From 362ee3cdb09279b2b274dcf67d70bf818ea24f4c Mon Sep 17 00:00:00 2001 From: Michael Scire Date: Mon, 5 Aug 2019 19:34:59 -0700 Subject: [PATCH] autobackup: dump bis keys (closes #583). --- stratosphere/ams_mitm/source/amsmitm_main.cpp | 4 + stratosphere/ams_mitm/source/utils.cpp | 116 ++++++++++++++---- stratosphere/spl/source/spl_main.cpp | 2 +- 3 files changed, 94 insertions(+), 28 deletions(-) diff --git a/stratosphere/ams_mitm/source/amsmitm_main.cpp b/stratosphere/ams_mitm/source/amsmitm_main.cpp index a5775efd8..5d12ef9d5 100644 --- a/stratosphere/ams_mitm/source/amsmitm_main.cpp +++ b/stratosphere/ams_mitm/source/amsmitm_main.cpp @@ -76,6 +76,7 @@ void __appInit(void) { R_ASSERT(fsInitialize()); R_ASSERT(pmdmntInitialize()); R_ASSERT(pminfoInitialize()); + R_ASSERT(splFsInitialize()); }); CheckAtmosphereVersion(CURRENT_ATMOSPHERE_VERSION); @@ -83,6 +84,9 @@ void __appInit(void) { void __appExit(void) { /* Cleanup services. */ + splFsExit(); + pminfoExit(); + pmdmntExit(); fsExit(); } diff --git a/stratosphere/ams_mitm/source/utils.cpp b/stratosphere/ams_mitm/source/utils.cpp index 86f7fc280..9873beb20 100644 --- a/stratosphere/ams_mitm/source/utils.cpp +++ b/stratosphere/ams_mitm/source/utils.cpp @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -61,7 +62,8 @@ static char g_config_ini_data[0x800]; /* Backup file for CAL0 partition. */ static constexpr size_t ProdinfoSize = 0x8000; -static FsFile g_cal0_file = {0}; +static FsFile g_cal0_file = {}; +static FsFile g_bis_key_file = {}; static u8 g_cal0_storage_backup[ProdinfoSize]; static u8 g_cal0_backup[ProdinfoSize]; @@ -106,40 +108,100 @@ void Utils::InitializeThreadFunc(void *args) { char serial_number[0x40] = {0}; memcpy(serial_number, g_cal0_storage_backup + 0x250, 0x18); + /* Automatically backup PRODINFO. */ + { + char prodinfo_backup_path[FS_MAX_PATH] = {0}; + if (strlen(serial_number) > 0) { + snprintf(prodinfo_backup_path, sizeof(prodinfo_backup_path) - 1, "/atmosphere/automatic_backups/%s_PRODINFO.bin", serial_number); + } else { + snprintf(prodinfo_backup_path, sizeof(prodinfo_backup_path) - 1, "/atmosphere/automatic_backups/PRODINFO.bin"); + } - char prodinfo_backup_path[FS_MAX_PATH] = {0}; - if (strlen(serial_number) > 0) { - snprintf(prodinfo_backup_path, sizeof(prodinfo_backup_path) - 1, "/atmosphere/automatic_backups/%s_PRODINFO.bin", serial_number); - } else { - snprintf(prodinfo_backup_path, sizeof(prodinfo_backup_path) - 1, "/atmosphere/automatic_backups/PRODINFO.bin"); + fsFsCreateFile(&g_sd_filesystem, prodinfo_backup_path, ProdinfoSize, 0); + if (R_SUCCEEDED(fsFsOpenFile(&g_sd_filesystem, prodinfo_backup_path, FS_OPEN_READ | FS_OPEN_WRITE, &g_cal0_file))) { + bool has_auto_backup = false; + size_t read = 0; + if (R_SUCCEEDED(fsFileRead(&g_cal0_file, 0, g_cal0_backup, sizeof(g_cal0_backup), FS_READOPTION_NONE, &read)) && read == sizeof(g_cal0_backup)) { + bool is_cal0_valid = true; + is_cal0_valid &= memcmp(g_cal0_backup, "CAL0", 4) == 0; + is_cal0_valid &= memcmp(g_cal0_backup + 0x250, serial_number, 0x18) == 0; + u32 cal0_size = ((u32 *)g_cal0_backup)[2]; + is_cal0_valid &= cal0_size + 0x40 <= ProdinfoSize; + if (is_cal0_valid) { + u8 calc_hash[0x20]; + sha256CalculateHash(calc_hash, g_cal0_backup + 0x40, cal0_size); + is_cal0_valid &= memcmp(calc_hash, g_cal0_backup + 0x20, sizeof(calc_hash)) == 0; + } + has_auto_backup = is_cal0_valid; + } + + if (!has_auto_backup) { + fsFileSetSize(&g_cal0_file, ProdinfoSize); + fsFileWrite(&g_cal0_file, 0, g_cal0_storage_backup, ProdinfoSize, FS_WRITEOPTION_FLUSH); + } + + /* NOTE: g_cal0_file is intentionally not closed here. This prevents any other process from opening it. */ + memset(g_cal0_storage_backup, 0, sizeof(g_cal0_storage_backup)); + memset(g_cal0_backup, 0, sizeof(g_cal0_backup)); + } } - fsFsCreateFile(&g_sd_filesystem, prodinfo_backup_path, ProdinfoSize, 0); - if (R_SUCCEEDED(fsFsOpenFile(&g_sd_filesystem, prodinfo_backup_path, FS_OPEN_READ | FS_OPEN_WRITE, &g_cal0_file))) { - bool has_auto_backup = false; - size_t read = 0; - if (R_SUCCEEDED(fsFileRead(&g_cal0_file, 0, g_cal0_backup, sizeof(g_cal0_backup), FS_READOPTION_NONE, &read)) && read == sizeof(g_cal0_backup)) { - bool is_cal0_valid = true; - is_cal0_valid &= memcmp(g_cal0_backup, "CAL0", 4) == 0; - is_cal0_valid &= memcmp(g_cal0_backup + 0x250, serial_number, 0x18) == 0; - u32 cal0_size = ((u32 *)g_cal0_backup)[2]; - is_cal0_valid &= cal0_size + 0x40 <= ProdinfoSize; - if (is_cal0_valid) { - u8 calc_hash[0x20]; - sha256CalculateHash(calc_hash, g_cal0_backup + 0x40, cal0_size); - is_cal0_valid &= memcmp(calc_hash, g_cal0_backup + 0x20, sizeof(calc_hash)) == 0; + /* Automatically backup BIS keys. */ + { + static constexpr u8 const BisKeySources[4][2][0x10] = { + { + {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48}, + {0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06} + }, + { + {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F}, + {0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4} + }, + { + {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C}, + {0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4} + }, + { + {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C}, + {0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4} + } + }; + u8 bis_keys[4][2][0x10] = {}; + + /* TODO: Clean this up in ams_mitm refactor. */ + for (size_t partition = 0; partition < 4; partition++) { + if (partition == 0) { + for (size_t i = 0; i < 2; i++) { + R_ASSERT(splFsGenerateSpecificAesKey(BisKeySources[partition][i], 0, i, bis_keys[partition][i])); + } + } else { + static constexpr u8 const BisKekSource[0x10] = { + 0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F, + }; + + const u32 option = (partition == 3 && sts::spl::IsRecoveryBoot()) ? 0x4 : 0x1; + + u8 access_key[0x10]; + R_ASSERT(splCryptoGenerateAesKek(BisKekSource, 0, option, access_key)); + for (size_t i = 0; i < 2; i++) { + R_ASSERT(splCryptoGenerateAesKey(access_key, BisKeySources[partition][i], bis_keys[partition][i])); + } } - has_auto_backup = is_cal0_valid; } - if (!has_auto_backup) { - fsFileSetSize(&g_cal0_file, ProdinfoSize); - fsFileWrite(&g_cal0_file, 0, g_cal0_storage_backup, ProdinfoSize, FS_WRITEOPTION_FLUSH); + char bis_key_backup_path[FS_MAX_PATH] = {0}; + if (strlen(serial_number) > 0) { + snprintf(bis_key_backup_path, sizeof(bis_key_backup_path) - 1, "/atmosphere/automatic_backups/%s_BISKEYS.bin", serial_number); + } else { + snprintf(bis_key_backup_path, sizeof(bis_key_backup_path) - 1, "/atmosphere/automatic_backups/BISKEYS.bin"); } - /* NOTE: g_cal0_file is intentionally not closed here. This prevents any other process from opening it. */ - memset(g_cal0_storage_backup, 0, sizeof(g_cal0_storage_backup)); - memset(g_cal0_backup, 0, sizeof(g_cal0_backup)); + fsFsCreateFile(&g_sd_filesystem, bis_key_backup_path, sizeof(bis_keys), 0); + if (R_SUCCEEDED(fsFsOpenFile(&g_sd_filesystem, bis_key_backup_path, FS_OPEN_READ | FS_OPEN_WRITE, &g_bis_key_file))) { + fsFileSetSize(&g_bis_key_file, sizeof(bis_keys)); + fsFileWrite(&g_bis_key_file, 0, bis_keys, sizeof(bis_keys), FS_WRITEOPTION_FLUSH); + /* NOTE: g_bis_key_file is intentionally not closed here. This prevents any other process from opening it. */ + } } } diff --git a/stratosphere/spl/source/spl_main.cpp b/stratosphere/spl/source/spl_main.cpp index ca2ad5ce0..b3a9b22f9 100644 --- a/stratosphere/spl/source/spl_main.cpp +++ b/stratosphere/spl/source/spl_main.cpp @@ -104,7 +104,7 @@ int main(int argc, char **argv) s_server_manager.AddWaitable(new ServiceServer("spl:mig", 6)); s_server_manager.AddWaitable(new ServiceServer("spl:ssl", 2)); s_server_manager.AddWaitable(new ServiceServer("spl:es", 2)); - s_server_manager.AddWaitable(new ServiceServer("spl:fs", 2)); + s_server_manager.AddWaitable(new ServiceServer("spl:fs", 3)); if (GetRuntimeFirmwareVersion() >= FirmwareVersion_500) { s_server_manager.AddWaitable(new ServiceServer("spl:manu", 1)); }