Cmep

This processor is hypothesized to perform most of the cryptography tasks including storing and handing of keys. There is little information about it though. The F00D Processor (named after the  field of the ELF headers) is likely a custom Toshiba MeP core.

Communication
Communication seems to go through some sort of FIFO register.

Write
To write, put the double word into. Next read  until it returns 0, which indicates the data was read by the F00D processor.

Read
To read, get a double word from. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into.

Protocol
A 32-bit command buffer is defined below. The command is sent to the F00D processor with the method listed above.

Command ID
Below are notes on different commands.

0x0
Seems to be used to set the 0x100 sized shared buffer. First the physical address of the buffer is written to  and then command 0x0 is written.

0x1
May be used to reset F00D processor.

0x9
Seems to be used to set a 0x80 sized shared buffer.

0xA
Seems to set the SCE encrypted revocation list.

Memory
is allowed access to,  ,  , and. The address checks is likely done in software. F00D has it's own private 128KB memory from  to. F00D SELFs are typically loaded to.