Address = 0xE0058000 + 32 * Slot
Permission bits
Bit |
Function
|
0 |
accessible for bigmac encrypt
|
1 |
accessible for bigmac decrypt
|
4 |
bigmac destination is allowed to be memory(?)
|
Key Ring Slots 0xE0058000
Slot |
Mode |
Protection |
Per-console |
Description
|
0 |
3 |
0x0442 |
? |
?
|
1 |
1 |
0x0442 |
? |
?
|
2-7 |
1 |
0x0040 |
? |
?
|
8 |
3 |
0x0081 |
Yes. |
enp per-console key
|
9 |
1 |
0x0080 |
? |
?
|
0xA-0xF |
3 |
0x0080 |
? |
?
|
0x10 |
1 |
0x0502 |
? |
supports decryption only
|
0x11-0x1F |
1 |
0x0100 |
? |
?
|
0x20 |
3 |
0x0200 |
? |
?
|
0x21-0x24 |
1 |
0x061F |
? |
supports encryption and decryption
|
0x25-0x2F |
1 |
0x0200 |
? |
?
|
0x30-0x34 |
1 |
0x041F |
? |
?
|
0x35-0x7F |
1 |
0x0000 |
? |
?
|
0x80-0xFF |
0 |
0x0000 |
? |
?
|
0x100 |
1 |
0x041F |
? |
?
|
0x101-0x17F |
1 |
0x0000 |
? |
?
|
0x180-0x1FF |
0 |
0x0000 |
? |
?
|
0x200-0x203 |
3 |
0x0000 |
? |
?
|
0x204-0x205 |
3 |
0x006F |
? |
?
|
0x206 |
3 |
0x00A0 |
? |
Used to derive key used to decrypt personalized layer over enc. Should be per-console.
|
0x207 |
3 |
0x00A0 |
? |
Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
|
0x208-0x20D |
3 |
0x00A0 |
? |
6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
|
0x20E-0x20F |
3 |
0x0010 |
? |
Maybe per-console emmc crypto keys? Protected by second_loader.
|
0x210-0x211 |
3 |
0x0000 |
? |
?
|
0x212 |
3 |
0x001F |
? |
?
|
0x213 |
3 |
0x001F |
? |
Used to derive SMI keys, which are used for factory fw decryption. Per-console.
|
0x214 |
3 |
0x0000 |
? |
Used to derive keyslots 0x514, 0x515 in second_loader
|
0x215 |
3 |
0x0000 |
? |
?
|
0x216 |
3 |
0x001F |
? |
Derive 0x502-0x504 by encrypting data in second_loader.
|
0x217 |
3 |
0x0000 |
? |
?
|
0x218-0x2FF |
0 |
0x0000 |
? |
?
|
0x300-0x33F |
3 |
0x0000 |
? |
?
|
0x340 |
3 |
0x012F |
? |
Used to decrypt keys into the 0x10 key slot
|
0x341-0x343 |
3 |
0x0120 |
? |
?
|
0x344 |
3 |
0x0220 |
? |
?
|
0x345-0x348 |
3 |
0x022F |
? |
Used to decrypt keys into one of the 0x21-0x24 key slot
|
0x349-0x353 |
3 |
0x0220 |
? |
?
|
0x354-0x3FF |
3 |
0x0000 |
? |
?
|
0x400-0x47F |
1 |
0x0000 |
? |
?
|
0x480-0x4FF |
0 |
0x0000 |
? |
?
|
0x500 |
1 |
0x1800 |
? |
?
|
0x501 |
7 |
0x1000 |
? |
Downgrade protection? Set to 4 on 1.692, 0 on 1.05.
|
0x502-0x504 |
3 |
0x1800 |
Yes |
Related to Ernie SNVS
|
0x505 |
1 |
0x0000 |
? |
?
|
0x506 |
3 |
0x1800 |
? |
?
|
0x507 |
3 |
0x1800 |
No |
?
|
0x508 |
3 |
0x1800 |
No |
Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
|
0x509 |
3 |
0x1800 |
Yes |
IDPS of unit (console id)
|
0x50A |
3 |
0x1800 |
? |
Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
|
0x50B |
3 |
0x1800 |
? |
From 0xD2 SNVS block 0, 8 bytes
|
0x50C |
3 |
0x1800 |
No |
Flags. Set to 1 on 1.692 and newer, 0 on older
|
0x50D |
3 |
0x1800 |
Yes |
OpenPSID
|
0x50E |
3 |
0x1800 |
Yes |
Current firmware version. Comes from SNVS.
|
0x50F |
3 |
0x1800 |
Yes |
Factory firmware version. Comes from idstorage.
|
0x510 |
3 |
0x1800 |
Yes |
Some bit flags, comes from syscon cmd 0x90 offset 0xE0
|
0x511 |
3 |
0x1800 |
Yes |
Unique per boot session id, Syscon shared 0xD0 session key
|
0x512 |
7 |
0x1800 |
Yes |
Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
|
0x513 |
3 |
0x1800 |
No |
DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
|
0x514 |
3 |
0x1800 |
No? |
F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
|
0x515 |
3 |
0x1800 |
No? |
F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
|
0x516 |
3 |
0x1800 |
? |
F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
|
0x517 |
3 |
0x1800 |
|
When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
|
0x518 |
3 |
0x1800 |
No |
Another current FW version (3.60+?) Comes from SNVS.
|
0x519 |
3 |
0x1800 |
No |
00s
|
0x51A |
3 |
0x1800 |
Yes |
Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
|
0x51B |
3 |
0x1800 |
No |
Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
|
0x51C-0x57F |
1 |
0x0000 |
? |
?
|
0x580-0x5FF |
0 |
0x0000 |
? |
?
|
0x600 |
3 |
0x1000 |
Yes |
aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
|
0x601 |
3 |
0x1000 |
Yes |
?
|
0x602 |
3 |
0x1000 |
Yes |
?
|
0x603 |
3 |
0x1000 |
No |
?
|
0x604 |
3 |
0x1000 |
No |
?
|
0x605-0x607 |
3 |
0x0000 |
? |
?
|
0x608-0x6FF |
0 |
0x0000 |
? |
?
|
0x700-0x7FF |
3 |
0x0000 |
? |
?
|