KBL Param

The sysroot buffer is a  sized buffer passed to the secure kernel bootloader in the scratch space and contains all sorts of flags and system parameters. This buffer is copied to the secure kernel, the non-secure kernel loader, and the non-secure kernel and is used by many functions to check for features that are enabled for the system.

QA flags
In the following table bytes are counted from left to right and bits from left to right too.

To check: Byte 0xF bit 7, byte 0xE bit 7, byte 0xE bit 6, byte 0xB bit 3: Revocation related.

The data below contains QA Flags captured (at 0x20 in sysroot buffer) from a System Debugger unit (SD DEM):

Boot flags

 * at 0x30: 0xFF - not update mode
 * at 0x33: 0xFF - not safe mode
 * at 0x35: 0xFF on FAT (no internal storage) or on PSTV or SLIM (internal storage enabled); 0xFE on PSTV or SLIM (internal storage disabled)

Hardware Info
Data returned by Ernie.


 * 00 60 41 00: PDEL-1XXX
 * 00 60 40 00: PCH-10XX / PTEL-1XXX
 * 02 60 40 00: PCH-11XX
 * 38 22 82 00: PCH-2XXX model revision 0x18
 * 30 30 70 00: VTE-XXXX

First byte

 * 00 -> FAT WIFI
 * 02 -> FAT 3G. This is what SceBbmc checks.
 * 30 -> PSTV model revision 0x18
 * 38 -> SLIM
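
Byte 0x35 of the boot flags can only be interpreted together with the model, since 0xFF means different things on FAT and on PSTV/SLIM units. The following C code is an added example, not code from the original page or from any SDK; all function and enum names are hypothetical, and the hardware info bytes are passed in separately because their location is not given here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sysroot buffer offsets taken from the "Boot flags" list. */
enum { OFF_UPDATE_MODE = 0x30, OFF_SAFE_MODE = 0x33, OFF_INT_STORAGE = 0x35 };
enum model { MODEL_UNKNOWN, MODEL_FAT_WIFI, MODEL_FAT_3G, MODEL_PSTV, MODEL_SLIM };
enum storage { STORAGE_UNKNOWN, STORAGE_NONE, STORAGE_ENABLED, STORAGE_DISABLED };

/* Classify the unit from the first byte of the hardware info (hypothetical helper). */
enum model model_from_hwinfo(const uint8_t hw[4]) {
    switch (hw[0]) {
    case 0x00: return MODEL_FAT_WIFI;
    case 0x02: return MODEL_FAT_3G;
    case 0x30: return MODEL_PSTV;
    case 0x38: return MODEL_SLIM;
    default:   return MODEL_UNKNOWN;
    }
}

/* 0xFF at 0x35 is "no internal storage" on FAT but "enabled" on PSTV/SLIM;
 * 0xFE is only listed for PSTV/SLIM. Anything else is reported as unknown. */
enum storage storage_state(const uint8_t *sysroot, size_t len, enum model m) {
    if (sysroot == NULL || len <= (size_t)OFF_INT_STORAGE) return STORAGE_UNKNOWN;
    uint8_t v = sysroot[OFF_INT_STORAGE];
    int fat = (m == MODEL_FAT_WIFI || m == MODEL_FAT_3G);
    int pstv_or_slim = (m == MODEL_PSTV || m == MODEL_SLIM);
    if (v == 0xFF && fat) return STORAGE_NONE;
    if (v == 0xFF && pstv_or_slim) return STORAGE_ENABLED;
    if (v == 0xFE && pstv_or_slim) return STORAGE_DISABLED;
    return STORAGE_UNKNOWN;
}

/* 1 if the byte at off is 0xFF (the listed "not update mode" / "not safe mode"
 * value), 0 if it holds another value, -1 if the buffer is too short. */
int boot_flag_is_ff(const uint8_t *sysroot, size_t len, size_t off) {
    if (sysroot == NULL || len <= off) return -1;
    return sysroot[off] == 0xFF;
}

int main(void) {
    uint8_t buf[0x40] = {0};                        /* constructed sample buffer */
    const uint8_t hw[4] = {0x38, 0x22, 0x82, 0x00}; /* PCH-2XXX entry from the list */
    buf[OFF_UPDATE_MODE] = 0xFF; buf[OFF_SAFE_MODE] = 0xFF; buf[OFF_INT_STORAGE] = 0xFE;
    printf("not update mode: %d\n", boot_flag_is_ff(buf, sizeof buf, OFF_UPDATE_MODE));
    printf("storage state:   %d\n", storage_state(buf, sizeof buf, model_from_hwinfo(hw)));
    return 0;
}
```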

Experimental point of view
- No AC connected + POWER button not pressed: 0x0. Example: rebooting the PSVita by software when AC is not connected.

- No AC connected + POWER button pressed: 0x4. Example: booting the PSVita by pressing the POWER button when AC is not connected.

- AC connected + POWER button not pressed: 0x8. Examples: rebooting the PSVita by software when AC is connected; autobooting a PSTV or IDU PSVita by plugging in AC.

- AC connected + POWER button pressed: 0xC. Examples: powering off the PSTV by software, then booting it by pressing the POWER button; booting the PSVita by pressing the POWER button when AC is connected.

Wakeup factor

 * 14 FF 00 00
 * 04 FF 00 00 after normal reboot
 * 04 00 00 00
 * 00 FF 00 00
 * 80 after suspend

DIP Switches
DIP switches area embeds two parts: Communication Processor information as 32-bit integers, followed by DIP switches represented by bitflags.

DIP Switches bit flags resolving
DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.

To convert the bit number to the offset and bit:,.

CP Information
Bits  is a 32-bit integer of the current time on the CP clock. This is duplicated in bits.

Bits  is a 16-bit integer of the CP version and bits   is a 16-bit integer of the CP board ID. All integers are little-endian. On non-devkits, these fields are zeroes.

Bits  are also usable as general purpose switches exposed with ,  , and   but they do not change anything in hardware (only cached values are overwritten). According to SDK only DIP switches 0-63 are accessible from userland.

User flags
Bits  does not seem to be used in the kernel.

SDK (SCE) flags
Bits  are used for DevKit Boot Parameters.

Shell flags
Bits  are used for SceShell flags.

Debug control flags
Bits  are for various debug options.

System control flags
Bits  are used for various system options.

if ((system_control_flags & 1) != 0) {
    // loading QA flags is not allowed
} else {
    // loading QA flags is allowed
}

if ((system_control_flags & 2) != 0) {
    // QA flags are cleared
    // (SceQafMgrForDriver_382C71E8, SceQafMgrForDriver_52B4E164,
    //  sceSblQafMgrIsAllowHost0Access and
    //  sceSblQafMgrIsAllowDecryptedBootConfigLoad functions will return false)
}

Hardware flags

 * all zeroes in most cases
 * 47 02, 07 00 on a Slim