Storage Manager
Jump to navigation
Jump to search
Storage Manager communicates with devices /dev/encdec0 and /dev/rbd0 from LPAR 1 .
Lv2 Kernel usage e.g. by:
syscall 864 and syscall SYS_SS_MEDIA_ID (note: inside ss_server1.fself embedded in Lv1.self)
*2nd value from Repository_Nodes bus1.id is used by Storage Manager *Storage Manager executes SPU module sb_iso_spu_module.self *Storage Manager communicates with sb_iso_spu_module.self through a shared DMA memory buffer and SPU MBox *EID4 data is passed to sb_iso_spu_module.self module.
0x5000 - Security Hardware Framework[edit | edit source]
Packet ID | Description | Lv1 Parameter Usage | Lv2Syscall Parameter | notes |
---|---|---|---|---|
0x5001 | Set Encdec Key | |||
0x5002 | Set/Delete ATA (Encdec) Key | |||
0x5003 | Get Random Number | |||
0x5004 | Authenticate BD Drive (cellSsDrvAuthDrive) | Usermode access | ||
0x5005 | Authenticate PS2 Disc | |||
0x5006 | Get Secure Firmware Version | |||
0x5007 | Authenticate PS3 Game (cellSsDrvAuthDiscPs3) | Usermode access | ||
0x5008 | HW mc | Usermode access | ||
0x5009 | HW me auth header | |||
0x500A | HW me dec block | |||
0x5010 | Set Encdec Key for PS2 | |||
0x5011 | Retrieve M1m for bdv (Bluray Disc Voucher) | Usermode access | ||
0x5012 | Retrieve "X-I-5-Passphrase" NPpp (Network Product passphrase) | Usermode access |
SB Isolation DMA Buffer Header[edit | edit source]
struct sb_iso_header { u32 seqno; u32 mbmsg; u32 cmd; u32 cmd_size; u8 cmd_data[0]; }
- seqno has values 0x03 to 0x08. It is incremented when sending and receiving data from the spu.
0x5001 - Set Encdec Key[edit | edit source]
- This service allows you to set ENCDEC keys with index 0xC - 0xF
- By patching HV process 6 it would be possible to set default ENCDEC key (used for HDD encryption) to a value different from the default one !!! It means we could encrypt our HDDs with a key we want !!!
- The service accepts 2 parameters: a key (max 24 bytes) and a key length (in bits)
- Valid key length values: 0x40, 0x80 and 0xC0
- The service returns the ENCDEC key index used for the key
- ENCDEC supports upto 16 keys !!!
- Storage Manager in HV process 6 has a bit mask of size 2 bytes which indicates which keys are used currently.
Per default, keys with index 0x0 - 0xB are not free. But we could patch it also.
0x5002 - Set/Delete ATA (Encdec) Key[edit | edit source]
- Sets/Deletes ATA (Encdec) Key
- The service has only one parameter of size 8 bytes: 0x100 - Set ATA Key and 0x110 - Delete ATA Key.
- This service is used e.g. by System Manager in HV Process 9 during LPAR booting.
- SPM doesn't allow GameOS to use this service.
- 3 possible key lengths: 0x40, 0x80 and 0xC0
- This service communicates with /dev/encdec0 device.
- The service uses ENCDEC device commands EdecKgen1 (0x81), EdecKgen2 (0x82), EdecKset (0x83) and EdecKgenFlash (0x84).
- This service communicates also with /dev/rbd0 device.
- I guess that the ATA key is stored encrypted in EID4 data.
- This service is used by LPAR Manager in HV Process 9 during LPAR 2 loading.
- I tested this service on Linux with ps3dm-utils and after deleting ATA key the sectors on VFLASH or HDD were NOT decrypted by HV
- After setting ATA key again, the sectors were encrypted/decrypted by HV again
- Deleting an ENCDEC key is nothing more than setting key with all bytes set to 0x0 !!!
- On old PS3s which didn't use HDD for VFLASH, HV uses 2 ENCDEC keys, one for HDD (key index 1) and one for VFLASH (key index 0). On new PS3s which use HDD for VFLASH, only one ENCDEC key is used (key index 1).
Service Parameter Table[edit | edit source]
Service Parameter | Description |
---|---|
0xC - 0xF | Delete Encdec Key |
0x10* | Set ATA Key (index 1) |
0x11* | Delete ATA Key (index 1) |
0x5003 - Get Random Number[edit | edit source]
- I have got access to Get Random Number service through DM and tested it with PSGroove
- The service returns 192-bit random numbers
- It has no input parameters except those in SS packet header
- Storage Manager communicates with device /dev/encdec0.
- This service is used e.g. by USB Dongle Authenticator to generate the body of a challenge or by GameOS to generate hardware random numbers.
0x5004 - Authenticate BD Drive[edit | edit source]
- Used by LPAR Manager in HV Process 9 during LPAR 2 loading and unloading.
- Used by SLL Load GOS service (0x14004) in HV Process 3 during PS2EMU loading and by SLL Unload GOS service (0x14005) during PS2EMU unloading.
- The service expects one additional parameter.
- The service is used during loading of LPAR 2 to authenticate BD drive and during unloading LPAR 2 to reset BD drive.
- The service uses isolated SPU module sv_iso_spu_module.self for BD drive authentication.
- The service communicates with LPAR 1 device /dev/rbd0 through ATAPI interface.
Service Parameter Table[edit | edit source]
Service Parameter | Description |
---|---|
0x00 0x01 | (unknown, ignore/skip) |
0x02 | Used by SLL service 0x14004 during PS2EMU loading |
0x04 | cleans key |
0x0D | Used by cellSsGamediscSetup |
0x1E | Used by SLL service 0x14005 during PS2EMU unloading |
0x29 | Reset BD Drive + cleans key (aka cellSsGamediscSetupClear) |
0x2B | Stop BD Drive |
0x46 | Authenticate BD Drive |
0x52 | Authenticate PS2 Disc Insert (policy check) (cellSsDrvPs2DiscInsert) |
0x5A | (only gets PSCode) |
0x8D | Check Device File |
0x5005 - PS2 Disc Authenticate[edit | edit source]
0x5006 - Get Version[edit | edit source]
- By default not accessible from GameOS but can be enabled by patching Dispatcher Manager.
0x5007 - Control BD Drive[edit | edit source]
- Used by GameOS to authenticate discs and for BD emulation.
Service Parameter Table[edit | edit source]
Service Parameter | Description |
---|---|
0x0D | HW_ps3_disc_auth (cellSsDrvAuthDiscPs3) |
0x3F | HW_ps3_disc_auth (disc id), do auth, get profile etc. |
0x41 | HW_ps3_hdd_game_auth |
0x43 | HW_ps3_disc_change (cellSsDrvAuthDiscChange) |
0x46 | HW_ps3_disc_auth, get disc hash key (cellSsDrvGetDiscId) |
0x4B | HW_ps3_disc_auth (media id?) |
0x51 | HW_ps3_disc_auth |
0x52 | HW_ps3_disc_auth |
0x53 | HW_ps3_disc_change (cellSsDrvPs3DiscInsert) |
0xA3 | HW_disc_auth_emu |
0xA5 | HW_disc_auth_emu, set disc mode 2 |
0xA7 | HW_disc_auth_emu |
0xAA | HW_disc_auth_emu, memset given buffer |
0x5008 - HW mc[edit | edit source]
Service Parameter Table[edit | edit source]
Service Parameter | Description |
---|---|
0x01 | mc_auth_1 (get?) |
0x02 | mc_auth_2 (clean?) |
0x5011 - Retrieve "M1m"[edit | edit source]
https://paste.ubuntu.com/p/7PvZjF6BY4/
0x5012 - Retrieve "X-I-5-Passphrase"[edit | edit source]
https://paste.ubuntu.com/p/bb6gjF9Cxm/