SceSblSsMgr

Ernie NVS
Not every part is readable from non-secure kernel: some sectors are part of SNVS (Secure NVS) which means they are XTS encrypted and must be accessed through a Secure handshake. See SNVS.

On FW 3.60, NVS size is 0xB60 bytes:
 * Area from 0 to 0x3FF cannot be read using sceSblSsNvsReadForKernel nor written using sceSblSsNvsWriteForKernel. This area is handled by Secure Modules.
 * Area from 0x400 to 0x75F is handled by NS Kernel SceSblSsMgr.
 * Area from 0x760 to 0xB5F seems to be unused.

sceSblNvsReadDataForKernel
Previous name was sceSblSsMgrGetSysconDataForKernel and sceSblSsMgrNvsReadDataForKernel.

Calls sceSysconNvsReadDataForDriver.

Trying to read at offset 0-0x3FF: error 0x8025023C (cannot read SNVS using this function, need to use new protocols, to be documented).

Trying to read at offset > 0xB5F: error 0x80250001 (out of range).

sceSblNvsWriteDataForKernel
Previous name was sceSblSsMgrSetSysconDataForKernel and sceSblSsMgrNvsWriteDataForKernel.

Calls sceSysconNvsWriteDataForDriver.

return_ffffffff
From 0.990 to 3.60, all it does is return -1; // 0xFFFFFFFF.

get_qaf_token
On 0.990, only returns -1.

SceSblSsMgrForDriver
Cryptographic functions in this module typically have 3 variations:
 * 1) Use   - meaning that the key that you provide is used directly for encryption/decryption.
 * 2) Use   - meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific slot. In this case you select a key from F00D by  . It will be encrypted by F00D and placed into the slot selected by.
 * 3) Use   - meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally. In this case the key from F00D is also selected by   and encrypted by F00D. It is then placed into one of the available slots. Default slot range is 0xC-0x17.

sceSblRngPseudoRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomNumberForDriver.

sceSblRngGenuineRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomDataForDriver.

Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);

Used in SceKrm, SceSblGcAuthMgr.

sceSblDmac5RndForDriver
Temp name was sceSblSsMgrGetRandomDataCropForDriver.

Generates random data of length by executing Dmac5 command 0x4.

Data is then cropped to fit the size in pOutputBuffer.

Used in SceMsif.

sceSblDmac5AesEcbEncForDriver
Temp name was sceSblSsMgrAESECBEncryptForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecForDriver
Temp name was sceSblSsMgrAESECBDecryptForDriver.

Executes Dmac5 command 0x2.

Used in ScePfsMgr.

sceSblDmac5AesEcbEncNPForDriver
Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecNPForDriver
Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.

Executes Dmac5 command 0x2.

no usages found

sceSblDmac5AesEcbEncWithKeyslotForDriver
Executes Dmac5 command 0x1.

Used in SceSblMgKeyMgr.

sceSblDmac5AesEcbDecWithKeyslotForDriver
Executes Dmac5 command 0x2.

Used in SceSblMgKeyMgr.

sceSblDmac5DesEcbEncWithKeyslotForDriver
Temp name was sceSblSsMgrDES64ECBEncryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x41.

Used in SceSblMgKeyMgr.

sceSblDmac5DesEcbDecWithKeyslotForDriver
Temp name was sceSblSsMgrDES64ECBDecryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x42.

Used in SceSblMgKeyMgr.

sceSblDmac5DesCbcEncWithKeyslotForDriver
Temp name was sceSblSsMgrDES64CBCEncryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x49.

no usages found

sceSblDmac5DesCbcDecWithKeyslotForDriver
Temp name was sceSblSsMgrDES64CBCDecryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x4A.

no usages found

sceSblDmac5AesCbcEncForDriver
Temp name was sceSblSsMgrAESCBCEncryptForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

sceSblDmac5AesCbcDecForDriver
SCE maybe made a typo: sceSblDmac5AEsCbcDecForDriver.

Temp name was sceSblSsMgrAESCBCDecryptForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

sceSblDmac5AesCbcEncNPForDriver
Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

sceSblDmac5AesCbcDecNPForDriver
Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

sceSblDmac5AesCtrEncForDriver
Temp name was sceSblSsMgrAESCTREncryptForDriver.

Executes Dmac5 command 0x21.

Used in SceNpDrm.

This function can also be used for decryption since CTR is symmetric function.

sceSblDmac5AesCtrDecForDriver
Temp name was sceSblSsMgrAESCTRDecryptForDriver.

Executes Dmac5 command 0x22.

no usages found

this function can also be used for encryption since CTR is symmetric function

sceSblDmac5Sha1ForDriver
Executes Dmac5 command 0x3.

Used in ScePfsMgr.

sceSblDmac5Sha1HmacTransformForDriver
Temp name was sceSblSsMgrHMACSHA1ForDriver.

Executes Dmac5 command 0x23.

Used in ScePfsMgr.

Key size is always 256 bits.

sceSblDmac5Sha1HmacNPForDriver
Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.

Executes Dmac5 command 0x23.

no usages found

key_size is always 256 bits

sceSblDmac5Sha256HmacForDriver
Temp name was sceSblSsMgrHMACSHA256ForDriver.

Executes Dmac5 command 0x33.

no usages found

sceSblDmac5AesCmacForDriver
Temp name was sceSblSsMgrAESCMACForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

sceSblDmac5AesCmacNPForDriver
Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.

Executes Dmac5 command 0x3B.

Used in ScePfsMgr.

sceSblDmac5AesCmacWithKeyslotForDriver
Executes Dmac5 command 0x3B.

no usages found

sceSblSsMgrExecuteDmac5HashCommandForDriver
Executes Dmac5 commands related to hash functions.

Used in SceNpDrm.

sceSblSsEncryptWithPortabilityForDriver
derived from

Strangely it does not communicate with encdec_w_portability_sm command 0x1000A. That's because anyway this SM command is not implemented in release FWs.

sceSblSsDecryptWithPortabilityForDriver
derived from

For example, decrypts or derives AES key that is used in msif to decrypt static sha224 table.

Executes F00D encdec_w_portability_sm command 0x2000A.

sceSblSsGetNvsDataForDriver
derived from

Calls sceSysconNvsReadDataForDriver.

sceSblSsSetNvsDataForDriver
derived from

Calls sceSysconNvsWriteDataForDriver.

sceSblAimgrGetVisibleIdForDriver
Temp name was sceSblSsMgrGetVisibleIdForDriver, sceSblSsMgrGetFuseIdForDriver.

Derived from.

Executes F00D aimgr_sm command 0x3.

sceSblAimgrGetConsoleIdForDriver
Temp name was sceSblSsMgrGetConsoleIdForDriver.

This function obtains Console Id by executing F00D aimgr_sm command 0x1.

sceSblAimgrGetOpenPsIdForDriver
Temp name was sceSblSsMgrGetOpenPsIdForDriver.

This function returns information from a static buffer that is initialized on module_start.

OpenPsId comes from kbl_param->openpsid using SceSysmem.

sceSblAimgrGetPscodeForDriver
Temp name was sceSblSsMgrGetPscodeForDriver.

Derived from.

This function returns information from a static buffer that is initialized on module_start.

PsCode comes from kbl_param->pscode using SceSysmem.

sceSblAimgrGetPscode2ForDriver
Temp name was sceSblSsMgrGetPscode2ForDriver.

Derived from

Executes F00D aimgr_sm command 0x4.

sceSblSsCreatePassPhraseForDriver
Executes F00D aimgr_sm command 0x5.

derived from

sceSblSsInfraAllocatePARangeVectorForDriver
Does some initialization.

Used by SceSblUpdateMgr.

SceSblSsMgrForDriver_C38D0CEA
Does some cleanup.

Used by SceSblUpdateMgr.

sceSblSsMemsetForDriver
Used by SceSblPostSsMgr.

SceSblSsMgr
This library exists on 1.69 but doesn't exist on 3.60.

sceSblQafMgrGetQafToken
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerSetQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerDeleteQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerGetQafNameForUser
Wrapper to sceSblQafManagerGetQafNameForKernel.

sceSblQafMgrIsAllowMinimumDebugMenuDisplay
return sysroot_buffer->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowLimitedDebugMenuDisplay
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowAllDebugMenuDisplay
return (sysroot_buffer->qa_flags[0xC] >> 1) & 1;

sceSblQafManagerIsAllowKernelDebugForUser
return sysroot_buffer->qa_flags[0xD] & 1;

sceSblQafMgrIsAllowForceUpdate
return (sysroot_buffer->qa_flags[0xF] >> 1) & 1;

sceSblQafMgrIsAllowNpFullTest
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowNonQAPup
return sysroot_buffer->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowScreenShotAlways
return (sysroot_buffer->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowRemoteSysmoduleLoad
return (sysroot_buffer->qa_flags[0xD] >> 1) & 1;

sceSblRngGenuineRandomNumber
Temp name was sceSblSsMgrGetRandomData.

Calls sceSblRngGenuineRandomNumberForDriver.

sceSblDmac5HashTransform
This function can execute the following dmac5 commands:
 * 0x3B: CMAC-AES (length 0x10)
 * 0x03: SHA1 (length 0x14)
 * 0x23: HMAC-SHA1 (length 0x14)
 * 0x13: SHA256 (length 0x20)
 * 0x33: HMAC-SHA256 (length 0x20)

sceSblDmac5EncDecKeyGen
This function is also named  or   in

sceSblDmac5HmacKeyGen
This function is named  in SceSysLibTrace but is also called   in.