ScePfsMgr: Difference between revisions

Module

Libraries

Known NIDs

PFS impl

filedb

unicv (SCEIFTBL)

Types

typedef char[0x10] ScePfsRndDriveId;

typedef struct pmi_blc_subctx {
  pmi_blc_subctx *subctx0;
  pmi_blc_subctx *subctx4;
  SceUInt64 auth_ids[16];
  vfs_block_dev_info block_dev;
  SceUInt32 auth_ids_num;
} pmi_blc_subctx;

union pfs_pmi_buffer_list_ctx_u0 {
  buffer_list *blist;
  int some_flags;
};

typedef struct pfs_pmi_buffer_list_ctx {
    pfs_pmi_buffer_list_ctx_u0 unk_0;
    uint32_t unk_4;
    SceUID ScePfsPmi_mutex_id; // 0x08
    char original_path[0x40];  // 0xC
    
    char rnd_drive_id1[0x22]; // 0x4C - "/%s"
    
    char rnd_drive_id2[0x24];  // 0x6E - "%s0:" - used for pfs_pmi_buffer_list_ctx lookup on mount

    uint16_t mode_index;   // 0x92
    uint16_t crypto_engine_flag; // 0x94 = 0
    
    char klicensee[0x10]; // 0x96
    
    uint16_t key_id;
    uint32_t files_salt;
    uint32_t unk_AC; // = 0
    
    SceUID ScePfsFilesDb_mutex_id; // 0xB0
    
    char unk_data1[0xBC]; // 0xB4
    
    pmi_blc_subctx subctx;
    
    // further fields are unknown
} pfs_pmi_buffer_list_ctx;

typedef struct buffer_list {
    SceUID mutex_id;
    uint32_t unk_4;
    uint32_t unk_8;
    uint32_t unk_C;
    uint32_t unk_10;
    void* blc; // 0x14 - one of versions is pfs_pmi_buffer_list_ctx
} buffer_list;


typedef struct CryptEngineData { // size is 0x60
   uint32_t unk_0;
   uint32_t unk_4;
   uint32_t unk_8;
   uint16_t unk_C;
   uint16_t flag; // 0xE - flag that selects decryption type ?
   
   uint16_t key_id; // 0x10
   uint16_t seed1_base; // iv seed
   
   uint32_t unk_14;
   uint32_t unk_18;
   uint32_t unk_1C;
   
   uint32_t unk_20;
   uint32_t unk_24;
   uint32_t size1;
   char key[0x10]; // 0x2C
   
   char iv_xor_key[0x10]; // 0x3C
   
   char hmac_key[0x14]; // 0x4C
} CryptEngineData;

typedef struct CryptEngineSubctx { // size is 0x58
   uint32_t unk_0;
   uint32_t unk_4;
   uint32_t opt_code; // 0x8 - if 3 then decrypt, if 4 then encrypt, if 2 then encrypt
   CryptEngineData* data; // 0xC
   
   uint32_t unk_10;
   uint32_t source; // 0x14
   uint32_t unk_18;
   uint32_t unk_1C;
   
   uint32_t unk_20;
   uint32_t unk_24;
   uint32_t size2; // 0x28
   uint32_t nDigests; // 0x2C - also digest table index
   
   uint32_t unk_30;
   uint32_t seed0_base; // 0x34
   uint32_t dest_offset; // 0x38
   uint32_t size0; // 0x3C
   
   uint32_t size1;
   uint32_t unk_44;
   uint32_t size3; // 0x48
   char* hmac_sha1_digest; // digest to verify (possibly table)
   
   void* buffer0; // 0x50
   void* buffer1; // 0x54
} CryptEngineSubctx;

typedef struct CryptEngineWorkCtx { // size is 0x18
   void* unk_0; // pointer to data 0x140 + 0x18 ?
   void* unk_4; // pointer to data 0x140 + 0x18 ?
   CryptEngineSubctx* subctx; // 0x8
   uint32_t error; // set to 0 or error code after executing crypto task
   
   SceUID threadId; // Set with sceKernelGetThreadIdForDriver. Used with sceKernelSignalCondToForDriver.
   uint32_t unk_14;
} CryptEngineWorkCtx;

Data segment layout

Decryption process

Crypto engine

ScePfsMgr heavily uses crypto API from SceSblSsMgrForDriver.

There is a separate thread in ScePfsMgr that is called ScePfsCryptEngineThread.

Almost all calls to the crypto API are done from this single thread.

ScePfsMgr uses a crypto task dispatch mechanism based on mutexes and conditions.

It uses a CryptEngineWorkCtx structure for dispatching the task.

Pointer to that structure is written at offset 0x158 of data section (this needs confirmation).

For dispatching the task ScePfsMgr uses subroutine located at offset 0xBD88.

When task is dispatched ScePfsCryptEngineTodoMtx mutex is locked, ScePfsCryptEngineTodoCnd condition is signaled, ScePfsCryptEngineTodoMtx is unlocked.

For waiting till task is completed ScePfsMgr uses subroutine located at offset 0xBEA0.

Then ScePfsCryptEngineDoneMtx mutex is locked, wait happens on ScePfsCryptEngineDoneCnd condition, ScePfsCryptEngineDoneMtx mutex is unlocked.

Meanwhile ScePfsCryptEngineThread runs.

It locks ScePfsCryptEngineTodoMtx mutex, waits for ScePfsCryptEngineTodoCnd condition, unlocks ScePfsCryptEngineTodoMtx mutex.

When task is finished ScePfsCryptEngineThread locks ScePfsCryptEngineDoneCnd mutex, signals ScePfsCryptEngineDoneCnd to specific thread, unlocks ScePfsCryptEngineDoneCnd mutex.

Thread id for signaling ScePfsCryptEngineDoneCnd is stored in CryptEngineWorkCtx.

VFS node functions

Dispatching mechanism is used only by VFS node functions.

Nodes that are used:

• PFS_GDSD_INF
• PFS_AC_INF

Node functions that are used:

• 5 - sceIoReadForDriver
• 6 - sceIoWriteForDriver
• 16 - sceIoChstatForDriver
• 19 - sceIoPreadForDriver
• 20 - sceIoPwriteForDriver
• 26 - sceIoChstatByFdForDriver

Notes

Debug PFS is prohibited on CEX: PFS mounting fails with error code 0x80010016.

ScePfsMgrForKernel

scePfsMountForKernel

int scePfsMountForKernel(const char *path, const ScePfsRndDriveId *rnd_drive_id, SceUInt64 program_authority_id, void *klicensee, SceUInt16 mode_index);

scePfsMount2ForKernel

int scePfsMount2ForKernel(const char *path, const ScePfsRndDriveId *rnd_drive_id, const void *klicensee, uint16_t mode_index);

scePfsUnmountForKernel

int scePfsUnmountForKernel(const ScePfsRndDriveId *rnd_drive_id);

scePfsApproveForKernel

• find pfs_pmi_buffer_list_ctx* by mount_point
• check program authority ID
• set unk_94 flag

int scePfsApproveForKernel(const ScePfsRndDriveId *rnd_drive_id, SceUInt64 program_authority_id);

scePfsDisapproveForKernel

int scePfsDisapproveForKernel(ScePfsRndDriveId *rnd_drive_id, SceUInt64 program_authority_id);

scePfsAcidDirMountForKernel

• open mountpoint/dlc_folder directory
• execute ioctl command 0x4402 with klicensee input
• close mountpoint/dlc_folder directory

int scePfsAcidDirMountForKernel(const char *mountpoint, const char *dlc_folder, const void *klicensee);

scePfsAcidDirUnmountForKernel

• open mountpoint/dlc_folder directory
• execute ioctl command 0x4404
• close mountpoint/dlc_folder directory

int scePfsAcidDirUnmountForKernel(const char *mountpoint, const char *dlc_folder);

scePfsAcidDirApproveForKernel

• open mountpoint/dlc_folder directory
• execute ioctl command 0x4403
• close mountpoint/dlc_folder directory

int scePfsAcidDirApproveForKernel(const char *mountpoint, const char *dlc_folder);

scePfsAcidDirSetForKernel

ScePfsMgrForKernel_27FB7618

Executes 0x4410 command on <device_name>0:. Gets 8 bytes of result.

int ScePfsMgrForKernel_27FB7618(const char *device_name, int *ioctl0_res, int *ioctl1_res);

ScePfsMgrForKernel_806D2EA1

ScePfsMgrForKernel_4C148288

ScePfsMgrForKernel_7E4B76E6

ScePfsMgrForKernel_E9D672AB

ScePfsFacadeForKernel

t_scePfsFacadeReadForDriver

This is a thread callback used by SceIofilemgr

This function is not implemented and throws 0x8014231C error

int t_scePfsFacadeReadForDriver(sceIoReadForDriver_args *args);

t_scePfsFacadeWriteForDriver

This is a thread callback used by SceIofilemgr

int t_scePfsFacadeWriteForDriver(sceIoWriteForDriver_args *args);

t_scePfsFacadePreadForDriver

This is a thread callback used by SceIofilemgr

int t_scePfsFacadePreadForDriver(sceIoPreadForDriver_args *args);

t_scePfsFacadePwriteForDriver

This is a thread callback used by SceIofilemgr

int t_scePfsFacadePwriteForDriver(sceIoPwriteForDriver_args *args);

ScePfsFacadeForKernel_04352D52

ScePfsFacadeForKernel_7F9F4E49