KBL Param
Revision as of 07:48, 1 September 2022
The KBL Param buffer (its temporary name was sysroot buffer) is a 0x100 or 0x200 byte buffer passed to the Secure Kernel BootLoader in the scratch space; it contains all sorts of flags and system parameters. The buffer is created by Second Loader, copied to Secure Kernel, passed to the Secure and Non-Secure Kernel BootLoaders, and finally to the non-secure kernel. It is used by many functions to check which features are enabled for the system. The strategy behind this buffer is to compute the frequently used information once, to share it between all security layers so that generator code does not have to be implemented several times, and to place the generation code in the most secure layer: second_loader (first_loader is excluded because it is not updatable and contains minimal code).
Structure
Offset | Size | Set by | Description |
---|---|---|---|
0x0 | 0x2 | second_loader | Version (usually 1) |
0x2 | 0x2 | second_loader | Size. Size of this structure. 0x100 or 0x200. |
0x4 | 0x4 | second_loader | Current Firmware Version |
0x8 | 0x4 | second_loader | Minimum Firmware Version. Comes from SMI IdStorage leaf. |
0xC | 0x4 | Unknown | Unknown |
0x10 | 0x4 | Unknown | Used for Kit Activation. If lower than 0x20, the Kit is fake activated (License Status = 0, Issue No = 0, Expire Date = 0xffffffff). If lower than 0x30, the default bus error handler is not registered in SceKernelBusError. |
0x14 | 0xC | Unknown | maybe unused |
0x20 | 0x10 | second_loader | QA flags |
0x30 | 0x10 | second_loader | Boot flags |
0x40 | 0x20 | second_loader | DIP Switches |
0x60 | 0x4 | second_loader | DRAM base paddr (0x40000000) |
0x64 | 0x4 | second_loader | DRAM size (0x20000000 on retail and testkit, 0x40000000 on DevKit in DevKit Memory Size mode) |
0x68 | 0x4 | Unknown | unk |
0x6C | 0x4 | second_loader | Boot type indicator 1 |
0x70 | 0x10 | second_loader | OpenPsId. Comes from IdStorage. |
0x80 | 0x4 | second_loader | secure_kernel.enp raw data paddr (optional) |
0x84 | 0x4 | second_loader | secure_kernel.enp size (optional) |
0x88 | 0x4 | second_loader | context_auth_sm.self raw data paddr |
0x8C | 0x4 | second_loader | context_auth_sm.self size |
0x90 | 0x4 | second_loader | kprx_auth_sm.self raw data paddr |
0x94 | 0x4 | second_loader | kprx_auth_sm.self size |
0x98 | 0x4 | second_loader | prog_rvk.srvk raw data paddr |
0x9C | 0x4 | second_loader | prog_rvk.srvk size |
0xA0 | 0x8 | second_loader | PsCode. Comes from IdStorage. |
0xA8 | 0x4 | second_loader | __stack_chk_guard. Set by Second Loader to a pseudo random number. Exported by SceSysmem as __stack_chk_guard. |
0xAC | 0x4 | second_loader | Unknown. Set by Second Loader to a pseudo random number. |
0xB0 | 0x10 | second_loader | Session ID |
0xC0 | 0x4 | second_loader | Sleep Factor. Comes from syscon cmd 3. |
0xC4 | 0x4 | second_loader | Wakeup Factor. Comes from syscon cmd 0x10. |
0xC8 | 0x4 | second_loader | Unknown, contains USB info. Comes from syscon cmd 0x800 (?device model dependent?). (ex: 0x40 PSVita usually, 0x60 PSTV usually, 0x64 DEM-3000H, 0x1C0 PC USB -> charge USB on FAT, 0x2D2 PC USB -> USB -> charge USB on FAT, 0x2D3 charge USB on FAT, 0x3D2, 0xC001C0 USB charge on SLIM, 0xC503D2 USB charge on SLIM, 0xC501CA USB data to PC) |
0xCC | 0x4 | second_loader | Boot Controls Info. Comes from syscon cmd 0x100. |
0xD0 | 0x4 | second_loader | suspendinfo_adr. Resume context physical address. Comes from syscon cmd 0x90 offset 0xC. |
0xD4 | 0x4 | second_loader | Hardware Info. Comes from syscon cmd 5. |
0xD8 | 0x4 | second_loader | Power Info |
0xDC | 0x4 | Unknown | unk |
0xE0 | 0x4 | second_loader, SceDriverTzs | If resume, always 0 (second_loader). |
0xE4 | 0x4 | Unknown | unk |
0xE8 | 0x10 | second_loader | Hardware flags. Comes from syscon cmd 6. |
0xF8 | 0x4 | second_loader | BootLoader Revision |
0xFC | 0x4 | Unknown | KBL Param Magic value (0xCBAC03AA) |
0x100 | 0x20 | second_loader | Coredump Encrypted Session Key (FW 2.12+) |
QA flags
To enable QA flags, the following must be set:
- SNVS mgmt qaf init flag
- SNVS sector 0x15 qafv
- write the NVS qaf enable area
- write the QA token to NVS at offset 0x400 (0x80 bytes)
- write the QA RSA signature to NVS at offset 0x5A0 (0x100 bytes)
- DIP switch qaf enable bit (clear bit 0xF0)
In the following table bytes are counted from left to right and bits from left to right too (little-endian). However the OS uses bit masking for QA flags (unlike bit shifting for DIP Switches).
Byte (0-0xF) - mask = 1 << (bit_no & 7) | Description | Used in |
---|---|---|
Byte 0x6 - mask 2 | Allow ScreenShot Always, Np Full Test, Limited Debug Menu Display | Shell, Settings |
Byte 0x9 - mask 0x1 | Used on FW 0.931 by SceSblACMgrForKernel_F7524073 | |
Byte 0xB - mask 0x4 | Use qa spsfo key. If no set, Overwrite qa spsfo key by spsfo key. | kprx_auth_sm |
Byte 0xB - mask 0x10 | Allow MagicGate, Bypass platform (Test/Tool/Diag) requirement for loading of fSELF with attribute 128 | secure_kernel |
Byte 0xC - mask 2 | Allow All Debug Menu Display | Settings |
Byte 0xC - mask 4 | Skip version checks in system updates, Allow DevKit PspEmu | Updater, compat_sm |
Byte 0xD - mask 1 | Allow Kernel Debug (NSKBL logging level set to 0 instead of 1/2, 1 instead of 2, deci4p_sdbgp), CMeP Debug, USB Enum Wake Up Debug Menu | secure_kernel, most NS and S kernel modules |
Byte 0xD - mask 2 | Allow Remote Sysmodule Load (host0:), Dictates if you can pass arguments to sceAppMgrLaunchAppByPathForDriver | secure_kernel, SceAppMgr |
Byte 0xE - mask 1 | Allow Remote SM and Kernel module Load (host0:), Allow ASLR Disable, Force Load Kernel Module in NSKBL (loop until success) | second_loader, secure_kernel, NSKBL |
Byte 0xF - mask 1 | Allow NonQA Pup, Minimum Debug Menu Display, Enable DMAC5 keyset 0x10001 in kprx_auth_sm | kprx_auth_sm (DMAC5 key related), secure_kernel, update_service_sm, Updater, Settings |
Byte 0xF - mask 2 | unknown | update_service_sm |
To check: Byte 0xF bit 7, byte 0xE bit 7, byte 0xE bit 6, byte 0xB bit 3: Revocation related.
The data below contain QA Flags captured (at 0x20 in KBL Param and 0x10 in decrypted QA token) from multiple PS Vita System Debugger units (DEM-3000H, DEM-3000L, DEM-3000JEC and PDEL-1000 System Debuggers):
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020  33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01  3.......s.......
```
Boot flags
These Boot flags come from Ernie NVS.
On FW 3.60, second_loader generates the boot flags as following:
- byte 0 = NVS 0x4A0
- byte 1 = NVS 0x481
- byte 2 = 0
- byte 3 = NVS 0x483
- byte 4 = NVS 0x487
- byte 5 = NVS 0x486
- byte 6-0xF = 0
Example: FF FF 00 FF FF FF 00 00 00 00 00 00 00 00 00 00
Bit | Description |
---|---|
47 | use internal storage |
- byte 0: 0xFF - not update mode
- byte 1: 0xFF - extra UART not enabled
- byte 3: 0xFF - not safe mode
- byte 4: 0xFF - unknown, maybe not used on FWs <= 0.995
- byte 5: 0xFF on FAT (no internal storage) or on PSTV/SLIM with internal storage enabled; 0xFE on PSTV or SLIM with internal storage disabled; maybe not used on FWs <= 0.995
DIP Switches
DIP switches area embeds two parts: Communication Processor information as 32-bit integers, followed by DIP switches stored as bit flags.
Offset | Size | Description |
---|---|---|
0x40 | 0x4 | CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35) |
0x44 | 0x2 | CP Version (ex: 0x1301 -> 1301 on PDEL-100x) |
0x46 | 0x2 | CP Board ID (3 on DEM-300xH, 4 on PDEL-100x) |
0x48 | 0x4 | CP Timestamp 2 (identical as CP Timestamp 1) |
0x4C | 0x4 | ASLR Seed (?USER flags?) (also set on Retail and TestKit) (ex: 0x00000000 on a DEM-300xH) |
0x50 | 0x4 | SDK (SCE) flags (ex: 0x80000000, 0x80000001, 0x80000003, 0x81000000, 0x81000001, 0, 2) |
0x54 | 0x4 | Shell flags (ex: 0x00000000 on a DEM-300xH) |
0x58 | 0x4 | Debug control flags (ex: 0x000413E7 on a DEM-300xH, 0x001453E7 dev mode, 0x00080002 release mode) |
0x5C | 0x4 | System control flags (ex: 0x2000001C on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode) |
DIP Switches bit flags resolving
Warning: DIP Switches bit flags actually start at offset 0x10 (before that is CP information), which implies the first bit flag number is 128 (bit_num = offset * 8).
DIP Switches bit flags follow little-endian logic, which makes it hard to visualize in commonly used big-endian hexadecimal:
- ((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000001 (big-endian in hex) = 01 00 00 00 (little-endian in hex) = 10000000 00000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 128
- ((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000002 (big-endian in hex) = 02 00 00 00 (little-endian in hex) = 01000000 00000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 129
- ((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x00000100 (big-endian in hex) = 00 01 00 00 (little-endian in hex) = 00000000 10000000 00000000 00000000 (little-endian in base 2) <- the 1 corresponds to bit flag number 136
- ((uint32_t *)kbl_param->dipsw[0x10])[0] = 0x80000000 (big-endian in hex) = 00 00 00 80 (little-endian in hex) = 00000000 00000000 00000000 00000001 (little-endian in base 2) <- the 1 corresponds to bit flag number 159
As you can see, this representation makes it inconvenient to tell which byte in memory holds a given bit flag, so instead we use a formula to convert a bit number to an offset and a bit: offset = (bit_num / 32) * 4, bit = bit_num & 31. This is used for example in the following code:
```c
SceBool sceKernelCheckDipswForDriver(SceUInt32 no) {
    return (*(SceUInt32 *)(kbl_param->dipsw + (no >> 5) * 4) >> (no & 31)) & 1;
}
```
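As an added example (not code from this wiki, the SDK or the kernel), the following C program implements the offset/bit formula above, a range-checked version of the sceKernelCheckDipswForDriver lookup, a cached set/clear in the style of sceKernelSetDipsw/sceKernelClearDipsw (only the in-memory copy changes), and the byte-and-mask QA flag test from the QA flags section. The dipsw and QA flag contents are constructed samples assembled from example values in the tables and the dump above; the function names and the read_le32/write_le32 helpers are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBL_DIPSW_SIZE    0x20  /* DIP Switches area, KBL Param offset 0x40 */
#define KBL_QA_FLAGS_SIZE 0x10  /* QA flags area, KBL Param offset 0x20 */

/* bit number -> byte offset of its 32-bit word in the dipsw area, and bit index in that word:
 * offset = (bit_num / 32) * 4, bit = bit_num & 31 (the formula from the text above). */
uint32_t dipsw_word_offset(uint32_t no) { return (no >> 5) * 4; }
uint32_t dipsw_bit_in_word(uint32_t no) { return no & 31; }

/* Byte-wise little-endian accessors (portable; the kernel uses a direct pointer cast instead). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same lookup as sceKernelCheckDipswForDriver, with a range check: 0/1, or -1 if no is out of range. */
int dipsw_check(const uint8_t *dipsw, uint32_t no) {
    if (no >= KBL_DIPSW_SIZE * 8) return -1;
    return (int)((read_le32(dipsw + dipsw_word_offset(no)) >> dipsw_bit_in_word(no)) & 1);
}

/* Cached set/clear in the style of sceKernelSetDipsw / sceKernelClearDipsw: only the copy in
 * memory changes, nothing is written to hardware. */
int dipsw_set(uint8_t *dipsw, uint32_t no, int on) {
    if (no >= KBL_DIPSW_SIZE * 8) return -1;
    uint8_t *word = dipsw + dipsw_word_offset(no);
    uint32_t v = read_le32(word), bit = 1u << dipsw_bit_in_word(no);
    write_le32(word, on ? (v | bit) : (v & ~bit));
    return 0;
}

/* QA flag lookup: byte index 0-0xF and a mask (1 << (bit_no & 7)); masking, not shifting. */
int qaf_check(const uint8_t *qa_flags, unsigned byte, uint8_t mask) {
    if (byte >= KBL_QA_FLAGS_SIZE) return -1;
    return (qa_flags[byte] & mask) ? 1 : 0;
}

/* Constructed sample dipsw area, filled with example values taken from the DIP Switches table. */
void sample_dipsw(uint8_t dipsw[KBL_DIPSW_SIZE]) {
    memset(dipsw, 0, KBL_DIPSW_SIZE);
    write_le32(dipsw + 0x00, 0x4AD86AB3);   /* CP timestamp 1 */
    dipsw[0x04] = 0x01; dipsw[0x05] = 0x13; /* CP version 0x1301, little-endian */
    dipsw[0x06] = 0x03;                     /* CP board ID 3 */
    write_le32(dipsw + 0x08, 0x4AD86AB3);   /* CP timestamp 2 */
    write_le32(dipsw + 0x10, 0x80000000);   /* SDK flags: only bit 159 (development_mode) */
    write_le32(dipsw + 0x18, 0x000413E7);   /* Debug control flags, DEM-300xH example */
    write_le32(dipsw + 0x1C, 0x2000001C);   /* System control flags, DEM-300xH example */
}

/* Constructed QA flags sample: the 16 bytes at offset 0x20 in the dump above. */
static const uint8_t SAMPLE_QA_FLAGS[KBL_QA_FLAGS_SIZE] = {
    0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x05,
    0x73, 0x01, 0x00, 0x01, 0x06, 0x03, 0x03, 0x01 };

int sample_dipsw_check(uint32_t no) {
    uint8_t d[KBL_DIPSW_SIZE];
    sample_dipsw(d);
    return dipsw_check(d, no);
}
/* Flip one switch in the cached copy and read it back (exercises dipsw_set). */
int sample_dipsw_set_then_check(uint32_t no, int on) {
    uint8_t d[KBL_DIPSW_SIZE];
    sample_dipsw(d);
    if (dipsw_set(d, no, on) != 0) return -1;
    return dipsw_check(d, no);
}
int sample_qaf_check(unsigned byte, uint8_t mask) { return qaf_check(SAMPLE_QA_FLAGS, byte, mask); }

int main(void) {
    printf("dipsw 159 development_mode: %d\n", sample_dipsw_check(159));
    printf("dipsw 210 allow kernel budget: %d\n", sample_dipsw_check(210));
    printf("dipsw 195 nouse_dbgusb: %d\n", sample_dipsw_check(195));
    printf("QA byte 0xD mask 1 (kernel debug): %d\n", sample_qaf_check(0xD, 1));
    return 0;
}
```

With the sample values, bit 159 (development_mode) and bit 210 (Allow Kernel Budget, bit 18 of 0x000413E7) read as set, bit 195 (nouse_dbgusb) as clear, and QA byte 0xD mask 1 (Allow Kernel Debug) as set, since byte 0xD of the captured flags is 0x03.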
CP Information
Bits 0-31 form a 32-bit integer holding the current time on the CP clock. This is duplicated in bits 64-95. Bits 32-47 form a 16-bit integer holding the CP version and bits 48-63 a 16-bit integer holding the CP board ID. All integers are little-endian. On units that do not have a CP, these fields are zeroes.
Bits 96-127 form a 32-bit ASLR seed that is randomized on each boot in second loader. It can be disabled by setting a specific DIP switch or QA flag byte 0xE mask 1.
Bits 0-63 are also manipulable as general purpose DIP Switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw, but these functions do not change anything in hardware (only cached values are overwritten in SceSysmem).
According to SDK only DIP Switches 0-63 are accessible from usermode, however:
- On FW 0.990 (but not on FW 0.931 nor 3.60), DIP Switch number 237 is the only one out of range 0-63 that can be set from usermode.
- Usermode SELFs can use DIP Switches number > 63 if they have a special attribute or capability in SELF Auth Info.
SDK (SCE) flags
Bits 128-159 are used for DevKit Boot Parameters.
Bit | Name | Description |
---|---|---|
128 | memory_size_switch | Memory Size. Console Size: 1 - Development Tool Size: 0. (Extended game memory) |
129 | release_check_mode_console | Release Mode Console. On: 1 - Off: 0 |
152 | platform_emulation_dolce | PS TV Emulation. On: 1 - Off: 0 |
159 | development_mode | Release Check Mode. Development Mode: 1 - Release Mode: 0 |
Shell flags
Bits 160-191 are used for SceShell flags.
Bit | Name | Description |
---|---|---|
168 | | Memory Size. |
184 | enable_extra_tty | Enable extra TTY: On: 1 - Off: 0. (tty7:) |
185 | | Enable System Boot Time Notifications: On: 1 - Off: 0 |
187 | | Allow processes to run on all cores (CPU affinity): On: 1 - Off: 0 |
Debug control flags
Bits 192-223 are for various debug options.
Bit | Description |
---|---|
192 | ? |
193 | Enable SDbgSdio, deci4p_sdfmgr, deci4p_sttyp |
194 | Enable CP (if disabled it disables Cpup, DbgSdio and UsbDbg) |
195 | Disable USB Debug. nouse_dbgusb (if enabled, SceUsbDbg does not init). |
196 | Enable kernel UART console logging (if enabled, UART is initialized and SceDebug handlers are set to UART functions). Or disable remote power control. |
197 | Enable kernel console logging: On: 1 - Off: 0 |
199 | Enable TTY stdio ("tty0:"): On: 1 - Off: 0 |
200 | Stop when an assertion fails: On: 1 - Off: 0 |
201 | Set minimum assertion level to 1: On: 1 - Off: 0. Used in SceSysmem. |
202 | Set minimum assertion level to 2: On: 1 - Off: 0. Used in SceSysmem. |
204 | Set minimum log level to 1: On: 1 - Off: 0. Used in NSKBL and SceSysmem. |
205 | Set minimum log level to 2: On: 1 - Off: 0. Used in NSKBL and SceSysmem. |
206 | Allow to syscall debug. Used by SceKernelThreadMgr. |
210 | Allow Kernel Budget (Enable Devkit 512MiB DRAM): On: 1 - Off: 0 |
211 | Enable usermode UART console logging. Enables SceTty2uart. Used in SceCoredump. |
212 | Mapping secret memory. Used in NSKBL and SceSysmem, ScePamgr. Works with dipsw 213. |
213 | Mapping option. Used in NSKBL and SceSysmem, ScePamgr. Works with dipsw 212. |
214 | Disable ASLR. |
215 | Maybe Enable DECI4P System Debug process Trace. |
216 | Wipe SceKernelBootStackCore0 in NSKBL: On: 1 - Off: 0. Used on FW 0.990 by functions SceKernelThreadMgr#SceThreadmgrForKernel_CA84C603 and SceKernelThreadMgr#SceThreadmgrForKernel_05F5306C and on FW 3.60 by NSKBL. |
217 | Enable path logging. Used by SceIofilemgr. If set, SceKernelThreadMgr sets kernel thread stack size to 0x4000-bytes instead of 0x1000-bytes. |
222 | Enable KBL Simple Memory Test over ScePowerScratchPad32KiB. See Physical Memory, SKBL. |
223 | Enable KBL Simple Memory Test over Secure DRAM. See Physical Memory, SKBL. |
System control flags
Bits 224-255 are used for various system options.
Bit | Description |
---|---|
224 | Allows loading sd0:psp2-config.txt |
225 | L2 Cache Disabled? (0 = L2 Cache ON, 1 = L2 Cache OFF). Used in SceSysmem, NSKBL when doing something with exception stacks |
228 | Enables hardware break/watch point. Used in SKBL, SceProcessmgr and SceKernelThreadMgr. SKBL seems to enable/disable unknown devices. SceKernelThreadMgr copies some process info to SceKernelThreadObject related to breakpoints. |
229 | HDCP enable/disable |
231 | used by SceIofilemgr |
232 | ? Used in second_loader. DIP Switches 232, 240 and 241 are related. |
236 | GPU overclock. When enabled, GPU and GPU Xbar are overclocked from 111MHz to 166MHz. |
237 | On FW 0.990 (but not on FW 0.931 nor 3.60), this is the only DIP switch out of range 0-63 that can be set from usermode. |
238 | Underclock. When enabled, something is underclocked from 222MHz to 111MHz. |
239 | Underclock/overclock related. |
240 | Disable QA flags. Used in second_loader. DIP Switches 232, 240 and 241 are related. |
241 | Disable QA flags 0xD mask 1 and 0xE mask 1. Used in second_loader. DIP Switches 232, 240 and 241 are related. |
250 | Enable "tty0:" |
251 | Enable "dummytty0:". Also allows sysmodule loading from host0: (SceSysmodule debug). |
252 | Allow host0: access. Used in SceSysStateMgr, SceSblFwLoader. |
253 | Enable some console logging: On: 1 - Off: 0. Used in NSKBL. |
How second_loader uses the system control flags when loading QA flags (pseudocode):
```c
if ((system_control_flags & 1) != 0) {
    // not allowed to load QA flags
} else {
    // allowed to load QA flags
}
if ((system_control_flags & 2) != 0) {
    // clear QA flags
    // (sceSblQafMgrIsAllowKernelDebugForDriver, SceQafMgrForDriver_52B4E164,
    //  SceQafMgrForDriver_082A4FC2 and SceQafMgrForDriver_883E9465 will then return false)
}
```
Boot type indicator 1
The official name is unknown, so we call it Boot type indicator 1.
- 0x1: external boot mode. It is used in internal FWs to boot in external mode. It cannot be set in external (release) second_loader.
- 0x2: seems to be never set in external (release) second_loader
- 0x4: product mode. manufacturing mode (Mgmt bit 0)
- 0x8: seems to be never set in external (release) second_loader. Required by FW 0.931 SKBL to perform memory tests.
- 0x40: use special media type. Never set in external (release) second_loader. Used in NSKBL when loading modules from sd0:.
- 0x10000: seems to be never set in external (release) second_loader, allows to bypass current fw check for module loading
- 0x20000: on resume, no boot logo
- 0x40000: manufacturing mode (Mgmt bit 0) and GCSD initialized (for mounting sd0:) by second_loader using Ernie command 0x888
- 0x80000: ?sd mode? - (Mgmt bit 1)
Sleep Factor
This is a guessed name.
Used by SceSysmem#sceKernelSysrootIsUsbEnumWakeupForKernel.
- 1 bsod reboot (or other serious factors)
- 0x10 bsod poweroff
- 0x400 usually
- 0x20000 unknown
Wakeup Factor
Wakeup Factor is only 2 bytes but to preserve alignment, in KBL Param it is extended to 4 bytes.
- 00 00 00 00 coldboot on a DEM-3000H
- 01 XX XX XX unknown
- 04 00 00 00 reboot
- 0E XX XX XX related to USB Enum Wakeup(maybe devkit)
- 0F 00 00 00 USB Enum Wakeup
- 14 00 00 00 boot with power hold
- 00 FF 00 00 maybe coldboot
- 04 FF 00 00 reboot
- 14 FF 00 00 boot with power hold
- 16 FF 00 00 boot by charge cable
- 17 XX 00 00 BSOD reboot
- 80 00 00 00 after suspend
Deduction:
- 1: Maybe do not show lock screen
- 2: USB enum wakeup
- 4: reboot
- 0x8: BSOD
- 0xB: goes to safe mode
- 0x10: abnormal boot
- 0x1F: goes to safe mode
- 0x20: unknown
- 0x80: resume from suspend mode
- 0xFF00: ?battery related?
Boot Controls Info
This information can be parsed the same way as in SceSysconControl.
Keys combo:
- Enter Safe mode: Power + PS + R
- Rebuild Database: Power + PS + R + (Square or Cross)
- Set Production Mode On for Prototype: Power + PS + Square + Cross + Up + Left
- Set Production Mode On: Power + PS + R + Square + Cross (not present on FW 0.931, present on FWs 0.940+)
Note:
- Set Production Mode On combos are not needed on genuine PSTV in Wakeup Factor flag 0x20 and are only checked when Wakeup Factor flags 0xB or 0x20 are set.
- Set Production Mode On requires Jig connected else it fails with error 0x800F0A05 on set_pm STEP 8657.
Hardware Info
Hardware Info is obtained from Ernie.
It can be obtained using SceSyscon#sceSysconGetHardwareInfoForDriver or SceSyscon#sceSysconGetHardwareInfo2ForDriver. It can also be seen in the packet header in Syscon Update.
The following list is ordered by Ernie version, that should approximately match the hardware revision order.
- 0x00101003: supports FW 0.931
- 0x00102003: supports FW 0.931
- 0x00314000: supports FW 0.931
- 0x00102403: supports FW 0.931-1.691
- 0x00315000: certainly DEM-3000G (IRT-001), supports FW 0.931-1.691
- 0x00102603: supports FW 0.940-3.68
- 0x00315200: certainly DEM-3000H (IRT-001), supports FW 0.940-1.691
- 0x00411000: certainly DEM-3000JEC (IRT-002), supports FW 0.990-1.691, Product Sub Code 7, 9 or 0xA probably
- 0x00414000: DEM-3000K (IRT-002), supports FW 0.990-1.691, Product Sub Code 9
- 0x00415000: DEM-3000L (IRT-002), supports FW 0.996-1.691, Product Sub Code 0xB
- 0x00415200: certainly DEM-3000P (IRT-002), supports FW 0.996-3.68, Product Sub Code 0xC or 0xF probably
- 0x00416000: PDEL-10XX (IRT-002), supports FW 1.000-3.68, Product Sub Code 0x10
- 0x00404000: unknown DEX model, CEM-3000, supports FW 0.990-1.692
- 0x00404100: unknown DEX model, CEM-3000, supports FW 0.990-1.692
- 0x00404400: unknown DEX model, CEM-3000, supports FW 0.990-1.692
- 0x00404600: DEX model, CEM-3000NE2, supports FW 0.990-1.692
- 0x00404800: unknown DEX model, supports FW 1.66-1.692
- 0x00405000: unknown DEX model, supports FW 1.66-3.68
- 0x00405200: unknown DEX model, supports FW 1.66-3.68
- 0x00406000: PCH-10XX / PTEL-10XX (IRS-002 without 3G PCIe) -> supports FW 1.04-3.73, CEM-3000NP1 -> supports FW 1.00-3.73
- 0x00406002: PCH-11XX (IRS-002 with 3G PCIe), supports FW 1.04-3.73
- 0x0051XXXX: Prototype PS TV.
- 0x00601000: unknown TOOL/DEX/CEX model (IRS-1001), supports FW 1.80-3.73
- 0x00602000: unknown DEX/CEX model (IRS-1001), supports FW 1.80-3.73
- 0x00603000: unknown DEX/CEX model (IRS-1001), supports FW 1.80-3.73
- 0x00603200: PCH-10XX / PCH-11XX (IRS-1001), supports FW 1.80-3.73
- 0x00703000: CEM-3000P01 (DOL-1001), supports FW 2.50-3.73
- 0x00703030: VTE-10XX (DOL-1001), supports FW 2.50-3.73
- 0x00805038: PCH-20XX / PTEL-20XX (USS-1001), supports FW 2.50-3.73
- 0x00723030: VTE-10XX (DOL-1002), supports FW 3.30-3.73
- 0x00822238: PCH-20XX (USS-1002), supports FW 3.50-3.73
- 0x0090XXXX: Unknown prototype.
Bytes meaning
As PS Vita uses little-endian, we describe here in the same order, from the lowest to the highest.
First byte
This byte indicates the presence of some components. It works by bit flags:
- 0x01: ?SD card reader? (some DevKits and prototypes)
- 0x02: has WWAN (3G modem). This is what SceBbmc checks to know if 3G modem is supported.
- 0x04: unknown
- 0x08: ?microUSB? (Slim only)
- 0x10: is MC emu capable (Slim and PS TV only). MC Emulation is done by partitioning the internal memory EMMC.
- 0x20: has hw_info_2 (Slim and PS TV only)
- 0x40: is Show mode.
  - Used by SceDs3. If the registry "/CONFIG/SYSTEM/dualshock4_usb" is enabled, is ds4 also available?
- 0x80: is IDU mode
Second byte
This byte indicates the motherboard minor version. It is relative to the motherboard main version which is indicated by third byte.
Third byte
This byte indicates the motherboard main version:
- 10 -> unknown prototype motherboard, has Syscon, maybe IRS-001
- 31 -> IRT-001
- 40 -> IRS-002
- 41 -> IRT-002
- 51 -> PS TV prototype motherboard
- 60 -> IRS-1001
- 70 -> DOL-1001
- 72 -> DOL-1002
- 80 -> USS-1001
- 82 -> USS-1002
- 90 -> unknown prototype motherboard
We can also guess that flag 1 means that the console has a Communication Processor.
Fourth byte
This byte is reserved in case 3 bytes become insufficient to encode all Hardware Info:
- 00 -> default, unused
Power Info
Experimental point of view
- No AC connected + No POWER Button pressed: 0x0
  - ex: rebooting PSVita by software when AC is not connected
- No AC connected + POWER Button pressed: 0x4
  - ex: booting PSVita by pressing POWER button when AC is not connected
- AC connected + No POWER Button pressed: 0x8
  - ex: rebooting PSVita by software when AC is connected
  - ex: autobooting PSTV/IDU PSVita by plugging in AC
- AC connected + POWER Button pressed: 0xC
  - ex: powering off PSTV by software then booting it by pressing POWER button
  - ex: booting PSVita by pressing POWER button when AC is connected
Bit flags point of view
Bit | Description |
---|---|
0 | AC: connected: 1 - disconnected: 0 (note that PSTV always has AC connected) |
1 | POWER button: pressed: 1 - not pressed: 0 |
Hardware flags
Bit | Description |
---|---|
1 (0x2) | unk |
4 (0x8) | Related to display |
5 (0x20) | unk |
6 (0x40) | Conexant Codec IC (1 = yes, 0 = no) |
7 (0x80) | unk |
14 (0x4000) | unk |
- all zeroes in most cases
- seen values:
  - ?0x0? on a Fat PS Vita with IRS-002
  - 0x7 on a Slim PS Vita with USS-1001
  - 0x247 on a Slim PS Vita with USS-1002
Types
```c
typedef struct SceDIPSW {
    uint32_t cp_timestamp_1;
    uint16_t cp_version;
    uint16_t cp_build_id;
    uint32_t cp_timestamp_2;
    uint32_t aslr_seed;
    uint32_t sce_sdk_flags;
    uint32_t shell_flags;
    uint32_t debug_control_flags;
    uint32_t system_control_flags;
} SceDIPSW;

typedef struct SceKblParam {
    uint16_t version;
    uint16_t size;
    uint32_t current_fw_version;
    uint32_t min_fw_version;
    uint32_t unk_C;
    uint32_t unk_10;
    uint8_t unk_14[0xC];
    uint8_t qa_flags[0x10];
    uint8_t boot_flags[0x10];
    SceDIPSW dipsw;
    SceKernelPARange dram;
    uint32_t unk_68;
    uint32_t boot_type_indicator_1;
    SceOpenPsId openpsid;
    SceKernelPARange secure_kernel_enp;
    SceKernelPARange context_auth_sm_self;
    SceKernelPARange kprx_auth_sm_self;
    SceKernelPARange prog_rvk_srvk;
    ScePsCode pscode;
    uint32_t __stack_chk_guard;
    uint8_t unk_AC[4];
    uint8_t session_id[0x10];
    uint32_t sleep_factor;
    uint32_t wakeup_factor;
    uint32_t unk_C8;
    uint32_t boot_controls_info;
    uint32_t resume_context_paddr;
    uint32_t hardware_info;
    uint32_t power_info;
    uint8_t unk_DC[0xC];
    uint8_t hardware_flags[0x10];
    uint32_t bootldr_revision;
    uint32_t magic;
    uint8_t coredump_session_key[0x20];
    uint8_t unused[0xE0];
} __attribute__((packed)) SceKblParam;
```
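As an added example (not code from this wiki or from the SDK), the following C program uses the SceKblParam layout above to validate a buffer the way a consumer in a later boot stage would (size field, magic at 0xFC, buffer length) and to decode Hardware Info as described in the Bytes meaning section. SceKernelPARange, SceOpenPsId and ScePsCode are not defined on this page, so the layouts given for them are assumptions chosen to match the offsets table, and the _Static_assert lines verify that the resulting struct lands on those offsets. The sample buffer is constructed, not captured from hardware; all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* These three types are not defined on this page; the layouts below are assumptions
 * chosen so that the struct offsets match the table at the top. */
typedef struct { uint32_t paddr; uint32_t size; } SceKernelPARange;
typedef struct { uint8_t data[0x10]; } SceOpenPsId;
typedef struct { uint8_t data[0x8]; } ScePsCode;

typedef struct SceDIPSW {
    uint32_t cp_timestamp_1; uint16_t cp_version; uint16_t cp_build_id; uint32_t cp_timestamp_2;
    uint32_t aslr_seed; uint32_t sce_sdk_flags; uint32_t shell_flags;
    uint32_t debug_control_flags; uint32_t system_control_flags;
} SceDIPSW;

typedef struct SceKblParam {                                                                  /* offset */
    uint16_t version; uint16_t size; uint32_t current_fw_version; uint32_t min_fw_version;   /* 0x00 */
    uint32_t unk_C; uint32_t unk_10; uint8_t unk_14[0xC];                                     /* 0x0C */
    uint8_t qa_flags[0x10]; uint8_t boot_flags[0x10]; SceDIPSW dipsw;                         /* 0x20 */
    SceKernelPARange dram; uint32_t unk_68; uint32_t boot_type_indicator_1;                   /* 0x60 */
    SceOpenPsId openpsid;                                                                     /* 0x70 */
    SceKernelPARange secure_kernel_enp, context_auth_sm_self, kprx_auth_sm_self, prog_rvk_srvk; /* 0x80 */
    ScePsCode pscode; uint32_t __stack_chk_guard; uint8_t unk_AC[4]; uint8_t session_id[0x10]; /* 0xA0 */
    uint32_t sleep_factor; uint32_t wakeup_factor; uint32_t unk_C8; uint32_t boot_controls_info; /* 0xC0 */
    uint32_t resume_context_paddr; uint32_t hardware_info; uint32_t power_info; uint8_t unk_DC[0xC]; /* 0xD0 */
    uint8_t hardware_flags[0x10]; uint32_t bootldr_revision; uint32_t magic;                  /* 0xE8 */
    uint8_t coredump_session_key[0x20]; uint8_t unused[0xE0];                                 /* 0x100 */
} __attribute__((packed)) SceKblParam;

#define KBL_PARAM_MAGIC 0xCBAC03AAu

/* Compile-time proof that the struct lands on the offsets from the table. */
_Static_assert(sizeof(SceKblParam) == 0x200, "KBL Param is 0x200 bytes");
_Static_assert(offsetof(SceKblParam, dipsw) == 0x40, "dipsw at 0x40");
_Static_assert(offsetof(SceKblParam, hardware_info) == 0xD4, "hardware_info at 0xD4");
_Static_assert(offsetof(SceKblParam, magic) == 0xFC, "magic at 0xFC");

/* Checks a consumer should run before trusting a buffer handed over by the previous boot
 * stage. Returns 0 on success or a negative code identifying the failed check. */
int kbl_param_validate(const void *buf, size_t len) {
    const SceKblParam *p = (const SceKblParam *)buf;
    if (buf == NULL || len < 0x100) return -1;            /* shorter than the fixed part */
    if (p->size != 0x100 && p->size != 0x200) return -2;  /* only the two known sizes */
    if (p->size > len) return -3;                          /* claims more than was handed over */
    if (p->magic != KBL_PARAM_MAGIC) return -4;            /* magic value at 0xFC */
    return 0;
}

/* Hardware Info decoding from the "Bytes meaning" section: third byte = motherboard main
 * version, second byte = minor version, first byte = component bit flags. */
const char *hw_info_motherboard(uint32_t hw_info) {
    switch ((hw_info >> 16) & 0xFF) {
    case 0x31: return "IRT-001";  case 0x40: return "IRS-002";  case 0x41: return "IRT-002";
    case 0x51: return "PS TV prototype";                       case 0x60: return "IRS-1001";
    case 0x70: return "DOL-1001"; case 0x72: return "DOL-1002";
    case 0x80: return "USS-1001"; case 0x82: return "USS-1002";
    case 0x10: case 0x90: return "unknown prototype";
    default:   return "unknown";
    }
}
unsigned hw_info_minor_version(uint32_t hw_info) { return (hw_info >> 8) & 0xFF; }
int hw_info_has_wwan(uint32_t hw_info)       { return (hw_info & 0x02) ? 1 : 0; } /* SceBbmc's check */
int hw_info_mc_emu_capable(uint32_t hw_info) { return (hw_info & 0x10) ? 1 : 0; }

/* Constructed sample (not a capture from hardware): a 0x100-byte KBL Param with the
 * fields this example reads filled in, using values quoted on this page. */
static uint8_t g_sample[0x200];
SceKblParam *sample_kbl_param(void) {
    SceKblParam *p = (SceKblParam *)g_sample;
    memset(g_sample, 0, sizeof g_sample);
    p->version = 1;
    p->size = 0x100;
    p->dram.paddr = 0x40000000;    /* DRAM base paddr */
    p->dram.size  = 0x20000000;    /* DRAM size on retail and testkit */
    p->hardware_info = 0x00406002; /* PCH-11XX, IRS-002 with 3G PCIe */
    p->magic = KBL_PARAM_MAGIC;
    return p;
}
int sample_validate(void)           { return kbl_param_validate(sample_kbl_param(), 0x100); }
int sample_truncated_validate(void) { return kbl_param_validate(sample_kbl_param(), 0x80); }
int sample_bad_magic_validate(void) {
    SceKblParam *p = sample_kbl_param();
    p->magic ^= 1;                 /* corrupt a single bit of the magic */
    return kbl_param_validate(p, 0x100);
}

int main(void) {
    SceKblParam *p = sample_kbl_param();
    printf("validate: %d, board %s rev 0x%02X, WWAN %d\n", sample_validate(),
           hw_info_motherboard(p->hardware_info), hw_info_minor_version(p->hardware_info),
           hw_info_has_wwan(p->hardware_info));
    return 0;
}
```

The validation order matters: the length is checked before any field is read, and the size field is compared against the length actually handed over before the magic at 0xFC is trusted, so a short or oversized buffer is rejected without reading past its end. The decoder maps 0x00406002 to motherboard IRS-002, minor version 0x60, with the WWAN flag set, which matches the PCH-11XX entry in the Hardware Info list.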