SC Communication: Difference between revisions
Jump to navigation
Jump to search
m (0x1F) |
m (→Syscon Authentication: Steps 1 and 2.) |
||
| Line 53: | Line 53: | ||
=Syscon Authentication= | =Syscon Authentication= | ||
To be | - An IV of 0x00 is used for most AES steps. | ||
== Step 1 - Generate Individual Seeds == | |||
Encrypt sc_iso metadata seeds w/ eid root key / iv. | |||
<pre>aes256cbc_enc(eid_root_erk, eid_root_riv, sc_module_seeds, 0x40, sc_module_seeds);</pre> | |||
== Step 2 - Generate SC_ISO encrypted keys == | |||
Encrypt the encrypted sc_key_seeds. | |||
<pre> | |||
indiv_key = sc_module_seeds + 0x20; | |||
for (int i = 0; i < 0x100; i += 0x10) | |||
aes256cbc_enc(indiv_key, zero_iv, key_seeds + i, 0x10, enc_key_seeds + i); | |||
</pre> | |||
== Step 3 - Authenticate with Syscon == | |||
To be continued... | |||
Revision as of 23:37, 21 January 2013
Introduction
- The following information was reverse engineered from lv0ldr, lv0, lv1, and sc_iso.self.
- Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info!
Overview of Syscon Communication
- Syscon lives at the mmio space of 0x24000080000.
- Communication occurs through mmio read/writes.
List of known offsets in Syscon:
| Offset (from start of address space) | Size | Description |
|---|---|---|
| 0xC000 | 0xFF0 | Syscon packet send area |
| 0xCFF0 | 0x4 | Syscon sent packet counter |
| 0xCFF4 | 0x4 | Syscon sent packet acknowledge counter |
| 0xD000 | 0xFF0 | Syscon packet receive area |
| 0xDFF0 | 0x4 | Syscon received packet counter |
| 0xDFF4 | 0x4 | Syscon received packet acknowledge counter |
| 0xE100 | 0x4 | Tells syscon there is a packet to be received |
Quick explanation of the packet counters:
- There are two counters that are incremented by each side (Cell / Syscon).
- 0xCFF0 and 0xDFF0 are incremented by the sending side (Syscon for 0xCFF0, Cell for 0xDFF0)
- 0xCFF4 and 0xDFF4 are incremented by the receiving side (Cell for 0xCFF4, Syscon for 0xDFF4)
Syscon Services
- To be completed...
| Service ID | Description |
|---|---|
| 0x14 | NVS Service - Used for eeprom read/write (Non-Volatile Storage?) |
| 0x18 | Livelock(?) Service - Checks for permission to use other services |
| 0x1F | Authenticated Services |
| 0xFF | Syscon Init (Seen in lv0ldr init sequence to syscon: http://www.ps3devwiki.com/wiki/User_talk:JuanNadie) |
Syscon Authentication
- An IV of 0x00 is used for most AES steps.
Step 1 - Generate Individual Seeds
Encrypt sc_iso metadata seeds w/ eid root key / iv.
aes256cbc_enc(eid_root_erk, eid_root_riv, sc_module_seeds, 0x40, sc_module_seeds);
Step 2 - Generate SC_ISO encrypted keys
Encrypt the encrypted sc_key_seeds.
indiv_key = sc_module_seeds + 0x20;
for (int i = 0; i < 0x100; i += 0x10)
aes256cbc_enc(indiv_key, zero_iv, key_seeds + i, 0x10, enc_key_seeds + i);
Step 3 - Authenticate with Syscon
To be continued...