SceSblSsMgr

From Vita Development Wiki
Jump to navigation Jump to search

Module

Version World Privilege
1.69-3.60 Non-secure Kernel

Libraries

Known NIDs

Version Name World Visibility NID
1.69-3.60 SceSblSsMgrForKernel Non-secure Kernel 0x74580D9F
1.69-3.60 SceSblSsMgrForDriver Non-secure Kernel 0x61E9428D
1.69 SceSblSsMgr Non-secure Kernel 0xEC86E4B0
1.69-3.60 SceSblQafMgr Non-secure User 0x756B7E89
1.69-3.60 SceSblRng Non-secure User 0x1843F124
1.69-3.60 SceSblDmac5Mgr Non-secure User 0x437366A2
1.69-3.60 SceSblAimgr Non-secure User 0xD473F968

TODO

  • study command flags
  • check if mask_enable is a SceBool and if so change type.
  • check which keyrings are allowed per function, and if key_id are per keyring index.
  • create enum for keyrings indexes
  • check IV usage

Types

SceKitActivationData

Offset Size Description
0x00 0x4 Magic "act\0"
0x04 0x4 Format version
0x08 0x4 Issue number (increment each activation, prevent rollback)
0x0C 0x4 Start validity time unix timestamp
0x10 0x4 End validity time unix timestamp
0x14 0x10 Activation key
0x24 0x1C Unused
0x40 0x40 Encrypted Token (First 0x30 bytes of SceKitActivationData then 0x10 byte CMAC)
typedef struct SceConsoleId {
	uint16_t unk; // {0, 0}
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint8_t chassis_check;
	uint8_t unknown[7];
} SceConsoleId;

typedef struct SceOpenPsId {
	uint8_t open_psid[0x10];
} SceOpenPsId;

typedef struct ScePsCode {
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint16_t factory_code; // = chassis_check >> 2;
} ScePsCode;

typedef struct Sce SceVisibleId {
	char visible_id[0x20];
} SceVisibleId;

typedef enum SceSblSsNvsDataType {
	SCE_SBL_SS_NVS_DATA_SYSTEM_LANGUAGE  = 0, // offset 0x4A4, size 4 - used by SceRegistryMgr
	SCE_SBL_SS_NVS_DATA_WLAN_BT          = 1, // offset 0x500, size 1 - used by SceWlanBt
	SCE_SBL_SS_NVS_DATA_UNK_482          = 2, // offset 0x482, size 1
	SCE_SBL_SS_NVS_DATA_UNK_4E0          = 3, // offset 0x4E0, size 0x20
	SCE_SBL_SS_NVS_DATA_UNK_483          = 4, // offset 0x483, size 1 - not present on FW 0.931, present on FW 0.990
	SCE_SBL_SS_NVS_DATA_UNK_486          = 5  // offset 0x486, size 1 - not present on FW 0.931-0.990, present on FW 3.60
} SceSblSsNvsDataType;

typedef struct SceKitActivationDataToken { // size is 0x40 bytes
  char magic[4]; // "act\n"
  uint32_t issue_no;
  uint32_t format_version;
  uint32_t start_date;
  uint32_t end_date;
  char open_psid[0x10];
  char padding[0xC];
  char cmac[0x10];
} SceKitActivationDataToken;

// This is what embeds the tm0:activation/act.dat file
typedef struct SceKitActivationData { // size is 0x80 bytes
  char magic[4]; // "act\n"
  uint32_t issue_no;
  uint32_t format_version;
  uint32_t start_date;
  uint32_t end_date;
  char open_psid[0x10];
  char padding[0x1C];
  char encrypted_token[0x40];
} SceKitActivationData;

typedef struct SceQafToken { // size is 0x80 bytes
  SceUInt32 qaf_version;
  SceUInt32 unk_4;
  char qaf_name[0x10]; // "NO_FLAGS" by default
  char unk_18[8];
  char consoleid[0x10];
  char qa_flags[0x10];
  char unk_40[0x30];
  char cmac[0x10]; // AES256CMAC of SceQafToken with zeroed CMAC field
} SceQafToken;

typedef struct ScePortabilityData { // size is 0x24
   SceSize msg_size; // max size is 0x20
   uint8_t msg[0x20];
} ScePortabilityData;

// Used by run_encdec_cmd, itself called by sceSblDmac5EncDec for example.
typedef struct dmac_op_ctx {
	dmac_op_ctx_heap *ctx_heap_addr;
	uint keyring_key_count; // if keyring_key_count < 0x100, keyring_key_count is used as DKey
	uint unk_8;
	SceUID dmac_opid; // used with sceKernelDmaOpFreeForDriver
	char iv[0x28]; // iv_size can be 0, 8, 0x10 or 0x28 depending on cmd itself depending on key_length
} dmac_op_ctx;

typedef struct dmac_op_ctx_heap { // size is 0x40 on FW 0.990
	uint cmd;
	uint unk_4; // 0x100
	uint unk_8; // 0 if unk_flag = 0, 0x3ffff else
	uint dmac5_op;
	char reserved[0x30];
} dmac_op_ctx_heap;

typedef struct SceSblSsCreatePassPhraseParam { // size is 0x18
  SceUInt32 reserved; // ex: 0
  SceSize size; // Size of this structure
  char accountIdText[0x10]; // Taken from registry "/CONFIG/NP/account_id" and converted to ASCII
} SceSblSsCreatePassPhraseParam;

typedef struct SceKernelGetRandomNumberParam {
    SceUInt32 dstSize; // In bytes. Must be <= 0x40.
    SceUInt32 reserved;
} SceKernelGetRandomNumberParam;

typedef struct SceQafToken {
  char data[0x80];
  char sig[0x100]; // Not present on FW 0.990. Present on FW 3.60
} SceQafToken;

typedef struct SceSblDmac5EncDecParam { // size is 0x18-bytes
	const void *src;
	void *dst;
	SceSize size;
	const void *key;
	SceSize keysize;
	void *iv;
} SceSblDmac5EncDecParam;

typedef struct SceSblDmac5HashTransformContext { // size is 0x28-bytes
	SceUInt32 state[8];
	SceUInt64 length;
} SceSblDmac5HashTransformContext;

typedef struct SceSblDmac5HashTransformParam { // size is 0x18-bytes
	const void *src; // must be aligned on 0x40-byte
	void *dst;
	SceSize size;
	const void *key;
	SceSize keysize;
	SceSblDmac5HashTransformContext *ctx; // Or another context of size 0x10-bytes
} SceSblDmac5HashTransformParam;

SceSblSsMgrForKernel

sceSblNvsReadDataForKernel

Version NID
0.990-3.60 0xC2EC8F5A

Temp name was sceSblSsMgrNvsReadDataForKernel.

Calls SceSyscon#sceSysconNvsReadDataForDriver.

Trying to read at offset 0-0x3FF: error 0x8025023C (cannot read SNVS using this function, need to use SNVS protocol).

Trying to read at offset > 0xB5F: error 0x80250001 (out of range).

Trying to read at ((offset & 7) != 0): error 0x80250001 (non aligned).

int sceSblNvsReadDataForKernel(int offset, char *buffer, int size);

sceSblNvsWriteDataForKernel

Version NID
0.990-3.60 0xE29E161C

Temp name was sceSblSsMgrNvsWriteDataForKernel.

Calls sceSysconNvsWriteDataForDriver.

int sceSblNvsWriteDataForKernel(int offset, char *buffer, int size);

sceSblPmMgrGetProductModeForKernel

Version NID
0.990-3.60 0x516ECC08

Temp name was scePmMgrGetProductModeForKernel.

From FWs 0.990 to 3.60, it is simply a redirect to SceSysmem#scePmMgrGetProductModeForDriver.

int sceSblPmMgrGetProductModeForKernel(char* result);

sceSblQafManagerGetQafTokenForKernel

Version NID
0.931-0.990 0x281FD75A
3.60 not present
int sceSblQafManagerGetQafTokenForKernel(SceQafToken *pToken);

sceSblQafManagerSetQafTokenForKernel

Version NID
0.931-0.990 0x8E9447A1
3.60 not present
int sceSblQafManagerSetQafTokenForKernel(SceQafToken *pToken);

sceSblQafManagerGetQafOnNVSForKernel

Version NID
0.931 not present
0.990-1.03 0x228A6653
3.60 not present
SceQafToken *temp_token = pToken;
sceSblNvsReadDataForKernel(0x480, flag, 1);
	if (!flag) {
		nvs_read(0x400, temp_token, 0x80);
		ret = exec_qaf_sm(temp_token, 0);
	}
return ret;
int sceSblQafManagerGetQafOnNVSForKernel(SceQafToken *pToken)

sceSblQafManagerClearQafTokenForKernel

Version NID
0.931-0.990 0xD45155C6
3.60 not present
int sceSblQafManagerClearQafTokenForKernel(void);
  uint32_t ret;
  char qaf_token[0x80];

  memset(&qaf_token, 0xFF, 0x80);
  SceKernelSuspendForDriver_4DF40893(0);
  ret = sceSblNvsWriteDataForKernel(0x400, &qaf_token, 0x80);
  if (!ret) // if qaf_token successfully written, set a flag at 0x480
    ret = sceSblNvsWriteDataForKernel(0x480, 1, 1);
  SceKernelSuspendForDriver_2BB92967(0);
  return ret;

sceSblQafManagerGetQAFlagsForKernel

Version NID
0.931-3.60 0x83D254FF
int sceSblQafManagerGetQAFlagsForKernel(char buffer[0x10]);

sceSblQafManagerGetQafNameForKernel

Version NID
0.931-3.60 0xE2DD0378
if ( byte_81008725 & 2 ) {
    char workaround_string = "qaf_workaround";
    memcpy(buffer, workaround_string, max_len);
} else {
	sceSblNvsReadDataForKernel(0x480, flag, 1);
	if (flag) {
		sceSblNvsReadDataForKernel(0x400, buf, 0x80);
		memcpy(buffer, buf, 0x18);
	}
}
int sceSblQafManagerGetQafNameForKernel(char *buffer, unsigned int max_len);

SceSblSsMgrForDriver

Cryptographic functions in this module typically have 3 variations:

  1. Use key - meaning that the key that you provide is used directly for encryption/decryption.
  2. Use keyring_id - meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific keyring. In this case you select a key from cmep by key_id. It will be encrypted by cmep and placed into the keyring selected by keyring_id.
  3. Use key_id - meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally. In this case the key from cmep is also selected by key_id and encrypted by cmep. It is then placed into one of the available keyrings. Default keyring range is 0xC-0x17.

sceSblRngPseudoRandomNumberForDriver

Version NID
0.990-3.60 0x4F9BFBE5

Temp name was sceSblSsMgrGetRandomNumberForDriver.

Gets the pseudo-random number calculated within SceSblSsMgr.

The base seed is (DMAC5 RNG + HMAC-SHA1) * 2. System Time is also used for one of them.

int sceSblRngPseudoRandomNumberForDriver(void *result, SceSize size);

sceSblRngGenuineRandomNumberForDriver

Version NID
0.990-3.60 0xAC57F4F0

Temp name was sceSblSsMgrGetRandomDataForDriver.

Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);

Used in SceKrm, SceSblGcAuthMgr.

int sceSblRngGenuineRandomNumberForDriver(char* dest);

sceSblDmac5SetKeyLocalForDriver

Version NID
0.931 0x18A1BF77
0.990-3.60 not present
int sceSblDmac5SetKeyLocalForDriver(uint *pCtx, SceSize alignment, SceSize size, SceUInt32 flag, void *pKey);

sceSblDmac5DeleteKeyLocalForDriver

Version NID
0.931 0x9DC22C1A
0.990-3.60 not present
int sceSblDmac5DeleteKeyLocalForDriver(uint *pCtx);

SceSblSsMgrForDriver_8C31A8FD

Version NID
0.931 0x8C31A8FD
0.990-3.60 not present

Uses _sceSblDmac5AllocOp.

SceSblSsMgrForDriver_CAB891D3

Version NID
0.931 0xCAB891D3
0.990-3.60 not present

Uses _sceSblDmac5AllocOp.

sceSblDmac5AllocOpForDriver

Version NID
0.931 0xE293FC8E
0.990-3.60 not present

sceSblDmac5FreeOpForDriver

Version NID
0.931 0xCAEF7541
0.990-3.60 not present

_sceSblDmac5FreeOpForDriver

Version NID
0.931 0xEB462E80
0.990-3.60 not present

sceSblDmac5DirectCryptForDriver

Version NID
0.931 0x850F81AD
0.990-3.60 not present

_sceSblDmac5DirectCryptForDriver

Version NID
0.931 0x29BE9D99
0.990-3.60 not present

This is a guessed name.

Uses _sceSblDmac5DirectCrypt.

SceSblSsMgrForDriver_A87E82A4

Version NID
0.931 0xA87E82A4
0.990-3.60 not present

Uses _sceSblDmac5DirectCrypt.

SceSblSsMgrForDriver_465D1526

Version NID
0.931 0x465D1526
0.990-3.60 not present

Uses _sceSblDmac5DirectCrypt.

sceSblDmac5RndForDriver

Version NID
0.931-3.60 0x4DD1B2E5

Temp name was sceSblSsMgrGetRandomDataCropForDriver.

Generates random data by executing Dmac5 command 0x4.

Data is then cropped to fit the size in pOutputBuffer.

Used in SceMsif.

int sceSblDmac5RndForDriver(char* pOutputBuffer, int size, int unk);

sceSblDmac5AesEcbEncForDriver

Version NID
0.990-3.60 0xC517770D

Temp name was sceSblSsMgrAESECBEncryptForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. 128 / 192 / 256
// mask_enable: ex: 1
int sceSblDmac5AesEcbEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5AesEcbDecForDriver

Version NID
0.990-3.60 0x7C978BE7

Temp name was sceSblSsMgrAESECBDecryptForDriver.

Executes Dmac5 command 0x2.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// mask_enable: ex: 1
int sceSblDmac5AesEcbDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5AesEcbEncNPForDriver

Version NID
0.990-3.60 0x0F7D28AF

Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// key_id: ex: 0. Used with sceSblAuthMgrSetDmac5Key. Uses keyring_id range 0x0C-0x17 internally.
// mask_enable: ex: 1
int sceSblDmac5AesEcbEncNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 key_id, SceUInt32 mask_enable);

sceSblDmac5AesEcbDecNPForDriver

Version NID
3.60 0x197ACF6F

Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.

Executes Dmac5 command 0x2.

no usages found

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally.
// mask_enable: ex: 1
int sceSblDmac5AesEcbDecNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, SceUInt32 key_id, SceUInt32 mask_enable);

sceSblDmac5AesEcbEncWithDmac5KeyForDriver

Version NID
3.60 0x01BE0374

Temp name was sceSblDmac5AesEcbEncWithKeyslotForDriver.

Executes Dmac5 command 0x1.

Used in SceSblMgKeyMgr.

// size: size of data in src
// keyring_id: ex: 0x1C, 0x1D, 0x1E, 0x1F
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// mask_enable: ex: 1
int sceSblDmac5AesEcbEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5AesEcbDecWithDmac5KeyForDriver

Version NID
3.60 0x8B4700CB

Temp name was sceSblDmac5AesEcbDecWithKeyslotForDriver.

Executes Dmac5 command 0x2.

Used in SceSblMgKeyMgr.

// size: size of data in src
// keyring_id: ex: 0x1D
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// mask_enable: ex: 1
int sceSblDmac5AesEcbDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5DesEcbEncWithDmac5KeyForDriver

Version NID
3.60 0x37DD5CBF

Temp name was sceSblDmac5DesEcbEncWithKeyslotForDriver, sceSblSsMgrDES64ECBEncryptForDriver.

This also implements 3DES. Chosen function depends on key size.

  • for 64 - DES
  • for 128 - not tested. assuming 3DES with K1 = K3.
  • for 192 - 3DES

Executes Dmac5 command 0x41.

Used in SceSblMgKeyMgr.

// size: size of data in src
// keyring_id: ex: 0x1C
// key_length: Key length in bits. ex: 192 - other sizes also work
// mask_enable: ex: 1
int sceSblDmac5DesEcbEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5DesEcbDecWithDmac5KeyForDriver

Version NID
3.60 0x8EAFB18A

Temp name was sceSblDmac5DesEcbDecWithKeyslotForDriver, sceSblSsMgrDES64ECBDecryptForDriver.

This also implements 3DES. Chosen function depends on key size.

  • for 64 - DES
  • for 128 - not tested. assuming 3DES with K1 = K3.
  • for 192 - 3DES

Executes Dmac5 command 0x42.

Used in SceSblMgKeyMgr.

// size: size of data in src
// keyring_id: ex: 0x1C
// key_length: Key length in bits. ex: 192, other sizes also work.
// mask_enable: ex: 1
int sceSblDmac5DesEcbDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, SceUInt32 mask_enable);

sceSblDmac5DesCbcEncWithDmac5KeyForDriver

Version NID
3.60 0x05B38698

Temp name was sceSblDmac5DesCbcEncWithKeyslotForDriver, sceSblSsMgrDES64CBCEncryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.

  • for 0x40 - DES
  • for 0x80 - not tested. assuming 3DES with K1 = K3.
  • for 0xC0 - 3DES

Executes Dmac5 command 0x49.

no usages found

// size: size of data in src
// keyring_id: ex: 0x1D
// key_length: Key length in bits. ? - does not matter ?
// iv: IV. IV length is 8 bytes for DES - will be updated after encryption (most likely for encrypting data in blocks?).
// mask_enable: ex: 1
int sceSblDmac5DesCbcEncWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5DesCbcDecWithDmac5KeyForDriver

Version NID
3.60 0x926BCCF0

Temp name was sceSblDmac5DesCbcDecWithKeyslotForDriver, sceSblSsMgrDES64CBCDecryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.

  • for 0x40 - DES
  • for 0x80 - not tested. assuming 3DES with K1 = K3.
  • for 0xC0 - 3DES

Executes Dmac5 command 0x4A.

no usages found

// size: size of data in src
// keyring_id: ex: 0x1D
// key_length: Key length. ? - does not matter ?
// iv: IV. IV length is 8 bytes for DES.
// mask_enable: ex: 1
int sceSblDmac5DesCbcDecWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5AesCbcEncForDriver

Version NID
0.990-3.60 0xE6E1AD15

Temp name was sceSblSsMgrAESCBCEncryptForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Allowed values are: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// mask_enable: ex: 1
int sceSblDmac5AesCbcEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5AesCbcDecForDriver

Version NID
0.990-3.60 0x121FA69F

SCE maybe made a typo: sceSblDmac5AEsCbcDecForDriver.

Temp name was sceSblSsMgrAESCBCDecryptForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// mask_enable: ex: 1
int sceSblDmac5AesCbcDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5AesCbcEncNPForDriver

Version NID
0.990-3.60 0x711C057A

Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally.
// mask_enable: ex: 1
int sceSblDmac5AesCbcEncNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 key_id, SceUInt32 mask_enable);

sceSblDmac5AesCbcDecNPForDriver

Version NID
0.990-3.60 0x1901CB5E

Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally.
// mask_enable: ex: 1
int sceSblDmac5AesCbcDecNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 key_id, SceUInt32 mask_enable);

sceSblDmac5AesCtrEncForDriver

Version NID
1.50-3.60 0x82B5DCEF

Temp name was sceSblSsMgrAESCTREncryptForDriver.

Executes Dmac5 command 0x21.

Used in SceNpDrm.

This function can also be used for decryption since AES CTR is a symmetric function.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// mask_enable: ex: 1
int sceSblDmac5AesCtrEncForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5AesCtrDecForDriver

Version NID
3.60 0x7D46768C

Temp name was sceSblSsMgrAESCTRDecryptForDriver.

Executes Dmac5 command 0x22.

no usages found

This function can also be used for encryption since AES CTR is a symmetric function.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: IV. IV length is 0x10 bytes for AES. It will be updated after encryption (most likely for encrypting data in blocks?).
// mask_enable: ex: 1
int sceSblDmac5AesCtrDecForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable);

sceSblDmac5Sha1ForDriver

Version NID
3.60 0xEB3AF9B5

Executes Dmac5 command 0x3.

Used in ScePfsMgr.

// size: size of data in src
// iv: ex: 0
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha1ForDriver(const void *src, void *dst, SceSize size, void *iv, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5Sha1HmacTransformForDriver

Version NID
0.990-3.60 0x6704D985

Temp name was sceSblSsMgrHMACSHA1ForDriver.

Executes Dmac5 command 0x23.

Used in ScePfsMgr.

Key size is always 256 bits.

// size: size of data in src
// iv: ex: 0
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha1HmacTransformForDriver(const void *src, void *dst, SceSize size, const void *key, void *iv, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5Sha1HmacNPForDriver

Version NID
3.60 0x92E37656

Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.

Executes Dmac5 command 0x23.

no usages found

// size: size of data in src
// key: Key. Key length is always 256 bits (0x20 bytes).
// iv: 0
// key_id: ex: 0. Used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally.
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha1HmacNPForDriver(const void *src, void *dst, SceSize size, const void *key, void *iv, SceUInt32 key_id, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5Sha256HmacForDriver

Version NID
3.60 0x79F38554

Temp name was sceSblSsMgrHMACSHA256ForDriver.

Executes Dmac5 command 0x33.

no usages found

// size: size of data in src
// iv: ex: 0
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5Sha256HmacForDriver(const void *src, void *dst, SceSize size, const void *key, void *iv, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5AesCmacForDriver

Version NID
0.990-3.60 0x1B14658D

Temp name was sceSblSsMgrAESCMACForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: ex: 0
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5AesCmacNPForDriver

Version NID
3.60 0x83B058F5

Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

// size: size of data in src
// key: Key.
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: ex: 0
// key_id: ex: 0 - used with sceSblAuthMgrSetDmac5KeyForDriver. Uses keyring_id range 0x0C-0x17 internally
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacNPForDriver(const void *src, void *dst, SceSize size, const void *key, SceSize key_length, void *iv, SceUInt32 key_id, SceUInt32 mask_enable, SceUInt32 flags);

sceSblDmac5AesCmacWithDmac5KeyForDriver

Version NID
3.60 0xEA6ACB6D

Temp name was sceSblDmac5AesCmacWithKeyslotForDriver.

Executes Dmac5 command 0x3B.

no usages found

// size: size of data in src
// keyring_id: ex: 0x1D
// key_length: Key length in bits. Accepted values: 128 / 192 / 256.
// iv: ex: 0
// mask_enable: ex: 1
// flags: ex: 0 / 0x400 / 0x800 / 0xC00
int sceSblDmac5AesCmacWithDmac5KeyForDriver(const void *src, void *dst, SceSize size, SceUInt32 keyring_id, SceSize key_length, void *iv, SceUInt32 mask_enable, SceUInt32 flags);

sceSblSsMgrExecuteDmac5HashCommandForDriver

Version NID
3.60 0x9641374E

Executes Dmac5 commands related to hash functions.

Used in SceNpDrm.

int sceSblSsMgrExecuteDmac5HashCommandForDriver(const void *src, void *dst, SceSize size, void *iv, SceUInt32 mask_enable, SceUInt32 command, SceUInt32 flags);

sceSblSsEncryptWithPortabilityForDriver

Version NID
0.931-3.60 0x21EC51F6

derived from _vshSblSsEncryptWithPortability

Strangely it does not communicate with encdec_w_portability_sm command 0x1000A. That's because anyway this SM command is not implemented in release FWs.

int sceSblSsEncryptWithPortabilityForDriver(SceUInt32 key_id, void *iv, ScePortabilityData *plain, ScePortabilityData *enc);

sceSblSsDecryptWithPortabilityForDriver

Version NID
0.931-3.60 0x934DB6B5

derived from _vshSblSsDecryptWithPortability

For example, decrypts or derives AES key that is used in msif to decrypt static sha224 table.

Executes encdec_w_portability_sm command 0x2000A.

int sceSblSsDecryptWithPortabilityForDriver(SceUInt32 key_type, void *iv, ScePortabilityData *enc, ScePortabilityData *plain);

sceSblSsGetNvsDataForDriver

Version NID
0.931-3.60 0xFDD6D5DE

derived from _vshSblSsGetNvsData

Calls sceSysconNvsReadDataForDriver.

// type - 0-5
// pData - destination buffer
// size - 2, 4, 8, 0x10, 0x20
int sceSblSsGetNvsDataForDriver(SceSblSsNvsDataType type, void *pData, SceSize size);

sceSblSsSetNvsDataForDriver

Version NID
0.931-3.60 0x249ADB07

derived from _vshSblSsSetNvsData

Calls sceSysconNvsWriteDataForDriver.

// type - 0-5
// pData - source buffer
// size - 2, 4, 8, 0x10, 0x20
int sceSblSsSetNvsDataForDriver(SceSblSsNvsDataType type, void *pData, SceSize size);

sceSblAimgrGetVisibleIdForDriver

Version NID
0.990-3.60 0x04843835

Temp name was sceSblSsMgrGetVisibleIdForDriver, sceSblSsMgrGetFuseIdForDriver.

Derived from _vshSblAimgrGetVisibleId.

Obtains Visible Id by executing aimgr_sm command 0x3.

int sceSblAimgrGetVisibleIdForDriver(SceVisibleId *pVisibleId);

sceSblAimgrGetConsoleIdForDriver

Version NID
0.990-3.60 0xFC6CDD68

Temp name was sceSblSsMgrGetConsoleIdForDriver.

Obtains Console Id by executing aimgr_sm command 0x1.

int sceSblAimgrGetConsoleIdForDriver(SceConsoleId *pConsoleId);

sceSblAimgrGetOpenPsIdForDriver

Version NID
0.990-3.60 0xA5B5D269

Temp name was sceSblSsMgrGetOpenPsIdForDriver.

This function returns information from a static buffer that is initialized on module_start.

OpenPsId comes from kbl_param->openpsid using SceSysmem#sceKernelSysrootGetKblParamForKernel.

int sceSblAimgrGetOpenPsIdForDriver(SceOpenPsId *pOpenPsId);

sceSblAimgrGetPscodeForDriver

Version NID
0.990-3.60 0xE0DC2587

Temp name was sceSblSsMgrGetPscodeForDriver.

Derived from _vshSblAimgrGetPscode.

This function returns information from a static buffer that is initialized on module_start.

PsCode comes from kbl_param->pscode using SceSysmem#sceKernelSysrootGetKblParamForKernel.

int sceSblAimgrGetPscodeForDriver(ScePsCode *pPsCode);

sceSblAimgrGetPscode2ForDriver

Version NID
3.60 0x9A9676D0

Temp name was sceSblSsMgrGetPscode2ForDriver.

Derived from _vshSblAimgrGetPscode2

Obtains Ps Code by executing aimgr_sm command 0x4.

int sceSblAimgrGetPscode2ForDriver(ScePsCode *pPsCode);

sceSblSsCreatePassPhraseForDriver

Version NID
3.60 0xB8B298FD

derived from _vshSblSsCreatePassPhrase

Obtains PassPhrase by executing aimgr_sm command 0x5.

int sceSblSsCreatePassPhraseForDriver(SceSblSsCreatePassPhraseParam *pParam, void *pPassPhrase);

sceSblSsInfraAllocatePARangeVectorForDriver

Version NID
0.931-3.60 0xE0B13BA7

Used by SceSblUpdateMgr.

int sceSblSsInfraAllocatePARangeVectorForDriver(void *buf, SceSize size, SceUID blockid, SceKernelPAVector *pPAV);

sceSblSsInfraFreePARangeVectorForDriver

Version NID
0.931-3.60 0xC38D0CEA

Used by SceSblUpdateMgr.

int sceSblSsInfraFreePARangeVectorForDriver(SceUID blockid, SceKernelPAVector *pPAV);

sceSblSsMemsetForDriver

Version NID
3.60 0xCD98CC92

Used by SceSblPostSsMgr.

void sceSblSsMemsetForDriver(char* dest, char value, int size);

sceSblRtcMgrSetCpRtc_1ForDriver

Version NID
0.931 0x2B259A82
0.990-3.60 not present

sceSblRtcMgrSetCpRtc_2ForDriver

Version NID
0.931-0.940 0xD8F6F110
0.990-3.60 moved to PostSsMgr

sceSblRtcMgrGetCpRtcPhysicalForDriver

Version NID
0.931-0.940 0xC96622EC
0.990-3.60 moved to PostSsMgr

sceSblRtcMgrGetCpRtcLogicalForDriver

Version NID
0.931-0.940 0xAF56206D
0.990-3.60 moved to PostSsMgr

sceSblLicMgrActivateDevkitForDriver

Version NID
0.931 0x37682AB1
0.990-3.60 moved to PostSsMgr

sceSblLicGetActivationKeyForDriver

Version NID
0.931 not present
0.940 0xED4878A4
0.990-3.60 moved to PostSsMgr

sceSblLicMgrGetExpireDateForDriver

Version NID
0.931-0.940 0xE840CD4E
0.990-3.60 moved to PostSsMgr

sceSblLicMgrGetLicenseStatusForDriver

Version NID
0.931-0.940 0x65CBED16
0.990-3.60 moved to PostSsMgr

sceSblPmMgrGetProductModeFromNVSForDriver

Version NID
0.931-0.940 0x196C7FB2
0.990-3.60 moved to PostSsMgr

sceSblPmMgrSetProductModeForDriver

Version NID
0.931-0.940 0x33B706E1
0.990-3.60 moved to PostSsMgr

sceSblPmMgrAuthEtoIForDriver

Version NID
0.931-0.940 0xB241EA2B
0.990-3.60 moved to PostSsMgr

sceSblSsCrepoInitializeForDriver

Version NID
0.931 not present
0.990 0x80879AFB
3.60 not present
int sceSblSsCrepoInitializeForDriver(void);

SceSblSsMgrForDriver_2D794404

Version NID
0.931 not present
0.990 0x2D794404
3.60 not present

Uses Crepo Key Ring.

SceSblSsMgrForDriver_52BC448C

Version NID
0.931 not present
0.990 0x52BC448C
3.60 not present

Uses Crepo Key Ring.

SceSblSsMgrForDriver_2B3EF6DF

Version NID
0.931 not present
0.990 0x2B3EF6DF
3.60 not present

Clears Crepo Key Ring.

int SceSblSsMgrForDriver_2B3EF6DF(void);

sceSblSsDebugDecryptKeystoneForDriver

Version NID
0.931 not present
0.990 0x9084AEDB
3.60 moved to PostSs

sceSblSsDebugEncryptKeystoneForDriver

Version NID
0.931 not present
0.990 0xDFB5E945
3.60 moved to PostSs

sceSblSsEncryptSealedkeyForDriver

Version NID
0.931 not present
0.990 0xB36051C4
3.60 moved to PostSs

sceSblSsDecryptSealedkeyForDriver

Version NID
0.931 not present
0.990 0xEC0D967A
3.60 moved to PostSs

SceSblSsMgr

This library exists on FW 1.69 but does not exist on FW 3.60.

sceSblSsInfraAllocatePARangeVector

Version NID
0.931-1.69 0x8C2822A9
int sceSblSsInfraAllocatePARangeVector(void *buf, SceSize size, SceUID blockid, SceKernelPAVector *pPAV);

sceSblSsInfraFreePARangeVector

Version NID
0.931-1.69 0xFAD42134
int sceSblSsInfraFreePARangeVector(SceUID blockid, SceKernelPAVector *pPAV);

SceSblQafMgr

sceSblQafMgrGetQafToken

Version NID
1.69-3.60 0xB6BAE81D

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafMgrGetQafToken(SceQafToken *qaf_token);

sceSblQafMgrGetQafToken2

Version NID
3.60 0xDFBA8569
int sceSblQafMgrGetQafToken2(SceQafToken *qaf_token);

sceSblQafManagerSetQafTokenForUser

Version NID
1.69-3.60 0x56A16392

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafManagerSetQafTokenForUser(SceQafToken qaf_token);

sceSblQafMgrSetQafToken2

Version NID
3.60 0xF4B5C8A5
int sceSblQafMgrSetQafToken2(SceQafToken qaf_token);

sceSblQafManagerDeleteQafTokenForUser

Version NID
0.940-3.60 0xD542583F

On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

int sceSblQafManagerDeleteQafTokenForUser(void);

sceSblQafMgrDeleteQafToken2

Version NID
3.60 0x62E30BF4
  int ret;
  int ret2;
  int ret3;
  signed int result;
  char flag;
  char data[0x80];
  char sig[0x100];

  memset(data, (char)0xFF, 0x180);
  SceKernelSuspendForDriver_4DF40893_0(0);
  ret = sceSblNvsWriteDataForKernel(0x400, data, 0x80);
  if ( ret ) {
    SceKernelSuspendForDriver_4DF40893(0);
    result = ret;
  } else {
    ret2 = sceSblNvsWriteDataForKernel(0x5A0, sig, 0x100);
    if ( ret2 ) {
      SceKernelSuspendForDriver_4DF40893(0);
      result = ret2;
    } else {
      flag = 1;
      ret3 = sceSblNvsWriteDataForKernel(0x480, &flag, 1);
      SceKernelSuspendForDriver_4DF40893(0);
      result = ret3;
    }
  }
  return result;
int sceSblQafMgrDeleteQafToken2(void);

sceSblQafManagerGetQafNameForUser

Version NID
0.940-3.60 0x0F7EA8C2

Wrapper to sceSblQafManagerGetQafNameForKernel.

int sceSblQafManagerGetQafNameForUser(char *buffer, unsigned int max_len);

sceSblQafManagerGetQafName2ForUser

Version NID
3.60 0xF0CA8766
memset(buf, 0, 0x180);
sceSblNvsReadDataForKernel(0x480, buf, 1);
sceSblNvsReadDataForKernel(0x400, buf, 0x80);
memcpy(buffer, buf, 0x18);
sceSblNvsReadDataForKernel(0x5A0, buf, 0x100);
// if all functions returned success
sceSblQafManagerGetQafNameForKernel(buf2, len);
sceKernelMemcpyKernelToUserForDriver(buffer, buf2, len)) != 0 )
int sceSblQafManagerGetQafName2ForUser(char *buffer, unsigned int max_len);

sceSblQafMgrIsAllowMinimumDebugMenuDisplay

Version NID
3.60 0xA156BBD2

return pKblParam->qa_flags[0xF] & 1;

int sceSblQafMgrIsAllowMinimumDebugMenuDisplay(void);

sceSblQafMgrIsAllowLimitedDebugMenuDisplay

Version NID
1.69-3.60 0xC456212D

return (pKblParam->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowLimitedDebugMenuDisplay(void);

sceSblQafMgrIsAllowAllDebugMenuDisplay

Version NID
1.69-3.60 0x66843305

return (pKblParam->qa_flags[0xC] >> 1) & 1;

int sceSblQafMgrIsAllowAllDebugMenuDisplay(void);

sceSblQafManagerIsAllowKernelDebugForUser

Version NID
0.940-3.60 0x11D30766

return pKblParam->qa_flags[0xD] & 1;

int sceSblQafManagerIsAllowKernelDebugForUser(void);

sceSblQafMgrIsAllowForceUpdate

Version NID
1.69-3.60 0x63F29BA0

return (pKblParam->qa_flags[0xF] >> 1) & 1;

int sceSblQafMgrIsAllowForceUpdate(void);

sceSblQafMgrIsAllowNpTest

Version NID
1.69-3.60 0xA9EBCBAC
if (pKblParam->qa_flags[0xF] << 31)
   return 1;
else
   return sceSysrootUtMgrHasNpTestFlagForKernel(a1, a2, a3);
int sceSblQafMgrIsAllowNpTest(int a1, int a2, int a3);

sceSblQafMgrIsAllowNpFullTest

Version NID
3.60 0x72168C6E

return (pKblParam->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowNpFullTest(void);

sceSblQafMgrIsAllowNonQAPup

Version NID
1.69-3.60 0xB5621615

return pKblParam->qa_flags[0xF] & 1;

int sceSblQafMgrIsAllowNonQAPup(void);

sceSblQafMgrIsAllowScreenShotAlways

Version NID
1.69-3.60 0xD22A8731

return (pKblParam->qa_flags[6] >> 1) & 1;

int sceSblQafMgrIsAllowScreenShotAlways(void);

sceSblQafMgrIsAllowRemoteSysmoduleLoad

Version NID
0.940-3.60 0xF45AA706

return (pKblParam->qa_flags[0xD] >> 1) & 1;

int sceSblQafMgrIsAllowRemoteSysmoduleLoad(void);

SceSblRng

sceSblRngGenuineRandomNumber

Version NID
0.940-0.990 0xD1189305
3.60 not present

Temp name was sceSblSsMgrGetRandomData.

Calls #sceSblRngGenuineRandomNumberForDriver.

sceSblRngGenuineRandomNumber2

Version NID
0.940-0.990 0xBA5242FE
3.60 not present

sceSblRngPseudoRandomNumber

Version NID
0.940-0.990 0xD8BC42B8
3.60 not present

Calls #sceSblRngPseudoRandomNumberForDriver.

sceSblRngPseudoRandomNumber2

Version NID
0.940-0.990 0xD84424230
3.60 not present

_sceKernelGetRandomNumber

Version NID
0.940-0.990 not present
1.69-3.60 0xC37E818C

Calls #sceSblRngPseudoRandomNumberForDriver.

// length: length in bytes of the random number to generate. The actual length written to pDst is in pParam. Must be <= 0x40.
int _sceKernelGetRandomNumber(void *pDst, SceSize length, SceKernelGetRandomNumberParam *pParam);

SceSblDmac5Mgr

sceSblDmac5HashTransform

Version NID
1.69-3.60 0x09EBC6EF

Support to Sha1/Sha224/Sha256 only.

// flags: 
// 0x000
// 0x400
// 0x800
// 0xC00
int sceSblDmac5HashTransform(SceSblDmac5HashTransformParam *pParam, SceUInt32 command, SceUInt32 flags);

sceSblDmac5EncDecKeyGen

Version NID
1.69-3.60 0x5BF4F924

official:

AesCbcEncrypt command to sceSblDmac5AesCbcEncKeyGen in SceGameDataPlugin.

AesCbcDecrypt command to sceSblDmac5AesCbcDecKeyGen in SceGameDataPlugin.


theory:

AesCtrEncrypt command to sceSblDmac5AesCtrEncKeyGen.

// command - 0xA (dmac5 command AES-192-CBC decrypt)
// command - 0x9 (dmac5 command AES-192-CBC encrypt)
int sceSblDmac5EncDecKeyGen(SceSblDmac5EncDecKeyGenParam* pParam, SceUInt32 key_id, SceUInt32 command);

sceSblDmac5EncDec

Version NID
0.931 not present
0.990-3.60 0xD0B1F759
int sceSblDmac5EncDec(void *args, SceUInt32 command);

sceSblDmac5EncDecNP

Version NID
0.931 not present
0.940-0.990 0x30702CC7
3.60 not present
int sceSblDmac5EncDecNP(void *args, SceUInt32 key_id, SceUInt32 command);

sceSblDmac5HmacKeyGen

Version NID
3.60 0xCCE57D33

This function is named sceSblDmac5HmacKeyGen in SceSysLibTrace.

HmacSha256 command to sceSblDmac5Sha256HmacKeyGen in SceGameDataPlugin (official name).

Theory:

HmacSha1 command to sceSblDmac5Sha1HmacKeyGen.

HmacSha224 command to sceSblDmac5Sha224HmacKeyGen.

// data: data of size ?0x18 (192 bits)?
// mode: ex: 0x20001 (aes128cbc on 0x20 bytes). See [[F00D_commands#0x50001_-_sceSblAuthMgrSetDmac5Key]].
// command: ex: 0x33 (dmac5 HMAC-SHA256 command)
// flags: ex: 0x400, 0x800, 0xC00
int sceSblDmac5HmacKeyGen(char *data, SceUInt32 mode, SceUInt32 command, SceUInt32 flags);

SceSblAimgr

_sceKernelGetOpenPsId

Version NID
1.69-3.60 0x6E283E2E
int _sceKernelGetOpenPsId(SceOpenPsId *pOpenPsId);