Changes

2,684 bytes added ,  02:41, 15 October 2021
Line 1: Line 1: −
From https://gitlab.com/plutooo/vita-bootrom/blob/master/io.txt
     −
== Key slots ==
+
= Cmep/ARM =
0x000-0x07F:
  −
    Initial state: Empty keyslots.
  −
    0x000-0x007: Empty group0 slave keyslots, for AES decryption only.
  −
    0x008-0x00F: Empty group1 slave keyslots, any algo.
  −
    0x010-0x01F: Empty group2 slave keyslots, for AES decryption only.
  −
    0x020-0x02F: Empty group3 slave keyslots, any algo.
  −
    0x030-0x07F: Empty normal keyslots, any algo.
     −
0x100-0x17F:
+
== 0xE0000000: MailboxCmepToArm ==
    Initial state: Empty keyslots.
  −
    0x100-0x17F: Empty normal keyslots, any algo.
  −
 
  −
0x200-0x217:
  −
    Initial state: Filled in, key material.
  −
    0x200-0x203: AES decryption-only keys (for memory buffers).
  −
    0x204-0x205: Master keys (for group0), any algo.
  −
    0x206-0x20D: Master keys (for group1), any algo.
  −
    0x20E-0x20F: Emmc keys, fully protected.
  −
    0x210-0x217: General purpose keys (for memory buffers).
  −
 
  −
0x300-0x3FF:
  −
    Initial state: Filled in, key material.
  −
    0x300-0x33F: AES decryption-only keys (for memory buffers).
  −
    0x340-0x343: Master keys (for group2), any algo.
  −
    0x344-0x353: Master keys (for group3), any algo.
  −
    0x354-0x3FF: General purpose keys (for memory buffers).
  −
 
  −
0x400-0x47F:
  −
    Initial state: Empty data storage, read-write from keyring.
  −
 
  −
0x500-0x57F:
  −
    Initial state: Empty data storage, read-write from keyring.
  −
 
  −
0x600-0x607:
  −
    Initial state: Filled in data, read-only. Keyring only.
  −
    0x603: u32 BootromFlags.
  −
      Bit0-15: HasRsaRevocationKey. This is set to 0xFFFF.
  −
      Bit16:  UseAlternativeEmmcClock
  −
 
  −
0x700-0x77F:
  −
    Initial state: Filled in data, read-only. Keyring only.
  −
    0x700-0x708: RsaRevocationKey0
  −
    0x708-0x710: RsaRevocationKey1
  −
    0x710-0x718: RsaRevocationKey2
  −
    0x718-0x720: RsaRevocationKey3
  −
    0x720-0x728: RsaRevocationKey4
  −
    0x728-0x730: RsaRevocationKey5
  −
    ...
  −
    0x778-0x780: RsaRevocationKey15
  −
 
  −
== E0000000: MailboxFoodToArm ==
   
Response to ARM is written here.
 
Response to ARM is written here.
   −
== E0000010: MailboxArmToFood ==
+
== 0xE0000010: MailboxArmToCmep ==
 
Request from ARM is written here.
 
Request from ARM is written here.
   −
== E0000020: MailboxFoodToDebugger ==
+
== 0xE0000020: MailboxCmepToDebugger ==
Size: 2x u32.
+
Size: 2* u32.
   −
== E0000028: MailboxDebuggerToFood ==
+
== 0xE0000028: MailboxDebuggerToCmep ==
Size: 2x u32.
+
Size: 2* u32.
   −
== E0000060: MailboxDebuggerToFood2 ==
+
== 0xE0000060: MailboxDebuggerToCmep2 ==
Size: 2x u32.
+
Size: 2* u32.
   −
== E0010000: FootReset ==
+
= Cmep controller =
    Bit0: Hangs. ARM uses this to reset the F00D subsystem.
     −
== E0010004: FoodStatus ==
+
== 0xE0010000: CmepReset ==
     Bit31:  IsFoodAlive
+
    Bit0: Hangs. ARM uses this to reset the cMeP subsystem.
 +
 
 +
== 0xE0010004: CmepStatus ==
 +
     Bit31:  IsCmepAlive
 
     Bit0-2: ?
 
     Bit0-2: ?
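Review bot: the Food/F00D to Cmep rename in this hunk is not carried through consistently: the new CmepReset bit description still reads "ARM uses this to reset the cMeP subsystem" while every heading spells it "Cmep", so use one spelling (Cmep, matching the headings). The three edits that turn "Size: 2x u32." into "Size: 2* u32." on the debugger mailboxes are a step backwards; "2x u32" reads as a count whereas "2* u32" looks like a C expression, so keep the original wording. Also "= Cmep/ARM =" and "= Cmep controller =" are level-1 headings, which MediaWiki renders at the same level as the page title; consider "==" for these group headings and "===" for the individual register headings beneath them, which keeps the existing register sections one level below their group.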
   Line 77: Line 29:  
     0xE0010010: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
     0xE0010010: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   −
== E0010010 ==
+
== 0xE0010010: Unknown ==
 
Reads back 0x7FF. Then hangs after delay.
 
Reads back 0x7FF. Then hangs after delay.
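Review bot: the renamed "== 0xE0010010: Unknown ==" section says the register "Reads back 0x7FF", but the dump line kept as context in this same hunk ("0xE0010010: 01 00 00 00 ...") shows 0x00000001 at that address; state which observation applies (for example value at reset versus after a write) or reconcile the two. Since the read-back value and the hang-after-delay behaviour are both documented, the heading could carry a short provisional name rather than "Unknown", or a sentence noting that the name is a placeholder.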
   Line 87: Line 39:  
     0xE0020010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
     0xE0020010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   −
== E0020000 ==
+
= Cmep 0xE0020000 =
 +
 
 +
== 0xE0020000: Unknown ==
 
     Bit0: Reboot when cleared.
 
     Bit0: Reboot when cleared.
 
     Bit1: Hang when cleared. Unrecoverable
 
     Bit1: Hang when cleared. Unrecoverable
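Review bot: "= Cmep 0xE0020000 =" names a group after a bare address, unlike "= Cmep controller =" earlier in this change; either give it a functional name or add a sentence under the heading describing what the block is (the dump kept as context here only shows 0xE0020010 reading as all zeroes, which does not explain the group). Minor: "Bit1: Hang when cleared. Unrecoverable" is missing its terminating period, and since clearing bit0 reboots and clearing bit1 hangs, a one-line note on what the register reads back normally would help readers avoid accidental writes.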
Line 97: Line 51:  
     Bit17:
 
     Bit17:
   −
== E0020004: ? ==
+
== 0xE0020004: Unknown ==
 
second_loader writes 0x30003 followed by 0 here, after clearing keys.
 
second_loader writes 0x30003 followed by 0 here, after clearing keys.
   −
== E0020020: ? ==
+
== E0020020: Unknown ==
rsa_expmod() reads and writes back this register before reading the result of the RSA operation.
+
 
 +
<s>rsa_expmod() reads and writes back this register before reading the result of the RSA operation.</s>
 +
 
 +
May be a kind of timer.
 +
 
 +
Or working state.
 +
 
 +
= Keyring controller =
 +
 
 +
Currently there is no known way to re setting protection in any way (slot_prot |= or_protect)
 +
 
 +
<pre>
 +
  +0x00 = EEP_DATA0
 +
  +0x04 = EEP_DATA1
 +
  +0x08 = EEP_DATA2
 +
  +0x0C = EEP_DATA3
 +
  +0x10 = EEP_DATA4
 +
  +0x14 = EEP_DATA5
 +
  +0x18 = EEP_DATA6
 +
  +0x1C = EEP_DATA7
 +
  +0x20 = EEP_LINE
 +
  +0x24 = EEP_SET_PROTECTION
 +
  +0x28 = EEP_GET_PROTECTION_REQ
 +
  +0x2C = EEP_GET_PROTECTION_RESP
 +
</pre>
 +
 
 +
Writing <code>line_id</code> to <code>EEP_LINE</code> will trigger writing the <code>EEP_DATA</code> registers into said line.
 +
 
 +
Writing <code>((prot<<16)|line_id)</code> to <code>EEP_SET_PROTECTION</code> protects a line. prot is a bit mask, 0x1000 makes reads from f00d return 0.
 +
 
 +
Writing <code>line_id</code> to <code>EEP_GET_PROTECTION_REQ</code> returns current prot in <code>EEP_GET_PROTECTION_RESP</code>.
 +
 
 +
This device is mapped to ScePervasiveResetReg +0x190 for controlling reset and enabling mask writing.
 +
 
 +
<source>
   −
== E0030000: KeySetValue ==
+
/*
 +
* Protection
 +
*
 +
* 0x00000001 : Slot exist
 +
* 0x00000002 : Slot enabled
 +
* 0x00000004 : Unknown
 +
* 0x00010000 : Allow enc
 +
* 0x00020000 : Allow dec
 +
* more ...
 +
*/
 +
typedef struct SceBigmacKeyringController { // 0xE0030000
 +
uint32_t data[0x8];
 +
/*
 +
* Write data to slot. Needed have the 0x800 protection (direct write)
 +
* If the slot is disabled, enable it
 +
*/
 +
int slot_id;
 +
 
 +
/*
 +
* Clear slot protection
 +
*
 +
* Mask      | Description
 +
* 0x0000FFFF : Target slot id
 +
* 0xFFFF0000 : Clear protection
 +
*/
 +
int slot_protection;
 +
 
 +
/*
 +
* if((slot_protect_resp & 2) != 0) enabled else disabled
 +
*/
 +
int slot_protect_chk;
 +
int slot_protect_resp;
 +
} SceBigmacKeyringController;
 +
</source>
 +
 
 +
== 0xE0030000-0xE003001F: KeySetValue ==
 
Size: 8x u32.
 
Size: 8x u32.
   −
== E0030020: KeySetValueTrigger ==
+
== 0xE0030020: KeySetValueTrigger ==
 +
 
 
Write keyslot here, and it will write value written above to it.
 
Write keyslot here, and it will write value written above to it.
   −
== E0030024: KeySetProtect ==
+
If the slot is not enabled, enable it (needed some protect. if not have protect, cannot enable that slot)
 +
 
 +
== 0xE0030024: KeySetProtect ==
 
     Bit0-15:  KeyslotNumber
 
     Bit0-15:  KeyslotNumber
 
     Bit16-31: KeyslotClearFlags
 
     Bit16-31: KeyslotClearFlags
   −
== E0030028: KeyQueryProtect ==
+
== 0xE0030028: KeyQueryProtect ==
 
     Bit0-15: KeyslotNumber
 
     Bit0-15: KeyslotNumber
   −
== E003002C: KeyQueryProtectResult ==
+
== 0xE003002C: KeyQueryProtectResult ==
 
     Bit0: SlotExists
 
     Bit0: SlotExists
     Bit1: HasBeenWrittenOnce. You cannot use a key if this is not set.
+
     Bit1: SlotEnabled. You cannot use a key if this is not set.
     Bit2: HasBeenWrittenMoreThanOnce
+
     Bit2: Unknown
 
     Bit16:  Clearable  | AesEncryptAllowed (CTR+CBC+ECB, any key size)
 
     Bit16:  Clearable  | AesEncryptAllowed (CTR+CBC+ECB, any key size)
 
     Bit17:  Clearable  | AesDecryptAllowed (CTR+CBC+ECB, any key size)
 
     Bit17:  Clearable  | AesDecryptAllowed (CTR+CBC+ECB, any key size)
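Review bot: "== E0020020: Unknown ==" is the only renamed heading in this change without the "0x" prefix; make it "== 0xE0020020: Unknown ==" for consistency. Striking through the rsa_expmod() sentence with <s> and replacing it with "May be a kind of timer." / "Or working state." drops a concrete, reproducible observation in favour of two guesses; keep the rsa_expmod() sentence (it still describes what the code does) and append the speculation after it, or say why the observation was wrong. In the new Keyring controller section, "no known way to re setting protection" should read "no known way to reset protection", and the parenthetical "(slot_prot |= or_protect)" deserves a few words explaining that protection bits can only be OR'd in. The same five registers are now described under three naming schemes: the <pre> block uses EEP_DATA0..7 / EEP_LINE / EEP_SET_PROTECTION / EEP_GET_PROTECTION_REQ / EEP_GET_PROTECTION_RESP, the <source> struct uses data[8] / slot_id / slot_protection / slot_protect_chk / slot_protect_resp, and the headings below keep KeySetValue / KeySetValueTrigger / KeySetProtect / KeyQueryProtect / KeyQueryProtectResult; pick one scheme or add a mapping line so a reader can see that EEP_LINE, slot_id and KeySetValueTrigger are the same register at +0x20. That <source> tag also lacks lang="C" (the SceBigmacOp block later in this change has it). The struct comment "Needed have the 0x800 protection (direct write)" and the prose "0x1000 makes reads from f00d return 0" mention protection bits 0x800 and 0x1000 that are missing from the protection list at the top of the block (which stops at 0x00020000 and "more ..."); add them there, and "f00d" should be "Cmep" per the rename. Finally, renaming KeyQueryProtectResult Bit1 from HasBeenWrittenOnce to SlotEnabled and Bit2 from HasBeenWrittenMoreThanOnce to Unknown replaces a specific observed behaviour with "Unknown" without saying why; if the earlier description was wrong, note that, and the sentence "If the slot is not enabled, enable it (needed some protect. if not have protect, cannot enable that slot)" under KeySetValueTrigger would read better as "Writing the trigger also enables a disabled slot; a slot with no protection bits set cannot be enabled."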
Line 144: Line 170:  
VULN!! If you have AesDecryptAllowed, you can encrypt arbitrary AES blocks without AesEncryptAllowed. Use CTR mode.
 
VULN!! If you have AesDecryptAllowed, you can encrypt arbitrary AES blocks without AesEncryptAllowed. Use CTR mode.
    +
= SceBignum controller =
   −
== E0040108 RsaSignatureBuffer ==
+
== 0xE0040108: RsaSignatureBuffer ==
 
Size: 0x100 bytes.
 
Size: 0x100 bytes.
   −
== E0040400 RsaModulusBuffer ==
+
== 0xE0040400: RsaModulusBuffer ==
 
Size: 0x100 bytes.
 
Size: 0x100 bytes.
   −
== E0040800 RsaControl ==
+
== 0xE0040800: RsaControl ==
 
In u32's.
 
In u32's.
   −
== E0040800 RsaStatus ==
+
== 0xE0040800: RsaStatus ==
 
     Bit31: Busy
 
     Bit31: Busy
   −
== E0040808 RsaExponent ==
+
== 0xE0040808: RsaExponent ==
   −
== E0050000 BigmacSrc ==
+
= SceBigmac controller =
   −
== E0050004 BigmacDst ==
+
<source lang="C">
 +
// base:0xE0050000(channel0), 0xE0050080(channel1)
 +
typedef struct SceBigmacOp {
 +
const void *src;
 +
union {
 +
void *dst;
 +
int slot_id;
 +
};
 +
SceSize len;
 +
int func; // BigmacOp
   −
== E0050008 BigmacSize ==
+
int key_slot;
 +
void *iv;
 +
void *next;
 +
int ready; // Writing 1 here starts bigmac operation.
   −
== E005000C BigmacOp ==
+
int status;
Unlike Dmac5, DES is not supported for Bigmac.
+
int res; // Set when invalid keyslot (0xFFF). Bit18: Set when keyslot is not allowed to perform operation.
 +
} SceBigmacOp;
 +
</source>
 +
 
 +
== 0xE005000C: BigmacOp ==
 +
Unlike for Dmac5, DES is not supported for Bigmac.
    
   Bit0-6: Algorithm
 
   Bit0-6: Algorithm
 
   0x00 = Zeroes?
 
   0x00 = Zeroes?
 
   0x01 = AesEcbEncrypt
 
   0x01 = AesEcbEncrypt
  0x11 = AesCtrEncrypt
  −
  0x21 = AesCtrDecrypt
  −
  0x41  = !!! HANG !!!
  −
  0x61  = !!! HANG !!!
  −
  0x141 = !!! HANG !!!
   
   0x02 = AesEcbDecrypt
 
   0x02 = AesEcbDecrypt
 
   0x03 = Sha1
 
   0x03 = Sha1
 +
  0x04 = Rng
 +
  0x05 = Zeroes
 +
  0x06 = Zeroes
 +
  0x07 = Zeroes
 +
  0x09 = AesCbcEncrypt
 +
  0x0A = AesCbcDecrypt
 +
  0x0B = Sha224
 +
  0x0C = memset
 +
  0x0D = Zeroes
 +
  0x0E = Zeroes
 +
  0x0F = Zeroes
 +
  0x10 = AesCtr
 +
  0x11 = AesCtrEncrypt
 +
  0x12 = AesCtrDecrypt
 
   0x13 = Sha256
 
   0x13 = Sha256
 +
  0x1B = !!! HANG !!!
 
   0x23 = HmacSha1, keylength=32 bytes
 
   0x23 = HmacSha1, keylength=32 bytes
 +
  0x2B = !!! HANG !!!
 
   0x33 = HmacSha256, keylength=32 bytes
 
   0x33 = HmacSha256, keylength=32 bytes
 +
  0x3B = AesCmac
 +
  0x41  = !!! HANG !!!
 
   0x43 = <0x03>
 
   0x43 = <0x03>
 +
  0x4B = <0x0b>
 
   0x53 = <0x13>
 
   0x53 = <0x13>
   0x04 = Rng
+
   0x61  = !!! HANG !!!
  0x05 = Zeroes
+
   0x7B = <0x3b>
  0x06 = Zeroes
+
  0x141 = !!! HANG !!!
  0x07 = Zeroes
  −
  0x09 = AesCbcEncrypt
  −
  0x0a = AesCbcEncrypt
  −
  0x0b = Sha224
  −
  0x1b = !!! HANG !!!
  −
   0x2b = !!! HANG !!!
  −
  0x3b = AesCmac
  −
  0x4b = <0x0b>
  −
  0x7b = <0x3b>
  −
  0x0c = Zeroes
  −
  0x0d = Zeroes
  −
  0x0e = Zeroes
  −
  0x0f = Zeroes
      
     Bit7:    UseExternalKey
 
     Bit7:    UseExternalKey
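Review bot: the algorithm table in this hunk silently moves AesCtrDecrypt from 0x21 (removed line "0x21 = AesCtrDecrypt") to 0x12 ("0x12 = AesCtrDecrypt") and adds "0x10 = AesCtr" without comment; because the VULN note directly below relies on CTR mode behaviour on decrypt-only slots, confirm which value is correct and mention the correction, rather than leaving a reader of the history to guess whether the old entry was a typo. Correcting "0x0a = AesCbcEncrypt" to "0x0A = AesCbcDecrypt" and "0x0c = Zeroes" to "0x0C = memset" is good, but those are also substantive changes worth a word. In the new SceBigmacOp struct, SceSize is used without being defined on the page, the "status" field at +0x20 has no description while "res" at +0x24 carries the old BigmacStatus text (note the old BigmacStatus heading was 0xE0050024, which matches res, so "status" is a new, undocumented register), and the comment "base:0xE0050000(channel0), 0xE0050080(channel1)" introduces a second channel that nothing else on the page mentions; a sentence on how the two channels differ would help. Pre-existing but touched by this change: "== 0xE0040800: RsaControl ==" and "== 0xE0040800: RsaStatus ==" still share one address, so either one offset is wrong or they are the same register read versus written; say which.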
Line 237: Line 282:  
VULN! Any SHA with length==0 produces an output of all zeroes!
 
VULN! Any SHA with length==0 produces an output of all zeroes!
   −
== E005001C BigmacTrigger ==
+
== 0xE005003C: BigmacRng ==
Writing 1 here starts bigmac operation.
  −
 
  −
== E0050024 BigmacStatus ==
  −
Set when invalid keyslot (0xFFF).
  −
 
  −
    Bit18: Set when keyslot is not allowed to perform operation.
  −
 
  −
== E005003C BigmacRng ==
   
Reads a random value.
 
Reads a random value.
   −
== E0050200 BigmacExternalKey ==
+
== 0xE0050200: BigmacExternalKey ==
 
Size: 0x20 bytes
 
Size: 0x20 bytes
    
VULN! Allows partial overwrite. However when using keyslot crypto, this key remains unaffected. Thus it cannot be used to recover keyslot keys.
 
VULN! Allows partial overwrite. However when using keyslot crypto, this key remains unaffected. Thus it cannot be used to recover keyslot keys.
   −
== E0058000 KeyRingDirectAccess ==
+
= SceBigmac Keyring =
 +
 
 +
== 0xE0058000: KeyRingDirectAccess ==
 
Size: 0x10000 bytes.
 
Size: 0x10000 bytes.
   −
== E0070000 EmmcCryptoToggle? ==
+
Key slots
Set to 1.
+
 
 +
0x000-0x07F:
 +
    Initial state: Empty keyslots.
 +
    0x000-0x007: Empty group0 slave keyslots, for AES decryption only.
 +
    0x008-0x00F: Empty group1 slave keyslots, any algo.
 +
    0x010-0x01F: Empty group2 slave keyslots, for AES decryption only.
 +
    0x020-0x02F: Empty group3 slave keyslots, any algo.
 +
    0x030-0x07F: Empty normal keyslots, any algo.
 +
 
 +
0x100-0x17F:
 +
    Initial state: Empty keyslots.
 +
    0x100-0x17F: Empty normal keyslots, any algo.
 +
 
 +
0x200-0x217:
 +
    Initial state: Filled in, key material.
 +
    0x200-0x203: AES decryption-only keys (for memory buffers).
 +
    0x204-0x205: Master keys (for group0), any algo.
 +
    0x206-0x20D: Master keys (for group1), any algo.
 +
    0x20E-0x20F: Emmc keys, fully protected.
 +
    0x210-0x217: General purpose keys (for memory buffers).
 +
 
 +
0x300-0x3FF:
 +
    Initial state: Filled in, key material.
 +
    0x300-0x33F: AES decryption-only keys (for memory buffers).
 +
    0x340-0x343: Master keys (for group2), any algo.
 +
    0x344-0x353: Master keys (for group3), any algo.
 +
    0x354-0x3FF: General purpose keys (for memory buffers).
 +
 
 +
0x400-0x47F:
 +
    Initial state: Empty data storage, read-write from keyring.
 +
 
 +
0x500-0x57F:
 +
    Initial state: Empty data storage, read-write from keyring.
 +
 
 +
0x600-0x607:
 +
    Initial state: Filled in data, read-only. Keyring only.
 +
    0x603: u32 BootromFlags.
 +
      Bit0-15: HasRsaRevocationKey. This is set to 0xFFFF.
 +
      Bit16:  UseAlternativeEmmcClock
 +
 
 +
0x700-0x77F:
 +
    Initial state: Filled in data, read-only. Keyring only.
 +
    0x700-0x708: RsaRevocationKey0
 +
    0x708-0x710: RsaRevocationKey1
 +
    0x710-0x718: RsaRevocationKey2
 +
    0x718-0x720: RsaRevocationKey3
 +
    0x720-0x728: RsaRevocationKey4
 +
    0x728-0x730: RsaRevocationKey5
 +
    ...
 +
    0x778-0x780: RsaRevocationKey15
 +
 
 +
= SceEmmcController =
 +
 
 +
== 0xE0070000: EmmcCrypto Toggle/Status? ==
 +
 
 +
Toggle : Set to 1.
 +
 
 +
Status : enabled emmc enc/dec?
 +
 
 +
== 0xE0070004: EmmcCrypto avalaible status ==
 +
 
 +
bit0(& 1) : Not available -> second_loader throw error.
 +
 
 +
== 0xE0070008: EmmcCrypto keyset ==
 +
 
 +
1.69-3.73 : 0x20E and 0x20F.
 +
 
 +
write only.
 +
 
 +
== 0xE007000C: Unknown ==
 +
 
 +
Read value example: 2
 +
 
 +
= 0xE00C0000 =
 +
 
 +
== 0xE00CC000: Unknown ==
 +
 
 +
Unknown, Read value example: 0x10006331
 +
 
 +
== 0xE00CC014: Unknown ==
 +
 
 +
Unknown, Read value example: 0x300000
 +
 
 +
== 0xE00CC070: Unknown ==
 +
 
 +
Unknown, Read value example: 1
 +
 
 +
== 0xE00CC078: Unknown ==
 +
 
 +
Unknown, Read value example: 0x300
 +
 
    
[[Category:Keyring]]
 
[[Category:Keyring]]
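Review bot: the moved key slot table lost its heading markup: the removed copy at the top of this change was "== Key slots ==", but the re-added copy under "= SceBigmac Keyring =" is the bare line "Key slots", so it no longer appears in the table of contents; restore "== Key slots ==". Removing the BigmacTrigger and BigmacStatus sections is fine since their text now lives on the ready and res fields of SceBigmacOp, but "0xE005001C" and "0xE0050024" are then no longer visible anywhere as addresses, so a reader has to compute offsets from the struct layout. In the new SceEmmcController section: "avalaible" should be "available"; "bit0(& 1) : Not available -> second_loader throw error." does not say whether the bit being set or clear means unavailable, so spell it out (for example "Bit0: when set, eMMC crypto is not available and second_loader throws an error", if that is the observed polarity); and "1.69-3.73 : 0x20E and 0x20F." needs a subject, presumably "On firmware 1.69-3.73 the keyset used here is keyslots 0x20E and 0x20F", which also ties it back to the "Emmc keys, fully protected" entry in the key slot table. The group heading "= 0xE00C0000 =" does not match its subsections, which are all at 0xE00CC000-0xE00CC078; check whether the group or the registers carry a typo.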