Editing SC Communication
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
=Introduction= | =Introduction= | ||
* The following information was reverse engineered from | * The following information was reverse engineered from lv0ldr, lv0, lv1, and sc_iso.self. | ||
* Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info! | * Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info! | ||
Line 15: | Line 16: | ||
! Offset (from start of address space) !! Size !! Description | ! Offset (from start of address space) !! Size !! Description | ||
|- | |- | ||
|0xC000 || 0xFF0 || Syscon packet send area | |0xC000 || 0xFF0 || Syscon packet send area | ||
|- | |- | ||
|0xCFF0 || 0x4 || Syscon packet | |0xCFF0 || 0x4 || Syscon sent packet counter | ||
|- | |- | ||
|0xCFF4 || 0x4 || Syscon packet | |0xCFF4 || 0x4 || Syscon sent packet acknowledge counter | ||
|- | |- | ||
|0xD000 || 0xFF0 || | |0xD000 || 0xFF0 || Syscon packet receive area | ||
|- | |- | ||
|0xDFF0 || 0x4 || | |0xDFF0 || 0x4 || Syscon received packet counter | ||
|- | |- | ||
|0xDFF4 || 0x4 || | |0xDFF4 || 0x4 || Syscon received packet acknowledge counter | ||
|- | |- | ||
|0xE100 || 0x4 || Tells syscon there is a packet to be received | |0xE100 || 0x4 || Tells syscon there is a packet to be received | ||
Line 36: | Line 37: | ||
=Syscon Services= | =Syscon Services= | ||
* To be completed... | * To be completed... | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 67: | Line 43: | ||
! Service ID !! Description | ! Service ID !! Description | ||
|- | |- | ||
| 0x14 || NVS Service - Used for eeprom read/write (Non-Volatile Storage?) | |||
| 0x14 || NVS Service - Used for eeprom read/write | |||
|- | |- | ||
| | | 0x18 || Livelock(?) Service - Checks for permission to use other services | ||
|- | |- | ||
| | | 0x20 || Syscon Debug Output(?) - Used to send a string to syscon. | ||
|- | |- | ||
| | | 0x1F || Authenticated Services | ||
|- | |- | ||
| 0xFF || Syscon Init (Seen in lv0ldr init sequence to syscon: http://www.ps3devwiki.com/wiki/User_talk:JuanNadie) | |||
| 0xFF || Syscon Init (Seen in lv0ldr init sequence to syscon: | |||
|} | |} | ||
=Syscon Packet Headers= | =Syscon Packet Headers= | ||
* Some useful packet headers... | * Some useful packet headers... | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! What? !! Description || Data | ! What? !! Description || Data | ||
|- | |- | ||
| | | AUTH1 || AUTH1 Header || 0x1F,0x01,0x00,0x00,0x00,0x00,0x80,0x20,0x00,0x00,0x00,0x00,0x00,0x30,0x00,0x30 | ||
|- | |- | ||
| AUTH2 || AUTH2 Header || 0x1F,0x01,0x00,0x01,0x00,0x00,0x80,0x21,0x00,0x00,0x00,0x00,0x00,0x30,0x00,0x30 | |||
|} | |} | ||
Line 167: | Line 90: | ||
struct secure_payload_header { | struct secure_payload_header { | ||
u8 session_id; | u8 session_id; | ||
u8 seq_service_id; //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, | u8 seq_service_id; //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, READ/WRITE = 0x04) | ||
u8 packet_type; //0xFF for BE->SC, 0x00 for SC->BE (if success) | u8 packet_type; //0xFF for BE->SC, 0x00 for SC->BE (if success) | ||
u8 magic[0x2]; //0xAD1A | u8 magic[0x2]; //0xAD1A | ||
Line 210: | Line 133: | ||
=== Step 3c - Validate AUTH1 === | === Step 3c - Validate AUTH1 === | ||
First, check the header/footer. | First, check the header/footer. | ||
* | * Calulcate aesOmac over the packet length and compare to omac from syscon. Use sc2be key. | ||
* Decrypt internal packet with sc2be key. Use | * Decrypt internal packet with sc2be key. Use AES128-CBC | ||
* Compare returned session_id and seq_service_id. | * Compare returned session_id and seq_service_id. | ||
* Check secure_payload_buf[0x2] == 0. | * Check secure_payload_buf[0x2] == 0. | ||
Line 259: | Line 182: | ||
=== Step 3e - Validate AUTH2 === | === Step 3e - Validate AUTH2 === | ||
Again, check the header/footer. | Again, check the header/footer. | ||
* | * Calulcate aesOmac over the packet length and compare to omac from syscon. Use sc2be key. | ||
* Decrypt internal packet with sc2be key. Use AES128-CBC | * Decrypt internal packet with sc2be key. Use AES128-CBC | ||
* Compare returned session_id and seq_service_id. | * Compare returned session_id and seq_service_id. | ||
Line 282: | Line 205: | ||
== Step 4 - Profit? == | == Step 4 - Profit? == | ||
You are now authenticated with syscon, and can use privileged commands. Just use the session_key calculated from the AUTH2 reply to encrypt/decrypt responses. | You are now authenticated with syscon, and can use privileged commands. Just use the session_key calculated from the AUTH2 reply to encrypt/decrypt responses. | ||