Cmep Key Ring Base: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 11: | Line 11: | ||
|- | |- | ||
| 4 || bigmac destination is allowed to be memory(?) | | 4 || bigmac destination is allowed to be memory(?) | ||
|- | |||
| 7 || related to bootrom functionality. If set then permissions for this slot can be reset | |||
|} | |} | ||
Revision as of 17:16, 1 August 2018
Address = 0xE0058000 + 32 * Slot
Permission bits
Bit | Function |
---|---|
0 | accessible for bigmac encrypt |
1 | accessible for bigmac decrypt |
4 | bigmac destination is allowed to be memory(?) |
7 | related to bootrom functionality. If set then permissions for this slot can be reset |
Key Ring Slots 0xE0058000
Slot | Mode | Protection | Per-console | Description |
---|---|---|---|---|
0 | 3 | 0x0442 | ? | ? |
1 | 1 | 0x0442 | ? | ? |
2-7 | 1 | 0x0040 | ? | ? |
8 | 3 | 0x0081 | Yes. | enp per-console key |
9 | 1 | 0x0080 | ? | ? |
0xA-0xF | 3 | 0x0080 | ? | ? |
0x10 | 1 | 0x0502 | ? | supports decryption only |
0x11-0x1F | 1 | 0x0100 | ? | ? |
0x20 | 3 | 0x0200 | ? | ? |
0x21-0x24 | 1 | 0x061F | ? | supports encryption and decryption |
0x25-0x2F | 1 | 0x0200 | ? | ? |
0x30-0x34 | 1 | 0x041F | ? | ? |
0x35-0x7F | 1 | 0x0000 | ? | ? |
0x80-0xFF | 0 | 0x0000 | ? | ? |
0x100 | 1 | 0x041F | ? | ? |
0x101-0x17F | 1 | 0x0000 | ? | ? |
0x180-0x1FF | 0 | 0x0000 | ? | ? |
0x200-0x203 | 3 | 0x0000 | ? | ? |
0x204-0x205 | 3 | 0x006F | ? | ? |
0x206 | 3 | 0x00A0 | ? | Used to derive key used to decrypt personalized layer over enc. Should be per-console. |
0x207 | 3 | 0x00A0 | ? | Used instead of the above key when secret debug mode is set. (Possibly non-per-console?) |
0x208-0x20D | 3 | 0x00A0 | ? | 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header |
0x20E-0x20F | 3 | 0x0010 | ? | Maybe per-console emmc crypto keys? Protected by second_loader. |
0x210-0x211 | 3 | 0x0000 | ? | ? |
0x212 | 3 | 0x001F | ? | ? |
0x213 | 3 | 0x001F | ? | Used to derive SMI keys, which are used for factory fw decryption. Per-console. |
0x214 | 3 | 0x0000 | ? | Used to derive keyslots 0x514, 0x515 in second_loader |
0x215 | 3 | 0x0000 | ? | ? |
0x216 | 3 | 0x001F | ? | Derive 0x502-0x504 by encrypting data in second_loader. |
0x217 | 3 | 0x0000 | ? | ? |
0x218-0x2FF | 0 | 0x0000 | ? | ? |
0x300-0x33F | 3 | 0x0000 | ? | ? |
0x340 | 3 | 0x012F | ? | Used to decrypt keys into the 0x10 key slot |
0x341-0x343 | 3 | 0x0120 | ? | ? |
0x344 | 3 | 0x0220 | ? | ? |
0x345-0x348 | 3 | 0x022F | ? | Used to decrypt keys into one of the 0x21-0x24 key slot |
0x349-0x353 | 3 | 0x0220 | ? | ? |
0x354-0x3FF | 3 | 0x0000 | ? | ? |
0x400-0x47F | 1 | 0x0000 | ? | ? |
0x480-0x4FF | 0 | 0x0000 | ? | ? |
0x500 | 1 | 0x1800 | ? | ? |
0x501 | 7 | 0x1000 | ? | Downgrade protection? Set to 4 on 1.692, 0 on 1.05. |
0x502-0x504 | 3 | 0x1800 | Yes | Related to Ernie SNVS |
0x505 | 1 | 0x0000 | ? | ? |
0x506 | 3 | 0x1800 | ? | ? |
0x507 | 3 | 0x1800 | No | ? |
0x508 | 3 | 0x1800 | No | Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 |
0x509 | 3 | 0x1800 | Yes | IDPS of unit (console id) |
0x50A | 3 | 0x1800 | ? | Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. |
0x50B | 3 | 0x1800 | ? | From 0xD2 SNVS block 0, 8 bytes |
0x50C | 3 | 0x1800 | No | Flags. Set to 1 on 1.692 and newer, 0 on older |
0x50D | 3 | 0x1800 | Yes | OpenPSID |
0x50E | 3 | 0x1800 | Yes | Current firmware version. Comes from SNVS. |
0x50F | 3 | 0x1800 | Yes | Factory firmware version. Comes from idstorage. |
0x510 | 3 | 0x1800 | Yes | Some bit flags, comes from syscon cmd 0x90 offset 0xE0 |
0x511 | 3 | 0x1800 | Yes | Unique per boot session id, Syscon shared 0xD0 session key |
0x512 | 7 | 0x1800 | Yes | Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. |
0x513 | 3 | 0x1800 | No | DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. |
0x514 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. |
0x515 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CBC key. Protected on 1.05. |
0x516 | 3 | 0x1800 | ? | F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. |
0x517 | 3 | 0x1800 | When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | |
0x518 | 3 | 0x1800 | No | Another current FW version (3.60+?) Comes from SNVS. |
0x519 | 3 | 0x1800 | No | 00s |
0x51A | 3 | 0x1800 | Yes | Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption |
0x51B | 3 | 0x1800 | No | Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5 |
0x51C-0x57F | 1 | 0x0000 | ? | ? |
0x580-0x5FF | 0 | 0x0000 | ? | ? |
0x600 | 3 | 0x1000 | Yes | aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
|
0x601 | 3 | 0x1000 | Yes | ? |
0x602 | 3 | 0x1000 | Yes | ? |
0x603 | 3 | 0x1000 | No | ? |
0x604 | 3 | 0x1000 | No | ? |
0x605-0x607 | 3 | 0x0000 | ? | ? |
0x608-0x6FF | 0 | 0x0000 | ? | ? |
0x700-0x77F | 3 | 0x0000 | ? | 16 public RSA keys for enc, which one is used depends on public key revision from enc header. |
0x780-0x7FF | 3 | 0x0000 | ? | ? |