SAMU IPL, codenamed 80000001, is the main loader of the Secure Kernel (80010001).
Its header contains the following information:

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 4 | Magic | 5E D7 9A 0B |
| 0x4 | 4 | Header Size | Little Endian (0x280) |
| 0x8 | 4 | Entry Point | Little Endian (0x100) |
| 0xC | 4 | Payload Size | Little Endian (e.g. 0x232D0) |
| 0x10 | 0x10 | Padding | Zeroes |
| 0x20 | 0x20 | SHA256 of the decrypted payload | Verified from 0x280 to 0x23550 |
| 0x40 | 0xE0 | Padding | ASCII Zeroes |
| 0x120 | 0x20 | Revision Nonce | (Likely) SHA256 of the IPL's revision. From this point onward, SAM IPL is encrypted with two layers of CBC crypto |
| 0x140 | 0x40 | Metadata | |
| 0x180 | 0x100 | RSA Header Signature | Verified with the RSA modulus from the SAMU BootROM, from 0 to 0x180 |
| 0x280 | 0x232D0 | Payload | |
| 0x23550 | 0x100 | RSA Footer Signature | Verified from header + body (somewhere else, likely PUP SM Manager) |

MetaData Info

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 0x20 | MetaData Body | Contains Keyslot Keys |
| 0x20 | 0x20 | HDR + MetaData SHA256HMAC | SHA256 of hdr plus metadata (HMAC) |

MetaData Body

| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x0 | 0x20 | KeySlot 1 | |

Revision Nonce Collection

| Hash | Versions Supported | Notes |
|---|---|---|
| 60 CF 88 21 68 52 47 93 8B 6C 81 23 AE D2 A8 B0 B8 EF 9D 39 D9 AE B2 72 7A 0C 64 FD 81 01 18 E7 | ???2.50-5.05??? | Revision 0x23 |
| A5 26 93 8F 00 64 97 41 4F 3F 4E FE 25 EE F0 A3 0F 74 85 43 C9 5A 0A 3E 51 9B 08 BD 62 96 EA 77 | ???5.05??? | Revision 0x26 |
| 86 52 B2 B9 C7 5B DB C7 78 A2 9F 1C DE 20 38 7C CE 8D F7 44 5A 5F CC A1 A3 56 25 93 3E 0D 9B A1 | ???5.05??? | Revision 0x27 |
| 7A E1 C8 43 B3 7E 82 B2 56 56 FD 6A 2F 3B 01 5C 19 4A 40 0D FB 38 71 42 8B CB 6B D8 83 F6 FB FE | ???5.01-5.05??? | Revision 0x2D |
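
The header and metadata layouts above, expressed as a structural parser. This is an added example, not code from the original page or from any tool it describes; the names `parse_ipl_header` and `build_sample` are hypothetical, and the sample image is constructed with dummy contents. It only splits the image into fields and checks that the sizes are consistent (header size plus payload size gives the footer signature offset); it does not decrypt or verify anything.

```python
import struct

MAGIC = bytes.fromhex("5ED79A0B")   # offset 0x0, as listed in the header table
HEADER_SIZE = 0x280                 # value the table gives for the Header Size field
SIG_LEN = 0x100                     # size of the RSA header and footer signatures

def parse_ipl_header(blob: bytes) -> dict:
    """Split a SAMU IPL image into the fields of the header table."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("image shorter than the 0x280-byte header")
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    # Header Size, Entry Point and Payload Size are consecutive little-endian u32s.
    hdr_size, entry, payload_size = struct.unpack_from("<3I", blob, 0x4)
    if hdr_size != HEADER_SIZE:
        raise ValueError(f"unexpected header size {hdr_size:#x}")
    if any(blob[0x10:0x20]):
        raise ValueError("padding at 0x10 is not zero")
    footer_off = hdr_size + payload_size
    if len(blob) < footer_off + SIG_LEN:
        raise ValueError("image truncated before the footer signature")
    meta = blob[0x140:0x180]
    return {
        "entry_point": entry,
        "payload_size": payload_size,
        "payload_sha256": blob[0x20:0x40],     # hash of the decrypted payload
        "revision_nonce": blob[0x120:0x140],
        "metadata_body": meta[:0x20],          # KeySlot 1
        "metadata_hmac": meta[0x20:],          # HDR + MetaData SHA256 HMAC
        "signed_region": blob[:0x180],         # range covered by the header signature
        "header_signature": blob[0x180:0x280],
        "payload": blob[hdr_size:footer_off],  # still encrypted at this stage
        "footer_offset": footer_off,
        "footer_signature": blob[footer_off:footer_off + SIG_LEN],
    }

def build_sample(payload_size: int = 0x232D0) -> bytes:
    """Constructed test image: correct layout, dummy field contents."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = MAGIC
    struct.pack_into("<3I", hdr, 0x4, HEADER_SIZE, 0x100, payload_size)
    hdr[0x120:0x140] = bytes(range(0x20))      # dummy revision nonce
    return bytes(hdr) + bytes(payload_size) + bytes(SIG_LEN)

if __name__ == "__main__":
    info = parse_ipl_header(build_sample())
    print(hex(info["footer_offset"]), info["revision_nonce"].hex())
```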