Skip to content
Permalink
Browse files

Added 7.0 kernel offsets; added read tsecfw from sd

  • Loading branch information...
Reisyukaku committed Feb 13, 2019
1 parent 80095f2 commit 76fe8d463950df174bd01c8f7c45bab91dfa4595
Showing with 38 additions and 27 deletions.
  1. +12 −2 src/bootloader.c
  2. +1 −0 src/bootloader.h
  3. +7 −1 src/firmware.c
  4. +1 −0 src/hwinit/gfx.h
  5. +6 −6 src/hwinit/tsec.c
  6. +0 −14 src/hwinit/util.c
  7. +7 −0 src/package.c
  8. +4 −4 src/package.h
@@ -68,15 +68,23 @@ int keygen(u8 *keyblob, u32 fwVer, void * pkg1, pk11_offs * offs) {
tsec_ctxt.pkg1 = pkg1;
tsec_ctxt.pkg11_off = offs->pkg11_off;
tsec_ctxt.secmon_base = offs->secmon_base;
tsec_ctxt.size = sp ? 0x2900 : 0xF00;
if(fwVer <= KB_FIRMWARE_VERSION_620) tsec_ctxt.size = 0xF00;
if(fwVer == KB_FIRMWARE_VERSION_620) tsec_ctxt.size = 0x2900;
if(fwVer >= KB_FIRMWARE_VERSION_700) tsec_ctxt.size = 0x3000;

se_key_acc_ctrl(0xE, 0x15);
se_key_acc_ctrl(0xD, 0x15);

if (sp) {
print("Going to emulate TSEC\nSize: 0x%x\nLoc: 0x%x\nOff: 0x%x\n", tsec_ctxt.size, tsec_ctxt.fw-tsec_ctxt.pkg1, tsec_ctxt.pkg11_off);
u8 *tsec_paged = (u8 *)page_alloc(3);
memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size);
if(fopen("/ReiNX/tsecfw.bin", "rb")) {
fread(tsec_paged, 1, fsize());
fclose();
}else{
memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size);
}

print("Copied, emulaing tsec\n");
}

@@ -305,9 +313,11 @@ void setup() {
sdram_lp0_save_params(sdram_get_params());

// Check if power off from HOS and shutdown
#ifdef RCMSHUTDOWN
if (i2c_recv_byte(I2C_5, MAX77620_I2C_ADDR, MAX77620_REG_IRQTOP) & MAX77620_IRQ_TOP_RTC_MASK) {
i2c_send_byte(I2C_5, MAX77620_I2C_ADDR, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
}
#endif

}

@@ -15,6 +15,7 @@
*/

#pragma once
#include "fs.h"
#include "package.h"

// TODO: Maybe find these with memsearch
@@ -456,12 +456,14 @@ void launch() {
}

void firmware() {
//Init display
display_init();
gfx_init_ctxt(&gfx_ctxt, display_init_framebuffer(), 1280, 720, 768);
gfx_clear_color(&gfx_ctxt, 0xFF000000);
gfx_clear_color(&gfx_ctxt, BLACK);
gfx_con_init(&gfx_con, &gfx_ctxt);
gfx_con_setcol(&gfx_con, DEFAULT_TEXT_COL, 0, 0);

//Mount SD
if (!sdMount()) {
error("Failed to init SD card!\n");
print("Press POWER to power off, or any other key to continue without SD.\n");
@@ -470,6 +472,7 @@ void firmware() {
btn_wait();
}

//Chainload ReiNX if applicable
if(PMC(APBDEV_PMC_SCRATCH49) != 69 && fopen("/ReiNX.bin", "rb")) {
fread((void*)PAYLOAD_ADDR, fsize(), 1);
fclose();
@@ -483,6 +486,7 @@ void firmware() {
SYSREG(AHB_AHB_SPARE_REG) = (volatile vu32)0xFFFFFF9F;
PMC(APBDEV_PMC_SCRATCH49) = 0;

//Chainload recovery if applicable
if(btn_read() & BTN_VOL_UP){
if(fopen("/ReiNX/Recovery.bin", "rb") != 0) {
fread((void*)PAYLOAD_ADDR, fsize(), 1);
@@ -503,12 +507,14 @@ void firmware() {
}
}

//Determine if booting in verbose mode
if (btn_read() & BTN_VOL_DOWN) {
print("%kWelcome to ReiNX %s!\n%k", WHITE, VERSION, DEFAULT_TEXT_COL);
} else if (drawSplash()) {
gfx_con.mute = 1;
}

//Setup cfw
loadFirm();
launch();
}
@@ -27,6 +27,7 @@
#define YELLOW 0xFF00FFFF
#define ORANGE 0xFF3891FF
#define WHITE 0xFFFFFFFF
#define BLACK 0xFF000000

static const u8 _gfx_font[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Char 032 ( )
@@ -35,7 +35,6 @@ extern gfx_con_t gfx_con; */
static int _tsec_dma_wait_idle()
{
u32 timeout = get_tmr_ms() + 10000;

while (!(TSEC(TSEC_DMATRFCMD) & TSEC_DMATRFCMD_IDLE))
if (get_tmr_ms() > timeout)
return 0;
@@ -61,7 +60,6 @@ static int _tsec_dma_pa_to_internal_100(int not_imem, int i_offset, int pa_offse

int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
{
print("TSEC KB : %d\n", kb);
int res = 0;
u8 *fwbuf = NULL;
u32 *pdir, *car, *fuse, *pmc, *flowctrl, *se, *mc, *iram, *evec;
@@ -96,7 +94,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
else{
void * temp = malloc(0x3000);
temp = (void *)ALIGN((u32)temp, 0x100);
memcpy(temp, tsec_ctxt->fw, 0x2900);
memcpy(temp, tsec_ctxt->fw, tsec_ctxt->size);
tsec_ctxt->fw = temp;
TSEC(TSEC_DMATRFBASE) = (u32)tsec_ctxt->fw >> 8;
free(temp);
@@ -119,7 +117,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
pdir = smmu_init_for_tsec();
print("initing secmon base\n");
smmu_init(tsec_ctxt->secmon_base);
print("enalbling smmu\n");
print("enabling smmu\n");
// Enable SMMU
if (!smmu_is_used())
smmu_enable();
@@ -169,12 +167,13 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
}
print("Executing TSEC\n");
//Execute firmware.

HOST1X(0x3300) = 0x34C2E1DA;
TSEC(TSEC_STATUS) = 0;
TSEC(TSEC_BOOTKEYVER) = 1;
TSEC(TSEC_BOOTVEC) = 0;
TSEC(TSEC_CPUCTL) = TSEC_CPUCTL_STARTCPU;

if (kb <= KB_FIRMWARE_VERSION_600)
{
if (!_tsec_dma_wait_idle())
@@ -183,12 +182,13 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
goto out_free;
}
u32 timeout = get_tmr_ms() + 2000;
while (!TSEC(TSEC_STATUS))
while (!TSEC(TSEC_STATUS)){
if (get_tmr_ms() > timeout)
{
res = -4;
goto out_free;
}
}
if (TSEC(TSEC_STATUS) != 0xB0B0B0B0)
{
res = -5;
@@ -75,18 +75,4 @@ uPtr getFreeSpace(void *start, size_t space, size_t searchSize) {
}
}
return 0;
}

#define CRC32C_POLY 0x82F63B78
u32 crc32c(const void *buf, u32 len)
{
const u8 *cbuf = (const u8 *)buf;
u32 crc = 0xFFFFFFFF;
while (len--)
{
crc ^= *cbuf++;
for (int i = 0; i < 8; i++)
crc = crc & 1 ? (crc >> 1) ^ CRC32C_POLY : crc >> 1;
}
return ~crc;
}
@@ -297,6 +297,9 @@ u32 *getSndPayload(u32 id, size_t *size) {
case 6:
*size = sizeof(PRC_ID_SND_600);
ret = PRC_ID_SND_600;
case 7:
*size = sizeof(PRC_ID_SND_700);
ret = PRC_ID_SND_700;
break;
}
return ret;
@@ -333,6 +336,10 @@ u32 *getRcvPayload(u32 id, size_t *size) {
*size = sizeof(PRC_ID_RCV_600);
ret = PRC_ID_RCV_600;
break;
case 7:
*size = sizeof(PRC_ID_RCV_700);
ret = PRC_ID_RCV_700;
break;
}
return ret;
}
@@ -306,10 +306,10 @@ static const KernelMeta kernelInfo[] = {
{ //7.0.0
{0xA2, 0x5E, 0x47, 0x0C, 0x8E, 0x6D, 0x2F, 0xD7, 0x5D, 0xAD, 0x24, 0xD7, 0xD8, 0x24, 0x34, 0xFB,
0xCD, 0x77, 0xBB, 0xE6, 0x66, 0x03, 0xCB, 0xAF, 0xAB, 0x85, 0x45, 0xA0, 0x91, 0xAF, 0x34, 0x25},
0,
0,
0,
0,
0x49E5C,
0x581B0,
0x2D044,
0x2B23C,
0x10,
0x10
},

0 comments on commit 76fe8d4

Please sign in to comment.
You can’t perform that action at this time.