KBL Param: Difference between revisions
| Line 232: | Line 232: | ||
if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag} | if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag} | ||
if((System control flags & 2) != 0){do clear qa flags(SceQafMgrForDriver_382C71E8, SceQafMgrForDriver_52B4E164, sceSblQafMgrIsAllowHost0Access and sceSblQafMgrIsAllowDecryptedBootConfigLoad functions will return false)} | |||
=== DIP Switches bit flags resolving === | === DIP Switches bit flags resolving === | ||
Revision as of 14:45, 16 May 2020
The sysroot buffer is a 0x100 or 0x200 sized buffer passed to the secure kernel bootloader in the scratch space and contains all sorts of flags and system parameters. This buffer is copied to the secure kernel, the non-secure kernel loader, and the non-secure kernel and is used by many functions to check for features that are enabled for the system.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x2 | Version (usually 1) |
| 0x2 | 0x2 | Sysroot size (0x100 or 0x200) |
| 0x4 | 0x4 | Current Firmware Version |
| 0x8 | 0x4 | Factory Firmware Version |
| 0xC | 0x14 | unk |
| 0x20 | 0x10 | QA flags |
| 0x30 | 0x10 | Boot flags |
| 0x40 | 0x20 | DIP Switches |
| 0x60 | 0x4 | DRAM base paddr (0x40000000) |
| 0x64 | 0x4 | DRAM size (0x20000000 on retail and testkit, 0x40000000 on DevKit) |
| 0x68 | 0x4 | unk |
| 0x6C | 0x4 | Boot type indicator 1 (0x20000 on resume - no boot logo, 0x1 on boot - boot logo, 0x4 manufacturing mode) |
| 0x70 | 0x10 | OpenPsId |
| 0x80 | 0x4 | secure_kernel.enp raw data paddr (optional)
|
| 0x84 | 0x4 | secure_kernel.enp size (optional)
|
| 0x88 | 0x4 | context_auth_sm.self raw data paddr
|
| 0x8C | 0x4 | context_auth_sm.self size
|
| 0x90 | 0x4 | kprx_auth_sm.self raw data paddr
|
| 0x94 | 0x4 | kprx_auth_sm.self size
|
| 0x98 | 0x4 | prog_rvk.srvk raw data paddr
|
| 0x9C | 0x4 | prog_rvk.srvk size
|
| 0xA0 | 0x8 | PSCode |
| 0xA8 | 0x8 | unk |
| 0xB0 | 0x10 | Session ID |
| 0xC0 | 0x4 | Unknown, comes from syscon cmd 3 |
| 0xC4 | 0x4 | Wakeup factor |
| 0xC8 | 0x4 | Unknown, comes from syscon cmd 0x800 (?Device model dependant?) (ex: 0x40, 0x60, 0x64, 0x3D2, 0xC001C0) |
| 0xCC | 0x4 | Unknown, comes from syscon cmd 0x100 (0x74FFFFFF on coldboot, 0x74FFBFFF on warmboot, 0x36AFFFXX triggers SetProductMode on 0.940) |
| 0xD0 | 0x4 | Saved context paddr, comes from syscon cmd 0x90 offset 0xC |
| 0xD4 | 0x4 | Hardware Info |
| 0xD8 | 0x4 | Boot type indicator 2 |
| 0xDC | 0xC | unk |
| 0xE8 | 0x10 | Hardware flags, comes from syscon cmd 6 |
| 0xF8 | 0x4 | BootLoader Revision |
| 0xFC | 0x4 | Sysroot Magic value (0xCBAC03AA) |
| 0x100 | 0x20 | Encrypted Session Key (FW 2.12+) |
QA flags
In the following table bytes are counted from left to right and bits from left to right too.
| Byte (0-0xF) - bit (0-8) | Description | Used in |
|---|---|---|
| Byte 0x6 - bit 6 | Allow ScreenShot Always, Np Full Test, Limited Debug Menu Display | Shell, Settings |
| Byte 0xC - bit 5 | Set to skip version checks in system updates | Updater |
| Byte 0xC - bit 6 | Allow All Debug Menu Display | Settings |
| Byte 0xD - bit 7 | Allow Kernel Debug, Allow F00D Debug | CMeP Secure Kernel, most NS and S kernel modules |
| Byte 0xD - bit 6 | Allow Remote Sysmodule Load, Dictates if you can pass arguments to sceAppMgrLaunchAppByPathForDriver | SceAppMgr |
| Byte 0xF - bit 7 | Allow NonQA Pup, Minimum Debug Menu Display | Updater, Settings |
To check: Byte 0xF bit 7, byte 0xE bit 7, byte 0xE bit 6, byte 0xB bit 3: Revocation related.
The data below contains QA Flags captured (at 0x20 in sysroot buffer) from a System Debugger unit (SD DEM):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000020 33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01 3.......s.......
Boot flags
| Bit | Description |
|---|---|
| 47 | use internal storage |
- at 0x30: 0xFF - not update mode
- at 0x33: 0xFF - not safe mode
- at 0x35: FF on FAT - no internal storage or on PSTV or SLIM - internal storage enabled, FE on PSTV or SLIM - internal storage disabled
Hardware Info
Data returned by Ernie.
- 00 60 41 00: PDEL-1XXX
- 00 60 40 00: PCH-10XX / PTEL-1XXX
- 02 60 40 00: PCH-11XX
- 38 22 82 00: PCH-2XXX model revision 0x18
- 30 30 70 00: VTE-XXXX
Bytes meaning
First byte
- 00 -> FAT WIFI
- 02 -> FAT 3G. This is what SceBbmc checks.
- 30 -> PSTV model revision 0x18
- 38 -> SLIM
Bit flags
| Bit | Description |
|---|---|
| 2 | PSTV Slim |
| 3 | PSTV Slim |
| 4 | Slim |
| 6 | 3G Modem |
| 9 | Fat |
| 10 | always set |
| 11 | PSTV |
| 16 | Slim |
| 17 | PSTV Fat |
| 18 | PSTV |
| 19 | PSTV |
| 22 | Slim |
| 23 | ?Communication Processor? |
Boot type indicator 2
Experimental point of view
- No AC connected + No POWER Button pressed: 0x0
ex: rebooting by software PSVita when AC is not connected
- No AC connected + POWER Button pressed: 0x4
ex: booting PSVita by pressing POWER button when AC is not connected
- AC connected + No POWER Button pressed: 0x8
ex: rebooting by software PSVita when AC is connected
ex: autobooting PSTV/IDU PSVita by pluging AC
- AC connected + POWER Button pressed: 0xC
ex: powering off by software PSTV then booting it by pressing POWER button
ex: booting PSVita by pressing POWER button when AC is connected
Bit flags point of view
| Bit | Description |
|---|---|
| 0 | AC: connected: 1 - disconnected: 0 (note that PSTV always has AC connected) |
| 1 | POWER button: pressed: 1 - not pressed: 0 |
Wakeup factor
- 14 FF 00 00
- 04 FF 00 00 after normal reboot
- 04 00 00 00
- 00 FF 00 00
- 80 after suspend
DIP Switches
DIP switches area embeds two parts: Communication Processor information as 32-bit integers, followed by DIP switches represented by bitflags.
| Offset | Size | Description |
|---|---|---|
| 0x40 | 0x4 | CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35) |
| 0x44 | 0x2 | CP Version (ex:0x1301 => 1301 on PDEL-100x) |
| 0x46 | 0x2 | CP Board ID (3 on DEM-300xH, 4 on PDEL-100x) |
| 0x48 | 0x4 | CP Timestamp 2 (identical as 1) |
| 0x4C | 0x4 | ASLR Seed (?USER flags?) (also set on Retail and TestKit) (ex: 0x00000000 on a DEM-300xH) |
| 0x50 | 0x4 | SDK (SCE) flags (ex: 0x80000000 or 0x80000001 or 0x80000003 or 0x81000000 or 0x81000001 OR 0x0 or 0x2 in release mode) |
| 0x54 | 0x4 | SHELL flags (ex: 0x00000000 on a DEM-300xH) |
| 0x58 | 0x4 | Debug control flags (ex: 0x000413e7 on a DEM-300xH, 0x1453E7 dev mode, 0x080002 release mode) |
| 0x5C | 0x4 | System control flags (ex: 0x2000001c on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode) |
if((System control flags & 1) != 0){not allow load QA flag}else{allow load QA flag}
if((System control flags & 2) != 0){do clear qa flags(SceQafMgrForDriver_382C71E8, SceQafMgrForDriver_52B4E164, sceSblQafMgrIsAllowHost0Access and sceSblQafMgrIsAllowDecryptedBootConfigLoad functions will return false)}
DIP Switches bit flags resolving
DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.
To convert the bit number to the offset and bit: offset = 0x40 + (bit_num / 32) * 4, bit = 1 << (bit_num % 32).
CP Information
Bits 0-31 is a 32-bit integer of the current time on the CP clock. This is duplicated in bits 64-95.
Bits 32-47 is a 16-bit integer of the CP version and bits 48-63 is a 16-bit integer of the CP board ID. All integers are little-endian. On non-devkits, these fields are zeroes.
Bits 0-63 are also usable as general purpose switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw but they do not change anything in hardware (only cached values are overwritten). According to SDK only DIP switches 0-63 are accessible from userland.
User flags
Bits 96-127 does not seem to be used in the kernel.
SDK (SCE) flags
Bits 128-159 are used for DevKit Boot Parameters.
| Bit | Description |
|---|---|
| 128 | Memory Size. (Extended game memory): On: 1 - Off: 0 |
| 129 | ?Release Mode Console?: On: 1 - Off: 0 |
| 152 | PS TV Emulation: On: 1 - Off: 0 |
| 159 | Release Check Mode: Development Mode: 1 - Release Mode: 0 |
Shell flags
Bits 160-191 are used for SceShell flags.
| Bit | Description |
|---|---|
| 168 | Memory Size: Console Size: 1 - Development Tool Size: 0 |
| 184 | Enable extra TTY: On: 1 - Off: 0. (tty7:) |
| 185 | Enable System Boot Time Notifications: On: 1 - Off: 0 |
| 187 | Allow processes to run on all cores (CPU affinity): On: 1 - Off: 0 |
Debug control flags
Bits 192-223 are for various debug options.
| Bit | Description |
|---|---|
| 192 | ? |
| 193 | Enable SDbgSdio |
| 194 | Enable CP (if disabled it disables Cpup, DbgSdio and UsbDbg) |
| 195 | Disable USB Debug. nouse_dbgusb (if enabled, SceUsbDbg doesn't init) |
| 196 | Enable kernel UART console logging (if enabled, UART is initialized and SceDebug handlers are set to UART functions). |
| 197 | Enable kernel console logging: On: 1 - Off: 0 |
| 199 | Enable TTY stdio ("tty0:"): On: 1 - Off: 0 |
| 200 | Stop when an assertion fails: On: 1 - Off: 0 |
| 201 | Set minimum assertion level to 1: On: 1 - Off: 0 |
| 202 | Set minimum assertion level to 2: On: 1 - Off: 0 |
| 210 | Allow Kernel Budget (related to memblock types) |
| 211 | Enable usermode UART console logging? |
| 212 | ? |
| 216 | Used on FW 0.990 by functions SceThreadmgrForKernel_CA84C603 and SceThreadmgrForKernel_05F5306C |
System control flags
Bits 224-255 are used for various system options.
| Bit | Description |
|---|---|
| 224 | Allows loading sd0:psp2-config.txt |
| 228 | Allows getting and setting Process and Thread HBP and HWP. sceKernelGetPHWPForKernel, sceKernelSetPHWPForKernel, sceKernelGetPHBPForKernel, sceKernelSetPHBPForKernel, sceKernelGetTHBPForDriver, sceKernelSetTHBPForDriver. |
| 229 | HDCP related? |
| 236 | GPU overclock. When enabled, GPU and GPU Xbar are overclocked from 111MHz to 166MHz. |
| 238 | Underclock. When enabled, something is underclocked from 222MHz to 111MHz. |
| 239 | Underclock/overclock related. |
| 250 | Enable "tty0:" |
| 251 | Enable "dummytty0:" |
| 252 | ? Used in SceSblFwLoader. |
Hardware flags
| Bit | Description |
|---|---|
| 1 | IC Connexant: 1 - yes, 2 - no |
| 5 | unk |
| 6 | unk |
| 7 | unk |
| 14 | unk |
- all zeroes on most cases
- 47 02, 07 00 on a Slim
Types
typedef struct SceBootArgs {
uint16_t version;
uint16_t size;
uint32_t current_fw_version;
uint32_t factory_fw_version;
uint8_t unk_C[0x14];
uint8_t qa_flags[0x10];
uint8_t boot_flags[0x10];
uint32_t devkit_cp_timestamp_1;
uint16_t devkit_cp_version;
uint16_t devkit_cp_build_id;
uint32_t devkit_cp_timestamp_2;
uint32_t aslr_seed;
uint32_t devkit_boot_parameters;
uint32_t unk_54;
uint32_t devkit_unk_flags;
uint32_t devkit_flags_3;
uint32_t dram_base;
uint32_t dram_size;
uint32_t unk_68;
uint32_t boot_type_indicator_1;
uint8_t openpsid[0x10];
uint32_t secure_kernel_enp_addr;
uint32_t secure_kernel_enp_size;
uint32_t context_auth_sm_self_addr;
uint32_t context_auth_sm_self_size;
uint32_t kprx_auth_sm_self_addr;
uint32_t kprx_auth_sm_self_size;
uint32_t prog_rvk_srvk_addr;
uint32_t prog_rvk_srvk_size;
uint8_t pscode[0x8];
uint8_t unk_A8[0x8];
uint8_t session_id[0x10];
uint32_t unk_C0;
uint32_t wakeup_factor;
uint32_t unk_C8;
uint32_t unk_CC;
uint32_t resume_context_addr;
uint32_t hardware_info;
uint32_t boot_type_indicator_2;
uint8_t unk_DC[0xC];
uint8_t hardware_flags[0x10];
uint32_t bootldr_revision;
uint32_t magic;
uint8_t session_key[0x20];
uint8_t unused[0xE0];
} __attribute__((packed)) SceBootArgs;