This processor is hypothesized to perform most of the cryptography tasks including storing and handing of keys. There is little information about it though. The F00D Processor (named after the
e_machine field of the ELF headers) is likely a custom Toshiba MeP core.
Communication seems to go through some sort of FIFO register.
To write, put the double word into
0xE0000010. Next read
0xE0000010 until it returns 0, which indicates the data was read by the F00D processor.
To read, get a double word from
0xE0000000. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into
In addition to the 0xE0000000 and 0xE0000010, the communication with F00D seems to happen with other ports too.
|0xE0000014||YES||YES||SMC 0x133, 0x134|
|0xE0000018||YES||YES||SMC 0x133, 0x134|
|0xE000001C||YES||YES||SMC 0x133, 0x134|
|0xE0000054||?||YES||SMC 0x12d, 0x135, 0x13B, Interrupt 0xC8|
|0xE0000058||?||YES||SMC 0x12d, 0x135, 0x13B, Interrupt 0xC8|
|0xE000005C||?||YES||SMC 0x12d, 0x135, 0x13B, Interrupt 0xC8|
A 32-bit command buffer is defined below. The command is sent to the F00D processor with the method listed above.
|Bit End||Bit Start||Name||Description|
|0||0||Valid||Set 1 to indicate command is valid|
There are a total of 14 commands. Below are notes on different commands.
|0x0||Seems to be used to set the 0x100 sized shared buffer. First the physical address of the buffer is written to |
|0x1||May be used to reset F00D processor.|
|0x9||Seems to be used to set a 0x80 sized shared buffer.|
|0xA||Seems to set the SCE encrypted revocation list.|
kprx_auth_sm.self is allowed access to
0x40300000. The address checks is likely done in software. F00D has it's own private 128KB memory from
0x00820000. F00D SELFs are typically loaded to