SceSblSsMgr
Module
Version | World | Privilege |
---|---|---|
1.69-3.60 | Non-secure | Kernel |
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
1.69-3.60 | SceSblSsMgrForKernel | Non-secure | Kernel | 0x74580D9F |
1.69-3.60 | SceSblSsMgrForDriver | Non-secure | Kernel | 0x61E9428D |
1.69 | SceSblSsMgr | Non-secure | Kernel | 0xEC86E4B0 |
1.69-3.60 | SceSblQafMgr | Non-secure | User | 0x756B7E89 |
1.69-3.60 | SceSblRng | Non-secure | User | 0x1843F124 |
1.69-3.60 | SceSblDmac5Mgr | Non-secure | User | 0x437366A2 |
1.69-3.60 | SceSblAimgr | Non-secure | User | 0xD473F968 |
TODO
- study command flags
- check if mask_enable is a SceBool and if so change type.
- check which keyrings are allowed per function, and if key_id are per keyring index.
- create enum for keyrings indexes
- check IV usage
Types
SceKitActivationData
Offset | Size | Description |
---|---|---|
0x00 | 0x4 | Magic "act\0" |
0x04 | 0x4 | Format version |
0x08 | 0x4 | Issue number (increment each activation, prevent rollback) |
0x0C | 0x4 | Start validity time unix timestamp |
0x10 | 0x4 | End validity time unix timestamp |
0x14 | 0x10 | Activation key |
0x24 | 0x1C | Unused |
0x40 | 0x40 | Encrypted Token (First 0x30 bytes of SceKitActivationData then 0x10 byte CMAC) |
typedef struct SceConsoleId { uint16_t unk; // {0, 0} uint16_t company_code; // {0, 1} uint16_t product_code; uint16_t product_sub_code; uint8_t chassis_check; uint8_t unknown[7]; } SceConsoleId; typedef struct SceOpenPsId { uint8_t open_psid[0x10]; } SceOpenPsId; typedef struct ScePsCode { uint16_t company_code; // {0, 1} uint16_t product_code; uint16_t product_sub_code; uint16_t factory_code; // = chassis_check >> 2; } ScePsCode; typedef struct Sce SceVisibleId { char visible_id[0x20]; } SceVisibleId; typedef enum SceSblSsNvsDataType { SCE_SBL_SS_NVS_DATA_SYSTEM_LANGUAGE = 0, // offset 0x4A4, size 4 - used by SceRegistryMgr SCE_SBL_SS_NVS_DATA_WLAN_BT = 1, // offset 0x500, size 1 - used by SceWlanBt SCE_SBL_SS_NVS_DATA_UNK_482 = 2, // offset 0x482, size 1 SCE_SBL_SS_NVS_DATA_UNK_4E0 = 3, // offset 0x4E0, size 0x20 SCE_SBL_SS_NVS_DATA_UNK_483 = 4, // offset 0x483, size 1 - not present on FW 0.931, present on FW 0.990 SCE_SBL_SS_NVS_DATA_UNK_486 = 5 // offset 0x486, size 1 - not present on FW 0.931-0.990, present on FW 3.60 } SceSblSsNvsDataType; typedef struct SceKitActivationDataToken { // size is 0x40 bytes char magic[4]; // "act\n" uint32_t issue_no; uint32_t format_version; uint32_t start_date; uint32_t end_date; char open_psid[0x10]; char padding[0xC]; char cmac[0x10]; } SceKitActivationDataToken; // This is what embeds the tm0:activation/act.dat file typedef struct SceKitActivationData { // size is 0x80 bytes char magic[4]; // "act\n" uint32_t issue_no; uint32_t format_version; uint32_t start_date; uint32_t end_date; char open_psid[0x10]; char padding[0x1C]; char encrypted_token[0x40]; } SceKitActivationData; typedef struct SceQafToken { // size is 0x80 bytes SceUInt32 qaf_version; SceUInt32 unk_4; char qaf_name[0x10]; // "NO_FLAGS" by default char unk_18[8]; char consoleid[0x10]; char qa_flags[0x10]; char unk_40[0x30]; char cmac[0x10]; // AES256CMAC of SceQafToken with zeroed CMAC field } SceQafToken; typedef struct ScePortabilityData { // size is 0x24 SceSize msg_size; // max size is 0x20 uint8_t msg[0x20]; } ScePortabilityData; // Used by run_encdec_cmd, itself called by sceSblDmac5EncDec for example. typedef struct dmac_op_ctx { dmac_op_ctx_heap *ctx_heap_addr; uint keyring_key_count; // if keyring_key_count < 0x100, keyring_key_count is used as DKey uint unk_8; SceUID dmac_opid; // used with sceKernelDmaOpFreeForDriver char iv[0x28]; // iv_size can be 0, 8, 0x10 or 0x28 depending on cmd itself depending on key_length } dmac_op_ctx; typedef struct dmac_op_ctx_heap { // size is 0x40 on FW 0.990 uint cmd; uint unk_4; // 0x100 uint unk_8; // 0 if unk_flag = 0, 0x3ffff else uint dmac5_op; char reserved[0x30]; } dmac_op_ctx_heap; typedef struct SceSblSsCreatePassPhraseParam { // size is 0x18 SceUInt32 reserved; // ex: 0 SceSize size; // Size of this structure char accountIdText[0x10]; // Taken from registry "/CONFIG/NP/account_id" and converted to ASCII } SceSblSsCreatePassPhraseParam; typedef struct SceKernelGetRandomNumberParam { SceUInt32 dstSize; // In bytes. Must be <= 0x40. SceUInt32 reserved; } SceKernelGetRandomNumberParam; typedef struct SceQafToken { char data[0x80]; char sig[0x100]; // Not present on FW 0.990. Present on FW 3.60 } SceQafToken; typedef struct SceSblDmac5EncDecParam { // size is 0x18-bytes const void *src; void *dst; SceSize size; const void *key; SceSize keysize; void *iv; } SceSblDmac5EncDecParam; typedef struct SceSblDmac5HashTransformContext { // size is 0x28-bytes SceUInt32 state[8]; SceUInt64 length; } SceSblDmac5HashTransformContext; typedef struct SceSblDmac5HashTransformParam { // size is 0x18-bytes const void *src; // must be aligned on 0x40-byte void *dst; SceSize size; const void *key; SceSize keysize; SceSblDmac5HashTransformContext *ctx; // Or another context of size 0x10-bytes } SceSblDmac5HashTransformParam;
SceSblSsMgrForKernel
sceSblNvsReadDataForKernel
Version | NID |
---|---|
0.990-3.60 | 0xC2EC8F5A |
Temp name was sceSblSsMgrNvsReadDataForKernel.
Calls SceSyscon#sceSysconNvsReadDataForDriver.
Trying to read at offset 0-0x3FF: error 0x8025023C (cannot read SNVS using this function, need to use SNVS protocol).
Trying to read at offset > 0xB5F: error 0x80250001 (out of range).
Trying to read at ((offset & 7) != 0): error 0x80250001 (non aligned).
int sceSblNvsReadDataForKernel(int offset, char *buffer, int size);
sceSblNvsWriteDataForKernel
Version | NID |
---|---|
0.990-3.60 | 0xE29E161C |
Temp name was sceSblSsMgrNvsWriteDataForKernel.
Calls sceSysconNvsWriteDataForDriver.
int sceSblNvsWriteDataForKernel(int offset, char *buffer, int size);
sceSblPmMgrGetProductModeForKernel
Version | NID |
---|---|
0.990-3.60 | 0x516ECC08 |
Temp name was scePmMgrGetProductModeForKernel.
From FWs 0.990 to 3.60, it is simply a redirect to SceSysmem#scePmMgrGetProductModeForDriver.
int sceSblPmMgrGetProductModeForKernel(char* result);
sceSblQafManagerGetQafTokenForKernel
Version | NID |
---|---|
0.931-0.990 | 0x281FD75A |
3.60 | not present |
int sceSblQafManagerGetQafTokenForKernel(SceQafToken *pToken);
sceSblQafManagerSetQafTokenForKernel
Version | NID |
---|---|
0.931-0.990 | 0x8E9447A1 |
3.60 | not present |
int sceSblQafManagerSetQafTokenForKernel(SceQafToken *pToken);
sceSblQafManagerGetQafOnNVSForKernel
Version | NID |
---|---|
0.931 | not present |
0.990-1.03 | 0x228A6653 |
3.60 | not present |
SceQafToken *temp_token = pToken; sceSblNvsReadDataForKernel(0x480, flag, 1); if (!flag) { nvs_read(0x400, temp_token, 0x80); ret = exec_qaf_sm(temp_token, 0); } return ret;
int sceSblQafManagerGetQafOnNVSForKernel(SceQafToken *pToken)
sceSblQafManagerClearQafTokenForKernel
Version | NID |
---|---|
0.931-0.990 | 0xD45155C6 |
3.60 | not present |
int sceSblQafManagerClearQafTokenForKernel(void);
uint32_t ret; char qaf_token[0x80]; memset(&qaf_token, 0xFF, 0x80); SceKernelSuspendForDriver_4DF40893(0); ret = sceSblNvsWriteDataForKernel(0x400, &qaf_token, 0x80); if (!ret) // if qaf_token successfully written, set a flag at 0x480 ret = sceSblNvsWriteDataForKernel(0x480, 1, 1); SceKernelSuspendForDriver_2BB92967(0); return ret;
sceSblQafManagerGetQAFlagsForKernel
Version | NID |
---|---|
0.931-3.60 | 0x83D254FF |
int sceSblQafManagerGetQAFlagsForKernel(char buffer[0x10]);
sceSblQafManagerGetQafNameForKernel
Version | NID |
---|---|
0.931-3.60 | 0xE2DD0378 |
if ( byte_81008725 & 2 ) { char workaround_string = "qaf_workaround"; memcpy(buffer, workaround_string, max_len); } else { sceSblNvsReadDataForKernel(0x480, flag, 1); if (flag) { sceSblNvsReadDataForKernel(0x400, buf, 0x80); memcpy(buffer, buf, 0x18); } }
int sceSblQafManagerGetQafNameForKernel(char *buffer, unsigned int max_len);
SceSblSsMgrForDriver
Cryptographic functions in this module typically have 3 variations:
- Use
key
- meaning that the key that you provide is used directly for encryption/decryption. - Use
keyring_id
- meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific keyring. In this case you select a key from cmep bykey_id
. It will be encrypted by cmep and placed into the keyring selected bykeyring_id
. - Use
key_id
- meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally. In this case the key from cmep is also selected bykey_id
and encrypted by cmep. It is then placed into one of the available keyrings. Default keyring range is 0xC-0x17.
sceSblRngPseudoRandomNumberForDriver
Version | NID |
---|---|
0.990-3.60 | 0x4F9BFBE5 |
Temp name was sceSblSsMgrGetRandomNumberForDriver.
Gets the pseudo-random number calculated within SceSblSsMgr.
The base seed is (DMAC5 RNG + HMAC-SHA1) * 2. System Time is also used for one of them.
int sceSblRngPseudoRandomNumberForDriver(void *result, SceSize size);
sceSblRngGenuineRandomNumberForDriver
Version | NID |
---|---|
0.990-3.60 | 0xAC57F4F0 |
Temp name was sceSblSsMgrGetRandomDataForDriver.
Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);
Used in SceKrm, SceSblGcAuthMgr.
int sceSblRngGenuineRandomNumberForDriver(char* dest);
sceSblDmac5SetKeyLocalForDriver
Version | NID |
---|---|
0.931 | 0x18A1BF77 |
0.990-3.60 | not present |
int sceSblDmac5SetKeyLocalForDriver(uint *pCtx, SceSize alignment, SceSize size, SceUInt32 flag, void *pKey);
sceSblDmac5DeleteKeyLocalForDriver
Version | NID |
---|---|
0.931 | 0x9DC22C1A |
0.990-3.60 | not present |
int sceSblDmac5DeleteKeyLocalForDriver(uint *pCtx);
SceSblSsMgrForDriver_8C31A8FD
Version | NID |
---|---|
0.931 | 0x8C31A8FD |
0.990-3.60 | not present |
Uses _sceSblDmac5AllocOp.
SceSblSsMgrForDriver_CAB891D3
Version | NID |
---|---|
0.931 | 0xCAB891D3 |
0.990-3.60 | not present |
Uses _sceSblDmac5AllocOp.
sceSblDmac5AllocOpForDriver
Version | NID |
---|---|
0.931 | 0xE293FC8E |
0.990-3.60 | not present |
sceSblDmac5FreeOpForDriver
Version | NID |
---|---|
0.931 | 0xCAEF7541 |
0.990-3.60 | not present |
_sceSblDmac5FreeOpForDriver
Version | NID |
---|---|
0.931 | 0xEB462E80 |
0.990-3.60 | not present |
sceSblDmac5DirectCryptForDriver
Version | NID |
---|---|
0.931 | 0x850F81AD |
0.990-3.60 | not present |
_sceSblDmac5DirectCryptForDriver
Version | NID |
---|---|
0.931 | 0x29BE9D99 |
0.990-3.60 | not present |
This is a guessed name.
Uses _sceSblDmac5DirectCrypt.
SceSblSsMgrForDriver_A87E82A4
Version | NID |
---|---|
0.931 | 0xA87E82A4 |
0.990-3.60 | not present |
Uses _sceSblDmac5DirectCrypt.
SceSblSsMgrForDriver_465D1526
Version | NID |
---|---|
0.931 | 0x465D1526 |
0.990-3.60 | not present |
Uses _sceSblDmac5DirectCrypt.
sceSblDmac5RndForDriver
Version | NID |
---|---|
0.931-3.60 | 0x4DD1B2E5 |
Temp name was sceSblSsMgrGetRandomDataCropForDriver.
Generates random data by executing Dmac5 command 0x4.
Data is then cropped to fit the size in pOutputBuffer.
Used in SceMsif.
int sceSblDmac5RndForDriver(char* pOutputBuffer, int size, int unk);
sceSblDmac5AesEcbEncForDriver
Version | NID |
---|---|
0.990-3.60 | 0xC517770D |
Temp name was sceSblSsMgrAESECBEncryptForDriver.
Executes Dmac5 command 0x1.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. 128 / 192 / 256 // mask_enable: ex: 1 int sceSblDmac5AesEcbEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5AesEcbDecForDriver
Version | NID |
---|---|
0.990-3.60 | 0x7C978BE7 |
Temp name was sceSblSsMgrAESECBDecryptForDriver.
Executes Dmac5 command 0x2.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // mask_enable: ex: 1 int sceSblDmac5AesEcbDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5AesEcbEncNPForDriver
Version | NID |
---|---|
0.990-3.60 | 0x0F7D28AF |
Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.
Executes Dmac5 command 0x1.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // key_id: ex: 0. Used with sceSblAuthMgrSetDmac5Key. Uses keyring_id range 0x0C-0x17 internally. // mask_enable: ex: 1 int sceSblDmac5AesEcbEncNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 key_id, SceUInt32 mask_enable);
sceSblDmac5AesEcbDecNPForDriver
Version | NID |
---|---|
3.60 | 0x197ACF6F |
Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.
Executes Dmac5 command 0x2.
no usages found
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally. // mask_enable: ex: 1 int sceSblDmac5AesEcbDecNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 key_id, SceUInt32 mask_enable);
sceSblDmac5AesEcbEncWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x01BE0374 |
Temp name was sceSblDmac5AesEcbEncWithKeyslotForDriver.
Executes Dmac5 command 0x1.
Used in SceSblMgKeyMgr.
// size: size of data in src // keyring_id: ex: 0x1C, 0x1D, 0x1E, 0x1F // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // mask_enable: ex: 1 int sceSblDmac5AesEcbEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5AesEcbDecWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x8B4700CB |
Temp name was sceSblDmac5AesEcbDecWithKeyslotForDriver.
Executes Dmac5 command 0x2.
Used in SceSblMgKeyMgr.
// size: size of data in src // keyring_id: ex: 0x1D // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // mask_enable: ex: 1 int sceSblDmac5AesEcbDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5DesEcbEncWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x37DD5CBF |
Temp name was sceSblDmac5DesEcbEncWithKeyslotForDriver, sceSblSsMgrDES64ECBEncryptForDriver.
This also implements 3DES. Chosen function depends on key size.
- for 64 - DES
- for 128 - not tested. assuming 3DES with K1 = K3.
- for 192 - 3DES
Executes Dmac5 command 0x41.
Used in SceSblMgKeyMgr.
// size: size of data in src // keyring_id: ex: 0x1C // key_length: Key length in bits. ex: 192 - other sizes also work // mask_enable: ex: 1 int sceSblDmac5DesEcbEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5DesEcbDecWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x8EAFB18A |
Temp name was sceSblDmac5DesEcbDecWithKeyslotForDriver, sceSblSsMgrDES64ECBDecryptForDriver.
This also implements 3DES. Chosen function depends on key size.
- for 64 - DES
- for 128 - not tested. assuming 3DES with K1 = K3.
- for 192 - 3DES
Executes Dmac5 command 0x42.
Used in SceSblMgKeyMgr.
// size: size of data in src // keyring_id: ex: 0x1C // key_length: Key length in bits. ex: 192, other sizes also work. // mask_enable: ex: 1 int sceSblDmac5DesEcbDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);
sceSblDmac5DesCbcEncWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x05B38698 |
Temp name was sceSblDmac5DesCbcEncWithKeyslotForDriver, sceSblSsMgrDES64CBCEncryptForDriver.
This also probably implements 3DES. Chosen function depends on key size.
- for 0x40 - DES
- for 0x80 - not tested. assuming 3DES with K1 = K3.
- for 0xC0 - 3DES
Executes Dmac5 command 0x49.
no usages found
// size: size of data in src // keyring_id: ex: 0x1D // key_length: Key length in bits. ? - does not matter ? // iv: IV. IV length is 8 bytes for DES - will be updated after encryption (most likely for encrypting data in blocks?). // mask_enable: ex: 1 int sceSblDmac5DesCbcEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5DesCbcDecWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0x926BCCF0 |
Temp name was sceSblDmac5DesCbcDecWithKeyslotForDriver, sceSblSsMgrDES64CBCDecryptForDriver.
This also probably implements 3DES. Chosen function depends on key size.
- for 0x40 - DES
- for 0x80 - not tested. assuming 3DES with K1 = K3.
- for 0xC0 - 3DES
Executes Dmac5 command 0x4A.
no usages found
// size: size of data in src // keyring_id: ex: 0x1D // key_length: Key length. ? - does not matter ? // iv: IV. IV length is 8 bytes for DES. // mask_enable: ex: 1 int sceSblDmac5DesCbcDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5AesCbcEncForDriver
Version | NID |
---|---|
0.990-3.60 | 0xE6E1AD15 |
Temp name was sceSblSsMgrAESCBCEncryptForDriver.
Executes Dmac5 command 0x9.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Allowed values are: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // mask_enable: ex: 1 int sceSblDmac5AesCbcEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5AesCbcDecForDriver
Version | NID |
---|---|
0.990-3.60 | 0x121FA69F |
SCE maybe made a typo: sceSblDmac5AEsCbcDecForDriver.
Temp name was sceSblSsMgrAESCBCDecryptForDriver.
Executes Dmac5 command 0xA.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // mask_enable: ex: 1 int sceSblDmac5AesCbcDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5AesCbcEncNPForDriver
Version | NID |
---|---|
0.990-3.60 | 0x711C057A |
Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.
Executes Dmac5 command 0x9.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally. // mask_enable: ex: 1 int sceSblDmac5AesCbcEncNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 key_id, SceUInt32 mask_enable);
sceSblDmac5AesCbcDecNPForDriver
Version | NID |
---|---|
0.990-3.60 | 0x1901CB5E |
Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.
Executes Dmac5 command 0xA.
Used in ScePfsMgr.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally. // mask_enable: ex: 1 int sceSblDmac5AesCbcDecNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 key_id, SceUInt32 mask_enable);
sceSblDmac5AesCtrEncForDriver
Version | NID |
---|---|
1.50-3.60 | 0x82B5DCEF |
Temp name was sceSblSsMgrAESCTREncryptForDriver.
Executes Dmac5 command 0x21.
Used in SceNpDrm.
This function can also be used for decryption since AES CTR is a symmetric function.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // mask_enable: ex: 1 int sceSblDmac5AesCtrEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5AesCtrDecForDriver
Version | NID |
---|---|
3.60 | 0x7D46768C |
Temp name was sceSblSsMgrAESCTRDecryptForDriver.
Executes Dmac5 command 0x22.
no usages found
This function can also be used for encryption since AES CTR is a symmetric function.
// size: size of data in src // key: Key. // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?). // mask_enable: ex: 1 int sceSblDmac5AesCtrDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);
sceSblDmac5Sha1ForDriver
Version | NID |
---|---|
3.60 | 0xEB3AF9B5 |
Executes Dmac5 command 0x3. Used in ScePfsMgr.
int sceSblDmac5Sha1ForDriver(const void *src, void *dst, SceSize length, SceSblDmac5HashTransformContext *ctx, SceUInt32 mask_enable, SceUInt32 extra);
sceSblDmac5Sha1HmacTransformForDriver
Version | NID |
---|---|
0.990-3.60 | 0x6704D985 |
Temp name was sceSblSsMgrHMACSHA1ForDriver.
Executes Dmac5 command 0x23. Used in ScePfsMgr.
Key size is always 256-bits.
int sceSblDmac5Sha1HmacTransformForDriver(const void *src, void *dst, SceSize length, const void *key, SceSblDmac5HashTransformContext *ctx, SceBool mask_enable, SceUInt32 extra);
sceSblDmac5Sha1HmacNPForDriver
Version | NID |
---|---|
3.60 | 0x92E37656 |
Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.
Executes Dmac5 command 0x23. no usages found.
int sceSblDmac5Sha1HmacNPForDriver(const void *src, void *dst, SceSize length, const void *key, SceSblDmac5HashTransformContext *ctx, SceUInt32 key_id, SceBool mask_enable, SceUInt32 extra);
sceSblDmac5Sha256HmacForDriver
Version | NID |
---|---|
3.60 | 0x79F38554 |
Temp name was sceSblSsMgrHMACSHA256ForDriver.
Executes Dmac5 command 0x33. no usages found.
int sceSblDmac5Sha256HmacForDriver(const void *src, void *dst, SceSize length, const void *key, SceSblDmac5HashTransformContext *ctx, SceBool mask_enable, SceUInt32 extra);
sceSblDmac5AesCmacForDriver
Version | NID |
---|---|
0.990-3.60 | 0x1B14658D |
Temp name was sceSblSsMgrAESCMACForDriver.
Executes Dmac5 command 0x3B. Used in ScePfsMgr.
int sceSblDmac5AesCmacForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize keysize, SceSblDmac5HashTransformContext *ctx, SceBool mask_enable, SceUInt32 extra);
sceSblDmac5AesCmacNPForDriver
Version | NID |
---|---|
3.60 | 0x83B058F5 |
Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.
Executes Dmac5 command 0x3B. Used in ScePfsMgr.
int sceSblDmac5AesCmacNPForDriver(const void *src, void *dst, SceSize length, const void *key, SceSize keysize, SceSblDmac5HashTransformContext *ctx, SceUInt32 key_id, SceBool mask_enable, SceUInt32 extra);
sceSblDmac5AesCmacWithDmac5KeyForDriver
Version | NID |
---|---|
3.60 | 0xEA6ACB6D |
Temp name was sceSblDmac5AesCmacWithKeyslotForDriver.
Executes Dmac5 command 0x3B.
no usages found
// size: size of data in src // keyring_id: ex: 0x1D // key_length: Key length in bits. Accepted values: 128 / 192 / 256. // iv: ex: 0 // mask_enable: ex: 1 // flags: ex: 0 / 0x400 / 0x800 / 0xC00 int sceSblDmac5AesCmacWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable, SceUInt32 flags);
sceSblSsMgrExecuteDmac5HashCommandForDriver
Version | NID |
---|---|
3.60 | 0x9641374E |
Executes Dmac5 commands related to hash functions.
Used in SceNpDrm.
int sceSblSsMgrExecuteDmac5HashCommandForDriver(const void *src, void *dst, SceSize size, void *iv, SceUInt32 mask_enable, SceUInt32 command, SceUInt32 flags);
sceSblSsEncryptWithPortabilityForDriver
Version | NID |
---|---|
0.931-3.60 | 0x21EC51F6 |
derived from _vshSblSsEncryptWithPortability
Strangely it does not communicate with encdec_w_portability_sm command 0x1000A. That's because anyway this SM command is not implemented in release FWs.
SceInt32 sceSblSsEncryptWithPortabilityForDriver(SceUInt32 key_type, void *iv, ScePortabilityData *plain_msg, ScePortabilityData *enc_msg);
sceSblSsDecryptWithPortabilityForDriver
Version | NID |
---|---|
0.931-3.60 | 0x934DB6B5 |
derived from _vshSblSsDecryptWithPortability
For example, decrypts or derives AES key that is used in msif to decrypt static sha224 table.
Executes encdec_w_portability_sm command 0x2000A.
int sceSblSsDecryptWithPortabilityForDriver(SceUInt32 key_type, void *iv, ScePortabilityData *enc, ScePortabilityData *plain);
sceSblSsGetNvsDataForDriver
Version | NID |
---|---|
0.931-3.60 | 0xFDD6D5DE |
derived from _vshSblSsGetNvsData
Calls sceSysconNvsReadDataForDriver.
// type - 0-5 // pData - destination buffer // size - 2, 4, 8, 0x10, 0x20 int sceSblSsGetNvsDataForDriver(SceSblSsNvsDataType type, void *pData, SceSize size);
sceSblSsSetNvsDataForDriver
Version | NID |
---|---|
0.931-3.60 | 0x249ADB07 |
derived from _vshSblSsSetNvsData
Calls sceSysconNvsWriteDataForDriver.
// type - 0-5 // pData - source buffer // size - 2, 4, 8, 0x10, 0x20 int sceSblSsSetNvsDataForDriver(SceSblSsNvsDataType type, void *pData, SceSize size);
sceSblAimgrGetVisibleIdForDriver
Version | NID |
---|---|
0.990-3.60 | 0x04843835 |
Temp name was sceSblSsMgrGetVisibleIdForDriver, sceSblSsMgrGetFuseIdForDriver.
Derived from _vshSblAimgrGetVisibleId
.
Obtains Visible Id by executing aimgr_sm command 0x3.
int sceSblAimgrGetVisibleIdForDriver(SceVisibleId *pVisibleId);
sceSblAimgrGetConsoleIdForDriver
Version | NID |
---|---|
0.990-3.60 | 0xFC6CDD68 |
Temp name was sceSblSsMgrGetConsoleIdForDriver.
Obtains Console Id by executing aimgr_sm command 0x1.
int sceSblAimgrGetConsoleIdForDriver(SceConsoleId *pConsoleId);
sceSblAimgrGetOpenPsIdForDriver
Version | NID |
---|---|
0.990-3.60 | 0xA5B5D269 |
Temp name was sceSblSsMgrGetOpenPsIdForDriver.
This function returns information from a static buffer that is initialized on module_start.
OpenPsId comes from kbl_param->openpsid using SceSysmem#sceKernelSysrootGetKblParamForKernel.
int sceSblAimgrGetOpenPsIdForDriver(SceOpenPsId *pOpenPsId);
sceSblAimgrGetPscodeForDriver
Version | NID |
---|---|
0.990-3.60 | 0xE0DC2587 |
Temp name was sceSblSsMgrGetPscodeForDriver.
Derived from _vshSblAimgrGetPscode
.
This function returns information from a static buffer that is initialized on module_start.
PsCode comes from kbl_param->pscode using SceSysmem#sceKernelSysrootGetKblParamForKernel.
int sceSblAimgrGetPscodeForDriver(ScePsCode *pPsCode);
sceSblAimgrGetPscode2ForDriver
Version | NID |
---|---|
3.60 | 0x9A9676D0 |
Temp name was sceSblSsMgrGetPscode2ForDriver.
Derived from _vshSblAimgrGetPscode2
Obtains Ps Code by executing aimgr_sm command 0x4.
int sceSblAimgrGetPscode2ForDriver(ScePsCode *pPsCode);
sceSblSsCreatePassPhraseForDriver
Version | NID |
---|---|
3.60 | 0xB8B298FD |
derived from _vshSblSsCreatePassPhrase
Obtains PassPhrase by executing aimgr_sm command 0x5.
int sceSblSsCreatePassPhraseForDriver(SceSblSsCreatePassPhraseParam *pParam, void *pPassPhrase);
sceSblSsInfraAllocatePARangeVectorForDriver
Version | NID |
---|---|
0.931-3.60 | 0xE0B13BA7 |
Used by SceSblUpdateMgr.
int sceSblSsInfraAllocatePARangeVectorForDriver(void *buf, SceSize size, SceUID blockid, SceKernelPAVector *pPAV);
sceSblSsInfraFreePARangeVectorForDriver
Version | NID |
---|---|
0.931-3.60 | 0xC38D0CEA |
Used by SceSblUpdateMgr.
int sceSblSsInfraFreePARangeVectorForDriver(SceUID blockid, SceKernelPAVector *pPAV);
sceSblSsMemsetForDriver
Version | NID |
---|---|
3.60 | 0xCD98CC92 |
Used by SceSblPostSsMgr.
void sceSblSsMemsetForDriver(char* dest, char value, int size);
sceSblRtcMgrSetCpRtc_1ForDriver
Version | NID |
---|---|
0.931 | 0x2B259A82 |
0.990-3.60 | not present |
sceSblRtcMgrSetCpRtc_2ForDriver
Version | NID |
---|---|
0.931-0.940 | 0xD8F6F110 |
0.990-3.60 | moved to PostSsMgr |
sceSblRtcMgrGetCpRtcPhysicalForDriver
Version | NID |
---|---|
0.931-0.940 | 0xC96622EC |
0.990-3.60 | moved to PostSsMgr |
sceSblRtcMgrGetCpRtcLogicalForDriver
Version | NID |
---|---|
0.931-0.940 | 0xAF56206D |
0.990-3.60 | moved to PostSsMgr |
sceSblLicMgrActivateDevkitForDriver
Version | NID |
---|---|
0.931 | 0x37682AB1 |
0.990-3.60 | moved to PostSsMgr |
sceSblLicGetActivationKeyForDriver
Version | NID |
---|---|
0.931 | not present |
0.940 | 0xED4878A4 |
0.990-3.60 | moved to PostSsMgr |
sceSblLicMgrGetExpireDateForDriver
Version | NID |
---|---|
0.931-0.940 | 0xE840CD4E |
0.990-3.60 | moved to PostSsMgr |
sceSblLicMgrGetLicenseStatusForDriver
Version | NID |
---|---|
0.931-0.940 | 0x65CBED16 |
0.990-3.60 | moved to PostSsMgr |
sceSblPmMgrGetProductModeFromNVSForDriver
Version | NID |
---|---|
0.931-0.940 | 0x196C7FB2 |
0.990-3.60 | moved to PostSsMgr |
sceSblPmMgrSetProductModeForDriver
Version | NID |
---|---|
0.931-0.940 | 0x33B706E1 |
0.990-3.60 | moved to PostSsMgr |
sceSblPmMgrAuthEtoIForDriver
Version | NID |
---|---|
0.931-0.940 | 0xB241EA2B |
0.990-3.60 | moved to PostSsMgr |
sceSblSsCrepoInitializeForDriver
Version | NID |
---|---|
0.931 | not present |
0.990 | 0x80879AFB |
3.60 | not present |
int sceSblSsCrepoInitializeForDriver(void);
SceSblSsMgrForDriver_2D794404
Version | NID |
---|---|
0.931 | not present |
0.990 | 0x2D794404 |
3.60 | not present |
Uses Crepo Key Ring.
SceSblSsMgrForDriver_52BC448C
Version | NID |
---|---|
0.931 | not present |
0.990 | 0x52BC448C |
3.60 | not present |
Uses Crepo Key Ring.
SceSblSsMgrForDriver_2B3EF6DF
Version | NID |
---|---|
0.931 | not present |
0.990 | 0x2B3EF6DF |
3.60 | not present |
Clears Crepo Key Ring.
int SceSblSsMgrForDriver_2B3EF6DF(void);
sceSblSsDebugDecryptKeystoneForDriver
Version | NID |
---|---|
0.931 | not present |
0.990 | 0x9084AEDB |
3.60 | moved to PostSs |
sceSblSsDebugEncryptKeystoneForDriver
Version | NID |
---|---|
0.931 | not present |
0.990 | 0xDFB5E945 |
3.60 | moved to PostSs |
sceSblSsEncryptSealedkeyForDriver
Version | NID |
---|---|
0.931 | not present |
0.990 | 0xB36051C4 |
3.60 | moved to PostSs |
sceSblSsDecryptSealedkeyForDriver
Version | NID |
---|---|
0.931 | not present |
0.990 | 0xEC0D967A |
3.60 | moved to PostSs |
SceSblSsMgr
This library exists on FW 1.69 but does not exist on FW 3.60.
sceSblSsInfraAllocatePARangeVector
Version | NID |
---|---|
0.931-1.69 | 0x8C2822A9 |
int sceSblSsInfraAllocatePARangeVector(void *buf, SceSize size, SceUID blockid, SceKernelPAVector *pPAV);
sceSblSsInfraFreePARangeVector
Version | NID |
---|---|
0.931-1.69 | 0xFAD42134 |
int sceSblSsInfraFreePARangeVector(SceUID blockid, SceKernelPAVector *pPAV);
SceSblQafMgr
sceSblQafMgrGetQafToken
Version | NID |
---|---|
1.69-3.60 | 0xB6BAE81D |
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).
int sceSblQafMgrGetQafToken(SceQafToken *qaf_token);
sceSblQafMgrGetQafToken2
Version | NID |
---|---|
3.60 | 0xDFBA8569 |
int sceSblQafMgrGetQafToken2(SceQafToken *qaf_token);
sceSblQafManagerSetQafTokenForUser
Version | NID |
---|---|
1.69-3.60 | 0x56A16392 |
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).
int sceSblQafManagerSetQafTokenForUser(SceQafToken qaf_token);
sceSblQafMgrSetQafToken2
Version | NID |
---|---|
3.60 | 0xF4B5C8A5 |
int sceSblQafMgrSetQafToken2(SceQafToken qaf_token);
sceSblQafManagerDeleteQafTokenForUser
Version | NID |
---|---|
0.940-3.60 | 0xD542583F |
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).
int sceSblQafManagerDeleteQafTokenForUser(void);
sceSblQafMgrDeleteQafToken2
Version | NID |
---|---|
3.60 | 0x62E30BF4 |
int ret; int ret2; int ret3; signed int result; char flag; char data[0x80]; char sig[0x100]; memset(data, (char)0xFF, 0x180); SceKernelSuspendForDriver_4DF40893_0(0); ret = sceSblNvsWriteDataForKernel(0x400, data, 0x80); if ( ret ) { SceKernelSuspendForDriver_4DF40893(0); result = ret; } else { ret2 = sceSblNvsWriteDataForKernel(0x5A0, sig, 0x100); if ( ret2 ) { SceKernelSuspendForDriver_4DF40893(0); result = ret2; } else { flag = 1; ret3 = sceSblNvsWriteDataForKernel(0x480, &flag, 1); SceKernelSuspendForDriver_4DF40893(0); result = ret3; } } return result;
int sceSblQafMgrDeleteQafToken2(void);
sceSblQafManagerGetQafNameForUser
Version | NID |
---|---|
0.940-3.60 | 0x0F7EA8C2 |
Wrapper to sceSblQafManagerGetQafNameForKernel.
int sceSblQafManagerGetQafNameForUser(char *buffer, unsigned int max_len);
sceSblQafManagerGetQafName2ForUser
Version | NID |
---|---|
3.60 | 0xF0CA8766 |
memset(buf, 0, 0x180); sceSblNvsReadDataForKernel(0x480, buf, 1); sceSblNvsReadDataForKernel(0x400, buf, 0x80); memcpy(buffer, buf, 0x18); sceSblNvsReadDataForKernel(0x5A0, buf, 0x100); // if all functions returned success sceSblQafManagerGetQafNameForKernel(buf2, len); sceKernelMemcpyKernelToUserForDriver(buffer, buf2, len)) != 0 )
int sceSblQafManagerGetQafName2ForUser(char *buffer, unsigned int max_len);
sceSblQafMgrIsAllowMinimumDebugMenuDisplay
Version | NID |
---|---|
3.60 | 0xA156BBD2 |
return pKblParam->qa_flags[0xF] & 1;
int sceSblQafMgrIsAllowMinimumDebugMenuDisplay(void);
sceSblQafMgrIsAllowLimitedDebugMenuDisplay
Version | NID |
---|---|
1.69-3.60 | 0xC456212D |
return (pKblParam->qa_flags[6] >> 1) & 1;
int sceSblQafMgrIsAllowLimitedDebugMenuDisplay(void);
sceSblQafMgrIsAllowAllDebugMenuDisplay
Version | NID |
---|---|
1.69-3.60 | 0x66843305 |
return (pKblParam->qa_flags[0xC] >> 1) & 1;
int sceSblQafMgrIsAllowAllDebugMenuDisplay(void);
sceSblQafManagerIsAllowKernelDebugForUser
Version | NID |
---|---|
0.940-3.60 | 0x11D30766 |
return pKblParam->qa_flags[0xD] & 1;
int sceSblQafManagerIsAllowKernelDebugForUser(void);
sceSblQafMgrIsAllowForceUpdate
Version | NID |
---|---|
1.69-3.60 | 0x63F29BA0 |
return (pKblParam->qa_flags[0xF] >> 1) & 1;
int sceSblQafMgrIsAllowForceUpdate(void);
sceSblQafMgrIsAllowNpTest
Version | NID |
---|---|
1.69-3.60 | 0xA9EBCBAC |
if (pKblParam->qa_flags[0xF] << 31) return 1; else return sceSysrootUtMgrHasNpTestFlagForKernel(a1, a2, a3);
int sceSblQafMgrIsAllowNpTest(int a1, int a2, int a3);
sceSblQafMgrIsAllowNpFullTest
Version | NID |
---|---|
3.60 | 0x72168C6E |
return (pKblParam->qa_flags[6] >> 1) & 1;
int sceSblQafMgrIsAllowNpFullTest(void);
sceSblQafMgrIsAllowNonQAPup
Version | NID |
---|---|
1.69-3.60 | 0xB5621615 |
return pKblParam->qa_flags[0xF] & 1;
int sceSblQafMgrIsAllowNonQAPup(void);
sceSblQafMgrIsAllowScreenShotAlways
Version | NID |
---|---|
1.69-3.60 | 0xD22A8731 |
return (pKblParam->qa_flags[6] >> 1) & 1;
int sceSblQafMgrIsAllowScreenShotAlways(void);
sceSblQafMgrIsAllowRemoteSysmoduleLoad
Version | NID |
---|---|
0.940-3.60 | 0xF45AA706 |
return (pKblParam->qa_flags[0xD] >> 1) & 1;
int sceSblQafMgrIsAllowRemoteSysmoduleLoad(void);
SceSblRng
sceSblRngGenuineRandomNumber
Version | NID |
---|---|
0.940-0.990 | 0xD1189305 |
3.60 | not present |
Temp name was sceSblSsMgrGetRandomData.
Calls #sceSblRngGenuineRandomNumberForDriver.
sceSblRngGenuineRandomNumber2
Version | NID |
---|---|
0.940-0.990 | 0xBA5242FE |
3.60 | not present |
sceSblRngPseudoRandomNumber
Version | NID |
---|---|
0.940-0.990 | 0xD8BC42B8 |
3.60 | not present |
Calls #sceSblRngPseudoRandomNumberForDriver.
sceSblRngPseudoRandomNumber2
Version | NID |
---|---|
0.940-0.990 | 0xD84424230 |
3.60 | not present |
_sceKernelGetRandomNumber
Version | NID |
---|---|
0.940-0.990 | not present |
1.69-3.60 | 0xC37E818C |
Calls #sceSblRngPseudoRandomNumberForDriver.
// length: length in bytes of the random number to generate. The actual length written to pDst is in pParam. Must be <= 0x40. int _sceKernelGetRandomNumber(void *pDst, SceSize length, SceKernelGetRandomNumberParam *pParam);
SceSblDmac5Mgr
sceSblDmac5EncDec
Version | NID |
---|---|
0.931 | not present |
0.990-3.60 | 0xD0B1F759 |
int sceSblDmac5EncDec(SceSblDmac5EncDecParam *pParam, SceUInt32 command);
sceSblDmac5EncDecNP
Version | NID |
---|---|
0.931 | not present |
0.940-0.990 | 0x30702CC7 |
3.60 | not present |
int sceSblDmac5EncDecNP(void *args, SceUInt32 key_id, SceUInt32 command);
sceSblDmac5EncDecKeyGen
Version | NID |
---|---|
1.69-3.60 | 0x5BF4F924 |
official:
AesCbcEncrypt command to sceSblDmac5AesCbcEncKeyGen
in SceGameDataPlugin.
AesCbcDecrypt command to sceSblDmac5AesCbcDecKeyGen
in SceGameDataPlugin.
theory:
AesCtrEncrypt command to sceSblDmac5AesCtrEncKeyGen
.
int sceSblDmac5EncDecKeyGen(SceSblDmac5EncDecParam *pParam, SceUInt32 key_id, SceUInt32 command);
sceSblDmac5HashTransform
Version | NID |
---|---|
1.69-3.60 | 0x09EBC6EF |
Support to Sha1/Sha224/Sha256 only.
int sceSblDmac5HashTransform(SceSblDmac5HashTransformParam *pParam, SceUInt32 command, SceUInt32 extra);
sceSblDmac5HmacKeyGen
Version | NID |
---|---|
3.60 | 0xCCE57D33 |
This function is named sceSblDmac5HmacKeyGen
in SceSysLibTrace.
HmacSha256 command to sceSblDmac5Sha256HmacKeyGen
in SceGameDataPlugin (official name).
Theory:
HmacSha1 command to sceSblDmac5Sha1HmacKeyGen
.
HmacSha224 command to sceSblDmac5Sha224HmacKeyGen
.
int sceSblDmac5HmacKeyGen(SceSblDmac5HashTransformParam *pParam, SceUInt32 key_id, SceUInt32 command, SceUInt32 extra);
SceSblAimgr
_sceKernelGetOpenPsId
Version | NID |
---|---|
1.69-3.60 | 0x6E283E2E |
int _sceKernelGetOpenPsId(SceOpenPsId *pOpenPsId);