Changes

1,537 bytes added, 09:05, 30 May 2021
Line 178: Line 178:  
Removed on FW 2.10.
 
Removed on FW 2.10.
   −
Verify SceKitActivationData derived from AFV.
+
Verify SceKitActivationData read from sd0:/act.dat.
   −
Uses "internal" keys (?internal kits maybe? Not used on PDEL kernel).
+
Uses different keys (AES256CBC and AES256CMAC) than check_activation_code_2.
 +
 
 +
Used only on TOOL rev 3.
    
{| class="wikitable"
 
{| class="wikitable"
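Review bot: The added key sentence is circular with the one on the next command: this entry says "Uses different keys (AES256CBC and AES256CMAC) than check_activation_code_2", and the check_activation_code_2 entry says the same about check_activation_code_1 with the identical parenthetical, so a reader cannot tell what actually differs. State what differs between the two commands in one of the entries and point to it from the other. The path is also written sd0:/act.dat here but sd0:VITA.ACT (no slash) in the next entry; pick one notation.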
Line 186: Line 188:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]
+
| 0x0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]
 
|}
 
|}
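Review bot: The offset column changes from 0x40 to 0x0 here and in the tables that follow, but nothing on the page says what the offsets are now relative to. Add one sentence near the first table stating the base, so readers comparing against older notes know the 0x40 shift is intentional.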
   Line 193: Line 195:  
Removed on FW 2.10.
 
Removed on FW 2.10.
   −
Same as command 1 but uses different keys (AES256CBC and AES256CMAC).
+
Verify SceKitActivationData read from sd0:VITA.ACT.
 +
 
 +
Uses different keys (AES256CBC and AES256CMAC) than check_activation_code_1.
 +
 
 +
Used on any Kit other than TOOL rev 3 (uses command 1), TEST, TOOL rev 4, Manufacturing Mode and QA flagged (bypasses activation).
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Description
 +
|-
 +
| 0x0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]]
 +
|}
    
=== 0x4 - check_nvs_cmac ===
 
=== 0x4 - check_nvs_cmac ===
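Review bot: The sentence "Used on any Kit other than TOOL rev 3 (uses command 1), TEST, TOOL rev 4, Manufacturing Mode and QA flagged (bypasses activation)" does not parse unambiguously: it is unclear whether "(bypasses activation)" applies only to QA flagged units or to every item after TOOL rev 3. Split the exceptions into a list with the reason beside each entry.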
Line 199: Line 212:  
Not present on FW 0.931.
 
Not present on FW 0.931.
   −
Verify NVS activation data authenticity by comparing with stored CMAC.
+
Verify NVS activation data authenticity using CMAC.
    
{| class="wikitable"
 
{| class="wikitable"
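Review bot: The new wording "using CMAC" is less specific than the removed "by comparing with stored CMAC", because it no longer says what the computed value is checked against. If the comparison against the stored CMAC is still what the command does, keep that detail; if the behaviour was found to be different, say what the CMAC is compared with instead.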
Line 205: Line 218:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]]
+
| 0x0 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
   Line 218: Line 231:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Magic "act\0"
+
| 0x0 || 0x4 || Magic "act\0"
 
|-
 
|-
| 0x44 || 0x4 || Issue number
+
| 0x4 || 0x4 || Issue number
 
|-
 
|-
| 0x48 || 0x4 || Start validity time unix timestamp
+
| 0x8 || 0x4 || Start validity time unix timestamp
 
|-
 
|-
| 0x4C || 0x4 || End validity time unix timestamp
+
| 0xC || 0x4 || End validity time unix timestamp
 
|-
 
|-
| 0x50 || 0x10 || Output: CMAC of the 0x10 input bytes
+
| 0x10 || 0x10 || Output: CMAC of the 0x10 input bytes
 
|}
 
|}
   Line 239: Line 252:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x10 || [[SceSblSsMgr|SceNVSKitActivationData]] without CMAC
+
| 0x0 || 0x10 || [[SceSblSsMgr|SceNVSKitActivationData]] without CMAC
 
|-
 
|-
| 0x50 || 0x20 || [[SceSblSsMgr|SceNVSKitActivationData]]
+
| 0x10 || 0x20 || [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
   Line 254: Line 267:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x80 || Input: [[SceSblSsMgr#|SceKitActivationData]] (new activation data)
+
| 0x0 || 0x80 || Input: [[SceSblSsMgr#|SceKitActivationData]] (new activation data)
 
|-
 
|-
| 0xC0 || 0x100 || Input: RSA signature over new activation data
+
| 0x80 || 0x100 || Input: RSA signature over new activation data
 
|-
 
|-
| 0x1C0 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (previous activation data)
+
| 0x180 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (previous activation data)
 
|-
 
|-
| 0x240 || 0x100 || Input: RSA signature over previous activation data
+
| 0x200 || 0x100 || Input: RSA signature over previous activation data
 
|-
 
|-
| 0x340 || 0x20 || Output: [[SceSblSsMgr|SceNVSKitActivationData]]
+
| 0x300 || 0x20 || Output: [[SceSblSsMgr|SceNVSKitActivationData]]
 
|}
 
|}
   Line 275: Line 288:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Input: Previous return value
+
| 0x0 || 0x4 || Input: Previous return value
 
|-
 
|-
| 0x44 || 0x4 || Input: Current time
+
| 0x4 || 0x4 || Input: Current time
 
|-
 
|-
| 0x48 || 0x4 || Output: License Status
+
| 0x8 || 0x4 || Output: License Status
 
|-
 
|-
| 0x4C || 0x4 || Output: Expire Date
+
| 0xC || 0x4 || Output: Expire Date
 
|-
 
|-
| 0x50 || 0x8 || Reserved
+
| 0x10 || 0x8 || Reserved
 
|-
 
|-
| 0x58 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]] (read from NVS offset 0x520)
+
| 0x18 || 0x20 || Input: [[SceSblSsMgr|SceNVSKitActivationData]] (read from NVS offset 0x520)
 
|-
 
|-
| 0x78 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (read from tm0:activate/act.dat)
+
| 0x38 || 0x80 || Input: [[SceSblSsMgr|SceKitActivationData]] (read from tm0:activate/act.dat)
 
|-
 
|-
| 0xF8 || 0x100 || Input: RSA signature over activation data (read from tm0:activate/actsig.dat)
+
| 0xB8 || 0x100 || Input: RSA signature over activation data (read from tm0:activate/actsig.dat)
 
|}
 
|}
   Line 319: Line 332:     
=== 0x5 - CreatePassPhrase ===
 
=== 0x5 - CreatePassPhrase ===
 +
 +
Creates NP passphrase (per-console and per NP account).
    
Used in [[SceSblSsMgr#sceSblSsCreatePassPhraseForDriver|sceSblSsCreatePassPhraseForDriver]].
 
Used in [[SceSblSsMgr#sceSblSsCreatePassPhraseForDriver|sceSblSsCreatePassPhraseForDriver]].
 +
 +
Input size is 0x220 bytes.
 +
 +
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Description
 +
|-
 +
| 0x40 || 0x8 || Secure Tick
 +
|-
 +
| 0x48 || 0x4 || Unknown. Maybe version or reserved. ex: 0.
 +
|-
 +
| 0x4C || 0x4 || Arguments size in userland (0x18 bytes)
 +
|-
 +
| 0x50 || 0x10 || NP Account ID in ASCII
 +
|-
 +
| 0x60 || 0x200 || IdStorage leaf 0x44 (contains PS Vita IDPS Certificate)
 +
|}
 +
 +
Output size is 0x220 bytes.
 +
 +
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Description
 +
|-
 +
| 0x40 || 0x8 || Secure Tick
 +
|-
 +
| 0x48 || 0x4 || Unknown. Maybe version or reserved. ex: 0.
 +
|-
 +
| 0x4C || 0x4 || Arguments size in userland (0x18 bytes)
 +
|-
 +
| 0x50 || 0x10 || NP Account ID in ASCII
 +
|-
 +
| 0x60 || 0x200 || NP PassPhrase
 +
|}
    
== compat_sm.self ==
 
== compat_sm.self ==
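Review bot: The two new CreatePassPhrase tables start at offset 0x40, while every other table touched in this revision was rebased from 0x40 to 0x0, so the page now mixes two offset bases. With the stated input and output size of 0x220 bytes, the rebased offsets would be 0x0, 0x8, 0xC, 0x10 and 0x20, which puts the end of the 0x200-byte field exactly at 0x220. Rebase both tables to match the rest of the page.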
Line 460: Line 509:     
=== 0x1000B ===
 
=== 0x1000B ===
 +
 +
Execute kirk commands.
    
This is one of the variable sized buffers that can be placed inside [[F00D_Commands#Request_Buffer|Request_Buffer]].
 
This is one of the variable sized buffers that can be placed inside [[F00D_Commands#Request_Buffer|Request_Buffer]].
Line 1,468: Line 1,519:  
== update_service_sm.self ==
 
== update_service_sm.self ==
   −
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files. Both 0x40002 and 0x50002 reference buffers in the following way: an inner paddr list is generated for the buffer containing the data to encrypt/decrypt, then an outer paddr list is generated for the inner list. That means there's two levels of indirection in the paddr list.
+
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files.
 +
 
 +
<s>Both 0x40002 and 0x50002 reference buffers in the following way: an inner paddr list is generated for the buffer containing the data to encrypt/decrypt, then an outer paddr list is generated for the inner list. That means there's two levels of indirection in the paddr list.</s>
 +
 
 +
Services with PA Vectors to pass data to F00D decide whether to use normal vectors or deep vectors depending on the flag of the argument.
    
=== 0x10002 - sceSblUsSmAuthPupHeader ===
 
=== 0x10002 - sceSblUsSmAuthPupHeader ===
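Review bot: The struck-through paragraph is left in place with no explanation of why it is wrong, and the replacement sentence uses "normal vectors", "deep vectors" and "the flag of the argument" without defining them or saying which flag is meant. Either remove the old text or add a short note on what was incorrect, and name the flag and link to where the two vector types are described.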
Line 1,474: Line 1,529:  
SCE_SBL_SM_COMM_FID_SM_AUTH_PUP_HEADER.
 
SCE_SBL_SM_COMM_FID_SM_AUTH_PUP_HEADER.
   −
Verify PUP header.
+
Verify PUP header (with hash check).
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
   −
Input: PA vector of the PUP header including the PUP Hash (size: 0x80 + segment_num * 0x60 + 0x20)
+
Input: PA vector of the PUP header including the PUP Hash (size: 0x80 + segment_num * 0x20 + segment_num * 0x40 + 0x20)
    
=== 0x20002 - sceSblUsSmAuthPupSegment ===
 
=== 0x20002 - sceSblUsSmAuthPupSegment ===
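Review bot: The rewritten size formula "0x80 + segment_num * 0x20 + segment_num * 0x40 + 0x20" evaluates to the same value as the old "segment_num * 0x60" form, so the only thing the split adds is structure, yet the two per-segment terms are not labelled. Say what the 0x20 and 0x40 entries per segment are, otherwise the longer formula carries no more information than the one it replaces.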
Line 1,486: Line 1,541:  
Verify PUP segment.
 
Verify PUP segment.
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
    
=== 0x30002 - sceSblUsSmAuthPupWatermark ===
 
=== 0x30002 - sceSblUsSmAuthPupWatermark ===
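Review bot: The input data size change from 0xFF0 to 0xFC0 here (and on the header and watermark commands) is a 0x30 reduction, whereas the offset tables in this same revision were shifted by 0x40. Add a sentence on what the 0xFC0 figure counts, so the two adjustments can be reconciled.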
Line 1,494: Line 1,549:  
Verify PUP watermark.
 
Verify PUP watermark.
   −
Input data size: 0xFF0.
+
Input data size: 0xFC0.
    
Input data: a packet embedding at least two paddr (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
 
Input data: a packet embedding at least two paddr (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
Line 1,761: Line 1,816:  
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
 
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
 
* 3) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
 
* 3) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
 +
 +
 +
Mode
 +
 +
0 - Do init 0x28 buffer.
 +
 +
1 - Do bigmac unknown crypto with some blob.
 +
 +
2 - Do bigmac unknown crypto with some blob.
 +
 +
3 - Do bigmac unknown crypto with some blob.
 +
 +
4 - Do some working. And reset syscon ticket count with Bigmac PRNG (Keyslot 0x512).
    
== utoken_sm.self ==
 
== utoken_sm.self ==
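Review bot: The added "Mode" list is not tied to any field: the lines above show a 0x58-byte data buffer passed to 0xD0002, but nothing says which offset or argument carries the mode value. Modes 1, 2 and 3 also have identical descriptions and mode 4 begins with "Do some working", so the list does not distinguish them; mark the unknown ones as unknown and state what differs where it is known. The entries would also read better as a wiki list or table, matching the numbered steps directly above.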
