Updater: Difference between revisions
(102 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
Various components in user, kernel, and secure kernel work together to update the system. All the relevant libraries are documented in this one page because they work close together. | Various components in user, kernel, and secure kernel work together to update the system. All the relevant libraries are documented in this one page because they work close together. | ||
== | = Update Process = | ||
The PS Vita updater is composed of various parts: | |||
* SceCuiSetUpper | |||
* ScePsp2Swu | |||
* SceSblSsUpdateMgr | |||
* update_service_sm | |||
=== | == Initiator == | ||
The first part is the initiator of the update. The responsibility of the initiator is to copy the update file (<code>PSP2UPDAT.PUP</code>) to the <code>ud0</code> [[Partitions|partition]] and extract <code>psp2swu.self</code> from the update file to <code>ud0:PSP2UPDATE/psp2swu.self</code>. Then it signals the [[Syscon|syscon]] to start in update mode, where <code>psp2swu.self</code> is loaded instead of the usual shell. | |||
The initiator that most people use is likely the update option in [[SceSettings]]. Another is the update option in [[SceSafeMode]]. Another option is <code>SceCuiSetUpper</code>, which is extracted from the update [[PUP]]. <code>SceCuiSetUpper</code> is likely used in development units as it can load the update data from <code>host0</code>, which only exists on development units. This file, however, can be found in retail update packages. <code>SceCuiSetUpper</code> also sets a flag to start updater in CUI mode. | |||
== ScePsp2Swu == | == ScePsp2Swu == | ||
Once the system restarts into update mode, the updater runs. Normally, it runs in GUI mode which is the green screen with the progress bar. If a flag is set by the initiator, the updater will run in CUI mode, which is a text interface that provides more verbose information about the update process. | |||
The updater first makes calls to <code>SceSblSsUpdateMgr</code> to verify the PUP header. For more information, check out [[PUP]]. Next, the updater will spawn a thread that calls into the kernel to decrypt, verify, and flash each package file according to the information found in the package header. For more information, check out [[PUP#Packages]]. | |||
== | == SceSblSsUpdateMgr == | ||
This is a kernel module that actually does the work and performs the update. It verifies the [[PUP]] headers as well as the [[PUP#Packages|package]] headers then flashes the decrypted images directly to the [[eMMC]] with block writes. | |||
== | = Update Package Decryption Code = | ||
The following code snippet will decrypt and update a directory of package files on FW 1.69 (the kernel functions called are specific to FW 1.69 prototypes). It is an attempted reproduction of the main code in <code>ScePsp2Swu</code>. The requirements are that you patch the application to be running in [[Vsh]] context (or specifically patch the [[AuthorityId|Authority ID]] to allow access to the kernel update functions). You also need an ability to read and write to the kernel from within your application. Finally, the updater will always attempt to flash the decrypted contents. If the flash failed because of model checks or whatever, it will return an error but the data will still be successfully decrypted and outputted. If it succeeds, note that you have now updated your PS Vita. | |||
| | |||
<source lang="C"> | |||
int update_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { | |||
int args[11]; | |||
<source lang=" | |||
int | |||
int | |||
int res; | int res; | ||
memset(args, 0, 0x2C); | |||
memset( | args[0] = 0x2C; | ||
args[1] = code1; | |||
args[2] = (int) buf; | |||
args[3] = buflen; | |||
args[4] = code2; | |||
sceClibPrintf("Calling update_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x \n", package_type, (int)buf, buflen, code2); | |||
sceClibPrintf("Calling | res = sceSblUsUpdateSpackageForUser(package_type, args, pRequestId); | ||
res= | |||
return res; | return res; | ||
} | } | ||
int | int inspect_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { | ||
int | int args[11]; | ||
int res; | int res; | ||
memset(args, 0, 0x2C); | |||
memset( | args[0] = 0x2C; | ||
args[1] = package_type; | |||
args[2] = (int) buf; | |||
args[3] = buflen; | |||
args[4] = code2; | |||
sceClibPrintf("Calling inspect_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", package_type, (int)buf, buflen, code2); | |||
sceClibPrintf("Calling | res = sceSblUsInspectSpackageForUser(package_type, args, pRequestId); | ||
res= | |||
return res; | return res; | ||
} | } | ||
int | int extract_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { | ||
int | int args[11]; | ||
int res; | int res; | ||
memset(args, 0, 0x2C); | |||
memset( | args[0] = 0x2C; | ||
args[1] = package_type; | |||
args[2] = (int) buf; | |||
args[3] = buflen; | |||
args[4] = code2; | |||
sceClibPrintf("Calling extract_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", package_type, (int)buf, buflen, code2); | |||
sceClibPrintf("Calling | res = sceSblUsExtractSpackageForUser(package_type, args, pRequestId); | ||
res= | |||
return res; | return res; | ||
} | } | ||
int | int get_status(int node_type, int requestId, int *out1, int *out2, int *out3, int *out4) { | ||
int | int args[11]; | ||
int res; | int res; | ||
memset(args, 0, 0x2C); | |||
memset( | args[0] = 0x2C; | ||
args[7] = (int) out1; | |||
args[8] = (int) out2; | |||
args[9] = (int) out3; | |||
args[10] = (int) out4; | |||
sceClibPrintf("Calling get_status with node_type = 0x%x requestId = 0x%x\n", node_type, requestId); | |||
sceClibPrintf("Calling | res = sceSblUsGetStatusForUser(node_type, requestId, args); | ||
res= | |||
return res; | return res; | ||
} | } | ||
int get_final_size(unsigned char * buf) { | |||
int * poffs; | unsigned int get_final_size(unsigned char *buf) { | ||
int * psize; | int *poffs; | ||
int *psize; | |||
poffs = (int *) (buf+0x10); | poffs = (int *) (buf+0x10); | ||
psize = (int *) (buf+(*poffs)+0x20); | psize = (int *) (buf+(*poffs)+0x20); | ||
return *psize; | return *psize; | ||
} | } | ||
int | |||
int * poffs; | int get_package_type(unsigned char *buf) { | ||
int * psize; | int *poffs; | ||
if ( *(int *)buf == 0x00454353 ) | int *psize; | ||
if (*(int *)buf == 0x00454353) { // "SCE\0" | |||
poffs = (int *) (buf+0x10); | poffs = (int *) (buf+0x10); | ||
psize = (int *) (buf+(*poffs)+4); | psize = (int *) (buf+(*poffs)+4); | ||
Line 193: | Line 103: | ||
} | } | ||
else | else | ||
return -1; | return -1; | ||
} | |||
unsigned char * get_data_offset(unsigned char * buf) { | unsigned char *get_data_offset(unsigned char *buf) { | ||
int * poffs; | int *poffs; | ||
poffs = (int *) (buf+0x10); | poffs = (int *) (buf+0x10); | ||
return | return buf + *poffs + 0x80; | ||
} | } | ||
int | int get_extract_spackage(int node_type, int requestId, unsigned char *buf, int maxlen) { | ||
int | int args[11]; | ||
int res; | int res; | ||
unsigned char * payload; | unsigned char *payload; | ||
int size; | int size; | ||
memset(args, 0, 0x2C); | |||
memset( | args[0] = 0x2C; | ||
args[1] = node_type; | |||
args[5] = (int) buf; | |||
args[6] = maxlen; | |||
sceClibPrintf("Calling get_extract_spackage with node_type = 0x%x requestId = 0x%x buf = 0x%x maxlen = 0x%x\n", node_type, requestId, (int)buf, maxlen); | |||
sceClibPrintf("Calling | res = sceSblUsGetExtractSpackageForUser(node_type, requestId, args); | ||
res= | |||
return res; | return res; | ||
} | } | ||
int | int do_decrypt_spackage_file(const char *inpath, const char *outpath, const char *errpath, unsigned int us_buf_size) { | ||
{ | |||
int fd; | int fd; | ||
int res; | int res; | ||
int memid; | int memid; | ||
int | unsigned int read_size; | ||
int maxlen=0x810000; | unsigned int maxlen = 0x810000; | ||
int | int args[0x2C/4]; | ||
int id; | int id; | ||
int | int node_type; | ||
int code; | int code; | ||
unsigned char * | unsigned char *us_buf_addr, *outbuf; | ||
unsigned int | unsigned int requestId, p1, p2, p3, p4; | ||
res= | res = sceSblUsAllocateBufferForUser(us_buf_size, &us_buf_addr); | ||
sceClibPrintf("Allocation returned 0x%x addr 0x%x\n", res, (int) | sceClibPrintf("Allocation returned 0x%x addr 0x%x\n", res, (int)us_buf_addr); | ||
if(res) { | if (res) { | ||
sceClibPrintf("Cannot allocate | sceClibPrintf("Cannot allocate buffer. (us_buf_size 0x%x) fail.\n", us_buf_size); | ||
return 0; | return 0; | ||
} | } | ||
fd = sceIoOpen(inpath, 1, 0); | |||
fd= sceIoOpen(inpath,1,0); | read_size = 0; | ||
while ((read_size = sceIoRead(fd, us_buf_addr, us_buf_size - read_size)) > 0); | |||
while (( | |||
sceIoClose(fd); | sceIoClose(fd); | ||
package_type = get_package_type(us_buf_addr); | |||
switch ( | switch (package_type) { | ||
case -1: | case -1: | ||
sceClibPrintf("Not an encrypted file.\n"); | sceClibPrintf("Not an encrypted file.\n"); | ||
Line 253: | Line 157: | ||
case 4: | case 4: | ||
case 0x1B: | case 0x1B: | ||
node_type = 3; | |||
res= | res = extract_spackage(package_type, us_buf_addr, us_buf_size, 9, &requestId); | ||
break; | break; | ||
case 0: | case 0: | ||
Line 263: | Line 167: | ||
case 0xE: | case 0xE: | ||
case 0x1A: | case 0x1A: | ||
sceClibPrintf("Warning, | sceClibPrintf("Warning, package_type %x is unsupported!\n", package_type); | ||
default: | default: | ||
node_type = 2; | |||
res= | res = inspect_spackage(package_type, us_buf_addr, us_buf_size, 9, &requestId); | ||
break; | break; | ||
} | } | ||
if(res) { | if (res) { | ||
sceClibPrintf(" | sceClibPrintf("xxx_spackage failed. (0x%x)\n", res); | ||
goto ERROR; | goto ERROR; | ||
} | } | ||
for(;;) { | for (;;) { | ||
res= | res = get_status(node_type, requestId, &p1, &p2, &p3, &p4); | ||
if(res) { | if (res) { | ||
sceClibPrintf(" | sceClibPrintf("get_status failed. (0x%x)\n", res); | ||
goto ERROR; | goto ERROR; | ||
} | } | ||
if(p3 == 5) | if (p3 == 5) | ||
break; | break; | ||
else | |||
sceKernelDelayThread( | sceKernelDelayThread(500000); | ||
} | } | ||
sceClibPrintf("p1= 0x%x p2 = 0x%x p3 = 0x%x p4 = 0x%x\n", p1,p2,p3,p4); | sceClibPrintf("p1= 0x%x p2 = 0x%x p3 = 0x%x p4 = 0x%x\n", p1, p2, p3, p4); | ||
if(p2 == 0) { | if (p2 == 0) { | ||
sceClibPrintf("Starting to write %s\n", outpath); | sceClibPrintf("Starting to write %s\n", outpath); | ||
fd= sceIoOpen(outpath,0x603,0x186); | fd = sceIoOpen(outpath, 0x603, 0x186); | ||
read_size = get_final_size(us_buf_addr); | |||
while (( | while ((read_size -= sceIoWrite(fd, get_data_offset(us_buf_addr), read_size)) > 0); | ||
sceIoClose(fd); | sceIoClose(fd); | ||
} else { | } else { | ||
sceClibPrintf("Error decrypting. Writing results to %s\n", errpath); | sceClibPrintf("Error decrypting. Writing results to %s\n", errpath); | ||
fd= sceIoOpen(errpath,0x603,0x186); | fd = sceIoOpen(errpath, 0x603, 0x186); | ||
read_size = get_final_size(us_buf_addr); | |||
while (( | while ((read_size -= sceIoWrite(fd, get_data_offset(us_buf_addr), read_size)) > 0); | ||
sceIoClose(fd); | sceIoClose(fd); | ||
goto ERROR; | goto ERROR; | ||
} | } | ||
res = get_extract_spackage(node_type, requestId, us_buf_addr, maxlen); | |||
res= | if (res) { | ||
if(res) { | sceClibPrintf("get_extract_spackage failed. (0x%x)\n", res); | ||
sceClibPrintf(" | |||
goto ERROR; | goto ERROR; | ||
} | } | ||
res = sceSblUsReleaseBufferForUser(us_buf_addr); | |||
res= | |||
return 1; | return 1; | ||
ERROR: | ERROR: | ||
res= | res = sceSblUsReleaseBufferForUser(us_buf_addr); | ||
return 0; | return 0; | ||
} | } | ||
void | void do_decrypt_spackage_dir(const char *path) { | ||
{ | |||
int fd; | int fd; | ||
SceIoDirent dir; | SceIoDirent dir; | ||
Line 322: | Line 221: | ||
char output[256]; | char output[256]; | ||
char errput[256]; | char errput[256]; | ||
if ((fd = sceIoDopen(path)) < 0) { | |||
if ((fd = sceIoDopen(path)) < 0) | sceClibPrintf("Error opening spackage directory.\n"); | ||
sceClibPrintf("Error opening | |||
return; | return; | ||
} | } | ||
while (sceIoDread(fd, &dir) > 0) { | |||
while (sceIoDread(fd, &dir) > 0) | |||
sprintf(input, "%s/%s", path, dir.d_name); | sprintf(input, "%s/%s", path, dir.d_name); | ||
sprintf(output, "%s/%s.dec", path, dir.d_name); | sprintf(output, "%s/%s.dec", path, dir.d_name); | ||
sprintf(errput, "%s/%s.err", path, dir.d_name); | sprintf(errput, "%s/%s.err", path, dir.d_name); | ||
sceClibPrintf("Decrypting %s (size 0x%x)\n", input, (unsigned int)dir.d_stat.st_size); | sceClibPrintf("Decrypting %s (size 0x%x)\n", input, (unsigned int)dir.d_stat.st_size); | ||
if ( | if (do_decrypt_spackage_file(input, output, errput, (unsigned int)dir.d_stat.st_size)) | ||
sceClibPrintf("Decrypted to %s\n", output); | sceClibPrintf("Decrypted to %s\n", output); | ||
else | else | ||
sceClibPrintf("Failed to decrypt %s\n", dir.d_name); | sceClibPrintf("Failed to decrypt %s\n", dir.d_name); | ||
} | } | ||
sceIoDclose(fd); | sceIoDclose(fd); | ||
} | } | ||
</source> | </source> | ||
== | = Bootloader = | ||
The SLSK bootloaders are re-encrypted with per-console keys during the update process. <code>second_loader.enp</code> and <code>second_loader.enc</code> are transformed into <code>second_loader.enp_</code> and <code>second_loader.enp</code> respectively by cMeP before flashing to eMMC (and the same thing is done to <code>secure_kernel</code>). | |||
= Some useful notes = | |||
[[SceSblUpdateMgr#sceSblUsUpdateSpackageForUser|sceSblUsUpdateSpackageForUser]] does the bulk of the work decrypting and flashing all the update parts. There appears to be two ways to skip the version checks (but not revokion checks). | |||
<s>First way is to patch the imported function <code>SceQafMgrForDriver_8C423C18(void);</code> to return 1. Alternatively, patch [[KBL Param]] offset 0x2C+3 and set bit 0x2. This will bypass ALL version checks, including the peripherals which might be dangerous.</s> | |||
Update: do not do this. It does brick as expected. | |||
<s>Second way is to patch <code>SceVshBridge</code> export of <code>vshSblAimgrIsCEX</code> (takes no arguments) to return 0. Alternatively patch <code>ScePsp2Swu</code>'s import of that function.</s> | |||
Update: this does not work because the export is used by other functions and fails earlier checks. This flag is set by psp2swu.self to indicate bypassing of version checks on the bootloader and system partitions. All other components will be updated if at higher version. This is what DevKits do by default. You can also patch the flags directly. In <code>sceSblUsUpdateSpackageForUser</code>, <code>sceSblUsInspectSpackageForUser</code>, and <code>sceSblUsExtractSpackageForUser</code> (in order: flash, dry run, decrypt only) you can patch the flags argument directly and set <code>0x8</code> to indicate skipping version check on bootloader and system partitions. The flags argument found in R1 (second argument) as a user memory pointer offset 0x10. | |||
Authority ID for psp2swu.self is either <code>2800800000000002</code> or <code>2800800000000003</code>. | |||
Minimal FW update version for a PS Vita is checked at two layers at least: | |||
* From Idstorage SMI leaf. Two AES encryption layers and one RSA. Highest minimal FW version is 3.65. | |||
* From UpdateMgr embedded list. Constant and depending on hardware. Highest minimal FW version is 3.50. | |||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category:Kernel]] | [[Category:Kernel]] |
Latest revision as of 06:42, 22 January 2023
Various components in user, kernel, and secure kernel work together to update the system. All the relevant libraries are documented in this one page because they work close together.
Update Process
The PS Vita updater is composed of various parts:
- SceCuiSetUpper
- ScePsp2Swu
- SceSblSsUpdateMgr
- update_service_sm
Initiator
The first part is the initiator of the update. The responsibility of the initiator is to copy the update file (PSP2UPDAT.PUP
) to the ud0
partition and extract psp2swu.self
from the update file to ud0:PSP2UPDATE/psp2swu.self
. Then it signals the syscon to start in update mode, where psp2swu.self
is loaded instead of the usual shell.
The initiator that most people use is likely the update option in SceSettings. Another is the update option in SceSafeMode. Another option is SceCuiSetUpper
, which is extracted from the update PUP. SceCuiSetUpper
is likely used in development units as it can load the update data from host0
, which only exists on development units. This file, however, can be found in retail update packages. SceCuiSetUpper
also sets a flag to start updater in CUI mode.
ScePsp2Swu
Once the system restarts into update mode, the updater runs. Normally, it runs in GUI mode which is the green screen with the progress bar. If a flag is set by the initiator, the updater will run in CUI mode, which is a text interface that provides more verbose information about the update process.
The updater first makes calls to SceSblSsUpdateMgr
to verify the PUP header. For more information, check out PUP. Next, the updater will spawn a thread that calls into the kernel to decrypt, verify, and flash each package file according to the information found in the package header. For more information, check out PUP#Packages.
SceSblSsUpdateMgr
This is a kernel module that actually does the work and performs the update. It verifies the PUP headers as well as the package headers then flashes the decrypted images directly to the eMMC with block writes.
Update Package Decryption Code
The following code snippet will decrypt and update a directory of package files on FW 1.69 (the kernel functions called are specific to FW 1.69 prototypes). It is an attempted reproduction of the main code in ScePsp2Swu
. The requirements are that you patch the application to be running in Vsh context (or specifically patch the Authority ID to allow access to the kernel update functions). You also need an ability to read and write to the kernel from within your application. Finally, the updater will always attempt to flash the decrypted contents. If the flash failed because of model checks or whatever, it will return an error but the data will still be successfully decrypted and outputted. If it succeeds, note that you have now updated your PS Vita.
int update_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { int args[11]; int res; memset(args, 0, 0x2C); args[0] = 0x2C; args[1] = code1; args[2] = (int) buf; args[3] = buflen; args[4] = code2; sceClibPrintf("Calling update_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x \n", package_type, (int)buf, buflen, code2); res = sceSblUsUpdateSpackageForUser(package_type, args, pRequestId); return res; } int inspect_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { int args[11]; int res; memset(args, 0, 0x2C); args[0] = 0x2C; args[1] = package_type; args[2] = (int) buf; args[3] = buflen; args[4] = code2; sceClibPrintf("Calling inspect_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", package_type, (int)buf, buflen, code2); res = sceSblUsInspectSpackageForUser(package_type, args, pRequestId); return res; } int extract_spackage(int package_type, unsigned char *buf, int buflen, int code2, int *pRequestId) { int args[11]; int res; memset(args, 0, 0x2C); args[0] = 0x2C; args[1] = package_type; args[2] = (int) buf; args[3] = buflen; args[4] = code2; sceClibPrintf("Calling extract_spackage with package_type = 0x%x buf = 0x%x buflen = 0x%x code2 = 0x%x\n", package_type, (int)buf, buflen, code2); res = sceSblUsExtractSpackageForUser(package_type, args, pRequestId); return res; } int get_status(int node_type, int requestId, int *out1, int *out2, int *out3, int *out4) { int args[11]; int res; memset(args, 0, 0x2C); args[0] = 0x2C; args[7] = (int) out1; args[8] = (int) out2; args[9] = (int) out3; args[10] = (int) out4; sceClibPrintf("Calling get_status with node_type = 0x%x requestId = 0x%x\n", node_type, requestId); res = sceSblUsGetStatusForUser(node_type, requestId, args); return res; } unsigned int get_final_size(unsigned char *buf) { int *poffs; int *psize; poffs = (int *) (buf+0x10); psize = (int *) (buf+(*poffs)+0x20); return *psize; } int get_package_type(unsigned char *buf) { int *poffs; int *psize; if (*(int *)buf == 0x00454353) { // "SCE\0" poffs = (int *) (buf+0x10); psize = (int *) (buf+(*poffs)+4); return *psize; } else return -1; } unsigned char *get_data_offset(unsigned char *buf) { int *poffs; poffs = (int *) (buf+0x10); return buf + *poffs + 0x80; } int get_extract_spackage(int node_type, int requestId, unsigned char *buf, int maxlen) { int args[11]; int res; unsigned char *payload; int size; memset(args, 0, 0x2C); args[0] = 0x2C; args[1] = node_type; args[5] = (int) buf; args[6] = maxlen; sceClibPrintf("Calling get_extract_spackage with node_type = 0x%x requestId = 0x%x buf = 0x%x maxlen = 0x%x\n", node_type, requestId, (int)buf, maxlen); res = sceSblUsGetExtractSpackageForUser(node_type, requestId, args); return res; } int do_decrypt_spackage_file(const char *inpath, const char *outpath, const char *errpath, unsigned int us_buf_size) { int fd; int res; int memid; unsigned int read_size; unsigned int maxlen = 0x810000; int args[0x2C/4]; int id; int node_type; int code; unsigned char *us_buf_addr, *outbuf; unsigned int requestId, p1, p2, p3, p4; res = sceSblUsAllocateBufferForUser(us_buf_size, &us_buf_addr); sceClibPrintf("Allocation returned 0x%x addr 0x%x\n", res, (int)us_buf_addr); if (res) { sceClibPrintf("Cannot allocate buffer. (us_buf_size 0x%x) fail.\n", us_buf_size); return 0; } fd = sceIoOpen(inpath, 1, 0); read_size = 0; while ((read_size = sceIoRead(fd, us_buf_addr, us_buf_size - read_size)) > 0); sceIoClose(fd); package_type = get_package_type(us_buf_addr); switch (package_type) { case -1: sceClibPrintf("Not an encrypted file.\n"); goto ERROR; case 3: case 4: case 0x1B: node_type = 3; res = extract_spackage(package_type, us_buf_addr, us_buf_size, 9, &requestId); break; case 0: case 2: case 5: case 6: case 7: case 0xE: case 0x1A: sceClibPrintf("Warning, package_type %x is unsupported!\n", package_type); default: node_type = 2; res = inspect_spackage(package_type, us_buf_addr, us_buf_size, 9, &requestId); break; } if (res) { sceClibPrintf("xxx_spackage failed. (0x%x)\n", res); goto ERROR; } for (;;) { res = get_status(node_type, requestId, &p1, &p2, &p3, &p4); if (res) { sceClibPrintf("get_status failed. (0x%x)\n", res); goto ERROR; } if (p3 == 5) break; else sceKernelDelayThread(500000); } sceClibPrintf("p1= 0x%x p2 = 0x%x p3 = 0x%x p4 = 0x%x\n", p1, p2, p3, p4); if (p2 == 0) { sceClibPrintf("Starting to write %s\n", outpath); fd = sceIoOpen(outpath, 0x603, 0x186); read_size = get_final_size(us_buf_addr); while ((read_size -= sceIoWrite(fd, get_data_offset(us_buf_addr), read_size)) > 0); sceIoClose(fd); } else { sceClibPrintf("Error decrypting. Writing results to %s\n", errpath); fd = sceIoOpen(errpath, 0x603, 0x186); read_size = get_final_size(us_buf_addr); while ((read_size -= sceIoWrite(fd, get_data_offset(us_buf_addr), read_size)) > 0); sceIoClose(fd); goto ERROR; } res = get_extract_spackage(node_type, requestId, us_buf_addr, maxlen); if (res) { sceClibPrintf("get_extract_spackage failed. (0x%x)\n", res); goto ERROR; } res = sceSblUsReleaseBufferForUser(us_buf_addr); return 1; ERROR: res = sceSblUsReleaseBufferForUser(us_buf_addr); return 0; } void do_decrypt_spackage_dir(const char *path) { int fd; SceIoDirent dir; char input[256]; char output[256]; char errput[256]; if ((fd = sceIoDopen(path)) < 0) { sceClibPrintf("Error opening spackage directory.\n"); return; } while (sceIoDread(fd, &dir) > 0) { sprintf(input, "%s/%s", path, dir.d_name); sprintf(output, "%s/%s.dec", path, dir.d_name); sprintf(errput, "%s/%s.err", path, dir.d_name); sceClibPrintf("Decrypting %s (size 0x%x)\n", input, (unsigned int)dir.d_stat.st_size); if (do_decrypt_spackage_file(input, output, errput, (unsigned int)dir.d_stat.st_size)) sceClibPrintf("Decrypted to %s\n", output); else sceClibPrintf("Failed to decrypt %s\n", dir.d_name); } sceIoDclose(fd); }
Bootloader
The SLSK bootloaders are re-encrypted with per-console keys during the update process. second_loader.enp
and second_loader.enc
are transformed into second_loader.enp_
and second_loader.enp
respectively by cMeP before flashing to eMMC (and the same thing is done to secure_kernel
).
Some useful notes
sceSblUsUpdateSpackageForUser does the bulk of the work decrypting and flashing all the update parts. There appears to be two ways to skip the version checks (but not revokion checks).
First way is to patch the imported function
SceQafMgrForDriver_8C423C18(void);
to return 1. Alternatively, patch KBL Param offset 0x2C+3 and set bit 0x2. This will bypass ALL version checks, including the peripherals which might be dangerous.
Update: do not do this. It does brick as expected.
Second way is to patch
SceVshBridge
export of vshSblAimgrIsCEX
(takes no arguments) to return 0. Alternatively patch ScePsp2Swu
's import of that function.
Update: this does not work because the export is used by other functions and fails earlier checks. This flag is set by psp2swu.self to indicate bypassing of version checks on the bootloader and system partitions. All other components will be updated if at higher version. This is what DevKits do by default. You can also patch the flags directly. In sceSblUsUpdateSpackageForUser
, sceSblUsInspectSpackageForUser
, and sceSblUsExtractSpackageForUser
(in order: flash, dry run, decrypt only) you can patch the flags argument directly and set 0x8
to indicate skipping version check on bootloader and system partitions. The flags argument found in R1 (second argument) as a user memory pointer offset 0x10.
Authority ID for psp2swu.self is either 2800800000000002
or 2800800000000003
.
Minimal FW update version for a PS Vita is checked at two layers at least:
- From Idstorage SMI leaf. Two AES encryption layers and one RSA. Highest minimal FW version is 3.65.
- From UpdateMgr embedded list. Constant and depending on hardware. Highest minimal FW version is 3.50.