SAMU IPL, codenamed 80000001, is the main loader of the Secure Kernel (80010001).
Its header contains the following information:

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 4 | Magic | 5E D7 9A 0B |
| 0x4 | 4 | Header Size | Little Endian (0x280) |
| 0x8 | 4 | Entry Point | Little Endian (0x100) |
| 0xC | 4 | Payload Size | Little Endian (e.g. 0x232D0) |
| 0x10 | 0x10 | Padding | Zeroes |
| 0x20 | 0x20 | SHA256 of the decrypted payload | Verified from 0x280 to 0x23550 |
| 0x40 | 0xE0 | Padding | ASCII Zeroes |
| 0x120 | 0x20 | Revision Nonce | (Likely) SHA256 of the IPL's revision. From this point onward, SAM IPL is encrypted with two layers of CBC crypto |
| 0x140 | 0x40 | Metadata | |
| 0x180 | 0x100 | RSA Header Signature | Verified with RSA modulus from SAMU BootROM from 0 to 0x180 |
| 0x280 | 0x232D0 | Payload | |
| 0x23550 | 0x100 | RSA Footer Signature | Verified from header + body (somewhere else, likely PUP SM Manager) |

MetaData Info

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 0x20 | MetaData Body | Contains Keyslot Keys |
| 0x20 | 0x20 | HDR + MetaData SHA256HMAC | SHA256 of hdr plus metadata (HMAC) |

MetaData Body

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 0x20 | KeySlot 1 | |
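
The header and MetaData layouts above, expressed as a structural parser. This is an added example, not code from the original page or from any tool it describes; the function names, the fixed-0x280 header-size check and the constructed sample image (filler bytes, no real keys or signatures) are assumptions. It performs no decryption or signature verification.

```python
import struct

MAGIC = bytes.fromhex("5ED79A0B")
HEADER_SIZE = 0x280      # value of the Header Size field per the table
SIG_SIZE = 0x100         # RSA header and footer signatures
# name -> (offset, size), copied from the header and MetaData tables
FIELDS = {
    "payload_sha256":   (0x20, 0x20),   # digest of the *decrypted* payload
    "revision_nonce":   (0x120, 0x20),
    "metadata_body":    (0x140, 0x20),  # keyslot material
    "metadata_hmac":    (0x160, 0x20),
    "header_signature": (0x180, SIG_SIZE),
}

def parse_ipl_header(blob: bytes) -> dict:
    """Structurally validate an IPL image and slice out its fields."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("image shorter than the 0x280-byte header")
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    header_size, entry_point, payload_size = struct.unpack_from("<3I", blob, 4)
    if header_size != HEADER_SIZE:   # assumption: field is fixed at 0x280
        raise ValueError(f"unexpected header size {header_size:#x}")
    if any(blob[0x10:0x20]):
        raise ValueError("padding at 0x10 is not zero")
    expected = header_size + payload_size + SIG_SIZE
    if len(blob) != expected:
        raise ValueError(f"length {len(blob):#x} != expected {expected:#x}")
    out = {name: blob[off:off + size] for name, (off, size) in FIELDS.items()}
    out.update(
        entry_point=entry_point,
        payload_size=payload_size,
        signed_region=blob[:0x180],  # span covered by the header signature
        payload=blob[header_size:header_size + payload_size],
        footer_signature=blob[header_size + payload_size:],
    )
    return out

def make_sample(payload: bytes) -> bytes:
    """Constructed test image: page layout, filler bytes only."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = MAGIC
    struct.pack_into("<3I", hdr, 4, HEADER_SIZE, 0x100, len(payload))
    hdr[0x120:0x140] = b"\xAA" * 0x20   # placeholder revision nonce
    return bytes(hdr) + payload + b"\x00" * SIG_SIZE

if __name__ == "__main__":
    info = parse_ipl_header(make_sample(b"\x11" * 0x40))
    print(hex(info["entry_point"]), hex(info["payload_size"]))
```
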

Revision Nonce Collection

| Hash | Versions Supported | Notes |
|---|---|---|
| 7A E1 C8 43 B3 7E 82 B2 56 56 FD 6A 2F 3B 01 5C 19 4A 40 0D FB 38 71 42 8B CB 6B D8 83 F6 FB FE | ???5.01-5.05??? | Revision 0x2D |