IdStorage: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
(→‎Leaf content: Regroup IdpsCert in its own section, add descriptions, rework some leaves)
(→‎0x115: Regroup into a single variant code to match observations, add note, tidy up)
Line 283: Line 283:
* <code>PCH02000ZA120000</code> (White PCH-2000)
* <code>PCH02000ZA120000</code> (White PCH-2000)


Decomposition: <code>FFFF NNNN ZZ Y X xxx O</code>
Decomposition: <code>FFFF NNNN PPPP xxx O</code>
* <code>FFFF</code> and <code>NNNN</code> = Model code (e.g. PDEL-1000) decomposed in two parts
* <code>FFFF-NNNN PPPP</code> is usually printed on the product's box
** <code>FFFF</code> = family (e.g., PCH, PDEL)
** <code>FFFF</code> = family (e.g., PCH, PDEL)
** <code>NNNN</code> = number (e.g., 1000, 1004, 1100)
** <code>NNNN</code> = number (e.g., 1000, 1004, 1100)
* <code>ZZ</code> = ? (known values: 00, ZA, AA)
** <code>PPPP</code> = variant code (e.g., 0001, ZAZ2, AA01, ZA12)
* <code>Y</code> = ? (known values: 0, 1, Z)
*** IdStorage and box may differ (e.g., CoD unit IdStorage is ZAZ2 but box is ZA01)
* <code>X</code> = ? (known values: 1, 2)
* <code>xxx</code> = ? (always 000?)
* <code>xxx</code> = ? (always 000)
* <code>O</code> = Product target operator (carrier ID for 3G models - usually matches offset 0x88 of leaf 0x113 on SIM-locked models).
* <code>O</code> = Product target operator (carrier ID for 3G models - usually matches offset 0x88 of leaf 0x113 on SIM-locked models).
** 1 us operator
** 1: US operator
** 2 jp operator
** 2: JP operator
** 3 eu generic
** 3: EU generic
** 4 asia generic
** 4: Asia generic
** 5 canada operator
** 5: Canada operator
** 6 mexico generic
** 6: Mexico generic


== 0x116 ==
== 0x116 ==

Revision as of 18:51, 24 December 2023

See also [1].

Description

Region of the PSVita eMMC where perconsole info is stored.

Location

Idstorage data is stored at first raw partition (code 0x1). Use [2] to extract.

Structure

The IdStorage partition is divided in two parts: the mapping table and the leaves.

Mapping table

The mapping table is located at the start of the partition. It's an array of 16-bit leaf IDs that serves as a leaf ID->index mapping table. The mapping table must be at least one-sector wide but may be bigger.

There are two leaf IDs reserved for usage in the mapping table: all entries corresponding to the mapping table (i.e. the first M entries for an M sectors sized table) must hold the value 0xFFF5, and all unallocated leaves hold the value 0xFFFF.

To lookup a leaf index based on its ID, use the following algorithm:

#define M /* implementation defined */
#define SECTOR_SIZE (512)

#define NUM_TABLE_ITEMS ((M * SECTOR_SIZE) / sizeof(uint16_t))
uint16_t g_mappingTable[NUM_TABLE_ITEMS];

int leafIndexFromId(unsigned id) {
   if (id >= 0xFFF0)
       return /* ERROR: invalid leaf ID */;

   for (int i = 0; i < NUM_TABLE_ITEMS; i++) {
      if (g_mappingTable[i] == id)
         return i;
   }
   return /* ERROR: leaf ID is not in mapping table */;
}

Leaves

Leaves are sector-sized (512 bytes) areas in the IdStorage partition used to store arbitrary data. While the data stored may be smaller, a leaf always occupies one sector in the partition.

To read a leaf's data, obtain the leaf index (this can be known directly, or obtained from a leaf ID using the previously mentioned algorithm) then read 512 bytes starting at offset 512 * leafIndex in the IdStorage partition.

Limits

The number of leaves that can be stored in an IdStorage partition is limited by three factors: the size of the partition, the size of the mapping table and the size of leaf IDs.

  • An M sectors wide mapping table can hold up to 255 * M leaves
    • This is because a single-sector mapping table can reference SECTOR_SIZE/sizeof(u16) - 1 = 255 leaves (the - 1 is needed because a table consumes one entry for itself)
  • A P sectors wide partition can hold up to P - M leaves
    • This is because leaves are sector-sized, and the mapping table consumes M sectors
  • There are 65520 leaf IDs available
    • While an unsigned 16-bit variable can hold 65536 values, IDs superior or equal to 0xFFF0 are reserved and cannot be used

From this, we can conclude that an IdStorage partition of P sectors with an M sectors mapping table can hold up to min(255*M, P-M, 65520) leaves. We can also deduce an IdStorage partition is optimally shaped (no space is non-allocatable) when P = 256 * M.

On Vita, the IdStorage partition is 512KiB and 32 sectors are reserved for the indexing table (P = 1024, M = 32, a non-optimal choice), which means the console's partition can hold up to 992 IdStorage leaves.

Leaf content

Leaves not present in this section have not been found in any unit.

In the following section, "empty" means that the area has all bits set to 1 (i.e., 0xFF). "Present"/"Not present" means whether or not a leaf exists in IdStorage.

When a size is indicated, this means only the first X bytes of the leaf are used, and the rest is empty.

The following information may not be valid for pre-production units.

Idps certificates

Leaves 0x000~0x07F are written to IdStorage during manufacturing by a function called _writeIdpsCert.

Leaf 0x07E contains the signed SHA-256 digest of leaves 0x000~0x07D (signed using RSA-2048). The public key used for signature verification can be found in factTest.self.

Leaf 0x07F is not covered by the signature but is flashed in _writeIdpsCert nonetheless.

Empty leaves

The following leaves have always been observed to only contain zeroes:

  • 0x008~0x01F
  • 0x028~0x03F
  • 0x050~0x07D
  • 0x7F

0x000~0x007

SceIdStoragePspCertificates

Identical across all units and duplicated in leaves 0x020 to 0x027.

0x040~0x047

SceIdStoragePsp2Certificates.

Console-unique.

0x048~0x04F

Console-unique. May be certificate(s).

0x07E

Console-unique.

The RSA-2048 signature of the Idps certificates (2048 bits/256 bytes) is located at offset 0x60 of this leaf.

Data contained between 0x0 and 0x5F is unknown, and data between 0x160 and 0x1FF is unused (always 00).

0x80

Service / Manufacturing Information (SMI)

Console-unique. Contains minimal firmware version (checked in second_loader).

struct SMILeaf {
    uint8_t magic[4]; //'SMI\0'
    uint32_t version; //1
    uint32_t min_fwv; //Minimal firmware version
    uint8_t unused[0x80 - 0xC];
    //Encrypted with per-console keys.
    //This is used to verify the leaf has not been modified.
    uint8_t encrypted_data[0x200 - 0x80];
};

0x100

Console-unique. Build data strings. One string starts at offset 0, and one string starts at offset 0x100. Both strings are 0x100 characters long.

In a 0.920 minfw unit, this leaf instead contains 0x0 at offset 0, 0x10 at offset 0x10, etc up to offset 0xF0, while all other bytes are zeroes.

0x102

Console-unique. Per-console factory/service product information.

0x103

Console-unique. Motherboard information.

  • 0x000-0x003: ErnieHwInfo
  • 0x004-0x007: ErnieFwVersion (also called Ernie Verison)
  • 0x008-0x00B: ErnieDlVersion
  • 0x00C-0x00D: ErnieCfgVersion (version from ConfigStorageInfo; part of Syscon "ConfZZ" header)
  • 0x00E-0x00F: Padding
  • 0x010-0x01F: unknown
  • 0x020-0x028: EmmcFwVersion - 1 byte (Vendor ID), 1 empty byte, then 6 bytes (Device Version) // identical on PCH-10xx and PDEL-100x, PS TV has different padding, PCH-20xx has different values
  • 0x029-0x02F: unknown
  • 0x030-0x037: EmmcFwVersion2 - 1 byte (Vendor ID), 6 bytes (Device Version) and 1 byte (only filled for Samsung eMMC, 0 otherwise)
  • 0x038-0x03F: unknown
  • 0x040-0x041: ElmoFwVersion
  • 0x042-0x05F: Empty?
  • 0x060-0x061: CookieFwVersion
  • 0x062-0x07F: Empty?
  • 0x080-0x083: Motion Device Info: BarkleyFwVersion (u16) followed by BarkleyHwInfo (u16)
  • 0x084-0x09F: Empty?
  • 0x0A0-0x0A5: Battery (Abby or Bert) Version. Empty on PS TV and PDEL-10xx.
  • 0x0A6-0x0A7: Empty?
  • 0x0A8-0x0AC: Battery calibration data. BatteryVoltageCalib (u16) followed by BatteryCurrentCalib (u16)
  • 0x0AC-0x0BF: Empty?
  • 0x0C0-0x0CB: TouchpanelFWVersion (4 u16) followed by TouchpanelConfigVersion (2 u16)
  • 0x0CC-0x0CF: Empty?
  • 0x0D0-0x0DF: TouchpanelLotInfo: 2 u32 for each panel
  • 0x0E0-0x0E3: Wlan/Bt HW Revision (ex: 50 00 00 00 on PCH-10xx/PCH-20xx/PS TV/PDEL-10xx)
  • 0x0E4-0x0E7: Empty?
  • 0x0E8-0x0ED: WlanMacAddress - WLAN MAC Address
  • 0x0EE-0x0EF: Empty?
  • 0x0F0-0x0F5: BtMacAddress - Bluetooh MAC Address
  • 0x0F6-0x0FF: Empty?
  • 0x100-0x11F: BatteryLotInfo (battery lot serial number in ASCII)
  • 0x120-0x183: unknown
  • 0x184-0x193: OLEDLotInfo
  • 0x194-0x1A3: 4 elements of 0x4 bytes
  • 0x1A4-0x1A7: unknown
  • 0x1A8-0x1C7: LcdModLotInfo

0x104

Console-unique. Test/diagnostic results.

Only present if diagnostic software has been executed on the unit or some factory tests failed.

0x110

WlanRegion (3 bytes)

The following algorithm is used to derive it from PsCode:

byte WlanRegion[3];
switch(pscode.product_code) {
    case 0x100:
    case 0x101:
    case 0x102:
    case 0x104:
    case 0x10B:
    case 0x10F:
    case 0x110:
    case 0x111:
      WlanRegion[2] = 0;
      WlanRegion[1] = 7;
      break;
    case 0x103:
    case 0x106:
    case 0x108:
    case 0x10A:
    case 0x10D:
    case 0x10E:
      WlanRegion[2] = 0;
      WlanRegion[1] = 0x1F;
      break;
    case 0x105:
    case 0x107:
    case 0x109:
    case 0x10C:
      WlanRegion[2] = 1;
      WlanRegion[1] = 0x1F;
      break;
    default:
      goto error;
}
WlanRegion[0] = 0xFF;

0x111

WlanMacAddress (6 bytes)

Console-unique. The MAC address of the Wireless LAN adapter.

0x112

MtpSerial (wchar_t[0x20])

Console-unique. The serial number sent via the MTP protocol.

0x113

Console-unique. Information related to the 3G modem.

Empty on non-3G models.

0x114

DeviceLocation (four of struct DeviceLocation)

The location of physical devices in the unit.

struct DeviceLocation {
    //0x00 - Front camera
    //0x01 - Back camera
    //0x10 - Accelerometer
    //0x11 - Gyro
    uint32_t type;
    int32_t x;
    int32_t y;
    int32_t z;
};

Usually, Cameras are at offsets 0x00 and 0x10 while Motion is at 0x20 and 0x30

There's unknown int32 flag at 0x100.

Identical for all consoles of a generation (one kind for Fat, one kind for Slim).

Empty on PSTV.

0x115

ProductTypeInfo (char[16])

Identical for consoles of the same "type".

Example values:

  • PDEL100000010000 (PDEL-1000)
  • PCH01004ZAZ20000 (PCH-1004 - Call of Duty: Black Ops Declassified limited edition)
  • PCH01100AA010002 (Crystal Black PCH-1100 - docomo carrier)
  • PCH02000ZA120000 (White PCH-2000)

Decomposition: FFFF NNNN PPPP xxx O

  • FFFF-NNNN PPPP is usually printed on the product's box
    • FFFF = family (e.g., PCH, PDEL)
    • NNNN = number (e.g., 1000, 1004, 1100)
    • PPPP = variant code (e.g., 0001, ZAZ2, AA01, ZA12)
      • IdStorage and box may differ (e.g., CoD unit IdStorage is ZAZ2 but box is ZA01)
  • xxx = ? (always 000?)
  • O = Product target operator (carrier ID for 3G models - usually matches offset 0x88 of leaf 0x113 on SIM-locked models).
    • 1: US operator
    • 2: JP operator
    • 3: EU generic
    • 4: Asia generic
    • 5: Canada operator
    • 6: Mexico generic

0x116

ColorVariation (4 bytes)

Not present on all units.

Used for wave color by SceShell. (Patch example)

struct ColorVariation {
    uint8_t unk0;
    uint16_t unk1; //maybe just two uint8_t?
    uint8_t unk3;
    /* rest of the leaf is empty */
};

Example values:

  • Call of Duty: Black Ops Declassified limited edition PCH-1004: { 0x01, 0x0000, 0x00 }
  • Glacier White PCH-2000 / White PSTV: { 0x01, 0x000C, 0x00 }

0x117

TemperatureThreashold[sic] (4 elements of 1 byte each)

Not present on all units, and always all zeroes when present. Sent to Syscon?

0x118

AudioParam (1 byte)

Not present on all units.

If set to 0 (or the leaf is absent?), AVLS is never forcefully enabled.

0x119

EtherMacAddress (6 bytes)

Console-unique. The MAC address of the Ethernet adapter.

Present on PSTV and PCH-2000 (empty for the latter).

0x11A

WebBrowserParam (1 byte)

Can be 0/1/2/0x11?

Seen: 0x02 on PCH200X, 0x11 on PSTV

0x11B

ShutterParam (1 byte)

Seen: 0x01 on PCH200X, 0x00 on PSTV. When leaf is present and contains 0x01, the value returned by sceAVConfigGetShutterVol() changes from 30 to 26.

0x11C

LedInfoParam (1 byte)

Seen 0x01 on PCH200X, 0x00 on PSTV