Difference between revisions of "F00D Keyring Regs"

From Vita Development Wiki
Jump to navigation Jump to search
(36 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
= 0xE0000000: Cmep/ARM =
  
= Cmep/ARM =
+
== 0xE0000000: MailboxCmepToArm ==
  
== 0xE0000000: MailboxCmepToArm ==
 
 
Response to ARM is written here.
 
Response to ARM is written here.
  
 
== 0xE0000010: MailboxArmToCmep ==
 
== 0xE0000010: MailboxArmToCmep ==
 +
 
Request from ARM is written here.
 
Request from ARM is written here.
  
 
== 0xE0000020: MailboxCmepToDebugger ==
 
== 0xE0000020: MailboxCmepToDebugger ==
Size: 2* u32.
+
 
 +
Size: 2 * DOWORD.
  
 
== 0xE0000028: MailboxDebuggerToCmep ==
 
== 0xE0000028: MailboxDebuggerToCmep ==
Size: 2* u32.
+
 
 +
Size: 2 * DWORD.
  
 
== 0xE0000060: MailboxDebuggerToCmep2 ==
 
== 0xE0000060: MailboxDebuggerToCmep2 ==
Size: 2* u32.
 
  
= Cmep controller =
+
Size: 2 * DWORD.
 +
 
 +
= 0xE0010000: Cmep controller =
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Address !! Length !! Description
 +
|-
 +
| 0xE0010000 || 4 || TZ sets it to 1 then 0 and it appears cmep resets.
 +
|-
 +
| 0xE0010004 || 4 || Read by second_loader, checked against mask (& 5) and (& 8). Read by TZ after setting reset, checked if flag 0x80000000 is set. Ex: 0x80000005. Writing values to it from cmep does nothing.
 +
|}
  
 
== 0xE0010000: CmepReset ==
 
== 0xE0010000: CmepReset ==
 +
 
     Bit0: Hangs. ARM uses this to reset the cMeP subsystem.
 
     Bit0: Hangs. ARM uses this to reset the cMeP subsystem.
  
 
== 0xE0010004: CmepStatus ==
 
== 0xE0010004: CmepStatus ==
 +
 
     Bit31:  IsCmepAlive
 
     Bit31:  IsCmepAlive
 
     Bit0-2: ?
 
     Bit0-2: ?
Line 30: Line 45:
  
 
== 0xE0010010: Unknown ==
 
== 0xE0010010: Unknown ==
 +
 
Reads back 0x7FF. Then hangs after delay.
 
Reads back 0x7FF. Then hangs after delay.
  
     Bit5: Disables Key* registers, and KeyRingDirectAccess
+
     Bit5: Disables Key* registers, and Cmep KeyRings.
  
 
No bit appears to disable Rsa* registers, or Bigmac*.
 
No bit appears to disable Rsa* registers, or Bigmac*.
  
    0xE0020000: 0F 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
+
= 0xE0020000: Cmep 0xE0020000 =
    0xE0020010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  
= Cmep 0xE0020000 =
+
{| class="wikitable"
 +
|-
 +
! Address !! Length !! Description
 +
|-
 +
| 0xE0020000 || 4 || second_loader sets it to 0x30003 after ?clearing keys?. secure_kernel sets it to 0x2000F.
 +
|-
 +
| 0xE0020004 || 4 || ? Error code ?. Read by second_loader, checked against 0x8000001F. Also set to ?0? by second_loader when setting 0x30003 at 0xE0020000.
 +
|-
 +
| 0xE0020020 || 4 || Checked for 0 by second_loader. May be a kind of timer or working state.
 +
|-
 +
| 0xE0020040 || 0x10 || [[ReadAs|Read As]]
 +
|-
 +
| 0xE0020100 || 0x20 || Per-console 256-bit key from keyring 0x602 is copied here by second_loader.
 +
|}
 +
 
 +
== 0xE0020000 flags ==
  
== 0xE0020000: Unknown ==
 
 
     Bit0: Reboot when cleared.
 
     Bit0: Reboot when cleared.
     Bit1: Hang when cleared. Unrecoverable
+
     Bit1: Makes first_loader load secure_kernel. Hang when cleared and unrecoverable.
 
     Bit2: No hang when cleared.
 
     Bit2: No hang when cleared.
 
     Bit3: No hang when cleared.
 
     Bit3: No hang when cleared.
     Bit4:
+
     Bit4: ?
     Bit5:
+
     Bit5: ?
     Bit16: No hang when cleared.
+
     Bit16: Allows ARM to reset cmep. No hang when cleared.
     Bit17:
+
     Bit17: ?
 +
 
 +
= 0xE0030000: Bigmac Keyring controller =
  
== 0xE0020004: Unknown ==
+
This device is mapped to ScePervasiveResetReg at offset 0x190 for controlling reset and enabling mask writing.
second_loader writes 0x30003 followed by 0 here, after clearing keys.
 
  
== E0020020: Unknown ==
+
<source lang="C">
 +
typedef struct BigmacKeyringControllerRegs { // physical address 0xE0030000
 +
SceUInt32 keyring_new_value[8];
 +
SceUInt32 keyring_set_value_trigger;
 +
SceUInt32 keyring_clear_flags;
 +
SceUInt32 keyring_query_flags_request;
 +
SceUInt32 keyring_query_flags_response;
 +
} BigmacKeyringControllerRegs;
 +
</source>
  
<s>rsa_expmod() reads and writes back this register before reading the result of the RSA operation.</s>
+
== 0xE0030000: KeyringNewValue ==
  
May be a kind of timer.
+
Size: 8 * DWORD.
  
Or working state.
+
== 0xE0030020: KeyringSetValueTrigger ==
  
= Keyring controller =
+
Write value to a keyring. Requires the keyring to be enabled and WriteByCmepAllowed flag to be set.
  
Currently there is no known way to re setting protection in any way (slot_prot |= or_protect)
+
Write a keyring to this address, and the Bigmac Keyring Controller will write value from physical address 0xE0030000 to the keyring.
  
<pre>
+
== 0xE0030024: KeyringClearFlags ==
  +0x00 = EEP_DATA0
 
  +0x04 = EEP_DATA1
 
  +0x08 = EEP_DATA2
 
  +0x0C = EEP_DATA3
 
  +0x10 = EEP_DATA4
 
  +0x14 = EEP_DATA5
 
  +0x18 = EEP_DATA6
 
  +0x1C = EEP_DATA7
 
  +0x20 = EEP_LINE
 
  +0x24 = EEP_SET_PROTECTION
 
  +0x28 = EEP_GET_PROTECTION_REQ
 
  +0x2C = EEP_GET_PROTECTION_RESP
 
</pre>
 
  
Writing <code>line_id</code> to <code>EEP_LINE</code> will trigger writing the <code>EEP_DATA</code> registers into said line.
+
Note that there is no known way to set some keyrings flags in any way (doing keyring_flags |= or_flags), even though the opposite (clearing flags) is doable for some flags.
  
Writing <code>((prot<<16)|line_id)</code> to <code>EEP_SET_PROTECTION</code> protects a line. prot is a bit mask, 0x1000 makes reads from f00d return 0.
+
Writing <code>((flags_mask<<16)|keyring_id)</code> to <code>keyring_clear_flags</code> clear flags for this keyring.
  
Writing <code>line_id</code> to <code>EEP_GET_PROTECTION_REQ</code> returns current prot in <code>EEP_GET_PROTECTION_RESP</code>.
+
    Bit0-15:  KeyringId
 +
    Bit16-31: KeyringClearFlagsMask
  
This device is mapped to ScePervasiveResetReg +0x190 for controlling reset and enabling mask writing.
+
== 0xE0030028: KeyringQueryFlags ==
  
<source>
+
Writing <code>keyring_id</code> to <code>keyring_query_flags_request</code> returns current flags in <code>keyring_query_flags_response</code>.
  
/*
+
    Bit0-15: KeyringId
* Protection
 
*
 
* 0x00000001 : Slot exist
 
* 0x00000002 : Slot enabled
 
* 0x00000004 : Unknown
 
* 0x00010000 : Allow enc
 
* 0x00020000 : Allow dec
 
* more ...
 
*/
 
typedef struct SceBigmacKeyringController { // 0xE0030000
 
uint32_t data[0x8];
 
/*
 
* Write data to slot. Needed have the 0x800 protection (direct write)
 
* If the slot is disabled, enable it
 
*/
 
int slot_id;
 
  
/*
+
== 0xE003002C: KeyringQueryFlagsResponse ==
* Clear slot protection
 
*
 
* Mask      | Description
 
* 0x0000FFFF : Target slot id
 
* 0xFFFF0000 : Clear protection
 
*/
 
int slot_protection;
 
  
/*
+
    Bit Mask value    Clearable  Description
* if((slot_protect_resp & 2) != 0) enabled else disabled
+
    0  (0x0000 0001): N/A      | KeyringExists
*/
+
    1  (0x0000 0002): N/A      | KeyringEnabled. You cannot use the keyring if this is not set.
int slot_protect_chk;
+
    2  (0x0000 0004): N/A      | Unknown
int slot_protect_resp;
+
    16 (0x0001 0000): Clearable | AesEncryptAllowed (CTR+CBC+ECB, any key size)
} SceBigmacKeyringController;
+
    17 (0x0002 0000): Clearable | AesDecryptAllowed (CTR+CBC+ECB, any key size)
</source>
+
    18 (0x0004 0000): Clearable | ShaHmacAllowed (SHA1+SHA256)
 +
    19 (0x0008 0000): Clearable | AesCmacAllowed
 +
    20 (0x0010 0000): Clearable | Master keyring can target memory.
 +
    21 (0x0020 0000): Fixed    | IsMaster. Master keyring can target slave keyring (based on Mask Group below).
 +
    22 (0x0040 0000): Fixed    | MemberOfGroup0. Keyring Pairing Lock Mask Group 0 (master keyrings 0x204-0x205 and slave keyrings 0-7).
 +
    23 (0x0080 0000): Fixed    | MemberOfGroup1. Keyring Pairing Lock Mask Group 1 (master keyrings 0x206-0x20D and slave keyrings 8-0xF).
 +
    24 (0x0100 0000): Fixed    | MemberOfGroup2. Keyring Pairing Lock Mask Group 2 (master keyrings 0x340-0x343 and slave keyrings 0x10-0x1F).
 +
    25 (0x0200 0000): Fixed    | MemberOfGroup3. Keyring Pairing Lock Mask Group 3 (master keyrings 0x344-0x353 and slave keyrings 0x20-0x2F).
 +
    26 (0x0400 0000): Clearable | ?WriteByBigmacAllowed?. ?Locked keyring can target cmep memory.?
 +
    27 (0x0800 0000): Clearable | WriteByCmepAllowed. Can be written directly by cmep.
 +
    28 (0x1000 0000): Clearable | ReadByCmepAllowed. Can be read directly by cmep.
  
== 0xE0030000-0xE003001F: KeySetValue ==
+
A normal keyring is a keyring that do not belong to any group (bit21-25 are all zeroes). It can be written by slaves of groups, and also by normal non-keyring operations. They can write to ?a normal keyring or to external memory?.
Size: 8x u32.
 
  
== 0xE0030020: KeySetValueTrigger ==
+
A master keyring can only write into a slave keyring belonging to the same group(s) as itself. A master keyring cannot write into a non-slave keyring or external memory.
  
Write keyslot here, and it will write value written above to it.
+
A slave keyring can write to a normal keyring or to external memory, but not to a master keyring.
  
If the slot is not enabled, enable it (needed some protect. if not have protect, cannot enable that slot)
+
VULN!! If a keyring has AesDecryptAllowed flag, it is possible to encrypt arbitrary AES blocks without AesEncryptAllowed flag by using AES CTR mode.
  
== 0xE0030024: KeySetProtect ==
+
= SceBignum controller =
    Bit0-15:  KeyslotNumber
 
    Bit16-31: KeyslotClearFlags
 
  
== 0xE0030028: KeyQueryProtect ==
+
== 0xE0040000 ==
    Bit0-15: KeyslotNumber
 
  
== 0xE003002C: KeyQueryProtectResult ==
+
0x1000 config * 0x10 = 0x10000-bytes
    Bit0: SlotExists
 
    Bit1: SlotEnabled. You cannot use a key if this is not set.
 
    Bit2: Unknown
 
    Bit16:  Clearable  | AesEncryptAllowed (CTR+CBC+ECB, any key size)
 
    Bit17:  Clearable  | AesDecryptAllowed (CTR+CBC+ECB, any key size)
 
    Bit18:  Clearable  | ShaHmacAllowed (SHA1+SHA256)
 
    Bit19:  Clearable  | AesCmacAllowed
 
    Bit20:  Clearable  | EmmcCryptoAllowed (qualified guess!)
 
    Bit21:  Fixed      | IsMaster
 
    Bit22:  Fixed      | MemberOfGroup0
 
    Bit23:  Fixed      | MemberOfGroup1
 
    Bit24:  Fixed      | MemberOfGroup2
 
    Bit25:  Fixed      | MemberOfGroup3
 
    Bit26:  Clearable  | SetByBigmacAllowed
 
    Bit27:  Clearable  | SetByKeyringAllowed
 
    Bit28:  Clearable  | GetByKeyringAllowed
 
  
A master key can only write into a slave keyslot belonging to the same group(s) as itself.
+
= Bigmac Crypto Controller =
  
A master key cannot write into a non-slave keyslot or external memory.
+
<source lang="C">
 +
// base: 0xE0050000 (channel0), 0xE0050080 (channel1)
 +
typedef struct BigmacOp {
 +
const void *src;
 +
union {
 +
void *dst;
 +
SceUInt32 dst_keyring_id;
 +
};
 +
SceSize len;
 +
int func; // operation
  
Normal keyslots are keyslots that don't belong to any group (bit21-25 are all zeroes). They can be written by slaves of groups, and also by normal non-keyslot operations.
+
SceUInt32 work_keyring_id;
 +
void *iv;
 +
void *next;
 +
int ready; // Writing 1 here starts the operation.
  
A slave can write output to a normal keyslot or to external memory.
+
int status;
 +
int res; // Set when invalid keyring (0xFFF). Bit18: Set when keyring is not allowed to perform operation.
 +
} BigmacOp;
 +
</source>
  
VULN!! If you have AesDecryptAllowed, you can encrypt arbitrary AES blocks without AesEncryptAllowed. Use CTR mode.
+
When Keyring is set to src, only slots with the 0x1000 flag can be targeted. Selecting a slot that does not have 0x1000 will only read zeros.
  
= SceBignum controller =
+
== 0xE005000C: Bigmac crypto controller function ==
  
== 0xE0040108: RsaSignatureBuffer ==
+
There is usage of higher bits in the commands that do not seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits.
Size: 0x100 bytes.
 
  
== 0xE0040400: RsaModulusBuffer ==
+
  Bits    Mask Value  Description
Size: 0x100 bytes.
+
  0~ 1 | 0x00000003 | The func index
 +
      2 | 0x00000004 | RNG
 +
  3~ 5 | 0x00000038 | The algo index
 +
  6    | 0x00000040 | DES (Probably)
 +
  7    | 0x00000080 | Using external key (A key placed at 0xE0050200 is used instead of the key in the keyring)
 +
  8~ 9 | 0x00000300 | Keysize. 0x000:64-bits 0x100:128-bits 0x200:192-bits 0x300:256-bits
 +
  10~11 | 0x00000C00 | Hash transform flags. 0x400:hashUpdate 0x800:hashFinalize 0xC00:Probably a fusion of hashUpdate and hashFinalize?
 +
    12 | 0x00001000 | Unknown. Used by SceDmacMemcpy/SceDmacMemset.
 +
    13 | 0x00002000 | Unknown. Some common option.
 +
  14~23 | 0x00FFC000 | Unknown
 +
  24~25 | 0x03000000 | Some address callback. Used by SceDmacMemcpy/SceDmacMemset. If settting it, called SceSysrootForDriver_EE934615. Setting this bit within AES, Triggered hang.
 +
  26~27 | 0x0C000000 | Unknown
 +
  28    | 0x10000000 | Dst is keyring
 +
  29~31 | 0xE0000000 | Unknown
  
== 0xE0040800: RsaControl ==
+
Func list
In u32's.
 
  
== 0xE0040800: RsaStatus ==
+
func + RNG = bzero?
    Bit31: Busy
 
  
== 0xE0040808: RsaExponent ==
+
    Index  Real Value  Description
 +
        0 | 0x00000000 | Memcpy (Also Bigmac too?)
 +
        1 | 0x00000001 | AesEncrypt
 +
        2 | 0x00000002 | AesDecrypt
 +
        3 | 0x00000003 | Secure Hash Algorithm
  
= SceBigmac controller =
+
Algo list
  
 
<source lang="C">
 
<source lang="C">
// base:0xE0050000(channel0), 0xE0050080(channel1)
+
Index  Func  Real Value  Description
typedef struct SceBigmacOp {
+
    0 |    1 | 0x00000001 | AesEcbEncrypt
const void *src;
+
    1 |    1 | 0x00000009 | AesCbcEncrypt
union {
+
    2 |    1 | 0x00000011 | AesCtrEncrypt (encrypt context)
void *dst;
+
    3 |    1 | 0x00000019 | AesCbcEncrypt
int slot_id;
+
    4 |    1 | 0x00000021 | AesCtrEncrypt (encrypt context)
};
+
    5 |    1 | 0x00000029 | AesEcbEncrypt
SceSize len;
+
    6 |    1 | 0x00000031 | AesEcbEncrypt
int func; // BigmacOp
+
    7 |    1 | 0x00000039 | Hang on Bigmac
 +
 
 +
    0 |    2 | 0x00000002 | AesEcbDecrypt
 +
    1 |    2 | 0x0000000A | AesCbcDecrypt
 +
    2 |    2 | 0x00000012 | AesCtrDecrypt (decrypt context)
 +
    3 |    2 | 0x0000001A | AesCbcDecrypt
 +
    4 |    2 | 0x00000022 | AesCtrDecrypt (decrypt context)
 +
    5 |    2 | 0x0000002A | AesEcbDecrypt
 +
    6 |    2 | 0x00000032 | AesEcbDecrypt
 +
    7 |    2 | 0x0000003A | Hang on Bigmac
  
int key_slot;
+
    0 |    3 | 0x00000003 | SHA1
void *iv;
+
    1 |    3 | 0x0000000B | SHA224
void *next;
+
    2 |    3 | 0x00000013 | SHA256
int ready; // Writing 1 here starts bigmac operation.
+
    3 |    3 | 0x0000001B | !!! HANG !!!
 +
    4 |    3 | 0x00000023 | HmacSha1
 +
    5 |    3 | 0x0000002B | HmacSha224
 +
    6 |    3 | 0x00000033 | HmacSha256
 +
    7 |    3 | 0x0000003B | AesCmac/AES-CBC-MAC-64 (CMAC, OMAC1)
  
int status;
+
    0 |  RNG | 0x00000004 | RNG
int res; // Set when invalid keyslot (0xFFF). Bit18: Set when keyslot is not allowed to perform operation.
+
    1 |  RNG | 0x0000000C | Memset (ch is written to MacDevice +0x104. On FW 3.60, the ch is seen at offset +0x34.)
} SceBigmacOp;
+
    2 |  RNG | 0x00000014 | Memset
 +
    3 |  RNG | 0x0000001C | Memset
 +
    4 |  RNG | 0x00000024 | Memset
 +
    5 |  RNG | 0x0000002C | Memset
 +
    6 |  RNG | 0x00000034 | Memset
 +
    7 |  RNG | 0x0000003C | Memset
 
</source>
 
</source>
  
== 0xE005000C: BigmacOp ==
+
DES algos
Unlike for Dmac5, DES is not supported for Bigmac.
+
 
 +
Unlike for [[Dmac5]], DES is not supported for keyring Controller.
 +
 
 +
DES is DMAC only. If running on Bigmac, it triggered hang up. (this is true?)
 +
 
 +
It's 3DES if keysize is 128 or 192
  
But many of the commands are same. (see [[Dmac5]])
+
If DES + SHA, DES bit is ignored (Execute SHA command).
  
   Bit0-6: Algorithm
+
   Algo   Func   Real Value   Description
   0x00 = Zeroes?
+
    0 |    0 | 0x00000040 | Unknown
   0x01 = AesEcbEncrypt
+
    0 |    1 | 0x00000041 | DesEcbEncrypt
   0x02 = AesEcbDecrypt
+
    0 |    2 | 0x00000042 | DesEcbDecrypt
  0x03 = Sha1
+
    1 |    1 | 0x00000049 | DesCbcEncrypt
  0x04 = Rng
+
    1 |    2 | 0x0000004A | DesCbcDecrypt
  0x05 = Zeroes
+
    4 |    1 | 0x00000061 | Unknown. hang up on bigmac. (DES + AesCtrEncrypt)
  0x06 = Zeroes
+
    // If you have more found, add that to here
  0x07 = Zeroes
 
  0x09 = AesCbcEncrypt
 
  0x0A = AesCbcDecrypt
 
  0x0B = Sha224
 
  0x0C = memset
 
  0x0D = Zeroes
 
  0x0E = Zeroes
 
  0x0F = Zeroes
 
  0x10 = AesCtr
 
  0x11 = AesCtrEncrypt
 
  0x12 = AesCtrDecrypt
 
  0x13 = Sha256
 
  0x1B = !!! HANG !!!
 
  0x23 = HmacSha1, keylength=32 bytes
 
  0x2B = !!! HANG !!!
 
  0x33 = HmacSha256, keylength=32 bytes
 
  0x3B = AesCmac
 
  0x41  = !!! HANG !!! (DES-64-ECB encrypt in DMAC5)
 
  0x43 = <0x03>
 
  0x4B = <0x0b>
 
  0x53 = <0x13>
 
  0x61  = !!! HANG !!!
 
  0x7B = <0x3b>
 
  0x141 = !!! HANG !!!
 
  
     Bit7:   UseExternalKey
+
Keysize algos
     Bit8-10: KeySize (0=64bit, 1=128bit, 2=192bit, 3=256bit)
+
  Algo  Func  Keysize  Real Value  Description
            (Applies only to AesEcb, AesCbc, AesCmac)
+
    0 |    1 |    128 | 0x00000101 | Aes128EcbEncrypt
     Bit11:  Nothing noticable for AesEcbEncrypt
+
    0 |    2 |     128 | 0x00000102 | Aes128EcbDecrypt
     Bit12:  Nothing noticable for AesEcbEncrypt
+
    0 |   1 |    192 | 0x00000201 | Aes192EcbEncrypt
     Bit24:  Causes hang
+
    0 |    2 |     192 | 0x00000202 | Aes192EcbDecrypt
     Bit25:  Causes hang
+
    0 |    1 |    256 | 0x00000301 | Aes256EcbEncrypt
     Bit28:  IsDstKeyslot
+
    0 |    2 |    256 | 0x00000302 | Aes256EcbDecrypt
 +
    1 |    1 |    128 | 0x00000109 | Aes128CbcEncrypt
 +
    1 |    2 |    128 | 0x0000010A | Aes128CbcDecrypt
 +
    1 |    1 |    192 | 0x00000209 | Aes192CbcEncrypt
 +
    1 |    2 |    192 | 0x0000020A | Aes192CbcDecrypt
 +
    1 |    1 |     256 | 0x00000309 | Aes256CbcEncrypt
 +
    1 |    2 |     256 | 0x0000030A | Aes256CbcDecrypt
 +
    7 |    3 |     128 | 0x0000013B | Aes128Cmac/AES-CBC-MAC-128 (CMAC, OMAC1)
 +
    7 |    3 |     192 | 0x0000023B | Aes192Cmac/AES-CBC-MAC-192 (CMAC, OMAC1)
 +
    7 |    3 |     256 | 0x0000033B | Aes256Cmac/AES-CBC-MAC-256 (CMAC, OMAC1)
  
The following are known to be able to write keyslots:
+
The following are known to be able to write keyrings:
 
   * AesEcbEncrypt/Decrypt:
 
   * AesEcbEncrypt/Decrypt:
 
       Size is rounded up to multiple of 4.
 
       Size is rounded up to multiple of 4.
 
       If size > 16, size = 16.
 
       If size > 16, size = 16.
 
+
     
 
       Read |size| bytes from |src| into HW state.
 
       Read |size| bytes from |src| into HW state.
 
       The remaining 16-|size| bytes of state *ARE KEPT FROM RESULT OF PREVIOUS AES OPERATION*.
 
       The remaining 16-|size| bytes of state *ARE KEPT FROM RESULT OF PREVIOUS AES OPERATION*.
       VULN! This allows key recovery of all slave keyslots during boot.
+
       VULN! This allows key recovery of all slave keyrings during boot.
 
+
     
       The key written to keyslot is always 16 bytes long, padded with 00's.
+
       The key written to keyring is always 16 bytes long, padded with 00's.
 
+
     
 
   * AesCbcEncrypt/Decrypt: Size is rounded up to multiple of 4.  
 
   * AesCbcEncrypt/Decrypt: Size is rounded up to multiple of 4.  
 
   * AesCtrEncrypt/Decrypt: Size is rounded up to multiple of 4.
 
   * AesCtrEncrypt/Decrypt: Size is rounded up to multiple of 4.
   * AesCmac                Puts the 16 byte hash into keyslot.
+
   * AesCmac                Puts the 16 byte hash into keyring.
 
                           Bytes 16-31 are *FORCED* 0.
 
                           Bytes 16-31 are *FORCED* 0.
   * Sha1:                  Puts the 20 byte hash into keyslot.
+
   * Sha1:                  Puts the 20 byte hash into keyring.
 
                           Bytes 20-31 are *FORCED* 0.
 
                           Bytes 20-31 are *FORCED* 0.
   * Sha224:                Puts the 28 byte hash into keyslot.
+
   * Sha224:                Puts the 28 byte hash into keyring.
 
                           Bytes 28-31 are *FORCED* 0.
 
                           Bytes 28-31 are *FORCED* 0.
   * Sha256:                Puts the 32 byte hash into keyslot.
+
   * Sha256:                Puts the 32 byte hash into keyring.
 
   * HmacSha1              Probably same as Sha1.
 
   * HmacSha1              Probably same as Sha1.
 
   * HmacSha256            Probably same as Sha256.
 
   * HmacSha256            Probably same as Sha256.
 
   * Rng
 
   * Rng
  
AesCtrEncrypt when having a keyslot dst, still reads from src.
+
AesCtrEncrypt when having a keyring dst, still reads from src.
  
 
VULN! Any SHA with length==0 produces an output of all zeroes!
 
VULN! Any SHA with length==0 produces an output of all zeroes!
  
== 0xE005003C: BigmacRng ==
+
== 0xE0050024: Status ==
Reads a random value.
 
  
== 0xE0050100: Bigmac unknown 0x100 ==
+
  Bit  Mask Value  Description
 +
  0 | 0x00000001 | Busy
 +
  15 | 0x00008000 | Some error status
 +
  16 | 0x00010000 | Some error status
 +
  17 | 0x00020000 | Some error status
 +
  18 | 0x00040000 | Not allowed operation
  
== 0xE0050200: BigmacExternalKey ==
+
== 0xE005003C: Bigmac Rng ==
Size: 0x20 bytes
 
  
VULN! Allows partial overwrite. However when using keyslot crypto, this key remains unaffected. Thus it cannot be used to recover keyslot keys.
+
Reads a random value.
  
= SceBigmac Keyring =
+
== 0xE0050100: Bigmac unknown 0x100 data ==
  
== 0xE0058000: KeyRingDirectAccess ==
+
== 0xE0050200: Bigmac External Key ==
Size: 0x10000 bytes.
 
  
Key slots
+
Size: 0x20 bytes
  
0x000-0x07F:
+
VULN! Allows partial overwrite. However when using keyring crypto, this key remains unaffected thus it cannot be used to recover keyring keys.
    Initial state: Empty keyslots.
 
    0x000-0x007: Empty group0 slave keyslots, for AES decryption only.
 
    0x008-0x00F: Empty group1 slave keyslots, any algo.
 
    0x010-0x01F: Empty group2 slave keyslots, for AES decryption only.
 
    0x020-0x02F: Empty group3 slave keyslots, any algo.
 
    0x030-0x07F: Empty normal keyslots, any algo.
 
  
0x100-0x17F:
+
= Bigmac Key Ring Base =
    Initial state: Empty keyslots.
 
    0x100-0x17F: Empty normal keyslots, any algo.
 
  
0x200-0x217:
+
See [[F00D Key Ring Base]].
    Initial state: Filled in, key material.
 
    0x200-0x203: AES decryption-only keys (for memory buffers).
 
    0x204-0x205: Master keys (for group0), any algo.
 
    0x206-0x20D: Master keys (for group1), any algo.
 
    0x20E-0x20F: Emmc keys, fully protected.
 
    0x210-0x217: General purpose keys (for memory buffers).
 
  
0x300-0x3FF:
+
All keyrings flags are reset when CMeP is reset.
    Initial state: Filled in, key material.
 
    0x300-0x33F: AES decryption-only keys (for memory buffers).
 
    0x340-0x343: Master keys (for group2), any algo.
 
    0x344-0x353: Master keys (for group3), any algo.
 
    0x354-0x3FF: General purpose keys (for memory buffers).
 
  
0x400-0x47F:
+
  Keyrings lock list
    Initial state: Empty data storage, read-write from keyring.
+
    Location        Keyring      Clear    When
 +
    first_loader |        0xA | 0x1C1F | decrypt_enc_body
 +
                          0x20 | 0x1C1F | update_slsk_metadata_keys
 +
                          0x207 | 0x1C1F | remove_slsk_personalization
 +
                    0x208~0x20D | 0x1C1F | update_slsk_metadata_keys
 +
                          0x20F | 0x1C0F | Setting eMMC key
 +
                          0x501 | 0x0800 | update_bigmac_key_0x501
 +
                    0x700~0x7FF | 0x1000 | slsk_header_rsa_check
 +
                    Any keyring | 0x1C1F | disable_bigmac_keys_by_header
 +
    second_loader |      0x20E | 0x1FEF | Setting eMMC key
 +
    secure_kernel |        0x8 | 0x1FFE | on tzs comm
 +
                      0x2~  0x7 | 0x1FFF | on tzs comm
 +
                      0x9~  0xF | 0x1FFF | on tzs comm
 +
                    0x11~ 0x21 | 0x1FFF | on tzs comm
 +
                    0x25~ 0x2F | 0x1FFF | on tzs comm
 +
                    0x35~ 0x7F | 0x1FFF | on tzs comm
 +
                    0x101~0x17F | 0x1FFF | on tzs comm
 +
                    0x200~0x203 | 0x1FFF | on tzs comm
 +
                    0x206~0x20D | 0x1FFF | on tzs comm
 +
                    0x20E~0x20F | 0x1FEF | on tzs comm
 +
                    0x210~0x211 | 0x1FFF | on tzs comm
 +
                    0x214~0x215 | 0x1FFF | on tzs comm
 +
                          0x217 | 0x1FFF | on tzs comm
 +
                    0x300~0x33F | 0x1FFF | on tzs comm
 +
                    0x341~0x344 | 0x1FFF | on tzs comm
 +
                    0x349~0x3FF | 0x1FFF | on tzs comm
 +
                    0x400~0x47F | 0x1FFF | on tzs comm
 +
                          0x50E | 0x0800 | on tzs comm
 +
                    0x51C~0x57F | 0x1FFF | on tzs comm
 +
                    0x605~0x607 | 0x1FFF | on tzs comm
 +
                    0x700~0x7FF | 0x1FFF | on tzs comm
  
0x500-0x57F:
+
== 0xE0058000: Bigmac KeyRings ==
    Initial state: Empty data storage, read-write from keyring.
 
  
0x600-0x607:
+
Size: 0x10000 bytes.
    Initial state: Filled in data, read-only. Keyring only.
 
    0x603: u32 BootromFlags.
 
      Bit0-15: HasRsaRevocationKey. This is set to 0xFFFF.
 
      Bit16:  UseAlternativeEmmcClock
 
  
0x700-0x77F:
+
= 0xE0070000: SceEmmcController =
    Initial state: Filled in data, read-only. Keyring only.
 
    0x700-0x708: RsaRevocationKey0
 
    0x708-0x710: RsaRevocationKey1
 
    0x710-0x718: RsaRevocationKey2
 
    0x718-0x720: RsaRevocationKey3
 
    0x720-0x728: RsaRevocationKey4
 
    0x728-0x730: RsaRevocationKey5
 
    ...
 
    0x778-0x780: RsaRevocationKey15
 
  
= SceEmmcController =
+
{| class="wikitable"
 +
|-
 +
! Address !! Length !! Description
 +
|-
 +
| 0xE0070000 || 4 || Ex: 1. Set to 0, then 1 after writing to 0xE0070008.
 +
|-
 +
| 0xE0070008 || 4 || Set to 0x020E020F in second_loader. ?eMMC related?
 +
|-
 +
| 0xE007000C || 4 || Ex: 2.
 +
|-
 +
| 0xE0070014 || 4 || Set to 6 under some condition in second_loader.
 +
|}
  
 
== 0xE0070000: EmmcCrypto Toggle/Status? ==
 
== 0xE0070000: EmmcCrypto Toggle/Status? ==
  
Toggle : Set to 1.
+
Toggle: Set to 1.
  
Status : enabled emmc enc/dec?
+
Status: enabled emmc enc/dec?
  
 
== 0xE0070004: EmmcCrypto avalaible status ==
 
== 0xE0070004: EmmcCrypto avalaible status ==
  
bit0(& 1) : Not available -> second_loader throw error.
+
bit0(& 1): Not available -> second_loader throws error.
  
 
== 0xE0070008: EmmcCrypto keyset ==
 
== 0xE0070008: EmmcCrypto keyset ==
  
1.69-3.73 : 0x20E and 0x20F.
+
Read value example: 0x20E and 0x20F (FW 1.69-3.73).
  
 
write only.
 
write only.
Line 377: Line 417:
 
== 0xE00CC000: Unknown ==
 
== 0xE00CC000: Unknown ==
  
Unknown, Read value example: 0x10006331
+
Unknown. Read value example: 0x10006331
  
 
== 0xE00CC014: Unknown ==
 
== 0xE00CC014: Unknown ==
  
Unknown, Read value example: 0x300000
+
Unknown. Read value example: 0x300000
  
 
== 0xE00CC070: Unknown ==
 
== 0xE00CC070: Unknown ==
  
Unknown, Read value example: 1
+
Unknown. Read value example: 1
  
 
== 0xE00CC078: Unknown ==
 
== 0xE00CC078: Unknown ==
  
Unknown, Read value example: 0x300
+
Unknown. Read value example: 0x300
  
  
 
[[Category:Keyring]]
 
[[Category:Keyring]]

Revision as of 06:27, 28 February 2022

0xE0000000: Cmep/ARM

0xE0000000: MailboxCmepToArm

Response to ARM is written here.

0xE0000010: MailboxArmToCmep

Request from ARM is written here.

0xE0000020: MailboxCmepToDebugger

Size: 2 * DOWORD.

0xE0000028: MailboxDebuggerToCmep

Size: 2 * DWORD.

0xE0000060: MailboxDebuggerToCmep2

Size: 2 * DWORD.

0xE0010000: Cmep controller

Address Length Description
0xE0010000 4 TZ sets it to 1 then 0 and it appears cmep resets.
0xE0010004 4 Read by second_loader, checked against mask (& 5) and (& 8). Read by TZ after setting reset, checked if flag 0x80000000 is set. Ex: 0x80000005. Writing values to it from cmep does nothing.

0xE0010000: CmepReset

   Bit0: Hangs. ARM uses this to reset the cMeP subsystem.

0xE0010004: CmepStatus

   Bit31:  IsCmepAlive
   Bit0-2: ?
   0xE0010000: 00 00 00 00 05 00 00 80 00 00 00 00 00 00 00 00
   0xE0010010: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0xE0010010: Unknown

Reads back 0x7FF. Then hangs after delay.

   Bit5: Disables Key* registers, and Cmep KeyRings.

No bit appears to disable Rsa* registers, or Bigmac*.

0xE0020000: Cmep 0xE0020000

Address Length Description
0xE0020000 4 second_loader sets it to 0x30003 after ?clearing keys?. secure_kernel sets it to 0x2000F.
0xE0020004 4 ? Error code ?. Read by second_loader, checked against 0x8000001F. Also set to ?0? by second_loader when setting 0x30003 at 0xE0020000.
0xE0020020 4 Checked for 0 by second_loader. May be a kind of timer or working state.
0xE0020040 0x10 Read As
0xE0020100 0x20 Per-console 256-bit key from keyring 0x602 is copied here by second_loader.

0xE0020000 flags

   Bit0: Reboot when cleared.
   Bit1: Makes first_loader load secure_kernel. Hang when cleared and unrecoverable.
   Bit2: No hang when cleared.
   Bit3: No hang when cleared.
   Bit4: ?
   Bit5: ?
   Bit16: Allows ARM to reset cmep. No hang when cleared.
   Bit17: ?

0xE0030000: Bigmac Keyring controller

This device is mapped to ScePervasiveResetReg at offset 0x190 for controlling reset and enabling mask writing.

typedef struct BigmacKeyringControllerRegs { // physical address 0xE0030000
	SceUInt32 keyring_new_value[8];
	SceUInt32 keyring_set_value_trigger;
	SceUInt32 keyring_clear_flags;
	SceUInt32 keyring_query_flags_request;
	SceUInt32 keyring_query_flags_response;
} BigmacKeyringControllerRegs;

0xE0030000: KeyringNewValue

Size: 8 * DWORD.

0xE0030020: KeyringSetValueTrigger

Write value to a keyring. Requires the keyring to be enabled and WriteByCmepAllowed flag to be set.

Write a keyring to this address, and the Bigmac Keyring Controller will write value from physical address 0xE0030000 to the keyring.

0xE0030024: KeyringClearFlags

Note that there is no known way to set some keyrings flags in any way (doing keyring_flags |= or_flags), even though the opposite (clearing flags) is doable for some flags.

Writing ((flags_mask<<16)|keyring_id) to keyring_clear_flags clear flags for this keyring.

   Bit0-15:  KeyringId
   Bit16-31: KeyringClearFlagsMask

0xE0030028: KeyringQueryFlags

Writing keyring_id to keyring_query_flags_request returns current flags in keyring_query_flags_response.

   Bit0-15: KeyringId

0xE003002C: KeyringQueryFlagsResponse

   Bit Mask value    Clearable   Description
   0  (0x0000 0001): N/A       | KeyringExists
   1  (0x0000 0002): N/A       | KeyringEnabled. You cannot use the keyring if this is not set.
   2  (0x0000 0004): N/A       | Unknown
   16 (0x0001 0000): Clearable | AesEncryptAllowed (CTR+CBC+ECB, any key size)
   17 (0x0002 0000): Clearable | AesDecryptAllowed (CTR+CBC+ECB, any key size)
   18 (0x0004 0000): Clearable | ShaHmacAllowed (SHA1+SHA256)
   19 (0x0008 0000): Clearable | AesCmacAllowed
   20 (0x0010 0000): Clearable | Master keyring can target memory.
   21 (0x0020 0000): Fixed     | IsMaster. Master keyring can target slave keyring (based on Mask Group below).
   22 (0x0040 0000): Fixed     | MemberOfGroup0. Keyring Pairing Lock Mask Group 0 (master keyrings 0x204-0x205 and slave keyrings 0-7).
   23 (0x0080 0000): Fixed     | MemberOfGroup1. Keyring Pairing Lock Mask Group 1 (master keyrings 0x206-0x20D and slave keyrings 8-0xF).
   24 (0x0100 0000): Fixed     | MemberOfGroup2. Keyring Pairing Lock Mask Group 2 (master keyrings 0x340-0x343 and slave keyrings 0x10-0x1F).
   25 (0x0200 0000): Fixed     | MemberOfGroup3. Keyring Pairing Lock Mask Group 3 (master keyrings 0x344-0x353 and slave keyrings 0x20-0x2F).
   26 (0x0400 0000): Clearable | ?WriteByBigmacAllowed?. ?Locked keyring can target cmep memory.?
   27 (0x0800 0000): Clearable | WriteByCmepAllowed. Can be written directly by cmep.
   28 (0x1000 0000): Clearable | ReadByCmepAllowed. Can be read directly by cmep.

A normal keyring is a keyring that do not belong to any group (bit21-25 are all zeroes). It can be written by slaves of groups, and also by normal non-keyring operations. They can write to ?a normal keyring or to external memory?.

A master keyring can only write into a slave keyring belonging to the same group(s) as itself. A master keyring cannot write into a non-slave keyring or external memory.

A slave keyring can write to a normal keyring or to external memory, but not to a master keyring.

VULN!! If a keyring has AesDecryptAllowed flag, it is possible to encrypt arbitrary AES blocks without AesEncryptAllowed flag by using AES CTR mode.

SceBignum controller

0xE0040000

0x1000 config * 0x10 = 0x10000-bytes

Bigmac Crypto Controller

// base: 0xE0050000 (channel0), 0xE0050080 (channel1)
typedef struct BigmacOp {
	const void *src;
	union {
		void *dst;
		SceUInt32 dst_keyring_id;
	};
	SceSize len;
	int func; // operation

	SceUInt32 work_keyring_id;
	void *iv;
	void *next;
	int ready; // Writing 1 here starts the operation.

	int status;
	int res; // Set when invalid keyring (0xFFF). Bit18: Set when keyring is not allowed to perform operation.
} BigmacOp;

When Keyring is set to src, only slots with the 0x1000 flag can be targeted. Selecting a slot that does not have 0x1000 will only read zeros.

0xE005000C: Bigmac crypto controller function

There is usage of higher bits in the commands that do not seem to have much affect. For the encryption examples, 0xC002000 is also set on the command upper bits.

 Bits    Mask Value   Description
  0~ 1 | 0x00000003 | The func index
     2 | 0x00000004 | RNG
  3~ 5 | 0x00000038 | The algo index
  6    | 0x00000040 | DES (Probably)
  7    | 0x00000080 | Using external key (A key placed at 0xE0050200 is used instead of the key in the keyring)
  8~ 9 | 0x00000300 | Keysize. 0x000:64-bits 0x100:128-bits 0x200:192-bits 0x300:256-bits
 10~11 | 0x00000C00 | Hash transform flags. 0x400:hashUpdate 0x800:hashFinalize 0xC00:Probably a fusion of hashUpdate and hashFinalize?
    12 | 0x00001000 | Unknown. Used by SceDmacMemcpy/SceDmacMemset.
    13 | 0x00002000 | Unknown. Some common option.
 14~23 | 0x00FFC000 | Unknown
 24~25 | 0x03000000 | Some address callback. Used by SceDmacMemcpy/SceDmacMemset. If settting it, called SceSysrootForDriver_EE934615. Setting this bit within AES, Triggered hang.
 26~27 | 0x0C000000 | Unknown
 28    | 0x10000000 | Dst is keyring
 29~31 | 0xE0000000 | Unknown

Func list

func + RNG = bzero?

   Index   Real Value   Description
       0 | 0x00000000 | Memcpy (Also Bigmac too?)
       1 | 0x00000001 | AesEncrypt
       2 | 0x00000002 | AesDecrypt
       3 | 0x00000003 | Secure Hash Algorithm

Algo list

Index   Func   Real Value   Description
    0 |    1 | 0x00000001 | AesEcbEncrypt
    1 |    1 | 0x00000009 | AesCbcEncrypt
    2 |    1 | 0x00000011 | AesCtrEncrypt (encrypt context)
    3 |    1 | 0x00000019 | AesCbcEncrypt
    4 |    1 | 0x00000021 | AesCtrEncrypt (encrypt context)
    5 |    1 | 0x00000029 | AesEcbEncrypt
    6 |    1 | 0x00000031 | AesEcbEncrypt
    7 |    1 | 0x00000039 | Hang on Bigmac

    0 |    2 | 0x00000002 | AesEcbDecrypt
    1 |    2 | 0x0000000A | AesCbcDecrypt
    2 |    2 | 0x00000012 | AesCtrDecrypt (decrypt context)
    3 |    2 | 0x0000001A | AesCbcDecrypt
    4 |    2 | 0x00000022 | AesCtrDecrypt (decrypt context)
    5 |    2 | 0x0000002A | AesEcbDecrypt
    6 |    2 | 0x00000032 | AesEcbDecrypt
    7 |    2 | 0x0000003A | Hang on Bigmac

    0 |    3 | 0x00000003 | SHA1
    1 |    3 | 0x0000000B | SHA224
    2 |    3 | 0x00000013 | SHA256
    3 |    3 | 0x0000001B | !!! HANG !!!
    4 |    3 | 0x00000023 | HmacSha1
    5 |    3 | 0x0000002B | HmacSha224
    6 |    3 | 0x00000033 | HmacSha256
    7 |    3 | 0x0000003B | AesCmac/AES-CBC-MAC-64 (CMAC, OMAC1)

    0 |  RNG | 0x00000004 | RNG
    1 |  RNG | 0x0000000C | Memset (ch is written to MacDevice +0x104. On FW 3.60, the ch is seen at offset +0x34.)
    2 |  RNG | 0x00000014 | Memset
    3 |  RNG | 0x0000001C | Memset
    4 |  RNG | 0x00000024 | Memset
    5 |  RNG | 0x0000002C | Memset
    6 |  RNG | 0x00000034 | Memset
    7 |  RNG | 0x0000003C | Memset

DES algos

Unlike for Dmac5, DES is not supported for keyring Controller.

DES is DMAC only. If running on Bigmac, it triggered hang up. (this is true?)

It's 3DES if keysize is 128 or 192

If DES + SHA, DES bit is ignored (Execute SHA command).

 Algo   Func   Real Value   Description
    0 |    0 | 0x00000040 | Unknown
    0 |    1 | 0x00000041 | DesEcbEncrypt
    0 |    2 | 0x00000042 | DesEcbDecrypt
    1 |    1 | 0x00000049 | DesCbcEncrypt
    1 |    2 | 0x0000004A | DesCbcDecrypt
    4 |    1 | 0x00000061 | Unknown. hang up on bigmac. (DES + AesCtrEncrypt)
    // If you have more found, add that to here

Keysize algos

 Algo   Func   Keysize   Real Value   Description
    0 |    1 |     128 | 0x00000101 | Aes128EcbEncrypt
    0 |    2 |     128 | 0x00000102 | Aes128EcbDecrypt
    0 |    1 |     192 | 0x00000201 | Aes192EcbEncrypt
    0 |    2 |     192 | 0x00000202 | Aes192EcbDecrypt
    0 |    1 |     256 | 0x00000301 | Aes256EcbEncrypt
    0 |    2 |     256 | 0x00000302 | Aes256EcbDecrypt
    1 |    1 |     128 | 0x00000109 | Aes128CbcEncrypt
    1 |    2 |     128 | 0x0000010A | Aes128CbcDecrypt
    1 |    1 |     192 | 0x00000209 | Aes192CbcEncrypt
    1 |    2 |     192 | 0x0000020A | Aes192CbcDecrypt
    1 |    1 |     256 | 0x00000309 | Aes256CbcEncrypt
    1 |    2 |     256 | 0x0000030A | Aes256CbcDecrypt
    7 |    3 |     128 | 0x0000013B | Aes128Cmac/AES-CBC-MAC-128 (CMAC, OMAC1)
    7 |    3 |     192 | 0x0000023B | Aes192Cmac/AES-CBC-MAC-192 (CMAC, OMAC1)
    7 |    3 |     256 | 0x0000033B | Aes256Cmac/AES-CBC-MAC-256 (CMAC, OMAC1)

The following are known to be able to write keyrings:

 * AesEcbEncrypt/Decrypt:
     Size is rounded up to multiple of 4.
     If size > 16, size = 16.
     
     Read |size| bytes from |src| into HW state.
     The remaining 16-|size| bytes of state *ARE KEPT FROM RESULT OF PREVIOUS AES OPERATION*.
     VULN! This allows key recovery of all slave keyrings during boot.
     
     The key written to keyring is always 16 bytes long, padded with 00's.
     
 * AesCbcEncrypt/Decrypt: Size is rounded up to multiple of 4. 
 * AesCtrEncrypt/Decrypt: Size is rounded up to multiple of 4.
 * AesCmac                Puts the 16 byte hash into keyring.
                          Bytes 16-31 are *FORCED* 0.
 * Sha1:                  Puts the 20 byte hash into keyring.
                          Bytes 20-31 are *FORCED* 0.
 * Sha224:                Puts the 28 byte hash into keyring.
                          Bytes 28-31 are *FORCED* 0.
 * Sha256:                Puts the 32 byte hash into keyring.
 * HmacSha1               Probably same as Sha1.
 * HmacSha256             Probably same as Sha256.
 * Rng

AesCtrEncrypt when having a keyring dst, still reads from src.

VULN! Any SHA with length==0 produces an output of all zeroes!

0xE0050024: Status

 Bit  Mask Value   Description
  0 | 0x00000001 | Busy
 15 | 0x00008000 | Some error status
 16 | 0x00010000 | Some error status
 17 | 0x00020000 | Some error status
 18 | 0x00040000 | Not allowed operation

0xE005003C: Bigmac Rng

Reads a random value.

0xE0050100: Bigmac unknown 0x100 data

0xE0050200: Bigmac External Key

Size: 0x20 bytes

VULN! Allows partial overwrite. However when using keyring crypto, this key remains unaffected thus it cannot be used to recover keyring keys.

Bigmac Key Ring Base

See F00D Key Ring Base.

All keyrings flags are reset when CMeP is reset.

 Keyrings lock list
   Location        Keyring       Clear    When
    first_loader |         0xA | 0x1C1F | decrypt_enc_body
                          0x20 | 0x1C1F | update_slsk_metadata_keys
                         0x207 | 0x1C1F | remove_slsk_personalization
                   0x208~0x20D | 0x1C1F | update_slsk_metadata_keys
                         0x20F | 0x1C0F | Setting eMMC key
                         0x501 | 0x0800 | update_bigmac_key_0x501
                   0x700~0x7FF | 0x1000 | slsk_header_rsa_check
                   Any keyring | 0x1C1F | disable_bigmac_keys_by_header
   second_loader |       0x20E | 0x1FEF | Setting eMMC key
   secure_kernel |         0x8 | 0x1FFE | on tzs comm
                     0x2~  0x7 | 0x1FFF | on tzs comm
                     0x9~  0xF | 0x1FFF | on tzs comm
                    0x11~ 0x21 | 0x1FFF | on tzs comm
                    0x25~ 0x2F | 0x1FFF | on tzs comm
                    0x35~ 0x7F | 0x1FFF | on tzs comm
                   0x101~0x17F | 0x1FFF | on tzs comm
                   0x200~0x203 | 0x1FFF | on tzs comm
                   0x206~0x20D | 0x1FFF | on tzs comm
                   0x20E~0x20F | 0x1FEF | on tzs comm
                   0x210~0x211 | 0x1FFF | on tzs comm
                   0x214~0x215 | 0x1FFF | on tzs comm
                         0x217 | 0x1FFF | on tzs comm
                   0x300~0x33F | 0x1FFF | on tzs comm
                   0x341~0x344 | 0x1FFF | on tzs comm
                   0x349~0x3FF | 0x1FFF | on tzs comm
                   0x400~0x47F | 0x1FFF | on tzs comm
                         0x50E | 0x0800 | on tzs comm
                   0x51C~0x57F | 0x1FFF | on tzs comm
                   0x605~0x607 | 0x1FFF | on tzs comm
                   0x700~0x7FF | 0x1FFF | on tzs comm

0xE0058000: Bigmac KeyRings

Size: 0x10000 bytes.

0xE0070000: SceEmmcController

Address Length Description
0xE0070000 4 Ex: 1. Set to 0, then 1 after writing to 0xE0070008.
0xE0070008 4 Set to 0x020E020F in second_loader. ?eMMC related?
0xE007000C 4 Ex: 2.
0xE0070014 4 Set to 6 under some condition in second_loader.

0xE0070000: EmmcCrypto Toggle/Status?

Toggle: Set to 1.

Status: enabled emmc enc/dec?

0xE0070004: EmmcCrypto avalaible status

bit0(& 1): Not available -> second_loader throws error.

0xE0070008: EmmcCrypto keyset

Read value example: 0x20E and 0x20F (FW 1.69-3.73).

write only.

0xE007000C: Unknown

Read value example: 2

0xE00C0000

0xE00CC000: Unknown

Unknown. Read value example: 0x10006331

0xE00CC014: Unknown

Unknown. Read value example: 0x300000

0xE00CC070: Unknown

Unknown. Read value example: 1

0xE00CC078: Unknown

Unknown. Read value example: 0x300