From Vita Development Wiki
Jump to navigation
Jump to search
Physical address: 0xE0058000 + 0x20 * keyring_number
.
Flags: See here
Keyring information
0x0~0xFF: Slave common working keyrings
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0 |
0x04420001 |
0x04420003 |
N |
Many Secure Modules. |
General common keyring for crypto operation.
|
1 |
0x04420001 |
0x04420001 |
? |
? |
?
|
2-7 |
0x04420001 |
0x00400001 |
? |
? |
?
|
8 |
0x049F0001 |
0x00810003 |
Y |
first_loader |
SLSK personalization key (encrypt). Derived from keyrings 0x206 or 0x207.
|
9 |
0x049F0001 |
0x00800001 |
? |
first_loader |
SLSK personalization key (decrypt). Derived from keyrings 0x206 or 0x207.
|
0xA-0xF |
0x049F0001 |
0x00800003 |
N |
first_loader |
6 SLSK metadata decryption keys. Derived from keyrings 0x208-0x20D.
|
0x10 |
0x05020001 |
0x05020001 |
? |
? |
Supports decryption only.
|
0x11-0x1F |
0x05020001 |
0x01000001 |
? |
? |
?
|
0x20 |
0x061F0001 |
0x02000003 |
? |
first_loader |
SLSK HMAC-SHA256 Key. Derived from keyring 0x344.
|
0x21-0x24 |
0x061F0001 |
0x061F0001 |
? |
? |
Supports encryption and decryption.
|
0x25-0x2F |
0x061F0001 |
0x02000001 |
? |
? |
?
|
0x30-0x34 |
0x041F0001 |
0x041F0001 |
? |
? |
?
|
0x35-0x7F |
0x041F0001 |
0x00000001 |
? |
? |
?
|
0x80-0xFF |
0x00000000 |
0x00000000 |
? |
N/A |
Not used.
|
0x100~0x1FF: Slave reserved keyrings
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x100 |
0x041F0001 |
0x041F0001 |
? |
? |
?
|
0x101-0x17F |
0x041F0001 |
0x00000001 |
? |
? |
?
|
0x180-0x1FF |
0x00000000 |
0x00000000 |
? |
N/A |
Not used.
|
0x200~0x2FF: Master keyrings
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x200-0x203 |
0x00020003 |
0x00000003 |
? |
? |
?
|
0x204 |
0x006F0003 |
0x006F0003 |
Y |
Bigmac |
AES-256 master key for IdStorage Certificates AES-128-ECB keys derivation. Used by KIRK commands 0x10, 0x12, 0x17 and 0x19.
|
0x205 |
0x006F0003 |
0x006F0003 |
Y |
Bigmac |
?
|
0x206 |
0x00AF0003 |
0x00A00003 |
? |
Bigmac |
Master key used to derive key used to decrypt personalized layer over SLSK. Should be per-console.
|
0x207 |
0x00AF0003 |
0x00A00003 |
? |
Bigmac |
Master key used instead of keyring 0x206 when first_loader secret debug mode is set. (Possibly non-per-console?)
|
0x208-0x20D |
0x00AF0003 |
0x00A00003 |
N |
Bigmac |
6 master keys used to derive AES-128-CBC Key to decrypt SLSK metadata. Which one is used depends on encryption key revision in SLSK header.
|
0x20E-0x20F |
0xXXXX0003 |
0x00100003 |
? |
Bigmac |
Maybe per-console eMMC crypto keys. Protected by second_loader.
|
0x210-0x211 |
0x001F0003 |
0x00000003 |
? |
? |
?
|
0x212 |
0x001F0003 |
0x001F0003 |
Y |
Bigmac |
AES-256-CMAC key used by KIRK commands 0x12 and 0x19.
|
0x213 |
0x001F0003 |
0x001F0003 |
Y |
Bigmac |
AES-256-CBC key used to derive (by seed encryption) SMI keys in second_loader, which are used for minimum firmware version decryption.
|
0x214 |
0x001F0003 |
0x00000003 |
? |
? |
AES-256-CBC key used to derive (by seed encryption) keyrings 0x514 and 0x515 in second_loader. IVs and seeds hardcoded in second_loader.
|
0x215 |
0x001F0003 |
0x00000003 |
? |
? |
?
|
0x216 |
0x001F0003 |
0x001F0003 |
Y |
Bigmac |
AES-256-CBC key used to derive (by seed encryption) keyrings 0x502-0x504 in second_loader. IV hardcoded in second_loader. If SMI minimum FW < 0.996, this key is not used and keyrings 0x502-0x504 are set with hardcoded values from second_loader.
|
0x217 |
0x001F0003 |
0x00000003 |
? |
? |
?
|
0x218-0x2FF |
0x00000000 |
0x00000000 |
X |
N/A |
Not used.
|
0x300~0x3FF: Master keyrings 2
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x300-0x33F |
0x00020003 |
0x00000003 |
? |
? |
?
|
0x340 |
0x012F0003 |
0x012F0003 |
? |
? |
Used to decrypt keys into the 0x10 keyring.
|
0x341-0x343 |
0x012F0003 |
0x01200003 |
? |
? |
?
|
0x344 |
0x022F0003 |
0x02200003 |
? |
? |
Master key used to derive the 0x20 keyring in first_loader.
|
0x345-0x348 |
0x022F0003 |
0x022F0003 |
? |
? |
Used to decrypt keys into one of the 0x21-0x24 keyrings.
|
0x349-0x353 |
0x022F0003 |
0x02200003 |
? |
? |
?
|
0x354-0x3FF |
0x001F0003 |
0x00000003 |
? |
? |
?
|
0x400~0x4FF: RW storage keyrings (Reserved)
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x400-0x47F |
0x18000001 |
0x00000001 |
? |
? |
?
|
0x480-0x4FF |
0x00000000 |
0x00000000 |
X |
N/A |
Not used.
|
0x500~0x5FF: RW storage keyrings
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x500 |
0x18000001 |
0x18000001 |
? |
? |
?
|
0x501 |
0x18000001? |
0x10000007 |
N |
first_loader |
Used by first_loader to figure out whether to load from eMMC or ARM comms after reset. Also SLSK AES Key revision on offset>0x1C-byte>bit:0xF0000000
|
0x502 |
0x18000001 |
0x18000003 |
Y |
second_loader |
AES XTS Tweak for Ernie SNVS sectors.
|
0x503 |
0x18000001 |
0x18000003 |
Y |
second_loader |
AES XTS Decryption Key for Ernie SNVS sectors.
|
0x504 |
0x18000001 |
0x18000003 |
Y |
second_loader |
AES-128-CMAC Key for Ernie SNVS sectors.
|
0x505 |
0x18000001 |
0x00000001 |
? |
? |
?
|
0x506 |
0x18000001 |
0x18000003 |
N |
second_loader |
QAF Token AES-256-CBC and AES-256-CMAC key. Hardcoded in second_loader. Used with IV = keyring 0x507.
|
0x507 |
0x18000001 |
0x18000003 |
N |
second_loader |
QAF Token AES-256-CBC IV. Hardcoded in second_loader.
|
0x508 |
0x18000001 |
0x18000003 |
Y |
second_loader |
Ernie version. Comes from Ernie Code Flash memory (Ernie command 1). 4 bytes. If lower (older) than 0x00090903, old Ernie protocols (unencrypted SNVS packets and maybe different SNVS keys) are used.
|
0x509 |
0x18000001 |
0x18000003 |
Y |
second_loader |
ConsoleId of unit. Comes from IdStorage (eMMC).
|
0x50A |
0x18000001? |
0x18000007 |
Y |
second_loader |
QA flags. 0x10 bytes. Comes from Ernie NVS (Ernie command 0x1082).
|
0x50B |
0x18000001 |
0x18000003 |
Y |
second_loader |
Mgmt Data. 8 bytes. Comes from Ernie SNVS block 0 (Ernie command 0xD2).
|
0x50C |
0x18000001 |
0x18000003 |
N |
second_loader |
Second_Loader#Boot_type_indicator_for_slsk
|
0x50D |
0x18000001 |
0x18000003 |
Y |
second_loader |
OpenPSID of unit. Comes from IdStorage (eMMC).
|
0x50E |
0x18000001
|
1.69: 0x18000003
3.60: 0x10000003
|
Y |
second_loader |
Current firmware version. Comes from Ernie SNVS (Ernie command 0xD0).
|
0x50F |
0x18000001 |
0x18000003 |
Y |
second_loader |
Minimum firmware version. Comes from IdStorage SMI leaf (eMMC). 4 bytes.
|
0x510 |
0x18000001 |
0x18000003 |
Y |
second_loader |
DIP Switches. 0x20 bytes. Comes from CP and Ernie VS (Ernie command 0x90 offset 0xE0).
|
0x511 |
0x18000001 |
0x18000003 |
N (random) |
second_loader |
Ernie communication session key. Unique per boot. It is generated by a handshake with Ernie through Ernie command 0xD0. AES-128-ECB key used to enc/dec the content of Ernie secure packets. If (baryonVersion < 0x90903 && (ernieDLVersion & 0xffffff) < 0x3600) it is zeroed by second_loader. Part of SKSO data. Used by SK command 0xF01.
|
0x512 |
0x18000001? |
0x18000007 |
N (counter) |
second_loader |
Ernie communication ticket count. Used as a challenge at the start of each secure Ernie encrypted communication, for example for SNVS read/write. On each boot it is set to a random value by second_loader. Incremented by 1 after each Ernie secure commmand usage. Part of SKSO data. Used by SK command 0xF01.
|
0x513 |
0x18000001 |
0x18000003 |
Y |
second_loader |
DRAM size. Set to 0x20000000 by default, 0x40000000 on DevKit in DevKit Memory Size mode. Determined by DIP Switches (CP).
|
0x514 |
0x18000001 |
0x18000003 |
see keyring 0x214 |
second_loader |
SKSO AES-256-CMAC key. Protected on FW 1.05. Data size 0x90 bytes. Used to verify SKSO. Used by SK command 0xF01.
|
0x515 |
0x18000001 |
0x18000003 |
see keyring 0x214 |
second_loader |
SKSO AES-128-CBC key. Protected on FW 1.05. Data size 0xA0 bytes. Hardcoded IV in second_loader and second_kernel. Used to encrypt/decrypt SKSO (the content written into keyrings 0x511, 0x512, 0x517 and 0x519). Used by SK command 0xF01.
|
0x516 |
0x18000001? |
0x18000007 |
N |
second_loader |
Some status. Set to 0 at the start of second_loader main(). Checked for 0 before initiating communication with Ernie. 4 bytes. Used by SK command 0xF01: writes (u32)1 here after having exported the SKSO to paddr 0x4001FF00.
|
0x517 |
0x18000001 |
0x18000003 |
Y |
second_loader, act_sm |
Kit Activation status. 4 bytes. Part of SKSO data. When initializing the keyrings, this is zeroed if keyring ?0x50D? has bit8 clear (on FW 1.692). Used by SK command 0xF01.
|
0x518 |
0x18000001 |
0x18000003 |
Y |
second_loader |
Another current FW version (3.60+?). Comes from SNVS (Ernie command 0xD0).
|
0x519 |
0x18000001 |
0x18000003 |
Y? |
second_loader |
Part of SKSO data. Used by SK command 0xF01. Not used (maybe zeroed) on old FWs. Used on FW 3.60.
|
0x51A |
0x18000001 |
0x18000003 |
N (random) |
second_loader |
Coredump Encrypted Session Key (FW 2.12+). Randomized 0x20 byte key. Unique for every boot/reboot/resume. Used for Kernel coredump encryption. See KBL Param and SCECAF#Kernel_Coredump_Encrypted_ELF. Used by SK command 0x1001.
|
0x51B |
0x18000001 |
0x18000003 |
Y |
second_loader |
Hardware Info. 4 bytes. Comes from Ernie Code Flash memory (Ernie command 5).
|
0x51C-0x51D |
0x18000001 |
0x00000001 |
? |
? |
Used in update_service_sm for NVS. 4 bytes for each keyring.
|
0x51E-0x521 |
0x18000001 |
0x00000001 |
? |
? |
Used in update_service_sm for NVS. 4 bytes for each keyring.
|
0x522-0x57F |
0x18000001 |
0x00000001 |
? |
? |
?
|
0x580-0x5FF |
0x00000000 |
0x00000000 |
X |
N/A |
Not used.
|
0x600~0x6FF: OTP keyrings
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x600 |
0x10000003 |
0x10000003 |
Y |
Bigmac |
VisibleId of unit.
|
0x601 |
0x10000003 |
0x10000003 |
Y |
? |
?
|
0x602 |
0x10000003 |
0x10000003 |
Y |
Bigmac |
256 bits copied to 0xE0020100 by second_loader.
|
0x603 |
0x10000003 |
0x10000003 |
N |
Bigmac |
SLSK RSA public key has flags
|
0x604 |
0x10000003 |
0x10000003 |
N |
? |
?
|
0x605-0x607 |
0x10000003 |
0x00000003 |
? |
? |
?
|
0x608-0x6FF |
0x00000000 |
0x00000000 |
X |
N/A |
Not used.
|
Keyring |
Initial flags |
Flags after kernel boot |
Per Console |
Set By |
Description
|
0x700-0x7FF |
0x10000003 |
0x00000003 |
N |
Bigmac |
16 RSA public keys for SLSK files. Which key is used depends on public key revision specified in SLSK header.
|