Difference between revisions of "Syscon Update"
Jump to navigation
Jump to search
(→0x10) |
CelesteBlue (talk | contribs) |
||
| (12 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | = Structure = | |
| − | + | [[Ernie]] firmware updates are stored in a packet format. | |
| − | + | == Packet Header == | |
| + | |||
| + | Any Syscon firmware update packet has a common 4-byte header structure. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 9: | Line 11: | ||
! Offset !! Size !! Description | ! Offset !! Size !! Description | ||
|- | |- | ||
| − | | 0x0 || 0x1 || | + | | 0x0 || 0x1 || Type (ex: 1, 2, 3, 0x10, 0x20) |
|- | |- | ||
| − | | 0x1 || 0x1 || | + | | 0x1 || 0x1 || Data offset (ex: 0x10, 0x18) |
|- | |- | ||
| − | | 0x2 || | + | | 0x2 || 0x2 || Data size (ex: 0, 0x20, 0x400, 0x800) |
| − | |||
| − | |||
|} | |} | ||
| + | |||
| + | Data size varies with the packet type and also with the hardware revision of Syscon: | ||
| + | <pre> | ||
| + | Renesas 78K0R/Kx3: 0x800 | ||
| + | Renesas 78K0R/Kx3-L: 0x400 | ||
| + | Renesas RL78/G13: 0x400 | ||
| + | </pre> | ||
| + | |||
| + | == Packet Types == | ||
=== 0x01 === | === 0x01 === | ||
| − | This packet | + | Version packet. |
| + | |||
| + | This packet is update SPKG header field. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 28: | Line 39: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Firmware Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
|- | |- | ||
| − | | 0x8 || 0x4 || | + | | 0x8 || 0x4 || Hardware Info. PS Vita hardware on which this update can be installed. (ex: 0x00723030) |
|- | |- | ||
| − | | 0xC || 0x4 || | + | | 0xC || 0x4 || Padding |
|} | |} | ||
| − | + | Ernie Version and Hardware Info from a few PUP files: | |
<source> | <source> | ||
| − | 3. | + | 1.80 CEX |
| + | 0B 06 00 01 00 32 60 00 | ||
| + | 0B 06 00 01 00 30 60 00 | ||
| + | 0B 06 00 01 00 20 60 00 | ||
| + | 0B 06 00 01 00 10 60 00 | ||
| + | 0B 06 00 01 00 60 40 00 | ||
| + | |||
| + | 1.81 CEX | ||
| + | 0B 06 00 01 00 32 60 00 | ||
| + | 0B 06 00 01 00 30 60 00 | ||
| + | 0B 06 00 01 00 20 60 00 | ||
| + | 0B 06 00 01 00 10 60 00 | ||
| + | 0B 06 00 01 00 60 40 00 | ||
| + | |||
| + | 3.15 CEX | ||
11 05 03 01 38 50 80 00 | 11 05 03 01 38 50 80 00 | ||
| − | |||
03 06 03 01 30 30 70 00 | 03 06 03 01 30 30 70 00 | ||
0D 06 00 01 00 32 60 00 | 0D 06 00 01 00 32 60 00 | ||
| Line 47: | Line 71: | ||
0D 06 00 01 00 60 40 00 | 0D 06 00 01 00 60 40 00 | ||
| − | 3. | + | 3.30 CEX |
11 05 03 01 38 50 80 00 | 11 05 03 01 38 50 80 00 | ||
| + | 01 03 04 01 30 30 72 00 | ||
03 06 03 01 30 30 70 00 | 03 06 03 01 30 30 70 00 | ||
0D 06 00 01 00 32 60 00 | 0D 06 00 01 00 32 60 00 | ||
| Line 56: | Line 81: | ||
0D 06 00 01 00 60 40 00 | 0D 06 00 01 00 60 40 00 | ||
| − | + | 1.69 TOOL | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | 1.69 | ||
06 03 00 01 00 40 41 00 | 06 03 00 01 00 40 41 00 | ||
06 03 00 01 00 50 41 00 | 06 03 00 01 00 50 41 00 | ||
| Line 85: | Line 89: | ||
06 03 00 01 03 26 10 00 | 06 03 00 01 03 26 10 00 | ||
06 03 00 01 00 52 31 00 | 06 03 00 01 00 52 31 00 | ||
| + | |||
| + | 1.80 TOOL | ||
| + | 0B 06 00 01 00 10 60 00 | ||
| + | 0B 06 00 01 00 60 41 00 | ||
| + | 0B 06 00 01 00 52 41 00 | ||
| + | 06 03 00 01 03 26 10 00 | ||
</source> | </source> | ||
=== 0x02 === | === 0x02 === | ||
| − | This packet | + | Key revision packet. |
| + | |||
| + | This packet embeds the encryption key revision used to decrypt the Syscon update packets. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 97: | Line 109: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Image Size (ex: 0) |
|- | |- | ||
| − | | 0x8 || 0x4 || | + | | 0x8 || 0x4 || Firmware Type (ex: 0, 1, 2) |
|- | |- | ||
| − | | 0xC || 0x4 || | + | | 0xC || 0x4 || Padding |
|} | |} | ||
| + | |||
| + | * Firmware Type 0 is for NEC 78K0R/Kx3-L. It is supported since at least System Software version 0.931.010 (System Software version 0.902 does not support it) til System Software version 1.692.000. It is for some PS Vita prototypes. | ||
| + | * Firmware Type 1 is for NEC 78K0R/Kx3. It is supported since System Software version 1.000.041. It is for most PS Vita Fat models and for PS TV. | ||
| + | * Firmware Type 2 is for Renesas RL78/G13. It is supported since System Software version 2.500.071. It is for PS Vita Slim Syscon. | ||
=== 0x03 === | === 0x03 === | ||
| + | |||
| + | Signature packet. | ||
| + | |||
| + | This packet is special because it is not embedded in Syscon Update SPKGs. It is sent to Syscon using [[SceSyscon#sceSysconUpdaterCheckSignatureForDriver]]. | ||
| + | |||
| + | It is not supported on FWs 0.931.010-0.940 but supported on 0.996.090-3.740.011. | ||
| + | |||
| + | Steps: | ||
| + | * sceSysconUpdaterCheckSignatureForDriver(signature, 0x18); | ||
| + | * sceSysconUpdaterSetRunModeForDriver(runMode); | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 112: | Line 138: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x1C || | + | | 0x4 || 0x18 || Signature |
| + | |- | ||
| + | | 0x1C || 0x4 || Padding | ||
|} | |} | ||
=== 0x10 === | === 0x10 === | ||
| − | + | Segment packet. | |
| + | |||
| + | Segment packet is broken into chunks before being sent. Chunks are concatenated before being AES128CBC encrypted/decrypted. | ||
| + | |||
| + | Steps: | ||
| + | * sceSysconUpdaterCalcChecksum(data, size, &checksum); // compute segment checksum | ||
| + | * sceSysconUpdaterSetSegment(segment_no); // send segment number | ||
| + | * If Ernie DL version <= 0x1700, max_chunk_size = 0x10 else max_chunk_size = 0x40. | ||
| + | * For each chunk, SendProgramData(data, offset, chunk_size & 0xff); // send segment by chunks | ||
| + | * sceSysconUpdaterExecProgramming(checksum); // send segment checksum | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 125: | Line 162: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x4 || | + | | 0x4 || 0x4 || Segment Number. Must be between 0 and 0x17F. |
|- | |- | ||
| − | | 0x8 || 0x4 || | + | | 0x8 || 0x4 || Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) |
|- | |- | ||
| − | | 0xC || 0x4 || | + | | 0xC || 0x4 || Padding |
|- | |- | ||
| − | | 0x10 || Variable || | + | | 0x10 || Variable || Encrypted data |
|} | |} | ||
=== 0x20 === | === 0x20 === | ||
| + | |||
| + | Checksum packet. | ||
| + | |||
| + | Checksum is sent from ARM to Syscon using [[SceSyscon#sceSysconUpdaterExecFinalizeForDriver]]. | ||
| + | |||
| + | Steps: | ||
| + | * sceSysconUpdaterExecFinalize(checksum, 0x14); | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 142: | Line 186: | ||
| 0x0 || 0x4 || Packet Header | | 0x0 || 0x4 || Packet Header | ||
|- | |- | ||
| − | | 0x4 || 0x14 || | + | | 0x4 || 0x14 || Checksum. Sha-1 hash of decrypted concatenated segments. |
| + | |} | ||
| + | |||
| + | = Ernie Updater Run Modes = | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Runmode !! Supported System Software version !! Context !! Comments | ||
| + | |- | ||
| + | | 0x9a54 || 0.931.010-3.740.011 || [[PUP#Package Header|SPKG Type]] 8 -> runModeFlag = 0 || After setting this runMode, you need to execute handshake if (ernie_DL_version & 0xffffff) >= 0x3600. | ||
| + | |- | ||
| + | | 0x72ba || 0.931.010-3.740.011 || ?runModeFlag = 1? || This Run Mode is set after not before executing sceSysconUpdater functions. | ||
| + | |- | ||
| + | | 0x3665 || 0.996.090-3.740.011 || [[PUP#Package Header|SPKG Type]] 0x14 -> runModeFlag = 2 || | ||
| + | |- | ||
| + | | 0xc5e7 || 0.996.090-3.740.011 || [[PUP#Package Header|SPKG Type]] 0x19 -> runModeFlag = 3 || | ||
| + | |- | ||
| + | | 0x152e || 3.600.011-3.740.011 || unknown || Seen in Ernie firmware shipped with System Software version 3.600.011 but not in ARM update_mgr.skprx. | ||
|} | |} | ||
| + | |||
| + | == Remarks == | ||
| + | |||
| + | * If runModeFlag is 1 or if runMode is 0x72ba, sceSysconUpdaterSetRunMode is called after not before executing other sceSysconUpdater functions. This is also what happens after calling [[SceSyscon#sceSysconUpdaterCheckSignatureForDriver]]. | ||
| + | |||
| + | On ARM update_mgr.skprx shipped with System Software version 0.996.090: | ||
| + | * Only run mode 0x9a54 is used as only [[PUP#Package Header|SPKG Type]] 8 is supported concerning Syscon firmware update. | ||
| + | |||
| + | On ARM update_mgr.skprx shipped with System Software version 3.60: | ||
| + | * runModeFlag can be 0, 2 or 3. runModeFlag is checked for value 1 but this value 1 is never set. | ||
| + | |||
| + | On Ernie firmware shipped with System Software version 3.60: | ||
| + | * Only updater run mode 0x72BA seems to be actually useful. | ||
| + | * Modes 0x9A54 and 0x152E are recognized but just make the function return without doing anything. | ||
| + | * Mode 0xC5E7 is not recognized by Ernie firmware shipped with System Software version 3.60, although it is present on ARM side. | ||
| + | |||
| + | = Ernie Update steps = | ||
| + | |||
| + | * ARM PS Vita updater arrives at last step: [[Ernie]] update. | ||
| + | * ARM PS Vita updater decrypts [[Ernie]] update SPKGs til it finds one whose Hardware Info matches. | ||
| + | |||
| + | * ARM PS Vita updater sends run mode 0x9a54 to [[Ernie]] using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver). | ||
| + | * If (ernie_DL_version & 0xffffff) >= 0x3600, a handshake is done using Syscon command 0xD0 (SceSysconForDriver_4D03754A) through [[update_service_sm]] function [[Secure_Modules_Functions#0xD0002|0xD0002]]. | ||
| + | |||
| + | * ARM PS Vita updater sends signature to [[Ernie]] ([[SceSyscon#sceSysconUpdaterCheckSignatureForDriver]]). | ||
| + | * ARM PS Vita updater sends run mode to [[Ernie]] using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver). | ||
| + | |||
| + | * ARM PS Vita updater sends if needed a new run mode to [[Ernie]] using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver). | ||
| + | |||
| + | * ARM PS Vita updater computes sha1 checksum over the decrypted concatenated data (sceSysconUpdaterCalcChecksumForDriver). | ||
| + | * ARM PS Vita updater sends the encrypted segment number directly to [[Ernie]] using Syscon command 0x1180 (sceSysconUpdaterSetSegmentForDriver). | ||
| + | * ARM PS Vita updater sends the encrypted segment chunks directly to [[Ernie]] using Syscon command 0x1181 (sceSysconUpdaterSendProgramDataForDriver / sceSysconUpdaterSendProgramData2ForDriver). | ||
| + | * ARM PS Vita updater sends the segment checksum directly to [[Ernie]] using Syscon command 0x1182 (sceSysconUpdaterExecFinalizeForDriver). | ||
| + | |||
| + | * ARM PS Vita updater sends the total checksum directly to [[Ernie]] using Syscon command 0x1184 (sceSysconUpdaterExecFinalizeForDriver). | ||
| + | * [[Ernie]] decrypts concatenated received segments using AES128CBC. | ||
| + | * [[Ernie]] computes sha1 checksum over the decrypted concatenated data and compares with the received checksum. | ||
| + | * [[Ernie]] installs the update using the decrypted data. | ||
| + | |||
[[Category:Formats]] | [[Category:Formats]] | ||
Latest revision as of 20:06, 6 January 2024
Structure
Ernie firmware updates are stored in a packet format.
Packet Header
Any Syscon firmware update packet has a common 4-byte header structure.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x1 | Type (ex: 1, 2, 3, 0x10, 0x20) |
| 0x1 | 0x1 | Data offset (ex: 0x10, 0x18) |
| 0x2 | 0x2 | Data size (ex: 0, 0x20, 0x400, 0x800) |
Data size varies with the packet type and also with the hardware revision of Syscon:
Renesas 78K0R/Kx3: 0x800 Renesas 78K0R/Kx3-L: 0x400 Renesas RL78/G13: 0x400
Packet Types
0x01
Version packet.
This packet is update SPKG header field.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Firmware Version. Version of the Ernie software update. (ex: 0x0100060B -> 1.0.6.11) |
| 0x8 | 0x4 | Hardware Info. PS Vita hardware on which this update can be installed. (ex: 0x00723030) |
| 0xC | 0x4 | Padding |
Ernie Version and Hardware Info from a few PUP files:
1.80 CEX
0B 06 00 01 00 32 60 00
0B 06 00 01 00 30 60 00
0B 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 40 00
1.81 CEX
0B 06 00 01 00 32 60 00
0B 06 00 01 00 30 60 00
0B 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 40 00
3.15 CEX
11 05 03 01 38 50 80 00
03 06 03 01 30 30 70 00
0D 06 00 01 00 32 60 00
0D 06 00 01 00 30 60 00
0D 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0D 06 00 01 00 60 40 00
3.30 CEX
11 05 03 01 38 50 80 00
01 03 04 01 30 30 72 00
03 06 03 01 30 30 70 00
0D 06 00 01 00 32 60 00
0D 06 00 01 00 30 60 00
0D 06 00 01 00 20 60 00
0B 06 00 01 00 10 60 00
0D 06 00 01 00 60 40 00
1.69 TOOL
06 03 00 01 00 40 41 00
06 03 00 01 00 50 41 00
03 02 09 00 00 50 31 00
06 03 00 01 00 10 41 00
06 03 00 01 00 52 41 00
06 03 00 01 03 26 10 00
06 03 00 01 00 52 31 00
1.80 TOOL
0B 06 00 01 00 10 60 00
0B 06 00 01 00 60 41 00
0B 06 00 01 00 52 41 00
06 03 00 01 03 26 10 000x02
Key revision packet.
This packet embeds the encryption key revision used to decrypt the Syscon update packets.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Image Size (ex: 0) |
| 0x8 | 0x4 | Firmware Type (ex: 0, 1, 2) |
| 0xC | 0x4 | Padding |
- Firmware Type 0 is for NEC 78K0R/Kx3-L. It is supported since at least System Software version 0.931.010 (System Software version 0.902 does not support it) til System Software version 1.692.000. It is for some PS Vita prototypes.
- Firmware Type 1 is for NEC 78K0R/Kx3. It is supported since System Software version 1.000.041. It is for most PS Vita Fat models and for PS TV.
- Firmware Type 2 is for Renesas RL78/G13. It is supported since System Software version 2.500.071. It is for PS Vita Slim Syscon.
0x03
Signature packet.
This packet is special because it is not embedded in Syscon Update SPKGs. It is sent to Syscon using SceSyscon#sceSysconUpdaterCheckSignatureForDriver.
It is not supported on FWs 0.931.010-0.940 but supported on 0.996.090-3.740.011.
Steps:
- sceSysconUpdaterCheckSignatureForDriver(signature, 0x18);
- sceSysconUpdaterSetRunModeForDriver(runMode);
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x18 | Signature |
| 0x1C | 0x4 | Padding |
0x10
Segment packet.
Segment packet is broken into chunks before being sent. Chunks are concatenated before being AES128CBC encrypted/decrypted.
Steps:
- sceSysconUpdaterCalcChecksum(data, size, &checksum); // compute segment checksum
- sceSysconUpdaterSetSegment(segment_no); // send segment number
- If Ernie DL version <= 0x1700, max_chunk_size = 0x10 else max_chunk_size = 0x40.
- For each chunk, SendProgramData(data, offset, chunk_size & 0xff); // send segment by chunks
- sceSysconUpdaterExecProgramming(checksum); // send segment checksum
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x4 | Segment Number. Must be between 0 and 0x17F. |
| 0x8 | 0x4 | Size (ex: 0x400 for Renesas RL78/G13 and NEC 78K0R/Kx3, 0x800 for NEC 78K0R/Kx3-L) |
| 0xC | 0x4 | Padding |
| 0x10 | Variable | Encrypted data |
0x20
Checksum packet.
Checksum is sent from ARM to Syscon using SceSyscon#sceSysconUpdaterExecFinalizeForDriver.
Steps:
- sceSysconUpdaterExecFinalize(checksum, 0x14);
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Packet Header |
| 0x4 | 0x14 | Checksum. Sha-1 hash of decrypted concatenated segments. |
Ernie Updater Run Modes
| Runmode | Supported System Software version | Context | Comments |
|---|---|---|---|
| 0x9a54 | 0.931.010-3.740.011 | SPKG Type 8 -> runModeFlag = 0 | After setting this runMode, you need to execute handshake if (ernie_DL_version & 0xffffff) >= 0x3600. |
| 0x72ba | 0.931.010-3.740.011 | ?runModeFlag = 1? | This Run Mode is set after not before executing sceSysconUpdater functions. |
| 0x3665 | 0.996.090-3.740.011 | SPKG Type 0x14 -> runModeFlag = 2 | |
| 0xc5e7 | 0.996.090-3.740.011 | SPKG Type 0x19 -> runModeFlag = 3 | |
| 0x152e | 3.600.011-3.740.011 | unknown | Seen in Ernie firmware shipped with System Software version 3.600.011 but not in ARM update_mgr.skprx. |
Remarks
- If runModeFlag is 1 or if runMode is 0x72ba, sceSysconUpdaterSetRunMode is called after not before executing other sceSysconUpdater functions. This is also what happens after calling SceSyscon#sceSysconUpdaterCheckSignatureForDriver.
On ARM update_mgr.skprx shipped with System Software version 0.996.090:
- Only run mode 0x9a54 is used as only SPKG Type 8 is supported concerning Syscon firmware update.
On ARM update_mgr.skprx shipped with System Software version 3.60:
- runModeFlag can be 0, 2 or 3. runModeFlag is checked for value 1 but this value 1 is never set.
On Ernie firmware shipped with System Software version 3.60:
- Only updater run mode 0x72BA seems to be actually useful.
- Modes 0x9A54 and 0x152E are recognized but just make the function return without doing anything.
- Mode 0xC5E7 is not recognized by Ernie firmware shipped with System Software version 3.60, although it is present on ARM side.
Ernie Update steps
- ARM PS Vita updater arrives at last step: Ernie update.
- ARM PS Vita updater decrypts Ernie update SPKGs til it finds one whose Hardware Info matches.
- ARM PS Vita updater sends run mode 0x9a54 to Ernie using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver).
- If (ernie_DL_version & 0xffffff) >= 0x3600, a handshake is done using Syscon command 0xD0 (SceSysconForDriver_4D03754A) through update_service_sm function 0xD0002.
- ARM PS Vita updater sends signature to Ernie (SceSyscon#sceSysconUpdaterCheckSignatureForDriver).
- ARM PS Vita updater sends run mode to Ernie using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver).
- ARM PS Vita updater sends if needed a new run mode to Ernie using Syscon command 0x1183 (sceSysconUpdaterSetRunModeForDriver).
- ARM PS Vita updater computes sha1 checksum over the decrypted concatenated data (sceSysconUpdaterCalcChecksumForDriver).
- ARM PS Vita updater sends the encrypted segment number directly to Ernie using Syscon command 0x1180 (sceSysconUpdaterSetSegmentForDriver).
- ARM PS Vita updater sends the encrypted segment chunks directly to Ernie using Syscon command 0x1181 (sceSysconUpdaterSendProgramDataForDriver / sceSysconUpdaterSendProgramData2ForDriver).
- ARM PS Vita updater sends the segment checksum directly to Ernie using Syscon command 0x1182 (sceSysconUpdaterExecFinalizeForDriver).
- ARM PS Vita updater sends the total checksum directly to Ernie using Syscon command 0x1184 (sceSysconUpdaterExecFinalizeForDriver).
- Ernie decrypts concatenated received segments using AES128CBC.
- Ernie computes sha1 checksum over the decrypted concatenated data and compares with the received checksum.
- Ernie installs the update using the decrypted data.