Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering



PS3 First Impressions

November 29th, 2006 by Multimedia Mike

HardwareZone has an article about running Fedora Core Linux on the PS3. They’re not terribly impressed yet, though they reserve some hope that the official Yellow Dog Linux distro might somehow be better. A big problem is graphics resolution– you’re confined to a fairly negligible screen size if you don’t have both the right TV and the right connector cable (a problem that a colleague of mine has also encountered while venturing into this arena). And without any form of hardware acceleration, the overall desktop presentation is apparently unremarkable. Check the photos of OpenOffice running on the TV.

I’m still hopeful that PS3 Linux can be put to some use, just as soon as people get past the novelty of running a web browser and a word processor on an unaccelerated graphic display through their TV.

Posted in Game Hacking | 1 Comment »

Groupie

November 20th, 2006 by Multimedia Mike

I’m turning into a PS3 Linux groupie, salivating over any technical information I can find. Sony has, in fact, released some programming details regarding their new PlayStation 3. In particular, the documents discuss what a user can do under Linux (more generally, “Other OS”). I’m not sure where the official documents are supposed to live. There are ostensibly various document mirrors floating around, so here’s one more.

Let’s examine the Linux Kernel Overview document, which reveals the basic capabilities that a user can expect. Perhaps the most obnoxious — though not wholly unexpected — aspect is when the document explains the console’s phenomenal audio and video capabilities… and promptly notes that you will not be able to access a fraction of the power. For example:

PS3 has a powerful graphic processing unit with high speed host connection. The GPU is connected to both HDMI and AV multi interface. Although the GPU is connected directly to CBE, no direct access by guest OSes to the GPU is allowed currently.

So the graphic capability is limited to a big frame buffer. Hopefully, it can go up to 1080p. For audio, it’s unclear how many channels the PS3 will allow the guest OS to access. I will be impressed if the number is greater than 2 (stereo).

Gigabit network access is allowed, sans promiscuous mode. Believe it or not, access to the optical drive is allowed. The overview document specifically states that the drive will reject certain ATAPI commands, which is likely in place to prevent the user from reading data from discs that have been determined to be official PlayStation 1/2/3 games. HDD and USB storage devices can be accessed, though the PS3 hypervisor probably enforces segmentation to keep the guest OS from going out of bounds on the HDD.

The game pad can be accessed, thankfully, through standard joystick facilities. I don’t think the hypervisor will be sandboxing anything in that department.

Perhaps the most interesting part of these still-incomplete documents is the PDF describing IBM’s libspe. This indicates that the guest OS will be able to program the 6 Cell SPEs present in the PS3. This makes me wonder if the much-vaunted parallel processing power of the Cell made available to the guest OS might be able to compensate for the lack of graphic coprocessing power. I’m not sure about this yet; I’m still trying to digest the SPE documentation.

Posted in Game Hacking | No Comments »

Licensed Schlock

November 19th, 2006 by Multimedia Mike

While browsing at a Salvation Army store this past weekend I found a bin of old CD-ROMs. Naturally, I just had to get a few. Actually, I probably would have taken most of the bin if the merchandise was less than a static $2 per disc. But there was at least one disc I just couldn’t pass up– a Taco Bell-themed computer game. Tek Kids something or other, and disc 2 of 4 to boot. It likely came with a children’s meal for little or no cost above and beyond the cost of the meal. This means I probably paid more for it than the original customer did. Still, I look forward to seeing what the thing is all about.

I also recently learned that Burger King is running a promotional Xbox game tie-in where customers can purchase one of 3 BK-themed Xbox/Xbox 360 games for a nominal price in addition to their meal. Collect them all!

This all reminds me that I have a pile of licensed schlock game titles to review for multimedia purposes, many procured from a variety of garage sales (and many which still need permanent homes in the MobyGames database). You-have-to-see-it-to-believe-it titles include:

  • Tek Kids Flash Ops– Mission: Polar Challenge (the aforementioned Taco Bell game)
  • Snowday: The Gap Kids Quest
  • Little Caesar’s Fractions Pizza
  • Kellogg’s Pop-Tarts Presents: Rescue The Rusties
  • 13 Days of Halloween: Rhythm And Boos (breakfast cereal tie-in)
  • Cap’n Crunch’s Crunchling Adventure


Game backlog

And this further reminds me what kind of a backlog I’m still looking at for my Multimedia Exploration Journal. Some people observe that I’m the only person they know that thinks it’s a chore to work through this many games; the only person who sighs and talks about how many games are yet to “be processed”.

It’s the path I’ve chosen.

Posted in General | 2 Comments »

PlayStation 3 HackWatch

November 17th, 2006 by Multimedia Mike

Now that the Sony PlayStation 3 has hit the ground running — at least in the U.S. and Japan, and in fairly measured quantities — we might finally piece together some more solid information about running Linux on this little box and the exposed programming capabilities.


Sony PlayStation 3 controller

Based on earlier blog and forum hearsay, I got the impression that there was some hackish method for getting Linux onto a PS3. It turns out that it’s not a hack, it’s a menu option. The user can install an “other OS” from basically any media format that the PS3 supports (a huge array of optical discs, compact flash, USB media device, and some others).

I’m still searching for actual programming information. Hearsay indicates that X11 will work by rendering to a framebuffer. No word of graphical capabilities beyond that. Still wondering about audio output, controller input, network I/O, and programming multiple Cell SPEs.

Meanwhile, the online user manual contains lists of video and audio formats that the PS3 already knows how to play (and here are the still image formats).

Since I am fascinated with the idea of programming game consoles (even modern ones that increasingly resemble boring, regular PCs), I will be keeping an eye on what people are doing with Linux on PS3. I won’t lose my mind trying to be an early, early adopter of this latest console. I’ll consider purchasing one only when I can walk into a typical store and pick one up off the shelf like a normal consumer; no sooner.

Posted in Game Hacking, Multimedia PressWatch | No Comments »

RISC RE

November 15th, 2006 by Multimedia Mike

I sometimes hypothesize about reverse engineering code compiled for alternate (i.e. non-x86) CPU architectures. It makes one question why so much effort is focused on x86 RE (to which the simple and immediate answer is, because all the interesting code is compiled for the x86 architecture). Maybe I’m just enamored at how neat RISC code tends to be, with typical architectures featuring fixed 32-bit instruction words. Writing a disassembler for one obviously embodies not even a fraction of the complexity of a decent x86 disassembler, since every instruction boundary is known in advance. Fortunately, the GNU binutils take care of the disassembly details already (I recently posted a Wiki page on using objdump, even cross-compiling for non-native architectures). Here is some representative disassembly from a PowerPC ELF binary, for those who have never been exposed:

   16b40:       80 e1 01 14     lwz     r7,276(r1)
   16b44:       7c 09 3a 14     add     r0,r9,r7
   16b48:       7d 3e 00 ae     lbzx    r9,r30,r0
   16b4c:       55 20 e1 3e     rlwinm  r0,r9,28,4,31
   16b50:       48 00 00 08     b       16b58
   16b54:       38 00 00 0f     li      r0,15
   16b58:       2c 0b 00 0f     cmpwi   r11,15
   16b5c:       7c 04 03 78     mr      r4,r0
   16b60:       40 82 00 54     bne-    16bb4
   16b64:       88 19 00 02     lbz     r0,2(r25)

Quite a change from the typical x86 slop. Though I sometimes wonder what the ‘reduced’ in reduced instruction set computer (RISC) is really supposed to mean. It definitely doesn’t indicate reduced functionality for individual instructions. I looked up that rlwinm instruction: Rotate Left Word Immediate Then AND with Mask. It rotates the source register left by SH bits and then keeps only bits MB through ME (PowerPC numbers bit 0 as the most significant). In the listing, rlwinm r0,r9,28,4,31 rotates left by 28, which is the same as rotating right by 4, and keeps bits 4..31, which discards the four bits that wrapped around to the top; the net effect is simply r0 = r9 >> 4, the idiom the compiler emits for an unsigned shift right. I started to wonder if it would be simpler to compose an assembly re-targeter for a RISC CPU until I started reading up on this instruction.
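The instruction-word decoding and the rotate-and-mask semantics, worked through in C as an added example (this is not code from the original post; the instruction word 0x5520e13e is the one at 16b4c in the listing, the value placed in r9 is constructed):

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post): decode the rlwinm encoding
 * and compute what the instruction does, using the word from the listing.
 * PowerPC numbers bits from the most significant (bit 0) end:
 *   0-5 opcode (21)  6-10 rS  11-15 rA  16-20 SH  21-25 MB  26-30 ME  31 Rc */
struct rlwinm_fields {
    unsigned opcode, rs, ra, sh, mb, me, rc;
};

/* Extract PowerPC-numbered bits msb..lsb of a 32-bit word. */
static unsigned ppc_bits(uint32_t word, unsigned msb, unsigned lsb)
{
    unsigned width = lsb - msb + 1;
    return (word >> (31 - lsb)) & ((1u << width) - 1);
}

struct rlwinm_fields decode_rlwinm(uint32_t word)
{
    struct rlwinm_fields f;
    f.opcode = ppc_bits(word, 0, 5);
    f.rs = ppc_bits(word, 6, 10);
    f.ra = ppc_bits(word, 11, 15);
    f.sh = ppc_bits(word, 16, 20);
    f.mb = ppc_bits(word, 21, 25);
    f.me = ppc_bits(word, 26, 30);
    f.rc = ppc_bits(word, 31, 31);
    return f;
}

/* MASK(MB, ME): ones in bits MB..ME inclusive; wraps around when MB > ME. */
uint32_t ppc_mask(unsigned mb, unsigned me)
{
    uint32_t from_mb = 0xFFFFFFFFu >> mb;        /* bits mb..31 set */
    uint32_t to_me = 0xFFFFFFFFu << (31 - me);   /* bits 0..me set */
    return (mb <= me) ? (from_mb & to_me) : (from_mb | to_me);
}

uint32_t rotl32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* rlwinm rA,rS,SH,MB,ME:  rA = ROTL(rS, SH) & MASK(MB, ME) */
uint32_t rlwinm_exec(uint32_t rs, unsigned sh, unsigned mb, unsigned me)
{
    return rotl32(rs, sh) & ppc_mask(mb, me);
}

int main(void)
{
    uint32_t word = 0x5520e13e;          /* 16b4c: rlwinm r0,r9,28,4,31 */
    uint32_t r9 = 0x12345678;            /* constructed input value */
    struct rlwinm_fields f = decode_rlwinm(word);
    uint32_t r0 = rlwinm_exec(r9, f.sh, f.mb, f.me);

    printf("opcode=%u rA=r%u rS=r%u SH=%u MB=%u ME=%u Rc=%u\n",
           f.opcode, f.ra, f.rs, f.sh, f.mb, f.me, f.rc);
    printf("mask=%08x  r9=%08x -> r0=%08x  (r9 >> 4 = %08x)\n",
           ppc_mask(f.mb, f.me), r9, r0, r9 >> 4);
    return 0;
}
```

The same decoder covers the other rlwinm idioms a compiler leans on: SH=n, MB=0, ME=31-n is a shift left by n, SH=0 with MB=n is a clear-high-bits, and an MB greater than ME produces the wrap-around mask, which is why the mask builder handles both orderings.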

And here’s some MIPS RISC code:

  20157c:       84820002        lh      v0,2(a0)
  201580:       2484000a        addiu   a0,a0,10
  201584:       44820000        mtc1    v0,$f0
  201588:       46800020        cvt.s.w $f0,$f0
  20158c:       46010002        mul.s   $f0,$f0,$f1
  201590:       e4600000        swc1    $f0,0(v1)
  201594:       0501fff2        bgez    t0,0x201560
  201598:       24630008        addiu   v1,v1,8
  20159c:       1000000a        b       0x2015c8
  2015a0:       3c020000        lui     v0,0x0

As memory serves, with MIPS CPUs you get the added fun of tracking the pipeline in your head. The most visible form is the branch delay slot: the instruction right after a branch or jump executes whether or not the branch is taken, so in the listing the addiu v1,v1,8 that follows bgez and the lui v0,0x0 that follows b logically belong before their branches. Early MIPS implementations also had a load delay slot, in which the instruction after a load could not yet see the loaded register; note the addiu a0,a0,10 the compiler slotted between lh v0,2(a0) and the mtc1 v0,$f0 that consumes it. The compiler was specifically counting on these rules, and you need to count on them as well during your RE efforts.
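Recognising the control transfers in a MIPS listing, computing their targets and flagging the delay slots, as an added example in C (not code from the original post; the ten words and addresses are copied from the listing above, and the target addresses objdump printed there serve as the reference):

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post): recognise MIPS I control
 * transfers, compute their targets, and mark the delay slot that follows
 * each one. The words and addresses are the ones in the listing above. */
typedef struct {
    uint32_t addr;
    uint32_t word;
} mips_insn;

/* The ten instructions from the listing, as constructed sample input. */
const mips_insn listing[] = {
    { 0x20157c, 0x84820002 }, { 0x201580, 0x2484000a }, { 0x201584, 0x44820000 },
    { 0x201588, 0x46800020 }, { 0x20158c, 0x46010002 }, { 0x201590, 0xe4600000 },
    { 0x201594, 0x0501fff2 }, { 0x201598, 0x24630008 }, { 0x20159c, 0x1000000a },
    { 0x2015a0, 0x3c020000 },
};
#define LISTING_LEN ((int)(sizeof listing / sizeof listing[0]))

/* Returns 1 if the word is a branch or jump (so the next word is its delay
 * slot). PC-relative and absolute targets are written to *target; register
 * targets (jr/jalr) are reported as 0 since they are not known statically. */
int mips_branch_target(uint32_t pc, uint32_t word, uint32_t *target)
{
    unsigned op = word >> 26;
    unsigned rt = (word >> 16) & 0x1f;         /* sub-opcode for REGIMM */
    unsigned funct = word & 0x3f;
    int32_t off = (int16_t)(word & 0xffff);    /* sign-extended 16-bit offset */
    uint32_t slot_pc = pc + 4;                 /* offsets are relative to the delay slot */

    switch (op) {
    case 1:                                    /* REGIMM: bltz/bgez/bltzal/bgezal */
        if (rt != 0 && rt != 1 && rt != 16 && rt != 17)
            return 0;
        /* fall through */
    case 4: case 5: case 6: case 7:            /* beq (and "b"), bne, blez, bgtz */
        *target = slot_pc + ((uint32_t)off << 2);
        return 1;
    case 2: case 3:                            /* j, jal: 26-bit index, same 256MB region */
        *target = (slot_pc & 0xf0000000u) | ((word & 0x03ffffffu) << 2);
        return 1;
    case 0:                                    /* SPECIAL: jr (funct 8), jalr (funct 9) */
        if (funct == 8 || funct == 9) {
            *target = 0;
            return 1;
        }
        return 0;
    default:
        return 0;
    }
}

/* in_slot[i] is set to 1 when code[i] executes in the delay slot of code[i-1].
 * Returns how many delay-slot instructions were found. */
int mark_delay_slots(const mips_insn *code, int n, int *in_slot)
{
    int count = 0, prev_is_branch = 0;
    for (int i = 0; i < n; i++) {
        uint32_t target;
        in_slot[i] = prev_is_branch;
        count += prev_is_branch;
        prev_is_branch = mips_branch_target(code[i].addr, code[i].word, &target);
    }
    return count;
}

int main(void)
{
    int in_slot[LISTING_LEN];
    mark_delay_slots(listing, LISTING_LEN, in_slot);
    for (int i = 0; i < LISTING_LEN; i++) {
        uint32_t target;
        int br = mips_branch_target(listing[i].addr, listing[i].word, &target);
        printf("%08x: %08x %s\n", listing[i].addr, listing[i].word,
               in_slot[i] ? "<delay slot>" : "");
        if (br)
            printf("          branch, target 0x%x\n", target);
    }
    return 0;
}
```

The detail that bites when hand-decoding is that the offset is relative to the delay slot (pc+4), not to the branch itself; get that wrong and every target is off by four. A retargeter or decompiler has to hoist each delay-slot instruction ahead of its branch before the control flow makes sense.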

Posted in Reverse Engineering | 4 Comments »

Unnamed RE Project

November 14th, 2006 by Multimedia Mike

“Unnamed RE Project” is the impromptu name I gave to a program that I hastily wanted to start but couldn’t be bothered to come up with even a quasi-clever name. Moreover, I actually got it to do something. I can’t believe I actually made a go of this, perhaps one of the most useless reverse engineering exercises.

Aside: Does this still qualify for my “outlandish brainstorms” blog category if I actually made it work?

The basic idea is one that a lot of reverse engineers surely kick around at some point: A set of CPU registers can be abstracted as a set of global C program variables and individual assembly language instructions map quite neatly onto C program statements. Thus, what about an automatic conversion utility that can take an ASM disassembly and convert it into a C program that can be portably compiled? Not optimal, but it might be a start for other RE projects.

Traditionally, I objected to this approach on the basis of its inherent impurity– one of my objectives in this RE journey is to understand the algorithms being recovered. Technically, while it sounded like a simple enough concept, when one actually sits down to think about it, all kinds of problems crop up. One of the most immediate is how case statements (jumps using dynamic tables) would be handled.

Putting aside all uncertainty, I decided to go for it and see what could happen. Believe it or not, I met with some success while also discovering a number of problems I hadn’t yet realized (for example, the dream of portability goes right out the window). I hope to write up some more about this shortly. But for tonight, I will just show the results of the first experiment.

Read the rest of this entry »
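What the "registers as globals, one C statement per instruction" mapping looks like when applied by hand, as an added example (this is not output of the project described above; it translates the PowerPC fragment 16b40..16b64 from the RISC RE post earlier on this page, and the memory contents, register values and the treatment of 16bb4 as the exit are all constructed):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the project's output): the "registers as globals, one
 * C statement per instruction" mapping, applied by hand to the PowerPC
 * fragment 16b40..16b64 from the RISC RE post above. Memory contents and
 * register values are constructed so the fragment can be run. */
static uint32_t r[32];       /* GPRs as globals */
static int cr0_eq;           /* the only condition-register bit this fragment tests */
static uint8_t mem[512];     /* flat memory; effective addresses index it directly */

/* lwz: big-endian 32-bit load */
static uint32_t lwz(uint32_t ea)
{
    return ((uint32_t)mem[ea] << 24) | ((uint32_t)mem[ea + 1] << 16) |
           ((uint32_t)mem[ea + 2] << 8) | mem[ea + 3];
}

/* Entry points become a dispatch switch (the same device an indirect jump
 * or case table would need), branch targets become labels named after their
 * addresses, and 16bb4, which lies outside the listing, is modelled as the
 * exit. Returns r4, the value the code hands onward. */
uint32_t run_from(uint32_t entry)
{
    switch (entry) {
    case 0x16b40: goto L_16b40;
    case 0x16b54: goto L_16b54;
    default:      return 0xffffffffu;     /* not an entry point of this fragment */
    }
L_16b40:
    r[7] = lwz(r[1] + 276);               /* 16b40  lwz     r7,276(r1)    */
    r[0] = r[9] + r[7];                   /* 16b44  add     r0,r9,r7      */
    r[9] = mem[r[30] + r[0]];             /* 16b48  lbzx    r9,r30,r0     */
    r[0] = (r[9] >> 4) & 0x0fffffff;      /* 16b4c  rlwinm  r0,r9,28,4,31 */
    goto L_16b58;                         /* 16b50  b       16b58         */
L_16b54:
    r[0] = 15;                            /* 16b54  li      r0,15         */
L_16b58:
    cr0_eq = (r[11] == 15);               /* 16b58  cmpwi   r11,15        */
    r[4] = r[0];                          /* 16b5c  mr      r4,r0         */
    if (!cr0_eq) goto L_16bb4;            /* 16b60  bne-    16bb4         */
    r[0] = mem[r[25] + 2];                /* 16b64  lbz     r0,2(r25)     */
L_16bb4:
    return r[4];
}

/* Constructed state: a stack word at 276(r1), a byte table at r30, a byte
 * at 2(r25), and the r11 value the cmpwi will examine. */
void setup_sample(uint32_t r11)
{
    memset(r, 0, sizeof r);
    memset(mem, 0, sizeof mem);
    r[1] = 0;
    mem[276 + 3] = 8;                     /* big-endian 8 at 276(r1) */
    r[9] = 2;                             /* so r0 = 2 + 8 = 10 */
    r[30] = 100;
    mem[110] = 0xa5;                      /* table[10]; >> 4 gives 0x0a */
    r[25] = 200;
    mem[202] = 0x33;
    r[11] = r11;
}

int main(void)
{
    uint32_t r4;
    setup_sample(15);
    r4 = run_from(0x16b40);
    printf("r11=15: r4=%#x r0=%#x (fell through to 16b64)\n", r4, r[0]);
    setup_sample(7);
    r4 = run_from(0x16b40);
    printf("r11=7:  r4=%#x r0=%#x (bne taken to 16bb4)\n", r4, r[0]);
    return 0;
}
```

The things that do not survive the mapping are already visible here: memory has to be modelled (endianness included), condition registers need explicit bits, an address that is only a branch target from outside the fragment needs an entry in the dispatch switch, and a jump through a dynamic table would need every possible target enumerated in that switch before it can be compiled.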

Posted in Outlandish Brainstorms, Reverse Engineering | 12 Comments »

What Is DoubleTwist Ventures Up To?

November 13th, 2006 by Multimedia Mike

I generally don’t like to talk about the top search terms that are driving traffic to this blog since doing so tends to have the effect of driving more traffic based on particular terms to the posts that discuss that particular term. But last month, I noticed that “doubletwist ventures” drove a huge amount of traffic to this old post.

Is it just me, or are DRM-cracking stories just not interesting anymore? Maybe I just think of cracked DRM as a fait accompli– I accept it as a foregone conclusion that DRM can’t work and it’s just a matter of time before the specific DRM algorithms are recovered (that is, if it’s not just stock AES).

Posted in General | No Comments »

Omelettes!

November 12th, 2006 by Multimedia Mike

At long last, I am getting around to posting some omelette pictures in an effort to re-hijack the search term. Not only is the site named for the breakfast food, it will have a post about the same illustrated with pictures. Omelettes– they’re not just about multimedia technology and reverse engineering anymore! Without further ado…


Omelette
This was an all-around well-done omelette.

Omelette cooking
This is an omelette in the early stages of cooking. I must have used most of the spices on my shelf for this one.

Omelette with jalapenos
This one looks like it has jalapenos baked in.

Omelette burned
Sometimes, things go bad. I probably just wasn’t watching this one and it burned. Looks like it is leaking chopped onions, too.

Posted in General | 2 Comments »

Not Letting It Go

November 11th, 2006 by Multimedia Mike

I’m just going to keep guessing; it’s much easier than digging up actual, empirical data. I’m starting to come to grips with the idea that the number of valid sectors contained on a DVD disc is something that’s interpreted by the optical drive firmware and enforced by the same (as is the case for RPC-2 DVD region encoding). If that’s true, there is no point in using direct SCSI access to beg for sectors beyond the magic 6,992 limit on a standard Xbox disc. Ways around this? There’s the Xbox-Linux FTP trick alluded to in my cursory post on the matter.

Read the rest of this entry »

Posted in Game Hacking, xbox | 8 Comments »

New Media Angle

November 10th, 2006 by Multimedia Mike

After yesterday’s post I received a tip that I may wish to try getting at the Xbox disc data using the low-level Linux SCSI layer– the facility commonly known as SCSI generic, or simply ’sg’. In order to make use of this facility, it is necessary to configure your Linux kernel with the right support (CONFIG_CHR_DEV_SG, CONFIG_BLK_DEV_IDESCSI, but not CONFIG_BLK_DEV_IDECD). Download and install the SCSI generic utilities from here (which do not compile on my AMD64 machine; fortunately, the x86-compiled utilities and associated shared library drop into the system perfectly). There are about 30 little sg* utilities in the package. One that caught my attention was sg_dd– your typical ‘dd’ Unix command, but for interacting with a SCSI device. I tested it out on a typical Xbox DVD:

$ sudo sg_dd if=/dev/sg0 of=dvd bs=2048 bpt=1 count=20
20+0 records in
20+0 records out

And, indeed, the beginning of the disc has the markings of a typical DVD filesystem. So let’s try to read beyond the 6,992-sector limit on a standard Xbox disc:

$ sudo sg_dd if=/dev/sg0 of=dvd bs=2048 bpt=1 count=2 skip=6991
reading: SCSI status: Check Condition
 Fixed format, current;  Sense key: Illegal Request
 Additional sense: Logical block address out of range

 Raw sense data (in hex):
        70 00 05 00 00 00 00 0a  00 00 00 00 21 00 00 00
        00 00
plus...: Driver_status=0x08 [DRIVER_SENSE, SUGGEST_OK]
sg_read failed, seek=1
Some error occurred,  remaining block count=1
1+0 records in
1+0 records out

I had to deal with all this SCSI nonsense in a previous life and I admit that this output is conjuring some sour memories. Note that sg_dd did pass the command through: the Check Condition, the Illegal Request sense key (byte 2 of the raw sense data, 0x05) and the additional sense code for "Logical block address out of range" (byte 12, 0x21) all came back from the drive itself. Anyway, it seems that the stock sg_dd command cannot read beyond what the DVD header structure ostensibly reports as the size of the disc. There are a number of other utilities I need to investigate for potential. Failing that, it’s possible — with at least a modicum of effort — to program the sg layer. There may yet be a solution.
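Programming the sg layer directly, as an added example in C (not code from the original post): it builds the READ(10) command that sg_dd issues by default for a 2048-byte-sector read, decodes the 18 raw sense bytes printed above (copied into the block as constructed input), and, on Linux, submits the command with the SG_IO ioctl. The function names and the device path passed to sg_read10 are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>
#endif

/* Added example (not from the original post): the READ(10) CDB behind a
 * 2048-byte-sector read, a decoder for fixed-format sense data, and an
 * SG_IO submission path. Device path and function names are assumptions. */
#define SENSE_LEN 18

/* The 18 raw sense bytes printed by sg_dd above, as constructed input. */
const uint8_t sense_from_post[SENSE_LEN] = {
    0x70, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x0a,
    0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* READ(10): opcode 0x28, big-endian LBA in bytes 2-5, block count in 7-8. */
void build_read10(uint8_t cdb[10], uint32_t lba, uint16_t blocks)
{
    memset(cdb, 0, 10);
    cdb[0] = 0x28;
    cdb[2] = (uint8_t)(lba >> 24);   cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);    cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(blocks >> 8); cdb[8] = (uint8_t)blocks;
}

typedef struct {
    uint8_t response_code;   /* 0x70 = current error, 0x71 = deferred (fixed format) */
    uint8_t sense_key;       /* low nibble of byte 2; 0x05 = ILLEGAL REQUEST */
    uint8_t asc, ascq;       /* bytes 12-13; 0x21/0x00 = LBA OUT OF RANGE */
    uint32_t information;    /* bytes 3-6 */
} sense_info;

/* Returns 0 and fills *out for fixed-format sense data, -1 otherwise. */
int parse_fixed_sense(const uint8_t *sb, size_t len, sense_info *out)
{
    if (len < 8) return -1;
    uint8_t rc = sb[0] & 0x7f;
    if (rc != 0x70 && rc != 0x71) return -1;
    memset(out, 0, sizeof *out);
    out->response_code = rc;
    out->sense_key = sb[2] & 0x0f;
    out->information = ((uint32_t)sb[3] << 24) | ((uint32_t)sb[4] << 16) |
                       ((uint32_t)sb[5] << 8) | sb[6];
    /* byte 7 = number of bytes after it; ASC/ASCQ are only there if it reaches 12-13 */
    if (sb[7] >= 6 && len >= 14) {
        out->asc = sb[12];
        out->ascq = sb[13];
    }
    return 0;
}

#ifdef __linux__
/* Issue READ(10) through the sg layer. Returns bytes transferred, or -1 with
 * *sense filled in when the drive answers CHECK CONDITION. */
int sg_read10(const char *dev, uint32_t lba, uint16_t blocks,
              uint8_t *buf, size_t buflen, sense_info *sense)
{
    uint8_t cdb[10], sb[SENSE_LEN];
    sg_io_hdr_t io;
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    build_read10(cdb, lba, blocks);
    memset(&io, 0, sizeof io);
    memset(sb, 0, sizeof sb);
    io.interface_id = 'S';
    io.dxfer_direction = SG_DXFER_FROM_DEV;
    io.cmd_len = sizeof cdb;          io.cmdp = cdb;
    io.mx_sb_len = sizeof sb;         io.sbp = sb;
    io.dxfer_len = (unsigned)buflen;  io.dxferp = buf;
    io.timeout = 20000;                            /* milliseconds */
    int rc = ioctl(fd, SG_IO, &io);
    close(fd);
    if (rc < 0) return -1;
    if ((io.info & SG_INFO_OK_MASK) != SG_INFO_OK) {
        parse_fixed_sense(sb, io.sb_len_wr, sense);
        return -1;
    }
    return (int)(buflen - (size_t)io.resid);
}
#endif

int main(void)
{
    uint8_t cdb[10];
    sense_info s;
    build_read10(cdb, 6991, 2);                    /* the skip=6991 count=2 read above */
    printf("READ(10) CDB:");
    for (int i = 0; i < 10; i++) printf(" %02x", cdb[i]);
    printf("\n");
    if (parse_fixed_sense(sense_from_post, SENSE_LEN, &s) == 0)
        printf("sense key %#x, ASC/ASCQ %02x/%02x (05 + 21/00 = Illegal Request, LBA out of range)\n",
               s.sense_key, s.asc, s.ascq);
    return 0;
}
```

On a real drive, sg_read10("/dev/sg0", 6991, 2, buf, 4096, &s) should reproduce the sense data above, which is the useful check: a hand-built CDB gets exactly the same refusal as sg_dd, because the rejection is generated by the drive, not by the utility.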


Posted in Game Hacking, xbox | No Comments »
