Difference between revisions of "Bigmac"

From Vita Development Wiki
Jump to navigation Jump to search
m (6 revisions imported)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Bigmac ==
 
== Bigmac ==
  
At 0xE005003C is a 4-byte RNG.
+
See also [[Dmac5]] which is a similar device.
  
There are two channels, one located at 0xE0050000 and another at 0xE0050080.
+
There are two channels, one located at paddr 0xE0050000 and another at 0xE0050080.
  
 
Fields (uint32_t):
 
Fields (uint32_t):
Line 16: Line 16:
 
* 8: status (1 = running, 2 = error)
 
* 8: status (1 = running, 2 = error)
  
Overall seems similar to dmac5: https://wiki.henkaku.xyz/vita/Dmac5 but commands are OR'd with 0x2080.
+
Overall seems similar to [[Dmac5]] but commands are OR'd with 0x2080.
  
AES key is written to 0xE0050200. However, if func&0x80 is true, instead of writing the key it writes keyslot ID to 0xE0050010.
+
At paddr 0xE005003C there is a 4-byte PRNG (Pseudo Random Number Generator).
 +
 
 +
AES key or HMAC key is written to 0xE0050200. However, if func&0x80 is true, instead of writing the key it writes keyslot ID to 0xE0050010.
  
 
=== memcpy ===
 
=== memcpy ===
Line 25: Line 27:
  
 
=== memset ===
 
=== memset ===
 +
 
Function 0xC is memset.
 
Function 0xC is memset.
Memset-value is written to dmac_device+0x104. On 3.60, the memset-value is seen at offset +0x34.
+
Memset-value is written to dmac_device+0x104. On FW 3.60, the memset-value is seen at offset +0x34.
  
 
=== Overwrite keyslot ===
 
=== Overwrite keyslot ===
If you set bit28 in function, dst is keyslot-id instead of physical address.
+
 
This is used to generate random key 0x22 and 0x23 for suspendbuf.
+
If you set bit28 in <code>function</code>, <code>dst</code> is destination keyslot ID instead of destination physical address. This is used to generate random keys 0x22 and 0x23 for suspendbuf.

Latest revision as of 22:04, 2 September 2021

Bigmac

See also Dmac5 which is a similar device.

There are two channels, one located at paddr 0xE0050000 and another at 0xE0050080.

Fields (uint32_t):

  • 0: src
  • 1: dst
  • 2: size
  • 3: function
  • 4: keyslot
  • 5: iv
  • 6: next (for paddr list) -1 to halt
  • 7: start paddr list decrypt (pass paddr of first block)
  • 8: status (1 = running, 2 = error)

Overall seems similar to Dmac5 but commands are OR'd with 0x2080.

At paddr 0xE005003C there is a 4-byte PRNG (Pseudo Random Number Generator).

AES key or HMAC key is written to 0xE0050200. However, if func&0x80 is true, instead of writing the key it writes keyslot ID to 0xE0050010.

memcpy

Function 0x0 is memcpy.

memset

Function 0xC is memset. Memset-value is written to dmac_device+0x104. On FW 3.60, the memset-value is seen at offset +0x34.

Overwrite keyslot

If you set bit28 in function, dst is destination keyslot ID instead of destination physical address. This is used to generate random keys 0x22 and 0x23 for suspendbuf.