Changes

118 bytes added ,  22:07, 30 August 2021
no edit summary
Line 72: Line 72:  
== Asynchronous Handler ==
 
== Asynchronous Handler ==
   −
A timer (<code>TMR00</code>) is set up at the start of the Worker Loop to count in <code>0x7D00</code> cycle intervals. Oddly, the timer interrupt is not configured but <code>INTCSI01</code> is configured. Possibly the reference manual is not correct w.r.t Ernie because the interrupt handler for <code>INTCSI01</code> does not appear to reference the serial interface at all. We will assume this interrupt is the timer's interrupt.
+
A timer (<code>TMR00</code>) is set up at the start of the Worker Loop to count in <code>0x7D00</code> cycle intervals. Oddly, the timer interrupt is not configured but <code>INTCSI01</code> is configured. Possibly the reference manual is not correct with reference to Ernie because the interrupt handler for <code>INTCSI01</code> does not appear to reference the serial interface at all. We will assume this interrupt is the timer's interrupt.
    
A table of software handlers are initialized to 0 at the start of the Worker Loop. Functions can register handlers in this table. Functions can also flag a handler to run at the next timer interrupt. During each timer interrupt, (with interrupt disabled) the firmware will iterate through the handlers and run any function that is flagged (and unflag it).
 
A table of software handlers are initialized to 0 at the start of the Worker Loop. Functions can register handlers in this table. Functions can also flag a handler to run at the next timer interrupt. During each timer interrupt, (with interrupt disabled) the firmware will iterate through the handlers and run any function that is flagged (and unflag it).
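Review bot: the unchanged context line "A table of software handlers are initialized to 0" still has a subject/verb disagreement and should read "A table of software handlers is initialized to 0"; in the same sentence "(with interrupt disabled)" reads better as "(with interrupts disabled)". The wording fix from "w.r.t" to "with reference to" is fine, but the assumption that INTCSI01 is the timer's interrupt would be easier to evaluate if the sentence also said what the handler does reference, if known, rather than only what it does not.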
Line 80: Line 80:  
When [[Ernie_Firmware#JIG_Enable|JIG is enabled]], commands can be sent through an UART interface by an external agent. An UART RX interrupt will flag asynchronous handler <code>0xB</code>. This handler is registered at the start of the Worker Loop to set flag <code>0x32</code> and return. In the Worker Loop, flag <code>0x32</code> can be handled by states 1, 3, 8, 9. In any of these states, the JIG Handler is called.
 
When [[Ernie_Firmware#JIG_Enable|JIG is enabled]], commands can be sent through an UART interface by an external agent. An UART RX interrupt will flag asynchronous handler <code>0xB</code>. This handler is registered at the start of the Worker Loop to set flag <code>0x32</code> and return. In the Worker Loop, flag <code>0x32</code> can be handled by states 1, 3, 8, 9. In any of these states, the JIG Handler is called.
   −
JIG packets are ASCII encoded hex (each raw byte is 2 ASCII bytes) and end in \r\n. Once decoded into raw bytes, the packet is 2 byte command id, 1 byte unknown, 2 byte length*2 (equal to raw packet length - 7), a payload, and 2 byte checksum.
+
JIG packets are ASCII encoded hex (each raw byte is 2 ASCII bytes) and end in <code>"\r\n"</code>. Once decoded into raw bytes, the packet is 2 byte command id, 1 byte unknown, 2 byte length*2 (equal to raw packet length - 7), a payload, and 2 byte checksum.
    
= Kermit Bootrom JIG Mode =
 
= Kermit Bootrom JIG Mode =
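Review bot: the unchanged paragraph above keeps "an UART interface" and "An UART RX interrupt", which should be "a UART interface" and "A UART RX interrupt". Wrapping "\r\n" in <code> is the right fix, but the layout sentence "2 byte length*2 (equal to raw packet length - 7)" is still easy to misread: since the 2+1+2 header bytes and 2 checksum bytes account for the 7, the field apparently holds twice the raw payload byte count (the ASCII payload length), and saying that explicitly, together with which bytes the checksum covers and how it is computed if known, would make the format reproducible from the text.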
Line 86: Line 86:  
Similarly to the Jigkick battery on PSP, the PS Vita also has a hidden manufacturing/recovery mode in the boot ROM. By convention, we call this "JIG mode". Once a handshake with Kermit boot ROM passes, the PS Vita will boot from an SD card in the gamecard slot instead of from internal eMMC. The payload must be signed by Sony specifically for this mode. There is no vulnerability that allows to bypass the signature check.
 
Similarly to the Jigkick battery on PSP, the PS Vita also has a hidden manufacturing/recovery mode in the boot ROM. By convention, we call this "JIG mode". Once a handshake with Kermit boot ROM passes, the PS Vita will boot from an SD card in the gamecard slot instead of from internal eMMC. The payload must be signed by Sony specifically for this mode. There is no vulnerability that allows to bypass the signature check.
   −
To trigger JIG mode, we have to first enable JIG from the syscon and then do a handshake with Kermit.
+
To trigger JIG mode, we have to first enable JIG from Ernie and then do a handshake with Kermit.
    
See also: [[Enc#Secret_debug_mode]]
 
See also: [[Enc#Secret_debug_mode]]
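Review bot: renaming "the syscon" to "Ernie" here is a good consistency fix, but the Hardware section in this same edit still says the charging chip "communicates with Syscon through an I2C interface", so either use Ernie there as well or state once that Ernie is the syscon. In the unchanged line above, "no vulnerability that allows to bypass the signature check" should read "no vulnerability that allows bypassing the signature check"; consider "no known vulnerability", since the text can only speak to what has been found.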
Line 203: Line 203:  
== Hardware ==
 
== Hardware ==
   −
In theory there needs to be 2 digital pins (UART) and 1 analog pin (JIG enable sense) accessible to the factory agent in order for JIG to work. On the Slim units, it is currently unknown where these pins might be. One theory is that there may be a USB serial hardware inside the TI charging chip. There is only weak evidence for this: the TI chip communicates with Syscon through an I2C interface and we see from pictures of the PCB that the USB data lanes go into and out of the TI chip on the Slim. This is different from the [[SN99057]] on the phat units which routes the USB data lanes in parallel (for charge sensing).
+
In theory there needs to be 2 digital pins (UART) and 1 analog pin (JIG enable sense) accessible to the factory agent in order for JIG to work. On the Slim PS Vita units, it is currently unknown where these pins might be. One theory is that there may be a USB serial hardware inside the Texas Instruments charging chip. There is only weak evidence for this: the Texas Instruments chip communicates with Syscon through an I2C interface and we see from pictures of the PCB that the USB data lanes go into and out of the Texas Instruments chip on the Slim PS Vita. This is different from the [[SN99057]] on the Fat PS Vita units which routes the USB data lanes in parallel (for charge sensing).
    
On the Fat PS Vita units, the [[UDC|multiconnector]] port has UART exposed on pin 6 and 7. Additionally there are pins 11, 12, and 13 that are routed directly to Ernie (seen through PCB delayering). They each have a 100K pull-up resistor to 1.8V.
 
On the Fat PS Vita units, the [[UDC|multiconnector]] port has UART exposed on pin 6 and 7. Additionally there are pins 11, 12, and 13 that are routed directly to Ernie (seen through PCB delayering). They each have a 100K pull-up resistor to 1.8V.
   −
[[File:Multiconnector testpoints.png|thumb|Yellow = UDC pin 12, Cyan = UDC pin 11, Green = UDC pin 6 (RX), Magenta = UDC pin 7 (TX)]]
+
[[File:Multiconnector testpoints.png|thumb|Yellow = UDC pin 12, Cyan = UDC pin 11, Green = UDC pin 6 (Ernie UART RX), Magenta = UDC pin 7 (Ernie UART TX)]]
   −
Since the testpoints for pin 11 and 12 are close to the test points for Ernie UART, one (or both) of these pins could be used for [[Ernie_Firmware#Voltage_Table|voltage sensing]]. Below is an untested theory of what a JIG enable circuit could look like.
+
Since the test points for UDC pins 11 and 12 are close to the test points for Ernie UART, one (or both) of these pins could be used for [[Ernie_Firmware#Voltage_Table|voltage sensing]]. Below is an untested theory of what a JIG enable circuit could look like.
    
[[File:Potential jig circuit.png|thumb|Possible JIG enable circuit with a 160K voltage divider.]]
 
[[File:Potential jig circuit.png|thumb|Possible JIG enable circuit with a 160K voltage divider.]]
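Review bot: the rewritten line still reads "there may be a USB serial hardware inside the Texas Instruments charging chip", which should be "USB serial hardware" or "a USB serial interface", and it keeps "Syscon" where the rest of this edit now says Ernie. Expanding "TI" and "phat" and labelling pin 6/7 as Ernie UART RX/TX in the caption are clear improvements; the pins 11/12 paragraph would be stronger if it related the 100K pull-up to 1.8V and the 160K divider in the circuit caption to the voltage range the linked voltage table expects, so a reader can see why that divider value was chosen for an untested circuit. "testpoints" and "test points" are also mixed between the caption and the text.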