Difference between revisions of "KBL Param"

From Vita Development Wiki
Jump to navigation Jump to search
(26 intermediate revisions by 3 users not shown)
Line 50: Line 50:
 
| 0xB0 || 0x10 || Session ID
 
| 0xB0 || 0x10 || Session ID
 
|-
 
|-
| 0xC0 || 0x4 || unk
+
| 0xC0 || 0x4 || Unknown, comes from syscon cmd 3
 
|-
 
|-
 
| 0xC4 || 0x4 || [[Sysroot#Wakeup factor|Wakeup factor]]
 
| 0xC4 || 0x4 || [[Sysroot#Wakeup factor|Wakeup factor]]
 
|-
 
|-
| 0xC8 || 0x4 || unk (?Device model dependant?) (ex: 0x40, 0x60, 0x64, 0x3D2, 0xC001C0)
+
| 0xC8 || 0x4 || Unknown, comes from syscon cmd 0x800 (?Device model dependant?) (ex: 0x40, 0x60, 0x64, 0x3D2, 0xC001C0)
 
|-
 
|-
| 0xCC || 0x4 || unk (0x74FFFFFF on coldboot, 0x74FFBFFF on warmboot)
+
| 0xCC || 0x4 || Unknown, comes from syscon cmd 0x100 (0x74FFFFFF on coldboot, 0x74FFBFFF on warmboot, 0x36AFFFXX triggers SetProductMode on 0.940)
 
|-
 
|-
| 0xD0 || 0x4 || [[Suspend|Saved context]] paddr
+
| 0xD0 || 0x4 || [[Suspend|Saved context]] paddr, comes from syscon cmd 0x90 offset 0xC
 
|-
 
|-
| 0xD4 || 0x4 || [[Sysroot#Hardware info|Hardware info]]
+
| 0xD4 || 0x4 || [[Sysroot#Hardware Info|Hardware Info]]
 
|-
 
|-
 
| 0xD8 || 0x4 || [[Sysroot#Boot type indicator 2|Boot type indicator 2]]
 
| 0xD8 || 0x4 || [[Sysroot#Boot type indicator 2|Boot type indicator 2]]
Line 66: Line 66:
 
| 0xDC || 0xC || unk
 
| 0xDC || 0xC || unk
 
|-
 
|-
| 0xE8 || 0x10 || [[Sysroot#Hardware flags|Hardware flags]]
+
| 0xE8 || 0x10 || [[Sysroot#Hardware flags|Hardware flags]], comes from syscon cmd 6
 
|-
 
|-
 
| 0xF8 || 0x4 || BootLoader Revision
 
| 0xF8 || 0x4 || BootLoader Revision
Line 86: Line 86:
 
|}
 
|}
  
=== Boot flags ===
+
The data below contains QA Flags captured (at 0x20 in sysroot buffer) from a system debugger (SD DEM):
 +
<source>
 +
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 +
00000020  33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01  3.......s.......
 +
</source>
 +
 
 +
== Boot flags ==
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 104: Line 110:
  
 
*00 60 41 00: PDEL-1XXX
 
*00 60 41 00: PDEL-1XXX
*00 60 40 00: PCH-10XX / PTEL-1XXXX
+
*00 60 40 00: PCH-10XX / PTEL-1XXX
 
*02 60 40 00: PCH-11XX
 
*02 60 40 00: PCH-11XX
 
*38 22 82 00: PCH-2XXX model revision 0x18
 
*38 22 82 00: PCH-2XXX model revision 0x18
Line 181: Line 187:
 
! Offset !! Size !! Description
 
! Offset !! Size !! Description
 
|-
 
|-
| 0x40 || 0x4 || DevKit CP timestamp 1
+
| 0x40 || 0x4 || CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35)
 
|-
 
|-
| 0x44 || 0x2 || DevKit CP Version
+
| 0x44 || 0x2 || CP Version (ex:0x1301 => 1301 on PDEL-100x)
 
|-
 
|-
| 0x46 || 0x2 || DevKit CP Build ID
+
| 0x46 || 0x2 || CP Board ID (3 on DEM-300xH, 4 on PDEL-100x)
 
|-
 
|-
| 0x48 || 0x4 || DevKit CP timestamp 2 (strangely also set on Retail and TesKit)
+
| 0x48 || 0x4 || CP Timestamp 2 (identical as 1)
 
|-
 
|-
| 0x4C || 0x4 || ASLR Seed
+
| 0x4C || 0x4 || ASLR Seed (?USER flags?) (also set on Retail and TestKit) (ex: 0x00000000 on a DEM-300xH)
 
|-
 
|-
| 0x50 || 0x4 || DevKit Boot Parameters (ex: 0x80000000 or 0x80000001 or 0x80000003 or 0x81000000 or 0x81000001 OR 0x0 or 0x2 in release mode)
+
| 0x50 || 0x4 || SDK(SCE) flags (ex: 0x80000000 or 0x80000001 or 0x80000003 or 0x81000000 or 0x81000001 OR 0x0 or 0x2 in release mode)
 
|-
 
|-
| 0x54 || 0x4 || DevKit Shell flags
+
| 0x54 || 0x4 || SHELL flags (ex: 0x00000000 on a DEM-300xH)
 
|-
 
|-
| 0x58 || 0x4 || DevKit Debug flags (ex: 0x1453E7 dev mode, 0x080002 release mode)
+
| 0x58 || 0x4 || Debug control flags (ex: 0x000413e7 on a DEM-300xH, 0x1453E7 dev mode, 0x080002 release mode)
 
|-
 
|-
| 0x5C || 0x4 || DevKit System flags 3 (ex: 0x20000010 dev mode, 0x20000000 release mode)
+
| 0x5C || 0x4 || System control flags (ex: 0x2000001c on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode)
 
|}
 
|}
  
=== DIP Switches Bit flags resolving ===
+
=== DIP Switches bit flags resolving ===
  
 
DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.
 
DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.
Line 206: Line 212:
 
To convert the bit number to the offset and bit: <code>offset = 0x40 + (bit_num / 32) * 4</code>, <code>bit = 1 << (bit_num % 32)</code>.
 
To convert the bit number to the offset and bit: <code>offset = 0x40 + (bit_num / 32) * 4</code>, <code>bit = 1 << (bit_num % 32)</code>.
  
=== CP Information ===
+
==== CP Information ====
 
 
Bits <code>0-31</code> is a 32-bit integer of the current time on the DevKit CP clock. This is duplicated in bits <code>64-95</code>.
 
  
Bits <code>32-47</code> is a 16-bit integer of the CP version and bits <code>48-63</code> is a 16-bit integer of the CP build ID. All integers are little-endian.<br />On non-devkits, these fields are zeroes. Bits <code>0-63</code> are also usable as general purpose switches exposed with <code>sceKernelSetDipsw</code>, <code>sceKernelClearDipsw</code>, and <code>sceKernelCheckDipsw</code> but they do not change anything in hardware (only cached values are overwritten).
+
Bits <code>0-31</code> is a 32-bit integer of the current time on the CP clock. This is duplicated in bits <code>64-95</code>.
  
==== User Flags ====
+
Bits <code>32-47</code> is a 16-bit integer of the CP version and bits <code>48-63</code> is a 16-bit integer of the CP board ID. All integers are little-endian.<br />On non-devkits, these fields are zeroes. Bits <code>0-63</code> are also usable as general purpose switches exposed with <code>sceKernelSetDipsw</code>, <code>sceKernelClearDipsw</code>, and <code>sceKernelCheckDipsw</code> but they do not change anything in hardware (only cached values are overwritten).
  
 +
==== User flags ====
 
Bits <code>96-127</code> does not seem to be used in the kernel.
 
Bits <code>96-127</code> does not seem to be used in the kernel.
  
==== DevKit Boot Parameters ====
+
==== SDK (SCE) flags ====
 
+
Bits <code>128-159</code> are used to store DevKit Boot Parameters.
Bits <code>128-159</code> are used to store DevKit flags.
 
  
 
{| class="wikitable"
 
{| class="wikitable"
 
! Bit !! Description
 
! Bit !! Description
 +
|-
 +
| 128 || Extended game memory (Memory Size): On: 1 - Off: 0
 +
|-
 +
| 129 || ?Release Mode Console?: On: 1 - Off: 0
 
|-
 
|-
 
| 152 || PS TV Emulation: On: 1 - Off: 0
 
| 152 || PS TV Emulation: On: 1 - Off: 0
Line 228: Line 236:
 
|-
 
|-
 
| 168 || Memory Size: Console Size: 1 - Development Tool Size: 0
 
| 168 || Memory Size: Console Size: 1 - Development Tool Size: 0
 +
|-
 +
| 184 || Extra TTY: On: 1 - Off: 0
 +
|-
 +
| 185 || System Boot Time Notifications: On: 1 - Off: 0
 +
|-
 +
| 199 || Allows stdio ("tty0:"): On: 1 - Off: 0
 +
|-
 +
| 210 || ?
 +
|-
 +
| 212 || ?
 +
|-
 +
| 251 || ?
 +
|-
 +
| 252 || ? Used in SceSblFwLoader.
 
|}
 
|}
  
==== Shell Flags ====
+
==== Shell flags ====
 
 
 
Bits <code>160-191</code> are used for [[SceShell]] flags.
 
Bits <code>160-191</code> are used for [[SceShell]] flags.
  
Line 238: Line 259:
 
|}
 
|}
  
==== Debug Flags ====
+
==== Debug control flags ====
 
Bits <code>192-223</code> are for various debugging options.
 
Bits <code>192-223</code> are for various debugging options.
  
 
{| class="wikitable"
 
{| class="wikitable"
 
! Bit !! Description
 
! Bit !! Description
 +
|-
 +
| 194 || Enable Cp (if disabled it disables Cpup and UsbDbg)
 +
|-
 +
| 195 || nouse_dbgusb (if enabled, SceUsbDbg doesn't init)
 
|-
 
|-
 
| 197 || Enable kernel console logging
 
| 197 || Enable kernel console logging
Line 249: Line 274:
 
|}
 
|}
  
==== System Flags ====
+
==== System control flags ====
 
Bits <code>224-255</code> are used for various system options.
 
Bits <code>224-255</code> are used for various system options.
  
Line 255: Line 280:
 
! Bit !! Description
 
! Bit !! Description
 
|-
 
|-
| 229
+
| 224 || Allows loading sd0:psp2-config.txt
| HDCP related?
+
|-
 +
| 229 || HDCP related?
 
|}
 
|}
  
Line 284: Line 310:
 
   uint16_t version;
 
   uint16_t version;
 
   uint16_t size;
 
   uint16_t size;
   uint32_t fw_version;
+
   uint32_t current_fw_version;
 
   uint32_t factory_fw_version;
 
   uint32_t factory_fw_version;
 
   uint8_t unk_C[0x14];
 
   uint8_t unk_C[0x14];

Revision as of 22:45, 4 March 2019

The sysroot buffer is a 0x100 or 0x200 sized buffer passed to the secure kernel bootloader in the scratch space and contains all sorts of flags and system parameters. This buffer is copied to the secure kernel, the non-secure kernel loader, and the non-secure kernel and is used by many functions to check for features that are enabled for the system.

Offset Size Description
0x0 0x2 Version (usually 1)
0x2 0x2 Sysroot size (0x100 or 0x200)
0x4 0x4 Current Firmware Version
0x8 0x4 Factory Firmware Version
0xC 0x14 unk
0x20 0x10 QA flags
0x30 0x10 Boot flags
0x40 0x20 DIP Switches
0x60 0x4 DRAM base paddr (0x40000000)
0x64 0x4 DRAM size (0x20000000 on retail and testkit, 0x40000000 on DevKit)
0x68 0x4 unk
0x6C 0x4 Boot type indicator 1 (0x20000 on resume - no boot logo, 0x1 on boot - boot logo, 0x4 manufacturing mode)
0x70 0x10 OpenPsId
0x80 0x4 secure_kernel.enp raw data paddr (optional)
0x84 0x4 secure_kernel.enp size (optional)
0x88 0x8 unk
0x90 0x4 kprx_auth_sm.self raw data paddr
0x94 0x4 kprx_auth_sm.self size
0x98 0x4 prog_rvk.srvk raw data paddr
0x9C 0x4 prog_rvk.srvk size
0xA0 0x8 PSCode
0xA8 0x8 unk
0xB0 0x10 Session ID
0xC0 0x4 Unknown, comes from syscon cmd 3
0xC4 0x4 Wakeup factor
0xC8 0x4 Unknown, comes from syscon cmd 0x800 (?Device model dependant?) (ex: 0x40, 0x60, 0x64, 0x3D2, 0xC001C0)
0xCC 0x4 Unknown, comes from syscon cmd 0x100 (0x74FFFFFF on coldboot, 0x74FFBFFF on warmboot, 0x36AFFFXX triggers SetProductMode on 0.940)
0xD0 0x4 Saved context paddr, comes from syscon cmd 0x90 offset 0xC
0xD4 0x4 Hardware Info
0xD8 0x4 Boot type indicator 2
0xDC 0xC unk
0xE8 0x10 Hardware flags, comes from syscon cmd 6
0xF8 0x4 BootLoader Revision
0xFC 0x4 Sysroot Magic value (0xCBAC03AA)
0x100 0x20 Encrypted Session Key (FW 2.12+)

QA flags

Bit Description
0x2C + bit 29 Set to skip version checks in system updates
0x2D + bit 30 Checked by SceAppMgr. Dictates if you can pass arguments to sceAppMgrLaunchAppByPathForDriver

The data below contains QA Flags captured (at 0x20 in sysroot buffer) from a system debugger (SD DEM): 

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020  33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01  3.......s.......

Boot flags

Bit Description
47 use internal storage
  • at 0x30: 0xFF - not update mode
  • at 0x33: 0xFF - not safe mode
  • at 0x35: FF on FAT - no internal storage or on PSTV or SLIM - internal storage enabled, FE on PSTV or SLIM - internal storage disabled

Hardware Info

Data is returned by SceSyscon.

  • 00 60 41 00: PDEL-1XXX
  • 00 60 40 00: PCH-10XX / PTEL-1XXX
  • 02 60 40 00: PCH-11XX
  • 38 22 82 00: PCH-2XXX model revision 0x18
  • 30 30 70 00: VTE-XXXX

Bit flags

Bit Description
2 PSTV Slim
3 PSTV Slim
4 Slim
6 3G Modem
9 Fat
10 always set
11 PSTV
16 Slim
17 PSTV Fat
18 PSTV
19 PSTV
22 Slim
23 ?Communication Processor?

Boot type indicator 2

Experimental point of view

- No AC connected + No POWER Button pressed: 0x0
ex: rebooting by software PSVita when AC is not connected

- No AC connected + POWER Button pressed: 0x4
ex: booting PSVita by pressing POWER button when AC is not connected

- AC connected + No POWER Button pressed: 0x8
ex: rebooting by software PSVita when AC is connected
ex: autobooting PSTV/IDU PSVita by pluging AC

- AC connected + POWER Button pressed: 0xC
ex: powering off by software PSTV then booting it by pressing POWER button
ex: booting PSVita by pressing POWER button when AC is connected

Bit flags point of view

Bit Description
0 AC: connected: 1 - disconnected: 0 (note that PSTV always has AC connected)
1 POWER button: pressed: 1 - not pressed: 0

Wakeup factor

  • 14 FF 00 00
  • 04 FF 00 00 after normal reboot
  • 04 00 00 00
  • 00 FF 00 00
  • 80 after suspend

DIP Switches

Offset Size Description
0x40 0x4 CP Timestamp 1 (ex: 0x4AD86AB3 -> 16/10/2009 14:44:35)
0x44 0x2 CP Version (ex:0x1301 => 1301 on PDEL-100x)
0x46 0x2 CP Board ID (3 on DEM-300xH, 4 on PDEL-100x)
0x48 0x4 CP Timestamp 2 (identical as 1)
0x4C 0x4 ASLR Seed (?USER flags?) (also set on Retail and TestKit) (ex: 0x00000000 on a DEM-300xH)
0x50 0x4 SDK(SCE) flags (ex: 0x80000000 or 0x80000001 or 0x80000003 or 0x81000000 or 0x81000001 OR 0x0 or 0x2 in release mode)
0x54 0x4 SHELL flags (ex: 0x00000000 on a DEM-300xH)
0x58 0x4 Debug control flags (ex: 0x000413e7 on a DEM-300xH, 0x1453E7 dev mode, 0x080002 release mode)
0x5C 0x4 System control flags (ex: 0x2000001c on a DEM-300xH, 0x20000010 dev mode, 0x20000000 release mode)

DIP Switches bit flags resolving

DIP Switches bit flags are numbered from right to left. Thus, we have to use an algorithm to convert bit number to offset and bit.

To convert the bit number to the offset and bit: offset = 0x40 + (bit_num / 32) * 4, bit = 1 << (bit_num % 32).

CP Information

Bits 0-31 is a 32-bit integer of the current time on the CP clock. This is duplicated in bits 64-95.

Bits 32-47 is a 16-bit integer of the CP version and bits 48-63 is a 16-bit integer of the CP board ID. All integers are little-endian.
On non-devkits, these fields are zeroes. Bits 0-63 are also usable as general purpose switches exposed with sceKernelSetDipsw, sceKernelClearDipsw, and sceKernelCheckDipsw but they do not change anything in hardware (only cached values are overwritten).

User flags

Bits 96-127 does not seem to be used in the kernel.

SDK (SCE) flags

Bits 128-159 are used to store DevKit Boot Parameters.

Bit Description
128 Extended game memory (Memory Size): On: 1 - Off: 0
129 ?Release Mode Console?: On: 1 - Off: 0
152 PS TV Emulation: On: 1 - Off: 0
159 Release Check Mode: Development Mode: 1 - Release Mode: 0
168 Memory Size: Console Size: 1 - Development Tool Size: 0
184 Extra TTY: On: 1 - Off: 0
185 System Boot Time Notifications: On: 1 - Off: 0
199 Allows stdio ("tty0:"): On: 1 - Off: 0
210 ?
212 ?
251 ?
252 ? Used in SceSblFwLoader.

Shell flags

Bits 160-191 are used for SceShell flags.

Bit Description

Debug control flags

Bits 192-223 are for various debugging options.

Bit Description
194 Enable Cp (if disabled it disables Cpup and UsbDbg)
195 nouse_dbgusb (if enabled, SceUsbDbg doesn't init)
197 Enable kernel console logging
211 Enable user UART console logging

System control flags

Bits 224-255 are used for various system options.

Bit Description
224 Allows loading sd0:psp2-config.txt
229 HDCP related?

Hardware flags

Bit Description
1 IC Connexant: 1 - yes, 2 - no
5 unk
6 unk
7 unk
14 unk
  • all zeroes on most cases
  • 47 02 on a Slim

Types

typedef struct SceBootArgs {
  uint16_t version;
  uint16_t size;
  uint32_t current_fw_version;
  uint32_t factory_fw_version;
  uint8_t unk_C[0x14];
  uint8_t qa_flags[0x10];
  uint8_t boot_flags[0x10];
  uint32_t devkit_cp_timestamp_1;
  uint16_t devkit_cp_version;
  uint16_t devkit_cp_build_id;
  uint32_t devkit_cp_timestamp_2;
  uint32_t aslr_seed;
  uint32_t devkit_boot_parameters;
  uint32_t unk_54;
  uint32_t devkit_unk_flags;
  uint32_t devkit_flags_3;
  uint32_t dram_base;
  uint32_t dram_size;
  uint32_t unk_68;
  uint32_t boot_type_indicator_1;
  uint8_t openpsid[0x10];
  uint32_t secure_kernel_enp_addr;
  uint32_t secure_kernel_enp_size;
  uint8_t unk_88[0x8];
  uint32_t kprx_auth_sm_self_addr;
  uint32_t kprx_auth_sm_self_size;
  uint32_t prog_rvk_srvk_addr;
  uint32_t prog_rvk_srvk_size;
  uint8_t pscode[0x8];
  uint8_t unk_A8[0x8];
  uint8_t session_id[0x10];
  uint32_t unk_C0;
  uint32_t wakeup_factor;
  uint32_t unk_C8;
  uint32_t unk_CC;
  uint32_t resume_context_addr;
  uint32_t hardware_info;
  uint32_t boot_type_indicator_2;
  uint8_t unk_DC[0xC];
  uint8_t hardware_flags[0x10];
  uint32_t bootldr_revision;
  uint32_t magic;
  uint8_t session_key[0x20];
  uint8_t unused[0xE0];
} __attribute__((packed)) SceBootArgs;
Retrieved from "http://wiki.henkaku.xyz/vita/index.php?title=KBL_Param&oldid=11209"