Changes

1,976 bytes added ,  21:38, 2 September 2021
Line 1: Line 1:  +
== Notes ==
 +
 +
If the Ernie version is less than 0x80300, second_loader refuses to boot.
 +
 +
== Boot type indicator 1 for SLSK ==
 +
 +
This flag is set to cmep keyring 0x50C. It is defined at same time as [[KBL Param#Boot type indicator 1]] and embeds some common information but with different flags.
 +
 +
{| class="wikitable"
 +
|-
 +
! cmep keyring 0x50C !! [[KBL Param#Boot type indicator 1|KBL Param Boot type indicator 1]]
 +
|-
 +
| 0x4 || 0x1
 +
|-
 +
| 0x20 || 0x10000
 +
|-
 +
| 0x100 || 0x20000
 +
|-
 +
| 0x8 || no equivalent
 +
|}
 +
 
== Boot process (3.60) ==
 
== Boot process (3.60) ==
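Review bot: the new Notes line says second_loader refuses to boot when the Ernie version is below 0x80300 but not where that version is read from or which error is reported; the same page states that the Syscon hw version from command 1 is written to keyslot 0x508, so say whether the check is against that value and which set_status/report_error code it trips. In the "Boot type indicator 1 for SLSK" table, SLSK is never expanded or linked, the rows give only bit values without the meaning of each bit (the linked KBL Param page defines them; repeat the names here so the table reads on its own), and the `| 0x8 || no equivalent` row should state what 0x8 indicates or explicitly mark it unknown.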
   Line 87: Line 108:  
Model info is retrieved from a global set by syscon command 5. Some checks are performed to determine if the vita is a devkit, if it is then a flag to enable debug LEDs is set. Syscon hw version from command 1 is written to keyslot 0x508 and vita model info is written to keyslot 0x51B.
 
Model info is retrieved from a global set by syscon command 5. Some checks are performed to determine if the vita is a devkit, if it is then a flag to enable debug LEDs is set. Syscon hw version from command 1 is written to keyslot 0x508 and vita model info is written to keyslot 0x51B.
   −
=== TODO ===
+
=== Retrieve boot type from syscon ===
    
<pre>
 
<pre>
Line 105: Line 126:  
   }
 
   }
 
   set_status(68LL);
 
   set_status(68LL);
 +
</pre>
 +
 +
Boot type is retrieved from syscon cmd 0x10, 0xFF14 on cold boot or 0xFF80 on resume boot.
 +
 +
=== TODO ===
 +
 +
<pre>
 
   ret_from_E002_1 = dword_E0020004;
 
   ret_from_E002_1 = dword_E0020004;
 
   ret_from_E002 = ret_from_E002_1;
 
   ret_from_E002 = ret_from_E002_1;
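Review bot: "Boot type is retrieved from syscon cmd 0x10, 0xFF14 on cold boot or 0xFF80 on resume boot" leaves it unclear whether 0xFF14 and 0xFF80 are values returned by the command or arguments passed to it; since later text treats bit 7 of boot_type as the resume flag and masks with 0x7F, say explicitly that these are the returned boot_type values. The section opened right after this is still headed `=== TODO ===`; give it at least a provisional name from the 0xE0020004 register read it contains so it can be referenced.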
Line 120: Line 148:  
</pre>
 
</pre>
   −
=== TODO ===
+
=== Resume checks ===
    
<pre>
 
<pre>
Line 142: Line 170:  
LABEL_32:
 
LABEL_32:
 
     v20 = 0;
 
     v20 = 0;
     clear_sysroot_801C0C();
+
     clear_kbl_param_801C0C();
 
     goto LBL_123;
 
     goto LBL_123;
 
   }
 
   }
   if ( copy_sysroot_to_0x4001FD00_801C1E() )
+
   if ( copy_kbl_param_to_0x4001FD00_801C1E() )
 
   {
 
   {
 
     is_resume = 1LL;
 
     is_resume = 1LL;
Line 164: Line 192:  
   set_status(84LL);
 
   set_status(84LL);
 
</pre>
 
</pre>
 +
 +
Coldboot/resume is determined from bit 7 of boot_type returned by syscon. Then, something with dram??? If boot type is resume but TZ magic word (0x9E3199B7) isn't present, it changes boot type to coldboot.
 +
 +
If coldboot, KBL Param at 0x1F000100 is cleared, otherwise it's restored from 0x4001FD00. Then, some check on emmc crypto reg??? <code>sub_806B58(0x40000500LL, 0x1000LL);</code>???
    
=== Factory firmware check ===
 
=== Factory firmware check ===
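Review bot: the direction of `copy_kbl_param_to_0x4001FD00_801C1E()` (renamed in the previous hunk) contradicts the explanation here that on resume the KBL Param "is restored from 0x4001FD00"; one of the two is reversed, and because is_resume is set from that call's return value, state what a non-zero return means (copy done vs. saved parameter valid). The TZ magic word 0x9E3199B7 is described as the only thing that turns a syscon-reported resume back into a coldboot; say whether anything beyond that magic word validates the 0x4001FD00 buffer before it is restored, and replace "something with dram???" and "some check on emmc crypto reg??? ... ???" with explicit TODO wording so they are not read as completed analysis.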
Line 222: Line 254:  
       report_error_808CAA(1LL, 86LL, v24, 0LL);
 
       report_error_808CAA(1LL, 86LL, v24, 0LL);
 
     if ( !v20 )
 
     if ( !v20 )
       syscon_read_cmd_0x1082_ptr_0x4a0_into_sysroot_802346();
+
       syscon_read_cmd_0x1082_ptr_0x4a0_into_kbl_param_802346();
 
     if ( !(_DWORD)is_resume && !v23 )
 
     if ( !(_DWORD)is_resume && !v23 )
 
       dmac_wait_804C16(&ctx);
 
       dmac_wait_804C16(&ctx);
Line 258: Line 290:  
         sub_808B66(1LL);
 
         sub_808B66(1LL);
 
     }
 
     }
     write_sysroot_fields_from_syscon_801FC0();
+
     write_kbl_param_fields_from_syscon_801FC0();
 
     keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
 
     keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
 
     memset((__int64)line_0x50A, 0LL, 0x10LL);
 
     memset((__int64)line_0x50A, 0LL, 0x10LL);
Line 282: Line 314:  
     keyring_writeX_80250C(0x50ALL, (__int64)line_0x50A, 0x10LL);
 
     keyring_writeX_80250C(0x50ALL, (__int64)line_0x50A, 0x10LL);
 
     set_status(70LL);
 
     set_status(70LL);
 +
</pre>
 +
 +
=== No-op ===
 +
 +
<pre>
 
     ret = zero_801B0E();
 
     ret = zero_801B0E();
 
     v50 = ret;
 
     v50 = ret;
Line 287: Line 324:  
     {
 
     {
 
       set_status(71LL);
 
       set_status(71LL);
 +
</pre>
 +
 +
=== No-op ===
 +
 +
<pre>
 
       v50 = zero_801B24();
 
       v50 = zero_801B24();
 
       if ( v50 )
 
       if ( v50 )
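Review bot: both new `=== No-op ===` headings sit over code that stores the return of zero_801B0E() / zero_801B24() into v50 and branches on it (`if ( v50 )`), so state the basis for the label (for example that the function body returns 0 unconditionally); otherwise a reader takes the branch as live error handling. "Always returns 0" would be more precise than "No-op".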
Line 296: Line 338:  
       }
 
       }
 
       set_status(73LL);
 
       set_status(73LL);
 +
</pre>
 +
 +
=== kbl decryption ===
 +
 +
<pre>
 
       kbl_fw_version = 0;
 
       kbl_fw_version = 0;
 
       if ( (_DWORD)is_resume && (boot_type & 0x7F) != 0x17 )
 
       if ( (_DWORD)is_resume && (boot_type & 0x7F) != 0x17 )
Line 312: Line 359:  
       }
 
       }
 
       set_status(89LL);
 
       set_status(89LL);
 +
</pre>
 +
 +
If resume, ARM exception vectors are copied from TZ memory at 0x40000000 to 0x1F000000 (0x0 alias on ARM). If coldboot, kernel_boot_loader.self is loaded from emmc and decrypted.
 +
 +
=== TODO ===
 +
 +
<pre>
 
       syscon_unk_808C2A();
 
       syscon_unk_808C2A();
 
       print_info_log_800A5E();
 
       print_info_log_800A5E();
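Review bot: the prose says kernel_boot_loader.self is "loaded from emmc and decrypted" but not whether its signature is verified before use; for a SELF the verification is the security-relevant step, so state it here or note where it happens. The guard in this section, `(_DWORD)is_resume && (boot_type & 0x7F) != 0x17`, also means a resume whose boot type is 0x17 takes the coldboot path, which the "If resume / If coldboot" summary does not mention.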
Line 319: Line 373:  
       sub_804764((unsigned int)&unk_801888);
 
       sub_804764((unsigned int)&unk_801888);
 
       set_status(78LL);
 
       set_status(78LL);
 +
</pre>
 +
 +
=== Check kbl version integrity ===
 +
 +
<pre>
 
       v8 = set_and_check_current_fw_version_800E74(kbl_fw_version, is_resume);
 
       v8 = set_and_check_current_fw_version_800E74(kbl_fw_version, is_resume);
 
       v50 = v8;
 
       v50 = v8;
Line 334: Line 393:  
       }
 
       }
 
       set_status(94LL);
 
       set_status(94LL);
 +
</pre>
 +
 +
??? If coldboot, makes sure that kbl version from SELF matches this second_loader version. Also writes current version to keyslots 0x50E and 0x518. ???
 +
 +
=== Check kbl fw version vs factory version ===
 +
 +
<pre>
 
       if ( (_DWORD)is_resume || kbl_fw_version >= a3 )
 
       if ( (_DWORD)is_resume || kbl_fw_version >= a3 )
 
       {
 
       {
 
         set_status(90LL);
 
         set_status(90LL);
         write_sysroot_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3);
+
</pre>
 +
 
 +
If coldboot, make sure that kbl version is not lower than factory firmware version.
 +
 
 +
=== Write KBL Param fields ===
 +
 
 +
<pre>
 +
         write_kbl_param_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3);
 
         set_status(96LL);
 
         set_status(96LL);
 +
 +
</pre>
 +
 +
Writes most of KBL Param fields ???
 +
 +
=== TODO ===
 +
 +
<pre>
 
         v29 = reads_pervasivevid_calls_syscon_0x88E_80899C(seven);
 
         v29 = reads_pervasivevid_calls_syscon_0x88E_80899C(seven);
 
         v50 = v29;
 
         v50 = v29;
 
         if ( (_DWORD)v29 )
 
         if ( (_DWORD)v29 )
           report_error_808CAA(1LL, 0x4CLL, v29, 0LL);
+
           report_error_808CAA(1LL, 76LL, v29, 0LL);
         set_status(0x4CLL);
+
         set_status(76LL);
 +
</pre>
 +
 
 +
=== Prepares to start ARM ===
 +
 
 +
<pre>
 
         v8 = prepare_to_start_arm_80878A(seven, *(unsigned int *)(unsigned int)&dword_80C698, 0LL);
 
         v8 = prepare_to_start_arm_80878A(seven, *(unsigned int *)(unsigned int)&dword_80C698, 0LL);
 
         v50 = v8;
 
         v50 = v8;
 
         if ( (_DWORD)v8 )
 
         if ( (_DWORD)v8 )
 
         {
 
         {
           v9 = 0x4CLL;
+
           v9 = 76LL;
 
           goto LABEL_21;
 
           goto LABEL_21;
 
         }
 
         }
 
         v30 = some_line;
 
         v30 = some_line;
 
         set_status(80LL);
 
         set_status(80LL);
 +
</pre>
 +
 +
Some dance with ARM clock/pervasive stuff ???
 +
 +
=== TODO ===
 +
 +
<pre>
 
         read_line32_8003E8(0x602LL, (__int64)some_line);
 
         read_line32_8003E8(0x602LL, (__int64)some_line);
 
         v31 = 0xE0020100LL;
 
         v31 = 0xE0020100LL;
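Review bot: in "Check kbl fw version vs factory version", `a3` is never named; the Factory firmware check section above is where it originates, so call it the factory firmware version in the prose or rename it in the listing. The guard `(_DWORD)is_resume || kbl_fw_version >= a3` also skips the floor entirely on resume, which "If coldboot, make sure that kbl version is not lower than factory firmware version" only implies; say it outright, since the Bypassing version checks section below depends on knowing which checks apply on which path. The "Check kbl version integrity" paragraph and "Writes most of KBL Param fields ???" are bracketed with question marks; mark them unverified in words or move them under a TODO so they are not cited as fact. The 0x4C to 76 renumbering of the report_error/set_status code is consistent with the other decimal status values on the page.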
Line 423: Line 516:  
</pre>
 
</pre>
   −
== eeprom protection ==
+
== Keyrings protection ==
 
  −
On 0.995 and 3.60 the following lines are protected after starting arm: 0x0-0x7F, 0x140-0x17F, 0x200-0x203, 0x206-0x20D, 0x344-0x353, 0x400-0x47F, 0x502-0x57F, 0x700-0x77F
     −
The protection it sets is 0x1C1F (so f00d read disabled).
+
On FWs 0.995-3.60 the following keyrings are protected with flag 0x1C1F (so cmep read disabled) after starting ARM: 0x0-0x7F, 0x140-0x17F, 0x200-0x203, 0x206-0x20D, 0x344-0x353, 0x400-0x47F, 0x502-0x57F, 0x700-0x77F.
    
== Bypassing version checks ==
 
== Bypassing version checks ==
   −
memeprom line 0x50B offset 0x4 bit 1 set = ignore version mismatch errors. This line itself is set from SNVS 0xD2 block 0. Alternatively set version to 0xDEADBEEF to skip.
+
Cmep keyring 0x50B (mgmt data) offset 0x4 bit 1 set = ignore version mismatch errors. This keyring itself is set from reading SNVS block 0 using Syscon command 0xD2. Alternatively set version to 0xDEADBEEF to skip version checks.
    
== Session key/coredump encryption ==
 
== Session key/coredump encryption ==
   −
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to sysroot buffer +0x100 (0x1F000200)
+
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to KBL Param +0x100 (0x1F000200)
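Review bot: the page now mixes "keyring" (0x50B, 0x50C), "keyslot" (0x508, 0x51B, 0x51A) and "line" (line_0x510, line_0x50A) for the same cmep objects; pick one term or define the three once. In Bypassing version checks, say which of the two checks documented above (the kbl/second_loader version match and the factory-version floor) the 0x50B offset 0x4 bit 1 disables, and where the 0xDEADBEEF value has to appear (the kbl version field or the keyring) for the skip to apply; since the bit is populated from SNVS block 0 via Syscon command 0xD2, this is a security-relevant control and deserves a precise statement rather than "ignore version mismatch errors".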