Editing SC Communication
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
=Introduction= | =Introduction= | ||
* The following information was reverse engineered from | * The following information was reverse engineered from lv0ldr, lv0, lv1, and sc_iso.self. | ||
* Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info! | * Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info! | ||
Line 15: | Line 16: | ||
! Offset (from start of address space) !! Size !! Description | ! Offset (from start of address space) !! Size !! Description | ||
|- | |- | ||
|0xC000 || 0xFF0 || Syscon packet send area | |0xC000 || 0xFF0 || Syscon packet send area | ||
|- | |- | ||
|0xCFF0 || 0x4 || Syscon packet | |0xCFF0 || 0x4 || Syscon sent packet counter | ||
|- | |- | ||
|0xCFF4 || 0x4 || Syscon packet | |0xCFF4 || 0x4 || Syscon sent packet acknowledge counter | ||
|- | |- | ||
|0xD000 || 0xFF0 || | |0xD000 || 0xFF0 || Syscon packet receive area | ||
|- | |- | ||
|0xDFF0 || 0x4 || | |0xDFF0 || 0x4 || Syscon received packet counter | ||
|- | |- | ||
|0xDFF4 || 0x4 || | |0xDFF4 || 0x4 || Syscon received packet acknowledge counter | ||
|- | |- | ||
|0xE100 || 0x4 || Tells syscon there is a packet to be received | |0xE100 || 0x4 || Tells syscon there is a packet to be received | ||
Line 36: | Line 37: | ||
=Syscon Services= | =Syscon Services= | ||
* To be completed... | * To be completed... | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 67: | Line 43: | ||
! Service ID !! Description | ! Service ID !! Description | ||
|- | |- | ||
| 0x14 || NVS Service - Used for eeprom read/write (Non-Volatile Storage?) | |||
| 0x14 || NVS Service - Used for eeprom read/write | |||
|- | |- | ||
| | | 0x18 || Livelock(?) Service - Checks for permission to use other services | ||
|- | |- | ||
| | | 0x20 || Syscon Debug Output(?) - Used to send a string to syscon. | ||
|- | |- | ||
| 0x1F || | | 0x1F || Authenticated Services | ||
|- | |- | ||
| 0xFF || Syscon Init (Seen in lv0ldr init sequence to syscon: http://www.ps3devwiki.com/wiki/User_talk:JuanNadie) | |||
| 0xFF || Syscon Init (Seen in lv0ldr init sequence to syscon: | |||
|} | |} | ||
Line 115: | Line 57: | ||
* Some useful packet headers... | * Some useful packet headers... | ||
* If the header is shorter than 0x10, you must add your own size. | * If the header is shorter than 0x10, you must add your own size. | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 121: | Line 62: | ||
! What? !! Description || Data || Notes | ! What? !! Description || Data || Notes | ||
|- | |- | ||
| AUTH1 || AUTH1 Header || 0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || | | AUTH1 || AUTH1 Header || 0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || | ||
|- | |- | ||
| AUTH2 || AUTH2 Header || 0x1F, 0x01, 0x00, 0x01, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || | | AUTH2 || AUTH2 Header || 0x1F, 0x01, 0x00, 0x01, 0x00, 0x00, 0x80, 0x21, 0x00, 0x00, 0x00, 0x00,<br>0x00, 0x30, 0x00, 0x30 || | ||
|- | |- | ||
| Debug Output || Sends string to Syscon TTY || 0x20, 0x01, 0x00, 0x07, 0x00, 0x00, 0x80, 0x28, 0x00, 0x00, 0x00, 0x00<br>|| Start message with 0x00. Will print as much as packet length. | | Debug Output || Sends string to Syscon TTY || 0x20, 0x01, 0x00, 0x07, 0x00, 0x00, 0x80, 0x28, 0x00, 0x00, 0x00, 0x00<br>|| Start message with 0x00. Will print as much as packet length. | ||
|} | |} | ||
Line 167: | Line 93: | ||
struct secure_payload_header { | struct secure_payload_header { | ||
u8 session_id; | u8 session_id; | ||
u8 seq_service_id; //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, | u8 seq_service_id; //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, READ/WRITE = 0x04) | ||
u8 packet_type; //0xFF for BE->SC, 0x00 for SC->BE (if success) | u8 packet_type; //0xFF for BE->SC, 0x00 for SC->BE (if success) | ||
u8 magic[0x2]; //0xAD1A | u8 magic[0x2]; //0xAD1A | ||
Line 282: | Line 208: | ||
== Step 4 - Profit? == | == Step 4 - Profit? == | ||
You are now authenticated with syscon, and can use privileged commands. Just use the session_key calculated from the AUTH2 reply to encrypt/decrypt responses. | You are now authenticated with syscon, and can use privileged commands. Just use the session_key calculated from the AUTH2 reply to encrypt/decrypt responses. | ||