6. Inter-driver communication – Keychip Commands

The following is the list of all commands supported by hdd.sys and ssd.sys as part of the keychip command IOCTL.

Many of these commands cannot be used through fdd.sys, and this is noted on each command.

6.1 Command 0 - SessionOpen

Utilised by FDD A7 Command N2 Command
Yes 1 1

Begin an authentication session with the keychip. This command must always be the first command transmitted.

6.2 Command 1 - SessionClose

Utilised by FDD A7 Command N2 Command
No 2 2

Terminate an existing authentication session.

6.3 Command 2 - AuthStart

Utilised by FDD A7 Command N2 Command
Yes 3 3,4

Begin authentication against the keychip. The arguments to this command vary depending on which low-level driver is being used.

6.3.1 ssd.sys

Field Size
AES Key 16 bytes
AES IV 16 bytes
HMAC Key 20 bytes

Default values:

AES Key c21c966cbd8b00b9cf4c51bab2c3dfa5
AES IV 0b137aab20acc7eea0bbec594957dc6d
MAC Key 74935ef7e0181c0661f7bb7118c5512a130a5d19

Note

The N2 chip is used for Ring and ELEFUN as well. These variants use different default keys; the values here are valid only for Lv3.1 keychips.

6.3.2 hdd.sys

Field Size
Public exponent 3 bytes
Public modulus 256 bytes

Default values:

Public exponent 010001
Public modulus

6.4 Command 3 - HmacChange

Utilised by FDD A7 Command N2 Command
No 4 7

Change the currently used HMAC authentication key. Payload is the new 20-byte key.

6.5 Command 4 - CKeyChange

Utilised by FDD A7 Command N2 Command
No 5 8

Change the currently used AES keys for communication. Payload is the new 16-byte key and the new 16-byte IV.

6.6 Command 5 - LvGet

Utilised by FDD A7 Command N2 Command
Yes 6 9

Get the current authentication level. The response is a single byte.

For A7, the maximum authentication level is 2; for N2 it is 3. This level must be achieved by means of AuthStart before most commands can be used.

6.7 Command 6 - ErrorGet

Utilised by FDD A7 Command N2 Command
No 7 11

Get the last error the keychip encountered. The response is a big endian short.

6.8 Command 7 - VerGet

Utilised by FDD A7 Command N2 Command
No 8 12

Get the keychip firmware version. The response is a big endian short.

The following are all known firmware versions:

Keychip Type Version
N2 0x0104
N2 0x0106
A7 0x0200
A7 0x0201
A7 0x0202
A7 0x0203
A7 0x0204
A7 0x0205
A7 0x0210

6.9 Command 8 - KeychipInfoWrite

Utilised by FDD A7 Command N2 Command
No 9 13

Write new keychip information. This command is unavailable on shipped keychips. The request is the new 96-byte information.

6.10 Command 9 - KeychipInfoRead

Utilised by FDD A7 Command N2 Command
Yes 10 14

Read the keychip information. The response is the 96-byte information blob.

Layout diagram (column headers 0 to 15). Fields, in order: Format type, Keychip ID, Game ID, Hardware ID, System Flags, Model Type, Region, IPv4 Subnet, IPv6 Subnet, Opt Key, Opt IV, Billing Mode, Reserved, CRC32.

6.11 Command 10 - GkeyWrite

Utilised by FDD A7 Command N2 Command
No 11 15

Write new game key. This command is unavailable on shipped keychips. The request is the new 16-byte game key and 16-byte IV.

6.12 Command 11 - GkeyEnc

Utilised by FDD A7 Command N2 Command
Yes 12 16

Encrypt data using the game key. The request is a single byte indicating whether the encryption state should be reset using the IV, followed by 16 bytes of data to encrypt. The response is the 16 bytes of data, encrypted.

6.13 Command 12 - GkeyDec

Utilised by FDD A7 Command N2 Command
Yes 13 17

Decrypt data using the game key. The request is a single byte indicating whether the encryption state should be reset using the IV, followed by 16 bytes of data to decrypt. The response is the 16 bytes of data, decrypted.

6.14 Command 13 - SFlagWrite

Utilised by FDD A7 Command N2 Command
No 14 20

Set the shipping flag on the keychip. This command is unavailable on shipped keychips. There is no request or response payload.

6.15 Command 14 - EepromInit

Utilised by FDD A7 Command N2 Command
No 15 21

Reset all internal EEPROM on the keychip. This command is unavailable on shipped keychips. There is no request or response payload.

6.16 Command 15 - LvEnable

Utilised by FDD A7 Command N2 Command
No 16 22

Re-enable a keychip that has been locked out due to too many invalid packets. This command is unavailable on shipped keychips. There is no request or response payload.

This command will raise the auth level from -1 to 0.

6.17 Command 16 - PrivateKeyModulusWrite

Utilised by FDD A7 Command N2 Command
No 17 N/A

Write the private modulus used for authentication data decryption. This command is unavailable on shipped keychips. The request is the 256-byte modulus.

6.18 Command 17 - PrivateKeyExponentWrite

Utilised by FDD A7 Command N2 Command
No 18 N/A

Write the private exponent used for authentication data decryption. This command is unavailable on shipped keychips. The request is the 256-byte exponent.

6.19 Command 18 - UDataWrite

Utilised by FDD A7 Command N2 Command
No 19 N/A

Write the udata block on the keychip. This command is unavailable on shipped keychips. The request is the 16-byte udata.

6.20 Command 19 - UDataRead

Utilised by FDD A7 Command N2 Command
Yes 20 N/A

Read the udata block on the keychip. The response is the 16-byte udata.

6.21 Command 20 - StorageWrite

Utilised by FDD A7 Command N2 Command
Yes 21 N/A

Write to secure storage on the keychip. The request is a big endian uint16 count of bytes, a big endian uint16 offset into storage, and then the data to write.

A maximum of 256 bytes can be written at once, due to hardware limitations.

The A7 keychip supports 10240 bytes of storage, and every written byte must be contained within this region.

6.22 Command 21 - StorageRead

Utilised by FDD A7 Command N2 Command
Yes 22 N/A

Read from secure storage on the keychip. The request is a big endian uint16 count of bytes, and a big endian uint16 offset into storage. The response is the requested data.

A maximum of 192 bytes can be read at once, due to hardware limitations.

The A7 keychip supports 10240 bytes of storage, and every read byte must be contained within this region.
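
The StorageWrite and StorageRead request layouts and limits described above, as an added example that is not code from the drivers or from this documentation's author. The function names are hypothetical, rejecting zero-length requests is an assumption, and only the command payload is modelled (not the IOCTL wrapper or any transport encryption).

```python
import struct

STORAGE_SIZE = 10240   # A7 secure storage size stated on this page
MAX_WRITE = 256        # per-request write limit stated on this page
MAX_READ = 192         # per-request read limit stated on this page


def _check_range(count: int, offset: int, limit: int) -> None:
    """Reject requests that break the per-request limit or leave the region."""
    if not 0 < count <= limit:          # zero-length rejected: an assumption
        raise ValueError(f"count {count} outside 1..{limit}")
    if offset < 0 or offset + count > STORAGE_SIZE:
        raise ValueError(f"range {offset}+{count} exceeds {STORAGE_SIZE} bytes")


def storage_write_payload(offset: int, data: bytes) -> bytes:
    """StorageWrite request: BE uint16 count, BE uint16 offset, then the data."""
    _check_range(len(data), offset, MAX_WRITE)
    return struct.pack(">HH", len(data), offset) + data


def storage_read_payload(offset: int, count: int) -> bytes:
    """StorageRead request: BE uint16 count, BE uint16 offset."""
    _check_range(count, offset, MAX_READ)
    return struct.pack(">HH", count, offset)


def parse_storage_write(payload: bytes) -> tuple[int, bytes]:
    """Validate a received StorageWrite payload; return (offset, data)."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte header")
    count, offset = struct.unpack(">HH", payload[:4])
    _check_range(count, offset, MAX_WRITE)
    if len(payload) - 4 != count:       # header must agree with the data sent
        raise ValueError("declared count does not match data length")
    return offset, payload[4:]


def split_write(offset: int, data: bytes) -> list[bytes]:
    """Split a large write into consecutive requests of at most MAX_WRITE bytes."""
    return [storage_write_payload(offset + i, data[i:i + MAX_WRITE])
            for i in range(0, len(data), MAX_WRITE)]
```

Anything emulating or filtering these commands needs the same checks on the receiving side, since the count and offset in the header are caller-controlled.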

6.23 Command 22 - RandomGet

Utilised by FDD A7 Command N2 Command
No 23 24

Retrieve a 16-byte random value from the keychip. This value is generated using a cryptographically secure algorithm.

6.24 Command 23 - PlayCountIncrement

Utilised by FDD A7 Command N2 Command
Yes 24 18

Increment the play counter on the keychip by one. There is no way to decrement this counter besides EepromInit.

6.25 Command 24 - PlayCountRead

Utilised by FDD A7 Command N2 Command
Yes 25 19

Retrieve the current play counter. The response is a big endian uint32.

6.26 Command 25 - TraceDataInfoWrite

Utilised by FDD A7 Command N2 Command
Yes 26 Uses EEPROM

Write tracedata metadata to the keychip. The request payload is the new 16-byte metadata.

6.27 Command 26 - TraceDataInfoRead

Utilised by FDD A7 Command N2 Command
Yes 27 Uses EEPROM

Retrieve tracedata metadata from the keychip. The response is the 16-byte metadata.

6.28 Command 27 - StorageSizeGet

Utilised by FDD A7 Command N2 Command
Yes 28 N/A

Retrieve the maximum size of keychip storage. The response is a big endian uint16.

6.29 Command 28 -

Utilised by FDD A7 Command N2 Command
No N/A 5

6.30 Command 29 -

Utilised by FDD A7 Command N2 Command
No N/A 6

6.31 Command 30 - ALKeyAuthServerWrite

Utilised by FDD A7 Command N2 Command
No 29 N/A

Write the server key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

6.32 Command 31 - ALKeyAuthKeychipWrite

Utilised by FDD A7 Command N2 Command
No 30 N/A

Write the keychip key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

6.33 Command 32 - ALKeyALLNetAuthWrite

Utilised by FDD A7 Command N2 Command
No 31 N/A

Write the ALL.Net key for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 16-byte key.

6.34 Command 33 - ALKeychipIDWrite

Utilised by FDD A7 Command N2 Command
No 32 N/A

Write the keychip ID for Auth 2.0. This command is unavailable on shipped keychips. The request payload is the new 11-byte keychip ID in compressed format.

6.35 Command 34 - ALStart

Utilised by FDD A7 Command N2 Command
Yes 33 N/A

Begin Auth 2.0 authentication. The payload for this command should be 64 bytes directly proxied from the Auth 2.0 server.

6.36 Command 35 - ALPacket

Utilised by FDD A7 Command N2 Command
Yes 34 N/A

Conclude Auth 2.0 authentication. The payload for this command should be 64 bytes directly proxied from the Auth 2.0 server.