Bigmac

From Vita Development Wiki

Revision as of 22:01, 6 January 2019 by Yifan Lu (talk | contribs) (6 revisions imported)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Bigmac

At 0xE005003C is a 4-byte RNG.

There are two channels, one located at 0xE0050000 and another at 0xE0050080.

Fields (uint32_t):

0: src
1: dst
2: size
3: function
4: keyslot
5: iv
6: next (for paddr list) -1 to halt
7: start paddr list decrypt (pass paddr of first block)
8: status (1 = running, 2 = error)

Overall seems similar to dmac5: https://wiki.henkaku.xyz/vita/Dmac5 but commands are OR'd with 0x2080.

AES key is written to 0xE0050200. However, if func&0x80 is true, instead of writing the key it writes keyslot ID to 0xE0050010.

memcpy

Function 0x0 is memcpy.

memset

Function 0xC is memset. Memset-value is written to dmac_device+0x104. On 3.60, the memset-value is seen at offset +0x34.

Overwrite keyslot

If you set bit28 in function, dst is keyslot-id instead of physical address. This is used to generate random key 0x22 and 0x23 for suspendbuf.

Retrieved from "http://wiki.henkaku.xyz/vita/index.php?title=Bigmac&oldid=9791"

Please enable JavaScript to pass antispam protection!
Here are the instructions how to enable JavaScript in your web browser http://www.enable-javascript.com.
Antispam by CleanTalk.