SceSblSsMgr: Difference between revisions

From Vita Development Wiki
Line 980: Line 980:


<source lang="C">
<source lang="C">
// index - max index is 5
// index - 0-5
// input - max size is 0x20
// pData - destination buffer
int sceSblSsGetNvsDataForDriver(int index, char *output, int size);
// size - 2, 4, 8, 0x10, 0x20
int sceSblSsGetNvsDataForDriver(SceSblSsNvsData index, void *pData, int size);
</source>
</source>
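Review bot: the new prototype types index as SceSblSsNvsData, but no definition of that type appears with the change, so a reader cannot tell which of the values 0-5 selects which NVS field; add the enum alongside the prototype or keep int until the names are known. The sibling sceSblSsSetNvsDataForDriver still documents int index and char *input with "max size is 0x20", so the read and write prototypes now disagree on parameter types and on whether size is restricted to 2, 4, 8, 0x10, 0x20; update the write prototype in the same edit or state that the restriction applies only to the read path.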



Revision as of 11:36, 24 May 2020

Module

Known NIDs

| Version | Name | World | Privilege | NID |
|---|---|---|---|---|
| 1.69 | SceSblSsMgr | Non-secure | Kernel | 0xFDDD93FA |
| 3.60 | SceSblSsMgr | Non-secure | Kernel | 0x4E913538 |

Libraries

Known NIDs

| Version | Name | World | Visibility | NID |
|---|---|---|---|---|
| 1.69-3.60 | SceSblSsMgrForKernel | Non-secure | Kernel | 0x74580D9F |
| 1.69-3.60 | SceSblSsMgrForDriver | Non-secure | Kernel | 0x61E9428D |
| 1.69 | SceSblSsMgr | Non-secure | Kernel | 0xEC86E4B0 |
| 1.69-3.60 | SceSblQafMgr | Non-secure | User | 0x756B7E89 |
| 1.69-3.60 | SceSblRng | Non-secure | User | 0x1843F124 |
| 1.69-3.60 | SceSblDmac5Mgr | Non-secure | User | 0x437366A2 |
| 1.69-3.60 | SceSblAimgr | Non-secure | User | 0xD473F968 |

NVS Areas

Referred to as Ernie NVS. Not every part is readable from the non-secure kernel: some sectors return an error, and some sectors are part of SNVS (Secure NVS), which means they are encrypted.

| Offset | Size | Name | Comment | Used by |
|---|---|---|---|---|
| 0 | 0x20 | Mgmt Data | Embeds SNVS flags and ProductMode. Used for Update, PM and QAF. | "sceSblQafManagerSetFlag" (sub_81001610 on FW 0.990), "SpkgInfoUtilGetSNVSFlagStatus" and "SpkgInfoUtilSetSNVSFlagStatus" (on FW 0.931), setProductMode |
| 0x20 | 0x280 | SNVS Sectors | 20 XTS encrypted sectors of size 0x20 bytes handled by update_service_sm.self | "SpkgInfoUtilInitForUpdater" on FW 0.931 |
| 0x2A0 | 0x20 | Qa Flag Version | | "sceSblQafManagerSetQaFlagVersion" on FW 0.940 |
| 0x2C0 | 0x140 | Unknown | | |
| 0x400 | 0x80 | Qaf Token | first 0x18 is QafName | |
| 0x480 | 1 | Qaf Token not set flag | Set to 1 by default when Qaf Token is not set (FFed). | |
| 0x481 | 0x1F | Unknown | | |
| 0x4A0 | 1 | Update Mode | | sceSblUsGetUpdateModeForUser, sceSblUsSetUpdateModeForUser |
| 0x4A1 | 0x3F | Unknown | | |
| 0x4E0 | 0x20 | Unknown | per device string ?VisibleId? | |
| 0x500 | 0x20 | Unknown | Maybe 0x510 is used by Secure Kernel. | |
| 0x520 | 0x80 | Activation Area | 0x20 first bytes are SceNVSKitActivationData | |
| 0x5A0 | 0x100 | Qaf Token RSA signature | Not present on FW 0.990. Present on FW 3.60. Maybe added on FW 1.80. | |
| 0x6A0 | 0xC0 | Unknown | | |

Area from 0 to 0x400 cannot be read using sceSblSsNvsReadForKernel nor written using sceSblSsNvsWriteForKernel.

typedef struct SceNVSKitActivationData { // size is 0x20 bytes
  char magic[4]; // "act\n"
  uint32_t issue_no;
  uint32_t end_date;
  uint32_t start_date;
  char cmac_hash[0x10];
} SceNVSKitActivationData;

typedef struct SceQAFToken { // size is 0x80 bytes
  char unk[8];
  char string[8]; // "NO_FLAGS"
  char unk2[0x70];
} SceQAFToken;
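
The relationship between the Qaf Token area, its "not set" flag and the signature area in the table above, as an added example (not code from the wiki or from the firmware): a C helper that inspects an NVS image already held in memory and reports whether the three areas agree. The function names, the report struct and the sample image are constructed for illustration; the flag is interpreted as the table states it (1 means the token is not set and the area is 0xFF-filled).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets and sizes taken from the NVS Areas table. */
#define NVS_IMAGE_SIZE      0x760  /* 0x6A0 + 0xC0: end of the last listed area */
#define NVS_QAF_TOKEN_OFF   0x400
#define NVS_QAF_TOKEN_SIZE  0x80
#define NVS_QAF_NAME_SIZE   0x18   /* "first 0x18 is QafName" */
#define NVS_QAF_UNSET_OFF   0x480
#define NVS_QAF_SIG_OFF     0x5A0
#define NVS_QAF_SIG_SIZE    0x100

typedef enum {
    QAF_NOT_SET,      /* flag == 1 and token area is 0xFF-filled */
    QAF_SET,          /* flag == 0 and token area holds data */
    QAF_INCONSISTENT  /* flag and token contents disagree */
} qaf_state_t;

typedef struct {
    qaf_state_t state;
    int sig_blank;                     /* 1 when 0x5A0..0x69F is all 0xFF */
    char name[NVS_QAF_NAME_SIZE + 1];  /* NUL-terminated copy of QafName */
} qaf_report_t;

static int all_ff(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0xFF)
            return 0;
    return 1;
}

/* Returns 0 on success, -1 when the image does not cover the areas read. */
int nvs_qaf_inspect(const uint8_t *nvs, size_t len, qaf_report_t *out)
{
    if (!nvs || !out || len < NVS_QAF_SIG_OFF + NVS_QAF_SIG_SIZE)
        return -1;

    const uint8_t *token = nvs + NVS_QAF_TOKEN_OFF;
    uint8_t unset = nvs[NVS_QAF_UNSET_OFF];
    int blank = all_ff(token, NVS_QAF_TOKEN_SIZE);

    memset(out, 0, sizeof *out);
    out->sig_blank = all_ff(nvs + NVS_QAF_SIG_OFF, NVS_QAF_SIG_SIZE);

    if (unset == 1 && blank) {
        out->state = QAF_NOT_SET;
    } else if (unset == 0 && !blank) {
        out->state = QAF_SET;
        memcpy(out->name, token, NVS_QAF_NAME_SIZE); /* last byte stays NUL */
    } else {
        /* e.g. token bytes left behind while the flag says "not set" */
        out->state = QAF_INCONSISTENT;
    }
    return 0;
}

/* Constructed sample image (not a real dump): all 0xFF, flag set to 1. */
void nvs_sample_blank(uint8_t *nvs)
{
    memset(nvs, 0xFF, NVS_IMAGE_SIZE);
    nvs[NVS_QAF_UNSET_OFF] = 1;
}

int main(void)
{
    static uint8_t nvs[NVS_IMAGE_SIZE];
    qaf_report_t r;

    nvs_sample_blank(nvs);
    nvs_qaf_inspect(nvs, sizeof nvs, &r);
    printf("blank image: state=%d sig_blank=%d\n", r.state, r.sig_blank);

    /* Token bytes present but flag still 1: reported as inconsistent. */
    memcpy(nvs + NVS_QAF_TOKEN_OFF, "CONSTRUCTED_NAME", 16);
    nvs_qaf_inspect(nvs, sizeof nvs, &r);
    printf("stale token: state=%d\n", r.state);
    return 0;
}
```

The signature area is reported separately because the table lists it as absent on FW 0.990; whether a blank signature next to a set token matters depends on the firmware the image came from.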

Types

SceKitActivationData

| Offset | Size | Description |
|---|---|---|
| 0x40 | 0x4 | Magic "act\0" |
| 0x44 | 0x4 | Format version |
| 0x48 | 0x4 | Issue number (increment each activation, prevent rollback) |
| 0x4C | 0x4 | Start validity time unix timestamp |
| 0x50 | 0x4 | End validity time unix timestamp |
| 0x54 | 0x10 | Activation key |
| 0x64 | 0x1C | Unused |
| 0x80 | 0x40 | Encrypted Token (First 0x30 bytes of SceKitActivationData then 0x10 byte CMAC) |

typedef struct SceKitActivationDataToken { // size is 0x40 bytes
  char magic[4]; // "act\n"
  uint32_t issue_no;
  uint32_t format_version;
  uint32_t start_date;
  uint32_t end_date;
  char open_psid[0x10];
  char padding[0xC];
  char cmac[0x10];
} SceKitActivationDataToken;

// This is what embeds the tm0:activation/act.dat file
typedef struct SceKitActivationData { // size is 0x80 bytes
  char magic[4]; // "act\n"
  uint32_t issue_no;
  uint32_t format_version;
  uint32_t start_date;
  uint32_t end_date;
  char open_psid[0x10];
  char padding[0x1C];
  char encrypted_token[0x40];
} SceKitActivationData;
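
A parser and validity check for the 0x80-byte SceKitActivationData layout, as an added example (not code from the wiki or from the firmware). It follows the field order of the struct above rather than the offset table, assumes little-endian fields, accepts either fourth magic byte listed on the page, and does not verify the CMAC inside encrypted_token; the function names, status codes and the rollback comparison against a caller-supplied last issue number are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACT_DATA_SIZE 0x80 /* size of SceKitActivationData per the struct */

typedef enum {
    ACT_OK = 0,
    ACT_TOO_SHORT,
    ACT_BAD_MAGIC,
    ACT_ROLLBACK,       /* issue_no lower than the last one seen */
    ACT_NOT_YET_VALID,  /* now < start_date */
    ACT_EXPIRED         /* now > end_date */
} act_status_t;

typedef struct {
    uint32_t issue_no;
    uint32_t format_version;
    uint32_t start_date;  /* unix timestamp */
    uint32_t end_date;    /* unix timestamp */
    uint8_t  open_psid[0x10];
} act_header_t;

/* Assumption: multi-byte fields are stored little-endian. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Extracts the clear-text header fields; encrypted_token is not touched. */
act_status_t act_parse(const uint8_t *buf, size_t len, act_header_t *h)
{
    if (!buf || !h || len < ACT_DATA_SIZE)
        return ACT_TOO_SHORT;
    /* The page lists the magic as "act\n" in the structs and "act\0" in the table. */
    if (memcmp(buf, "act", 3) != 0 || (buf[3] != '\n' && buf[3] != '\0'))
        return ACT_BAD_MAGIC;
    h->issue_no       = rd_le32(buf + 0x04);
    h->format_version = rd_le32(buf + 0x08);
    h->start_date     = rd_le32(buf + 0x0C);
    h->end_date       = rd_le32(buf + 0x10);
    memcpy(h->open_psid, buf + 0x14, sizeof h->open_psid);
    return ACT_OK;
}

/* Rollback rule is an assumption: reject issue numbers below the last seen. */
act_status_t act_check(const act_header_t *h, uint32_t now, uint32_t last_issue_no)
{
    if (h->issue_no < last_issue_no) return ACT_ROLLBACK;
    if (now < h->start_date)         return ACT_NOT_YET_VALID;
    if (now > h->end_date)           return ACT_EXPIRED;
    return ACT_OK;
}

/* Constructed sample record (not real activation data). */
void act_sample(uint8_t *buf)
{
    memset(buf, 0, ACT_DATA_SIZE);
    memcpy(buf, "act\n", 4);
    wr_le32(buf + 0x04, 3);           /* issue_no */
    wr_le32(buf + 0x08, 1);           /* format_version */
    wr_le32(buf + 0x0C, 1500000000u); /* start_date */
    wr_le32(buf + 0x10, 1600000000u); /* end_date */
    memset(buf + 0x14, 0x11, 0x10);   /* open_psid placeholder */
}

int main(void)
{
    uint8_t file[ACT_DATA_SIZE];
    act_header_t h;

    act_sample(file);
    if (act_parse(file, sizeof file, &h) == ACT_OK)
        printf("issue_no=%u status=%d\n", (unsigned)h.issue_no,
               act_check(&h, 1550000000u, 3));
    return 0;
}
```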

typedef struct dmac_op_ctx_heap { // size is 0x40 on FW 0.990
	uint cmd;
	uint unk_4; // 0x100
	uint unk_8; // 0 if unk_flag = 0, 0x3ffff else
	uint dmac5_op;
	char reserved[0x30];
} dmac_op_ctx_heap;

// Used by run_encdec_cmd, itself called by sceSblDmac5EncDec for example.
typedef struct dmac_op_ctx {
	dmac_op_ctx_heap *ctx_heap_addr;
	uint keyring_key_count; // if keyring_key_count < 0x100, keyring_key_count is used as DKey
	uint unk_8;
	SceUID dmac_opid; // used with sceKernelDmaOpFreeForDriver
	char iv[0x28]; // iv_size can be 0, 8, 0x10 or 0x28 depending on cmd, which itself depends on key_size
} dmac_op_ctx;

SceSblSsMgrForKernel

sceSblNvsReadDataForKernel

Version NID
0.990-3.60 0xC2EC8F5A

Previous name was sceSblSsMgrGetSysconDataForKernel and sceSblSsMgrNvsReadDataForKernel.

Calls sceSysconNvsReadDataForDriver.

int sceSblNvsReadDataForKernel(int offset, char *buffer, int size);

sceSblNvsWriteDataForKernel

Version NID
0.990-3.60 0xE29E161C

Previous name was sceSblSsMgrSetSysconDataForKernel and sceSblSsMgrNvsWriteDataForKernel.

Calls sceSysconNvsWriteDataForDriver.

int sceSblNvsWriteDataForKernel(int offset, char *buffer, int size);

return_ffffffff

Version NID
0.990-3.60 0x516ECC08

From 0.990 to 3.60, all it does is return -1; // 0xFFFFFFFF.

int return_ffffffff(void);

sceSblQafManagerGetQafTokenForKernel

Version NID
0.990 0x281FD75A

sceSblQafManagerSetQafTokenForKernel

Version NID
0.940-0.990 0x8E9447A1

get_qaf_token

Version NID
1.03 0x228A6653

On 0.990, only returns -1.

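int get_qaf_token(SceQafToken *token)
{
	SceQafToken *temp_token = token;
	char flag;
	int ret; // value when the flag is non-zero is not shown in the reversed code

	sceSblNvsReadDataForKernel(0x480, &flag, 1); // 1-byte flag at NVS offset 0x480
	if (!flag) {
		nvs_read(0x400, temp_token, 0x80); // 0x80-byte Qaf Token at NVS offset 0x400
		ret = exec_qaf_sm(temp_token, 0);
	}
	return ret;
}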

sceSblQafManagerClearQafTokenForKernel

Version NID
0.990 0xD45155C6
int sceSblQafManagerClearQafTokenForKernel(void)
{
  uint32_t ret;
  char buffer[0x80];
  char flag = 1;

  memset(buffer, 0xFF, 0x80); // erased token is all 0xFF
  SceKernelSuspendForDriver_4DF40893(0);
  ret = sceSblNvsWriteDataForKernel(0x400, buffer, 0x80);
  if ( !ret ) // if buffer successfully written, set a flag at 0x480
    ret = sceSblNvsWriteDataForKernel(0x480, &flag, 1);
  SceKernelSuspendForDriver_2BB92967(0);
  return ret;
}

sceSblQafManagerGetQAFlagsForKernel

Version NID
0.990-3.60 0x83D254FF
int sceSblQafManagerGetQAFlagsForKernel(char buffer[0x10]);

sceSblQafManagerGetQafNameForKernel

Version NID
0.990-3.60 0xE2DD0378
if ( byte_81008725 & 2 ) {
	const char *workaround_string = "qaf_workaround";
	memcpy(buffer, workaround_string, max_len);
} else {
	sceSblNvsReadDataForKernel(0x480, &flag, 1); // 1-byte flag at NVS offset 0x480
	if (flag) {
		sceSblNvsReadDataForKernel(0x400, buf, 0x80); // 0x80-byte Qaf Token
		memcpy(buffer, buf, 0x18); // first 0x18 bytes are the QafName
	}
}
int sceSblQafManagerGetQafNameForKernel(char *buffer, unsigned int max_len);

SceSblSsMgrForDriver

Cryptographic functions in this module typically have 3 variations:

  1. Use key - meaning that the key that you provide is used directly for encryption/decryption.
  2. Use slot_id - meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific slot.
    • Note that in this case you select a key from F00D by key_id. It will be encrypted by F00D and placed into the slot selected by slot_id.
  3. Use key_id - meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally.
    • In this case the key from F00D is also selected by key_id and encrypted by F00D. It is then placed into one of the available slots. Default slot range is 0xC-0x17.

sceSblRngPseudoRandomNumberForDriver

Version NID
3.60 0x4F9BFBE5

Temp name was sceSblSsMgrGetRandomNumberForDriver.

int sceSblRngPseudoRandomNumberForDriver(char* result, int size);

sceSblRngGenuineRandomNumberForDriver

Version NID
0.990-3.60 0xAC57F4F0

Temp name was sceSblSsMgrGetRandomDataForDriver.

Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);

Used in SceKrm, SceSblGcAuthMgr.

int sceSblRngGenuineRandomNumberForDriver(char* dest);

sceSblDmac5RndForDriver

Version NID
3.60 0x4DD1B2E5

Temp name was sceSblSsMgrGetRandomDataCropForDriver.

Generates random data of length by executing Dmac5 command 0x04.

Data is then cropped to fit the size in outputBuffer.

Used by SceMsif.

int sceSblDmac5RndForDriver(char* outputBuffer, int size, int unk);

sceSblDmac5AesEcbEncForDriver

Version NID
0.990-3.60 0xC517770D

Temp name was sceSblSsMgrAESECBEncryptForDriver.

Executes Dmac5 command 0x01.

Used in ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// mask_enable = 1
int sceSblDmac5AesEcbEncForDriver(char *src, char *dst, int size, char* key, int key_size, int mask_enable);

sceSblDmac5AesEcbDecForDriver

Version NID
0.990-3.60 0x7C978BE7

Temp name was sceSblSsMgrAESECBDecryptForDriver.

Executes Dmac5 command 0x02.

Used by ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// mask_enable = 1
int sceSblDmac5AesEcbDecForDriver(char *src, char *dst, int size, char* key, int key_size, int mask_enable);

sceSblDmac5AesEcbEncNPForDriver

Version NID
0.990-3.60 0x0F7D28AF

Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// key_id - 0 - used with sceSblAuthMgrSetDmac5Key. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
int sceSblDmac5AesEcbEncNPForDriver(char *src, char *dst, int size, char *key, int key_size, int key_id, int mask_enable);

sceSblDmac5AesEcbDecNPForDriver

Version NID
3.60 0x197ACF6F

Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.

Executes Dmac5 command 0x02.

no usages found

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// key_id - 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
int sceSblDmac5AesEcbDecNPForDriver(char *src, char *dst, int size, char *key, int key_size, int key_id, int mask_enable);

sceSblDmac5AesEcbEncWithKeyslotForDriver

Version NID
3.60 0x01BE0374

Executes Dmac5 command 0x01

used in SceSblMgKeyMgr

// size - size of data in src
// slot_id - 0x1C, 0x1D, 0x1E, 0x1F
// key_size - 0x80 / 0xC0 / 0x100 (size in bits)
// mask_enable = 1
int sceSblDmac5AesEcbEncWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, int mask_enable);

sceSblDmac5AesEcbDecWithKeyslotForDriver

Version NID
3.60 0x8B4700CB

Executes Dmac5 command 0x02.

used by SceSblMgKeyMgr

// size - size of data in src
// slot_id - 0x1D, ?
// key_size - 128 / 192 / 256 (size in bits)
// mask_enable = 1
int sceSblDmac5AesEcbDecWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, int mask_enable);

sceSblDmac5DesEcbEncWithKeyslotForDriver

Version NID
3.60 0x37DD5CBF

Temp name was sceSblSsMgrDES64ECBEncryptForDriver.

This also implements 3DES. Chosen function depends on key size.

  • for 64 - DES
  • for 128 - not tested. assuming 3DES with K1 = K3.
  • for 192 - 3DES

Executes Dmac5 command 0x41.

Used in SceSblMgKeyMgr.

// size - size of data in src
// slot_id - 0x1C, ?
// key_size - 192 (size in bits) - other sizes also work
// mask_enable = 1
int sceSblDmac5DesEcbEncWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, int mask_enable);

sceSblDmac5DesEcbDecWithKeyslotForDriver

Version NID
3.60 0x8EAFB18A

Temp name was sceSblSsMgrDES64ECBDecryptForDriver.

This also implements 3DES. Chosen function depends on key size.

  • for 64 - DES
  • for 128 - not tested. assuming 3DES with K1 = K3.
  • for 192 - 3DES

Executes Dmac5 command 0x42.

Used in SceSblMgKeyMgr.

// size - size of data in src
// slot_id - 0x1C, ?
// key_size - 192 (size in bits) - other sizes also work
// mask_enable = 1
int sceSblDmac5DesEcbDecWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, int mask_enable);

sceSblDmac5DesCbcEncWithKeyslotForDriver

Version NID
3.60 0x05B38698

Temp name was sceSblSsMgrDES64CBCEncryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.

  • for 0x40 - DES
  • for 0x80 - not tested. assuming 3DES with K1 = K3.
  • for 0xC0 - 3DES

Executes Dmac5 command 0x49.

no usages found

// size - size of data in src
// slot_id - 0x1D, ?
// key_size - ? - does not matter ?
// iv - length is 8 for DES - will be updated after encryption (most likely for encrypting data in blocks?)
// mask_enable = 1
int sceSblDmac5DesCbcEncWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, char* iv, int mask_enable);

sceSblDmac5DesCbcDecWithKeyslotForDriver

Version NID
3.60 0x926BCCF0

Temp name was sceSblSsMgrDES64CBCDecryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.

  • for 0x40 - DES
  • for 0x80 - not tested. assuming 3DES with K1 = K3.
  • for 0xC0 - 3DES

Executes Dmac5 command 0x4A.

no usages found

// size - size of data in src
// slot_id - 0x1D, ?
// key_size - ? - does not matter ?
// iv - length is 8 for DES
// mask_enable = 1
int sceSblDmac5DesCbcDecWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, char* iv, int mask_enable);

sceSblDmac5AesCbcEncForDriver

Version NID
0.990-3.60 0xE6E1AD15

Temp name was sceSblSsMgrAESCBCEncryptForDriver.

Executes Dmac5 command 0x9.

Used by ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// mask_enable = 1
int sceSblDmac5AesCbcEncForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int mask_enable);

sceSblDmac5AesCbcDecForDriver

Version NID
0.990-3.60 0x121FA69F

SCE maybe made a typo: sceSblDmac5AEsCbcDecForDriver.

Temp name was sceSblSsMgrAESCBCDecryptForDriver.

Executes Dmac5 command 0xA.

Used by ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// mask_enable = 1
int sceSblDmac5AesCbcDecForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int mask_enable);

sceSblDmac5AesCbcEncNPForDriver

Version NID
0.990-3.60 0x711C057A

Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.

Executes Dmac5 command 0x9.

Used by ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// key_id - 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
int sceSblDmac5AesCbcEncNPForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int key_id, int mask_enable);

sceSblDmac5AesCbcDecNPForDriver

Version NID
0.990-3.60 0x1901CB5E

Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.

Executes Dmac5 command 0xA.

Used by ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// key_id - 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
int sceSblDmac5AesCbcDecNPForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int key_id, int mask_enable);

sceSblDmac5AesCtrEncForDriver

Version NID
1.50 - 3.60 0x82B5DCEF

Temp name was sceSblSsMgrAESCTREncryptForDriver.

Executes Dmac5 command 0x21.

Used by SceNpDrm.

This function can also be used for decryption since CTR is a symmetric function.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// mask_enable = 1
int sceSblDmac5AesCtrEncForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int mask_enable);

sceSblDmac5AesCtrDecForDriver

Version NID
3.60 0x7D46768C

Temp name was sceSblSsMgrAESCTRDecryptForDriver.

Executes Dmac5 command 0x22.

no usages found

This function can also be used for encryption since CTR is a symmetric function.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20
// key_size - 128 / 192 / 256 (size in bits)
// iv - length is 0x10 for AES - will be updated after encryption (most likely for encrypting data in blocks?)
// mask_enable = 1
int sceSblDmac5AesCtrDecForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int mask_enable);

sceSblDmac5Sha1ForDriver

Version NID
3.60 0xEB3AF9B5

Executes Dmac5 command 0x03.

Used by ScePfsMgr.

// size - size of data in src
// iv = 0
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblSsMgrSha1ForDriver(char *src, char *dst, int size, char *iv, int mask_enable, int command_bit);

sceSblDmac5Sha1HmacTransformForDriver

Version NID
0.990-3.60 0x6704D985

Temp name was sceSblSsMgrHMACSHA1ForDriver.

Executes Dmac5 command 0x23.

Used by ScePfsMgr.

Key size is always 256 bits.

// size - size of data in src
// iv = 0
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha1HmacTransformForDriver(char *src, char *dst, int size, char *key, char *iv, int mask_enable, int command_bit);

sceSblDmac5Sha1HmacNPForDriver

Version NID
3.60 0x92E37656

Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.

Executes Dmac5 command 0x23

no usages found

key_size is always 256 bits

// size - size of data in src
// key - length is always 0x20 bytes
// iv = 0
// key_id - 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha1HmacNPForDriver(char *src, char *dst, int size, char *key, char *iv, int key_id, int mask_enable, int command_bit);

sceSblDmac5Sha256HmacForDriver

Version NID
3.60 0x79F38554

Temp name was sceSblSsMgrHMACSHA256ForDriver.

Executes Dmac5 command 0x33.

no usages found

// size - size of data in src
// iv = 0
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha256HmacForDriver(char *src, char *dst, int size, char *key, char *iv, int mask_enable, int command_bit);

sceSblDmac5AesCmacForDriver

Version NID
0.990-3.60 0x1B14658D

Temp name was sceSblSsMgrAESCMACForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv = 0
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int mask_enable, int command_bit);

sceSblDmac5AesCmacNPForDriver

Version NID
3.60 0x83B058F5

Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

// size - size of data in src
// key - length is 0x10 / 0x18 / 0x20 (length in bytes)
// key_size - 128 / 192 / 256 (size in bits)
// iv = 0
// key_id - 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. uses slot_id range 0x0C-0x17 internally
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacNPForDriver(char *src, char *dst, int size, char *key, int key_size, char *iv, int key_id, int mask_enable, int command_bit);

sceSblDmac5AesCmacWithKeyslotForDriver

Version NID
3.60 0xEA6ACB6D

Executes Dmac5 command 0x3B.

no usages found

// size - size of data in src
// slot_id - 0x1D, ?
// key_size - 128 / 192 / 256 (size in bits)
// iv = 0
// mask_enable = 1
// command_bit = 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacWithKeyslotForDriver(char *src, char *dst, int size, int slot_id, int key_size, char *iv, int mask_enable, int command_bit);

sceSblSsMgrExecuteDmac5HashCommandForDriver

Version NID
3.60 0x9641374E

Executes Dmac5 commands related to hash functions.

Used by SceNpDrm.

int sceSblSsMgrExecuteDmac5HashCommandForDriver(char *src, char *dst, int size, char *iv, int mask_enable, int command, int command_bit);

sceSblSsEncryptWithPortabilityForDriver

Version NID
0.990-3.60 0x21EC51F6

Derived from _vshSblSsEncryptWithPortability.

Strangely enough, this does not communicate with F00D through command 0x1000A from encdec_w_portability_sm.self.

typedef struct size_data_pair
{
  int size;
  char data[0x20];
} size_data_pair;

int sceSblSsEncryptWithPortabilityForDriver(int key_id, char *iv, size_data_pair *src, size_data_pair *dst);

sceSblSsDecryptWithPortabilityForDriver

Version NID
0.990-3.60 0x934DB6B5

derived from _vshSblSsDecryptWithPortability

Decrypts or derives AES key that is used in msif to decrypt static sha224 table.

Communication with F00D is done with command 0x2000A from encdec_w_portability_sm.self.

typedef struct ScePortabilityInputData // size of structure is 0x24
{
   uint32_t enc_size; // max size is 0x20
   uint8_t enc_msg[0x20];
} ScePortabilityInputData;

typedef struct ScePortabilityOutputData // size of structure is 0x24
{
   uint32_t plain_size; // max size is 0x20
   uint8_t plain_msg[0x20];
} ScePortabilityOutputData;

int sceSblSsDecryptWithPortabilityForDriver(int key_type, char *iv, ScePortabilityInputData* enc, ScePortabilityOutputData* plain);

sceSblSsGetNvsDataForDriver

Version NID
0.990-3.60 0xFDD6D5DE

derived from _vshSblSsGetNvsData

Calls sceSysconNvsReadDataForDriver.

// index - 0-5
// pData - destination buffer
// size - 2, 4, 8, 0x10, 0x20
int sceSblSsGetNvsDataForDriver(SceSblSsNvsData index, void *pData, int size);

sceSblSsSetNvsDataForDriver

Version NID
0.990-3.60 0x249ADB07

derived from _vshSblSsSetNvsData

Calls sceSysconNvsWriteDataForDriver.

// index - max index is 5
// input - max size is 0x20
int sceSblSsSetNvsDataForDriver(int index, char *input, int size);

sceSblAimgrGetVisibleIdForDriver

Version NID
0.990-3.60 0x04843835

Temp name was sceSblSsMgrGetVisibleIdForDriver, or sceSblSsMgrGetFuseIdForDriver.

Derived from _vshSblAimgrGetVisibleId.

Executes F00D aimgr_sm.self command 0x3.

typedef struct VisibleId {
	char visible_id[0x20];
} VisibleId;

int sceSblAimgrGetVisibleIdForDriver(VisibleId* visible_id);

sceSblAimgrGetConsoleIdForDriver

Version NID
0.990-3.60 0xFC6CDD68

Temp name was sceSblSsMgrGetConsoleIdForDriver.

This function obtains Console Id by executing aimgr_sm.self F00D command 0x1.

typedef struct ConsoleId {
	uint16_t unk; // {0, 0}
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint8_t chassis_check;
	char unknown[7];
} ConsoleId;

int sceSblAimgrGetConsoleIdForDriver(ConsoleId *console_id);

sceSblAimgrGetOpenPsIdForDriver

Version NID
0.990-3.60 0xA5B5D269

Temp name was sceSblSsMgrGetOpenPsIdForDriver.

This function returns information from a static buffer that is initialized on module_start.

Read OpenPsId from sysroot_buffer+0x70 using sceKernelSysrootGetKblParamForKernel.

typedef struct OpenPsId {
	char open_psid[0x10];
} OpenPsId;

int sceSblAimgrGetOpenPsIdForDriver(OpenPsId *open_psid);

sceSblAimgrGetPscodeForDriver

Version NID
0.990-3.60 0xE0DC2587

Temp name was sceSblSsMgrGetPscodeForDriver.

Derived from _vshSblAimgrGetPscode.

This function returns information from a static buffer that is initialized on module_start.

Read PsCode from sysroot_buffer+0xA0 using sceKernelSysrootGetKblParamForKernel.

typedef struct PsCode {
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint16_t factory_code; // = chassis_check >> 2;
} PsCode;

int sceSblAimgrGetPscodeForDriver(PsCode *pscode);

sceSblAimgrGetPscode2ForDriver

Version NID
3.60 0x9A9676D0

Temp name was sceSblSsMgrGetPscode2ForDriver.

Executes F00D aimgr_sm.self command 0x4.

derived from _vshSblAimgrGetPscode2

int sceSblAimgrGetPscode2ForDriver(PsCode *pscode);

sceSblSsCreatePassPhraseForDriver

Version NID
3.60 0xB8B298FD

executes F00D aimgr_sm.self command 0x5

derived from _vshSblSsCreatePassPhrase

//input is of size 0x18
int sceSblSsCreatePassPhraseForDriver(char *input, char *output);

sceSblSsInfraAllocatePARangeVectorForDriver

Version NID
3.60 0xE0B13BA7

Used by SceSblUpdateMgr - does some initialization

int sceSblSsInfraAllocatePARangeVectorForDriver(void *buf, int size, SceUID blockid, SceKernelPaddrList *list);

unk_c38d0cea

Version NID
3.60 0xC38D0CEA

Used by SceSblUpdateMgr - does some cleanup

sceSblSsMemsetForDriver

Version NID
3.60 0xCD98CC92

Used by SceSblPostSsMgr.

void sceSblSsMemsetForDriver(char* dest, char value, int size);

sceSblRtcMgrSetCpRtcForDriver

Version NID
0.940 0xD8F6F110
3.60 moved to PostSsMgr

sceSblRtcMgrGetCpRtcPhysicalForDriver

Version NID
0.940 0xC96622EC
3.60 moved to PostSsMgr

sceSblRtcMgrGetCpRtcLogicalForDriver

Version NID
0.940 0xAF56206D
3.60 moved to PostSsMgr

sceSblLicGetActivationKeyForDriver

Version NID
0.940 0xED4878A4
3.60 moved to PostSsMgr

sceSblLicMgrGetExpireDateForDriver

Version NID
0.940 0xE840CD4E
3.60 moved to PostSsMgr

sceSblPmMgrGetProductModeFromNVSForDriver

Version NID
0.940 0x196C7FB2
3.60 moved to PostSsMgr

sceSblPmMgrSetProductModeForDriver

Version NID
0.940 0x33B706E1
3.60 moved to PostSsMgr

Known values: call it with product_mode 1 then reboot.

void sceSblPmMgrSetProductModeForDriver(int product_mode);

sceSblPmMgrAuthEtoIForDriver

Version NID
0.940 0xB241EA2B
3.60 moved to PostSsMgr

SceSblSsMgr

This library exists on 1.69 but doesn't exist on 3.60.

sceSblSsInfraAllocatePARangeVector

Version NID
0.990 0x8C2822A9

SceSblSsMgr_FAD42134

Version NID
0.990 0xFAD42134

SceSblQafMgr

typedef struct SceQafToken {
  char data[0x80];
  char sig[0x100]; // Not present on FW 0.990. Present on FW 3.60
} SceQafToken;

sceSblQafMgrGetQafToken

Version NID
1.69-3.60 0xB6BAE81D

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafMgrGetQafToken(SceQafToken *qaf_token);

sceSblQafMgrGetQafToken2

Version NID
3.60 0xDFBA8569
int sceSblQafMgrGetQafToken2(SceQafToken *qaf_token);

sceSblQafManagerSetQafTokenForUser

Version NID
1.69-3.60 0x56A16392

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafManagerSetQafTokenForUser(SceQafToken qaf_token);

sceSblQafMgrSetQafToken2

Version NID
3.60 0xF4B5C8A5
int sceSblQafMgrSetQafToken2(SceQafToken qaf_token);

sceSblQafManagerDeleteQafTokenForUser

Version NID
0.940-3.60 0xD542583F

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafManagerDeleteQafTokenForUser(void);

sceSblQafMgrDeleteQafToken2

Version NID
3.60 0x62E30BF4
int sceSblQafMgrDeleteQafToken2(void)
{
  int ret;
  char flag;
  char data[0x80];
  char sig[0x100];

  // the reversed code fills both buffers (0x180 bytes in total) with 0xFF
  memset(data, 0xFF, sizeof(data));
  memset(sig, 0xFF, sizeof(sig));
  SceKernelSuspendForDriver_4DF40893_0(0);
  ret = sceSblNvsWriteDataForKernel(0x400, data, 0x80); // erase Qaf Token
  if ( !ret )
  {
    ret = sceSblNvsWriteDataForKernel(0x5A0, sig, 0x100); // erase Qaf Token RSA signature
    if ( !ret )
    {
      flag = 1;
      ret = sceSblNvsWriteDataForKernel(0x480, &flag, 1); // mark Qaf Token as not set
    }
  }
  SceKernelSuspendForDriver_4DF40893(0);
  return ret;
}

sceSblQafManagerGetQafNameForUser

Version NID
0.940-3.60 0x0F7EA8C2

Wrapper to sceSblQafManagerGetQafNameForKernel.

int sceSblQafManagerGetQafNameForUser(char *buffer, unsigned int max_len);

sceSblQafManagerGetQafName2ForUser

Version NID
3.60 0xF0CA8766
memset(buf, 0, 0x180);
sceSblNvsReadDataForKernel(0x480, buf, 1);
sceSblNvsReadDataForKernel(0x400, buf, 0x80);
memcpy(buffer, buf, 0x18);
sceSblNvsReadDataForKernel(0x5A0, buf, 0x100);
// if all functions returned success
sceSblQafManagerGetQafNameForKernel(buf2, len);
sceKernelMemcpyKernelToUserForDriver(buffer, buf2, len);
int sceSblQafManagerGetQafName2ForUser(char *buffer, unsigned int max_len);

sceSblQafMgrIsAllowMinimumDebugMenuDisplay

Version NID
3.60 0xA156BBD2

return sysroot_buffer->qa_flags[0xF] & 1;

int sceSblQafMgrIsAllowMinimumDebugMenuDisplay(void);

sceSblQafMgrIsAllowLimitedDebugMenuDisplay

Version NID
1.69-3.60 0xC456212D

return (sysroot_buffer->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowLimitedDebugMenuDisplay(void);

sceSblQafMgrIsAllowAllDebugMenuDisplay

Version NID
1.69-3.60 0x66843305

return (sysroot_buffer->qa_flags[0xC] >> 1) & 1;

int sceSblQafMgrIsAllowAllDebugMenuDisplay(void);

sceSblQafManagerIsAllowKernelDebugForUser

Version NID
0.940-3.60 0x11D30766

return sysroot_buffer->qa_flags[0xD] & 1;

int sceSblQafManagerIsAllowKernelDebugForUser(void);

sceSblQafMgrIsAllowForceUpdate

Version NID
1.69-3.60 0x63F29BA0

return (sysroot_buffer->qa_flags[0xF] >> 1) & 1;

int sceSblQafMgrIsAllowForceUpdate(void);

sceSblQafMgrIsAllowNpTest

Version NID
1.69-3.60 0xA9EBCBAC
if (sysroot_buffer->qa_flags[0xF] << 31) // non-zero only when bit 0 is set
   return 1;
else
   return sceSysrootUtMgrHasNpTestFlagForKernel(a1, a2, a3);
int sceSblQafMgrIsAllowNpTest(int a1, int a2, int a3);

sceSblQafMgrIsAllowNpFullTest

Version NID
3.60 0x72168C6E

return (sysroot_buffer->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowNpFullTest(void);

sceSblQafMgrIsAllowNonQAPup

Version NID
1.69-3.60 0xB5621615

return sysroot_buffer->qa_flags[0xF] & 1;

int sceSblQafMgrIsAllowNonQAPup(void);

sceSblQafMgrIsAllowScreenShotAlways

Version NID
1.69-3.60 0xD22A8731

return (sysroot_buffer->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowScreenShotAlways(void);

sceSblQafMgrIsAllowRemoteSysmoduleLoad

Version NID
0.940-3.60 0xF45AA706

return (sysroot_buffer->qa_flags[0xD] >> 1) & 1;

int sceSblQafMgrIsAllowRemoteSysmoduleLoad(void);

SceSblRng

sceSblRngGenuineRandomNumber

Version NID
0.940-0.990 0xD1189305

Temp name was sceSblSsMgrGetRandomData.

Calls sceSblRngGenuineRandomNumberForDriver.

sceSblRngPseudoRandomNumber

Version NID
0.940-0.990 0xD8BC42B8

_sceKernelGetRandomNumber

Version NID
1.69-3.60 0xC37E818C
int _sceKernelGetRandomNumber(int *out, int a2, char a3[8]);

SceSblDmac5Mgr

sceSblDmac5HashTransform

Version NID
1.69-3.60 0x09EBC6EF

This function can execute the following dmac5 commands:

  • 0x3B: CMAC-AES (length 0x10)
  • 0x03: SHA1 (length 0x14)
  • 0x23: HMAC-SHA1 (length 0x14)
  • 0x13: SHA256 (length 0x20)
  • 0x33: HMAC-SHA256 (length 0x20)
typedef struct hash_trans_opt_t //size 0x18
{
   char* src;
   char* dst;
   uint32_t size;
   uint32_t unk_C; // = 0

   uint32_t unk_10; // = 0
   char* iv;
} hash_trans_opt_t;

// flags: 
// 0x000
// 0x400
// 0x800
// 0xC00

int sceSblDmac5HashTransform(hash_trans_opt_t* ctx, int command, int flags);

sceSblDmac5EncDecKeyGen

Version NID
1.69-3.60 0x5BF4F924

This function is also named sceSblDmac5AesCbcDecKeyGen or sceSblDmac5AesCbcEncKeyGen in SceGameDataPlugin

typedef struct keygen_ctx //size is 0x18
{
   char *src; 
   char *dst; 
   int size; 
   char* key; 
   
   uint32_t key_size;     // (in bits)
   char* out; //hash ?
} keygen_ctx;

// command - 0xA (dmac5 command AES-192-CBC decrypt)
// command - 0x9 (dmac5 command AES-192-CBC encrypt)
int sceSblDmac5EncDecKeyGen(keygen_ctx* ctx, int key_id, int command);

sceSblDmac5EncDec

Version NID
0.990-3.60 0xD0B1F759
int sceSblDmac5EncDec(void *args, int command);

sceSblDmac5EncDecNP

Version NID
0.940 0x30702CC7

sceSblDmac5HmacKeyGen

Version NID
3.60 0xCCE57D33

This function is named sceSblDmac5HmacKeyGen in SceSysLibTrace but is also called sceSblDmac5Sha256HmacKeyGen in SceGameDataPlugin.

// data is of size 0x18 (24 - 192 bits ?)
// unk1 - 0x20001
// command - 0x33 (dmac5 HMAC-SHA256 command)
// flags - 0x400, 0x800, 0xC00
int sceSblDmac5HmacKeyGen(char* data, int unk1, int command, int flags);

SceSblAimgr

_sceKernelGetOpenPsId

Version NID
1.69-3.60 0x6E283E2E
int _sceKernelGetOpenPsId(char open_psid[0x10]);