SC Communication

[[Category:Software]]
=Introduction=

* The following information was reverse engineered from [[lv0ldr]], [[lv0]], [[Hypervisor_Reverse_Engineering#System_Controller_.28SC_or_SYSCON.29|lv1]].[[SC_Manager|self]], and [[Iso module]] sc_iso.self.
* Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info!

{| class="wikitable FCK__ShowTableBorders"
! Offset (from start of address space) !! Size !! Description
|-
|0xC000 || 0xFF0 || Syscon packet send area (syscon writes here, Cell reads from here)
|-
|0xCFF0 || 0x4 || Syscon packet TX counter
|-
|0xCFF4 || 0x4 || Syscon packet RX counter
|-
|0xD000 || 0xFF0 || Cell packet send area (Cell writes here, syscon reads from here)
|-
|0xDFF0 || 0x4 || Cell packet TX counter
|-
|0xDFF4 || 0x4 || Cell packet RX counter
|-
|0xE100 || 0x4 || Doorbell: tells syscon there is a packet to be received
|}


=Syscon Services=
* To be completed... (see {{talk}} page for examples)

<pre>
03 SERV_SDA        (not available on Sherwood)
10 SERV_DEVPM
11 SERV_THERM
12 SERV_SETCFG
13 SERV_SYSPM
14 SERV_NVS
15 SERV_SIRCS      (not available on Sherwood)
16 SERV_NOTIF
17 SERV_INTR_NOTIF  (not available on Sherwood)
18 SERV_VERS
1B SERV_LIVELOCK
1C SERV_OSWDT
1E SERV_DIAG        (not available on Sherwood)
1F SERV_SECU
20 SERV_CONSOLE
2D SERV_PATCH
30 SERV_HDMI
40 SERV_LS
50 SERV_STORAGE    (not available on Sherwood)
 
F1 CC_CGMS_191F8
F2 SERV_LS_DATA_23EBC
</pre>


{| class="wikitable FCK__ShowTableBorders"
! Service ID !! Name !! Description
|-
| 0x03 || SERV_SDA || Device Access Service - used for EEPROM read/write. Not available on Sherwood.
|-
| 0x10 || SERV_DEVPM || Device Power Service (PS2 PCI bus power on/off)
|-
| 0x11 || SERV_THERM || Thermal Service - time zone presence, temperature, thermal alert mode
|-
| 0x12 || SERV_SETCFG || Config Info Service (BE count, error log, ...)
|-
| 0x13 || SERV_SYSPM || Power Service - controls system power and related info (power up / power button mode, wake source, RTC too)
|-
| 0x14 || SERV_NVS || NVS (Non-Volatile Storage) Service - used for EEPROM read/write. See: [[SC Manager#0x900B - SC Read EPROM]]
|-
| 0x15 || SERV_SIRCS || Serial Infrared Remote Control System. Not available on Sherwood.
|-
| 0x16 || SERV_NOTIF || Notification (LED / buzzer) Service - controls the lights on the console and the ring buzzer
|-
| 0x17 || SERV_INTR_NOTIF || Interrupt Notification Service. Not available on Sherwood.
|-
| 0x18 || SERV_VERS || Version Service - versioning related (SC type, major/minor version)
|-
| 0x1B || SERV_LIVELOCK || Livelock(?) Service - checks for permission to use other services
|-
| 0x1C || SERV_OSWDT || Operating System Watchdog Timer
|-
| 0x1E || SERV_DIAG || Diag Service. Not available on Sherwood.
|-
| 0x1F || SERV_SECU || Secure Services (sc_secure_service); requires the authentication described below
|-
| 0x20 || SERV_CONSOLE || Syscon Console Output - used to send a string to syscon
|-
| 0x2D || SERV_PATCH || Syscon Patch Service
|-
| 0x30 || SERV_HDMI || A/V Service / HDMI Service
|-
| 0x40 || SERV_LS || LabStation (fun stuff)
|-
| 0x50 || SERV_STORAGE || Storage Service. Not available on Sherwood.
|-
| 0xF1 || CC_CGMS_191F8 || Copy Generation Management System configuration
|-
| 0xF2 || SERV_LS_DATA_23EBC || LabStation data (more fun stuff)
|-
| 0xFF || || Syscon Init (seen in the lv0ldr init sequence to syscon: [[User_talk:JuanNadie]])
|}


=Syscon Packet Headers=
* Some useful packet headers.
* If the Data column is shorter than 0x10 bytes it is only the header: append the size words yourself (bytes 12-15 in the complete packets below) followed by the payload.
* If it is longer than 0x10 bytes it is a complete packet, header plus payload, as sent.

{| class="wikitable FCK__ShowTableBorders"
|-
! Packet !! Description !! Data !! Notes
|-
| AUTH1 || AUTH1 header (service 0x1F) || 0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || On AUTH1 UART SC packets the header is instead 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|-
| AUTH2 || AUTH2 header (service 0x1F) || 0x1F, 0x01, 0x00, 0x01, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || On AUTH2 UART SC packets the header is instead 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|-
| Debug Output || Sends a string to the syscon TTY (service 0x20) || 0x20, 0x01, 0x00, 0x07, 0x00, 0x00, 0x80, 0x28, 0x00, 0x00, 0x00, 0x00 || Header only, add the size words. Start the message with 0x00; syscon prints as many bytes as the packet length says.
|-
| Triple Beep || Three beeps from the buzzer (service 0x16) || 0x16, 0x01, 0x16, 0x20, 0x00, 0x00, 0x80, 0x4D, 0x00, 0x00, 0x00, 0x01,<br>0x00, 0x08, 0x00, 0x08,<br>0x20, 0x29, 0x0A, 0x00, 0x00, 0x00, 0x01, 0xB6 || Complete packet.
|-
| Shutdown || Power off (service 0x13) || 0x13, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x04, 0x00, 0x04,<br>0x11, 0x00, 0x00, 0x00 || Will not gracefully shut down the HDD.
|-
| Soft Restart || Reboot (service 0x13) || 0x13, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x04, 0x00, 0x04,<br>0x11, 0x00, 0x00, 0x01 || Restarts without cutting power between boots.
|-
| Hard Restart || Reboot with power cycle (service 0x13) || 0x13, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x04, 0x00, 0x04,<br>0x11, 0x00, 0x00, 0x02 || Restarts and cuts power between boots.
|-
| Panic || Emergency shutdown (service 0x13) || 0x13, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x04, 0x00, 0x04,<br>0x11, 0x00, 0x00, 0x03 || Shuts down, beeps, and keeps the power LED off until the power button is pressed or power is removed.
|-
| Set Wake Up Source to Restart after Shutdown (Patch) || Wake-up source configuration (service 0x13) || 0x13, 0x01, 0x13, 0x12, 0x00, 0x00, 0x80, 0x39, 0x00, 0x00, 0x00, 0x01,<br>0x00, 0x08, 0x00, 0x08,<br>0x12, 0x00, 0x00, 0x00, 0x80, 0x00, 0x02, 0x74 || Sets the wake-up source so the console wakes up again after shutdown.
|-
| Shutdown Some Syscon Services Responsible for Patch || Shuts down some syscon services responsible for patching (service 0x13) || 0x13, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x04, 0x00, 0x04,<br>0x11, 0x00, 0x00, 0x09 || Complete packet.
|}
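The following Go program is an added example, not code from this page or from any of the reverse-engineered firmware. It builds and parses packets in the layout of the table above. The field meanings it uses are read off the listed packets and are not stated by the page: byte 1 is 0x01 in every packet, bytes 4-5 are zero, byte 6 is 0x80, byte 7 equals the low byte of the sum of bytes 0-5 (this holds for every packet in the table), bytes 8-11 are a word that is 0 or 1, and the payload length appears twice in bytes 12-15. The names Build, Parse, DebugOutput, Request and Flags are the example's own. VerifyListed rebuilds four complete packets from the table and compares them byte for byte with what the page lists.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// HeaderLen is the size of the outer packet header in the table above.
const HeaderLen = 16

// Header layout used here, read off the packets listed above (assumption, the
// page does not describe the fields):
//   [0]     service ID            [1]     0x01 in every listed packet
//   [2:4]   request word          [4:6]   0x0000 in every listed packet
//   [6]     0x80                  [7]     low byte of sum(pkt[0:6])
//   [8:12]  flags word (0 or 1)   [12:14] payload length, repeated at [14:16]
type Packet struct {
	Service byte
	Request uint16
	Flags   uint32
	Payload []byte
}

func headerSum(h []byte) byte {
	var s byte
	for _, b := range h[:6] {
		s += b
	}
	return s
}

// Build assembles header and payload; the checksum byte and both length words are filled in here.
func Build(p Packet) ([]byte, error) {
	if len(p.Payload) > 0xFFFF {
		return nil, errors.New("payload does not fit the 16-bit length field")
	}
	b := make([]byte, HeaderLen+len(p.Payload))
	b[0], b[1] = p.Service, 0x01
	binary.BigEndian.PutUint16(b[2:], p.Request)
	b[6] = 0x80
	b[7] = headerSum(b)
	binary.BigEndian.PutUint32(b[8:], p.Flags)
	binary.BigEndian.PutUint16(b[12:], uint16(len(p.Payload)))
	binary.BigEndian.PutUint16(b[14:], uint16(len(p.Payload)))
	copy(b[HeaderLen:], p.Payload)
	return b, nil
}

// Parse checks the fixed bytes, the checksum and both length words before it
// trusts the payload length; a packet that fails any check is rejected outright.
func Parse(b []byte) (Packet, error) {
	if len(b) < HeaderLen {
		return Packet{}, fmt.Errorf("short packet: %d bytes", len(b))
	}
	if b[1] != 0x01 || b[4] != 0 || b[5] != 0 || b[6] != 0x80 {
		return Packet{}, errors.New("unexpected fixed header bytes")
	}
	if b[7] != headerSum(b) {
		return Packet{}, fmt.Errorf("checksum 0x%02x, expected 0x%02x", b[7], headerSum(b))
	}
	n, n2 := binary.BigEndian.Uint16(b[12:]), binary.BigEndian.Uint16(b[14:])
	if n != n2 || int(n) != len(b)-HeaderLen {
		return Packet{}, fmt.Errorf("length words 0x%x/0x%x do not match %d payload bytes", n, n2, len(b)-HeaderLen)
	}
	return Packet{b[0], binary.BigEndian.Uint16(b[2:]), binary.BigEndian.Uint32(b[8:]), append([]byte{}, b[HeaderLen:]...)}, nil
}

// DebugOutput completes the 12-byte SERV_CONSOLE (0x20) header from the table:
// the size words are appended and the string starts with 0x00, as the notes say.
func DebugOutput(msg string) ([]byte, error) {
	return Build(Packet{Service: 0x20, Request: 0x0007, Payload: append([]byte{0x00}, msg...)})
}

// listed holds four complete packets copied from the table above.
var listed = []struct {
	name string
	p    Packet
	raw  []byte
}{
	{"Shutdown", Packet{0x13, 0x000D, 0, []byte{0x11, 0, 0, 0}},
		[]byte{0x13, 0x01, 0x00, 0x0D, 0, 0, 0x80, 0x21, 0, 0, 0, 0, 0, 0x04, 0, 0x04, 0x11, 0, 0, 0}},
	{"Triple Beep", Packet{0x16, 0x1620, 1, []byte{0x20, 0x29, 0x0A, 0, 0, 0, 0x01, 0xB6}},
		[]byte{0x16, 0x01, 0x16, 0x20, 0, 0, 0x80, 0x4D, 0, 0, 0, 1, 0, 0x08, 0, 0x08, 0x20, 0x29, 0x0A, 0, 0, 0, 0x01, 0xB6}},
	{"Set Wake Up Source", Packet{0x13, 0x1312, 1, []byte{0x12, 0, 0, 0, 0x80, 0, 0x02, 0x74}},
		[]byte{0x13, 0x01, 0x13, 0x12, 0, 0, 0x80, 0x39, 0, 0, 0, 1, 0, 0x08, 0, 0x08, 0x12, 0, 0, 0, 0x80, 0, 0x02, 0x74}},
	{"Shutdown Patch Services", Packet{0x13, 0x0000, 0, []byte{0x11, 0, 0, 9}},
		[]byte{0x13, 0x01, 0x00, 0x00, 0, 0, 0x80, 0x14, 0, 0, 0, 0, 0, 0x04, 0, 0x04, 0x11, 0, 0, 9}},
}

// VerifyListed returns nil when every listed packet is reproduced by Build and accepted by Parse.
func VerifyListed() error {
	for _, l := range listed {
		got, err := Build(l.p)
		if err != nil || !bytes.Equal(got, l.raw) {
			return fmt.Errorf("%s: Build produced % X", l.name, got)
		}
		if _, err := Parse(l.raw); err != nil {
			return fmt.Errorf("%s: %v", l.name, err)
		}
	}
	return nil
}

func main() {
	fmt.Println("listed packets reproduced:", VerifyListed())
	pkt, _ := DebugOutput("hello syscon")
	fmt.Printf("debug packet: % X\n", pkt)
	pkt[0] = 0x13 // forge the service ID without fixing byte 7
	_, err := Parse(pkt)
	fmt.Println("forged packet:", err)
}
```

Parse rejects a packet whose service ID was changed without recomputing byte 7, and a packet whose two length words disagree or do not match the bytes actually present, which is the check you want before anything indexes into the payload.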


struct secure_payload_header {
     u8 session_id;
     u8 seq_service_id;  //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, READ_DATA = 0x04, WRITE_DATA = 0x05)
     u8 packet_type;    //0xFF for BE->SC, 0x00 for SC->BE (if success)
     u8 magic[0x2];      //0xAD1A
=== Step 3c - Validate AUTH1 ===
First, check the header/footer.
* Calculate AES [http://en.wikipedia.org/wiki/One-key_MAC OMAC] over the packet (as many bytes as the packet length says) and compare it to the OMAC from syscon. Use the sc2be key.
* Decrypt the inner packet with the sc2be key, AES-128-CBC.
* Compare the returned session_id and seq_service_id with the values in your AUTH1 request.
* Check secure_payload_buf[0x2] == 0 (packet_type 0x00, i.e. success from SC->BE).
=== Step 3e - Validate AUTH2 ===
Again, check the header/footer.
* Calculate AES [http://en.wikipedia.org/wiki/One-key_MAC OMAC] over the packet (as many bytes as the packet length says) and compare it to the OMAC from syscon. Use the sc2be key.
* Decrypt the inner packet with the sc2be key, AES-128-CBC.
* Compare the returned session_id and seq_service_id with the values in your AUTH2 request.
== Step 4 - Profit? ==
You are now authenticated with syscon and can use privileged commands. Use the session_key calculated from the AUTH2 reply to encrypt your requests and decrypt the responses.
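The following Go program is an added example, not the page's code and not sc_iso's or syscon's. It performs the validation of Steps 3c/3e on a reply and shows the order a practitioner wants: MAC check first, decrypt second, field checks last; the same ValidateSecureReply applies after Step 4 with the session_key in place of sc2be. Because the page gives no offsets, it assumes the OMAC is the final 16 bytes of the reply and is computed over the ciphertext before it, that the inner packet is AES-128-CBC with a zero IV, and that the inner packet is zero-padded to a block boundary. The key is a constructed 16-byte test key, not the real sc2be key; EncryptSecureReply stands in for the syscon side so the validator can be run offline. aesOMAC is AES-CMAC (OMAC1) as specified in RFC 4493.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Reply layout assumed below (the page says "check the header/footer" without
// giving offsets): [0:n-16] AES-128-CBC ciphertext of the secure payload with a
// zero IV, [n-16:n] AES-OMAC over that ciphertext. Both use the sc2be key.
const macLen = 16

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// dbl doubles a block in GF(2^128), the OMAC1/CMAC subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesOMAC is AES-OMAC1 (AES-CMAC, RFC 4493) over msg with a 16-byte key.
func aesOMAC(key, msg []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1 := make([]byte, 16)
	blk.Encrypt(k1, k1) // L = AES_K(0^128)
	k1 = dbl(k1)
	k2 := dbl(k1)
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	last := make([]byte, 16)
	copy(last, msg[(n-1)*16:])
	if len(msg) > 0 && len(msg)%16 == 0 {
		xorInto(last, k1) // final block is complete
	} else {
		last[len(msg)%16] = 0x80 // 10* padding, then K2
		xorInto(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:(i+1)*16])
		blk.Encrypt(x, x)
	}
	xorInto(x, last)
	blk.Encrypt(x, x)
	return x, nil
}

// SecurePayload is the decrypted inner packet (see secure_payload_header above).
type SecurePayload struct {
	SessionID, SeqServiceID, PacketType byte
	Body                                []byte // everything after the 5-byte header
}

var ErrAuth = errors.New("syscon reply rejected")

// ValidateSecureReply runs the checks of Steps 3c/3e in order: OMAC over the
// ciphertext, then AES-128-CBC decrypt, then session_id, seq_service_id,
// packet_type == 0x00 and the 0xAD1A magic. Any mismatch fails closed.
func ValidateSecureReply(sc2be, reply []byte, wantSession, wantSeq byte) (*SecurePayload, error) {
	if len(reply) < 16+macLen || (len(reply)-macLen)%16 != 0 {
		return nil, ErrAuth
	}
	ct, mac := reply[:len(reply)-macLen], reply[len(reply)-macLen:]
	want, err := aesOMAC(sc2be, ct)
	if err != nil || subtle.ConstantTimeCompare(want, mac) != 1 {
		return nil, ErrAuth // never decrypt what has not been authenticated
	}
	blk, _ := aes.NewCipher(sc2be)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, make([]byte, 16)).CryptBlocks(plain, ct)
	if plain[0] != wantSession || plain[1] != wantSeq || plain[2] != 0x00 || plain[3] != 0xAD || plain[4] != 0x1A {
		return nil, ErrAuth
	}
	return &SecurePayload{plain[0], plain[1], plain[2], plain[5:]}, nil
}

// EncryptSecureReply plays the syscon side under the same assumed layout so the
// validator can be exercised offline; it is not the real syscon code.
func EncryptSecureReply(sc2be []byte, session, seq byte, body []byte) ([]byte, error) {
	blk, err := aes.NewCipher(sc2be)
	if err != nil {
		return nil, err
	}
	plain := append([]byte{session, seq, 0x00, 0xAD, 0x1A}, body...)
	plain = append(plain, make([]byte, (16-len(plain)%16)%16)...) // zero-pad to a block (assumption)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(ct, plain)
	mac, _ := aesOMAC(sc2be, ct)
	return append(ct, mac...), nil
}

func main() {
	key := []byte("constructed-key!") // 16-byte test key, not the real sc2be key
	reply, _ := EncryptSecureReply(key, 0x42, 0x02, []byte("AUTH1 reply material"))
	p, err := ValidateSecureReply(key, reply, 0x42, 0x02)
	fmt.Printf("valid reply: session=%#x err=%v\n", p.SessionID, err)
	reply[0] ^= 0x01 // flip one ciphertext bit: OMAC must reject before decrypting
	_, err = ValidateSecureReply(key, reply, 0x42, 0x02)
	fmt.Println("tampered reply:", err)
}
```

The validator returns the same ErrAuth for a bad MAC, a wrong key, a wrong session_id and a wrong packet_type, and compares the MAC in constant time, so a caller talking to an untrusted peer does not leak which check failed.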
= Some Samples from DYN-001 Syscon SPI SC Comms =
* https://mega.nz/#!2w00VAjK!u10PD2b0G-MqwUZTBD4Nv_by36QNn8P-jVIUxq0pLDM (dead link)
<pre>
00 70 0B 93 FF DC CF 43 97 68 49 06 71 32 27 C1
E8 9F D1 73 DA 4D FA A2 7C 6F 24 F7 BD 95 37 EC
F9 17 5B BB DB 32 E8 82 55 3F 51 23 F1 71 E6 88
</pre>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>