Devices: Difference between revisions
No edit summary |
(Add some a53io ioctls) |
||
Line 334: | Line 334: | ||
! IOCTL # !! Name !! Notes | ! IOCTL # !! Name !! Notes | ||
|- | |- | ||
| 0x80046101 || | | 0x80046101 || NAND_A53IO_OPEN || Exposes NAND groups for reading | ||
|- | |- | ||
| | | 0x80046102 || NAND_A53IO_CLOSE || Closes off NAND groups | ||
|- | |- | ||
| 0x80046105 || | | 0x80046103 || NAND_A53IO_SETUP_FLASH_DEVICE || - | ||
|- | |||
| 0x80046104 || NAND_A53IO_DISABLE_CONTROLLER || Disables A53 controller (warning: this will put the console in a bad state) | |||
|- | |||
| 0x80046105 || NAND_A53IO_FORMAT_NVM || Formats NVMe | |||
|- | |- | ||
| 0x80186111 || BFS_A53IO_READ_DEVICE? || - | | 0x80186111 || BFS_A53IO_READ_DEVICE? || - |
Revision as of 22:23, 22 August 2023
Note for ioctls: * indicates name is assumed from RE and may not be accurate.
Device Listing
Note: only unique devices are listed. Benign devices like /dev/null are omitted for brevity's sake.
Path | Device Name | Notes |
---|---|---|
/dev/a53{io,mm,mmsys} | A53 Input/Output, Memory Management (sys) | See MP4 section |
/dev/ajm{i} | Audio Job Manager | - |
/dev/auditpipe | - | - |
/dev/authmgr | Authentication Manager | - |
/dev/az{1,ctl} | - | Audio-related |
/dev/bar | Backup and Restore | Used by shellcore for backup and recovery |
/dev/bfs/ctl | - | - |
/dev/bluetooth_hid | - | - |
/dev/bt | - | - |
/dev/camera | Camera | - |
/dev/cloudsd | Cloud SaveData | - |
/dev/console | Console | Usermode logging |
/dev/crepo | Crash Report | Used for crash reporting service (coredump, gpudump, shellcore) |
/dev/ctrlp{_sync} | - | Used by libScePad (controller) |
/dev/dbggc{_control} | Debug GPU? | - |
/dev/deci_coredump | Debug Com. Interface (DECI) coredump | - |
/dev/deci_mp4_ioc | DECI I/O Control? | - |
/dev/deci_mp4_mmc | - | - |
/dev/deci_std{in,out,err} | DECI Input/Output/Error | - |
/dev/deci_tty* | DECI Terminals | - |
/dev/devctl | - | - |
/dev/diag | - | - |
/dev/dipsw | Dip Switch | - |
/dev/dldbg | Dynamic Library Debug | - |
/dev/dmem{0,1,2} | - | - |
/dev/dngl | - | - |
/dev/duid | Disc Unique ID | - |
/dev/encdec | EncDec | - |
/dev/envelope | Envelope Format Crypto | - |
/dev/evlg{0,1} | Event Log | Intended to be used with read syscall |
/dev/exthdd | External HDD | - |
/dev/fcram | - | - |
/dev/fsctrl | - | - |
/dev/fttrm | - | Used by bluray app |
/dev/gbase | - | - |
/dev/gc | GPU command | - |
/dev/geom.ctl | - | - |
/dev/gic | - | - |
/dev/gsched_bds.ctl | - | - |
/dev/hdmi | HDMI | - |
/dev/hid | - | - |
/dev/hmd2_* | VR 2? | - |
/dev/hmd_* | VR | - |
/dev/iccnvs{0,1,2,4,6} | ICC_NVS (sectors) | Location of Sectors 0, 1, 2, 4 and 6 of sflash0 non volatile storage |
/dev/icc_configuration | ICC Config | - |
/dev/icc_crash_report | ICC Crash Report | - |
/dev/icc_device_power | ICC Device Power | - |
/dev/icc_fan | ICC Fan | - |
/dev/icc_floyd | ICC TPM? | SNVS Storage Device |
/dev/icc_indicator | ICC LED | - |
/dev/icc_nvs | ICC NVS | - |
/dev/icc_power | ICC Power | - |
/dev/icc_sc_config | ICC Syscon? Config | - |
/dev/icc_thermal | ICC Thermal | - |
/dev/klog | Kernel Log | Read syscall on this device can be used to get kernel log if privileged |
/dev/kmbp | - | - |
/dev/lvdctl | Layered Vnode Device Control | - |
/dev/lvd{0,1} | Layered Vnode Device | - |
/dev/m2.ctl | m.2 NVMe Control? | - |
/dev/manuauth | Manufacturer Auth | - |
/dev/mbus | Event bus | - |
/dev/mbus_av | Event bus (audio video?) | - |
/dev/md0 | Kernel Md0 | Main System modules are located here for Kernel (Not System Modules!) |
/dev/md2 | - | - |
/dev/mdctl | - | - |
/dev/metadbg | - | - |
/dev/mp1 | System Management Unit (SMU) | Power management, thermals, etc. (see mp1 section) |
/dev/mp3 | Trusted Execution Environment (TEE) | See mp3 section |
/dev/mp4/dump{_for_decid} | A53 (mdbg?) | See mp4 section |
/dev/notification{0-9} | Notification | - |
/dev/npdrm | Network Product Digital Rights Management interface | - |
/dev/nsfsctl | Namespace Filesystem (NSFS) Control | - |
/dev/nsid1.ctl | - | - |
/dev/otpaccess | One-Time Programmable Access? | - |
/dev/pfsctldev | Playstation Filesystem (PFS) Control | - |
/dev/pfsmgr | PFS Manager | Used for trophies, savegames, keystone |
/dev/playgo_emu_param{1,2,3} | PlayGo emulator params | - |
/dev/pltauth{0,1} | Platform Authentication (PSN) | - |
/dev/pup_update0 | PUP Update | - |
/dev/qafutkn | QA flag / Utoken | - |
/dev/rnps | React Native PS | PSN related |
/dev/rootparam | Root Param | Used by shellcore for verifying root param sfo/json |
/dev/s3da | 3D Audio | - |
/dev/sbl_secreg | SBL Secure Region | - |
/dev/sbl_srv | SBL Service | Used exclusively by playready |
/dev/scanin | - | - |
/dev/sce_zlib{_sys} | zlib | zlib (de)compression |
/dev/sc_fw_update0 | (syscon?) firmware update | - |
/dev/sflash0 | SPI flash | 2MB. Has EMC firmware and (non-secure) NVS. |
/dev/srtc | Secure Real Time Clock | - |
/dev/ssd0.* | Internal SSD partitions | - |
/dev/sshot | Screenshot | - |
/dev/transactionid.ctl | - | - |
/dev/ufssuspend | - | - |
/dev/usbctl | USB control | - |
/dev/uvd_{dec/enc/bgt} | Unified Video Decoder? | - |
/dev/wlanbt | Wireless LAN + Bluetooth | - |
/dev/xpt0 | XPT Transport Interface | CAM Transport Layer |
Platform Security Processor Core (PSP) (MP0)
- All the fun things are here
- Named SMU PSP as well
- Named ASP as well (AMD Secure Processor)
System Management Unit (SMU) (MP1)
MP1 (System Management Unit or "SMU") is an xtensa CPU responsible for power management, clock management, sampling sensor data, and other power/thermal-related tasks. The /dev/mp1 device can be used to issue commands to it. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0x4068AE01 | MP1_IOCTL_GET_CLK | Get clock frequency |
0x8004AE17 | MP1_IOCTL_SET_GFXCLK | Set graphics clock frequency |
0xC004AE18 | MP1_IOCTL_REQUEST_MODE_SWITCH | - |
0x8008AE1D | MP1_IOCTL_SET_COREPSTATE | Set core power state? |
0xC00CAE1E | MP1_IOCTL_GET_COREPSTATE | Get core power state? |
Sensor Fusion Processor (SFP) (MP2)
- doesn't exist on ps5
- mainly for mobiles
Trusted Execution Environment (TEE) (MP3)
MP3 consists of the Trusted Execution Environment (TEE) running on the AMD Platform Security Processor (PSP/SP). Its primary function is Digital Rights Management (DRM) via PlayReady SL3000. In userspace, the libSceTEEClient library is used for interfacing with it, which internally uses /dev/mp3 to load secure binaries (sbins) and establish sessions. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC010B403 | TEE_IOC_INVOKE | Invoke commands |
0xC010B408 | TEE_IOC_DLM_GET_DEBUG_TOKEN | - |
0xC028B409 | TEE_IOC_DLM_START_TA_DEBUG | - |
0xC110B40A | TEE_IOC_DLM_FETCH_DEBUG_STRING | - |
0x8008B40B | TEE_IOC_DLM_STOP_TA_DEBUG | - |
0x8008B40B | TEE_IOC_INIT_ASD | - |
0xC038B40C | TEE_SHM_REGISTER | - |
0xC004B40E | TEE_SHM_RELEASE | - |
0xC004B40F | TEE_SET_TIMEOUT | - |
A53MM/A53IO (MP4)
MP4, which consists of /dev/a53mm, /dev/a53mmsys, and /dev/a53io, is used for various tasks, and its overall purpose is not fully understood. Some of the things it includes are debugging (mdbg), video encode/decode, and other various memory-management related things. Below are known commands.
a53mm
IOCTL # | Name | Notes |
---|---|---|
0xC004AC01 | - | - |
0xC030AC02 | A53MM_GIVE_DIRECT_MEM_TO_MAPPER | - |
0xC030AC03 | A53MM_CALL_INDIRECT_BUFFER | - |
0xC050AC05 | A53MM_MAPPER_VIRTUAL_QUERY | - |
0xC038AC06 | A53MM_GET_PARAM * | - |
0xC018AC07 | - | - |
0xC004AC08 | - | - |
0xC018AC09 | - | - |
0xC010AC0A | - | - |
0xC018AC0B | A53MM_MAPPER_QUERY_PA | - |
0xC004AC0D | A53MM_WAIT_COMMAND_BUFFER_COMPLETION | - |
0xC018AC0E | A53MM_INTERNAL_LOCK_UNLOCK_MAPPER_MEMORY | - |
0xC018AC0F | - | - |
0xC018AC10 | A53MM_GET_USAGE_STATS_DATA | - |
0xC004AC11 | A53MM_SET_PAGE_TABLE_POOL_OCCUPANCY_THRESHOLD | - |
0xC018AC12 | A53MM_INTERNAL_TEST_PAGE_MIGRATION | - |
0xC004AC13 | - | - |
a53mmsys
IOCTL # | Name | Notes |
---|---|---|
0xc020b501 | A53MMSYS_INTERNAL_LOCK_UNLOCK_MAPPER_MEMORY | - |
0xc028b502 | - | - |
0xc050b503 | - | - |
0xc010b504 | - | - |
0xc028b505 | A53MMSYS_MAPPER_GET_INDIRECT_BUFFER_INFO | - |
0xc020b506 | - | - |
0xc018b507 | - | - |
0xc018b508 | A53MMSYS_DEBUG_MAPPER_QUERY_DMEM_OFFSET | - |
0xc020b50a | - | - |
0xc010b50b | A53MMSYS_DEBUG_GET_AMPR_COUNTER_INFO | - |
a53io
IOCTL # | Name | Notes |
---|---|---|
0x80046101 | NAND_A53IO_OPEN | Exposes NAND groups for reading |
0x80046102 | NAND_A53IO_CLOSE | Closes off NAND groups |
0x80046103 | NAND_A53IO_SETUP_FLASH_DEVICE | - |
0x80046104 | NAND_A53IO_DISABLE_CONTROLLER | Disables A53 controller (warning: this will put the console in a bad state) |
0x80046105 | NAND_A53IO_FORMAT_NVM | Formats NVMe |
0x80186111 | BFS_A53IO_READ_DEVICE? | - |
0xC03861A1 | BFS_A53IO_READ_BLOCK | - |
0xC03861A2 | BFS_A53IO_WRITE_BLOCK | - |
0xC01061C1 | BFS_A53IO_CREATE_RESERVED_LBA | - |
0xC01061C2 | BFS_A53IO_DELETE_RESERVED_LBA | - |
0xC00C61C5 | ???? | Related to delete logical partitions |
0xC01061C8 | ???? | Related to delete logical partitions |
0xC02061CA | ???? | Related to delete logical partitions |
Backup and Restore
Backup and Restore (BAR) is used by shellcore via /dev/bar. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC0684201 | BAR_CREATE_CONTEXT | - |
0xC0684202 | BAR_DESTROY_CONTEXT * | - |
0xC0684203 | BAR_INIT_CONTEXT | - |
0xC0684204 | BAR_UPDATE_AAD | - |
0xC0684205 | BAR_UPDATE_ENCRYPT | - |
0xC0684206 | BAR_UPDATE_DECRYPT | - |
0xC0684207 | BAR_FINISH_ENCRYPT | - |
0xC0684208 | BAR_FINISH_DECRYPT | - |
Disc UID
Disc UID (/dev/duid) has its own library (libSceDiscId). It's unknown what this is used for at present. It has 2 known ioctls.
IOCTL # | Name | Notes |
---|---|---|
0xC0104401 | DISC_ID_GET | - |
0xC0104402 | DISC_ID_GET2 | - |
Dynamic Library Debug
Dynamic Lib Debug (/dev/dldbg) is used by the library for debugging syscore. Given the name, it's likely used for debugging sprx libs. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0x80084401 | DLDBG_STOP_ON_DL_LOAD | - |
0x80084402 | DLDBG_NO_STOP_ON_DL_LOAD | - |
0xC0084403 | DLDBG_GET_DL_LOAD_FLAG | - |
FTTRM
FTTRM's full purpose is unknown, but it's likely DRM-related. It's used by the Bluray app (BdmvPlayerCore, BdvdPlayerCore, UHDBdPlayerCore) via /dev/fttrm. There are only 2 known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC0185301 | FTTRM_READ_SECTOR | - |
0xC0185302 | FTTRM_WRITE_SECTOR | - |
ICC Floyd (TPM)
The /dev/icc_floyd is for interacting with the floyd Trusted Platform Module (TPM) over ICC. It only has one known command.
IOCTL # | Name | Notes |
---|---|---|
0x400EB701 | ICC_FLOYD_GET_VERSION | - |
0xC010440E | FLOYD_UPDATE_FW | - |
Manufacturer Authorization
The /dev/manuauth device seems to be for manufacturer authorization or authentication. It's used in various updaters. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0x40184D01 | MANUAUTH_LOAD_SM | Loads the secure module |
0x40184D02 | MANUAUTH_UNLOAD_SM | Unloads the secure module |
0xC0184D03 | MANUAUTH_SET_MANU_MODE | Sets manufacturer mode |
Namespace Filesystem Control
The Namespace Filesystem (NSFS) is used by Virtual Shell (Vsh) and shellcore. It's critical to processes running on the system. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC0406E00 | NSFS_CREATE_REDIRECT | - |
0xC0406E01 | NSFS_DELETE_REDIRECT | - |
0xC0186E02 | NSFS_GET_REDIRECT_STATS | - |
0xC0206E03 | NSFS_ADD_OVERLAY_TO_NAMESPACE | - |
0xC0186E04 | NSFS_SET_GLOBAL_EXCLUDE | - |
PFS Control
Playstation Filesystem (PFS) Control and /dev/pfsctldev is used internally for VSH. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0x8030B001 | DEVPFSCTL_FORMAT | - |
0xC0E0B006 | DEVPFSCTL_GETFSSTAT | - |
0xC040B008 | DEVPFSCTL_MOUNT | - |
0xC038B009 | DEVPFSCTL_UNMOUNT | - |
0xC028B00A | DEVPFSCTL_GETEVENT | - |
0xC030B00B | DEVPFSCTL_EVENTCOMP | - |
0xC020B00C | DEVPFSCTL_CANCELEVENT | - |
0xC020B00D | DEVPFSCTL_REGEVENT | - |
0xC020B00E | DEVPFSCTL_DEREGEVENT | - |
0x8004B00F | DEVPFSCTL_SYSPOWEREVENT | - |
0xC008B074 | DEVPFSCTL_FSCK | - |
PFS Manager
PFS Manager (/dev/pfsmgr) is used by shellcore. It handles trophy related tasks, savedata, and keystone verification. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC1185001 | - | - |
0xC1185002 | - | - |
0xC1185003 | - | - |
0xC4085004 | - | - |
0x40845301 | - | - trophy related |
0xC0845302 | - | - savedata related |
0x40845303 | - | - savedata related |
0xC0845304 | - | - ??? |
0xC0845305 | - | - ??? |
0xC0A84B01 | - | - ??? |
0xC0A84B02 | PFSMGR_VERIFY_KEYSTONE | - |
PUP Updater
The /dev/pup_update0 device is used to perform firmware updates.
IOCTL # | Name | Notes |
---|---|---|
0xC0104401 | PUP_UPDATER_VERIFY_BLS_HEADER | - |
0xC0184402 | PUP_UPDATER_DECRYPT_HEADER | - |
0xC0184403 | PUP_UPDATER_VERIFY_ADDITIONAL_SIGN | - |
0xC0184404 | PUP_UPDATER_VERIFY_WATERMARK | - |
0xC0184405 | PUP_UPDATER_DECRYPT_SEGMENT | - |
0xC0284406 | PUP_UPDATER_DECRYPT_SEGMENT_BLOCK | - |
0x20004407 | PUP_UPDATER_UPDATE_SNVS | - |
0xC0104408 | PUP_UPDATER_GEN_CHALLENGE | - |
0xC018440A | PUP_UPDATER_READ_NAND_GROUP | - |
0xC018440B | PUP_UPDATER_WRITE_NAND_GROUP | - |
0xC010440C | PUP_UPDATER_IDENTIFY_NAND_CONTROLLER | - |
0xC004440D | PUP_UPDATER_IS_FW_OPERATIONAL | - |
0xC010440E | PUP_UPDATER_FLOYD_UPDATE_FW | - |
0xC001440F | PUP_UPDATER_GET_XTS_KEY_NUM | - |
0xC0104410 | PUP_UPDATER_VERIFY_RESPONSE | - |
Root Param
Root Param is used by shellcore to verify root param sfos (for PS4) or jsons (for PS5, aka PPR for ProsPeRo). Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0xC0305201 | ROOTPARAM_VERIFY_PS4_ROOT_PARAM | - |
0xC0305202 | ROOTPARAM_VERIFY_PPR_ROOT_PARAM | - |
0xC0305203 | ROOTPARAM_RESUME_FROM_STANDBY | - |
CAM Transport Layer
CAM (Common Access Method) storage subsystem provides a method for implementing drivers to control various known storage devices. Attaches any devices it finds to the appropriate drivers.
IOCTL # | Name | Notes |
---|---|---|
0xC4E01902 | - | related to cam_send_ccb |
0xC4E01903 | CAMGETPASSTHRU | related to cam_lookup_pass |
Wireless LAN + Bluetooth
WLAN and Bluetooth functionality is reachable via /dev/wlanbt. Below are known commands.
IOCTL # | Name | Notes |
---|---|---|
0x40047400 | WLANBT_GET_DEVICE_ID | - |