SceSblSsMgr

TODO

 * study command flags
 * check if mask_enable is a SceBool and if so change type.
 * check which keyrings are allowed per function, and if key_id are per keyring index.
 * create enum for keyrings indexes
 * check IV usage

sceSblNvsReadDataForKernel
Temp name was sceSblSsMgrNvsReadDataForKernel.

Calls SceSyscon.

Trying to read at offset 0-0x3FF: error 0x8025023C (cannot read SNVS using this function, need to use SNVS protocol).

Trying to read at offset > 0xB5F: error 0x80250001 (out of range).

Trying to read at ((offset & 7) != 0): error 0x80250001 (non aligned).

sceSblNvsWriteDataForKernel
Temp name was sceSblSsMgrNvsWriteDataForKernel.

Calls sceSysconNvsWriteDataForDriver.

sceSblPmMgrGetProductModeForKernel
Temp name was scePmMgrGetProductModeForKernel.

From FWs 0.990 to 3.60, it is simply a redirect to SceSysmem.

SceSblSsMgrForDriver
Cryptographic functions in this module typically have 3 variations:
 * 1) Use   - meaning that the key that you provide is used directly for encryption/decryption.
 * 2) Use   - meaning that you have to use sceSblAuthMgrSetDmac5KeyForKernel function to set the key into a specific keyring. In this case you select a key from cmep by  . It will be encrypted by cmep and placed into the keyring selected by.
 * 3) Use   - meaning that the call to sceSblAuthMgrSetDmac5KeyForKernel will happen internally. In this case the key from cmep is also selected by   and encrypted by cmep. It is then placed into one of the available keyrings. Default keyring range is 0xC-0x17.

sceSblRngPseudoRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomNumberForDriver.

Gets the pseudo-random number calculated within SceSblSsMgr.

The base seed is (DMAC5 RNG + HMAC-SHA1) * 2. System Time is also used for one of them.

sceSblRngGenuineRandomNumberForDriver
Temp name was sceSblSsMgrGetRandomDataForDriver.

Generates random data of length 0x40 bytes by doing: sceSblDmac5RndForDriver(dest, 0x40, 1);

Used in SceKrm, SceSblGcAuthMgr.

SceSblSsMgrForDriver_8C31A8FD
A guessed name is sceSblDmac5...Op...ForDriver.

Uses _sceSblDmac5AllocOp.

SceSblSsMgrForDriver_CAB891D3
A guessed name is sceSblDmac5...Op...ForDriver.

Uses _sceSblDmac5AllocOp.

_sceSblDmac5DirectCryptForDriver
This is a guessed name.

Uses _sceSblDmac5DirectCrypt.

SceSblSsMgrForDriver_A87E82A4
A guessed name is sceSblDmac5...ForDriver.

Uses _sceSblDmac5DirectCrypt.

SceSblSsMgrForDriver_465D1526
A guessed name is sceSblDmac5...ForDriver.

Uses _sceSblDmac5DirectCrypt.

sceSblDmac5RndForDriver
Temp name was sceSblSsMgrGetRandomDataCropForDriver.

Generates random data by executing Dmac5 command 0x4.

Data is then cropped to fit the size in pOutputBuffer.

Used in SceMsif.

sceSblDmac5AesEcbEncForDriver
Temp name was sceSblSsMgrAESECBEncryptForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecForDriver
Temp name was sceSblSsMgrAESECBDecryptForDriver.

Executes Dmac5 command 0x2.

Used in ScePfsMgr.

sceSblDmac5AesEcbEncNPForDriver
Temp name was sceSblSsMgrAESECBEncryptWithKeygenForDriver.

Executes Dmac5 command 0x1.

Used in ScePfsMgr.

sceSblDmac5AesEcbDecNPForDriver
Temp name was sceSblSsMgrAESECBDecryptWithKeygenForDriver.

Executes Dmac5 command 0x2.

no usages found

sceSblDmac5AesEcbEncWithDmac5KeyForDriver
Temp name was sceSblDmac5AesEcbEncWithKeyslotForDriver.

Executes Dmac5 command 0x1.

Used in SceSblMgKeyMgr.

sceSblDmac5AesEcbDecWithDmac5KeyForDriver
Temp name was sceSblDmac5AesEcbDecWithKeyslotForDriver.

Executes Dmac5 command 0x2.

Used in SceSblMgKeyMgr.

sceSblDmac5DesEcbEncWithDmac5KeyForDriver
Temp name was sceSblDmac5DesEcbEncWithKeyslotForDriver, sceSblSsMgrDES64ECBEncryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x41.

Used in SceSblMgKeyMgr.

sceSblDmac5DesEcbDecWithDmac5KeyForDriver
Temp name was sceSblDmac5DesEcbDecWithKeyslotForDriver, sceSblSsMgrDES64ECBDecryptForDriver.

This also implements 3DES. Chosen function depends on key size.


 * for 64 - DES
 * for 128 - not tested. assuming 3DES with K1 = K3.
 * for 192 - 3DES

Executes Dmac5 command 0x42.

Used in SceSblMgKeyMgr.

sceSblDmac5DesCbcEncWithDmac5KeyForDriver
Temp name was sceSblDmac5DesCbcEncWithKeyslotForDriver, sceSblSsMgrDES64CBCEncryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x49.

no usages found

sceSblDmac5DesCbcDecWithDmac5KeyForDriver
Temp name was sceSblDmac5DesCbcDecWithKeyslotForDriver, sceSblSsMgrDES64CBCDecryptForDriver.

This also probably implements 3DES. Chosen function depends on key size.


 * for 0x40 - DES
 * for 0x80 - not tested. assuming 3DES with K1 = K3.
 * for 0xC0 - 3DES

Executes Dmac5 command 0x4A.

no usages found

sceSblDmac5AesCbcEncForDriver
Temp name was sceSblSsMgrAESCBCEncryptForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

sceSblDmac5AesCbcDecForDriver
The official name maybe contains a typo: sceSblDmac5AEsCbcDecForDriver.

Temp name was sceSblSsMgrAESCBCDecryptForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

sceSblDmac5AesCbcEncNPForDriver
Temp name was sceSblSsMgrAESCBCEncryptWithKeygenForDriver.

Executes Dmac5 command 0x9.

Used in ScePfsMgr.

sceSblDmac5AesCbcDecNPForDriver
Temp name was sceSblSsMgrAESCBCDecryptWithKeygenForDriver.

Executes Dmac5 command 0xA.

Used in ScePfsMgr.

sceSblDmac5AesCtrEncForDriver
Temp name was sceSblSsMgrAESCTREncryptForDriver.

Executes Dmac5 command 0x21.

Used in SceNpDrm.

This function can also be used for decryption since AES CTR is a symmetric function.

sceSblDmac5AesCtrDecForDriver
Temp name was sceSblSsMgrAESCTRDecryptForDriver.

Executes Dmac5 command 0x22.

no usages found

This function can also be used for encryption since AES CTR is a symmetric function.

sceSblDmac5Sha1ForDriver
Executes Dmac5 command 0x3. Used in ScePfsMgr.

sceSblDmac5Sha1HmacTransformForDriver
Temp name was sceSblSsMgrHMACSHA1ForDriver.

Executes Dmac5 command 0x23. Used in ScePfsMgr.

Key size is always 256-bits.

sceSblDmac5Sha1HmacNPForDriver
Temp name was sceSblSsMgrHMACSHA1WithKeygenForDriver.

Executes Dmac5 command 0x23. no usages found.

sceSblDmac5Sha256HmacForDriver
Temp name was sceSblSsMgrHMACSHA256ForDriver.

Executes Dmac5 command 0x33. no usages found.

sceSblDmac5AesCmacForDriver
Temp name was sceSblSsMgrAESCMACForDriver.

Executes Dmac5 command 0x3B. Used in ScePfsMgr.

sceSblDmac5AesCmacNPForDriver
Temp name was sceSblSsMgrAESCMACWithKeygenForDriver.

Executes Dmac5 command 0x3B. Used in ScePfsMgr.

sceSblDmac5AesCmacWithDmac5KeyForDriver
Temp name was sceSblDmac5AesCmacWithKeyslotForDriver.

Executes Dmac5 command 0x3B.

no usages found

sceSblSsMgrExecuteDmac5HashCommandForDriver
Executes Dmac5 commands related to hash functions.

Used in SceNpDrm.

sceSblSsEncryptWithPortabilityForDriver
derived from

Strangely it does not communicate with encdec_w_portability_sm command 0x1000A. That is because anyway this SM command is not implemented in release System Software.

sceSblSsDecryptWithPortabilityForDriver
derived from

For example, decrypts or derives AES key that is used in msif to decrypt static sha224 table.

Executes encdec_w_portability_sm command 0x2000A.

sceSblSsGetNvsDataForDriver
derived from

Calls sceSysconNvsReadDataForDriver.

sceSblSsSetNvsDataForDriver
derived from

Calls sceSysconNvsWriteDataForDriver.

sceSblAimgrGetVisibleIdForDriver
Temp name was sceSblSsMgrGetVisibleIdForDriver, sceSblSsMgrGetFuseIdForDriver.

Derived from.

Obtains the console's Visible ID by executing aimgr_sm command 0x3.

sceSblAimgrGetConsoleIdForDriver
Temp name was sceSblSsMgrGetConsoleIdForDriver.

Obtains Console ID by executing aimgr_sm command 0x1.

sceSblAimgrGetOpenPsIdForDriver
Temp name was sceSblSsMgrGetOpenPsIdForDriver.

This function returns information from a static buffer that is initialized on module_start.

OpenPsId comes from kbl_param->openpsid using SceSysmem.

sceSblAimgrGetPscodeForDriver
Temp name was sceSblSsMgrGetPscodeForDriver.

Derived from.

This function returns information from a static buffer that is initialized on module_start.

PsCode comes from kbl_param->pscode using SceSysmem.

sceSblAimgrGetPscode2ForDriver
Temp name was sceSblSsMgrGetPscode2ForDriver.

Derived from

Obtains the console's Ps Code by executing aimgr_sm command 0x4.

sceSblSsCreatePassPhraseForDriver
derived from

Obtains the PassPhrase by executing aimgr_sm command 0x5.

sceSblSsInfraAllocatePARangeVectorForDriver
Used by SceSblUpdateMgr.

sceSblSsInfraFreePARangeVectorForDriver
Used by SceSblUpdateMgr.

sceSblSsMemsetForDriver
Used by SceSblPostSsMgr.

sceSblSsCrepoInitializeForDriver
Initializes Crash Report key ring. Returns 0 on success.

Calls the _sceSblSsCrepoGetKeyRing subroutine to initialize the Crepo key ring. The Crepo key ring is then cached in memory from the result of decrypt with portability.

sceSblSsCrepoGetKeyForDriver
This is a guessed name.

Uses Crepo Key Ring.

sceSblSsCrepoGetKeyInfoByIdxForDriver
This is a guessed name.

Gets 0x10 bytes of data from the cached Crepo Key Ring.

sceSblSsCrepoStopForDriver
This is a guessed name.

Clears Crash Report key ring. Always return 0.

sceSblSsCloudDataGetEncDecCryptHandleForDriver
This is a guessed name.

Gets the entire Cloud Data Key Ring.

Used in SceAppMgr.

sceSblSsCloudDataGetSignCryptHandleForDriver
This is a guessed name.

Used in SceAppMgr and SceAppMgr.

sceSblSsCloudDataStopForDriver
This is a guessed name.

Clears Cloud Data Key Ring.

sceSblSsGenerateAppKeyForDriver
This name was derived from SceVshBridge.

SceSblSsMgr
This library exists on FW 1.69 but does not exist on FW 3.60.

sceSblQafMgrGetQafToken
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerSetQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerDeleteQafTokenForUser
On 3.60 returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).

sceSblQafManagerGetQafNameForUser
Wrapper to sceSblQafManagerGetQafNameForKernel.

sceSblQafMgrIsAllowMinimumDebugMenuDisplay
return pKblParam->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowLimitedDebugMenuDisplay
return (pKblParam->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowAllDebugMenuDisplay
return (pKblParam->qa_flags[0xC] >> 1) & 1;

sceSblQafManagerIsAllowKernelDebugForUser
return pKblParam->qa_flags[0xD] & 1;

sceSblQafMgrIsAllowForceUpdate
return (pKblParam->qa_flags[0xF] >> 1) & 1;

sceSblQafMgrIsAllowNpFullTest
return (pKblParam->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowNonQAPup
return pKblParam->qa_flags[0xF] & 1;

sceSblQafMgrIsAllowScreenShotAlways
return (pKblParam->qa_flags[6] >> 1) & 1;

sceSblQafMgrIsAllowRemoteSysmoduleLoad
return (pKblParam->qa_flags[0xD] >> 1) & 1;

sceSblRngGenuineRandomNumber
Temp name was sceSblSsMgrGetRandomData.

Calls.

sceSblRngPseudoRandomNumber
Calls.

_sceKernelGetRandomNumber
Calls.

sceSblDmac5EncDecKeyGen
official:

AesCbcEncrypt command to  in SceGameDataPlugin.

AesCbcDecrypt command to  in SceGameDataPlugin.

theory:

AesCtrEncrypt command to.

sceSblDmac5HashTransform
Support to Sha1/Sha224/Sha256 only.

sceSblDmac5HmacKeyGen
This function is named  in SceSysLibTrace.

HmacSha256 command to  in SceGameDataPlugin (official name).

Theory:

HmacSha1 command to.

HmacSha224 command to.