SceSblPostSsMgr

From Vita Development Wiki
Jump to navigation Jump to search

Module

Version World Privilege
3.60 Non-secure Kernel

Libraries

Known NIDs

Version Name World Visibility NID
1.03-3.60 SceSblPostSsMgrForDriver Non-secure Kernel 0x2254E1B2
0.990-1.692 SceZlibForDriver Non-secure Kernel not present. Was present in SceSysmem#SceZlibForDriver.
1.80-3.60 SceZlibForDriver Non-secure Kernel 0xE241534E
0.990 SceSblFwLoaderForDriver Non-secure Kernel not present. Was present in SceSblFwLoader#SceSblFwLoaderForDriver.
3.60 SceSblFwLoaderForDriver Non-secure Kernel 0x6FE424E4
1.03-3.60 SceSblPmMgr Non-secure User 0xA9CE5795
1.03-3.60 SceSblRtcMgr Non-secure User 0x44C5F209
1.03-3.60 SceSblLicMgr Non-secure User 0x62083C72
1.03-3.60 SceSblUtMgr Non-secure User 0x000DF81A
1.03 SceSblSpsfoMgr Non-secure User 0x7959298B

Types

typedef struct spsfo_ctx {
  SceUID mem_uid; // SceSblSpsfoMgr
  void* mem_block_base;
  uint32_t unk_8;
} spsfo_ctx;

typedef struct SceUtoken { // size is 0x800
  char unk_data[0x800];
} SceUtoken;

typedef struct SceUtokenDecrypted { // size is 0x58
    SceUInt64 program_authority_id;
    SceSelfCapability capability;
    SceSelfAttribute attribute; // the important utoken flags are at &attribute+8
    SceUInt8 shared_secret_0[0x10];
} SceUtokenDecrypted;

Not exported

module_start

Calls 2 subroutines:

  • init_qaftoken
  • init_utoken

init utoken

Reads tm0:utoken.dat.

Calls utoken_sm.self service 2 to decrypt SceUtoken buffer. The output is a 0x58 bytes buffer.

SceSblPostSsMgrForDriver

sceSblSpsfoMgrOpenForDriver

Version NID
3.60 0xBDF18922 
int sceSblSpsfoMgrOpenForDriver(const char *path, spsfo_ctx *result);

sceSblSpsfoMgrVerifyForDriver

Version NID
3.60 0x686B9461

Derived from _vshSblAuthMgrVerifySpsfo. 

int sceSblSpsfoMgrVerifyForDriver(spsfo_ctx *ctx, int *res, int *size);

sceSblSpsfoMgrCloseForDriver

Version NID
3.60 0xAD3B0078 
int sceSblSpsfoMgrCloseForDriver(spsfo_ctx *ctx);

sceSblLicMgrGetActivationKeyForDriver

Version NID
3.60 0xF7F1015B 
typedef struct activation_key // size is 0x14
{
   char open_psid[0x10]; // obtained with sceSblSsMgrGetOpenPsIdForDriver
   uint32_t vadd_hash; // result of vector add operation applied to open_psid
} activation_key;

int sceSblLicMgrGetActivationKeyForDriver(activation_key* key);

sceSblLicMgrActivateDevkitForDriver

Version NID
0.990-3.60 0x0298382B 
int sceSblLicMgrActivateDevkitForDriver(char *afv_path);

sceSblLicMgrGetLicenseStatusForDriver

Version NID
3.60 0x15F37282 
// Return value: -1 = not initialized, 0 = activated, 1 = expired, 2 = RTC backup battery failure
int sceSblLicMgrGetLicenseStatusForDriver(void);

sceSblLicMgrGetExpireDateForDriver

Version NID
1.03-3.60 0x4FF2682F

Get activation data expire date.

If sceSblAIMgrIsToolDVT1ForDriver, 30/10/2011 8:00:00.

If sceSblAIMgrIsToolRev4ForDriver or TEST, expire_date = 0xFFFFFFFF.

If sceSblAIMgrIsToolDVT2ForDriver, 30/6/2012 8:00:00.

If sceSblAIMgrIsDEXForDriver and product_sub_code = 0xA, 0xB or 0xC, 31/3/2012 14:59:00. 

// If read_from_nvs is false, it reads expire_date from SceSblPostSsMgr memory, else it reads NVS and queries act_sm.
int sceSblLicMgrGetExpireDateForDriver(int *expire_date, SceBool read_from_nvs);

sceSblPmMgrSetProductModeForDriver

Version NID
0.990-3.60 0xADF92824

Executes pm_sm.self commands 2, 3, 4, 5, 6, 7, 8, 9, 0xA.

  • If enable = 0, it calls pm_set(5). The console exits Manufacturing Mode.
  • If enable = 1, it calls pm_set(4). That console enters Manufacturing Mode.
int sceSblPmMgrSetProductModeForDriver(SceBool enable);

sceSblPmMgrSetSdModeOffForDriver

Version NID
1.03-3.60 0xFE92A318

Executes pm_sm.self commands 2, 3, 4, 5, 6, 7, 8, 9, 0xA.

If productMode != 0 (normal mode), it calls pm_set(7, use_new_ernie_protocol). 

int sceSblPmMgrSetSdModeOffForDriver(SceUInt32 productMode);

sceSblPmMgrGetProductModeFromNVSForDriver

Version NID
0.990-3.60 0x4663C195

Executes pm_sm.self command 1. 

int sceSblPmMgrGetProductModeFromNVSForDriver(SceUInt8 *pProductMode);

sceSblPmMgrAuthEtoIForDriver

Version NID
0.990-3.60 0x19B63D65

Returns jig_auth(12). Returns an integer on success.

jig_auth:

  • On 0.990: executes pm_sm_sd.self commands 3 (gen_req_hello), 4 (gen_challenge), 5 (check_response), 6 (gen_req_result), 7 (check_result).
  • On 1.03-3.60: executes pm_sm_sd.self commands 9, 0xA.
int sceSblPmMgrAuthEtoIForDriver(void);

sceSblPostSsMgrDecryptSealedkeyForDriver

Version NID
3.60 0x33275F95

data is 0x50 bytes of data from sealedkey

this function:

verifies pfsSKKey header

decrypts aes_key(pfsSKKey__EncKey) and hmac_key(pfsSKKey__Secret) using sceSblSsEncryptWithPortabilityForDriver

verifies hmac256 value in HMAC Value

decrypts Encrypted key into dst_secret 

//data - size 0x50
//dst_secret - size 0x10
int sceSblPostSsMgrDecryptSealedkeyForDriver(char* data, char* dst_secret);

sceSblPostSsMgrEncryptSealedkeyForDriver

Version NID
3.60 0x08525D8D

data is 0x50 bytes of data like in sealedkey

this function:

writes pfsSKKey header

decrypts aes_key(pfsSKKey__EncKey) and hmac_key(pfsSKKey__Secret) using sceSblSsEncryptWithPortabilityForDriver

randomly generates 0x10 bytes of IV with sceSblRngPseudoRandomNumberForDriver

randomly generates 0x10 bytes of secret with sceSblRngPseudoRandomNumberForDriver

encrypts the secret into Encrypted key

calculates hmac256 value into HMAC Value 

// dest_data - size 0x50
int sceSblPostSsMgrEncryptSealedkeyForDriver (char* dest_data);

sceSblPostSsMgrVerifyKeystoneForDriver

Version NID
3.60 0xDDA6FA6D

This function verifies magic in the header and HMAC of the keystone file 

int sceSblPostSsMgrVerifyKeystoneForDriver(char* data, int version);

sceSblPostSsMgrVerifyKeystoneWithPasscodeForDriver

Version NID
3.60 0xF86F1452

This function calls sceSblPostSsMgrVerifyKeystoneForDriver. Then also verifies HMAC of passcode. 

int sceSblPostSsMgrVerifyKeystoneWithPasscodeForDriver(char* keystone_data, char* passcode);

sceSblPostSsMgrDebugEncryptKeystoneForDriver

Version NID
3.60 0x42474C8B 
int sceSblPostSsMgrDebugEncryptKeystoneForDriver(char* src_secret, char* dest_data);

sceSblPostSsMgrDebugDecryptKeystoneForDriver

Version NID
3.60 0xCC5AA5A5 
int sceSblPostSsMgrDebugDecryptKeystoneForDriver(char* keystone_data, char* dst_secret);

sceSblPostSsMgrGenerateAppKeyForDriver

Version NID
3.60 0x2646DE64 
int sceSblPostSsMgrGenerateAppKeyForDriver(void *in, void *out);

sceSblUtMgrIsAllowComTestForDriver

Version NID
1.03-3.60 0x128FB35A

Temp name was sceSblUtMgrIsUtokenProgramForDriver.

pseudo-code: 

SceBool sceSblUtMgrIsAllowComTestForDriver(SceUID pid) {
  SceBool ret;
  SceUInt32 stack_cookie;
  SceUInt32 ret2;
  SceUInt32 paid[2];
  if (g_has_com_test_flag == 0 || sceSblACMgrGetPaidForKernel(pid, &paid) != 0)
    ret = false;
  else
    ret = g_ut_paid_hi == paid[1] && g_ut_paid_low == paid[0];
  if (stack_cookie != 0)
    __stack_chk_fail();
  return ret;
}
SceBool sceSblUtMgrIsAllowComTestForDriver(SceUID pid);

sceSblUtMgrUpdateUtokenForDriver

Version NID
1.03-3.60 0xC2E58CE3

Executes utoken_sm command 1 to verify buffer, then writes the 0x800 bytes buffer to tm0:utoken/utoken.dat. 

// size = 0x800
int sceSblUtMgrExecuteUtokenSmCommand1ForDriver(char* buf, SceSize size);

sceSblUtMgrResetUtokenFileForDriver

Version NID
3.60 0x1FF699DD

Writes blank 0x800 bytes to tm0:utoken/utoken.dat or removes it.

Exported to usermode by sceSblUtMgrResetUtokenFile. 

int sceSblUtMgrResetUtokenFileForDriver(void);

sceSblUtMgrHasComTestFlagForDriver

Version NID
1.03-3.60 0x7ACCAA50

Derived from vshSblUtMgrHasComTestFlag. 

int sceSblUtMgrHasComTestFlagForDriver(void);

sceSblUtMgrHasStoreFlagForDriver

Version NID
1.03-3.60 0x9D2E2D39

Derived from vshSblUtMgrHasStoreFlag. 

int sceSblUtMgrHasStoreFlagForDriver(void);

sceSblUtMgrHasNpTestFlagForDriver

Version NID
1.03-3.60 0x9FD835B0

Derived from vshSblUtMgrHasNpTestFlag. 

int sceSblUtMgrHasNpTestFlagForDriver(void);

sceSblUtMgrHasUNK1FlagForDriver

Version NID
1.03-3.60 0x22599675 
int sceSblUtMgrHasUNK1FlagForDriver(void);

sceSblUtMgrHasUNK2FlagForDriver

Version NID
1.03-3.60 0x9B49C249 
int sceSblUtMgrHasUNK2FlagForDriver(void);

sceSblUtMgrHasUNK3FlagForDriver

Version NID
1.03-3.60 0x1923D80D 
int sceSblUtMgrHasUNK3FlagForDriver(void);

sceSblUtMgrHasUNK4FlagForDriver

Version NID
3.60 0xC93C0A0D 
int sceSblUtMgrHasUNK4FlagForDriver(void);

sceSblUtMgrGetTrilithiumBufferForDriver

Version NID
3.60 0xABDD68CD 
int sceSblUtMgrGetTrilithiumBufferForDriver(SceUtokenDecrypted *buffer);

sceSblRtcMgrSetCpRtcForDriver

Version NID
3.60 0x3F9BDEDF

Set RTC in DevKit CP. 

int sceSblRtcMgrSetCpRtcForDriver(int rtc);

sceSblRtcMgrGetCpRtcPhysicalForDriver

Version NID
1.03-3.60 0x942010A0 
int sceSblRtcMgrGetCpRtcPhysicalForDriver(int *rtc);

sceSblRtcMgrGetCpRtcLogicalForDriver

Version NID
1.03-3.60 0xDE5150FE 
int sceSblRtcMgrGetCpRtcLogicalForDriver(int *rtc);

SceSblPostSsMgrForDriver_D8A2D465

Version NID
3.60 0xD8A2D465

Related to Activation file.

Returns true if a1 and a2 are identical to some values in memory. 

SceBool SceSblPostSsMgrForDriver_D8A2D465(int a1, int a2);

SceSblPostSsMgrForDriver_2C463AF1

Version NID
3.60 0x2C463AF1

Used just before SceSblPostSsMgrForDriver_CB5436BD. 

int SceSblPostSsMgrForDriver_2C463AF1(int maybe_keyset, SceSize size, void *buf);

SceSblPostSsMgrForDriver_CB5436BD

Version NID
3.60 0xCB5436BD

Transforms? coredump key. 

int SceSblPostSsMgrForDriver_CB5436BD(int maybe_keyset, SceSize size, void *buf);

SceZlibForDriver

This library was moved from SceSblPostSsMgr#SceZlibForDriver on FW 1.80.

SceSblFwLoaderForDriver

This library was moved to SceSblFwLoader#SceSblFwLoaderForDriver on FW ?1.80? (somewhere between 0.990 and 3.60).

SceSblPmMgr

sceSblPmMgrSetProductModeOffForUser

Version NID
3.60 0x41FE8A37

Calls sceSblPmMgrSetProductModeForDriver(0). 

int sceSblPmMgrSetProductModeOffForUser(void);

sceSblPmMgrGetProductModeForUser

Version NID
3.60 0x46EA9FDB

Returns 0 on success.

Gets KBL Param using sceKernelSysrootGetKblParamForKernel.

result = ((int *)(pKblParam->boot_type_indicator_1) >> 2) & 1; // manufacturing mode flag 

int sceSblPmMgrGetProductModeForUser(int* result);

sceSblPmMgrGetProductModeFromNVS

Version NID
3.60 0x49CE0DDF

Calls sceSblPmMgrGetProductModeFromNVSForDriver.

sceSblPmMgrAuthEtoI

Version NID
0.990-3.60 0xBD38B141

Calls sceSblPmMgrAuthEtoIForDriver().

Returns an integer on success. 

int sceSblPmMgrAuthEtoI(void);

sceSblPmMgrGetCurrentMode

Version NID
3.60 0xDA4EDEBF

Returns 0 on success.

Gets KBL Param using sceKernelSysrootGetKblParamForKernel.

result = ((int *)(pKblParam->boot_type_indicator_1) >> 2) & 1; // manufacturing mode flag 

int sceSblPmMgrGetCurrentMode(int* result);

SceSblRtcMgr

sceSblRtcMgrGetCpRtcPhysicalForUser

Version NID
3.60 0x1614302B

sceSblRtcMgrSetCpActivationKey

Version NID
3.60 0x298AE544

sceSblRtcMgrSetCpRtcPhysicalAndKey

Version NID
3.60 0x3C0EEC69

sceSblRtcMgrSetCpRtcLogical

Version NID
3.60 0x9DFB118B

sceSblRtcMgrSetCpRtcPhysicalForUser

Version NID
3.60 0xA990BC44

sceSblRtcMgrGetCpRtcLogical

Version NID
3.60 0xDD44D726

sceSblRtcMgrGetCpSerialId

Version NID
3.60 0xE162A827

Calls sceDeci4pCpupGetCpSerialIdForDriver.

SceSblLicMgr

Functions related to afv file.

sceSblLicMgrGetIssueNo

Version NID
3.60 0x0E0691A1 
// if request_data_flag is 0 then some cached value is used
// if request_data_flag is 1 then data is requested from syscon
int sceSblLicMgrGetIssueNo(int *issue_number, int request_data_flag);

sceSblLicMgrGetLicenseStatus

Version NID
3.60 0x0EA6A30C 
int sceSblLicMgrGetLicenseStatus();

sceSblLicMgrGetActivationKey

Version NID
3.60 0x2A437187 
typedef struct activation_key // size is 0x14
{
   char open_psid[0x10]; // obtained with sceSblSsMgrGetOpenPsIdForDriver
   uint32_t vadd_hash; // result of vector add operation applied to openPSID
} activation_key;

int sceSblLicMgrGetActivationKey(activation_key* key);

sceSblLicMgrActivateFromFs

Version NID
3.60 0x6E56EA0A

Activates from ux0:/data/activate/. 

int sceSblLicMgrActivateFromFs(void);

sceSblLicMgrGetUsageTimeLimit

Version NID
3.60 0x774EBBA2 
/*
 * sceSblLicMgrGetUsageTimeLimit:
 *   0x800f1326:
 *     DEX:  "This testing kit is not activated."
 *     Tool: "This development kit is not activated."
 *   0x800f1329:
 *     "The backup battery has failed."
 *   0x80251002:
 *     "Cannot check expiration date. Please set date via Internet."
 *   0:
 *     Time_is_0:
 *       DEX:  "This Testing Kit is expired. See DevKit/TestKit Activation  User\'s Guide."
 *       Tool: "This Development Kit is expired. See DevKit/TestKit Activation User\'s Guide."
 *     else:
 *       DEX:  "This testing kit expires in %2d day +%02d:%02d:%02d"
 *       Tool: "This development kit expires in %2d day +%02d:%02d:%02d"
 *
 * + "This testing kit expires in %2d day\n+%02d:%02d:%02d."
 * + "This development kit expires in %2d day\n+%02d:%02d:%02d."
 */

int sceSblLicMgrGetUsageTimeLimit(SceUInt32 *time_limit);

Uses sceSblSsMgrGetQAFlagsForKernel.

sceSblLicMgrClearActivationData

Version NID
3.60 0x9B749D1D 
int sceSblLicMgrClearActivationData();

sceSblLicMgrGetExpireDate

Version NID
0.940-3.60 0xE9FA0FE5 
// if request_data_flag is 0 then some cached value is used
// if request_data_flag is 1 then data is requested from syscon
int sceSblLicMgrGetExpireDate(int *expire_date, int request_data_flag);

sceSblLicMgrActivateDevkit

Version NID
3.60 0xEB21DD39 
// afv_path is of size 0x100
int sceSblLicMgrActivateDevkit(char* afv_path);

SceSblUtMgr

sceSblUtMgrUpdateUtoken

Version NID
3.60 0xBDE74645

Calls sceSblUtMgrUpdateUtokenForDriver(buf, 0x800);. 

// size = 0x800
int sceSblUtMgrUpdateUtoken(char* buf, SceSize size);

sceSblUtMgrReadUtoken

Version NID
3.60 0xD2836E0D 
// size = 0x800
int sceSblUtMgrReadUtoken(char *buf, int SceSize size);

sceSblUtMgrResetUtokenFile

Version NID
3.60 0x1CD57182

Calls sceSblUtMgrResetUtokenFileForDriver. 

int sceSblUtMgrResetUtokenFile(void);

sceSblUtMgrGetCurrentSecureTick

Version NID
3.60 0xCFCB1355

Calls sceRtcGetCurrentSecureTickForDriver then uses sceKernelMemcpyKernelToUserForDriver. 

int sceSblUtMgrGetCurrentSecureTick(int* secure_tick);

sceSblUtMgrGetUtName

Version NID
3.60 0x04CA1311 
// name: buffer that will embed Utoken name if User Token for this app is valid
// size: max size is 0x18
int sceSblUtMgrGetUtName(char *name, SceSize size);

SceSblSpsfoMgr

sceSblSpsfoMgrOpen

Version NID
1.03 0x64B45B53 
int sceSblSpsfoMgrOpen(char *path, spsfo_ctx *result);

sceSblSpsfoMgrVerify

Version NID
1.03 0x517CAF25 
int sceSblSpsfoMgrVerify(spsfo_ctx *ctx, int *res, int *size);

sceSblSpsfoMgrClose

Version NID
1.03 0x3533B542 
int sceSblSpsfoMgrClose(spsfo_ctx *ctx);
Retrieved from "http://wiki.henkaku.xyz/index.php?title=SceSblPostSsMgr&oldid=18199"