Difference between revisions of "Virage2"

From iQueBrew
Jump to navigation Jump to search
(Created page with "OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using...")
 
(Fixed ECC public/private key lengths and offsets)
 
(12 intermediate revisions by 5 users not shown)
Line 1: Line 1:
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file.
+
Virage2 is a 16K EEPROM bank located inside the SoC that can only be read in secure mode (mapped at <tt>0xBFCA0000</tt>).
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 8: Line 8:
 
! Note
 
! Note
 
|-
 
|-
| 0x00 || 0x14 || SK Hash || common
+
| 0x00 || 0x14 || skHash || Secure Kernel hash
 
|-
 
|-
| 0x14 || 0x10  || ROM Patch || common
+
| 0x14 || 0x40 || romPatch || ROM patch bitmap (4 x 0x10)
 
|-
 
|-
| 0x24 || 0x10  || ROM Patch || common
+
| 0x54 || 0x40 || publicKey || Per-console ECC public key
 
|-
 
|-
| 0x34 || 0x10  || ROM Patch || common
+
| 0x94 || 0x04 || bbId || Per-console ID
 
|-
 
|-
| 0x44 || 0x10  || ROM Patch || common
+
| 0x98 || 0x20 || privateKey || Per-console ECC private key
 
|-
 
|-
| 0x54 || 0x20  || EccPublicKey || per-console
+
| 0xB8 || 0x10 || bootAppKey || Common key
 
|-
 
|-
| 0x74 || 0x04  || bbId || per-console
+
| 0xC8 || 0x10 || recryptListKey || Per-console key
 
|-
 
|-
| 0x78 || 0x40  || EccPrivateKey || per-console
+
| 0xD8 || 0x10 || appStateKey || Per-console key
 
|-
 
|-
| 0xB8 || 0x10 || bootAppKey - COMMON KEY || common
+
| 0xE8 || 0x10 || selfMsgKey || Per-console key
 
|-
 
|-
| 0xC8 || 0x10  || recryptListKey || per-console
+
| 0xF8 || 0x04 || csumAdjust || Per-console checksum adjustment
 
|-
 
|-
| 0xD8 || 0x10  || appStateKey || per-console
+
| 0xFC || 0x04 || jtagEnable || JTAG status field
|-
 
| 0xE8 || 0x10  || selfMsgKey || per-console
 
|-
 
| 0xF8 || 0x04  || csumAdjust || per-console
 
|-
 
| 0xFC || 0x04 || jtagEnable || common
 

Latest revision as of 14:01, 2 June 2018

Virage2 is a 16K EEPROM bank located inside the SoC that can only be read in secure mode (mapped at 0xBFCA0000).

Offset Size Description Note
0x00 0x14 skHash Secure Kernel hash
0x14 0x40 romPatch ROM patch bitmap (4 x 0x10)
0x54 0x40 publicKey Per-console ECC public key
0x94 0x04 bbId Per-console ID
0x98 0x20 privateKey Per-console ECC private key
0xB8 0x10 bootAppKey Common key
0xC8 0x10 recryptListKey Per-console key
0xD8 0x10 appStateKey Per-console key
0xE8 0x10 selfMsgKey Per-console key
0xF8 0x04 csumAdjust Per-console checksum adjustment
0xFC 0x04 jtagEnable JTAG status field
Retrieved from "http://www.iquebrew.org/index.php?title=Virage2&oldid=866"