Secure Loader: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
SAMU IPL, codenamed as 80000001, is the main loader of the Secure Kernel (80010001) <br>
The PS4 Secure Loader is the Initial Program Loader running on the [[AMD SAMU]] processor. It is [[Codenames|codenamed]] as 80000001. The PS4 Secure Loader is likely the main loader of the [[Secure Kernel]] (80010001) and of the Kernel (80010002).
The header contained in it contains the following information:


= Header Info =
See also the [https://www.psdevwiki.com/ps5/Secure_Loader PS5 Secure Loader].
 
= Structure =
 
== Header ==


{| class="wikitable"
{| class="wikitable"
Line 13: Line 16:
| 0x8 || 4 || Entry Point || Little Endian (0x100)
| 0x8 || 4 || Entry Point || Little Endian (0x100)
|-
|-
| 0xC || 4 || Payload Size || Little Endian (e.g 0x232D0)
| 0xC || 4 || Body Size || Little Endian (e.g 0x232D0)
|-
|-
| 0x10 || 0x10 || Padding || Zeroes
| 0x10 || 0x10 || Padding || Zeroes
|-
|-
| 0x20 || 0x20 || SHA256 of the decrypted payload || Verified from 0x280 to 0x23550  
| 0x20 || 0x20 || SHA256 of the decrypted body || Verified from 0x280 to 0x23550  
|-
|-
| 0x40 || 0xE0 || Padding || Ascii Zeroes
| 0x40 || 0xE0 || Padding || ASCII zeroes
|-
|-
| 0x120 || 0x20 || Revision Nonce || (Likely) SHA256 of the IPL's revision, from this point onward, SAM IPL is encrypted with two layers of CBC crypto
| 0x120 || 0x20 || Revision Nonce || (Likely) SHA256 of the IPL's revision, from this point onward, IPL is encrypted with two layers of AES-CBC crypto
|-
|-
| 0x140 || 0x40 || Metadata ||
| 0x140 || 0x40 || MetaData ||
|-
|-
| 0x180 || 0x100 || RSA Header Signature || Verified with rsa modulus from SAMU BootROM from 0 to 0x180
| 0x180 || 0x100 || RSA2048 Header Signature || Verified with RSA modulus from SAMU BootROM from 0 to 0x180
|-
|-
| 0x280 || 0x232D0 || Payload ||
| 0x280 || 0x232D0 || Body ||
|-
|-
| 0x23550 || 0x100 || RSA Footer Signature || Verified from header + body (somewhere else, likely PUP SM Manager)
| 0x23550 || 0x100 || RSA Footer Signature || Verified from header + body (somewhere else, likely PUP SM Manager)
|-
|}
|}


= MetaData Info =  
== MetaData ==


{| class="wikitable"
{| class="wikitable"
! Offset !! Size !! Description !! Notes
! Offset !! Size !! Description !! Notes
|-
|-
| 0x0 || 0x20 || MetaData Body || Contains Keyslot Keys
| 0x0 || 0x20 || MetaData Body || Contains KeyRings
|-
| 0x20 || 0x20 || HDR + MetaData SHA256HMAC || SHA256 of hdr plus metadata (HMAC)
|-
|-
| 0x20 || 0x20 || MetaData Digest || HMAC-SHA256 digest of (header plus metadata)
|}
|}


= MetaData Body =
== MetaData Body ==


{| class="wikitable"
{| class="wikitable"
! Offset !! Size !! Description !! Notes
! Offset !! Size !! Description !! Notes
|-
|-
| 0x0 || 0x20 || KeySlot 1 ||  
| 0x0 || 0x20 || KeyRing 1 ||  
|-
|}
|}


= Revision Nonce Collection =
= Revision Nonce Collection =


* TODO
{| class="wikitable"
! Revision !! Hash !! Versions Supported !! Notes
|-
| 0x4 || N.A || All ||
|-
| 0x23 || {{hex| 60 CF 88 21 68 52 47 93 8B 6C 81 23 AE D2 A8 B0 B8 EF 9D 39 D9 AE B2 72 7A 0C 64 FD 81 01 18 E7}} || All ||
|-
| 0x26 || {{hex| A5 26 93 8F 00 64 97 41 4F 3F 4E FE 25 EE F0 A3 0F 74 85 43 C9 5A 0A 3E 51 9B 08 BD 62 96 EA 77}} || All || 
|-
| 0x27 || {{hex| 86 52 B2 B9 C7 5B DB C7 78 A2 9F 1C DE 20 38 7C CE 8D F7 44 5A 5F CC A1 A3 56 25 93 3E 0D 9B A1}} || All || Present in Internal Pro 3.70
|-
| 0x2D || {{hex| 7A E1 C8 43 B3 7E 82 B2 56 56 FD 6A 2F 3B 01 5C 19 4A 40 0D FB 38 71 42 8B CB 6B D8 83 F6 FB FE}} || All || 
|-
| 0x31 || {{hex| 56 14 59 FD 36 A1 DF A7 DE A6 13 46 D7 BF B6 69 E5 94 18 8D 4F F7 B5 2B BE C0 F8 16 E9 29 23 81}} || All || 
|-
| 0x32 || {{hex| 3B 52 5F 89 9F CA 97 C6 54 65 1F 8A A0 0E 3C 3D 60 14 EE F7 68 9F 54 E3 B9 78 51 A7 CA 32 A7 D4}} || All ||
|}

Latest revision as of 12:44, 30 October 2024

The PS4 Secure Loader is the Initial Program Loader running on the AMD SAMU processor. It is codenamed as 80000001. The PS4 Secure Loader is likely the main loader of the Secure Kernel (80010001) and of the Kernel (80010002).

See also the PS5 Secure Loader.

Structure[edit | edit source]

Header[edit | edit source]

Offset Size Description Notes
0x0 4 Magic 5E D7 9A 0B
0x4 4 Header Size Little Endian (0x280)
0x8 4 Entry Point Little Endian (0x100)
0xC 4 Body Size Little Endian (e.g 0x232D0)
0x10 0x10 Padding Zeroes
0x20 0x20 SHA256 of the decrypted body Verified from 0x280 to 0x23550
0x40 0xE0 Padding ASCII zeroes
0x120 0x20 Revision Nonce (Likely) SHA256 of the IPL's revision, from this point onward, IPL is encrypted with two layers of AES-CBC crypto
0x140 0x40 MetaData
0x180 0x100 RSA2048 Header Signature Verified with RSA modulus from SAMU BootROM from 0 to 0x180
0x280 0x232D0 Body
0x23550 0x100 RSA Footer Signature Verified from header + body (somewhere else, likely PUP SM Manager)

MetaData[edit | edit source]

Offset Size Description Notes
0x0 0x20 MetaData Body Contains KeyRings
0x20 0x20 MetaData Digest HMAC-SHA256 digest of (header plus metadata)

MetaData Body[edit | edit source]

Offset Size Description Notes
0x0 0x20 KeyRing 1

Revision Nonce Collection[edit | edit source]

Revision Hash Versions Supported Notes
0x4 N.A All
0x23 60 CF 88 21 68 52 47 93 8B 6C 81 23 AE D2 A8 B0 B8 EF 9D 39 D9 AE B2 72 7A 0C 64 FD 81 01 18 E7 All
0x26 A5 26 93 8F 00 64 97 41 4F 3F 4E FE 25 EE F0 A3 0F 74 85 43 C9 5A 0A 3E 51 9B 08 BD 62 96 EA 77 All
0x27 86 52 B2 B9 C7 5B DB C7 78 A2 9F 1C DE 20 38 7C CE 8D F7 44 5A 5F CC A1 A3 56 25 93 3E 0D 9B A1 All Present in Internal Pro 3.70
0x2D 7A E1 C8 43 B3 7E 82 B2 56 56 FD 6A 2F 3B 01 5C 19 4A 40 0D FB 38 71 42 8B CB 6B D8 83 F6 FB FE All
0x31 56 14 59 FD 36 A1 DF A7 DE A6 13 46 D7 BF B6 69 E5 94 18 8D 4F F7 B5 2B BE C0 F8 16 E9 29 23 81 All
0x32 3B 52 5F 89 9F CA 97 C6 54 65 1F 8A A0 0E 3C 3D 60 14 EE F7 68 9F 54 E3 B9 78 51 A7 CA 32 A7 D4 All