Storage Manager: Difference between revisions
Revision as of 01:54, 11 December 2017
Storage Manager communicates with devices /dev/encdec0 and /dev/rbd0 from LPAR 1
Lv2 Kernel usage e.g. by:
syscall 864 and syscall SYS_SS_MEDIA_ID (note: inside ss_server1.fself embedded in Lv1.self)
- 2nd value from Repository_Nodes bus1.id is used by Storage Manager
- Storage Manager executes SPU module sb_iso_spu_module.self
- Storage Manager communicates with sb_iso_spu_module.self through a shared DMA memory buffer and SPU MBox
- EID4 data is passed to sb_iso_spu_module.self module.
0x5000 - Storage Manager
Packet ID | Description | Lv1 Parameter Usage | Lv2Syscall Parameter | notes |
---|---|---|---|---|
0x5001 | Set Encdec Key | |||
0x5002 | Set/Delete ATA (Encdec) Key | |||
0x5003 | Get Random Number | |||
0x5004 | Authenticate BD Drive | |||
0x5005 | Authenticate PS2 Disc | |||
0x5006 | Get Secure Firmware Version | |||
0x5007 | Authenticate PS3 Game | |||
0x5008 | HW mc | |||
0x5009 | HW me auth header | |||
0x500A | HW me dec block | |||
0x5010 | Set Encdec Key for PS2 | |||
0x5011 | ||||
0x5012 | Retrieve "X-I-5-Passphrase" |
SB Isolation DMA Buffer Header
```c
struct sb_iso_header {
    u32 seqno;       /* sequence number, see below */
    u32 mbmsg;
    u32 cmd;
    u32 cmd_size;
    u8  cmd_data[0]; /* variable-length command data follows the header */
};
```
- seqno has values 0x03 to 0x08. It is incremented when sending and receiving data from the SPU.
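A bounds-checked reader for this header, as an added example that is not code from the original page or from the firmware. It assumes the fields are big-endian (the Cell's byte order) and that cmd_size counts only the cmd_data bytes; the function names, return codes and sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { SB_ISO_HDR_LEN = 16, SB_ISO_SEQ_MIN = 0x03, SB_ISO_SEQ_MAX = 0x08 };

/* Host-order copy of the four fixed header fields. */
struct sb_iso_hdr { uint32_t seqno, mbmsg, cmd, cmd_size; };

/* Assumption: fields are big-endian, the Cell's native byte order. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 short buffer, -2 seqno outside 0x03..0x08,
 * -3 cmd_size past the end of the buffer (assumption: cmd_size counts
 * only the cmd_data bytes). On success *payload points at cmd_data. */
int sb_iso_parse(const uint8_t *buf, size_t len,
                 struct sb_iso_hdr *out, const uint8_t **payload)
{
    uint8_t snap[SB_ISO_HDR_LEN];

    if (!buf || !out || !payload || len < SB_ISO_HDR_LEN)
        return -1;
    /* Copy the header out of shared memory once, then validate the copy,
     * so the other side cannot change a field after it was checked. */
    memcpy(snap, buf, sizeof snap);
    out->seqno = be32(snap);
    out->mbmsg = be32(snap + 4);
    out->cmd = be32(snap + 8);
    out->cmd_size = be32(snap + 12);
    if (out->seqno < SB_ISO_SEQ_MIN || out->seqno > SB_ISO_SEQ_MAX)
        return -2;
    if (out->cmd_size > len - SB_ISO_HDR_LEN)
        return -3;
    *payload = buf + SB_ISO_HDR_LEN;
    return 0;
}

/* Constructed sample: seqno 3, mbmsg 1, cmd 0x10 (made up), 4 data bytes. */
const uint8_t sb_iso_sample[] = { 0,0,0,3, 0,0,0,1, 0,0,0,0x10, 0,0,0,4,
                                  0xDE, 0xAD, 0xBE, 0xEF };
```

The payload pointer still refers to the shared buffer, so a consumer would copy cmd_size bytes out before acting on them.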
0x5001 - Set Encdec Key
- This service allows you to set ENCDEC keys with index 0xC - 0xF
- By patching HV process 6 it would be possible to set the default ENCDEC key (used for HDD encryption) to a value different from the default one !!! It means we could encrypt our HDDs with a key we want !!!
- The service accepts 2 parameters: a key (max 24 bytes) and a key length (in bits)
- Valid key length values: 0x40, 0x80 and 0xC0
- The service returns the ENCDEC key index used for the key
- ENCDEC supports up to 16 keys !!!
- Storage Manager in HV process 6 has a bit mask of size 2 bytes which indicates which keys are currently in use. By default, keys with index 0x0 - 0xB are not free. But we could patch it also.
0x5002 - Set/Delete ATA (Encdec) Key
- Sets/Deletes ATA (Encdec) Key
- The service has only one parameter of size 8 bytes: 0x100 - Set ATA Key and 0x110 - Delete ATA Key.
- This service is used e.g. by System Manager in HV Process 9 during LPAR booting.
- SPM doesn't allow GameOS to use this service.
- 3 possible key lengths: 0x40, 0x80 and 0xC0
- This service communicates with /dev/encdec0 device.
- The service uses ENCDEC device commands EdecKgen1 (0x81), EdecKgen2 (0x82), EdecKset (0x83) and EdecKgenFlash (0x84).
- This service communicates also with /dev/rbd0 device.
- I guess that the ATA key is stored encrypted in EID4 data.
- This service is used by LPAR Manager in HV Process 9 during LPAR 2 loading.
- I tested this service on Linux with ps3dm-utils and after deleting ATA key the sectors on VFLASH or HDD were NOT decrypted by HV
- After setting ATA key again, the sectors were encrypted/decrypted by HV again
- Deleting an ENCDEC key is nothing more than setting key with all bytes set to 0x0 !!!
- On old PS3s which didn't use HDD for VFLASH, HV uses 2 ENCDEC keys, one for HDD (key index 1) and one for VFLASH (key index 0). On new PS3s which use HDD for VFLASH, only one ENCDEC key is used (key index 1).
Service Parameter Table
Service Parameter | Description |
---|---|
0xC - 0xF | Delete Encdec Key |
0x10* | Set ATA Key (index 1) |
0x11* | Delete ATA Key (index 1) |
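The slot bookkeeping described for 0x5001 together with the deletion rule noted under 0x5002, as an added model that is not code from the original page or from the hypervisor. It assumes bit i of the 2-byte mask stands for key index i, that the lowest free slot is chosen, and that deleting a key also clears its mask bit; all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ENCDEC_SLOTS = 16, ENCDEC_KEY_MAX = 24 };

struct encdec_model {
    uint16_t used;                              /* 2-byte in-use mask */
    uint8_t  key[ENCDEC_SLOTS][ENCDEC_KEY_MAX]; /* 24 bytes = 0xC0 bits */
};

/* Default state from the page: indexes 0x0-0xB are not free.
 * Assumption: bit i of the mask stands for key index i. */
void encdec_init(struct encdec_model *m)
{
    memset(m, 0, sizeof *m);
    m->used = 0x0FFF;
}

/* Model of 0x5001: accept only 0x40/0x80/0xC0 bits, store the key in the
 * lowest free slot (assumed order) and return its index, or -1. */
int encdec_set_key(struct encdec_model *m, const uint8_t *key, uint32_t bits)
{
    if (!m || !key || (bits != 0x40 && bits != 0x80 && bits != 0xC0))
        return -1;
    for (int i = 0; i < ENCDEC_SLOTS; i++) {
        if (m->used & (1u << i))
            continue;
        memset(m->key[i], 0, ENCDEC_KEY_MAX);
        memcpy(m->key[i], key, bits / 8);
        m->used |= (uint16_t)(1u << i);
        return i;
    }
    return -1; /* all 16 slots taken */
}

/* Model of deleting index 0xC-0xF: the key bytes are set to 0x0, as the page
 * says. Assumption: the slot's mask bit is cleared as well. */
int encdec_delete_key(struct encdec_model *m, int idx)
{
    if (!m || idx < 0xC || idx > 0xF)
        return -1;
    memset(m->key[idx], 0, ENCDEC_KEY_MAX);
    m->used &= (uint16_t)~(1u << idx);
    return 0;
}
```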
0x5003 - Get Random Number
- I have got access to Get Random Number service through DM and tested it with PSGroove
- The service returns 192-bit random numbers
- It has no input parameters except those in SS packet header
- Storage Manager communicates with device /dev/encdec0.
- This service is used e.g. by USB Dongle Authenticator to generate the body of a challenge or by GameOS to generate hardware random numbers.
0x5004 - Authenticate BD Drive
- Used by LPAR Manager in HV Process 9 during LPAR 2 loading and unloading.
- Used by SLL Load GOS service (0x14004) in HV Process 3 during PS2EMU loading and by SLL Unload GOS service (0x14005) during PS2EMU unloading.
- The service expects one additional parameter.
- The service is used during loading of LPAR 2 to authenticate BD drive and during unloading LPAR 2 to reset BD drive.
- The service uses isolated SPU module sv_iso_spu_module.self for BD drive authentication.
- The service communicates with LPAR 1 device /dev/rbd0 through ATAPI interface.
Service Parameter Table
Service Parameter | Description |
---|---|
0x00 0x01 | (unknown, ignore/skip) |
0x02 | Used by SLL service 0x14004 during PS2EMU loading |
0x04 | cleans key |
0x0D | |
0x1E | Used by SLL service 0x14005 during PS2EMU unloading |
0x29 | Reset BD Drive + cleans key |
0x2B | Stop BD Drive |
0x46 | Authenticate BD Drive |
0x52 | Authenticate PS2 Disc Insert (policy check) (cellSsDrvPs2DiscInsert) |
0x5A | (only gets PSCode) |
0x8D | Check Device File |
0x5005 - PS2 Disc Authenticate
0x5006 - Get Version
- By default not accessible from GameOS. But it can be enabled by patching Dispatcher Manager.
0x5007 - Control BD Drive
- Used by GameOS to authenticate discs and for BD emulation.
Service Parameter Table
Service Parameter | Description |
---|---|
0x0D | HW_ps3_disc_auth (cellSsDrvAuthDiscPs3) |
0x3F | HW_ps3_disc_auth (disc id), do auth, get profile etc. |
0x41 | HW_ps3_hdd_game_auth |
0x43 | HW_ps3_disc_change (cellSsDrvAuthDiscChange) |
0x46 | HW_ps3_disc_auth, get disc hash key |
0x4B | HW_ps3_disc_auth (media id?) |
0x51 | HW_ps3_disc_auth |
0x52 | HW_ps3_disc_auth |
0x53 | HW_ps3_disc_change (cellSsDrvPs3DiscInsert) |
0xA3 | HW_disc_auth_emu |
0xA5 | HW_disc_auth_emu, set disc mode 2 |
0xA7 | HW_disc_auth_emu |
0xAA | HW_disc_auth_emu, memset given buffer |
0x5008 - HW mc
Service Parameter Table
Service Parameter | Description |
---|---|
0x01 | mc_auth_1 (get?) |
0x02 | mc_auth_2 (clean?) |