SceMsif: Difference between revisions

From Vita Development Wiki
No edit summary
 
(43 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Certainly means Memory stick interface.
== Module ==
== Module ==


=== Known NIDs ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! Name !! World !! Privilege !! NID
! Version !! World !! Privilege
|-
|-
| 1.69 || SceMsif || Non-secure || Kernel || 0xFA979E8E
| 0.990-3.740.011 || Non-secure || Kernel
|-
| 3.60 || SceMsif || ? || Kernel || 0x3305A0FE
|}
|}


Line 19: Line 18:
! Version !! Name !! World !! Visibility !! NID
! Version !! Name !! World !! Visibility !! NID
|-
|-
| 1.69 || [[SceMsif#SceMsifForDriver|SceMsifForDriver]] || Non-secure || Kernel || 0xB706084A
| 0.990-3.740.011 || [[SceMsif#SceMsifForDriver|SceMsifForDriver]] || Non-secure || Kernel || 0xB706084A
|-
| 3.60 || [[SceMsif#SceMsifForDriver|SceMsifForDriver]] || ? || Kernel || 0xB706084A
|}
|}


Line 27: Line 24:


<source lang="C">
<source lang="C">
typedef struct SceMsifIoReq {
typedef struct SceMsifIoReq {
uint32_t addr;
uint32_t addr;
Line 35: Line 31:


typedef struct SceMsif_fptr_table {
typedef struct SceMsif_fptr_table {
 
   // execute READ_ATRB memory access command 0x24
   //executes READ_ATRB memory access command 0x24
   int (*ms_read_atrb)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
   int (*ms_read_atrb)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);


   //executes READ_DATA memory access command 0x20
   // execute READ_DATA memory access command 0x20
   int (*read_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
   int (*ms_read_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);


   //executes WRITE_DATA memory access command 0x21
   // execute WRITE_DATA memory access command 0x21
   int (*write_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
   int (*ms_write_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);


   //size of name is 0x30 (this is exactly as in specification)
   // size of name is 0x30 (this is exactly as in specification)
   //constructs string based on some msif register values
   // constructs string based on some msif register values
   //or calls fun_1 which in probably executes READ_ATRB
   // or calls fun_1 which in probably executes READ_ATRB
   //that contains manufacturer information
   // that contains manufacturer information
   int (*get_model_name)(SceMsif_subctx *subctx, char* name);
   int (*ms_get_model_name)(SceMsif_subctx *subctx, char* model_name);


   //executes an unknown command (0x16) through EX_SET_CMD
   // execute an unknown command (0x16) through EX_SET_CMD
   int (*fun_5)(SceMsif_subctx *subctx, int count);
   int (*ms_ex_set_cmd_0x16_1)(SceMsif_subctx *subctx, int count);


   //executes FORMAT command 0x10 through EX_SET_CMD
   // execute FORMAT command 0x10 through EX_SET_CMD
   int (*format)(SceMsif_subctx *subctx, int device_init_flag);
   int (*ms_format)(SceMsif_subctx *subctx, int format);


   int (*msif_sbl_auth)(SceMsif_subctx *subctx, int num);
   int (*ms_sbl_auth)(SceMsif_subctx *subctx, int num);


   //this function is called in SceMsifSleepCtrl handler and  
   // this function is called in SceMsifSleepCtrl handler and  
   //looks like it executes SLEEP command 0x11 through EX_SET_CMD
   // looks like it executes SLEEP command 0x11 through EX_SET_CMD
   int (*fun_8)(SceMsif_subctx *subctx);
   int (*ms_sleep)(SceMsif_subctx *subctx);


   //looks like this function executes STOP command 0x25 through EX_SET_CMD
   // execute STOP command 0x25 through EX_SET_CMD
   //then gets some status and returns it
   // then get Card Status register with READ_REG
   int (*stop)(SceMsif_subctx *subctx);
  // then check SL flag
   int (*ms_stop_1)(SceMsif_subctx *subctx);


   int (*fun_10)(SceMsif_subctx *subctx);
  // execute an unknown command (0x16) through EX_SET_CMD
   int (*ms_ex_set_cmd_0x16_2)(SceMsif_subctx *subctx);


   //this function is called after other operations and
   // get INT register with GET_INT
   //looks like it executes STOP command 0x25 through EX_SET_CMD
   // then check BREQ Data request flag
   int (*fun_11)(SceMsif_subctx *subctx);
  // then execute STOP command 0x25 through EX_SET_CMD
   int (*ms_stop_2)(SceMsif_subctx *subctx);
} SceMsif_fptr_table;
} SceMsif_fptr_table;


typedef struct msif_init_ctx //size is unknown
typedef struct msif_init_ctx { // size is unknown
{
   uint32_t index; // 0x0 - some index or number 0, 1, 2, 3, 4, 5
   uint32_t index; // 0x0 some index or number 0, 1, 2, 3, 4, 5
    
    
   //...
   //...
Line 84: Line 81:
   //...
   //...
    
    
}msif_init_ctx;
} msif_init_ctx;


//this structure should be located at SceMsif_memblock1_base + 0x30
// this structure should be located at SceMsif_memblock1_base + 0x30
//so it is mapped to 0xE0900000
// so it is mapped to 0xE0900000


// size is unknown
// size is unknown
//it looks like max used offset from beginning of structure is 0x70
// it looks like max used offset from beginning of structure is 0x70
//and min used offset from beginning of structure is -0x30
// and min used offset from beginning of structure is -0x30


typedef struct SceMsifRegs_30 // size is unknown
typedef struct SceMsifRegs_30 { // size is unknown
{
   uint32_t unk_0;
   uint32_t unk_0;
   uint32_t unk_4;
   uint32_t unk_4;
Line 100: Line 96:
    
    
   //...
   //...
} SceMsifRegs_30;
} SceMsifRegs_30;


typedef struct SceMsif_subctx // size is probably 0xC40
typedef struct SceMsif_subctx { // size is probably 0xC40
{
   uint8_t unk_0[0x400]; // buffer that is used for read ops and its physical address is used in SceMsifIoReq.addr
   uint8_t unk_0[0x400]; //buffer that is used for read ops and its physical address is used in SceMsifIoReq.addr
   //...
 
   uint8_t unk_A00[0x1A0]; // buffer
   //....
   //...
 
   uint8_t unk_A00[0x1A0]; //buffer
 
   //....
 
   SceMsifRegs_30* unk_C00;
   SceMsifRegs_30* unk_C00;
  //...
  uint32_t unk_C10; // bits
  //...
} SceMsif_subctx;


  //....
typedef struct SceMsif_ctx { // size is 0x440
 
  uint32_t unk_C10; //bits
 
  //....
 
}SceMsif_subctx;
 
typedef struct SceMsif_ctx //size is 0x440
{
   void* SceMsif_regs_vaddr; // 0x0
   void* SceMsif_regs_vaddr; // 0x0
   SceUID SceMsif_regs_uid; // 0x4 - size 0x1000 - mapped to 0xE0900000
   SceUID SceMsif_regs_uid; // 0x4 - size 0x1000 - mapped to 0xE0900000
Line 149: Line 134:
   void* unk_1C0_paddr; // 0x74 - physical address of unk_1C0
   void* unk_1C0_paddr; // 0x74 - physical address of unk_1C0
   void* SceMsif_memblock_0x18000_vaddr; // 0x78 - size 0x18000 (0xC0 sectors of size 0x200)
   void* SceMsif_memblock_0x18000_vaddr; // 0x78 - size 0x18000 (0xC0 sectors of size 0x200)
   SceMsif_subctx* subctx; // 0x7C offset (840)
   SceMsif_subctx* subctx; // 0x7C offset (0x840)
    
    
   addr_pair paddr_list_80[4];
   addr_pair paddr_list_80[4];
Line 180: Line 165:
   uint32_t unk_438;
   uint32_t unk_438;
   uint32_t unk_43C;
   uint32_t unk_43C;
} SceMsif_ctx;


}SceMsif_ctx;
typedef struct SceMsId { // size is 8 bytes
    SceUInt8 unk_0x0; // maybe manufacture code. ex: 0x20.
    SceUInt16 manuf_year;
    SceUInt8 manuf_month;
    SceUInt8 manuf_day;
    SceUInt8 manuf_hour;
    SceUInt8 manuf_minute;
    SceUInt8 manuf_second;
} SceMsId;


typedef struct SceMsInfo { // size is 0x24 on FW 0.990-3.01, 0x40 on FW 3.10-3.740.011
    int ms_type; // Always 5 on seen PS Vita memory cards. ex (in software): 0, 1, 2, 3, 4, 5. Other values than 5 might be older revisions (Memory Stick, M2).
    SceBool is_read_only; // Set to 0 to allow RW. Anything else than 0 seems to disable write.
    SceUInt64 nbytes; // Total size in bytes.
    SceUInt64 nbytes2; // Same value as nbytes so for what purpose?
    SceUInt32 sector_size_low; // ex: 0x200 (default for PS Vita memory cards)
    SceUInt32 sector_size_hi; // Always set to 0 (hardcoded). Indeed PS Vita does not support big allocation sizes.
    SceUInt32 fs_offset;
    SceUInt32 unk_0x24; // ex: various
    SceUInt32 unk_0x28; // ex: 0
    SceUInt32 unk_0x2C; // ex: 1
    SceMsId id; // Stored in coredumps.
    void *SceMsif_subctx_addr; // Should not be accessible to usermode as it points to SceMsif kernel module data segment (offset 0x840 on FW 3.60)...
    SceUInt32 reserved; // Totally unused. This field has been forgotten in some code so there exist vulnerabilities.
} SceMsInfo;
</source>
</source>


Line 191: Line 200:
! Address !! Size !! Description
! Address !! Size !! Description
|-
|-
| 0x0000 || 0x4 || SceMsif_subctx* - pointer to offset 840
| 0x0000 || 0x4 || SceMsif_subctx* - pointer to offset 0x840
|-
|-
| 0x0004 || 0x4 || pointer to data at offset 0x18
| 0x0004 || 0x4 || pointer to data at offset 0x18
Line 203: Line 212:
| 0x0014 || 0x4 || unknown
| 0x0014 || 0x4 || unknown
|-
|-
| 0x0018 || 0x828 || unknown
| 0x0018 || 0x800 || some data or array of 0x10 elements of size 0x80
|-
| 0x0818 || 0x28 || unknown
|-
|-
| 0x0840 || 0xC40 || SceMsif_subctx data
| 0x0840 || 0xC40 || SceMsif_subctx data
Line 213: Line 224:
| 0x18C4 || 0x4 || unknown
| 0x18C4 || 0x4 || unknown
|-
|-
| 0x18C8 || 0x8 || UInt64 wide time
| 0x18C8 || 0x8 || UInt64. wide time
|-
|-
| 0x18D0 || 0x8 || UInt64 probably time in ms
| 0x18D0 || 0x8 || UInt64. probably time in ms
|-
|-
| 0x18D8 || 0xE0 || decrypted data - array of 8 elements of size 0x1C (0x1C is probably size of sha224)
| 0x18D8 || 0xE0 || decrypted data - array of 8 elements of size 0x1C (0x1C is probably size of sha224)
Line 221: Line 232:
| 0x19B8 || 0x4 || flag that shows that static sha224 table is decrypted
| 0x19B8 || 0x4 || flag that shows that static sha224 table is decrypted
|-
|-
| 0x19BC || 0x4 || F00D comm id (obtained with sceSblSmCommStartSm)
| 0x19BC || 0x4 || SM communication ID (obtained with sceSblSmCommStartSm)
|-
|-
|}
|}
Line 227: Line 238:
== SceMsifForDriver ==
== SceMsifForDriver ==


=== module_start ===
=== sceMsifReadSectorForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x935cd196
| 0.990.000-3.740.011 || 0x58654AA3
|}
|}


<source lang="c">int module_start();</source>
<source lang="c">int sceMsifReadSectorForDriver(int sector, char* buffer, int nSectors);</source>


=== read_sector ===
=== sceMsifWriteSectorForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x58654AA3
| 0.990.000-3.740.011 || 0x329035EF
|}
|}


<source lang="c">int ms_read_sector(int sector, char* buffer, int nSectors);</source>
<source lang="c">int sceMsifWriteSectorForDriver(int sector, char* buffer, int nSectors);</source>


=== write_sector ===
=== sceMsifEnableSlowCardModeForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x329035EF
| 0.990.000-3.740.011 || 0x4B751CE6
|}
|}


<source lang="c">int ms_write_sector(int sector, char* buffer, int nSectors);</source>
<source lang="c">int sceMsifEnableSlowCardModeForDriver(void);</source>


=== enable_slow_mode ===
=== sceMsifDisableSlowCardModeForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x4B751CE6
| 0.990.000-3.740.011 || 0x75848756
|}
|}


<source lang="c">int ms_enable_slow_mode();</source>
<source lang="c">int sceMsifDisableSlowCardModeForDriver(void);</source>


=== disable_slow_mode ===
=== sceMsifGetSlowCardModeStateForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x75848756
| 0.990.000-3.740.011 || 0x491E25B5
|}
|}


<source lang="c">int ms_disable_slow_mode();</source>
<source lang="c">int sceMsifGetSlowCardModeStateForDriver(void);</source>


=== get_slow_mode_state ===
=== sceMsifSwResetForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x491E25B5
| 0.990.000-3.740.011 || 0x4EA579EF
|}
|}


<source lang="c">int ms_get_slow_mode_state();</source>
Temp name was sceMsifInitializeMmcDeviceForDriver.


=== init1 ===
Part of functionality is same as [[SceMsif#msif_get_sha224_digest_source|msif_get_sha224_digest_source]].
{| class="wikitable"
|-
! Version !! NID
|-
| 3.60 || 0x4EA579EF
|}
 
part of functionality is same as [[SceMsif#get_sha224_digest_source|get_sha224_digest_source]]


<source lang="c">int ms_init1();</source>
<source lang="C">int sceMsifSwResetForDriver(void);</source>


=== init2 ===
=== sceMsifGetMsInfoForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0xD0307849
| 0.990.000-3.740.011 || 0xD0307849
|}
|}


<source lang="c">int ms_init2(msif_init_ctx* ctx);</source>
<source lang="C">int sceMsifGetMsInfoForDriver(SceMsInfo *pInfo);</source>


=== init_mbr ===
=== msif_init_mbr ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0xF997286B
| 0.931.010-1.06 || not present
|-
| 1.500.151-3.740.011 || 0xF997286B
|}
|}


<source lang="c">int init_mbr();</source>
<source lang="c">int msif_init_mbr();</source>


=== get_time_from_SceMsifSmshc ===
=== msif_get_time_from_SceMsifSmshc ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x855E1E38
| 0.990.000 || not present
|-
| 0.995.000-3.740.011 || 0x855E1E38
|}
|}


returns wide time difference from last SceMsifSmshc interrupt
Returns wide time difference from last SceMsifSmshc interrupt.


<source lang="c">
<source lang="c">SceInt64 msif_get_time_from_SceMsifSmshc();</source>
SceInt64 get_time_from_SceMsifSmshc();
</source>


=== ms_unk ===
=== sceMsifZerofillSectorForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x0f86BEEA
| 0.990.000-3.740.011 || 0x0F86BEEA
|}
|}


function writes some data to the memory card.
This is a guessed name. Temp name was sceMsifDevNullPrepareDmaTableForDriver.


data is taken from memblock2
Zerofills sectors by DMA-ing from '/dev/null' (physical address 0x1D000000).


<source lang="c">
<source lang="C">int sceMsifZerofillSectorForDriver(int sector, int nSectors);</source>
int ms_unk(int sector, int nSectors);
</source>


=== MS Format ===
=== sceMsifFormatForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x6EDE7DBA
| 0.990.000-3.740.011 || 0x6EDE7DBA
|}
|}


<source lang="c">
<source lang="c">int sceMsifFormatForDriver(int format_arg);</source>
int SceMsifForDriver_6EDE7DBA_format(int format_arg);
</source>


=== get_sha224_digest_source ===
=== sceMsifGetMediaIdForDriver ===
{| class="wikitable"
{| class="wikitable"
|-
|-
! Version !! NID
! Version !! NID
|-
|-
| 3.60 || 0x718BDFDE
| 0.990.000-3.740.011 || 0x718BDFDE
|}
|}


gets data that is used to calculate sha224 digest
Gets data that is used to calculate sha224 digest. This digest is used to verify static table of sha224 digests. That is decrypted internally using keys that are derived from [[SceSblSsMgr#sceSblSsMgrDecryptWithPortabilityForDriver|sceSblSsMgrDecryptWithPortabilityForDriver]].


this digest is used to verify static table of sha224 digests
This function is also used in [[SceMagicGate]].


that is decrypted internally using keys that are derived from [[SceSblSsMgr#dec_aes_key_msif|dec_aes_key_msif]]
<source lang="C">
// sha224_ds is of size 0x10 bytes
int sceMsifGetMediaIdForDriver(void *sha224_ds);
</source>


this function is also used in [[SceMagicGate|SceMagicGate]]
<source lang="c">
//sha224_ds is of size 0x10
int get_sha224_digest_source(char* sha224_ds);
</source>


[[Category:ARM]]
[[Category:Kernel]]
[[Category:Modules]]
[[Category:Modules]]
[[Category:Kernel]]
[[Category:Library]]

Latest revision as of 22:22, 8 June 2023

The name certainly means Memory Stick interface.

Module

Version World Privilege
0.990-3.740.011 Non-secure Kernel

Libraries

Known NIDs

Version Name World Visibility NID
0.990-3.740.011 SceMsifForDriver Non-secure Kernel 0xB706084A

Types

// I/O request descriptor passed as io_req to the ms_read_atrb, ms_read_sectors
// and ms_write_sectors entries of SceMsif_fptr_table.
// NOTE(review): addr is a physical address, not a kernel virtual one. Any path
// that fills this request from caller-supplied values needs its own range
// check; none is visible on this page.
typedef struct SceMsifIoReq {
	uint32_t addr;       // physical address of the transfer buffer (SceMsif_subctx.unk_0 is used this way)
	uint32_t unk04;      // unknown
	uint32_t size_flags; // presumably a transfer size combined with flag bits, going by the name - TODO confirm
} SceMsifIoReq;

// Table of 11 function pointers implementing the Memory Stick commands.
// Every entry takes the SceMsif_subctx it operates on as its first argument.
// NOTE(review): sector, nSectors and count are signed int, and io_req carries a
// physical address. Whether the implementations range-check these values is
// not shown on this page.
typedef struct SceMsif_fptr_table {
  // execute READ_ATRB memory access command 0x24
  int (*ms_read_atrb)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);

  // execute READ_DATA memory access command 0x20
  int (*ms_read_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);

  // execute WRITE_DATA memory access command 0x21
  int (*ms_write_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);

  // model_name is 0x30 bytes long (exactly as in the specification). No length
  // is passed, so the buffer presumably has to provide at least 0x30 bytes - TODO confirm.
  // The string is either constructed from some msif register values, or obtained
  // by calling fun_1 (an older name, presumably ms_read_atrb - TODO confirm), which
  // probably executes READ_ATRB to fetch the data that contains manufacturer information.
  int (*ms_get_model_name)(SceMsif_subctx *subctx, char* model_name);

  // execute an unknown command (0x16) through EX_SET_CMD
  int (*ms_ex_set_cmd_0x16_1)(SceMsif_subctx *subctx, int count);

  // execute FORMAT command 0x10 through EX_SET_CMD
  int (*ms_format)(SceMsif_subctx *subctx, int format);

  // not described on this page; the name suggests an authentication step
  // involving SBL - unconfirmed. The meaning of num is unknown.
  int (*ms_sbl_auth)(SceMsif_subctx *subctx, int num);

  // called from the SceMsifSleepCtrl handler;
  // looks like it executes SLEEP command 0x11 through EX_SET_CMD
  int (*ms_sleep)(SceMsif_subctx *subctx);

  // execute STOP command 0x25 through EX_SET_CMD,
  // then get the Card Status register with READ_REG,
  // then check the SL flag
  int (*ms_stop_1)(SceMsif_subctx *subctx);

  // execute an unknown command (0x16) through EX_SET_CMD
  int (*ms_ex_set_cmd_0x16_2)(SceMsif_subctx *subctx);

  // get the INT register with GET_INT,
  // then check the BREQ (data request) flag,
  // then execute STOP command 0x25 through EX_SET_CMD
  int (*ms_stop_2)(SceMsif_subctx *subctx);
} SceMsif_fptr_table;

// Partially recovered initialisation context; only two fields are known.
// The "//..." markers stand for undocumented ranges, so this declaration as
// written does not place sub_ctx at 0x38 and must not be used for sizeof or
// offsetof without adding the missing padding.
typedef struct msif_init_ctx { // size is unknown
   uint32_t index; // 0x0 - some index or number 0, 1, 2, 3, 4, 5
   
   //...
   
   SceMsif_subctx* sub_ctx; // 0x38 - pointer to the sub-context
   
   //...
   
} msif_init_ctx;

// This structure should be located at SceMsif_memblock1_base + 0x30.
// The register memblock is mapped to 0xE0900000 (see SceMsif_ctx.SceMsif_regs_uid),
// which would put this structure at 0xE0900030 - TODO confirm.

// Size is unknown.
// The largest offset used from the beginning of the structure looks like 0x70
// and the smallest looks like -0x30, i.e. the code also reaches back to the
// start of the memblock through a pointer to this structure.

typedef struct SceMsifRegs_30 { // size is unknown
   uint32_t unk_0;       // 0x0 - unknown
   uint32_t unk_4;       // 0x4 - unknown
   uint32_t evid_bits_8; // 0x8 - presumably event flag bits, going by the name - TODO confirm
   
   //... remaining registers are not documented
} SceMsifRegs_30;

// Sub-context handed to every SceMsif_fptr_table entry. It lives in the module
// data segment (0xC40 bytes at offset 0x0840 in the data segment layout).
// The "//..." markers stand for undocumented ranges; the hex suffix of each
// field name is its offset, so this declaration as written does not reproduce
// the real layout without the missing padding.
typedef struct SceMsif_subctx { // size is probably 0xC40
   uint8_t unk_0[0x400]; // buffer that is used for read ops and its physical address is used in SceMsifIoReq.addr
   //...
   uint8_t unk_A00[0x1A0]; // 0xA00 - buffer, purpose unknown
   //...
   SceMsifRegs_30* unk_C00; // 0xC00 - pointer to the register structure
   //...
   uint32_t unk_C10; // 0xC10 - bits, meaning unknown
   //...
} SceMsif_subctx;

// Main driver context, 0x440 bytes at offset 0x1480 of the module data segment.
// It holds virtual and physical addresses side by side; the *_paddr fields and
// paddr_list_80 are physical addresses and must not be dereferenced as pointers.
// fast_mutex and addr_pair are not defined on this page.
typedef struct SceMsif_ctx { // size is 0x440
   void* SceMsif_regs_vaddr; // 0x0 - virtual address of the register memblock
   SceUID SceMsif_regs_uid; // 0x4 - size 0x1000 - mapped to 0xE0900000
   uint32_t unk_8; // 0x8 = 0
   SceUID SceMsif_evid; // 0xC
   
   fast_mutex SceMsif_fast_mutex; // 0x10 - size is 0x40
   
   SceUID SceMsif_memblock_0x18000_id; // 0x50
   uint32_t unk_54;
   uint32_t intr_mutex; // 0x58 = 0 - used for suspend resume intr
   
   uint8_t unk_5C;
   uint8_t slow_mode_state; // 0x5D = 0/1
   uint8_t system_time_0; // timewide byte
   uint8_t system_time_1; // timewide byte
   
   void* range_60; // 0x60 - some range that is invalidated (presumably a cache invalidate - TODO confirm)
   uint32_t range_len_64; // 0x64 - length of the range
   // NOTE(review): unk_180 and unk_1C0 are 0x40 bytes each, so these two sizes
   // presumably must never exceed 0x40 - TODO confirm where they are bounded.
   uint32_t size_180; // 0x68 - size of data in unk_180 buffer
   uint32_t size_1C0; // 0x6C - size of data in unk_1C0 buffer
   
   void* unk180_paddr; // 0x70 - physical address of unk_180
   void* unk_1C0_paddr; // 0x74 - physical address of unk_1C0
   void* SceMsif_memblock_0x18000_vaddr; // 0x78 - size 0x18000 (0xC0 sectors of size 0x200)
   SceMsif_subctx* subctx; // 0x7C - points to data segment offset 0x840
   
   addr_pair paddr_list_80[4]; // 0x80 - presumably physical address/length pairs, going by the name - TODO confirm

   uint8_t unk_A0[0xE0];
   
   uint8_t unk_180[0x40]; // probably some buffer for accessing device. size confirmed.
   
   uint8_t unk_1C0[0x40]; // probably some buffer for accessing device. size confirmed.
   
   SceInt64 wide_time_intr_SceMsifSmshc; // 0x200 - set in SceMsifSmshc interrupt handler
   SceInt64 wide_time; // 0x208 - some time set in different functions
   
   void* SceMsif_memblock_0x18000_paddr; // 0x210 - physical address of SceMsif_memblock_0x18000
   
   uint32_t unk_214;
   
   uint8_t sector_buffer[0x200]; // 0x218 - read buffer of size 0x200 - used to read MBR and execute other single sector read ops
   
   uint32_t unk_418;
   uint32_t unk_41C;
   
   uint32_t unk_420;
   uint32_t unk_424;
   SceUID SceMsifSleepCtrl_evid; // 0x428
   SceUID SceMsifSleepCtrl_thid; // 0x42C - thread id
   
   uint32_t suspend_resume_curr_state; // 0x430 = 0
   uint32_t suspend_resume_prev_state; // 0x434 = 0
   uint32_t unk_438;
   uint32_t unk_43C;
} SceMsif_ctx;

// Memory card identifier embedded in SceMsInfo.id: one unknown byte followed by
// a manufacturing timestamp.
// NOTE(review): with natural alignment these fields occupy 10 bytes (one pad
// byte after unk_0x0 so that manuf_year is 2-byte aligned, one more at the
// end), not 8. The stated size, and the 0x40 total of SceMsInfo that depends on
// it, only hold if the real layout is packed or the field order or widths
// differ from this declaration - TODO confirm before using sizeof or offsetof.
typedef struct SceMsId { // size is 8 bytes
    SceUInt8 unk_0x0; // maybe manufacture code. ex: 0x20.
    SceUInt16 manuf_year;
    SceUInt8 manuf_month;
    SceUInt8 manuf_day;
    SceUInt8 manuf_hour;
    SceUInt8 manuf_minute;
    SceUInt8 manuf_second;
} SceMsId;

// Memory card information returned through sceMsifGetMsInfoForDriver(SceMsInfo *pInfo).
// The structure grew between firmware versions: the first 0x24 bytes (up to and
// including fs_offset) exist on every version, the rest only on FW 3.10 and later.
// NOTE(review): a buffer sized for the short form is too small on newer firmware
// if the callee writes the full 0x40 bytes - presumably it does; TODO confirm.
typedef struct SceMsInfo { // size is 0x24 on FW 0.990-3.01, 0x40 on FW 3.10-3.740.011
    int ms_type; // Always 5 on seen PS Vita memory cards. ex (in software): 0, 1, 2, 3, 4, 5. Other values than 5 might be older revisions (Memory Stick, M2).
    SceBool is_read_only; // Set to 0 to allow RW. Anything else than 0 seems to disable write.
    SceUInt64 nbytes; // Total size in bytes.
    SceUInt64 nbytes2; // Same value as nbytes so for what purpose?
    SceUInt32 sector_size_low; // ex: 0x200 (default for PS Vita memory cards)
    SceUInt32 sector_size_hi; // Always set to 0 (hardcoded). Indeed PS Vita does not support big allocation sizes.
    SceUInt32 fs_offset; // 0x20 - presumably where the filesystem starts on the card; unit not stated - TODO confirm
    SceUInt32 unk_0x24; // ex: various
    SceUInt32 unk_0x28; // ex: 0
    SceUInt32 unk_0x2C; // ex: 1
    SceMsId id; // 0x30 - Stored in coredumps.
    // 0x38 - Kernel address: points into the SceMsif kernel module data segment
    // (offset 0x840 on FW 3.60). Should not be accessible to usermode, because a
    // copy of this struct that reaches a less privileged caller discloses where
    // the module data is mapped. Code that forwards the struct should clear this
    // field first.
    void *SceMsif_subctx_addr;
    // 0x3C - Totally unused. This field has been forgotten in some code so there
    // exist vulnerabilities. NOTE(review): the page names neither the code nor
    // the flaw; presumably the field is left unset when the struct is filled or
    // copied, so stale memory travels with it - TODO confirm. Zeroing the whole
    // struct before filling it avoids that class of problem.
    SceUInt32 reserved;
} SceMsInfo;

Data segment layout

Address Size Description
0x0000 0x4 SceMsif_subctx* - pointer to offset 0x840
0x0004 0x4 pointer to data at offset 0x18
0x0008 0x4 unknown
0x000C 0x4 unknown
0x0010 0x4 pointer to table SceMsif_fptr_table of 11 function pointers
0x0014 0x4 unknown
0x0018 0x800 some data or array of 0x10 elements of size 0x80
0x0818 0x28 unknown
0x0840 0xC40 SceMsif_subctx data
0x1480 0x440 SceMsif_ctx
0x18C0 0x4 SceMsif suspend callback id
0x18C4 0x4 unknown
0x18C8 0x8 UInt64. wide time
0x18D0 0x8 UInt64. probably time in ms
0x18D8 0xE0 decrypted data - array of 8 elements of size 0x1C (0x1C bytes is the length of a SHA-224 digest, so these are probably SHA-224 digests)
0x19B8 0x4 flag that shows that static sha224 table is decrypted
0x19BC 0x4 SM communication ID (obtained with sceSblSmCommStartSm)

SceMsifForDriver

sceMsifReadSectorForDriver

Version NID
0.990.000-3.740.011 0x58654AA3
// Sector read export of SceMsifForDriver (kernel visibility).
// No buffer length is passed: buffer presumably has to hold nSectors * sector
// size bytes (0x200 per sector on PS Vita memory cards, see
// SceMsInfo.sector_size_low) - TODO confirm.
// sector and nSectors are signed int; whether the module rejects negative or
// out-of-range values is not shown on this page, so callers should validate.
int sceMsifReadSectorForDriver(int sector, char* buffer, int nSectors);

sceMsifWriteSectorForDriver

Version NID
0.990.000-3.740.011 0x329035EF
// Sector write export of SceMsifForDriver (kernel visibility).
// No buffer length is passed: buffer presumably has to provide nSectors * sector
// size bytes (0x200 per sector on PS Vita memory cards, see
// SceMsInfo.sector_size_low) - TODO confirm.
// sector and nSectors are signed int; whether the module rejects negative or
// out-of-range values is not shown on this page, so callers should validate.
// buffer is not const-qualified although a write presumably only reads from it.
int sceMsifWriteSectorForDriver(int sector, char* buffer, int nSectors);

sceMsifEnableSlowCardModeForDriver

Version NID
0.990.000-3.740.011 0x4B751CE6
// Takes no arguments. Going by the name it switches slow card mode on,
// presumably setting SceMsif_ctx.slow_mode_state (0/1) - TODO confirm.
// The meaning of the return value is not documented on this page.
int sceMsifEnableSlowCardModeForDriver(void);

sceMsifDisableSlowCardModeForDriver

Version NID
0.990.000-3.740.011 0x75848756
// Takes no arguments. Going by the name it switches slow card mode off,
// presumably clearing SceMsif_ctx.slow_mode_state (0/1) - TODO confirm.
// The meaning of the return value is not documented on this page.
int sceMsifDisableSlowCardModeForDriver(void);

sceMsifGetSlowCardModeStateForDriver

Version NID
0.990.000-3.740.011 0x491E25B5
// Takes no arguments. Presumably returns SceMsif_ctx.slow_mode_state, which is
// documented as 0 or 1 - TODO confirm, including how errors are reported.
int sceMsifGetSlowCardModeStateForDriver(void);

sceMsifSwResetForDriver

Version NID
0.990.000-3.740.011 0x4EA579EF

Temp name was sceMsifInitializeMmcDeviceForDriver.

Part of the functionality is the same as msif_get_sha224_digest_source (documented on this page as sceMsifGetMediaIdForDriver, NID 0x718BDFDE).

// Takes no arguments. The name is a later replacement for the temporary name
// sceMsifInitializeMmcDeviceForDriver; what exactly gets reset and what the
// return value means are not documented on this page.
int sceMsifSwResetForDriver(void);

sceMsifGetMsInfoForDriver

Version NID
0.990.000-3.740.011 0xD0307849
// pInfo: output, receives a SceMsInfo. No size is passed, and SceMsInfo is 0x24
// bytes on FW 0.990-3.01 but 0x40 bytes on FW 3.10-3.740.011, so the buffer has
// to be sized for the firmware the code runs on.
// On the 0x40-byte form the result contains SceMsif_subctx_addr, a kernel data
// segment address, and the unused reserved field: zero the buffer before the
// call and do not hand the raw struct to user mode.
int sceMsifGetMsInfoForDriver(SceMsInfo *pInfo);

msif_init_mbr

Version NID
0.931.010-1.06 not present
1.500.151-3.740.011 0xF997286B
// Guessed name. The empty parameter list leaves the arguments unspecified in C
// (it is not the same as (void)); the real argument list is unknown.
// Presumably reads the MBR into SceMsif_ctx.sector_buffer, which is documented
// as the buffer used to read the MBR - TODO confirm.
int msif_init_mbr();

msif_get_time_from_SceMsifSmshc

Version NID
0.990.000 not present
0.995.000-3.740.011 0x855E1E38

Returns wide time difference from last SceMsifSmshc interrupt.

// Guessed name. Returns the wide time elapsed since the last SceMsifSmshc
// interrupt, presumably measured against
// SceMsif_ctx.wide_time_intr_SceMsifSmshc, which the interrupt handler sets -
// TODO confirm. The empty parameter list leaves the arguments unspecified in C.
SceInt64 msif_get_time_from_SceMsifSmshc();

sceMsifZerofillSectorForDriver

Version NID
0.990.000-3.740.011 0x0F86BEEA

This is a guessed name. Temp name was sceMsifDevNullPrepareDmaTableForDriver.

Zerofills sectors by DMA-ing from '/dev/null' (physical address 0x1D000000).

// Guessed name. Destructive: overwrites nSectors sectors starting at sector with
// zeros, using DMA from physical address 0x1D000000 as the source.
// sector and nSectors are signed int; whether the module rejects negative or
// out-of-range values is not shown on this page, so callers should validate.
int sceMsifZerofillSectorForDriver(int sector, int nSectors);

sceMsifFormatForDriver

Version NID
0.990.000-3.740.011 0x6EDE7DBA
// Destructive, going by the name: presumably reaches SceMsif_fptr_table.ms_format,
// which executes FORMAT command 0x10 through EX_SET_CMD - TODO confirm.
// The meaning of format_arg and of the return value is not documented on this page.
int sceMsifFormatForDriver(int format_arg);

sceMsifGetMediaIdForDriver

Version NID
0.990.000-3.740.011 0x718BDFDE

Gets the data that is used to calculate a SHA-224 digest. This digest is used to verify the static table of SHA-224 digests, which is decrypted internally using keys that are derived from sceSblSsMgrDecryptWithPortabilityForDriver.

This function is also used in SceMagicGate.

// sha224_ds: output buffer of 0x10 bytes that receives the SHA-224 digest source.
// No length is passed, so the caller has to provide at least 0x10 bytes.
// Going by the function name this value is the card's media ID - TODO confirm.
int sceMsifGetMediaIdForDriver(void *sha224_ds);