7. Inter-driver communication – Keychip Commands

The following is the list of all commands supported by hdd.sys and ssd.sys as part of the keychip command IOCTL.

Many of these commands cannot be used through fdd.sys, and this is noted on each command.

7.1 Command `0` - SessionOpen

Utilised by FDD	A7 Command	N2 Command
Yes	1	1

Begin an authentication session with the keychip. This command must always be the first command transmitted.

7.2 Command `1` - SessionClose

Utilised by FDD	A7 Command	N2 Command
No	2	2

Terminate an existing authentication session.

7.3 Command `2` - AuthStart

Utilised by FDD	A7 Command	N2 Command
Yes	3	3,4

Begin authentication against the keychip. The arguments to this command vary depending on which low-level driver is being used.

7.3.1 `ssd.sys`

Default values:

AES Key	`c21c966cbd8b00b9cf4c51bab2c3dfa5`
AES IV	`0b137aab20acc7eea0bbec594957dc6d`
MAC Key	`74935ef7e0181c0661f7bb7118c5512a130a5d19`

Note

The N2 chip is used for Ring and ELEFUN as well. These variants use different default keys; the values here are valid only for Lv3.1 keychips.

7.3.2 `hdd.sys`

Default values:

Public exponent 010001

Public modulus

9fd0a43a697329c54baec33cf07303bb25f4eb0f366b214633d48abf639c1057
55bd87f4071a20e5a139dcf283c86de5e4d13da34a023e21ac1b27a452c49044
97e625c32f6f9762bb80235d11d592965ea6f5839586c3066f2079e70c96055a
fc5a7fc25789b54db0833d3625b8dae173a127a681cce210103bb72fd0205cd3
f024c1bb26e261664d638390f8ef7d512dcf2bc72a826eec413f233788ba1309
264018efdbd8cb748e08917c992a67b7b2c0357e45ab9c9e51cf308efcc0256f
28999b079bbb3adf67d7221a1de8f3f587a1a49662e0dfe6f5fa557351f04779
3fce52641d2c7dc6b0eaba8ae529d1dff4dc793bb82994cb49b6e4efd80f142b

7.4 Command `3` - HmacChange

Utilised by FDD	A7 Command	N2 Command
No	4	7

Change the currently used HMAC authentication key. Payload is the new 20-byte key.

7.5 Command `4` - CKeyChange

Utilised by FDD	A7 Command	N2 Command
No	5	8

Change the currently used AES keys for communication. Payload is the new 16-byte key and the new 16-byte IV.

7.6 Command `5` - LvGet

Utilised by FDD	A7 Command	N2 Command
Yes	6	9

Get the current authentication level. The response is a single byte.

For A7, 2 is the maximum authentication level, for N2 it is 3. This level must be achieved by means of AuthStart before most commands can be used.

7.7 Command `6` - ErrorGet

Utilised by FDD	A7 Command	N2 Command
No	7	11

Get the last error the keychip encountered. The response is a big endian short.

7.8 Command `7` - VerGet

Utilised by FDD	A7 Command	N2 Command
No	8	12

Get the keychip firmware version. The response is a big endian short.

The following are all known firmware versions:

Keychip Type	Version
N2	`0x0104`
N2	`0x0106`
A7	`0x0200`
A7	`0x0201`
A7	`0x0202`
A7	`0x0203`
A7	`0x0204`
A7	`0x0205`
A7	`0x0210`

7.9 Command `8` - KeychipInfoWrite

Utilised by FDD	A7 Command	N2 Command
No	9	13

Write new keychip information. This command is unavailable on shipped keychips. The request is the new 96-byte information.

7.10 Command `9` - KeychipInfoRead

Utilised by FDD	A7 Command	N2 Command
Yes	10	14

Read the keychip information. The response is the 96-byte information blob.

7.11 Command `10` - GkeyWrite

Utilised by FDD	A7 Command	N2 Command
No	11	15

Write new game key. This command is unavailable on shipped keychips. The request is the new 16-byte game key and 16-byte IV.

7.12 Command `11` - GkeyEnc

Utilised by FDD	A7 Command	N2 Command
Yes	12	16

Encrypt data using the game key. The request is a single byte indicating if the encryption state should be reset using the IV, followed by 16-bytes of data to encrypt, and the response is the 16-bytes of data, encrypted.

7.13 Command `12` - GkeyDec

Utilised by FDD	A7 Command	N2 Command
Yes	13	17

Decrypt data using the game key. The request is a single byte indicating if the encryption state should be reset using the IV, followed by 16-bytes of data to encrypt, and the response is the 16-bytes of data, decrypted.

7.14 Command `13` - SFlagWrite

Utilised by FDD	A7 Command	N2 Command
No	14	20

Set the shipping flag on the keychip. This command is unavailable on shipped keychips. There is no request or response payload.

7.15 Command `14` - EepromInit

Utilised by FDD	A7 Command	N2 Command
No	15	21

Reset all internal EEPROM on the keychip. This command is unavailable on shipped keychips. There is no request or response payload.

7.16 Command `15` - LvEnable

Utilised by FDD	A7 Command	N2 Command
No	16	22

Re-enable a keychip that has been locked out due to too many invalid packets. This command is unavailable on shipped keychips. There is no request or response payload.

This command will raise the auth level from -1 to 0.

7.17 Command `16` - PrivateKeyModulusWrite

Utilised by FDD	A7 Command	N2 Command
No	17	N/A

Write the private modulus used for authentication data decryption. This command is unavailable on shipped keychips. The request is the 256-byte modulus.

7.18 Command `17` - PrivateKeyExponentWrite

Utilised by FDD	A7 Command	N2 Command
No	18	N/A

Write the private exponent used for authentication data decryption. This command is unavailable on shipped keychips. The request is the 256-byte exponent.

7.19 Command `18` - UDataWrite

Utilised by FDD	A7 Command	N2 Command
No	19	N/A

Write the udata block on the keychip. This command is unavailable on shipped keychips. The request is the 16-byte udata.

7.20 Command `19` - UDataRead

Utilised by FDD	A7 Command	N2 Command
Yes	20	N/A

Read the udata block on the keychip. The response is the 16-byte udata.

7.21 Command `20` - StorageWrite

Utilised by FDD	A7 Command	N2 Command
Yes	21	N/A

Write to secure storage on the keychip. The request is a big endian uint16 count of bytes, a big endian uint16 offset into storage, and then the data to write.

A maximum of 256 bytes can be written at once, due to hardware limitations.

The A7 keychip supports 10240 bytes of storage, and every written byte must be contained within this region.

7.22 Command `21` - StorageRead

Utilised by FDD	A7 Command	N2 Command
Yes	22	N/A

Write to secure storage on the keychip. The request is a big endian uint16 count of bytes, and a big endian uint16 offset into storage. The response is the requested data.

A maximum of 192 bytes can be read at once, due to hardware limitations.

The A7 keychip supports 10240 bytes of storage, and every read byte must be contained within this region.

7.23 Command `22` - RandomGet

Utilised by FDD	A7 Command	N2 Command
No	23	24

Retrieve a 16-byte random value from the keychip. This value is generated using a cryptographically secure algorithm.

7.24 Command `23` - PlayCountIncrement

Utilised by FDD	A7 Command	N2 Command
Yes	24	18

Increment the play counter on the keychip by one. There is no way to decrement this counter besides EepromInit.

7.25 Command `24` - PlayCountRead

Utilised by FDD	A7 Command	N2 Command
Yes	25	19

Retrieve the current play counter. The response is a big endian uint32.

7.26 Command `25` - TraceDataInfoWrite

Utilised by FDD	A7 Command	N2 Command
Yes	26	Uses EEPROM

Write tracedata metadata to the keychip. The request payload is the new 16-byte metadata.

7.27 Command `26` - TraceDataInfoRead

Utilised by FDD	A7 Command	N2 Command
Yes	27	Uses EEPROM

Retrieve tracedata from the keychip. The response is the 16-byte metadata.

7.28 Command `27` - StorageSizeGet

Utilised by FDD	A7 Command	N2 Command
Yes	28	N/A

Retrieve the maximum size of keychip storage. The response is a big endian uint16.

7.29 Command `28` -

Utilised by FDD	A7 Command	N2 Command
No	N/A	5

7.30 Command `29` -

Utilised by FDD	A7 Command	N2 Command
No	N/A	6

7.31 Command `30` - ALKeyAuthServerWrite

Utilised by FDD	A7 Command	N2 Command
No	29	N/A

Write the server key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

7.32 Command `31` - ALKeyAuthKeychipWrite

Utilised by FDD	A7 Command	N2 Command
No	30	N/A

Write the keychip key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

7.33 Command `32` - ALKeyALLNetAuthWrite

Utilised by FDD	A7 Command	N2 Command
No	31	N/A

Write the ALL.Net key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

7.34 Command `33` - ALKeychipIDWrite

Utilised by FDD	A7 Command	N2 Command
No	32	N/A

Write the keychip ID for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 11-byte keychip ID in compressed format.

7.35 Command `34` - ALStart

Utilised by FDD	A7 Command	N2 Command
Yes	33	N/A

Begin Auth 2.0 authentication. The payload for this command should be 64 bytes directly proxied from the Auth 2.0 server.

7.36 Command `35` - ALPacket

Utilised by FDD	A7 Command	N2 Command
Yes	34	N/A

Conclude Auth 2.0 authentication. The payload for this command should be 64 bytes directly proxied from the Auth 2.0 server.

7. Inter-driver communication – Keychip Commands

7.1 Command 0 - SessionOpen

7.2 Command 1 - SessionClose

7.3 Command 2 - AuthStart

7.3.1 ssd.sys

7.3.2 hdd.sys

7.4 Command 3 - HmacChange

7.5 Command 4 - CKeyChange

7.6 Command 5 - LvGet

7.7 Command 6 - ErrorGet

7.8 Command 7 - VerGet

7.9 Command 8 - KeychipInfoWrite

7.10 Command 9 - KeychipInfoRead

7.11 Command 10 - GkeyWrite

7.12 Command 11 - GkeyEnc

7.13 Command 12 - GkeyDec

7.14 Command 13 - SFlagWrite

7.15 Command 14 - EepromInit

7.16 Command 15 - LvEnable

7.17 Command 16 - PrivateKeyModulusWrite

7.18 Command 17 - PrivateKeyExponentWrite

7.19 Command 18 - UDataWrite

7.20 Command 19 - UDataRead

7.21 Command 20 - StorageWrite

7.22 Command 21 - StorageRead

7.23 Command 22 - RandomGet

7.24 Command 23 - PlayCountIncrement

7.25 Command 24 - PlayCountRead

7.26 Command 25 - TraceDataInfoWrite

7.27 Command 26 - TraceDataInfoRead

7.28 Command 27 - StorageSizeGet

7.29 Command 28 -

7.30 Command 29 -

7.31 Command 30 - ALKeyAuthServerWrite

7.32 Command 31 - ALKeyAuthKeychipWrite

7.33 Command 32 - ALKeyALLNetAuthWrite

7.34 Command 33 - ALKeychipIDWrite

7.35 Command 34 - ALStart

7.36 Command 35 - ALPacket