F00D Processor (Toshiba MeP)
This microcontroller perform most of the cryptography tasks including storing and handing of keys. There is little information about it though. The F00D Microcontroller (named after the e_machine field of the ELF headers) is an HSM .
Communication[edit | edit source]
Communication seems to go through some sort of FIFO register.
Write[edit | edit source]
To write, put the double word into 0xE0000010. Next read 0xE0000010 until it returns 0, which indicates the data was read by the F00D micro.
Read[edit | edit source]
To read, get a double word from 0xE0000000. If it returns 0, no data is available. Otherwise, acknowledge that the data has been read by putting the same data into 0xE0000000.
Protocol[edit | edit source]
A 32-bit command buffer is defined below. The command is sent to the F00D micro with the method listed above.
| Bit End | Bit Start | Name | Description |
|---|---|---|---|
| 31 | 23 | ? | ? |
| 22 | 22 | ? | ? |
| 21 | 21 | ? | ? |
| 20 | 18 | flag? | ? |
| 17 | 13 | ? | Always 0 |
| 12 | 8 | ID | Command ID |
| 7 | 1 | ? | Always 0 |
| 0 | 0 | Valid | Set 1 to indicate command is valid |
Command ID[edit | edit source]
Below are notes on different commands.
0x0[edit | edit source]
Seems to be used to set the 0x100 sized shared buffer. First the physical address of the buffer is written to 0xE0000010 and then command 0x0 is written.
0x1[edit | edit source]
May be used to reset F00D micro.
0x9[edit | edit source]
Seems to be used to set a 0x80 sized shared buffer.
0xA[edit | edit source]
Seems to set the SCE encrypted revocation list.
Memory[edit | edit source]
kprx_auth_sm.self is allowed access to 0x1F000000, 0x1F840000, 0x20000000, and 0x40300000. The address checks is likely done in software. F00D has it's own private 128KB memory from 0x00800000 to 0x00820000. F00D SELFs are typically loaded to 0x0080B000.