KBL Param: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 232: Line 232:


if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag}
if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag}
if((System control flags & 2) != 0){do clear qa flags(SceQafMgrForDriver_382C71E8, SceQafMgrForDriver_52B4E164, sceSblQafMgrIsAllowHost0Access and sceSblQafMgrIsAllowDecryptedBootConfigLoad functions will return false)}


=== DIP Switches bit flags resolving ===
=== DIP Switches bit flags resolving ===

Revision as of 14:45, 16 May 2020

The sysroot buffer is a 0x100 or 0x200 sized buffer passed to the secure kernel bootloader in the scratch space and contains all sorts of flags and system parameters. This buffer is copied to the secure kernel, the non-secure kernel loader, and the non-secure kernel and is used by many functions to check for features that are enabled for the system.

Offset Size Description
0x0 0x2 Version (usually 1)
0x2 0x2 Sysroot size (0x100 or 0x200)
0x4 0x4 Current Firmware Version
0x8 0x4 Factory Firmware Version
0xC 0x14 unk
0x20 0x10 QA flags
0x30 0x10 Boot flags
0x40 0x20 DIP Switches
0x60 0x4 DRAM base paddr (0x40000000)
0x64 0x4 DRAM size (0x20000000 on retail and testkit, 0x40000000 on DevKit)
0x68 0x4 unk
0x6C 0x4 Boot type indicator 1 (0x20000 on resume - no boot logo, 0x1 on boot - boot logo, 0x4 manufacturing mode)
0x70 0x10 OpenPsId
0x80 0x4 secure_kernel.enp raw data paddr (optional)
0x84 0x4 secure_kernel.enp size (optional)
0x88 0x4 context_auth_sm.self raw data paddr
0x8C 0x4 context_auth_sm.self size
0x90 0x4 kprx_auth_sm.self raw data paddr
0x94 0x4 kprx_auth_sm.self size
0x98 0x4 prog_rvk.srvk raw data paddr
0x9C 0x4 prog_rvk.srvk size
0xA0 0x8 PSCode
0xA8 0x8 unk
0xB0 0x10 Session ID
0xC0 0x4 Unknown, comes from syscon cmd 3
0xC4 0x4 Wakeup factor
0xC8 0x4 Unknown, comes from syscon cmd 0x800 (?Device model dependant?) (ex: 0x40, 0x60, 0x64, 0x3D2, 0xC001C0)
0xCC 0x4 Unknown, comes from syscon cmd 0x100 (0x74FFFFFF on coldboot, 0x74FFBFFF on warmboot, 0x36AFFFXX triggers SetProductMode on 0.940)
0xD0 0x4 Saved context paddr, comes from syscon cmd 0x90 offset 0xC
0xD4 0x4 Hardware Info
0xD8 0x4 Boot type indicator 2
0xDC 0xC unk
0xE8 0x10 Hardware flags, comes from syscon cmd 6
0xF8 0x4 BootLoader Revision
0xFC 0x4 Sysroot Magic value (0xCBAC03AA)
0x100 0x20 Encrypted Session Key (FW 2.12+)

QA flags

In the following table bytes are counted from left to right and bits from left to right too.

Byte (0-0xF) - bit (0-8) Description Used in
Byte 0x6 - bit 6 Allow ScreenShot Always, Np Full Test, Limited Debug Menu Display Shell, Settings
Byte 0xC - bit 5 Set to skip version checks in system updates Updater
Byte 0xC - bit 6 Allow All Debug Menu Display Settings
Byte 0xD - bit 7 Allow Kernel Debug, Allow F00D Debug CMeP Secure Kernel, most NS and S kernel modules
Byte 0xD - bit 6 Allow Remote Sysmodule Load, Dictates if you can pass arguments to sceAppMgrLaunchAppByPathForDriver SceAppMgr
Byte 0xF - bit 7 Allow NonQA Pup, Minimum Debug Menu Display Updater, Settings

To check: Byte 0xF bit 7, byte 0xE bit 7, byte 0xE bit 6, byte 0xB bit 3: Revocation related.

The data below contains QA Flags captured (at 0x20 in sysroot buffer) from a System Debugger unit (SD DEM):

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020  33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01  3.......s.......

Boot flags

Bit Description
47 use internal storage
  • at 0x30: 0xFF - not update mode
  • at 0x33: 0xFF - not safe mode
  • at 0x35: FF on FAT - no internal storage or on PSTV or SLIM - internal storage enabled, FE on PSTV or SLIM - internal storage disabled

Hardware Info

Data returned by Ernie.

  • 00 60 41 00: PDEL-1XXX
  • 00 60 40 00: PCH-10XX / PTEL-1XXX
  • 02 60 40 00: PCH-11XX
  • 38 22 82 00: PCH-2XXX model revision 0x18
  • 30 30 70 00: VTE-XXXX

Bytes meaning

First byte

  • 00 -> FAT WIFI
  • 02 -> FAT 3G. This is what SceBbmc checks.
  • 30 -> PSTV model revision 0x18
  • 38 -> SLIM

Bit flags

Bit Description
2 PSTV Slim
3 PSTV Slim
4 Slim
6 3G Modem
9 Fat
10 always set
11 PSTV
16 Slim
17 PSTV Fat
18 PSTV
19 PSTV
22 Slim
23 ?Communication Processor?

Boot type indicator 2

Experimental point of view

- No AC connected + No POWER Button pressed: 0x0
ex: rebooting by software PSVita when AC is not connected

- No AC connected + POWER Button pressed: 0x4
ex: booting PSVita by pressing POWER button when AC is not connected

- AC connected + No POWER Button pressed: 0x8
ex: rebooting by software PSVita when AC is connected
ex: autobooting PSTV/IDU PSVita by pluging AC

- AC connected + POWER Button pressed: 0xC
ex: powering off by software PSTV then booting it by pressing POWER button
ex: booting PSVita by pressing POWER button when AC is connected

Bit flags point of view

Bit Description
0 AC: connected: 1 - disconnected: 0 (note that PSTV always has AC connected)
1 POWER button: pressed: 1 - not pressed: 0

Wakeup factor

  • 14 FF 00 00
  • 04 FF 00 00 after normal reboot
  • 04 00 00 00
  • 00 FF 00 00
  • 80 after suspend

DIP Switches

DIP switches area embeds two parts: Communication Processor information as 32-bit integers, followed by DIP switches represented by bitflags.

Offset Size Description
0x40 0x4 CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35)
0x44 0x2 CP Version (ex:0x1301 => 1301 on PDEL-100x)
0x46 0x2 CP Board ID (3 on DEM-300xH, 4 on PDEL-100x)
0x48 0x4 CP Timestamp 2 (identical as 1)
0x4C 0x4 ASLR Seed (?USER flags?) (also set on Retail and TestKit) (ex: 0x00000000 on a DEM-300xH)
0x50 0x4 SDK (SCE) flags (ex: 0x80000000 or 0x80000001 or 0x80000003 or 0x81000000 or 0x81000001 OR 0x0 or 0x2 in release mode)
0x54 0x4 SHELL flags (ex: 0x00000000 on a DEM-300xH)
0x58 0x4 Debug control flags (ex: 0x000413e7 on a DEM-300xH, 0x1453E7 dev mode, 0x080002 release mode)
0x5C 0x4 System control flags (ex: 0x2000001c on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode)

if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag}

if((System control flags & 2) != 0){do clear qa flags(SceQafMgrForDriver_382C71E8, SceQafMgrForDriver_52B4E164, sceSblQafMgrIsAllowHost0Access and sceSblQafMgrIsAllowDecryptedBootConfigLoad functions will return false)}

DIP Switches bit flags resolving

DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.

To convert the bit number to the offset and bit: offset = 0x40 + (bit_num / 32) * 4, bit = 1 << (bit_num % 32).

CP Information

Bits 0-31 is a 32-bit integer of the current time on the CP clock. This is duplicated in bits 64-95.

Bits 32-47 is a 16-bit integer of the CP version and bits 48-63 is a 16-bit integer of the CP board ID. All integers are little-endian. On non-devkits, these fields are zeroes.

Bits 0-63 are also usable as general purpose switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw but they do not change anything in hardware (only cached values are overwritten). According to SDK only DIP switches 0-63 are accessible from userland.

User flags

Bits 96-127 does not seem to be used in the kernel.

SDK (SCE) flags

Bits 128-159 are used for DevKit Boot Parameters.

Bit Description
128 Memory Size. (Extended game memory): On: 1 - Off: 0
129 ?Release Mode Console?: On: 1 - Off: 0
152 PS TV Emulation: On: 1 - Off: 0
159 Release Check Mode: Development Mode: 1 - Release Mode: 0

Shell flags

Bits 160-191 are used for SceShell flags.

Bit Description
168 Memory Size: Console Size: 1 - Development Tool Size: 0
184 Enable extra TTY: On: 1 - Off: 0. (tty7:)
185 Enable System Boot Time Notifications: On: 1 - Off: 0
187 Allow processes to run on all cores (CPU affinity): On: 1 - Off: 0

Debug control flags

Bits 192-223 are for various debug options.

Bit Description
192 ?
193 Enable SDbgSdio
194 Enable CP (if disabled it disables Cpup, DbgSdio and UsbDbg)
195 Disable USB Debug. nouse_dbgusb (if enabled, SceUsbDbg doesn't init)
196 Enable kernel UART console logging (if enabled, UART is initialized and SceDebug handlers are set to UART functions).
197 Enable kernel console logging: On: 1 - Off: 0
199 Enable TTY stdio ("tty0:"): On: 1 - Off: 0
200 Stop when an assertion fails: On: 1 - Off: 0
201 Set minimum assertion level to 1: On: 1 - Off: 0
202 Set minimum assertion level to 2: On: 1 - Off: 0
210 Allow Kernel Budget (related to memblock types)
211 Enable usermode UART console logging?
212 ?
216 Used on FW 0.990 by functions SceThreadmgrForKernel_CA84C603 and SceThreadmgrForKernel_05F5306C

System control flags

Bits 224-255 are used for various system options.

Bit Description
224 Allows loading sd0:psp2-config.txt
228 Allows getting and setting Process and Thread HBP and HWP. sceKernelGetPHWPForKernel, sceKernelSetPHWPForKernel, sceKernelGetPHBPForKernel, sceKernelSetPHBPForKernel, sceKernelGetTHBPForDriver, sceKernelSetTHBPForDriver.
229 HDCP related?
236 GPU overclock. When enabled, GPU and GPU Xbar are overclocked from 111MHz to 166MHz.
238 Underclock. When enabled, something is underclocked from 222MHz to 111MHz.
239 Underclock/overclock related.
250 Enable "tty0:"
251 Enable "dummytty0:"
252 ? Used in SceSblFwLoader.

Hardware flags

Bit Description
1 IC Connexant: 1 - yes, 2 - no
5 unk
6 unk
7 unk
14 unk
  • all zeroes on most cases
  • 47 02, 07 00 on a Slim

Types

typedef struct SceBootArgs {
  uint16_t version;
  uint16_t size;
  uint32_t current_fw_version;
  uint32_t factory_fw_version;
  uint8_t unk_C[0x14];
  uint8_t qa_flags[0x10];
  uint8_t boot_flags[0x10];
  uint32_t devkit_cp_timestamp_1;
  uint16_t devkit_cp_version;
  uint16_t devkit_cp_build_id;
  uint32_t devkit_cp_timestamp_2;
  uint32_t aslr_seed;
  uint32_t devkit_boot_parameters;
  uint32_t unk_54;
  uint32_t devkit_unk_flags;
  uint32_t devkit_flags_3;
  uint32_t dram_base;
  uint32_t dram_size;
  uint32_t unk_68;
  uint32_t boot_type_indicator_1;
  uint8_t openpsid[0x10];
  uint32_t secure_kernel_enp_addr;
  uint32_t secure_kernel_enp_size;
  uint32_t context_auth_sm_self_addr;
  uint32_t context_auth_sm_self_size;
  uint32_t kprx_auth_sm_self_addr;
  uint32_t kprx_auth_sm_self_size;
  uint32_t prog_rvk_srvk_addr;
  uint32_t prog_rvk_srvk_size;
  uint8_t pscode[0x8];
  uint8_t unk_A8[0x8];
  uint8_t session_id[0x10];
  uint32_t unk_C0;
  uint32_t wakeup_factor;
  uint32_t unk_C8;
  uint32_t unk_CC;
  uint32_t resume_context_addr;
  uint32_t hardware_info;
  uint32_t boot_type_indicator_2;
  uint8_t unk_DC[0xC];
  uint8_t hardware_flags[0x10];
  uint32_t bootldr_revision;
  uint32_t magic;
  uint8_t session_key[0x20];
  uint8_t unused[0xE0];
} __attribute__((packed)) SceBootArgs;