Changes

F00D Key Ring Base (view source)

Revision as of 22:59, 4 October 2018

18 bytes removed , 22:59, 4 October 2018

→‎Key Ring Slots 0xE0058000

Line 27: Line 27:

{| class="wikitable"

|-

−

! Slot !! Initial Valid !! Initial Protection !! Protection (1.69) !! Ever Valid (1.69) !! Set By? ~~!! Per-console~~ !! Description

+

! Slot !! Initial Valid !! Initial Protection !! Protection (1.69) !! Ever Valid (1.69) !! Set By? !! Description

|-

−

| 0 || 3 || 0x0442 || 0x0442 || Y || ? || ?

+

| 0 || N || 0x0442 || 0x0442 || Y || ? || ?

|-

−

| 1 || 1 || 0x0442 || 0x0442 || N || ? || ?

+

| 1 || N || 0x0442 || 0x0442 || N || ? || ?

|-

−

| 2-7 || 1 || 0x0442 || 0x0040 || N || ? || ?

+

| 2-7 || N || 0x0442 || 0x0040 || N || ? || ?

|-

−

| 8 || 3 || 0x049F || 0x0081 || Y || ? || enp per-console key

+

| 8 || N || 0x049F || 0x0081 || Y || ? || enp per-console key

|-

−

| 9 || 1 || 0x049F || 0x0080 || N || ? || ?

+

| 9 || N || 0x049F || 0x0080 || N || ? || ?

|-

−

| 0xA-0xF || 3 || 0x049F || 0x0080 || Y || ? || ?

+

| 0xA-0xF || N || 0x049F || 0x0080 || Y || ? || ?

|-

−

| 0x10 || 1 || 0x0502 || 0x0502 || N || ? || supports decryption only

+

| 0x10 || N || 0x0502 || 0x0502 || N || ? || supports decryption only

|-

−

| 0x11-0x1F || 1 || 0x0502 || 0x0100 || N || ? || ?

+

| 0x11-0x1F || N || 0x0502 || 0x0100 || N || ? || ?

|-

−

| 0x20 || 3 || 0x061F || 0x0200 || Y || ? || Derived from 0x344, used for hmac-sha256 over enc files

+

| 0x20 || N || 0x061F || 0x0200 || Y || ? || Derived from 0x344, used for hmac-sha256 over enc files

|-

−

| 0x21-0x24 || 1 || 0x061F || 0x061F || N || ? || supports encryption and decryption

+

| 0x21-0x24 || N || 0x061F || 0x061F || N || ? || supports encryption and decryption

|-

−

| 0x25-0x2F || 1 || 0x061F || 0x0200 || N || ? || ?

+

| 0x25-0x2F || N || 0x061F || 0x0200 || N || ? || ?

|-

−

| 0x30-0x34 || 1 || 0x041F || 0x041F || N || ? || ?

+

| 0x30-0x34 || N || 0x041F || 0x041F || N || ? || ?

|-

−

| 0x35-0x7F || 1 || 0x041F || 0x0000 || N || ? || ?

+

| 0x35-0x7F || N || 0x041F || 0x0000 || N || ? || ?

|-

−

| 0x80-0xFF || 0 || 0x0000 || 0x0000 || X || ? || Not used

+

| 0x80-0xFF || X || 0x0000 || 0x0000 || X || ? || Not used

|-

−

| 0x100 || 1 || 0x041F || 0x041F || N || ? || ?

+

| 0x100 || N || 0x041F || 0x041F || N || ? || ?

|-

−

| 0x101-0x17F || 1 || 0x041F || 0x0000 || N || ? || ?

+

| 0x101-0x17F || N || 0x041F || 0x0000 || N || ? || ?

|-

−

| 0x180-0x1FF || 0 || 0x0000 || 0x0000 || X || ? || Not used

+

| 0x180-0x1FF || X || 0x0000 || 0x0000 || X || ? || Not used

|-

−

| 0x200-0x203 || 3 || 0x0002 || 0x0000 || Y || ? || ?

+

| 0x200-0x203 || Y || 0x0002 || 0x0000 || Y || ? || ?

|-

−

| 0x204-0x205 || 3 || 0x006F || 0x006F || Y || ? || ?

+

| 0x204-0x205 || Y || 0x006F || 0x006F || Y || ? || ?

|-

−

| 0x206 || 3 || 0x00AF || 0x00A0 || Y || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console.

+

| 0x206 || Y || 0x00AF || 0x00A0 || Y || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console.

|-

−

| 0x207 || 3 || 0x00AF || 0x00A0 || Y || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)

+

| 0x207 || Y || 0x00AF || 0x00A0 || Y || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)

|-

−

| 0x208-0x20D || 3 || 0x00AF || 0x00A0 || Y || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header

+

| 0x208-0x20D || Y || 0x00AF || 0x00A0 || Y || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header

|-

−

| 0x20E-0x20F || 3 || ? || 0x0010 || Y || ? || Maybe per-console emmc crypto keys? Protected by second_loader.

+

| 0x20E-0x20F || Y || ? || 0x0010 || Y || ? || Maybe per-console emmc crypto keys? Protected by second_loader.

|-

−

| 0x210-0x211 || 3 || 0x001F || 0x0000 || Y || ? || ?

+

| 0x210-0x211 || Y || 0x001F || 0x0000 || Y || ? || ?

|-

−

| 0x212 || 3|| 0x001F || 0x001F || Y || ? || ?

+

| 0x212 || Y|| 0x001F || 0x001F || Y || ? || ?

|-

−

| 0x213 || 3|| 0x001F || 0x001F || Y || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console.

+

| 0x213 || Y|| 0x001F || 0x001F || Y || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console.

|-

−

| 0x214 || 3|| 0x001F || 0x0000 || Y || ? || Used to derive keyslots 0x514, 0x515 in second_loader

+

| 0x214 || Y|| 0x001F || 0x0000 || Y || ? || Used to derive keyslots 0x514, 0x515 in second_loader

|-

−

| 0x215 || 3|| 0x001F || 0x0000 || Y || ? || ?

+

| 0x215 || Y|| 0x001F || 0x0000 || Y || ? || ?

|-

−

| 0x216 || 3|| 0x001F || 0x001F || Y || ? || Derive 0x502-0x504 by encrypting data in second_loader.

+

| 0x216 || Y|| 0x001F || 0x001F || Y || ? || Derive 0x502-0x504 by encrypting data in second_loader.

|-

−

| 0x217 || 3 || 0x001F || 0x0000 || Y || ? || ?

+

| 0x217 || Y || 0x001F || 0x0000 || Y || ? || ?

|-

−

| 0x218-0x2FF || 0 || 0x0000 || 0x0000 || X || ? || Not used

+

| 0x218-0x2FF || X || 0x0000 || 0x0000 || X || ? || Not used

|-

−

| 0x300-0x33F || 3 || 0x0002 || 0x0000 || Y || ? || ?

+

| 0x300-0x33F || Y || 0x0002 || 0x0000 || Y || ? || ?

|-

−

| 0x340 || 3 || 0x012F || 0x012F || Y || ? || Used to decrypt keys into the 0x10 key slot

+

| 0x340 || Y || 0x012F || 0x012F || Y || ? || Used to decrypt keys into the 0x10 key slot

|-

−

| 0x341-0x343 || 3 || 0x012F || 0x0120 || Y || ? || ?

+

| 0x341-0x343 || Y || 0x012F || 0x0120 || Y || ? || ?

|-

−

| 0x344 || 3 || 0x022F || 0x0220 || Y || ? || Used to derive key 0x20 in brom.

+

| 0x344 || Y || 0x022F || 0x0220 || Y || ? || Used to derive key 0x20 in brom.

|-

−

| 0x345-0x348 || 3 || 0x022F || 0x022F || Y || ? || Used to decrypt keys into one of the 0x21-0x24 key slot

+

| 0x345-0x348 || Y || 0x022F || 0x022F || Y || ? || Used to decrypt keys into one of the 0x21-0x24 key slot

|-

−

| 0x349-0x353 || 3 || 0x022F ||0x0220 || Y || ? || ?

+

| 0x349-0x353 || Y || 0x022F ||0x0220 || Y || ? || ?

|-

−

| 0x354-0x3FF || 3 || 0x001F || 0x0000 || Y || ? || ?

+

| 0x354-0x3FF || Y || 0x001F || 0x0000 || Y || ? || ?

|-

−

| 0x400-0x47F || 1 || 0x1800 || 0x0000 || N || ? || ?

+

| 0x400-0x47F || N || 0x1800 || 0x0000 || N || ? || ?

|-

−

| 0x480-0x4FF || 0 || 0x0000 || 0x0000 || X || ? || Not used

+

| 0x480-0x4FF || X || 0x0000 || 0x0000 || X || ? || Not used

|-

−

| 0x500 || 1 || 0x1800 || 0x1800 || N || ? || ?

+

| 0x500 || N || 0x1800 || 0x1800 || N || ? || ?

|-

−

| 0x501 || 7 || 0x1800 || 0x1000 || Y || first_loader || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset

+

| 0x501 || N || 0x1800 || 0x1000 || Y || first_loader || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset

|-

−

| 0x502-0x504 || 3 || 0x1800 || 0x1800 || Y || ~~Yes~~ || Related to Ernie SNVS

+

| 0x502-0x504 || N || 0x1800 || 0x1800 || Y || ? || Related to Ernie SNVS

|-

−

| 0x505 || 1 || 0x1800 || 0x0000 || N || ? || ?

+

| 0x505 || N || 0x1800 || 0x0000 || N || ? || ?

|-

−

| 0x506 || 3 || 0x1800 || 0x1800 || Y || ? || ?

+

| 0x506 || N || 0x1800 || 0x1800 || Y || ? || ?

|-

−

| 0x507 || 3 || 0x1800 || 0x1800 || Y || ? || ?

+

| 0x507 || N || 0x1800 || 0x1800 || Y || ? || ?

|-

−

| 0x508 || 3 || 0x1800 || 0x1800 || Y || ? || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50

+

| 0x508 || N || 0x1800 || 0x1800 || Y || ? || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50

|-

−

| 0x509 || 3 || 0x1800 || 0x1800 || Y || ? || IDPS of unit (console id)

+

| 0x509 || N || 0x1800 || 0x1800 || Y || ? || IDPS of unit (console id)

|-

−

| 0x50A || 3 || 0x1800 || 0x1800 || Y || ? || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.

+

| 0x50A || N || 0x1800 || 0x1800 || Y || ? || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.

|-

−

| 0x50B || 3 || 0x1800 || 0x1800 || Y || ? || From 0xD2 SNVS block 0, 8 bytes

+

| 0x50B || N || 0x1800 || 0x1800 || Y || ? || From 0xD2 SNVS block 0, 8 bytes

|-

−

| 0x50C || 3 || 0x1800 || 0x1800 || Y || ? || Flags. Set to 1 on 1.692 and newer, 0 on older

+

| 0x50C || N || 0x1800 || 0x1800 || Y || ? || Flags. Set to 1 on 1.692 and newer, 0 on older

|-

−

| 0x50D || 3 || 0x1800 || 0x1800 || Y || ? || OpenPSID

+

| 0x50D || N || 0x1800 || 0x1800 || Y || ? || OpenPSID

|-

−

| 0x50E || 3 || 0x1800 || 0x1800 || Y || ? || Current firmware version. Comes from SNVS.

+

| 0x50E || N || 0x1800 || 0x1800 || Y || ? || Current firmware version. Comes from SNVS.

|-

−

| 0x50F || 3 || 0x1800 || 0x1800 || Y || ? || Factory firmware version. Comes from idstorage.

+

| 0x50F || N || 0x1800 || 0x1800 || Y || ? || Factory firmware version. Comes from idstorage.

|-

−

| 0x510 || 3 || 0x1800 || 0x1800 || Y || ? || Some bit flags, comes from syscon cmd 0x90 offset 0xE0

+

| 0x510 || N || 0x1800 || 0x1800 || Y || ? || Some bit flags, comes from syscon cmd 0x90 offset 0xE0

|-

−

| 0x511 || 3 || 0x1800 || 0x1800 || Y || ? || Unique per boot session id, Syscon shared 0xD0 session key

+

| 0x511 || N || 0x1800 || 0x1800 || Y || ? || Unique per boot session id, Syscon shared 0xD0 session key

|-

−

| 0x512 || 7 || 0x1800 || 0x1800 || Y || ? || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.

+

| 0x512 || N || 0x1800 || 0x1800 || Y || ? || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.

|-

−

| 0x513 || 3 || 0x1800 || 0x1800 || Y || ? || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.

+

| 0x513 || N || 0x1800 || 0x1800 || Y || ? || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.

|-

−

| 0x514 || 3 || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.

+

| 0x514 || N || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.

|-

−

| 0x515 || 3 || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.

+

| 0x515 || N || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.

|-

−

| 0x516 || 3 || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.

+

| 0x516 || N || 0x1800 || 0x1800 || Y || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.

|-

−

| 0x517 || 3 || 0x1800 || 0x1800 || Y || ? || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).

+

| 0x517 || N || 0x1800 || 0x1800 || Y || ? || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).

|-

−

| 0x518 || 3 || 0x1800 || 0x1800 || Y || ? || Another current FW version (3.60+?) Comes from SNVS.

+

| 0x518 || N || 0x1800 || 0x1800 || Y || ? || Another current FW version (3.60+?) Comes from SNVS.

|-

−

| 0x519 || 3 || 0x1800 || 0x1800 || Y || ? || 00s

+

| 0x519 || N || 0x1800 || 0x1800 || Y || ? || 00s

|-

−

| 0x51A || 3 || 0x1800 || 0x1800 || Y || ? || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption

+

| 0x51A || N || 0x1800 || 0x1800 || Y || ? || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption

|-

−

| 0x51B || 3 || 0x1800 || 0x1800 || Y || ? || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5

+

| 0x51B || N || 0x1800 || 0x1800 || Y || ? || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5

|-

−

| 0x51C-0x57F || 1 || 0x1800 || 0x0000 || N || ? || ?

+

| 0x51C-0x57F || N || 0x1800 || 0x0000 || N || ? || ?

|-

−

| 0x580-0x5FF || 0 || 0x0000 || 0x0000 || X || ? || Not used

+

| 0x580-0x5FF || X || 0x0000 || 0x0000 || X || ? || Not used

|-

−

| 0x600 || 3 || 0x1000 || 0x1000 || Y || ? || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId

+

| 0x600 || Y || 0x1000 || 0x1000 || Y || ? || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId

|-

| 0x601 || 3 || 0x1000 || 0x1000 || Y || ? || ?

Yifan Lu

Bureaucrats, hacker, Administrators

932

edits

Changes

F00D Key Ring Base (view source)

Revision as of 22:59, 4 October 2018

Navigation menu

Search