SC Manager
Jump to navigation
Jump to search
- SC Manager cannot be accessed directly by using DM unfortunately (DM discards all requests) but it's used by other services that are accessable through DM
- E.g. Update_Manager services "Read EEPROM" and "Write EEPROM" send requests to SC Manager services "Read EEPROM" and "Write EEPROM"
- SC Manager runs sc_iso.self
- With full HV rights you could patch Dispatcher Manager and enable access to SC Manager from GameOS.
0x9000 - SC Manager
| Packet ID | Description |
|---|---|
| 0x9001 | Get SRH |
| 0x9002 | Set SRH |
| 0x9003 | Encrypt |
| 0x9004 | Decrypt |
| 0x9005 | Init For VTRM |
| 0x9006 | Get Region Data |
| 0x9007 | Set Region Data |
| 0x9008 | Set RTC |
| 0x9009 | Get Time |
| 0x900A | Set Time |
| 0x900B | Read EPROM |
| 0x900C | Write EPROM |
| 0x900D | Init For Updater |
| 0x900E | Get SC Status |
| 0x9011 | SC Binary Patch |
| 0x9012 | SC RTC Factory |
| 0x9013 | Correct RTC Factory |
| 0x9014 | Set SC Status |
| 0x9015 | Backup Root Info |
| 0x9016 | Restore Root Info |
| 0x9017 | PMode Srv Generate Challenge |
| 0x9018 | PMode Srv Verify Response |
0x9001 - SC Get SRH
struct ss_sc_mgr_get_srh
{
u8 field0[20];
u8 res1[4];
u8 field18[20];
u8 res2[4];
};
0x9003 - SC Encrypt
- There are 5 different types/kinds of encryption: 1 - 5.
struct ss_sc_mgr_encrypt
{
u32 type; /* 1 - 5 */
u8 res[4];
u8 field8[16];
u8 field18[16];
u64 field28;
};
0x9004 - SC Decrypt
- There are 5 different types/kinds of decryption: 1 - 5.
- Virtual TRM Decrypt Master (0x200E) service uses e.g. decryption type 4.
0x9006 - SC Get Region Data
- This service expects an ID. The valid range of ID is 0 - 15.
- E.g. Update Manager uses this service to retrieve hash and version of some SELFs and firmwares, e.g. lv0 and lv1.
struct ss_sc_mgr_get_region_data
{
u64 id;
u64 data_size; /* max 0x30 bytes */
u8 data[0];
};
Update Package Type - ID Mapping Table
| Update Package Type | ID |
|---|---|
| 1 | 0 |
| 2 | 2 |
| 3 | 4 |
| 4 | 6 |
| 5 | 7 |
| 6 | 8 |
0x9007 - SC Set Region Data
- This service expects an ID. The valid range of ID is 0 - 15.
- E.g. Update Manager uses this service to store hash and version of some SELFs and firmwares, e.g. lv0 and lv1.
struct ss_sc_mgr_set_region_data
{
u64 id;
u64 data_size; /* max 0x30 bytes */
u8 data[0];
};
0x900B - SC Read EPROM
- There are 2 ways to access SC EPROM: NVS Service and Device Access Service.
- NVS Service uses Block ID and Block Offset.
- Not all EPROM offsets can be accessed through SC Manager.
struct ss_sc_mgr_read_eprom
{
u32 offset;
u8 res1[4];
u32 nread; /* max 0x100 bytes */
u8 res2[4];
u64 buf_size;
u8 buf[0];
/* here follows buf */
};
EPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)
| EPROM Offset | Block ID | Block Offset | Notes |
|---|---|---|---|
| 0x48000 - 0x480FF | 0x00 | 0x48000 - 0x480FF | |
| 0x48800 - 0x488FF | 0x01 | 0x48800 - 0x488FF | |
| 0x48C00 - 0x48CFF | 0x02 | 0x48C00 - 0x48CFF | |
| 0x48D00 - 0x48DFF | 0x03 | 0x48D00 - 0x48DFF | |
| 0x2F00 - 0x2FFF | 0x10 | 0x2F00 - 0x2FFF | "Industry Area" aka OS Version Area |
| 0x3000 - 0x30FF | 0x20 | 0x3000 - 0x30FF | "CS Area" |
| All other offsets | Invalid | Invalid |
0x900C - SC Write EPROM
struct ss_sc_mgr_write_eprom
{
u32 offset;
u8 res1[4];
u32 nwrite;
u8 res2[4];
u64 buf_size;
u8 buf[0];
/* here follows buf */
};
0x900E - SC Get Status
Here is what the service returned on my fat PS3:
0x00 0x00 0x00 0x03 0x00 0x00 0x00 0x00 0xC0 0x00 0x00 0xFF 0x00 0x00 0x00 0x00
So, version is 0x00000003 and mode is 0xC00000FF.
struct ss_sc_mgr_get_sc_status
{
u32 version;
u8 res1[4];
u32 mode;
u8 res2[4];
};
mode[3] == 0xFF (SC_INIT_FLAG_NON_PRODUCT_MODE) clrlwi mode, 24 != 0 (SC_INIT_FLAG_NEED_PERSONALIZE)
0x9011 - SC Binary Patch
- This service is used by Update Manager to send a new SC firmware version to SYSCON.
SC Isolation DMA Buffer Header
struct sc_iso_header
{
u32 seqno;
u32 mbmsg;
u32 cmd;
u32 cmd_size;
u8 cmd_data[0];
};
