External Boot Mode
Similarly to the Jigkick battery on PSP, the PS Vita also has a hidden manufacturing/recovery mode in the boot ROM. By convention, we call this "external boot mode". Once a handshake with Kermit boot ROM passes, the PS Vita will boot from an SD card in the gamecard slot instead of from internal eMMC. The payload must be signed by Sony specifically for this mode. However the signature check can be bypassed by glitching. See Vulnerabilities.
To trigger Kermit Bootrom Jig mode, first enable Syscon UART RPC then do a handshake with Kermit.
See also: SLSK#Secret_debug_mode.
Entering Handshake
Now that #Jig_Handler is set up, you can use Syscon UART RPC interface to trigger the Kermit handshake.
- Send a Jig packet with RPC command 0x110. This is a packet whose payload is encrypted.
- In the decrypted packet, the data triggers some command handler which sets flag
0x18
. - Only state 1 handles flag
0x18
. - Main Function in state 1 is called with target state 9. It does some unknown tasks (maybe power on device?) and sets flag
0x15
. State is set to 9. - Main Function in state 9 is called with target state 3 (due to flag
0x15
). - Ernie is ready to perform the handshake.
Handshake
The pin references for Kermit are from GPIO Registers. The pin references for Ernie are from the reference manual. TODO: figure out the physical mapping of the pins.
- Ernie sets P15.
- Ernie sets P97.
- Kermit polls for GPIO Port 4 high.
- Kermit does some magic register writes (possibly switching SPI pins to Jig handshake interface).
- Kermit writes 8 bytes challenge to a Cmep only register.
- Kermit sets GPIO Port 3 high.
- Ernie polls for P16 high.
- Ernie clears P90
- (Step 1 Kermit -> Ernie) Ernie receives a packet
84 00 88 XX XX XX XX
where XX is 4 bytes of the challenge. - Ernie sets P90.
- Ernie clears P90.
- (Step 2 Kermit -> Ernie) Ernie receives a packet
84 00 8C XX XX XX XX
where XX is 4 bytes of the challenge. - Ernie sets P90.
- Ernie does some endian swapping with the data.
- Ernie AES encrypts the challenge with the shared key with Kermit boot ROM.
- Ernie does some endian swapping with the data.
- Kermit polls for GPIO Port 4 high.
- Ernie clears P90.
- (Step 1 Ernie -> Kermit) Ernie sends a packet
85 00 80 XX XX XX XX
where XX is 4 bytes of the response. - Ernie sets P90.
- Ernie clears P90.
- (Step 2 Ernie -> Kermit) Ernie sends a packet
85 00 84 XX XX XX XX
where XX is 4 bytes of the response. - Ernie sets P90.
- Kermit magically gets 8 bytes in a Cmep only register.
- Kermit sets GPIO Port 3 low.
- Kermit AES encrypts the challenge with its own shared key and does a timing-safe memcmp with the response.
- Kermit makes sure to wipe the key and all relevant registers.