SC Manager

From PS3 Developer wiki
Jump to navigation Jump to search
  • SC Manager cannot be accessed directly by using DM unfortunately (DM discards all requests) but it's used by other services that are accessable through DM
  • E.g. Update_Manager services "Read EEPROM" and "Write EEPROM" send requests to SC Manager services "Read EEPROM" and "Write EEPROM"
  • SC Manager runs sc_iso.self
  • With full HV rights you could patch Dispatcher Manager and enable access to SC Manager from GameOS.


0x9000 - SC Manager

Packet ID Description
0x9001 Get SRH
0x9002 Set SRH
0x9003 Encrypt
0x9004 Decrypt
0x9005 Init For VTRM
0x9006 Get Region Data
0x9007 Set Region Data
0x9008 Set RTC
0x9009 Get Time
0x900A Set Time
0x900B Read EPROM
0x900C Write EPROM
0x900D Init For Updater
0x900E Get SC Status
0x9011 SC Binary Patch
0x9012 SC RTC Factory
0x9013 Correct RTC Factory
0x9014 Set SC Status
0x9015 Backup Root Info
0x9016 Restore Root Info
0x9017
0x9018

0x9001 - SC Get SRH

struct ss_sc_mgr_get_srh
{
    u8 field0[20];
    u8 res1[4];
    u8 field18[20];
    u8 res2[4];
};

0x9003 - SC Encrypt

  • There are 5 different types/kinds of encryption: 1 - 5.
struct ss_sc_mgr_encrypt
{
    u32 type;               /* 1 - 5 */
    u8 res[4];
    u8 field8[16];
    u8 field18[16];
    u64 field28;
};

0x9004 - SC Decrypt

  • There are 5 different types/kinds of decryption: 1 - 5.
  • Virtual TRM Decrypt Master (0x200E) service uses e.g. decryption type 4.

0x9006 - SC Get Region Data

  • This service expects an ID. The valid range of ID is 0 - 15.
  • E.g. Update Manager uses this service to retrieve hash and version of some SELFs and firmwares, e.g. lv0 and lv1.
struct ss_sc_mgr_get_region_data
{
    u64 id;
    u64 data_size;    /* max 0x30 bytes */
    u8 data[0];
};

Update Package Type - ID Mapping Table

Update Package Type ID
1 0
2 2
3 4
4 6
5 7
6 8

0x9007 - SC Set Region Data

  • This service expects an ID. The valid range of ID is 0 - 15.
  • E.g. Update Manager uses this service to store hash and version of some SELFs and firmwares, e.g. lv0 and lv1.
struct ss_sc_mgr_set_region_data
{
    u64 id;
    u64 data_size;    /* max 0x30 bytes */
    u8 data[0];
};

0x900B - SC Read EPROM

  • There are 2 ways to access SC EPROM: NVS Service and Device Access Service.
  • NVS Service uses Block ID and Block Offset.
  • Not all EPROM offsets can be accessed through SC Manager.
struct ss_sc_mgr_read_eprom
{
    u32 offset;
    u8 res1[4];
    u32 nread;               /* max 0x100 bytes */
    u8 res2[4];
    u64 buf_size;
    u8 buf[0];
    /* here follows buf */
};

EPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)

EPROM Offset Block ID Block Offset Notes
0x48000 - 0x480FF 0x00 0x48000 - 0x480FF
0x48800 - 0x488FF 0x01 0x48800 - 0x488FF
0x48C00 - 0x48CFF 0x02 0x48C00 - 0x48CFF
0x48D00 - 0x48DFF 0x03 0x48D00 - 0x48DFF
0x2F00 - 0x2FFF 0x10 0x2F00 - 0x2FFF "Industry Area" aka OS Version Area
0x3000 - 0x30FF 0x20 0x3000 - 0x30FF "CS Area"
All other offsets Invalid Invalid

0x900C - SC Write EPROM

struct ss_sc_mgr_write_eprom
{
    u32 offset;
    u8 res1[4];
    u32 nwrite;
    u8 res2[4];
    u64 buf_size;
    u8 buf[0];
    /* here follows buf */
};

0x900E - SC Get Status

Here is what the service returned on my fat PS3: 

0x00 0x00 0x00 0x03 0x00 0x00 0x00 0x00 0xC0 0x00 0x00 0xFF 0x00 0x00 0x00 0x00

So, version is 0x00000003 and mode is 0xC00000FF. 

struct ss_sc_mgr_get_sc_status
{
    u32 version;
    u8 res1[4];
    u32 mode;
    u8 res2[4];
};

0x9011 - SC Binary Patch

  • This service is used by Update Manager to send a new SC firmware version to SYSCON.

SC Isolation DMA Buffer Header

struct sc_iso_header
{
    u32 seqno;
    u32 mbmsg;
    u32 cmd;
    u32 cmd_size;
    u8 cmd_data[0];
};


General
Hypervisor
Services
Plugin
Interfaces
ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation
Extended
features
Online
Hardware
SC
CELL
RAM
SB
HDD
BD
Tools
Strings
files
dumps
Reference
Keys & Seeds
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=SC_Manager&oldid=27289"