Orbital

An experimental low-level PlayStation 4 emulator

 

Lightning Talks Overflow @ 35C3

December 29th, 2018

 

@AlexAltea

Disclaimer: Gross over-simplifications.

Emulation

CPU

Translation?

Guest and host share the same architecture (x86-64), so guest code could in principle run natively.
However, the guest kernel executes privileged instructions, which a plain host user-space process cannot run.

Interpreters are too slow.

Recompilers are too slow.

Solution: Virtualization!

Hypervisors

Target: We want a hypervisor that is:

  • Open-source: Easy to hack.
  • Cross-platform: Easy to port.
  • Type-2: Easy to install.

...and the winner is Intel HAXM!

HAXM

Compatible OSs: Linux, Windows, macOS, NetBSD. Compatible CPUs: Intel only for now (AMD SVM support planned).

Our contributions

  • New x86 instruction emulator.
  • Debugging support.
  • Creating test suites and setting-up CI.
  • Code refactoring, cleanup, improvements, etc.

Enough to run the PS4 kernel/userland software!

More at github.com/intel/haxm.

Hardware

Orbital is based on QEMU, which allows us to:

  • Create and manage VM/VCPU instances in HAXM.
  • Create custom devices, and hook the IO/MMIO they expose to the virtual machine.

SAMU

AM32 CPU running Secure Modules written by Sony.

No publicly known exploitable vulnerabilities.
Essentially a black box that handles decryption, encryption, compression, verification, etc.

Question: How can SAMU be emulated *without keys*?

SAMU

  • Decompression: Just link zlib.
  • Verification: Just hardcode "OK" answers.
  • Decrypting static data (e.g. ELFs):
    Decrypt data on the real console,
    then hardcode results in the emulator.
  • Decrypting dynamic data (e.g. HDD, saves):
    Pick arbitrary key, {en,de}crypt everything with it.
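The four strategies above, as an added example (not Orbital's or SAMU's code): a high-level stand-in class that answers every kind of request without any Sony key. The request names, the static-data table keyed by a SHA-256 of the ciphertext, the fixed key value and the SHA-256 counter-mode keystream used as the "arbitrary key" cipher are all assumptions of this example.

```python
import hashlib
import zlib


class SamuHle:
    """High-level SAMU stand-in: answers every request the guest can make
    without possessing any of Sony's keys."""

    # Arbitrary key picked by the emulator (hypothetical value). It only has
    # to be consistent with itself: what the guest stores through SAMU is
    # encrypted with it and what it reads back is decrypted with it.
    DYNAMIC_KEY = b"orbital-arbitrary-key-0001"

    def __init__(self, static_table):
        # static_table maps sha256(ciphertext as seen on a real console) to
        # the plaintext dumped there once; the emulator just replays it.
        self.static_table = dict(static_table)

    # Decompression: no secret involved, link the real codec.
    def decompress(self, data):
        return zlib.decompress(data)

    # Verification: no keys to check against, so the answer is always "OK".
    # (Consequence: the emulator enforces no integrity on what it loads.)
    def verify(self, data, signature):
        return True

    # Static data (e.g. ELFs): replay the hardcoded answer or fail loudly.
    def decrypt_static(self, blob):
        digest = hashlib.sha256(blob).digest()
        if digest not in self.static_table:
            raise KeyError("unknown static blob: dump its plaintext on a real console first")
        return self.static_table[digest]

    # Dynamic data (e.g. HDD, saves): any symmetric cipher under the arbitrary
    # key works. Here: XOR with a SHA-256 counter-mode keystream bound to a
    # per-object nonce (e.g. the sector number). This construction is an
    # assumption of the example, not what SAMU does.
    def _keystream(self, nonce, length):
        out = bytearray()
        block = 0
        while len(out) < length:
            out += hashlib.sha256(self.DYNAMIC_KEY + nonce + block.to_bytes(8, "little")).digest()
            block += 1
        return bytes(out[:length])

    def encrypt_dynamic(self, nonce, plaintext):
        ks = self._keystream(nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt_dynamic(self, nonce, ciphertext):
        return self.encrypt_dynamic(nonce, ciphertext)  # XOR is its own inverse


# Constructed sample data, standing in for a dump taken on real hardware.
FAKE_ENCRYPTED_ELF = b"\x7fELF-but-scrambled\x00\x01\x02\x03"
FAKE_PLAIN_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8

samu = SamuHle({hashlib.sha256(FAKE_ENCRYPTED_ELF).digest(): FAKE_PLAIN_ELF})


def demo():
    """Exercise all four request kinds and return the results for inspection."""
    packed = zlib.compress(b"module payload " * 4)
    sector = (7).to_bytes(8, "little")
    ct = samu.encrypt_dynamic(sector, b"save game data")
    return {
        "decompress": samu.decompress(packed),
        "verify": samu.verify(b"anything", b"bogus signature"),
        "static": samu.decrypt_static(FAKE_ENCRYPTED_ELF),
        "dynamic_ct": ct,
        "dynamic_pt": samu.decrypt_dynamic(sector, ct),
    }
```

Two caveats follow from this design. The dynamic key lives in the emulator's source, so disk and save images produced under it are readable by anyone with the emulator and are not interchangeable with a real console's; the goal is functional equivalence, not protection. And because `verify` always says OK, a modified ELF that real hardware would reject runs here, so the emulator is not a tool for checking signatures.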

GPU

Primarily focused on the GFX MMIO registers, which describe the pipeline state; that state can be modelled with Vulkan.

CP emulation: consumes PM4 command packets, which can trigger MMIO/memory accesses, draws and other actions; these are mapped to Vulkan commands.
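An added example (not Orbital's code) of the command-processor side: a minimal PM4 parser that walks a command buffer and turns it into register writes and draw actions, the kind of list a Vulkan backend would then consume. The packet header layouts, the opcodes and the register-index bases are as documented in AMD's open-source radeon/amdgpu drivers; the `actions` format, the state dictionary and the sample command buffer are this example's own assumptions.

```python
PACKET3_NOP = 0x10
PACKET3_DRAW_INDEX_AUTO = 0x2D
PACKET3_SET_CONTEXT_REG = 0x69
PACKET3_SET_SH_REG = 0x76
PACKET3_SET_UCONFIG_REG = 0x79

# Register-index (dword) bases the SET_*_REG packet offsets are relative to.
_REG_BASES = {
    PACKET3_SET_CONTEXT_REG: 0xA000,
    PACKET3_SET_SH_REG: 0x2C00,
    PACKET3_SET_UCONFIG_REG: 0xC000,
}


def packet0(reg_index, values):
    """Type-0 packet: write `values` to consecutive registers from reg_index."""
    return [(0 << 30) | ((len(values) - 1) << 16) | (reg_index & 0xFFFF)] + list(values)


def packet3(opcode, body):
    """Type-3 packet: header followed by `body` dwords (at least one)."""
    return [(3 << 30) | ((len(body) - 1) << 16) | ((opcode & 0xFF) << 8)] + list(body)


class CommandProcessor:
    def __init__(self):
        self.regs = {}      # register index -> value (the pipeline state)
        self.actions = []   # what a Vulkan backend would have to act on

    def _write_reg(self, index, value):
        self.regs[index] = value
        self.actions.append(("reg", index, value))

    def run(self, dwords):
        i, n = 0, len(dwords)
        while i < n:
            header = dwords[i]
            ptype = header >> 30
            if ptype == 2:                      # type 2: one-dword filler
                i += 1
                continue
            if ptype == 1:
                raise ValueError("reserved type-1 packet at dword %d" % i)
            # Type 0 and type 3 both carry (body length - 1) in bits 29:16.
            count = ((header >> 16) & 0x3FFF) + 1
            body = dwords[i + 1:i + 1 + count]
            if len(body) != count:
                # The count is guest-controlled: never read past the buffer.
                raise ValueError("truncated packet at dword %d" % i)
            if ptype == 0:
                base = header & 0xFFFF          # bits 15:0 = first register index
                for k, v in enumerate(body):
                    self._write_reg(base + k, v)
            else:
                self._packet3((header >> 8) & 0xFF, body)
            i += 1 + count
        return self.actions

    def _packet3(self, opcode, body):
        if opcode == PACKET3_NOP:
            return
        if opcode in _REG_BASES:
            # body[0] = offset from the base, body[1:] = consecutive values.
            base = _REG_BASES[opcode] + (body[0] & 0xFFFF)
            for k, v in enumerate(body[1:]):
                self._write_reg(base + k, v)
        elif opcode == PACKET3_DRAW_INDEX_AUTO:
            # body[0] = index count, body[1] = draw initiator. Snapshot the
            # state the draw must be issued with.
            self.actions.append(("draw", body[0], dict(self.regs)))
        else:
            # Unmodelled opcode: record it rather than silently misparsing.
            self.actions.append(("unhandled", opcode, list(body)))


def build_sample_cb():
    """Constructed command buffer (register offsets chosen arbitrarily)."""
    cb = []
    cb += packet3(PACKET3_SET_CONTEXT_REG, [0x0206, 0x00000300, 0x00000001])
    cb += packet3(PACKET3_SET_SH_REG, [0x0048, 0x11223344])
    cb += packet0(0x2C04, [0xAABBCCDD])
    cb += [2 << 30]                              # type-2 filler
    cb += packet3(PACKET3_DRAW_INDEX_AUTO, [3, 0x2])
    cb += packet3(PACKET3_NOP, [0])
    return cb


def run_sample():
    return CommandProcessor().run(build_sample_cb())
```

The two checks a practitioner should keep when growing this into a real CP model are visible here: the per-packet count comes from guest memory and is bounded against the buffer before use, and unknown opcodes are surfaced instead of being skipped, since a silently dropped state write shows up much later as a wrong draw.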

GCN emulation: GCN shader bytecode is translated to SPIR-V, which the Vulkan driver consumes.
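An added example (not Orbital's translator) of the shader side: a decoder for three GCN encodings (VOP2, VOP1 and SOPP, with the GCN 1.x opcode numbers) that renames registers into SSA values and emits text in the style of SPIR-V assembly. The encodings and operand numbering are those of the public GCN ISA documents; the output is illustrative SPIR-V-assembly syntax, not a complete validated module (no type declarations, function wrapper or exports), and the sample shader is constructed.

```python
import struct

# VOP2 opcodes as numbered on GCN 1.x (SI/CI).
VOP2_OPS = {3: "OpFAdd", 4: "OpFSub", 8: "OpFMul"}   # v_add_f32, v_sub_f32, v_mul_f32
VOP1_MOV_B32 = 1
SOPP_ENDPGM = 1

# Inline float constants selectable directly in a 9-bit source operand field.
INLINE_FLOATS = {240: "0.5", 241: "-0.5", 242: "1.0", 243: "-1.0",
                 244: "2.0", 245: "-2.0", 246: "4.0", 247: "-4.0"}


class GcnToSpirv:
    """Decodes a few GCN encodings and emits SPIR-V-style SSA text."""

    def __init__(self):
        self.lines = []
        self.regs = {}      # ("v", n) / ("s", n) -> SSA id currently holding it
        self.consts = {}    # constant text -> SSA id
        self.next_id = 1

    def _new_id(self):
        sid = "%%%d" % self.next_id
        self.next_id += 1
        return sid

    def _const(self, text):
        if text not in self.consts:
            self.consts[text] = self._new_id()
            self.lines.append("%s = OpConstant %%float %s" % (self.consts[text], text))
        return self.consts[text]

    def _reg(self, kind, n):
        # First read of a register means it is a shader input; later reads
        # reuse the SSA value the last write produced.
        if (kind, n) not in self.regs:
            self.regs[(kind, n)] = self._new_id()
            self.lines.append("%s = OpLoad %%float %%%s%d_in" % (self.regs[(kind, n)], kind, n))
        return self.regs[(kind, n)]

    def _src(self, code, literal):
        """Resolve a 9-bit source operand. Only f32 ops are modelled, so
        inline integers are emitted as float constants."""
        if code < 104:
            return self._reg("s", code)
        if code == 128:
            return self._const("0.0")
        if 129 <= code <= 192:
            return self._const("%d.0" % (code - 128))
        if 193 <= code <= 208:
            return self._const("-%d.0" % (code - 192))
        if code in INLINE_FLOATS:
            return self._const(INLINE_FLOATS[code])
        if code == 255:   # 32-bit literal in the following dword
            return self._const(repr(struct.unpack("<f", struct.pack("<I", literal))[0]))
        if 256 <= code <= 511:
            return self._reg("v", code - 256)
        raise NotImplementedError("source operand %d (vcc/exec/m0/...)" % code)

    def translate(self, words):
        i = 0
        while i < len(words):
            w = words[i]
            i += 1
            if w >> 25 < 0x3E:                                   # VOP2: bit31=0, op[30:25]
                op, vdst, vsrc1, src0 = (w >> 25) & 0x3F, (w >> 17) & 0xFF, (w >> 9) & 0xFF, w & 0x1FF
                if op not in VOP2_OPS:
                    raise NotImplementedError("VOP2 opcode %d" % op)
                literal = None
                if src0 == 255:
                    literal, i = words[i], i + 1
                a = self._src(src0, literal)
                b = self._reg("v", vsrc1)
                dst = self._new_id()
                self.lines.append("%s = %s %%float %s %s" % (dst, VOP2_OPS[op], a, b))
                self.regs[("v", vdst)] = dst
            elif w >> 25 == 0x3F:                                # VOP1: [31:25]=0111111
                vdst, op, src0 = (w >> 17) & 0xFF, (w >> 9) & 0xFF, w & 0x1FF
                if op != VOP1_MOV_B32:
                    raise NotImplementedError("VOP1 opcode %d" % op)
                literal = None
                if src0 == 255:
                    literal, i = words[i], i + 1
                self.regs[("v", vdst)] = self._src(src0, literal)  # a move is pure renaming in SSA
            elif (w >> 23) & 0x1FF == 0x17F:                     # SOPP: [31:23]=101111111
                op = (w >> 16) & 0x7F
                if op != SOPP_ENDPGM:
                    raise NotImplementedError("SOPP opcode %d" % op)
                self.lines.append("OpReturn")
                return self.lines
            else:
                # Fail loudly: emitting wrong SPIR-V for an unknown encoding is worse.
                raise NotImplementedError("encoding 0x%08x" % w)
        raise ValueError("shader ended without s_endpgm")


# Constructed sample: v_mul_f32 v0, 2.0, v1 ; v_add_f32 v2, v0, v1 ; s_endpgm
SAMPLE_SHADER = [0x100002F4, 0x06040300, 0xBF810000]


def translate_sample():
    return GcnToSpirv().translate(SAMPLE_SHADER)
```

At the end of `translate`, `regs` records which SSA value each VGPR holds; the export instructions a real shader ends with (not modelled here) are what would turn those into `OpStore`s to the stage outputs. Refusing unknown encodings, rather than skipping them, is the one choice worth keeping whatever the translator grows into.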

Aeolia

Marvell Armada SoC (ARM), visible to the x86 side as the following PCI functions (vendor ID 104D = Sony):

  • 104D:908F Aeolia ACPI
  • 104D:909E Aeolia GBE controller
  • 104D:909F Aeolia AHCI
  • 104D:90A0 Aeolia SDHCI
  • 104D:90A1 Aeolia PCI Express glue
  • 104D:90A2 Aeolia DMA controller
  • 104D:90A3 Aeolia Memory (DDR3/SPM)
  • 104D:90A4 Aeolia XHCI USB 3.0 controller

Aeolia

Most of these can be forwarded to existing QEMU devices.

The interesting one is the Aeolia PCIe glue device, which exposes the registers used to communicate with Aeolia over ICC.

Although it would in theory be possible to run the Aeolia software itself, we simply high-level emulate it, i.e. reimplement the handler for each ICC query.
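An added example (not Orbital's code) of the two device-side points above, hooking MMIO into a custom device and high-level emulating a query protocol behind it: a mailbox device whose read/write entry points have the shape of QEMU's MemoryRegionOps callbacks, with one Python handler per (major, minor) query. The register layout, the status codes, the query IDs and the NVRAM contents are all invented for this example; the real ICC protocol is not described on this page.

```python
class IccError(Exception):
    """Raised by a handler to report a status code back to the guest."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


class IccMailboxDevice:
    """MMIO mailbox with one handler per (major, minor) query (hypothetical layout)."""

    REG_CMD, REG_LEN, REG_DOORBELL, REG_STATUS, REG_DATA = 0x00, 0x04, 0x08, 0x0C, 0x10
    DATA_SIZE = 0x100
    STATUS_IDLE, STATUS_OK, STATUS_BAD_CMD, STATUS_BAD_LEN = 0, 1, 2, 3

    def __init__(self):
        self.cmd = 0
        self.length = 0
        self.status = self.STATUS_IDLE
        self.data = bytearray(self.DATA_SIZE)
        self.nvram = bytearray(32)            # hypothetical emulated NVRAM
        self.nvram[0:4] = b"NVRM"
        self.log = []
        self.handlers = {                     # hypothetical query IDs
            (0x01, 0x01): self.h_get_version,
            (0x02, 0x01): self.h_nvram_read,
        }

    # ---- MMIO side: what QEMU's MemoryRegionOps read/write would call ----
    def mmio_read(self, offset, size):
        if offset == self.REG_CMD:
            return self.cmd
        if offset == self.REG_LEN:
            return self.length
        if offset == self.REG_STATUS:
            return self.status
        lo = offset - self.REG_DATA
        if 0 <= lo and lo + size <= self.DATA_SIZE:
            return int.from_bytes(self.data[lo:lo + size], "little")
        self.log.append("bad MMIO read offset=%#x size=%d" % (offset, size))
        return 0xFFFFFFFF

    def mmio_write(self, offset, size, value):
        if offset == self.REG_CMD:
            self.cmd = value & 0xFFFF
        elif offset == self.REG_LEN:
            self.length = value & 0xFFFFFFFF
        elif offset == self.REG_DOORBELL:
            if value & 1:
                self._dispatch()
        else:
            lo = offset - self.REG_DATA
            # Offset and size come from the guest: bound them to the buffer so
            # a write can never land outside it.
            if 0 <= lo and lo + size <= self.DATA_SIZE:
                self.data[lo:lo + size] = (value & ((1 << (8 * size)) - 1)).to_bytes(size, "little")
            else:
                self.log.append("bad MMIO write offset=%#x size=%d" % (offset, size))

    # ---- HLE side: reimplemented query handlers ----
    def _dispatch(self):
        major, minor = self.cmd >> 8, self.cmd & 0xFF
        handler = self.handlers.get((major, minor))
        if handler is None:
            self.log.append("unhandled ICC query %#x/%#x" % (major, minor))
            self.status = self.STATUS_BAD_CMD
            return
        try:
            if self.length > self.DATA_SIZE:
                raise IccError(self.STATUS_BAD_LEN)
            reply = handler(bytes(self.data[:self.length]))
            if len(reply) > self.DATA_SIZE:
                raise IccError(self.STATUS_BAD_LEN)
        except IccError as err:
            self.status = err.status
            return
        self.data[:len(reply)] = reply
        self.length = len(reply)
        self.status = self.STATUS_OK

    def h_get_version(self, payload):
        return b"AEOLIA-HLE 0.1"

    def h_nvram_read(self, payload):
        # payload: u16 offset, u16 count (little-endian), both guest-chosen.
        if len(payload) != 4:
            raise IccError(self.STATUS_BAD_LEN)
        off = int.from_bytes(payload[0:2], "little")
        cnt = int.from_bytes(payload[2:4], "little")
        if off + cnt > len(self.nvram):
            raise IccError(self.STATUS_BAD_LEN)
        return bytes(self.nvram[off:off + cnt])


def guest_query(dev, major, minor, payload):
    """The guest driver's side of a query, expressed as MMIO accesses."""
    for i, b in enumerate(payload):
        dev.mmio_write(dev.REG_DATA + i, 1, b)
    dev.mmio_write(dev.REG_CMD, 4, (major << 8) | minor)
    dev.mmio_write(dev.REG_LEN, 4, len(payload))
    dev.mmio_write(dev.REG_DOORBELL, 4, 1)
    status = dev.mmio_read(dev.REG_STATUS, 4)
    if status != dev.STATUS_OK:
        return status, b""
    n = dev.mmio_read(dev.REG_LEN, 4)
    return status, bytes(dev.mmio_read(dev.REG_DATA + i, 1) for i in range(n))
```

The bounds checks are the part to keep: every offset, size and length here is chosen by guest code, and an emulated device that trusts them is the classic way a guest gets to write into the emulator's own memory. Unhandled queries are logged with their IDs, which is also how one finds the next handler to reimplement when the guest kernel stalls waiting for an answer.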

Status

  • Kernel boots successfully (including device drivers!)
  • Some boot-time userland applications run fine:
    • /mini-syscore.elf runs successfully.
    • /SceSysAvControl.elf runs successfully.
  • /mini-syscore.elf detects an issue and goes to Safe Mode for recovery (supposed to happen!).
  • /safemode.elf runs successfully and waits for gamepad input, while submitting draw commands.

Demo

Thanks!

Discussion at #orbital-emu @ freenode!

Source at github.com/AlexAltea/orbital

News at twitter.com/AlexAltea

 

Shout-out to all PS4 devs and Orbital IRC/Discord people!