CMD

From iQueBrew
Jump to: navigation, search

A content metadata or CMD is a file or structure used to store data about an iQue app, such as encryption keys, its access to secure kernel calls, and its access to various hardware. It is used on its own in SKSA (where SA1 and SA2 both have their own attached CMD) and also contained as part of every ticket.

Format

A CMD consists of two parts: contentDesc, an optional 0x2800-byte long structure containing information about a game such as its save type, title, and thumbnail image; and BbContentMetaDataHead. The former is not used in the content metadata for SAs.

contentDesc

Offset Length Type Information
0x00 0x04 uint32 EEPROM RDRAM location (typically 0x807C0000, 0 if unused)
0x04 0x04 uint32 EEPROM size (either 0x200 or 0x800)
0x08 0x04 uint32 Flash RDRAM location (typically 0x807C0000, 0 if unused)
0x0C 0x04 uint32 Flash size (0x20000 if used)
0x10 0x04 uint32 SRAM RDRAM location (typically 0x807C0000, 0 if unused)
0x14 0x04 uint32 SRAM size (0x8000 if used)
0x18 0x04 uint32 Controller Pak 0 RDRAM location (could be 0x807C0000 or 0x807C0000, 0 if unused)
0x1C 0x04 uint32 Controller Pak 1 RDRAM location (0 if unused)
0x20 0x04 uint32 Controller Pak 2 RDRAM location (0 if unused)
0x24 0x04 uint32 Controller Pak 3 RDRAM location (0 if unused)
0x28 0x04 uint32 Controller Pak size (0x8000 when used)
0x2C 0x04 uint32 Probably osRomBase (always 0xB0000000?)
0x30 0x04 uint32 Probably osTvType (always 1? which is for NTSC)
0x34 0x04 uint32 Probably osMemSize (always 0x400000? for no expansion pak)
0x38 0x04 uint32 Unknown, possibly another libultra boot param
0x3C 0x04 uint32 Unknown, possibly another libultra boot param
0x40 0x03 chars "CAM", unknown purpose
0x43 0x01 byte Number of ".u0x" files for this game?
0x44 0x02 uint16 Thumb image length (can't be more than 0x4000, decompressed size must be exactly 0x1880)
0x46 0x02 uint16 Title image length (can't be more than 0x10000, how exactly would that even fit?)
0x48 Thumb image length bytes DEFLATE-compressed thumb image RGBA5551 (56px * 56px)
0x48 + Thumb image length Title image length bytes DEFLATE-compressed title image RGBA5551 (184px * 24px)
0x48 + Thumb image length + Title image length 0x27B8 - image lengths chars Title name + ISBN

BbContentMetaDataHead

Offset Length Type Description Information
0x2800 0x04 uint32 unusedPadding padding
0x2804 0x04 uint32 caCrlVersion Certificate Authority(?) CRL version
0x2808 0x04 uint32 cpCrlVersion Content Protection(?) CRL version
0x280C 0x04 uint32 size Size (in bytes) of the associated app
0x2810 0x04 uint32 descFlags Seemingly unused/unchecked; bit 0 set if the associated app is SA
0x2814 0x10 uint8[16] commonCmdIv titlekey_iv; IV used to encrypt title key (with common key)
0x2824 0x14 uint8[20] hash SHA-1 hash of the plaintext of the associated app
0x2838 0x10 uint8[16] iv content_iv; IV used to encrypt content
0x2848 0x04 uint32 execFlags Despite the name, only one use/flag is known: if bit 1 is set (the "recrypt flag"), the associated app will be re-encrypted on first launch
0x284C 0x04 uint32 hwAccessRights bitfield, each bit enables access to some MMIO regs new to iQue Player:
  • bits 0-7: new PI stuff
  • bit 0: PI buffer used for aes/NAND read output and PI DMA (1KB at PI_BASE+0x10000)
  • bit 1: NAND flash regs in PI
  • bit 2: memory mapper for old PI dma
  • bit 3: hardware AES-engine in PI
  • bit 4: new PI dma engine, DMAs from/to PI buffer
  • bit 5: new GPIO; power + LED
  • bit 6: external IO bus stuff (debug?)
  • bit 7: new PI error stuff
  • bit 8: enables access to USB regs
  • bit 9: enables access to internal ram used for SK stack

(0x0000 for games except for Animal Forest which is 0x0033, 0x0013 for iQue Club, 0x01F7/0x01B3 for SA)

0x2850 0x04 uint32 secureKernelRights Which secure kernel calls the associated app can use, one bit per syscall: bit 0 allows SKC 0, etc.
0x2854 0x04 uint32 bbid If not zero, can only be run on the specified console (used for SAs, not games)
0x2858 0x40 uint8[64] issuer Certificate used to sign the cmd
0x2898 0x04 uint32 id Content ID of the associated app
0x289C 0x10 uint8[16] key The associated app's title key. It is encrypted once with the common key. If the associated app is not an SA, then it is encrypted again with a key derived using the result of ECDH with the console's private key in the Virage2 and the public key in the app's ticket.
0x28AC 0x100 uint8[256] contentMetaDataSign RSA-2048 signature over all of the above, but before the title key is encrypted a second time.