver assuming
0:07:16.550,0:07:19.520
the device is evil even though of course[br]everybody should because devices can
0:07:19.520,0:07:22.620
and will be evil.[br]But nobody does that.
0:07:22.620,0:07:25.680
So, what can we do?[br]Well, we have a PCIe link,
0:07:25.680,0:07:30.740
let’s cut the lines and plug in the[br]southbridge to a PC motherboard
0:07:30.740,0:07:34.460
that we stick on the side. Now[br]the southbridge is a PCIe card for us.
0:07:34.460,0:07:38.479
And we connect the APU to an FPGA[br]board which then can pretend to be
0:07:38.479,0:07:43.130
a PCIe device. So we can man-in-the-middle[br]this PCIe bus and it’s now x1 width
0:07:43.130,0:07:47.110
instead of x4 because it’s easier that[br]way, but it will negotiate, that’s fine.
0:07:47.110,0:07:50.520
So how do we connect that[br]motherboard and the FPGA?
0:07:50.520,0:07:53.669
There’s of course many ways of doing this.[br]How many of you have done
0:07:53.669,0:07:57.550
any hardware hacking, even Arduino or[br]anything like that? Raise your hand!
0:07:57.550,0:08:02.310
I think that’s about a third to a half[br]or something like that, at least.
0:08:02.310,0:08:04.750
When you hack some hardware,[br]you meld some hardware,
0:08:04.750,0:08:10.100
after you blink an LED, what is the first[br]interface you use to talk to your hardware?
0:08:10.100,0:08:14.880
Serial port! So we run[br]PCIe over RS232 at 115 kBaud
0:08:14.880,0:08:16.490
which makes this PCIe…[br]laughter and applause
0:08:21.500,0:08:27.710
I said it was delay-tolerant![br]So it makes this PCIe 0.00002x.
0:08:27.710,0:08:30.199
And eventually there was a[br]Gigabit ethernet port on the FPGA
0:08:30.199,0:08:35.000
so I upgraded to that, but I only got[br]around to doing it in one direction.
0:08:35.000,0:08:39.019
So now it’s PCIe 0.0002x in one direction[br]and 0.5x in the other direction
0:08:39.019,0:08:42.099
which has to make this one of the most[br]asymmetric buses in the world.
0:08:43.489,0:08:45.870
But it works, believe me.[br]This is hilarious.
0:08:45.870,0:08:50.920
We can run PCIe over serial out. Also, we[br]were ASCII encoding, so half the bandwidth.
0:08:50.920,0:08:52.940
It works fine. It’s fine.
0:08:52.940,0:08:56.550
So, PCIe 101.[br]It’s a reliable packet-switched network.
0:08:56.550,0:08:59.270
It uses a thing called[br]“Transaction Layer Packets”
0:08:59.270,0:09:03.440
which are basically just packets you send.[br]It can be… Memory Read, Memory Write,
0:09:03.440,0:09:06.140
IO Read, IO Write,[br]Configuration Read, Configuration Write.
0:09:06.140,0:09:09.600
There can be a message-signaled interrupt[br]which is a way of saying: “Hey,
0:09:09.600,0:09:13.470
listen to me!” by writing[br]to an address in memory.
0:09:13.470,0:09:16.010
Because we can write the thing,[br]so why not write for interrupts?
0:09:16.010,0:09:20.320
It has legacy interrupts[br]which are basically emulating the old
0:09:20.320,0:09:24.430
wire-low-for-interrupt-and-[br]high-for-no-interrupt thing,
0:09:24.430,0:09:25.750
you can tunnel that over PCIe.
0:09:25.750,0:09:29.380
And it has completions, which are[br]basically the replies. So if you read
0:09:29.380,0:09:31.930
a value from memory the completion[br]is what you get back with the value
0:09:31.930,0:09:36.040
you tried to read. So that’s PCIe,[br]we can just go wild with DMA.
0:09:36.040,0:09:39.250
We can just read all memory, dump[br]the kernel. Hey, it’s awesome, right?
0:09:39.250,0:09:41.470
Except there’s an IOMMU in the APU.
0:09:41.470,0:09:46.180
But… first, the IOMMU will protect[br]the devices. It will only let you access
0:09:46.180,0:09:50.430
what memory is mapped to your device.[br]So the host has to allow you
0:09:50.430,0:09:53.070
to read and write to memory.[br]But just because there’s an IOMMU
0:09:53.070,0:09:58.190
doesn’t mean that Sony uses it properly.[br]Here’s some pseudo-code,
0:09:58.190,0:10:01.390
it has a buffer on the stack, it says:[br]“please read from flash to this buffer”
0:10:01.390,0:10:04.810
with the correct length. Can anyone[br]see the problem with this code?
0:10:04.810,0:10:09.290
Well, it maps the buffer and it[br]reads and it unmaps the buffer.
0:10:09.290,0:10:13.100
But IOMMUs don’t just map[br]byte “foo” to byte “bar”,
0:10:13.100,0:10:16.570
they map pages, and[br]pages are 64k on the PS4.
0:10:16.570,0:10:19.910
So Sony has just mapped 64k[br]of its stack to the device so
0:10:19.910,0:10:25.720
it can just DMA straight into the stack,[br]basically the whole stack, and take over.
0:10:25.720,0:10:29.660
Now we got code execution, FreeBSD[br]kernel dump, and WebKit and OS libs dump,
0:10:29.660,0:10:32.500
just from mapping the flash.
0:10:32.500,0:10:36.080
Okay, that’s step zero.[br]We have the code.
0:10:36.080,0:10:39.930
But that’s not the PS4 that we did this[br]on, it was a giant mess of wires.
0:10:39.930,0:10:43.019
Someone here knows about that,[br]you know, flying over on Facebook.
0:10:43.019,0:10:46.480
We don’t make a ‘nice’ exploit.[br]We’ve done that because, as I said,
0:10:46.480,0:10:50.089
WebKit, FreeBSD, whatever.[br]What comes after that?
0:10:50.089,0:10:55.010
We want to do something.[br]Of course we want to run Linux, duh!
0:10:55.010,0:10:58.590
How do you go from FreeBSD to Linux?[br]It’s not a trivial process.
0:10:58.590,0:11:02.660
But you use something[br]that we call “ps4-kexec”.
0:11:02.660,0:11:06.640
So how does this work? It’s simple,[br]right? You just want to run Linux?
0:11:06.640,0:11:10.190
Just ‘jmp’ to Linux, right?[br]Well… kind of.
0:11:10.190,0:11:13.180
You need to load Linux into contiguous[br]physical RAM, set up boot parameters,
0:11:13.180,0:11:16.700
shut down FreeBSD cleanly, halt secondary[br]CPUs, make new pagetables etc.
0:11:16.700,0:11:19.540
A lot of random things. I’m not going to[br]bore you with this crap because you
0:11:19.540,0:11:23.459
can read the code. But there’s a lot[br]of iteration in getting this to work.
0:11:23.459,0:11:26.930
Let’s assume that you do all this magical[br]cleanup and you get Linux into
0:11:26.930,0:11:32.850
a nice state and you can ‘jmp’ Linux.[br]Now we jmp Linux, right? It’s cool.
0:11:32.850,0:11:35.440
Yeah, you can technically jmp to Linux,[br]and it will technically run
0:11:35.440,0:11:41.370
…for a little bit. And it will stop.
0:11:41.370,0:11:45.290
And you will not get any serial or any[br]video or anything. What’s going on here?
0:11:45.290,0:11:49.430
Let’s talk about hardware.[br]What is x86?
0:11:49.430,0:11:53.050
x86 is a mediocre instruction set[br]architecture by Intel.
0:11:53.050,0:11:56.190
It’s okay, I guess.[br]It’s not great.
0:11:56.190,0:12:00.250
PS4 is definitely x86, it’s x86-64.
0:12:00.250,0:12:03.580
What is a PC? Aah![br]PC is a horrible, horrible thing
0:12:03.580,0:12:07.220
built upon piles and piles of legacy crap[br]dating back to 1981.
0:12:07.220,0:12:10.310
The PS4 is definitely -not- a PC.
0:12:10.310,0:12:15.190
That’s practically Sony-level hardware fail,[br]so it could be, but it’s not.
0:12:15.190,0:12:19.480
So what’s going on? A legacy PC
0:12:19.480,0:12:22.660
basically has an 8259 Programmable[br]Interrupt Controller,
0:12:22.660,0:12:27.360
a 8253 Programmable Interval Timer,[br]a UART at I/O 3f8h,
0:12:27.360,0:12:29.399
which is the standard address[br]for a serial port.
0:12:29.399,0:12:33.709
It has a PS/2 keyboard controller, 8042.[br]It has an RTC, a real-time clock
0:12:33.709,0:12:35.510
with a CMOS, and everyone[br]knows the CMOS, right?
0:12:35.510,0:12:40.240
MC146818 is the chip number for that. An[br]ISA bus – even if you think you don’t have
0:12:40.240,0:12:43.010
an ISA bus your computer has an ISA bus[br]inside the southbridge somewhere.
0:12:43.010,0:12:48.019
And it has VGA.[br]The PS4 doesn’t have -any- of these things.
0:12:48.019,0:12:51.880
So what do we do?[br]Let’s look a little bit how a PC works
0:12:51.880,0:12:55.760
and how a PS4 works. This is a general[br]simple PC system. There’s an APU
0:12:55.760,0:13:00.170
or an Intel Core CPU with a southbridge,[br]Intel calls it PCH, AMD FCH.
0:13:00.170,0:13:03.750
There’s an interface that is basically[br]PCIe although Intel calls it DMI and AMD
0:13:03.750,0:13:08.270
calls it UMI. DDR3 RAM and a bunch[br]of peripherals and SATA, whatever.
0:13:08.270,0:13:12.120
The PS4 kind of looks like that, right?[br]So you think this can’t be that dif…
0:13:12.120,0:13:15.810
What’s so hard about this?[br]Because all the crap I mentioned earlier
0:13:15.810,0:13:20.410
is in the southbridge on a PC, right?[br]The PS4 has a southbridge, right?
0:13:20.410,0:13:23.870
Right? Right? Umm… so[br]the southbridge, the AMD standard FCH
0:13:23.870,0:13:27.959
implements Intel legacy from 1981.[br]The Marvell Aeolia
0:13:27.959,0:13:31.030
– Marvell is the maker of the PS4[br]southbridge – implements Intel legacy
0:13:31.030,0:13:35.550
from 2002. What does that mean?[br]Ah! That’s no southbridge,
0:13:35.550,0:13:40.300
that’s a Marvell Armada SoC![br]So it’s not actually a southbridge,
0:13:40.300,0:13:43.760
it was never a southbridge.[br]It’s an ARM system-on-a-chip CPU
0:13:43.760,0:13:47.120
with everything. It’s a descendant[br]from Intel StrongARM or XScale.
0:13:47.120,0:13:49.120
It has a bunch of peripherals.[br]And what they did is, they stuck
0:13:49.120,0:13:53.240
a PCIe bridge on the side and said: “Hey[br]x86, you can now use all my ARM shit.”
0:13:53.240,0:13:56.270
So it exposes all of its ARM peripherals[br]to the x86. They added some stuff
0:13:56.270,0:13:59.100
they really needed for PCs[br]and it has its own RAM.
0:13:59.100,0:14:03.720
Why do they do this? Well, it also runs[br]FreeBSD on the ARM in standby mode.
0:14:03.720,0:14:06.019
And that’s how they do the whole[br]“download updates in the background,
0:14:06.019,0:14:08.760
get content, update, whatever”.[br]All that crap is because they have
0:14:08.760,0:14:12.851
a separate OS on a separate chip running[br]in standby mode. Okay, that’s great, but
0:14:12.851,0:14:17.860
it’s also batshit insane.[br]laughter
0:14:17.860,0:14:21.540
Quick recap: This is what a[br]PCIe bus number looks like,
0:14:21.540,0:14:24.459
sorry, a device number.[br]It has a bus number, which is 8 bits,
0:14:24.459,0:14:27.980
a device number, which is 5 bits,[br]and a function number, which is 3 bits.
0:14:27.980,0:14:31.339
You’ve probably seen this in lspci[br]if you’ve ever done that.
0:14:31.339,0:14:34.480
This is what a regular southbridge[br]looks like. It has a USB controller,
0:14:34.480,0:14:38.180
a PCI, ISA bridge, SATA, whatever.[br]And it has a bunch of devices.
0:14:38.180,0:14:41.110
So one southbridge pretends[br]to be multiple devices.
0:14:41.110,0:14:43.769
Because you only have three bits[br]for a function number so you can only have
0:14:43.769,0:14:47.200
up to eight functions in one device.
0:14:47.200,0:14:48.860
Intel southbridge just says:[br]“I’m device 14, 16, 1a, 1…,
0:14:48.860,0:14:51.860
I’m just a bunch of devices,[br]and you can talk to all of them.”
0:14:51.860,0:14:57.670
If you lspci on a roughly unpatched[br]Linux kernel on the PS4
0:14:57.670,0:15:00.649
you get something like this.[br]So the Aeolia first of all
0:15:00.649,0:15:03.740
clones itself into every PCIe device[br]because they were too lazy to do
0:15:03.740,0:15:08.110
“if device equals my number then[br]reply, otherwise don’t reply”. No,
0:15:08.110,0:15:11.470
they just said: “Oh, just reply to every[br]single PCIe device that might query”.
0:15:11.470,0:15:16.870
Linux sees the southbridge 31 different[br]times, which is kind of annoying
0:15:16.870,0:15:20.380
because it gets really confused when it[br]sees 31 clones of the same southbridge.
0:15:20.380,0:15:24.540
And then it has eight functions:[br]ACPI, ethernet, SATA, SDMC, PCIe,…
0:15:24.540,0:15:27.839
Eight functions, so all three bits.
0:15:27.839,0:15:29.790
Turns out, eight functions[br]are not enough for everybody.
0:15:29.790,0:15:34.490
Function no. 4, “PCI Express Glue”, has a[br]bridge config, MSI interrupt controller,
0:15:34.490,0:15:37.410
ICC – we’ll talk about that later –,[br]HPET timers, Flash controller,
0:15:37.410,0:15:44.920
RTC, timers, 2 serial ports, I2C… All[br]this smashed into one single PCIe device.
0:15:44.920,0:15:49.210
Linux has a minimum system requirement[br]to run on anything.
0:15:49.210,0:15:53.520
You need a timer, you need interrupts,[br]and you need some kind of console.
0:15:53.520,0:15:57.010
The PS4 has no PIT, no PIC and no standard[br]serial so none of the standard PC stuff
0:15:57.010,0:16:01.639
is going to work here. The board has[br]test points for an 8250 standard serial
0:16:01.639,0:16:05.529
in a different place. So we run[br]DMESG over that, okay, fine.
0:16:05.529,0:16:08.300
Linux has earlycon which we can[br]point to a serial port and say:
0:16:08.300,0:16:11.221
“Please send all your DMESG here[br]very early because I really want to see
0:16:11.221,0:16:16.030
what’s going on”. Doesn’t need IRQs,[br]you set console=uart8250,
0:16:16.030,0:16:20.420
the type, the address, the speed.[br]And you’ll see it says 3200 instead of
0:16:20.420,0:16:23.420
115 kBaud. That’s because their clock[br]is different. So you set 3200 but
0:16:23.420,0:16:27.540
it really means 115k.[br]And that gets you DMESG.
0:16:27.540,0:16:29.710
That actually gets you “Linux booting,[br]uncompressing”, whatever.
0:16:29.710,0:16:32.400
That’s pretty good.
0:16:32.400,0:16:36.540
Okay, we need a timer.[br]Because otherwise everything explodes.
0:16:36.540,0:16:40.360
Linux supports the TSC, a built-in CPU[br]timer which is super nice and super fun.
0:16:40.360,0:16:44.420
And PS4 has that. But Linux tries to[br]calibrate it against the legacy timer
0:16:44.420,0:16:47.430
which on the PS4 doesn’t exist[br]so that’s fail.
0:16:47.430,0:16:52.149
So again, the PS4 -really- is not a PC.
0:16:52.149,0:16:54.270
What we need to do here is[br]defining a new subarchitecture
0:16:54.270,0:16:58.519
because Linux supports this concept.[br]Says: “this is not a PC, this is a PS4”.
0:16:58.519,0:17:01.290
The bootloader tells Linux:[br]“Hey! This is a PS4!”
0:17:01.290,0:17:04.010
And then Linux says: “Okay, I’m not gonna[br]do the old timestamp calibration,
0:17:04.010,0:17:07.829
I’m gonna do it for the PS4” which has[br]a special code that we wrote
0:17:07.829,0:17:11.339
that calibrates against the PS4 timer.[br]And it disables the legacy crap.
0:17:11.339,0:17:13.790
So now this is officially[br]not a PC anymore.
0:17:13.790,0:17:18.539
Now we can talk about ACPI.
0:17:18.539,0:17:21.479
You might know ACPI for all its[br]horribleness and all its evilness
0:17:21.479,0:17:25.059
and all its Microsoft-y-ness.[br]ACPI - most people associate it with
0:17:25.059,0:17:28.069
“Suspend” and “Suspend to Hibernate”.[br]It’s not just power,
0:17:28.069,0:17:31.940
it does other stuff, too.[br]So we need ACPI for PCI config,
0:17:31.940,0:17:34.139
for the IOMMU, for the CPU frequency.
0:17:34.139,0:17:38.389
The PS4 of course has broken ACPI tables[br]because, of course it would be.
0:17:38.389,0:17:42.190
So we fixed them in ps4-kexec.
0:17:42.190,0:17:44.789
Now interrupts. We have timers,[br]we have serial, we fixed some stuff.
0:17:44.789,0:17:48.619
The PS4 does message-signaled interrupts[br]which is, what I said, the non-legacy,
0:17:48.619,0:17:51.490
the nice new thing where you just write[br]a value, and what you do is you tell
0:17:51.490,0:17:55.129
the device when you want to interrupt[br]“please write this value to this address”.
0:17:55.129,0:17:58.450
The device does that, and the CPU[br]interrupt controller sees that write
0:17:58.450,0:18:01.049
and says: “Oh, this is an interrupt”[br]and then just fires off that interrupt
0:18:01.049,0:18:06.490
into the CPU. That’s great.[br]It’s super fast and very efficient.
0:18:06.490,0:18:08.739
And the value directly tells the CPU:[br]“That’s the interrupt vector you have
0:18:08.739,0:18:14.460
to go to”. Okay, that’s the standard MSI[br]way there. Your computer does MSI that way.
0:18:14.460,0:18:19.700
This is how the PS4 does MSI: The Aeolia[br]ignores the MSI config registers
0:18:19.700,0:18:24.419
in the standard location. Instead it[br]has its own MSI controller,
0:18:24.419,0:18:28.279
all stuff that’s in Function 4,[br]which is that “glue” device.
0:18:28.279,0:18:32.460
Each function gets a shared address in[br]memory to write to and the top 27 bits
0:18:32.460,0:18:36.119
of data. And every sub function, because[br]you can’t do a lot of things into one place,
0:18:36.119,0:18:40.309
only gets the different 5 bits.[br]And all MSIs originate from Function 4,
0:18:40.309,0:18:43.399
so this device has to fire an interrupt,[br]then it goes to here, and then
0:18:43.399,0:18:48.700
that device fires an interrupt. Like… what…[br]this is all… what the hell is going on?
0:18:48.700,0:18:53.769
Seriously, this is really fucked up. And[br]– the i’s are missing in the front there.
0:18:53.769,0:18:59.299
But yeah. So, driver hell. Now the devices[br]are interdependent. Then the IRQ vector
0:18:59.299,0:19:02.831
location is not sequential, so that’s not[br]gonna work. And you need to modify
0:19:02.831,0:19:07.590
all the drivers. This is really painful to[br]develop for. So what we ended up doing
0:19:07.590,0:19:11.950
is there is a core driver that implements[br]an interrupt controller for this thing.
0:19:11.950,0:19:15.779
And then we have to make sure that loads[br]first, before the device driver. So Linux
0:19:15.779,0:19:19.399
has a mechanism for that. And we had to[br]patch the drivers. Some drivers we patched,
0:19:19.399,0:19:22.820
so to use these interrupts. And others[br]we wrapped around to use these interrupts.
0:19:22.820,0:19:26.350
Unfortunately, because of the top bit[br]thing, everything has to share one interrupt
0:19:26.350,0:19:31.279
within a function. Thankfully, we can fix[br]that with an IOMMU because it can read
0:19:31.279,0:19:34.320
direct interrupt. So we can say:[br]“Oh, interrupt no. 0 goes to here,
0:19:34.320,0:19:39.209
1 goes to here, 2 goes to here…”.[br]That’s great ’cause it’s consecutive, right?
0:19:39.209,0:19:45.490
0 1 2 3 4 5… it’s obviously gonna have[br]the same top bits. But we have to fix
0:19:45.495,0:19:49.152
the ACPI table for that because it’s[br]broken. But this does work. So this
0:19:49.152,0:19:54.109
gets us interrupts that function and[br]they’re individual. So let’s look at
0:19:54.109,0:19:58.220
the check list: we have interrupts, timers,[br]early serial, late serial with interrupts.
0:19:58.220,0:20:03.169
We can get some user space, we can stash[br]some user space and binaries into the kernel.
0:20:03.169,0:20:06.060
And it will boot and you can get a console,[br]but you get a console and you try
0:20:06.060,0:20:12.880
writing commands and sometimes it hangs.[br]Okay. What’s going on there?
0:20:12.880,0:20:16.700
So it turns out that FreeBSD masks[br]interrupts with an AMD proprietary
0:20:16.700,0:20:21.149
register set. We had to clean that up,[br]too. And that fixes serial,
0:20:21.149,0:20:24.729
and all the other interrupts.[br]This took ages to find. It’s like: “why…
0:20:24.729,0:20:26.909
interrupts on CPU serial[br]sometimes don’t…, yeah”.
0:20:26.909,0:20:33.789
I ended up dumping register sets,[br]and I saw this #FFFFF here, not #FFFFF,
0:20:33.789,0:20:39.350
what’s that? But tracking through this[br]stack to find this was really annoying.
0:20:39.350,0:20:45.780
Alright. So we have the basics. We have[br]like a core platform we can run Linux on,
0:20:45.780,0:20:49.500
even though it won’t do anything[br]interesting. Add drivers!
0:20:49.500,0:20:54.450
So we have USB xHCI which has three[br]controllers in one device. Again, because
0:20:54.450,0:20:59.899
“Let’s make it insane!”. We have SDHCI,[br]that’s SDIO for the Wi-Fi and the Bluetooth.
0:20:59.899,0:21:03.509
Needs a non-standard config, it needs[br]quirks. Ethernet needs more hacks.
0:21:03.509,0:21:07.139
It’s still partially broken, it only runs at[br]Gigabit speed. If you plug in a 100Mbit/s
0:21:07.139,0:21:10.320
switch it just doesn’t send any data.[br]Not sure why.
0:21:10.320,0:21:13.809
And then all of this worked fine in[br]Linux 4.4, and then just three days ago
0:21:13.809,0:21:18.190
I think I tried to rebase on 4.9, and so[br]we have the latest and the greatest.
0:21:18.190,0:21:21.249
And everything failed. And DMA didn’t[br]work. And all the drivers were just
0:21:21.249,0:21:24.200
throwing their hands up in the air,[br]“what’s going on here?”.
0:21:24.200,0:21:27.279
exhales[br]Aeolia strikes back. So.
0:21:27.279,0:21:32.549
That’s what… the Aeolia looks like,[br]normally. So you have… again,
0:21:32.549,0:21:36.690
it’s an ARM SoC, it’s really not a device.[br]It’s like its own little system. But
0:21:36.690,0:21:40.750
it maps its low 2 GB of the address space[br]to memory on the PC. And then the PC
0:21:40.750,0:21:45.080
has a window into its registers that it[br]can use to control those devices.
0:21:45.080,0:21:48.429
So the PC can kind of play with the[br]devices, and the DMA is to the same address
0:21:48.429,0:21:53.149
and that works great. Because it’s mapped[br]in the same place. And then has its own RAM,
0:21:53.149,0:21:58.580
in its own address space. This works fine.[br]But now we had an IOMMU. Because
0:21:58.580,0:22:01.869
we needed it for the interrupts. And the[br]IOMMU inserts its own address space
0:22:01.869,0:22:05.190
in between and says: “Okay, you can map[br]anything to anything you want, that’s great.”
0:22:05.190,0:22:08.320
It’s a page table, you can say “this[br]address goes to that address.”
0:22:08.320,0:22:13.099
Linux 4.4 did this: it would find some[br]addresses at the bottom of the IOMMU
0:22:13.099,0:22:17.659
address space, say: “page 1 goes to this,[br]page 2 goes to that, page 3 goes to that”.
0:22:17.659,0:22:22.870
And say: “device, you can now write to these[br]pages”. And they go to this place in the x86.
0:22:22.870,0:22:28.200
That worked fine. It turns out Linux 4.9,[br]or somewhere between 4.4 and 4.9
0:22:28.200,0:22:32.549
it started doing this: it would map pages[br]from the top of the IOMMU address space
0:22:32.549,0:22:36.749
and that’s fine for the IOMMU but it’s[br]not in the window in the Aeolia, so
0:22:36.749,0:22:42.140
you say “ethernet DMA to address[br]FExxx”, and instead of DMA-ing
0:22:42.140,0:22:49.830
to the RAM on the PC it DMA-s to the RAM[br]on the Aeolia which is not gonna work.
0:22:49.830,0:22:53.980
Effectively the Aeolia implements 31 bit[br]DMA, not 32 bit DMA because only
0:22:53.980,0:23:00.009
the bottom half is usable. It’s like why…[br]this is all really fucked up, guys!
0:23:00.009,0:23:03.799
Seriously. And this is littered all over[br]the code in Linux, so they seeded
0:23:03.799,0:23:07.409
more patches, and it works, but, yeah.
0:23:07.409,0:23:11.029
Painful. Okay. Devices, laying out (?)[br]devices’ work.
0:23:11.029,0:23:16.259
Now for something completely different.[br]Who can tell me who this character is?
0:23:16.259,0:23:20.659
That’s Starsha from Space Battleship Yamato.[br]And apparently that’s the code name
0:23:20.659,0:23:24.840
for the PS4 graphics chip. Or at least that’s[br]one of the code names. Because
0:23:24.840,0:23:27.940
they don’t seem to be able to agree[br]on like what the code names are.
0:23:27.940,0:23:31.860
It’s got “Liverpool” in some places, and[br]“Starsha” in other places. Then “ThebeJ”
0:23:31.860,0:23:36.210
in other places. And we think Sony calls[br]it “Starsha” and AMD calls it “Liverpool”
0:23:36.210,0:23:39.789
but we’re not sure. We are calling it[br]“Liverpool” everywhere just to avoid
0:23:39.789,0:23:43.660
confusion. Okay.[br]What’s this GPU about?
0:23:43.660,0:23:47.230
Well, it’s an AMD Sea[br]Islands generation GPU,
0:23:47.230,0:23:52.940
which is spelled CI instead of SI because[br]“S” was taken. It’s similar to other chips
0:23:52.940,0:23:57.969
in the generation. So at least that’s[br]not a bat shit crazy new thing.
0:23:57.969,0:24:00.950
But it does have quirks and customizations[br]and oddities and things that don’t work.
0:24:00.950,0:24:03.769
What we did is we took Bonaire which is[br]another GPU that is already supported
0:24:03.769,0:24:06.919
by Linux in that generation, and just kind[br]of added a new chip and said, okay,
0:24:06.919,0:24:12.769
do all the Bonaire stuff, and then change[br]things. And hopefully adapt it to the PS4.
0:24:12.769,0:24:16.440
So hacking AMD drivers, okay, well,[br]they’re open-source but AMD does not
0:24:16.440,0:24:20.190
publish register docs. They publish 3D[br]shader and command queue documentations,
0:24:20.190,0:24:24.280
so we get all the user space 3D rendering[br]commands, that’s documented. But they
0:24:24.280,0:24:27.609
don’t publish all the kernel hardware[br]register documentation. That’s what
0:24:27.609,0:24:30.740
we really want for hacking on drivers. So[br]that’s annoying. And you’re thinking
0:24:30.740,0:24:34.389
“the code is the documentation”,[br]right? “Just read the Linux drivers”.
0:24:34.389,0:24:39.299
That’s great. Yeah, but they’re incomplete,[br]then they have magic numbers, and
0:24:39.299,0:24:43.229
it’s, you know, you don’t know if you need[br]to write a new register that’s not there,
0:24:43.229,0:24:47.399
and it really sucks to try to write a GPU[br]driver by reading other GPU drivers
0:24:47.399,0:24:50.840
with no docs. So what do we do? We’re[br]hackers, right? We google. Every time
0:24:50.840,0:24:54.480
we need information, hopefully Google will[br]find it because Google knows everything.
0:24:54.480,0:24:59.109
And any tip that you could find in any[br]forum or code dumped somewhere is
0:24:59.109,0:25:05.850
great. One of the things we found is we[br]googled this little string, “R8XXGPU”.
0:25:05.850,0:25:10.730
And we get nine results. And the second[br]result is this place, it’s “Siliconkit”,
0:25:10.730,0:25:15.629
token, was that okay? It’s an XML file.[br]And if we look at that it looks like
0:25:15.629,0:25:21.499
it’s an XML file that contains a dump of[br]the Bonaire GPU register documentation.
0:25:21.499,0:25:26.389
But it’s like broken XML, and it’s[br]incomplete, it stops at one point.
0:25:26.389,0:25:31.379
But like: “what’s this doing here?”[br]And where did this come from, right?
0:25:31.379,0:25:35.539
So let’s dig a little deeper. Okay Google,[br]what do you know about this website?
0:25:35.539,0:25:39.789
Well, there’s some random things like[br]whatthehellno.txt and whatthehellyes.txt
0:25:39.789,0:25:46.200
and some Excel files. Those are[br]really Excel like XML cell sheets.
0:25:46.200,0:25:50.890
And then there’s a thing in the (?) there[br]called RAI.GRAMMAR.4.TXT.
0:25:50.890,0:25:56.960
I wonder what that is. And it looks like[br]it’s a grammar, being a notation description
0:25:56.960,0:26:03.490
for a syntax, of some kind of register[br]documentation file. This looks like
0:26:03.490,0:26:10.749
an AMD internal format but it’s on this[br]website. Okay. So we have these two URLs,
0:26:10.749,0:26:14.559
/pragmatic/bonaire.xml[br]and /RAI/rai.grammar4.txt.
0:26:14.559,0:26:22.199
Let’s try something. How about maybe[br]/pragmatic/bonaire.rai – nah, it’s a 404.
0:26:22.199,0:26:26.539
Okay, /pragmatic/RAI/bonaire.rai – aah![br]Bingo!
0:26:26.539,0:26:34.869
laughter and applause
0:26:34.869,0:26:39.249
So this is a full – almost full Bonaire[br]register documentation with like
0:26:39.249,0:26:44.350
full register field descriptions, breakdowns,[br]all the addresses. It’s not 100% but
0:26:44.350,0:26:48.829
like of the vast majority. This seems to[br]be AMD-internal stuff. And I looked
0:26:48.829,0:26:53.469
this guy up, and apparently he worked[br]at AMD at some point. So…
0:26:53.469,0:26:56.849
But yeah… This is really, really helpful[br]because now you know what everything
0:26:56.849,0:27:03.249
means, and debug registers, and… yeah.[br]So I wrote a working parser for this format.
0:27:03.249,0:27:06.559
This was effectively writing an XML parser,[br]something like convert this thing to XML
0:27:06.559,0:27:10.833
but it was all broken. Oh – he was writing[br]it in PHP, by the way, so there you go …
0:27:10.833,0:27:14.580
So I wrote a working one in Python and[br]you can dump it and then you can see
0:27:14.580,0:27:18.309
what each register means, and it’ll tell[br]you all the options. You can take
0:27:18.309,0:27:22.519
a register dump and map it to the (?)(?)[br]documented. You can diff dumps,
0:27:22.519,0:27:26.529
you can generate defines, it’s very useful[br]for AMD GPUs. And this, grossly speaking
0:27:26.529,0:27:31.109
applies to a lot of AMD GPUs, like they[br]share a lot of registers. So this is useful
0:27:31.109,0:27:36.090
for anyone hacking on AMD GPU stuff. Over[br]4.000 registers are documented in the …
0:27:36.090,0:27:42.019
just in the main GPU address space alone.[br]That’s great. Okay. So we have some docs.
0:27:42.019,0:27:49.969
How do we get to a frame buffer? So if you…[br]Israel (?) is HDMI it’s easy, right? The GPU
0:27:49.969,0:27:52.489
has HDMI, and if you query the GPU[br]information you actually get that it has
0:27:52.489,0:27:57.860
an HDMI port and a DisplayPort port. Okay,[br]maybe it’s unconnected, that’s fine, right?
0:27:57.860,0:28:03.509
But if you actually ask the GPU it tells[br]you: “HDMI is not connected, DP is connected”.
0:28:03.509,0:28:09.919
Okay. Yeah, they have an external HDMI[br]encoder from DisplayPort to HDMI because
0:28:09.919,0:28:13.029
just putting a wire from A to B is too[br]difficult, because this is Sony, so:
0:28:13.029,0:28:19.759
“let’s put a chip that converts some[br]protocol A to protocol B…” sighs
0:28:19.759,0:28:25.700
Yeah, yeah.[br]applause
0:28:25.700,0:28:33.549
It’s a Panasonic DisplayPort to HDMI[br]bridge, not documented by the way.
0:28:33.549,0:28:37.429
We parsed config to work, that’s why it[br]doesn’t just work. Even though some bridges do.
0:28:37.429,0:28:41.389
And you’d think, okay, it’s hooked up to the[br]GPU I2C bus, because GPUs have in the past
0:28:41.389,0:28:45.309
used these bridges, and, not this one[br]particularly but other AMD cards have had
0:28:45.309,0:28:48.659
various chips that they stuck in front. And[br]the code has support for talking to them
0:28:48.659,0:28:54.309
through the GPU I2C interface, right?[br]That’s easy. Yay, you wish – it’s a Sony.
0:28:54.309,0:28:57.909
sighs[br]Enter ICC! So, remember the ICC thing
0:28:57.909,0:29:02.169
in the Aeolia – it’s an RPC protocol you[br]use to send commands to an MCU that is
0:29:02.169,0:29:05.549
somewhere else on the motherboard. It’s[br]a message box system, so you write some
0:29:05.549,0:29:09.519
message to a memory place, and then you[br]tell: “Hey, read this message!” and then
0:29:09.519,0:29:12.090
it writes some message back, and it tells[br]you “Hey, it’s the reply!”.
0:29:12.090,0:29:15.019
The Aeolia – not the other GPU – uses it for things like
0:29:15.019,0:29:20.989
Power Button, the LEDs, turning the power[br]on and off, and also the HDMI encoder I2C.
0:29:20.989,0:29:25.460
So now we have the dependency from the[br]GPU driver to the Aeolia driver, two different
0:29:25.460,0:29:30.200
PCI devices and two different… sighs[br]Yeah. And okay, again, ICC, but it’s I2C,
0:29:30.200,0:29:34.099
you know, I2C is a simple protocol.[br]You read a register, you write a register,
0:29:34.099,0:29:38.549
that’s all you need. It’s super simple.[br]Right? Now let’s make a byte code
0:29:38.549,0:29:41.479
fucking scripting engine to which you I2C[br]commands and delays and bit masking
0:29:41.479,0:29:47.029
and everything. And why, Sony, why, like[br]why would you do this? Well, because
0:29:47.029,0:29:50.769
ICC is so slow? That if you actually tried[br]to do one read and one write at a time
0:29:50.769,0:29:55.500
it takes 2 seconds to bring up HDMI.[br]exhales
0:29:55.500,0:29:57.039
Yeah…
0:29:57.039,0:30:01.820
I don’t even know at this point…[br]applause
0:30:01.820,0:30:04.059
I have no idea.[br]continued applause
0:30:04.059,0:30:10.499
And by the way this thing has commands[br]where you can send scripts in a script
0:30:10.499,0:30:13.849
to be run when certain events happen. So[br]“Yo dawg, I heard you like scripts, I put
0:30:13.849,0:30:16.960
scripts in your scripts so you can I2C[br]while you I2C”. Like: “let’s just go
0:30:16.960,0:30:23.769
even deeper at this point”, right? Yeah.[br]exhales
0:30:23.769,0:30:29.009
Okay. We wrote some code for this,[br]you need more hacks, it needs all
0:30:29.009,0:30:33.599
DisplayPort lanes up, Linux tries to downscale,[br]doesn’t work. Memory bandwidth calculation
0:30:33.599,0:30:37.289
is broken. Mouse cursor size is from the[br]previous GPU generation for some reason,
0:30:37.289,0:30:41.750
I guess they forgot to update that. So[br]wait! All this crap – we get a frame buffer.
0:30:41.750,0:30:47.159
But X won’t start. Ah. Well, it turns out[br]that PS4 uses a unified memory architecture
0:30:47.159,0:30:52.580
so it has a single memory pool that is[br]shared between the x86 and the GPU.
0:30:52.580,0:30:56.110
And games just put a texture in memory[br]and say: “Hey, GPU, render this!” and
0:30:56.110,0:31:00.889
that works great. And this makes a lot of[br]sense, and their driver uses this to the
0:31:00.889,0:31:06.369
fullest extents. So there’s a VRAM,[br]you know, the legacy… GPUs had
0:31:06.369,0:31:10.229
a separate VRAM and all these integrated[br]chip sets can emulate VRAM using a chunk
0:31:10.229,0:31:13.739
of the system memory. And you can usually[br]configure that in the BIOS if you have
0:31:13.739,0:31:18.729
a PC that does this. And PS4 sets it to[br]16 MB which is actually the lowest possible
0:31:18.729,0:31:24.659
setting. And 16 Megs is not enough to have[br]more than one Full HD frame buffer. So,
0:31:24.659,0:31:28.519
obviously, that’s going to explode in[br]Linux pretty badly. So what we do is
0:31:28.519,0:31:31.749
we actually reconfigure the memory[br]controller in the system to give 1 GB
0:31:31.749,0:31:36.719
of RAM to the VRAM, and we did it on the[br]psd-kexec. So it’s basically doing like
0:31:36.719,0:31:41.519
BIOSy things. We were reconfiguring the[br]Northbridge at this point to make this work.
0:31:41.519,0:31:46.299
But it works. And with this we can get X[br]to start because it can allocate its frame buffer.
0:31:46.299,0:31:53.659
But okay, it’s 3D time, right? – Neeaah,[br]GPU acceleration doesn’t quite work yet.
0:31:53.659,0:31:58.560
So we got at least, you know, X but let’s[br]talk a bit about the Radeon GPU
0:31:58.560,0:32:03.179
for a second. So when you want to draw[br]something on the GPU you send it a command
0:32:03.179,0:32:06.289
and you do this by putting it into ‘ring’[br]which is really just a structure in memory,
0:32:06.289,0:32:11.499
that’s a (?)(?)(?)(?). And it wraps around.[br]So that way you can queue things to be done
0:32:11.499,0:32:15.600
in the GPU, and then it does it on its own[br]and you can go and do other things.
0:32:15.600,0:32:20.330
There’s a Graphics Ring for drawing,[br]a Compute Ring for GPGPU, and a DMA Ring
0:32:20.330,0:32:24.809
for copying things around. The commands[br]are processed by the GPU Command Processor
0:32:24.809,0:32:32.419
which is really a bunch of different CPUs[br]inside the GPU. They are called F32.
0:32:32.419,0:32:36.570
And they run a proprietary AMD microcode.[br]So this is a custom architecture.
0:32:36.570,0:32:40.419
Also the rings can call out to IBs which[br]are indirect buffers. So you can say
0:32:40.419,0:32:44.999
basically “Call this piece of memory, do[br]this stuff there, return back to the ring”.
0:32:44.999,0:32:48.629
And that’s actually how the user space[br]thing does things. So this says:
0:32:48.629,0:32:51.750
“Draw this stuff” and it tells the kernel:[br]“Hey, draw this stuff”. And the kernel
0:32:51.750,0:32:57.269
tells the GPU: “Jump to that stuff,[br]read it come back, keep doing stuff”.
0:32:57.269,0:33:01.999
This is basically how most GPUs work but[br]Radeon specifically works like, you know…
0:33:01.999,0:33:06.649
with this F32 stuff. Okay. The driver[br]complains: “Ring 0 test failed”.
0:33:06.649,0:33:10.669
Technically (?), you test them, so at least[br]you know it has nice diagnostic,
0:33:10.669,0:33:13.669
and how does the test work? It’s really[br]easy. It writes a register with a value,
0:33:13.669,0:33:16.649
and then it tells the GPU with a command[br]“Please write this other value
0:33:16.649,0:33:21.159
to the register”, runs it and the checks[br]to see if the register was actually written
0:33:21.159,0:33:29.190
with the new value. So the write doesn’t[br]happen. Thankfully, thanks to that RAI file
0:33:29.190,0:33:32.459
earlier we found some debug registers that[br]tell you exactly what’s going on inside
0:33:32.459,0:33:36.809
the GPU. And it shows the Command[br]Processor is stuck, waiting for data
0:33:36.809,0:33:41.549
in the ring, so it needs more data.[br]After a NOP command?! Yeah…
0:33:41.549,0:33:46.950
NOP is hard, let’s go stalling. So packet[br]headers in this GPU thing have a size
0:33:46.950,0:33:51.700
that is SIZE-2. Whoever thought that was[br]a good idea. So a 2 word packet
0:33:51.700,0:33:58.919
has a size of zero. Then AMD implemented[br]a 1 word packet with a size of -1.
0:33:58.919,0:34:03.309
And old firmware doesn’t support that and[br]thinks: “Oh it’s 3FFF so I’m just gonna wait
0:34:03.309,0:34:08.540
for a shitload of code in the buffer”,[br]right? It turns out that Hawaii,
0:34:08.540,0:34:12.418
which is another GPU in the same gen[br]has the same problem with old firmware.
0:34:12.418,0:34:14.772
So they use a different NOP packet, so[br]there was an exception in the driver
0:34:14.772,0:34:18.940
for this. And we had to add ours to that.[br]But again – getting to this point, many,
0:34:18.940,0:34:23.110
many, many hours of headbanging.
0:34:23.110,0:34:28.230
Okay. We fixed that. Now it says:[br]“Ring 3 test failed”.
0:34:28.230,0:34:31.069
That’s the SDMA ring. That’s for copying[br]things in memory and it works
0:34:31.069,0:34:34.909
in the same way. It puts a value in RAM.[br]It tells the SDMA engine: “hey, write
0:34:34.909,0:34:40.429
a different value”. And checks. This time[br]we see the write happens but it writes “0”
0:34:40.429,0:34:44.839
instead of the 0xDEADBEEF or whatever.[br]Okay. So I tried this.
0:34:44.839,0:34:48.139
I put two Write commands in the ring[br]saying: “Write to one place, write to
0:34:48.139,0:34:52.518
a different place”. And this time,[br]if I saw, what it did is it wrote “1”
0:34:52.518,0:34:56.619
to the first destination and “0” to the[br]second destination. I’m thinking:
0:34:56.619,0:35:00.380
“Okay, it’s supposed to write 0xDEADBEEF…”[br]which is what you see there, it’s…
0:35:00.380,0:35:04.450
0xDEADBEEF is that word[br]with the value. It writes “1”.
0:35:04.450,0:35:08.980
Well, there’s a “1” there that[br]wasn’t there before, it was a “0”,
0:35:08.980,0:35:13.640
because of this padding, right? So it[br]turns out they have it off by four,
0:35:13.640,0:35:17.890
in the SDMA command parser[br]and it reads from four words later
0:35:17.890,0:35:21.670
than it should.[br]exhales
0:35:21.670,0:35:26.910
Again, this took many hours of[br]headbanging. It was like:
0:35:26.910,0:35:32.390
“Randomly try two commands, oh, one, one?”[br]– “One”.
0:35:32.390,0:35:37.779
So it reads four words too late but only[br]in ring buffers. Indirect buffers work fine.
0:35:37.779,0:35:40.940
That’s good because those come from user[br]space. So we don’t have to muck with those.
0:35:40.940,0:35:43.480
We can work around this, because it’s[br]only used in two places in the kernel,
0:35:43.480,0:35:47.540
by using a Fill command instead of a Write[br]command. That works fine. Again,…
0:35:47.540,0:35:52.490
how do they even make these mistakes?![br]Okay. But still the GPU doesn’t work.
0:35:52.490,0:35:55.640
The ring tests pass but if you tried[br]to draw you get a bunch of page faults.
0:35:55.640,0:35:59.369
And it turns out that what happens is that[br]on the PS4 you can’t write the page table
0:35:59.369,0:36:05.829
registers from actual commands in the GPU[br]itself. You can write to them from the CPU
0:36:05.829,0:36:09.319
directly. You can say just: “Write memory[br]– memory register write”, and then
0:36:09.319,0:36:14.519
I’ll write. But you can’t tell the GPU:[br]“Please write to the page table register this”.
0:36:14.519,0:36:18.520
So the page tables don’t work, the GPU[br]can’t see any memory, so everything is broken.
0:36:18.520,0:36:22.920
Linux uses this, FreeBSD doesn’t. It uses[br]direct writes. And we think this is maybe
0:36:22.920,0:36:27.290
a Firewall somewhere in the Liverpool,[br]some kind of security thing they added.
0:36:27.290,0:36:30.940
We can directly write from the CPU.[br]But it like breaks the regular…
0:36:30.940,0:36:34.830
like it’s not asynchronous anymore. So[br]this could break things. And it’s a really
0:36:34.830,0:36:39.000
hacky solution. I would really like to fix[br]this. And I’m thinking: “Maybe the firewall
0:36:39.000,0:36:42.940
is in the firmware, right?”. But it’s[br]proprietary and undocumented firmware.
0:36:42.940,0:36:47.630
So let’s look at that firmware. It’s[br]a thing, it needs microcode, a CP thing.
0:36:47.630,0:36:51.440
It’s undocumented. But we take the blobs[br]out of FreeBSD. And that’s great because
0:36:51.440,0:36:56.510
we don’t have to ship them. Let’s[br]dig deeper into those blobs. So how do you
0:36:56.510,0:37:00.599
reverse-engineer an unknown CPU[br]architecture? That’s really easy,
0:37:00.599,0:37:05.039
run an instruction and see what it did.[br]And then just keep doing that. Thankfully,
0:37:05.039,0:37:07.710
we upload custom firmwares, so it’s[br]actually really easy to just have like
0:37:07.710,0:37:10.450
a two-instruction firmware that does[br]something, and then writes a register
0:37:10.450,0:37:14.220
to a memory location. And that’s actually[br]really easy to find. If you first like
0:37:14.220,0:37:17.460
write the memory instruction, it’s really[br]easy to find in the binary because you see
0:37:17.460,0:37:23.559
like GPU register offsets that stand out[br]a bit in one column. So long story short,
0:37:23.559,0:37:27.799
we wrote F32DIS which is a disassembler[br]for the proprietary AMD F32 microcode.
0:37:27.799,0:37:31.619
I shamelessly stole the instruction[br]syntax from ARM. So you may recognize
0:37:31.619,0:37:35.130
that if you’ve ever seen an ARM disassembly.[br]And this is not complete but it can
0:37:35.130,0:37:38.980
disassemble every single instruction[br]in all the firmware in Liverpool for PFP,
0:37:38.980,0:37:43.110
ME, CE, MEC and RLC which are five[br]different blocks in the GPU. As far
0:37:43.110,0:37:46.319
as I notice that’s never been done before,[br]all the firmware was like in a voodoo
0:37:46.319,0:37:50.099
black magic thing that’s been shipped.[br]Not even the non-AMD kernel developers
0:37:50.099,0:37:54.710
know anything about this. So…[br]applause
0:37:54.710,0:37:57.290
ongoing applause
0:37:57.290,0:38:01.839
And you can disassemble the desktop[br]GPU stuff, too. So this could be good for
0:38:01.839,0:38:06.133
debugging strange GPU shenanigans[br]in non-PS4 stuff.
0:38:06.133,0:38:10.660
Alright. Alas, it’s not in the firmware.[br]It seems to be blocked in hardware.
0:38:10.660,0:38:14.510
I found a debug register that actually[br]says: “there was an access violation
0:38:14.510,0:38:17.340
in the bus when you try to write this[br]thing”. And I tried a bunch of workarounds
0:38:17.340,0:38:22.789
and I even bought an AMD APU system,[br]desktop. Dumped all the registers,
0:38:22.789,0:38:26.780
diff’ed them against the one I had on Linux[br]and tried setting every single value
0:38:26.780,0:38:30.880
from the other GPU and hoping I find some[br]magic bits somewhere, but… no.
0:38:30.880,0:38:35.420
They probably have a setting for this,[br]somewhere, but it’s a sea of ones and zeros,
0:38:35.420,0:38:40.210
good luck finding it. It does work with[br]a CPU Write, workaround, though.
0:38:40.210,0:38:43.769
So, hey, at least we get 3D! And it’s[br]actually pretty stable, so if there’s
0:38:43.769,0:38:49.210
a race condition I’m not really seeing it.[br]So – checklist! What works,
0:38:49.210,0:38:52.640
what doesn’t work. We have interrupts,[br]and timers – the core thing you need
0:38:52.640,0:38:56.490
to run any OS – we have a serial port,[br]we can shutdown the system and reboot,
0:38:56.490,0:38:59.559
and you’ll think that’s funny but actually[br]that goes through ICC, so again,
0:38:59.559,0:39:02.420
at least some interesting code there.[br]I actually just implemented that about
0:39:02.420,0:39:08.700
four hours ago. Because pulling the plug[br]was getting old. The Power button works.
0:39:08.700,0:39:13.280
USB works. There’s a funny story with USB[br]as it used not to work. And we said:
0:39:13.280,0:39:17.430
“Fix it later, there seems to be special[br]code missing.” And then someone
0:39:17.430,0:39:20.499
pulled a repo from the USB-not-working[br]branch, and tested it, and said:
0:39:20.499,0:39:25.450
“It’s working!” It seems we fixed it by[br]accident, by changing something else.
0:39:25.450,0:39:29.170
The hard disk works which is via the USB.[br]Blu-ray works, I wrote a driver for that,
0:39:29.170,0:39:32.170
also four hours ago. – Three hours ago[br]now? Yeah, something like that.
0:39:32.170,0:39:34.930
And I spent 20 minutes looking for someone[br]in the Hackcenter that had a DVD I could
0:39:34.930,0:39:40.400
stick in to try. Apparently I’m from[br]the past if I ask for DVDs.
0:39:40.400,0:39:45.390
But it does work. So that’s good. Wi-Fi[br]and Bluetooth works.
0:39:45.390,0:39:49.119
Ethernet works, except only at GBit speeds.[br]Frame buffer works. HDMI works.
0:39:49.119,0:39:54.829
It’s currently hard-coded to 1080p so…[br]It does work. We can fix that
0:39:54.829,0:40:00.960
by improving the encoder implementation.[br]3D works with the ugly register write hack.
0:40:00.960,0:40:06.659
And SPDIF audio works. So that’s good.[br]HDMI audio doesn’t work. Mostly because
0:40:06.659,0:40:10.450
I only got audio grossly working, in[br]general, recently, and I haven’t had
0:40:10.450,0:40:15.250
a chance to program the encoder to support[br]the audio stuff yet. Because, again,
0:40:15.250,0:40:18.619
new more annoying hacks there. And the[br]real-time clock doesn’t work and everything.
0:40:18.619,0:40:23.350
That’s simple, the clock, that device is[br]simple. But ever since the PS2 the way
0:40:23.350,0:40:27.410
Sony has implemented real-time clocks[br]is that instead of reading and writing
0:40:27.410,0:40:29.920
the time on the clock, which is what you[br]would think is the normal thing to do,
0:40:29.920,0:40:33.480
they never write the time on the clock.[br]Instead, they store an offset from the clock
0:40:33.480,0:40:39.579
to the real time, in some kind of storage[br]location. And there’s a giant mess of…
0:40:39.579,0:40:44.269
…registry it’s called, in the PS4, and[br]I don’t even know where it’s stored.
0:40:44.269,0:40:46.970
It might be on the hard drive, it might be[br]encrypted. So basically, getting
0:40:46.970,0:40:50.259
the real-time clock to actually show the[br]right time involves a pile of nonsense
0:40:50.259,0:40:53.980
that I haven’t had the chance to look at[br]yet. But… we have NTP, right?
0:40:53.980,0:40:59.030
So it’s good enough. – Oh, and we have[br]Blinkenlights! Important! The Power LED
0:40:59.030,0:41:04.329
does some interesting things, if you’re[br]on Linux. So that’s good.
0:41:04.329,0:41:10.610
So – the code: you can get the ps4-kexec[br]code on our Github page. That has
0:41:10.610,0:41:14.910
the kexec and the hardware configuration,[br]and the bootloader Linux stuff.
0:41:14.910,0:41:18.599
You can get the ps4 Linux branch which is[br]the… our fork of the kernel,
0:41:18.599,0:41:22.769
rebased on 4.9 which is the latest (?)[br]version, I think.
0:41:22.769,0:41:26.319
You can get our Radeon patches which are[br]three, I think, really tiny patches for
0:41:26.319,0:41:30.410
user space libraries just to support this[br]new chip. Really simple stuff, the NOP
0:41:30.410,0:41:35.289
thing, and a couple of commands. And the[br]RAI and F32DIS thing I mentioned.
0:41:35.289,0:41:40.779
You can get Radeon tools at that Github[br]repo. Just push that right before the stock.
0:41:40.779,0:41:44.089
So if you’re interested – there you go.[br]And if you going at the RAI file, well,
0:41:44.089,0:41:47.569
we wanna put you on a run before the guys[br]at that website realize they really should
0:41:47.569,0:41:52.589
take that down! But I’m sure the internet[br]wayback machine has it somewhere.
0:41:52.589,0:42:00.279
Okay! That’s everything for the story of[br]how we got Linux running on the PS4.
0:42:00.279,0:42:08.710
And you can reach us at that website[br]or fail0verflow on Twitter.
0:42:08.710,0:42:14.440
applause[br]Thank you!
0:42:14.440,0:42:18.259
ongoing applause
0:42:18.259,0:42:24.309
I hope that wasn’t too fast, sorry, I had[br]to rush through my 89 slides a little bit
0:42:24.309,0:42:29.460
because I really wanted to do a demo.[br]I think this kind of is the demo, right.
0:42:29.460,0:42:33.180
But we can try something else.[br]So maybe I can shut this –
0:42:33.180,0:42:39.839
so I can aim with my controller.
0:42:39.839,0:42:43.960
This is really not meant as a mouse![br]That’s not Right Button.
0:42:43.960,0:42:46.809
Come on! Yeah, I think it is…
0:42:46.809,0:42:48.810
Close? Close! Maybe…
0:42:48.810,0:42:51.099
So we have this little icon here.[br]I wonder what happens if it works.
0:42:51.099,0:42:55.740
Do we have internet access? Hopefully[br]Wi-Fi works, let’s then just check real quick.
0:42:55.740,0:42:57.730
keyboard typing sounds
0:42:57.730,0:42:59.849
This could bork really badly if we don’t.
0:42:59.849,0:43:02.039
keyboard typing sounds
0:43:02.039,0:43:03.500
mumbles ping 8.8.8.8
0:43:03.500,0:43:06.009
Yeah, we have internet access.[br]So, Wi-Fi works!
0:43:06.009,0:43:08.710
Okay. I wonder what happens[br]if we click that!
0:43:08.710,0:43:15.160
It takes a while to load.[br]This is not optimized for…
0:43:15.160,0:43:23.859
laughter and applause[br]marcan laughs
0:43:23.859,0:43:28.410
So the CPUs on this thing are[br]a little bit slow. But…
0:43:28.410,0:43:31.990
sounds of the machine[br]Hey, it works!
0:43:31.990,0:43:35.880
And now it’s a real game console!
0:43:35.880,0:43:42.089
laughter and applause
0:43:42.089,0:43:49.069
And this is… there we go, okay.
0:43:49.069,0:43:54.290
So I think we can probably take some Q&A[br]because this is a little bit slow to load.
0:43:54.290,0:43:56.529
But we can try a game, maybe.
0:43:56.529,0:44:03.020
Herald: If you are for Q&A I think[br]there will be some questions.
0:44:03.020,0:44:07.089
So shall we start with one[br]from the internet.
0:44:07.089,0:44:16.029
Signal Angel: Hey! The internet wants to[br]know if most of your research will be
0:44:16.029,0:44:18.470
published, or if stuff’s[br]going to stay private.
0:44:18.470,0:44:21.992
marcan: All of this… the publishing is[br]basically the code which… and you know
0:44:21.992,0:44:26.660
the explanation I just gave… I said that[br]everything’s on Github. So all the drivers
0:44:26.660,0:44:30.950
we wrote, all the… I mean… and in this[br]case also the spec is the code.
0:44:30.950,0:44:34.300
If you really want to I could write some[br]Wiki pages on this. But roughly speaking,
0:44:34.300,0:44:37.890
what’s in the drivers is what we found[br]out. The really interesting bit,
0:44:37.890,0:44:44.269
I think, is that F32 stuff from the AMD[br]GPU stuff. And that we have a repo for.
0:44:44.269,0:44:48.369
But if you have any general questions, or[br]name a particular device, or any details,
0:44:48.369,0:44:54.069
feel free to ask. I don’t know… again, it[br]would be nice if we wrote a bunch
0:44:54.069,0:44:57.220
of docs and everything. But it’s not really[br]a matter of not wanting to write them,
0:44:57.220,0:45:01.250
it’s lazy engineers not wanting to write[br]documentation. But the code is at least…
0:45:01.250,0:45:05.250
the things we have on Github are fairly[br]clean. So.
0:45:05.250,0:45:08.630
Herald: Okay, so, someone is piling up[br]on 4. Guys, if you have questions
0:45:08.630,0:45:11.990
you see the microphones over here.[br]Just pile up over there
0:45:11.990,0:45:14.539
and I’m gonna point… 4 please!
0:45:14.539,0:45:19.210
Question: Just a small question.[br]How likely is it that you upstream
0:45:19.210,0:45:22.700
some of that stuff. Because… I mean…
0:45:22.700,0:45:27.299
marcan: So there’s two sides to that.[br]One side is that we need to actually
0:45:27.299,0:45:31.059
get together and upstream it. The code…[br]some of it has horrible hacks, some of it
0:45:31.059,0:45:36.539
isn’t too bad. So we want to upstream it.
0:45:36.539,0:45:42.099
We have to sit down and actually do it.[br]I think most of the custom x86 based
0:45:42.099,0:45:45.280
machine stuff and the kernel is doable.[br]The drivers are probably doable.
0:45:45.280,0:45:49.609
Some people might scream at the interrupt[br]hacks. But it’s probably not terrible.
0:45:49.609,0:45:53.580
And if they have a better way of doing it[br]I’m all ears, there are other kernel devs.
0:45:53.580,0:45:59.589
The Radeon stuff is quite fishy because of[br]the encoder thing that is like (?) non-standard.
0:45:59.589,0:46:03.880
And also understandably[br]AMD GPU driver developers
0:46:03.880,0:46:07.380
that work for AMD may want to have nothing[br]to do with this. And in fact I know
0:46:07.380,0:46:11.570
for a fact that at least[br]one of them doesn’t. But
0:46:11.570,0:46:16.609
they can’t really stop us from upstreaming[br]things into the Linux kernel, right?
0:46:16.609,0:46:20.210
So I think as long as we get to come[br]to a state where it’s doable it’s fine.
0:46:20.210,0:46:23.250
But most likely I think…[br]laughter
0:46:23.250,0:46:27.910
…I think most likely the non-GPU stuff[br]will go in first if we have a chance
0:46:27.910,0:46:30.940
to do that. And of course, if you wanna[br]try upstreaming it go ahead!
0:46:30.940,0:46:33.470
It’s open source, right? So.
0:46:33.470,0:46:35.460
Herald: Over to microphone 1, please.
0:46:35.460,0:46:42.079
Question: Hi. First I think I should[br]employ you to try and find trouble Hudson. (?)
0:46:42.079,0:46:48.430
And control him into using your FreeBSD[br]kexec implementation in heads.
0:46:48.430,0:46:55.210
Instead of having to run all of Linux in it,[br]as a joke. But my real question is:
0:46:55.210,0:46:59.160
if the reason you used Gentoo was[br]because systemd was yet another hurdle
0:46:59.160,0:47:00.519
in getting this to run?
0:47:00.519,0:47:02.710
laughter[br]marcan laughs
0:47:02.710,0:47:06.430
marcan: I run Gentoo on my main machine,[br]I run Gentoo on most of the machines
0:47:06.430,0:47:10.950
I care about. I do run Arch on a few of[br]the others and then I’d live with systemd.
0:47:10.950,0:47:15.661
But the reason why I run Gentoo is, first[br]it’s what I like and use. And second it’s
0:47:15.661,0:47:19.119
super easy to use patches on Gentoo.[br]You get those things we put onto Github,
0:47:19.119,0:47:21.549
which are just patch files, it’s not really[br]a repo. Because they’re so easy
0:47:21.549,0:47:24.869
it’s not worth cloning everything. Just[br]get those patch files, stick them on
0:47:24.869,0:47:28.480
/etc/portage/patches/, have a little hook to patch,[br]and that’s all you need. So it’s really
0:47:28.480,0:47:33.070
easy to patch packages in Gentoo,[br]that’s one of the main reasons.
0:47:33.070,0:47:37.730
laughs about something in audience
0:47:37.730,0:47:39.599
Herald: No. 3 please!
0:47:39.599,0:47:43.550
Question: Will there be new exploits,[br]new ways to boot Linux
0:47:43.550,0:47:48.400
on PS3 with modern firmwares[br]because finding one
0:47:48.400,0:47:51.109
with firmware 1.76 is really rare.
0:47:51.109,0:47:52.460
marcan: That was 4.05!
0:47:52.460,0:47:58.500
Question: Ah, okay.[br]marcan: But again, our goal is to focus
0:47:58.500,0:48:01.369
on… I just told you the story of the[br]pre-exploit thing because I think
0:48:01.369,0:48:05.089
that’s good like a hacker story, a good[br]knowledge suite trying new platforms.
0:48:05.089,0:48:07.740
And the Linux thing we’re working on.[br]The reason why we don’t want to publish
0:48:07.740,0:48:11.599
the exploit or really get involved in the[br]whole exploit scene is that there is
0:48:11.599,0:48:17.099
a lot of drama, it’s not rocket science[br]in that it’s like super custom code,
0:48:17.099,0:48:21.400
this is WebKit and FreeBSD. It’s actually not[br]that hard. And we know for a fact
0:48:21.400,0:48:25.751
that several people have reproduced this[br]on various firmwares. So there’s no need
0:48:25.751,0:48:29.980
for us to be the exploit provider. And[br]we don’t want to get into that because
0:48:29.980,0:48:37.420
it’s a giant drama fest as we all know,[br]anyway. Please DIY it this time!
0:48:37.420,0:48:39.470
Question: Okay. Thanks.
0:48:39.470,0:48:41.329
Herald: And what is the internet saying?
0:48:41.329,0:48:46.440
Signal Angel: The internet wants to know[br]if you ever had fun with the BSD
0:48:46.440,0:48:47.749
on the second processor.
0:48:47.749,0:48:52.460
marcan: Oh, that’s a very good question.[br]I myself haven’t. I don’t know if anyone
0:48:52.460,0:48:55.930
else has looked at it briefly. One of the[br]commands for rebooting will boot
0:48:55.930,0:49:01.339
that CPU into FreeBSD. And there’s[br]probably fun to be had there.
0:49:01.339,0:49:03.869
But we haven’t really looked into it.
0:49:03.869,0:49:06.819
Herald: And over to 5, please.
0:49:06.819,0:49:13.000
Question: I was wondering if any of that[br]stuff was applicable to the PS4 VR edition
0:49:13.000,0:49:18.800
or whatever it’s called, the new one?[br]Did you ever test it?
0:49:18.800,0:49:20.460
marcan: Sorry, say it again!
0:49:20.460,0:49:22.359
Question: Sony brought up a new PS4[br]I thought.
0:49:22.359,0:49:24.299
marcan: Oh, the Pro you mean,[br]the PS4 Pro?
0:49:24.299,0:49:26.670
Question: Yes.[br]marcan: So Linux boots on the Pro,
0:49:26.670,0:49:30.289
we got that far. GPU is broken. So we[br]would like to get this ported to the Pro
0:49:30.289,0:49:34.140
and also working. It’s basically an[br]incremental update, so it’s not that hard,
0:49:34.140,0:49:36.999
but the GPU needs a new definition,[br]new jBullet(?) stuff.
0:49:36.999,0:49:40.940
Yeah, you get a lot of C frames[br]down-burned (?), yeah…
0:49:40.940,0:49:45.280
So, as you can see, 3D works,[br]and, there you go!
0:49:45.280,0:49:52.340
synth speech from game[br]applause
0:49:52.340,0:49:56.119
I only have to look up and down in this game!
0:49:56.119,0:49:58.230
continued synth speech from game
0:49:58.230,0:50:01.019
Herald: Well, then number 3, please.
0:50:01.019,0:50:07.679
Question: I want to ask you if you want to[br]port these Radeon patches to the new
0:50:07.679,0:50:16.274
amdgpu driver because AMD now supports[br]the Southern Island GPUs?
0:50:16.274,0:50:19.354
marcan: Yes, that’s a very good question.[br]Actually, the first attempt we made
0:50:19.354,0:50:22.609
at writing this driver was with amdgpu.[br]And at the time it wasn’t working at all.
0:50:22.609,0:50:26.559
And there was a big concern about its[br]freshness at the time and it was
0:50:26.559,0:50:31.130
experimentally supporting this GPU[br]generation. I’m told it should work.
0:50:31.130,0:50:35.720
So I would like to port this… move to[br]amdgpu and we have a working
0:50:35.720,0:50:38.970
implementation, and we got to clean up[br]code much better, we know where all
0:50:38.970,0:50:42.050
the nits are, I want to try again with[br]amdgpu and see if that works.
0:50:42.050,0:50:47.019
That’s a very good question because the[br]newer gen might require the driver maybe, so …
0:50:47.019,0:50:49.029
Question: Thank you.[br]Herald: Well then I’m gonna guess we ask
0:50:49.029,0:50:50.220
the internet again.
0:50:50.220,0:50:56.210
Signal Angel: Okay, the internet states[br]that about a year ago you argued
0:50:56.210,0:51:02.069
with someone on twitter that the PS4 wasn’t[br]a PC and now you’re saying that kind of
0:51:02.069,0:51:05.330
is something. And what’s about that?
0:51:05.330,0:51:11.249
marcan: So again, the reason of saying[br]it’s not a PC is that it’s not an IBM
0:51:11.249,0:51:17.369
Personal Computer compatible device.[br]It’s an x86 device that happens to
0:51:17.369,0:51:20.470
be structured roughly like a current PC[br]but if you look at the details
0:51:20.470,0:51:24.280
so many things are completely different.[br]It really isn’t a PC. Like on Linux I had
0:51:24.280,0:51:29.730
to define “sub arch PS4”. It’s an x86[br]but it’s not a PC. And that’s actually
0:51:29.730,0:51:32.520
a very important distinction because[br]there’s a lot of things you have
0:51:32.520,0:51:36.210
never heard of that are x86 but not PC.[br]It’s like e.g. there’s a high chance
0:51:36.210,0:51:40.480
your monitor at home has[br]an 8186 CPU in it. So, yeah.
0:51:40.480,0:51:45.200
Herald: So nobody’s piling at the[br]microphones any more.
0:51:45.200,0:51:47.430
Is there one last question[br]from the internet?
0:51:47.430,0:51:51.299
Signal Angel: Yes, there is.
0:51:51.299,0:51:53.819
The question is…
0:51:53.819,0:51:59.660
…if there was any[br]decryption needed.
0:51:59.660,0:52:05.509
marcan: No. So this is purely… you[br]exploit WebKit, you get user mode,
0:52:05.509,0:52:08.769
you exploit the kernel, you got kernel[br]mode. You jump Linux…
0:52:08.769,0:52:12.240
there’s no security like… there’s nothing[br]like stopping you from doing
0:52:12.240,0:52:15.160
all that stuff. There’s a sandbox in[br]FreeBSD but obviously you exploit
0:52:15.160,0:52:20.920
around the sandbox. There’s nothing…[br]there’s no hypervisor, there’s no monitoring,
0:52:20.920,0:52:24.650
there’s nothing like saying: “Oh this code[br]should not be running.” There’s no
0:52:24.650,0:52:29.089
like integrity checking. They have a security[br]architecture but as it’s tradition for Sony
0:52:29.089,0:52:35.230
you can just walk around it.[br]laughter
0:52:35.230,0:52:37.730
applause
0:52:37.730,0:52:42.660
The PS3 was notable for the fact that[br]the PS Jailbreak which is a USB…
0:52:42.660,0:52:47.470
it’s effectively a piracy device[br]that was released by someone
0:52:47.470,0:52:51.510
that basically used a USB exploit[br]in the kernel and only a USB exploit
0:52:51.510,0:52:54.990
in the kernel to effectively enable piracy.[br]So when you have like a stack of security
0:52:54.990,0:52:58.400
and you break one thing and you get[br]piracy that’s a fail! This is basically
0:52:58.400,0:53:02.050
the same idea. Except I have no idea what[br]you do to do piracy and I don’t care.
0:53:02.050,0:53:09.780
But Sony doesn’t really know how to[br]architect secure systems.
0:53:09.780,0:53:11.500
That’s it.
0:53:11.500,0:53:14.689
Herald: That’s it, here we go,[br]that’s your applause!
0:53:14.689,0:53:20.230
applause
0:53:20.230,0:53:21.810
postroll music
0:53:21.810,0:53:32.109
subtitles created by c3subtitles.de[br]in the year 2017. Join, and help us!