User Token Manager

From PS3 Developer wiki

Jump to navigation Jump to search

0x25000 - User Token Manager[edit | edit source]

note: inside ss_server1.fself
User Token Manager service is accessed by GameOS syscall 877

Packet ID	Description	Lv1 Parameter Usage	Lv2Syscall Parameter	notes
0x25001	Encrypt User Token
0x25002	Decrypt User Token
0x25003 (Lv2)	Decrypt User Token		uint8_t out[0xC50], uint64_t size (0xC50)
0x25004 (Lv2)
0x25005 (Lv2)	Encrypt User Token		uint8 out[0xC50], uint64_t size (0xC50)
0x25006 (Lv2)	Retrieve Level 2 Syscall Table		0, uint8 out[size], uint64_t size (0x2000)

User Token[edit | edit source]

Before User Token Manager encrypts a received user token it checks it's format.
User Tokens are processed by spu_utoken_processor.self
Before User Token is processed, User Token Manager reads IDPS by sending SS requests to Indi Info Manager (packet ids 0x17001 and 0x17002). Indi Info Manager runs in HV Process 5.
First 0x10 bytes of the User Token are always unencrypted. Encrypted data offset: 0x10. Encrypted data size: 0xC40.

User Token Format[edit | edit source]

stuct user_token_attr
{
    uint32_t type;                                 /* 0x00000001, value != 0x00000001 means attribute list ends here */
    uint32_t size;                                 /* 8 + sizeof(data) */
    /* data follows here, size of data may be 0 */
}

struct user_token
{
    uint32_t magic;                                /* 0x73757400 = "sut\0" */
    uint32_t format_version;                       /* 0x00000001 */
    uint64_t size;
    uint8_t idps[16];
    uint64_t expire_date;
    uint64_t capability;
    union
    {
        stuct user_token_attr attrs[0];
        uint8_t dummy[3072];
    } attrs;
    /* 0xC30 */
    uint8_t digest[20];
}

Reverse engineering

General

Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM

Hypervisor

Hypervisor Reverse Engineering · Repository Nodes

Services

Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager

Plugin
Interfaces

ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin

PS1 Emulation · PS2 Emulation · PSP Emulation

Extended
features

Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals

Online

Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket

Hardware

SC

SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI

CELL

Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit

RAM

XDR Configuration · Rambus Registers

SB

ENCDEC Device Reverse Engineering

HDD

BD

Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive

Tools

IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh

Strings

files

emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr

dumps

lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables

Reference

Archaic · Drk_notes · Canaries

Keys & Seeds

Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks

Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=User_Token_Manager&oldid=64374"

Cookies help us deliver our services. By using our services, you agree to our use of cookies.