
fix 'isCustom' functions; other QoL shit

Reisyukaku committed Mar 17, 2019
1 parent 822886d commit 0041ff650703eb62d45982efffcbe1ab3e90faa8
Showing with 197 additions and 188 deletions.
  1. +39 −38 src/bootloader.c
  2. +22 −22 src/firmware.c
  3. +1 −1 src/firmware.h
  4. +12 −4 src/package.c
  5. +69 −69 src/secmon.c
  6. +54 −54 src/sept.c
@@ -88,18 +88,18 @@ int keygen(u8 *keyblob, u32 fwVer, void * pkg1, pk11_offs * offs) {

print("Copied, emulaing tsec\n");
}
if (fwVer < KB_FIRMWARE_VERSION_700) {
int retries = 0;
int ret = tsec_query(tmp, fwVer, &tsec_ctxt);
while (ret < 0)
{
print("Failed to keygen, retrying\n");
memset(tmp, 0x00, 0x20);
if (++retries > 3)
return 0;
ret = tsec_query(tmp, fwVer, &tsec_ctxt);
}
}
if (fwVer < KB_FIRMWARE_VERSION_700) {
int retries = 0;
int ret = tsec_query(tmp, fwVer, &tsec_ctxt);
while (ret < 0)
{
print("Failed to keygen, retrying\n");
memset(tmp, 0x00, 0x20);
if (++retries > 3)
return 0;
ret = tsec_query(tmp, fwVer, &tsec_ctxt);
}
}

if(fwVer == KB_FIRMWARE_VERSION_620) {
// Set TSEC key.
@@ -119,33 +119,33 @@ int keygen(u8 *keyblob, u32 fwVer, void * pkg1, pk11_offs * offs) {
se_aes_unwrap_key(8, 8, pk21_keyseed);
} else if (fwVer < KB_FIRMWARE_VERSION_620) {
se_key_acc_ctrl(13, 0x15);
se_key_acc_ctrl(14, 0x15);
se_key_acc_ctrl(14, 0x15);

// Set TSEC key.
se_aes_key_set(13, tmp, 0x10);
// Set TSEC key.
se_aes_key_set(13, tmp, 0x10);

// Derive keyblob keys from TSEC+SBK.
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tmp);
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[fwVer]);
se_aes_unwrap_key(13, 14, tmp);
// Derive keyblob keys from TSEC+SBK.
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tmp);
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[fwVer]);
se_aes_unwrap_key(13, 14, tmp);

// Clear SBK.
se_aes_key_clear(14);
// Clear SBK.
se_aes_key_clear(14);

se_aes_crypt_block_ecb(13, 0, tmp, cmac_keyseed);
se_aes_unwrap_key(11, 13, cmac_keyseed);
se_aes_crypt_block_ecb(13, 0, tmp, cmac_keyseed);
se_aes_unwrap_key(11, 13, cmac_keyseed);

// Decrypt keyblob and set keyslots.
se_aes_crypt_ctr(13, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
se_aes_key_set(11, keyblob + 0x20 + 0x80, 0x10); // Package1 key.
se_aes_key_set(12, keyblob + 0x20, 0x10);
se_aes_key_set(13, keyblob + 0x20, 0x10);
// Decrypt keyblob and set keyslots.
se_aes_crypt_ctr(13, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
se_aes_key_set(11, keyblob + 0x20 + 0x80, 0x10); // Package1 key.
se_aes_key_set(12, keyblob + 0x20, 0x10);
se_aes_key_set(13, keyblob + 0x20, 0x10);

se_aes_crypt_block_ecb(12, 0, tmp, pre400_master_keyseed);
se_aes_crypt_block_ecb(12, 0, tmp, pre400_master_keyseed);

switch (fwVer)
{
switch (fwVer)
{
case KB_FIRMWARE_VERSION_200:
case KB_FIRMWARE_VERSION_300:
case KB_FIRMWARE_VERSION_301:
@@ -165,11 +165,11 @@ int keygen(u8 *keyblob, u32 fwVer, void * pkg1, pk11_offs * offs) {
se_aes_unwrap_key(14, 12, pre620_master_keyseed);
se_aes_unwrap_key(12, 12, pre400_master_keyseed);
break;
}
}

// Package2 key.
se_key_acc_ctrl(8, 0x15);
se_aes_unwrap_key(8, 12, pk21_keyseed);
// Package2 key.
se_key_acc_ctrl(8, 0x15);
se_aes_unwrap_key(8, 12, pk21_keyseed);
}

return 1;
@@ -324,8 +324,9 @@ void setup() {
}

void bootloader() {
if (has_keygen_ran())
return;
if (has_keygen_ran())
return;

mbist_workaround();
clock_enable_se();

@@ -66,12 +66,12 @@ u8 loadFirm() {

// Read package1.
u8 *pkg1ldr = ReadPackage1Ldr(&storage);
memcpy(id, pkg1ldr + 0x10, 14);
memcpy(id, pkg1ldr + 0x10, 14);

// Decrypt package1 and setup warmboot.
print("Decrypting Package1...\n");
u8 *pkg11 = pkg1ldr + pk11Offs->pkg11_off;
// Generate keys
if(pk11Offs->kb < KB_FIRMWARE_VERSION_700) {
u8 *keyblob = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
@@ -83,24 +83,24 @@ u8 loadFirm() {
if(pk11Offs->kb < KB_FIRMWARE_VERSION_620)
se_aes_crypt_ctr(11, pkg11 + 0x20, pkg11_size, pkg11 + 0x20, pkg11_size, pkg11 + 0x10);
}
else {
if(!has_keygen_ran())
reboot_to_sept(pkg1ldr + pk11Offs->tsec_off);
else
se_aes_unwrap_key(8, 12, pk21_keyseed);
}

print("Unpacking pkg1\n");
pkg1_unpack(pk11Offs, (u32)pkg11);
else {
if(!has_keygen_ran())
reboot_to_sept(pkg1ldr + pk11Offs->tsec_off);
else
se_aes_unwrap_key(8, 12, pk21_keyseed);
}

print("Unpacking pkg1\n");
pkg1_unpack(pk11Offs, (u32)pkg11);

if (!hasCustomWb() && !hasCustomSecmon() && pk11Offs->kb >= KB_FIRMWARE_VERSION_700) {
error("Missing warmboot.bin or secmon.bin. These are needed to boot on firmware version 7.0 onwards.\n");
}
if (!hasCustomWb() && !hasCustomSecmon() && pk11Offs->kb >= KB_FIRMWARE_VERSION_700) {
error("Missing warmboot.bin or secmon.bin. These are needed to boot on firmware version 7.0 onwards.\n");
}
PMC(APBDEV_PMC_SCRATCH1) = pk11Offs->warmboot_base;
free(pkg1ldr);

//Read package2
size_t pkg2_size = 0;
size_t pkg2_size = 0;
u8 *pkg2 = ReadPackage2(&storage);

// Unpack Package2.
@@ -163,8 +163,8 @@ void launch() {
se_key_acc_ctrl(15, 0xFF);
}

if (hasCustomSecmon())
config_exosphere(id, pk11Offs->kb, (void *)pk11Offs->warmboot_base);
if (hasCustomSecmon())
config_exosphere(id, pk11Offs->kb, (void *)pk11Offs->warmboot_base);

if(pk11Offs->kb < KB_FIRMWARE_VERSION_620){
SE_lock();
@@ -187,7 +187,7 @@ void launch() {
SYSCTR0(SYSCTR0_COUNTERID11) = 0;
}

// Start boot process now that pk21 is loaded.
// Start boot process now that pk21 is loaded.
if (pk11Offs->kb >= KB_FIRMWARE_VERSION_700) {
*BOOT_STATE_ADDR7X = (pk11Offs->kb < KB_FIRMWARE_VERSION_400 ? BOOT_PKG2_LOADED : BOOT_PKG2_LOADED_4X);
*SECMON_STATE_ADDR7X = 0;
@@ -208,10 +208,10 @@ void launch() {
usleep(1);

// Signal to finish boot process.
if (pk11Offs->kb < KB_FIRMWARE_VERSION_700)
*BOOT_STATE_ADDR = (pk11Offs->kb < KB_FIRMWARE_VERSION_400 ? BOOT_DONE : BOOT_DONE_4X);
else
*BOOT_STATE_ADDR7X = BOOT_DONE_4X;
if (pk11Offs->kb < KB_FIRMWARE_VERSION_700)
*BOOT_STATE_ADDR = (pk11Offs->kb < KB_FIRMWARE_VERSION_400 ? BOOT_DONE : BOOT_DONE_4X);
else
*BOOT_STATE_ADDR7X = BOOT_DONE_4X;

// Halt ourselves in waitevent state.
while (1) FLOW_CTLR(0x4) = 0x50000000;
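Review bot: The guard `if (!hasCustomWb() && !hasCustomSecmon() && pk11Offs->kb >= KB_FIRMWARE_VERSION_700)` in the second hunk of this file fires only when both files are absent, yet its message says "warmboot.bin or secmon.bin" is missing and that "these are needed", which reads as both being required; the hunk only re-indents the line, so the mismatch predates this commit. If both really are required on 7.0+, the condition should be `if ((!hasCustomWb() || !hasCustomSecmon()) && pk11Offs->kb >= KB_FIRMWARE_VERSION_700)`; if either one is enough, the message should say so instead. As written, a 7.0+ boot with only one of the two present continues past the check into config_exosphere and the package2 path with a mix of stock and custom components, and I cannot tell from here that this combination is handled. loadFirm begins and ends outside the hunk.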
@@ -21,7 +21,7 @@
#define BOOT_STATE_ADDR (vu32 *)0x40002EF8
#define SECMON_STATE_ADDR (vu32 *)0x40002EFC
#define BOOT_STATE_ADDR7X (vu32 *)0x400000F8
#define SECMON_STATE_ADDR7X (vu32 *)(0x400000F8 + 4)
#define SECMON_STATE_ADDR7X (vu32 *)(0x400000F8 + 4)

#define BOOT_PKG2_LOADED 2
#define BOOT_DONE 3
@@ -144,6 +144,10 @@ bool hasCustomWb() {
ret = true;
fclose();
}
if(fopen("/ReiNX/lp0fw.bin", "rb") != 0) {
ret = true;
fclose();
}
return ret;
}

@@ -153,6 +157,10 @@ bool hasCustomSecmon() {
ret = true;
fclose();
}
if(fopen("/ReiNX/exosphere.bin", "rb") != 0) {
ret = true;
fclose();
}
return ret;
}

@@ -167,7 +175,7 @@ bool hasCustomKern() {

void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
u8 *pdst = (u8 *)0xA9800000;
bool hasCustSecmon = hasCustomSecmon();
bool hasCustSecmon = hasCustomSecmon();

// Signature.
memset(pdst, 0, 0x100);
@@ -187,7 +195,7 @@ void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
memcpy(pdst, extKern == NULL ? kernel : extKern, extKern == NULL ? kernel_size : extSize);
hdr->sec_size[PKG2_SEC_KERNEL] = kernel_size;
hdr->sec_off[PKG2_SEC_KERNEL] = 0x10000000;
if(!hasCustSecmon)
if(!hasCustSecmon)
se_aes_crypt_ctr(8, pdst, kernel_size, pdst, kernel_size, &hdr->sec_ctr[PKG2_SEC_KERNEL * 0x10]);
pdst += kernel_size;

@@ -207,13 +215,13 @@ void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
ini1->size = ini1_size;
hdr->sec_size[PKG2_SEC_INI1] = ini1_size;
hdr->sec_off[PKG2_SEC_INI1] = 0x14080000;
if (!hasCustSecmon)
if (!hasCustSecmon)
se_aes_crypt_ctr(8, ini1, ini1_size, ini1, ini1_size, &hdr->sec_ctr[PKG2_SEC_INI1 * 0x10]);

// Encrypt header.
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
if (!hasCustSecmon)
se_aes_crypt_ctr(8, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
se_aes_crypt_ctr(8, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
memset(hdr->ctr, 0 , 0x10);
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
}
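Review bot: The new lp0fw.bin probe in hasCustomWb, and the matching exosphere.bin probe in hasCustomSecmon in the next hunk, copy the open-then-`fclose()` block for a third and fourth time; each probe only tests presence and discards the handle, and once `ret` is already true the extra fopen is pure overhead. A small `static bool fileExists(const char *path)` helper would let each function collapse to a single `return fileExists(...) || fileExists(...);` and make it explicit that the argument-less `fclose()` is the project's own FS layer rather than the C library's. Both functions start outside the hunk, so the first probe in each (its path is not visible here) would be rewritten the same way; the rest of buildFirmwarePackage is untouched.
```c
// Presence probe only: the handle is discarded. fopen()/fclose() here are the
// project's FS layer (note the argument-less fclose), not <stdio.h>.
static bool fileExists(const char *path) {
    if (fopen(path, "rb") == 0)
        return false;
    fclose();
    return true;
}

bool hasCustomWb() {
    return fileExists(/* <existing warmboot path, outside this hunk> */)
        || fileExists("/ReiNX/lp0fw.bin");
}
```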
