Storage Manager

From PS3 Developer wiki
Jump to: navigation, search

Storage Manager communicates with devices /dev/encdec0 and /dev/rbd0 from LPAR 1

Lv2 Kernel usage e.g. by:

syscall 864 and syscall SYS_SS_MEDIA_ID 
(note: inside ss_server1.fself embedded in Lv1.self)
*2nd value from Repository_Nodes  bus1.id is used by Storage Manager 
*Storage Manager executes SPU module sb_iso_spu_module.self 
*Storage Manager communicates with sb_iso_spu_module.self through a shared DMA memory buffer and SPU MBox 
*EID4 data is passed to sb_iso_spu_module.self module.

0x5000 - Security Hardware Framework[edit]

Packet ID Description Lv1 Parameter Usage Lv2Syscall Parameter notes
0x5001 Set Encdec Key
0x5002 Set/Delete ATA (Encdec) Key
0x5003 Get Random Number
0x5004 Authenticate BD Drive (cellSsDrvAuthDrive) Userland access
0x5005 Authenticate PS2 Disc
0x5006 Get Secure Firmware Version
0x5007 Authenticate PS3 Game (cellSsDrvAuthDiscPs3) Userland access
0x5008 HW mc Userland access
0x5009 HW me auth header
0x500A HW me dec block
0x5010 Set Encdec Key for PS2
0x5011 Retrieve M1m for bdv (Bluray Disc Voucher) Userland access
0x5012 Retrieve "X-I-5-Passphrase" NPpp (Network Product passphrase) Userland access


SB Isolation DMA Buffer Header[edit]

struct sb_iso_header
{
    u32 seqno;
    u32 mbmsg;
    u32 cmd;
    u32 cmd_size;
    u8 cmd_data[0];
}
  • seqno has values 0x03 to 0x08. It is incremented when sending and receiving data from the spu.

0x5001 - Set Encdec Key[edit]

  • This service allows you to set ENCDEC keys with index 0xC - 0xF
  • By patching HV process 6 it would be possible to set default ENCDEC key (used for HDD encryption) to a value different from the default one !!! It means we could encrypt our HDDs with a key we want !!!
  • The service accepts 2 parameters: a key (max 24 bytes) and a key length (in bits)
  • Valid key length values: 0x40, 0x80 and 0xC0
  • The service returns the ENCDEC key index used for the key
  • ENCDEC supports upto 16 keys !!!
  • Storage Manager in HV process 6 has a bit mask of size 2 bytes which indicates which keys are used currently.

Per default, keys with index 0x0 - 0xB are not free. But we could patch it also.

0x5002 - Set/Delete ATA (Encdec) Key[edit]

  • Sets/Deletes ATA (Encdec) Key
  • The service has only one parameter of size 8 bytes: 0x100 - Set ATA Key and 0x110 - Delete ATA Key.
  • This service is used e.g. by System Manager in HV Process 9 during LPAR booting.
  • SPM doesn't allow GameOS to use this service.
  • 3 possible key lengths: 0x40, 0x80 and 0xC0
  • This service communicates with /dev/encdec0 device.
  • The service uses ENCDEC device commands EdecKgen1 (0x81), EdecKgen2 (0x82), EdecKset (0x83) and EdecKgenFlash (0x84).
  • This service communicates also with /dev/rbd0 device.
  • I guess that the ATA key is stored encrypted in EID4 data.
  • This service is used by LPAR Manager in HV Process 9 during LPAR 2 loading.
  • I tested this service on Linux with ps3dm-utils and after deleting ATA key the sectors on VFLASH or HDD were NOT decrypted by HV
  • After setting ATA key again, the sectors were encrypted/decrypted by HV again
  • Deleting an ENCDEC key is nothing more than setting key with all bytes set to 0x0 !!!
  • On old PS3s which didn't use HDD for VFLASH, HV uses 2 ENCDEC keys, one for HDD (key index 1) and one for VFLASH (key index 0). On new PS3s which use HDD for VFLASH, only one ENCDEC key is used (key index 1).

Service Parameter Table[edit]

Service Parameter Description
0xC - 0xF Delete Encdec Key
0x10* Set ATA Key (index 1)
0x11* Delete ATA Key (index 1)

0x5003 - Get Random Number[edit]

  • I have got access to Get Random Number service through DM and tested it with PSGroove
  • The service returns 192-bit random numbers
  • It has no input parameters except those in SS packet header
  • Storage Manager communicates with device /dev/encdec0.
  • This service is used e.g. by USB Dongle Authenticator to generate the body of a challenge or by GameOS to generate hardware random numbers.

0x5004 - Authenticate BD Drive[edit]

  • Used by LPAR Manager in HV Process 9 during LPAR 2 loading and unloading.
  • Used by SLL Load GOS service (0x14004) in HV Process 3 during PS2EMU loading and by SLL Unload GOS service (0x14005) during PS2EMU unloading.
  • The service expects one additional parameter.
  • The service is used during loading of LPAR 2 to authenticate BD drive and during unloading LPAR 2 to reset BD drive.
  • The service uses isolated SPU module sv_iso_spu_module.self for BD drive authentication.
  • The service communicates with LPAR 1 device /dev/rbd0 through ATAPI interface.

Service Parameter Table[edit]

Service Parameter Description
0x00 0x01 (unknown, ignore/skip)
0x02 Used by SLL service 0x14004 during PS2EMU loading
0x04 cleans key
0x0D Used by cellSsGamediscSetup
0x1E Used by SLL service 0x14005 during PS2EMU unloading
0x29 Reset BD Drive + cleans key (aka cellSsGamediscSetupClear)
0x2B Stop BD Drive
0x46 Authenticate BD Drive
0x52 Authenticate PS2 Disc Insert (policy check) (cellSsDrvPs2DiscInsert)
0x5A (only gets PSCode )
0x8D Check Device File

0x5005 - PS2 Disc Authenticate[edit]

0x5006 - Get Version[edit]

  • By default not accessible from GameOS. But it can be enabled by patching Dispatcher Manager.

0x5007 - Control BD Drive[edit]

  • Used by GameOS to authenticate discs and for BD emulation.

Service Parameter Table[edit]

Service Parameter Description
0x0D HW_ps3_disc_auth (cellSsDrvAuthDiscPs3)
0x3F HW_ps3_disc_auth (disc id), do auth, get profile etc.
0x41 HW_ps3_hdd_game_auth
0x43 HW_ps3_disc_change (cellSsDrvAuthDiscChange)
0x46 HW_ps3_disc_auth, get disc hash key
0x4B HW_ps3_disc_auth (media id?)
0x51 HW_ps3_disc_auth
0x52 HW_ps3_disc_auth
0x53 HW_ps3_disc_change (cellSsDrvPs3DiscInsert)
0xA3 HW_disc_auth_emu
0xA5 HW_disc_auth_emu, set disc mode 2
0xA7 HW_disc_auth_emu
0xAA HW_disc_auth_emu, memset given buffer

0x5008 - HW mc[edit]

Service Parameter Table[edit]

Service Parameter Description
0x01 mc_auth_1 (get?)
0x02 mc_auth_2 (clean?)

0x5011 - Retrieve "M1m"[edit]

https://paste.ubuntu.com/p/7PvZjF6BY4/

0x5012 - Retrieve "X-I-5-Passphrase"[edit]

https://paste.ubuntu.com/p/bb6gjF9Cxm/