Changes

1,258 bytes added ,  14:25, 25 May 2020
Line 204: Line 204:  
   It reads three times, if first read != 0x20, second != 0x30, third != 0x31 then it writes 6 to 0xE0070014.
 
   It reads three times, if first read != 0x20, second != 0x30, third != 0x31 then it writes 6 to 0xE0070014.
   −
=== 0xF01: GetEncryptedInfoBlk ===
+
=== 0xF01: GetSKSO ===
  It encrypts a block of size 0x80 with key=eeprom_blk_515, and hardcoded iv from .data.
     −
  Block looks like this:
+
This command was not existing on FW 1.05.
    +0x00: Magic (0xACB4ACB1)
  −
    +0x04: One
  −
    +0x08: Random (read from 0xE005003C)
  −
    +0x0C: Zero
  −
    +0x10: EEPROM sector 0x511
  −
    +0x30: EEPROM sector 0x512
  −
    +0x50: EEPROM sector 0x517
  −
    +0x70: AES-256-CMAC using key from EEPROM sector 0x514.
     −
  It memcpys this encrypted info-blk size 0x80 to 0x4001FF00.
+
Temp name was GetEncryptedInfoBlk.
  Then it programs (u32)1, followed by zeroes, to EEPROM sector 0x516.
     −
After processing, 0xFFFFFFFF is written to 0xE0000010.
+
This command setups an encrypted SKSO then copies it to paddr 0x4001FF00.
 +
 
 +
<source lang="C">
 +
typedef struct SceSKSOData_169 {
 +
    char data_0x511[0x20]; // Comes from Bigmac keyslot 0x511
 +
    char data_0x512[0x20]; // Comes from Bigmac keyslot 0x512
 +
    char data_0x517[0x20]; // Comes from Bigmac keyslot 0x517
 +
} SceSKSO_169;
 +
 
 +
typedef struct SceSKSOData_360 {
 +
    char data_0x511[0x20]; // Comes from Bigmac keyslot 0x511
 +
    char data_0x512[0x20]; // Comes from Bigmac keyslot 0x512
 +
    char data_0x517[0x20]; // Comes from Bigmac keyslot 0x517
 +
    char data_0x519[0x20]; // Comes from Bigmac keyslot 0x519
 +
} SceSKSO_360;
 +
 
 +
typedef struct SceSKSOHeader {
 +
    SceInt32 magic; // Magic (0xACB4ACB1 = -0x534B534F -> "SKSO")
 +
    SceInt32 unk_one; // Always 1
 +
    SceUInt32 random; // Pseudo random number (read from 0xE005003C)
 +
    SceInt32 zero_or_padding; // Always 0
 +
} SceSKSOHeader;
 +
 
 +
typedef struct SceSKSO_169 {
 +
    SceSKSOHeader header;
 +
    SceSKSOData_169 data;
 +
    char cmac_hash[0x10]; // AES256CMAC hash using keyslot 0x514 as key
 +
} SceSKSO_169;
 +
 
 +
typedef struct SceSKSO_360 {
 +
    SceSKSOHeader header;
 +
    SceSKSOData_360 data;
 +
    char cmac_hash[0x10]; // AES256CMAC hash using keyslot 0x514 as key
 +
} SceSKSO_360;
 +
</source>
 +
 
 +
This command does:
 +
* It generates SKSO header.
 +
* It generates SKSO data by reading keyslots 0x511, 0x512, 0x517 (and 0x519 on newer FWs).
 +
* It appends a AES256CMAC hash of header+data using keyslot 0x514 as key.
 +
* It AES-128-CBC encrypts a block of size 0xA0 with key coming from keyslot 0x515, and hardcoded IV from .data.
 +
* It memcpys the encrypted SKSO to paddr 0x4001FF00.
 +
* It writes (u32)1, followed by zeroes, to Bigmac keyslot 0x516. That's a sort of status.
 +
 
 +
 
 +
 
 +
After processing, -1 is written to 0xE0000010.
 
Then comes the real switch.
 
Then comes the real switch.
 
This one gives different func-ptrs.
 
This one gives different func-ptrs.
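Review bot: The added `<source lang="C">` block does not compile as written: the two data structs are closed with the wrong typedef names, `typedef struct SceSKSOData_169 { ... } SceSKSO_169;` and `typedef struct SceSKSOData_360 { ... } SceSKSO_360;`, so `SceSKSO_169` / `SceSKSO_360` are later redefined by the full-structure typedefs and `SceSKSOData_169 data;` / `SceSKSOData_360 data;` refer to typedef names that were never declared. Closing them with `} SceSKSOData_169;` and `} SceSKSOData_360;` fixes both problems. Also, the bullet "It AES-128-CBC encrypts a block of size 0xA0" only matches the 3.60 layout (0x10 header + 0x80 data + 0x10 CMAC); with the 1.69 layout the block is 0x10 + 0x60 + 0x10 = 0x80, which is the size the replaced text gave, so the bullet should state 0x80 on FW 1.69 and 0xA0 on newer FWs to stay consistent with the structs it follows.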