From Vita Development Wiki

DMAC5 is a crypto device located at physical address 0xE0410000. It provides a handful of cryptographic functions that are used mostly by the kernel and occasionally from usermode.

Cmep has access to a similar crypto engine (Bigmac) at physical address 0xE0050000, with 0x800 key rings of 0x20 bytes each. Unlike DMAC5, the Cmep Bigmac is used directly only by the secure kernel and the bootloaders.


Dev    Address      Features
DMAC0  0xE3000000   normal memset / no TRNG / broken SHA
DMAC1  0xE3010000   normal memset / no TRNG / broken SHA
DMAC2  0xE5000000   normal memset / no TRNG / broken SHA
DMAC3  0xE5010000   normal memset / no TRNG / broken SHA
DMAC4  0xE0400000   normal memset / no TRNG / broken SHA
DMAC5  0xE0410000   normal memset / TRNG / correct SHA
DMAC6  0xE50C0000   normal memset / no TRNG / broken SHA

Tested from the ARM non-secure world: every DMAC device except DMAC5 has a broken SHA and no TRNG, so DMAC5 is the only one usable for real cryptographic work.

0xE04E0000: SceDmacmgrKeyringReg

key data: 0x20 keys of 0x20 bytes each (0x400 bytes in total; see Key rings below)


In all code samples, device is a volatile uint32_t* pointing to physical address 0xE0410000.

First, reset the device if it is in use:

if (device[9] & 1) {       // bit 0 of device[9] is the busy flag
    device[7] = 0;         // writing 0 to the commit register resets the engine
    while (device[9] & 1) {}
}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT device[10] = device[10]; device[7] = 1; while(device[9] & 1){};

device[0] = src_pa;       // source physical address
device[1] = dst_pa;       // destination physical address
device[2] = 0x10;         // data size in bytes
device[3] = 0xC002309;    // function index
device[4] = keyring;      // key ring number
device[5] = iv;           // AES IV, where applicable; some functions update this register
// device[8] = 0;         // uncomment this and the PS Vita will crash after the operation
// device[11] = 0xE070;   // unknown, unused?
// device[12] = 0x700070; // unknown, unused?
COMMIT_WAIT               // commit and wait for the busy bit to clear


Key rings

DMAC5 uses the key ring device named SceSblDMAC5DmacKR for its cryptographic key material. This device is at physical address 0xE04E0000 (cmep can also configure it).

The key ring configuration is set during secure boot. The register at offset +0x400 configures non-secure kernel accessibility. On boot it defaults to 0x200000FF, a 32-bit mask in which bit n enables key ring n, so key rings 0-7 (bits 0-7) and key ring 0x1D (bit 29) can be used directly by the non-secure kernel. The +0x400 register is only accessible from the secure world. On boot the register at +0x404 is set to 0xFFFFFFFF.

There are 32 key slots in the DMAC5 key ring.

Keyring ID   Details
0-7          Can be modified directly by writing to the DMAC5 key ring from ARM.
0x1B         Non-secure kernel encryption key.
0x1C         Related to Removable Media Authentication. This key is set by rmauth_sm.
0x1D         Can be modified directly by writing to the DMAC5 key ring from ARM.
0x1E-0x1F    Related to Magic Gate Key Manager. These keys are set by mgkm_sm.

Address       Size    Details
0xE04E0000    0x400   32 keys of 0x20 bytes each
0xE04E0400    0x4     Configures non-secure kernel accessibility (32-bit mask, bit n enables key ring n). On boot it defaults to 0x200000FF.
0xE04E0404    0x4     On boot it is set to 0xFFFFFFFF.
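As an added example (this is not code from the wiki, nor from any Vita firmware), the reset / program / commit sequence from the code samples above and the +0x400 accessibility mask from this section are combined into one C routine. The word offsets and the 0x200000FF boot default come from this page; the register names, the command struct, the spin bound, the error codes and the fake register array in main() are assumptions chosen for illustration. Two things a caller in the non-secure kernel wants that the raw register writes do not give: the key ring is checked against the accessibility mask before the device is touched, and the busy-wait is bounded so a wedged engine returns an error instead of hanging the caller (the page's own loops spin forever).

```c
#include <stdint.h>
#include <stdio.h>

/* Register word offsets from 0xE0410000, as documented on this page.
 * The names are assumptions for readability. */
enum {
    DMAC5_SRC_PA   = 0,   /* source physical address */
    DMAC5_DST_PA   = 1,   /* destination physical address */
    DMAC5_SIZE     = 2,   /* data size in bytes */
    DMAC5_FUNC     = 3,   /* function index */
    DMAC5_KEYRING  = 4,   /* key ring number */
    DMAC5_IV       = 5,   /* AES IV where applicable */
    DMAC5_COMMIT   = 7,   /* write 1 to commit, 0 to reset */
    DMAC5_STATUS   = 9,   /* bit 0: busy */
    DMAC5_ACK      = 10,  /* written back to itself before each commit */
    DMAC5_NUM_REGS = 13
};

#define DMAC5_KR_SLOTS           32u
#define DMAC5_KR_NS_MASK_DEFAULT 0x200000FFu  /* boot default of +0x400 */

struct dmac5_cmd {
    uint32_t src_pa, dst_pa, size, func, keyring, iv;
};

/* 1 if key ring `ring` is enabled for the non-secure kernel by `mask`. */
int dmac5_kr_ns_accessible(uint32_t mask, uint32_t ring)
{
    return ring < DMAC5_KR_SLOTS && ((mask >> ring) & 1u);
}

/* Poll the busy bit at most max_spins times. 0 = idle, -1 = still busy.
 * The bound is an assumption added for robustness; the page spins forever. */
static int dmac5_wait_idle(volatile uint32_t *device, unsigned max_spins)
{
    unsigned n;
    for (n = 0; n < max_spins; n++)
        if (!(device[DMAC5_STATUS] & 1u))
            return 0;
    return -1;
}

/* Reset the engine if busy, program one command, commit and wait.
 * Returns 0 on success, -1 if the key ring is not NS-accessible,
 * -2 if the busy bit never cleared. */
int dmac5_run(volatile uint32_t *device, const struct dmac5_cmd *cmd,
              uint32_t ns_mask, unsigned max_spins)
{
    uint32_t ack;

    if (!dmac5_kr_ns_accessible(ns_mask, cmd->keyring))
        return -1;

    /* Step 1: reset if a previous operation is still in flight. */
    if (device[DMAC5_STATUS] & 1u) {
        device[DMAC5_COMMIT] = 0;
        if (dmac5_wait_idle(device, max_spins) != 0)
            return -2;
    }

    /* Step 2: program the command. device[8] is deliberately not written. */
    device[DMAC5_SRC_PA]  = cmd->src_pa;
    device[DMAC5_DST_PA]  = cmd->dst_pa;
    device[DMAC5_SIZE]    = cmd->size;
    device[DMAC5_FUNC]    = cmd->func;
    device[DMAC5_KEYRING] = cmd->keyring;
    device[DMAC5_IV]      = cmd->iv;

    /* Step 3: the page's COMMIT_WAIT sequence. */
    ack = device[DMAC5_ACK];
    device[DMAC5_ACK]    = ack;
    device[DMAC5_COMMIT] = 1;
    return dmac5_wait_idle(device, max_spins) == 0 ? 0 : -2;
}

int main(void)
{
    /* Constructed stand-in for the register window: no hardware is touched.
     * On a real Vita `device` would point at the mapped 0xE0410000 window. */
    uint32_t regs[DMAC5_NUM_REGS] = {0};
    struct dmac5_cmd cmd = { 0x40000000u, 0x40001000u, 0x10, 0xC002309u, 0x1D, 0 };
    int rc = dmac5_run(regs, &cmd, DMAC5_KR_NS_MASK_DEFAULT, 1000);
    printf("rc=%d func=0x%X keyring=0x%X commit=%u\n",
           rc, regs[DMAC5_FUNC], regs[DMAC5_KEYRING], regs[DMAC5_COMMIT]);
    cmd.keyring = 0x1B;  /* not in the default mask: refused before any write */
    printf("rc=%d\n", dmac5_run(regs, &cmd, DMAC5_KR_NS_MASK_DEFAULT, 1000));
    return 0;
}
```

Note that src_pa and dst_pa must be physical addresses, as on the page, and that the non-secure kernel cannot read +0x400 itself, so the mask passed in is the known boot default unless secure-world code has changed it.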


See functions here.