UC_ERR_INSN_INVALID when emulating my machine's bios

[hanetzer]

Not certain if I'm doing it right, but here's what I have.
using bios version 4301 from here (you'll need to strip 4096 bytes from the front of it to get rid of the UEFI cap header),
and calling the tool as such:

$ ./PSPEmu --emulation-mode sys \
    -a zen+-standard --flash-rom `pwd`/bios.rom --timer-real-time --trace-log ./log --intercept-svc-6 --trace-svcs
rcUc=10 (UC_ERR_INSN_INVALID)

the resultant log contains:

00000000             INFO             CORE 0x00000110[0x00000000][  SVC, S,NM,NI,NF,0x00000000] STRING "R0  > 0x00000000 | R1  > 0x00000000 | R2 > 0x00000000 | R3 > 0xffffffff"
                                                                                                STRING "R4  > 0x00000000 | R5  > 0x00000000 | R6 > 0x00000000 | R7 > 0x00000000"
                                                                                                STRING "R8  > 0x00000000 | R9  > 0x00000000 | R10> 0x00000000 | R11> 0x00000000"
                                                                                                STRING "R12 > 0x00000000 | SP  > 0x00000000 | LR > 0x00000000 | PC > 0x00000110"
                                                                                                STRING "CPSR> 0x400001d3 | SPSR> 0x00000000"
                                                                                                STRING "Disasm:"
                                                                                                STRING "0x000110:    mcrrle		p9, #2, r1, r7, c10"
                                                                                                STRING "0x000114:    ldmdble		pc, {r0, r1, r2, r4, r5, r6, r8, sl, ip, lr, pc} ^"
                                                                                                STRING "0x000118:    ldmlt		sb!, {r4, r5, r7, r8, ip} ^"
                                                                                                STRING "0x00011c:    adcvc		r5, r2, r3, lsr r4"
                                                                                                STRING "0x000120:    ldrshpl		sp, [r7], r0"
00000001             INFO             CORE 0x00000110[0x00000000][  SVC, S,NM,NI,NF,0x00000000] STRING "Stack:"
                                                                                                STRING "	0x00000000: 0x00000000 <= SP"
                                                                                                STRING "	0x00000004: 0x00000000"
                                                                                                STRING "	0x00000008: 0x00000000"
                                                                                                STRING "	0x0000000c: 0x00000000"
                                                                                                STRING "	0x00000010: 0x31535024"
                                                                                                STRING "	0x00000014: 0x0000e1c0"
                                                                                                STRING "	0x00000018: 0x00000001"
                                                                                                STRING "	0x0000001c: 0x00000000"

If I'm missing something do let me know.

[AlexanderEichner]

The issue is that the off chip bootloader in your firmware image is encrypted and PSPEmu doesn't support decrypting it automatically (yet) because it requires unwrapping the IKEK which is only possible by hardcoding the result into PSPEmu. You have to extract and decrypt the off chip boot loader you are interested in the image with PSPTool first using:
psptool -X -c -d 0 -e 1 -o rog-off-chip.bin ROG-CROSSHAIR-VII-HERO-WIFI-ASUS-4301/ROG-CROSSHAIR-VII-HERO-WIFI-ASUS-4301.ROM
The -d and -e argument might differ depending on the off chip bootloader you want.

Afterwards you can load the result into PSPEmu using:
./PSPEmu --emulation-mode sys --flash-rom ROG-CROSSHAIR-VII-HERO-WIFI-ASUS-4301/ROG-CROSSHAIR-VII-HERO-WIFI-ASUS-4301.ROM --trace-log run.tracelog.rog --timer-real-time --psp-profile zen+-standard --trace-svcs --intercept-svc-6 --bin-load rog-off-chip.bin --bin-contains-hdr

[hanetzer]

This seems to work better, however I get the following results:
directory 0 & 1, entry 1 (identical):

$ ./PSPEmu --emulation-mode sys --flash-rom bios.bin  --trace-log run.tracelog.rog.1 \
    --timer-real-time --psp-profile zen+-standard --trace-svcs --intercept-svc-6 \
    --bin-load rog-off-chip-1.bin --bin-contains-hdr
Loading the flash ROM failed with 2
Creating flash filesystem read instance failed with -3
pspDevX86UnkMmioRead: offMmio=0 cbRead=1
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0x1e cbWrite=1 -> IGNORED
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0x1f cbWrite=1 -> IGNORED
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0x1e cbWrite=1 -> IGNORED
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0x1f cbWrite=1 -> IGNORED
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0 cbRead=4 -> return all 0
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0 cbWrite=4 -> IGNORED
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0 cbWrite=4 -> IGNORED
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0 cbRead=4 -> return all 0
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0 cbRead=4 -> return all 0
pspDevFlashSpiCtrlWrite: ATTEMPTED write access to offSmn=0 cbWrite=4 -> IGNORED
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0xc cbRead=1 -> return all 0
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0xc cbRead=1 -> return all 0
pspDevFlashSpiCtrlRead: ATTEMPTED read from offSmn=0xc cbRead=1 -> return all 0

resultant log:
run.tracelog.rog.1.txt
directory 2, entry 1:

$ ./PSPEmu --emulation-mode sys --flash-rom bios.bin  --trace-log run.tracelog.rog.2 \
    --timer-real-time --psp-profile zen+-standard --trace-svcs --intercept-svc-6 \
    --bin-load rog-off-chip-2.bin --bin-contains-hdr
Loading the flash ROM failed with 2
Creating flash filesystem read instance failed with -3

resultant log:
run.tracelog.rog.2.txt

also I'm seeing the following in my dmesg, expected?

[36953.811231] pcieport 0000:00:03.1: AER: Multiple Corrected error received: 0000:00:00.0
[36953.811246] pcieport 0000:00:03.1: PCIe Bus Error: severity=Corrected, type=Data Link Layer, (Transmitter ID)
[36953.811249] pcieport 0000:00:03.1:   device [1022:1453] error status/mask=00001100/00006000
[36953.811251] pcieport 0000:00:03.1:    [ 8] Rollover              
[36953.811254] pcieport 0000:00:03.1:    [12] Timeout

[AlexanderEichner]

The messages in dmesg are irrelevant, PSPEmu doesn't mess with the host hardware in any way. The error message regarding being able to load the flash image are weird, never seen something like that before.

[hanetzer]

The messages in dmesg are irrelevant, PSPEmu doesn't mess with the host hardware in any way.

Ok, figured as much but the timing was sus.

The error message regarding being able to load the flash image are weird, never seen something like that before.

Aside from that message, do my logs look correct? or am I still missing a piece of the puzzle?

[hanetzer]

dusted off project. made progress. However, I basically hang after this line:
INFO STS 0x0000aa3c[0x0000aaed][ SVC, S, M, I,NF,0x00014000] STRING "POST CODE (X86): PSPSTATUS_PSP_DIRECTORY_ENTRY_NOT_FOUND"

This includes when using the zen+ profile as is (id 0xbc090072) and editing it to the psp id for the directories I see loaded when using psptrace (either 0xbc0a000 or 0xbc0a0100)

[hanetzer]

On a related note, it appears to be loading the wrong pubkey for the directory I'm trying to get it to load:
Loaded AMD public key doesn't match expected size: 0x440 vs 0x240 expected
(lightly modified the code to print as hex so I could check against psptool's output easier)
Both the 0xbc0a[01]00 entries have the smaller public key.