Game Card: Difference between revisions

From Vita Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 1: Line 1:
A lot of Rumors have flyed around the Vitas Game Card. Some of them could be proven wrong with the work of '''motoharu''' which he released on Github and is available for everyone. One of thoes said rumors was about the GameCards pinout, which is also linked right down under here.
The PSVita GameCard (cartridges) were reversed by 2 teams: '''Cobra BlackFin Team''' and '''motoharu'''.
 


== Pinout ==
== Pinout ==
{| class="wikitable sortable" style="text-align: center;border:3px dotted #123AAA;"
{| class="wikitable sortable" style="text-align: center;border:3px dotted #123AAA;"
|-
|-
Line 29: Line 31:
|-
|-
| 10 || GND || Ground
| 10 || GND || Ground
|-
|}
|}


== HW Reversing ==
== HW Reversing ==
'''motoharus''' write up is simple to massive and to detailed to retype everything here. Instead we'll link to his [https://github.com/motoharu-gosuto/psvcd '''github''']. We'll also fork his work. So if the site is someday down, call us and we'll fix it.
 
'''motoharu's''' write up is simple and massive and too much detailed to retype everything here. Instead we'll link to his [https://github.com/motoharu-gosuto/psvcd '''github''']. We'll also fork his work so if the site is someday down, call us and we'll fix it.




Line 41: Line 43:


== Partitions ==
== Partitions ==
Game card can embed 1 or 2 partitions mounted as gro0: and optionally grw0:.
gro0: is Read-Only whilst grw0: is Read-Write.


Game card can be accessed with [[SceSdif|SceSdif]] module. It has the following [[Partitions|partitions]]:
Game card can be accessed with [[SceSdif|SceSdif]] module. It has the following [[Partitions|partitions]]:
Line 51: Line 58:
|-
|-
| 0xD || raw || || Some data
| 0xD || raw || || Some data
|-
|}
|}


Line 111: Line 117:




=== packet 1 (cmd56 request)===
=== packet 1 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 133: Line 139:
|}
|}


=== packet 2 (cmd56 response)===
=== packet 2 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 151: Line 157:
|}
|}


=== packet 3 (cmd56 request)===
=== packet 3 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 173: Line 179:
|}
|}


=== packet 4 (cmd56 response)===
=== packet 4 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 191: Line 197:
|}
|}


=== packet 5 (cmd56 request)===
=== packet 5 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 213: Line 219:
|}
|}


=== packet 6 (cmd56 response)===
=== packet 6 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 239: Line 245:
|}
|}


=== packet 7 (cmd56 request)===
=== packet 7 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 265: Line 271:
|}
|}


=== packet 8 (cmd56 response)===
=== packet 8 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 283: Line 289:
|}
|}


=== packet 9 (cmd56 request)===
=== packet 9 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 307: Line 313:
|}
|}


=== packet 10 (cmd56 response)===
=== packet 10 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 323: Line 329:
|}
|}


=== packet 11 (cmd56 request)===
=== packet 11 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 345: Line 351:
|}
|}


=== packet 12 (cmd56 response)===
=== packet 12 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 363: Line 369:
|}
|}


=== packet 13 (cmd56 request)===
=== packet 13 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 387: Line 393:
|}
|}


=== packet 14 (cmd56 response)===
=== packet 14 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 405: Line 411:
|}
|}


=== packet 15 (cmd56 request)===
=== packet 15 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 429: Line 435:
|}
|}


=== packet 16 (cmd56 response)===
=== packet 16 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 447: Line 453:
|}
|}


=== packet 17 (cmd56 request)===
=== packet 17 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 471: Line 477:
|}
|}


=== packet 18 (cmd56 response)===
=== packet 18 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"
Line 489: Line 495:
|}
|}


=== packet 19 (cmd56 request)===
=== packet 19 (cmd56 request) ===


{| class="wikitable"
{| class="wikitable"
Line 513: Line 519:
|}
|}


=== packet 20 (cmd56 response)===
=== packet 20 (cmd56 response) ===


{| class="wikitable"
{| class="wikitable"

Latest revision as of 17:34, 3 May 2018

The PSVita GameCard (cartridges) were reversed by 2 teams: Cobra BlackFin Team and motoharu.


Pinout[edit | edit source]

Pinout
Pin Signal Description
1 VCC Voltage
2 GND Ground
3 CLK Clock
4 D3 Data 3
5 D2 Data 2
6 D1 Data 1
7 D0 Data 0
8 INS Detection Pin
9 CMD Command
10 GND Ground

HW Reversing[edit | edit source]

motoharu's write up is simple and massive and too much detailed to retype everything here. Instead we'll link to his github. We'll also fork his work so if the site is someday down, call us and we'll fix it.


Game card is a standard MMC card. Pinout is different, however it complies with MMC card.

File:Gamecard pinout.png

Partitions[edit | edit source]

Game card can embed 1 or 2 partitions mounted as gro0: and optionally grw0:.

gro0: is Read-Only whilst grw0: is Read-Write.


Game card can be accessed with SceSdif module. It has the following partitions:

code type name desc
0x9 exfat gro0 Game Card
0xD raw Some data

Card initialization[edit | edit source]

Card initialization consists of two steps:

  • Standard MMC initialization.
  • Custom CMD56 initialization.

CMD56 is a command that is used to transfer vendor specific data from host to card and back to host.

Second step is crucial and is required to be done before host tries to read any data from the card for example with CMD17.

Standard MMC initialization[edit | edit source]

This step is performed by SceSdif.

Part1: Card identification (SD, MMC, SDIO)

  • 40 00 00 00 00 95 - CMD0 - GO_IDLE_STATE
  • 48 00 00 01 AA 87 - CMD8 - SEND_IF_COND
  • 45 00 00 00 00 5B - CMD5 - IO_SEND_OP_COND
  • 77 00 00 00 00 65 - CMD55 - APP_CMD

Part2: Card initialization

  • 40 00 00 00 00 95 - CMD0 - GO_IDLE_STATE
  • 41 40 FF 80 00 0B - CMD1 - SEND_OP_COND
  • 42 00 00 00 00 4D - CMD2 - ALL_SEND_CID
  • 43 00 01 00 00 7F - CMD3 - SET_RELATIVE_ADDR
  • 49 00 01 00 00 F1 - CMD9 - SEND_CSD
  • 47 00 01 00 00 DD - CMD7 - SELECT_CARD
  • 46 03 AF 01 00 43 - CMD6 - SWITCH (ERASE_GROUP_DEF)
  • 48 00 00 00 00 C3 - CMD8 - SEND_EXT_CSD
  • 50 00 00 02 00 15 - CMD16 - SET_BLOCKLEN
  • 46 03 B9 01 00 2F - CMD6 - SWITCH (HS_TIMING)
  • 46 03 B7 01 00 2D - CMD6 - SWITCH (BUS_WIDTH 4)

Custom CMD56 initialization[edit | edit source]

This step is performed by SceSblGcAuthMgr.

SceSblGcAuthMgr uses SceSblSsSmComm API to send F00D Commands to call Kirk services 1B-20. Game card can be accessed with device index 1

Initialization consists of 20 packets total. There are 10 request and 10 response packets. Each packet is sent or received with CMD56.

  • 78 00 00 00 00 25 - CMD56 (REQUEST)
  • 78 00 00 00 01 37 - CMD56 (RESPONSE)


char key0[0x20] = { 

   0xDD, 0x10, 0x25, 0x44, 0x15, 0x23, 0xFD, 0xC0, 
   0xF9, 0xE9, 0x15, 0x26, 0xDC, 0x2A, 0xE0, 0x84,
   0xA9, 0x03, 0xA2, 0x97, 0xD4, 0xBB, 0xF8, 0x52,
   0xD3, 0xD4, 0x94, 0x2C, 0x89, 0x03, 0xCC, 0x77,

};


packet 1 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x31 response code
0x24 0x04 0x03 additional data size
0x28 0x04 0x13 response size
0x2C 0x01 0xC4 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x03 additional data size

packet 2 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x31 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x13 size of response
0x0A 0x01 0x00 error code
0x0B 0x10 0x00 packet 2 data

packet 3 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x23 response code
0x24 0x04 0x03 additional data size
0x28 0x04 0x05 response size
0x2C 0x01 0xC2 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x03 additional data size

packet 4 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x23 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x05 size of response
0x0A 0x01 0x00 error code
0x0B 0x02 0xFF00 initialization state

packet 5 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x02 response code
0x24 0x04 0x03 additional data size
0x28 0x04 0x2B response size
0x2C 0x01 0xA1 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x03 additional data size

packet 6 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x02 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x2B size of response
0x0A 0x01 0x00 error code
0x0B 0x02 0xE000 unknown
0x0D 0x02 0x01 gc parameter
0x0F 0x02 0x02 unknown
0x11 0x02 0x03 unknown
0x13 0x20 - packet 6 data

packet 7 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x03 response code
0x24 0x04 0x15 additional data size
0x28 0x04 0x23 response size
0x2C 0x01 0xA2 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x15 additional data size
0x2F 0x02 0x01 gc parameter (packet 6)
0x31 0x10 - generated chunk (random?)

packet 8 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x03 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x23 size of response
0x0A 0x01 0x00 error code
0x0B 0x20 - packet 8 data

packet 9 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x05 response code
0x24 0x04 0x33 additional data size
0x28 0x04 0x03 response size
0x2C 0x01 0xA3 command ? (generated with Kirk 1C)
0x2D 0x01 0x00 unknown (generated with Kirk 1C)
0x2E 0x01 0x33 additional data size (generated with Kirk 1C)
0x2F 0x30 - data (generated with Kirk 1C)

packet 10 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x05 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x03 size of response
0x0A 0x01 0x00 error code

packet 11 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x23 response code
0x24 0x04 0x03 additional data size
0x28 0x04 0x05 response size
0x2C 0x01 0xC2 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x03 additional data size

packet 12 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x23 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x05 size of response
0x0A 0x01 0x00 error code
0x0B 0x02 0x00 initialization state

packet 13 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x07 response code
0x24 0x04 0x13 additional data size
0x28 0x04 0x43 response size
0x2C 0x01 0xA4 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x13 additional data size
0x2F 0x10 - generated chunk (random?)

packet 14 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x07 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x43 size of response
0x0A 0x01 0x00 error code
0x0B 0x40 - packet 14 data

packet 15 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x11 response code
0x24 0x04 0x33 additional data size
0x28 0x04 0x43 response size
0x2C 0x01 0xB1 command ? (generated with Kirk 1E)
0x2D 0x01 0x00 unknown (generated with Kirk 1E)
0x2E 0x01 0x33 additional data size (generated with Kirk 1E)
0x2F 0x30 - data (generated with Kirk 1E)

packet 16 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x11 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x43 size of response
0x0A 0x01 0x00 error code
0x0B 0x40 - packet 16 data

packet 17 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x11 response code
0x24 0x04 0x33 additional data size
0x28 0x04 0x43 response size
0x2C 0x01 0xB1 command ? (generated with Kirk 1E)
0x2D 0x01 0x00 unknown (generated with Kirk 1E)
0x2E 0x01 0x33 additional data size (generated with Kirk 1E)
0x2F 0x30 - data (generated with Kirk 1E)

packet 18 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x11 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x43 size of response
0x0A 0x01 0x00 error code
0x0B 0x40 - packet 18 data

packet 19 (cmd56 request)[edit | edit source]

Offset Size Value Description
0x00 0x20 - key0
0x20 0x04 0x19 response code
0x24 0x04 0x13 additional data size
0x28 0x04 0x53 response size
0x2C 0x01 0xC1 command ?
0x2D 0x01 0x00 unknown
0x2E 0x01 0x13 additional data size
0x2F 0x10 - generated chunk (random?)

packet 20 (cmd56 response)[edit | edit source]

Offset Size Value Description
0x00 0x04 0x19 response code
0x04 0x04 0x00 unknown
0x08 0x02 0x53 size of response
0x0A 0x01 0x00 error code
0x0B 0x50 - packet 20 data
Retrieved from "http://www.psdevwiki.com/vita/index.php?title=Game_Card&oldid=6004"