From Vita Development Wiki
Jump to: navigation, search

This device, located at physical address 0xE0410000, provides a few cryptographic functions.


In all code samples, device is a volatile uint32_t* pointing to paddr 0xE0410000.

First, reset the device if it's in use:

if (device[9] & 1) {
    device[7] = 0;
    while (device[9] & 1) {}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT device[10] = device[10]; device[7] = 1; while(device[9] & 1){};

device[0] = src_pa; // source addr
device[1] = dst_pa; // destination addr
device[2] = 0x10; // data size
device[3] = 0xC002309; // function index
device[4] = slot; // key slot number
device[5] = iv; // AES IV, where applicable, this will be updated by some functions
// device[8] = 0; // uncomment this and vita will crash after operation
// device[11] = 0xE070; // unknown, unused?
// device[12] = 0x700070; // unknown, unused?


Key slots

It uses the keyring device SceSblDMAC5DmacKRBase for the cryptographic key material. The keyring is at physical address 0xE04E0000. The keyring configuration is set during secure boot. Keyring offset +0x400 is used to configure non-secure kernel accessibility. On boot, it defaults to 0x200000FF, which indicates key slots 0-7 and slot 0x1D can by directly used by non-secure kernel. The +0x400 register is only available in secure mode. On boot the register +0x404 is set to 0xFFFFFFFF.

There are 0x20 key slots, from 0x0 to 0x1F.

Key slots 0x0-0x7 and 0x1D can be modified directly using dmac5keyring.

Key slot 0x1C seems to be related to memory card.


The first byte of the function code indicates which function to use and the second byte the key size.

2nd byte Key size
0 64 and less
1 128
2 192
3 256 and 512

The following functions are available:

  • 0x1: AES-ECB encrypt
  • 0x2: AES-ECB decrypt
  • 0x3: SHA1
  • 0x4: Random Number Generator
  • 0x9: AES-CBC encrypt
  • 0xA: AES-CBC decrypt
  • 0xB: SHA224
  • 0x13: SHA256
  • 0x21: AES-128-CTR encrypt
  • 0x22: AES-128-CTR decrypt (identical to encrypt)
  • 0x23: HMAC-SHA1
  • 0x2B: HMAC-SHA224
  • 0x33: HMAC-SHA256
  • 0x3B: CMAC-AES
  • 0x41: DES-64-ECB encrypt (3DES if key size is 128 or 192)
  • 0x42: DES-64-ECB decrypt (3DES if key size is 128 or 192)
  • 0x49: DES-64-CBC encrypt (3DES if key size is 128 or 192)
  • 0x4A: DES-64-CBC decrypt (3DES if key size is 128 or 192)
  • 0x101: AES-128-ECB encrypt
  • 0x102: AES-128-ECB decrypt
  • 0x109: AES-128-CBC encrypt
  • 0x10A: AES-128-CBC decrypt
  • 0x201: AES-192-ECB encrypt
  • 0x202: AES-192-ECB decrypt
  • 0x209: AES-192-CBC encrypt
  • 0x20A: AES-192-CBC decrypt
  • 0x301: AES-256-ECB encrypt
  • 0x302: AES-256-ECB decrypt
  • 0x309: AES-256-CBC encrypt
  • 0x30A: AES-256-CBC decrypt
  • probably there are more
  • There is usage of higher bits in the commands that don't seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits.