From Vita Development Wiki
Revision as of 14:12, 19 October 2017 by Proxima (talk | contribs) (Functions)
Jump to navigation Jump to search

This device, located at physical address 0xE0410000, provides a few cryptographic functions.


In all code samples, device is a volatile uint32_t* pointing to paddr 0xE0410000.

First, reset the device if it's in use:

if (device[9] & 1) {
    device[7] = 0;
    while (device[9] & 1) {}

Then submit your commands. Each command must end with a commit:

#define COMMIT_WAIT device[10] = device[10]; device[7] = 1; while(device[9] & 1){};

device[0] = src_pa; // source addr
device[1] = dst_pa; // destination addr
device[2] = 0x10; // data size
device[3] = 0xC002309; // function index
device[4] = slot; // key slot number
device[5] = iv; // AES IV, where applicable, this will be updated by some functions
// device[8] = 0; // uncomment this and vita will crash after operation
// device[11] = 0xE070; // unknown, unused?
// device[12] = 0x700070; // unknown, unused?


Key slots

It uses the keyring device SceSblDMAC5DmacKRBase for the cryptographic key material. The keyring is at physical address 0xE04E0000. The keyring configuration is set during secure boot. Keyring offset +0x400 is used to configure non-secure kernel accessibility. On boot, it defaults to 0x200000FF, which indicates key slots 0-7 and slot 0x1D can by directly used by non-secure kernel. The +0x400 register is only available in secure mode.

There are 0x20 key slots, from 0x0 to 0x1F.

Key slots 0x0-0x7 and 0x1D can be modified directly using dmac5keyring.

Key slot 0x1C seems to be related to memory card.


The first byte of the function code indicates which function to use and the second byte the key size.

2nd byte Key size
0 64 and less
1 128
2 192
3 256 and 512

The following functions are available:

  • 0x301: AES-256-ECB encrypt
  • 0x302: AES-256-ECB decrypt
  • 0x201: AES-192-ECB encrypt
  • 0x202: AES-192-ECB decrypt
  • 0x101: AES-128-ECB encrypt
  • 0x102: AES-128-ECB decrypt
  • 0x309: AES-256-CBC encrypt
  • 0x30a: AES-256-CBC decrypt
  • 0x209: AES-192-CBC encrypt
  • 0x20a: AES-192-CBC decrypt
  • 0x109: AES-128-CBC encrypt
  • 0x10a: AES-128-CBC decrypt
  • 0x4: Random Number Generator
  • 0x3: SHA1
  • 0x13: SHA256
  • 0x23: HMAC-SHA1
  • 0x33: HMAC-SHA256
  • 0x3B: CMAC-AES
  • 0x21: AES-128-CTR encrypt
  • 0x22: AES-128-CTR decrypt (identical to encrypt)
  • 0x41: DES-64-ECB encrypt
  • 0x42: DES-64-ECB decrypt
  • 0x49: DES-64-CBC encrypt
  • 0x4A: DES-64-CBC decrypt
  • probably there are more
  • There is usage of higher bits in the commands that don't seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits