Changes

3,064 bytes added, 09:05, 30 May 2021
Line 1: Line 1: −
Depending on the F00D SELF that is currently loaded, different commands are handled.
+
Depending on the [[SM]] that is currently loaded, different commands are handled.
    
== Request Buffer ==
 
== Request Buffer ==
   −
Each request that is made sends a page aligned buffer that has a max size of a page. After as 64 byte header common to all commands, the data afterwards is specific to each command. The documentation for each command below specifies the data that goes after the header. The special command id of -1 (<code>0xFFFFFFFF</code>) is used to shut down the currently loaded F00D SELF.
+
Each request that is made sends a page aligned buffer that has a max size of a page. After as 64 byte header common to all commands, the data afterwards is specific to each command. The documentation for each command below specifies the data that goes after the header. The special command id of -1 (<code>0xFFFFFFFF</code>) is used to stop the current loaded [[SM]].
   −
{| class="wikitable"
+
Command buffer structure (as seen on FWs 3.60-3.73):
 +
 
 +
{| class='wikitable'
 
|-
 
|-
! Offset !! Size !! Description
+
! Offset
 +
! Size
 +
! Description
 
|-
 
|-
| 0x0 || 0x4 || Size of buffer
+
| 0x0
 +
| 0x4
 +
| Size of the structure (header + data)
 
|-
 
|-
| 0x4 || 0x4 || Command ID
+
| 0x4
 +
| 0x4
 +
| Command ID
 
|-
 
|-
| 0x8 || 0x4 || Return value (output)
+
| 0x8
 +
| 0x4
 +
| Command return value is written here by the SM
 
|-
 
|-
| 0xC || 0x34 || Unknown/Unused
+
| 0xC
 +
| 0x4
 +
| unk2
 
|-
 
|-
| 0x40 || Variable (max 0xFC0) || Command specific buffer
+
| 0x10
 +
| 0x30
 +
| padding
 
|-
 
|-
 +
| 0x40
 +
| variable, chosen by NS Kernel, max=0x1000-0x40
 +
| data buffer
 
|}
 
|}
   −
=== Physical Address List ===
+
On FW 0.931, and maybe in later prototype FWs, the data buffer is located at offset 0x10 instead of 0x40. Thus we can ask why they added the 0x30 bytes padding.
 +
 
 +
=== Physical Address Range ===
    
A common format used in these requests is a list of physical address and size. This simple structure is defined below. See [[SceSysmem#sceKernelVARangeToPARangeForDriver|sceKernelVARangeToPARangeForDriver]] for information on creating this list.
 
A common format used in these requests is a list of physical address and size. This simple structure is defined below. See [[SceSysmem#sceKernelVARangeToPARangeForDriver|sceKernelVARangeToPARangeForDriver]] for information on creating this list.
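Review bot: the typo "After as 64 byte header" in the Request Buffer paragraph survives into the new revision (it should read "After a 64 byte header"), and the new wording "stop the current loaded SM" should be "currently loaded". The new header table opens with class='wikitable' (single quotes) while every other table on the page uses double quotes; match the existing style. The new rows are internally consistent (0x4 at 0xC plus 0x30 of padding equals the old 0x34 unknown region, and 0x1000-0x40 equals the old 0xFC0 maximum), so the sentence "Thus we can ask why they added the 0x30 bytes padding" would read better as a plain statement that the 0x10/0x30 split mirrors the FW 0.931 layout where the data buffer sat at 0x10.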
Line 32: Line 51:  
|-
 
|-
 
| 0x4 || 0x4 || Size
 
| 0x4 || 0x4 || Size
|-
   
|}
 
|}
   −
This data format is used when passing large buffers of data to F00D. This is because the memory manager in kernel could allocate contiguous virtual addresses that corresponds to varying physical addresses.
+
This data format is used when passing large buffers of data to [[F00D]]. This is because the memory manager in kernel could allocate contiguous virtual addresses that corresponds to varying physical addresses.
    
== kprx_auth_sm.self ==
 
== kprx_auth_sm.self ==
   −
This is a special SELF that is found in the boot [[SLB2]] partition. The raw (encrypted) SELF is found in secure world memory (placed there by an early bootloader). It is used to decrypt SELFs for ARM. The SELF header is passed into a page aligned buffer and a [[F00D Commands#Physical Address List|paddr list]] is generated from it.
+
This is a special SM found in the [[SLB2]] partition. The raw (encrypted) SELF is stored in [[Secure World]] memory. It is placed there by an early bootloader.
 +
 
 +
kprx_auth_sm is used to decrypt SELF and SPSFO files for ARM. The CF header is passed into a page aligned buffer and a [[F00D Commands#Physical Address Range|PA range]] is generated from it.
    
=== 0x10001 - sceSblAuthMgrAuthHeader ===
 
=== 0x10001 - sceSblAuthMgrAuthHeader ===
Line 158: Line 178:  
Removed on FW 2.10.
 
Removed on FW 2.10.
   −
Verify SceKitActivationData derived from AFV.
+
Verify SceKitActivationData read from sd0:/act.dat.
 +
 
 +
Uses different keys (AES256CBC and AES256CMAC) than check_activation_code_2.
   −
Use "internal" keys (?internal kits maybe? Not used on PDEL kernel).
+
Used only on TOOL rev 3.
    
{| class="wikitable"
 
{| class="wikitable"
Line 166: Line 188:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || [[SceSblSsMgr#SceKitActivationData|SceKitActivationData]]
+
| 0x0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]
 
|}
 
|}
   Line 173: Line 195:  
Removed on FW 2.10.
 
Removed on FW 2.10.
   −
Verify SceKitActivationData derived from AFV.
+
Verify SceKitActivationData read from sd0:VITA.ACT.
 +
 
 +
Uses different keys (AES256CBC and AES256CMAC) than check_activation_code_1.
   −
Use PDEL/PTEL keys. (maybe also latest DEM)
+
Used on any Kit other than TOOL rev 3 (uses command 1), TEST, TOOL rev 4, Manufacturing Mode and QA flagged (bypasses activation).
    
{| class="wikitable"
 
{| class="wikitable"
Line 181: Line 205:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || [[SceSblSsMgr#SceKitActivationData|SceKitActivationData]]
+
| 0x0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]
 
|}
 
|}
   −
=== 0x4 - check_cmac ===
+
=== 0x4 - check_nvs_cmac ===
 +
 
 +
Not present on FW 0.931.
   −
Verify ?NVS? activation data. Maybe checks CMAC.
+
Verify NVS activation data authenticity using CMAC.
    
{| class="wikitable"
 
{| class="wikitable"
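Review bot: the rewritten row "| 0x0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]" drops the "#SceKitActivationData" section anchor the old row carried, so the link now lands at the top of SceSblSsMgr instead of on the structure definition; keep the anchor. The offsets also change from 0x40-based (request buffer) to 0x0-based (data buffer), while other tables touched by this same edit (CreatePassPhrase, 0x1000B, get_product_mode) stay 0x40-based; either state the base per table or apply one convention page-wide.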
Line 192: Line 218:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || input and output: [[SceSblSsMgr#SceKitActivationData|SceKitActivationData]]
+
| 0x0 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
   −
=== 0x5 - gen_act_cmac ===
+
=== 0x5 - gen_nvs_cmac ===
    
Removed on FW 2.10.
 
Removed on FW 2.10.
   −
Get activation data. The returned data is written to NVS at offset 0x520 or 0x530.
+
Generate CMAC of NVS activation data. The returned data is written to NVS at offset 0x520 or 0x530.
    
{| class="wikitable"
 
{| class="wikitable"
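Review bot: the new sentence "Used on any Kit other than TOOL rev 3 (uses command 1), TEST, TOOL rev 4, Manufacturing Mode and QA flagged (bypasses activation)" is ambiguous about whether "(bypasses activation)" applies only to the QA flag or to everything from TEST onward; split it into two sentences, one listing the kits that use command 1 and one listing the kits that skip activation. Same anchor loss as in check_activation_code_1: "[[SceSblSsMgr|SceKitActivationData]]" drops "#SceKitActivationData".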
Line 205: Line 231:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Magic "act\0"
+
| 0x0 || 0x4 || Magic "act\0"
 
|-
 
|-
| 0x44 || 0x4 || Issue number
+
| 0x4 || 0x4 || Issue number
 
|-
 
|-
| 0x48 || 0x4 || Start validity time unix timestamp
+
| 0x8 || 0x4 || Start validity time unix timestamp
 
|-
 
|-
| 0x4C || 0x4 || End validity time unix timestamp
+
| 0xC || 0x4 || End validity time unix timestamp
 
|-
 
|-
| 0x50 || 0x10 || Unknown (returned data) ?CMAC?
+
| 0x10 || 0x10 || Output: CMAC of the 0x10 input bytes
 
|}
 
|}
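Review bot: the output row "Output: CMAC of the 0x10 input bytes" is consistent with the four 0x4 input fields (magic, issue number, start, end = 0x10) and with the 0x20 SceNVSKitActivationData size given for check_nvs_cmac, which is good; name the 0x10 input bytes as "SceNVSKitActivationData without CMAC", as the next table in this diff does, so readers can tie the two commands together.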
   Line 226: Line 252:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x10 || SceKitNVSActivationData without CMAC
+
| 0x0 || 0x10 || [[SceSblSsMgr|SceNVSKitActivationData]] without CMAC
 
|-
 
|-
| 0x50 || 0x20 || SceKitNVSActivationData
+
| 0x10 || 0x20 || [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
   Line 241: Line 267:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || [[SceSblSsMgr#SceKitActivationData|SceKitActivationData]] (new activation data)
+
| 0x0 || 0x80 || Input: [[SceSblSsMgr#|SceKitActivationData]] (new activation data)
 
|-
 
|-
| 0xC0 || 0x100 || RSA signature over new activation data
+
| 0x80 || 0x100 || Input: RSA signature over new activation data
 
|-
 
|-
| 0x1C0 || 0x80 ||[[SceSblSsMgr#SceKitActivationData|SceKitActivationData]] (previous activation data)
+
| 0x180 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (previous activation data)
 
|-
 
|-
| 0x240 || 0x100 || RSA signature over previous activation data
+
| 0x200 || 0x100 || Input: RSA signature over previous activation data
 
|-
 
|-
| 0x340 || 0x20 || Output: SceKitNVSActivationData (same as command 0x4)
+
| 0x300 || 0x20 || Output: [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
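Review bot: the row "| 0x0 || 0x80 || Input: [[SceSblSsMgr#|SceKitActivationData]]" has an empty section anchor (a trailing "#" with nothing after it); either restore "#SceKitActivationData" or drop the "#". The remaining offsets (0x80, 0x180, 0x200, 0x300) add up correctly against the field sizes.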
   Line 256: Line 282:  
Introduced in FW 2.10.
 
Introduced in FW 2.10.
   −
Check if current activation is valid. Extended activation check with signature. This is ran on boot.
+
Check if Kit Activation Data is valid and not expired. Extended activation check with signature. This command is ran on boot.
    
{| class="wikitable"
 
{| class="wikitable"
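Review bot: grammar in the new sentence: "This command is ran on boot" should be "This command is run on boot".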
Line 262: Line 288:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Unknown
+
| 0x0 || 0x4 || Input: Previous return value
 +
|-
 +
| 0x4 || 0x4 || Input: Current time
 
|-
 
|-
| 0x44 || 0x4 || Current time
+
| 0x8 || 0x4 || Output: License Status
 
|-
 
|-
| 0x48 || 0x8 || Some return value
+
| 0xC || 0x4 || Output: Expire Date
 
|-
 
|-
| 0x50 || 0x8 || Unknown
+
| 0x10 || 0x8 || Reserved
 
|-
 
|-
| 0x58 || 0x20 || SceKitNVSActivationData (same as command 0x4)
+
| 0x18 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]] (read from NVS offset 0x520)
 
|-
 
|-
| 0x78 || 0x80 || AFV data
+
| 0x38 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (read from tm0:activate/act.dat)
 
|-
 
|-
| 0xF8 || 0x100 || RSA signature over activation data
+
| 0xB8 || 0x100 || Input: RSA signature over activation data (read from tm0:activate/actsig.dat)
 
|}
 
|}
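Review bot: the new rows make explicit that the expiry check takes "Input: Current time" from the caller and returns "Output: Expire Date"; add a sentence stating that the "not expired" decision in the description is therefore made against the kernel-supplied time, since that is the property anyone auditing the activation check will want documented. The layout checks out: 0x18 + 0x20 = 0x38 and 0x38 + 0x80 = 0xB8.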
   Line 303: Line 331:  
Used in [[SceSblSsMgr#sceSblAimgrGetPscode2ForDriver|sceSblAimgrGetPscode2ForDriver]].
 
Used in [[SceSblSsMgr#sceSblAimgrGetPscode2ForDriver|sceSblAimgrGetPscode2ForDriver]].
   −
=== 0x5 - GetPassPhrase ===
+
=== 0x5 - CreatePassPhrase ===
 +
 
 +
Creates NP passphrase (per-console and per NP account).
    
Used in [[SceSblSsMgr#sceSblSsCreatePassPhraseForDriver|sceSblSsCreatePassPhraseForDriver]].
 
Used in [[SceSblSsMgr#sceSblSsCreatePassPhraseForDriver|sceSblSsCreatePassPhraseForDriver]].
   −
== compat_sm.self ==
+
Input size is 0x220 bytes.
 
  −
Compat SM functions only works on DEX and CEX units, or on units in Manufacturing Mode or with a certain QA Flag. This is why most DevKit units don't have access to PSPEmu.
  −
 
  −
=== 0x10006 - sceCompatSecLoadSCBootCode ===
  −
 
  −
Load Secure CPU Boot Code. PSP main CPU (Tachyon codename) is an Allegrex 32-bit little-endian RISC CPU with FPU and VFPU, 1 ~ 333MHz, MIPS III-based.
  −
 
  −
Called on init and before resume of PSP.
      
{| class="wikitable"
 
{| class="wikitable"
Line 321: Line 343:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Boot/resume cookie. Pass 0 when cold booting, <code>resume_handler ^ magic</code> when resuming
+
| 0x40 || 0x8 || Secure Tick
 +
|-
 +
| 0x48 || 0x4 || Unknown. Maybe version or reserved. ex: 0.
 +
|-
 +
| 0x4C || 0x4 || Arguments size in userland (0x18 bytes)
 +
|-
 +
| 0x50 || 0x10 || NP Account ID in ASCII
 
|-
 
|-
| 0x44 || 0x4 || Set to 0 (unused)
+
| 0x60 || 0x200 || IdStorage leaf 0x44 (contains PS Vita IDPS Certificate)
 
|}
 
|}
   −
On FW 3.73 (simplified):
+
Output size is 0x220 bytes.
   −
<source lang="C">
+
{| class="wikitable"
*(u32 *)SceSonyRegbus_e8000004 = 4;
+
|-
syncm();
+
! Offset !! Size !! Description
memcpy(SceCompatSharedSram_e8100000, g_pre_ipl, 0x1000);  // PRE-IPL
+
|-
memcpy(SceCompatSharedSram_e8100fc0, g_challenge, 0x40);  // Challenge (IPL XOR key)
+
| 0x40 || 0x8 || Secure Tick
memcpy(SceCompatSharedSram_e8100fbc, &cookie, 4);        // Boot/resume cookie
+
|-
syncm();
+
| 0x48 || 0x4 || Unknown. Maybe version or reserved. ex: 0.
*(u32 *)SceSonyRegbus_e8000004 = 0;
+
|-
</source>
+
| 0x4C || 0x4 || Arguments size in userland (0x18 bytes)
 +
|-
 +
| 0x50 || 0x10 || NP Account ID in ASCII
 +
|-
 +
| 0x60 || 0x200 || NP PassPhrase
 +
|}
   −
If an error occurs during SCBootCode loading:
+
== compat_sm.self ==
   −
<source lang="c">
+
Compat SM functions only works on DEX and CEX units, or on units in Manufacturing Mode or with a certain QA Flag. This is why most DevKit units don't have access to PSPEmu.
memset(SceCompatSharedSram_e8100000, 0, 0x1000); // PRE-IPL
  −
syncm();
  −
*(u32 *)SceSonyRegbus_e8000004 = 10;
  −
</source>
     −
The cookie, which represents the address where PRE-IPL will jump to when resuming, is passed by MIPS to ARM (written to <code>0xBFC001FC</code>) just before suspending, and it is calculated the same way as [https://github.com/mathieulh/Utopia_PSP/blob/master/371_main.bin.c#L409 on actual PSP], only that using <source lang="c">u8 data[] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0x00, 0xde, 0xf0 };</source> as input to the SHA1, instead of the MAC address.
+
=== 0x10006 - sceCompatSecLoadSCBootCode ===
   −
=== 0x20006 - sceCompatSecSetSSRAMAcl ===
+
Load Secure CPU Boot Code. PSP main CPU (Tachyon codename) is an Allegrex 32-bit little-endian RISC CPU with FPU and VFPU, 1 ~ 333MHz, MIPS III-based.
   −
Set Shared Static Random Access Memory Access-control list.
+
Called on init and before resume of PSP.
 
  −
Removed since FW 3.50 and replaced by command 0x30006.
      
{| class="wikitable"
 
{| class="wikitable"
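Review bot: both CreatePassPhrase tables keep 0x40-based offsets (0x60 + 0x200 = 0x260 only matches the stated 0x220 input/output size after subtracting the 0x40 header), whereas the kprx_auth_sm tables in this same edit were moved to 0x0-based offsets; pick one convention or state it above each table. "Arguments size in userland (0x18 bytes)" would benefit from a sentence on what those 0x18 bytes are, since the fields listed before the IdStorage leaf total 0x20 (0x8 + 0x4 + 0x4 + 0x10).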
Line 358: Line 385:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Set to 0
+
| 0x40 || 0x4 || Boot/resume cookie. Pass 0 when cold booting, <code>resume_handler ^ magic</code> when resuming
|-
  −
| 0x44 || 0x4 || Set to 0
   
|-
 
|-
 +
| 0x44 || 0x4 || Set to 0 (unused)
 
|}
 
|}
   −
=== 0x30006 - sceCompatSecSetSSRAMAcl2 ===
+
On FW 3.73 (simplified):
   −
Set Shared Static Random Access Memory Access-control list 2.
+
<source lang="C">
 +
*(u32 *)SceSonyRegbus_e8000004 = 4;
 +
syncm();
 +
memcpy(SceCompatSharedSram_e8100000, g_pre_ipl, 0x1000);  // PRE-IPL
 +
memcpy(SceCompatSharedSram_e8100fc0, g_challenge, 0x40);  // Challenge (IPL XOR key)
 +
memcpy(SceCompatSharedSram_e8100fbc, &cookie, 4);        // Boot/resume cookie
 +
syncm();
 +
*(u32 *)SceSonyRegbus_e8000004 = 0;
 +
</source>
   −
Appeared on FW 3.50 as replacement for command 0x20006. This change is related to the huge memory management improvement since FW 3.50. See [https://www.neogaf.com/threads/ps-vita-system-software-3-50-adds-30-more-memory-for-game-use.1028194/ PSVita System software 3.50 adds 30% more memory for game use].
+
If an error occurs during SCBootCode loading:
   −
{| class="wikitable"
+
<source lang="c">
|-
+
memset(SceCompatSharedSram_e8100000, 0, 0x1000); // PRE-IPL
! Offset !! Size !! Description
  −
|-
  −
| 0x40 || 0x4 || Unused
  −
|-
  −
|}
  −
 
  −
On 3.73-CEX (simplified):
  −
<source lang="c">
  −
*(u32 *)SceSonyRegbus_e8000004 = 4;
  −
syncm();
  −
ret = memcmp(SceCompatSharedSram_e8100fc0, g_challenge_result, 0x40); // Check challenge output
  −
if (ret == 0) {
  −
    // Success!!
  −
}
   
syncm();
 
syncm();
 
*(u32 *)SceSonyRegbus_e8000004 = 10;
 
*(u32 *)SceSonyRegbus_e8000004 = 10;
 
</source>
 
</source>
   −
== encdec_w_portability_sm.self ==
+
The cookie, which represents the address where PRE-IPL will jump to when resuming, is passed by MIPS to ARM (written to <code>0xBFC001FC</code>) just before suspending, and it is calculated the same way as [https://github.com/mathieulh/Utopia_PSP/blob/master/371_main.bin.c#L409 on actual PSP], only that using <source lang="c">u8 data[] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0x00, 0xde, 0xf0 };</source> as input to the SHA1, instead of the MAC address.
   −
This seems to be used to do some kind of key derivation. May also be used as a general purpose encryption engine.
+
=== 0x20006 - sceCompatSecSetSSRAMAcl ===
   −
=== 0x1000A - EncryptWithPortability ===
+
Set Shared Static Random Access Memory Access-control list.
   −
Encrypt data. Actually it always returns <code>0x800F1725</code>, so it does nothing and is never used.
+
Removed since FW 3.50 and replaced by command 0x30006.
    
{| class="wikitable"
 
{| class="wikitable"
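Review bot: the relocated sceCompatSecLoadSCBootCode section uses <source lang="C"> for the first snippet and <source lang="c"> for the error-path snippet; normalise the language tag. The moved code and tables are otherwise verbatim copies of the removed lines, so the move itself is fine.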
Line 402: Line 422:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Key ID (max 0xA)
+
| 0x40 || 0x4 || Set to 0
 
|-
 
|-
| 0x44 || 0x4 || Output Length
+
| 0x44 || 0x4 || Set to 0
 
|-
 
|-
| 0x48 || 0x20 || Output
+
|}
|-
+
 
| 0x68 || 0x4 || Input Length (max 0x20)
+
=== 0x30006 - sceCompatSecSetSSRAMAcl2 ===
|-
  −
| 0x6C || 0x20 || Input
  −
|-
  −
| 0x8C || 0x10 || IV
  −
|}
     −
=== 0x2000A - DecryptWithPortability ===
+
Set Shared Static Random Access Memory Access-control list 2.
   −
Used by [[SceSblSsMgr#sceSblSsDecryptWithPortabilityForDriver|sceSblSsDecryptWithPortabilityForDriver]].
+
Appeared on FW 3.50 as replacement for command 0x20006. This change is related to the huge memory management improvement since FW 3.50. See [https://www.neogaf.com/threads/ps-vita-system-software-3-50-adds-30-more-memory-for-game-use.1028194/ PSVita System software 3.50 adds 30% more memory for game use].
 
  −
Decrypt data by using AES-256-CBC with an internal key selected by <code>key_id</code>.
      
{| class="wikitable"
 
{| class="wikitable"
Line 425: Line 438:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Key ID (1 - 20)
+
| 0x40 || 0x4 || Unused
|-
  −
| 0x44 || 0x4 || Input Length (max 0x20)
  −
|-
  −
| 0x48 || 0x20 || Input
  −
|-
  −
| 0x68 || 0x4 || Output Length (must match Input Length)
  −
|-
  −
| 0x6C || 0x20 || Output
   
|-
 
|-
| 0x8C || 0x10 || IV
   
|}
 
|}
   −
Return value of 0x800f0002 means invalid service ID. For encdec_w_portability_sm, only commmands 0x1000A and 0x2000A are supported.
+
On 3.73-CEX (simplified):
 +
<source lang="c">
 +
*(u32 *)SceSonyRegbus_e8000004 = 4;
 +
syncm();
 +
ret = memcmp(SceCompatSharedSram_e8100fc0, g_challenge_result, 0x40); // Check challenge output
 +
if (ret == 0) {
 +
    // Success!!
 +
}
 +
syncm();
 +
*(u32 *)SceSonyRegbus_e8000004 = 10;
 +
</source>
   −
Return value of 0x800f1716 means invalid argument such as invalid key ID. Valid key IDs are only 1-20.
+
== encdec_w_portability_sm.self ==
   −
== gcauthmgr_sm.self ==
+
This seems to be used to do some kind of key derivation. May also be used as a general purpose encryption engine.
   −
=== 0x1000B ===
+
=== 0x1000A - EncryptWithPortability ===
   −
This is one of variable sized buffers that can be placed inside [[F00D_Commands#Request_Buffer|Request_Buffer]]
+
Encrypt data. Actually it always returns <code>0x800F1725</code>, so it does nothing and is never used.
 
  −
Type definition is located here [[SceSblSsSmComm#sceSblSmCommCallFuncForKernel|sm_comm_context]]
      
{| class="wikitable"
 
{| class="wikitable"
Line 454: Line 466:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Set to 1
+
| 0x40 || 0x4 || Key ID (max 0xA)
 
|-
 
|-
| 0x44 || 0x4 || Command (0x4, 0x7, 0xC etc.)
+
| 0x44 || 0x4 || Output Length
 
|-
 
|-
| 0x48 || 0x800 || Data Buffer (Input/Output)
+
| 0x48 || 0x20 || Output
 
|-
 
|-
| 0x848 || 0x4 || Key ID (different meaning for different commands. usually used to select one of specific static keys)
+
| 0x68 || 0x4 || Input Length (max 0x20)
 
|-
 
|-
| 0x84C || 0x4 || Data Buffer Length - Input/Written - Output
+
| 0x6C || 0x20 || Input
|-
  −
| 0x850 || 0x4 || Set to 0
   
|-
 
|-
 +
| 0x8C || 0x10 || IV
 
|}
 
|}
   −
Supported GC commands and structures
+
=== 0x2000A - DecryptWithPortability ===
   −
==== 0x4 - kirk_encrypt ====
+
Used by [[SceSblSsMgr#sceSblSsDecryptWithPortabilityForDriver|sceSblSsDecryptWithPortabilityForDriver]].
   −
Original PSP Kirk 4 service for encrypting data.
+
Decrypt data by using AES-256-CBC with an internal key selected by <code>key_id</code>.
   −
Does not use any specific data structure in <code>Data Buffer</code>.
+
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Description
 +
|-
 +
| 0x40 || 0x4 || Key ID (1 - 20)
 +
|-
 +
| 0x44 || 0x4 || Input Length (max 0x20)
 +
|-
 +
| 0x48 || 0x20 || Input
 +
|-
 +
| 0x68 || 0x4 || Output Length (must match Input Length)
 +
|-
 +
| 0x6C || 0x20 || Output
 +
|-
 +
| 0x8C || 0x10 || IV
 +
|}
   −
Just encrypts data located in <code>Data Buffer</code>.
+
Return value of 0x800f0002 means invalid service ID. For encdec_w_portability_sm, only commmands 0x1000A and 0x2000A are supported.
   −
Uses one set of keys.
+
Return value of 0x800f1716 means invalid argument such as invalid key ID. Valid key IDs are only 1-20.
   −
Available <code>Key ID</code> values are (key is encrypted with key from keyslot 0x345 and put into keyslot 0x21): 0x02, 0x03, 0x04, 0x05, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x38, 0x39, 0x3A, 0x80, 0x81, 0x82, 0x83
+
== gcauthmgr_sm.self ==
   −
Special <code>Key ID</code> 0x100 is available. Uses keys from keyslots 0x601 and 0x602.
+
=== 0x1000B ===
   −
Key 0x601 is scrambled and used as seed.
+
Execute kirk commands.
   −
Key 0x602 is scrambled and used as key.
+
This is one of the variable sized buffers that can be placed inside [[F00D_Commands#Request_Buffer|Request_Buffer]].
   −
seed is aes cbc encrypted with key to produce resulting key.
+
Response value returned to Kernel comes from [[F00D_Commands#Request_Buffer|Request Buffer]] at offset 8.
   −
==== 0x7 - kirk_decrypt ====
+
<source lang="C">
 +
// gc_param is generated by game card and has value 0x01
 +
typedef struct SceSblSmCommGcData { // size is 0x814
 +
int unk_0; // 1
 +
int command;
 +
char data[0x800];
 +
int key_id;
 +
int size;
 +
int unk_810; // 0
 +
} SceSblSmCommGcData;
 +
</source>
   −
Original PSP Kirk 7 service for decrypting data
+
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Description
 +
|-
 +
| 0x40 || 0x4 || Set to 1
 +
|-
 +
| 0x44 || 0x4 || Command (0x4, 0x7, 0xC etc.)
 +
|-
 +
| 0x48 || 0x800 || Data Buffer (Input/Output)
 +
|-
 +
| 0x848 || 0x4 || Key ID (different meaning for different commands. usually used to select one of specific static keys)
 +
|-
 +
| 0x84C || 0x4 || Data Buffer Length - Input/Written - Output
 +
|-
 +
| 0x850 || 0x4 || Set to 0
 +
|}
   −
Does not use any specific data structure in <code>Data Buffer</code>.
+
Following are the supported "KIRK" commands.
   −
Just decrypts data located in <code>Data Buffer</code>.
+
==== 0x4 - encrypt_with_portability ====
   −
Uses two sets of keys.
+
Original PSP Kirk 4 service for encrypting data.
   −
Available key ids are (key is encrypted with key from keyslot 0x345 and put into keyslot 0x21): 0x02, 0x03, 0x04, 0x05, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x38, 0x39, 0x3A, 0x80, 0x81, 0x82, 0x83
+
Does not use any specific data structure in <code>Data Buffer</code>.
   −
Available <code>Key ID</code> values are (key is encrypted with key from keyslot 0x340 and put into keyslot 0x10): 0x44, 0x53, 0x57, 0x63, 0x64, 0x68, 0xC0, 0xC1, 0xC2, 0xC3
+
Just encrypts data located in <code>Data Buffer</code>.
 +
 
 +
Uses one set of keys.
 +
 
 +
Available <code>Key ID</code> values are (key is encrypted with key from keyslot 0x345 and put into keyslot 0x21): 0x02, 0x03, 0x04, 0x05, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x38, 0x39, 0x3A, 0x80, 0x81, 0x82, 0x83.
 +
 
 +
Special <code>Key ID</code> 0x100 is available. Uses keys from keyslots 0x601 and 0x602.
 +
 
 +
Key 0x601 is scrambled and used as seed.
 +
 
 +
Key 0x602 is scrambled and used as key.
 +
 
 +
seed is aes cbc encrypted with key to produce resulting key.
 +
 
 +
==== 0x7 - decrypt_with_portability ====
 +
 
 +
Original PSP Kirk 7 service for decrypting data.
 +
 
 +
Does not use any specific data structure in <code>Data Buffer</code>.
 +
 
 +
Just decrypts data located in <code>Data Buffer</code>.
 +
 
 +
Uses two sets of keys.
 +
 
 +
Available key ids are (key is encrypted with key from keyslot 0x345 and put into keyslot 0x21): 0x02, 0x03, 0x04, 0x05, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x38, 0x39, 0x3A, 0x80, 0x81, 0x82, 0x83.
 +
 
 +
Available <code>Key ID</code> values are (key is encrypted with key from keyslot 0x340 and put into keyslot 0x10): 0x44, 0x53, 0x57, 0x63, 0x64, 0x68, 0xC0, 0xC1, 0xC2, 0xC3.
    
Special <code>Key ID</code> 0x100 is available. Uses keys from keyslots 0x601 and 0x602 (will be documented later).
 
Special <code>Key ID</code> 0x100 is available. Uses keys from keyslots 0x601 and 0x602 (will be documented later).
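Review bot: the Key ID ranges in encdec_w_portability_sm contradict each other as left in this revision: the 0x1000A table says "Key ID (max 0xA)", the 0x2000A table says "Key ID (1 - 20)", and the closing sentence says "Valid key IDs are only 1-20"; since 0x1000A is documented as always returning 0x800F1725, say which command the 1-20 range was observed on ("commmands" in that sentence is also a typo). Renaming gcauthmgr_sm commands 0x4/0x7 to encrypt_with_portability/decrypt_with_portability gives them the same names as the unrelated encdec_w_portability_sm commands 0x1000A/0x2000A (EncryptWithPortability/DecryptWithPortability) in the section directly above; if that is intentional, say so, otherwise keep the kirk_ prefix. The removed line "Type definition is located here [[SceSblSsSmComm#sceSblSmCommCallFuncForKernel|sm_comm_context]]" was the only cross-reference to the kernel-side type; keep it beside the new SceSblSmCommGcData typedef, and say which field the comment "gc_param is generated by game card and has value 0x01" refers to (unk_0 is the only field annotated as 1). The typedef's field sizes sum to the stated 0x814 and match the table (0x40 through 0x854).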
Line 512: Line 589:  
seed is aes cbc encrypted with key to produce resulting key.
 
seed is aes cbc encrypted with key to produce resulting key.
   −
==== 0xC - kirk_ecc160_generate_keys ====
+
==== 0xC - ecc160_generate_keys ====
    
Original PSP Kirk 0xC service for Generating a 160bit ECC private/public keypair. Call with an empty buffer of length 0x3C. The structure below is the return structure.
 
Original PSP Kirk 0xC service for Generating a 160bit ECC private/public keypair. Call with an empty buffer of length 0x3C. The structure below is the return structure.
Line 539: Line 616:  
|}
 
|}
   −
==== 0xD - kirk_ecc160_multiply ====
+
==== 0xD - ecc160_multiply ====
    
Original PSP Kirk 0xD service for multiplying a 160bit ECC curve point with a value. Call with a multiplier, x and y point value.
 
Original PSP Kirk 0xD service for multiplying a 160bit ECC curve point with a value. Call with a multiplier, x and y point value.
Line 567: Line 644:  
|}
 
|}
   −
==== 0xE - kirk_ecc160_generate_random ====
+
==== 0xE - ecc160_prngen ====
   −
Original PSP Kirk 0xE service for 160bit Random number generation. Call with an empty buffer, the result structure is below.
+
Original PSP Kirk 0xE service for 160bit Random number generation. Call with an empty buffer.
   −
Output:
   
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0x14 || Cryptographic Random Number
+
| 0x0|| 0x14 || Output: Pseudo Random Number
 
|-
 
|-
 
|}
 
|}
   −
==== 0x10 - kirk_ecc160_sign ====
+
==== 0x10 - ecc160_sig_gen ====
    
Original PSP Kirk 0x10 service for 160bit ECC signing.
 
Original PSP Kirk 0x10 service for 160bit ECC signing.
Line 599: Line 675:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0x20 || Encrypted private key (see kirk-engine implementation for fuse_id process for encryption)
+
| 0x0|| 0x20 || Encrypted private key
 
|-
 
|-
| 0x20|| 0x14 || SHA1 hash of the content you want signed
+
| 0x20|| 0x14 || SHA1 hash of the content to sign
 
|-
 
|-
 
|}
 
|}
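Review bot: the new row "Encrypted private key" drops the old pointer "(see kirk-engine implementation for fuse_id process for encryption)", which was the only hint of how the 0x20-byte private key field is wrapped; keep the reference or replace it with a description of the encryption.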
Line 616: Line 692:  
|}
 
|}
   −
==== 0x11 - kirk_ecc160_verify ====
+
==== 0x11 - ecc160_sig_verify ====
    
Original PSP Kirk 0x11 service for 160bit ECC signature verification. Call with the below structure, then function will return pass or fail.
 
Original PSP Kirk 0x11 service for 160bit ECC signature verification. Call with the below structure, then function will return pass or fail.
Line 631: Line 707:  
| 0x14|| 0x14 || Public Key Y component
 
| 0x14|| 0x14 || Public Key Y component
 
|-
 
|-
| 0x28|| 0x14 || SHA1 hash of the content that is signed
+
| 0x28|| 0x14 || SHA1 hash of the signed content
 
|-
 
|-
 
| 0x3C|| 0x14 || ECC Signature R component
 
| 0x3C|| 0x14 || ECC Signature R component
Line 640: Line 716:  
No output.
 
No output.
   −
==== 0x12 - verify_cmac_signature ====
+
==== 0x12 - cert_verify ====
    
This function checks that CMAC of <code>Message</code> equals <code>Encrypted CMAC value</code>.
 
This function checks that CMAC of <code>Message</code> equals <code>Encrypted CMAC value</code>.
Line 661: Line 737:  
|}
 
|}
   −
==== 0x14 - kirk_ecc224_generate_keys ====
+
==== 0x14 - ecc224_generate_keys ====
   −
New Vita Kirk 0x14 service for Generating a 224bit ECC private/public keypair. Call with an empty buffer of length 0x54. The structure below is the return structure.
+
New Vita Kirk 0x14 service for generating a 224bit ECC private/public keypair. Call with an empty buffer of length 0x54. The structure below is the return structure.
    
Private key <code>dA</code> is obtained by:
 
Private key <code>dA</code> is obtained by:
Line 688: Line 764:  
|}
 
|}
   −
==== 0x15 - kirk_ecc224_multiply ====
+
==== 0x15 - ecc224_multiply ====
    
New Vita Kirk 0x15 service for multiplying a 224bit ECC curve point with a value. Call with a multiplier, x and y point value.
 
New Vita Kirk 0x15 service for multiplying a 224bit ECC curve point with a value. Call with a multiplier, x and y point value.
Line 716: Line 792:  
|}
 
|}
   −
==== 0x16 - kirk_ecc224_generate_random ====
+
==== 0x16 - ecc224_prngen ====
   −
New Vita Kirk 0x16 service for 224bit Random number generation. Call with an empty buffer, the result structure is below.
+
New Vita Kirk 0x16 service for 224bit Random number generation. Call with an empty buffer.
   −
Output:
   
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0x1C || Cryptographic Random Number
+
| 0x0|| 0x1C || Output: Pseudo Random Number
 
|-
 
|-
 
|}
 
|}
   −
==== 0x17 - kirk_ecc224_sign ====
+
==== 0x17 - ecc224_sig_gen ====
    
New Vita Kirk 0x17 service for 224bit ECC signing.
 
New Vita Kirk 0x17 service for 224bit ECC signing.
Line 765: Line 840:  
|}
 
|}
   −
==== 0x18 - kirk_ecc224_verify ====
+
==== 0x18 - ecc224_sig_verify ====
    
New Vita Kirk 0x18 service for 224bit ECDSA signature verification. Call with the below structure, then function will return pass or fail.
 
New Vita Kirk 0x18 service for 224bit ECDSA signature verification. Call with the below structure, then function will return pass or fail.
Line 786: Line 861:  
|}
 
|}
   −
==== 0x19 - verify_cmac_signature ====
+
==== 0x19 - cert_verify_new ====
    
This function checks that CMAC of <code>Message</code> equals <code>Encrypted CMAC value</code>.
 
This function checks that CMAC of <code>Message</code> equals <code>Encrypted CMAC value</code>.
Line 796: Line 871:  
Key in keyslot 0x0 is derived using key from keyslot 0x204 with static seed value.
 
Key in keyslot 0x0 is derived using key from keyslot 0x204 with static seed value.
   −
This function is related to IdStorage somehow.
+
This function is used to verify PSVita new IdStorage Certificates.
    
Input:
 
Input:
Line 803: Line 878:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0xD8 || Message
+
| 0x0|| 0xE8 || Input: Certificate
|-
  −
| 0xD8|| 0x10 || Encrypted CMAC value
  −
|-
   
|}
 
|}
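Review bot: the 0x19 input table now has a single "Input: Certificate" row of 0xE8 bytes (the old 0xD8 Message plus 0x10 Encrypted CMAC), but the unchanged description two hunks above still says the function "checks that CMAC of Message equals Encrypted CMAC value"; update it to say that the certificate carries the CMAC in its last 0x10 bytes, or keep the two rows, so the prose and the layout agree.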
   Line 825: Line 897:  
- this way we know that card knows how to properly encrypt.
 
- this way we know that card knows how to properly encrypt.
   −
- kirk service 1B will decrypt packet 8 with key_id and master_key
+
- Kirk service 1B will decrypt packet 8 with key_id and master_key
    
- then it will verify challenge0
 
- then it will verify challenge0
Line 1,049: Line 1,121:  
|}
 
|}
   −
==== 0x21 - kirk_ecc160_sign ====
+
==== 0x21 - ecc160_hmac_sha256_sig_gen ====
    
New Vita Kirk 0x21 service for 160bit ECC signing.  
 
New Vita Kirk 0x21 service for 160bit ECC signing.  
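Review bot: the new name ecc160_hmac_sha256_sig_gen introduces HMAC-SHA256, but the unchanged description still reads "New Vita Kirk 0x21 service for 160bit ECC signing" and the input is a 0x14-byte "Message hash"; add a sentence on what the HMAC-SHA256 is computed over and which key it uses, so the name is backed by the description.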
Line 1,070: Line 1,142:  
| 0x0|| 0x20 || unknown, must be zeroes
 
| 0x0|| 0x20 || unknown, must be zeroes
 
|-
 
|-
| 0x20|| 0x14 || message hash
+
| 0x20|| 0x14 || Message hash
 
|-
 
|-
 
|}
 
|}
Line 1,085: Line 1,157:  
|}
 
|}
   −
==== 0x22 - kirk_ecc224_sign_sceebootpbp ====
+
==== 0x22 - ecc224_sceebootpbp_sig_gen ====
    
New Vita Kirk 0x22 service for 224bit ECC signing.  
 
New Vita Kirk 0x22 service for 224bit ECC signing.  
Line 1,126: Line 1,198:     
New Vita Kirk 0x23 service.
 
New Vita Kirk 0x23 service.
 +
 +
It encrypts the plain message with AES128CBC, static key and null IV, then calculates the AES128CMAC of the encrypted message with another static key.
    
Input:
 
Input:
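Review bot: the added description "AES128CBC, static key and null IV" applied to a single 0x10-byte plain message means the encryption is deterministic (identical plaintext always yields identical ciphertext; CBC with a fixed IV on one block behaves like ECB), which is worth stating explicitly since it tells readers outputs can be compared across calls. "AES128CMAC of the encrypted message with another static key" should also say whether the CMAC covers only the 0x10 ciphertext bytes, as the output table (0x10 encrypted message, 0x10 CMAC) suggests.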
Line 1,132: Line 1,206:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0x10 || Message
+
| 0x0|| 0x10 || Plain message
 
|-
 
|-
 
|}
 
|}
Line 1,141: Line 1,215:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x0|| 0x10 || Encrypted Message
+
| 0x0|| 0x10 || Encrypted message
 
|-
 
|-
| 0x10|| 0x10 || Encrypted Message CMAC
+
| 0x10|| 0x10 || Encrypted message CMAC
 
|-
 
|-
 
|}
 
|}
Line 1,151: Line 1,225:  
[[SceSblPostSsMgr#sceSblPmMgrAuthEtoIForDriver|sceSblPmMgrAuthEtoIForDriver]] uses "sd0:sm/pm_sm_sd.self" whilst other PmSm functions use "os0:sm/pm_sm.self".
 
[[SceSblPostSsMgr#sceSblPmMgrAuthEtoIForDriver|sceSblPmMgrAuthEtoIForDriver]] uses "sd0:sm/pm_sm_sd.self" whilst other PmSm functions use "os0:sm/pm_sm.self".
   −
Services 9 and 0xA appeared on 1.03 (maybe 1.00). They are not present on 0.990 and earlier.
+
Services 8, 9 and 0xA appeared on FW 1.03 (maybe 1.00). They are not present on FW 0.990 and earlier.
 +
 
 +
Keyset must be between 0-0xC on FW 0.931.
    
=== 0x1 - get_product_mode ===
 
=== 0x1 - get_product_mode ===
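Review bot: the added line "Keyset must be between 0-0xC on FW 0.931." conflicts with the keyset columns of the command tables further down, which list 14 (0xE) as a valid keyset. State explicitly that the 0x0-0xC limit is specific to FW 0.931, give the range accepted on later FWs, and say whether the bounds are inclusive.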
Line 1,157: Line 1,233:  
Used by sceSblPmMgrGetProductModeFromNVS.
 
Used by sceSblPmMgrGetProductModeFromNVS.
   −
Data size is 0x28 bytes. (0x20 bytes used)
+
Data size is 0x28 bytes.
    
Input: 0x20 buffer read from NVS at offset 0.
 
Input: 0x20 buffer read from NVS at offset 0.
Line 1,164: Line 1,240:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Output: product mode
+
| 0x40 || 0x4 || Output: Product Mode
 
|-
 
|-
| 0x44 || 0x4 || zeroed
+
| 0x44 || 0x4 || Reserved
 
|-
 
|-
| 0x48 || 0x20 || input only: NVS data read at offset 0
+
| 0x48 || 0x20 || Input: NVS block read at offset 0
 
|}
 
|}
   Line 1,175: Line 1,251:  
Used by sceSblPmMgrSetProductMode.
 
Used by sceSblPmMgrSetProductMode.
   −
Data size is 0x28 bytes. (0x20 bytes used)
+
Data size is 0x28 bytes.
    
Input: 0x20 bytes buffer read from NVS at offset 0, to which is written the new product mode to set.
 
Input: 0x20 bytes buffer read from NVS at offset 0, to which is written the new product mode to set.
Line 1,184: Line 1,260:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || new product mode
+
| 0x40 || 0x4 || Input: Product Mode
 +
|-
 +
| 0x44 || 0x4 || Reserved
 
|-
 
|-
| 0x44 || 0x1C || output only
+
| 0x48 || 0x20 || Input and output: NVS block read/written at offset 0
 
|}
 
|}
    
=== 0x3 - gen_req_hello ===
 
=== 0x3 - gen_req_hello ===
   −
Input: 0x30 bytes buffer.
+
This command gets the Ernie secure packet for the first JIG auth command.
   −
This is the first JIG auth command. The 0x28 buffer content is for the first time set by this service.
+
Data size is 0x30 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1 (6 or 14)
+
| 0x40 || 0x4 || Input: keyset (6, 14)
 
|-
 
|-
| 0x44 || 0x4 || arg2 (1 when arg1 in [4, 6, 12]; 2 when arg1 in [14]; otherwise undefined)
+
| 0x44 || 0x4 || Input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when keyset in [14]; otherwise undefined)
 
|-
 
|-
| 0x48 || 0x28 || output only
+
| 0x48 || 0x28 || Output: Ernie secure packet
 
|}
 
|}
    
=== 0x4 - gen_challenge ===
 
=== 0x4 - gen_challenge ===
   −
Input: 0x30 bytes buffer.
+
Data size is 0x30 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1 (6 or 14)
+
| 0x40 || 0x4 || Input: keyset (6, 14)
 
|-
 
|-
| 0x44 || 0x4 || arg2 (1 when arg1 in [4, 6, 12]; 2 when arg1 in [14]; otherwise undefined)
+
| 0x44 || 0x4 || Input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when keyset in [14]; otherwise undefined)
 
|-
 
|-
| 0x48 || 0x28 || input and output
+
| 0x48 || 0x28 || Input and output: Ernie secure packet
 
|}
 
|}
    
=== 0x5 - check_response ===
 
=== 0x5 - check_response ===
   −
Input: 0x30 bytes buffer.
+
Returns 0 on success.
   −
Returns 0 on success, doesn't modify the input buffer.
+
Data size is 0x30 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1 (6 or 14)
+
| 0x40 || 0x4 || input: keyset (6, 14)
 
|-
 
|-
| 0x44 || 0x4 || arg2 (1 when arg1 in [4, 6, 12]; 2 when arg1 in [14]; otherwise undefined)
+
| 0x44 || 0x4 || input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when arg1 in [14]; otherwise undefined)
 
|-
 
|-
| 0x48 || 0x28 || input only
+
| 0x48 || 0x28 || input: Ernie secure packet
 
|}
 
|}
    
=== 0x6 - gen_req_result ===
 
=== 0x6 - gen_req_result ===
   −
Input: 0x30 bytes buffer.
+
Encrypts Ernie secure packet for step 4 with the chosen keyset.
 +
 
 +
Data size is 0x30 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1 (6 or 14)
+
| 0x40 || 0x4 || Input: keyset (4, 6 on FW 0.931-3.60)
 
|-
 
|-
| 0x44 || 0x4 || arg2 (1 when arg1 in [4, 6, 12]; 2 when arg1 in [14]; otherwise undefined)
+
| 0x44 || 0x4 || Input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when keyset in [14]; otherwise undefined)
 
|-
 
|-
| 0x48 || 0x28 || input and output
+
| 0x48 || 0x28 || Input and output: Ernie secure packet
 
|}
 
|}
    
=== 0x7 - check_result ===
 
=== 0x7 - check_result ===
   −
Input: 0x30 bytes buffer.
+
Returns 0 on success.
   −
Returns 0 on success, doesn't modify the input buffer.
+
Data size is 0x30 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1 (6 or 14)
+
| 0x40 || 0x4 || Input: keyset (4, 6, 14)
 
|-
 
|-
| 0x44 || 0x4 || arg2 (1 when arg1 in [4, 6, 12]; 2 when arg in [14]; otherwise undefined)
+
| 0x44 || 0x4 || Input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when keyset in [14]; otherwise undefined)
 
|-
 
|-
| 0x48 || 0x28 || input only
+
| 0x48 || 0x28 || Input: Ernie secure packet
 
|}
 
|}
   −
=== 0x8 ===
+
=== 0x8 - run_pm_command ===
 +
 
 +
Not present in old FWs.
   −
Used on 1.03+ by sceSblPmMgrGetProductModeFromNVS.
+
Used on FW 1.03+ by sceSblPmMgrGetProductModeFromNVS.
   −
Input: 0x70 bytes buffer.
+
Data size is 0x70 bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || new product mode
+
| 0x40 || 0x4 || Input: Command (0: gen_get_mgmt_data_req, 1: get_mgmt_data, 3: decrypt_response, 4: set_product_mode, 5: set_product_mode_off, 7: set_sd_mode_off)
 
|-
 
|-
| 0x44 || 0x4 || 0
+
| 0x44 || 0x4 || Reserved
 
|-
 
|-
| 0x48 || 0x4 || out1: current product mode
+
| 0x48 || 0x4 || Input and output: product mode
 
|-
 
|-
| 0x4C || 0x4 || out2
+
| 0x4C || 0x4 || Input and output: unknown Mgmt Data
 
|-
 
|-
| 0x50 || 0x60 || unk
+
| 0x50 || 0x30 || Input and output: Ernie secure packet for setting Product Mode
 +
|-
 +
| 0x80 || 0x30 || Input and output: Ernie secure packet for getting Product mode
 
|}
 
|}
    
=== 0x9 - gen_jig_message ===
 
=== 0x9 - gen_jig_message ===
   −
Only on 1.03+.
+
Only on FW 1.03+.
   −
Input: 0x10C bytes buffer.
+
Data size is 0x10C bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1: flag.
+
| 0x40 || 0x4 || Input: keyset_flag (0x48 for keyset 4, 0x49 for keyset 12)
 
|-
 
|-
| 0x44 || 0x4 || arg2
+
| 0x44 || 0x4 || Reserved
 
|-
 
|-
| 0x48 || 0x104 || output
+
| 0x48 || 0x104 || Output: jig_message
 
|}
 
|}
    
=== 0xA - check_jig_response ===
 
=== 0xA - check_jig_response ===
   −
Only on 1.03+.
+
Only on FW 1.03+.
 +
 
 +
Returns 0 on success.
   −
Input: 0x10C bytes buffer.
+
Data size is 0x10C bytes.
    
{| class="wikitable"
 
{| class="wikitable"
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || arg1: flag.
+
| 0x40 || 0x4 || Input: keyset_flag (0x48 for keyset 4, 0x49 for keyset 12)
 
|-
 
|-
| 0x44 || 0x4 || arg2
+
| 0x44 || 0x4 || Reserved
 
|-
 
|-
| 0x48 || 0x104 || input
+
| 0x48 || 0x104 || Input: jig_response
 
|}
 
|}
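Review bot: the 0x5 check_response table is the only one left with lowercase "input:" labels, and its keyset_rev row still says "2 when arg1 in [14]" after arg1 was renamed to keyset everywhere else; change it to "Input: keyset_rev (1 when keyset in [4, 6, 12]; 2 when keyset in [14]; otherwise undefined)" to match the 0x3, 0x4, 0x6 and 0x7 tables. In the 0x8 run_pm_command table the command list skips 2 and 6; if those values are unknown rather than unused, say so.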
   Line 1,433: Line 1,519:  
== update_service_sm.self ==
 
== update_service_sm.self ==
   −
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files. Both 0x40002 and 0x50002 reference buffers in the following way: an inner paddr list is generated for the buffer containing the data to encrypt/decrypt, then an outer paddr list is generated for the inner list. That means there's two levels of indirection in the paddr list.
+
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files.
 +
 
 +
<s>Both 0x40002 and 0x50002 reference buffers in the following way: an inner paddr list is generated for the buffer containing the data to encrypt/decrypt, then an outer paddr list is generated for the inner list. That means there's two levels of indirection in the paddr list.</s>
 +
 
 +
Services with PA Vectors to pass data to F00D decide whether to use normal vectors or deep vectors depending on the flag of the argument.
    
=== 0x10002 - sceSblUsSmAuthPupHeader ===
 
=== 0x10002 - sceSblUsSmAuthPupHeader ===
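Review bot: the replacement sentence "depending on the flag of the argument" does not identify which argument or which flag bit selects deep vectors, so the statement is not actionable; name the field and the value that enables deep vectors. Keeping the old paddr-list paragraph under <s> also leaves two contradicting descriptions on the page: if the two-level indirection claim is wrong, delete it, and if it is simply the "deep vectors" case, say so instead of striking it.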
Line 1,439: Line 1,529:  
SCE_SBL_SM_COMM_FID_SM_AUTH_PUP_HEADER.
 
SCE_SBL_SM_COMM_FID_SM_AUTH_PUP_HEADER.
   −
Verify PUP header.
+
Verify PUP header (with hash check).
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
   −
Input: PA vector of the PUP header including the PUP Hash (size: 0x80 + segment_num * 0x60 + 0x20)
+
Input: PA vector of the PUP header including the PUP Hash (size: 0x80 + segment_num * 0x20 + segment_num * 0x40 + 0x20)
    
=== 0x20002 - sceSblUsSmAuthPupSegment ===
 
=== 0x20002 - sceSblUsSmAuthPupSegment ===
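Review bot: the rewritten size formula "0x80 + segment_num * 0x20 + segment_num * 0x40 + 0x20" evaluates to exactly the old "0x80 + segment_num * 0x60 + 0x20". If the split is meant to document that the header carries two per-segment arrays (0x20-byte entries followed by 0x40-byte entries), say that explicitly and name the arrays; otherwise the change reads as a no-op.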
Line 1,451: Line 1,541:  
Verify PUP segment.
 
Verify PUP segment.
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
    
=== 0x30002 - sceSblUsSmAuthPupWatermark ===
 
=== 0x30002 - sceSblUsSmAuthPupWatermark ===
Line 1,459: Line 1,549:  
Verify PUP watermark.
 
Verify PUP watermark.
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
    
Input data: a packet embedding at least two paddr (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
 
Input data: a packet embedding at least two paddr (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
Line 1,692: Line 1,782:  
   int sector_count; // always 0 (Mgmt Data)
 
   int sector_count; // always 0 (Mgmt Data)
 
   int status; // not set for read, set for write
 
   int status; // not set for read, set for write
   int flags; // not set for read, set for write
+
   int flags; // not set for read, set for write
   char unk_10[0x30]; // output: input for nvs_read_special or nvs_write_special
+
   char unk_10[0x30]; // output: input for nvs_read_special or nvs_write_special
   char unk_40[0x30]; // input: output for nvs_read_special or nvs_write_special
+
   char unk_40[0x30]; // input: output for nvs_read_special or nvs_write_special
} data;
+
} data;
</source>
+
</source>
 +
 
 +
Usage:
 +
* 1) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
 +
For write:
 +
* 2) nvs_write_special(data + 0x10, 0x30, data + 0x40, 0x10);
 +
For read:
 +
* 2) nvs_read_special(data + 0x10, 0x10, data + 0x40, 0x30);
 +
* 3) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
 +
 
 +
=== 0xD0002 ===
 +
 
 +
Syscon update related. Usage is to proxy encrypted data F00D <=> Syscon.
 +
 
 +
Data size is 0x58 bytes.
 +
 
 +
<source lang="C">
 +
typedef struct data { // Size is 0x58 bytes on FW 3.60
 +
  int mode; // ex: 0, 1, 2, 3, 4
 +
  int unk_4; // Maybe unused
 +
  char unk_8[0x28]; // input: syscon command 0xD2 output
 +
  char unk_30[0x28]; // output: syscon command 0xD2 input
 +
} data;
 +
</source>
 +
 
 +
Usage:
 +
* 1) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
 +
For modes 0, 1 and 3:
 +
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
 +
* 3) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
 +
 
   −
Usage:
+
Mode
* 1) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
  −
For write:
  −
* 2) nvs_write_special(data + 0x10, 0x30, data + 0x40, 0x10);
  −
For read:
  −
* 2) nvs_read_special(data + 0x10, 0x10, data + 0x40, 0x30);
  −
* 3) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
     −
=== 0xD0002 ===
+
0 - Do init 0x28 buffer.
   −
Syscon update related. Usage is to proxy encrypted data F00D <=> Syscon.
+
1 - Do bigmac unknown crypto with some blob.
   −
Data size is 0x58 bytes.
+
2 - Do bigmac unknown crypto with some blob.
   −
<source lang="C">
+
3 - Do bigmac unknown crypto with some blob.
typedef struct data { // Size is 0x58 bytes on FW 3.60
  −
  int mode; // ex: 0, 1, 2, 3, 4
  −
  int unk_4; // Maybe unused
  −
  char unk_8[0x28]; // input: syscon command 0xD2 output
  −
  char unk_30[0x28]; // output: syscon command 0xD2 input
  −
} data;
  −
</source>
     −
Usage:
+
4 - Do some working. And reset syscon ticket count with Bigmac PRNG (Keyslot 0x512).
* 1) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
  −
For modes 0, 1 and 3:
  −
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
  −
* 3) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
      
== utoken_sm.self ==
 
== utoken_sm.self ==
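Review bot: the new mode list for 0xD0002 is malformed: the bare "Mode" line is a dangling header and entries 0 to 4 are separated by blank lines instead of being a list, and the usage steps above only cover "modes 0, 1 and 3" while the list also documents modes 2 and 4. Say what the caller does for modes 2 and 4 (a single call with no Syscon round trip, or something else), and format the modes as a wiki list, e.g. "* 0 - Do init 0x28 buffer.".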
Line 1,765: Line 1,868:  
Magic Gate Key Manager secure module.
 
Magic Gate Key Manager secure module.
    +
Present on 0.931-3.73. Commands are almost the same on any FW, only KEY_31 varies.
 +
0
 
These commands are used to set keys (as seen on FWs from 0.940 to 3.60) to [[Dmac5|DMAC5]] registers in NS memory. These keys are used in to do encryption stuff with AES-ECB and TripleDES-ECB algorithms through [[Dmac5|DMAC5]].
 
These commands are used to set keys (as seen on FWs from 0.940 to 3.60) to [[Dmac5|DMAC5]] registers in NS memory. These keys are used in to do encryption stuff with AES-ECB and TripleDES-ECB algorithms through [[Dmac5|DMAC5]].
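Review bot: the stray "0" line after "Present on 0.931-3.73. Commands are almost the same on any FW, only KEY_31 varies." looks like a typo and should be removed. The FW ranges also disagree: the new line says 0.931-3.73 while the next sentence still says "as seen on FWs from 0.940 to 3.60"; update the second to match or explain why they differ.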
   Line 1,785: Line 1,890:  
<source lang="C">
 
<source lang="C">
 
memset(buffer, 0, 0x20);
 
memset(buffer, 0, 0x20);
memcpy(buffer, KEY_1, 0x10);
+
memcpy(buffer, KEY_31, 0x10);
 
bigmac_memcpy(0xE04E0000 + 0x1F * 0x20, buffer, 0x20);
 
bigmac_memcpy(0xE04E0000 + 0x1F * 0x20, buffer, 0x20);
 
</source>
 
</source>
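Review bot: the rename KEY_1 -> KEY_31 matches the destination slot (0xE04E0000 + 0x1F * 0x20, i.e. slot 31), which is a clearer convention; add one sentence above the snippets stating that key names follow the DMAC5 keyslot index, so the reader can decode KEY_30_SEED the same way.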
Line 1,794: Line 1,899:  
memset(buffer, 0, 0x20);
 
memset(buffer, 0, 0x20);
 
memcpy(buffer, pOpenPsId, 0x10);
 
memcpy(buffer, pOpenPsId, 0x10);
memcpy(buffer + 0x10, KEY_2, 0x10);
+
memcpy(buffer + 0x10, KEY_30_SEED, 0x10);
 
bigmac_sha256(buffer, buffer, 0x20);
 
bigmac_sha256(buffer, buffer, 0x20);
 
bigmac_memcpy(0xE04E0000 + 0x1E * 0x20, buffer, 0x20);
 
bigmac_memcpy(0xE04E0000 + 0x1E * 0x20, buffer, 0x20);
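Review bot: with the rename to KEY_30_SEED this snippet now reads as a per-console key derivation: slot 0x1E (30) receives SHA-256(OpenPsId || KEY_30_SEED). Document that in the text rather than leaving it implicit in the code, and note the consequence: KEY_30_SEED is static and only the OpenPsId varies, so slot 0x1E differs per console while slot 0x1F holds the same key on every unit.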
