mirror of
https://github.com/CTCaer/hekate
synced 2024-12-22 11:21:23 +00:00
hekate/Nyx: remove Sept completely
- remove any reference to sept and parsing of it - completely refactor and simplify keygen - use new Atmo tsec keygen for 7.0.0 and up - simplify all info/tools that depend on hos keygen and bis keys
This commit is contained in:
parent
e9edcfeeb0
commit
f5ec4a3a37
32 changed files with 661 additions and 1722 deletions
|
@ -38,7 +38,6 @@ void set_default_configuration()
|
|||
h_cfg.autoboot = 0;
|
||||
h_cfg.autoboot_list = 0;
|
||||
h_cfg.bootwait = 3;
|
||||
h_cfg.se_keygen_done = 0;
|
||||
h_cfg.backlight = 100;
|
||||
h_cfg.autohosoff = 0;
|
||||
h_cfg.autonogc = 1;
|
||||
|
@ -46,8 +45,6 @@ void set_default_configuration()
|
|||
h_cfg.bootprotect = 0;
|
||||
h_cfg.errors = 0;
|
||||
h_cfg.eks = NULL;
|
||||
h_cfg.sept_run = EMC(EMC_SCRATCH0) & EMC_SEPT_RUN;
|
||||
h_cfg.aes_slots_new = false;
|
||||
h_cfg.rcm_patched = fuse_check_patched_rcm();
|
||||
h_cfg.emummc_force_disable = false;
|
||||
h_cfg.t210b01 = hw_get_chip_id() == GP_HIDREV_MAJOR_T210B01;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2018-2019 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -33,9 +33,6 @@ typedef struct _hekate_config
|
|||
u32 bootprotect;
|
||||
// Global temporary config.
|
||||
bool t210b01;
|
||||
bool se_keygen_done;
|
||||
bool sept_run;
|
||||
bool aes_slots_new;
|
||||
bool emummc_force_disable;
|
||||
bool rcm_patched;
|
||||
u32 errors;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2018 naehrwert
|
||||
* Copyright (c) 2018 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
* Copyright (c) 2018 balika011
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
|
|
|
@ -26,7 +26,6 @@
|
|||
#include "../hos/hos.h"
|
||||
#include "../hos/pkg1.h"
|
||||
#include "../hos/pkg2.h"
|
||||
#include "../hos/sept.h"
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <mem/heap.h>
|
||||
#include <power/max7762x.h>
|
||||
|
@ -90,38 +89,18 @@ void dump_packages12()
|
|||
|
||||
kb = pkg1_id->kb;
|
||||
|
||||
if (!h_cfg.se_keygen_done)
|
||||
{
|
||||
tsec_ctxt.fw = (void *)pkg1 + pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = (void *)pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
tsec_ctxt.fw = (void *)pkg1 + pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = (void *)pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
b_cfg.autoboot = 0;
|
||||
b_cfg.autoboot_list = 0;
|
||||
// Read keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, 0x180000 / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
gfx_printf("sept will run to get the keys.\nThen rerun this option.");
|
||||
btn_wait();
|
||||
|
||||
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb, NULL))
|
||||
{
|
||||
gfx_printf("Failed to run sept\n");
|
||||
goto out_free;
|
||||
}
|
||||
}
|
||||
|
||||
// Read keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, 0x180000 / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
// Decrypt.
|
||||
hos_keygen(keyblob, kb, &tsec_ctxt, NULL);
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
h_cfg.se_keygen_done = 1;
|
||||
free(keyblob);
|
||||
}
|
||||
// Decrypt.
|
||||
hos_keygen(keyblob, kb, &tsec_ctxt, false, false);
|
||||
free(keyblob);
|
||||
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
pkg1_decrypt(pkg1_id, pkg1);
|
||||
|
@ -199,8 +178,16 @@ void dump_packages12()
|
|||
pkg2 = malloc(pkg2_size_aligned);
|
||||
nx_emmc_part_read(&emmc_storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE,
|
||||
pkg2_size_aligned / NX_EMMC_BLOCKSIZE, pkg2);
|
||||
|
||||
#if 0
|
||||
emmcsn_path_impl(path, "/pkg2", "pkg2_encr.bin", &emmc_storage);
|
||||
if (sd_save_to_file(pkg2, pkg2_size_aligned, path))
|
||||
goto out;
|
||||
gfx_puts("\npkg2 dumped to pkg2_encr.bin\n");
|
||||
#endif
|
||||
|
||||
// Decrypt package2 and parse KIP1 blobs in INI1 section.
|
||||
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(pkg2, kb);
|
||||
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(pkg2, kb, false);
|
||||
if (!pkg2_hdr)
|
||||
{
|
||||
gfx_printf("Pkg2 decryption failed!\n");
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2018 naehrwert
|
||||
* Copyright (c) 2018 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Atmosphère Fusée Secondary Storage parser.
|
||||
*
|
||||
* Copyright (c) 2019-2020 CTCaer
|
||||
* Copyright (c) 2019-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -51,6 +51,7 @@ extern bool is_ipl_updated(void *buf, char *path, bool force);
|
|||
#define CNT_TYPE_KLD 9 // Kernel Loader.
|
||||
#define CNT_TYPE_KRN 10 // Kernel.
|
||||
#define CNT_TYPE_EXF 11 // Exosphere Mariko fatal payload.
|
||||
#define CNT_TYPE_TKG 12 // Tsec Keygen.
|
||||
|
||||
// FSS0 Content Flags.
|
||||
#define CNT_FLAG0_EXPERIMENTAL BIT(0)
|
||||
|
@ -116,33 +117,30 @@ static void _update_r2p(launch_ctxt_t *ctxt, const char *path)
|
|||
free(r2p_path);
|
||||
}
|
||||
|
||||
int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
|
||||
int parse_fss(launch_ctxt_t *ctxt, const char *path)
|
||||
{
|
||||
FIL fp;
|
||||
|
||||
bool stock = false;
|
||||
int sept_used = 0;
|
||||
|
||||
// Skip if stock and Exosphere and warmboot are not needed.
|
||||
if (!sept_ctxt)
|
||||
{
|
||||
bool pkg1_old = ctxt->pkg1_id->kb <= KB_FIRMWARE_VERSION_620;
|
||||
bool emummc_disabled = !emu_cfg.enabled || h_cfg.emummc_force_disable;
|
||||
bool pkg1_old = ctxt->pkg1_id->kb <= KB_FIRMWARE_VERSION_620; // Should check if t210b01?
|
||||
bool emummc_disabled = !emu_cfg.enabled || h_cfg.emummc_force_disable;
|
||||
|
||||
LIST_FOREACH_ENTRY(ini_kv_t, kv, &ctxt->cfg->kvs, link)
|
||||
{
|
||||
if (!strcmp("stock", kv->key))
|
||||
if (kv->val[0] == '1')
|
||||
stock = true;
|
||||
}
|
||||
LIST_FOREACH_ENTRY(ini_kv_t, kv, &ctxt->cfg->kvs, link)
|
||||
{
|
||||
if (!strcmp("stock", kv->key))
|
||||
if (kv->val[0] == '1')
|
||||
stock = true;
|
||||
}
|
||||
|
||||
#ifdef HOS_MARIKO_STOCK_SECMON
|
||||
if (stock && emummc_disabled && (pkg1_old || h_cfg.t210b01))
|
||||
if (stock && emummc_disabled && (pkg1_old || h_cfg.t210b01))
|
||||
return 1;
|
||||
#else
|
||||
if (stock && emummc_disabled && pkg1_old)
|
||||
if (stock && emummc_disabled && pkg1_old)
|
||||
return 1;
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (f_open(&fp, path, FA_READ) != FR_OK)
|
||||
return 0;
|
||||
|
@ -160,16 +158,13 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
|
|||
if (fss_meta->magic == FSS0_MAGIC)
|
||||
{
|
||||
gfx_printf("Found FSS0, Atmosphere %d.%d.%d-%08x\n"
|
||||
"Max HOS supported: %d.%d.%d\n"
|
||||
"Unpacking and loading components.. ",
|
||||
"Max HOS: %d.%d.%d\n"
|
||||
"Unpacking.. ",
|
||||
fss_meta->version >> 24, (fss_meta->version >> 16) & 0xFF, (fss_meta->version >> 8) & 0xFF, fss_meta->git_rev,
|
||||
fss_meta->hos_ver >> 24, (fss_meta->hos_ver >> 16) & 0xFF, (fss_meta->hos_ver >> 8) & 0xFF);
|
||||
|
||||
if (!sept_ctxt)
|
||||
{
|
||||
ctxt->atmosphere = true;
|
||||
ctxt->fss0_hosver = fss_meta->hos_ver;
|
||||
}
|
||||
ctxt->atmosphere = true;
|
||||
ctxt->fss0_hosver = fss_meta->hos_ver;
|
||||
|
||||
// Parse FSS0 contents.
|
||||
fss_content_t *curr_fss_cnt = (fss_content_t *)(fss + fss_meta->cnt_off);
|
||||
|
@ -186,84 +181,57 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
|
|||
if ((curr_fss_cnt[i].flags0 & CNT_FLAG0_EXPERIMENTAL) && !ctxt->fss0_experimental)
|
||||
continue;
|
||||
|
||||
// Parse content.
|
||||
if (!sept_ctxt)
|
||||
// Prepare content.
|
||||
switch (curr_fss_cnt[i].type)
|
||||
{
|
||||
// Prepare content context.
|
||||
switch (curr_fss_cnt[i].type)
|
||||
{
|
||||
case CNT_TYPE_KIP:
|
||||
if (stock)
|
||||
continue;
|
||||
merge_kip_t *mkip1 = (merge_kip_t *)malloc(sizeof(merge_kip_t));
|
||||
mkip1->kip1 = content;
|
||||
list_append(&ctxt->kip1_list, &mkip1->link);
|
||||
DPRINTF("Loaded %s.kip1 from FSS0 (size %08X)\n", curr_fss_cnt[i].name, curr_fss_cnt[i].size);
|
||||
break;
|
||||
|
||||
case CNT_TYPE_KRN:
|
||||
if (stock)
|
||||
continue;
|
||||
ctxt->kernel_size = curr_fss_cnt[i].size;
|
||||
ctxt->kernel = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_EXO:
|
||||
ctxt->secmon_size = curr_fss_cnt[i].size;
|
||||
ctxt->secmon = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_EXF:
|
||||
ctxt->exofatal_size = curr_fss_cnt[i].size;
|
||||
ctxt->exofatal = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_WBT:
|
||||
if (h_cfg.t210b01)
|
||||
continue;
|
||||
ctxt->warmboot_size = curr_fss_cnt[i].size;
|
||||
ctxt->warmboot = content;
|
||||
break;
|
||||
|
||||
default:
|
||||
case CNT_TYPE_KIP:
|
||||
if (stock)
|
||||
continue;
|
||||
}
|
||||
merge_kip_t *mkip1 = (merge_kip_t *)malloc(sizeof(merge_kip_t));
|
||||
mkip1->kip1 = content;
|
||||
list_append(&ctxt->kip1_list, &mkip1->link);
|
||||
DPRINTF("Loaded %s.kip1 from FSS0 (size %08X)\n", curr_fss_cnt[i].name, curr_fss_cnt[i].size);
|
||||
break;
|
||||
|
||||
// Load content to launch context.
|
||||
f_lseek(&fp, curr_fss_cnt[i].offset);
|
||||
f_read(&fp, content, curr_fss_cnt[i].size, NULL);
|
||||
}
|
||||
else
|
||||
{
|
||||
// Load sept content directly to launch context.
|
||||
switch (curr_fss_cnt[i].type)
|
||||
{
|
||||
case CNT_TYPE_SP1:
|
||||
f_lseek(&fp, curr_fss_cnt[i].offset);
|
||||
f_read(&fp, sept_ctxt->sept_primary, curr_fss_cnt[i].size, NULL);
|
||||
break;
|
||||
case CNT_TYPE_SP2:
|
||||
if (!memcmp(curr_fss_cnt[i].name, (sept_ctxt->kb < KB_FIRMWARE_VERSION_810) ? "septsecondary00" : "septsecondary01", 15))
|
||||
{
|
||||
f_lseek(&fp, curr_fss_cnt[i].offset);
|
||||
f_read(&fp, sept_ctxt->sept_secondary, curr_fss_cnt[i].size, NULL);
|
||||
sept_used = 1;
|
||||
goto out;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
case CNT_TYPE_KRN:
|
||||
if (stock)
|
||||
continue;
|
||||
ctxt->kernel_size = curr_fss_cnt[i].size;
|
||||
ctxt->kernel = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_EXO:
|
||||
ctxt->secmon_size = curr_fss_cnt[i].size;
|
||||
ctxt->secmon = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_EXF:
|
||||
ctxt->exofatal_size = curr_fss_cnt[i].size;
|
||||
ctxt->exofatal = content;
|
||||
break;
|
||||
|
||||
case CNT_TYPE_WBT:
|
||||
if (h_cfg.t210b01)
|
||||
continue;
|
||||
ctxt->warmboot_size = curr_fss_cnt[i].size;
|
||||
ctxt->warmboot = content;
|
||||
break;
|
||||
|
||||
default:
|
||||
continue;
|
||||
}
|
||||
|
||||
// Load content to launch context.
|
||||
f_lseek(&fp, curr_fss_cnt[i].offset);
|
||||
f_read(&fp, content, curr_fss_cnt[i].size, NULL);
|
||||
}
|
||||
|
||||
out:
|
||||
gfx_printf("Done!\n");
|
||||
f_close(&fp);
|
||||
|
||||
_update_r2p(ctxt, path);
|
||||
|
||||
return (!sept_ctxt ? 1 : sept_used);
|
||||
return 1;
|
||||
}
|
||||
|
||||
f_close(&fp);
|
||||
|
@ -271,14 +239,3 @@ out:
|
|||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int load_sept_from_ffs0(fss0_sept_t *sept_ctxt)
|
||||
{
|
||||
LIST_FOREACH_ENTRY(ini_kv_t, kv, &sept_ctxt->cfg_sec->kvs, link)
|
||||
{
|
||||
if (!strcmp("fss0", kv->key))
|
||||
return parse_fss(NULL, kv->val, sept_ctxt);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2019 CTCaer
|
||||
* Copyright (c) 2019-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -19,16 +19,6 @@
|
|||
|
||||
#include "hos.h"
|
||||
|
||||
typedef struct _fss0_sept_t
|
||||
{
|
||||
u32 kb;
|
||||
ini_sec_t *cfg_sec;
|
||||
void *sept_primary;
|
||||
void *sept_secondary;
|
||||
|
||||
} fss0_sept_t;
|
||||
|
||||
int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt);
|
||||
int load_sept_from_ffs0(fss0_sept_t *sept_ctxt);
|
||||
int parse_fss(launch_ctxt_t *ctxt, const char *path);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -22,7 +22,6 @@
|
|||
|
||||
#include "hos.h"
|
||||
#include "hos_config.h"
|
||||
#include "sept.h"
|
||||
#include "secmon_exo.h"
|
||||
#include "../config.h"
|
||||
#include <display/di.h>
|
||||
|
@ -84,7 +83,7 @@ typedef struct _tsec_keys_t
|
|||
|
||||
typedef struct _kb_keys_t
|
||||
{
|
||||
u8 master_keyseed[SE_KEY_128_SIZE];
|
||||
u8 master_kekseed[SE_KEY_128_SIZE];
|
||||
u8 random_data[0x70];
|
||||
u8 package1_key[SE_KEY_128_SIZE];
|
||||
} kb_keys_t;
|
||||
|
@ -112,12 +111,17 @@ static const u8 cmac_keyseed[SE_KEY_128_SIZE] =
|
|||
static const u8 master_keyseed_retail[SE_KEY_128_SIZE] =
|
||||
{ 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
|
||||
|
||||
static const u8 master_keyseed_4xx_5xx_610[SE_KEY_128_SIZE] =
|
||||
static const u8 master_keyseed_4xx[SE_KEY_128_SIZE] =
|
||||
{ 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
|
||||
|
||||
static const u8 master_keyseed_620[SE_KEY_128_SIZE] =
|
||||
static const u8 master_kekseed_620[SE_KEY_128_SIZE] =
|
||||
{ 0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A };
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 master_kekseed_t210_max[SE_KEY_128_SIZE] =
|
||||
{ 0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A }; // 12.1.0.
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
|
||||
{ 0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56 }, // 6.0.0.
|
||||
{ 0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE }, // 6.2.0.
|
||||
|
@ -131,7 +135,7 @@ static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
|
|||
static const u8 console_keyseed[SE_KEY_128_SIZE] =
|
||||
{ 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
|
||||
|
||||
static const u8 console_keyseed_4xx_5xx[SE_KEY_128_SIZE] =
|
||||
static const u8 console_keyseed_4xx[SE_KEY_128_SIZE] =
|
||||
{ 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
|
||||
|
||||
const u8 package2_keyseed[SE_KEY_128_SIZE] =
|
||||
|
@ -214,7 +218,7 @@ bool hos_eks_rw_try(u8 *buf, bool write)
|
|||
return false;
|
||||
}
|
||||
|
||||
void hos_eks_get()
|
||||
static void _hos_eks_get()
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
|
@ -230,11 +234,10 @@ void hos_eks_get()
|
|||
|
||||
// Decrypt EKS blob.
|
||||
hos_eks_mbr_t *eks = (hos_eks_mbr_t *)(mbr + 0x80);
|
||||
se_aes_crypt_ecb(14, 0, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, DECRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Check if valid and for this unit.
|
||||
if (eks->magic == HOS_EKS_MAGIC &&
|
||||
(eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0) || eks->lot0 == FUSE(FUSE_PRIVATE_KEY0)))
|
||||
if (eks->magic == HOS_EKS_MAGIC && eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0))
|
||||
{
|
||||
h_cfg.eks = eks;
|
||||
return;
|
||||
|
@ -245,82 +248,63 @@ out:
|
|||
}
|
||||
}
|
||||
|
||||
void hos_eks_save(u32 kb)
|
||||
static void _hos_eks_save(u32 kb)
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
// EKS save. Only for 7.0.0 and up.
|
||||
bool new_eks = false;
|
||||
if (!h_cfg.eks)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
h_cfg.eks = calloc(512 , 1);
|
||||
new_eks = true;
|
||||
}
|
||||
|
||||
bool new_eks = false;
|
||||
if (!h_cfg.eks)
|
||||
// If matching blob doesn't exist, create it.
|
||||
if (h_cfg.eks->enabled < kb)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
{
|
||||
h_cfg.eks = calloc(512 , 1);
|
||||
new_eks = true;
|
||||
if (new_eks)
|
||||
{
|
||||
free(h_cfg.eks);
|
||||
h_cfg.eks = NULL;
|
||||
}
|
||||
|
||||
goto out;
|
||||
}
|
||||
|
||||
// If matching blob doesn't exist, create it.
|
||||
bool update_eks = key_idx ? (h_cfg.eks->enabled[key_idx] < kb) : !h_cfg.eks->enabled[0];
|
||||
// If old EKS version was found, update it.
|
||||
update_eks |= h_cfg.eks->lot0 != FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
if (update_eks)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
{
|
||||
if (new_eks)
|
||||
{
|
||||
free(h_cfg.eks);
|
||||
h_cfg.eks = NULL;
|
||||
}
|
||||
// Get keys.
|
||||
u8 *keys = (u8 *)calloc(0x2000, 1);
|
||||
se_get_aes_keys(keys + 0x1000, keys, SE_KEY_128_SIZE);
|
||||
|
||||
goto out;
|
||||
}
|
||||
// Set magic and personalized info.
|
||||
h_cfg.eks->magic = HOS_EKS_MAGIC;
|
||||
h_cfg.eks->enabled = KB_FIRMWARE_VERSION_MAX;
|
||||
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
|
||||
// Get keys.
|
||||
u8 *keys = (u8 *)calloc(0x2000, 1);
|
||||
se_get_aes_keys(keys + 0x1000, keys, SE_KEY_128_SIZE);
|
||||
// Copy new keys.
|
||||
memcpy(h_cfg.eks->tsec, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->troot, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->troot_dev, keys + 11 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
|
||||
// Set magic and personalized info.
|
||||
h_cfg.eks->magic = HOS_EKS_MAGIC;
|
||||
h_cfg.eks->enabled[key_idx] = kb;
|
||||
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Copy new keys.
|
||||
memcpy(h_cfg.eks->dkg, keys + 10 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->dkk, keys + 15 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
if (!h_cfg.aes_slots_new)
|
||||
{
|
||||
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
}
|
||||
else // New sept slots.
|
||||
{
|
||||
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
}
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
free(eks);
|
||||
free(keys);
|
||||
free(eks);
|
||||
free(keys);
|
||||
out:
|
||||
free(mbr);
|
||||
}
|
||||
free(mbr);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -332,12 +316,8 @@ void hos_eks_clear(u32 kb)
|
|||
|
||||
if (h_cfg.eks && kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
// Check if Current Master key is enabled.
|
||||
if (h_cfg.eks->enabled[key_idx])
|
||||
// Check if current Master key is enabled.
|
||||
if (h_cfg.eks->enabled)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
|
@ -345,20 +325,17 @@ void hos_eks_clear(u32 kb)
|
|||
goto out;
|
||||
|
||||
// Disable current Master key version.
|
||||
h_cfg.eks->enabled[key_idx] = 0;
|
||||
h_cfg.eks->enabled = 0;
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
EMC(EMC_SCRATCH0) &= ~EMC_SEPT_RUN;
|
||||
h_cfg.sept_run = false;
|
||||
|
||||
free(eks);
|
||||
out:
|
||||
free(mbr);
|
||||
|
@ -369,7 +346,7 @@ out:
|
|||
int hos_keygen_t210b01(u32 kb)
|
||||
{
|
||||
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
|
||||
se_aes_unwrap_key(10, 14, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(10, 14, console_keyseed_4xx);
|
||||
|
||||
// Derive master key.
|
||||
se_aes_unwrap_key(7, 12, &master_kekseed_t210b01[kb - KB_FIRMWARE_VERSION_600]);
|
||||
|
@ -381,9 +358,12 @@ int hos_keygen_t210b01(u32 kb)
|
|||
return 1;
|
||||
}
|
||||
|
||||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_ctxt)
|
||||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, bool stock, bool is_exo)
|
||||
{
|
||||
static bool sbk_wiped = false;
|
||||
|
||||
u32 retries = 0;
|
||||
bool use_tsec = false;
|
||||
tsec_keys_t tsec_keys;
|
||||
kb_t *kb_data = (kb_t *)keyblob;
|
||||
|
||||
|
@ -393,76 +373,114 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
|
|||
if (h_cfg.t210b01)
|
||||
return hos_keygen_t210b01(kb);
|
||||
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
tsec_ctxt->size = 0xF00;
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
tsec_ctxt->size = 0x2900;
|
||||
else if (kb == KB_FIRMWARE_VERSION_700)
|
||||
tsec_ctxt->size = 0x3000;
|
||||
else
|
||||
tsec_ctxt->size = 0x3300;
|
||||
// Do Erista keygen.
|
||||
|
||||
// Prepare smmu tsec page for 6.2.0.
|
||||
if (kb == KB_FIRMWARE_VERSION_620)
|
||||
// SBK is wiped. Try to restore it from fuses.
|
||||
if (sbk_wiped)
|
||||
{
|
||||
if (fuse_set_sbk())
|
||||
sbk_wiped = false;
|
||||
else
|
||||
return 1; // Continue with current SE keys.
|
||||
}
|
||||
|
||||
// Use HOS EKS if it exists.
|
||||
_hos_eks_get();
|
||||
|
||||
// Use tsec keygen for old firmware or if EKS keys do not exist for newer.
|
||||
if (kb <= KB_FIRMWARE_VERSION_620 || !h_cfg.eks || (h_cfg.eks && h_cfg.eks->enabled < kb))
|
||||
use_tsec = true;
|
||||
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
{
|
||||
tsec_ctxt->size = 0xF00;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_OLD;
|
||||
}
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
{
|
||||
tsec_ctxt->size = 0x2900;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_EMU;
|
||||
|
||||
// Prepare smmu tsec page for 6.2.0.
|
||||
u8 *tsec_paged = (u8 *)page_alloc(3);
|
||||
memcpy(tsec_paged, (void *)tsec_ctxt->fw, tsec_ctxt->size);
|
||||
tsec_ctxt->fw = tsec_paged;
|
||||
}
|
||||
else if (use_tsec) // 7.0.0+
|
||||
{
|
||||
/*
|
||||
* 7.0.0/8.1.0 tsec fw are 0x3000/0x3300.
|
||||
* Unused here because of THK.
|
||||
*/
|
||||
|
||||
// Use custom TSEC Hovi Keygen firmware.
|
||||
tsec_ctxt->fw = sd_file_read("bootloader/sys/thk.bin", NULL);
|
||||
if (!tsec_ctxt->fw)
|
||||
{
|
||||
_hos_crit_error("\nFailed to load thk.bin");
|
||||
return 0;
|
||||
}
|
||||
|
||||
tsec_ctxt->size = 0x1F00;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_NEW;
|
||||
}
|
||||
else if (h_cfg.eks)
|
||||
{
|
||||
// EKS found. Set TSEC keys.
|
||||
se_aes_key_set(12, h_cfg.eks->tsec, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, h_cfg.eks->troot, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(11, h_cfg.eks->troot_dev, SE_KEY_128_SIZE);
|
||||
}
|
||||
|
||||
// Get TSEC key.
|
||||
if (kb <= KB_FIRMWARE_VERSION_620)
|
||||
while (use_tsec && tsec_query(&tsec_keys, tsec_ctxt) < 0)
|
||||
{
|
||||
while (tsec_query(&tsec_keys, kb, tsec_ctxt) < 0)
|
||||
{
|
||||
memset(&tsec_keys, 0x00, 0x20);
|
||||
retries++;
|
||||
memset(&tsec_keys, 0x00, 0x20);
|
||||
retries++;
|
||||
|
||||
// We rely on racing conditions, make sure we cover even the unluckiest cases.
|
||||
if (retries > 15)
|
||||
{
|
||||
_hos_crit_error("\nFailed to get TSEC keys. Please try again.");
|
||||
return 0;
|
||||
}
|
||||
// We rely on racing conditions, make sure we cover even the unluckiest cases.
|
||||
if (retries > 15)
|
||||
{
|
||||
_hos_crit_error("\nFailed to get TSEC keys. Please try again.");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
// Use HOS EKS if it exists.
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
|
||||
// For 7.0.0 and up, save EKS slot if it doesn't exist.
|
||||
if (use_tsec)
|
||||
{
|
||||
// Set Device keygen key to slot 10.
|
||||
se_aes_key_set(10, h_cfg.eks->dkg, SE_KEY_128_SIZE);
|
||||
// Set Device key to slot 15.
|
||||
se_aes_key_set(15, h_cfg.eks->dkk, SE_KEY_128_SIZE);
|
||||
|
||||
if (!h_cfg.aes_slots_new)
|
||||
{
|
||||
// Set Master key to slot 12.
|
||||
se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
|
||||
// Set FW Device key key to slot 13.
|
||||
se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
|
||||
// Lock FDK.
|
||||
se_key_acc_ctrl(13, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
|
||||
}
|
||||
else // New exosphere.
|
||||
{
|
||||
// Set Master key to slot 13.
|
||||
se_aes_key_set(13, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
|
||||
// Set FW Device key key to slot 12.
|
||||
se_aes_key_set(12, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
|
||||
// Lock FDK.
|
||||
se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
|
||||
}
|
||||
_hos_eks_save(kb);
|
||||
free(tsec_ctxt->fw);
|
||||
}
|
||||
|
||||
se_aes_key_clear(8);
|
||||
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
|
||||
if (!is_exo)
|
||||
{
|
||||
// Derive Package2 key in secmon compatible way.
|
||||
se_aes_unwrap_key(7, 13, master_kekseed_t210_max);
|
||||
se_aes_unwrap_key(7, 7, master_keyseed_retail);
|
||||
se_aes_unwrap_key(8, 7, package2_keyseed);
|
||||
}
|
||||
else
|
||||
{
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
|
||||
|
||||
// Derive device keys.
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
|
||||
// Derive master kek.
|
||||
se_aes_unwrap_key(13, 13, master_kekseed_t210_max);
|
||||
|
||||
// Derive device master key and master key.
|
||||
se_aes_unwrap_key(12, 13, master_keyseed_4xx);
|
||||
se_aes_unwrap_key(13, 13, master_keyseed_retail);
|
||||
|
||||
// Package2 key.
|
||||
se_aes_unwrap_key(8, 13, package2_keyseed);
|
||||
}
|
||||
}
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
{
|
||||
|
@ -471,39 +489,33 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
|
|||
// Set TSEC root key.
|
||||
se_aes_key_set(13, tsec_keys.tsec_root, SE_KEY_128_SIZE);
|
||||
|
||||
if (!(emu_cfg.enabled && !h_cfg.emummc_force_disable) && hos_ctxt->stock)
|
||||
if (!is_exo)
|
||||
{
|
||||
// Package2 key.
|
||||
// Derive Package2 key in secmon compatible way.
|
||||
se_aes_key_set(8, tsec_keys.tsec_root, SE_KEY_128_SIZE);
|
||||
se_aes_unwrap_key(8, 8, master_keyseed_620);
|
||||
se_aes_unwrap_key(8, 8, master_kekseed_620);
|
||||
se_aes_unwrap_key(8, 8, master_keyseed_retail);
|
||||
se_aes_unwrap_key(8, 8, package2_keyseed);
|
||||
}
|
||||
else
|
||||
{
|
||||
// Decrypt keyblob and set keyslots
|
||||
se_aes_crypt_block_ecb(12, 0, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
// Decrypt keyblob and set keyslots for Exosphere 2.
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
|
||||
|
||||
// Derive device keys.
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
|
||||
se_aes_unwrap_key(13, 13, master_keyseed_620);
|
||||
// Derive master kek.
|
||||
se_aes_unwrap_key(13, 13, master_kekseed_620);
|
||||
|
||||
if (!h_cfg.aes_slots_new)
|
||||
{
|
||||
se_aes_unwrap_key(14, 13, master_keyseed_4xx_5xx_610);
|
||||
se_aes_unwrap_key(12, 13, master_keyseed_retail);
|
||||
}
|
||||
else // New exosphere.
|
||||
{
|
||||
se_aes_unwrap_key(12, 13, master_keyseed_4xx_5xx_610);
|
||||
se_aes_unwrap_key(13, 13, master_keyseed_retail);
|
||||
}
|
||||
// Derive device master key and master key.
|
||||
se_aes_unwrap_key(12, 13, master_keyseed_4xx);
|
||||
se_aes_unwrap_key(13, 13, master_keyseed_retail);
|
||||
|
||||
// Package2 key.
|
||||
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
|
||||
|
||||
h_cfg.se_keygen_done = 1;
|
||||
se_aes_unwrap_key(8, 13, package2_keyseed);
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -515,13 +527,13 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
|
|||
se_aes_key_set(13, tsec_keys.tsec, SE_KEY_128_SIZE);
|
||||
|
||||
// Derive keyblob keys from TSEC+SBK.
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[0]);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tsec);
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[kb]);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[kb]);
|
||||
se_aes_unwrap_key(13, 14, tsec_keys.tsec);
|
||||
|
||||
// Clear SBK.
|
||||
se_aes_key_clear(14);
|
||||
//se_aes_key_clear(14);
|
||||
|
||||
/*
|
||||
// Verify keyblob CMAC.
|
||||
|
@ -532,18 +544,18 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
|
|||
return 0;
|
||||
*/
|
||||
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, cmac_keyseed);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, cmac_keyseed);
|
||||
se_aes_unwrap_key(11, 13, cmac_keyseed);
|
||||
|
||||
// Decrypt keyblob and set keyslots.
|
||||
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_data->keys), &kb_data->keys, sizeof(kb_data->keys), kb_data->ctr);
|
||||
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_keys_t), &kb_data->keys, sizeof(kb_keys_t), kb_data->ctr);
|
||||
se_aes_key_set(11, kb_data->keys.package1_key, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(12, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(12, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
|
||||
|
||||
se_aes_crypt_block_ecb(12, 0, tsec_keys.tsec, master_keyseed_retail);
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tsec, master_keyseed_retail);
|
||||
|
||||
if (!h_cfg.aes_slots_new)
|
||||
if (!is_exo)
|
||||
{
|
||||
switch (kb)
|
||||
{
|
||||
|
@ -554,31 +566,33 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
|
|||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_400:
|
||||
se_aes_unwrap_key(13, 15, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(13, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx);
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
sbk_wiped = true;
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_500:
|
||||
case KB_FIRMWARE_VERSION_600:
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx);
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
sbk_wiped = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
else // New exosphere.
|
||||
else // Exosphere 2.
|
||||
{
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
se_aes_unwrap_key(13, 12, master_keyseed_retail);
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_4xx_5xx_610);
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_4xx);
|
||||
}
|
||||
|
||||
// Package2 key.
|
||||
se_key_acc_ctrl(8, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
|
||||
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
|
||||
se_aes_unwrap_key(8, !is_exo ? 12 : 13, package2_keyseed);
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -722,14 +736,12 @@ int hos_launch(ini_sec_t *cfg)
|
|||
u8 kb;
|
||||
u32 secmon_base;
|
||||
u32 warmboot_base;
|
||||
launch_ctxt_t ctxt;
|
||||
bool exo_new = false;
|
||||
tsec_ctxt_t tsec_ctxt;
|
||||
bool is_exo = false;
|
||||
launch_ctxt_t ctxt = {0};
|
||||
tsec_ctxt_t tsec_ctxt = {0};
|
||||
volatile secmon_mailbox_t *secmon_mailbox;
|
||||
|
||||
minerva_change_freq(FREQ_1600);
|
||||
memset(&ctxt, 0, sizeof(launch_ctxt_t));
|
||||
memset(&tsec_ctxt, 0, sizeof(tsec_ctxt_t));
|
||||
list_init(&ctxt.kip1_list);
|
||||
|
||||
ctxt.cfg = cfg;
|
||||
|
@ -780,7 +792,7 @@ int hos_launch(ini_sec_t *cfg)
|
|||
goto error;
|
||||
}
|
||||
|
||||
ctxt.atmosphere = true; // Set atmosphere patching in case of Stock emuMMC and no fss0.
|
||||
ctxt.atmosphere = true; // Set atmosphere patching in case of no fss0.
|
||||
config_kip1patch(&ctxt, "emummc");
|
||||
}
|
||||
else if (!emu_cfg.enabled && ctxt.emummc_forced)
|
||||
|
@ -817,34 +829,22 @@ int hos_launch(ini_sec_t *cfg)
|
|||
|
||||
gfx_puts("Loaded config, pkg1 and keyblob\n");
|
||||
|
||||
// Check if secmon is new exosphere.
|
||||
// Check if secmon is exosphere.
|
||||
if (ctxt.secmon)
|
||||
exo_new = !memcmp((void *)((u8 *)ctxt.secmon + ctxt.secmon_size - 4), "LENY", 4);
|
||||
is_exo = !memcmp((void *)((u8 *)ctxt.secmon + ctxt.secmon_size - 4), "LENY", 4);
|
||||
const pkg1_id_t *pk1_latest = pkg1_get_latest();
|
||||
secmon_base = exo_new ? pk1_latest->secmon_base : ctxt.pkg1_id->secmon_base;
|
||||
warmboot_base = exo_new ? pk1_latest->warmboot_base : ctxt.pkg1_id->warmboot_base;
|
||||
h_cfg.aes_slots_new = exo_new;
|
||||
secmon_base = is_exo ? pk1_latest->secmon_base : ctxt.pkg1_id->secmon_base;
|
||||
warmboot_base = is_exo ? pk1_latest->warmboot_base : ctxt.pkg1_id->warmboot_base;
|
||||
|
||||
// Generate keys.
|
||||
if (!h_cfg.se_keygen_done)
|
||||
{
|
||||
tsec_ctxt.fw = (u8 *)ctxt.pkg1 + ctxt.pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = ctxt.pkg1;
|
||||
tsec_ctxt.pkg11_off = ctxt.pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = secmon_base;
|
||||
tsec_ctxt.fw = (u8 *)ctxt.pkg1 + ctxt.pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = ctxt.pkg1;
|
||||
tsec_ctxt.pkg11_off = ctxt.pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = secmon_base;
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
_hos_crit_error("Failed to run sept");
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (!hos_keygen(ctxt.keyblob, kb, &tsec_ctxt, &ctxt))
|
||||
goto error;
|
||||
gfx_puts("Generated keys\n");
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
h_cfg.se_keygen_done = 1;
|
||||
}
|
||||
if (!hos_keygen(ctxt.keyblob, kb, &tsec_ctxt, ctxt.stock, is_exo))
|
||||
goto error;
|
||||
gfx_puts("Generated keys\n");
|
||||
|
||||
// Decrypt and unpack package1 if we require parts of it.
|
||||
if (!ctxt.warmboot || !ctxt.secmon)
|
||||
|
@ -870,7 +870,7 @@ int hos_launch(ini_sec_t *cfg)
|
|||
pk1_offset = sizeof(bl_hdr_t210b01_t);
|
||||
|
||||
pkg1_unpack((void *)warmboot_base, &ctxt.warmboot_size,
|
||||
!exo_new ? (void *)ctxt.pkg1_id->secmon_base : NULL, NULL,
|
||||
!is_exo ? (void *)ctxt.pkg1_id->secmon_base : NULL, NULL,
|
||||
ctxt.pkg1_id, ctxt.pkg1 + pk1_offset);
|
||||
|
||||
gfx_puts("Decrypted & unpacked pkg1\n");
|
||||
|
@ -929,19 +929,16 @@ int hos_launch(ini_sec_t *cfg)
|
|||
gfx_puts("Read pkg2\n");
|
||||
|
||||
// Decrypt package2 and parse KIP1 blobs in INI1 section.
|
||||
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(ctxt.pkg2, kb);
|
||||
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(ctxt.pkg2, kb, is_exo);
|
||||
if (!pkg2_hdr)
|
||||
{
|
||||
_hos_crit_error("Pkg2 decryption failed!");
|
||||
EPRINTFARGS("Is hekate%s updated?", kb >= KB_FIRMWARE_VERSION_700 ? " or Sept" : "");
|
||||
EPRINTF("Is hekate updated?");
|
||||
|
||||
// Clear EKS slot, in case something went wrong with sept keygen.
|
||||
if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
hos_eks_clear(kb);
|
||||
// Clear EKS slot, in case something went wrong with tsec keygen.
|
||||
hos_eks_clear(kb);
|
||||
goto error;
|
||||
}
|
||||
else if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
hos_eks_save(kb); // Save EKS slot if it doesn't exist.
|
||||
|
||||
LIST_INIT(kip1_info);
|
||||
if (!pkg2_parse_kips(&kip1_info, pkg2_hdr, &ctxt.new_pkg2))
|
||||
|
@ -1056,8 +1053,11 @@ int hos_launch(ini_sec_t *cfg)
|
|||
se_aes_key_clear(8);
|
||||
se_aes_key_clear(11);
|
||||
|
||||
// Finalize per firmware key access. Skip access control if new exosphere.
|
||||
switch (kb | (exo_new << 7))
|
||||
// Clear derived master key in case of Erista and 7.0.0+
|
||||
se_aes_key_clear(9);
|
||||
|
||||
// Finalize per firmware key access. Skip access control if Exosphere 2.
|
||||
switch (kb | (is_exo << 7))
|
||||
{
|
||||
case KB_FIRMWARE_VERSION_100:
|
||||
case KB_FIRMWARE_VERSION_300:
|
||||
|
@ -1079,7 +1079,7 @@ int hos_launch(ini_sec_t *cfg)
|
|||
}
|
||||
|
||||
// Clear BCT area for retail units and copy it over if dev unit.
|
||||
if (kb <= KB_FIRMWARE_VERSION_500 && !exo_new)
|
||||
if (kb <= KB_FIRMWARE_VERSION_500 && !is_exo)
|
||||
{
|
||||
memset((void *)SECMON_BCT_CFG_ADDR, 0, 0x3000);
|
||||
if (fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV)
|
||||
|
@ -1094,19 +1094,19 @@ int hos_launch(ini_sec_t *cfg)
|
|||
free(bootConfigBuf);
|
||||
|
||||
// Config Exosphère if booting full Atmosphère.
|
||||
if (ctxt.atmosphere && ctxt.secmon)
|
||||
config_exosphere(&ctxt, warmboot_base, exo_new);
|
||||
if (is_exo)
|
||||
config_exosphere(&ctxt, warmboot_base);
|
||||
|
||||
// Unmount SD card and eMMC.
|
||||
sd_end();
|
||||
sdmmc_storage_end(&emmc_storage);
|
||||
|
||||
// Finalize MC carveout.
|
||||
if (kb <= KB_FIRMWARE_VERSION_301 && !exo_new)
|
||||
if (kb <= KB_FIRMWARE_VERSION_301 && !is_exo)
|
||||
mc_config_carveout();
|
||||
|
||||
// Lock SE before starting 'SecureMonitor' if < 6.2.0, otherwise lock bootrom and ipatches.
|
||||
_se_lock(kb <= KB_FIRMWARE_VERSION_600 && !exo_new);
|
||||
_se_lock(kb <= KB_FIRMWARE_VERSION_600 && !is_exo);
|
||||
|
||||
// Reset sysctr0 counters.
|
||||
if (kb >= KB_FIRMWARE_VERSION_620)
|
||||
|
@ -1116,7 +1116,7 @@ int hos_launch(ini_sec_t *cfg)
|
|||
//pmc_scratch_lock(PMC_SEC_LOCK_LP0_PARAMS);
|
||||
|
||||
// Set secmon mailbox address and clear it.
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 || exo_new)
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 || is_exo)
|
||||
{
|
||||
memset((void *)SECMON7_MAILBOX_ADDR, 0, 0x200);
|
||||
secmon_mailbox = (secmon_mailbox_t *)(SECMON7_MAILBOX_ADDR + SECMON_STATE_OFFSET);
|
||||
|
@ -1172,6 +1172,6 @@ int hos_launch(ini_sec_t *cfg)
|
|||
|
||||
error:
|
||||
sdmmc_storage_end(&emmc_storage);
|
||||
h_cfg.aes_slots_new = false;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -39,12 +39,12 @@
|
|||
#define KB_FIRMWARE_VERSION_900 9
|
||||
#define KB_FIRMWARE_VERSION_910 10
|
||||
#define KB_FIRMWARE_VERSION_1210 11
|
||||
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210
|
||||
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210 //!TODO: Update on mkey changes.
|
||||
|
||||
#define HOS_PKG11_MAGIC 0x31314B50
|
||||
#define HOS_EKS_MAGIC 0x30534B45
|
||||
#define HOS_EKS_MAGIC 0x31534B45 // EKS1.
|
||||
|
||||
// Use official Mariko secmon when in stock.
|
||||
// Use official Mariko secmon when in stock. Needs access to TZRAM.
|
||||
//#define HOS_MARIKO_STOCK_SECMON
|
||||
|
||||
typedef struct _exo_ctxt_t
|
||||
|
@ -57,32 +57,18 @@ typedef struct _exo_ctxt_t
|
|||
bool *cal0_allow_writes_sys;
|
||||
} exo_ctxt_t;
|
||||
|
||||
typedef struct _hos_eks_keys_t
|
||||
{
|
||||
u8 mkk[SE_KEY_128_SIZE];
|
||||
u8 fdk[SE_KEY_128_SIZE];
|
||||
} hos_eks_keys_t;
|
||||
|
||||
typedef struct _hos_eks_bis_keys_t
|
||||
{
|
||||
u8 crypt[SE_KEY_128_SIZE];
|
||||
u8 tweak[SE_KEY_128_SIZE];
|
||||
} hos_eks_bis_keys_t;
|
||||
|
||||
typedef struct _hos_eks_mbr_t
|
||||
{
|
||||
u32 magic;
|
||||
u8 enabled[5];
|
||||
u8 enabled_bis;
|
||||
u8 rsvd[2];
|
||||
u32 enabled;
|
||||
u32 lot0;
|
||||
u8 dkg[SE_KEY_128_SIZE];
|
||||
u8 dkk[SE_KEY_128_SIZE];
|
||||
hos_eks_keys_t keys[5];
|
||||
hos_eks_bis_keys_t bis_keys[3];
|
||||
u32 rsvd;
|
||||
u8 tsec[SE_KEY_128_SIZE];
|
||||
u8 troot[SE_KEY_128_SIZE];
|
||||
u8 troot_dev[SE_KEY_128_SIZE];
|
||||
} hos_eks_mbr_t;
|
||||
|
||||
static_assert(sizeof(hos_eks_mbr_t) == 304, "HOS EKS size is wrong!");
|
||||
static_assert(sizeof(hos_eks_mbr_t) == 64, "HOS EKS size is wrong!");
|
||||
|
||||
typedef struct _launch_ctxt_t
|
||||
{
|
||||
|
@ -130,10 +116,8 @@ typedef struct _merge_kip_t
|
|||
link_t link;
|
||||
} merge_kip_t;
|
||||
|
||||
void hos_eks_get();
|
||||
void hos_eks_save(u32 kb);
|
||||
void hos_eks_clear(u32 kb);
|
||||
int hos_launch(ini_sec_t *cfg);
|
||||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_ctxt);
|
||||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, bool stock, bool is_exo);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2018 naehrwert
|
||||
* Copyright (c) 2018-2020 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -271,7 +271,7 @@ static int _config_fss(launch_ctxt_t *ctxt, const char *value)
|
|||
}
|
||||
}
|
||||
|
||||
return parse_fss(ctxt, value, NULL);
|
||||
return parse_fss(ctxt, value);
|
||||
}
|
||||
|
||||
static int _config_exo_fatal_payload(launch_ctxt_t *ctxt, const char *value)
|
||||
|
|
|
@ -212,7 +212,7 @@ int pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)
|
|||
// Use BEK for T210B01.
|
||||
// Additionally, skip 0x20 bytes from decryption to maintain the header.
|
||||
se_aes_iv_clear(13);
|
||||
se_aes_crypt_cbc(13, 0, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
|
||||
se_aes_crypt_cbc(13, DECRYPT, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
|
||||
}
|
||||
|
||||
// Return if header is valid.
|
||||
|
|
|
@ -673,8 +673,11 @@ const char* pkg2_patch_kips(link_t *info, char* patchNames)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 mkey_vector_7xx[][SE_KEY_128_SIZE] =
|
||||
{
|
||||
// Master key 7 encrypted with 8. (7.0.0 with 8.1.0)
|
||||
{ 0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29 },
|
||||
// Master key 8 encrypted with 9. (8.1.0 with 9.0.0)
|
||||
{ 0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80 },
|
||||
// Master key 9 encrypted with 10. (9.0.0 with 9.1.0)
|
||||
|
@ -686,9 +689,8 @@ static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
|
|||
static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8 src_slot, u8 *mkey, const u8 *key_seed)
|
||||
{
|
||||
// Decrypt older encrypted mkey.
|
||||
se_aes_crypt_ecb(src_slot, 0, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(src_slot, DECRYPT, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
|
||||
// Set and unwrap pkg2 key.
|
||||
se_aes_key_clear(9);
|
||||
se_aes_key_set(9, mkey, SE_KEY_128_SIZE);
|
||||
se_aes_unwrap_key(9, 9, package2_keyseed);
|
||||
|
||||
|
@ -700,11 +702,13 @@ static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8
|
|||
}
|
||||
|
||||
u8 pkg2_keyslot;
|
||||
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
||||
bool pkg2_broken_keygen_700;
|
||||
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb, bool is_exo)
|
||||
{
|
||||
pkg2_hdr_t mkey_test;
|
||||
u8 *pdata = (u8 *)data;
|
||||
pkg2_keyslot = 8;
|
||||
pkg2_broken_keygen_700 = false;
|
||||
|
||||
// Skip signature.
|
||||
pdata += 0x100;
|
||||
|
@ -714,26 +718,28 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
|||
// Skip header.
|
||||
pdata += sizeof(pkg2_hdr_t);
|
||||
|
||||
// Check if we need to decrypt with newer mkeys. Valid for sept for 8.1.0 and up.
|
||||
// Check if we need to decrypt with newer mkeys. Valid for THK for 7.0.0 and up.
|
||||
se_aes_crypt_ctr(8, &mkey_test, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
|
||||
|
||||
if (mkey_test.magic == PKG2_MAGIC)
|
||||
goto key_found;
|
||||
|
||||
// Decrypt older pkg2 via new mkeys.
|
||||
if ((kb >= KB_FIRMWARE_VERSION_810) && (kb < KB_FIRMWARE_VERSION_MAX))
|
||||
if ((kb >= KB_FIRMWARE_VERSION_700) && (kb < KB_FIRMWARE_VERSION_MAX))
|
||||
{
|
||||
u8 tmp_mkey[SE_KEY_128_SIZE];
|
||||
u8 decr_slot = !h_cfg.t210b01 ? (!h_cfg.aes_slots_new ? 12 : 13) : 7; // Sept mkey or T210B01 mkey.
|
||||
u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / SE_KEY_128_SIZE;
|
||||
u8 decr_slot = (h_cfg.t210b01 || !is_exo) ? 7 : 13; // THK mkey or T210B01 mkey.
|
||||
u8 mkey_seeds_cnt = sizeof(mkey_vector_7xx) / SE_KEY_128_SIZE;
|
||||
u8 mkey_seeds_idx = mkey_seeds_cnt; // Real index + 1.
|
||||
u8 mkey_seeds_min_idx = mkey_seeds_cnt - (KB_FIRMWARE_VERSION_MAX - kb);
|
||||
// Re-encrypt with initial pkg2 key if 7.0.0 and Erista, because of a bug in Exo2.
|
||||
pkg2_broken_keygen_700 = kb == KB_FIRMWARE_VERSION_700 && decr_slot == 13;
|
||||
|
||||
while (mkey_seeds_cnt)
|
||||
{
|
||||
// Decrypt and validate mkey.
|
||||
int res = _pkg2_key_unwrap_validate(&mkey_test, hdr, decr_slot,
|
||||
tmp_mkey, mkey_vector_8xx[mkey_seeds_idx - 1]);
|
||||
tmp_mkey, mkey_vector_7xx[mkey_seeds_idx - 1]);
|
||||
|
||||
if (res)
|
||||
{
|
||||
|
@ -744,23 +750,18 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
|||
{
|
||||
// Set current mkey in order to decrypt a lower mkey.
|
||||
mkey_seeds_idx--;
|
||||
se_aes_key_clear(9);
|
||||
se_aes_key_set(9, tmp_mkey, SE_KEY_128_SIZE);
|
||||
|
||||
decr_slot = 9; // Temp key.
|
||||
|
||||
// Check if we tried last key for that pkg2 version.
|
||||
// And start with a lower mkey in case sept is older.
|
||||
// And start with a lower mkey in case mkey is older.
|
||||
if (mkey_seeds_idx == mkey_seeds_min_idx)
|
||||
{
|
||||
mkey_seeds_cnt--;
|
||||
mkey_seeds_idx = mkey_seeds_cnt;
|
||||
decr_slot = !h_cfg.aes_slots_new ? 12 : 13; // Sept mkey.
|
||||
decr_slot = (h_cfg.t210b01 || !is_exo) ? 7 : 13; // THK mkey or T210B01 mkey.
|
||||
}
|
||||
|
||||
// Out of keys. pkg2 is latest or process failed.
|
||||
if (!mkey_seeds_cnt)
|
||||
se_aes_key_clear(9);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -785,6 +786,9 @@ DPRINTF("sec %d has size %08X\n", i, hdr->sec_size[i]);
|
|||
pdata += hdr->sec_size[i];
|
||||
}
|
||||
|
||||
if (pkg2_broken_keygen_700)
|
||||
pkg2_keyslot = 8;
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
||||
|
@ -826,6 +830,7 @@ void pkg2_build_encrypt(void *dst, void *hos_ctxt, link_t *kips_info)
|
|||
launch_ctxt_t * ctxt = (launch_ctxt_t *)hos_ctxt;
|
||||
u32 kernel_size = ctxt->kernel_size;
|
||||
bool is_meso = *(u32 *)(ctxt->kernel + 4) == ATM_MESOSPHERE;
|
||||
u8 kb = ctxt->pkg1_id->kb;
|
||||
|
||||
// Force new Package2 if Mesosphere.
|
||||
if (is_meso)
|
||||
|
@ -884,15 +889,16 @@ DPRINTF("INI1 encrypted\n");
|
|||
se_calc_sha256_oneshot(&hdr->sec_sha256[0x20 * PKG2_SEC_INI1],
|
||||
(void *)pk2_hash_data, hdr->sec_size[PKG2_SEC_INI1]);
|
||||
|
||||
// Set key version. For Erista 7.0.0, use max because of a bug in Exo2?
|
||||
u8 key_ver = kb ? kb + 1 : 0;
|
||||
if (pkg2_broken_keygen_700)
|
||||
key_ver = KB_FIRMWARE_VERSION_MAX + 1;
|
||||
|
||||
//Encrypt header.
|
||||
u8 key_ver = ctxt->pkg1_id->kb ? ctxt->pkg1_id->kb + 1 : 0;
|
||||
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
|
||||
hdr->ctr[4] = key_ver;
|
||||
se_aes_crypt_ctr(pkg2_keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
|
||||
memset(hdr->ctr, 0 , SE_AES_IV_SIZE);
|
||||
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
|
||||
hdr->ctr[4] = key_ver;
|
||||
|
||||
if (pkg2_keyslot != 8)
|
||||
se_aes_key_clear(9);
|
||||
}
|
||||
|
|
|
@ -156,7 +156,7 @@ void pkg2_get_ids(kip1_id_t **ids, u32 *entries);
|
|||
const char* pkg2_patch_kips(link_t *info, char* patchNames);
|
||||
|
||||
const pkg2_kernel_id_t *pkg2_identify(u8 *hash);
|
||||
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb);
|
||||
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb, bool is_exo);
|
||||
void pkg2_build_encrypt(void *dst, void *hos_ctxt, link_t *kips_info);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -1,278 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2019-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
* version 2, as published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||
* more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "hos.h"
|
||||
#include "fss.h"
|
||||
#include "sept.h"
|
||||
#include "../config.h"
|
||||
#include <display/di.h>
|
||||
#include <ianos/ianos.h>
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <mem/heap.h>
|
||||
#include <soc/hw_init.h>
|
||||
#include <soc/pmc.h>
|
||||
#include <soc/t210.h>
|
||||
#include "../storage/emummc.h"
|
||||
#include "../storage/nx_emmc.h"
|
||||
#include <storage/nx_sd.h>
|
||||
#include <storage/sdmmc.h>
|
||||
#include <utils/btn.h>
|
||||
#include <utils/types.h>
|
||||
#include <utils/util.h>
|
||||
|
||||
#include <gfx_utils.h>
|
||||
|
||||
#define RELOC_META_OFF 0x7C
|
||||
#define PATCHED_RELOC_SZ 0x94
|
||||
|
||||
#define WB_RST_ADDR 0x40010ED0
|
||||
#define WB_RST_SIZE 0x30
|
||||
|
||||
u8 warmboot_reboot[] = {
|
||||
0x14, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E450
|
||||
0x01, 0x10, 0xB0, 0xE3, // MOVS R1, #1
|
||||
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
|
||||
0x0C, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E400
|
||||
0x10, 0x10, 0xB0, 0xE3, // MOVS R1, #0x10
|
||||
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
|
||||
0xFE, 0xFF, 0xFF, 0xEA, // LOOP
|
||||
0x50, 0xE4, 0x00, 0x70, // #0x7000E450
|
||||
0x00, 0xE4, 0x00, 0x70 // #0x7000E400
|
||||
};
|
||||
|
||||
#define SEPT_PRI_ADDR 0x4003F000
|
||||
#define SEPT_PRI_ENTRY 0x40010340
|
||||
|
||||
#define SEPT_PK1T_ADDR 0xC0400000
|
||||
#define SEPT_TCSZ_ADDR (SEPT_PK1T_ADDR - 0x4)
|
||||
#define SEPT_STG1_ADDR (SEPT_PK1T_ADDR + 0x2E100)
|
||||
#define SEPT_STG2_ADDR (SEPT_PK1T_ADDR + 0x60E0)
|
||||
#define SEPT_PKG_SZ (0x2F100 + WB_RST_SIZE)
|
||||
|
||||
extern boot_cfg_t b_cfg;
|
||||
extern hekate_config h_cfg;
|
||||
extern const volatile ipl_ver_meta_t ipl_ver;
|
||||
|
||||
extern bool is_ipl_updated(void *buf);
|
||||
extern void reloc_patcher(u32 payload_dst, u32 payload_src, u32 payload_size);
|
||||
|
||||
void check_sept(ini_sec_t *cfg_sec)
|
||||
{
|
||||
if (h_cfg.t210b01)
|
||||
{
|
||||
h_cfg.sept_run = true;
|
||||
return;
|
||||
}
|
||||
|
||||
hos_eks_get();
|
||||
|
||||
// Check if non-hekate payload is used for sept and restore it.
|
||||
if (h_cfg.sept_run)
|
||||
{
|
||||
if (!f_stat("sept/payload.bak", NULL))
|
||||
{
|
||||
f_unlink("sept/payload.bin");
|
||||
f_rename("sept/payload.bak", "sept/payload.bin");
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
u8 *pkg1 = (u8 *)calloc(1, 0x40000);
|
||||
|
||||
int res = emummc_storage_init_mmc();
|
||||
if (res)
|
||||
{
|
||||
if (res == 2)
|
||||
EPRINTF("Failed to init eMMC.");
|
||||
else
|
||||
EPRINTF("Failed to init emuMMC.");
|
||||
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
emummc_storage_set_mmc_partition(EMMC_BOOT0);
|
||||
|
||||
// Read package1.
|
||||
emummc_storage_read(0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, pkg1);
|
||||
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1);
|
||||
if (!pkg1_id)
|
||||
{
|
||||
EPRINTF("Unknown pkg1 version.");
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= pkg1_id->kb)
|
||||
{
|
||||
h_cfg.sept_run = true;
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
u8 *bct_bldr = (u8 *)calloc(1, 512);
|
||||
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
|
||||
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
|
||||
free(bct_bldr);
|
||||
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
|
||||
{
|
||||
gfx_con.mute = false;
|
||||
EPRINTF("Failed to run sept\n""Main BCT is improper!\nRun sept with proper BCT at least once\nto cache keys.");
|
||||
gfx_printf("\nPress any key...\n");
|
||||
display_backlight_brightness(h_cfg.backlight, 1000);
|
||||
msleep(500);
|
||||
btn_wait();
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
sdmmc_storage_end(&emmc_storage);
|
||||
reboot_to_sept((u8 *)pkg1 + pkg1_id->tsec_off, pkg1_id->kb, cfg_sec);
|
||||
}
|
||||
|
||||
out_free:
|
||||
free(pkg1);
|
||||
sdmmc_storage_end(&emmc_storage);
|
||||
}
|
||||
|
||||
int reboot_to_sept(const u8 *tsec_fw, u32 kb, ini_sec_t *cfg_sec)
|
||||
{
|
||||
FIL fp;
|
||||
bool fss0_sept_used = false;
|
||||
|
||||
// Copy warmboot reboot code and TSEC fw.
|
||||
u32 tsec_fw_size = 0x3000;
|
||||
if (kb > KB_FIRMWARE_VERSION_700)
|
||||
tsec_fw_size = 0x3300;
|
||||
memcpy((u8 *)(SEPT_PK1T_ADDR - WB_RST_SIZE), (u8 *)warmboot_reboot, sizeof(warmboot_reboot));
|
||||
memcpy((void *)SEPT_PK1T_ADDR, tsec_fw, tsec_fw_size);
|
||||
*(vu32 *)SEPT_TCSZ_ADDR = tsec_fw_size;
|
||||
|
||||
if (cfg_sec)
|
||||
{
|
||||
fss0_sept_t sept_ctxt;
|
||||
sept_ctxt.kb = kb;
|
||||
sept_ctxt.cfg_sec = cfg_sec;
|
||||
sept_ctxt.sept_primary = (void *)SEPT_STG1_ADDR;
|
||||
sept_ctxt.sept_secondary = (void *)SEPT_STG2_ADDR;
|
||||
|
||||
fss0_sept_used = load_sept_from_ffs0(&sept_ctxt);
|
||||
}
|
||||
|
||||
if (!fss0_sept_used)
|
||||
{
|
||||
// Copy sept-primary.
|
||||
if (f_open(&fp, "sept/sept-primary.bin", FA_READ))
|
||||
goto error;
|
||||
|
||||
if (f_read(&fp, (u8 *)SEPT_STG1_ADDR, f_size(&fp), NULL))
|
||||
{
|
||||
f_close(&fp);
|
||||
goto error;
|
||||
}
|
||||
f_close(&fp);
|
||||
|
||||
// Copy sept-secondary.
|
||||
if (kb < KB_FIRMWARE_VERSION_810)
|
||||
{
|
||||
if (f_open(&fp, "sept/sept-secondary_00.enc", FA_READ))
|
||||
goto error;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (f_open(&fp, "sept/sept-secondary_01.enc", FA_READ))
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
|
||||
{
|
||||
f_close(&fp);
|
||||
goto error;
|
||||
}
|
||||
f_close(&fp);
|
||||
}
|
||||
|
||||
b_cfg.boot_cfg |= (BOOT_CFG_AUTOBOOT_EN | BOOT_CFG_SEPT_RUN);
|
||||
|
||||
bool update_sept_payload = true;
|
||||
if (!f_open(&fp, "sept/payload.bin", FA_READ | FA_WRITE))
|
||||
{
|
||||
ipl_ver_meta_t tmp_ver;
|
||||
f_lseek(&fp, PATCHED_RELOC_SZ + sizeof(boot_cfg_t));
|
||||
f_read(&fp, &tmp_ver, sizeof(ipl_ver_meta_t), NULL);
|
||||
|
||||
if (tmp_ver.magic == ipl_ver.magic)
|
||||
{
|
||||
if (tmp_ver.version == ipl_ver.version)
|
||||
{
|
||||
// Save auto boot config to sept payload, if any.
|
||||
boot_cfg_t *tmp_cfg = malloc(sizeof(boot_cfg_t));
|
||||
memcpy(tmp_cfg, &b_cfg, sizeof(boot_cfg_t));
|
||||
f_lseek(&fp, PATCHED_RELOC_SZ);
|
||||
f_write(&fp, tmp_cfg, sizeof(boot_cfg_t), NULL);
|
||||
update_sept_payload = false;
|
||||
}
|
||||
|
||||
f_close(&fp);
|
||||
}
|
||||
else
|
||||
{
|
||||
f_close(&fp);
|
||||
f_rename("sept/payload.bin", "sept/payload.bak"); // Backup foreign payload.
|
||||
}
|
||||
}
|
||||
|
||||
if (update_sept_payload)
|
||||
{
|
||||
volatile reloc_meta_t *reloc = (reloc_meta_t *)(IPL_LOAD_ADDR + RELOC_META_OFF);
|
||||
f_mkdir("sept");
|
||||
f_open(&fp, "sept/payload.bin", FA_WRITE | FA_CREATE_ALWAYS);
|
||||
f_write(&fp, (u8 *)reloc->start, reloc->end - reloc->start, NULL);
|
||||
f_close(&fp);
|
||||
}
|
||||
|
||||
sd_end();
|
||||
|
||||
u32 pk1t_sept = SEPT_PK1T_ADDR - (ALIGN(PATCHED_RELOC_SZ, 0x10) + WB_RST_SIZE);
|
||||
|
||||
void (*sept)() = (void *)pk1t_sept;
|
||||
|
||||
reloc_patcher(WB_RST_ADDR, pk1t_sept, SEPT_PKG_SZ);
|
||||
|
||||
// Patch SDRAM init to perform an SVC immediately after second write.
|
||||
PMC(APBDEV_PMC_SCRATCH45) = 0x2E38DFFF;
|
||||
PMC(APBDEV_PMC_SCRATCH46) = 0x6001DC28;
|
||||
// Set SVC handler to jump to sept-primary in IRAM.
|
||||
PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
|
||||
PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
|
||||
|
||||
hw_reinit_workaround(false, 0);
|
||||
|
||||
(*sept)();
|
||||
|
||||
error:
|
||||
gfx_con.mute = false;
|
||||
EPRINTF("Failed to run sept\n");
|
||||
|
||||
btn_wait();
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2019 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
* version 2, as published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||
* more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef _SEPT_H_
|
||||
#define _SEPT_H_
|
||||
|
||||
#include <utils/types.h>
|
||||
|
||||
void check_sept(ini_sec_t *cfg_sec);
|
||||
int reboot_to_sept(const u8 *tsec_fw, u32 kb, ini_sec_t *cfg_sec);
|
||||
|
||||
#endif
|
|
@ -28,7 +28,6 @@
|
|||
#include "gfx/tui.h"
|
||||
#include "hos/hos.h"
|
||||
#include "hos/secmon_exo.h"
|
||||
#include "hos/sept.h"
|
||||
#include <ianos/ianos.h>
|
||||
#include <libs/compr/blz.h>
|
||||
#include <libs/fatfs/ff.h>
|
||||
|
@ -489,9 +488,6 @@ void ini_list_launcher()
|
|||
goto wrong_emupath;
|
||||
}
|
||||
|
||||
if (cfg_sec && !payload_path)
|
||||
check_sept(cfg_sec);
|
||||
|
||||
if (!cfg_sec)
|
||||
{
|
||||
free(ments);
|
||||
|
@ -630,9 +626,6 @@ void launch_firmware()
|
|||
goto wrong_emupath;
|
||||
}
|
||||
|
||||
if (cfg_sec && !payload_path)
|
||||
check_sept(cfg_sec);
|
||||
|
||||
if (!cfg_sec)
|
||||
{
|
||||
free(ments);
|
||||
|
@ -720,12 +713,6 @@ void nyx_load_run()
|
|||
nyx_str->cfg = 0;
|
||||
if (b_cfg.extra_cfg)
|
||||
{
|
||||
if (b_cfg.extra_cfg & EXTRA_CFG_NYX_SEPT)
|
||||
{
|
||||
b_cfg.extra_cfg &= ~(EXTRA_CFG_NYX_SEPT);
|
||||
nyx_str->cfg |= NYX_CFG_SEPT;
|
||||
nyx_str->cfg |= b_cfg.sept << 24;
|
||||
}
|
||||
if (b_cfg.extra_cfg & EXTRA_CFG_NYX_UMS)
|
||||
{
|
||||
b_cfg.extra_cfg &= ~(EXTRA_CFG_NYX_UMS);
|
||||
|
@ -804,24 +791,6 @@ static void _bootloader_corruption_protect()
|
|||
|
||||
static void _auto_launch_firmware()
|
||||
{
|
||||
if(b_cfg.extra_cfg & EXTRA_CFG_NYX_SEPT)
|
||||
{
|
||||
if (!h_cfg.sept_run)
|
||||
EMC(EMC_SCRATCH0) |= EMC_HEKA_UPD;
|
||||
check_sept(NULL);
|
||||
}
|
||||
|
||||
if (!h_cfg.sept_run)
|
||||
auto_launch_update();
|
||||
|
||||
u8 *BOOTLOGO = NULL;
|
||||
char *payload_path = NULL;
|
||||
char *emummc_path = NULL;
|
||||
u32 btn = 0;
|
||||
bool boot_from_id = (b_cfg.boot_cfg & BOOT_CFG_FROM_ID) && (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN);
|
||||
if (boot_from_id)
|
||||
b_cfg.id[7] = 0;
|
||||
|
||||
struct _bmp_data
|
||||
{
|
||||
u32 size;
|
||||
|
@ -832,14 +801,19 @@ static void _auto_launch_firmware()
|
|||
u32 pos_y;
|
||||
};
|
||||
|
||||
struct _bmp_data bmpData;
|
||||
bool bootlogoFound = false;
|
||||
char *emummc_path = NULL;
|
||||
char *bootlogoCustomEntry = NULL;
|
||||
ini_sec_t *cfg_sec = NULL;
|
||||
|
||||
auto_launch_update();
|
||||
|
||||
bool boot_from_id = (b_cfg.boot_cfg & BOOT_CFG_FROM_ID) && (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN);
|
||||
if (boot_from_id)
|
||||
b_cfg.id[7] = 0;
|
||||
|
||||
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
|
||||
gfx_con.mute = true;
|
||||
|
||||
ini_sec_t *cfg_sec = NULL;
|
||||
LIST_INIT(ini_sections);
|
||||
LIST_INIT(ini_list_sections);
|
||||
|
||||
|
@ -883,17 +857,12 @@ static void _auto_launch_firmware()
|
|||
}
|
||||
boot_entry_id++;
|
||||
|
||||
// Override autoboot, otherwise save it for a possbile sept run.
|
||||
// Override autoboot.
|
||||
if (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN)
|
||||
{
|
||||
h_cfg.autoboot = b_cfg.autoboot;
|
||||
h_cfg.autoboot_list = b_cfg.autoboot_list;
|
||||
}
|
||||
else
|
||||
{
|
||||
b_cfg.autoboot = h_cfg.autoboot;
|
||||
b_cfg.autoboot_list = h_cfg.autoboot_list;
|
||||
}
|
||||
|
||||
// Apply bootloader protection against corruption.
|
||||
_bootloader_corruption_protect();
|
||||
|
@ -983,9 +952,13 @@ skip_list:
|
|||
goto out;
|
||||
|
||||
u8 *bitmap = NULL;
|
||||
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH) && h_cfg.bootwait && !h_cfg.sept_run)
|
||||
struct _bmp_data bmpData;
|
||||
bool bootlogoFound = false;
|
||||
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH) && h_cfg.bootwait)
|
||||
{
|
||||
u32 fsize;
|
||||
u8 *BOOTLOGO = NULL;
|
||||
|
||||
if (bootlogoCustomEntry) // Check if user set custom logo path at the boot entry.
|
||||
bitmap = (u8 *)sd_file_read(bootlogoCustomEntry, &fsize);
|
||||
|
||||
|
@ -1035,6 +1008,7 @@ skip_list:
|
|||
{
|
||||
gfx_render_bmp_argb((u32 *)BOOTLOGO, bmpData.size_x, bmpData.size_y,
|
||||
bmpData.pos_x, bmpData.pos_y);
|
||||
free(BOOTLOGO);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -1048,19 +1022,19 @@ skip_list:
|
|||
|
||||
if (b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH)
|
||||
display_backlight_brightness(h_cfg.backlight, 0);
|
||||
else if (!h_cfg.sept_run && h_cfg.bootwait)
|
||||
else if (h_cfg.bootwait)
|
||||
display_backlight_brightness(h_cfg.backlight, 1000);
|
||||
|
||||
// Wait before booting. If VOL- is pressed go into bootloader menu.
|
||||
if (!h_cfg.sept_run && !(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
|
||||
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
|
||||
{
|
||||
btn = btn_wait_timeout_single(h_cfg.bootwait * 1000, BTN_VOL_DOWN | BTN_SINGLE);
|
||||
u32 btn = btn_wait_timeout_single(h_cfg.bootwait * 1000, BTN_VOL_DOWN | BTN_SINGLE);
|
||||
|
||||
if (btn & BTN_VOL_DOWN)
|
||||
goto out;
|
||||
}
|
||||
|
||||
payload_path = ini_check_payload_section(cfg_sec);
|
||||
char *payload_path = ini_check_payload_section(cfg_sec);
|
||||
|
||||
if (payload_path)
|
||||
{
|
||||
|
@ -1079,7 +1053,6 @@ skip_list:
|
|||
goto wrong_emupath;
|
||||
}
|
||||
|
||||
check_sept(cfg_sec);
|
||||
hos_launch(cfg_sec);
|
||||
|
||||
wrong_emupath:
|
||||
|
@ -1105,7 +1078,6 @@ out:
|
|||
// Clear boot reasons from binary.
|
||||
if (b_cfg.boot_cfg & (BOOT_CFG_FROM_ID | BOOT_CFG_TO_EMUMMC))
|
||||
memset(b_cfg.xt_str, 0, sizeof(b_cfg.xt_str));
|
||||
b_cfg.boot_cfg &= BOOT_CFG_SEPT_RUN;
|
||||
h_cfg.emummc_force_disable = false;
|
||||
|
||||
// L4T: Clear custom boot mode flags from PMC_SCRATCH0.
|
||||
|
|
|
@ -38,7 +38,6 @@ void set_default_configuration()
|
|||
h_cfg.autoboot = 0;
|
||||
h_cfg.autoboot_list = 0;
|
||||
h_cfg.bootwait = 3;
|
||||
h_cfg.se_keygen_done = 0;
|
||||
h_cfg.backlight = 100;
|
||||
h_cfg.autohosoff = 0;
|
||||
h_cfg.autonogc = 1;
|
||||
|
@ -46,10 +45,7 @@ void set_default_configuration()
|
|||
h_cfg.bootprotect = 0;
|
||||
h_cfg.errors = 0;
|
||||
h_cfg.eks = NULL;
|
||||
h_cfg.sept_run = EMC(EMC_SCRATCH0) & EMC_SEPT_RUN;
|
||||
h_cfg.aes_slots_new = false;
|
||||
h_cfg.rcm_patched = fuse_check_patched_rcm();
|
||||
h_cfg.sbk_set = FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF;
|
||||
h_cfg.emummc_force_disable = false;
|
||||
h_cfg.t210b01 = hw_get_chip_id() == GP_HIDREV_MAJOR_T210B01;
|
||||
|
||||
|
|
|
@ -33,12 +33,8 @@ typedef struct _hekate_config
|
|||
u32 bootprotect;
|
||||
// Global temporary config.
|
||||
bool t210b01;
|
||||
bool se_keygen_done;
|
||||
bool sept_run;
|
||||
bool aes_slots_new;
|
||||
bool emummc_force_disable;
|
||||
bool rcm_patched;
|
||||
bool sbk_set;
|
||||
u32 errors;
|
||||
hos_eks_mbr_t *eks;
|
||||
} hekate_config;
|
||||
|
|
|
@ -23,7 +23,6 @@
|
|||
|
||||
#include "gui.h"
|
||||
#include "fe_emummc_tools.h"
|
||||
#include "../hos/sept.h"
|
||||
#include "../config.h"
|
||||
#include <utils/ini.h>
|
||||
#include <libs/fatfs/diskio.h>
|
||||
|
@ -752,133 +751,18 @@ static int _dump_emummc_raw_part(emmc_tool_gui_t *gui, int active_part, int part
|
|||
return 1;
|
||||
}
|
||||
|
||||
u32 kb = 0;
|
||||
u8 *tsec_fw = NULL;
|
||||
bool sept_error = false;
|
||||
|
||||
static lv_res_t _emummc_raw_check_sept_action(lv_obj_t *btns, const char * txt)
|
||||
{
|
||||
int btn_idx = lv_btnm_get_pressed(btns);
|
||||
|
||||
mbox_action(btns, txt);
|
||||
|
||||
if (btn_idx == 1 && !sept_error)
|
||||
{
|
||||
// Set boot cfg.
|
||||
b_cfg->autoboot = 0;
|
||||
b_cfg->autoboot_list = 0;
|
||||
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
|
||||
b_cfg->sept = NYX_SEPT_EMUF;
|
||||
|
||||
sd_mount();
|
||||
reboot_to_sept(tsec_fw, kb);
|
||||
}
|
||||
|
||||
return LV_RES_INV;
|
||||
}
|
||||
|
||||
static int _emummc_raw_check_sept(emmc_tool_gui_t *gui, u32 resized_count)
|
||||
static int _emummc_raw_derive_bis_keys(emmc_tool_gui_t *gui, u32 resized_count)
|
||||
{
|
||||
if (!resized_count)
|
||||
return 1;
|
||||
|
||||
bool sept_needed = false;
|
||||
sept_error = false;
|
||||
tsec_fw = NULL;
|
||||
bool error = false;
|
||||
|
||||
char *txt_buf = (char *)malloc(0x4000);
|
||||
txt_buf[0] = 0;
|
||||
|
||||
// Read package1.
|
||||
static const u32 BOOTLOADER_SIZE = 0x40000;
|
||||
static const u32 BOOTLOADER_MAIN_OFFSET = 0x100000;
|
||||
static const u32 BOOTLOADER_BACKUP_OFFSET = 0x140000;
|
||||
static const u32 HOS_KEYBLOBS_OFFSET = 0x180000;
|
||||
|
||||
u32 bootloader_offset = BOOTLOADER_MAIN_OFFSET;
|
||||
u32 pk1_offset = h_cfg.t210b01 ? sizeof(bl_hdr_t210b01_t) : 0; // Skip T210B01 OEM header.
|
||||
u8 *pkg1 = (u8 *)malloc(BOOTLOADER_SIZE);
|
||||
|
||||
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_BOOT0);
|
||||
|
||||
try_load:
|
||||
sdmmc_storage_read(&emmc_storage, bootloader_offset / NX_EMMC_BLOCKSIZE, BOOTLOADER_SIZE / NX_EMMC_BLOCKSIZE, pkg1);
|
||||
|
||||
char *build_date = malloc(32);
|
||||
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1 + pk1_offset, build_date);
|
||||
|
||||
s_printf(txt_buf + strlen(txt_buf), "#00DDFF Found pkg1 ('%s')#\n", build_date);
|
||||
free(build_date);
|
||||
|
||||
if (!pkg1_id)
|
||||
{
|
||||
strcat(txt_buf, "#FFDD00 Unknown pkg1 version!#\n");
|
||||
// Try backup bootloader.
|
||||
if (bootloader_offset != BOOTLOADER_BACKUP_OFFSET)
|
||||
{
|
||||
strcat(txt_buf, "Trying backup bootloader...\n");
|
||||
bootloader_offset = BOOTLOADER_BACKUP_OFFSET;
|
||||
goto try_load;
|
||||
}
|
||||
|
||||
sept_error = true;
|
||||
goto out;
|
||||
}
|
||||
|
||||
kb = pkg1_id->kb;
|
||||
|
||||
// Skip if Mariko.
|
||||
if (h_cfg.t210b01)
|
||||
goto bis_derivation;
|
||||
|
||||
tsec_ctxt_t tsec_ctxt;
|
||||
tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
|
||||
// Get keys.
|
||||
hos_eks_get();
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
|
||||
h_cfg.sept_run = true;
|
||||
else
|
||||
{
|
||||
// Check that BCT is proper so sept can run.
|
||||
u8 *bct_bldr = (u8 *)calloc(1, 512);
|
||||
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
|
||||
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
|
||||
free(bct_bldr);
|
||||
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
|
||||
{
|
||||
strcpy(txt_buf, "#FFDD00 Failed to run sept because main BCT is improper!#\n"
|
||||
"#FFDD00 Run sept with proper BCT at least once to cache keys.#\n");
|
||||
sept_error = true;
|
||||
goto out;
|
||||
}
|
||||
|
||||
// Set TSEC fw.
|
||||
tsec_fw = (u8 *)tsec_ctxt.fw;
|
||||
|
||||
sept_needed = true;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
bis_derivation:;
|
||||
// Read the correct keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
// Generate BIS keys
|
||||
hos_bis_keygen(keyblob, kb, &tsec_ctxt);
|
||||
|
||||
free(keyblob);
|
||||
// Generate BIS keys.
|
||||
hos_bis_keygen();
|
||||
|
||||
u8 *cal0_buf = malloc(0x10000);
|
||||
|
||||
|
@ -894,32 +778,25 @@ bis_derivation:;
|
|||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)cal0_buf;
|
||||
|
||||
// If successful, save BIS keys.
|
||||
// Check keys validity.
|
||||
if (memcmp(&cal0->magic, "CAL0", 4))
|
||||
{
|
||||
hos_bis_keys_clear();
|
||||
hos_eks_bis_clear();
|
||||
// Clear EKS keys.
|
||||
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
|
||||
|
||||
strcpy(txt_buf, "#FFDD00 BIS keys validation failed!#\n");
|
||||
sept_error = true;
|
||||
error = true;
|
||||
}
|
||||
else
|
||||
hos_eks_bis_save();
|
||||
|
||||
free(cal0_buf);
|
||||
|
||||
out:
|
||||
// Check if sept is not needed.
|
||||
if (!sept_needed)
|
||||
free(pkg1);
|
||||
|
||||
if (sept_needed || sept_error)
|
||||
if (error)
|
||||
{
|
||||
lv_obj_t *dark_bg = lv_obj_create(lv_scr_act(), NULL);
|
||||
lv_obj_set_style(dark_bg, &mbox_darken);
|
||||
lv_obj_set_size(dark_bg, LV_HOR_RES, LV_VER_RES);
|
||||
|
||||
static const char * mbox_btn_map[] = { "\211", "\222Launch", "\222Close", "\211", "" };
|
||||
static const char * mbox_btn_map2[] = { "\211", "\222Close", "\211", "" };
|
||||
static const char * mbox_btn_map[] = { "\211", "\222Close", "\211", "" };
|
||||
lv_obj_t * mbox = lv_mbox_create(dark_bg, NULL);
|
||||
lv_mbox_set_recolor_text(mbox, true);
|
||||
lv_obj_set_width(mbox, LV_HOR_RES / 9 * 5);
|
||||
|
@ -932,18 +809,8 @@ out:
|
|||
lv_label_set_style(lb_desc, &monospace_text);
|
||||
lv_obj_set_width(lb_desc, LV_HOR_RES / 9 * 4);
|
||||
|
||||
if (sept_error)
|
||||
{
|
||||
lv_label_set_text(lb_desc, txt_buf);
|
||||
lv_mbox_add_btns(mbox, mbox_btn_map2, _emummc_raw_check_sept_action);
|
||||
free(pkg1);
|
||||
}
|
||||
else
|
||||
{
|
||||
lv_label_set_text(lb_desc, "Sept needs to launch in order to generate keys\nneeded for emuMMC resizing.\n"
|
||||
"After that enter this menu again.");
|
||||
lv_mbox_add_btns(mbox, mbox_btn_map, _emummc_raw_check_sept_action);
|
||||
}
|
||||
lv_label_set_text(lb_desc, txt_buf);
|
||||
lv_mbox_add_btns(mbox, mbox_btn_map, mbox_action);
|
||||
|
||||
lv_obj_align(mbox, NULL, LV_ALIGN_CENTER, 0, 0);
|
||||
lv_obj_set_top(mbox, true);
|
||||
|
@ -953,7 +820,7 @@ out:
|
|||
return 0;
|
||||
}
|
||||
|
||||
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_GPP);
|
||||
free(txt_buf);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -984,7 +851,7 @@ void dump_emummc_raw(emmc_tool_gui_t *gui, int part_idx, u32 sector_start, u32 r
|
|||
goto out;
|
||||
}
|
||||
|
||||
if (!_emummc_raw_check_sept(gui, resized_count))
|
||||
if (!_emummc_raw_derive_bis_keys(gui, resized_count))
|
||||
{
|
||||
s_printf(gui->txt_buf, "#FFDD00 For formatting USER partition,#\n#FFDD00 BIS keys are needed!#\n");
|
||||
lv_label_ins_text(gui->label_log, LV_LABEL_POS_LAST, gui->txt_buf);
|
||||
|
|
|
@ -1868,7 +1868,7 @@ static void _create_tab_home(lv_theme_t *th, lv_obj_t *parent)
|
|||
label_btn = lv_label_create(btn_emummc, label_btn);
|
||||
s_printf(btn_colored_text, "%s%s", text_color, " "SYMBOL_LIST"#");
|
||||
lv_label_set_text(label_btn, btn_colored_text);
|
||||
lv_btn_set_action(btn_emummc, LV_BTN_ACTION_CLICK,create_win_emummc_tools);
|
||||
lv_btn_set_action(btn_emummc, LV_BTN_ACTION_CLICK, create_win_emummc_tools);
|
||||
lv_btn_set_layout(btn_emummc, LV_LAYOUT_OFF);
|
||||
lv_obj_align(label_btn, NULL, LV_ALIGN_CENTER, 0, -28);
|
||||
lv_obj_set_pos(btn_emummc, 959, 160);
|
||||
|
@ -2208,28 +2208,8 @@ static void _nyx_main_menu(lv_theme_t * th)
|
|||
// Option save button.
|
||||
lv_tabview_set_tab_load_action(tv, _show_hide_save_button);
|
||||
|
||||
// If we rebooted to run sept for dumping, lunch dump immediately.
|
||||
if (nyx_str->cfg & NYX_CFG_SEPT)
|
||||
{
|
||||
u32 type = nyx_str->cfg >> 24;
|
||||
nyx_str->cfg &= ~(NYX_CFG_SEPT | NYX_CFG_EXTRA);
|
||||
|
||||
if (type == NYX_SEPT_DUMP)
|
||||
{
|
||||
lv_task_t *task_run_dump = lv_task_create(sept_run_dump, LV_TASK_ONESHOT, LV_TASK_PRIO_MID, NULL);
|
||||
lv_task_once(task_run_dump);
|
||||
}
|
||||
else if (type == NYX_SEPT_CAL0)
|
||||
{
|
||||
lv_task_t *task_run_cal0 = lv_task_create(sept_run_cal0, LV_TASK_ONESHOT, LV_TASK_PRIO_LOWEST, NULL);
|
||||
lv_task_once(task_run_cal0);
|
||||
}
|
||||
else if (type == NYX_SEPT_EMUF)
|
||||
{
|
||||
// TODO: Maybe automatically relaunch emuMMC creation in the future.
|
||||
}
|
||||
}
|
||||
else if (nyx_str->cfg & NYX_CFG_UMS)
|
||||
// Check if Nyx was launched with a function set.
|
||||
if (nyx_str->cfg & NYX_CFG_UMS)
|
||||
{
|
||||
nyx_str->cfg &= ~(NYX_CFG_UMS);
|
||||
lv_task_t *task_run_ums = lv_task_create(nyx_run_ums, LV_TASK_ONESHOT, LV_TASK_PRIO_MID, (void *)&nyx_str->cfg);
|
||||
|
|
|
@ -24,7 +24,6 @@
|
|||
#include "../hos/pkg1.h"
|
||||
#include "../hos/pkg2.h"
|
||||
#include "../hos/hos.h"
|
||||
#include "../hos/sept.h"
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <mem/heap.h>
|
||||
#include <sec/se.h>
|
||||
|
|
|
@ -21,7 +21,6 @@
|
|||
#include "../config.h"
|
||||
#include "../hos/hos.h"
|
||||
#include "../hos/pkg1.h"
|
||||
#include "../hos/sept.h"
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <input/touch.h>
|
||||
#include <mem/emc.h>
|
||||
|
@ -302,108 +301,16 @@ static lv_res_t _create_mbox_cal0(lv_obj_t *btn)
|
|||
|
||||
sd_mount();
|
||||
|
||||
// Read package1.
|
||||
static const u32 BOOTLOADER_SIZE = 0x40000;
|
||||
static const u32 BOOTLOADER_MAIN_OFFSET = 0x100000;
|
||||
static const u32 BOOTLOADER_BACKUP_OFFSET = 0x140000;
|
||||
static const u32 HOS_KEYBLOBS_OFFSET = 0x180000;
|
||||
|
||||
u8 kb = 0;
|
||||
u32 bootloader_offset = BOOTLOADER_MAIN_OFFSET;
|
||||
u32 pk1_offset = h_cfg.t210b01 ? sizeof(bl_hdr_t210b01_t) : 0; // Skip T210B01 OEM header.
|
||||
u8 *pkg1 = (u8 *)malloc(BOOTLOADER_SIZE);
|
||||
|
||||
// Init eMMC.
|
||||
if (!sdmmc_storage_init_mmc(&emmc_storage, &emmc_sdmmc, SDMMC_BUS_WIDTH_8, SDHCI_TIMING_MMC_HS400))
|
||||
{
|
||||
lv_label_set_text(lb_desc, "#FFDD00 Failed to init eMMC!#");
|
||||
|
||||
goto out;
|
||||
}
|
||||
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_BOOT0);
|
||||
|
||||
try_load:
|
||||
sdmmc_storage_read(&emmc_storage, bootloader_offset / NX_EMMC_BLOCKSIZE, BOOTLOADER_SIZE / NX_EMMC_BLOCKSIZE, pkg1);
|
||||
|
||||
char *build_date = malloc(32);
|
||||
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1 + pk1_offset, build_date);
|
||||
|
||||
s_printf(txt_buf + strlen(txt_buf), "#00DDFF Found pkg1 ('%s')#\n", build_date);
|
||||
free(build_date);
|
||||
|
||||
if (!pkg1_id)
|
||||
{
|
||||
strcat(txt_buf, "#FFDD00 Unknown pkg1 version!#\n");
|
||||
// Try backup bootloader.
|
||||
if (bootloader_offset != BOOTLOADER_BACKUP_OFFSET)
|
||||
{
|
||||
strcat(txt_buf, "Trying backup bootloader...\n");
|
||||
bootloader_offset = BOOTLOADER_BACKUP_OFFSET;
|
||||
goto try_load;
|
||||
}
|
||||
lv_label_set_text(lb_desc, txt_buf);
|
||||
|
||||
goto out;
|
||||
}
|
||||
|
||||
kb = pkg1_id->kb;
|
||||
|
||||
// Skip if Mariko.
|
||||
if (h_cfg.t210b01)
|
||||
goto t210b01;
|
||||
|
||||
tsec_ctxt_t tsec_ctxt;
|
||||
tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
|
||||
tsec_ctxt.pkg1 = pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
|
||||
// Get keys.
|
||||
hos_eks_get();
|
||||
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
|
||||
h_cfg.sept_run = true;
|
||||
else
|
||||
{
|
||||
// Check that BCT is proper so sept can run.
|
||||
u8 *bct_bldr = (u8 *)calloc(1, 512);
|
||||
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
|
||||
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
|
||||
free(bct_bldr);
|
||||
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
|
||||
{
|
||||
lv_label_set_text(lb_desc, "#FFDD00 Main BCT is improper! Failed to run sept.#\n"
|
||||
"#FFDD00 Run sept with proper BCT at least once#\n#FFDD00 to cache keys.#\n");
|
||||
goto out;
|
||||
}
|
||||
|
||||
// Set boot cfg.
|
||||
b_cfg->autoboot = 0;
|
||||
b_cfg->autoboot_list = 0;
|
||||
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
|
||||
b_cfg->sept = NYX_SEPT_CAL0;
|
||||
|
||||
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb))
|
||||
{
|
||||
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept#\n");
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
t210b01:;
|
||||
// Read the correct keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
// Generate BIS keys
|
||||
hos_bis_keygen(keyblob, kb, &tsec_ctxt);
|
||||
|
||||
free(keyblob);
|
||||
hos_bis_keygen();
|
||||
|
||||
if (!cal0_buf)
|
||||
cal0_buf = malloc(0x10000);
|
||||
|
@ -418,24 +325,23 @@ t210b01:;
|
|||
nx_emmc_bis_end();
|
||||
nx_emmc_gpt_free(&gpt);
|
||||
|
||||
// Clear BIS keys slots and reinstate SBK.
|
||||
// Clear BIS keys slots.
|
||||
hos_bis_keys_clear();
|
||||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)cal0_buf;
|
||||
|
||||
// If successful, save BIS keys.
|
||||
// Check keys validity.
|
||||
if (memcmp(&cal0->magic, "CAL0", 4))
|
||||
{
|
||||
free(cal0_buf);
|
||||
cal0_buf = NULL;
|
||||
|
||||
hos_eks_bis_clear();
|
||||
// Clear EKS keys.
|
||||
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
|
||||
|
||||
lv_label_set_text(lb_desc, "#FFDD00 CAL0 is corrupt or wrong keys!#\n");
|
||||
goto out;
|
||||
}
|
||||
else
|
||||
hos_eks_bis_save();
|
||||
|
||||
u32 hash[8];
|
||||
se_calc_sha256_oneshot(hash, (u8 *)cal0 + 0x40, cal0->body_size);
|
||||
|
@ -526,7 +432,6 @@ t210b01:;
|
|||
lv_label_set_text(lb_desc, txt_buf);
|
||||
|
||||
out:
|
||||
free(pkg1);
|
||||
free(txt_buf);
|
||||
sd_unmount();
|
||||
sdmmc_storage_end(&emmc_storage);
|
||||
|
@ -1042,11 +947,6 @@ static lv_res_t _create_window_fuses_info_status(lv_obj_t *btn)
|
|||
return LV_RES_OK;
|
||||
}
|
||||
|
||||
void sept_run_cal0(void *param)
|
||||
{
|
||||
_create_window_fuses_info_status(NULL);
|
||||
}
|
||||
|
||||
static char *ipatches_txt;
|
||||
static void _ipatch_process(u32 offset, u32 value)
|
||||
{
|
||||
|
@ -1098,7 +998,7 @@ static lv_res_t _create_window_tsec_keys_status(lv_obj_t *btn)
|
|||
{
|
||||
u32 retries = 0;
|
||||
|
||||
tsec_ctxt_t tsec_ctxt;
|
||||
tsec_ctxt_t tsec_ctxt = {0};
|
||||
|
||||
lv_obj_t *win = nyx_create_standard_window(SYMBOL_CHIP" TSEC Keys");
|
||||
|
||||
|
@ -1173,28 +1073,35 @@ try_load:
|
|||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
|
||||
if (pkg1_id->kb <= KB_FIRMWARE_VERSION_600)
|
||||
{
|
||||
tsec_ctxt.size = 0xF00;
|
||||
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
|
||||
tsec_ctxt.size = 0x2900;
|
||||
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
tsec_ctxt.size = 0x3000;
|
||||
// Exit after TSEC key generation.
|
||||
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
|
||||
tsec_ctxt.type = TSEC_FW_TYPE_OLD;
|
||||
}
|
||||
else
|
||||
tsec_ctxt.size = 0x3300;
|
||||
|
||||
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
|
||||
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
|
||||
{
|
||||
tsec_ctxt.size = 0x2900;
|
||||
tsec_ctxt.type = TSEC_FW_TYPE_EMU;
|
||||
|
||||
u8 *tsec_paged = (u8 *)page_alloc(3);
|
||||
memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size);
|
||||
tsec_ctxt.fw = tsec_paged;
|
||||
}
|
||||
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
tsec_ctxt.size = 0x3000;
|
||||
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
|
||||
// Exit after TSEC key generation.
|
||||
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
|
||||
}
|
||||
else
|
||||
{
|
||||
tsec_ctxt.size = 0x3300;
|
||||
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
|
||||
}
|
||||
|
||||
int res = 0;
|
||||
|
||||
while (tsec_query((u8 *)tsec_keys, pkg1_id->kb, &tsec_ctxt) < 0)
|
||||
while (tsec_query((u8 *)tsec_keys, &tsec_ctxt) < 0)
|
||||
{
|
||||
memset(tsec_keys, 0x00, 0x20);
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2018-2019 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -19,7 +19,6 @@
|
|||
|
||||
#include <libs/lvgl/lvgl.h>
|
||||
|
||||
void sept_run_cal0(void *param);
|
||||
void create_tab_info(lv_theme_t *th, lv_obj_t *parent);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -28,7 +28,6 @@
|
|||
#include "../hos/pkg1.h"
|
||||
#include "../hos/pkg2.h"
|
||||
#include "../hos/hos.h"
|
||||
#include "../hos/sept.h"
|
||||
#include <input/touch.h>
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <mem/heap.h>
|
||||
|
@ -1138,62 +1137,19 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
|
|||
|
||||
kb = pkg1_id->kb;
|
||||
|
||||
if (!h_cfg.se_keygen_done)
|
||||
{
|
||||
tsec_ctxt_t tsec_ctxt;
|
||||
tsec_ctxt.fw = (void *)(pkg1 + pkg1_id->tsec_off);
|
||||
tsec_ctxt.pkg1 = (void *)pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
tsec_ctxt_t tsec_ctxt = {0};
|
||||
tsec_ctxt.fw = (void *)(pkg1 + pkg1_id->tsec_off);
|
||||
tsec_ctxt.pkg1 = (void *)pkg1;
|
||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
||||
|
||||
hos_eks_get();
|
||||
// Read keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
if (!h_cfg.t210b01 && kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
|
||||
h_cfg.sept_run = true;
|
||||
else
|
||||
{
|
||||
// Check that BCT is proper so sept can run.
|
||||
u8 *bct_bldr = (u8 *)calloc(1, 512);
|
||||
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
|
||||
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
|
||||
free(bct_bldr);
|
||||
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
|
||||
{
|
||||
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept because main BCT is improper!#\n"
|
||||
"#FFDD00 Run sept with proper BCT at least once to cache keys.#\n");
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
// Set boot cfg.
|
||||
b_cfg->autoboot = 0;
|
||||
b_cfg->autoboot_list = 0;
|
||||
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
|
||||
b_cfg->sept = NYX_SEPT_DUMP;
|
||||
|
||||
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb))
|
||||
{
|
||||
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept#\n");
|
||||
goto out_free;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Read keyblob.
|
||||
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
|
||||
|
||||
// Decrypt.
|
||||
hos_keygen(keyblob, kb, &tsec_ctxt);
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
h_cfg.se_keygen_done = 1;
|
||||
free(keyblob);
|
||||
}
|
||||
// Decrypt.
|
||||
hos_keygen(keyblob, kb, &tsec_ctxt);
|
||||
free(keyblob);
|
||||
|
||||
if (h_cfg.t210b01 || kb <= KB_FIRMWARE_VERSION_600)
|
||||
{
|
||||
|
@ -1316,13 +1272,11 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
|
|||
lv_label_set_text(lb_desc, txt_buf);
|
||||
manual_system_maintenance(true);
|
||||
|
||||
// Clear EKS slot, in case something went wrong with sept keygen.
|
||||
// Clear EKS slot, in case something went wrong with tsec keygen.
|
||||
hos_eks_clear(kb);
|
||||
|
||||
goto out;
|
||||
}
|
||||
else if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
hos_eks_save(kb); // Save EKS slot if it doesn't exist.
|
||||
|
||||
// Display info.
|
||||
s_printf(txt_buf + strlen(txt_buf),
|
||||
|
@ -1429,11 +1383,6 @@ out_end:
|
|||
return LV_RES_OK;
|
||||
}
|
||||
|
||||
void sept_run_dump(void *param)
|
||||
{
|
||||
_create_window_dump_pk12_tool(NULL);
|
||||
}
|
||||
|
||||
static void _create_tab_tools_emmc_pkg12(lv_theme_t *th, lv_obj_t *parent)
|
||||
{
|
||||
lv_page_set_scrl_layout(parent, LV_LAYOUT_PRETTY);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2018-2019 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -23,7 +23,6 @@ extern lv_obj_t *ums_mbox;
|
|||
|
||||
void create_tab_tools(lv_theme_t *th, lv_obj_t *parent);
|
||||
void nyx_run_ums(void *param);
|
||||
void sept_run_dump(void *param);
|
||||
bool get_autorcm_status(bool change);
|
||||
lv_res_t action_ums_sd(lv_obj_t *btn);
|
||||
|
||||
|
|
|
@ -21,7 +21,6 @@
|
|||
#include <string.h>
|
||||
|
||||
#include "hos.h"
|
||||
#include "sept.h"
|
||||
#include "../config.h"
|
||||
#include <display/di.h>
|
||||
#include <gfx_utils.h>
|
||||
|
@ -54,7 +53,7 @@ typedef struct _tsec_keys_t
|
|||
|
||||
typedef struct _kb_keys_t
|
||||
{
|
||||
u8 master_keyseed[SE_KEY_128_SIZE];
|
||||
u8 master_kekseed[SE_KEY_128_SIZE];
|
||||
u8 random_data[0x70];
|
||||
u8 package1_key[SE_KEY_128_SIZE];
|
||||
} kb_keys_t;
|
||||
|
@ -82,12 +81,18 @@ static const u8 cmac_keyseed[SE_KEY_128_SIZE] =
|
|||
static const u8 master_keyseed_retail[SE_KEY_128_SIZE] =
|
||||
{ 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
|
||||
|
||||
static const u8 master_keyseed_4xx_5xx_610[SE_KEY_128_SIZE] =
|
||||
{ 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
|
||||
// Unused in this context.
|
||||
//static const u8 master_keyseed_4xx[SE_KEY_128_SIZE] =
|
||||
// { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
|
||||
|
||||
static const u8 master_keyseed_620[SE_KEY_128_SIZE] =
|
||||
static const u8 master_kekseed_620[SE_KEY_128_SIZE] =
|
||||
{ 0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A };
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 master_kekseed_t210_max[SE_KEY_128_SIZE] =
|
||||
{ 0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A }; // 12.1.0.
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
|
||||
{ 0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56 }, // 6.0.0.
|
||||
{ 0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE }, // 6.2.0.
|
||||
|
@ -101,12 +106,13 @@ static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
|
|||
static const u8 console_keyseed[SE_KEY_128_SIZE] =
|
||||
{ 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
|
||||
|
||||
static const u8 console_keyseed_4xx_5xx[SE_KEY_128_SIZE] =
|
||||
static const u8 console_keyseed_4xx[SE_KEY_128_SIZE] =
|
||||
{ 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
|
||||
|
||||
const u8 package2_keyseed[SE_KEY_128_SIZE] =
|
||||
{ 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE] = {
|
||||
{ 0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D }, // Zeroes encrypted with mkey 00.
|
||||
{ 0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD }, // Mkey 00 encrypted with mkey 01.
|
||||
|
@ -122,6 +128,7 @@ static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE] = {
|
|||
{ 0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98 }, // Mkey 10 encrypted with mkey 11.
|
||||
};
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 new_console_keyseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][SE_KEY_128_SIZE] = {
|
||||
{ 0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D }, // 4.x New Device Key Source.
|
||||
{ 0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C }, // 5.x New Device Key Source.
|
||||
|
@ -134,6 +141,7 @@ static const u8 new_console_keyseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSIO
|
|||
{ 0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6 }, // 12.1.0 New Device Key Source.
|
||||
};
|
||||
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 new_console_kekseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][SE_KEY_128_SIZE] = {
|
||||
{ 0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D }, // 4.x New Device Keygen Source.
|
||||
{ 0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E }, // 5.x New Device Keygen Source.
|
||||
|
@ -186,7 +194,7 @@ bool hos_eks_rw_try(u8 *buf, bool write)
|
|||
return false;
|
||||
}
|
||||
|
||||
void hos_eks_get()
|
||||
static void _hos_eks_get()
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
|
@ -202,11 +210,10 @@ void hos_eks_get()
|
|||
|
||||
// Decrypt EKS blob.
|
||||
hos_eks_mbr_t *eks = (hos_eks_mbr_t *)(mbr + 0x80);
|
||||
se_aes_crypt_ecb(14, 0, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, DECRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Check if valid and for this unit.
|
||||
if (eks->magic == HOS_EKS_MAGIC &&
|
||||
(eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0) || eks->lot0 == FUSE(FUSE_PRIVATE_KEY0)))
|
||||
if (eks->magic == HOS_EKS_MAGIC && eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0))
|
||||
{
|
||||
h_cfg.eks = eks;
|
||||
return;
|
||||
|
@ -217,133 +224,13 @@ out:
|
|||
}
|
||||
}
|
||||
|
||||
void hos_eks_save(u32 kb)
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
bool new_eks = false;
|
||||
if (!h_cfg.eks)
|
||||
{
|
||||
h_cfg.eks = calloc(512 , 1);
|
||||
new_eks = true;
|
||||
}
|
||||
|
||||
// If matching blob doesn't exist, create it.
|
||||
bool update_eks = key_idx ? (h_cfg.eks->enabled[key_idx] < kb) : !h_cfg.eks->enabled[0];
|
||||
// If old EKS version was found, update it.
|
||||
update_eks |= h_cfg.eks->lot0 != FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
if (update_eks)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
{
|
||||
if (new_eks)
|
||||
{
|
||||
free(h_cfg.eks);
|
||||
h_cfg.eks = NULL;
|
||||
}
|
||||
|
||||
goto out;
|
||||
}
|
||||
|
||||
// Get keys.
|
||||
u8 *keys = (u8 *)calloc(0x2000, 1);
|
||||
se_get_aes_keys(keys + 0x1000, keys, SE_KEY_128_SIZE);
|
||||
|
||||
// Set magic and personalized info.
|
||||
h_cfg.eks->magic = HOS_EKS_MAGIC;
|
||||
h_cfg.eks->enabled[key_idx] = kb;
|
||||
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
|
||||
// Copy new keys.
|
||||
memcpy(h_cfg.eks->dkg, keys + 10 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->dkk, keys + 15 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
|
||||
if (!h_cfg.aes_slots_new)
|
||||
{
|
||||
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
}
|
||||
else // New sept slots.
|
||||
{
|
||||
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
}
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
free(eks);
|
||||
free(keys);
|
||||
out:
|
||||
free(mbr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void hos_eks_clear(u32 kb)
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
if (h_cfg.eks && kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
// Check if Current Master key is enabled.
|
||||
if (h_cfg.eks->enabled[key_idx])
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
goto out;
|
||||
|
||||
// Disable current Master key version.
|
||||
h_cfg.eks->enabled[key_idx] = 0;
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
EMC(EMC_SCRATCH0) &= ~EMC_SEPT_RUN;
|
||||
h_cfg.sept_run = false;
|
||||
|
||||
free(eks);
|
||||
out:
|
||||
free(mbr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void hos_eks_bis_save()
|
||||
static void _hos_eks_save(u32 kb)
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
// EKS save. Only for 7.0.0 and up.
|
||||
bool new_eks = false;
|
||||
if (!h_cfg.eks)
|
||||
{
|
||||
|
@ -352,7 +239,7 @@ void hos_eks_bis_save()
|
|||
}
|
||||
|
||||
// If matching blob doesn't exist, create it.
|
||||
if (!h_cfg.eks->enabled_bis)
|
||||
if (h_cfg.eks->enabled < kb)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
|
@ -367,73 +254,75 @@ void hos_eks_bis_save()
|
|||
goto out;
|
||||
}
|
||||
|
||||
// Get keys.
|
||||
u8 *keys = (u8 *)calloc(0x2000, 1);
|
||||
se_get_aes_keys(keys + 0x1000, keys, SE_KEY_128_SIZE);
|
||||
|
||||
// Set magic and personalized info.
|
||||
h_cfg.eks->magic = HOS_EKS_MAGIC;
|
||||
h_cfg.eks->enabled_bis = 1;
|
||||
h_cfg.eks->enabled = KB_FIRMWARE_VERSION_MAX;
|
||||
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
|
||||
|
||||
// Copy new keys.
|
||||
memcpy(h_cfg.eks->bis_keys[0].crypt, bis_keys + (0 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->bis_keys[0].tweak, bis_keys + (1 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
|
||||
memcpy(h_cfg.eks->bis_keys[1].crypt, bis_keys + (2 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->bis_keys[1].tweak, bis_keys + (3 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
|
||||
memcpy(h_cfg.eks->bis_keys[2].crypt, bis_keys + (4 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->bis_keys[2].tweak, bis_keys + (5 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->tsec, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->troot, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(h_cfg.eks->troot_dev, keys + 11 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
|
||||
free(eks);
|
||||
free(keys);
|
||||
out:
|
||||
free(mbr);
|
||||
}
|
||||
}
|
||||
|
||||
void hos_eks_bis_clear()
|
||||
void hos_eks_clear(u32 kb)
|
||||
{
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
// Check if BIS keys are enabled.
|
||||
if (h_cfg.eks && h_cfg.eks->enabled_bis)
|
||||
if (h_cfg.eks && kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
goto out;
|
||||
// Check if current Master key is enabled.
|
||||
if (h_cfg.eks->enabled)
|
||||
{
|
||||
// Read EKS blob.
|
||||
u8 *mbr = calloc(512 , 1);
|
||||
if (!hos_eks_rw_try(mbr, false))
|
||||
goto out;
|
||||
|
||||
// Disable BIS storage.
|
||||
h_cfg.eks->enabled_bis = 0;
|
||||
// Disable current Master key version.
|
||||
h_cfg.eks->enabled = 0;
|
||||
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
// Encrypt EKS blob.
|
||||
u8 *eks = calloc(512 , 1);
|
||||
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
|
||||
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
|
||||
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
// Write EKS blob to SD.
|
||||
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
|
||||
hos_eks_rw_try(mbr, true);
|
||||
|
||||
free(eks);
|
||||
free(eks);
|
||||
out:
|
||||
free(mbr);
|
||||
free(mbr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int hos_keygen_t210b01(u32 kb)
|
||||
{
|
||||
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
|
||||
se_aes_unwrap_key(10, 14, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(10, 14, console_keyseed_4xx);
|
||||
|
||||
// Derive master key.
|
||||
se_aes_unwrap_key(7, 12, &master_kekseed_t210b01[kb - KB_FIRMWARE_VERSION_600]);
|
||||
|
@ -448,6 +337,7 @@ int hos_keygen_t210b01(u32 kb)
|
|||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
||||
{
|
||||
u32 retries = 0;
|
||||
bool use_tsec = false;
|
||||
tsec_keys_t tsec_keys;
|
||||
kb_t *kb_data = (kb_t *)keyblob;
|
||||
|
||||
|
@ -457,63 +347,95 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
if (h_cfg.t210b01)
|
||||
return hos_keygen_t210b01(kb);
|
||||
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
tsec_ctxt->size = 0xF00;
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
tsec_ctxt->size = 0x2900;
|
||||
else if (kb == KB_FIRMWARE_VERSION_700)
|
||||
tsec_ctxt->size = 0x3000;
|
||||
else
|
||||
tsec_ctxt->size = 0x3300;
|
||||
// Do Erista keygen.
|
||||
|
||||
// Prepare smmu tsec page for 6.2.0.
|
||||
if (kb == KB_FIRMWARE_VERSION_620)
|
||||
// Use HOS EKS if it exists.
|
||||
_hos_eks_get();
|
||||
|
||||
// Use tsec keygen for old firmware or if EKS keys do not exist for newer.
|
||||
if (kb <= KB_FIRMWARE_VERSION_620 || !h_cfg.eks || (h_cfg.eks && h_cfg.eks->enabled < kb))
|
||||
use_tsec = true;
|
||||
|
||||
if (kb <= KB_FIRMWARE_VERSION_600)
|
||||
{
|
||||
tsec_ctxt->size = 0xF00;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_OLD;
|
||||
}
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
{
|
||||
tsec_ctxt->size = 0x2900;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_EMU;
|
||||
|
||||
// Prepare smmu tsec page for 6.2.0.
|
||||
u8 *tsec_paged = (u8 *)page_alloc(3);
|
||||
memcpy(tsec_paged, (void *)tsec_ctxt->fw, tsec_ctxt->size);
|
||||
tsec_ctxt->fw = tsec_paged;
|
||||
}
|
||||
else if (use_tsec) // 7.0.0+
|
||||
{
|
||||
/*
|
||||
* 7.0.0/8.1.0 tsec fw are 0x3000/0x3300.
|
||||
* Unused here because of THK.
|
||||
*/
|
||||
|
||||
// Use custom TSEC Hovi Keygen firmware.
|
||||
tsec_ctxt->fw = sd_file_read("bootloader/sys/thk.bin", NULL);
|
||||
if (!tsec_ctxt->fw)
|
||||
{
|
||||
EPRINTF("\nFailed to load thk.bin");
|
||||
return 0;
|
||||
}
|
||||
|
||||
tsec_ctxt->size = 0x1F00;
|
||||
tsec_ctxt->type = TSEC_FW_TYPE_NEW;
|
||||
}
|
||||
else if (h_cfg.eks)
|
||||
{
|
||||
// EKS found. Set TSEC keys.
|
||||
se_aes_key_set(12, h_cfg.eks->tsec, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, h_cfg.eks->troot, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(11, h_cfg.eks->troot_dev, SE_KEY_128_SIZE);
|
||||
}
|
||||
|
||||
// Get TSEC key.
|
||||
if (kb <= KB_FIRMWARE_VERSION_620)
|
||||
while (use_tsec && tsec_query(&tsec_keys, tsec_ctxt) < 0)
|
||||
{
|
||||
while (tsec_query(&tsec_keys, kb, tsec_ctxt) < 0)
|
||||
{
|
||||
memset(&tsec_keys, 0x00, 0x20);
|
||||
retries++;
|
||||
memset(&tsec_keys, 0x00, 0x20);
|
||||
retries++;
|
||||
|
||||
// We rely on racing conditions, make sure we cover even the unluckiest cases.
|
||||
if (retries > 15)
|
||||
{
|
||||
EPRINTF("\nFailed to get TSEC keys. Please try again.\n");
|
||||
return 0;
|
||||
}
|
||||
// We rely on racing conditions, make sure we cover even the unluckiest cases.
|
||||
if (retries > 15)
|
||||
{
|
||||
EPRINTF("\nFailed to get TSEC keys. Please try again.");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (kb >= KB_FIRMWARE_VERSION_700)
|
||||
{
|
||||
// Use HOS EKS if it exists.
|
||||
u32 key_idx = 0;
|
||||
if (kb >= KB_FIRMWARE_VERSION_810)
|
||||
key_idx = 1;
|
||||
|
||||
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
|
||||
// For 7.0.0 and up, save EKS slot if it doesn't exist.
|
||||
if (use_tsec)
|
||||
{
|
||||
// Set Device keygen key to slot 10.
|
||||
se_aes_key_set(10, h_cfg.eks->dkg, SE_KEY_128_SIZE);
|
||||
// Set Master key to slot 12.
|
||||
se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
|
||||
// Set FW Device key key to slot 13.
|
||||
se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
|
||||
// Set Device key to slot 15.
|
||||
se_aes_key_set(15, h_cfg.eks->dkk, SE_KEY_128_SIZE);
|
||||
_hos_eks_save(kb);
|
||||
free(tsec_ctxt->fw);
|
||||
}
|
||||
else
|
||||
h_cfg.aes_slots_new = se_key_acc_ctrl_get(12) == 0x6A;
|
||||
|
||||
se_aes_key_clear(8);
|
||||
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
|
||||
// Decrypt keyblob and set keyslots.
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
|
||||
|
||||
// Derive device keys.
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
|
||||
// Derive master kek.
|
||||
se_aes_unwrap_key(7, 13, master_kekseed_t210_max);
|
||||
|
||||
// Derive master key.
|
||||
se_aes_unwrap_key(7, 7, master_keyseed_retail);
|
||||
|
||||
// Package2 key.
|
||||
se_aes_unwrap_key(8, 7, package2_keyseed);
|
||||
}
|
||||
else if (kb == KB_FIRMWARE_VERSION_620)
|
||||
{
|
||||
|
@ -522,16 +444,22 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
// Set TSEC root key.
|
||||
se_aes_key_set(13, tsec_keys.tsec_root, SE_KEY_128_SIZE);
|
||||
|
||||
// Decrypt keyblob and set keyslots
|
||||
se_aes_crypt_block_ecb(12, 0, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
// Decrypt keyblob and set keyslots.
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
|
||||
|
||||
// Derive device keys.
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
|
||||
// Derive master kek.
|
||||
se_aes_unwrap_key(7, 13, master_kekseed_620);
|
||||
|
||||
// Derive master key.
|
||||
se_aes_unwrap_key(7, 7, master_keyseed_retail);
|
||||
|
||||
// Package2 key.
|
||||
se_aes_unwrap_key(8, 13, master_keyseed_620);
|
||||
se_aes_unwrap_key(9, 8, master_keyseed_retail);
|
||||
se_aes_unwrap_key(8, 9, package2_keyseed);
|
||||
se_aes_unwrap_key(8, 7, package2_keyseed);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -539,15 +467,11 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
se_aes_key_set(13, tsec_keys.tsec, SE_KEY_128_SIZE);
|
||||
|
||||
// Derive keyblob keys from TSEC+SBK.
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[0]);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[0]);
|
||||
se_aes_unwrap_key(15, 14, tsec_keys.tsec);
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[kb]);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[kb]);
|
||||
se_aes_unwrap_key(13, 14, tsec_keys.tsec);
|
||||
|
||||
// Clear SBK.
|
||||
if (!h_cfg.sbk_set)
|
||||
se_aes_key_clear(14);
|
||||
|
||||
/*
|
||||
// Verify keyblob CMAC.
|
||||
u8 cmac[SE_KEY_128_SIZE];
|
||||
|
@ -557,16 +481,16 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
return 0;
|
||||
*/
|
||||
|
||||
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, cmac_keyseed);
|
||||
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, cmac_keyseed);
|
||||
se_aes_unwrap_key(11, 13, cmac_keyseed);
|
||||
|
||||
// Decrypt keyblob and set keyslots.
|
||||
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_data->keys), &kb_data->keys, sizeof(kb_data->keys), kb_data->ctr);
|
||||
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_keys_t), &kb_data->keys, sizeof(kb_keys_t), kb_data->ctr);
|
||||
se_aes_key_set(11, kb_data->keys.package1_key, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(12, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(12, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
|
||||
se_aes_key_set(13, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
|
||||
|
||||
se_aes_crypt_block_ecb(12, 0, tsec_keys.tsec, master_keyseed_retail);
|
||||
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tsec, master_keyseed_retail);
|
||||
|
||||
switch (kb)
|
||||
{
|
||||
|
@ -577,18 +501,16 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_400:
|
||||
se_aes_unwrap_key(13, 15, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(13, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
if (!h_cfg.sbk_set) // Do not clear SBK if patched. In this context the below key is useless.
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
|
||||
//se_aes_unwrap_key(14, 12, master_keyseed_4xx); // In this context it's useless. So don't kill SBK.
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_500:
|
||||
case KB_FIRMWARE_VERSION_600:
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
|
||||
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
|
||||
se_aes_unwrap_key(15, 15, console_keyseed);
|
||||
if (!h_cfg.sbk_set) // Do not clear SBK if patched. In this context the below key is useless.
|
||||
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
|
||||
//se_aes_unwrap_key(14, 12, master_keyseed_4xx); // In this context it's useless. So don't kill SBK.
|
||||
se_aes_unwrap_key(12, 12, master_keyseed_retail);
|
||||
break;
|
||||
}
|
||||
|
@ -600,32 +522,30 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
return 1;
|
||||
}
|
||||
|
||||
static void _hos_validate_sept_mkey(u32 kb)
|
||||
static void _hos_validate_mkey()
|
||||
{
|
||||
u8 tmp_mkey[SE_KEY_128_SIZE];
|
||||
u32 mkey_idx = sizeof(mkey_vectors) / SE_KEY_128_SIZE;
|
||||
u8 mkey_slot = !h_cfg.aes_slots_new ? 12 : 13;
|
||||
do
|
||||
{
|
||||
mkey_idx--;
|
||||
se_aes_crypt_ecb(mkey_slot, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(7, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
|
||||
for (u32 idx = 0; idx < mkey_idx; idx++)
|
||||
{
|
||||
se_aes_key_clear(2);
|
||||
se_aes_key_set(2, tmp_mkey, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(2, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(2, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
|
||||
}
|
||||
|
||||
if (!memcmp(tmp_mkey, "\x00\x00\x00\x00\x00\x00\x00\x00", 8))
|
||||
{
|
||||
se_aes_key_clear(2);
|
||||
hos_eks_save(kb);
|
||||
return;
|
||||
}
|
||||
} while (mkey_idx - 1);
|
||||
|
||||
se_aes_key_clear(2);
|
||||
hos_eks_clear(kb);
|
||||
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
|
||||
}
|
||||
|
||||
static void _hos_bis_print_key(u32 idx, u8 *key)
|
||||
|
@ -641,105 +561,90 @@ static void _hos_bis_print_key(u32 idx, u8 *key)
|
|||
gfx_puts("\n");
|
||||
}
|
||||
|
||||
int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
||||
int hos_bis_keygen()
|
||||
{
|
||||
u32 keygen_rev = 0;
|
||||
u32 console_key_slot = kb >= KB_FIRMWARE_VERSION_400 ? 15 : 13;
|
||||
u32 console_key_slot = 15; // KB_FIRMWARE_VERSION_MAX. Only for Erista.
|
||||
tsec_ctxt_t tsec_ctxt = {0};
|
||||
|
||||
if (!bis_keys)
|
||||
bis_keys = malloc(SE_KEY_128_SIZE * 6);
|
||||
|
||||
if (!h_cfg.eks || !h_cfg.eks->enabled_bis)
|
||||
// Run initial keygen.
|
||||
hos_keygen(NULL, KB_FIRMWARE_VERSION_MAX, &tsec_ctxt);
|
||||
|
||||
// All Mariko use new device keygen. New keygen was introduced in 4.0.0.
|
||||
// We check unconditionally in order to support downgrades.
|
||||
keygen_rev = fuse_read_odm_keygen_rev();
|
||||
|
||||
gfx_printf("Keygen rev: %d\n", keygen_rev);
|
||||
|
||||
if (keygen_rev)
|
||||
{
|
||||
hos_keygen(keyblob, kb, tsec_ctxt);
|
||||
u8 tmp_mkey[SE_KEY_128_SIZE];
|
||||
u32 mkey_idx = sizeof(mkey_vectors) / SE_KEY_128_SIZE;
|
||||
|
||||
// All Mariko use new device keygen. New keygen was introduced in 4.0.0.
|
||||
// We check unconditionally in order to support downgrades.
|
||||
keygen_rev = fuse_read_odm_keygen_rev();
|
||||
// Keygen revision uses bootloader version, which starts from 1.
|
||||
keygen_rev -= (KB_FIRMWARE_VERSION_400 + 1);
|
||||
|
||||
gfx_printf("Keygen rev: %d\n", keygen_rev);
|
||||
|
||||
if (keygen_rev)
|
||||
// Derive mkey 0.
|
||||
do
|
||||
{
|
||||
u8 tmp_mkey[SE_KEY_128_SIZE];
|
||||
u32 mkey_idx = sizeof(mkey_vectors) / SE_KEY_128_SIZE;
|
||||
u8 mkey_slot = kb >= KB_FIRMWARE_VERSION_700 ? (!h_cfg.aes_slots_new ? 12 : 13) : (kb == KB_FIRMWARE_VERSION_620 ? 9 : 12);
|
||||
|
||||
// Keygen revision uses bootloader version, which starts from 1.
|
||||
keygen_rev -= (KB_FIRMWARE_VERSION_400 + 1);
|
||||
|
||||
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
|
||||
if (h_cfg.t210b01)
|
||||
mkey_slot = 7;
|
||||
|
||||
// Derive mkey 0.
|
||||
do
|
||||
mkey_idx--;
|
||||
se_aes_crypt_ecb(7, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
|
||||
for (u32 idx = 0; idx < mkey_idx; idx++)
|
||||
{
|
||||
mkey_idx--;
|
||||
se_aes_crypt_ecb(mkey_slot, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
|
||||
for (u32 idx = 0; idx < mkey_idx; idx++)
|
||||
{
|
||||
se_aes_key_clear(2);
|
||||
se_aes_key_set(2, tmp_mkey, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(2, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
|
||||
}
|
||||
} while (memcmp(tmp_mkey, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0 && (mkey_idx - 1));
|
||||
se_aes_key_clear(2);
|
||||
se_aes_key_set(2, tmp_mkey, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(2, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
|
||||
}
|
||||
} while (memcmp(tmp_mkey, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0 && (mkey_idx - 1));
|
||||
|
||||
// Derive new device key.
|
||||
se_aes_key_clear(1);
|
||||
se_aes_unwrap_key(1, 10, new_console_keyseed[keygen_rev]); // Uses Device key 4x.
|
||||
se_aes_crypt_ecb(10, 0, tmp_mkey, SE_KEY_128_SIZE, new_console_keyseed[keygen_rev], SE_KEY_128_SIZE); // Uses Device key 4x.
|
||||
se_aes_unwrap_key(1, 2, new_console_kekseed[keygen_rev]); // Uses Master Key 0.
|
||||
se_aes_unwrap_key(1, 1, tmp_mkey);
|
||||
// Derive new device key.
|
||||
se_aes_key_clear(1);
|
||||
se_aes_unwrap_key(1, 10, new_console_keyseed[keygen_rev]); // Uses Device key 4x.
|
||||
se_aes_crypt_ecb(10, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, new_console_keyseed[keygen_rev], SE_KEY_128_SIZE); // Uses Device key 4x.
|
||||
se_aes_unwrap_key(1, 2, new_console_kekseed[keygen_rev]); // Uses Master Key 0.
|
||||
se_aes_unwrap_key(1, 1, tmp_mkey);
|
||||
|
||||
console_key_slot = 1;
|
||||
}
|
||||
|
||||
// Generate generic kek.
|
||||
se_aes_key_clear(2);
|
||||
se_aes_unwrap_key(2, console_key_slot, gen_keyseed_retail);
|
||||
|
||||
// Clear bis keys storage.
|
||||
memset(bis_keys, 0, SE_KEY_128_SIZE * 6);
|
||||
|
||||
// Generate BIS 0 Keys.
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (0 * SE_KEY_128_SIZE), bis_keyseed[0]);
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (1 * SE_KEY_128_SIZE), bis_keyseed[1]);
|
||||
|
||||
// Generate generic kek.
|
||||
se_aes_key_clear(2);
|
||||
se_aes_unwrap_key(2, console_key_slot, gen_kekseed);
|
||||
se_aes_unwrap_key(2, 2, bis_kekseed);
|
||||
se_aes_unwrap_key(2, 2, gen_keyseed);
|
||||
|
||||
// Generate BIS 1 Keys.
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (2 * SE_KEY_128_SIZE), bis_keyseed[2]);
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (3 * SE_KEY_128_SIZE), bis_keyseed[3]);
|
||||
|
||||
// Generate BIS 2/3 Keys.
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (4 * SE_KEY_128_SIZE), bis_keyseed[4]);
|
||||
se_aes_crypt_block_ecb(2, 0, bis_keys + (5 * SE_KEY_128_SIZE), bis_keyseed[5]);
|
||||
|
||||
if (!h_cfg.t210b01 && kb >= KB_FIRMWARE_VERSION_700)
|
||||
_hos_validate_sept_mkey(kb);
|
||||
}
|
||||
else
|
||||
{
|
||||
memcpy(bis_keys + (0 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[0].crypt, SE_KEY_128_SIZE);
|
||||
memcpy(bis_keys + (1 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[0].tweak, SE_KEY_128_SIZE);
|
||||
|
||||
memcpy(bis_keys + (2 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[1].crypt, SE_KEY_128_SIZE);
|
||||
memcpy(bis_keys + (3 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[1].tweak, SE_KEY_128_SIZE);
|
||||
|
||||
memcpy(bis_keys + (4 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[2].crypt, SE_KEY_128_SIZE);
|
||||
memcpy(bis_keys + (5 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[2].tweak, SE_KEY_128_SIZE);
|
||||
console_key_slot = 1;
|
||||
}
|
||||
|
||||
// Generate generic key.
|
||||
se_aes_key_clear(2);
|
||||
se_aes_unwrap_key(2, console_key_slot, gen_keyseed_retail);
|
||||
|
||||
// Clear bis keys storage.
|
||||
memset(bis_keys, 0, SE_KEY_128_SIZE * 6);
|
||||
|
||||
// Generate BIS 0 Keys.
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (0 * SE_KEY_128_SIZE), bis_keyseed[0]);
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (1 * SE_KEY_128_SIZE), bis_keyseed[1]);
|
||||
|
||||
// Generate generic kek.
|
||||
se_aes_key_clear(2);
|
||||
se_aes_unwrap_key(2, console_key_slot, gen_kekseed);
|
||||
se_aes_unwrap_key(2, 2, bis_kekseed);
|
||||
se_aes_unwrap_key(2, 2, gen_keyseed);
|
||||
|
||||
// Generate BIS 1 Keys.
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (2 * SE_KEY_128_SIZE), bis_keyseed[2]);
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (3 * SE_KEY_128_SIZE), bis_keyseed[3]);
|
||||
|
||||
// Generate BIS 2/3 Keys.
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (4 * SE_KEY_128_SIZE), bis_keyseed[4]);
|
||||
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (5 * SE_KEY_128_SIZE), bis_keyseed[5]);
|
||||
|
||||
// Validate key because KB_FIRMWARE_VERSION_MAX.
|
||||
if (!h_cfg.t210b01)
|
||||
_hos_validate_mkey();
|
||||
|
||||
// Print keys to console.
|
||||
_hos_bis_print_key(0, bis_keys);
|
||||
_hos_bis_print_key(1, bis_keys);
|
||||
_hos_bis_print_key(2, bis_keys);
|
||||
|
||||
// Clear all AES keyslots.
|
||||
// Clear all AES tmp and bis keyslots.
|
||||
for (u32 i = 0; i < 6; i++)
|
||||
se_aes_key_clear(i);
|
||||
|
||||
|
@ -758,27 +663,7 @@ int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
|
|||
|
||||
void hos_bis_keys_clear()
|
||||
{
|
||||
// Clear all aes keyslots.
|
||||
// Clear all aes bis keyslots.
|
||||
for (u32 i = 0; i < 6; i++)
|
||||
se_aes_key_clear(i);
|
||||
|
||||
// Check if Erista based unit.
|
||||
if (h_cfg.t210b01)
|
||||
return;
|
||||
|
||||
// Set SBK back.
|
||||
if (!h_cfg.sbk_set)
|
||||
{
|
||||
u32 sbk[4] = {
|
||||
FUSE(FUSE_PRIVATE_KEY0),
|
||||
FUSE(FUSE_PRIVATE_KEY1),
|
||||
FUSE(FUSE_PRIVATE_KEY2),
|
||||
FUSE(FUSE_PRIVATE_KEY3)
|
||||
};
|
||||
// Set SBK to slot 14.
|
||||
se_aes_key_set(14, sbk, SE_KEY_128_SIZE);
|
||||
|
||||
// Lock SBK from being read.
|
||||
se_key_acc_ctrl(14, SE_KEY_TBL_DIS_KEYREAD_FLAG);
|
||||
}
|
||||
}
|
|
@ -42,34 +42,20 @@
|
|||
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210
|
||||
|
||||
#define HOS_PKG11_MAGIC 0x31314B50
|
||||
#define HOS_EKS_MAGIC 0x30534B45
|
||||
|
||||
typedef struct _hos_eks_keys_t
|
||||
{
|
||||
u8 mkk[SE_KEY_128_SIZE];
|
||||
u8 fdk[SE_KEY_128_SIZE];
|
||||
} hos_eks_keys_t;
|
||||
|
||||
typedef struct _hos_eks_bis_keys_t
|
||||
{
|
||||
u8 crypt[SE_KEY_128_SIZE];
|
||||
u8 tweak[SE_KEY_128_SIZE];
|
||||
} hos_eks_bis_keys_t;
|
||||
#define HOS_EKS_MAGIC 0x31534B45 // EKS1.
|
||||
|
||||
typedef struct _hos_eks_mbr_t
|
||||
{
|
||||
u32 magic;
|
||||
u8 enabled[5];
|
||||
u8 enabled_bis;
|
||||
u8 rsvd[2];
|
||||
u32 enabled;
|
||||
u32 lot0;
|
||||
u8 dkg[SE_KEY_128_SIZE];
|
||||
u8 dkk[SE_KEY_128_SIZE];
|
||||
hos_eks_keys_t keys[5];
|
||||
hos_eks_bis_keys_t bis_keys[3];
|
||||
u32 rsvd;
|
||||
u8 tsec[SE_KEY_128_SIZE];
|
||||
u8 troot[SE_KEY_128_SIZE];
|
||||
u8 troot_dev[SE_KEY_128_SIZE];
|
||||
} hos_eks_mbr_t;
|
||||
|
||||
static_assert(sizeof(hos_eks_mbr_t) == 304, "HOS EKS size is wrong!");
|
||||
static_assert(sizeof(hos_eks_mbr_t) == 64, "HOS EKS size is wrong!");
|
||||
|
||||
typedef struct _launch_ctxt_t
|
||||
{
|
||||
|
@ -95,13 +81,9 @@ typedef struct _launch_ctxt_t
|
|||
ini_sec_t *cfg;
|
||||
} launch_ctxt_t;
|
||||
|
||||
void hos_eks_get();
|
||||
void hos_eks_save(u32 kb);
|
||||
void hos_eks_clear(u32 kb);
|
||||
void hos_eks_bis_save();
|
||||
void hos_eks_bis_clear();
|
||||
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt);
|
||||
int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt);
|
||||
int hos_bis_keygen();
|
||||
void hos_bis_keys_clear();
|
||||
|
||||
#endif
|
||||
|
|
|
@ -99,7 +99,7 @@ int pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)
|
|||
// Use BEK for T210B01.
|
||||
// Additionally, skip 0x20 bytes from decryption to maintain the header.
|
||||
se_aes_iv_clear(13);
|
||||
se_aes_crypt_cbc(13, 0, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
|
||||
se_aes_crypt_cbc(13, DECRYPT, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
|
||||
}
|
||||
|
||||
// Return if header is valid.
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2018 naehrwert
|
||||
* Copyright (c) 2018-2020 CTCaer
|
||||
* Copyright (c) 2018-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
|
@ -112,8 +112,11 @@ DPRINTF(" kip1 %d:%s @ %08X (%08X)\n", i, kip1->name, (u32)kip1, ki->size);
|
|||
return true;
|
||||
}
|
||||
|
||||
static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
|
||||
//!TODO: Update on mkey changes.
|
||||
static const u8 mkey_vector_7xx[][SE_KEY_128_SIZE] =
|
||||
{
|
||||
// Master key 7 encrypted with 8. (7.0.0 with 8.1.0)
|
||||
{ 0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29 },
|
||||
// Master key 8 encrypted with 9. (8.1.0 with 9.0.0)
|
||||
{ 0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80 },
|
||||
// Master key 9 encrypted with 10. (9.0.0 with 9.1.0)
|
||||
|
@ -125,9 +128,8 @@ static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
|
|||
static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8 src_slot, u8 *mkey, const u8 *key_seed)
|
||||
{
|
||||
// Decrypt older encrypted mkey.
|
||||
se_aes_crypt_ecb(src_slot, 0, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ecb(src_slot, DECRYPT, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
|
||||
// Set and unwrap pkg2 key.
|
||||
se_aes_key_clear(9);
|
||||
se_aes_key_set(9, mkey, SE_KEY_128_SIZE);
|
||||
se_aes_unwrap_key(9, 9, package2_keyseed);
|
||||
|
||||
|
@ -142,7 +144,7 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
|||
{
|
||||
pkg2_hdr_t mkey_test;
|
||||
u8 *pdata = (u8 *)data;
|
||||
u8 keyslot = 8;
|
||||
u8 pkg2_keyslot = 8;
|
||||
|
||||
// Skip signature.
|
||||
pdata += 0x100;
|
||||
|
@ -152,18 +154,18 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
|||
// Skip header.
|
||||
pdata += sizeof(pkg2_hdr_t);
|
||||
|
||||
// Check if we need to decrypt with newer mkeys. Valid for sept for 8.1.0 and up.
|
||||
// Check if we need to decrypt with newer mkeys. Valid for THK for 7.0.0 and up.
|
||||
se_aes_crypt_ctr(8, &mkey_test, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
|
||||
|
||||
if (mkey_test.magic == PKG2_MAGIC)
|
||||
goto key_found;
|
||||
|
||||
// Decrypt older pkg2 via new mkeys.
|
||||
if ((kb >= KB_FIRMWARE_VERSION_810) && (kb < KB_FIRMWARE_VERSION_MAX))
|
||||
if ((kb >= KB_FIRMWARE_VERSION_700) && (kb < KB_FIRMWARE_VERSION_MAX))
|
||||
{
|
||||
u8 tmp_mkey[SE_KEY_128_SIZE];
|
||||
u8 decr_slot = !h_cfg.t210b01 ? (!h_cfg.aes_slots_new ? 12 : 13) : 7; // Sept mkey or T210B01 mkey.
|
||||
u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / SE_KEY_128_SIZE;
|
||||
u8 decr_slot = 7; // THK mkey or T210B01 mkey.
|
||||
u8 mkey_seeds_cnt = sizeof(mkey_vector_7xx) / SE_KEY_128_SIZE;
|
||||
u8 mkey_seeds_idx = mkey_seeds_cnt; // Real index + 1.
|
||||
u8 mkey_seeds_min_idx = mkey_seeds_cnt - (KB_FIRMWARE_VERSION_MAX - kb);
|
||||
|
||||
|
@ -171,41 +173,36 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
|
|||
{
|
||||
// Decrypt and validate mkey.
|
||||
int res = _pkg2_key_unwrap_validate(&mkey_test, hdr, decr_slot,
|
||||
tmp_mkey, mkey_vector_8xx[mkey_seeds_idx - 1]);
|
||||
tmp_mkey, mkey_vector_7xx[mkey_seeds_idx - 1]);
|
||||
|
||||
if (res)
|
||||
{
|
||||
keyslot = 9;
|
||||
pkg2_keyslot = 9;
|
||||
goto key_found;
|
||||
}
|
||||
else
|
||||
{
|
||||
// Set current mkey in order to decrypt a lower mkey.
|
||||
mkey_seeds_idx--;
|
||||
se_aes_key_clear(9);
|
||||
se_aes_key_set(9, tmp_mkey, SE_KEY_128_SIZE);
|
||||
|
||||
decr_slot = 9; // Temp key.
|
||||
|
||||
// Check if we tried last key for that pkg2 version.
|
||||
// And start with a lower mkey in case sept is older.
|
||||
// And start with a lower mkey in case mkey is older.
|
||||
if (mkey_seeds_idx == mkey_seeds_min_idx)
|
||||
{
|
||||
mkey_seeds_cnt--;
|
||||
mkey_seeds_idx = mkey_seeds_cnt;
|
||||
decr_slot = !h_cfg.aes_slots_new ? 12 : 13; // Sept mkey.
|
||||
decr_slot = 7; // THK mkey or T210B01 mkey.
|
||||
}
|
||||
|
||||
// Out of keys. pkg2 is latest or process failed.
|
||||
if (!mkey_seeds_cnt)
|
||||
se_aes_key_clear(9);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
key_found:
|
||||
// Decrypt header.
|
||||
se_aes_crypt_ctr(keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
|
||||
se_aes_crypt_ctr(pkg2_keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
|
||||
//gfx_hexdump((u32)hdr, hdr, 0x100);
|
||||
|
||||
if (hdr->magic != PKG2_MAGIC)
|
||||
|
@ -217,14 +214,11 @@ DPRINTF("sec %d has size %08X\n", i, hdr->sec_size[i]);
|
|||
if (!hdr->sec_size[i])
|
||||
continue;
|
||||
|
||||
se_aes_crypt_ctr(keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * SE_AES_IV_SIZE]);
|
||||
se_aes_crypt_ctr(pkg2_keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * SE_AES_IV_SIZE]);
|
||||
//gfx_hexdump((u32)pdata, pdata, 0x100);
|
||||
|
||||
pdata += hdr->sec_size[i];
|
||||
}
|
||||
|
||||
if (keyslot != 8)
|
||||
se_aes_key_clear(9);
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
|
|
@ -1,175 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2019-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
* version 2, as published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||
* more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "hos.h"
|
||||
#include "sept.h"
|
||||
#include "../config.h"
|
||||
#include <display/di.h>
|
||||
#include <ianos/ianos.h>
|
||||
#include <libs/fatfs/ff.h>
|
||||
#include <mem/heap.h>
|
||||
#include <soc/hw_init.h>
|
||||
#include <soc/pmc.h>
|
||||
#include <soc/t210.h>
|
||||
#include "../storage/nx_emmc.h"
|
||||
#include <storage/nx_sd.h>
|
||||
#include <storage/sdmmc.h>
|
||||
#include <utils/btn.h>
|
||||
#include <utils/types.h>
|
||||
#include <utils/util.h>
|
||||
|
||||
#include <gfx_utils.h>
|
||||
|
||||
#define RELOC_META_OFF 0x7C
|
||||
#define PATCHED_RELOC_SZ 0x94
|
||||
|
||||
#define WB_RST_ADDR 0x40010ED0
|
||||
#define WB_RST_SIZE 0x30
|
||||
|
||||
u8 warmboot_reboot[] = {
|
||||
0x14, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E450
|
||||
0x01, 0x10, 0xB0, 0xE3, // MOVS R1, #1
|
||||
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
|
||||
0x0C, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E400
|
||||
0x10, 0x10, 0xB0, 0xE3, // MOVS R1, #0x10
|
||||
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
|
||||
0xFE, 0xFF, 0xFF, 0xEA, // LOOP
|
||||
0x50, 0xE4, 0x00, 0x70, // #0x7000E450
|
||||
0x00, 0xE4, 0x00, 0x70 // #0x7000E400
|
||||
};
|
||||
|
||||
#define SEPT_PRI_ADDR 0x4003F000
|
||||
|
||||
#define SEPT_PK1T_ADDR 0xC0400000
|
||||
#define SEPT_TCSZ_ADDR (SEPT_PK1T_ADDR - 0x4)
|
||||
#define SEPT_STG1_ADDR (SEPT_PK1T_ADDR + 0x2E100)
|
||||
#define SEPT_STG2_ADDR (SEPT_PK1T_ADDR + 0x60E0)
|
||||
#define SEPT_PKG_SZ (0x2F100 + WB_RST_SIZE)
|
||||
|
||||
extern volatile boot_cfg_t *b_cfg;
|
||||
extern hekate_config h_cfg;
|
||||
extern volatile nyx_storage_t *nyx_str;
|
||||
|
||||
extern bool is_ipl_updated(void *buf);
|
||||
extern void reloc_patcher(u32 payload_dst, u32 payload_src, u32 payload_size);
|
||||
|
||||
int reboot_to_sept(const u8 *tsec_fw, u32 kb)
|
||||
{
|
||||
FIL fp;
|
||||
|
||||
// Copy warmboot reboot code and TSEC fw.
|
||||
u32 tsec_fw_size = 0x3000;
|
||||
if (kb > KB_FIRMWARE_VERSION_700)
|
||||
tsec_fw_size = 0x3300;
|
||||
memcpy((u8 *)(SEPT_PK1T_ADDR - WB_RST_SIZE), (u8 *)warmboot_reboot, sizeof(warmboot_reboot));
|
||||
memcpy((void *)SEPT_PK1T_ADDR, tsec_fw, tsec_fw_size);
|
||||
*(vu32 *)SEPT_TCSZ_ADDR = tsec_fw_size;
|
||||
|
||||
// Copy sept-primary.
|
||||
if (f_open(&fp, "sept/sept-primary.bin", FA_READ))
|
||||
goto error;
|
||||
|
||||
if (f_read(&fp, (u8 *)SEPT_STG1_ADDR, f_size(&fp), NULL))
|
||||
{
|
||||
f_close(&fp);
|
||||
goto error;
|
||||
}
|
||||
f_close(&fp);
|
||||
|
||||
// Copy sept-secondary.
|
||||
if (kb < KB_FIRMWARE_VERSION_810)
|
||||
{
|
||||
if (f_open(&fp, "sept/sept-secondary_00.enc", FA_READ))
|
||||
goto error;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (f_open(&fp, "sept/sept-secondary_01.enc", FA_READ))
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
|
||||
{
|
||||
f_close(&fp);
|
||||
goto error;
|
||||
}
|
||||
f_close(&fp);
|
||||
|
||||
b_cfg->boot_cfg |= (BOOT_CFG_AUTOBOOT_EN | BOOT_CFG_SEPT_RUN);
|
||||
|
||||
bool update_sept_payload = true;
|
||||
if (!f_open(&fp, "sept/payload.bin", FA_READ | FA_WRITE))
|
||||
{
|
||||
ipl_ver_meta_t tmp_ver;
|
||||
ipl_ver_meta_t heka_ver;
|
||||
f_lseek(&fp, PATCHED_RELOC_SZ + sizeof(boot_cfg_t));
|
||||
f_read(&fp, &tmp_ver, sizeof(ipl_ver_meta_t), NULL);
|
||||
memcpy(&heka_ver, (u8 *)nyx_str->hekate + 0x118, sizeof(ipl_ver_meta_t));
|
||||
|
||||
if (tmp_ver.magic == heka_ver.magic)
|
||||
{
|
||||
if (tmp_ver.version == heka_ver.version)
|
||||
{
|
||||
// Save auto boot config to sept payload, if any.
|
||||
boot_cfg_t *tmp_cfg = malloc(sizeof(boot_cfg_t));
|
||||
memcpy(tmp_cfg, (boot_cfg_t *)b_cfg, sizeof(boot_cfg_t));
|
||||
f_lseek(&fp, PATCHED_RELOC_SZ);
|
||||
f_write(&fp, tmp_cfg, sizeof(boot_cfg_t), NULL);
|
||||
update_sept_payload = false;
|
||||
}
|
||||
|
||||
f_close(&fp);
|
||||
}
|
||||
else
|
||||
{
|
||||
f_close(&fp);
|
||||
f_rename("sept/payload.bin", "sept/payload.bak"); // Backup foreign payload.
|
||||
}
|
||||
}
|
||||
|
||||
if (update_sept_payload)
|
||||
{
|
||||
volatile reloc_meta_t *reloc = (reloc_meta_t *)(nyx_str->hekate + RELOC_META_OFF);
|
||||
f_mkdir("sept");
|
||||
f_open(&fp, "sept/payload.bin", FA_WRITE | FA_CREATE_ALWAYS);
|
||||
f_write(&fp, (u8 *)nyx_str->hekate, reloc->end - reloc->start, NULL);
|
||||
f_close(&fp);
|
||||
}
|
||||
|
||||
sd_end();
|
||||
|
||||
u32 pk1t_sept = SEPT_PK1T_ADDR - (ALIGN(PATCHED_RELOC_SZ, 0x10) + WB_RST_SIZE);
|
||||
|
||||
void (*sept)() = (void *)pk1t_sept;
|
||||
|
||||
reloc_patcher(WB_RST_ADDR, pk1t_sept, SEPT_PKG_SZ);
|
||||
|
||||
// Patch SDRAM init to perform an SVC immediately after second write.
|
||||
PMC(APBDEV_PMC_SCRATCH45) = 0x2E38DFFF;
|
||||
PMC(APBDEV_PMC_SCRATCH46) = 0x6001DC28;
|
||||
// Set SVC handler to jump to sept-primary in IRAM.
|
||||
PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
|
||||
PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
|
||||
|
||||
hw_reinit_workaround(false, 0);
|
||||
|
||||
(*sept)();
|
||||
|
||||
error:
|
||||
return 0;
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2019-2021 CTCaer
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms and conditions of the GNU General Public License,
|
||||
* version 2, as published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
||||
* more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef _SEPT_H_
|
||||
#define _SEPT_H_
|
||||
|
||||
#include <utils/types.h>
|
||||
|
||||
#define SEPT_PRI_ENTRY 0x40010340
|
||||
|
||||
int reboot_to_sept(const u8 *tsec_fw, u32 kb);
|
||||
|
||||
#endif
|
|
@ -87,7 +87,7 @@ static int _nx_aes_xts_crypt_sec(u32 tweak_ks, u32 crypt_ks, u32 enc, u8 *tweak,
|
|||
tweak[i] = sec & 0xFF;
|
||||
sec >>= 8;
|
||||
}
|
||||
if (!se_aes_crypt_block_ecb(tweak_ks, 1, tweak, tweak))
|
||||
if (!se_aes_crypt_block_ecb(tweak_ks, ENCRYPT, tweak, tweak))
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue