SC Communication: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
m (0x1F)
m (→‎Syscon Authentication: Steps 1 and 2.)
Line 53: Line 53:


=Syscon Authentication=
=Syscon Authentication=
To be completed...
- An IV of 0x00 is used for most AES steps.
 
== Step 1 - Generate Individual Seeds ==
Encrypt sc_iso metadata seeds w/ eid root key / iv.
 
<pre>aes256cbc_enc(eid_root_erk, eid_root_riv, sc_module_seeds, 0x40, sc_module_seeds);</pre>
 
== Step 2 - Generate SC_ISO encrypted keys ==
Encrypt the encrypted sc_key_seeds.
 
<pre>
indiv_key = sc_module_seeds + 0x20;
for (int i = 0; i < 0x100; i += 0x10)
    aes256cbc_enc(indiv_key, zero_iv, key_seeds + i, 0x10, enc_key_seeds + i);
</pre>
 
== Step 3 - Authenticate with Syscon ==
To be continued...

Revision as of 23:37, 21 January 2013

Introduction

  • The following information was reverse engineered from lv0ldr, lv0, lv1, and sc_iso.self.
  • Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info!

Overview of Syscon Communication

  • Syscon lives at the mmio space of 0x24000080000.
  • Communication occurs through mmio read/writes.

List of known offsets in Syscon:

Offset (from start of address space) Size Description
0xC000 0xFF0 Syscon packet send area
0xCFF0 0x4 Syscon sent packet counter
0xCFF4 0x4 Syscon sent packet acknowledge counter
0xD000 0xFF0 Syscon packet receive area
0xDFF0 0x4 Syscon received packet counter
0xDFF4 0x4 Syscon received packet acknowledge counter
0xE100 0x4 Tells syscon there is a packet to be received

Quick explanation of the packet counters:

  • There are two counters that are incremented by each side (Cell / Syscon).
  • 0xCFF0 and 0xDFF0 are incremented by the sending side (Syscon for 0xCFF0, Cell for 0xDFF0)
  • 0xCFF4 and 0xDFF4 are incremented by the receiving side (Cell for 0xCFF4, Syscon for 0xDFF4)

Syscon Services

  • To be completed...
Service ID Description
0x14 NVS Service - Used for eeprom read/write (Non-Volatile Storage?)
0x18 Livelock(?) Service - Checks for permission to use other services
0x1F Authenticated Services
0xFF Syscon Init (Seen in lv0ldr init sequence to syscon: http://www.ps3devwiki.com/wiki/User_talk:JuanNadie)

Syscon Authentication

- An IV of 0x00 is used for most AES steps.

Step 1 - Generate Individual Seeds

Encrypt sc_iso metadata seeds w/ eid root key / iv.

aes256cbc_enc(eid_root_erk, eid_root_riv, sc_module_seeds, 0x40, sc_module_seeds);

Step 2 - Generate SC_ISO encrypted keys

Encrypt the encrypted sc_key_seeds.

indiv_key = sc_module_seeds + 0x20;
for (int i = 0; i < 0x100; i += 0x10)
    aes256cbc_enc(indiv_key, zero_iv, key_seeds + i, 0x10, enc_key_seeds + i);

Step 3 - Authenticate with Syscon

To be continued...