Difference between revisions of "Cmep Key Ring Base"
Jump to navigation
Jump to search
| Line 53: | Line 53: | ||
| 0x212-0x213 || 3|| 0x001F || ? || ? | | 0x212-0x213 || 3|| 0x001F || ? || ? | ||
|- | |- | ||
| − | | 0x214-0x215 || 3|| 0x0000 || ? || ? | + | | 0x214 || 3|| 0x0000 || ? || Used to derive keyslots 0x514, 0x515 in second_loader |
| + | |- | ||
| + | | 0x215 || 3|| 0x0000 || ? || ? | ||
|- | |- | ||
| 0x216 || 3|| 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader. | | 0x216 || 3|| 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader. | ||
Revision as of 05:41, 22 June 2018
Address = 0xE0058000 + 32 * Slot
Key Ring Slots 0xE0058000
| Slot | Mode | Protection | Per-console | Description |
|---|---|---|---|---|
| 0 | 3 | 0x0442 | ? | ? |
| 1 | 1 | 0x0442 | ? | ? |
| 2-7 | 1 | 0x0040 | ? | ? |
| 8 | 3 | 0x0081 | Yes. | enp per-console key |
| 9 | 1 | 0x0080 | ? | ? |
| 0xA-0xF | 3 | 0x0080 | ? | ? |
| 0x10 | 1 | 0x0502 | ? | supports decryption only |
| 0x11-0x1F | 1 | 0x0100 | ? | ? |
| 0x20 | 3 | 0x0200 | ? | ? |
| 0x21-0x24 | 1 | 0x061F | ? | supports encryption and decryption |
| 0x25-0x2F | 1 | 0x0200 | ? | ? |
| 0x30-0x34 | 1 | 0x041F | ? | ? |
| 0x35-0x7F | 1 | 0x0000 | ? | ? |
| 0x80-0xFF | 0 | 0x0000 | ? | ? |
| 0x100 | 1 | 0x041F | ? | ? |
| 0x101-0x17F | 1 | 0x0000 | ? | ? |
| 0x180-0x1FF | 0 | 0x0000 | ? | ? |
| 0x200-0x203 | 3 | 0x0000 | ? | ? |
| 0x204-0x205 | 3 | 0x006F | ? | ? |
| 0x206-0x20D | 3 | 0x00A0 | ? | ? |
| 0x20E-0x20F | 3 | 0x0010 | ? | Maybe per-console emmc crypto keys? Protected by second_loader. |
| 0x210-0x211 | 3 | 0x0000 | ? | ? |
| 0x212-0x213 | 3 | 0x001F | ? | ? |
| 0x214 | 3 | 0x0000 | ? | Used to derive keyslots 0x514, 0x515 in second_loader |
| 0x215 | 3 | 0x0000 | ? | ? |
| 0x216 | 3 | 0x001F | ? | Derive 0x502-0x504 by encrypting data in second_loader. |
| 0x217 | 3 | 0x0000 | ? | ? |
| 0x218-0x2FF | 0 | 0x0000 | ? | ? |
| 0x300-0x33F | 3 | 0x0000 | ? | ? |
| 0x340 | 3 | 0x012F | ? | Used to decrypt keys into the 0x10 key slot |
| 0x341-0x343 | 3 | 0x0120 | ? | ? |
| 0x344 | 3 | 0x0220 | ? | ? |
| 0x345-0x348 | 3 | 0x022F | ? | Used to decrypt keys into one of the 0x21-0x24 key slot |
| 0x349-0x353 | 3 | 0x0220 | ? | ? |
| 0x354-0x3FF | 3 | 0x0000 | ? | ? |
| 0x400-0x47F | 1 | 0x0000 | ? | ? |
| 0x480-0x4FF | 0 | 0x0000 | ? | ? |
| 0x500 | 1 | 0x1800 | ? | ? |
| 0x501 | 7 | 0x1000 | ? | Downgrade protection? Set to 4 on 1.692, 0 on 1.05. |
| 0x502-0x504 | 3 | 0x1800 | Yes | Related to Ernie SNVS |
| 0x505 | 1 | 0x0000 | ? | ? |
| 0x506 | 3 | 0x1800 | ? | ? |
| 0x507 | 3 | 0x1800 | No | ? |
| 0x508 | 3 | 0x1800 | No | Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 |
| 0x509 | 3 | 0x1800 | Yes | IDPS of unit |
| 0x50A | 3 | 0x1800 | ? | Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. |
| 0x50B | 3 | 0x1800 | ? | From 0xD2 SNVS block 0, 8 bytes |
| 0x50C | 3 | 0x1800 | No | Flags. Set to 1 on 1.692 and newer, 0 on older |
| 0x50D | 3 | 0x1800 | Yes | OpenPSID |
| 0x50E | 3 | 0x1800 | Yes | Current firmware version. Comes from SNVS. |
| 0x50F | 3 | 0x1800 | Yes | Factory firmware version. Comes from idstorage. |
| 0x510 | 3 | 0x1800 | Yes | Some bit flags, comes from syscon cmd 0x90 offset 0xE0 |
| 0x511 | 3 | 0x1800 | Yes | Unique per boot session id, Syscon shared 0xD0 session key |
| 0x512 | 7 | 0x1800 | Yes | Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. |
| 0x513 | 3 | 0x1800 | No | DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. |
| 0x514 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. |
| 0x515 | 3 | 0x1800 | No? | F00d-cmd F01 AES-256-CBC key. Protected on 1.05. |
| 0x516 | 3 | 0x1800 | ? | F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. |
| 0x517 | 3 | 0x1800 | When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | |
| 0x518 | 3 | 0x1800 | No | Another current FW version (3.60+?) Comes from SNVS. |
| 0x519 | 3 | 0x1800 | No | 00s |
| 0x51A | 3 | 0x1800 | Yes | Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption |
| 0x51B | 3 | 0x1800 | No | Some kind of model info 0x406000 on retail and 0x416000 on devkit |
| 0x51C-0x57F | 1 | 0x0000 | ? | ? |
| 0x580-0x5FF | 0 | 0x0000 | ? | ? |
| 0x600-0x602 | 3 | 0x1000 | Yes | ? |
| 0x603 | 3 | 0x1000 | No | ? |
| 0x604 | 3 | 0x1000 | No | ? |
| 0x605-0x607 | 3 | 0x0000 | ? | ? |
| 0x608-0x6FF | 0 | 0x0000 | ? | ? |
| 0x700-0x7FF | 3 | 0x0000 | ? | ? |