Game Card

The PSVita GameCard (cartridge) was reverse-engineered by 2 teams: Cobra BlackFin Team and motoharu.

HW Reversing
motoharu's write-up is simple but massive, and far too detailed to retype in full here. Instead we'll link to his GitHub. We'll also fork his work, so if the site is someday down, call us and we'll fix it.

The game card is a standard MMC card. The pinout is different, but the card is otherwise MMC-compliant.



Partitions
A game card can embed 1 or 2 partitions, mounted as gro0: and optionally grw0:.

gro0: is Read-Only whilst grw0: is Read-Write.

The game card can be accessed with the SceSdif module. It has the following partitions:

Card initialization
Card initialization consists of two steps:
 * Standard MMC initialization.
 * Custom CMD56 initialization.

CMD56 is a command used to transfer vendor-specific data from host to card and back to host.

The second step is crucial: it must be completed before the host tries to read any data from the card, for example with CMD17.

Standard MMC initialization
This step is performed by SceSdif.

Part1: Card identification (SD, MMC, SDIO)
 * 40 00 00 00 00 95 - CMD0 - GO_IDLE_STATE
 * 48 00 00 01 AA 87 - CMD8 - SEND_IF_COND
 * 45 00 00 00 00 5B - CMD5 - IO_SEND_OP_COND
 * 77 00 00 00 00 65 - CMD55 - APP_CMD

Part2: Card initialization
 * 40 00 00 00 00 95 - CMD0 - GO_IDLE_STATE
 * 41 40 FF 80 00 0B - CMD1 - SEND_OP_COND
 * 42 00 00 00 00 4D - CMD2 - ALL_SEND_CID
 * 43 00 01 00 00 7F - CMD3 - SET_RELATIVE_ADDR
 * 49 00 01 00 00 F1 - CMD9 - SEND_CSD
 * 47 00 01 00 00 DD - CMD7 - SELECT_CARD
 * 46 03 AF 01 00 43 - CMD6 - SWITCH (ERASE_GROUP_DEF)
 * 48 00 00 00 00 C3 - CMD8 - SEND_EXT_CSD
 * 50 00 00 02 00 15 - CMD16 - SET_BLOCKLEN
 * 46 03 B9 01 00 2F - CMD6 - SWITCH (HS_TIMING)
 * 46 03 B7 01 00 2D - CMD6 - SWITCH (BUS_WIDTH 4)

Custom CMD56 initialization
This step is performed by SceSblGcAuthMgr.

SceSblGcAuthMgr uses the SceSblSsSmComm API to send F00D Commands that call Kirk services 1B-20. The game card can be accessed with device index 1.

Initialization consists of 20 packets in total: 10 request packets and 10 response packets. Each packet is sent or received with CMD56.


 * 78 00 00 00 00 25 - CMD56 (REQUEST)
 * 78 00 00 00 01 37 - CMD56 (RESPONSE)
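Each 6-byte sequence in the lists above is a 48-bit MMC command frame: start and transmission bits, a 6-bit command index, a 32-bit argument, a CRC7 and an end bit. The following is an added example, not code from the original page or from motoharu's work: it validates the framing and CRC7 of frames copied from those lists, decodes the CMD6 SWITCH fields, and rejects one constructed frame whose CRC no longer matches. The function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* CRC7, polynomial x^7 + x^3 + 1, as used on the MMC CMD line. */
static uint8_t mmc_crc7(const uint8_t *p, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++)
        for (int bit = 7; bit >= 0; bit--) {
            uint8_t fb = ((crc >> 6) ^ (p[i] >> bit)) & 1;
            crc = (uint8_t)((crc << 1) & 0x7F);
            if (fb) crc ^= 0x09;
        }
    return crc;
}

/* Returns the command index and stores the argument, or -1 on bad framing/CRC7. */
static int mmc_parse(const uint8_t f[6], uint32_t *arg)
{
    /* start bit 0, transmission bit 1 (host), end bit 1, CRC7 over bytes 0..4 */
    if ((f[0] & 0xC0) != 0x40 || !(f[5] & 1) || (f[5] >> 1) != mmc_crc7(f, 5))
        return -1;
    *arg = (uint32_t)f[1] << 24 | (uint32_t)f[2] << 16 | (uint32_t)f[3] << 8 | f[4];
    return f[0] & 0x3F;
}

/* CMD6 SWITCH argument: bits 23:16 = EXT_CSD byte index, bits 15:8 = value. */
static unsigned switch_index(uint32_t arg) { return (arg >> 16) & 0xFF; }
static unsigned switch_value(uint32_t arg) { return (arg >> 8) & 0xFF; }
static const uint8_t frames[][6] = {
    {0x40, 0x00, 0x00, 0x00, 0x00, 0x95}, /* page: CMD0 GO_IDLE_STATE */
    {0x46, 0x03, 0xB7, 0x01, 0x00, 0x2D}, /* page: CMD6 SWITCH (BUS_WIDTH 4) */
    {0x78, 0x00, 0x00, 0x00, 0x00, 0x25}, /* page: CMD56 (REQUEST) */
    {0x78, 0x00, 0x00, 0x00, 0x01, 0x37}, /* page: CMD56 (RESPONSE) */
    {0x78, 0x00, 0x00, 0x00, 0x01, 0x25}, /* constructed: arg changed, CRC stale */
};
int main(void)
{
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        uint32_t arg = 0;
        int cmd = mmc_parse(frames[i], &arg);
        if (cmd < 0) { printf("frame %zu: rejected\n", i); continue; }
        printf("frame %zu: CMD%d arg=0x%08X", i, cmd, (unsigned)arg);
        if (cmd == 6)
            printf(" index=0x%02X value=%u", switch_index(arg), switch_value(arg));
        putchar('\n');
    }
    return 0;
}
```

In the two CMD56 frames from the page, only bit 0 of the argument differs between REQUEST and RESPONSE.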

unsigned char key0[0x20] = {
    0xDD, 0x10, 0x25, 0x44, 0x15, 0x23, 0xFD, 0xC0,
    0xF9, 0xE9, 0x15, 0x26, 0xDC, 0x2A, 0xE0, 0x84,
    0xA9, 0x03, 0xA2, 0x97, 0xD4, 0xBB, 0xF8, 0x52,
    0xD3, 0xD4, 0x94, 0x2C, 0x89, 0x03, 0xCC, 0x77,
};