Cmep Key Ring Base: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
No edit summary
Line 11: Line 11:
|-
|-
| 4            || bigmac destination is allowed to be memory(?)
| 4            || bigmac destination is allowed to be memory(?)
|-
| 7            || related to bootrom functionality. If set then permissions for this slot can be reset
|}
|}



Revision as of 17:16, 1 August 2018

Address = 0xE0058000 + 32 * Slot

Permission bits

Bit Function
0 accessible for bigmac encrypt
1 accessible for bigmac decrypt
4 bigmac destination is allowed to be memory(?)
7 related to bootrom functionality. If set then permissions for this slot can be reset

Key Ring Slots 0xE0058000

Slot Mode Protection Per-console Description
0 3 0x0442 ? ?
1 1 0x0442 ? ?
2-7 1 0x0040 ? ?
8 3 0x0081 Yes. enp per-console key
9 1 0x0080 ? ?
0xA-0xF 3 0x0080 ? ?
0x10 1 0x0502 ? supports decryption only
0x11-0x1F 1 0x0100 ? ?
0x20 3 0x0200 ? ?
0x21-0x24 1 0x061F ? supports encryption and decryption
0x25-0x2F 1 0x0200 ? ?
0x30-0x34 1 0x041F ? ?
0x35-0x7F 1 0x0000 ? ?
0x80-0xFF 0 0x0000 ? ?
0x100 1 0x041F ? ?
0x101-0x17F 1 0x0000 ? ?
0x180-0x1FF 0 0x0000 ? ?
0x200-0x203 3 0x0000 ? ?
0x204-0x205 3 0x006F ? ?
0x206 3 0x00A0 ? Used to derive key used to decrypt personalized layer over enc. Should be per-console.
0x207 3 0x00A0 ? Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
0x208-0x20D 3 0x00A0 ? 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
0x20E-0x20F 3 0x0010 ? Maybe per-console emmc crypto keys? Protected by second_loader.
0x210-0x211 3 0x0000 ? ?
0x212 3 0x001F ? ?
0x213 3 0x001F ? Used to derive SMI keys, which are used for factory fw decryption. Per-console.
0x214 3 0x0000 ? Used to derive keyslots 0x514, 0x515 in second_loader
0x215 3 0x0000 ? ?
0x216 3 0x001F ? Derive 0x502-0x504 by encrypting data in second_loader.
0x217 3 0x0000 ? ?
0x218-0x2FF 0 0x0000 ? ?
0x300-0x33F 3 0x0000 ? ?
0x340 3 0x012F ? Used to decrypt keys into the 0x10 key slot
0x341-0x343 3 0x0120 ? ?
0x344 3 0x0220 ? ?
0x345-0x348 3 0x022F ? Used to decrypt keys into one of the 0x21-0x24 key slot
0x349-0x353 3 0x0220 ? ?
0x354-0x3FF 3 0x0000 ? ?
0x400-0x47F 1 0x0000 ? ?
0x480-0x4FF 0 0x0000 ? ?
0x500 1 0x1800 ? ?
0x501 7 0x1000 ? Downgrade protection? Set to 4 on 1.692, 0 on 1.05.
0x502-0x504 3 0x1800 Yes Related to Ernie SNVS
0x505 1 0x0000 ? ?
0x506 3 0x1800 ? ?
0x507 3 0x1800 No ?
0x508 3 0x1800 No Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
0x509 3 0x1800 Yes IDPS of unit (console id)
0x50A 3 0x1800 ? Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
0x50B 3 0x1800 ? From 0xD2 SNVS block 0, 8 bytes
0x50C 3 0x1800 No Flags. Set to 1 on 1.692 and newer, 0 on older
0x50D 3 0x1800 Yes OpenPSID
0x50E 3 0x1800 Yes Current firmware version. Comes from SNVS.
0x50F 3 0x1800 Yes Factory firmware version. Comes from idstorage.
0x510 3 0x1800 Yes Some bit flags, comes from syscon cmd 0x90 offset 0xE0
0x511 3 0x1800 Yes Unique per boot session id, Syscon shared 0xD0 session key
0x512 7 0x1800 Yes Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
0x513 3 0x1800 No DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
0x514 3 0x1800 No? F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
0x515 3 0x1800 No? F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
0x516 3 0x1800 ? F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
0x517 3 0x1800 When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
0x518 3 0x1800 No Another current FW version (3.60+?) Comes from SNVS.
0x519 3 0x1800 No 00s
0x51A 3 0x1800 Yes Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
0x51B 3 0x1800 No Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
0x51C-0x57F 1 0x0000 ? ?
0x580-0x5FF 0 0x0000 ? ?
0x600 3 0x1000 Yes aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
0x601 3 0x1000 Yes ?
0x602 3 0x1000 Yes ?
0x603 3 0x1000 No ?
0x604 3 0x1000 No ?
0x605-0x607 3 0x0000 ? ?
0x608-0x6FF 0 0x0000 ? ?
0x700-0x77F 3 0x0000 ? 16 public RSA keys for enc, which one is used depends on public key revision from enc header.
0x780-0x7FF 3 0x0000 ? ?