Dmac5

From Vita Development Wiki

DMAC5 is a crypto device located at physical address 0xE0410000. It provides a small set of cryptographic functions that are used mostly by the kernel and occasionally from usermode.

Cmep has access to a similar crypto engine (Bigmac) at physical address 0xE0050000, with 0x800 key rings of 0x20 bytes each. Unlike DMAC5, the Cmep Bigmac is used directly only by the secure kernel and the bootloaders.

Device

Dev    Address     Features
DMAC0  0xE3000000  normal memset / no TRNG / broken SHA
DMAC1  0xE3010000  normal memset / no TRNG / broken SHA
DMAC2  0xE5000000  normal memset / no TRNG / broken SHA
DMAC3  0xE5010000  normal memset / no TRNG / broken SHA
DMAC4  0xE0400000  normal memset / no TRNG / broken SHA
DMAC5  0xE0410000  normal memset / TRNG / correct SHA
DMAC6  0xE50C0000  normal memset / no TRNG / broken SHA

Tested from the ARM non-secure (NS) world: every DMAC device except DMAC5 has a broken SHA implementation and no TRNG; only DMAC5 is fully usable for crypto.

0xE04E0000: SceDmacmgrKeyringReg

Key data: 0x20 keys of 0x20 bytes each (unconfirmed).

Usage

In all code samples, device is a volatile uint32_t* pointing to physical address 0xE0410000.

First, reset the device if it is in use:

if (device[9] & 1) {            // bit 0 of register 9 is set while the device is busy
    device[7] = 0;              // writing 0 to register 7 resets the device
    while (device[9] & 1) {}    // spin until the busy bit clears
}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT do {                                  \
    device[10] = device[10];  /* read register 10 back and rewrite it */ \
    device[7] = 1;            /* writing 1 to register 7 commits the command */ \
    while (device[9] & 1) {}  /* wait until the busy bit clears */ \
} while (0)

device[0] = src_pa;     // source physical address
device[1] = dst_pa;     // destination physical address
device[2] = 0x10;       // data size in bytes
device[3] = 0xC002309;  // function index (see Functions)
device[4] = keyring;    // key ring number (0x0-0x1F)
device[5] = iv;         // AES IV, where applicable; some functions update it in place
// device[8] = 0;       // uncomment this and the PS Vita will crash after the operation
// device[11] = 0xE070;    // unknown, unused?
// device[12] = 0x700070;  // unknown, unused?

COMMIT_WAIT;
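The two steps above (reset if busy, then program and commit a command) wrapped in C functions, as an added example that is not code from this wiki or from the Vita firmware. It drives the register block through a volatile uint32_t* mapping of 0xE0410000 with the register roles this page documents; the DMAC5_* names, the return codes, the check of the requested key ring against the boot-default 0x200000FF accessibility mask from the Key rings section, and the constructed register file used by dmac5_dry_run() are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Register indices (32-bit words from 0xE0410000) as used on this page.
 * The DMAC5_* names are this example's own. */
enum dmac5_reg {
    DMAC5_REG_SRC     = 0,  /* source physical address */
    DMAC5_REG_DST     = 1,  /* destination physical address */
    DMAC5_REG_SIZE    = 2,  /* data size in bytes */
    DMAC5_REG_FUNC    = 3,  /* function index */
    DMAC5_REG_KEYRING = 4,  /* key ring number (0x0-0x1F) */
    DMAC5_REG_IV      = 5,  /* IV where applicable; some functions update it */
    DMAC5_REG_CTRL    = 7,  /* write 0 to reset, 1 to commit */
    DMAC5_REG_STATUS  = 9,  /* bit 0 set while the device is busy */
    DMAC5_REG_10      = 10  /* written back to itself before commit; purpose undocumented */
};

#define DMAC5_NUM_KEYRINGS    0x20u
/* Boot default of the +0x400 accessibility register: rings 0-7 and 0x1D
 * are usable from the non-secure kernel. Assumed unchanged since boot. */
#define DMAC5_NS_KEYRING_MASK 0x200000FFu

enum dmac5_result { DMAC5_OK = 0, DMAC5_ERR_ARG = -1, DMAC5_ERR_RING = -2 };

/* One bit per key ring: returns 1 if 'ring' is enabled in 'mask'. */
int dmac5_ring_allowed(uint32_t mask, unsigned ring)
{
    if (ring >= DMAC5_NUM_KEYRINGS)
        return 0;
    return (int)((mask >> ring) & 1u);
}

/* Step 1: reset the engine if a previous operation is still in flight. */
void dmac5_reset_if_busy(volatile uint32_t *device)
{
    if (device[DMAC5_REG_STATUS] & 1u) {
        device[DMAC5_REG_CTRL] = 0;
        while (device[DMAC5_REG_STATUS] & 1u) {}
    }
}

/* Step 2: program one command and commit it (the page's COMMIT_WAIT). */
int dmac5_submit(volatile uint32_t *device, uint32_t src_pa, uint32_t dst_pa,
                 uint32_t size, uint32_t func, unsigned ring, uint32_t iv)
{
    if (device == NULL || size == 0)
        return DMAC5_ERR_ARG;
    /* Added sanity check: refuse key rings the NS kernel cannot use. */
    if (!dmac5_ring_allowed(DMAC5_NS_KEYRING_MASK, ring))
        return DMAC5_ERR_RING;

    dmac5_reset_if_busy(device);

    device[DMAC5_REG_SRC]     = src_pa;
    device[DMAC5_REG_DST]     = dst_pa;
    device[DMAC5_REG_SIZE]    = size;
    device[DMAC5_REG_FUNC]    = func;
    device[DMAC5_REG_KEYRING] = ring;
    device[DMAC5_REG_IV]      = iv;

    device[DMAC5_REG_10]   = device[DMAC5_REG_10];
    device[DMAC5_REG_CTRL] = 1;
    while (device[DMAC5_REG_STATUS] & 1u) {}
    return DMAC5_OK;
}

/* Host-side dry run against a constructed 16-word register file (no
 * hardware): status reads idle, so the spin loops exit immediately.
 * Returns 1 when the accepted command landed in the expected registers
 * and a request for ring 0x1C (not NS-accessible) was refused untouched. */
int dmac5_dry_run(void)
{
    uint32_t regs[16] = {0};
    /* Placeholder physical addresses, not taken from the page. */
    int rc = dmac5_submit(regs, 0x1000u, 0x2000u, 0x10u, 0xC002309u, 0u, 0u);
    int ok = rc == DMAC5_OK &&
             regs[DMAC5_REG_SRC]     == 0x1000u &&
             regs[DMAC5_REG_DST]     == 0x2000u &&
             regs[DMAC5_REG_SIZE]    == 0x10u &&
             regs[DMAC5_REG_FUNC]    == 0xC002309u &&
             regs[DMAC5_REG_KEYRING] == 0u &&
             regs[DMAC5_REG_CTRL]    == 1u;
    rc = dmac5_submit(regs, 0x1000u, 0x2000u, 0x10u, 0xC002309u, 0x1Cu, 0u);
    return ok && rc == DMAC5_ERR_RING && regs[DMAC5_REG_KEYRING] == 0u;
}
```

On real hardware the caller obtains `device` by mapping physical 0xE0410000 into kernel virtual memory and must pass physical (not virtual) addresses in src_pa/dst_pa; the register-10 read-back write is reproduced from the page's COMMIT_WAIT macro without a documented meaning.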

Key rings

DMAC5 uses the key ring device named SceSblDMAC5DmacKR for the cryptographic key material. This device is at physical address 0xE04E0000 (cmep can also configure this device).

The key ring configuration is set during secure boot. The register at offset +0x400 configures non-secure kernel accessibility: it is a 32-bit mask with one bit per key ring, and a set bit enables that ring for the non-secure kernel. On boot it defaults to 0x200000FF, i.e. key rings 0-7 and 0x1D can be used directly by the non-secure kernel. The +0x400 register is only accessible from the secure world. On boot the register at +0x404 is set to 0xFFFFFFFF.

There are 0x20 DMAC5 key rings, from 0x0 to 0x1F.

Key rings 0x0-0x7 and 0x1D can be modified by writing directly to the DMAC5 key ring registers.

Key ring 0x1C is related to Removable Media Authentication (https://pastebin.com/5vuehLr7). This key is set by rmauth_sm.

Key rings 0x1E and 0x1F are related to Magic Gate Manager. These keys are set by mgkm_sm.

Address     Size   Details
0xE04E0000  0x400  0x20 keys of 0x20 bytes each (possibly write-only from ARM)
0xE04E0400  0x4    Non-secure kernel accessibility mask; defaults to 0x200000FF on boot
0xE04E0404  0x4    Set to 0xFFFFFFFF on boot

Functions

See here