Syscon Update: Difference between revisions
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) (→0x03) |
||
Line 122: | Line 122: | ||
=== 0x03 === | === 0x03 === | ||
This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185. | |||
{| class="wikitable" | {| class="wikitable" | ||
Line 132: | Line 130: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| 0x4 || 0x1C || | | 0x4 || 0x18 || Unknown data | ||
|- | |||
| 0x1C || 0x4 || Padding | |||
|} | |} | ||
Revision as of 12:42, 23 February 2021
Structure
Ernie updates are stored in a packet format.
Packet Header
Any update packet has a common header structure.
Offset | Size | Description |
---|---|---|
0x0 | 0x1 | Type (ex: 1, 2, 0x10, 0x20) |
0x1 | 0x1 | Header Size (ex: 0x10, 0x18) |
0x2 | 0x2 | Size (ex: 0, 0x400, 0x800) |
Packet size varies depending on the hardware revision of Syscon:
Renesas 78K0R/Kx3: 0x800 Renesas 78K0R/Kx3-L: 0x400 Renesas RL78/G13: 0x400
Packet Types
0x01
Version packet.
This packet is update header field.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Ernie Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
0x8 | 0x4 | Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) |
0xC | 0x4 | Padding |
Ernie Version and Hardware Info from a few PUPs:
1.80 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 1.81 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 3.15 CEX 11 05 03 01 38 50 80 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 3.30 CEX 11 05 03 01 38 50 80 00 01 03 04 01 30 30 72 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 1.69 TOOL 06 03 00 01 00 40 41 00 06 03 00 01 00 50 41 00 03 02 09 00 00 50 31 00 06 03 00 01 00 10 41 00 06 03 00 01 00 52 41 00 06 03 00 01 03 26 10 00 06 03 00 01 00 52 31 00 1.80 TOOL 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 41 00 0B 06 00 01 00 52 41 00 06 03 00 01 03 26 10 00
0x02
Key revision packet.
This packet embeds the encryption key revision used to decrypt the Syscon update packets.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Unknown/Unused. Maybe decryption algorithm. (ex: 0) |
0x8 | 0x4 | Key revision (ex: 0, 1, 2) |
0xC | 0x4 | Padding |
- Key revision 0 is for Renesas 78K0R Proto. It is supported since at least FW 0.931 (FW 0.902 doesn't support this) until FW 1.692.
- Key revision 1 is for Renesas 78K0R. It is supported since about FW 1.00. It is the key revision for most Fat PSVitas and for PSTV.
- Key revision 2 is for Renesas RL78. It is supported since FW 2.50. It is the key revision for PSVita Slim Syscon.
0x03
This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x18 | Unknown data |
0x1C | 0x4 | Padding |
0x10
Encrypted data packet.
Each data packet is AES128CBC encrypted.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Data packet index (ex: 0, 1, ...) |
0x8 | 0x4 | Encrypted data size (ex: 0x400 for Renesas RL78, 0x800 for Renesas 78K0R) |
0xC | 0x4 | Padding |
0x10 | Variable | Encrypted data |
0x20
Digest packet.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x14 | Digest. Sha-1 hash of decrypted concatenated packets. |
Ernie Update steps
- ARM PSVita updater arrives at last step: Ernie update.
- ARM PSVita updater decrypts Ernie update SPKGs til it finds one whose Hardware Info matches.
- ARM PSVita updater sends the encrypted data blocks directly to Ernie using some command.
- ARM PSVita updater sends the digest packet directly to Ernie using some command.
- Ernie decrypts concatenated received blocks using AES128CBC.
- Ernie computes sha1 over the decrypted concatenated data and compares with the received digest.
- Ernie installs the update using the decrypted data.