From Vita Development Wiki

This device, located at physical address 0xE0410000, provides a few cryptographic functions. F00D also has access to a similar device ("bigmac") at physical address 0xE0050000, with 0x800 keyslots.


In all code samples, device is a volatile uint32_t* pointing to paddr 0xE0410000.

First, reset the device if it's in use:

if (device[9] & 1) {       // bit 0 of device[9]: busy
    device[7] = 0;         // reset
    while (device[9] & 1) {}
}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT device[10] = device[10]; device[7] = 1; while(device[9] & 1){};

device[0] = src_pa; // source addr
device[1] = dst_pa; // destination addr
device[2] = 0x10; // data size
device[3] = 0xC002309; // function index
device[4] = slot; // key slot number
device[5] = iv; // AES IV, where applicable, this will be updated by some functions
// device[8] = 0; // uncomment this and vita will crash after operation
// device[11] = 0xE070; // unknown, unused?
// device[12] = 0x700070; // unknown, unused?


Key slots

It uses the keyring device SceSblDMAC5DmacKRBase for the cryptographic key material. The keyring is at physical address 0xE04E0000 (F00D can also configure this device). For the F00D's "bigmac" crypto engine, the keyring is located at 0xE0058000, with 0x800 key entries of 0x20 bytes each. The keyring configuration is set during secure boot. Keyring offset +0x400 configures non-secure kernel accessibility. On boot it defaults to 0x200000FF, which means key slots 0-7 and slot 0x1D can be used directly by the non-secure kernel. This value is a 32-bit mask in which each bit enables one specific key slot. The +0x400 register is only accessible in secure mode. On boot the register at +0x404 is set to 0xFFFFFFFF.

There are 0x20 key slots, from 0x0 to 0x1F.

Key slots 0x0-0x7 and 0x1D can be modified directly using dmac5keyring.

Key slot 0x1C seems to be related to memory card.

Address      Size    Details
0xE04E0000   0x400   0x20 keys of size 0x20
0xE04E0400   0x4     configure non-secure kernel accessibility; on boot defaults to 0x200000FF
0xE04E0404   0x4     on boot is set to 0xFFFFFFFF


The first byte of the function code indicates which function to use and the second byte the key size.

If function_code & 0x80 (bit 7 is set), a key placed at 0xE0050200 is used instead of the key in the keyslot.

2nd byte   Key size
0          64 and less
1          128
2          192
3          256 and 512

The C code that generates the function from different parameters appears to be the following:

unsigned int dmac_func(int unk1, int unk2, int size, int param)
{
	unsigned int tmp0, tmp1;

	tmp0 = (param & 0xFFFFFFC0) | (unk1 & 7);   // bits 0-2: function; bits 6+ copied from param
	tmp1 = ((unk2 << 3) & 0x38) | tmp0;         // bits 3-5: mode
	tmp1 = tmp1 & 0xFFFFFCFF;                   // clear bits 8-9
	tmp1 = tmp1 | ((size << 8) & 0x300);        // bits 8-9: key size (see table above)

	return tmp1;
}

The following functions are available:

  • 0x0: memcpy
  • 0x1: AES-ECB encrypt
  • 0x2: AES-ECB decrypt
  • 0x3: SHA1
  • 0x4: Random Number Generator
  • 0x9: AES-CBC encrypt
  • 0xA: AES-CBC decrypt
  • 0xB: SHA224
  • 0xC: memset
  • 0x13: SHA256
  • 0x21: AES-128-CTR encrypt
  • 0x22: AES-128-CTR decrypt (identical to encrypt)
  • 0x23: HMAC-SHA1
  • 0x2B: HMAC-SHA224
  • 0x33: HMAC-SHA256
  • 0x3B: CMAC-AES
  • 0x41: DES-64-ECB encrypt (3DES if key size is 128 or 192)
  • 0x42: DES-64-ECB decrypt (3DES if key size is 128 or 192)
  • 0x49: DES-64-CBC encrypt (3DES if key size is 128 or 192)
  • 0x4A: DES-64-CBC decrypt (3DES if key size is 128 or 192)
  • 0x101: AES-128-ECB encrypt
  • 0x102: AES-128-ECB decrypt
  • 0x109: AES-128-CBC encrypt
  • 0x10A: AES-128-CBC decrypt
  • 0x201: AES-192-ECB encrypt
  • 0x202: AES-192-ECB decrypt
  • 0x209: AES-192-CBC encrypt
  • 0x20A: AES-192-CBC decrypt
  • 0x301: AES-256-ECB encrypt
  • 0x302: AES-256-ECB decrypt
  • 0x309: AES-256-CBC encrypt
  • 0x30A: AES-256-CBC decrypt
  • probably there are more
  • Some commands set higher bits that do not seem to have much effect. For the encryption examples, 0xC002000 is also set in the command's upper bits.
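To tie the dmac_func() layout to the function list, here is an added example (not code from the wiki or from any Vita project) that composes a function code from its fields and decodes a code back into the operation name and key size. The field names op/mode are assumptions read off the masks in dmac_func(); the names come from the list above, and the sample code 0xC002309 is the one used in the command sample at the top of the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed field layout, taken from the masks in dmac_func():
 * bits 0-2 operation, bits 3-5 mode, bits 8-9 key size, bit 7 key source,
 * all other bits copied from the param argument. */
#define DMAC_KEY_AT_E0050200  0x80u       /* bit 7: key at 0xE0050200, not a slot */
#define DMAC_ENC_UPPER_BITS   0xC002000u  /* upper bits seen on the page's AES example */

unsigned int dmac_func(unsigned int op, unsigned int mode, unsigned int size,
                       unsigned int param)
{
    unsigned int code = (param & 0xFFFFFFC0u) | (op & 7u);
    code |= (mode << 3) & 0x38u;
    code &= 0xFFFFFCFFu;             /* clear the key-size field */
    code |= (size << 8) & 0x300u;
    return code;
}

/* Second byte -> key size in bits (value 3 covers both 256 and 512 per the table). */
unsigned int dmac_key_bits(unsigned int code)
{
    static const unsigned int sizes[4] = { 64, 128, 192, 256 };
    return sizes[(code >> 8) & 3u];
}

int dmac_uses_external_key(unsigned int code)
{
    return (code & DMAC_KEY_AT_E0050200) != 0;
}

/* Look up bits 0-6 (operation + mode) in the wiki's list; NULL if not listed. */
const char *dmac_func_name(unsigned int code)
{
    static const struct { unsigned int op; const char *name; } tbl[] = {
        {0x0,"memcpy"},{0x1,"AES-ECB encrypt"},{0x2,"AES-ECB decrypt"},{0x3,"SHA1"},
        {0x4,"Random Number Generator"},{0x9,"AES-CBC encrypt"},{0xA,"AES-CBC decrypt"},
        {0xB,"SHA224"},{0xC,"memset"},{0x13,"SHA256"},{0x21,"AES-128-CTR encrypt"},
        {0x22,"AES-128-CTR decrypt"},{0x23,"HMAC-SHA1"},{0x2B,"HMAC-SHA224"},
        {0x33,"HMAC-SHA256"},{0x3B,"CMAC-AES"},{0x41,"DES-64-ECB encrypt"},
        {0x42,"DES-64-ECB decrypt"},{0x49,"DES-64-CBC encrypt"},{0x4A,"DES-64-CBC decrypt"},
    };
    unsigned int op = code & 0x7Fu;  /* drop key-source flag and key-size bits */
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (tbl[i].op == op) return tbl[i].name;
    return NULL;
}
```

With op=1 (encrypt), mode=1 (CBC), size=3 and the 0xC002000 upper bits, dmac_func() yields exactly the 0xC002309 written to device[3] in the sample above.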