Syscon Update
Jump to navigation
Jump to search
Ernie updates are stored in a packet format.
Packet Header
Each packet shares a common header.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x1 | Packet ID (ex: 1, 2, 0x10, 0x20) |
| 0x1 | 0x1 | Packet Header Size (ex: 0x10, 0x18) |
| 0x2 | 0x2 | Packet Size (ex: 0, 0x400, 0x800) |
Packet size varies depending on the hardware revision of Syscon:
78K0R/Kx3: 0x800 78K0R/Kx3-L: 0x400 RL78/G13: 0x400
Packets
0x01
Version packet.
This packet is update header field.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Ernie Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
| 0x8 | 0x4 | Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) |
| 0xC | 0x4 | Padding |
Ernie Version and Hardware Info from a few PUPs:
1.80 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 1.81 CEX 0B 06 00 01 00 32 60 00 0B 06 00 01 00 30 60 00 0B 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 40 00 3.15 CEX 11 05 03 01 38 50 80 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 3.30 CEX 11 05 03 01 38 50 80 00 01 03 04 01 30 30 72 00 03 06 03 01 30 30 70 00 0D 06 00 01 00 32 60 00 0D 06 00 01 00 30 60 00 0D 06 00 01 00 20 60 00 0B 06 00 01 00 10 60 00 0D 06 00 01 00 60 40 00 1.69 TOOL 06 03 00 01 00 40 41 00 06 03 00 01 00 50 41 00 03 02 09 00 00 50 31 00 06 03 00 01 00 10 41 00 06 03 00 01 00 52 41 00 06 03 00 01 03 26 10 00 06 03 00 01 00 52 31 00 1.80 TOOL 0B 06 00 01 00 10 60 00 0B 06 00 01 00 60 41 00 0B 06 00 01 00 52 41 00 06 03 00 01 03 26 10 00
0x02
Key revision packet.
This packet embeds the encryption key revision used to decrypt the Syscon update packets.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Unknown/Unused. Maybe decryption algorithm. (ex: 0) |
| 0x8 | 0x4 | Key revision (ex: 0, 1, 2) |
| 0xC | 0x4 | Padding |
- Key revision 0 is for 78K0R Proto. It is supported since at least FW 0.931 (0.902 doesn't support this) until FW 1.692.
- Key revision 1 is for 78K0R. It is supported since about FW 1.00. It is the key revision for most Fat PSVitas and for PSTV.
- Key revision 2 is for RL78. It is supported since FW 2.50. It is the key revision for Slim PSVita Syscon.
0x10
Encrypted data packet. Each data packet is AES128CBC encrypted.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Data packet index |
| 0x8 | 0x4 | Encrypted data size |
| 0xC | 0x4 | Padding |
| 0x10 | Variable | Encrypted data |
0x20
Digest packet.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x14 | Digest. Sha-1 hash of decrypted concatenated packets. |
Ernie Update steps
- ARM PSVita updater arrives at last step: Ernie update.
- ARM PSVita updater decrypts Ernie update SPKGs til it finds one whose Hardware Info matches.
- ARM PSVita updater sends the encrypted data blocks directly to Ernie using some command.
- Ernie decrypts concatenated received data blocks using AES128CBC.
- Ernie installs the update using the decrypted data.