SceMsif
Latest revision by CelesteBlue (no edit summary).
Latest revision as of 22:22, 8 June 2023
The name certainly means Memory Stick interface.
Module
Version | World | Privilege |
---|---|---|
0.990-3.740.011 | Non-secure | Kernel |
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
0.990-3.740.011 | SceMsifForDriver | Non-secure | Kernel | 0xB706084A |
Types
```c
#include <stdint.h>
// SceUID, SceBool, SceInt64 and SceUInt8/16/32/64 come from the SCE kernel SDK headers;
// fast_mutex and addr_pair are the wiki's names for a 0x40-byte and an 8-byte kernel structure.

typedef struct SceMsifIoReq {
    uint32_t addr;
    uint32_t unk04;
    uint32_t size_flags;
} SceMsifIoReq;

// forward declaration: SceMsif_subctx is defined below but used by the function pointer table first
typedef struct SceMsif_subctx SceMsif_subctx;

typedef struct SceMsif_fptr_table {
    // execute READ_ATRB memory access command 0x24
    int (*ms_read_atrb)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
    // execute READ_DATA memory access command 0x20
    int (*ms_read_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
    // execute WRITE_DATA memory access command 0x21
    int (*ms_write_sectors)(SceMsif_subctx *subctx, int sector, int nSectors, SceMsifIoReq *io_req);
    // size of name is 0x30 (this is exactly as in specification)
    // constructs string based on some msif register values
    // or calls fun_1 which probably executes READ_ATRB
    // that contains manufacturer information
    int (*ms_get_model_name)(SceMsif_subctx *subctx, char *model_name);
    // execute an unknown command (0x16) through EX_SET_CMD
    int (*ms_ex_set_cmd_0x16_1)(SceMsif_subctx *subctx, int count);
    // execute FORMAT command 0x10 through EX_SET_CMD
    int (*ms_format)(SceMsif_subctx *subctx, int format);
    int (*ms_sbl_auth)(SceMsif_subctx *subctx, int num);
    // this function is called in SceMsifSleepCtrl handler and
    // looks like it executes SLEEP command 0x11 through EX_SET_CMD
    int (*ms_sleep)(SceMsif_subctx *subctx);
    // execute STOP command 0x25 through EX_SET_CMD
    // then get Card Status register with READ_REG
    // then check SL flag
    int (*ms_stop_1)(SceMsif_subctx *subctx);
    // execute an unknown command (0x16) through EX_SET_CMD
    int (*ms_ex_set_cmd_0x16_2)(SceMsif_subctx *subctx);
    // get INT register with GET_INT
    // then check BREQ Data request flag
    // then execute STOP command 0x25 through EX_SET_CMD
    int (*ms_stop_2)(SceMsif_subctx *subctx);
} SceMsif_fptr_table;

typedef struct msif_init_ctx { // size is unknown
    uint32_t index; // 0x0 - some index or number 0, 1, 2, 3, 4, 5
    //...
    SceMsif_subctx *sub_ctx; // 0x38
    //...
} msif_init_ctx;

// this structure should be located at SceMsif_memblock1_base + 0x30
// so it is mapped to 0xE0900000
// size is unknown
// it looks like max used offset from beginning of structure is 0x70
// and min used offset from beginning of structure is -0x30
typedef struct SceMsifRegs_30 { // size is unknown
    uint32_t unk_0;
    uint32_t unk_4;
    uint32_t evid_bits_8;
    //...
} SceMsifRegs_30;

struct SceMsif_subctx { // size is probably 0xC40
    uint8_t unk_0[0x400]; // buffer that is used for read ops and its physical address is used in SceMsifIoReq.addr
    //...
    uint8_t unk_A00[0x1A0]; // buffer
    //...
    SceMsifRegs_30 *unk_C00;
    //...
    uint32_t unk_C10; // bits
    //...
};

typedef struct SceMsif_ctx { // size is 0x440
    void *SceMsif_regs_vaddr; // 0x0
    SceUID SceMsif_regs_uid; // 0x4 - size 0x1000 - mapped to 0xE0900000
    uint32_t unk_8; // = 0
    SceUID SceMsif_evid; // 0xC
    fast_mutex SceMsif_fast_mutex; // 0x10 - size is 0x40
    SceUID SceMsif_memblock_0x18000_id; // 0x50
    uint32_t unk_54;
    uint32_t intr_mutex; // 0x58 = 0 - used for suspend resume intr
    uint8_t unk_5C;
    uint8_t slow_mode_state; // 0x5D = 0/1
    uint8_t system_time_0; // timewide byte
    uint8_t system_time_1; // timewide byte
    void *range_60; // some range that is invalidated
    uint32_t range_len_64; // length of the range
    uint32_t size_180; // 0x68 - size of data in unk_180 buffer
    uint32_t size_1C0; // 0x6C - size of data in unk_1C0 buffer
    void *unk180_paddr; // 0x70 - physical address of unk_180
    void *unk_1C0_paddr; // 0x74 - physical address of unk_1C0
    void *SceMsif_memblock_0x18000_vaddr; // 0x78 - size 0x18000 (0xC0 sectors of size 0x200)
    SceMsif_subctx *subctx; // 0x7C offset (0x840)
    addr_pair paddr_list_80[4];
    uint8_t unk_A0[0xE0];
    uint8_t unk_180[0x40]; // probably some buffer for accessing device. size confirmed.
    uint8_t unk_1C0[0x40]; // probably some buffer for accessing device. size confirmed.
    SceInt64 wide_time_intr_SceMsifSmshc; // 0x200 - set in SceMsifSmshc interrupt handler
    SceInt64 wide_time; // 0x208 - some time set in different functions
    void *SceMsif_memblock_0x18000_paddr; // 0x210 - physical address of SceMsif_memblock_0x18000
    uint32_t unk_214;
    uint8_t sector_buffer[0x200]; // 0x218 - read buffer of size 0x200 - used to read MBR and execute other single sector read ops
    uint32_t unk_418;
    uint32_t unk_41C;
    uint32_t unk_420;
    uint32_t unk_424;
    SceUID SceMsifSleepCtrl_evid; // 0x428
    SceUID SceMsifSleepCtrl_thid; // 0x42C - thread id
    uint32_t suspend_resume_curr_state; // 0x430 = 0
    uint32_t suspend_resume_prev_state; // 0x434 = 0
    uint32_t unk_438;
    uint32_t unk_43C;
} SceMsif_ctx;

// packed so that sizeof(SceMsId) is the documented 8 bytes (with natural alignment the
// 16-bit year would be padded and the struct would grow to 10 bytes); the SceMsInfo
// offsets below (id at 0x30, SceMsif_subctx_addr at 0x38) also require the 8-byte size.
typedef struct __attribute__((packed)) SceMsId { // size is 8 bytes
    SceUInt8 unk_0x0; // maybe manufacture code. ex: 0x20.
    SceUInt16 manuf_year;
    SceUInt8 manuf_month;
    SceUInt8 manuf_day;
    SceUInt8 manuf_hour;
    SceUInt8 manuf_minute;
    SceUInt8 manuf_second;
} SceMsId;

typedef struct SceMsInfo { // size is 0x24 on FW 0.990-3.01, 0x40 on FW 3.10-3.740.011
    int ms_type; // Always 5 on seen PS Vita memory cards. ex (in software): 0, 1, 2, 3, 4, 5. Other values than 5 might be older revisions (Memory Stick, M2).
    SceBool is_read_only; // Set to 0 to allow RW. Anything else than 0 seems to disable write.
    SceUInt64 nbytes; // Total size in bytes.
    SceUInt64 nbytes2; // Same value as nbytes, so for what purpose?
    SceUInt32 sector_size_low; // ex: 0x200 (default for PS Vita memory cards)
    SceUInt32 sector_size_hi; // Always set to 0 (hardcoded). Indeed PS Vita does not support big allocation sizes.
    SceUInt32 fs_offset;
    SceUInt32 unk_0x24; // ex: various
    SceUInt32 unk_0x28; // ex: 0
    SceUInt32 unk_0x2C; // ex: 1
    SceMsId id; // Stored in coredumps.
    void *SceMsif_subctx_addr; // Should not be accessible to usermode as it points to SceMsif kernel module data segment (offset 0x840 on FW 3.60)...
    SceUInt32 reserved; // Totally unused. This field has been forgotten in some code so there exist vulnerabilities.
} SceMsInfo;
```
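The two SceMsInfo fields flagged above (a kernel data-segment pointer that must not reach usermode, and a reserved word that some code forgets to initialise) are the classic shape of a kernel information leak. The following is an added example, not code from the wiki or from the SceMsif module: it re-declares the FW 3.10+ SceMsInfo layout from the wiki with fixed-width types so it compiles on any host (the 32-bit kernel pointer is modelled as uint32_t), checks that the host layout matches the documented offsets and size, and shows the copy-out discipline that avoids the leak: start from zeroed memory and copy only the documented card properties. The function names (msinfo_layout_ok, msinfo_leaks_kernel_data, msinfo_copy_for_user, sample_kernel_msinfo, sanitise_demo_ok) and the sample card values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Copy of the wiki's SceMsId: packed so it is 8 bytes as documented.
typedef struct __attribute__((packed)) SceMsId {
    uint8_t  unk_0x0;
    uint16_t manuf_year;
    uint8_t  manuf_month, manuf_day, manuf_hour, manuf_minute, manuf_second;
} SceMsId;

// Copy of the wiki's SceMsInfo (0x40 bytes on FW 3.10-3.740.011) with host-independent types.
typedef struct SceMsInfo {
    int32_t  ms_type;
    int32_t  is_read_only;
    uint64_t nbytes;
    uint64_t nbytes2;
    uint32_t sector_size_low;
    uint32_t sector_size_hi;
    uint32_t fs_offset;
    uint32_t unk_0x24;
    uint32_t unk_0x28;
    uint32_t unk_0x2C;
    SceMsId  id;
    uint32_t SceMsif_subctx_addr; // kernel pointer (void * on the 32-bit target)
    uint32_t reserved;            // the field the wiki says some code forgets to initialise
} SceMsInfo;

// Returns 1 when this build's layout matches the offsets and size the wiki documents.
static int msinfo_layout_ok(void) {
    return sizeof(SceMsId) == 8
        && offsetof(SceMsInfo, id) == 0x30
        && offsetof(SceMsInfo, SceMsif_subctx_addr) == 0x38
        && offsetof(SceMsInfo, reserved) == 0x3C
        && sizeof(SceMsInfo) == 0x40;
}

// Returns 1 if a struct about to be handed to usermode still carries kernel-only data:
// a non-zero kernel pointer or a non-zero (i.e. never cleared) reserved word.
static int msinfo_leaks_kernel_data(const SceMsInfo *p) {
    return p->SceMsif_subctx_addr != 0 || p->reserved != 0;
}

// Builds the copy that may be exposed to usermode: zero everything first so no padding or
// forgotten field carries kernel stack contents, then copy only the documented card
// properties. The kernel pointer and the reserved word stay zero.
static void msinfo_copy_for_user(const SceMsInfo *kern, SceMsInfo *user_out) {
    memset(user_out, 0, sizeof(*user_out));
    user_out->ms_type         = kern->ms_type;
    user_out->is_read_only    = kern->is_read_only;
    user_out->nbytes          = kern->nbytes;
    user_out->nbytes2         = kern->nbytes2;
    user_out->sector_size_low = kern->sector_size_low;
    user_out->sector_size_hi  = kern->sector_size_hi;
    user_out->fs_offset       = kern->fs_offset;
    user_out->unk_0x24        = kern->unk_0x24;
    user_out->unk_0x28        = kern->unk_0x28;
    user_out->unk_0x2C        = kern->unk_0x2C;
    user_out->id              = kern->id;
}

// Constructed sample of a kernel-side struct for a 4 GB card. The pointer value is a made-up
// placeholder and the 0xAA fill stands in for uninitialised kernel stack contents.
static SceMsInfo sample_kernel_msinfo(void) {
    SceMsInfo k;
    memset(&k, 0xAA, sizeof(k));
    k.ms_type = 5; k.is_read_only = 0;
    k.nbytes = k.nbytes2 = 4ULL << 30;
    k.sector_size_low = 0x200; k.sector_size_hi = 0; k.fs_offset = 0;
    k.unk_0x24 = 0; k.unk_0x28 = 0; k.unk_0x2C = 1;
    memset(&k.id, 0, sizeof(k.id)); k.id.unk_0x0 = 0x20; k.id.manuf_year = 2014;
    k.SceMsif_subctx_addr = 0x12345678; // placeholder for the kernel data-segment pointer
    // k.reserved is deliberately left at 0xAAAAAAAA: the "forgotten" field
    return k;
}

// Runs the sanitisation on the sample; returns 1 when the raw struct leaks, the user copy
// does not, and the user copy still carries the card properties.
static int sanitise_demo_ok(void) {
    SceMsInfo k = sample_kernel_msinfo(), u;
    if (!msinfo_leaks_kernel_data(&k)) return 0;
    msinfo_copy_for_user(&k, &u);
    return !msinfo_leaks_kernel_data(&u)
        && u.nbytes == (4ULL << 30) && u.sector_size_low == 0x200
        && u.id.manuf_year == 2014 && u.reserved == 0;
}
```

The layout check is what a reviewer would keep as a compile-time or test-time guard when a struct is shared across a kernel/user boundary: if a field is added or the card-id struct gains padding, the 0x38/0x3C offsets the page documents no longer hold and the copy-out must be revisited.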
Data segment layout
Address | Size | Description |
---|---|---|
0x0000 | 0x4 | SceMsif_subctx* - pointer to offset 0x840 |
0x0004 | 0x4 | pointer to data at offset 0x18 |
0x0008 | 0x4 | unknown |
0x000C | 0x4 | unknown |
0x0010 | 0x4 | pointer to table SceMsif_fptr_table of 11 function pointers |
0x0014 | 0x4 | unknown |
0x0018 | 0x800 | some data or array of 0x10 elements of size 0x80 |
0x0818 | 0x28 | unknown |
0x0840 | 0xC40 | SceMsif_subctx data |
0x1480 | 0x440 | SceMsif_ctx |
0x18C0 | 0x4 | SceMsif suspend callback id |
0x18C4 | 0x4 | unknown |
0x18C8 | 0x8 | UInt64. wide time |
0x18D0 | 0x8 | UInt64. probably time in ms |
0x18D8 | 0xE0 | decrypted data - array of 8 elements of size 0x1C (0x1C is probably size of sha224) |
0x19B8 | 0x4 | flag that shows that static sha224 table is decrypted |
0x19BC | 0x4 | SM communication ID (obtained with sceSblSmCommStartSm) |
SceMsifForDriver
sceMsifReadSectorForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x58654AA3 |
int sceMsifReadSectorForDriver(int sector, char* buffer, int nSectors);
sceMsifWriteSectorForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x329035EF |
int sceMsifWriteSectorForDriver(int sector, char* buffer, int nSectors);
sceMsifEnableSlowCardModeForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x4B751CE6 |
int sceMsifEnableSlowCardModeForDriver(void);
sceMsifDisableSlowCardModeForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x75848756 |
int sceMsifDisableSlowCardModeForDriver(void);
sceMsifGetSlowCardModeStateForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x491E25B5 |
int sceMsifGetSlowCardModeStateForDriver(void);
sceMsifSwResetForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x4EA579EF |
The temporary name was sceMsifInitializeMmcDeviceForDriver.
Part of its functionality is the same as that of msif_get_sha224_digest_source.
int sceMsifSwResetForDriver(void);
sceMsifGetMsInfoForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0xD0307849 |
int sceMsifGetMsInfoForDriver(SceMsInfo *pInfo);
msif_init_mbr
Version | NID |
---|---|
0.931.010-1.06 | not present |
1.500.151-3.740.011 | 0xF997286B |
int msif_init_mbr();
msif_get_time_from_SceMsifSmshc
Version | NID |
---|---|
0.990.000 | not present |
0.995.000-3.740.011 | 0x855E1E38 |
Returns the wide-time difference since the last SceMsifSmshc interrupt.
SceInt64 msif_get_time_from_SceMsifSmshc();
sceMsifZerofillSectorForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x0F86BEEA |
This is a guessed name. The temporary name was sceMsifDevNullPrepareDmaTableForDriver.
Zero-fills the given sectors by DMA-ing from '/dev/null' (physical address 0x1D000000).
int sceMsifZerofillSectorForDriver(int sector, int nSectors);
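The three sector-addressed calls above (sceMsifReadSectorForDriver, sceMsifWriteSectorForDriver and sceMsifZerofillSectorForDriver) take the sector index and count as signed ints, and the read/write variants take a caller-supplied buffer whose required size is nSectors times the sector size. The following is an added example, not code from the wiki or from the SceMsif module, of the validation a caller or wrapper should perform before such a call, using the card geometry that sceMsifGetMsInfoForDriver reports (nbytes and sector_size_low): it rejects negative values, empty ranges, ranges that run past the end of the card, and buffer-size products that would wrap in int arithmetic. The function names msif_sector_range_ok and msif_request_bytes are hypothetical, and the 4 GB geometry used in the checks is a constructed sample.

```c
#include <limits.h>
#include <stdint.h>

// Returns 1 when [sector, sector + nSectors) lies within a card of nbytes bytes made of
// sector_size-byte sectors, 0 otherwise. All arithmetic is 64-bit so nothing can wrap.
static int msif_sector_range_ok(uint64_t nbytes, uint32_t sector_size, int sector, int nSectors) {
    if (sector_size == 0) return 0;                 // geometry not initialised: nothing is valid
    if (sector < 0 || nSectors <= 0) return 0;      // signed API: negatives must never reach the hardware
    uint64_t capacity = nbytes / sector_size;       // number of addressable sectors
    uint64_t end = (uint64_t)sector + (uint64_t)nSectors; // both operands < 2^31, so no overflow
    if (end > capacity) return 0;                   // would read, write or zero past the card
    if (end > (uint64_t)INT_MAX) return 0;          // keep the result representable in the int API
    return 1;
}

// Bytes the caller's buffer must hold for nSectors sectors. Returns 0 (and leaves *out
// untouched) if nSectors is not positive or the product would not fit in a positive int,
// which is what naive `nSectors * sector_size` in int would silently wrap to.
static int msif_request_bytes(uint32_t sector_size, int nSectors, uint64_t *out) {
    if (sector_size == 0 || nSectors <= 0) return 0;
    uint64_t bytes = (uint64_t)sector_size * (uint64_t)nSectors;
    if (bytes > (uint64_t)INT_MAX) return 0;
    *out = bytes;
    return 1;
}
```

With a 4 GB card and 0x200-byte sectors the capacity is 0x800000 sectors, so sector 0x7FFFFF with a count of 1 is the last valid request and sector 0x800000 is already out of range; a count of 0x400000 sectors multiplies to exactly 2^31 bytes, which a 32-bit int cannot hold, and is rejected by msif_request_bytes.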
sceMsifFormatForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x6EDE7DBA |
int sceMsifFormatForDriver(int format_arg);
sceMsifGetMediaIdForDriver
Version | NID |
---|---|
0.990.000-3.740.011 | 0x718BDFDE |
Gets the data that is used to calculate a SHA-224 digest. This digest is used to verify a static table of SHA-224 digests, which is decrypted internally using keys derived from sceSblSsMgrDecryptWithPortabilityForDriver.
This function is also used in SceMagicGate.
```c
// sha224_ds is of size 0x10 bytes
int sceMsifGetMediaIdForDriver(void *sha224_ds);
```