Difference between revisions of "SKSA"

From iQueBrew
Jump to navigation Jump to search
m
(Some corrections; this page should really be cleaned up, and ideally a page for each of SK, SA1, and SA2 should be created.)
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
'''SKSA''' (Secure Kernel / System App) is the "Upgradable Operating System" of the iQue Player, the main software that runs on the device.
+
'''SKSA''' (Secure Kernel / System App) is the "Upgradeable Operating System" of the iQue Player, the main software that runs on the device.
  
 
== Parts ==
 
== Parts ==
As the name implies it consists of two parts: a "secure kernel", and a "system app". In later SKSAs the system-app area may also be divided into two sections: SA1 and SA2.
+
As the name implies it consists of two parts: a [[secure kernel]], and a [[system app]]. In later SKSAs the system-app area may also be divided into two sections: SA1 and SA2.
  
* '''Secure Kernel''': the 'boot1' of the iQue. Doesn't ever seem to change between SKSA versions, so might be similar to the Wii boot1 where the hash of it is checked against a stored hash in the CPU. Probably only stored in NAND as it's cheaper than storing in CPU.
+
* '''Secure Kernel''': the 'boot1' of the iQue. Doesn't ever seem to change between SKSA versions, so might be similar to the Wii boot1; the hash of it is checked against a stored hash in [[Virage2]].
  
* '''System App 1''': Consists of a [[Ticket|ticket]], followed by the actual SA1 data. Most SA1s are just the iQue Menu, though some seem to be factory/graphics tests. SA1 seems to be responsible for handling USB comms too.
+
* '''System App 1''': Consists of a [[CMD|contentDesc-less CMD]], followed by the actual SA1 data. Most SA1s are just the [[iQue Menu]], though some seem to be [[Factory Tests|factory/graphics tests]]. SA1 is responsible for handling USB communications in the two most recent SKSA versions.
  
* '''System App 2''': Also has a ticket, followed by SA2 data. Unknown purpose, in SKSAs that have an SA2 the SA1 size is greatly reduced compared to single-SA SKSAs, assumably they moved some data from SA1 into this, but it seems like dual-SA SA1s can run without needing the corresponding SA2?
+
* '''System App 2''': Also has a CMD, followed by SA2 data. Unknown purpose, in SKSAs that have an SA2 the SA1 size is greatly reduced compared to single-SA SKSAs, presumably they moved some data from SA1 into this, but it seems like dual-SA SA1s can run without needing the corresponding SA2. SA2 contains the iQue Menu in the two most recent SKSA versions.
  
 
== Format ==
 
== Format ==
The format of the SKSA is simple: a 64KiB SK, followed by SA1 (ticket + data), optionally followed by SA2 (ticket + data):
+
The format of the SKSA is simple: a 64KiB SK, followed by SA1 (CMD + data), optionally followed by SA2 (CMD + data):
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
Line 26: Line 26:
 
| 0x10000
 
| 0x10000
 
| 0x4000
 
| 0x4000
| ticket
+
| CMD
| SA1 ticket
+
| SA1 CMD
 
|-
 
|-
 
| 0x14000
 
| 0x14000
| (sa1ticket.ContentSize)
+
| sa1CMD.ContentSize
 
| encrypted bytes
 
| encrypted bytes
 
| SA1 data
 
| SA1 data
 
|-
 
|-
| 0x14000 + sa1ticket.ContentSize
+
| 0x14000 + sa1CMD.ContentSize
 
| 0x4000
 
| 0x4000
| ticket
+
| CMD
| SA2 ticket
+
| SA2 CMD
 
|-
 
|-
| 0x18000 + sa1ticket.ContentSize
+
| 0x18000 + sa1CMD.ContentSize
| sa2ticket.ContentSize
+
| sa2CMD.ContentSize
 
| encrypted bytes
 
| encrypted bytes
 
| SA2 data
 
| SA2 data
Line 50: Line 50:
 
See [https://github.com/emoose/iQueTool/blob/master/iQueTool/Files/iQueNand.cs#L207 SetSKSAData in iQueTool] for an example on how the blocks are transformed, or see [https://github.com/emoose/iQueTool/blob/master/iQueTool/Files/iQueNand.cs#L506 GenerateSpareData] for how the SAData in the spare is set.
 
See [https://github.com/emoose/iQueTool/blob/master/iQueTool/Files/iQueNand.cs#L207 SetSKSAData in iQueTool] for an example on how the blocks are transformed, or see [https://github.com/emoose/iQueTool/blob/master/iQueTool/Files/iQueNand.cs#L506 GenerateSpareData] for how the SAData in the spare is set.
  
The [[BBFS]] FAT table also sets the SKSA blocks to 0xfffd (reserved), to ensure that no files will overwrite them.
+
The [[NAND#BBFS|BBFS]] FAT table also sets the SKSA blocks to 0xfffd (reserved), to ensure that no files will overwrite them.
  
 
== Testing ==
 
== Testing ==
 
A spreadsheet of the different SKSAs that have been tested (whether it boots, what happens when it boots, etc) is available [https://docs.google.com/spreadsheets/d/13wb-jwPEJ9HV2-XUbaLr3VVkGXTrX2LEf6cGce7WdU8/edit?usp=sharing here].
 
A spreadsheet of the different SKSAs that have been tested (whether it boots, what happens when it boots, etc) is available [https://docs.google.com/spreadsheets/d/13wb-jwPEJ9HV2-XUbaLr3VVkGXTrX2LEf6cGce7WdU8/edit?usp=sharing here].
 +
 +
== [http://www.ique.com/products/Player_upgrade.htm Official update log] ==
 +
===Jan 2004 update===
 +
 +
Added Settings(管理) menu and "i-Timer" Smart Clock, allowing parents to set time limit on gaming and allowing games to use real-world time.
 +
 +
===Sept 2004 update===
 +
 +
Added [[iQue@Home]] support to the console.
 +
 +
This update is most likely corresponds to the SKSA version 1095 as it is the first version to have [[iQue@Home]] USB support.
 +
 +
[[Category:File_formats]]

Latest revision as of 11:49, 6 February 2019

SKSA (Secure Kernel / System App) is the "Upgradeable Operating System" of the iQue Player, the main software that runs on the device.

Parts

As the name implies it consists of two parts: a secure kernel, and a system app. In later SKSAs the system-app area may also be divided into two sections: SA1 and SA2.

  • Secure Kernel: the 'boot1' of the iQue. Doesn't ever seem to change between SKSA versions, so might be similar to the Wii boot1; the hash of it is checked against a stored hash in Virage2.
  • System App 2: Also has a CMD, followed by SA2 data. Unknown purpose, in SKSAs that have an SA2 the SA1 size is greatly reduced compared to single-SA SKSAs, presumably they moved some data from SA1 into this, but it seems like dual-SA SA1s can run without needing the corresponding SA2. SA2 contains the iQue Menu in the two most recent SKSA versions.

Format

The format of the SKSA is simple: a 64KiB SK, followed by SA1 (CMD + data), optionally followed by SA2 (CMD + data):

Offset Length Type Information
0x0 0x10000 encrypted bytes Secure Kernel
0x10000 0x4000 CMD SA1 CMD
0x14000 sa1CMD.ContentSize encrypted bytes SA1 data
0x14000 + sa1CMD.ContentSize 0x4000 CMD SA2 CMD
0x18000 + sa1CMD.ContentSize sa2CMD.ContentSize encrypted bytes SA2 data

NAND format

On NAND the format is slightly changed however: instead of storing the SA1 & SA2 data exactly as stored in the cached SKSA, the data is instead reversed in 0x4000 byte blocks (though tickets are unaffected). The NAND spare data is used to store pointers for these blocks, to allow for skipping any bad blocks in the SKSA area.

See SetSKSAData in iQueTool for an example on how the blocks are transformed, or see GenerateSpareData for how the SAData in the spare is set.

The BBFS FAT table also sets the SKSA blocks to 0xfffd (reserved), to ensure that no files will overwrite them.

Testing

A spreadsheet of the different SKSAs that have been tested (whether it boots, what happens when it boots, etc) is available here.

Official update log

Jan 2004 update

Added Settings(管理) menu and "i-Timer" Smart Clock, allowing parents to set time limit on gaming and allowing games to use real-world time.

Sept 2004 update

Added iQue@Home support to the console.

This update is most likely corresponds to the SKSA version 1095 as it is the first version to have iQue@Home USB support.