Difference between revisions of "KBL Param"

Latest revision as of 19:57, 30 March 2024

The KBL Param buffer (temporary name was sysroot buffer) is a 0x100 or 0x200 bytes sized buffer passed to the Secure Kernel BootLoader in the scratch space and contains all sorts of flags and system parameters. This buffer is created in Second Loader copied to Secure Kernel, passed to the Secure and Non-Secure Kernel BootLoaders, and finally to the non-secure kernel. It is used in many functions to check for features that are enabled for the system. The strategy in this buffer is to compute once for all the information that is often used, to share it between all security layers not to have to implement generator code many times, and to implement the generation code in the most secure layer: second_loader (excluding first_loader but that's because first_loader is not updatable and has minimum code).

Structure

Offset	Size	Set by	Description
0x0	0x2	second_loader	Version (usually 1)
0x2	0x2	second_loader	Size. Size of this structure. 0x100 or 0x200.
0x4	0x4	second_loader	Current Firmware Version
0x8	0x4	second_loader	Minimum Firmware Version. Comes from SMI IdStorage leaf.
0xC	0x4	Unknown	Unknown
0x10	0x4	Unknown	Used for Kit Activation. If lower than 0x20, the Kit is fake activated (License Status = 0, Issue No = 0, Expire Date = 0xffffffff). If lower than 0x30, default bus error handler is not registered in SceKernelBusError.
0x14	0xC	Unknown	maybe unused
0x20	0x10	second_loader	QA flags
0x30	0x10	second_loader	Boot flags
0x40	0x20	second_loader	DIP Switches
0x60	0x4	second_loader	DRAM base paddr (0x40000000)
0x64	0x4	second_loader	DRAM size (0x20000000 on retail and testkit, 0x40000000 on DevKit in DevKit Memory Size mode)
0x68	0x4	Unknown	unk
0x6C	0x4	second_loader	Boot type indicator 1
0x70	0x10	second_loader	OpenPsId. Comes from IdStorage.
0x80	0x4	second_loader	`secure_kernel.enp` raw data paddr (optional)
0x84	0x4	second_loader	`secure_kernel.enp` size (optional)
0x88	0x4	second_loader	`context_auth_sm.self` raw data paddr
0x8C	0x4	second_loader	`context_auth_sm.self` size
0x90	0x4	second_loader	`kprx_auth_sm.self` raw data paddr
0x94	0x4	second_loader	`kprx_auth_sm.self` size
0x98	0x4	second_loader	`prog_rvk.srvk` raw data paddr
0x9C	0x4	second_loader	`prog_rvk.srvk` size
0xA0	0x8	second_loader	PsCode. Comes from IdStorage.
0xA8	0x4	second_loader	__stack_chk_guard. Set by Second Loader to a pseudo random number. Exported by SceSysmem as __stack_chk_guard.
0xAC	0x4	second_loader	Unknown. Set by Second Loader to a pseudo random number.
0xB0	0x10	second_loader	Session ID
0xC0	0x4	second_loader	Sleep Factor. Comes from Syscon command 3.
0xC4	0x4	second_loader	Wakeup Factor. Comes from Syscon command 0x10.
0xC8	0x4	second_loader	Unknown, contains USB info. Comes from Syscon command 0x800 (?device model dependant?). (ex: 0x40 PS Vita usually, 0x60 PS TV usually, 0x64 DEM-3000H, 0x1C0 PC USB -> charge USB on FAT, 0x2D2 PC USB -> USB -> charge USB on FAT, 0x2D3 charge USB on FAT, 0x3D2, 0xC001C0 USB charge on SLIM, 0xC503D2 USB charge on SLIM, 0xC501CA USB data to PC)
0xCC	0x4	second_loader	Boot Controls Info. Comes from Syscon command 0x100.
0xD0	0x4	second_loader	`suspendinfo_adr`. Resume context physical address. Comes from Syscon command 0x90, Scratch Pad offset 0xC.
0xD4	0x4	second_loader	Hardware Info. Comes from Syscon command 5.
0xD8	0x4	second_loader	Power Info
0xDC	0x4	Unknown	unk
0xE0	0x4	second_loader, SceDriverTzs	If resume, always 0 (second_loader).
0xE4	0x4	Unknown	unk
0xE8	0x10	second_loader	Hardware Info 2. Comes from Syscon command 6.
0xF8	0x4	second_loader	BootLoader Revision
0xFC	0x4	Unknown	KBL Param Magic value (0xCBAC03AA)
0x100	0x20	second_loader	Coredump Encrypted Session Key (FW 2.12+)

QA flags

The steps to install QA flags on a PS Vita are:

Write Qaf token to NVS at offset 0x400 (0x80-bytes) (tied to Console ID).
Write Qaf token RSA signature to NVS at offset 0x5A0 (0x100-bytes) (only required on firmware 1.80 and above).
Write Qaf version to SNVS sector 0x15.
Clear Qaf inhibit DIP switches 240 and 241 (maybe even more DIP switches inhibit QA flags).
Write Qaf enable flag to NVS at offset 0x480.
Set Qaf ON flag to SNVS mgmt sector.

The following libraries are available for checking QA Flags

SceSblQafMgr

SceSblQafMgrForDriver

SceVshBridge

In the following table bytes are counted from left to right and bits from left to right too (little-endian). However the OS uses bit masking for QA flags (unlike bit shifting for DIP Switches).

Byte (0-0xF) - mask = 1 << (bit_no & 7)	Used in	Description
Byte 0x0 > Mask 1	update_service_sm	Skip System Update version check on CEX (but still there Manufacturing mode checks).
Byte 0x0 > Mask 1	spkg_verifier_sm_w_key_2
Byte 0x0 > Mask 2	Unknown	-
Byte 0x0 > Mask 0x10	SceNpDrm	Allow Finalized Retail Package on Non CEX unit without StoreFlag.
Byte 0x0 > Mask 0x20	Unknown	-
Byte 0x6 > Mask 1	Unknown	-
Byte 0x6 > Mask 2	To check	Allow Dtcp Ip Reset, Allow NearTest/PSPEmuShowQAInfo (SceVshBridge)
	SceShell	Allow Fake AC Install, Allow Show Title Upgrade Info, Allow Liblocation Change Model on CEX, Allow ScreenShot Always.
	SceRtc	Allow something on sceRtcGetCurrentAdNetworkTickForDriver
	SceStoreBrowser	Allow Limited Debug Menu Display
	SceSettings	Allow Limited Debug Menu Display
	SceNpCommon	Allow Np Full Test
	SceIduUpdate	Allow Control Idu Auto Update
Byte 0x6 > Mask 4	Unknown	-
Byte 0x6 > Mask 8	Unknown	-
Byte 0x7 > Mask 1	Unknown	-
Byte 0x7 > Mask 4	Unknown	-
Byte 0x8 > Mask 1	Unknown	-
Byte 0x8 > Mask 2	Unknown	-
Byte 0x8 > Mask 4	Unknown	-
Byte 0x8 > Mask 0x10	Unknown	-
Byte 0x8 > Mask 0x20	Unknown	-
Byte 0x8 > Mask 0x40	Unknown	-
Byte 0x9 > Mask 1	Used on FW 0.931 by SceSblACMgrForKernel_F7524073	-
Byte 0xB > Mask 1	Unknown	Unknown. Maybe to use alternate keyset (internal).
Byte 0xB > Mask 4	kprx_auth_sm	Use alternate keyset e.g. QA SPSFO key/NpDrm app key.
	SceAppMgr	Allow ignore app keystone error.
	SceSblACMgr	Allow User App Debug.
Byte 0xB > Mask 0x10	secure_kernel	Bypass platform (Test/Tool/Diag) requirement for loading of fSELF with attribute 128
	SceSettings	Allow EMPR via vshSblQafMgrIsAllowLoadMagicGate
	SceDbRecovery	-
Byte 0xC > Mask 2	SceSettings	Allow All Debug Menu Display, Allow RemotePlayDebug
Byte 0xC > Mask 2	SceGps	Allow sceSblACMgrIsSystem bypass
Byte 0xC > Mask 4	Updater	Skip version checks in system updates
Byte 0xC > Mask 4	compat_sm	Allow compat_sm operation on DevKit (can be use PspEmu)
Byte 0xD > Mask 1 : Allow Kernel Debug	To check	USB Enum Wake Up Debug Menu.
	secure_kernel	CMeP Debug.
	NSKBL	logging level set to 0 instead of 1/2, 1 instead of 2
	SceSysmem	Allow printing Syscall Frame info with module name + offset.
	SceSysmem	Allow Kernel Debug Level.
	SceDeci4pSDrfp	Allow starting this module.
	SceDeci4pSCTtyp	Allow starting this module.
	SceDeci4pSDbgp	Allow starting this module. Allow call to SceDeci4pSdbgpTest export function.
	SceDeci4pSDfMgr	Allow dumping the non encrypted .psp2kerndmp
	SceDeci4pLoadp	Allow load/unload/start/stop Kernel module.
	SceDeci4pDtracep	Allow disabled NID encode. Allow dtrace sysbreak. Allow all process dtrace. And more.
	SceExcpmgr	Allow printing module info with module name.
	SceKernelModulemgr	Allow dump the module load address (printing)
	ScePamgr	Allow more SyscallTrace flag.
	SceHdmi	Allow HDCP control by dipsw. Allow HDMI CEC on PS TV Emu.
	SceAudio	Allow something audio debug control by dipsw.
	SceWlanBt	Allow enable WlanBt on DEM-3000 (IRT-001) for Non IsTest unit and Non Product Mode
Byte 0xD > Mask 2 : Allow System Debug	secure_kernel	Allow to bypass absent Media Type 7 (host0:) in SELF attribute for usermode SELF.
	SceAppMgr	Dictates if you can pass arguments to sceAppMgrLaunchAppByPathForDriver
	SceSysmodule	Allow Remote Sysmodule Load (host0:)
	SceParty
	SceCommonDialogMain
	SceShell
	SceSysStateMgr	Allow loading `host0:psp2config.rpath`.
	SceDeci4pLoadp	Allow any drive path.
	SceKernelModulemgr	Allow preloading module path switching by dipsw.
	SceSysLibTrace	Allow System NID symbol table refer.
	SceSblACMgr	Allow System App Debug
	SceDeci4pDtracep	Allow System App dtrace.
	SceVshBridge (stub)	Allow Marlin Test (SceVshBridge)
Byte 0xE > Mask 1 : Allow Module Debug	second_loader	Allow ignore SceKblPara->dipsw.ASLR initialize.
	secure_kernel	Allow to bypass absent Media Type 7 (host0:) in SELF attribute for Kernel/SM SELF.
	NSKBL	Allow Force Loading Boot Kernel Module in 100000 times on loadModule function.
	SceSysStateMgr	Allow loading `host0:psp2config.skprx`, Allow loading psp2config as plaintext. Allow loading `host0:psp2config.rpath`.
	SceDeci4pLoadp	Allow any drive path.
	SceSblPostSsMgr	Allow Remote SM Loading (host0:), Allow Remote Spfso Auth (host0:), Allow Remote FwLoader path switching by dipsw (host0:module/).
	SceKernelModulemgr	Allow Remote Kernel module Loading (host0:).
Byte 0xE - mask 2	Unknown	Unknown
Byte 0xF > Mask 1	secure_kernel	Allow SELF attribute qaf::0xF::1 required
	kprx_auth_sm	Enable DMAC5 keyset for 0x10001
	update_service_sm	Allow QAUpdate
	spkg_verifier_sm_w_key_2
	SceSblUpdateMgr
	SceSettings	Minimum Debug Menu Display
	SceCuiSetUpper	Allow Non QAPup on CEX.
	SceSafeMode
	SceSettings
	SceShell
	SceNpDrm	Allow Debug DRM Loose Bind.
	SceNpCommon	Allow Np Test
	SceShell	Allow Np Test
	SceRegistryMgr	Allow more registry keys.
	SceShell	Allow Keep CoreFile
Byte 0xF > Mask 2 : Allow Force Update	update_service_sm	Skip the System Update's version checks and Manufacturing mode checks on CEX
	spkg_verifier_sm_w_key_2
	SceSblUpdateMgr
Any QA flag	act_sm	Infinite Kit activation

To check: Byte 0xF - mask 1, Byte 0xE - mask 1, Byte 0xE - mask 2, Byte 0xB - mask 0x10: Revocation related.

Existing QA flag token templates identified thus far:

NO_FLAGS: Default value with no QA flag set. Generated upon request on unit by qaf_sm using QAF keyslots set by second_loader, no signature.

QAF_QATEAM_MINI_E: QA flags (mini) for QA Team units running External System Software. Set on DevKits.

QAF_QATEAM_FULL_E: QA flags (full) for QA Team units running External System Software. Set on Retail and TestKits. Same as QAF_QATEAM_MINI_E but with two more QA flags (Byte 0x0 - mask 0x10 and Byte 0x6 - mask 2) set. These supplementary QA flags allow features like: ScreenShot Always, Np Full Test, Limited Debug Menu Display.

QAF_SYS_DEV_I: QA flags (development) for System Software QA units running Internal System Software. Set on Development tools used for system debugging, running Internal firmware. Set on DevKits.

QAF_MGVIDEO_DEV_I: QA flags (development) for Magic Gate Video QA units running Internal System Software. Set on DevKits.

Basically the same as QAF_SYS_DEV_I, but with the addition of the AllowMagicGate flag. But the AllowKernelDebug flag is cleared.

QAF_MGVIDEO_ADV_I: QA flags (advanced) for Magic Gate Video QA units running Internal System Software. Set on DevKits.

Basically the same as QAF_SYS_DEV_I, but with the addition of the AllowMagicGate flag.

flags for NO_FLAGS:
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
flags for QAF_QATEAM_MINI_E: 
  01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03
flags for QAF_QATEAM_FULL_E: 
  11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03
flags for QAF_SYS_DEV_I:
  33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01
flags for QAF_MGVIDEO_DEV_I:
  33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01
flags for QAF_MGVIDEO_ADV_I:
  33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01

Boot flags

These Boot flags come from Ernie NVS.

On FW 3.60, second_loader generates the boot flags as following:

byte 0 = NVS 0x4A0
byte 1 = NVS 0x481
byte 2 = 0
byte 3 = NVS 0x483
byte 4 = NVS 0x487
byte 5 = NVS 0x486
byte 6-0xF = 0

Example: FF FF 00 FF FF FF 00 00 00 00 00 00 00 00 00 00

Bit	Description
47	MCEmu (Use internal `ux0`)

byte 0: 0xFF - not update mode, other value - update step (to detail)
byte 1: 0xFF - extra UART disabled, 0x00 - extra UART enabled, 0x01 - extra UART enabled only when Jig dongle is connected
byte 3: 0xFF - not safe mode
byte 4: 0xFF - unknown, maybe not used on FWs <= 0.995
byte 5: 0xFF on FAT - no internal storage or on PS TV or Slim - internal storage enabled, 0xFE on PS TV or Slim - internal storage disabled, maybe not used on FWs <= 0.995

DIP Switches

DIP switches area embeds two parts: Communication Processor information as 32-bit integers, followed by DIP switches stored as bit flags.

Offset	Size	Description
0x40	0x4	CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35)
0x44	0x2	CP Version (ex: 0x1301 -> 1301 on PDEL-100x)
0x46	0x2	CP Board ID (3 on DEM-300xH, 4 on PDEL-100x)
0x48	0x4	CP Timestamp 2 (identical as CP Timestamp 1)
0x4C	0x4	ASLR Seed (?USER flags?) (also set on CEX and DEX) (ex: 0x00000000 on a DEM-300xH)
0x50	0x4	SDK (SCE) flags (ex: 0x80000000, 0x80000001, 0x80000003, 0x81000000, 0x81000001, 0, 2)
0x54	0x4	Shell flags (ex: 0x00000000 on a DEM-300xH)
0x58	0x4	Debug control flags (ex: 0x000413E7 on a DEM-300xH, 0x001453E7 dev mode, 0x00080002 release mode)
0x5C	0x4	System control flags (ex: 0x2000001C on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode)

DIP Switches bit flags resolving

Warning: DIP Switches bit flags actually start at offset 0x10 (before that is CP information), which implies the first bit flag number is 128 (bit_num = offset / 8).

DIP Switches bit flags follow little-endian logic, which makes it hard to visualize in commonly used big-endian hexadecimal:

((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000001 (big-endian in hex) = 01 00 00 00 (little-endian in hex) = 10000000 00000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 128
((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000002 (big-endian in hex) = 02 00 00 00 (little-endian in hex) = 01000000 00000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 129
((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000100 (big-endian in hex) = 00 01 00 00 (little-endian in hex) = 00000000 10000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 136
((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x80000000 (big-endian in hex) = 00 00 00 80 (little-endian in hex) = 00000000 00000000 00000000 00000001 (little-endian in base 2) <- the 1 corresponds to bit flag number 159

As you can see this way is not convenient to know in memory on which byte corresponds which bit flag, so instead we can use a formula to convert bit number to offset and bit: offset = (bit_num / 32) * 4, bit = bit_num & 31. This is used for example in the following code:

SceBool sceKernelCheckDipswForDriver(SceUInt32 no) {
  return (*(SceUInt32 *)(kbl_param->dipsw + (no >> 5) * 4) >> (no & 31)) & 1;
}

CP Information

Bits 0-31 is a 32-bit integer of the current time on the CP clock. This is duplicated in bits 64-95.

Bits 32-47 is a 16-bit integer of the CP version and bits 48-63 is a 16-bit integer of the CP board ID. All integers are little-endian. On units that do not have a CP, these fields are zeroes.

Bits 96-127 is 32-bit integer ASLR seed that is randomized on each boot in second loader. It can be disabled by setting a specific DIP switch or QA flag byte 0xE mask 1.

Bits 0-63 are also manipulable as general purpose DIP Switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw but these functions do not change anything in hardware (only cached values are overwritten in SceSysmem).

According to SDK only DIP Switches 0-63 are accessible from usermode, however:

On FW 0.990 (but not on FW 0.931 nor 3.60), DIP Switch number 237 is the only one out of range 0-63 that can be set from usermode.
Usermode SELFs can use DIP Switches number > 63 if they have a special attribute or capability in SELF Auth Info.

SDK (SCE) flags

Bits 128-159 are used for DevKit Boot Parameters.

Bit	Name	Description
128	memory_size_switch	Memory Size. Console Size: 1 - Development Tool Size: 0. (Extended game memory)
129	release_check_mode_console	Release Mode Console. On: 1 - Off: 0
152	platform_emulation_dolce	PS TV Emulation. On: 1 - Off: 0
159	development_mode	Release Check Mode. Development Mode: 1 - Release Mode: 0

Shell flags

Bits 160-191 are used for SceShell flags.

dipsw 190 is ignored if dipsw 191 is on.

Turning on dipsw 191 and 213 at the same time can cause physical address conflicts.

Bit	Name	Description
168		Memory Size.
184	enable_extra_tty	Enable extra TTY: On: 1 - Off: 0. (tty7:)
185		Enable System Boot Time Notifications: On: 1 - Off: 0
186		Related to SceShellCronCallback.
187		Allow processes to run on all cores (CPU affinity): On: 1 - Off: 0
190		Disable to ScePhyMemPartShellDummy with PA 0x78000000 0x8000000-bytes.
191		Grow PhyMemPart with PA 0x78000000 0x8000000-bytes. Shell += 48MiB, Shared += 80MiB.

Debug control flags

Bits 192-223 are for various debug options.

Bit	Description
192	Enable Dmac6.
193	Enable SDbgSdio, deci4p_sdfmgr, deci4p_sttyp
194	Enable User DECI. Enables Cpup, SceDbgSdio, SceDbgUsb and dtrace module start. Force UnloadProcessModules on Process Delete.
195	Disable USB Debug. nouse_dbgusb (if enabled, SceDbgUsb does not init).
196	Enable kernel/NSKBL UART0 console logging (if enabled, UART0 is initialized and SceDebug handlers are set to UART0 functions). Or disable remote power control.
197	Enable kernel/NSKBL UART1 console logging: On: 1 - Off: 0
198	Enable System TTY: On: 1 - Off: 0. See SceDeci4pSTtyp.
199	Enable TTY stdio ("tty0:"): On: 1 - Off: 0
200	Stop when an assertion fails: On: 1 - Off: 0
201	Set minimum assertion level to 1: On: 1 - Off: 0. Used in SceSysmem.
202	Set minimum assertion level to 2: On: 1 - Off: 0. Used in SceSysmem.
204	Set minimum log level to 1: On: 1 - Off: 0. Used in NSKBL and SceSysmem.
205	Set minimum log level to 2: On: 1 - Off: 0. Used in NSKBL and SceSysmem.
206	Allow syscall debug. Used in SceKernelThreadMgr.
210	SCE_DIPSW_ENABLE_TOOL_PHYMEMPART. Allow Kernel Budget (Enable Devkit 512MiB DRAM): On: 1 - Off: 0
211	Enable usermode UART console logging: On: 1 - Off: 0. Enables SceTty2uart. Used in SceCoredump.
212	Enable PA memory mapping for usermode. Used in NSKBL and SceSysmem, ScePamgr. Works with dipsw 213.
213	PA memory mapping address. 1 to use PA 0x78000000 0x8000000-bytes. 0 to use PA 0x80000000 0x20000000-bytes. Used in NSKBL and SceSysmem, ScePamgr. Works with dipsw 212.
214	Disable ASLR: Disabled: 1 - Enabled: 0.
215	Disable DECI4P System Debug process Trace: Disabled: 1 - Enabled: 0.
216	Wipe kernel stack by 0xFF: On: 1 - Off: 0.
217	Enable path logging: On: 1 - Off: 0. Used in SceIofilemgr. If set, SceKernelThreadMgr sets kernel thread stack size to 0x4000-bytes instead of 0x1000-bytes.
218	Ignore app keystone error in SceAppMgr: On: 1 - Off: 0.
222	Enable KBL Simple Memory Test over ScePowerScratchPad32KiB: On: 1 - Off: 0. See Physical Memory, SKBL.
223	Enable KBL Simple Memory Test over Secure DRAM: On: 1 - Off: 0. See Physical Memory, SKBL.

System control flags

Bits 224-255 are used for various system options.

Bit	Description
224	`SCE_DIPSW_PSP2_CONFIG_SD` Enable sdbgp's sysmemChecker. Allow plain psp2-config. Allows loading sd0:psp2-config.txt.
225	L2 Cache Disabled? (0 = L2 Cache ON, 1 = L2 Cache OFF). Used in SceSysmem, NSKBL when doing something with exception stacks
228	Enables hardware break/watch point. Used in SKBL, SceProcessmgr and SceKernelThreadMgr. SKBL seems to enable/disable unknown devices. SceKernelThreadMgr copies some process info to SceKernelThreadObject related to breakpoints.
229	HDCP enable/disable. Used in SceAudio.
230	Enable initialization of sd0 and ur0. Used in SceExfatfs, ?SceIofilemgr?.
231	Enable initialization of os0. Used in SceExfatfs, SceIofilemgr.
232	? Used in second_loader. DIP Switches 232, 240 and 241 are related.
233	Used in SceSdstor on System Software version 1.50.
236	GPU overclock. When enabled, GPU and GPU Xbar are overclocked from 111MHz to 166MHz.
237	Probably underclock/overclock related. On FW 0.990 (but not on FW 0.931 nor 3.60), this is the only DIP switch out of range 0-63 that can be set from usermode.
238	Underclock. When enabled, something is underclocked from 222MHz to 111MHz.
239	Underclock/overclock related.
240	Disable QA flags. Used in second_loader. DIP Switches 232, 240 and 241 are related.
241	Disable QA flags 0xD mask 1 and 0xE mask 1. Used in second_loader. DIP Switches 232, 240 and 241 are related.
250	Enable "tty0:"
251	Enable "dummytty0:". Also allow sysmodule load from `host0:` (SceSysmodule debug).
252	Allow host0: access. Used in SceSysStateMgr, SceSblFwLoader.
253	Enable some console logging: On: 1 - Off: 0. Used in NSKBL.

Boot type indicator 1

We ignore the official name so we name it Boot type indicator 1.

0x1: external boot mode. It is used in manufacture image to boot in external mode. It cannot be set in release second_loader.
0x2: SKBL has been loaded from GCSD
0x4: product mode. manufacturing mode (Mgmt bit 0)
0x8: seems to be never set in release second_loader. Required by FW 0.931 SKBL to perform memory tests.
0x40: use special Media Type. Never set in release second_loader. Used in NSKBL when loading modules from sd0:.
0x10000: jig handshake5 status, bypasses current system software version checks
0x20000: resume mode. Disables boot logo display.
0x40000: manufacturing mode (Mgmt bit 0) and GCSD initialized (for mounting sd0:) by second_loader using Syscon command 0x888.
0x80000: sd mode (Mgmt bit 1). SceExfatfs checks this flag before mounting sd0:.

Sleep Factor

This is a guessed name. A possible name is "Wakeup Req" from PSP function name sceSysconGetWakeUpReq.

Used in SceSysmem#sceKernelSysrootIsUsbEnumWakeupForKernel.

1 bsod reboot (or other serious factors)
4 seen on a DEM-3000G running System Software 0.930.010
0x10 bsod poweroff
0x60 seen on a PCH-11xx
0x400 seen on a PCH-1xxx in Manufacturing mode
0x20000 unknown

Wakeup Factor

Wakeup Factor is only 2 bytes but to preserve alignment, in KBL Param it is extended to 4 bytes.

00 00 00 00 coldboot on a DEM-3000H
01 XX XX XX unknown
04 00 00 00 reboot
0E XX XX XX related to USB Enum Wakeup(maybe devkit)
0F 00 00 00 USB Enum Wakeup
14 00 00 00 boot with power hold
00 FF 00 00 maybe coldboot
04 FF 00 00 reboot
14 FF 00 00 boot with power hold
16 FF 00 00 boot by charge cable
17 XX 00 00 BSOD reboot
80 00 00 00 after suspend

Deduction:

1: Maybe do not show lock screen
2: USB enum wakeup
4: reboot
0x8: BSOD
0xB: goes to safe mode
0x10: anormal boot
0x1F: goes to safe mode
0x20: unknown

Wakeup factor bits description
Bitmask	Usage	Notes
0xFF00	Unknown	?battery related?
0x0080	Resume flag	Set when unit is resuming
0x007F	Wakeup reason	Indicates why the unit has been powered on. May be a bitflag or an enumeration.

Boot Controls Info

This information can be parsed the same way as in SceSysconControl.

Keys combo:

Enter Safe mode: Power + PS + R
Rebuild Database: Power + PS + R + (Square or Cross)
Set Production Mode On for Prototype: Power + PS + Square + Cross + Up + Left
Set Production Mode On: Power + PS + R + Square + Cross (not present on FW 0.931, present on FWs 0.940+)

Note:

Set Production Mode On combos are not needed on genuine PS TV in Wakeup Factor flag 0x20 and are only checked when Wakeup Factor flags 0xB or 0x20 are set.
Set Production Mode On requires Jig connected else it fails with error 0x800F0A05 on set_pm STEP 8657.

Hardware Info

Hardware Info is got from Ernie.

It can be obtained using SceSyscon#sceSysconGetHardwareInfoForDriver. It can also be seen in the packet header in Syscon Update.

The following list is ordered by Ernie firmware version, which should approximately match the hardware revision order.

0x00101003: supports FW 0.931.010
0x00102003: supports FW 0.931.010
0x00314000: supports FW 0.931.010
0x00102403: supports FW 0.931.010-1.692.000
0x00315000: certainly DEM-3000G (IRT-001), supports FW 0.931.010-1.692.000
0x00102603: supports FW 0.940.000-3.680.011
0x00315200: certainly DEM-3000H (IRT-001), supports FW 0.940.000-1.692.000
0x00411000: supports FW 0.990.030-1.692.000, Product Sub Code 7, 9 or 0xA probably
0x00414000: DEM-3000K (IRT-002), supports FW 0.990.030-1.692.000, Product Sub Code 9
0x00415000: DEM-3000L (IRT-002), supports FW 0.995.070-1.692.000, Product Sub Code 0xB
0x00415200: certainly DEM-3000P (IRT-002), supports FW 0.996.070-3.680.011, Product Sub Code 0xC probably
0x00416000: PDEL-10XX, DEM-3000JEC third revision (IRT-002), supports FW 1.000-3.730, Product Sub Code 0xF, 0x10
0x00404000: unknown DEX model, CEM-3000, supports FW 0.990-1.692.000
0x00404100: unknown DEX model, CEM-3000, supports FW 0.990-1.692.000
0x00404400: unknown DEX model, CEM-3000, supports FW 0.990-1.692.000
0x00404600: DEX model, CEM-3000NE2, supports FW 0.990-1.692.000
0x00404800: unknown DEX model, supports FW 1.660-1.692.000
0x00405000: unknown DEX model, supports FW 1.660-3.720
0x00405200: unknown DEX model, supports FW 1.660-3.720
0x00406000: PCH-10XX / PTEL-10XX (Product Sub Code 0x10) (IRS-002 without 3G PCIe); ?CEM-3000VP1? / CEM-3000NP1 / TEFV-1000PV1 (Product Sub Code 0xF) -> supports FW 1.000-3.740
0x00406002: PCH-11XX (IRS-002 with 3G PCIe), supports FW 1.040-3.740
0x0051XXXX: Prototype PS TV.
0x00601000: unknown TOOL/DEX/CEX model (IRS-1001), supports FW 1.800-3.740
0x00602000: unknown DEX/CEX model (IRS-1001), supports FW 1.800-3.740
0x00603000: unknown DEX/CEX model (IRS-1001), supports FW 1.800-3.740
0x00603200: PCH-10XX / PCH-11XX (IRS-1001), supports FW 1.800-3.740
0x00703000: CEM-3000P01 (DOL-1001), supports FW 2.500-3.740
0x00703030: VTE-10XX (DOL-1001), supports FW 2.500-3.740
0x00805038: PCH-20XX / PTEL-20XX (USS-1001), supports FW 2.500-3.740
0x00723030: VTE-10XX (DOL-1002), supports FW 3.300-3.740
0x00822238: PCH-20XX (USS-1002), supports FW 3.500-3.740
0x0090XXXX: Unknown prototype.

Bytes meaning

As PS Vita uses little-endian, we describe here in the same order, from the lowest to the highest.

First byte

This byte indicates the presence of some components. It works by bit flags:

0x01: ?has SD card reader? (some DevKits and prototypes)
0x02: has WWAN (3G modem). This is what SceBbmc checks to know if 3G modem is supported.
0x04: unknown
0x08: ?has microUSB? (Slim only)
0x10: is MC emu capable (Slim and PS TV only). MC Emulation is done by partitionning the internal memory EMMC.
0x20: has hw_info_2 (Slim and PS TV only)
0x40: is Show mode
0x80: is IDU mode

Second byte

This byte indicates the motherboard minor version. It is relative to the motherboard main version which is indicated by third byte.

Third byte

This byte indicates the motherboard main version:

10 -> unknown prototype motherboard, has Syscon, maybe IRS-001
31 -> IRT-001
40 -> IRS-002
41 -> IRT-002
51 -> PS TV prototype motherboard
60 -> IRS-1001
70 -> DOL-1001
72 -> DOL-1002
80 -> USS-1001
82 -> USS-1002
90 -> unknown prototype motherboard

We can also guess that flag 1 means that the console has a Communication Processor.

Fourth byte

This byte is reserved in case 3 bytes becomes not enough to handle all Hardware Info:

00 -> default, unused

Power Info

Experimental point of view

- No AC connected + No POWER Button pressed: 0x0
ex: rebooting by software PS Vita when AC is not connected

- No AC connected + POWER Button pressed: 0x4
ex: booting PS Vita by pressing POWER button when AC is not connected

- AC connected + No POWER Button pressed: 0x8
ex: rebooting by software PS Vita when AC is connected
ex: autobooting PS TV/IDU PS Vita by pluging AC

- AC connected + POWER Button pressed: 0xC
ex: powering off by software PS TV then booting it by pressing POWER button
ex: booting PS Vita by pressing POWER button when AC is connected

Bit flags point of view

Bit	Description
0	unknown. Not seen.
1	unknown. Not seen.
2	POWER button: pressed: 1 - not pressed: 0
3	AC: connected: 1 - disconnected: 0 (note that PS TV always has AC connected)

Hardware Info 2

Hardware Info 2 is supported since System Software version 2.10. It is an extension to Hardware Info

Hardware Info 2 is got from Syscon command 6.

It can be obtained using SceSyscon#sceSysconGetHardwareInfo2ForDriver.

Bit	Description
1 (0x2)	unknown
4 (0x8)	Related to display
5 (0x20)	unknown
6 (0x40)	Conexant Codec IC (1 = present, 0 = not present)
7 (0x80)	unknown
14 (0x4000)	unknown

Seen values:

0 on a Fat PS Vita with IRS-002
7 on a Slim PS Vita with USS-1001
0x247 on a Slim PS Vita with USS-1002

Types

typedef struct SceDIPSW {
  uint32_t cp_timestamp_1;
  uint16_t cp_version;
  uint16_t cp_build_id;
  uint32_t cp_timestamp_2;
  uint32_t aslr_seed;
  uint32_t sce_sdk_flags;
  uint32_t shell_flags;
  uint32_t debug_control_flags;
  uint32_t system_control_flags;
} SceDIPSW;

typedef struct SceKblParam {
  uint16_t version;
  uint16_t size;
  uint32_t current_fw_version;
  uint32_t min_fw_version;
  uint32_t unk_C;
  uint32_t unk_10;
  uint8_t unk_14[0xC];
  uint8_t qa_flags[0x10];
  uint8_t boot_flags[0x10];
  SceDIPSW dipsw;
  SceKernelPARange dram;
  uint32_t unk_68;
  uint32_t boot_type_indicator_1;
  SceOpenPsId openpsid;
  SceKernelPARange secure_kernel_enp;
  SceKernelPARange context_auth_sm_self;
  SceKernelPARange kprx_auth_sm_self;
  SceKernelPARange prog_rvk_srvk;
  ScePsCode pscode;
  uint32_t __stack_chk_guard;
  uint8_t unk_AC[4];
  uint8_t session_id[0x10];
  uint32_t sleep_factor;
  uint32_t wakeup_factor;
  uint32_t unk_C8;
  uint32_t boot_controls_info;
  uint32_t resume_context_paddr;
  uint32_t hardware_info;
  uint32_t power_info;
  uint8_t unk_DC[0xC];
  uint8_t hardware_info_2[0x10];
  uint32_t bootldr_revision;
  uint32_t magic;
  uint8_t coredump_session_key[0x20];
  uint8_t unused[0xE0];
} __attribute__((packed)) SceKblParam;