Module
Known NIDs
Version | Name | World | Privilege | NID
1.69 | SceSblGcAuthMgr | Non-secure | Kernel | 0x4B777EBC
3.60 | SceSblGcAuthMgr | ? | Kernel | 0xDB1A9016
Libraries
Known NIDs
Data segment layout
Address | Size | Description
0x0000 | 0x4BC4 | unknown
0x4BC4 | 0x30 | temp buffer for storing parts of cmd56 packets
0x4BF4 | 0x200 | cmd56 request buffer
0x4DF4 | 0x04 | packet6 gc parameter
0x4DF8 | 0x200 | temp buffer for initializing cmd56 req packets
0x4FF8 | 0x20 | temp buffer for storing parts of cmd56 packets
0x5018 | 0x34 | one of kirk responses
0x504C | 0x200 | cmd56 response buffer 1
0x524C | 0x200 | cmd56 response buffer 2
0x544C | 0x20 | one of kirk responses
0x546C | 0x898 | unknown
SceSblGcAuthMgrDrmBBForDriver
command 0x1000B 0x11
Version | NID
3.60 | 0x4cea150c
Original PSP Kirk 0x11 service for 160bit ECC signature verification.
command 0x1000B 0x18
Version | NID
3.60 | 0x4b506be7
Almost certainly a 224bit version of 0x11
command 0x1000B 0x21
Version | NID
3.60 | 0x30a0b441
command 0x1000B 0x22
Version | NID
3.60 | 0x050dc6df
command 0x1000B 0x4
Version | NID
3.60 | 0x500f5157
Original PSP Kirk 4 service for encrypting data
command 0x1000B 0x4
Version | NID
3.60 | 0x6ef3c9db
Original PSP Kirk 4 service for encrypting data
command 0x1000B 0x4
Version | NID
3.60 | 0x7f98e4e2
Original PSP Kirk 4 service for encrypting data
command 0x1000B 0x4
Version | NID
3.60 | 0xe950be32
Original PSP Kirk 4 service for encrypting data
command 0x1000B 0x7
Version | NID
3.60 | 0x3c25f9fa
Original PSP Kirk 7 service for decrypting data
command 0x1000B 0x7
Version | NID
3.60 | 0xb13577e2
Original PSP Kirk 7 service for decrypting data
command 0x1000B 0x7
Version | NID
3.60 | 0xc0f37f18
Original PSP Kirk 7 service for decrypting data
command 0x1000B 0x4 0x7
Version | NID
3.60 | 0x4fe89adb
Original PSP Kirk Enc and Dec
int unk_4fe89adb(int unk0, int unk1, int unk2, int unk3, int arg_0);
clear_context
Version | NID
3.60 | 0x48d7784e
typedef struct ctx_48d7784e //size is 0x28
{
    uint32_t unk_0;
    char unk_4[0x10];
    char unk_14[0x10];
    uint32_t unk_24;
} ctx_48d7784e;
int clear_context(ctx_48d7784e *ctx, int idx);
clear_context
Version | NID
3.60 | 0x6e6d2b89
typedef struct ctx_6e6d2b89 //size is 0x18
{
    uint32_t unk_0;
    uint32_t unk_4;
    char unk_8[0x10];
} ctx_6e6d2b89;
int clear_context(ctx_6e6d2b89 *ctx);
enc_dec
Version | NID
3.60 | 0x4c5de1aa
includes both aes and psp kirk 1000B 4 and 7
int enc_dec(void* data, void* dec_rif_key, int unk2, void* unk3);
error
Version | NID
3.60 | 0x535b87bc
returns error 0x808A040A
get_5018_data
Version | NID
3.60 | 0xBB70DDC0
This function copies first 0x20 bytes of the buffer of size 0x34 to destination.
Buffer is obtained with KIRK command 0x20
int get_5018_data(char* dest);
memcmp_5018_fast
Version | NID
3.60 | 0x22FD5D23
This function verifies that the last 0x14 bytes of the last response of size 0x34 from the game card (cmd56) are valid.
For example, it is called from sceAppMgrGameDataMount.
int memcmp_5018_fast(char* in_data);
This is a timing safe memcmp. Xyz (talk) 10:02, 1 May 2017 (UTC)
clear_sensitive_data
Version | NID
3.60 | 0x812B2B5C
Clears some sensitive data.
Called after verify_checksum
int clear_sensitive_data(int unk, int* value);
clear_sensitive_data
Version | NID
3.60 | 0xBB451E83
Clears sensitive data that is left after cmd56 custom initialization.
This includes data generated by Kirk services 0x1C, 0x1F, 0x20 and packet6.
Buffer offsets are 0x4BC4, 0x4FF8, 0x5018, 0x544C.
Called after initialize_sd_device
int clear_sensitive_data();
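The two defensive patterns described for memcmp_5018_fast (a timing-safe compare of the last 0x14 bytes of the 0x34-byte response) and for clear_sensitive_data (wiping the buffer afterwards) are sketched below as an added example; it is not the module's code. The names g_resp, load_resp, check_resp_tail and wipe_resp are hypothetical, and the 0-on-match return convention is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RESP_SIZE 0x34 /* buffer at data offset 0x5018 */
#define HEAD_SIZE 0x20 /* part copied out by get_5018_data */
#define TAIL_SIZE 0x14 /* part checked by memcmp_5018_fast */

/* Constructed stand-in for the module's response buffer. */
static uint8_t g_resp[RESP_SIZE];

/* Hypothetical setter so the example can be exercised. */
void load_resp(const uint8_t *src) { memcpy(g_resp, src, RESP_SIZE); }

/* No early exit: every byte is read, so the run time does not
 * reveal the position of the first mismatch. */
static int ct_differs(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff != 0;
}

/* Assumed convention: 0 when in_data equals the last 0x14 bytes. */
int check_resp_tail(const uint8_t *in_data)
{
    return ct_differs(g_resp + HEAD_SIZE, in_data, TAIL_SIZE);
}

/* Volatile stores keep the compiler from removing the wipe as dead. */
void wipe_resp(void)
{
    volatile uint8_t *p = g_resp;
    for (size_t i = 0; i < RESP_SIZE; i++)
        p[i] = 0;
}

int main(void)
{
    uint8_t sample[RESP_SIZE]; /* constructed sample response */
    for (size_t i = 0; i < RESP_SIZE; i++)
        sample[i] = (uint8_t)i;
    load_resp(sample);
    int differs = check_resp_tail(sample + HEAD_SIZE);
    wipe_resp();
    return differs; /* 0: tail matched before the wipe */
}
```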
SceSblGcAuthMgrPcactForDriver
SceSblGcAuthMgrMlnpsnlForDriver
SceSblGcAuthMgrAdhocBBForDriver
SceSblGcAuthMgrPkgForDriver
SceSblGcAuthMgrSclkForDriver
SceSblGcAuthMgrGcAuthForDriver
cmd56_handshake
Version | NID
3.60 | 0x68781760
This is a wrapper function that starts initialization subroutine through run_execlusive
int cmd56_handshake(int sd_ctx_index);
SceSblGcAuthMgr
_sceSblGcAuthMgrPcactActivation
Version | NID
1.69 | 0x32E7CEA
_sceSblGcAuthMgrGetMediaIdType01
Version | NID
1.69 | 0xAC64154
_sceSblGcAuthMgrAdhocBB224Auth1
Version | NID
1.69 | 0x307FD67C
_sceSblGcAuthMgrPkgVry
Version | NID
1.69 | 0x3E168BC4
_sceSblGcAuthMgrAdhocBB224Auth5
Version | NID
1.69 | 0x459F5503
_sceSblGcAuthMgrAdhocBB224Init
Version | NID
1.69 | 0x5AB126A7
_sceSblGcAuthMgrAdhocBB224Auth4
Version | NID
1.69 | 0x5CCC216C
_sceSblGcAuthMgrAdhocBB224Auth2
Version | NID
1.69 | 0x788C0517
_sceSblGcAuthMgrSclkSetData2
Version | NID
1.69 | 0x837D0FB6
_sceSblGcAuthMgrSclkGetData1
Version | NID
1.69 | 0x8A3AF1E8
_sceSblGcAuthMgrAdhocBB224Shutdown
Version | NID
1.69 | 0x8ECEACF9
_sceSblGcAuthMgrPcactGetChallenge
Version | NID
1.69 | 0x98153286
_sceSblGcAuthMgrAdhocBB224GetKeys
Version | NID
1.69 | 0xC236FB28
_sceSblGcAuthMgrAdhocBB224Auth3
Version | NID
1.69 | 0xD3F95259
SceSblGcAuthMgrPsmactForDriver
get_act_data
Version | NID
3.60 | 0x39222A58
executes kirk command 1000B 19
//data is of size 0x80
int get_act_data(void* data);
SceSblGcAuthMgrMsSaveBBForDriver
gcauth_sm "KIRK" calls to F00D
The use of os0:sm/gcauthmgr_sm.self is to support the next generation of KIRK. It uses a similar input structure to the original KIRK on the PSP.
PSP support
4, 7, 0xC, 0xD, 0xE, 0x10, 0x11, 0x12 are the classic PSP KIRK Services supported by gcauth_sm.
New PSVita Codes
0x14-0x19, 0x1b-0x23 are the new KIRK Services supported by gcauth_sm.
0x14 is the 224-bit ECDSA keypair generation service. Its only input is an empty buffer of size 3*0x1C; it returns 3 values: private key, public X point, public Y point. Each value is 0x1C bytes long.
0x16 is a random 224-bit generator. It returns 0x1C bytes of random data into the buffer.
0x17-0x19 are the 224-bit ECDSA versions of the PSP's 160-bit 0x10-0x12.