Cmep Key Ring Base: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 45: Line 45:
| 0x11-0x1F      || 1    || 0x0100      || ?          || ?
| 0x11-0x1F      || 1    || 0x0100      || ?          || ?
|-
|-
| 0x20          || 3 || 0x0200      || ?          || ?
| 0x20          || 3 || 0x0200      || ?          || Derived from 0x344, used for hmac-sha256 over enc files
|-
|-
| 0x21-0x24      || 1 || 0x061F      || ?          || supports encryption and decryption
| 0x21-0x24      || 1 || 0x061F      || ?          || supports encryption and decryption
Line 97: Line 97:
| 0x341-0x343    || 3 || 0x0120      || ?          || ?
| 0x341-0x343    || 3 || 0x0120      || ?          || ?
|-
|-
| 0x344          || 3 || 0x0220      || ?          || ?
| 0x344          || 3 || 0x0220      || ?          || Used to derive key 0x20 in brom.
|-
|-
| 0x345-0x348    || 3 || 0x022F      || ?          || Used to decrypt keys into one of the 0x21-0x24 key slot
| 0x345-0x348    || 3 || 0x022F      || ?          || Used to decrypt keys into one of the 0x21-0x24 key slot

Revision as of 19:27, 3 August 2018

Address = 0xE0058000 + 32 * Slot

Permission bits

Bit Function
0x01 accessible for bigmac encrypt
0x02 accessible for bigmac decrypt
0x10 ?
0x20 crypto operation supports a keyslot dst
0x80 related to bootrom functionality. If set then permissions for this slot can be reset
0x400 dst can be memory
0x800 can be written directly by f00d (?)
0x1000 can be read directly by f00d

Key Ring Slots 0xE0058000

Slot Mode Protection Per-console Description
0 3 0x0442 ? ?
1 1 0x0442 ? ?
2-7 1 0x0040 ? ?
8 3 0x0081 Yes. enp per-console key
9 1 0x0080 ? ?
0xA-0xF 3 0x0080 ? ?
0x10 1 0x0502 ? supports decryption only
0x11-0x1F 1 0x0100 ? ?
0x20 3 0x0200 ? Derived from 0x344, used for hmac-sha256 over enc files
0x21-0x24 1 0x061F ? supports encryption and decryption
0x25-0x2F 1 0x0200 ? ?
0x30-0x34 1 0x041F ? ?
0x35-0x7F 1 0x0000 ? ?
0x80-0xFF 0 0x0000 ? ?
0x100 1 0x041F ? ?
0x101-0x17F 1 0x0000 ? ?
0x180-0x1FF 0 0x0000 ? ?
0x200-0x203 3 0x0000 ? ?
0x204-0x205 3 0x006F ? ?
0x206 3 0x00A0 ? Used to derive key used to decrypt personalized layer over enc. Should be per-console.
0x207 3 0x00A0 ? Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
0x208-0x20D 3 0x00A0 ? 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
0x20E-0x20F 3 0x0010 ? Maybe per-console emmc crypto keys? Protected by second_loader.
0x210-0x211 3 0x0000 ? ?
0x212 3 0x001F ? ?
0x213 3 0x001F ? Used to derive SMI keys, which are used for factory fw decryption. Per-console.
0x214 3 0x0000 ? Used to derive keyslots 0x514, 0x515 in second_loader
0x215 3 0x0000 ? ?
0x216 3 0x001F ? Derive 0x502-0x504 by encrypting data in second_loader.
0x217 3 0x0000 ? ?
0x218-0x2FF 0 0x0000 ? ?
0x300-0x33F 3 0x0000 ? ?
0x340 3 0x012F ? Used to decrypt keys into the 0x10 key slot
0x341-0x343 3 0x0120 ? ?
0x344 3 0x0220 ? Used to derive key 0x20 in brom.
0x345-0x348 3 0x022F ? Used to decrypt keys into one of the 0x21-0x24 key slot
0x349-0x353 3 0x0220 ? ?
0x354-0x3FF 3 0x0000 ? ?
0x400-0x47F 1 0x0000 ? ?
0x480-0x4FF 0 0x0000 ? ?
0x500 1 0x1800 ? ?
0x501 7 0x1000 ? Downgrade protection? Set to 4 on 1.692, 0 on 1.05.
0x502-0x504 3 0x1800 Yes Related to Ernie SNVS
0x505 1 0x0000 ? ?
0x506 3 0x1800 ? ?
0x507 3 0x1800 No ?
0x508 3 0x1800 No Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
0x509 3 0x1800 Yes IDPS of unit (console id)
0x50A 3 0x1800 ? Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
0x50B 3 0x1800 ? From 0xD2 SNVS block 0, 8 bytes
0x50C 3 0x1800 No Flags. Set to 1 on 1.692 and newer, 0 on older
0x50D 3 0x1800 Yes OpenPSID
0x50E 3 0x1800 Yes Current firmware version. Comes from SNVS.
0x50F 3 0x1800 Yes Factory firmware version. Comes from idstorage.
0x510 3 0x1800 Yes Some bit flags, comes from syscon cmd 0x90 offset 0xE0
0x511 3 0x1800 Yes Unique per boot session id, Syscon shared 0xD0 session key
0x512 7 0x1800 Yes Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
0x513 3 0x1800 No DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
0x514 3 0x1800 No? F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
0x515 3 0x1800 No? F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
0x516 3 0x1800 ? F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
0x517 3 0x1800 When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
0x518 3 0x1800 No Another current FW version (3.60+?) Comes from SNVS.
0x519 3 0x1800 No 00s
0x51A 3 0x1800 Yes Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
0x51B 3 0x1800 No Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
0x51C-0x57F 1 0x0000 ? ?
0x580-0x5FF 0 0x0000 ? ?
0x600 3 0x1000 Yes aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
0x601 3 0x1000 Yes ?
0x602 3 0x1000 Yes ?
0x603 3 0x1000 No ?
0x604 3 0x1000 No ?
0x605-0x607 3 0x0000 ? ?
0x608-0x6FF 0 0x0000 ? ?
0x700-0x77F 3 0x0000 ? 16 public RSA keys for enc, which one is used depends on public key revision from enc header.
0x780-0x7FF 3 0x0000 ? ?