Difference between revisions of "Cmep Key Ring Base"

Revision as of 17:34, 2 February 2019

Address = 0xE0058000 + 32 * Slot

Permission bits

If a key slot is not locked, it can target f00d memory or unlocked keyslot

Bit	Function
0x01	Encryption operation allowed
0x02	Decryption operation allowed
0x04	? operation allowed
0x08	? operation allowed
0x10	?
0x20	Master Keyslot can target user keyslot (based on Mask Group below)
0x40	Keyslot Pairing Lock Mask Group 0(Master slots 0x204-0x205 and user slots 0-7)
0x80	Keyslot Pairing Lock Mask Group 1(Master slots 0x206-0x20D and user slots 8-0xF)
0x100	Keyslot Pairing Lock Mask Group 2 (Master slots 0x340-0x343 and user slots 0x10-0x1F)
0x200	Keyslot Pairing Lock Mask Group 3 (Master slots 0x344-0x353 and user slots 0x20-0x2F)
0x400	Locked Keyslot can target f00d memory
0x800	can be written directly by f00d
0x1000	can be read directly by f00d

Key Ring Slots 0xE0058000

Slot	Initial Valid	Initial Protection	Protection (1.69)	Ever Valid (1.69)	Per Console? (1.69)	Set By?	Description
0	N	0x0442	0x0442	Y	?	?	?
1	N	0x0442	0x0442	N	?	?	?
2-7	N	0x0442	0x0040	N	?	?	?
8	N	0x049F	0x0081	Y	Y	first_loader (0x206/0x207)	SLSK per-console key (encrypt)
9	N	0x049F	0x0080	N	?	first_loader (0x206/0x207)	SLSK per-console key (decrypt)
0xA	N	0x049F	0x0080	Y	N	first_loader (0x208-0x20D)	SLSK metadata key
0xB-0xF	N	0x049F	0x0080	Y	N	first_loader (0x208-0x20D)	?
0x10	N	0x0502	0x0502	N	?	?	supports decryption only
0x11-0x1F	N	0x0502	0x0100	N	?	?	?
0x20	N	0x061F	0x0200	Y	?	first_loader (0x344)	Derived from 0x344, used for hmac-sha256 over enc files
0x21-0x24	N	0x061F	0x061F	N	?	?	supports encryption and decryption
0x25-0x2F	N	0x061F	0x0200	N	?	?	?
0x30-0x34	N	0x041F	0x041F	N	?	?	?
0x35-0x7F	N	0x041F	0x0000	N	?	?	?
0x80-0xFF	X	0x0000	0x0000	X	?	?	Not used
0x100	N	0x041F	0x041F	N	?	?	?
0x101-0x17F	N	0x041F	0x0000	N	?	?	?
0x180-0x1FF	X	0x0000	0x0000	X	?	?	Not used
0x200-0x203	Y	0x0002	0x0000	Y	?	?	?
0x204-0x205	Y	0x006F	0x006F	Y	Y	?	?
0x206	Y	0x00AF	0x00A0	Y	?	?	Used to derive key used to decrypt personalized layer over enc. Should be per-console.
0x207	Y	0x00AF	0x00A0	Y	?	?	Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
0x208-0x20D	Y	0x00AF	0x00A0	Y	?	?	6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
0x20E-0x20F	Y	?	0x0010	Y	?	?	Maybe per-console emmc crypto keys? Protected by second_loader.
0x210-0x211	Y	0x001F	0x0000	Y	?	?	?
0x212	Y	0x001F	0x001F	Y	?	?	?
0x213	Y	0x001F	0x001F	Y	?	?	Used to derive SMI keys, which are used for factory fw decryption. Per-console.
0x214	Y	0x001F	0x0000	Y	?	?	Used to derive keyslots 0x514, 0x515 in second_loader
0x215	Y	0x001F	0x0000	Y	?	?	?
0x216	Y	0x001F	0x001F	Y	?	?	Derive 0x502-0x504 by encrypting data in second_loader.
0x217	Y	0x001F	0x0000	Y	?	?	?
0x218-0x2FF	X	0x0000	0x0000	X	?	?	Not used
0x300-0x33F	Y	0x0002	0x0000	Y	?	?	?
0x340	Y	0x012F	0x012F	Y	?	?	Used to decrypt keys into the 0x10 key slot
0x341-0x343	Y	0x012F	0x0120	Y	?	?	?
0x344	Y	0x022F	0x0220	Y	?	?	Used to derive key 0x20 in brom.
0x345-0x348	Y	0x022F	0x022F	Y	?	?	Used to decrypt keys into one of the 0x21-0x24 key slot
0x349-0x353	Y	0x022F	0x0220	Y	?	?	?
0x354-0x3FF	Y	0x001F	0x0000	Y	?	?	?
0x400-0x47F	N	0x1800	0x0000	N	?	?	?
0x480-0x4FF	X	0x0000	0x0000	X	?	?	Not used
0x500	N	0x1800	0x1800	N	?	?	?
0x501	N	0x1800	0x1000	Y	N	first_loader	Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset
0x502-0x504	N	0x1800	0x1800	Y	Y	?	Related to Ernie SNVS
0x505	N	0x1800	0x0000	N	?	?	?
0x506	N	0x1800	0x1800	Y	?	?	?
0x507	N	0x1800	0x1800	Y	N	?	?
0x508	N	0x1800	0x1800	Y	N	?	Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
0x509	N	0x1800	0x1800	Y	Y	?	IDPS of unit (console id)
0x50A	N	0x1800	0x1800	Y	?	?	Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
0x50B	N	0x1800	0x1800	Y	?	?	From 0xD2 SNVS block 0, 8 bytes
0x50C	N	0x1800	0x1800	Y	N	?	Flags. Set to 1 on 1.692 and newer, 0 on older
0x50D	N	0x1800	0x1800	Y	Y	?	OpenPSID
0x50E	N	0x1800	0x1800	Y	Y	?	Current firmware version. Comes from SNVS.
0x50F	N	0x1800	0x1800	Y	Y	?	Factory firmware version. Comes from idstorage.
0x510	N	0x1800	0x1800	Y	Y	?	Some bit flags, comes from syscon cmd 0x90 offset 0xE0
0x511	N	0x1800	0x1800	Y	Y	?	Unique per boot session id, Syscon shared 0xD0 session key
0x512	N	0x1800	0x1800	Y	Y	?	Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
0x513	N	0x1800	0x1800	Y	N	?	DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
0x514	N	0x1800	0x1800	Y	N?	?	F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
0x515	N	0x1800	0x1800	Y	N?	?	F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
0x516	N	0x1800	0x1800	Y	?	?	F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
0x517	N	0x1800	0x1800	Y	?	?	When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
0x518	N	0x1800	0x1800	Y	N	?	Another current FW version (3.60+?) Comes from SNVS.
0x519	N	0x1800	0x1800	Y	N	?	00s
0x51A	N	0x1800	0x1800	Y	Y	?	Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
0x51B	N	0x1800	0x1800	Y	N	?	Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
0x51C-0x57F	N	0x1800	0x0000	N	?	?	?
0x580-0x5FF	X	0x0000	0x0000	X	?	?	Not used
0x600	Y	0x1000	0x1000	Y	Y	?	`aimgr_sm.self` cmd 0x3 return, VisibleId/FuseId
0x601	Y	0x1000	0x1000	Y	Y	?	?
0x602	Y	0x1000	0x1000	Y	Y	?	?
0x603	Y	0x1000	0x1000	Y	N	?	?
0x604	Y	0x1000	0x1000	Y	N	?	?
0x605-0x607	Y	0x1000	0x0000	Y	?	?	?
0x608-0x6FF	X	0x0000	0x0000	X	?	?	Not used
0x700-0x7FF	Y	0x1000	0x0000	Y	N	?	16 public RSA keys for enc, which one is used depends on public key revision from enc header.

@@ Line 2: / Line 2: @@
 === Permission bits ===
+If a key slot is not locked, it can target f00d memory or unlocked keyslot
 {| class="wikitable"
 |-
 ! Bit           !! Function
 |-
-| 0            || accessible for bigmac encrypt
+| 0x01         || Encryption operation allowed
+|-
+| 0x02         || Decryption operation allowed
+|-
+| 0x04         || ? operation allowed
+|-
+| 0x08         || ? operation allowed
+|-
+| 0x10         || ?
+|-
+| 0x20        || Master Keyslot can target user keyslot (based on Mask Group below)
+|-
+| 0x40         || Keyslot Pairing Lock Mask Group 0(Master slots 0x204-0x205 and user slots 0-7)
+|-
+| 0x80         || Keyslot Pairing Lock Mask Group 1(Master slots 0x206-0x20D and user slots 8-0xF)
+|-
+| 0x100         || Keyslot Pairing Lock Mask Group 2 (Master slots 0x340-0x343 and user slots 0x10-0x1F)
+|-
+| 0x200         || Keyslot Pairing Lock Mask Group 3 (Master slots 0x344-0x353 and user slots 0x20-0x2F)
+|-
+| 0x400        || Locked Keyslot can target f00d memory
 |-
-| 1            || accessible for bigmac decrypt
+| 0x800        || can be written directly by f00d
 |-
-| 4            || bigmac destination is allowed to be memory(?)
+| 0x1000       || can be read directly by f00d
 |}
@@ Line 17: / Line 39: @@
 {| class="wikitable"
 |-
-! Slot           !! Mode !! Protection  !! Per-console !! Description
+! Slot           !! Initial Valid !! Initial Protection !! Protection (1.69)  !! Ever Valid (1.69) !! Per Console? (1.69) !! Set By? !! Description
 |-
-| 0            || 3 || 0x0442      || ?           || ?
+| 0            || N || 0x0442 || 0x0442      || Y || ? || ?           || ?
 |-
-| 1            || 1 || 0x0442      || ?           || ?
+| 1            || N || 0x0442 || 0x0442      || N || ? ||  ?           || ?
 |-
-| 2-7          || 1 || 0x0040      || ?           || ?
+| 2-7          || N || 0x0442 || 0x0040      || N || ? ||  ?           || ?
 |-
-| 8            || 3 || 0x0081      || Yes.        || enp per-console key
+| 8            || N || 0x049F || 0x0081      || Y || Y ||  first_loader (0x206/0x207)        || SLSK per-console key (encrypt)
 |-
-| 9          || 1 || 0x0080      || ?           || ?
+| 9          || N || 0x049F || 0x0080      || N || ? ||  first_loader (0x206/0x207)           || SLSK per-console key (decrypt)
 |-
-| 0xA-0xF         || 3 || 0x0080      || ?           || ?
+| 0xA        || N || 0x049F || 0x0080      || Y || N ||  first_loader (0x208-0x20D)           || SLSK metadata key
 |-
-| 0x10           || 1 || 0x0502      || ?           || supports decryption only
+| 0xB-0xF        || N || 0x049F || 0x0080      || Y || N ||  first_loader (0x208-0x20D)           || ?
 |-
-| 0x11-0x1F      || 1     || 0x0100      || ?           || ?
+| 0x10           || N || 0x0502 || 0x0502      || N || ? ||  ?           || supports decryption only
 |-
-| 0x20           || 3 || 0x0200      || ?           || ?
+| 0x11-0x1F      || N     || 0x0502 || 0x0100      || N || ? ||  ?           || ?
 |-
-| 0x21-0x24      || 1 || 0x061F      || ?           || supports encryption and decryption
+| 0x20           || N || 0x061F || 0x0200      || Y || ? ||  first_loader (0x344)           || Derived from 0x344, used for hmac-sha256 over enc files
 |-
-| 0x25-0x2F     || 1  || 0x0200      || ?           || ?
+| 0x21-0x24      || N || 0x061F || 0x061F      || N || ? ||  ?           || supports encryption and decryption
 |-
-| 0x30-0x34      || 1 || 0x041F      || ?           || ?
+| 0x25-0x2F     || N  || 0x061F || 0x0200      || N || ? ||  ?           || ?
 |-
-| 0x35-0x7F      || 1 || 0x0000      || ?           || ?
+| 0x30-0x34      || N || 0x041F || 0x041F      || N || ? ||  ?           || ?
 |-
-| 0x80-0xFF      || 0 || 0x0000      || ?           || ?
+| 0x35-0x7F      || N || 0x041F || 0x0000      || N || ? ||  ?           || ?
 |-
-| 0x100          || 1 || 0x041F      || ?           || ?
+| 0x80-0xFF      || X || 0x0000 || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x101-0x17F   || 1  || 0x0000      || ?           || ?
+| 0x100          || N || 0x041F || 0x041F      || N  || ? ||  ?           || ?
 |-
-| 0x180-0x1FF   || 0  || 0x0000      || ?           || ?
+| 0x101-0x17F   || N || 0x041F || 0x0000      || N || ? ||  ?           || ?
 |-
-| 0x200-0x203    || 3 || 0x0000      || ?           || ?
+| 0x180-0x1FF   || X  || 0x0000 || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x204-0x205    || 3 || 0x006F      || ?           || ?
+| 0x200-0x203    || Y || 0x0002 || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x206          || 3 || 0x00A0      || ?           || Used to derive key used to decrypt personalized layer over enc. Should be per-console.
+| 0x204-0x205    || Y || 0x006F || 0x006F      || Y || Y ||  ?           || ?
 |-
-| 0x207          || 3 || 0x00A0      || ?           || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
+| 0x206          || Y || 0x00AF || 0x00A0      || Y || ? ||  ?           || Used to derive key used to decrypt personalized layer over enc. Should be per-console.
 |-
-| 0x208-0x20D    || 3 || 0x00A0      || ?           || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
+| 0x207          || Y || 0x00AF || 0x00A0      || Y || ? ||  ?           || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?)
 |-
-| 0x20E-0x20F    || 3 || 0x0010      || ?           || Maybe per-console emmc crypto keys? Protected by second_loader.
+| 0x208-0x20D    || Y || 0x00AF || 0x00A0      || Y || ? ||  ?           || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header
 |-
-| 0x210-0x211    || 3 || 0x0000      || ?           || ?
+| 0x20E-0x20F    || Y || ? || 0x0010      || Y || ? ||  ?           || Maybe per-console emmc crypto keys? Protected by second_loader.
 |-
-| 0x212    || 3|| 0x001F      || ?           || ?
+| 0x210-0x211    || Y || 0x001F || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x213    || 3|| 0x001F      || ?           || Used to derive SMI keys, which are used for factory fw decryption. Per-console.
+| 0x212    || Y|| 0x001F || 0x001F      || Y || ? ||  ?           || ?
 |-
-| 0x214    || 3|| 0x0000      || ?           || Used to derive keyslots 0x514, 0x515 in second_loader
+| 0x213    || Y|| 0x001F || 0x001F      || Y || ? ||  ?           || Used to derive SMI keys, which are used for factory fw decryption. Per-console.
 |-
-| 0x215    || 3|| 0x0000      || ?           || ?
+| 0x214    || Y|| 0x001F || 0x0000      || Y || ? ||  ?           || Used to derive keyslots 0x514, 0x515 in second_loader
 |-
-| 0x216          || 3|| 0x001F      || ?           || Derive 0x502-0x504 by encrypting data in second_loader.
+| 0x215    || Y|| 0x001F || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x217          || 3 || 0x0000      || ?           || ?
+| 0x216          || Y|| 0x001F || 0x001F      || Y || ? ||  ?           || Derive 0x502-0x504 by encrypting data in second_loader.
 |-
-| 0x218-0x2FF    || 0 || 0x0000      || ?           || ?
+| 0x217          || Y || 0x001F || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x300-0x33F    || 3 || 0x0000      || ?           || ?
+| 0x218-0x2FF    || X || 0x0000 || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x340          || 3 || 0x012F      || ?           || Used to decrypt keys into the 0x10 key slot
+| 0x300-0x33F    || Y || 0x0002 || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x341-0x343    || 3 || 0x0120      || ?           || ?
+| 0x340          || Y || 0x012F || 0x012F      || Y || ? ||  ?           || Used to decrypt keys into the 0x10 key slot
 |-
-| 0x344          || 3 || 0x0220      || ?           || ?
+| 0x341-0x343    || Y || 0x012F || 0x0120      || Y || ? ||  ?           || ?
 |-
-| 0x345-0x348    || 3 || 0x022F      || ?           || Used to decrypt keys into one of the 0x21-0x24 key slot
+| 0x344          || Y || 0x022F || 0x0220      || Y || ? ||  ?           || Used to derive key 0x20 in brom.
 |-
-| 0x349-0x353    || 3 || 0x0220      || ?           || ?
+| 0x345-0x348    || Y || 0x022F || 0x022F      || Y || ? ||  ?           || Used to decrypt keys into one of the 0x21-0x24 key slot
 |-
-| 0x354-0x3FF    || 3 || 0x0000      || ?           || ?
+| 0x349-0x353    || Y || 0x022F ||0x0220      || Y || ? ||  ?           || ?
 |-
-| 0x400-0x47F    || 1 || 0x0000      || ?           || ?
+| 0x354-0x3FF    || Y || 0x001F || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x480-0x4FF    || 0 || 0x0000      || ?           || ?
+| 0x400-0x47F    || N || 0x1800 || 0x0000      || N || ? ||  ?           || ?
 |-
-| 0x500          || 1 || 0x1800      || ?           || ?
+| 0x480-0x4FF    || X || 0x0000 || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x501          || 7 || 0x1000      || ?           || Downgrade protection? Set to 4 on 1.692, 0 on 1.05.
+| 0x500          || N || 0x1800 || 0x1800      || N || ? ||  ?           || ?
 |-
-| 0x502-0x504    || 3 || 0x1800      || Yes         || Related to Ernie SNVS
+| 0x501          || N || 0x1800 || 0x1000      || Y || N ||  first_loader          || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset
 |-
-| 0x505          || 1 || 0x0000      || ?           || ?
+| 0x502-0x504    || N || 0x1800 || 0x1800      || Y || Y ||  ?         || Related to Ernie SNVS
 |-
-| 0x506          || 3 || 0x1800      || ?           || ?
+| 0x505          || N || 0x1800 || 0x0000      || N || ? ||  ?           || ?
 |-
-| 0x507          || 3 || 0x1800      || No          || ?
+| 0x506          || N || 0x1800 || 0x1800      || Y || ? ||  ?           || ?
 |-
-| 0x508          || 3 || 0x1800      || No          || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
+| 0x507          || N || 0x1800 || 0x1800      || Y || N ||  ?          || ?
 |-
-| 0x509          || 3 || 0x1800      || Yes         || IDPS of unit (console id)
+| 0x508          || N || 0x1800 || 0x1800      || Y || N ||  ?          || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50
 |-
-| 0x50A          || 3 || 0x1800      || ?           || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
+| 0x509          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || IDPS of unit (console id)
 |-
-| 0x50B          || 3 || 0x1800      || ?           || From 0xD2 SNVS block 0, 8 bytes
+| 0x50A          || N || 0x1800 || 0x1800      || Y || ? ||  ?           || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
 |-
-| 0x50C          || 3 || 0x1800      || No          || Flags. Set to 1 on 1.692 and newer, 0 on older
+| 0x50B          || N || 0x1800 || 0x1800      || Y || ? ||  ?           || From 0xD2 SNVS block 0, 8 bytes
 |-
-| 0x50D          || 3 || 0x1800      || Yes         || OpenPSID
+| 0x50C          || N || 0x1800 || 0x1800      || Y || N ||  ?          || Flags. Set to 1 on 1.692 and newer, 0 on older
 |-
-| 0x50E          || 3 || 0x1800      || Yes         || Current firmware version. Comes from SNVS.
+| 0x50D          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || OpenPSID
 |-
-| 0x50F          || 3 || 0x1800      || Yes         || Factory firmware version. Comes from idstorage.
+| 0x50E          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || Current firmware version. Comes from SNVS.
 |-
-| 0x510          || 3 || 0x1800      || Yes         || Some bit flags, comes from syscon cmd 0x90 offset 0xE0
+| 0x50F          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || Factory firmware version. Comes from idstorage.
 |-
-| 0x511          || 3 || 0x1800      || Yes           || Unique per boot session id, Syscon shared 0xD0 session key
+| 0x510          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || Some bit flags, comes from syscon cmd 0x90 offset 0xE0
 |-
-| 0x512          || 7 || 0x1800      || Yes         || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
+| 0x511          || N || 0x1800 || 0x1800      || Y || Y ||  ?           || Unique per boot session id, Syscon shared 0xD0 session key
 |-
-| 0x513          || 3 || 0x1800      || No          || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
+| 0x512          || N || 0x1800 || 0x1800      || Y || Y ||  ?         || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set.
 |-
-| 0x514         || 3  || 0x1800      || No?         || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
+| 0x513          || N || 0x1800 || 0x1800      || Y || N ||  ?          || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit.
 |-
-| 0x515          || 3 || 0x1800      || No?         || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
+| 0x514         || N  || 0x1800 || 0x1800      || Y || N? ||   ?         || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
 |-
-| 0x516          || 3 || 0x1800      || ?           || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
+| 0x515          || N || 0x1800 || 0x1800      || Y || N? ||  ?         || F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
 |-
-| 0x517          || 3 || 0x1800      ||             || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
+| 0x516          || N || 0x1800 || 0x1800      || Y || ? ||  ?           || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
 |-
-| 0x518          || 3 || 0x1800      || No           || Another current FW version (3.60+?) Comes from SNVS.
+| 0x517          || N || 0x1800 || 0x1800      || Y || ? ||  ?            || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
 |-
-| 0x519          || 3 || 0x1800      || No           || 00s
+| 0x518          || N || 0x1800 || 0x1800      || Y || N ||  ?           || Another current FW version (3.60+?) Comes from SNVS.
 |-
-| 0x51A          || 3 || 0x1800      || Yes           || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
+| 0x519          || N || 0x1800 || 0x1800      || Y || N ||  ?           || 00s
 |-
-| 0x51B          || 3 || 0x1800      || No           || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
+| 0x51A          || N || 0x1800 || 0x1800      || Y || Y ||  ?           || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption
 |-
-| 0x51C-0x57F    || 1 || 0x0000      || ?           || ?
+| 0x51B          || N || 0x1800 || 0x1800      || Y || N ||  ?           || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5
 |-
-| 0x580-0x5FF    || 0 || 0x0000      || ?           || ?
+| 0x51C-0x57F    || N || 0x1800 || 0x0000      || N || ? ||  ?           || ?
 |-
-| 0x600   || 3 || 0x1000      || Yes         || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId
+| 0x580-0x5FF    || X || 0x0000  || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x601   || 3 || 0x1000      || Yes         || ?
+| 0x600   || Y || 0x1000 || 0x1000      || Y || Y ||  ?         || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId
 |-
-| 0x602   || 3 || 0x1000      || Yes         || ?
+| 0x601   || Y || 0x1000 || 0x1000      || Y || Y ||  ?         || ?
 |-
-| 0x603          || 3 || 0x1000      || No          || ?
+| 0x602   || Y || 0x1000 || 0x1000      || Y || Y ||  ?         || ?
 |-
-| 0x604          || 3 || 0x1000      || No          || ?
+| 0x603          || Y || 0x1000 || 0x1000      || Y || N ||  ?          || ?
 |-
-| 0x605-0x607    || 3 || 0x0000      || ?           || ?
+| 0x604          || Y || 0x1000 || 0x1000      || Y || N ||  ?          || ?
 |-
-| 0x608-0x6FF    || 0 || 0x0000      || ?           || ?
+| 0x605-0x607    || Y || 0x1000 || 0x0000      || Y || ? ||  ?           || ?
 |-
-| 0x700-0x77F    || 3 || 0x0000      || ?           || 16 public RSA keys for enc, which one is used depends on public key revision from enc header.
+| 0x608-0x6FF    || X || 0x0000 || 0x0000      || X || ? ||  ?           || Not used
 |-
-| 0x780-0x7FF    || 3 || 0x0000      || ?           || ?
+| 0x700-0x7FF    || Y || 0x1000 || 0x0000      || Y || N ||  ?           || 16 public RSA keys for enc, which one is used depends on public key revision from enc header.
 |}

Difference between revisions of "Cmep Key Ring Base"

Revision as of 17:34, 2 February 2019

Permission bits

Key Ring Slots 0xE0058000

Navigation menu

Search