Cmep: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
 
No edit summary
Line 9: Line 9:
=== Read ===
=== Read ===
To read, get a double word from <code>0xE0000000</code>. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into <code>0xE0000000</code>.
To read, get a double word from <code>0xE0000000</code>. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into <code>0xE0000000</code>.
=== Extra ports ===
In addition to the 0xE0000000 and 0xE0000010, the communication with F00D seems to happen with other ports too.
{| class='wikitable'
|-
! Port
! Read
! Write
|-
| 0xE0000004
| YES
| ?
|-
| 0xE0000008
| YES
| ?
|-
| 0xE000000C
| YES
| ?
|-
| 0xE0000014
| YES
| YES
|-
| 0xE0000018
| YES
| YES
|-
| 0xE000001C
| YES
| YES
|-
| 0xE0000054
| ?
| YES
|-
| 0xE0000058
| ?
| YES
|-
| 0xE000005C
| ?
| YES
|-
|}


== Protocol ==
== Protocol ==

Revision as of 04:08, 26 December 2016

This processor is hypothesized to perform most of the cryptography tasks including storing and handing of keys. There is little information about it though. The F00D Processor (named after the e_machine field of the ELF headers) is likely a custom Toshiba MeP core.

Communication

Communication seems to go through some sort of FIFO register.

Write

To write, put the double word into 0xE0000010. Next read 0xE0000010 until it returns 0, which indicates the data was read by the F00D processor.

Read

To read, get a double word from 0xE0000000. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into 0xE0000000.

Extra ports

In addition to the 0xE0000000 and 0xE0000010, the communication with F00D seems to happen with other ports too.

Port Read Write
0xE0000004 YES ?
0xE0000008 YES ?
0xE000000C YES ?
0xE0000014 YES YES
0xE0000018 YES YES
0xE000001C YES YES
0xE0000054 ? YES
0xE0000058 ? YES
0xE000005C ? YES


Protocol

A 32-bit command buffer is defined below. The command is sent to the F00D processor with the method listed above.

Bit End Bit Start Name Description
31 23 ? ?
22 22 ? ?
21 21 ? ?
20 18 flag? ?
17 13 ? Always 0
12 8 ID Command ID
7 1 ? Always 0
0 0 Valid Set 1 to indicate command is valid

Command ID

Below are notes on different commands.

0x0

Seems to be used to set the 0x100 sized shared buffer. First the physical address of the buffer is written to 0xE0000010 and then command 0x0 is written.

0x1

May be used to reset F00D processor.

0x9

Seems to be used to set a 0x80 sized shared buffer.

0xA

Seems to set the SCE encrypted revocation list.

Memory

kprx_auth_sm.self is allowed access to 0x1F000000, 0x1F840000, 0x20000000, and 0x40300000. The address checks is likely done in software. F00D has it's own private 128KB memory from 0x00800000 to 0x00820000. F00D SELFs are typically loaded to 0x0080B000.