SceSblSsMgr

NVS Areas
Refered as Ernie NVS. Not every part is readable from non-secure kernel: some sectors return error, and some sectors are part of SNVS (Secure NVS) which means they are encrypted.

On FW 3.60, NVS size is 0xB60 bytes:
 * Area from 0 to 0x3FF cannot be read using sceSblSsNvsReadForKernel nor written using sceSblSsNvsWriteForKernel. This area is handled by Secure Modules.
 * Area from 0x400 to 0x75F is handled by NS Kernel SceSblSsMgr.
 * Area from 0x760 to 0xB5F seems to be unused.

sceSblNvsReadDataForKernel
Previous name was sceSblSsMgrGetSysconDataForKernel and sceSblSsMgrNvsReadDataForKernel.

Calls sceSysconNvsReadDataForDriver.

Trying to read at offset 0-0x3FF: error 0x8025023C (cannot read SNVS using this function, need to use new protocols, to be documented).

Trying to read at offset > 0xB5F: error 0x80250001 (out of range).

sceSblNvsWriteDataForKernel
Previous name was sceSblSsMgrSetSysconDataForKernel and sceSblSsMgrNvsWriteDataForKernel.

Calls sceSysconNvsWriteDataForDriver.

return_ffffffff
From 0.990 to 3.60, all it does is return -1; // 0xFFFFFFFF.

get_qaf_token
On 0.990, only returns -1.

SceSblSsMgrForDriver
Cryptographic functions in this module typically have 3 variations:
 * 1) Use   - meaning that the key that you provide is used directly for encryption/decryption.
 * 2) Use   - meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific slot.
 * 3) * Note that in this case you select a key from F00D by . It will be encrypted by F00D and placed into the slot selected by.
 * 4) Use   - meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally.
 * 5) * In this case the key from F00D is also selected by  and encrypted by F00D. It is then placed into one of the available slots. Default slot range is 0xC-0x17.

sceSblRngPseudoRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomNumberForDriver.

sceSblRngGenuineRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomDataForDriver.

Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);

Used in SceKrm, SceSblGcAuthMgr.

sceSblDmac5RndForDriver
Temp name was sceSblSsMgrGetRandomDataCropForDriver.

Generates random data of length by executing Dmac5 command 0x04.

Data is then cropped to fit the size in outputBuffer.

Used by SceMsif.

sceSblDmac5AesEcbEncForDriver
Temp name was sceSblSsMgrAESECBEncryptForDriver.

Executes Dmac5 command 0x01.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecForDriver
Temp name was sceSblSsMgrAESECBDecryptForDriver.

Executes Dmac5 command 0x02.

Used by ScePfsMgr.

sceSblDmac5AesEcbEncNPForDriver
Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecNPForDriver
Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.

Executes Dmac5 command 0x02.

no usages found

sceSblDmac5AesEcbEncWithKeyslotForDriver
Executes Dmac5 command 0x01

used in SceSblMgKeyMgr

sceSblDmac5AesEcbDecWithKeyslotForDriver
Executes Dmac5 command 0x02.

used by SceSblMgKeyMgr

sceSblDmac5DesEcbEncWithKeyslotForDriver
Temp name was sceSblSsMgrDES64ECBEncryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x41.

Used in SceSblMgKeyMgr.

sceSblDmac5DesEcbDecWithKeyslotForDriver
Temp name was sceSblSsMgrDES64ECBDecryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x42.

Used in SceSblMgKeyMgr.

sceSblDmac5DesCbcEncWithKeyslotForDriver
Temp name was sceSblSsMgrDES64CBCEncryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x49.

no usages found

sceSblDmac5DesCbcDecWithKeyslotForDriver
Temp name was sceSblSsMgrDES64CBCDecryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x4A.

no usages found

sceSblDmac5AesCbcEncForDriver
Temp name was sceSblSsMgrAESCBCEncryptForDriver.

Executes Dmac5 command 0x9.

Used by ScePfsMgr.

sceSblDmac5AesCbcDecForDriver
SCE maybe made a typo: sceSblDmac5AEsCbcDecForDriver.

Temp name was sceSblSsMgrAESCBCDecryptForDriver.

Executes Dmac5 command 0xA.

Used by ScePfsMgr.

sceSblDmac5AesCbcEncNPForDriver
Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.

Executes Dmac5 command 0x9.

Used by ScePfsMgr.

sceSblDmac5AesCbcDecNPForDriver
Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.

Executes Dmac5 command 0xA.

Used by ScePfsMgr.

sceSblDmac5AesCtrEncForDriver
Temp name was sceSblSsMgrAESCTREncryptForDriver.

Executes Dmac5 command 0x21.

Used by SceNpDrm.

This function can also be used for decryption since CTR is symmetric function.

sceSblDmac5AesCtrDecForDriver
Temp name was sceSblSsMgrAESCTRDecryptForDriver.

Executes Dmac5 command 0x22.

no usages found

this function can also be used for encryption since CTR is symmetric function

sceSblDmac5Sha1ForDriver
Executes Dmac5 command 0x03.

Used by ScePfsMgr.

sceSblDmac5Sha1HmacTransformForDriver
Temp name was sceSblSsMgrHMACSHA1ForDriver.

Executes Dmac5 command 0x23.

Used by ScePfsMgr.

Key size is always 256 bits.

sceSblDmac5Sha1HmacNPForDriver
Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.

Executes Dmac5 command 0x23

no usages found

key_size is always 256 bits

sceSblDmac5Sha256HmacForDriver
Temp name was sceSblSsMgrHMACSHA256ForDriver.

Executes Dmac5 command 0x33.

no usages found

sceSblDmac5AesCmacForDriver
Temp name was sceSblSsMgrAESCMACForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

sceSblDmac5AesCmacNPForDriver
Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

sceSblDmac5AesCmacWithKeyslotForDriver
Executes Dmac5 command 0x3B.

no usages found

sceSblSsMgrExecuteDmac5HashCommandForDriver
Executes Dmac5 commands related to hash functions.

Used by SceNpDrm.

sceSblSsEncryptWithPortabilityForDriver
derived from

strangely enough does not use communication with F00D through command 0x1000A from encdec_w_portability_sm.self

sceSblSsDecryptWithPortabilityForDriver
derived from

Decrypts or derives AES key that is used in msif to decrypt static sha224 table.

Communication with F00D is done with command 0x2000A from encdec_w_portability_sm.self.

sceSblSsGetNvsDataForDriver
derived from

Calls sceSysconNvsReadDataForDriver.

sceSblSsSetNvsDataForDriver
derived from

Calls sceSysconNvsWriteDataForDriver.

sceSblAimgrGetVisibleIdForDriver
Temp name was sceSblSsMgrGetVisibleIdForDriver, or sceSblSsMgrGetFuseIdForDriver.

Derived from.

Executes F00D aimgr_sm.self command 0x3.

sceSblAimgrGetConsoleIdForDriver
Temp name was sceSblSsMgrGetConsoleIdForDriver.

This function obtains Console Id by executing aimgr_sm.self F00D command 0x1.

sceSblAimgrGetOpenPsIdForDriver
Temp name was sceSblSsMgrGetOpenPsIdForDriver.

This function returns information from a static buffer that is initialized on module_start.

Read OpenPsId from sysroot_buffer+0x70 using sceKernelSysrootGetKblParamForKernel.

sceSblAimgrGetPscodeForDriver
Temp name was sceSblSsMgrGetPscodeForDriver.

Derived from.

This function returns information from a static buffer that is initialized on module_start.

Read PsCode from sysroot_buffer+0xA0 using sceKernelSysrootGetKblParamForKernel.

sceSblAimgrGetPscode2ForDriver
Temp name was sceSblSsMgrGetPscode2ForDriver.

Executes F00D aimgr_sm.self command 0x4.

derived from

sceSblSsCreatePassPhraseForDriver
executes F00D aimgr_sm.self command 0x5

derived from

sceSblSsInfraAllocatePARangeVectorForDriver
Used by SceSblUpdateMgr - does some initialization

unk_c38d0cea
Used by SceSblUpdateMgr - does some cleanup

sceSblSsMemsetForDriver
Used by SceSblPostSsMgr.

sceSblPmMgrSetProductModeForDriver
Known values: call it with product_mode 1 then reboot.

SceSblSsMgr
This library exists on 1.69 but doesn't exist on 3.60.

sceSblQafMgrGetQafToken
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerSetQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerDeleteQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerGetQafNameForUser
Wrapper to sceSblQafManagerGetQafNameForKernel.

sceSblQafMgrIsAllowMinimumDebugMenuDisplay
return sysroot_buffer->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowLimitedDebugMenuDisplay
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowAllDebugMenuDisplay
return (sysroot_buffer->qa_flags[0xC] >> 1) & 1;

sceSblQafManagerIsAllowKernelDebugForUser
return sysroot_buffer->qa_flags[0xD] & 1;

sceSblQafMgrIsAllowForceUpdate
return (sysroot_buffer->qa_flags[0xF] >> 1) & 1;

sceSblQafMgrIsAllowNpFullTest
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowNonQAPup
return sysroot_buffer->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowScreenShotAlways
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowRemoteSysmoduleLoad
return (sysroot_buffer->qa_flags[0xD] >> 1) & 1;

sceSblRngGenuineRandomNumber
Temp name was sceSblSsMgrGetRandomData.

Calls sceSblRngGenuineRandomNumberForDriver.

sceSblDmac5HashTransform
This function can execute the following dmac5 commands:
 * 0x3B: CMAC-AES (length 0x10)
 * 0x03: SHA1 (length 0x14)
 * 0x23: HMAC-SHA1 (length 0x14)
 * 0x13: SHA256 (length 0x20)
 * 0x33: HMAC-SHA256 (length 0x20)

sceSblDmac5EncDecKeyGen
This function is also named  or   in

sceSblDmac5HmacKeyGen
This function is named  in SceSysLibTrace but is also called   in.