Difference between revisions of "Cmep Key Ring Base"
Jump to navigation
Jump to search
| Line 45: | Line 45: | ||
| 0x11-0x1F || 1 || 0x0100 || ? || ? | | 0x11-0x1F || 1 || 0x0100 || ? || ? | ||
|- | |- | ||
| − | | 0x20 || 3 || 0x0200 || ? || | + | | 0x20 || 3 || 0x0200 || ? || Derived from 0x344, used for hmac-sha256 over enc files |
|- | |- | ||
| 0x21-0x24 || 1 || 0x061F || ? || supports encryption and decryption | | 0x21-0x24 || 1 || 0x061F || ? || supports encryption and decryption | ||
| Line 97: | Line 97: | ||
| 0x341-0x343 || 3 || 0x0120 || ? || ? | | 0x341-0x343 || 3 || 0x0120 || ? || ? | ||
|- | |- | ||
| − | | 0x344 || 3 || 0x0220 || ? || | + | | 0x344 || 3 || 0x0220 || ? || Used to derive key 0x20 in brom. |
|- | |- | ||
| 0x345-0x348 || 3 || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot | | 0x345-0x348 || 3 || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot | ||
Revision as of 19:27, 3 August 2018
Address = 0xE0058000 + 32 * Slot
Permission bits
| Bit | Function |
|---|---|
| 0x01 | accessible for bigmac encrypt |
| 0x02 | accessible for bigmac decrypt |
| 0x10 | ? |
| 0x20 | crypto operation supports a keyslot dst |
| 0x80 | related to bootrom functionality. If set then permissions for this slot can be reset |
| 0x400 | dst can be memory |
| 0x800 | can be written directly by f00d (?) |
| 0x1000 | can be read directly by f00d |
Key Ring Slots 0xE0058000
| Slot | Mode | Protection | Per-console | Description |
|---|---|---|---|---|
| 0 | 3 | 0x0442 | ? | ? |
| 1 | 1 | 0x0442 | ? | ? |
| 2-7 | 1 | 0x0040 | ? | ? |
| 8 | 3 | 0x0081 | Yes. | enp per-console key |
| 9 | 1 | 0x0080 | ? | ? |
| 0xA-0xF | 3 | 0x0080 | ? | ? |
| 0x10 | 1 | 0x0502 | ? | supports decryption only |
| 0x11-0x1F | 1 | 0x0100 | ? | ? |
| 0x20 | 3 | 0x0200 | ? | Derived from 0x344, used for hmac-sha256 over enc files |
| 0x21-0x24 | 1 | 0x061F | ? | supports encryption and decryption |
| 0x25-0x2F | 1 | 0x0200 | ? | ? |
| 0x30-0x34 | 1 | 0x041F | ? | ? |
| 0x35-0x7F | 1 | 0x0000 | ? | ? |
| 0x80-0xFF | 0 | 0x0000 | ? | ? |
| 0x100 | 1 | 0x041F | ? | ? |
| 0x101-0x17F | 1 | 0x0000 | ? | ? |
| 0x180-0x1FF | 0 | 0x0000 | ? | ? |
| 0x200-0x203 | 3 | 0x0000 | ? | ? |
| 0x204-0x205 | 3 | 0x006F | ? | ? |
| 0x206 | 3 | 0x00A0 | ? | Used to derive key used to decrypt personalized layer over enc. Should be per-console. |
| 0x207 | 3 | 0x00A0 | ? | Used instead of the above key when secret debug mode is set. (Possibly non-per-console?) |
| 0x208-0x20D | 3 | 0x00A0 | ? | 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header |
| 0x20E-0x20F | 3 | 0x0010 | ? | Maybe per-console emmc crypto keys? Protected by second_loader. |
| 0x210-0x211 | 3 | 0x0000 | ? | ? |
| 0x212 | 3 | 0x001F | ? | ? |
| 0x213 | 3 | 0x001F | ? | Used to derive SMI keys, which are used for factory fw decryption. Per-console. |
| 0x214 | 3 | 0x0000 | ? | Used to derive keyslots 0x514, 0x515 in second_loader |
| 0x215 | 3 | 0x0000 | ? | ? |
| 0x216 | 3 | 0x001F | ? | Derive 0x502-0x504 by encrypting data in second_loader. |
| 0x217 | 3 | 0x0000 | ? | ? |
| 0x218-0x2FF | 0 | 0x0000 | ? | ? |
| 0x300-0x33F | 3 | 0x0000 | ? | ? |
| 0x340 | 3 | 0x012F | ? | Used to decrypt keys into the 0x10 key slot |
| 0x341-0x343 | 3 | 0x0120 | ? | ? |
| 0x344 | 3 | 0x0220 | ? | Used to derive key 0x20 in brom. |
| 0x345-0x348 | 3 | 0x022F | ? | Used to decrypt keys into one of the 0x21-0x24 key slot |
| 0x349-0x353 | 3 | 0x0220 | ? | ? |
| 0x354-0x3FF | 3 | 0x0000 | ? | ? |
| 0x400-0x47F | 1 | 0x0000 | ? | ? |
| 0x480-0x4FF | 0 | 0x0000 | ? | ? |
| 0x500 | 1 | 0x1800 | ? | ? |
| 0x501 | 7 | 0x1000 | ? | Downgrade protection? Set to 4 on 1.692, 0 on 1.05. |
| 0x502-0x504 | 3 | 0x1800 | Yes | Related to Ernie SNVS |
| 0x505 | 1 | 0x0000 | ? | ? |
| 0x506 | 3 | 0x1800 | ? | ? |
| 0x507 | 3 | 0x1800 | No | ? |
| 0x508 | 3 | 0x1800 | No | Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 |
| 0x509 | 3 | 0x1800 | Yes | IDPS of unit (console id) |
| 0x50A | 3 | 0x1800 | ? | Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. |
| 0x50B | 3 | 0x1800 | ? | From 0xD2 SNVS block 0, 8 bytes |
| 0x50C | 3 | 0x1800 | No | Flags. Set to 1 on 1.692 and newer, 0 on older |
| 0x50D | 3 | 0x1800 | Yes | OpenPSID |
| 0x50E | 3 | 0x1800 | Yes | Current firmware version. Comes from SNVS. |
| 0x50F | 3 | 0x1800 | Yes | Factory firmware version. Comes from idstorage. |
| 0x510 | 3 | 0x1800 | Yes | Some bit flags, comes from syscon cmd 0x90 offset 0xE0 |
| 0x511 | 3 | 0x1800 | Yes | Unique per boot session id, Syscon shared 0xD0 session key |
| 0x512 | 7 | 0x1800 | Yes | Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. |
| 0x513 | 3 | 0x1800 | No | DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. |
| 0x514 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. |
| 0x515 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CBC key. Protected on 1.05. |
| 0x516 | 3 | 0x1800 | ? | F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. |
| 0x517 | 3 | 0x1800 | When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | |
| 0x518 | 3 | 0x1800 | No | Another current FW version (3.60+?) Comes from SNVS. |
| 0x519 | 3 | 0x1800 | No | 00s |
| 0x51A | 3 | 0x1800 | Yes | Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption |
| 0x51B | 3 | 0x1800 | No | Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5 |
| 0x51C-0x57F | 1 | 0x0000 | ? | ? |
| 0x580-0x5FF | 0 | 0x0000 | ? | ? |
| 0x600 | 3 | 0x1000 | Yes | aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
|
| 0x601 | 3 | 0x1000 | Yes | ? |
| 0x602 | 3 | 0x1000 | Yes | ? |
| 0x603 | 3 | 0x1000 | No | ? |
| 0x604 | 3 | 0x1000 | No | ? |
| 0x605-0x607 | 3 | 0x0000 | ? | ? |
| 0x608-0x6FF | 0 | 0x0000 | ? | ? |
| 0x700-0x77F | 3 | 0x0000 | ? | 16 public RSA keys for enc, which one is used depends on public key revision from enc header. |
| 0x780-0x7FF | 3 | 0x0000 | ? | ? |