Difference between revisions of "Syscon Update"
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) (→0x03) |
CelesteBlue (talk | contribs) (→0x02) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 39: | Line 39: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Firmware Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
|- | |- | ||
| 0x8 || 0x4 || Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) | | 0x8 || 0x4 || Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) | ||
| Line 109: | Line 109: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Image Size (ex: 0) |
|- | |- | ||
| − | | 0x8 || 0x4 || | + | | 0x8 || 0x4 || Firmware Type (ex: 0, 1, 2) |
|- | |- | ||
| 0xC || 0x4 || Padding | | 0xC || 0x4 || Padding | ||
|} | |} | ||
| − | * | + | * Firmware Type 0 is for NEC 78K0R/Kx3-L. It is supported since at least FW 0.931 (FW 0.902 does not support it) until FW 1.692. It is for some Fat PS Vita prototypes. |
| − | * | + | * Firmware Type 1 is for NEC 78K0R/Kx3. It is supported since about at least FW 0.996. It is for most Fat PS Vitas and for PS TV. |
| − | * | + | * Firmware Type 2 is for Renesas RL78/G13. It is supported since FW 2.50. It is for PS Vita Slim Syscon. |
=== 0x03 === | === 0x03 === | ||
This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185. | This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185. | ||
| + | |||
| + | It is not present on FW 0.931. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 137: | Line 139: | ||
=== 0x10 === | === 0x10 === | ||
| − | Encrypted | + | Encrypted segment packet. |
| − | + | Segments are concatenated before being AES128CBC encrypted/decrypted. | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 147: | Line 149: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Segment Number. Must be between 0 and 0x17F. |
|- | |- | ||
| − | | 0x8 || 0x4 || | + | | 0x8 || 0x4 || Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) |
|- | |- | ||
| 0xC || 0x4 || Padding | | 0xC || 0x4 || Padding | ||
| Line 158: | Line 160: | ||
=== 0x20 === | === 0x20 === | ||
| − | + | Hash packet. | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 166: | Line 168: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x14 || | + | | 0x4 || 0x14 || Hash. Sha-1 hash of decrypted concatenated segments. |
|} | |} | ||
| Line 173: | Line 175: | ||
* ARM PSVita updater arrives at last step: [[Ernie]] update. | * ARM PSVita updater arrives at last step: [[Ernie]] update. | ||
* ARM PSVita updater decrypts [[Ernie]] update SPKGs til it finds one whose Hardware Info matches. | * ARM PSVita updater decrypts [[Ernie]] update SPKGs til it finds one whose Hardware Info matches. | ||
| − | * ARM PSVita updater sends the encrypted | + | * ARM PSVita updater sends the encrypted segments directly to [[Ernie]] using some command 0x1181. |
| − | * ARM PSVita updater sends the | + | * ARM PSVita updater sends the hash directly to [[Ernie]] using some command 0x1184. |
| − | * [[Ernie]] decrypts concatenated received | + | * [[Ernie]] decrypts concatenated received segments using AES128CBC. |
| − | * [[Ernie]] computes sha1 over the decrypted concatenated data and compares with the received | + | * [[Ernie]] computes sha1 over the decrypted concatenated data and compares with the received hash. |
* [[Ernie]] installs the update using the decrypted data. | * [[Ernie]] installs the update using the decrypted data. | ||
[[Category:Formats]] | [[Category:Formats]] | ||
Revision as of 02:57, 24 August 2021
Structure
Ernie updates are stored in a packet format.
Packet Header
Any update packet has a common header structure.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x1 | Type (ex: 1, 2, 0x10, 0x20) |
| 0x1 | 0x1 | Header Size (ex: 0x10, 0x18) |
| 0x2 | 0x2 | Size (ex: 0, 0x400, 0x800) |
Packet size varies depending on the hardware revision of Syscon:
Renesas 78K0R/Kx3: 0x800 Renesas 78K0R/Kx3-L: 0x400 Renesas RL78/G13: 0x400
Packet Types
0x01
Version packet.
This packet is update header field.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Firmware Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
| 0x8 | 0x4 | Hardware Info. PSVita hardware on which this update can be installed. (ex: 0x00723030) |
| 0xC | 0x4 | Padding |
Ernie Version and Hardware Info from a few PUPs:
1.80 CEX
0B 06 00 01 00 32 60 00
0B 06 00 01 00 30 60 00
0B 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 40 00
1.81 CEX
0B 06 00 01 00 32 60 00
0B 06 00 01 00 30 60 00
0B 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 40 00
3.15 CEX
11 05 03 01 38 50 80 00
03 06 03 01 30 30 70 00
0D 06 00 01 00 32 60 00
0D 06 00 01 00 30 60 00
0D 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0D 06 00 01 00 60 40 00
3.30 CEX
11 05 03 01 38 50 80 00
01 03 04 01 30 30 72 00
03 06 03 01 30 30 70 00
0D 06 00 01 00 32 60 00
0D 06 00 01 00 30 60 00
0D 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0D 06 00 01 00 60 40 00
1.69 TOOL
06 03 00 01 00 40 41 00
06 03 00 01 00 50 41 00
03 02 09 00 00 50 31 00
06 03 00 01 00 10 41 00
06 03 00 01 00 52 41 00
06 03 00 01 03 26 10 00
06 03 00 01 00 52 31 00
1.80 TOOL
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 41 00
0B 06 00 01 00 52 41 00
06 03 00 01 03 26 10 000x02
Key revision packet.
This packet embeds the encryption key revision used to decrypt the Syscon update packets.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Image Size (ex: 0) |
| 0x8 | 0x4 | Firmware Type (ex: 0, 1, 2) |
| 0xC | 0x4 | Padding |
- Firmware Type 0 is for NEC 78K0R/Kx3-L. It is supported since at least FW 0.931 (FW 0.902 does not support it) until FW 1.692. It is for some Fat PS Vita prototypes.
- Firmware Type 1 is for NEC 78K0R/Kx3. It is supported since about at least FW 0.996. It is for most Fat PS Vitas and for PS TV.
- Firmware Type 2 is for Renesas RL78/G13. It is supported since FW 2.50. It is for PS Vita Slim Syscon.
0x03
This packet is special because it is not embedded in Syscon Update SPKGs. It is generated in ARM kernel and sent to Syscon with Syscon command 0x1185.
It is not present on FW 0.931.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x18 | Unknown data |
| 0x1C | 0x4 | Padding |
0x10
Encrypted segment packet.
Segments are concatenated before being AES128CBC encrypted/decrypted.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Segment Number. Must be between 0 and 0x17F. |
| 0x8 | 0x4 | Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) |
| 0xC | 0x4 | Padding |
| 0x10 | Variable | Encrypted data |
0x20
Hash packet.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x14 | Hash. Sha-1 hash of decrypted concatenated segments. |
Ernie Update steps
- ARM PSVita updater arrives at last step: Ernie update.
- ARM PSVita updater decrypts Ernie update SPKGs til it finds one whose Hardware Info matches.
- ARM PSVita updater sends the encrypted segments directly to Ernie using some command 0x1181.
- ARM PSVita updater sends the hash directly to Ernie using some command 0x1184.
- Ernie decrypts concatenated received segments using AES128CBC.
- Ernie computes sha1 over the decrypted concatenated data and compares with the received hash.
- Ernie installs the update using the decrypted data.