SceSblGcAuthMgr

From Vita Development Wiki

Module

Known NIDs

Version Name World Privilege NID
1.69 SceSblGcAuthMgr Non-secure Kernel 0x4B777EBC
3.60 SceSblGcAuthMgr ? Kernel 0xDB1A9016

Libraries

Known NIDs

Version Name World Visibility NID
1.69 SceSblGcAuthMgrDrmBBForDriver Non-secure Kernel 0x1926B182
3.60 SceSblGcAuthMgrDrmBBForDriver ? Kernel 0x1926B182
1.69 SceSblGcAuthMgrPcactForDriver Non-secure Kernel 0xB8600A5
1.69 SceSblGcAuthMgrMlnpsnlForDriver Non-secure Kernel 0x29ED0109
3.60 SceSblGcAuthMgrMlnpsnlForDriver ? Kernel 0x29ED0109
1.69 SceSblGcAuthMgrAdhocBBForDriver Non-secure Kernel 0x2EFA9203
1.69 SceSblGcAuthMgrPkgForDriver Non-secure Kernel 0x82FBA7D
3.60 SceSblGcAuthMgrPkgForDriver ? Kernel 0x082FBA7D
1.69 SceSblGcAuthMgrSclkForDriver Non-secure Kernel 0xF24F760D
3.60 SceSblGcAuthMgrSclkForDriver ? Kernel 0xF24F760D
1.69 SceSblGcAuthMgrGcAuthForDriver Non-secure Kernel 0xC6627F5E
3.60 SceSblGcAuthMgrGcAuthForDriver ? Kernel 0xC6627F5E
1.69 SceSblGcAuthMgr Non-secure User 0x7B13BCF7
3.60 SceSblGcAuthMgr ? ? 0x7B13BCF7
3.60 SceSblGcAuthMgrPsmactForDriver ? Kernel 0x1C53F37D
3.60 SceSblGcAuthMgrMsSaveBBForDriver ? Kernel 0x5032E8D4

Data segment layout

Address Size Description
0x0000 0x4BC4 unknown
0x4BC4 0x30 temp buffer for storing parts of cmd56 packets
0x4BF4 0x200 cmd56 request buffer
0x4DF4 0x04 packet6 gc parameter
0x4DF8 0x200 temp buffer for initializing cmd56 req packets
0x4FF8 0x20 temp buffer for storing parts of cmd56 packets
0x5018 0x34 one of kirk responses
0x504C 0x200 cmd56 response buffer 1
0x524C 0x200 cmd56 response buffer 2
0x544C 0x20 one of kirk responses
0x546C 0x898 unknown

SceSblGcAuthMgrDrmBBForDriver

verify_checksum

Version NID
3.60 0x22FD5D23

This function verifies that the last response from the card (cmd56) is valid.

For example, it is called from sceAppMgrGameDataMount.

int verify_checksum(char* in_data);

Here is reversed code:


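char resp_buffer[0x14]; // static buffer with response data

int verify_checksum(char* in_data)
{
   char* ib = in_data;      // caller-supplied data
   char* rb = resp_buffer;  // stored response
   char* rbe = rb + 0x14;   // end of the 0x14-byte response
   
   int crc = 0;             // accumulates differences; not an actual CRC
   
   // XOR each byte pair and OR the result into crc; no early exit on mismatch
   while(rb != rbe)
   {
       crc = crc | ((*ib) ^ (*rb));
       rb++;
       ib++;
   }
   
   if(crc == 0)
     return 0;              // all 0x14 bytes matched
   else
     return 0x808A040A;     // at least one byte differed
}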

This is a timing safe memcmp. Xyz (talk) 10:02, 1 May 2017 (UTC)
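The difference between the OR-accumulate loop in verify_checksum and an early-exit comparison, as an added example (not code from the wiki or the firmware): it counts how many bytes each variant examines for a given mismatch position. The function names, the step counter and the sample bytes are assumptions made for illustration; only the length 0x14 and the error value 0x808A040A come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RESP_LEN     0x14         /* bytes compared by verify_checksum */
#define ERR_MISMATCH 0x808A040Au  /* error value returned on the page */

/* Early-exit compare (memcmp style): work done depends on the mismatch position. */
static uint32_t compare_early_exit(const uint8_t *a, const uint8_t *b, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < RESP_LEN; i++) {
        ++*steps;
        if (a[i] != b[i]) return ERR_MISMATCH;
    }
    return 0;
}

/* OR-accumulate compare (shape of the reversed verify_checksum): no early exit. */
static uint32_t compare_accumulate(const uint8_t *a, const uint8_t *b, size_t *steps)
{
    volatile uint8_t diff = 0;  /* volatile discourages a compiler-added early exit */
    *steps = 0;
    for (size_t i = 0; i < RESP_LEN; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
        ++*steps;
    }
    return diff ? ERR_MISMATCH : 0;
}

/* Bytes examined when the first mismatch is at pos (pos >= RESP_LEN: equal). */
static size_t steps_for_mismatch(int accumulate, size_t pos)
{
    uint8_t ref[RESP_LEN], in[RESP_LEN];
    size_t steps;
    for (size_t i = 0; i < RESP_LEN; i++)
        ref[i] = in[i] = (uint8_t)(0xA0 + i);  /* constructed sample data */
    if (pos < RESP_LEN) in[pos] ^= 0xFF;
    if (accumulate) compare_accumulate(in, ref, &steps);
    else            compare_early_exit(in, ref, &steps);
    return steps;
}

int main(void)
{
    for (size_t pos = 0; pos <= RESP_LEN; pos += 5)
        printf("pos=%2zu early=%2zu accum=%2zu\n", pos, steps_for_mismatch(0, pos), steps_for_mismatch(1, pos));
    return 0;
}
```

The early-exit count tracks the position of the first wrong byte, while the accumulate count is always 0x14 regardless of the input.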

clear_sensitive_data

Version NID
3.60 0x812B2B5C

Clears some sensitive data.

Called after verify_checksum

int clear_sensitive_data(int* value);

clear_sensitive_data

Version NID
3.60 0xBB451E83

Clears sensitive data that is left after cmd56 custom initialization.

This includes data generated by Kirk services 0x1C, 0x1F, 0x20 and packet6.

Called after initialize_sd_device

int clear_sensitive_data();

get_5018_data

Version NID
3.60 0xBB70DDC0

This function copies the first 0x20 bytes of the buffer to the destination.

int get_5018_data(char* dest);

SceSblGcAuthMgrPcactForDriver

SceSblGcAuthMgrMlnpsnlForDriver

SceSblGcAuthMgrAdhocBBForDriver

SceSblGcAuthMgrPkgForDriver

SceSblGcAuthMgrSclkForDriver

SceSblGcAuthMgrGcAuthForDriver

initialize_sd_device

Version NID
3.60 0x68781760

This is a wrapper function that starts the initialization subroutine through run_execlusive.

int initialize_sd_device(int sd_ctx_index);

SceSblGcAuthMgr

_sceSblGcAuthMgrPcactActivation

Version NID
1.69 0x32E7CEA

_sceSblGcAuthMgrGetMediaIdType01

Version NID
1.69 0xAC64154

_sceSblGcAuthMgrAdhocBB224Auth1

Version NID
1.69 0x307FD67C

_sceSblGcAuthMgrPkgVry

Version NID
1.69 0x3E168BC4

_sceSblGcAuthMgrAdhocBB224Auth5

Version NID
1.69 0x459F5503

_sceSblGcAuthMgrAdhocBB224Init

Version NID
1.69 0x5AB126A7

_sceSblGcAuthMgrAdhocBB224Auth4

Version NID
1.69 0x5CCC216C

_sceSblGcAuthMgrAdhocBB224Auth2

Version NID
1.69 0x788C0517

_sceSblGcAuthMgrSclkSetData2

Version NID
1.69 0x837D0FB6

_sceSblGcAuthMgrSclkGetData1

Version NID
1.69 0x8A3AF1E8

_sceSblGcAuthMgrAdhocBB224Shutdown

Version NID
1.69 0x8ECEACF9

_sceSblGcAuthMgrPcactGetChallenge

Version NID
1.69 0x98153286

_sceSblGcAuthMgrAdhocBB224GetKeys

Version NID
1.69 0xC236FB28

_sceSblGcAuthMgrAdhocBB224Auth3

Version NID
1.69 0xD3F95259

gcauth_sm "KIRK" calls to F00D

The use of os0:sm/gcauthmgr_sm.self is to support the next generation of KIRK. It uses a similar input structure to the original KIRK on the PSP.

PSP support

4, 7, 0xC, 0xD, 0xE, 0x10, 0x11, 0x12 are the classic PSP KIRK Services supported by gcauth_sm.

New PSVita Codes

0x14-0x19, 0x1b-0x23 are the new KIRK Services supported by gcauth_sm.

0x14 is the 224-bit ECDSA keypair generator. The only input is an empty buffer of size 3*0x1C. It returns 3 values: private key, public X point, public Y point. Each value is 0x1C bytes long.

0x16 is the random 224-bit generator. It returns 0x1C bytes of random data into the buffer.

0x17-0x19 are the 224-bit ECDSA versions of the PSP's 160-bit 0x10-0x12.