[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:13.32,Default,,0000,0000,0000,,{\i1}33C3 preroll music{\i0}
Dialogue: 0,0:00:13.32,0:00:16.84,Default,,0000,0000,0000,,Herald: You have been\Nhere on stage before.
Dialogue: 0,0:00:16.84,0:00:20.16,Default,,0000,0000,0000,,You successfully tampered with the Wii,
Dialogue: 0,0:00:20.16,0:00:23.11,Default,,0000,0000,0000,,You successfully tampered\Nwith the PS3 and got
Dialogue: 0,0:00:23.11,0:00:26.84,Default,,0000,0000,0000,,some legal challenges over there?
Dialogue: 0,0:00:26.84,0:00:28.94,Default,,0000,0000,0000,,marcan: Some unfounded\Nlegal challenges, yes.
Dialogue: 0,0:00:28.94,0:00:31.64,Default,,0000,0000,0000,,Herald: And then you fucked,\Nand excuse my French over here
Dialogue: 0,0:00:31.64,0:00:35.15,Default,,0000,0000,0000,,– by the way, that is number 8021 to get
Dialogue: 0,0:00:35.15,0:00:39.84,Default,,0000,0000,0000,,the translation on your DECT phone.
Dialogue: 0,0:00:39.84,0:00:44.60,Default,,0000,0000,0000,,So you fucked with the Wii U as well.
Dialogue: 0,0:00:44.60,0:00:47.100,Default,,0000,0000,0000,,“Console Hacking 2016”,\Nhere we go!
Dialogue: 0,0:00:47.100,0:00:51.63,Default,,0000,0000,0000,,marcan: I’m a lazy guy, so I haven’t\Nturned on my computer yet for the slides.
Dialogue: 0,0:00:51.63,0:00:57.18,Default,,0000,0000,0000,,So let me do that,\Nhopefully this will work.
Dialogue: 0,0:00:57.18,0:01:00.56,Default,,0000,0000,0000,,My computer is a little bit special.\NIt runs a lot of Open Source software.
Dialogue: 0,0:01:00.56,0:01:05.62,Default,,0000,0000,0000,,It runs FreeBSD.
Dialogue: 0,0:01:05.62,0:01:09.91,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:09.91,0:01:14.37,Default,,0000,0000,0000,,It even has things like OpenSSL\Nin there, and nginx.
Dialogue: 0,0:01:14.37,0:01:21.16,Default,,0000,0000,0000,,And Cairo I think, and WebKit. It runs a\Nlot of interesting Open Source software.
Dialogue: 0,0:01:21.16,0:01:24.98,Default,,0000,0000,0000,,But we all know that BSD is dying, so\Nwe can make it run something a little bit
Dialogue: 0,0:01:24.98,0:01:29.73,Default,,0000,0000,0000,,more interesting. And hopefully\Ngive a presentation about it.
Dialogue: 0,0:01:29.73,0:01:32.53,Default,,0000,0000,0000,,Let’s see if this works.
Dialogue: 0,0:01:36.15,0:01:38.38,Default,,0000,0000,0000,,It’s a good start, black screen, you know.
Dialogue: 0,0:01:38.38,0:01:43.33,Default,,0000,0000,0000,,It’s syncing to disk\Nand file system shutting down.
Dialogue: 0,0:01:43.33,0:01:48.71,Default,,0000,0000,0000,,There we go!\N{\i1}applause{\i0}
Dialogue: 0,0:01:48.71,0:01:55.31,Default,,0000,0000,0000,,{\i1}continued applause{\i0}
Dialogue: 0,0:01:55.31,0:01:58.61,Default,,0000,0000,0000,,And yes, I run Gentoo Linux.
Dialogue: 0,0:01:58.61,0:02:01.39,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:02:01.39,0:02:05.40,Default,,0000,0000,0000,,This is the “Does Wi-Fi work?” moment.\NHopefully.
Dialogue: 0,0:02:07.49,0:02:12.57,Default,,0000,0000,0000,,NTP, yeah, no… “NTP failed”. Well,\Nthat’s a bit annoying, but it still works.
Dialogue: 0,0:02:15.63,0:02:21.25,Default,,0000,0000,0000,,Hello? Yeah, it takes a bit to boot.\NIt doesn’t run systemd, you know.
Dialogue: 0,0:02:21.25,0:02:25.25,Default,,0000,0000,0000,,It’s sane, it’s a tiny bit slower,\Nbut it’s sane.
Dialogue: 0,0:02:25.25,0:02:30.39,Default,,0000,0000,0000,,There we go.\N{\i1}applause{\i0}
Dialogue: 0,0:02:30.39,0:02:35.26,Default,,0000,0000,0000,,This is the “Does my controller\Nwork?” moment.
Dialogue: 0,0:02:35.26,0:02:39.52,Default,,0000,0000,0000,,Bluetooth in Saal 1.\NOkay, it does.
Dialogue: 0,0:02:39.52,0:02:41.71,Default,,0000,0000,0000,,Alright, so let’s get started.
Dialogue: 0,0:02:49.70,0:02:53.73,Default,,0000,0000,0000,,So this is “Console Hacking 2016 –\NPS4: PC Master Race”.
Dialogue: 0,0:02:53.73,0:02:58.35,Default,,0000,0000,0000,,I apologize for the horrible Nazi joke in\Nthe subtitle, but it’s a Reddit thing.
Dialogue: 0,0:02:58.35,0:03:03.07,Default,,0000,0000,0000,,“PC Master Race”, why? Well.\NPS4, is it a PC? Is it not a PC?
Dialogue: 0,0:03:03.07,0:03:06.07,Default,,0000,0000,0000,,But before we get started,\NI would like to dedicate this talk
Dialogue: 0,0:03:06.07,0:03:09.43,Default,,0000,0000,0000,,to my good friend Ben Byer\Nwho we all know as “bushing”.
Dialogue: 0,0:03:09.43,0:03:11.79,Default,,0000,0000,0000,,Unfortunately, he passed away\Nin February of this year and he was
Dialogue: 0,0:03:11.79,0:03:15.24,Default,,0000,0000,0000,,a great hacker, he came to multiple\Ncongresses, one of the nicest people
Dialogue: 0,0:03:15.24,0:03:19.04,Default,,0000,0000,0000,,I’ve ever met. I’m sure that some of you\Nwho have met him would agree with that.
Dialogue: 0,0:03:19.04,0:03:23.96,Default,,0000,0000,0000,,If it weren’t for him, I wouldn’t be here.\NSo, thank you.
Dialogue: 0,0:03:23.96,0:03:30.48,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:03:30.48,0:03:34.84,Default,,0000,0000,0000,,Alright. So, the PS4.\NIs it a PC? Is it not a PC?
Dialogue: 0,0:03:34.84,0:03:37.22,Default,,0000,0000,0000,,Well, it’s a little bit different\Nfrom previous consoles.
Dialogue: 0,0:03:37.22,0:03:42.49,Default,,0000,0000,0000,,It has x86, it’s an x86 CPU.\NIt runs FreeBSD, it runs WebKit.
Dialogue: 0,0:03:42.49,0:03:45.49,Default,,0000,0000,0000,,It doesn’t have a hypervisor,\Nunfortunately.
Dialogue: 0,0:03:45.49,0:03:49.85,Default,,0000,0000,0000,,Then again, the PS3 had a hypervisor\Nand it was useless, so there you go.
Dialogue: 0,0:03:49.85,0:03:52.38,Default,,0000,0000,0000,,So this is different from the PS3,\Nbut it’s not completely different.
Dialogue: 0,0:03:52.38,0:03:54.96,Default,,0000,0000,0000,,It does have a security processor\Nthat you can just ignore because
Dialogue: 0,0:03:54.96,0:03:59.78,Default,,0000,0000,0000,,it doesn’t secure anything.\NSo that’s good.
Dialogue: 0,0:03:59.78,0:04:02.52,Default,,0000,0000,0000,,So how to own a PS4? Well, you write\Na WebKit exploit and you write
Dialogue: 0,0:04:02.52,0:04:07.80,Default,,0000,0000,0000,,a FreeBSD exploit, duh. Right?\NEverything runs WebKit,
Dialogue: 0,0:04:07.80,0:04:10.74,Default,,0000,0000,0000,,and FreeBSD is not exactly the\Nmost secure OS in the world,
Dialogue: 0,0:04:10.74,0:04:14.80,Default,,0000,0000,0000,,especially not with Sony customizations.\NSo this is completely boring stuff.
Dialogue: 0,0:04:14.80,0:04:18.55,Default,,0000,0000,0000,,Like, what’s the point of talking about\NWebKit and FreeBSD exploits?
Dialogue: 0,0:04:18.55,0:04:22.09,Default,,0000,0000,0000,,Instead, this talk is going to be about\Nsomething a little bit different.
Dialogue: 0,0:04:22.09,0:04:26.04,Default,,0000,0000,0000,,First of all, after you run an exploit,\Nwell, you know, step 3 “something”,
Dialogue: 0,0:04:26.04,0:04:29.77,Default,,0000,0000,0000,,step 4 “PROFIT”. What is this about?\NAnd not only that, though.
Dialogue: 0,0:04:29.77,0:04:32.74,Default,,0000,0000,0000,,Before you write an exploit, you usually\Nwant to have the code you’re trying
Dialogue: 0,0:04:32.74,0:04:38.10,Default,,0000,0000,0000,,to exploit. And with WebKit and FreeBSD\Nyou kinda do, but not the build they use,
Dialogue: 0,0:04:38.10,0:04:41.44,Default,,0000,0000,0000,,and it’s customized. And it’s annoying to\Nwrite an exploit if you don’t have access
Dialogue: 0,0:04:41.44,0:04:43.77,Default,,0000,0000,0000,,to the binary. So how do you get\Nthe binary in the first place?
Dialogue: 0,0:04:43.77,0:04:47.69,Default,,0000,0000,0000,,Well, you dump the code,\Nthat’s an interesting step.
Dialogue: 0,0:04:47.69,0:04:51.58,Default,,0000,0000,0000,,So let’s get started with step zero:\Nblack-box code extraction, the fun way.
Dialogue: 0,0:04:51.58,0:04:54.45,Default,,0000,0000,0000,,A long time ago\Nin a hackerspace far, far away
Dialogue: 0,0:04:54.45,0:04:59.28,Default,,0000,0000,0000,,fail0verflow got together\Nafter 31c3.
Dialogue: 0,0:04:59.28,0:05:02.53,Default,,0000,0000,0000,,And we looked at the PS4 motherboard\Nand this is what we saw. So there’s
Dialogue: 0,0:05:02.53,0:05:06.00,Default,,0000,0000,0000,,an Aeolia southbridge, that’s a codename,\Nby the way. Then there’s the Liverpool APU
Dialogue: 0,0:05:06.00,0:05:10.45,Default,,0000,0000,0000,,which is the main processor.\NIt’s a GPU and a CPU
Dialogue: 0,0:05:10.45,0:05:13.87,Default,,0000,0000,0000,,which is done by AMD, and\Nit has some RAM. And then
Dialogue: 0,0:05:13.87,0:05:16.25,Default,,0000,0000,0000,,the southbridge connects to a bunch\Nof random crap like the USB ports,
Dialogue: 0,0:05:16.25,0:05:19.28,Default,,0000,0000,0000,,a hard disk, which is USB. For some\Ninexplicable reason the internal disk
Dialogue: 0,0:05:19.28,0:05:24.84,Default,,0000,0000,0000,,on the PS4 is USB. Like it’s SATA to USB,\Nand then to USB on the southbridge.
Dialogue: 0,0:05:24.84,0:05:28.04,Default,,0000,0000,0000,,Even though it has SATA,\Nlike, what? {\i1}laughs{\i0}
Dialogue: 0,0:05:28.04,0:05:31.63,Default,,0000,0000,0000,,The Blu-ray drive is SATA. The Wi-Fi,\NBluetooth, SDIO and Ethernet is GMII.
Dialogue: 0,0:05:31.63,0:05:34.09,Default,,0000,0000,0000,,Okay, how do we attack this?\NWell, GDDR5…
Dialogue: 0,0:05:34.09,0:05:38.72,Default,,0000,0000,0000,,What just…?\NOh. I have a screensaver, apparently!
Dialogue: 0,0:05:38.72,0:05:40.96,Default,,0000,0000,0000,,That’s great.\N{\i1}laughter{\i0}
Dialogue: 0,0:05:40.96,0:05:44.35,Default,,0000,0000,0000,,I thought I killed that,\Nlet me kill that screensaver real quick.
Dialogue: 0,0:05:44.35,0:05:50.96,Default,,0000,0000,0000,,{\i1}applause{\i0}\NSomething had to fail, it always does.
Dialogue: 0,0:05:52.49,0:05:55.31,Default,,0000,0000,0000,,I mean, of course I can\NSSH into my PS4, right?
Dialogue: 0,0:05:55.31,0:05:59.50,Default,,0000,0000,0000,,So there we go, okay.\NCould have sworn I’d fix that. Anyway…
Dialogue: 0,0:05:59.50,0:06:02.76,Default,,0000,0000,0000,,Which one of these interfaces\Ndo you attack? Well, you know,
Dialogue: 0,0:06:02.76,0:06:06.82,Default,,0000,0000,0000,,USB, SATA, SDIO, GMII – that’s\Nthe raw ethernet interface, by the way –
Dialogue: 0,0:06:06.82,0:06:11.52,Default,,0000,0000,0000,,all these are CPU-controlled. The CPU\Nissues commands and the devices reply.
Dialogue: 0,0:06:11.52,0:06:16.39,Default,,0000,0000,0000,,The devices can’t really do anything. They\Ncan’t write to memory or anything like that.
Dialogue: 0,0:06:16.39,0:06:19.05,Default,,0000,0000,0000,,You can exploit USB if you\Nhide a bug in the USB driver,
Dialogue: 0,0:06:19.05,0:06:21.37,Default,,0000,0000,0000,,but we’re back to the no-code issue.
Dialogue: 0,0:06:21.37,0:06:24.87,Default,,0000,0000,0000,,DDR5, that would be great,\Nwe could just write to our memory
Dialogue: 0,0:06:24.87,0:06:27.93,Default,,0000,0000,0000,,and basically own the entire thing.\NBut it’s a very high-speed bus.
Dialogue: 0,0:06:27.93,0:06:30.16,Default,,0000,0000,0000,,It’s definitely exploitable.\NIf you were making a secure system
Dialogue: 0,0:06:30.16,0:06:33.84,Default,,0000,0000,0000,,don’t assume we can’t own DDR5,\Nbecause we will.
Dialogue: 0,0:06:33.84,0:06:37.02,Default,,0000,0000,0000,,But it’s not the path of least resistance,\Nso we’re not gonna do that.
Dialogue: 0,0:06:37.02,0:06:40.15,Default,,0000,0000,0000,,However, there’s a thing called\NPCI Express in the middle there.
Dialogue: 0,0:06:40.15,0:06:42.10,Default,,0000,0000,0000,,Hmm, that’s interesting!
Dialogue: 0,0:06:42.10,0:06:45.43,Default,,0000,0000,0000,,PCIe is very fun for hacking –\Neven though it might seem intimidating –
Dialogue: 0,0:06:45.43,0:06:48.87,Default,,0000,0000,0000,,because it’s bus mastering,\Nthat means you can DMA to memory.
Dialogue: 0,0:06:48.87,0:06:52.76,Default,,0000,0000,0000,,It’s complicated, and complicated things\Nare hard to implement properly.
Dialogue: 0,0:06:52.76,0:06:58.33,Default,,0000,0000,0000,,It’s robust. People think that PCIe is this\Nvoodoo-highspeed… No it’s not!
Dialogue: 0,0:06:58.33,0:07:00.61,Default,,0000,0000,0000,,It’s high-speed, but you don’t need\Nmatched traces to make it work.
Dialogue: 0,0:07:00.61,0:07:05.44,Default,,0000,0000,0000,,It will run over wet string. You can hotwire\NPCIe with pieces of wire and it will work.
Dialogue: 0,0:07:05.44,0:07:09.33,Default,,0000,0000,0000,,At least at short distances anyway.\NBelieve me, it’s not as bad as you think.
Dialogue: 0,0:07:09.33,0:07:13.31,Default,,0000,0000,0000,,It’s delay-tolerant, so you\Ncan take your time to reply.
Dialogue: 0,0:07:13.31,0:07:16.55,Default,,0000,0000,0000,,And the drivers are full of fail because\Nnobody writes a PCIe driver assuming
Dialogue: 0,0:07:16.55,0:07:19.52,Default,,0000,0000,0000,,the device is evil even though of course\Neverybody should because devices can
Dialogue: 0,0:07:19.52,0:07:22.62,Default,,0000,0000,0000,,and will be evil.\NBut nobody does that.
Dialogue: 0,0:07:22.62,0:07:25.68,Default,,0000,0000,0000,,So, what can we do?\NWell, we have a PCIe link,
Dialogue: 0,0:07:25.68,0:07:30.74,Default,,0000,0000,0000,,let’s cut the lines and plug in the\Nsouthbridge to a PC motherboard
Dialogue: 0,0:07:30.74,0:07:34.46,Default,,0000,0000,0000,,that we stick on the side. Now\Nthe southbridge is a PCIe card for us.
Dialogue: 0,0:07:34.46,0:07:38.48,Default,,0000,0000,0000,,And we connect the APU to an FPGA\Nboard which then can pretend to be
Dialogue: 0,0:07:38.48,0:07:43.13,Default,,0000,0000,0000,,a PCIe device. So we can man-in-the-middle\Nthis PCIe bus and it’s now x1 width
Dialogue: 0,0:07:43.13,0:07:47.11,Default,,0000,0000,0000,,instead of x4 because it’s easier that\Nway, but it will negotiate, that’s fine.
Dialogue: 0,0:07:47.11,0:07:50.52,Default,,0000,0000,0000,,So how do we connect that\Nmotherboard and the FPGA?
Dialogue: 0,0:07:50.52,0:07:53.67,Default,,0000,0000,0000,,There’s of course many ways of doing this.\NHow many of you have done
Dialogue: 0,0:07:53.67,0:07:57.55,Default,,0000,0000,0000,,any hardware hacking, even Arduino or\Nanything like that? Raise your hand!
Dialogue: 0,0:07:57.55,0:08:02.31,Default,,0000,0000,0000,,I think that’s about a third to a half\Nor something like that, at least.
Dialogue: 0,0:08:02.31,0:08:04.75,Default,,0000,0000,0000,,When you hack some hardware,\Nyou meld some hardware,
Dialogue: 0,0:08:04.75,0:08:10.10,Default,,0000,0000,0000,,after you blink an LED, what is the first\Ninterface you use to talk to your hardware?
Dialogue: 0,0:08:10.10,0:08:14.88,Default,,0000,0000,0000,,Serial port! So we run\NPCIe over RS232 at 115 kBaud
Dialogue: 0,0:08:14.88,0:08:16.49,Default,,0000,0000,0000,,which makes this PCIe…\N{\i1}laughter and applause{\i0}
Dialogue: 0,0:08:21.50,0:08:27.71,Default,,0000,0000,0000,,I said it was delay-tolerant!\NSo it makes this PCIe 0.00002x.
Dialogue: 0,0:08:27.71,0:08:30.20,Default,,0000,0000,0000,,And eventually there was a\NGigabit ethernet port on the FPGA
Dialogue: 0,0:08:30.20,0:08:35.00,Default,,0000,0000,0000,,so I upgraded to that, but I only got\Naround to doing it in one direction.
Dialogue: 0,0:08:35.00,0:08:39.02,Default,,0000,0000,0000,,So now it’s PCIe 0.0002x in one direction\Nand 0.5x in the other direction
Dialogue: 0,0:08:39.02,0:08:42.10,Default,,0000,0000,0000,,which has to make this one of the most\Nasymmetric buses in the world.
Dialogue: 0,0:08:43.49,0:08:45.87,Default,,0000,0000,0000,,But it works, believe me.\NThis his hilarious.
Dialogue: 0,0:08:45.87,0:08:50.92,Default,,0000,0000,0000,,We can run PCIe over serial out. Also, we\Nwere ASCII encoding, so half the bandwidth.
Dialogue: 0,0:08:50.92,0:08:52.94,Default,,0000,0000,0000,,It works fine. It’s fine.
Dialogue: 0,0:08:52.94,0:08:56.55,Default,,0000,0000,0000,,So, PCIe 101.\NIt’s a reliable packet-switched network.
Dialogue: 0,0:08:56.55,0:08:59.27,Default,,0000,0000,0000,,It uses a thing called\N“Transaction Layer Packets”
Dialogue: 0,0:08:59.27,0:09:03.44,Default,,0000,0000,0000,,which are basically just packets you send.\NIt can be… Memory Read, Memory Write,
Dialogue: 0,0:09:03.44,0:09:06.14,Default,,0000,0000,0000,,IO Read, IO Write,\NConfiguration Read, Configuration Write.
Dialogue: 0,0:09:06.14,0:09:09.60,Default,,0000,0000,0000,,There can be a message-signaled interrupt\Nwhich is a way of saying: “Hey,
Dialogue: 0,0:09:09.60,0:09:13.47,Default,,0000,0000,0000,,listen to me!” by writing\Nto an address in memory.
Dialogue: 0,0:09:13.47,0:09:16.01,Default,,0000,0000,0000,,Because we can write the thing,\Nso why not write for interrupts?
Dialogue: 0,0:09:16.01,0:09:20.32,Default,,0000,0000,0000,,It has legacy interrupts\Nwhich are basically emulating the old
Dialogue: 0,0:09:20.32,0:09:24.43,Default,,0000,0000,0000,,wire-low-for-interrupt-and-\Nhigh-for-no-interrupt thing,
Dialogue: 0,0:09:24.43,0:09:25.75,Default,,0000,0000,0000,,you can tunnel that over PCIe.
Dialogue: 0,0:09:25.75,0:09:29.38,Default,,0000,0000,0000,,And it has completions, which are\Nbasically the replies. So if you read
Dialogue: 0,0:09:29.38,0:09:31.93,Default,,0000,0000,0000,,a value from memory the completion\Nis what you get back with the value
Dialogue: 0,0:09:31.93,0:09:36.04,Default,,0000,0000,0000,,you tried to read. So that’s PCIe,\Nwe can just go wild with DMA.
Dialogue: 0,0:09:36.04,0:09:39.25,Default,,0000,0000,0000,,We can just read all memory, dump\Nthe kernel. Hey, it’s awesome, right?
Dialogue: 0,0:09:39.25,0:09:41.47,Default,,0000,0000,0000,,Except there’s an IOMMU in the APU.
Dialogue: 0,0:09:41.47,0:09:46.18,Default,,0000,0000,0000,,But... first, the IOMMU will protect \Nthe devices. It will only let you access
Dialogue: 0,0:09:46.18,0:09:50.43,Default,,0000,0000,0000,,what memory is mapped to your device.\NSo the host has to allow you
Dialogue: 0,0:09:50.43,0:09:53.07,Default,,0000,0000,0000,,to read and write to memory.\NBut just because there’s an IOMMU
Dialogue: 0,0:09:53.07,0:09:58.19,Default,,0000,0000,0000,,doesn’t mean that Sony uses it properly.\NHere’s some pseudo-code,
Dialogue: 0,0:09:58.19,0:10:01.39,Default,,0000,0000,0000,,it has a buffer on the stack, it says:\N“please read from flash to this buffer”
Dialogue: 0,0:10:01.39,0:10:04.81,Default,,0000,0000,0000,,with the correct length. Can anyone\Nsee the problem with this code?
Dialogue: 0,0:10:04.81,0:10:09.29,Default,,0000,0000,0000,,Well, it maps the buffer and it\Nreads and it unmaps the buffer.
Dialogue: 0,0:10:09.29,0:10:13.10,Default,,0000,0000,0000,,But IOMMUs don’t just map\Nbyte “foo” to byte “bar”,
Dialogue: 0,0:10:13.10,0:10:16.57,Default,,0000,0000,0000,,they map pages, and\Npages are 64k on the PS4.
Dialogue: 0,0:10:16.57,0:10:19.91,Default,,0000,0000,0000,,So Sony has just mapped 64k\Nof its stack to the device so
Dialogue: 0,0:10:19.91,0:10:25.72,Default,,0000,0000,0000,,it can just DMA straight into the stack,\Nbasically the whole stack, and take over.
Dialogue: 0,0:10:25.72,0:10:29.66,Default,,0000,0000,0000,,Now we got code execution, FreeBSD\Nkernel dump, and WebKit and OS libs dump,
Dialogue: 0,0:10:29.66,0:10:32.50,Default,,0000,0000,0000,,just from mapping the flash.
Dialogue: 0,0:10:32.50,0:10:36.08,Default,,0000,0000,0000,,Okay, that’s step zero.\NWe have the code.
Dialogue: 0,0:10:36.08,0:10:39.93,Default,,0000,0000,0000,,But that’s not the PS4 that we did this\Non, it was a giant mess of wires.
Dialogue: 0,0:10:39.93,0:10:43.02,Default,,0000,0000,0000,,Someone here knows about that,\Nyou know, flying over on Facebook.
Dialogue: 0,0:10:43.02,0:10:46.48,Default,,0000,0000,0000,,We don’t make a ‘nice’ exploit.\NWe’ve done that because, as I said,
Dialogue: 0,0:10:46.48,0:10:50.09,Default,,0000,0000,0000,,WebKit, FreeBSD, whatever.\NWhat comes after that?
Dialogue: 0,0:10:50.09,0:10:55.01,Default,,0000,0000,0000,,We want to do something.\NOf course we want to run Linux, duh!
Dialogue: 0,0:10:55.01,0:10:58.59,Default,,0000,0000,0000,,How do you go from FreeBSD to Linux?\NIt’s not a trivial process.
Dialogue: 0,0:10:58.59,0:11:02.66,Default,,0000,0000,0000,,But you use something\Nthat we call “ps4-kexec”.
Dialogue: 0,0:11:02.66,0:11:06.64,Default,,0000,0000,0000,,So how does this work? It’s simple,\Nright? You just want to run Linux?
Dialogue: 0,0:11:06.64,0:11:10.19,Default,,0000,0000,0000,,Just ‘jmp’ to Linux, right?\NWell… kind of.
Dialogue: 0,0:11:10.19,0:11:13.18,Default,,0000,0000,0000,,You need to load Linux into contiguous\Nphysical RAM, set up boot parameters,
Dialogue: 0,0:11:13.18,0:11:16.70,Default,,0000,0000,0000,,shut down FreeBSD cleanly, halt secondary\NCPUs, make new pagetables etc.
Dialogue: 0,0:11:16.70,0:11:19.54,Default,,0000,0000,0000,,A lot of random things. I’m not going to\Nbore you with this crap because you
Dialogue: 0,0:11:19.54,0:11:23.46,Default,,0000,0000,0000,,can read the code. But there’s a lot\Nof iteration in getting this to work.
Dialogue: 0,0:11:23.46,0:11:26.93,Default,,0000,0000,0000,,Let’s assume that you do all this magical\Ncleanup and you get Linux into
Dialogue: 0,0:11:26.93,0:11:32.85,Default,,0000,0000,0000,,a nice state and you can ‘jmp’ Linux.\NNow we jmp Linux, right? It’s cool.
Dialogue: 0,0:11:32.85,0:11:35.44,Default,,0000,0000,0000,,Yeah, you can technically jmp to Linux,\Nand it will technically run
Dialogue: 0,0:11:35.44,0:11:41.37,Default,,0000,0000,0000,,…for a little bit. And it will stop.
Dialogue: 0,0:11:41.37,0:11:45.29,Default,,0000,0000,0000,,And you will not get any serial or any\Nvideo or anything. What’s going on here?
Dialogue: 0,0:11:45.29,0:11:49.43,Default,,0000,0000,0000,,Let’s talk about hardware.\NWhat is x86?
Dialogue: 0,0:11:49.43,0:11:53.05,Default,,0000,0000,0000,,x86 is a mediocre instruction set\Narchitecture by Intel.
Dialogue: 0,0:11:53.05,0:11:56.19,Default,,0000,0000,0000,,It’s okay, I guess.\NIt’s not great.
Dialogue: 0,0:11:56.19,0:12:00.25,Default,,0000,0000,0000,,PS4 is definitely x86, it’s x86-64.
Dialogue: 0,0:12:00.25,0:12:03.58,Default,,0000,0000,0000,,What is a PC? Aah!\NPC is a horrible, horrible thing
Dialogue: 0,0:12:03.58,0:12:07.22,Default,,0000,0000,0000,,built upon piles and piles of legacy crap\Ndating back to 1981.
Dialogue: 0,0:12:07.22,0:12:10.31,Default,,0000,0000,0000,,The PS4 is definitely -not- a PC.
Dialogue: 0,0:12:10.31,0:12:15.19,Default,,0000,0000,0000,,That’s practically Sony-level hardware fail,\Nso it could be, but it’s not.
Dialogue: 0,0:12:15.19,0:12:19.48,Default,,0000,0000,0000,,So what’s going on? A legacy PC
Dialogue: 0,0:12:19.48,0:12:22.66,Default,,0000,0000,0000,,basically has an 8259 Programmable\NInterrupt Controller,
Dialogue: 0,0:12:22.66,0:12:27.36,Default,,0000,0000,0000,,a 8253 Programmable Interval Timer,\Na UART at I/O 3f8h,
Dialogue: 0,0:12:27.36,0:12:29.40,Default,,0000,0000,0000,,which is the standard address\Nfor a serial port.
Dialogue: 0,0:12:29.40,0:12:33.71,Default,,0000,0000,0000,,It has a PS/2 keyboard controller, 8042.\NIt has an RTC, a real-time clock
Dialogue: 0,0:12:33.71,0:12:35.51,Default,,0000,0000,0000,,with a CMOS, and everyone\Nknows the CMOS, right?
Dialogue: 0,0:12:35.51,0:12:40.24,Default,,0000,0000,0000,,MC146818 is the chip number for that. An\NISA bus – even if you think you don’t have
Dialogue: 0,0:12:40.24,0:12:43.01,Default,,0000,0000,0000,,an ISA bus your computer has an ISA bus\Ninside the southbridge somewhere.
Dialogue: 0,0:12:43.01,0:12:48.02,Default,,0000,0000,0000,,And it has VGA.\NThe PS4 doesn’t have -any- of these things.
Dialogue: 0,0:12:48.02,0:12:51.88,Default,,0000,0000,0000,,So what do we do?\NLet’s look a little bit how a PC works
Dialogue: 0,0:12:51.88,0:12:55.76,Default,,0000,0000,0000,,and how a PS4 works. This is a general\Nsimple PC system. There’s an APU
Dialogue: 0,0:12:55.76,0:13:00.17,Default,,0000,0000,0000,,or an Intel Core CPU with a southbridge,\NIntel calls it PCH, AMD FCH.
Dialogue: 0,0:13:00.17,0:13:03.75,Default,,0000,0000,0000,,There’s an interface that is basically\NPCIe although Intel calls it DMI and AMD
Dialogue: 0,0:13:03.75,0:13:08.27,Default,,0000,0000,0000,,calls it UMI. DDR3 RAM and a bunch\Nof peripherals and SATA, whatever.
Dialogue: 0,0:13:08.27,0:13:12.12,Default,,0000,0000,0000,,The PS4 kind of looks like that, right?\NSo you think this can’t be that dif…
Dialogue: 0,0:13:12.12,0:13:15.81,Default,,0000,0000,0000,,What’s so hard about this?\NBecause all the crap I mentioned earlier
Dialogue: 0,0:13:15.81,0:13:20.41,Default,,0000,0000,0000,,is in the southbridge on a PC, right?\NThe PS4 has a southbridge, right?
Dialogue: 0,0:13:20.41,0:13:23.87,Default,,0000,0000,0000,,Right? Right? Umm… so\Nthe southbridge, the AMD standard FCH
Dialogue: 0,0:13:23.87,0:13:27.96,Default,,0000,0000,0000,,implements Intel legacy from 1981.\NThe Marvell Aeolia
Dialogue: 0,0:13:27.96,0:13:31.03,Default,,0000,0000,0000,,– Marvell is the maker of the PS4\Nsouthbridge – implements Intel legacy
Dialogue: 0,0:13:31.03,0:13:35.55,Default,,0000,0000,0000,,from 2002. What does that mean?\NAh! That’s no southbridge,
Dialogue: 0,0:13:35.55,0:13:40.30,Default,,0000,0000,0000,,that’s a Marvell Armada SoC!\NSo it’s not actually a southbridge,
Dialogue: 0,0:13:40.30,0:13:43.76,Default,,0000,0000,0000,,it was never a southbridge.\NIt’s an ARM system-on-a-chip CPU
Dialogue: 0,0:13:43.76,0:13:47.12,Default,,0000,0000,0000,,with everything. It’s a descendant\Nfrom Intel StrongARM or XScale.
Dialogue: 0,0:13:47.12,0:13:49.12,Default,,0000,0000,0000,,It has a bunch of peripherals.\NAnd what they did is, they stuck
Dialogue: 0,0:13:49.12,0:13:53.24,Default,,0000,0000,0000,,a PCIe bridge on the side and said: “Hey\Nx86, you can now use all my ARM shit.”
Dialogue: 0,0:13:53.24,0:13:56.27,Default,,0000,0000,0000,,So it exposes all of its ARM peripherals\Nto the x86. They added some stuff
Dialogue: 0,0:13:56.27,0:13:59.10,Default,,0000,0000,0000,,they really needed for PCs\Nand it has its own RAM.
Dialogue: 0,0:13:59.10,0:14:03.72,Default,,0000,0000,0000,,Why do they do this? Well, it also runs\NFreeBSD on the ARM in standby mode.
Dialogue: 0,0:14:03.72,0:14:06.02,Default,,0000,0000,0000,,And that’s how they do the whole\N“download updates in the background,
Dialogue: 0,0:14:06.02,0:14:08.76,Default,,0000,0000,0000,,get content, update, whatever”.\NAll that crap is because they have
Dialogue: 0,0:14:08.76,0:14:12.85,Default,,0000,0000,0000,,a separate OS on a separate chip running\Nin standby mode. Okay, that’s great, but
Dialogue: 0,0:14:12.85,0:14:17.86,Default,,0000,0000,0000,,it’s also batshit insane.\N{\i1}laughter{\i0}
Dialogue: 0,0:14:17.86,0:14:21.54,Default,,0000,0000,0000,,Quick recap: This is what a\NPCIe bus number looks like,
Dialogue: 0,0:14:21.54,0:14:24.46,Default,,0000,0000,0000,,sorry, a device number.\NIt has a bus number, which is 8 bits,
Dialogue: 0,0:14:24.46,0:14:27.98,Default,,0000,0000,0000,,a device number, which is 5 bits,\Nand a function number, which is 3 bits.
Dialogue: 0,0:14:27.98,0:14:31.34,Default,,0000,0000,0000,,You’ve probably seen this in lspci\Nif you ever done that.
Dialogue: 0,0:14:31.34,0:14:34.48,Default,,0000,0000,0000,,This is what a regular southbridge\Nlooks like. It has a USB controller,
Dialogue: 0,0:14:34.48,0:14:38.18,Default,,0000,0000,0000,,a PCI, ISA bridge, SATA, whatever.\NAnd it has a bunch of devices.
Dialogue: 0,0:14:38.18,0:14:41.11,Default,,0000,0000,0000,,So one southbridge pretends\Nto be multiple devices.
Dialogue: 0,0:14:41.11,0:14:43.77,Default,,0000,0000,0000,,Because you only have three bits\Nfor a function number so you can only have
Dialogue: 0,0:14:43.77,0:14:47.20,Default,,0000,0000,0000,,up to eight functions in one device.
Dialogue: 0,0:14:47.20,0:14:48.86,Default,,0000,0000,0000,,Intel southbridge just says:\N“I’m device 14, 16, 1a, 1…,
Dialogue: 0,0:14:48.86,0:14:51.86,Default,,0000,0000,0000,,I’m just a bunch of devices,\Nand you can talk to all of them.”
Dialogue: 0,0:14:51.86,0:14:57.67,Default,,0000,0000,0000,,If you lspci on a roughly unpatched\NLinux kernel on the PS4
Dialogue: 0,0:14:57.67,0:15:00.65,Default,,0000,0000,0000,,you get something like this.\NSo the Aeolia first of all
Dialogue: 0,0:15:00.65,0:15:03.74,Default,,0000,0000,0000,,clones itself into every PCIe device\Nbecause they were too lazy to do
Dialogue: 0,0:15:03.74,0:15:08.11,Default,,0000,0000,0000,,“if device equals my number then\Nreply, otherwise don’t reply”. No,
Dialogue: 0,0:15:08.11,0:15:11.47,Default,,0000,0000,0000,,they just said: “Oh, just reply to every\Nsingle PCIe device that might query”.
Dialogue: 0,0:15:11.47,0:15:16.87,Default,,0000,0000,0000,,Linux sees the southbridge 31 different\Ntimes, which is kind of annoying
Dialogue: 0,0:15:16.87,0:15:20.38,Default,,0000,0000,0000,,because it gets really confused when it\Nsees 31 clones of the same southbridge.
Dialogue: 0,0:15:20.38,0:15:24.54,Default,,0000,0000,0000,,And then it has eight functions:\NACPI, ethernet, SATA, SDMC, PCIe,…
Dialogue: 0,0:15:24.54,0:15:27.84,Default,,0000,0000,0000,,Eight functions, so all three bits.
Dialogue: 0,0:15:27.84,0:15:29.79,Default,,0000,0000,0000,,Turns out, eight functions\Nare not enough for everybody.
Dialogue: 0,0:15:29.79,0:15:34.49,Default,,0000,0000,0000,,Function no. 4, “PCI Express Glue”, has a\Nbridge config, MSI interrupt controller,
Dialogue: 0,0:15:34.49,0:15:37.41,Default,,0000,0000,0000,,ICC – we’ll talk about that later –,\NHPET timers, Flash controller,
Dialogue: 0,0:15:37.41,0:15:44.92,Default,,0000,0000,0000,,RTC, timers, 2 serial ports, I2C… All\Nthis smashed into one single PCIe device.
Dialogue: 0,0:15:44.92,0:15:49.21,Default,,0000,0000,0000,,Linux has a minimum system requirement\Nto run on anything.
Dialogue: 0,0:15:49.21,0:15:53.52,Default,,0000,0000,0000,,You need a timer, you need interrupts,\Nand you need some kind of console.
Dialogue: 0,0:15:53.52,0:15:57.01,Default,,0000,0000,0000,,The PS4 has no PIT, no PIC and no standard\Nserial so none of the standard PC stuff
Dialogue: 0,0:15:57.01,0:16:01.64,Default,,0000,0000,0000,,is going to work here. The board has\Ntest points for an 8250 standard serial
Dialogue: 0,0:16:01.64,0:16:05.53,Default,,0000,0000,0000,,in a different place. So we run\NDMESG over that, okay, fine.
Dialogue: 0,0:16:05.53,0:16:08.30,Default,,0000,0000,0000,,Linux has earlycon which we can\Npoint to a serial port and say:
Dialogue: 0,0:16:08.30,0:16:11.22,Default,,0000,0000,0000,,“Please send all your DMESG here\Nvery early because I really want to see
Dialogue: 0,0:16:11.22,0:16:16.03,Default,,0000,0000,0000,,what’s going on”. Doesn’t need IRQs,\Nyou set console=uart8250,
Dialogue: 0,0:16:16.03,0:16:20.42,Default,,0000,0000,0000,,the type, the address, the speed.\NAnd you’ll see it says 3200 instead of
Dialogue: 0,0:16:20.42,0:16:23.42,Default,,0000,0000,0000,,115 kBaud. That’s because their clock\Nis different. So you set 3200 but
Dialogue: 0,0:16:23.42,0:16:27.54,Default,,0000,0000,0000,,it really means 115k.\NAnd that gets you DMESG.
Dialogue: 0,0:16:27.54,0:16:29.71,Default,,0000,0000,0000,,That actually gets you “Linux booting,\Nuncompressing”, whatever.
Dialogue: 0,0:16:29.71,0:16:32.40,Default,,0000,0000,0000,,That’s pretty good.
Dialogue: 0,0:16:32.40,0:16:36.54,Default,,0000,0000,0000,,Okay, we need a timer.\NBecause otherwise everything explodes.
Dialogue: 0,0:16:36.54,0:16:40.36,Default,,0000,0000,0000,,Linux supports the TSC, a built-in CPU\Ntimer which is super nice and super fun.
Dialogue: 0,0:16:40.36,0:16:44.42,Default,,0000,0000,0000,,And PS4 has that. But Linux tries to\Ncalibrate it against the legacy timer
Dialogue: 0,0:16:44.42,0:16:47.43,Default,,0000,0000,0000,,which on the PS4 doesn’t exist\Nso that’s fail.
Dialogue: 0,0:16:47.43,0:16:52.15,Default,,0000,0000,0000,,So again, the PS4 -really- is not a PC.
Dialogue: 0,0:16:52.15,0:16:54.27,Default,,0000,0000,0000,,What we need to do here is\Ndefining a new subarchitecture
Dialogue: 0,0:16:54.27,0:16:58.52,Default,,0000,0000,0000,,because Linux supports this concept.\NSays: “this is not a PC, this is a PS4”.
Dialogue: 0,0:16:58.52,0:17:01.29,Default,,0000,0000,0000,,The bootloader tells Linux:\N“Hey! This is a PS4!”
Dialogue: 0,0:17:01.29,0:17:04.01,Default,,0000,0000,0000,,And then Linux says: “Okay, I’m not gonna\Ndo the old timestamp calibration,
Dialogue: 0,0:17:04.01,0:17:07.83,Default,,0000,0000,0000,,I’m gonna do it for the PS4” which has\Na special code that we wrote
Dialogue: 0,0:17:07.83,0:17:11.34,Default,,0000,0000,0000,,that calibrates against the PS4 timer.\NAnd it disables the legacy crap.
Dialogue: 0,0:17:11.34,0:17:13.79,Default,,0000,0000,0000,,So now this is officially\Nnot a PC anymore.
Dialogue: 0,0:17:13.79,0:17:18.54,Default,,0000,0000,0000,,Now we can talk about ACPI.
Dialogue: 0,0:17:18.54,0:17:21.48,Default,,0000,0000,0000,,You might know ACPI for all its\Nhorribleness and all its evilness
Dialogue: 0,0:17:21.48,0:17:25.06,Default,,0000,0000,0000,,and all its Microsoft-y-ness.\NACPI - most people associate it with
Dialogue: 0,0:17:25.06,0:17:28.07,Default,,0000,0000,0000,,“Suspend” and “Suspend to Hibernate”.\NIt’s not just power,
Dialogue: 0,0:17:28.07,0:17:31.94,Default,,0000,0000,0000,,it does other stuff, too.\NSo we need ACPI for PCI config,
Dialogue: 0,0:17:31.94,0:17:34.14,Default,,0000,0000,0000,,for the IOMMU, for the CPU frequency.
Dialogue: 0,0:17:34.14,0:17:38.39,Default,,0000,0000,0000,,The PS4 of course has broken ACPI tables\Nbecause, of course it would be.
Dialogue: 0,0:17:38.39,0:17:42.19,Default,,0000,0000,0000,,So we fixed them in ps4-kexec.
Dialogue: 0,0:17:42.19,0:17:44.79,Default,,0000,0000,0000,,Now interrupts. We have timers,\Nwe have serial, we fixed some stuff.
Dialogue: 0,0:17:44.79,0:17:48.62,Default,,0000,0000,0000,,The PS4 does message-signaled interrupts\Nwhich is, what I said, the non-legacy,
Dialogue: 0,0:17:48.62,0:17:51.49,Default,,0000,0000,0000,,the nice new thing where you just write\Na value, and what you do is you tell
Dialogue: 0,0:17:51.49,0:17:55.13,Default,,0000,0000,0000,,the device when you want to interrupt\N“please write this value to this address”.
Dialogue: 0,0:17:55.13,0:17:58.45,Default,,0000,0000,0000,,The device does that, and the CPU\Ninterrupt controller sees that write
Dialogue: 0,0:17:58.45,0:18:01.05,Default,,0000,0000,0000,,and says: “Oh, this is an interrupt”\Nand then just fires off that interrupt
Dialogue: 0,0:18:01.05,0:18:06.49,Default,,0000,0000,0000,,into the CPU. That’s great.\NIt’s super fast and very efficient.
Dialogue: 0,0:18:06.49,0:18:08.74,Default,,0000,0000,0000,,And the value directly tells the CPU:\N“That’s the interrupt vector you have
Dialogue: 0,0:18:08.74,0:18:14.46,Default,,0000,0000,0000,,to go to”. Okay, that’s the standard MSI\Nway there. Your computer does MSI that way.
Dialogue: 0,0:18:14.46,0:18:19.70,Default,,0000,0000,0000,,This is how the PS4 does MSI: The Aeolia\Nignores the MSI config registers
Dialogue: 0,0:18:19.70,0:18:24.42,Default,,0000,0000,0000,,in the standard location. Instead of\Nhas its own MSI controller,
Dialogue: 0,0:18:24.42,0:18:28.28,Default,,0000,0000,0000,,all stuff that’s in Function 4,\Nwhich is that “glue” device.
Dialogue: 0,0:18:28.28,0:18:32.46,Default,,0000,0000,0000,,Each function gets a shared address in\Nmemory to write to and the top 27 bits
Dialogue: 0,0:18:32.46,0:18:36.12,Default,,0000,0000,0000,,of data. And every sub function, because\Nyou can’t do a lot of things into one place,
Dialogue: 0,0:18:36.12,0:18:40.31,Default,,0000,0000,0000,,only gets the different 5 bits.\NAnd all MSIs originate from Function 4,
Dialogue: 0,0:18:40.31,0:18:43.40,Default,,0000,0000,0000,,so this device has to fire an interrupt,\Nthen it goes to here, and then
Dialogue: 0,0:18:43.40,0:18:48.70,Default,,0000,0000,0000,,that device fires an interrupt. Like… what…\Nthis is all… what the hell is going on?
Dialogue: 0,0:18:48.70,0:18:53.77,Default,,0000,0000,0000,,Seriously, this is really fucked up. And\N– the i’s are missing in the front there.
Dialogue: 0,0:18:53.77,0:18:59.30,Default,,0000,0000,0000,,But yeah. So, driver hell. Now the devices\Nare interdependent. Then the IRQ vector
Dialogue: 0,0:18:59.30,0:19:02.83,Default,,0000,0000,0000,,location is not sequential, so that’s not\Ngonna work. And you need to modify
Dialogue: 0,0:19:02.83,0:19:07.59,Default,,0000,0000,0000,,all the drivers. This is really painful to\Ndevelop for. So what we ended up doing
Dialogue: 0,0:19:07.59,0:19:11.95,Default,,0000,0000,0000,,is there is a core driver that implements\Nan interrupt controller for this thing.
Dialogue: 0,0:19:11.95,0:19:15.78,Default,,0000,0000,0000,,And then we have to make sure that loads\Nfirst, before the device driver. So Linux
Dialogue: 0,0:19:15.78,0:19:19.40,Default,,0000,0000,0000,,has a mechanism for that. And we had to\Npatch the drivers. Some drivers we patched,
Dialogue: 0,0:19:19.40,0:19:22.82,Default,,0000,0000,0000,,so to use these interrupts. And others\Nwe wrapped around to use these interrupts.
Dialogue: 0,0:19:22.82,0:19:26.35,Default,,0000,0000,0000,,Unfortunately, because of the top bit\Nthing, everything has to share one interrupt
Dialogue: 0,0:19:26.35,0:19:31.28,Default,,0000,0000,0000,,within a function. Thankfully, we can fix\Nthat with a IOMMU because it can read
Dialogue: 0,0:19:31.28,0:19:34.32,Default,,0000,0000,0000,,direct interrupt. So we can say:\N“Oh, interrupt no. 0 goes to here,
Dialogue: 0,0:19:34.32,0:19:39.21,Default,,0000,0000,0000,,1 goes to here, 2 goes to here…”.\NThat’s great 'cause it's consecutive, right?
Dialogue: 0,0:19:39.21,0:19:45.49,Default,,0000,0000,0000,,0 1 2 3 4 5… it’s obviously gonna have\Nthe same top bits. But we have to fix
Dialogue: 0,0:19:45.50,0:19:49.15,Default,,0000,0000,0000,,the ACPI table for that because it’s\Nbroken. But this does work. So this
Dialogue: 0,0:19:49.15,0:19:54.11,Default,,0000,0000,0000,,gets us interrupts that function and\Nthey’re individual. So let’s look at
Dialogue: 0,0:19:54.11,0:19:58.22,Default,,0000,0000,0000,,the check list: we have interrupts, timers,\Nearly serial, late serial with interrupts.
Dialogue: 0,0:19:58.22,0:20:03.17,Default,,0000,0000,0000,,We can get some user space, we can stash\Nsome user space and binaries into the kernel.
Dialogue: 0,0:20:03.17,0:20:06.06,Default,,0000,0000,0000,,And it will boot and you can get a console,\Nbut you get a console and you try
Dialogue: 0,0:20:06.06,0:20:12.88,Default,,0000,0000,0000,,writing commands and sometimes it hangs.\NOkay. What’s going on there?
Dialogue: 0,0:20:12.88,0:20:16.70,Default,,0000,0000,0000,,So it turns out that FreeBSD masks\Ninterrupts with an AMD proprietary
Dialogue: 0,0:20:16.70,0:20:21.15,Default,,0000,0000,0000,,register set. We had to clean that up,\Ntoo. And that fixes serial,
Dialogue: 0,0:20:21.15,0:20:24.73,Default,,0000,0000,0000,,and all the other interrupts.\NThis took ages to find. It’s like: “why…
Dialogue: 0,0:20:24.73,0:20:26.91,Default,,0000,0000,0000,,interrupts on CPU serial\Nsometimes don’t…, yeah”.
Dialogue: 0,0:20:26.91,0:20:33.79,Default,,0000,0000,0000,,I ended up dumping register sets,\Nand I saw this #FFFFF here, not #FFFFF,
Dialogue: 0,0:20:33.79,0:20:39.35,Default,,0000,0000,0000,,what’s that? But tracking through this\Nstack to find this was really annoying.
Dialogue: 0,0:20:39.35,0:20:45.78,Default,,0000,0000,0000,,Alright. So we have the basics. We have\Nlike a core platform we can run Linux on,
Dialogue: 0,0:20:45.78,0:20:49.50,Default,,0000,0000,0000,,even though it won’t do anything\Ninteresting. Add drivers!
Dialogue: 0,0:20:49.50,0:20:54.45,Default,,0000,0000,0000,,So we have USB xHCI which has three\Ncontrollers in one device. Again, because
Dialogue: 0,0:20:54.45,0:20:59.90,Default,,0000,0000,0000,,“Let’s make it insane!”. We have SDHCI,\Nthat’s SDIO for the Wi-Fi and the Bluetooth.
Dialogue: 0,0:20:59.90,0:21:03.51,Default,,0000,0000,0000,,Needs a non-standard config, it needs\Nquirks. Ethernet needs more hacks.
Dialogue: 0,0:21:03.51,0:21:07.14,Default,,0000,0000,0000,,It’s still partially broken, it only runs at\NGigabit speed. If you plug in a 100Mbit/s
Dialogue: 0,0:21:07.14,0:21:10.32,Default,,0000,0000,0000,,switch it just doesn’t send any data.\NNot sure why.
Dialogue: 0,0:21:10.32,0:21:13.81,Default,,0000,0000,0000,,And then all of this worked fine in\NLinux 4.4, and then just three days ago
Dialogue: 0,0:21:13.81,0:21:18.19,Default,,0000,0000,0000,,I think I tried to rebase on 4.9, and so\Nwe have the latest and the greatest.
Dialogue: 0,0:21:18.19,0:21:21.25,Default,,0000,0000,0000,,And everything failed. And DMA didn’t\Nwork. And all the drivers were just
Dialogue: 0,0:21:21.25,0:21:24.20,Default,,0000,0000,0000,,throwing their hands up in the air,\N“what’s going on here?”.
Dialogue: 0,0:21:24.20,0:21:27.28,Default,,0000,0000,0000,,{\i1}exhales{\i0}\NAeolia strikes back. So.
Dialogue: 0,0:21:27.28,0:21:32.55,Default,,0000,0000,0000,,That’s what… the Aeolia looks like,\Nnormally. So you have… again,
Dialogue: 0,0:21:32.55,0:21:36.69,Default,,0000,0000,0000,,it’s an ARM SoC, it’s really not a device.\NIt’s like its own little system. But
Dialogue: 0,0:21:36.69,0:21:40.75,Default,,0000,0000,0000,,it maps, it’s low 2 GB of the address base\Nto memory on the PC. And then the PC
Dialogue: 0,0:21:40.75,0:21:45.08,Default,,0000,0000,0000,,has a window into its registers that it\Ncan use to control those devices.
Dialogue: 0,0:21:45.08,0:21:48.43,Default,,0000,0000,0000,,So the PC can kind of play with the\Ndevices, and the DMA is to the same address
Dialogue: 0,0:21:48.43,0:21:53.15,Default,,0000,0000,0000,,and that works great. Because it’s mapped\Nin the same place. And then has its own RAM,
Dialogue: 0,0:21:53.15,0:21:58.58,Default,,0000,0000,0000,,in its own address space. This works fine.\NBut now we had an IOMMU. Because
Dialogue: 0,0:21:58.58,0:22:01.87,Default,,0000,0000,0000,,we needed it for the interrupts. And the\NIOMMU inserts its own address space
Dialogue: 0,0:22:01.87,0:22:05.19,Default,,0000,0000,0000,,in between and says: “Okay, you can map\Nanything to anything you want, that’s great.“
Dialogue: 0,0:22:05.19,0:22:08.32,Default,,0000,0000,0000,,It’s a page table, you can say “this\Naddress goes to that address.”
Dialogue: 0,0:22:08.32,0:22:13.10,Default,,0000,0000,0000,,Linux 4.4 did this: it would find some\Naddresses at the bottom of the IOMMU
Dialogue: 0,0:22:13.10,0:22:17.66,Default,,0000,0000,0000,,address space, say: “page 1 goes to this,\Npage 2 goes to that, page 3 goes to that”.
Dialogue: 0,0:22:17.66,0:22:22.87,Default,,0000,0000,0000,,And say: “device, you can now write to these\Npages”. And they go to this place in the x86.
Dialogue: 0,0:22:22.87,0:22:28.20,Default,,0000,0000,0000,,That worked fine. It turns out Linux 4.9,\Nor somewhere between 4.4 and 4.9
Dialogue: 0,0:22:28.20,0:22:32.55,Default,,0000,0000,0000,,it started doing this: it would map pages\Nfrom the top of the IOMMU address space
Dialogue: 0,0:22:32.55,0:22:36.75,Default,,0000,0000,0000,,and that’s fine for the IOMMU but it’s\Nnot in the window in the Aeolia, so
Dialogue: 0,0:22:36.75,0:22:42.14,Default,,0000,0000,0000,,you say “ethernet DMA to address\NFExxx”, and instead of DMA-ing
Dialogue: 0,0:22:42.14,0:22:49.83,Default,,0000,0000,0000,,to the RAM on the PC it DMA-s to the RAM\Non the Aeolia which is not gonna work.
Dialogue: 0,0:22:49.83,0:22:53.98,Default,,0000,0000,0000,,Effectively the Aeolia implements 31 bit\NDMA, not 32 bit DMA because only
Dialogue: 0,0:22:53.98,0:23:00.01,Default,,0000,0000,0000,,the bottom half is usable. It’s like why…\Nthis is all really fucked up, guys!
Dialogue: 0,0:23:00.01,0:23:03.80,Default,,0000,0000,0000,,Seriously. And this is littered all over\Nthe code in Linux, so they seeded
Dialogue: 0,0:23:03.80,0:23:07.41,Default,,0000,0000,0000,,more patches, and it works, but, yeah.
Dialogue: 0,0:23:07.41,0:23:11.03,Default,,0000,0000,0000,,Painful. Okay. Devices, laying out (?)\Ndevices’ work.
Dialogue: 0,0:23:11.03,0:23:16.26,Default,,0000,0000,0000,,Now for something completely different.\NWho can tell me who this character is?
Dialogue: 0,0:23:16.26,0:23:20.66,Default,,0000,0000,0000,,That’s Starsha from Space Battleship Yamato.\NAnd apparently that’s the code name
Dialogue: 0,0:23:20.66,0:23:24.84,Default,,0000,0000,0000,,for the PS4 graphics chip. Or at least that’s\None of the code names. Because
Dialogue: 0,0:23:24.84,0:23:27.94,Default,,0000,0000,0000,,they don’t seem to be able to agree\Non like what the code names are.
Dialogue: 0,0:23:27.94,0:23:31.86,Default,,0000,0000,0000,,It’s got “Liverpool” in some places, and\N“Starsha” in other places. Then “ThebeJ”
Dialogue: 0,0:23:31.86,0:23:36.21,Default,,0000,0000,0000,,in other places. And we think Sony calls\Nit “Starsha” and AMD calls it “Liverpool”
Dialogue: 0,0:23:36.21,0:23:39.79,Default,,0000,0000,0000,,but we’re not sure. We are calling it\N“Liverpool” everywhere just to avoid
Dialogue: 0,0:23:39.79,0:23:43.66,Default,,0000,0000,0000,,confusion. Okay.\NWhat’s this GPU about?
Dialogue: 0,0:23:43.66,0:23:47.23,Default,,0000,0000,0000,,Well, it’s an AMD Sea\NIslands generation GPU,
Dialogue: 0,0:23:47.23,0:23:52.94,Default,,0000,0000,0000,,which is spelled CI instead of SI because\N“S” was taken. It’s similar to other chips
Dialogue: 0,0:23:52.94,0:23:57.97,Default,,0000,0000,0000,,in the generation. So at least that’s\Nnot a bat shit crazy new thing.
Dialogue: 0,0:23:57.97,0:24:00.95,Default,,0000,0000,0000,,But it does have quirks and customizations\Nand oddities and things that don’t work.
Dialogue: 0,0:24:00.95,0:24:03.77,Default,,0000,0000,0000,,What we did is we took Bonaire which is\Nanother GPU that is already supported
Dialogue: 0,0:24:03.77,0:24:06.92,Default,,0000,0000,0000,,by Linux in that generation, and just kind\Nof added a new chip and said, okay,
Dialogue: 0,0:24:06.92,0:24:12.77,Default,,0000,0000,0000,,do all the Bonaire stuff, and then change\Nthings. And hopefully adapt it to the PS4.
Dialogue: 0,0:24:12.77,0:24:16.44,Default,,0000,0000,0000,,So hacking AMD drivers, okay, well,\Nthey’re open-source but AMD does not
Dialogue: 0,0:24:16.44,0:24:20.19,Default,,0000,0000,0000,,publish register docs. They publish 3D\Nshader and command queue documentations,
Dialogue: 0,0:24:20.19,0:24:24.28,Default,,0000,0000,0000,,so we get all the user space 3D rendering\Ncommands, that’s documented. But they
Dialogue: 0,0:24:24.28,0:24:27.61,Default,,0000,0000,0000,,don’t publish all the kernel hardware\Nregister documentation. That’s what
Dialogue: 0,0:24:27.61,0:24:30.74,Default,,0000,0000,0000,,we really want for hacking on drivers. So\Nthat’s annoying. And you’re thinking
Dialogue: 0,0:24:30.74,0:24:34.39,Default,,0000,0000,0000,,“the code is the documentation”,\Nright? “Just read the Linux drivers”.
Dialogue: 0,0:24:34.39,0:24:39.30,Default,,0000,0000,0000,,That’s great. Yeah, but they’re incomplete,\Nthen they have magic numbers, and
Dialogue: 0,0:24:39.30,0:24:43.23,Default,,0000,0000,0000,,it’s, you know, you don’t know if you need\Nto write a new register that’s not there,
Dialogue: 0,0:24:43.23,0:24:47.40,Default,,0000,0000,0000,,and it really sucks to try to write a GPU\Ndriver by reading other GPU drivers
Dialogue: 0,0:24:47.40,0:24:50.84,Default,,0000,0000,0000,,with no docs. So what do we do? We’re\Nhackers, right? We google. Everytime
Dialogue: 0,0:24:50.84,0:24:54.48,Default,,0000,0000,0000,,we need information, hopefully Google will\Nfind it because Google knows everything.
Dialogue: 0,0:24:54.48,0:24:59.11,Default,,0000,0000,0000,,And any tip that you could find in any\Nforum or code dumped somewhere is
Dialogue: 0,0:24:59.11,0:25:05.85,Default,,0000,0000,0000,,great. One of the things we found is we\Ngoogled this little string, “R8XXGPU”.
Dialogue: 0,0:25:05.85,0:25:10.73,Default,,0000,0000,0000,,And we get nine results. And the second\Nresult is this place, it’s “Siliconkit”,
Dialogue: 0,0:25:10.73,0:25:15.63,Default,,0000,0000,0000,,token, was that okay? It’s an XML file.\NAnd if we look at that it looks like
Dialogue: 0,0:25:15.63,0:25:21.50,Default,,0000,0000,0000,,it’s an XML file that contains a dump of\Nthe Bonaire GPU register documentation.
Dialogue: 0,0:25:21.50,0:25:26.39,Default,,0000,0000,0000,,But it’s like broken XML, and it’s\Nincomplete, it stops at one point.
Dialogue: 0,0:25:26.39,0:25:31.38,Default,,0000,0000,0000,,But like: “what’s this doing here?”\NAnd where did this come from, right?
Dialogue: 0,0:25:31.38,0:25:35.54,Default,,0000,0000,0000,,So let’s dig a little deeper. Okay Google,\Nwhat do you know about this website?
Dialogue: 0,0:25:35.54,0:25:39.79,Default,,0000,0000,0000,,Well, there’s some random things like\Nwhatthehellno.txt and whatthehellyes.txt
Dialogue: 0,0:25:39.79,0:25:46.20,Default,,0000,0000,0000,,and some Excel files. Those are\Nreally Excel like XML cell sheets.
Dialogue: 0,0:25:46.20,0:25:50.89,Default,,0000,0000,0000,,And then there’s a thing in the (?) there\Ncalled RAI.GRAMMAR.4.TXT.
Dialogue: 0,0:25:50.89,0:25:56.96,Default,,0000,0000,0000,,I wonder what that is. And it looks like\Nit’s a grammar, being a notation description
Dialogue: 0,0:25:56.96,0:26:03.49,Default,,0000,0000,0000,,for a syntax, of some kind of register\Ndocumentation file. This looks like
Dialogue: 0,0:26:03.49,0:26:10.75,Default,,0000,0000,0000,,an AMD internal format but it’s on this\Nwebsite. Okay. So we have these two URLs,
Dialogue: 0,0:26:10.75,0:26:14.56,Default,,0000,0000,0000,,/pragmatic/bonaire.xml\Nand /RAI/rai.grammar4.txt.
Dialogue: 0,0:26:14.56,0:26:22.20,Default,,0000,0000,0000,,Let’s try something. How about maybe\N/pragmatic/bonaire.rai – nah, it’s a 404.
Dialogue: 0,0:26:22.20,0:26:26.54,Default,,0000,0000,0000,,Okay, /pragmatic/RAI/bonaire.rai – aah!\NBingo!
Dialogue: 0,0:26:26.54,0:26:34.87,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:26:34.87,0:26:39.25,Default,,0000,0000,0000,,So this is a full – almost full Bonaire\Nregister documentation with like
Dialogue: 0,0:26:39.25,0:26:44.35,Default,,0000,0000,0000,,full register field descriptions, breakdowns,\Nall the addresses. It’s not 100% but
Dialogue: 0,0:26:44.35,0:26:48.83,Default,,0000,0000,0000,,like of the vast majority. This seems to\Nbe AMD-internal stuff. And I looked
Dialogue: 0,0:26:48.83,0:26:53.47,Default,,0000,0000,0000,,this guy up, and apparently he worked\Nat AMD at some point. So…
Dialogue: 0,0:26:53.47,0:26:56.85,Default,,0000,0000,0000,,But yeah… This is really, really helpful\Nbecause now you know what everything
Dialogue: 0,0:26:56.85,0:27:03.25,Default,,0000,0000,0000,,means, and debug registers, and… yeah.\NSo I wrote a working parser for this format.
Dialogue: 0,0:27:03.25,0:27:06.56,Default,,0000,0000,0000,,This was effectively writing an XML parser,\Nsomething like convert this thing to XML
Dialogue: 0,0:27:06.56,0:27:10.83,Default,,0000,0000,0000,,but it was all broken. Oh – he was writing\Nit in PHP, by the way, so there you go …
Dialogue: 0,0:27:10.83,0:27:14.58,Default,,0000,0000,0000,,So I wrote a working one in Python and\Nyou can dump it and then you can see
Dialogue: 0,0:27:14.58,0:27:18.31,Default,,0000,0000,0000,,what each register means, and it’ll tell\Nyou all the options. You can take
Dialogue: 0,0:27:18.31,0:27:22.52,Default,,0000,0000,0000,,a register dump and map it to the (?)(?)\Ndocumented. You can diff dumps,
Dialogue: 0,0:27:22.52,0:27:26.53,Default,,0000,0000,0000,,you can generic defines, it’s very useful\Nfor AMD GPUs. And this, grossly speaking
Dialogue: 0,0:27:26.53,0:27:31.11,Default,,0000,0000,0000,,applies to a lot of AMD GPUs, like they\Nshare a lot of registers. So this is useful
Dialogue: 0,0:27:31.11,0:27:36.09,Default,,0000,0000,0000,,for anyone hacking on AMD GPU stuff. Over\N4.000 registers are documented in the …
Dialogue: 0,0:27:36.09,0:27:42.02,Default,,0000,0000,0000,,just in the main GPU address space alone.\NThat’s great. Okay. So we have some docs.
Dialogue: 0,0:27:42.02,0:27:49.97,Default,,0000,0000,0000,,How do we get to a frame buffer? So if you…\NIsrael (?) is HDMI it’s easy, right? The GPU
Dialogue: 0,0:27:49.97,0:27:52.49,Default,,0000,0000,0000,,has HDMI, and if you query the GPU\Ninformation you actually get that it has
Dialogue: 0,0:27:52.49,0:27:57.86,Default,,0000,0000,0000,,an HDMI port and a DisplayPort port. Okay,\Nmaybe it’s unconnected, that’s fine, right?
Dialogue: 0,0:27:57.86,0:28:03.51,Default,,0000,0000,0000,,But if you actually ask the GPU it tells\Nyou: “HDMI is not connected, DP is connected”.
Dialogue: 0,0:28:03.51,0:28:09.92,Default,,0000,0000,0000,,Okay. Yeah, they have an external HDMI\Nencoder from DisplayPort to HDMI because
Dialogue: 0,0:28:09.92,0:28:13.03,Default,,0000,0000,0000,,just putting a wire from A to B is too\Ndifficult, because this is Sony, so:
Dialogue: 0,0:28:13.03,0:28:19.76,Default,,0000,0000,0000,,“let’s put a chip that converts some\Nprotocol A to protocol B…” {\i1}sighs{\i0}
Dialogue: 0,0:28:19.76,0:28:25.70,Default,,0000,0000,0000,,Yeah, yeah.\N{\i1}applause{\i0}
Dialogue: 0,0:28:25.70,0:28:33.55,Default,,0000,0000,0000,,It’s a Panasonic DisplayPort to HDMI\Nbridge, not documented by the way.
Dialogue: 0,0:28:33.55,0:28:37.43,Default,,0000,0000,0000,,We parsed config to work, that’s why it\Ndoesn’t just work. Even though some bridges do.
Dialogue: 0,0:28:37.43,0:28:41.39,Default,,0000,0000,0000,,And you’d think, okay, it’s hooked up to the\NGPU I2C bus, because GPUs have in the past
Dialogue: 0,0:28:41.39,0:28:45.31,Default,,0000,0000,0000,,used these bridges, and, not this one\Nparticularly but other AMD cards have had
Dialogue: 0,0:28:45.31,0:28:48.66,Default,,0000,0000,0000,,various chips that they stuck in front. And\Nthe code has support for talking to them
Dialogue: 0,0:28:48.66,0:28:54.31,Default,,0000,0000,0000,,through the GPU I2C interface, right?\NThat’s easy. Yay, you wish – it’s a Sony.
Dialogue: 0,0:28:54.31,0:28:57.91,Default,,0000,0000,0000,,{\i1}sighs{\i0}\NEnter ICC! So, remember the ICC thing
Dialogue: 0,0:28:57.91,0:29:02.17,Default,,0000,0000,0000,,in the Aeolia – it’s an RPC protocol you\Nuse to send commands to an MCU that is
Dialogue: 0,0:29:02.17,0:29:05.55,Default,,0000,0000,0000,,somewhere else on the motherboard. It’s\Na message box system, so you write some
Dialogue: 0,0:29:05.55,0:29:09.52,Default,,0000,0000,0000,,message to a memory place, and then you\Ntell: “Hey, read this message!” and then
Dialogue: 0,0:29:09.52,0:29:12.09,Default,,0000,0000,0000,,it writes some message back, and it tells\Nyou “Hey, it’s the reply!”.
Dialogue: 0,0:29:12.09,0:29:15.02,Default,,0000,0000,0000,,The Aeolia – not the otherGPU – uses it for things like
Dialogue: 0,0:29:15.02,0:29:20.99,Default,,0000,0000,0000,,Power Button, the LEDs, turning the power\Non and off, and also the HDMI encoder I2C.
Dialogue: 0,0:29:20.99,0:29:25.46,Default,,0000,0000,0000,,So now we have the dependency from the\NGPU driver to the Aeolia driver, two different
Dialogue: 0,0:29:25.46,0:29:30.20,Default,,0000,0000,0000,,PCI devices and two different… {\i1}sighs{\i0}\NYeah. And okay, again, ICC, but it’s I2C,
Dialogue: 0,0:29:30.20,0:29:34.10,Default,,0000,0000,0000,,you know, I2C is a simple protocol.\NYou read a register, you write a register,
Dialogue: 0,0:29:34.10,0:29:38.55,Default,,0000,0000,0000,,that’s all you need. It super simple.\NRight? Now let’s make a byte code
Dialogue: 0,0:29:38.55,0:29:41.48,Default,,0000,0000,0000,,fucking scripting engine to which you I2C\Ncommands and delays and bit masking
Dialogue: 0,0:29:41.48,0:29:47.03,Default,,0000,0000,0000,,and everything. And why, Sony, why, like\Nwhy would you do this? Well, because
Dialogue: 0,0:29:47.03,0:29:50.77,Default,,0000,0000,0000,,ICC is so slow? That if you actually tried\Nto do one read and one write at a time
Dialogue: 0,0:29:50.77,0:29:55.50,Default,,0000,0000,0000,,it takes 2 seconds to bring up HDMI.\N{\i1}exhales{\i0}
Dialogue: 0,0:29:55.50,0:29:57.04,Default,,0000,0000,0000,,Yeah…
Dialogue: 0,0:29:57.04,0:30:01.82,Default,,0000,0000,0000,,I don’t even know at this point…\N{\i1}applause{\i0}
Dialogue: 0,0:30:01.82,0:30:04.06,Default,,0000,0000,0000,,I have no idea.\N{\i1}continued applause{\i0}
Dialogue: 0,0:30:04.06,0:30:10.50,Default,,0000,0000,0000,,And by the way this thing has commands\Nwhere you can send scripts in a script
Dialogue: 0,0:30:10.50,0:30:13.85,Default,,0000,0000,0000,,to be run when certain events happen. So\N“Yo dawg, I heard you like scripts, I put
Dialogue: 0,0:30:13.85,0:30:16.96,Default,,0000,0000,0000,,scripts in your scripts so you can I2C\Nwhile you I2C”. Like: “let’s just go
Dialogue: 0,0:30:16.96,0:30:23.77,Default,,0000,0000,0000,,even deeper at this point”, right? Yeah.\N{\i1}exhales{\i0}
Dialogue: 0,0:30:23.77,0:30:29.01,Default,,0000,0000,0000,,Okay. We wrote some code for this,\Nyou need more hacks, it needs all
Dialogue: 0,0:30:29.01,0:30:33.60,Default,,0000,0000,0000,,DisplayPort lanes up, Linux tries to downscale,\Ndoesn’t work. Memory bandwidth calculation
Dialogue: 0,0:30:33.60,0:30:37.29,Default,,0000,0000,0000,,is broken. Mouse cursor size is from the\Nprevious GPU generation for some reason,
Dialogue: 0,0:30:37.29,0:30:41.75,Default,,0000,0000,0000,,I guess they forgot to update that. So\Nwait! All this crap – we get a frame buffer.
Dialogue: 0,0:30:41.75,0:30:47.16,Default,,0000,0000,0000,,But X won’t start. Ah. Well, it turns out\Nthat PS4 uses a unified memory architecture
Dialogue: 0,0:30:47.16,0:30:52.58,Default,,0000,0000,0000,,so it has a single memory pool that is\Nshared between the x86 and the GPU.
Dialogue: 0,0:30:52.58,0:30:56.11,Default,,0000,0000,0000,,And games just put a texture in memory\Nand say: “Hey, GPU, render this!” and
Dialogue: 0,0:30:56.11,0:31:00.89,Default,,0000,0000,0000,,that works great. And this makes a lot of\Nsense, and their driver uses this to the
Dialogue: 0,0:31:00.89,0:31:06.37,Default,,0000,0000,0000,,fullest extents. So there’s a VRAM,\Nyou know, the legacy… GPUs had
Dialogue: 0,0:31:06.37,0:31:10.23,Default,,0000,0000,0000,,a separate VRAM and all these integrated\Nchip sets can emulate VRAM using a chunk
Dialogue: 0,0:31:10.23,0:31:13.74,Default,,0000,0000,0000,,of the system memory. And you can usually\Nconfigure that in the BIOS if you have
Dialogue: 0,0:31:13.74,0:31:18.73,Default,,0000,0000,0000,,a PC that does this. And PS4 sets it to\N16 MB which is actually the lowest possible
Dialogue: 0,0:31:18.73,0:31:24.66,Default,,0000,0000,0000,,setting. And 16 Megs is not enough to have\Nmore than one Full HD frame buffer. So,
Dialogue: 0,0:31:24.66,0:31:28.52,Default,,0000,0000,0000,,obviously, that’s going to explode in\NLinux pretty badly. So what we do is
Dialogue: 0,0:31:28.52,0:31:31.75,Default,,0000,0000,0000,,we actually reconfigure the memory\Ncontroller in the system to give 1 GB
Dialogue: 0,0:31:31.75,0:31:36.72,Default,,0000,0000,0000,,of RAM to the VRAM, and we did it on the\Npsd-kexec. So it’s basically doing like
Dialogue: 0,0:31:36.72,0:31:41.52,Default,,0000,0000,0000,,BIOSy things. We were reconfiguring the\NNorthbridge at this point to make this work.
Dialogue: 0,0:31:41.52,0:31:46.30,Default,,0000,0000,0000,,But it works. And with this we can get X\Nto start because it can allocate its frame buffer.
Dialogue: 0,0:31:46.30,0:31:53.66,Default,,0000,0000,0000,,But okay, it’s 3D time, right? – Neeaah,\NGPU acceleration doesn’t quite work yet.
Dialogue: 0,0:31:53.66,0:31:58.56,Default,,0000,0000,0000,,So we got at least, you know, X but let’s\Ntalk a bit about the Radeon GPU
Dialogue: 0,0:31:58.56,0:32:03.18,Default,,0000,0000,0000,,for a second. So when you want to draw\Nsomething on the GPU you send it a command
Dialogue: 0,0:32:03.18,0:32:06.29,Default,,0000,0000,0000,,and you do this by putting it into ‘ring’\Nwhich is really just a structure in memory,
Dialogue: 0,0:32:06.29,0:32:11.50,Default,,0000,0000,0000,,that’s a (?)(?)(?)(?). And it wraps around.\NSo that way you can queue things to be done
Dialogue: 0,0:32:11.50,0:32:15.60,Default,,0000,0000,0000,,in the GPU, and then it does it on its own\Nand you can go and do other things.
Dialogue: 0,0:32:15.60,0:32:20.33,Default,,0000,0000,0000,,There’s a Graphics Ring for drawing,\Na Compute Ring for GPGPU, and a DMA Ring
Dialogue: 0,0:32:20.33,0:32:24.81,Default,,0000,0000,0000,,for copying things around. The commands\Nare processed by the GPU Command Processor
Dialogue: 0,0:32:24.81,0:32:32.42,Default,,0000,0000,0000,,which is really a bunch of different CPUs\Ninside the GPU. They are called F32.
Dialogue: 0,0:32:32.42,0:32:36.57,Default,,0000,0000,0000,,And they run a proprietary AMD microcode.\NSo this is a custom architecture.
Dialogue: 0,0:32:36.57,0:32:40.42,Default,,0000,0000,0000,,Also the rings can call out to IBs which\Nare indirect buffers. So you can say
Dialogue: 0,0:32:40.42,0:32:44.100,Default,,0000,0000,0000,,basically “Call this piece of memory, do\Nthis stuff there, return back to the ring”.
Dialogue: 0,0:32:44.100,0:32:48.63,Default,,0000,0000,0000,,And that’s actually how the user space\Nthing does things. So this says:
Dialogue: 0,0:32:48.63,0:32:51.75,Default,,0000,0000,0000,,“Draw this stuff” and it tells the kernel:\N“Hey, draw this stuff”. And the kernel
Dialogue: 0,0:32:51.75,0:32:57.27,Default,,0000,0000,0000,,tells the GPU: “Jump to that stuff,\Nread it come back, keep doing stuff”.
Dialogue: 0,0:32:57.27,0:33:01.100,Default,,0000,0000,0000,,This is basically how most GPUs work but\NRadeon specifically works like, you know…
Dialogue: 0,0:33:01.100,0:33:06.65,Default,,0000,0000,0000,,with this F32 stuff. Okay. The driver\Ncomplains: “Ring 0 test failed”.
Dialogue: 0,0:33:06.65,0:33:10.67,Default,,0000,0000,0000,,Technically (?), you test them, so at least\Nyou know it has nice diagnostic,
Dialogue: 0,0:33:10.67,0:33:13.67,Default,,0000,0000,0000,,and how does the test work? It’s really\Neasy. It writes a register with a value,
Dialogue: 0,0:33:13.67,0:33:16.65,Default,,0000,0000,0000,,and then it tells the GPU with a command\N“Please write this other value
Dialogue: 0,0:33:16.65,0:33:21.16,Default,,0000,0000,0000,,to the register”, runs it and the checks\Nto see if the register was actually written
Dialogue: 0,0:33:21.16,0:33:29.19,Default,,0000,0000,0000,,with the new value. So the write doesn’t\Nhappen. Thankfully, thanks to that RAI file
Dialogue: 0,0:33:29.19,0:33:32.46,Default,,0000,0000,0000,,earlier we found some debug registers that\Ntell you exactly what’s going on inside
Dialogue: 0,0:33:32.46,0:33:36.81,Default,,0000,0000,0000,,the GPU. And it shows the Command\NProcessor is stuck, waiting for data
Dialogue: 0,0:33:36.81,0:33:41.55,Default,,0000,0000,0000,,in the ring, so it needs more data.\NAfter a NOP command?! Yeah…
Dialogue: 0,0:33:41.55,0:33:46.95,Default,,0000,0000,0000,,NOP is hard, let’s go stalling. So packet\Nheaders in this GPU thing have a size
Dialogue: 0,0:33:46.95,0:33:51.70,Default,,0000,0000,0000,,that is SIZE-2. Whoever thought that was\Na good idea. So a 2 word packet
Dialogue: 0,0:33:51.70,0:33:58.92,Default,,0000,0000,0000,,has a size of zero. Then AMD implemented\Na 1 word packet with a size of -1.
Dialogue: 0,0:33:58.92,0:34:03.31,Default,,0000,0000,0000,,And old firmware doesn’t support that and\Nthinks: “Oh it’s 3FFF so I’m just gonna wait
Dialogue: 0,0:34:03.31,0:34:08.54,Default,,0000,0000,0000,,for a shitload of code in the buffer”,\Nright? It turns out that Hawaii,
Dialogue: 0,0:34:08.54,0:34:12.42,Default,,0000,0000,0000,,which is another GPU in the same gen\Nhas the same problem with old firmware.
Dialogue: 0,0:34:12.42,0:34:14.77,Default,,0000,0000,0000,,So they use a different NOP packet, so\Nthere was an exception in the driver
Dialogue: 0,0:34:14.77,0:34:18.94,Default,,0000,0000,0000,,for this. And we had to add ours to that.\NBut again – getting to this point, many,
Dialogue: 0,0:34:18.94,0:34:23.11,Default,,0000,0000,0000,,many, many hours of headbanging.
Dialogue: 0,0:34:23.11,0:34:28.23,Default,,0000,0000,0000,,Okay. We fixed that. Now it says:\N“Ring 3 test failed”.
Dialogue: 0,0:34:28.23,0:34:31.07,Default,,0000,0000,0000,,That’s the SDMA ring. That’s for copying\Nthings in memory and it works
Dialogue: 0,0:34:31.07,0:34:34.91,Default,,0000,0000,0000,,in the same way. It puts a value in RAM.\NIt tells the SDMA engine: “hey, write
Dialogue: 0,0:34:34.91,0:34:40.43,Default,,0000,0000,0000,,a different value”. And checks. This time\Nwe see the write happens but it writes “0”
Dialogue: 0,0:34:40.43,0:34:44.84,Default,,0000,0000,0000,,instead if the 0xDEADBEEF or whatever.\NOkay. So I tried this.
Dialogue: 0,0:34:44.84,0:34:48.14,Default,,0000,0000,0000,,I put two Write commands in the ring\Nsaying: “Write to one place, write to
Dialogue: 0,0:34:48.14,0:34:52.52,Default,,0000,0000,0000,,a different place”. And this time,\Nif I saw, what it did is it wrote “1”
Dialogue: 0,0:34:52.52,0:34:56.62,Default,,0000,0000,0000,,to the first destination and “0” to the\Nsecond destination. I’m thinking:
Dialogue: 0,0:34:56.62,0:35:00.38,Default,,0000,0000,0000,,“Okay, it’s supposed to write 0xDEADBEEF…”\Nwhich is what you see there, it’s…
Dialogue: 0,0:35:00.38,0:35:04.45,Default,,0000,0000,0000,,0xDEADBEEF is that word\Nwith the value. It writes “1”.
Dialogue: 0,0:35:04.45,0:35:08.98,Default,,0000,0000,0000,,Well, there’s a “1” there that\Nwasn’t there before, it was a “0”,
Dialogue: 0,0:35:08.98,0:35:13.64,Default,,0000,0000,0000,,because of this padding, right? So it\Nturns out they have it off by four,
Dialogue: 0,0:35:13.64,0:35:17.89,Default,,0000,0000,0000,,in the SDMA command parser\Nand it reads from four words later
Dialogue: 0,0:35:17.89,0:35:21.67,Default,,0000,0000,0000,,than it should.\N{\i1}exhales{\i0}
Dialogue: 0,0:35:21.67,0:35:26.91,Default,,0000,0000,0000,,Again, this took many hours of\Nheadbanging. It was like:
Dialogue: 0,0:35:26.91,0:35:32.39,Default,,0000,0000,0000,,“Randomly try two commands, oh, one, one?”\N– “One”.
Dialogue: 0,0:35:32.39,0:35:37.78,Default,,0000,0000,0000,,So it reads four words too late but only\Nin ring buffers. Indirect buffers work fine.
Dialogue: 0,0:35:37.78,0:35:40.94,Default,,0000,0000,0000,,That’s good because those come from user\Nspace. So we don’t have to mock with those.
Dialogue: 0,0:35:40.94,0:35:43.48,Default,,0000,0000,0000,,We can work around this, because it’s\Nonly used in two places in the kernel,
Dialogue: 0,0:35:43.48,0:35:47.54,Default,,0000,0000,0000,,by using a Fill command instead of a Write\Ncommand. That works fine. Again,…
Dialogue: 0,0:35:47.54,0:35:52.49,Default,,0000,0000,0000,,how do they even make these mistakes?!\NOkay. But still the GPU doesn’t work.
Dialogue: 0,0:35:52.49,0:35:55.64,Default,,0000,0000,0000,,The ring tests pass but if you tried\Nto draw you get a bunch of page faults.
Dialogue: 0,0:35:55.64,0:35:59.37,Default,,0000,0000,0000,,And it turns out that what happens is that\Non the PS4 you can’t write the page table
Dialogue: 0,0:35:59.37,0:36:05.83,Default,,0000,0000,0000,,registers from actual commands in the GPU\Nitself. You can write to them from the CPU
Dialogue: 0,0:36:05.83,0:36:09.32,Default,,0000,0000,0000,,directly. You can say just: “Write memory\N– memory register write”, and then
Dialogue: 0,0:36:09.32,0:36:14.52,Default,,0000,0000,0000,,I’ll write. But you can’t tell the GPU:\N“Please write to the page table register this”.
Dialogue: 0,0:36:14.52,0:36:18.52,Default,,0000,0000,0000,,So the page tables don’t work, the GPU\Ncan’t see any memory, so everything is broken.
Dialogue: 0,0:36:18.52,0:36:22.92,Default,,0000,0000,0000,,Linux uses this, FreeBSD doesn’t. It uses\Ndirect writes. And we think this is maybe
Dialogue: 0,0:36:22.92,0:36:27.29,Default,,0000,0000,0000,,a Firewall somewhere in the Liverpool,\Nsome kind of security thing they added.
Dialogue: 0,0:36:27.29,0:36:30.94,Default,,0000,0000,0000,,We can directly write from the CPU.\NBut it like breaks the regular…
Dialogue: 0,0:36:30.94,0:36:34.83,Default,,0000,0000,0000,,like it’s not asynchronous anymore. So\Nthis could break things. And it’s a really
Dialogue: 0,0:36:34.83,0:36:39.00,Default,,0000,0000,0000,,hacky solution. I would really like to fix\Nthis. And I’m thinking: “Maybe the firewall
Dialogue: 0,0:36:39.00,0:36:42.94,Default,,0000,0000,0000,,is in the firmware, right?”. But it’s\Nproprietary and undocumented firmware.
Dialogue: 0,0:36:42.94,0:36:47.63,Default,,0000,0000,0000,,So let’s look at that firmware. It’s\Na thing, it needs microcode, a CP thing.
Dialogue: 0,0:36:47.63,0:36:51.44,Default,,0000,0000,0000,,It’s undocumented. But we take the blobs\Nout of FreeBSD. And that’s great because
Dialogue: 0,0:36:51.44,0:36:56.51,Default,,0000,0000,0000,,we have don’t have to ship them. Let’s\Ndig deeper into those blobs. So how do you
Dialogue: 0,0:36:56.51,0:37:00.60,Default,,0000,0000,0000,,reverse-engineer an unknown CPU\Narchitecture? That’s really easy,
Dialogue: 0,0:37:00.60,0:37:05.04,Default,,0000,0000,0000,,run an instruction and see what it did.\NAnd then just keep doing that. Thankfully,
Dialogue: 0,0:37:05.04,0:37:07.71,Default,,0000,0000,0000,,we upload custom firmwares, so it’s\Nactually really easy to just have like
Dialogue: 0,0:37:07.71,0:37:10.45,Default,,0000,0000,0000,,a two-instruction firmware that does\Nsomething, and then writes a register
Dialogue: 0,0:37:10.45,0:37:14.22,Default,,0000,0000,0000,,to a memory location. And that’s actually\Nreally easy to find. If you first like
Dialogue: 0,0:37:14.22,0:37:17.46,Default,,0000,0000,0000,,write the memory instruction, it’s really\Neasy to find in the binary because you see
Dialogue: 0,0:37:17.46,0:37:23.56,Default,,0000,0000,0000,,like GPU register offsets that stand out\Na bit in one column. So long story short,
Dialogue: 0,0:37:23.56,0:37:27.80,Default,,0000,0000,0000,,we wrote F32DIS which is a disassembler\Nfor the proprietary AMD F32 microcode.
Dialogue: 0,0:37:27.80,0:37:31.62,Default,,0000,0000,0000,,I shamelessly stole the instruction\Nsyntax from ARM. So you may recognize
Dialogue: 0,0:37:31.62,0:37:35.13,Default,,0000,0000,0000,,that if you’ve ever seen an ARM disassembly.\NAnd this is not complete but it can
Dialogue: 0,0:37:35.13,0:37:38.98,Default,,0000,0000,0000,,disassemble every single instruction\Nin all the firmware in Liverpool for PFP,
Dialogue: 0,0:37:38.98,0:37:43.11,Default,,0000,0000,0000,,ME, CE, MEC and RLC which are five\Ndifferent blocks in the GPU. As far
Dialogue: 0,0:37:43.11,0:37:46.32,Default,,0000,0000,0000,,as I notice that’s never been done before,\Nall the firmware was like in a voodoo
Dialogue: 0,0:37:46.32,0:37:50.10,Default,,0000,0000,0000,,black magic thing that’s been shipped.\NNot even the non-AMD kernel developers
Dialogue: 0,0:37:50.10,0:37:54.71,Default,,0000,0000,0000,,know anything about this. So…\N{\i1}applause{\i0}
Dialogue: 0,0:37:54.71,0:37:57.29,Default,,0000,0000,0000,,{\i1}ongoing applause{\i0}
Dialogue: 0,0:37:57.29,0:38:01.84,Default,,0000,0000,0000,,And you can disassemble the desktop\NGPU stuff, too. So this could be good for
Dialogue: 0,0:38:01.84,0:38:06.13,Default,,0000,0000,0000,,debugging strange GPU shenanigans\Nin non-PS4 stuff.
Dialogue: 0,0:38:06.13,0:38:10.66,Default,,0000,0000,0000,,Alright. Alas, it’s not in the firmware.\NIt seems to be blocked in hardware.
Dialogue: 0,0:38:10.66,0:38:14.51,Default,,0000,0000,0000,,I found a debug register that actually\Nsays: “there was an access violation
Dialogue: 0,0:38:14.51,0:38:17.34,Default,,0000,0000,0000,,in the bus when you try to write this\Nthing”. And I tried a bunch of workarounds
Dialogue: 0,0:38:17.34,0:38:22.79,Default,,0000,0000,0000,,and I even bought an AMD APU system,\Ndesktop. Dumped all the registers,
Dialogue: 0,0:38:22.79,0:38:26.78,Default,,0000,0000,0000,,diff’ed them against the one I had on Linux\Nand tried setting every single value
Dialogue: 0,0:38:26.78,0:38:30.88,Default,,0000,0000,0000,,from the other GPU and hoping I find some\Nmagic bits somewhere, but… no.
Dialogue: 0,0:38:30.88,0:38:35.42,Default,,0000,0000,0000,,They probably have a setting for this,\Nsomewhere, but it’s a sea of ones and zeros,
Dialogue: 0,0:38:35.42,0:38:40.21,Default,,0000,0000,0000,,good luck finding it. It does work with\Na CPU Write, workaround, though.
Dialogue: 0,0:38:40.21,0:38:43.77,Default,,0000,0000,0000,,So, hey, at least we get 3D! And it’s\Nactually pretty stable, so if there’s
Dialogue: 0,0:38:43.77,0:38:49.21,Default,,0000,0000,0000,,a race condition I’m not really seeing it.\NSo – checklist! What works,
Dialogue: 0,0:38:49.21,0:38:52.64,Default,,0000,0000,0000,,what doesn’t work. We have interrupts,\Nand timers – the core thing you need
Dialogue: 0,0:38:52.64,0:38:56.49,Default,,0000,0000,0000,,to run any OS – we have a serial port,\Nwe can shutdown the system and reboot,
Dialogue: 0,0:38:56.49,0:38:59.56,Default,,0000,0000,0000,,and you’ll think that’s funny but actually\Nthat goes through ICC, so again,
Dialogue: 0,0:38:59.56,0:39:02.42,Default,,0000,0000,0000,,at least some interesting code there.\NI actually just implemented that about
Dialogue: 0,0:39:02.42,0:39:08.70,Default,,0000,0000,0000,,four hours ago. Because pulling the plug\Nwas getting old. The Power button works.
Dialogue: 0,0:39:08.70,0:39:13.28,Default,,0000,0000,0000,,USB works. There’s a funny story with USB\Nas it used not to work. And we said:
Dialogue: 0,0:39:13.28,0:39:17.43,Default,,0000,0000,0000,,“Fix it later, there seems to be special\Ncode missing.” And then someone
Dialogue: 0,0:39:17.43,0:39:20.50,Default,,0000,0000,0000,,pulled a repo from the USB-not-working\Nbranch, and tested it, and said:
Dialogue: 0,0:39:20.50,0:39:25.45,Default,,0000,0000,0000,,“It’s working!” It seems we fixed it by\Naccident, by changing something else.
Dialogue: 0,0:39:25.45,0:39:29.17,Default,,0000,0000,0000,,The hard disk works which is via the USB.\NBlu-ray works, I wrote a driver for that,
Dialogue: 0,0:39:29.17,0:39:32.17,Default,,0000,0000,0000,,also four hours ago. – Three hours ago\Nnow? Yeah, something like that.
Dialogue: 0,0:39:32.17,0:39:34.93,Default,,0000,0000,0000,,And I spent 20 minutes looking for someone\Nin the Hackcenter that had a DVD I could
Dialogue: 0,0:39:34.93,0:39:40.40,Default,,0000,0000,0000,,stick in to try. Apparently I’m from\Nhe past if I ask for DVDs.
Dialogue: 0,0:39:40.40,0:39:45.39,Default,,0000,0000,0000,,But it does work. So that’s good. Wi-Fi\Nand Bluetooth works.
Dialogue: 0,0:39:45.39,0:39:49.12,Default,,0000,0000,0000,,Ethernet works, except only at GBit speeds.\NFrame buffer works. HDMI works.
Dialogue: 0,0:39:49.12,0:39:54.83,Default,,0000,0000,0000,,It’s currently hard-coded to 1080p so…\NIt does work. We can fix that
Dialogue: 0,0:39:54.83,0:40:00.96,Default,,0000,0000,0000,,by improving the encoder implementation.\N3D works with the ugly register write hack.
Dialogue: 0,0:40:00.96,0:40:06.66,Default,,0000,0000,0000,,And SPDIF audio works. So that’s good.\NHDMI audio doesn’t work. Mostly because
Dialogue: 0,0:40:06.66,0:40:10.45,Default,,0000,0000,0000,,I only got audio grossly working, in\Ngeneral, recently, and I haven’t had
Dialogue: 0,0:40:10.45,0:40:15.25,Default,,0000,0000,0000,,a chance to program the encoder to support\Nthe audio stuff yet. Because, again,
Dialogue: 0,0:40:15.25,0:40:18.62,Default,,0000,0000,0000,,new more annoying hacks there. And the\Nreal-time clock doesn’t work and everything.
Dialogue: 0,0:40:18.62,0:40:23.35,Default,,0000,0000,0000,,That’s simple, the clock, that device is\Nsimple. But ever since the PS2 the way
Dialogue: 0,0:40:23.35,0:40:27.41,Default,,0000,0000,0000,,Sony has implemented real-time clocks\Nis that instead of reading and writing
Dialogue: 0,0:40:27.41,0:40:29.92,Default,,0000,0000,0000,,the time on the clock, which is what you\Nwould think is the normal thing to do,
Dialogue: 0,0:40:29.92,0:40:33.48,Default,,0000,0000,0000,,they never write the time on the clock.\NInstead, they store an offset from the clock
Dialogue: 0,0:40:33.48,0:40:39.58,Default,,0000,0000,0000,,to the real time, in some kind of storage\Nlocation. And there’s a giant mess of…
Dialogue: 0,0:40:39.58,0:40:44.27,Default,,0000,0000,0000,,…registry it’s called, in the PS4, and\NI don’t even know where it’s stored.
Dialogue: 0,0:40:44.27,0:40:46.97,Default,,0000,0000,0000,,It might be on the hard drive, it might be\Nencrypted. So basically, getting
Dialogue: 0,0:40:46.97,0:40:50.26,Default,,0000,0000,0000,,the real-time clock to actually show the\Nright time involves a pile of nonsense
Dialogue: 0,0:40:50.26,0:40:53.98,Default,,0000,0000,0000,,that I haven’t had the chance to look at\Nyet. But… we have NTP, right?
Dialogue: 0,0:40:53.98,0:40:59.03,Default,,0000,0000,0000,,So it’s good enough. – Oh, and we have\NBlinkenlights! Important! The Power LED
Dialogue: 0,0:40:59.03,0:41:04.33,Default,,0000,0000,0000,,does some interesting things, if you’re\Non Linux. So that’s good.
Dialogue: 0,0:41:04.33,0:41:10.61,Default,,0000,0000,0000,,So – the code: you can get the ps4-kexec\Ncode on our Github page. That has
Dialogue: 0,0:41:10.61,0:41:14.91,Default,,0000,0000,0000,,the kexec and the hardware configuration,\Nand the bootloader Linux stuff.
Dialogue: 0,0:41:14.91,0:41:18.60,Default,,0000,0000,0000,,You can get the ps4 Linux branch which is\Nthe… our fork of the kernel,
Dialogue: 0,0:41:18.60,0:41:22.77,Default,,0000,0000,0000,,rebased on 4.9 which is the latest (?)\Nversion, I think.
Dialogue: 0,0:41:22.77,0:41:26.32,Default,,0000,0000,0000,,You can get our Radeon patches which are\Nthree, I think, really tiny patches for
Dialogue: 0,0:41:26.32,0:41:30.41,Default,,0000,0000,0000,,user space libraries just to support this\Nnew chip. Really simple stuff, the NOP
Dialogue: 0,0:41:30.41,0:41:35.29,Default,,0000,0000,0000,,thing, and a couple of commands. And the\NRAI and F32DIS thing I mentioned.
Dialogue: 0,0:41:35.29,0:41:40.78,Default,,0000,0000,0000,,You can get Radeon tools at that Github\Nrepo. Just push that right before the stock.
Dialogue: 0,0:41:40.78,0:41:44.09,Default,,0000,0000,0000,,So if you’re interested – there you go.\NAnd if you going at the RAI file, well,
Dialogue: 0,0:41:44.09,0:41:47.57,Default,,0000,0000,0000,,we wanna put you on a run before the guys\Nat that website realize they really should
Dialogue: 0,0:41:47.57,0:41:52.59,Default,,0000,0000,0000,,take that down! But I’m sure the internet\Nwayback machine has it somewhere.
Dialogue: 0,0:41:52.59,0:42:00.28,Default,,0000,0000,0000,,Okay! That’s everything for the story of\Nhow we got Linux running on the PS4.
Dialogue: 0,0:42:00.28,0:42:08.71,Default,,0000,0000,0000,,And you can reach us at that website\Nor fail0verflow on Twitter.
Dialogue: 0,0:42:08.71,0:42:14.44,Default,,0000,0000,0000,,{\i1}applause{\i0}\NThank you!
Dialogue: 0,0:42:14.44,0:42:18.26,Default,,0000,0000,0000,,{\i1}ongoing applause{\i0}
Dialogue: 0,0:42:18.26,0:42:24.31,Default,,0000,0000,0000,,I hope that wasn’t too fast, sorry, I had\Nto rush through my 89 slides a little bit
Dialogue: 0,0:42:24.31,0:42:29.46,Default,,0000,0000,0000,,because I really wanted to do a demo.\NI think this kind of is the demo, right.
Dialogue: 0,0:42:29.46,0:42:33.18,Default,,0000,0000,0000,,But we can try something else.\NSo maybe I can shut this –
Dialogue: 0,0:42:33.18,0:42:39.84,Default,,0000,0000,0000,,so I can aim with my controller.
Dialogue: 0,0:42:39.84,0:42:43.96,Default,,0000,0000,0000,,This is really not meant as a mouse!\NThat’s not Right Button.
Dialogue: 0,0:42:43.96,0:42:46.81,Default,,0000,0000,0000,,Come on! Yeah, I think it is…
Dialogue: 0,0:42:46.81,0:42:48.81,Default,,0000,0000,0000,,Close? Close! Maybe…
Dialogue: 0,0:42:48.81,0:42:51.10,Default,,0000,0000,0000,,So we have this little icon here.\NI wonder what happens if it works.
Dialogue: 0,0:42:51.10,0:42:55.74,Default,,0000,0000,0000,,Do we have internet access? Hopefully\NWi-Fi works, let’s then just check real quick.
Dialogue: 0,0:42:55.74,0:42:57.73,Default,,0000,0000,0000,,{\i1}keyboard typing sounds{\i0}
Dialogue: 0,0:42:57.73,0:42:59.85,Default,,0000,0000,0000,,This could bork really badly if we don’t.
Dialogue: 0,0:42:59.85,0:43:02.04,Default,,0000,0000,0000,,{\i1}keyboard typing sounds{\i0}
Dialogue: 0,0:43:02.04,0:43:03.50,Default,,0000,0000,0000,,{\i1}mumbles{\i0} ping 8.8.8.8
Dialogue: 0,0:43:03.50,0:43:06.01,Default,,0000,0000,0000,,Yeah, we have internet access.\NSo, Wi-Fi works!
Dialogue: 0,0:43:06.01,0:43:08.71,Default,,0000,0000,0000,,Okay. I wonder what happens\Nif we click that!
Dialogue: 0,0:43:08.71,0:43:15.16,Default,,0000,0000,0000,,It takes a while to load.\NThis is not optimized for…
Dialogue: 0,0:43:15.16,0:43:23.86,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}\N{\i1}marcan laughs{\i0}
Dialogue: 0,0:43:23.86,0:43:28.41,Default,,0000,0000,0000,,So the CPUs on this thing are\Na little bit slow. But…
Dialogue: 0,0:43:28.41,0:43:31.99,Default,,0000,0000,0000,,{\i1}sounds of the machine{\i0}\NHey, it works!
Dialogue: 0,0:43:31.99,0:43:35.88,Default,,0000,0000,0000,,And now it’s a real game console!
Dialogue: 0,0:43:35.88,0:43:42.09,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:43:42.09,0:43:49.07,Default,,0000,0000,0000,,And this is… there we go, okay.
Dialogue: 0,0:43:49.07,0:43:54.29,Default,,0000,0000,0000,,So I think we can probably take some Q&A\Nbecause this is a little bit slow to load.
Dialogue: 0,0:43:54.29,0:43:56.53,Default,,0000,0000,0000,,But we can try a game, maybe.
Dialogue: 0,0:43:56.53,0:44:03.02,Default,,0000,0000,0000,,Herald: If you are for Q&A I think\Nthere will be some questions.
Dialogue: 0,0:44:03.02,0:44:07.09,Default,,0000,0000,0000,,So shall we start with one\Nfrom the internet.
Dialogue: 0,0:44:07.09,0:44:16.03,Default,,0000,0000,0000,,Signal Angel: Hey! The internet wants to\Nknow if most of your research will be
Dialogue: 0,0:44:16.03,0:44:18.47,Default,,0000,0000,0000,,published, or if stuff’s\Ngoing to stay private.
Dialogue: 0,0:44:18.47,0:44:21.99,Default,,0000,0000,0000,,marcan: All of this… the publishing is\Nbasically the code which… and you know
Dialogue: 0,0:44:21.99,0:44:26.66,Default,,0000,0000,0000,,the explanation I just gave… I said that\Neverything’s on Github. So all the drivers
Dialogue: 0,0:44:26.66,0:44:30.95,Default,,0000,0000,0000,,we wrote, all the… I mean… and in this\Ncase also the spec is the code.
Dialogue: 0,0:44:30.95,0:44:34.30,Default,,0000,0000,0000,,If you really want to I could write some\NWiki pages on this. But roughly speaking,
Dialogue: 0,0:44:34.30,0:44:37.89,Default,,0000,0000,0000,,what’s in the drivers is what we found\Nout. The really interesting bit,
Dialogue: 0,0:44:37.89,0:44:44.27,Default,,0000,0000,0000,,I think, is that F32 stuff from the AMD\NGPU stuff. And that we have a repo for.
Dialogue: 0,0:44:44.27,0:44:48.37,Default,,0000,0000,0000,,But if you have any general questions, or\Nname a particular device, or any details,
Dialogue: 0,0:44:48.37,0:44:54.07,Default,,0000,0000,0000,,feel free to ask. I don’t know… again, it\Nwould be nice if we wrote a bunch
Dialogue: 0,0:44:54.07,0:44:57.22,Default,,0000,0000,0000,,of docs and everything. But it’s not really\Na matter of not wanting to write them,
Dialogue: 0,0:44:57.22,0:45:01.25,Default,,0000,0000,0000,,it’s lazy engineers not wanting to write\Ndocumentation. But the code is at least…
Dialogue: 0,0:45:01.25,0:45:05.25,Default,,0000,0000,0000,,the things we have on Github are fairly\Nclean. So.
Dialogue: 0,0:45:05.25,0:45:08.63,Default,,0000,0000,0000,,Herald: Okay, so, someone is piling up\Non 4. Guys, if you have questions
Dialogue: 0,0:45:08.63,0:45:11.99,Default,,0000,0000,0000,,you see the microphones over here.\NJust pile up over there
Dialogue: 0,0:45:11.99,0:45:14.54,Default,,0000,0000,0000,,and I’m gonna point… 4 please!
Dialogue: 0,0:45:14.54,0:45:19.21,Default,,0000,0000,0000,,Question: Just a small question.\NHow likely is it that you upstream
Dialogue: 0,0:45:19.21,0:45:22.70,Default,,0000,0000,0000,,some of that stuff. Because… I mean…
Dialogue: 0,0:45:22.70,0:45:27.30,Default,,0000,0000,0000,,marcan: So there’s two sides to that.\NOne side is that we need to actually
Dialogue: 0,0:45:27.30,0:45:31.06,Default,,0000,0000,0000,,get together and upstream it. The code…\Nsome of it has horrible hacks, some of it
Dialogue: 0,0:45:31.06,0:45:36.54,Default,,0000,0000,0000,,isn’t too bad. So we want to upstream it.
Dialogue: 0,0:45:36.54,0:45:42.10,Default,,0000,0000,0000,,We have to sit down and actually do it.\NI think most of the custom x86 based
Dialogue: 0,0:45:42.10,0:45:45.28,Default,,0000,0000,0000,,machine stuff and the kernel is doable.\NThe drivers are probably doable.
Dialogue: 0,0:45:45.28,0:45:49.61,Default,,0000,0000,0000,,Some people might scream at the interrupt\Nhacks. But it’s probably not terrible.
Dialogue: 0,0:45:49.61,0:45:53.58,Default,,0000,0000,0000,,And if they have a better way of doing it\NI’m all ears, there are other kernel devs.
Dialogue: 0,0:45:53.58,0:45:59.59,Default,,0000,0000,0000,,The Radeon stuff is quite fishy because of\Nthe encoder thing that is like (?) non-standard.
Dialogue: 0,0:45:59.59,0:46:03.88,Default,,0000,0000,0000,,And also understandably\NAMD GPU driver developers
Dialogue: 0,0:46:03.88,0:46:07.38,Default,,0000,0000,0000,,that work for AMD may want to have nothing\Nto do with this. And in fact I know
Dialogue: 0,0:46:07.38,0:46:11.57,Default,,0000,0000,0000,,for a fact that at least\None of them doesn’t. But
Dialogue: 0,0:46:11.57,0:46:16.61,Default,,0000,0000,0000,,they can’t really stop us from upstreaming\Nthings into the Linux kernel, right?
Dialogue: 0,0:46:16.61,0:46:20.21,Default,,0000,0000,0000,,So I think as long as we get to come\Nto a state where it’s doable it’s fine.
Dialogue: 0,0:46:20.21,0:46:23.25,Default,,0000,0000,0000,,But most likely I think…\N{\i1}laughter{\i0}
Dialogue: 0,0:46:23.25,0:46:27.91,Default,,0000,0000,0000,,…I think most likely the non-GPU stuff\Nwill go in first if we have a chance
Dialogue: 0,0:46:27.91,0:46:30.94,Default,,0000,0000,0000,,to do that. And of course, if you wanna\Ntry upstreaming it go ahead!
Dialogue: 0,0:46:30.94,0:46:33.47,Default,,0000,0000,0000,,It’s open source, right? So.
Dialogue: 0,0:46:33.47,0:46:35.46,Default,,0000,0000,0000,,Herald: Over to microphone 1, please.
Dialogue: 0,0:46:35.46,0:46:42.08,Default,,0000,0000,0000,,Question: Hi. First I think I should\Nemploy you to try and find trouble Hudson. (?)
Dialogue: 0,0:46:42.08,0:46:48.43,Default,,0000,0000,0000,,And control him into using your FreeBSD\Nkexec implementation in heads.
Dialogue: 0,0:46:48.43,0:46:55.21,Default,,0000,0000,0000,,Instead of having to run all of Linux in it,\Nas a joke. But my real question is:
Dialogue: 0,0:46:55.21,0:46:59.16,Default,,0000,0000,0000,,if the reason you used Gentoo was\Nbecause systemd was yet another hurdle
Dialogue: 0,0:46:59.16,0:47:00.52,Default,,0000,0000,0000,,in getting this to run?
Dialogue: 0,0:47:00.52,0:47:02.71,Default,,0000,0000,0000,,{\i1}laughter{\i0}\N{\i1}marcan laughs{\i0}
Dialogue: 0,0:47:02.71,0:47:06.43,Default,,0000,0000,0000,,marcan: I run Gentoo on my main machine,\NI run Gentoo on most of the machines
Dialogue: 0,0:47:06.43,0:47:10.95,Default,,0000,0000,0000,,I care about. I do run Arch on a few of\Nthe others and then I’d live with systemd.
Dialogue: 0,0:47:10.95,0:47:15.66,Default,,0000,0000,0000,,But the reason why I run Gentoo is, first\Nit’s what I like and use. And second it’s
Dialogue: 0,0:47:15.66,0:47:19.12,Default,,0000,0000,0000,,super easy to use patches on Gentoo.\NYou get those things we put onto Github,
Dialogue: 0,0:47:19.12,0:47:21.55,Default,,0000,0000,0000,,which are just patch files, it’s not really\Na repo. Because they’re so easy
Dialogue: 0,0:47:21.55,0:47:24.87,Default,,0000,0000,0000,,it’s not worth cloning everything. Just\Nget those patch files, stick them on
Dialogue: 0,0:47:24.87,0:47:28.48,Default,,0000,0000,0000,,/etc/portage/patches/, have a little hook to patch,\Nand that’s all you need. So it’s really
Dialogue: 0,0:47:28.48,0:47:33.07,Default,,0000,0000,0000,,easy to patch packages in Gentoo,\Nthat’s one of the main reasons.
Dialogue: 0,0:47:33.07,0:47:37.73,Default,,0000,0000,0000,,{\i1}laughs about something in audience{\i0}
Dialogue: 0,0:47:37.73,0:47:39.60,Default,,0000,0000,0000,,Herald: No. 3 please!
Dialogue: 0,0:47:39.60,0:47:43.55,Default,,0000,0000,0000,,Question: Will there be new exploits,\Nnew way to boot Linux
Dialogue: 0,0:47:43.55,0:47:48.40,Default,,0000,0000,0000,,on PS3 with modern firmwares\Nbecause finding one
Dialogue: 0,0:47:48.40,0:47:51.11,Default,,0000,0000,0000,,with firmware 1.76 is really rare.
Dialogue: 0,0:47:51.11,0:47:52.46,Default,,0000,0000,0000,,marcan: That was 4.05!
Dialogue: 0,0:47:52.46,0:47:58.50,Default,,0000,0000,0000,,Question: Ah, okay.\Nmarcan: But again, our goal is to focus
Dialogue: 0,0:47:58.50,0:48:01.37,Default,,0000,0000,0000,,on… I just told you the story of the\Npre-exploit thing because I think
Dialogue: 0,0:48:01.37,0:48:05.09,Default,,0000,0000,0000,,that’s good like a hacker story, a good\Nknowledge suite trying new platforms.
Dialogue: 0,0:48:05.09,0:48:07.74,Default,,0000,0000,0000,,And the Linux thing we’re working on.\NThe reason why we don’t want to publish
Dialogue: 0,0:48:07.74,0:48:11.60,Default,,0000,0000,0000,,the exploit or really get involved in the\Nwhole exploit scene is that there is
Dialogue: 0,0:48:11.60,0:48:17.10,Default,,0000,0000,0000,,a lot of drama, it’s not rocket science\Nin that it’s like super custom code,
Dialogue: 0,0:48:17.10,0:48:21.40,Default,,0000,0000,0000,,this is WebKit and FreeBSD. It’s actually not\Nthat hard. And we know for a fact
Dialogue: 0,0:48:21.40,0:48:25.75,Default,,0000,0000,0000,,that several people have reproduced this\Non various firmwares. So there’s no need
Dialogue: 0,0:48:25.75,0:48:29.98,Default,,0000,0000,0000,,for us to be the exploit provider. And\Nwe don’t want to get into that because
Dialogue: 0,0:48:29.98,0:48:37.42,Default,,0000,0000,0000,,it’s a giant drama fest as we all know,\Nanyway. Please DIY it this time!
Dialogue: 0,0:48:37.42,0:48:39.47,Default,,0000,0000,0000,,Question: Okay. Thanks.
Dialogue: 0,0:48:39.47,0:48:41.33,Default,,0000,0000,0000,,Herald: And what is the internet saying?
Dialogue: 0,0:48:41.33,0:48:46.44,Default,,0000,0000,0000,,Signal Angel: The internet wants to know\Nif you ever had fun with the BSD
Dialogue: 0,0:48:46.44,0:48:47.75,Default,,0000,0000,0000,,on the second processor.
Dialogue: 0,0:48:47.75,0:48:52.46,Default,,0000,0000,0000,,marcan: Oh, that’s a very good question.\NI myself haven’t. I don’t know if anyone
Dialogue: 0,0:48:52.46,0:48:55.93,Default,,0000,0000,0000,,else has looked at it briefly. One of the\Ncommands for rebooting will boot
Dialogue: 0,0:48:55.93,0:49:01.34,Default,,0000,0000,0000,,that CPU into FreeBSD. And there’s\Nprobably fun to be had there.
Dialogue: 0,0:49:01.34,0:49:03.87,Default,,0000,0000,0000,,But we haven’t really looked into it.
Dialogue: 0,0:49:03.87,0:49:06.82,Default,,0000,0000,0000,,Herald: And over to 5, please.
Dialogue: 0,0:49:06.82,0:49:13.00,Default,,0000,0000,0000,,Question: I was wondering if any of that\Nstuff was applicable to the PS4 VR edition
Dialogue: 0,0:49:13.00,0:49:18.80,Default,,0000,0000,0000,,or whatever it’s called, the new one?\NDid you ever test it?
Dialogue: 0,0:49:18.80,0:49:20.46,Default,,0000,0000,0000,,marcan: Sorry, say it again!
Dialogue: 0,0:49:20.46,0:49:22.36,Default,,0000,0000,0000,,Question: Sony brought up a new PS4\NI thought.
Dialogue: 0,0:49:22.36,0:49:24.30,Default,,0000,0000,0000,,marcan: Oh, the Pro you mean,\Nthe PS4 Pro?
Dialogue: 0,0:49:24.30,0:49:26.67,Default,,0000,0000,0000,,Question: Yes.\Nmarcan: So Linux boots on the Pro,
Dialogue: 0,0:49:26.67,0:49:30.29,Default,,0000,0000,0000,,we got that far. GPU is broken. So we\Nwould like to get this ported to the Pro
Dialogue: 0,0:49:30.29,0:49:34.14,Default,,0000,0000,0000,,and also working. It’s basically an\Nincremental update, so it’s not that hard,
Dialogue: 0,0:49:34.14,0:49:36.100,Default,,0000,0000,0000,,but the GPU needs a new definition,\Nnew jBullet(?) stuff.
Dialogue: 0,0:49:36.100,0:49:40.94,Default,,0000,0000,0000,,Yeah, you get a lot of C frames\Ndown-burned (?), yeah…
Dialogue: 0,0:49:40.94,0:49:45.28,Default,,0000,0000,0000,,So, as you can see, 3D works,\Nand, there you go!
Dialogue: 0,0:49:45.28,0:49:52.34,Default,,0000,0000,0000,,{\i1}synth speech from game{\i0}\N{\i1}applause{\i0}
Dialogue: 0,0:49:52.34,0:49:56.12,Default,,0000,0000,0000,,I only have to look up and down in this game!
Dialogue: 0,0:49:56.12,0:49:58.23,Default,,0000,0000,0000,,{\i1}continued synth speech from game{\i0}
Dialogue: 0,0:49:58.23,0:50:01.02,Default,,0000,0000,0000,,Herald: Well, then number 3, please.
Dialogue: 0,0:50:01.02,0:50:07.68,Default,,0000,0000,0000,,Question: I want to ask you if you want to\Nport these Radeon patches to the new
Dialogue: 0,0:50:07.68,0:50:16.27,Default,,0000,0000,0000,,amdgpu driver because AMD now supports\Nthe Southern Island GPUs?
Dialogue: 0,0:50:16.27,0:50:19.35,Default,,0000,0000,0000,,marcan: Yes, that’s a very good question.\NActually, the first attempt we made
Dialogue: 0,0:50:19.35,0:50:22.61,Default,,0000,0000,0000,,at writing this driver was with amdgpu.\NAnd at the time it wasn’t working at all.
Dialogue: 0,0:50:22.61,0:50:26.56,Default,,0000,0000,0000,,And there was a big concern about its\Nfreshness at the time and it was
Dialogue: 0,0:50:26.56,0:50:31.13,Default,,0000,0000,0000,,experimentally supporting this GPU\Ngeneration. I’m told it should work.
Dialogue: 0,0:50:31.13,0:50:35.72,Default,,0000,0000,0000,,So I would like to port this… move to\Namdgpu and we have a working
Dialogue: 0,0:50:35.72,0:50:38.97,Default,,0000,0000,0000,,implementation, and we got to clean up\Ncode much better, we know where all
Dialogue: 0,0:50:38.97,0:50:42.05,Default,,0000,0000,0000,,the nits are, I want to try again with\Namdgpu and see if that works.
Dialogue: 0,0:50:42.05,0:50:47.02,Default,,0000,0000,0000,,That’s a very good question because the\Nnewer gen might require the driver maybe, so …
Dialogue: 0,0:50:47.02,0:50:49.03,Default,,0000,0000,0000,,Question: Thank you.\NHerald: Well then I’m gonna guess we ask
Dialogue: 0,0:50:49.03,0:50:50.22,Default,,0000,0000,0000,,the internet again.
Dialogue: 0,0:50:50.22,0:50:56.21,Default,,0000,0000,0000,,Signal Angel: Okay, the internet states\Nthat about a year ago you argued
Dialogue: 0,0:50:56.21,0:51:02.07,Default,,0000,0000,0000,,with someone on twitter that the PS4 wasn’t\Na PC and now you’re saying that kind of
Dialogue: 0,0:51:02.07,0:51:05.33,Default,,0000,0000,0000,,is something. And what’s about that?
Dialogue: 0,0:51:05.33,0:51:11.25,Default,,0000,0000,0000,,marcan: So again, the reason of saying\Nit’s not a PC is that it’s not an IBM
Dialogue: 0,0:51:11.25,0:51:17.37,Default,,0000,0000,0000,,Personal Computer compatible device.\NIt’s an x86 device that happens to
Dialogue: 0,0:51:17.37,0:51:20.47,Default,,0000,0000,0000,,be structured roughly like a current PC\Nbut if you look at the details
Dialogue: 0,0:51:20.47,0:51:24.28,Default,,0000,0000,0000,,so many things are completely different.\NIt really isn’t a PC. Like on Linux I had
Dialogue: 0,0:51:24.28,0:51:29.73,Default,,0000,0000,0000,,to define “sub arch PS4”. It’s an x86\Nbut it’s not a PC. And that’s actually
Dialogue: 0,0:51:29.73,0:51:32.52,Default,,0000,0000,0000,,a very important distinction because\Nthere’s a lot of things you have
Dialogue: 0,0:51:32.52,0:51:36.21,Default,,0000,0000,0000,,never heard of that are x86 but not PC.\NIt’s like e.g. there’s a high chance
Dialogue: 0,0:51:36.21,0:51:40.48,Default,,0000,0000,0000,,your monitor at home has\Nan 8186 CPU in it. So, yeah.
Dialogue: 0,0:51:40.48,0:51:45.20,Default,,0000,0000,0000,,Herald: So nobody’s piling at the\Nmicrophones any more.
Dialogue: 0,0:51:45.20,0:51:47.43,Default,,0000,0000,0000,,Is there one last question\Nfrom the internet?
Dialogue: 0,0:51:47.43,0:51:51.30,Default,,0000,0000,0000,,Signal Angel: Yes, there is.
Dialogue: 0,0:51:51.30,0:51:53.82,Default,,0000,0000,0000,,The question is…
Dialogue: 0,0:51:53.82,0:51:59.66,Default,,0000,0000,0000,,…if there was any\Ndecryption needed.
Dialogue: 0,0:51:59.66,0:52:05.51,Default,,0000,0000,0000,,marcan: No. So this is purely… you\Nexploit WebKit, you get user mode,
Dialogue: 0,0:52:05.51,0:52:08.77,Default,,0000,0000,0000,,you exploit the kernel, you got kernel\Nmode. You jump Linux…
Dialogue: 0,0:52:08.77,0:52:12.24,Default,,0000,0000,0000,,there’s no security like… there’s nothing\Nlike stopping you from doing
Dialogue: 0,0:52:12.24,0:52:15.16,Default,,0000,0000,0000,,all that stuff. There’s a sand box in\NFreeBSD but obviously you exploit
Dialogue: 0,0:52:15.16,0:52:20.92,Default,,0000,0000,0000,,around the sand box. There’s nothing…\Nthere’s no hypervisor, there’s no monitoring,
Dialogue: 0,0:52:20.92,0:52:24.65,Default,,0000,0000,0000,,there’s nothing like saying: “Oh this code\Nshould not be running.” There’s no
Dialogue: 0,0:52:24.65,0:52:29.09,Default,,0000,0000,0000,,like integrity checking. They have a security\Narchitecture but as it’s tradition for Sony
Dialogue: 0,0:52:29.09,0:52:35.23,Default,,0000,0000,0000,,you can just walk around it.\N{\i1}laughter{\i0}
Dialogue: 0,0:52:35.23,0:52:37.73,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:52:37.73,0:52:42.66,Default,,0000,0000,0000,,The PS3 was notable for the fact that\Nthe PS Jailbreak which is a USB…
Dialogue: 0,0:52:42.66,0:52:47.47,Default,,0000,0000,0000,,it’s effectively a piracy device\Nthat was released by someone
Dialogue: 0,0:52:47.47,0:52:51.51,Default,,0000,0000,0000,,that basically used a USB exploit\Nin the kernel and only a USB exploit
Dialogue: 0,0:52:51.51,0:52:54.99,Default,,0000,0000,0000,,in the kernel to effectively enable piracy.\NSo when you have like a stack of security
Dialogue: 0,0:52:54.99,0:52:58.40,Default,,0000,0000,0000,,and you break one thing and you get\Npiracy that’s a fail! This is basically
Dialogue: 0,0:52:58.40,0:53:02.05,Default,,0000,0000,0000,,the same idea. Except I have no idea what\Nyou do to do piracy and I don’t care.
Dialogue: 0,0:53:02.05,0:53:09.78,Default,,0000,0000,0000,,But Sony doesn’t really know how to\Narchitecture secure systems.
Dialogue: 0,0:53:09.78,0:53:11.50,Default,,0000,0000,0000,,That’s it.
Dialogue: 0,0:53:11.50,0:53:14.69,Default,,0000,0000,0000,,Herald: That’s it, here we go,\Nthat’s your applause!
Dialogue: 0,0:53:14.69,0:53:20.23,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:53:20.23,0:53:21.81,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:53:21.81,0:53:32.11,Default,,0000,0000,0000,,{\i1}subtitles created by c3subtitles.de\Nin the year 2017. Join, and help us!{\i0}