Syscon Update: Difference between revisions
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) (→0x10) |
||
Line 151: | Line 151: | ||
| 0x4 || 0x4 || Segment Number. Must be between 0 and 0x17F. | | 0x4 || 0x4 || Segment Number. Must be between 0 and 0x17F. | ||
|- | |- | ||
| 0x8 || 0x4 || Size (ex: 0x400 for Renesas RL78, 0x800 for | | 0x8 || 0x4 || Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) | ||
|- | |- | ||
| 0xC || 0x4 || Padding | | 0xC || 0x4 || Padding |
Revision as of 02:26, 24 August 2021
Structure
Ernie updates are stored in a packet format.
Packet Header
Any update packet has a common header structure.
Offset | Size | Description |
---|---|---|
0x0 | 0x1 | Type (ex: 1, 2, 0x10, 0x20) |
0x1 | 0x1 | Header Size (ex: 0x10, 0x18) |
0x2 | 0x2 | Size (ex: 0, 0x400, 0x800) |
Packet size varies depending on the hardware revision of Syscon:
Renesas 78K0R/Kx3: 0x800 Renesas 78K0R/Kx3-L: 0x400 Renesas RL78/G13: 0x400
Packet Types
0x01
Version packet.
This packet is update header field.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Firmware Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
0x8 | 0x4 | Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) |
0xC | 0x4 | Padding |
Ernie Version and Hardware Info from a few PUPs:
1.80 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 1.81 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 3.15 CEX 11 05 03 01 38 50 80 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 3.30 CEX 11 05 03 01 38 50 80 00 01 03 04 01 30 30 72 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 1.69 TOOL 06 03 00 01 00 40 41 00 06 03 00 01 00 50 41 00 03 02 09 00 00 50 31 00 06 03 00 01 00 10 41 00 06 03 00 01 00 52 41 00 06 03 00 01 03 26 10 00 06 03 00 01 00 52 31 00 1.80 TOOL 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 41 00 0B 06 00 01 00 52 41 00 06 03 00 01 03 26 10 00
0x02
Key revision packet.
This packet embeds the encryption key revision used to decrypt the Syscon update packets.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Image Size (ex: 0) |
0x8 | 0x4 | Firmware Type (ex: 0, 1, 2) |
0xC | 0x4 | Padding |
- Firmware Type 0 is for Renesas 78K0R Proto. It is supported since at least FW 0.931 (FW 0.902 doesn't support it) until FW 1.692. It is for Fat PSVita prototype.
- Firmware Type 1 is for Renesas 78K0R. It is supported since about FW 1.00. It is for most Fat PSVitas and for PSTV.
- Firmware Type 2 is for Renesas RL78. It is supported since FW 2.50. It is for PSVita Slim Syscon.
0x03
This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185.
It is not present on FW 0.931.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x18 | Unknown data |
0x1C | 0x4 | Padding |
0x10
Encrypted segment packet.
Segments are concatenated before being AES128CBC encrypted/decrypted.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x4 | Segment Number. Must be between 0 and 0x17F. |
0x8 | 0x4 | Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) |
0xC | 0x4 | Padding |
0x10 | Variable | Encrypted data |
0x20
Hash packet.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Packet Header |
0x4 | 0x14 | Hash. Sha-1 hash of decrypted concatenated segments. |
Ernie Update steps
- ARM PSVita updater arrives at last step: Ernie update.
- ARM PSVita updater decrypts Ernie update SPKGs til it finds one whose Hardware Info matches.
- ARM PSVita updater sends the encrypted segments directly to Ernie using some command 0x1181.
- ARM PSVita updater sends the hash directly to Ernie using some command 0x1184.
- Ernie decrypts concatenated received segments using AES128CBC.
- Ernie computes sha1 over the decrypted concatenated data and compares with the received hash.
- Ernie installs the update using the decrypted data.