NAND set_encryption_seed NID (last remaining sceNand nid)

Sometimes it’s the most obvious names that are the hardest to guess (as was also the case with sceSysconBatteryReadNVM):

0x0BEE8F36 sceNandSetScramble

That finally completes the sceNand lib !!

This is used to set the encryption seed for lfat decryption (on 3.00+) and for idstorage (on slim). After correctly setting the seed, all (per-page) reads to the nand will be read decrypted (otherwise raw reads to the nand will just return rubbish).

So, how to calculate the correct seed? For slim idstorage area it is pretty straightforward:

  1. u32 magic;
  2. u32 buf[4];
  3. u32 sha[5];
  5. buf[0] = *(vu32*)(0xBC100090);
  6. buf[1] = *(vu32*)(0xBC100094);
  7. buf[2] = *(vu32*)(0xBC100090)<<1;
  8. buf[3] = 0xD41D8CD9;
  10. sceKernelUtilsSha1Digest((u8*)buf, sizeof(buf), (u8*)sha);
  12. magic = (sha[0] ^ sha[3]) + sha[2];
  14. sceNandSetScramble(magic);

The 64bits stored at hardware register 0xBC100090 is unique for every psp (it is some sort of id or serial). Hence why nand dumps are also unique between psps (for 3.00 onwards).

For lfat area, things get slightly more complicated to derive the correct seed however is still based on the unique 0xBC100090 register. Maybe will come later then we’ll finally have a logical restore for slims (instead of a relatively dangerous physical restore).

Leave a Reply