SCECAF File Format: Difference between revisions
CelesteBlue (talk | contribs) No edit summary |
|||
(15 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:Software]]<noinclude>[[Category:Main]]</noinclude> | [[Category:Software]]<noinclude>[[Category:Main]]</noinclude> | ||
Files from coredumps or crash reports are in SCECAF format when encrypted. The file names will be either crash_report.caf or a coredump with a filetype of .spsp2dmp. All data is in little endian format. | |||
Files | |||
== SCECAF Container File Structure == | |||
== | === Header === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Offset !! | ! Offset !! Size !! Description | ||
|- | |- | ||
| 0x0 || 0x8 || | | 0x0 || 0x8 || <code>0x5343454341460000</code> Magic "SCECAF\0\0" | ||
|- | |- | ||
| 0x8 || 0x8 || | | 0x8 || 0x8 || Type (?1: PS4?, 2: PSVita) | ||
|- | |- | ||
| 0x10 || 0x8 || | | 0x10 || 0x8 || HMAC Key ID (always 1) | ||
|- | |- | ||
| 0x18 || 0x8 || | | 0x18 || 0x8 || Number of sections | ||
|- | |- | ||
| 0x20 || 0x8 || | | 0x20 || 0x8 || Size of Header | ||
|- | |- | ||
| 0x28 || 0x8 || | | 0x28 || 0x8 || Total Sections Size | ||
|- | |||
|} | |||
=== Section Meta Block === | |||
{| class="wikitable" | |||
|- | |||
! Offset !! Size !! Description | |||
|- | |||
| 0x0 || 0x8 || Section ID (starts with 0) | |||
|- | |||
| 0x8 || 0x8 || Section Start Offset | |||
|- | |||
| 0x10 || 0x8 || Section Length | |||
|- | |- | ||
| | | 0x18 || 0x8 || HMAC Key ID (Always 1) | ||
|- | |- | ||
| | | 0x20 || 0x8 || Encryption Key ID (Always 2) | ||
|- | |||
| 0x28 || 0x10 || Encryption IV | |||
|- | |||
| 0x38 || 0x8 || Filler | |||
|- | |- | ||
|} | |} | ||
== | === Section Hash Block === | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Offset !! | ! Offset !! Size !! Description | ||
|- | |- | ||
| 0x0 || 0x8 || | | 0x0 || 0x8 || Section ID (starts with 0) | ||
|- | |- | ||
| 0x8 || | | 0x8 || 0x20 || HMAC Hash | ||
|- | |- | ||
| | | 0x28 || 0x8 || Filler | ||
|- | |- | ||
| | |} | ||
=== Header Hash Block === | |||
{| class="wikitable" | |||
|- | |- | ||
! Offset !! Size !! Description | |||
|- | |- | ||
| | | 0x0 || 0x20 || HMAC Hash | ||
|- | |- | ||
|} | |} | ||
=== Sections === | |||
Sections are data (normally Gzipped ELF core or CPAD padding) that are encrypted. The encryption is AES 128 in CBC. The IV comes from the Section Meta Header and the key is one of the 4 keys listed in the [[Keys#Coredump_Keys]] page for Coredumps. The HMAC is the SCE-Modified HMAC SHA256. The HMAC Key is one of the 3 listed on the [[Keys#Coredump_Keys]] page as well. The current theory is which key is specified in the section meta header, though since there are no sample that vary, it is just a guess. | |||
== Kernel Coredump Encrypted ELF == | |||
On firmwares 2.12 and greater, a SceKernelProcess coredump can be created when a critical error (such as a DABT or PABT) occurs in a syscall or kernel thread. The data is encrypted and compressed prior to being wrapped in the SCECAF container. | |||
=== Process === | |||
# The exception handler in the kernel calls SMC 0x122 with the arguments (Error type, TTBR0, VBAR, SysRoot VA) | |||
# TrustZone Configures Pervasive Device and SceGrab device - need why still | |||
# Reset SceDmac5Reg Device | |||
# Create a SceCrashDumpHeader at PA 0x58000000 on retail and 0x60000000 on devkit | |||
# Map SceCrashDumpZero to start of DRAM at PA 0x40000000 | |||
# Configure SceDmac5Reg and loop through all of VRAM at PA 0x20000000 in 0x1000 byte chunks | |||
# Configure SceDmac5Reg and loop through all of DRAM at PA 0x40200000 in 0x10000 byte chunks | |||
# Call SMC 0x11A to initial a reboot in requested coredump mode | |||
# Upon reboot, coredump handler will create a SCECAF container of the data in 0x58000000 or 0x60000000 | |||
= Location = | |||
SCECAF files are used for coredump files. They can be found in ux0:data. | |||
Example : | |||
<source> | |||
ux0:data/crash_report.caf | |||
ux0:data/psp2core-SceVideoPlayer.spsp2dmp | |||
</source> |
Latest revision as of 23:19, 8 March 2021
Files from coredumps or crash reports are in SCECAF format when encrypted. The file names will be either crash_report.caf or a coredump with a filetype of .spsp2dmp. All data is in little endian format.
SCECAF Container File Structure[edit | edit source]
Header[edit | edit source]
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | 0x5343454341460000 Magic "SCECAF\0\0"
|
0x8 | 0x8 | Type (?1: PS4?, 2: PSVita) |
0x10 | 0x8 | HMAC Key ID (always 1) |
0x18 | 0x8 | Number of sections |
0x20 | 0x8 | Size of Header |
0x28 | 0x8 | Total Sections Size |
Section Meta Block[edit | edit source]
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Section ID (starts with 0) |
0x8 | 0x8 | Section Start Offset |
0x10 | 0x8 | Section Length |
0x18 | 0x8 | HMAC Key ID (Always 1) |
0x20 | 0x8 | Encryption Key ID (Always 2) |
0x28 | 0x10 | Encryption IV |
0x38 | 0x8 | Filler |
Section Hash Block[edit | edit source]
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Section ID (starts with 0) |
0x8 | 0x20 | HMAC Hash |
0x28 | 0x8 | Filler |
Header Hash Block[edit | edit source]
Offset | Size | Description |
---|---|---|
0x0 | 0x20 | HMAC Hash |
Sections[edit | edit source]
Sections are data (normally Gzipped ELF core or CPAD padding) that are encrypted. The encryption is AES 128 in CBC. The IV comes from the Section Meta Header and the key is one of the 4 keys listed in the Keys#Coredump_Keys page for Coredumps. The HMAC is the SCE-Modified HMAC SHA256. The HMAC Key is one of the 3 listed on the Keys#Coredump_Keys page as well. The current theory is which key is specified in the section meta header, though since there are no sample that vary, it is just a guess.
Kernel Coredump Encrypted ELF[edit | edit source]
On firmwares 2.12 and greater, a SceKernelProcess coredump can be created when a critical error (such as a DABT or PABT) occurs in a syscall or kernel thread. The data is encrypted and compressed prior to being wrapped in the SCECAF container.
Process[edit | edit source]
- The exception handler in the kernel calls SMC 0x122 with the arguments (Error type, TTBR0, VBAR, SysRoot VA)
- TrustZone Configures Pervasive Device and SceGrab device - need why still
- Reset SceDmac5Reg Device
- Create a SceCrashDumpHeader at PA 0x58000000 on retail and 0x60000000 on devkit
- Map SceCrashDumpZero to start of DRAM at PA 0x40000000
- Configure SceDmac5Reg and loop through all of VRAM at PA 0x20000000 in 0x1000 byte chunks
- Configure SceDmac5Reg and loop through all of DRAM at PA 0x40200000 in 0x10000 byte chunks
- Call SMC 0x11A to initial a reboot in requested coredump mode
- Upon reboot, coredump handler will create a SCECAF container of the data in 0x58000000 or 0x60000000
Location[edit | edit source]
SCECAF files are used for coredump files. They can be found in ux0:data.
Example :
ux0:data/crash_report.caf
ux0:data/psp2core-SceVideoPlayer.spsp2dmp