SceSblSsSmComm: Difference between revisions
(→Module) |
|||
(16 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
SceSblSsSmComm is a kernel module that is primarily responsible for calling [[ | SceSblSsSmComm is a kernel module that is primarily responsible for calling [[Secure_Modules|Secure Modules]] functions. | ||
== Module == | == Module == | ||
Line 7: | Line 7: | ||
! Version !! World !! Privilege | ! Version !! World !! Privilege | ||
|- | |- | ||
| 0.931-3. | | 0.931.010-3.740.011 || Non-secure || Kernel | ||
|} | |} | ||
Line 18: | Line 18: | ||
! Version !! Name !! World !! Visibility !! NID | ! Version !! Name !! World !! Visibility !! NID | ||
|- | |- | ||
| 0.931-3. | | 0.931.010-3.740.011 || [[SceSblSsSmComm#SceSblSmCommForKernel|SceSblSmCommForKernel]] || Non-secure || Kernel || 0xCD3C89B6 | ||
|- | |- | ||
| 0.931-1. | | 0.931.010-1.692.000 || [[SceSblSsSmComm#SceSblSsSmComm|SceSblSsSmComm]] || Non-secure || User || 0xD8DC7847 | ||
|- | |||
| 1.800.071-3.740.011 || [[SceSblSsSmComm#SceSblSsSmComm|SceSblSsSmComm]] || Non-secure || User || not present | |||
|} | |} | ||
Line 49: | Line 51: | ||
}; */ | }; */ | ||
typedef struct SceSelfAuthInfo { // size is 0x90 on FWs 0.931.010-3.740.011 | |||
typedef struct SceSelfAuthInfo { // size is 0x90 on FWs 0.931-3. | |||
SceUInt64 program_authority_id; | SceUInt64 program_authority_id; | ||
uint8_t padding[8]; | uint8_t padding[8]; | ||
uint8_t capability[0x20]; | uint8_t capability[0x20]; | ||
uint8_t attribute[0x20]; | uint8_t attribute[0x20]; | ||
SceSharedSecret | SceSharedSecret shared_secret; // current hypothesis of SceSharedSecret is full (0x40 bytes) shared_secret overwritten with klicensee at offset 0x10 | ||
} SceSelfAuthInfo; | } SceSelfAuthInfo; | ||
typedef struct SceSblSmCommContext130 { // size is 0x130 on FWs 0.931-3. | typedef struct SceSblSmCommContext130 { // size is 0x130 on FWs 0.931.010-3.740.011 (as its name indicates) | ||
SceUInt32 unk_0; | SceUInt32 unk_0; | ||
SceUInt32 self_type; // kernel = 0, user = 1, SM = 2, 0x10, 0x100, ?0x10001 main user process? | SceUInt32 self_type; // kernel = 0, user = 1, SM = 2, 0x10, 0x100, ?0x10001 main user process? | ||
SceSelfAuthInfo spawner_self_auth_info; // can be obtained with sceKernelGetSelfAuthInfoForKernel | SceSelfAuthInfo spawner_self_auth_info; // can be obtained with sceKernelGetSelfAuthInfoForKernel | ||
SceSelfAuthInfo spawned_self_auth_info; // set by | SceSelfAuthInfo spawned_self_auth_info; // set by secure_kernel in response SceSblSmCommContext130 | ||
SceUInt32 media_type; // can be obtained with sceSblACMgrGetMediaTypeForKernel or sceIoGetMediaTypeForDriver | SceUInt32 media_type; // can be obtained with sceSblACMgrGetMediaTypeForKernel or sceIoGetMediaTypeForDriver | ||
SceUInt32 | SceUInt32 unk_0x12C; // if (kbl_param->boot_type_indicator_1????? & 0x40) == 1, then set unk_0x12C to 1, else set to 10, ?mistook with media_type? | ||
} SceSblSmCommContext130; | } SceSblSmCommContext130; | ||
</source> | </source> | ||
Line 87: | Line 71: | ||
== SceSblSmCommForKernel == | == SceSblSmCommForKernel == | ||
=== | === sceSblSmCommCallFunc_ForKernel === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-3. | | 0.931.010-1.03 || 0x4960DF9E | ||
|- | |||
| 1.692.000-3.740.011 || not present | |||
|} | |} | ||
This function | This function is just a 4-argument wrapper for [[#sceSblSmCommCallFuncForKernel]]. | ||
<source lang="c"> | |||
typedef struct sceSblSmCommCallFunc_Param { | |||
void *pData; | |||
SceSize dataSize; | |||
} sceSblSmCommCallFunc_Param; | |||
int sceSblSmCommCallFunc_ForKernel(SceSmSchedRequestId req_id, SceUInt32 func_id, SceUInt32 *pResponse, sceSblSmCommCallFunc_Param *pParam); | |||
</source> | |||
=== | === sceSblSmCommStopCommForKernel === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 3. | | 0.931.010-1.03 || 0xC35FB95A | ||
|- | |||
| 1.692.000-3.740.011 || not present | |||
|} | |} | ||
<source lang=" | <source lang="C">int sceSblSmCommStopCommForKernel(SceSmSchedRequestId req_id);</source> | ||
=== sceSblSmCommStartSmForKernel === | === sceSblSmCommStartSmForKernel === | ||
Line 114: | Line 109: | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-3. | | 0.931.010-1.03 || 0x7863A0CC | ||
|- | |||
| 1.692.000-1.810.021 || not present | |||
|- | |||
| 2.000.081-3.740.011 || 0x7863A0CC | |||
|} | |} | ||
Priority is binary: 1 = low, 0 = high. Running a high priority SM while a low priority one is currently running will [[ | Priority is binary: 1 = low, 0 = high. Running a high priority SM while a low priority one is currently running will [[CMeP#Protocol|suspend]] the low one. | ||
<source lang="c">int sceSblSmCommStartSmForKernel(SceBool priority, | The following conditions must be met in order for this function to be called successfully: | ||
- In kernel thread. | |||
- In kernel context. | |||
Calling a function without satisfying the conditions freezes the system. | |||
<source lang="c">int sceSblSmCommStartSmForKernel(SceBool priority, const char *sm_self_path, SceSblSmCommContext130 *ctx_130, SceSmSchedRequestId *req_id);</source> | |||
=== sceSblSmCommStartSm_ForKernel === | === sceSblSmCommStartSm_ForKernel === | ||
Line 126: | Line 131: | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-1. | | 0.931.010-1.800.071 || 0x992BB9DB | ||
|- | |||
| 2.000.081-3.740.011 || not present | |||
|} | |} | ||
<source lang="c">int sceSblSmCommStartSm_ForKernel(SceBool priority, const char *path, SceBool some_bool, int unk_a4, int unk_a5, int unk_a6, SceSblSmCommContext130 *pCtx, SceSmSchedRequestId *pReqId);</source> | <source lang="c">int sceSblSmCommStartSm_ForKernel(SceBool priority, const char *path, SceBool some_bool, int unk_a4, int unk_a5, int unk_a6, SceSblSmCommContext130 *pCtx, SceSmSchedRequestId *pReqId);</source> | ||
=== sceSblSmCommStartSmFromDataForKernel === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 0.931.010-1.800.071 || not present | |||
|- | |||
| 3.600.011-3.740.011 || 0x039C73B1 | |||
|} | |||
<source lang="c">int sceSblSmCommStartSmFromDataForKernel(SceBool priority, const void *sm_self, SceSize sm_self_size, int cmd_id, SceSblSmCommContext130 *ctx_130, SceSmSchedRequestId *req_id);</source> | |||
=== sceSblSmCommCallFuncForKernel === | === sceSblSmCommCallFuncForKernel === | ||
Line 135: | Line 154: | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-3. | | 0.931.010-3.740.011 || 0xDB9FC204 | ||
|} | |} | ||
<source lang="c">int sceSblSmCommCallFuncForKernel(SceSmSchedRequestId req_id, SceUInt32 func_id, SceUInt32 *pResponse, void *pData, SceSize dataSize);</source> | <source lang="c">int sceSblSmCommCallFuncForKernel(SceSmSchedRequestId req_id, SceUInt32 func_id, SceUInt32 *pResponse, void *pData, SceSize dataSize);</source> | ||
=== | === sceSblSmCommStopSmForKernel === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931 || | | 0.931.010-3.740.011 || 0x0631F8ED | ||
|} | |} | ||
<source lang="c"> | This function calls [[SceSblSsSmComm#sceSblSmCommCallFuncForKernel|sceSblSmCommCallFuncForKernel]] with <code>-1 (0xFFFFFFFF)</code> as <code>func_id</code> and then calls [[SceSblSmschedProxy#sceSblSmSchedProxyWaitForKernel|sceSblSmSchedProxyWaitForKernel]]. | ||
<source lang="c">int sceSblSmCommStopSmForKernel(SceSmSchedRequestId req_id, status_handler *pStatusHandler);</source> | |||
== SceSblSsSmComm == | |||
This library is present up to and including System Software version 1.692.000, then removed since System Software version 1.800.071 for security reasons. | |||
=== | === sceSblSmCommStartSm === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931 || | | 0.931.010-1.000.041 || 0x7863A0CC | ||
|- | |||
| 1.692.000-3.740.011 || not present | |||
|} | |} | ||
Alias for [[#sceSblSmCommStartSmForKernel]]. | |||
== | === sceSblSmCommCallFunc_ === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-1. | | 0.931.010-1.000.041 || 0x4960DF9E | ||
|- | |||
| 1.692.000-3.740.011 || not present | |||
|} | |} | ||
=== | Alias for [[#sceSblSmCommCallFunc_ForKernel]]. | ||
=== sceSblSmCommStopComm === | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931 || | | 0.931.010-1.000.041 || 0xC35FB95A | ||
|- | |||
| 1.692.000-3.740.011 || not present | |||
|} | |} | ||
Alias for [[#sceSblSmCommStopCommForKernel]]. | |||
=== sceSblSmCommStartSm_ === | === sceSblSmCommStartSm_ === | ||
Line 192: | Line 216: | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-1. | | 0.931.010-1.692.000 || 0x992BB9DB | ||
|- | |||
| 1.800.071-3.740.011 || not present | |||
|} | |} | ||
Alias for [[#sceSblSmCommStartSm_ForKernel]]. | |||
=== sceSblSmCommCallFunc === | === sceSblSmCommCallFunc === | ||
Line 199: | Line 227: | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931 || 0xDB9FC204 | | 0.931.010-1.692.000 || 0xDB9FC204 | ||
|- | |||
| 1.800.071-3.740.011 || not present | |||
|} | |} | ||
=== | Alias for [[#sceSblSmCommCallFuncForKernel]]. | ||
=== sceSblSmCommStopSm === | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version !! NID | ! Version !! NID | ||
|- | |- | ||
| 0.931-1. | | 0.931.010-1.692.000 || 0x0631F8ED | ||
|- | |||
| 1.800.071-3.740.011 || not present | |||
|} | |} | ||
=== | Alias for [[#sceSblSmCommStopSmForKernel]]. | ||
== Changelog == | |||
Between 1.000.041 and 1.692.000 (to precise): many exported functions were removed. These functions were exported both to usermode and to kernel. | |||
Between 1.692.000 and 1.800.071: the usermode library SceSblSsSmComm was removed. It should not have been exported to usermode for two security reasons: firstly SM communication should not be handled by usermode programs, secondly these exported functions were pointing to their kernel equivalent without any check on input addresses. | |||
Between 1.800.071 and 2.500.071 (to precise): sceSblSmCommStartSm_ForKernel was replaced by two functions: sceSblSmCommStartSmForKernel (same name as in 0.931.010) that has the same features and sceSblSmCommStartSmFromDataForKernel that loads a SM from a buffer instead of a file. | |||
== Obfuscated names == | |||
Since some System Software version between 1.000.041 and 1.692.000 (to precise), the module is compiled with a MACRO that converts some object names to obfuscated names. The algorithm is obfuscated_name = "SceSblSmComm" + hash(real_name) where hash is an unknown function. | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! | ! Real name !! Hash of real name !! Obfuscated name !! Comments | ||
|- | |||
| SceSblSmComm || 0xB639DB03 || SceSblSmCommB639DB03 || event flag | |||
|- | |||
| SceSblSmCommMutex || 0xAB75E2BE || SceSblSmCommAB75E2BE || fast mutex | |||
|- | |||
| SceSblSmCommSema (guessed name) || 0x62970C2D || SceSblSmComm62970c2d || sema (not present on <=1.000.041) | |||
|- | |||
| SceSblSmCommReadBuff || 0x8D26C678 || SceSblSmComm8D26C678 || memblock | |||
|- | |- | ||
| | | SceSblCmCommBuff || 0x7EB92BED || SceSblSmComm7EB92BED || memblock | ||
|} | |} | ||
[[Category:ARM]] | |||
[[Category:Kernel]] | |||
[[Category:Modules]] | [[Category:Modules]] | ||
[[Category: | [[Category:Library]] |
Latest revision as of 15:37, 27 August 2023
SceSblSsSmComm is a kernel module that is primarily responsible for calling Secure Modules functions.
Module
Version | World | Privilege |
---|---|---|
0.931.010-3.740.011 | Non-secure | Kernel |
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
0.931.010-3.740.011 | SceSblSmCommForKernel | Non-secure | Kernel | 0xCD3C89B6 |
0.931.010-1.692.000 | SceSblSsSmComm | Non-secure | User | 0xD8DC7847 |
1.800.071-3.740.011 | SceSblSsSmComm | Non-secure | User | not present |
Types
/* example of spawner_self_auth_info char data[0x90] = { 0x01,0x00,0x00,0x00, 0x00,0x00,0x08,0x28, // KBL program-authority-id 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x80,0x00,0x00,0x00, 0xC0,0x00,0xF0,0x00, // KBL capability 0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x80,0x09,0x80,0x03, 0x00,0x00,0xC3,0x00, // KBL attribute 0x00,0x00,0x80,0x09, 0x80,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, // KBL shared secret 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, }; */ typedef struct SceSelfAuthInfo { // size is 0x90 on FWs 0.931.010-3.740.011 SceUInt64 program_authority_id; uint8_t padding[8]; uint8_t capability[0x20]; uint8_t attribute[0x20]; SceSharedSecret shared_secret; // current hypothesis of SceSharedSecret is full (0x40 bytes) shared_secret overwritten with klicensee at offset 0x10 } SceSelfAuthInfo; typedef struct SceSblSmCommContext130 { // size is 0x130 on FWs 0.931.010-3.740.011 (as its name indicates) SceUInt32 unk_0; SceUInt32 self_type; // kernel = 0, user = 1, SM = 2, 0x10, 0x100, ?0x10001 main user process? SceSelfAuthInfo spawner_self_auth_info; // can be obtained with sceKernelGetSelfAuthInfoForKernel SceSelfAuthInfo spawned_self_auth_info; // set by secure_kernel in response SceSblSmCommContext130 SceUInt32 media_type; // can be obtained with sceSblACMgrGetMediaTypeForKernel or sceIoGetMediaTypeForDriver SceUInt32 unk_0x12C; // if (kbl_param->boot_type_indicator_1????? & 0x40) == 1, then set unk_0x12C to 1, else set to 10, ?mistook with media_type? } SceSblSmCommContext130;
SceSblSmCommForKernel
sceSblSmCommCallFunc_ForKernel
Version | NID |
---|---|
0.931.010-1.03 | 0x4960DF9E |
1.692.000-3.740.011 | not present |
This function is just a 4-argument wrapper for #sceSblSmCommCallFuncForKernel.
typedef struct sceSblSmCommCallFunc_Param { void *pData; SceSize dataSize; } sceSblSmCommCallFunc_Param; int sceSblSmCommCallFunc_ForKernel(SceSmSchedRequestId req_id, SceUInt32 func_id, SceUInt32 *pResponse, sceSblSmCommCallFunc_Param *pParam);
sceSblSmCommStopCommForKernel
Version | NID |
---|---|
0.931.010-1.03 | 0xC35FB95A |
1.692.000-3.740.011 | not present |
int sceSblSmCommStopCommForKernel(SceSmSchedRequestId req_id);
sceSblSmCommStartSmForKernel
Version | NID |
---|---|
0.931.010-1.03 | 0x7863A0CC |
1.692.000-1.810.021 | not present |
2.000.081-3.740.011 | 0x7863A0CC |
Priority is binary: 1 = low, 0 = high. Running a high priority SM while a low priority one is currently running will suspend the low one.
The following conditions must be met in order for this function to be called successfully: - In kernel thread. - In kernel context.
Calling a function without satisfying the conditions freezes the system.
int sceSblSmCommStartSmForKernel(SceBool priority, const char *sm_self_path, SceSblSmCommContext130 *ctx_130, SceSmSchedRequestId *req_id);
sceSblSmCommStartSm_ForKernel
Version | NID |
---|---|
0.931.010-1.800.071 | 0x992BB9DB |
2.000.081-3.740.011 | not present |
int sceSblSmCommStartSm_ForKernel(SceBool priority, const char *path, SceBool some_bool, int unk_a4, int unk_a5, int unk_a6, SceSblSmCommContext130 *pCtx, SceSmSchedRequestId *pReqId);
sceSblSmCommStartSmFromDataForKernel
Version | NID |
---|---|
0.931.010-1.800.071 | not present |
3.600.011-3.740.011 | 0x039C73B1 |
int sceSblSmCommStartSmFromDataForKernel(SceBool priority, const void *sm_self, SceSize sm_self_size, int cmd_id, SceSblSmCommContext130 *ctx_130, SceSmSchedRequestId *req_id);
sceSblSmCommCallFuncForKernel
Version | NID |
---|---|
0.931.010-3.740.011 | 0xDB9FC204 |
int sceSblSmCommCallFuncForKernel(SceSmSchedRequestId req_id, SceUInt32 func_id, SceUInt32 *pResponse, void *pData, SceSize dataSize);
sceSblSmCommStopSmForKernel
Version | NID |
---|---|
0.931.010-3.740.011 | 0x0631F8ED |
This function calls sceSblSmCommCallFuncForKernel with -1 (0xFFFFFFFF)
as func_id
and then calls sceSblSmSchedProxyWaitForKernel.
int sceSblSmCommStopSmForKernel(SceSmSchedRequestId req_id, status_handler *pStatusHandler);
SceSblSsSmComm
This library is present up to and including System Software version 1.692.000, then removed since System Software version 1.800.071 for security reasons.
sceSblSmCommStartSm
Version | NID |
---|---|
0.931.010-1.000.041 | 0x7863A0CC |
1.692.000-3.740.011 | not present |
Alias for #sceSblSmCommStartSmForKernel.
sceSblSmCommCallFunc_
Version | NID |
---|---|
0.931.010-1.000.041 | 0x4960DF9E |
1.692.000-3.740.011 | not present |
Alias for #sceSblSmCommCallFunc_ForKernel.
sceSblSmCommStopComm
Version | NID |
---|---|
0.931.010-1.000.041 | 0xC35FB95A |
1.692.000-3.740.011 | not present |
Alias for #sceSblSmCommStopCommForKernel.
sceSblSmCommStartSm_
Version | NID |
---|---|
0.931.010-1.692.000 | 0x992BB9DB |
1.800.071-3.740.011 | not present |
Alias for #sceSblSmCommStartSm_ForKernel.
sceSblSmCommCallFunc
Version | NID |
---|---|
0.931.010-1.692.000 | 0xDB9FC204 |
1.800.071-3.740.011 | not present |
Alias for #sceSblSmCommCallFuncForKernel.
sceSblSmCommStopSm
Version | NID |
---|---|
0.931.010-1.692.000 | 0x0631F8ED |
1.800.071-3.740.011 | not present |
Alias for #sceSblSmCommStopSmForKernel.
Changelog
Between 1.000.041 and 1.692.000 (to precise): many exported functions were removed. These functions were exported both to usermode and to kernel.
Between 1.692.000 and 1.800.071: the usermode library SceSblSsSmComm was removed. It should not have been exported to usermode for two security reasons: firstly SM communication should not be handled by usermode programs, secondly these exported functions were pointing to their kernel equivalent without any check on input addresses.
Between 1.800.071 and 2.500.071 (to precise): sceSblSmCommStartSm_ForKernel was replaced by two functions: sceSblSmCommStartSmForKernel (same name as in 0.931.010) that has the same features and sceSblSmCommStartSmFromDataForKernel that loads a SM from a buffer instead of a file.
Obfuscated names
Since some System Software version between 1.000.041 and 1.692.000 (to precise), the module is compiled with a MACRO that converts some object names to obfuscated names. The algorithm is obfuscated_name = "SceSblSmComm" + hash(real_name) where hash is an unknown function.
Real name | Hash of real name | Obfuscated name | Comments |
---|---|---|---|
SceSblSmComm | 0xB639DB03 | SceSblSmCommB639DB03 | event flag |
SceSblSmCommMutex | 0xAB75E2BE | SceSblSmCommAB75E2BE | fast mutex |
SceSblSmCommSema (guessed name) | 0x62970C2D | SceSblSmComm62970c2d | sema (not present on <=1.000.041) |
SceSblSmCommReadBuff | 0x8D26C678 | SceSblSmComm8D26C678 | memblock |
SceSblCmCommBuff | 0x7EB92BED | SceSblSmComm7EB92BED | memblock |