From Vita Development Wiki
Jump to: navigation, search

This device, located at physical address 0xE0410000, provides a few cryptographic functions.


In all code samples, device is a volatile uint32_t* pointing to paddr 0xE0410000.

First, reset the device if it's in use:

if (device[9] & 1) {
    device[7] = 0;
    while (device[9] & 1) {}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT device[10] = device[10]; device[7] = 1; while(device[9] & 1){};

device[0] = src_pa; // source addr
device[1] = dst_pa; // destination addr
device[2] = 0x10; // data size
device[3] = 0xC002309; // function index
device[4] = slot; // key slot number
device[5] = iv; // AES IV, where applicable, this will be updated by some functions
// device[8] = 0; // uncomment this and vita will crash after operation
// device[11] = 0xE070; // unknown, unused?
// device[12] = 0x700070; // unknown, unused?


Key slots

It uses the keyring device SceSblDMAC5DmacKRBase for the cryptographic key material. The keyring is at physical address 0xE04E0000. The keyring configuration is set during secure boot. Keyring offset +0x400 is used to configure non-secure kernel accessibility. On boot, it defaults to 0x200000FF, which indicates key slots 0-7 and slot 0x1D can by directly used by non-secure kernel. The +0x400 register is only available in secure mode.

There are 0x20 key slots, from 0x0 to 0x1F.

Key slots 0x0-0x7 and 0x1D can be modified directly using dmac5keyring.

Key slot 0x1C seems to be related to memory card.


The following functions are available:

  • 0x301: AES-256-ECB encrypt
  • 0x302: AES-256-ECB decrypt
  • 0x201: AES-192-ECB encrypt
  • 0x202: AES-192-ECB decrypt
  • 0x101: AES-128-ECB encrypt
  • 0x102: AES-128-ECB decrypt
  • 0x309: AES-256-CBC encrypt
  • 0x30a: AES-256-CBC decrypt
  • 0x209: AES-192-CBC encrypt
  • 0x20a: AES-192-CBC decrypt
  • 0x109: AES-128-CBC encrypt
  • 0x10a: AES-128-CBC decrypt
  • 0x4: Random Number Generator
  • 0x3: SHA1
  • 0x13: SHA256
  • 0x23: HMAC-SHA1
  • 0x33: HMAC-SHA256
  • 0x3B: CMAC-AES
  • 0x41: DES-???-ECB encrypt
  • 0x42: DES-???-ECB decrypt
  • 0x49: DES-???-CBC encrypt
  • 0x4A: DES-???-CBC decrypt
  • probably there are more
  • There is usage of higher bits in the commands that don't seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits