External Boot Mode

From Vita Development Wiki
Revision as of 21:13, 6 January 2024 by CelesteBlue (talk | contribs) (Created page with "Similarly to the Jigkick battery on PSP, the PS Vita also has a hidden manufacturing/recovery mode in the boot ROM. By convention, we call this "external boot mode". Once a ha...")

Similarly to the Jigkick battery on PSP, the PS Vita also has a hidden manufacturing/recovery mode in the boot ROM. By convention, we call this "external boot mode". Once a handshake with the Kermit boot ROM passes, the PS Vita will boot from an SD card in the gamecard slot instead of from the internal eMMC. The payload must be signed by Sony specifically for this mode. However, the signature check can be bypassed by glitching. See Vulnerabilities.

To trigger Kermit Bootrom Jig mode, first enable Syscon UART RPC then do a handshake with Kermit.

See also: SLSK#Secret_debug_mode.

Entering Handshake

Now that #Jig_Handler is set up, you can use the Syscon UART RPC interface to trigger the Kermit handshake.

  1. Send a Jig packet with RPC command 0x110. This is a packet whose payload is encrypted.
  2. In the decrypted packet, the data triggers some command handler which sets flag 0x18.
  3. Only state 1 handles flag 0x18.
  4. Main Function in state 1 is called with target state 9. It does some unknown tasks (maybe power on device?) and sets flag 0x15. State is set to 9.
  5. Main Function in state 9 is called with target state 3 (due to flag 0x15).
  6. Ernie is ready to perform the handshake.

Handshake

The pin references for Kermit are from GPIO Registers. The pin references for Ernie are from the reference manual. TODO: figure out the physical mapping of the pins.

  1. Ernie sets P15.
  2. Ernie sets P97.
  3. Kermit polls for GPIO Port 4 high.
  4. Kermit does some magic register writes (possibly switching SPI pins to Jig handshake interface).
  5. Kermit writes 8 bytes challenge to a Cmep only register.
  6. Kermit sets GPIO Port 3 high.
  7. Ernie polls for P16 high.
  8. Ernie clears P90.
  9. (Step 1 Kermit -> Ernie) Ernie receives a packet 84 00 88 XX XX XX XX where XX is 4 bytes of the challenge.
  10. Ernie sets P90.
  11. Ernie clears P90.
  12. (Step 2 Kermit -> Ernie) Ernie receives a packet 84 00 8C XX XX XX XX where XX is 4 bytes of the challenge.
  13. Ernie sets P90.
  14. Ernie does some endian swapping with the data.
  15. Ernie AES encrypts the challenge with the shared key with Kermit boot ROM.
  16. Ernie does some endian swapping with the data.
  17. Kermit polls for GPIO Port 4 high.
  18. Ernie clears P90.
  19. (Step 1 Ernie -> Kermit) Ernie sends a packet 85 00 80 XX XX XX XX where XX is 4 bytes of the response.
  20. Ernie sets P90.
  21. Ernie clears P90.
  22. (Step 2 Ernie -> Kermit) Ernie sends a packet 85 00 84 XX XX XX XX where XX is 4 bytes of the response.
  23. Ernie sets P90.
  24. Kermit magically gets 8 bytes in a Cmep only register.
  25. Kermit sets GPIO Port 3 low.
  26. Kermit AES encrypts the challenge with its own shared key and does a timing-safe memcmp with the response.
  27. Kermit makes sure to wipe the key and all relevant registers.
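The packet exchange of steps 9 to 27 modeled as a small simulation of both sides, written here as an added example; it is not code from the wiki, from Sony firmware, or from any Ernie/Kermit dump. The packet headers (84 00 88, 84 00 8C, 85 00 80, 85 00 84) are taken from the list above. Everything else is an assumption labeled as such in the code: the AES construction (AES-128 on a single zero-padded block, response = first 8 ciphertext bytes) since the page only says "AES encrypts", the 16-byte key which is a constructed placeholder and not the real shared key, and the function names (buildPacket, parsePair, computeResponse, ernieRespond, kermitVerify, runHandshake). The endian swaps of steps 14 and 16 are not specified on the page and are deliberately not modeled. The GPIO signaling (P90, Port 3, Port 4) is replaced by ordinary function calls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"fmt"
)

// Packet headers copied from the page; each 7-byte packet carries one 4-byte half of an 8-byte value.
var (
	hdrChallenge1 = [3]byte{0x84, 0x00, 0x88} // Kermit -> Ernie, challenge[0:4] (step 9)
	hdrChallenge2 = [3]byte{0x84, 0x00, 0x8C} // Kermit -> Ernie, challenge[4:8] (step 12)
	hdrResponse1  = [3]byte{0x85, 0x00, 0x80} // Ernie -> Kermit, response[0:4] (step 19)
	hdrResponse2  = [3]byte{0x85, 0x00, 0x84} // Ernie -> Kermit, response[4:8] (step 22)
)

// buildPacket frames one 4-byte word behind its 3-byte header.
func buildPacket(hdr [3]byte, word []byte) []byte {
	return append(append([]byte{}, hdr[:]...), word[:4]...)
}

// parsePair validates a pair of packets and reassembles the 8-byte value they carry.
func parsePair(p1, p2 []byte, h1, h2 [3]byte) ([]byte, error) {
	if len(p1) != 7 || len(p2) != 7 || !bytes.Equal(p1[:3], h1[:]) || !bytes.Equal(p2[:3], h2[:]) {
		return nil, fmt.Errorf("malformed packet pair % X / % X", p1, p2)
	}
	return append(append([]byte{}, p1[3:]...), p2[3:]...), nil
}

// computeResponse derives the 8-byte response from the 8-byte challenge (step 15).
// ASSUMPTION: AES-128 on one block, challenge zero-padded to 16 bytes, response =
// first 8 ciphertext bytes. The endian swaps of steps 14 and 16 are not modeled.
func computeResponse(key, challenge []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(challenge) != 8 {
		return nil, fmt.Errorf("bad key (%v) or challenge length %d", err, len(challenge))
	}
	var in, out [aes.BlockSize]byte
	copy(in[:], challenge)
	block.Encrypt(out[:], in[:])
	return out[:8], nil
}

// ernieRespond is Ernie's side: take the challenge packets of steps 9 and 12,
// return the response packets of steps 19 and 22.
func ernieRespond(key, chal1, chal2 []byte) ([]byte, []byte, error) {
	challenge, err := parsePair(chal1, chal2, hdrChallenge1, hdrChallenge2)
	if err != nil {
		return nil, nil, err
	}
	resp, err := computeResponse(key, challenge)
	if err != nil {
		return nil, nil, err
	}
	return buildPacket(hdrResponse1, resp[:4]), buildPacket(hdrResponse2, resp[4:]), nil
}

// kermitVerify is Kermit's side of steps 24-27: reassemble the response, recompute
// the expected value, compare in constant time, and wipe the key and the expected
// value on every return path, error paths included.
func kermitVerify(key, challenge, resp1, resp2 []byte) (bool, error) {
	defer zero(key) // step 27
	got, err := parsePair(resp1, resp2, hdrResponse1, hdrResponse2)
	if err != nil {
		return false, err
	}
	expected, err := computeResponse(key, challenge)
	if err != nil {
		return false, err
	}
	defer zero(expected)
	return subtle.ConstantTimeCompare(expected, got) == 1, nil // step 26
}

// zero overwrites a buffer in place.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// runHandshake wires both sides together; separate keys let a mismatch be shown.
func runHandshake(kermitKey, ernieKey, challenge []byte) (bool, error) {
	kKey := append([]byte{}, kermitKey...) // Kermit's private copy, wiped by kermitVerify
	chal1 := buildPacket(hdrChallenge1, challenge[:4])
	chal2 := buildPacket(hdrChallenge2, challenge[4:])
	resp1, resp2, err := ernieRespond(ernieKey, chal1, chal2)
	if err != nil {
		return false, err
	}
	return kermitVerify(kKey, challenge, resp1, resp2)
}

func main() {
	key := []byte("constructed-demo")                             // CONSTRUCTED 16-byte key, not the real shared key
	challenge := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} // constructed stand-in for step 5
	ok, err := runHandshake(key, key, challenge)
	fmt.Println("matching keys accepted:", ok, err)
	ok, err = runHandshake(key, []byte("constructed-mism"), challenge)
	fmt.Println("mismatched Ernie key accepted:", ok, err)
}
```

The two properties worth noticing are the ones the page attributes to Kermit in steps 26 and 27: the comparison goes through subtle.ConstantTimeCompare rather than bytes.Equal, so a wrong response costs the same time whether it differs in the first byte or the last, and the key wipe is deferred before any parsing so that a malformed packet pair cannot leave the key in memory by taking an early error return.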