Changes

741 bytes removed ,  20:42, 4 January 2021
no edit summary
Line 57: Line 57:     
= ASIC commands =
 
= ASIC commands =
The Gamecard ASIC supports a total of 19 operation commands. These commands are passed to the ASIC using the [[#WriteOperation]] MMC command.
+
The Gamecard ASIC supports a total of 20 operation commands. These commands are passed to the ASIC using the [[#WriteOperation]] MMC command.
    
Additional data buffers are then read/written using standard MMC read/write commands.
 
Additional data buffers are then read/written using standard MMC read/write commands.
Line 67: Line 67:  
|-
 
|-
 
| 0x01
 
| 0x01
| [[#SetUserAsicFirmware]]
+
| [[#SendFirmware]]
 
|-
 
|-
 
| 0x02
 
| 0x02
| [[#GetAsicCert]]
+
| [[#ReceiveCertificate]]
 
|-
 
|-
 
| 0x03
 
| 0x03
| [[#SetEmmcEmbeddedSocCertificate]]
+
| [[#SendSocCertificate]]
 
|-
 
|-
 
| 0x04
 
| 0x04
| [[#GetAsicEncryptedMessage]]
+
| [[#ReceiveRandomValue]]
 
|-
 
|-
 
| 0x05
 
| 0x05
| [[#SetLibraryEncryptedMessage]]
+
| [[#SendRandomValue]]
 
|-
 
|-
 
| 0x06
 
| 0x06
| [[#GetAsicAuthenticationData]]
+
| [[#ReceiveDeviceChallenge]]
 
|-
 
|-
 
| 0x07
 
| 0x07
| [[#SetAsicAuthenticationDataHash]]
+
| [[#RespondDeviceChallenge]]
 
|-
 
|-
 
| 0x08
 
| 0x08
| [[#SetLibraryAuthenticationData]]
+
| [[#SendHostChallenge]]
 
|-
 
|-
 
| 0x09
 
| 0x09
| [[#GetLibraryAuthenticationDataHash]]
+
| [[#ReceiveChallengeResponse]]
 
|-
 
|-
 
| 0x0A
 
| 0x0A
| [[#EnterSecureAsicMode]]
+
| [[#ChangeModeToSecure]]
 
|-
 
|-
 
| 0x0B
 
| 0x0B
| [[#WriteAsicRegister]]
+
| [[#WriteRegister]]
 
|-
 
|-
 
| 0x0C
 
| 0x0C
| [[#ReadAsicRegister]]
+
| [[#ReadRegister]]
 
|-
 
|-
 
| 0x0D
 
| 0x0D
| [[#ChangeDebugMode]]
+
| [[#ChangeGcModeToDebug]]
 
|-
 
|-
 
| 0x0E
 
| 0x0E
Line 109: Line 109:  
|-
 
|-
 
| 0x0F
 
| 0x0F
| [[#GetCardKeyArea]]
+
| [[#ChangeGcModeToSecure]]
 
|-
 
|-
 
| 0x10
 
| 0x10
Line 121: Line 121:  
|-
 
|-
 
| 0x13
 
| 0x13
| [[#GetRmaInformation]]
+
| [[#ReadRmaInformation]]
 
|-
 
|-
 
| 0x14
 
| 0x14
Line 127: Line 127:  
|}
 
|}
   −
== SetUserAsicFirmware ==
+
== SendFirmware ==
 
Signals the Gamecard ASIC to receive a 0x7800 byte sized buffer containing the [[#User firmware|ASIC's user firmware]].
 
Signals the Gamecard ASIC to receive a 0x7800 byte sized buffer containing the [[#User firmware|ASIC's user firmware]].
   −
== GetAsicCert ==
+
== ReceiveCertificate ==
 
Signals the Gamecard ASIC to send a 0x400 byte sized buffer containing the ASIC's certificate.
 
Signals the Gamecard ASIC to send a 0x400 byte sized buffer containing the ASIC's certificate.
   −
== SetEmmcEmbeddedSocCertificate ==
+
== SendSocCertificate ==
 
Signals the Gamecard ASIC to receive a 0x400 byte sized buffer containing the certificate from [[Settings_services#GetGameCardCertificate|GetGameCardCertificate]].
 
Signals the Gamecard ASIC to receive a 0x400 byte sized buffer containing the certificate from [[Settings_services#GetGameCardCertificate|GetGameCardCertificate]].
   −
== GetAsicEncryptedMessage ==
+
== ReceiveRandomValue ==
 
Signals the Gamecard ASIC to send a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the host library. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
 
Signals the Gamecard ASIC to send a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the host library. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
   −
== SetLibraryEncryptedMessage ==
+
== SendRandomValue ==
 
Signals the Gamecard ASIC to receive a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the ASIC. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
 
Signals the Gamecard ASIC to receive a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the ASIC. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
   −
== GetAsicAuthenticationData ==
+
== ReceiveDeviceChallenge ==
 
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the host library.
 
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the host library.
   −
== SetAsicAuthenticationDataHash ==
+
== RespondDeviceChallenge ==
 
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the ASIC authentication data.
 
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the ASIC authentication data.
   −
== SetLibraryAuthenticationData ==
+
== SendHostChallenge ==
 
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the ASIC.
 
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the ASIC.
   −
== GetLibraryAuthenticationDataHash ==
+
== ReceiveChallengeResponse ==
 
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the library authentication data.
 
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the library authentication data.
   −
== EnterSecureAsicMode ==
+
== ChangeModeToSecure ==
 
Signals the Gamecard ASIC to enter secure mode. In secure mode, all communication with the Gamecard ASIC must be AES-128-CTR encrypted.
 
Signals the Gamecard ASIC to enter secure mode. In secure mode, all communication with the Gamecard ASIC must be AES-128-CTR encrypted.
   −
== WriteAsicRegister ==
+
== WriteRegister ==
 
Signals the Gamecard ASIC to write an internal register. The register value is passed in the first word of a 0x200 byte sized buffer while the register index is passed in the actual [[#OperationBuffer]] as follows.
 
Signals the Gamecard ASIC to write an internal register. The register value is passed in the first word of a 0x200 byte sized buffer while the register index is passed in the actual [[#OperationBuffer]] as follows.
   Line 187: Line 187:  
|}
 
|}
   −
== ReadAsicRegister ==
+
== ReadRegister ==
 
Signals the Gamecard ASIC to send a 0x30 byte sized buffer containing the values of all ASIC registers as follows.
 
Signals the Gamecard ASIC to send a 0x30 byte sized buffer containing the values of all ASIC registers as follows.
   Line 245: Line 245:  
|}
 
|}
   −
== ChangeDebugMode ==
+
== ChangeGcModeToDebug ==
 
Signals the Gamecard ASIC to change into debug mode and send a 0x200 byte sized buffer containing information on the current Gamecard.
 
Signals the Gamecard ASIC to change into debug mode and send a 0x200 byte sized buffer containing information on the current Gamecard.
   Line 270: Line 270:  
|}
 
|}
   −
== GetCardKeyArea ==
+
== ChangeGcModeToSecure ==
 
Signals the Gamecard ASIC to send a 0x800 byte sized buffer containing the current Gamecard's key area sectors as follows.
 
Signals the Gamecard ASIC to send a 0x800 byte sized buffer containing the current Gamecard's key area sectors as follows.
   Line 363: Line 363:  
|}
 
|}
   −
== GetRmaInformation ==
+
== ReadRmaInformation ==
 
Signals the Gamecard ASIC to send a 0x200 byte sized buffer containing information on the Gamecard ASIC. This is called by [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
 
Signals the Gamecard ASIC to send a 0x200 byte sized buffer containing information on the Gamecard ASIC. This is called by [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
   Line 399: Line 399:  
|-
 
|-
 
| 0x10
 
| 0x10
| [[#ReadId1Normal, ReadId1Secure, ReadId1Writer|#ReadId1Writer]]
+
| [[#ReadId1|ReadId1Write]]
 
|-
 
|-
 
| 0x11
 
| 0x11
| [[#ReadId2Normal, ReadId2Secure, ReadId2Writer|#ReadId2Writer]]
+
| [[#ReadId2|ReadId2Write]]
 
|-
 
|-
 
| 0x12
 
| 0x12
| [[#ReadId3Normal, ReadId3Secure, ReadId3Writer|#ReadId3Writer]]
+
| [[#ReadId3|ReadId3Write]]
 
|-
 
|-
 
| 0x15
 
| 0x15
| [[#ReadCrc]]
+
| [[#ReadCrc|ReadCrc]]
 
|-
 
|-
 
| 0x16
 
| 0x16
| [[#WritePage, WritePageSecure|#WritePage]]
+
| [[#WritePage|WritePage]]
 
|-
 
|-
 
| 0x18
 
| 0x18
| [[#Erase]]
+
| [[#Erase|Erase]]
 
|-
 
|-
 
| 0x19
 
| 0x19
| [[#ReadDevParam]]
+
| [[#ReadParameter|ReadParameter]]
 
|-
 
|-
 
| 0x20
 
| 0x20
| [[#WriteDevParam]]
+
| [[#WriteParameter|WriteParameter]]
 
|-
 
|-
 
| 0x21
 
| 0x21
| [[#ReadPage, ReadPageSecure|#ReadPageSecure]]
+
| [[#ReadPage|ReadPageSecure]]
 
|-
 
|-
 
| 0x28
 
| 0x28
| [[#ReadId2Normal, ReadId2Secure, ReadId2Writer|#ReadId2Normal]]
+
| [[#ReadId2|ReadId2]]
 
|-
 
|-
 
| 0x2E
 
| 0x2E
| [2.0.0+] [[#UnlockForceErase]]
+
| [2.0.0+] [[#ChangeDebugDirect|ChangeDebugDirect]]
 
|-
 
|-
 
| 0x30
 
| 0x30
| [[#ReadId3Normal, ReadId3Secure, ReadId3Writer|#ReadId3Secure]]
+
| [[#ReadId3|ReadId3Secure]]
 
|-
 
|-
 
| 0x39
 
| 0x39
| [[#SetKey]]
+
| [[#SetKey|SetKey]]
 
|-
 
|-
 
| 0x56
 
| 0x56
| [[#ReadId1Normal, ReadId1Secure, ReadId1Writer|#ReadId1Normal]]
+
| [[#ReadId1|ReadId1]]
 
|-
 
|-
 
| 0x83
 
| 0x83
| [[#WritePage, WritePageSecure|#WritePageSecure]]
+
| [[#WritePage|WritePageSecure]]
 
|-
 
|-
 
| 0x5B
 
| 0x5B
| [[#ReadPage, ReadPageSecure|#ReadPage]]
+
| [[#ReadPage|ReadPage]]
 
|-
 
|-
 
| 0x67
 
| 0x67
| [[#ReadId1Normal, ReadId1Secure, ReadId1Writer|#ReadId1Secure]]
+
| [[#ReadId1|ReadId1Secure]]
 
|-
 
|-
 
| 0xA5
 
| 0xA5
| [[#ReadId3Normal, ReadId3Secure, ReadId3Writer|#ReadId3Normal]]
+
| [[#ReadId3|ReadId3]]
 
|-
 
|-
 
| 0xB8
 
| 0xB8
| [[#Refresh]]
+
| [[#Refresh|Refresh]]
 
|-
 
|-
 
| 0xC4
 
| 0xC4
| [[#ReadId2Normal, ReadId2Secure, ReadId2Writer|#ReadId2Secure]]
+
| [[#ReadId2|ReadId2Secure]]
 
|-
 
|-
 
| 0xE0
 
| 0xE0
Line 465: Line 465:  
|}
 
|}
   −
== ReadId1Normal, ReadId1Secure, ReadId1Writer ==
+
== ReadId1 ==
 
Returns the Gamecard ID1 under one of the valid [[#Gamecard modes|Gamecard modes]].
 
Returns the Gamecard ID1 under one of the valid [[#Gamecard modes|Gamecard modes]].
   Line 521: Line 521:  
|}
 
|}
   −
== ReadId2Normal, ReadId2Secure, ReadId2Writer ==
+
== ReadId2 ==
 
Returns the Gamecard ID2 under one of the valid [[#Gamecard modes|Gamecard modes]].
 
Returns the Gamecard ID2 under one of the valid [[#Gamecard modes|Gamecard modes]].
   Line 577: Line 577:  
|}
 
|}
   −
== ReadId3Normal, ReadId3Secure, ReadId3Writer ==
+
== ReadId3 ==
 
Returns the Gamecard ID3 under one of the valid [[#Gamecard modes|Gamecard modes]].
 
Returns the Gamecard ID3 under one of the valid [[#Gamecard modes|Gamecard modes]].
   Line 685: Line 685:  
|}
 
|}
   −
== WritePage, WritePageSecure ==
+
== WritePage ==
 
Writes Gamecard pages. This command is only available in [[#Gamecard modes|Write]] and [[#Gamecard modes|Secure]] modes.
 
Writes Gamecard pages. This command is only available in [[#Gamecard modes|Write]] and [[#Gamecard modes|Secure]] modes.
   Line 737: Line 737:  
|}
 
|}
   −
== ReadPage, ReadPageSecure ==
+
== ReadPage ==
 
Reads Gamecard pages. This command is only available in [[#Gamecard modes|Normal]] and [[#Gamecard modes|Secure]] modes.
 
Reads Gamecard pages. This command is only available in [[#Gamecard modes|Normal]] and [[#Gamecard modes|Secure]] modes.
   Line 845: Line 845:  
|}
 
|}
   −
== ReadDevParam ==
+
== ReadParameter ==
 
Reads a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
 
Reads a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
   Line 901: Line 901:  
|}
 
|}
   −
== WriteDevParam ==
+
== WriteParameter ==
 
Writes a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
 
Writes a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
   Line 1,069: Line 1,069:  
|}
 
|}
   −
== UnlockForceErase ==
+
== ChangeDebugDirect ==
 
Used by [[Filesystem_services#OpenGameCardStorage|OpenGameCardStorage]]. This command is only available in [[#Gamecard modes|Normal]] mode.
 
Used by [[Filesystem_services#OpenGameCardStorage|OpenGameCardStorage]]. This command is only available in [[#Gamecard modes|Normal]] mode.
   Line 1,217: Line 1,217:  
Depending on it's purpose, multiple user firmware blobs exist.
 
Depending on it's purpose, multiple user firmware blobs exist.
   −
=== FwRead ===
+
=== ReadFw ===
 
Code for reading retail Gamecards. Only the normal and secure [[#Gamecard modes|Gamecard modes]] are supported.
 
Code for reading retail Gamecards. Only the normal and secure [[#Gamecard modes|Gamecard modes]] are supported.
   Line 1,224: Line 1,224:  
[4.0.0+] This firmware blob was updated to provide support for new Gamecards.
 
[4.0.0+] This firmware blob was updated to provide support for new Gamecards.
   −
=== FwWriter ===
+
[9.0.0+] This firmware blob was updated.
 +
 
 +
[11.0.0+] This firmware blob was updated.
 +
 
 +
=== WriterFw ===
 
Code for writing development Gamecards. Only the normal and write [[#Gamecard modes|Gamecard modes]] are supported.
 
Code for writing development Gamecards. Only the normal and write [[#Gamecard modes|Gamecard modes]] are supported.
    
Found inside [[Filesystem_services|FS]].
 
Found inside [[Filesystem_services|FS]].
   −
=== FwReadDev ===
+
=== ReadDevFw ===
 
Code for reading development Gamecards. Development Gamecards use common [[Gamecard_Format#Initial_Data|initial data]] which justifies the need for a specialized read firmware.
 
Code for reading development Gamecards. Development Gamecards use common [[Gamecard_Format#Initial_Data|initial data]] which justifies the need for a specialized read firmware.
    
Found inside [[Filesystem_services|FS]].
 
Found inside [[Filesystem_services|FS]].
   −
=== FwDebug ===
+
=== RmaFw ===
Code for calling [[#GetRmaInformation]]. Must be passed as an argument for [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
+
Code for calling [[#ReadRmaInformation]]. Must be passed as an argument for [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
    
Never observed (possibly factory only).
 
Never observed (possibly factory only).
Line 1,241: Line 1,245:  
== Anti-downgrade ==
 
== Anti-downgrade ==
 
Loading an user firmware blob with a certain version field will lock the Gamecard ASIC to only allow running firmware blobs with the same or higher version number. Therefore, it is speculated that the Gamecard ASIC contains some sort of non-volatile memory bank which could be used for this purpose (among others).
 
Loading an user firmware blob with a certain version field will lock the Gamecard ASIC to only allow running firmware blobs with the same or higher version number. Therefore, it is speculated that the Gamecard ASIC contains some sort of non-volatile memory bank which could be used for this purpose (among others).
  −
The [[#FwWriter|FwWriter]] and [[#FwReadDev|FwReadDev]] blobs' version is always 0, but [[#FwRead|FwRead]] blob's version is either 1 or 3 ([4.0.0+]). This effectively locks retail consoles from using the development firmware blobs.