Introduction[edit | edit source]

• The following information was reverse engineered from lv0ldr, lv0, lv1.self, and Iso module sc_iso.self.
• Big thanks to graf_chokolo for a large part of the basis of this page, and to Jestero for Syscon Authentication info!

Overview of Syscon Communication[edit | edit source]

• Syscon lives at the mmio space of 0x24000080000.
• Communication occurs through mmio read/writes.

List of known offsets in Syscon:

Quick explanation of the packet counters:

• There are two counters that are incremented by each side (Cell / Syscon).
• 0xCFF0 and 0xDFF0 are incremented by the sending side (Syscon for 0xCFF0, Cell for 0xDFF0)
• 0xCFF4 and 0xDFF4 are incremented by the receiving side (Cell for 0xCFF4, Syscon for 0xDFF4)

Syscon Services[edit | edit source]

• To be completed... (see Discussion page for examples)

03 SERV_SDA         (not available on Sherwood)
10 SERV_DEVPM
11 SERV_THERM
12 SERV_SETCFG
13 SERV_SYSPM
14 SERV_NVS
15 SERV_SIRCS       (not available on Sherwood)
16 SERV_NOTIF
17 SERV_INTR_NOTIF  (not available on Sherwood)
18 SERV_VERS
1B SERV_LIVELOCK
1C SERV_OSWDT
1E SERV_DIAG        (not available on Sherwood)
1F SERV_SECU
20 SERV_CONSOLE
2D SERV_PATCH
30 SERV_HDMI
40 SERV_LS
50 SERV_STORAGE     (not available on Sherwood)

F1 CC_CGMS_191F8
F2 SERV_LS_DATA_23EBC

Syscon Packet Headers[edit | edit source]

• Some useful packet headers...
• If the header is shorter than 0x10, you must add your own size.
• If greater than 0x10, it's a full packet ;)

Syscon Authentication[edit | edit source]

- An IV of 0x00 is used for most AES steps.

Step 1 - Generate Individual Seeds[edit | edit source]

Encrypt sc_iso metadata seeds w/ eid root key / iv.

aes256cbc_enc(eid_root_erk, eid_root_riv, sc_module_seeds, 0x40, sc_module_seeds);

Step 2 - Generate SC_ISO encrypted keys[edit | edit source]

Encrypt the sc_key_seeds.

indiv_key = sc_module_seeds + 0x20;
for (int i = 0; i < 0x100; i += 0x10)
    aes256cbc_enc(indiv_key, zero_iv, key_seeds + i, 0x10, enc_key_seeds + i);

Step 3 - Authenticate with Syscon[edit | edit source]

Pick a session_id. Must be <= 7.

Step 3a - Secure Packet Header[edit | edit source]

struct secure_payload_header {
    u8 session_id;
    u8 seq_service_id;  //service_ID (Unsecure uses 0xFF, AUTH1 = 0x02, AUTH2 = 0x03, READ_DATA = 0x04, WRITE_DATA = 0x05)
    u8 packet_type;     //0xFF for BE->SC, 0x00 for SC->BE (if success)
    u8 magic[0x2];      //0xAD1A
    u8 prng_random[0xB] //Random shit for padding
};

Step 3b - AUTH 1 to SC[edit | edit source]

uint8_t random_shit[0x10];
auth_key_1_0x01 = enc_key_seeds + (session_id * (0x10*2));
auth_key_2_0x01 = enc_key_seeds + (session_id * (0x10*2) + 0x10);

//generating random payload for auth1
rnd_gen(random_shit, 0x10);

//create auth1 random data
aes128cbc_enc(auth_key_1_0x01, zero_iv, random_shit, 0x10, secure_payload_buf + 0x10);

//length = 0x20
//Create secure header/footer
// create header: 5 bytes + random stuff (0xb)
payload_header->session_id = session_id;
payload_header->seq_service_id = seq_service_id++; // starts at 0
payload_header->packet_type = 0xFF;
payload_header->magic[0] = 0xAD;
payload_header->magic[1] = 0x1A;
rnd_gen((u8*) &payload_header->prng_random, 0x0B);
    
//encrypt payload
aes128cbc_enc(be2sc_key, zero_iv, secure_payload_buf, length, secure_payload_buf);

// create footer: omac1 of the whole packet
aesOmac1Mode(secure_payload_buf + length, secure_payload_buf, length, be2sc_key, sizeof(be2sc_key)*8);

//Set regular header
memcpy(sc_packet, auth1_pkt_header, 0x10);

//Send packet. 0x40 Bytes

Step 3c - Validate AUTH1[edit | edit source]

First, check the header/footer.

• Calculate AES OMAC over the packet length and compare to OMAC from syscon. Use sc2be key.
• Decrypt internal packet with sc2be key. Use AES128CBC
• Compare returned session_id and seq_service_id.
• Check secure_payload_buf[0x2] == 0.

Then check the AUTH1 response

// decrypt secure_payload
for (i = 0x0; i < 0x20; i += 0x10)
    aes128cbc(auth_key_2_0x01, zero_iv, secure_payload_buf + 0x10 + i, 0x10, secure_payload_buf + 0x10 + i);
    
// check if challange returned from syscon is correct
res = memcmp(secure_payload_buf + 0x10, random_shit, 0x10);
if (res != 0)
    return -1;
    
// save the new challange needed for AUTH2
memcpy(auth_challenge, secure_payload_buf + 0x20, 0x10);

Step 3d - AUTH2 to SC[edit | edit source]

//AUTH2 Challenge Payload
aes128cbc_enc(auth_key_1_0x01, zero_iv, auth_challenge, 0x10, secure_payload_buf + 0x10);

//length = 0x20
//Create secure header/footer
// create header: 5 bytes + random stuff (0xb)
payload_header->session_id = session_id;
payload_header->seq_service_id = seq_service_id++; // starts at 0
payload_header->packet_type = 0xFF;
payload_header->magic[0] = 0xAD;
payload_header->magic[1] = 0x1A;
rnd_gen((u8*) &payload_header->prng_random, 0x0B);
    
//encrypt payload
aes128cbc_enc(be2sc_key, zero_iv, secure_payload_buf, length, secure_payload_buf);

// create footer: omac1 of the whole packet
aesOmac1Mode(secure_payload_buf + length, secure_payload_buf, length, be2sc_key, sizeof(be2sc_key)*8);

//Set regular header
memcpy(sc_packet, auth2_pkt_header, 0x10);

//Put packet - 0x40 packet length

Step 3e - Validate AUTH2[edit | edit source]

Again, check the header/footer.

• Calculate AES OMAC over the packet length and compare to OMAC from syscon. Use sc2be key.
• Decrypt internal packet with sc2be key. Use AES128-CBC
• Compare returned session_id and seq_service_id.
• Check secure_payload_buf[0x2] == 0.

// encrypt random_shit using auth_challenge (returned from AUTH1 reply) as key and 0 IV
aes128cbc_enc(auth_challenge, zero_iv, random_shit, 0x10, session_key);

// encrypt result in place with session_key_create[0x10 * sess_id] and IV 0 (result will be the session_key)
aes128cbc_enc(session_key_create + (session_id * 0x10), zero_iv, session_key, 0x10, session_key);

// use the session_key to decrypt auth2_payload in place (0x10)
aes128cbc(session_key, zero_iv, secure_payload_buf + 0x10, 0x10, secure_payload_buf + 0x10);
    
// compare the result with a 0x10 zero string
res = memcmp(secure_payload_buf + 0x10, zero_iv, 0x10);

//res == 0x0 is good.

Step 4 - Profit?[edit | edit source]

You are now authenticated with syscon, and can use privileged commands. Just use the session_key calculated from the AUTH2 reply to encrypt/decrypt responses.

Some Samples from DYN-001 Syscon SPI SC Comms[edit | edit source]

• https://mega.nz/#!2w00VAjK!u10PD2b0G-MqwUZTBD4Nv_by36QNn8P-jVIUxq0pLDM (dead link)

00 70 0B 93 FF DC CF 43 97 68 49 06 71 32 27 C1 
E8 9F D1 73 DA 4D FA A2 7C 6F 24 F7 BD 95 37 EC 
F9 17 5B BB DB 32 E8 82 55 3F 51 23 F1 71 E6 88

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation PS1 Emulation · PS2 Emulation · PSP Emulation Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks