IdStorage: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 432: Line 432:
== 0x110 - WlanRegion ==
== 0x110 - WlanRegion ==


The following algorithm is used to derive it from PsCode:
PS Vita IdStorage leaf 0x110 contains only 0x10 bytes of data. The first 3 bytes are the WlanRegion. The rest are FFed (unused).
 
The following algorithm is used to derive WlanRegion from PsCode:
<source lang="c">
<source lang="c">
byte WlanRegion[3]; // PS Vita IdStorage leaf 0x110 contains only 3 bytes of data
byte WlanRegion[3];


switch(pscode.product_code) {
switch(pscode.product_code) {
Line 470: Line 472:
</source>
</source>


In Manufacturing Mode, it seems that WlanRegion is spoofed to <code>FF 1F 00</code>.
In Manufacturing Mode, WlanRegion is spoofed to <code>FF 1F 00</code>.


== 0x111 - WlanMacAddress ==
== 0x111 - WlanMacAddress ==

Revision as of 19:54, 8 January 2024

See also [1].

Description

Region of the PSVita eMMC where perconsole info is stored.

Location

Idstorage data is stored at first raw partition (code 0x1). Use [2] to extract.

Structure

The IdStorage partition is divided in two parts: the mapping table and the leaves.

Mapping table

The mapping table is located at the start of the partition. It's an array of 16-bit leaf IDs that serves as a leaf ID->index mapping table. The mapping table must be at least one-sector wide but may be bigger.

There are two leaf IDs reserved for usage in the mapping table: all entries corresponding to the mapping table (i.e. the first M entries for an M sectors sized table) must hold the value 0xFFF5, and all unallocated leaves hold the value 0xFFFF.

To lookup a leaf index based on its ID, use the following algorithm:

#define M /* implementation defined */
#define SECTOR_SIZE (512)

#define NUM_TABLE_ITEMS ((M * SECTOR_SIZE) / sizeof(uint16_t))
uint16_t g_mappingTable[NUM_TABLE_ITEMS];

int leafIndexFromId(unsigned id) {
   if (id >= 0xFFF0)
       return /* ERROR: invalid leaf ID */;

   for (int i = 0; i < NUM_TABLE_ITEMS; i++) {
      if (g_mappingTable[i] == id)
         return i;
   }
   return /* ERROR: leaf ID is not in mapping table */;
}

Leaves

Leaves are sector-sized (512 bytes) areas in the IdStorage partition used to store arbitrary data. While the data stored may be smaller, a leaf always occupies one sector in the partition.

To read a leaf's data, obtain the leaf index (this can be known directly, or obtained from a leaf ID using the previously mentioned algorithm) then read 512 bytes starting at offset 512 * leafIndex in the IdStorage partition.

Limits

The number of leaves that can be stored in an IdStorage partition is limited by three factors: the size of the partition, the size of the mapping table and the size of leaf IDs.

  • An M sectors wide mapping table can hold up to 255 * M leaves
    • This is because a single-sector mapping table can reference SECTOR_SIZE/sizeof(u16) - 1 = 255 leaves (the - 1 is needed because a table consumes one entry for itself)
  • A P sectors wide partition can hold up to P - M leaves
    • This is because leaves are sector-sized, and the mapping table consumes M sectors
  • There are 65520 leaf IDs available
    • While an unsigned 16-bit variable can hold 65536 values, IDs superior or equal to 0xFFF0 are reserved and cannot be used

From this, we can conclude that an IdStorage partition of P sectors with an M sectors mapping table can hold up to min(255*M, P-M, 65520) leaves. We can also deduce an IdStorage partition is optimally shaped (no space is non-allocatable) when P = 256 * M.

On Vita, the IdStorage partition is 512KiB and 32 sectors are reserved for the indexing table (P = 1024, M = 32, a non-optimal choice), which means the console's partition can hold up to 992 IdStorage leaves.

Leaf content

In this section, the following conventions and terms are used:

  • Empty: area has all bits set to 1 (i.e., 0xFF)
  • Present / Not present: the leaf exists in IdStorage partition
  • The content of a leaf always starts at offset 0.
  • If leaf contents are smaller than 512 bytes, the unused parts are left empty.
  • Strings are padded with NUL bytes if the content is smaller than maximum size, but may be non-NUL terminated

Leaves not listed in this section have not been found in any unit, and leaves listed in this section are not all found in every unit.

The following information may not be valid for all pre-production units (DEM/CEM).

Idps certificates

Leaves 0x000~0x07F are written to IdStorage during manufacturing by a function called _writeIdpsCert.

Leaf 0x07E contains the signed SHA-256 digest of leaves 0x000~0x07D (signed using RSA-2048). The public key used for signature verification can be found in factTest.self.

Leaf 0x07F is not covered by the signature but is flashed in _writeIdpsCert nonetheless.

Empty leaves

The following leaves have always been observed to only contain zeroes:

  • 0x008~0x01F
  • 0x028~0x03F
  • 0x050~0x07D
  • 0x7F

0x000~0x007 - SceIdStoragePspCertificates

Identical across all units and duplicated in leaves 0x020 to 0x027.

0x040~0x047 - SceIdStoragePsp2Certificates

Console-unique.

0x048~0x04F

Console-unique. Maybe UMD certificates like in PSP IdStorage.

0x07E

Console-unique.

The RSA-2048 signature of the Idps certificates (2048 bits/256 bytes) is located at offset 0x60 of this leaf.

Data contained between 0x0 and 0x5F is unknown, and data between 0x160 and 0x1FF is unused (always 00).

0x80 - SMI

Service / Manufacturing Information (SMI)

Console-unique. Contains minimal firmware version (checked in second_loader).

struct SMILeaf {
    uint8_t magic[4]; //'SMI\0'
    uint32_t version; //1
    uint32_t min_fwv; //Minimal firmware version
    uint8_t unused[0x80 - 0xC];
    //Encrypted with per-console keys.
    //This is used to verify the leaf has not been modified.
    uint8_t encrypted_data[0x200 - 0x80];
};

0x100

Name may be Idlog.

Console-unique. Two strings related to manufacturing.

Both strings are 0x100 bytes wide; one starts at offset 0 and one at offset 0x100.

The string at offset 0x100 is written at a different stage (end of manufacturing?) than the string at offset 0, so it is possible to find units with only first string written (e.g., a Dolphin CEM-3000 unit).

0x102

Console-unique. Per-console factory/service product information.

typedef struct {
  u32 server_ip;
  u16 server_port;
  u8 netmask; //Number of '1' bits in netmask
  u8 unused;
  u32 client_ip;
  u32 defaultGW;
} conn_param;

struct Leaf0x102 {
    u32 unk0;
    u32 unk4;
    struct {
        u8 id;
        u8 state;
    } ProcessId[0x20];
    char gcpId[0x20];
    char productId[0x20];
    //The following fields indicate the number of X present in unit
    struct {
        u8 ComNum;     //Com (3G module)
        u8 WlanNum;    //Ethernet is also counted in here, despite field name
        u8 BtNum;      //Bluetooth
        u8 BatteryNum;
        u8 HdmiNum;
        u8 CpNum;      //Communication Processor
        struct { //Guessed field names
            u8 Front;
            u8 Back;
        } CameraNum;
        struct { //Guessed field names
            u8 Front;
            u8 Back;
        } TouchNum;
        u8 SixSenseNum;  //Gyro
        u8 EMagNum;      //Magnetometer / Compass
        u8 GpsNum;
        u8 AnaDevNum;    //a.k.a. Analog Pad (AP) or Joystick
        u8 DisplayNum;
        u8 SimNum;       //SIM slot
    } DeviceNum;
    u8 SimPackNum;   //Prepaid SIM card
    u8 ComType;
    u8 unused_9A[14];
    u32 contentsVer;  //spkgInfo.version from sceSblUsGetSpkgInfo(0x18)
    u8 unk_AC[4];
    u8 unk_B0;
    u8 unused_B1[0x7];
    u8 unk_B8;
    u8 unused_B9[3];
    conn_param conn_param_0; //For WLAN test?
    conn_param conn_param_1; //For Ethernet test?
    char ssid[0x20];    //SSID of AP used for WLAN test
    u8 test_bt_addr[6]; //Bluetooth MAC address for BT test
    u8 unused_106[2];
    char ImeiBarcode[32];
    char PartsNoBardcode[16];
    char Imsi[16];
    char IccId[20];
    u8 unused_15C[4];

    //Version of the software executed on the unit
    //during manufacturing. Each element of the array
    //corresponds to a different program.
    u32 softVer[3];
    u8 unused_16C[4];
    struct {
        char essid[12];
        u8 channel;
    } WlanTestApInfo;
    u8 unused_17D[3];
    u16 WlanRssi;
    u8 unused_182[6];

    //Obtained from sceSblUsGetSpkgInfo(0x1C), which
    //corresponds to preinstall data patch Spkg.
    //First 4 bytes = spkgInfo.version
    //Fifth byte    = spkgInfo.status[1]
    u8 CustomThemeVersion[5];
    u8 unused_18D[3];

    //If set, clears itself at some point during
    //factTest and skips something
    u8 ConfigProcessJumpFlag;
    u8 unused_191[111];
};

0x103

Console-unique. Unit hardware information.

Offset Size Name Description
0x000 0x4 ErnieHwInfo Ernie (Syscon) Hardware Information
0x004 0x4 ErnieFwVersion Ernie Firmware Version (also called Ernie Verison)
0x008 0x4 ErnieDlVersion ErnieDlVersion
0x00C 0x2 ErnieCfgVersion Obtained from scePdPowerGetConfigStorageInfo. Part of the Syscon "ConfZZ" header.
0x00E 0x12 Empty
0x020 0x8 EmmcFwVersion Vendor ID (1 byte), empty space (1 byte) and Device Version (6 bytes)
0x028 0x8 Empty
0x030 0x8 EmmcFwVersion2 Vendor ID (1 byte), Device Version (6 bytes) and an additional byte (for Samsung eMMC, 0 otherwise)
0x038 0x8 Empty
0x040 0x2 ElmoFWVer Elmo Firmware Version
0x042 0x1E Empty
0x060 0x2 CookieFWVer Cookie Firmware Version
0x062 0x1E Empty
0x080 0x2 BarkleyFwVersion Motion Device Firmware Version/Hardware Information
0x082 0x2 BarkleyHwInfo
0x084 0x1C Empty
0x0A0 0x2 AbbyHWVersion Abby HW/FW/DF Version
0x0A2 0x2 AbbyFWVersion
0x0A4 0x2 AbbyDFVersion
0x0A6 0x02 Empty
0x0A8 0x02 BatteryVoltageCalib Battery calibration data (for Abby)
0x0AA 0x02 BatteryCurrentCalib
0x0AC 0x14 Empty
0x0C0 0x8 TouchpanelFWVersion Touchpanel Version info (4 u16s)
0x0C8 0x4 TouchpanelConfigVersion 2 u16s
0x0CC 0x4 Empty
0x0D0 0x10 TouchpanelLotInfo 8 bytes for each panel
0x0E0 0x4 WlanBtHWRevision WLAN/Bluetooth Hardware Revision
0x0E4 0x4 Empty
0x0E8 0x6 WlanMacAddress WLAN MAC Address
0x0EE 0x2 Empty
0x0F0 0x6 BtMacAddress Bluetooth MAC Address (usually equal to WlanMacAddress + 1)
0x0F6 0xA Empty
0x100 0x20 BatteryLotInfo ASCII string
0x120 0x84 An ASCII string containing a date.
0x184 0x10 OLEDLotInfo ASCII string
0x194 0x10 An ASCII string (usually starting with TDA).
0x1A4 0x4 Empty
0x1A8 0x20 LcdModLotInfo ASCII string
0x1C8 0x38 Empty

0x104

Console-unique. Test/diagnostic results.

This leaf is only present if diagnostic software has been executed on the unit or some factory tests failed.

0x110 - WlanRegion

PS Vita IdStorage leaf 0x110 contains only 0x10 bytes of data. The first 3 bytes are the WlanRegion. The rest are FFed (unused).

The following algorithm is used to derive WlanRegion from PsCode:

byte WlanRegion[3];

switch(pscode.product_code) {
    case 0x100:
    case 0x101:
    case 0x102:
    case 0x104:
    case 0x10B:
    case 0x10F:
    case 0x110:
    case 0x111:
      WlanRegion[2] = 0;
      WlanRegion[1] = 7;
      break;
    case 0x103:
    case 0x106:
    case 0x108:
    case 0x10A:
    case 0x10D:
    case 0x10E:
      WlanRegion[2] = 0;
      WlanRegion[1] = 0x1F;
      break;
    case 0x105:
    case 0x107:
    case 0x109:
    case 0x10C:
      WlanRegion[2] = 1;
      WlanRegion[1] = 0x1F;
      break;
    default:
      goto error;
}
WlanRegion[0] = 0xFF;

In Manufacturing Mode, WlanRegion is spoofed to FF 1F 00.

0x111 - WlanMacAddress

Console-unique. The MAC address of the Wireless LAN adapter (6 bytes).

Example:

  • some PCH-1100: D4-4B-5E (OUI for Taiyo Yuden Co., Ltd. - Japanese firm)
  • some Blue PCH-1xxx / PCH-2000 : F8-2F-A8
  • some PCH-2000 : 2C-33-7A / 70-77-81 / D4-6A-6A

Note that, besides the first, all these OUIs belong to Hon Hai Precision Ind. Co.,Ltd., also known as Foxconn.

0x112 - MtpSerial

Console-unique. The serial number reported via the MTP protocol (32 UTF-16 characters).

0x113

Console-unique on 3G units and empty on all others. Contains informations related to the 3G modem.

  • 0x136-0x136: ComNum

0x114 - DeviceLocation

Identical for all consoles of a generation (one kind for Fat, one kind for Slim, empty on PSTV).

Contains four struct DeviceLocations describing the location of physical devices in the unit.

struct DeviceLocation { //size is 0x10 bytes
    //0x00 - Front camera
    //0x01 - Back camera
    //0x10 - Accelerometer
    //0x11 - Gyro
    uint32_t type;
    int32_t x;
    int32_t y;
    int32_t z;
};

The structures are usually found in the following order: Cameras followed by Motion (Acc + Gyro).

There is also an unknown int32 flag at offset 0x100.

0x115 - ProductTypeInfo

Identical for all consoles "with same SKU". A string of 16 characters containing information about the product type.

Example values:

  • PDEL100000010000 (PDEL-1000)
  • PCH01004ZAZ20000 (PCH-1004 - Call of Duty: Black Ops Declassified limited edition)
  • PCH01100AA010002 (Crystal Black PCH-1100 - docomo carrier)
  • PCH02000ZA120000 (White PCH-2000)

Decomposition: FFFF NNNN PPPP xxx O

  • FFFF-NNNN PPPP is usually printed on the product's box
    • FFFF = family (e.g., PCH, PDEL)
    • NNNN = number (e.g., 1000, 1004, 1100)
    • PPPP = variant code (e.g., 0001, ZAZ2, AA01, ZA12)
  • xxx = ? (always 000?)
  • O = Product target operator (carrier ID for 3G models - usually matches offset 0x88 of leaf 0x113 on SIM-locked models).
    • 1: US operator
    • 2: JP operator
    • 3: EU generic
    • 4: Asia generic
    • 5: Canada operator
    • 6: Mexico generic

0x116 - ColorVariation

Used for wave color by SceShell if present. (Patch example)

struct ColorVariation {
    uint8_t unk0;
    uint16_t unk1; //maybe just two uint8_t?
    uint8_t unk3;
    /* rest of the leaf is empty */
};

Example values:

  • Call of Duty: Black Ops Declassified limited edition PCH-1004: { 0x01, 0x0000, 0x00 }
  • Glacier White PCH-2000 / White PSTV: { 0x01, 0x000C, 0x00 }

0x117 - TemperatureThreashold

The typo in this leaf's name is present in SCE code.

Contains 4 elements of 1 byte each, which are always all zeroes when the leaf is present.

Sent to Syscon?

0x118 - AudioParam

1 byte. If set to 0 (or the leaf is absent?), AVLS is never forcefully enabled.

Should be 0x0 except on units with PsCode Product Code 0x105 (Europe/East/Africa), 0x107 (Great Britain/United Kingdom) or 0x109 (Australia/New Zealand).

0x119 - EtherMacAddress

Console-unique. The MAC address of the Ethernet adapter (6 bytes).

Empty or not present for non-PSTV units.

0x11A - WebBrowserParam

1 byte.

Seen: 0x02 on PCH200X, 0x11 on PSTV

Should be 0x1 on Fat CEX/DEX, 0x2 on Slim, 0x11 on PSTV and 0x0 on all other units.

0x11B - ShutterParam

1 byte. When leaf is present and contains 0x01, the value returned by sceAVConfigGetShutterVol() changes from 30 to 26.

Seen: 0x01 on PCH200X, 0x00 on PSTV.

Should be 0x1 on Slim units and 0x0 on all others.

0x11C - LedInfoParam

1 byte.

Seen: 0x01 on PCH200X, 0x00 on PSTV

Should be 0x1 on Slim units and 0x0 on all others.