Changes

no edit summary
Line 53: Line 53:  
|}
 
|}
   −
This data format is used when passing large buffers of data to [[F00D]]. This is because the memory manager in kernel could allocate contiguous virtual addresses that corresponds to varying physical addresses.
+
This data format is used when passing large buffers of data to [[CMeP]]. This is because the memory manager in kernel could allocate contiguous virtual addresses that corresponds to varying physical addresses.
    
== kprx_auth_sm.self ==
 
== kprx_auth_sm.self ==
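Review bot: The replacement link in the changed sentence is written [[CMeP]], while later hunks of this same edit spell the name "cmep" (Line 65, Line 1,588) and "Cmep" (the 0xD0002 description). Pick one spelling, ideally the one that matches the target page title, and use it throughout so the link and the running text agree.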
Line 65: Line 65:  
Used by [[SceSblAuthMgr#sceSblAuthMgrAuthHeaderForKernel|sceSblAuthMgrAuthHeaderForKernel]].
 
Used by [[SceSblAuthMgr#sceSblAuthMgrAuthHeaderForKernel|sceSblAuthMgrAuthHeaderForKernel]].
   −
Checks the SELF header for decryption. The header is copied to the F00D private memory region first (on 1.69 with 0x1000 sized header, it is at <code>0x00811CC0</code> in F00D memory space.
+
Checks the SELF header for decryption. The header is copied to the cmep private memory region first (on 1.69 with 0x1000 sized header, it is at <code>0x00811CC0</code> in cmep memory space.
    
{| class="wikitable"
 
{| class="wikitable"
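Review bot: The parenthesis opened at "(on 1.69 with 0x1000 sized header" in the changed line is never closed; the sentence ends at "in cmep memory space." Since this line is being edited anyway, add the closing ")" before the final period.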
Line 72: Line 72:  
| 0x40 || 0x130 || [[SceSblSsSmComm#Types|SceSblSmCommContext130]]
 
| 0x40 || 0x130 || [[SceSblSsSmComm#Types|SceSblSmCommContext130]]
 
|-
 
|-
| 0x170 || 0x4 || Number of paddr list entries for buffer
+
| 0x170 || 0x4 || Number of physical address list entries for buffer
 
|-
 
|-
| 0x174 || 0x4 || Physical address of paddr list
+
| 0x174 || 0x4 || Physical address of physical address list
 
|}
 
|}
   Line 99: Line 99:  
Used by [[SceSblAuthMgr#sceSblAuthMgrAuthSegmentForKernel|sceSblAuthMgrAuthSegmentForKernel]].
 
Used by [[SceSblAuthMgr#sceSblAuthMgrAuthSegmentForKernel|sceSblAuthMgrAuthSegmentForKernel]].
   −
Decrypt a buffer from the SELF corresponding to the program segment number passed in above. The segment is read in <code>0x10000</code> bytes chunks and is decrypted in place (the input buffer will contain the decrypted data). A [[F00D Commands#Physical Address List|paddr list]] is generated from the buffer. The input buffer and output buffer can be the same.
+
Decrypt a buffer from the SELF corresponding to the program segment number passed in above. The segment is read in <code>0x10000</code> bytes chunks and is decrypted in place (the input buffer will contain the decrypted data). A [[F00D Commands#Physical Address List|physical address list]] is generated from the buffer. The input buffer and output buffer can be the same.
    
{| class="wikitable"
 
{| class="wikitable"
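Review bot: The link in the changed line still targets [[F00D Commands#Physical Address List]]; only its label was changed, although the rest of this edit replaces the F00D name. If the target page is being renamed as well, update the link target here; if not, say somewhere that the page title keeps the old name so the mixed naming is not read as an oversight.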
Line 105: Line 105:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Number of entries in input paddr list
+
| 0x40 || 0x4 || Number of entries in input physical address list
 
|-
 
|-
| 0x44 || 0x4 || Physical address of the input paddr list
+
| 0x44 || 0x4 || Physical address of the input physical address list
 
|-
 
|-
| 0x48 || 0x4 || Number of entries in output paddr list
+
| 0x48 || 0x4 || Number of entries in output physical address list
 
|-
 
|-
| 0x4C || 0x4 || Physical address of the output paddr list
+
| 0x4C || 0x4 || Physical address of the output physical address list
 
|}
 
|}
   Line 152: Line 152:  
| 0x144 || 0x4 || Key ID
 
| 0x144 || 0x4 || Key ID
 
|-
 
|-
| 0x148 || 0x4 || Slot ID
+
| 0x148 || 0x4 || Dst Slot ID. 0~0x1F.
 
|-
 
|-
 
| 0x14C || 0x4 || Key size & 0xF (Should be 0)
 
| 0x14C || 0x4 || Key size & 0xF (Should be 0)
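Review bot: The new description at offset 0x148, "Dst Slot ID. 0~0x1F.", gives a range without stating whether 0x1F is inclusive or what happens when a value outside the range is passed. Spell out "Destination slot ID", write the range in words, and add the out-of-range behaviour if it is known.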
Line 164: Line 164:  
This function writes zeroes into dmac5 keyring.
 
This function writes zeroes into dmac5 keyring.
   −
=== 0x70001 - sceSblAuthMgrDecBindDataForDriver ===
+
=== 0x70001 - sceSblAuthMgrDecBindData ===
    
Used by [[SceSblAuthMgr#sceSblAuthMgrDecBindDataForDriver|sceSblAuthMgrDecBindDataForDriver]] and [[SceNpDrm]] for gamecard binding data used in conjunction with the RIF license file on the gamecard for deriving the klicensee.
 
Used by [[SceSblAuthMgr#sceSblAuthMgrDecBindDataForDriver|sceSblAuthMgrDecBindDataForDriver]] and [[SceNpDrm]] for gamecard binding data used in conjunction with the RIF license file on the gamecard for deriving the klicensee.
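Review bot: The heading is renamed to "0x70001 - sceSblAuthMgrDecBindData", but the "Used by" line directly under it still names sceSblAuthMgrDecBindDataForDriver. Say in the section body which name belongs to which side so the two do not look like a mismatch, and check for links that pointed at the old heading anchor.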
Line 1,409: Line 1,409:  
Decrypt or check QAF Token. Used on 1.03 PDEL.
 
Decrypt or check QAF Token. Used on 1.03 PDEL.
   −
=== 0x1 ===
+
=== 0x1 - Some syscon secure packet stuff ===
   −
=== 0x2 ===
+
=== 0x2 - Some syscon secure packet stuff ===
    
=== 0x3 ===
 
=== 0x3 ===
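Review bot: The headings for 0x1 and 0x2 both receive the identical title "Some syscon secure packet stuff", which does not distinguish the two commands and is too vague to serve as a section anchor. Keep the headings as the bare IDs and move the tentative description into the body of each section, marked as unconfirmed, until the difference between 0x1 and 0x2 is known.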
Line 1,521: Line 1,521:  
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files.
 
This is used by [[SceSblUpdateMgr]] to decrypt update packages extracted from [[PUP]] files.
   −
<s>Both 0x40002 and 0x50002 reference buffers in the following way: an inner paddr list is generated for the buffer containing the data to encrypt/decrypt, then an outer paddr list is generated for the inner list. That means there's two levels of indirection in the paddr list.</s>
+
<s>Both 0x40002 and 0x50002 reference buffers in the following way: an inner physical address list is generated for the buffer containing the data to encrypt/decrypt, then an outer physical address list is generated for the inner list. That means there's two levels of indirection in the physical address list.</s>
   −
Services with PA Vectors to pass data to F00D decide whether to use normal vectors or deep vectors depending on the flag of the argument.
+
Services with PA Vectors to pass data to cmep decide whether to use normal vectors or deep vectors depending on the flag of the argument.
    
=== 0x10002 - sceSblUsSmAuthPupHeader ===
 
=== 0x10002 - sceSblUsSmAuthPupHeader ===
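Review bot: The rewritten sentence "Services with PA Vectors to pass data to cmep ..." keeps the terms "PA Vectors", "normal vectors" and "deep vectors", while the rest of this edit standardises on "physical address list". Either define a PA vector as the same thing on first use or rename it here too. The struck-through paragraph above it was also reworded, which is unnecessary churn if that text is retracted.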
Line 1,551: Line 1,551:  
Input data size: 0xFC0.
 
Input data size: 0xFC0.
   −
Input data: a packet embedding at least two paddr (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
+
Input data: a packet embedding at least two physical addresses (or PA vectors): PUP Watermark (0x1000 bytes) and PUP Hash (0x20 bytes).
    
=== 0x40002 - sceSblUsSmAuthSpkg ===
 
=== 0x40002 - sceSblUsSmAuthSpkg ===
Line 1,567: Line 1,567:  
| 0x48 || 0x8 || Set to 0x1
 
| 0x48 || 0x8 || Set to 0x1
 
|-
 
|-
| 0x50 || 0x14 || <code>struct paddr_list_req</code> for Paddr list below
+
| 0x50 || 0x14 || <code>struct paddr_list_req</code> for physical address list below
 
|-
 
|-
 
| 0x64 || 0x14 || <code>struct paddr_list_req</code> for pkg buffer
 
| 0x64 || 0x14 || <code>struct paddr_list_req</code> for pkg buffer
 
|-
 
|-
| 0x78 || Variable (max 0xF88(0x1F1 entry)) || Copy of paddr list for pkg buffer (contents described at 0x50)
+
| 0x78 || Variable (max 0xF88(0x1F1 entry)) || Copy of physical address list for pkg buffer (contents described at 0x50)
 
|}
 
|}
   Line 1,588: Line 1,588:  
| 0x48 || 0x8 || Set to 1
 
| 0x48 || 0x8 || Set to 1
 
|-
 
|-
| 0x50 || 0x14 || <code>struct paddr_list_req</code> for paddr list copied to 0x78. Only count field is used.
+
| 0x50 || 0x14 || <code>struct paddr_list_req</code> for physical address list copied to 0x78. Only count field is used.
 
|-
 
|-
| 0x64 || 0x14 || <code>struct paddr_list_req</code> for inner paddr list. Not used.
+
| 0x64 || 0x14 || <code>struct paddr_list_req</code> for inner physical address list. Not used.
 
|-
 
|-
| 0x78 || Variable (max 0xF88(0x1F1 entry)) || outer paddr list / paddr list to paddr list to encrypt
+
| 0x78 || Variable (max 0xF88(0x1F1 entry)) || outer physical address list / physical address list to physical address list to encrypt
 
|}
 
|}
   −
Each inner paddr list is first copied to temporary f00d memory, then they all are checked for validity at once. Maximum size of inner list is 0xff7 (so probably 0xff7 / 8 * 8 = 0xff0). Any lengths higher than that result in <code>SCE_SBL_ERROR_SL_ENOMEM = 0x800f020c</code>.
+
Each inner physical address list is first copied to temporary cmep memory, then they all are checked for validity at once. Maximum size of inner list is 0xff7 (so probably 0xff7 / 8 * 8 = 0xff0). Any lengths higher than that result in <code>SCE_SBL_ERROR_SL_ENOMEM = 0x800f020c</code>.
    
How it works:
 
How it works:
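Review bot: The new description at offset 0x78, "outer physical address list / physical address list to physical address list to encrypt", is hard to parse now that "paddr" is expanded three times in one cell. Reword it using the "inner" and "outer" terms already used in the paragraph below the table, for example "outer physical address list (references the inner physical address list for the data to encrypt)", if that is the intended meaning.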
Line 1,601: Line 1,601:  
* first, all inner entries are checked for validity, if something's invalid, bail out <code>SCE_SBL_ERROR_SL_EINVAL 0x800f0216</code>
 
* first, all inner entries are checked for validity, if something's invalid, bail out <code>SCE_SBL_ERROR_SL_EINVAL 0x800f0216</code>
 
* start at last outer entry and move towards the first
 
* start at last outer entry and move towards the first
* if current entry looks valid (length >= 8), proceed to inner paddr encryption
+
* if current entry looks valid (length >= 8), proceed to inner physical address encryption
 
* if no valid entries found, error=<code>SCE_SBL_ERROR_SL_EINVAL 0x800f0216</code>
 
* if no valid entries found, error=<code>SCE_SBL_ERROR_SL_EINVAL 0x800f0216</code>
 
* if multiple valid entries found, error=<code>SCE_SBL_ERROR_SL_EIO 0x800f0205</code> (???) (but the first one found is always encrypted)
 
* if multiple valid entries found, error=<code>SCE_SBL_ERROR_SL_EIO 0x800f0205</code> (???) (but the first one found is always encrypted)
Line 1,608: Line 1,608:  
Bugs(?):
 
Bugs(?):
   −
* encrypting same paddr twice or more times within a single inner paddr list always results in same output, no matter what input was, reproducible with length=0x10 or less
+
* encrypting same physical address twice or more times within a single inner physical address list always results in same output, no matter what input was, reproducible with length=0x10 or less
* sum(inner list sizes) must be <= 0xFF0, but there's no overflow check, a large inner list causes f00d to overwrite memory with data like:
+
* sum(inner list sizes) must be <= 0xFF0, but there's no overflow check, a large inner list causes cmep to overwrite memory with data like:
 
<pre>
 
<pre>
00:00:26 0 // this is paddr 0x1F000000
+
00:00:26 0 // this is physical address 0x1F000000
 
00:00:26 0
 
00:00:26 0
 
00:00:26 0
 
00:00:26 0
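Review bot: The second bullet under "Bugs(?)" says the sum of inner list sizes must be <= 0xFF0 and that "there's no overflow check", while the paragraph before "How it works" says lengths above the maximum return SCE_SBL_ERROR_SL_ENOMEM. Clarify which limit is enforced and which is not (for instance per inner list versus the sum, if that is the distinction), and label the dump in the pre block with where the values were read from so the "physical address 0x1F000000" comments can be interpreted.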
Line 1,618: Line 1,618:  
00:00:26 812d40
 
00:00:26 812d40
 
00:00:26 0
 
00:00:26 0
00:00:26 1f000020 // this is paddr 0x1F00001C
+
00:00:26 1f000020 // this is physical address 0x1F00001C
 
00:00:26 0
 
00:00:26 0
 
00:00:26 0
 
00:00:26 0
Line 1,651: Line 1,651:  
The input is plain SNVS sectors read from NVS.
 
The input is plain SNVS sectors read from NVS.
   −
Calculates a XTS Encrypt using the per console keys in keyring slot 0x502, and 0x503 for the tweak and decryption keys. Appears to be intended for up to 0x3E0 bytes in size, but the size in F00D packet +4 derives the XTS size and memcpy.
+
Calculates a XTS Encrypt using the per console keys in keyring slot 0x502, and 0x503 for the tweak and decryption keys. Appears to be intended for up to 0x3E0 bytes in size, but the size in cmep packet +4 derives the XTS size and memcpy.
    
The result is XTS encrypted SNVS sectors.
 
The result is XTS encrypted SNVS sectors.
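Review bot: The changed sentence describes an XTS Encrypt but says slots 0x502 and 0x503 hold "the tweak and decryption keys"; for the encrypt command this should read "encryption" or simply "data" key. The clause "the size in cmep packet +4 derives the XTS size and memcpy" should also state plainly whether that size is checked against the 0x3E0 limit.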
Line 1,671: Line 1,671:  
The input is XTS encrypted sectors.
 
The input is XTS encrypted sectors.
   −
Calculates a XTS Decrypt using the per console keys in keyring slot 0x502, and 0x503 for the tweak and decryption keys. Appears to be intended for up to 0x3E0 in size, but the size in F00D packet +4 derives the XTS size and memcpy.
+
Calculates a XTS Decrypt using the per console keys in keyring slot 0x502, and 0x503 for the tweak and decryption keys. Appears to be intended for up to 0x3E0 in size, but the size in cmep packet +4 derives the XTS size and memcpy.
    
The result is plain sectors.
 
The result is plain sectors.
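Review bot: "up to 0x3E0 in size" in the changed line drops the unit that the matching encrypt entry gives ("up to 0x3E0 bytes in size"). Use the same wording in both entries, and write "an XTS Decrypt" while the line is being touched.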
Line 1,764: Line 1,764:     
Usage:
 
Usage:
* 1) sceSblSmCommCallFunc(id, 0xB0002, &f00d_resp, data, 0x88);
+
* 1) sceSblSmCommCallFunc(id, 0xB0002, &cmep_resp, data, 0x88);
 
For read:
 
For read:
 
* 2) nvs_read_special(data + 0x28, 0x10, data + 0x58, 0x30)
 
* 2) nvs_read_special(data + 0x28, 0x10, data + 0x58, 0x30)
 
For write:
 
For write:
 
* 2) nvs_write_special(data + 0x28, 0x30, data + 0x58, 0x10);
 
* 2) nvs_write_special(data + 0x28, 0x30, data + 0x58, 0x10);
* 3) sceSblSmCommCallFunc(id, 0xB0002, &f00d_resp, data, 0x88);
+
* 3) sceSblSmCommCallFunc(id, 0xB0002, &cmep_resp, data, 0x88);
    
=== 0xC0002 - sceSblUsSmSnvsEncryptDecryptMgmtData ===
 
=== 0xC0002 - sceSblUsSmSnvsEncryptDecryptMgmtData ===
Line 1,789: Line 1,789:     
Usage:
 
Usage:
* 1) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
+
* 1) sceSblSmCommCallFunc(id, 0xC0002, &cmep_resp, data, 0x70);
 
For write:
 
For write:
 
* 2) nvs_write_special(data + 0x10, 0x30, data + 0x40, 0x10);
 
* 2) nvs_write_special(data + 0x10, 0x30, data + 0x40, 0x10);
 
For read:
 
For read:
 
* 2) nvs_read_special(data + 0x10, 0x10, data + 0x40, 0x30);
 
* 2) nvs_read_special(data + 0x10, 0x10, data + 0x40, 0x30);
* 3) sceSblSmCommCallFunc(id, 0xC0002, &f00d_resp, data, 0x70);
+
* 3) sceSblSmCommCallFunc(id, 0xC0002, &cmep_resp, data, 0x70);
    
=== 0xD0002 ===
 
=== 0xD0002 ===
   −
Syscon update related. Usage is to proxy encrypted data F00D <=> Syscon.
+
Syscon update related. Usage is to proxy encrypted data Cmep <=> Syscon.
    
Data size is 0x58 bytes.
 
Data size is 0x58 bytes.
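Review bot: In the Usage list for 0xC0002, step 3 sits under "For read", whereas in the 0xB0002 list in the previous hunk step 3 sits under "For write", so it is unclear which path makes the second sceSblSmCommCallFunc call. Since both lists are being edited for the cmep_resp rename, restructure them so that read and write each list their own full step sequence.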
Line 1,812: Line 1,812:     
Usage:
 
Usage:
* 1) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
+
* 1) sceSblSmCommCallFunc(id, 0xD0002, &cmep_resp, data, 0x58);
 
For modes 0, 1 and 3:
 
For modes 0, 1 and 3:
 
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
 
* 2) memcpy(data + 8, data + 0x30, 0x28); SceSysconForDriver_4D03754A(data + 8, 0x28, data + 0x30, 0x28);
* 3) sceSblSmCommCallFunc(id, 0xD0002, &f00d_resp, data, 0x58);
+
* 3) sceSblSmCommCallFunc(id, 0xD0002, &cmep_resp, data, 0x58);
      Line 1,839: Line 1,839:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Paddr of [[SceSblPostSsMgr#Types|SceUtoken]] buffer
+
| 0x40 || 0x4 || Physical address of [[SceSblPostSsMgr#Types|SceUtoken]] buffer
 
|-
 
|-
 
| 0x44 || 0x4 || Size of [[SceSblPostSsMgr#Types|SceUtoken]] buffer (usually 0x800)
 
| 0x44 || 0x4 || Size of [[SceSblPostSsMgr#Types|SceUtoken]] buffer (usually 0x800)
Line 1,855: Line 1,855:  
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || Paddr of [[SceSblPostSsMgr#Types|SceUtoken]] buffer
+
| 0x40 || 0x4 || Physical address of [[SceSblPostSsMgr#Types|SceUtoken]] buffer
 
|-
 
|-
 
| 0x44 || 0x4 || Size of [[SceSblPostSsMgr#Types|SceUtoken]] buffer (usually 0x800)
 
| 0x44 || 0x4 || Size of [[SceSblPostSsMgr#Types|SceUtoken]] buffer (usually 0x800)