SceSdif: Difference between revisions



== SceSdifForDriver ==
== SceSdifForDriver ==
=== Types ===


<source lang="c">
<source lang="c">

Revision as of 14:41, 11 February 2017

SceSdif is a kernel module that is primarily responsible for communicating with SD devices. This includes the onboard eMMC, the game card MMC and the wi-fi/bluetooth SDIO device. To communicate with a particular device, the SceSdif module uses a device index (sd_ctx_index):

Device Index Type Description
0 MMC onboard eMMC
1 MMC game card
2 SDIO wi-fi/bluetooth

There is one more index value that closely correlates with the device index. It is speculated to be a device type index. It is initialized by the internal subroutine that performs preinitialization (cmd0, cmd8, cmd5_sdio, cmd55, acmd41). The value is typically stored in the sd_context_data structure, in the field dev_type_idx.

Device Type Index Description
0 unknown (invalid ?)
1 MMC
2 SD
3 SDIO

The device type index is validated when a sd_context_part* is acquired through the get_sd_context_part_validate_* functions (get_sd_context_part_validate_mmc, get_sd_context_part_validate_sd, get_sd_context_part_validate_sdio, listed below):


Module

Known NIDs

Version Name World Privilege NID
1.69 SceSdif Non-secure Kernel 0xCA882EE3
3.60 SceSdif ? Kernel 0x2E7C52F7

Libraries

Known NIDs

Version Name World Visibility NID
1.69 SceSdifForDriver Non-secure Kernel 0x96D306FA
3.60 SceSdifForDriver ? Kernel 0x96D306FA

Data segment layout

Address Size Description
0x0000 0x40 sdif_context_general
0x0040 0x24C0 sd_context_global eMMC
0x2500 0x24C0 sd_context_global game card
0x49C0 0x24C0 sd_context_global wlan/bt
0x6E80 0x398 sd_context_part eMMC
0x7218 0x398 sd_context_part game card
0x75B0 0xC0 custom context used in initialize_sd_device (c1271539)
0x7670 0xC0 custom context used in initialize_sd_device (c1271539)
0x7730 0xC0 custom context used in initialize_sd_device (c1271539)
0x77F0 0xD38 custom context used in aabaa0f0
0x8528 0xD38 custom context used in aabaa0f0
0x9260 0x398 sd_context_part wlan/bt
0x95F8 0x888 unknown
0x9E80 0x118 some wlan/bt data

Allocated blocks

During the initialization step the Sdif driver allocates a couple of memory blocks. This happens when the 'module_start' function is called, inside the 'init' function.

There are 2 blocks per device context. Each block is named SceSdif<N>, where N is the array index.

The first block has size 0x1000; its SceUID and void* are stored in sd_context_data for each device context.

The second block has size 0x10000; its SceUID and void* are stored in sd_context_data for each device context.

It is possible that the first block is DMA copied to / from the corresponding SceSdif<N> physical address.

The first memblock appears to be an array of 16 elements of 0x100 bytes each. It is speculated that this memblock is related to the cyclic buffer of 16 commands in sd_context_global.

The layout of a single element is partially known:

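// One element of the 0x1000-byte SceSdif<N> memblock (16 elements of 0x100 bytes each).
// Member names encode their offset within the element (unk_<offset>); explicit
// padding is inserted wherever the known members do not touch, so that each
// member really sits at the offset its name states and sizeof() is 0x100.
// The contents of the padded ranges are not known.
typedef struct memblock_1000_element // size is 0x100
{
   uint32_t unk_0;
   uint16_t unk_4;
   uint16_t unk_6;
   uint32_t unk_8;
   uint16_t unk_C;
   uint16_t unk_E;

   uint32_t unk_10;
   uint32_t unk_14;
   uint32_t unk_18;
   uint32_t unk_1C;

   uint8_t pad_20[0x4];   // unknown
   uint32_t unk_24; //bit 0x10 is insert state, bit 0x13 is ?
   uint8_t unk_28;
   uint8_t unk_29;
   uint8_t unk_2A;
   uint8_t unk_2B;
   uint16_t unk_2C; //used to wait
   uint8_t unk_2E;
   uint8_t unk_2F; //used to wait

   uint16_t unk_30; //used to wait
   uint16_t unk_32; //used to wait
   uint16_t unk_34;
   uint16_t unk_36;
   uint16_t unk_38;
   uint16_t unk_3A;
   uint16_t unk_3C;
   uint8_t pad_3E[0x2];   // unknown

   uint32_t unk_40;
   uint8_t pad_44[0x4];   // unknown
   uint32_t unk_48;
   uint8_t pad_4C[0x8];   // unknown

   uint8_t unk_54;
   uint8_t pad_55[0x3];   // unknown
   uint32_t unk_58;
   uint8_t pad_5C[0x24];  // unknown

   uint16_t unk_80;
   uint8_t pad_82[0x7A];  // unknown

   uint16_t unk_FC;
   uint8_t pad_FE[0x2];   // unknown
}memblock_1000_element;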

SceSdifForDriver

Types


// Output argument of sdstor_copy_ctx (NID 0x23a4ef01). Four 32-bit words, size 0x10.
typedef struct output_23a4ef01
{
    uint32_t unk_0;
    uint32_t unk_4;
    uint32_t unk_8;
    uint32_t unk_C;
} output_23a4ef01;

// Output argument of sdif (NID 0x3df7e207) and sdif_cmd_unk (NID 0xb83f7518).
// Size is 0x28; member names encode their offset.
typedef struct output_24
{
    uint32_t unk_0;
    uint32_t unk_4;
    uint32_t unk_8;
    uint32_t unk_C;
    uint32_t unk_10;
    uint8_t unk_14;  // four single bytes at 0x14..0x17
    uint8_t unk_15;
    uint8_t unk_16;
    uint8_t unk_17;
    uint32_t unk_18;
    uint32_t unk_1C;
    uint32_t unk_20;
    uint32_t unk_24;
} output_24;

// Output argument of sdif (NID 0x76d2b87b). 0xA bytes of members;
// sizeof() is 0xC because of the 4-byte alignment of the uint32_t members.
typedef struct output_76d2b87b
{
    uint32_t unk_0;
    uint32_t unk_4;
    uint16_t unk_8;
} output_76d2b87b;

// Module-wide context, located at offset 0x0000 of the data segment
// (see "Data segment layout"). Sixteen 4-byte members; the stated size of
// 0x40 implies SceUID is 4 bytes wide here.
typedef struct sdif_context_general //size is 0x40
{
    SceUID suspend_callback_id;
    uint32_t max_array_index; //typically 3 -- presumably the number of device contexts (sd_ctx_index 0..2); verify
    uint32_t unk_8;
    uint32_t unk_C; 

    uint32_t unk_10;
    uint32_t unk_14;
    uint32_t unk_18;
    uint32_t unk_1C; 

    uint32_t unk_20;
    uint32_t unk_24;
    uint32_t unk_28;
    uint32_t unk_2C; 

    uint32_t unk_30;
    uint32_t unk_34;
    uint32_t unk_38;
    uint32_t unk_3C; 
}sdif_context_general;

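// One SD command slot; sd_context_global holds an array of 16 of these.
// Member names encode their offset within the structure. The offsets and the
// stated total of 0x240 assume 4-byte pointers (the target is 32-bit); on a
// 64-bit host only the members before the first pointer keep these offsets.
// The trailing //1, //2, //3 markers appear to pair each vaddr_* with a paddr_*
// (1: vaddr_1C0/paddr_1A8, 2: vaddr_200/paddr_1AC, 3: vaddr_80/paddr_184);
// that pairing is inferred from the names only.
// Fix: the original declared two members named `size` (offsets 0x0 and 0x24),
// which is not valid C; the 16-bit one at 0x24 is now `buffer_size`.
typedef struct cmd_input // size is 0x240
{
   uint32_t size; // 0x240 (size of this structure)
   uint32_t unk_4;
   uint32_t command;
   uint32_t argument;

   uint32_t unk_10;
   uint32_t unk_14;
   uint32_t unk_18;
   uint32_t unk_1C;

   void* buffer;         // 0x20: cmd data buffer ptr
   uint16_t buffer_size; // 0x24: cmd buffer size
   uint16_t flags;       // 0x26: unknown
   uint32_t unk_28;
   uint32_t unk_2C;

   uint8_t data0[0x30];  // 0x30..0x5F

   struct cmd_input* next_cmd; // 0x60
   uint32_t unk_64;
   uint32_t array_index;       // 0x68
   uint32_t unk_6C;

   uint32_t unk_70;
   uint32_t unk_74;
   struct sd_context_global* gctx_ptr; // 0x78: owning global context
   uint32_t unk_7C;

   void* vaddr_80; //3
   uint32_t unk_84;
   uint32_t unk_88;
   uint32_t unk_8C;

   uint8_t data1[0xF0];  // 0x90..0x17F

   uint32_t unk_180;
   void* paddr_184; //3
   uint32_t unk_188;
   uint32_t unk_18C;

   uint32_t unk_190;
   uint32_t unk_194;
   uint32_t unk_198;
   uint32_t unk_19C;

   uint32_t unk_1A0;
   uint32_t unk_1A4;
   void* paddr_1A8; //1
   void* paddr_1AC; //2

   uint32_t unk_1B0;
   uint32_t unk_1B4;
   uint32_t unk_1B8;
   uint32_t unk_1BC;

   void* vaddr_1C0; //1
   uint32_t unk_1C4;
   uint32_t unk_1C8;
   uint32_t unk_1CC;

   uint8_t data2[0x30];  // 0x1D0..0x1FF

   void* vaddr_200; //2
   uint32_t unk_204;
   uint32_t unk_208;
   uint32_t unk_20C;

   uint8_t data3[0x30];  // 0x210..0x23F
} cmd_input;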

// Per-device bookkeeping, stored right after the 16 command slots inside
// sd_context_global (16 * 0x240 = 0x2400), so this structure starts at
// offset 0x2400 of the global context. Member names encode their offset
// within this structure; the stated size of 0xC0 implies 4-byte pointers
// and a 4-byte SceUID.
typedef struct sd_context_data // size is 0xC0
{
    struct cmd_input* cmd_ptr;
    struct cmd_input* cmd_ptr_next;
    uint32_t unk_8;
    uint32_t unk_C;
    
    uint32_t dev_type_idx; // (1,2,3) device type index: 1 MMC, 2 SD, 3 SDIO (0 = unknown/invalid?)
    struct sd_context_part* ctx;
    uint32_t unk_18;
    uint32_t unk_1C;

    uint32_t array_idx; // (0,1,2) device index (sd_ctx_index): 0 eMMC, 1 game card, 2 wi-fi/bluetooth
    uint32_t unk_24;
    uint32_t unk_28;
    uint32_t unk_2C;

    void* membase_1000; // membase of SceSdif (0,1,2) memblock of size 0x1000
    uint32_t unk_34;
    uint32_t unk_38;
    SceUID uid_1000; // UID of SceSdif (0,1,2) memblock of size 0x1000

    uint32_t unk_40; // SceKernelThreadMgr related, probably UID for SceSdif (0,1,2)
    uint32_t unk_44;
    uint32_t unk_48;
    uint32_t unk_4C;

    uint32_t unk_50;
    uint32_t unk_54;
    uint32_t unk_58;
    uint32_t unk_5C;

    uint32_t unk_60;
    uint32_t unk_64;
    uint32_t unk_68;
    uint32_t unk_6C;

    uint32_t unk_70;
    uint32_t unk_74;
    uint32_t unk_78;
    uint32_t unk_7C;      

    //it looks like this chunk is separate structure since offset 0x2480 is used too often
    // (0x2480 = 0x2400 + 0x80, i.e. unk_80 below when addressed from sd_context_global)

    uint32_t unk_80;
    SceUID uid_10000; // UID of SceSdif (0,1,2) memblock of size 0x10000
    void* membase_10000; // membase of SceSdif (0,1,2) memblock of size 0x10000
    uint32_t unk_8C;

    uint32_t unk_90;
    int lockable_int; // name suggests a lock/serialization word; actual use not shown here -- verify
    uint32_t unk_98;
    uint32_t unk_9C;

    uint32_t unk_A0;
    uint32_t unk_A4;
    uint32_t unk_A8;
    uint32_t unk_AC;

    uint32_t unk_B0;
    uint32_t unk_B4;
    uint32_t unk_B8;
    uint32_t unk_BC;
} sd_context_data;

// Per-device context handed out to callers (eMMC at data segment 0x6E80,
// game card at 0x7218, wlan/bt at 0x9260). Obtained through the
// get_sd_context_part_validate_* functions, which check the device type index
// first. The stated size of 0x398 implies 4-byte pointers.
typedef struct sd_context_part // size is 0x398
{
   struct sd_context_global* gctx_ptr; // back-pointer to the owning global context
   uint32_t unk_4;
   uint32_t size; //cmd buffer size   
   
   uint8_t data[0x384]; // 0xC..0x38F, layout unknown
   
   void* unk_390;
   uint32_t unk_394;
} sd_context_part;

// Global context of one device; one instance per sd_ctx_index in the data
// segment (eMMC at 0x0040, game card at 0x2500, wlan/bt at 0x49C0).
// Size is 16 * 0x240 + 0xC0 = 0x24C0, so ctx_data begins at offset 0x2400.
typedef struct sd_context_global // size is 0x24C0
{
    struct cmd_input commands[16]; // speculated to be a cyclic buffer of 16 commands
    struct sd_context_data ctx_data; // offset 0x2400
} sd_context_global;

module_start

Version NID
3.60 0x935cd196
int module_start();

init

Version NID
3.60 0x0eb0ef86
int init();

deinit

Version NID
3.60 0xe5e5f42e
int deinit();

return_error

Version NID
3.60 0x235ad556
int return_error();

enable_slow_mode

Version NID
3.60 0xf37cf8e5
int enable_slow_mode();

get_card_insert_state1

Version NID
3.60 0x36a2b01b
int get_card_insert_state1(int sd_ctx_index);

get_card_insert_state2

Version NID
3.60 0xfd9e5cfa
int get_card_insert_state2(int sd_ctx_index);

gc_cmd56_response

Version NID
3.60 0x134e06c4
int gc_cmd56_response(sd_context_part* ctx, char* buffer, int length);

gc_cmd56_request

Version NID
3.60 0xb0996641
int gc_cmd56_request(sd_context_part* ctx, char* buffer, int length);

get_sd_context_global

Version NID
3.60 0xdc8f52f8
sd_context_global* get_sd_context_global(int sd_ctx_index);

get_sd_context_part_validate_mmc

Version NID
3.60 0x6a71987f
sd_context_part* get_sd_context_part_validate_mmc(int sd_ctx_index);

get_sd_context_part_validate_sd

Version NID
3.60 0xb9ea5b1e
sd_context_part* get_sd_context_part_validate_sd(int sd_ctx_index);

get_sd_context_part_validate_sdio

Version NID
3.60 0x6a8235fc
sd_context_part* get_sd_context_part_validate_sdio(int sd_ctx_index);

initialize_mmc_device

Version NID
3.60 0x22c82e79

This function only initializes devices with sd_ctx_index 0 or 1; for any other sd_ctx_index it returns 0x80320013.

It is confirmed that this function sends the sequence of commands that corresponds to the MMC initialization protocol.

int initialize_mmc_device(int sd_ctx_index, sd_context_part** result);

wlan_bt_cmd52_sdio

Version NID
3.60 0x3428884d
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0xe80293ef
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0xd0f78d9b
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx, int num0, int num1, void* unk2, int num3);

wlan_bt_cmd52_sdio

Version NID
3.60 0x3c4cdc8b
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx, int num0, int num1, void* unk2, int num3);

wlan_bt_cmd52_sdio

Version NID
3.60 0x733bc373
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx, int num);

wlan_bt_cmd52_sdio

Version NID
3.60 0xdece963b
int wlan_bt_cmd52_sdio(sd_context_part* ctx, int num0, int num1, void* unk2);

wlan_bt_cmd52_sdio

Version NID
3.60 0x5d65e66b
int wlan_bt_cmd52_sdio(sd_context_part* ctx, int num0, int num1, void* unk2);

wlan_bt_cmd52_sdio

Version NID
3.60 0xbc45c83d
int wlan_bt_cmd52_sdio(sd_context_part* ctx, int num);

wlan_bt_initialize_custom_context2

Version NID
3.60 0xaabaa0f0

This function can send these commands: cmd3, cmd52_sdio, cmd0, cmd5_sdio, cmd55, acmd41, cmd7, cmd8.

This function uses an array of 2 custom contexts.

This function can either set the device type index to 3 and use a custom context for initialization, or it can run the preinitialization (cmd0, cmd8, cmd5_sdio, cmd55, acmd41) and then check that the device type index is 3.

If the device type index is not 3, the 0x80320017 error is returned.

int wlan_bt_initialize_custom_context2(int sd_ctx_index, sd_context_part** ctx);

wlan_bt

Version NID
3.60 0x855c95e1
int wlan_bt(wlan_context* wlan_ctx, void* unk0, void* unk1);

wlan_bt

Version NID
3.60 0x0c66e36f
int wlan_bt(sd_context_part* ctx, void* unk0);

wlan_bt_cmd7

Version NID
3.60 0xab0222f2
int wlan_bt_cmd7(sd_context_part* ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0x55baeb2d
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0xfe6f3e7b
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0xf1a24edd
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0x1847b18c
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx);

wlan_bt_cmd52_sdio

Version NID
3.60 0xd3c1e2b6
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx, int unk0, int unk1, int unk2);

wlan_bt_cmd52_sdio

Version NID
3.60 0x5bac6e70
int wlan_bt_cmd52_sdio(wlan_context* wlan_ctx, int unk0, int unk1, int unk2);

wlan_bt_cmd52_sdio

Version NID
3.60 0x01e8eb6c
int wlan_bt_cmd52_sdio(sd_context_part* ctx, char* output, int destLength_100);

wlan_bt_cmd52_sdio

Version NID
3.60 0x763f1075
int wlan_bt_cmd52_sdio(sd_context_part* ctx);

wlan_bt_initialize_custom_context1

Version NID
3.60 0x53962379

This function is just a wrapper for wlan_bt_initialize_custom_context2 (aabaa0f0).

int wlan_bt_initialize_custom_context1(int sd_ctx_index);

wlan_bt_cmd0

Version NID
3.60 0x3b6ab29e
int wlan_bt_cmd0(wlan_context* wlan_ctx, void* unk0, int* result);

wlan_bt_cmd0_cmd52_sdio

Version NID
3.60 0x180e7395
int wlan_bt_cmd0_cmd52_sdio(wlan_context* wlan_ctx, char* output, int destLength_100);

wlan_bt

Version NID
3.60 0x0f157f49
int wlan_bt(wlan_context* wlan_ctx);

wlan_bt

Version NID
3.60 0x849e3216
int wlan_bt(wlan_context* wlan_ctx);

wlan_bt

Version NID
3.60 0xb05eff68
int wlan_bt(wlan_context *wlan_ctx, int unk0);

sdstor_read_sector_async

Version NID
3.60 0x6f8d529b
int sdstor_read_sector_async(sd_context_part* ctx, int sector, char* buffer, int nSectors);

sdstor_read_sector

Version NID
3.60 0xb9593652
int sdstor_read_sector(sd_context_part* ctx, int sector, char* buffer, int nSectors);

sdstor_write_sector_async

Version NID
3.60 0x175543d2
int sdstor_write_sector_async(sd_context_part* ctx, int sector, char* buffer, int nSectors);

sdstor_write_sector

Version NID
3.60 0xe0781171
int sdstor_write_sector(sd_context_part* ctx, int sector, char* buffer, int nSectors);

sdstor_copy_ctx

Version NID
3.60 0x23a4ef01
int sdstor_copy_ctx(sd_context_part* ctx, output_23a4ef01* unk0);

sdstor_cmd0_cmd13

Version NID
3.60 0x6cc8e28d
int sdstor_cmd0_cmd13(int sd_ctx_index);

sdstor_cmd32_cmd33_cmd38_sdio

Version NID
3.60 0x35ba9df8
int sdstor_cmd32_cmd33_cmd38_sdio(int sd_ctx_index, int unk0);

initialize_sd_device

Version NID
3.60 0xc1271539

It is confirmed that this function sends the sequence of commands that corresponds to the SD initialization protocol.

These commands include: cmd0, cmd8, cmd5_sdio, cmd2, cmd3, cmd6, cmd9, cmd7, cmd16.

Some paired commands: (cmd55, acmd41), (cmd55, acmd42), (cmd55, acmd13), (cmd55, acmd51).

There are a couple of special points:

  • it does not validate the sd_ctx_index argument (unlike initialize_mmc_device, which rejects any index other than 0 and 1), so the caller must ensure the index is valid before calling it.
  • it uses an array of 3 custom contexts instead of sd_context_part structures.
  • it checks the device type index after preinitialization (cmd0, cmd8, cmd5_sdio, cmd55, acmd41).
  • it only initializes a device with device type index 2; otherwise the 0x80320017 error is returned.
int initialize_sd_device(int sd_ctx_index, int* result);

sdstor_cmd6_cmd30

Version NID
3.60 0x995748ea
int sdstor_cmd6_cmd30(sd_context_part *input, int unk0, int unk1, void *unk2);

sdstor

Version NID
3.60 0xe091ba2e
int sdstor(sd_context_part* unk, int unk0, int unk1, int* unk2);

sdif_write

Version NID
3.60 0x60642f49
int sdif_write(sd_context_part *ctx, int unk0, int unk1);

sdif_write

Version NID
3.60 0x0203ecdc
int sdif_write(sd_context_part *ctx, int unk0, int unk1);

sdif

Version NID
3.60 0x29a71e7f
int sdif();

sdif_cmd0_cmd13

Version NID
3.60 0x53518827
int sdif_cmd0_cmd13(sd_context_global *ctx, int *result);

sdif_cmd0

Version NID
3.60 0x475d8e45
int sdif_cmd0(int sd_ctx_index);

sdif

Version NID
3.60 0x3df7e207
int sdif(int sd_ctx_index, output_24* result);

sdif

Version NID
3.60 0x76d2b87b
int sdif(int sd_ctx_index, output_76d2b87b* result);

sdif_cmd_unk

Version NID
3.60 0xb83f7518
int sdif_cmd_unk(int sd_ctx_index, output_24* result);

sdif_cmd0_cmd16

Version NID
3.60 0xb32776c7
int sdif_cmd0_cmd16(sd_context_part* ctx, int num_200);

sdif_cmd0_cmd16

Version NID
3.60 0xaf702fe7
int sdif_cmd0_cmd16(sd_context_part* ctx, int num_200);