KBL Param
The sysroot buffer is a 0x100 or 0x200 sized buffer passed to the secure kernel bootloader in the scratch space and contains all sorts of flags and system parameters. This buffer is copied to the secure kernel, the non-secure kernel loader, and the non-secure kernel and is used by many functions to check for features that are enabled for the system.
Offset | Size | Description |
---|---|---|
0x00 | 0x2 | Version (usually 1) |
0x02 | 0x2 | Sysroot size (0x100 or 0x200) |
0x04 | 0x4 | Current Firmware Version |
0x08 | 0x4 | Firmware Version Shipped from Factory |
0x2C | 0x8 | Bitfield flags 1 |
0x40 | 0x4 | Devkit Function address 1 |
0x44 | 0x4 | Devkit UID 1 |
0x48 | 0x4 | Devkit Function address 1 |
0x4C | 0x4 | ASLR Seed |
0x50 | 0x4 | Devkit Config Flags1 (0x80000001 or 0x80000003) |
0x54 | 0x4 | Devkit Config Flags2 (0x0) |
0x58 | 0x4 | Devkit Config ?? |
0x5C | 0x4 | Devkit Config Flags3 (0x20000010) |
0x60 | 0x4 | DRAM base paddr |
0x64 | 0x4 | DRAM size |
0x6C | 0x4 | Boot type indicator (0x20000 on resume), 0x1 = no suspend/boot logo |
0x70 | 0x10 | Some serial |
0x80 | 0x4 | secure_kernel.enp raw data paddr (optional) |
0x84 | 0x4 | secure_kernel.enp size (optional) |
0x90 | 0x4 | kprx_auth_sm.self raw data paddr |
0x94 | 0x4 | kprx_auth_sm.self size |
0x98 | 0x4 | prog_rvk.srvk raw data paddr |
0x9C | 0x4 | prog_rvk.srvk size |
0xA0 | 0x2 | Model (0x1000) |
0xA2 | 0x2 | Device type (0x401 = retail device, 0x101 = devkit device) |
0xA4 | 0x2 | Device config (0x1000 = standard form, 0x102 = pstv) |
0xA6 | 0x2 | Type (0x300 = retail, 0x100 = devkit) |
0xB0 | 0x10 | Session ID |
0xC4 | 0x4 | Boot type indicator (0x80 on resume) |
0xD0 | 0x4 | Saved context paddr |
0xF8 | 0x4 | BootLoader Revision |
0xFC | 0x4 | Sysroot Magic value (0xCBAC03AA) |
0x100 | 0x20 | Encrypted Session Key (FW 2.12+) |
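
An added example (not from the original page or from any firmware or project code): a Python parser that validates a dumped sysroot buffer against the table above and decodes the documented fields. Little-endian field encoding is an assumption of this example, and every value in the sample buffer built by the hypothetical `make_sample` helper is constructed.

```python
import struct

SYSROOT_MAGIC = 0xCBAC03AA                         # offset 0xFC in the table
DEVICE_TYPES = {0x401: "retail", 0x101: "devkit"}  # offset 0xA2 in the table

def parse_sysroot(buf: bytes) -> dict:
    """Validate a dumped sysroot buffer and decode the documented fields."""
    if len(buf) < 0x100:
        raise ValueError("shorter than the minimum sysroot size 0x100")
    # Assumption: header fields are little-endian, like the CP integers.
    version, size, fw_cur, fw_factory = struct.unpack_from("<HHII", buf, 0x00)
    (magic,) = struct.unpack_from("<I", buf, 0xFC)
    if magic != SYSROOT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    if size not in (0x100, 0x200) or size > len(buf):
        raise ValueError(f"size field 0x{size:X} does not fit the buffer")
    dram_base, dram_size = struct.unpack_from("<II", buf, 0x60)
    model, dev_type, dev_cfg, kind = struct.unpack_from("<HHHH", buf, 0xA0)
    fields = {
        "version": version, "size": size,
        "fw_current": fw_cur, "fw_factory": fw_factory,
        "aslr_seed": struct.unpack_from("<I", buf, 0x4C)[0],
        "dram_base": dram_base, "dram_size": dram_size,
        "model": model, "device_config": dev_cfg,
        "device_type": DEVICE_TYPES.get(dev_type, f"unknown 0x{dev_type:X}"),
        "type": kind,
        "session_id": buf[0xB0:0xC0],
        "bootloader_rev": struct.unpack_from("<I", buf, 0xF8)[0],
    }
    # The encrypted session key at 0x100 only exists in the 0x200 layout.
    if size == 0x200:
        fields["enc_session_key"] = buf[0x100:0x120]
    return fields

def make_sample(size: int = 0x200, dev_type: int = 0x401) -> bytearray:
    """Constructed sample buffer; every value here is made up for the demo."""
    buf = bytearray(size)
    struct.pack_into("<HHII", buf, 0x00, 1, size, 0x03600000, 0x01000000)
    struct.pack_into("<II", buf, 0x60, 0x40000000, 0x20000000)
    struct.pack_into("<HHHH", buf, 0xA0, 0x1000, dev_type, 0x1000, 0x300)
    struct.pack_into("<I", buf, 0xFC, SYSROOT_MAGIC)
    return buf

if __name__ == "__main__":
    for key, value in parse_sysroot(bytes(make_sample())).items():
        print(f"{key:15} {value!r}")
```
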
Bitfield Flags
DIP Switches
To convert the bit number to the offset and bit: offset = start_offset + (bit_num / 32) * 4, bit = (bit_num % 32) << 1
CP Information
Bits 0-31 are a 32-bit integer of the current time on the devkit CP clock. This is duplicated in bits 64-95. Bits 32-47 are a 16-bit integer of the CP version and bits 48-63 are a 16-bit integer of the CP build ID. All integers are little-endian. On non-devkits, these fields are zero. Bits 0-63 are also usable as general purpose switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw, but they do not change anything in hardware (only cached values are overwritten).
User Flags
Bits 96-127 do not seem to be used in the kernel.
SDK Flags
Bits 128-159 are used to store devkit flags. They do not appear to be used in other models.
Bit | Description |
---|---|
159 | Devkit in Development Mode |
Shell Flags
Bits 160-191 are used for SceShell flags.
Bit | Description |
---|---|
Debug Flags
Bits 192-223 are for various debugging options.
Bit | Description |
---|---|
197 | Enable kernel console logging |
211 | Enable user UART console logging |
System Flags
Bits 224-255 are used for various system options.
Bit | Description |
---|---|