2018-05-05 22:55:40 +01:00
|
|
|
#include <stdio.h>
|
2018-05-05 23:45:30 +01:00
|
|
|
#include <stdlib.h>
|
2018-04-12 01:19:01 +01:00
|
|
|
#include "utils.h"
|
2018-04-12 03:29:35 +01:00
|
|
|
#include "masterkey.h"
|
2018-04-12 04:56:11 +01:00
|
|
|
#include "stratosphere.h"
|
2018-04-12 01:19:01 +01:00
|
|
|
#include "package2.h"
|
2018-04-12 03:29:35 +01:00
|
|
|
#include "kip.h"
|
2018-04-12 01:19:01 +01:00
|
|
|
#include "se.h"
|
2018-04-12 03:29:35 +01:00
|
|
|
|
2018-05-18 23:54:38 +01:00
|
|
|
#define u8 uint8_t
|
|
|
|
#define u32 uint32_t
|
|
|
|
#include "thermosphere_bin.h"
|
|
|
|
#undef u8
|
|
|
|
#undef u32
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static void package2_decrypt(package2_header_t *package2);
|
2018-05-21 17:18:12 +01:00
|
|
|
static size_t package2_get_src_section(void **section, package2_header_t *package2, unsigned int id);
|
2018-05-08 23:19:51 +01:00
|
|
|
static size_t package2_get_thermosphere(void **thermosphere);
|
|
|
|
static void package2_patch_kernel(void *kernel, size_t kernel_size);
|
2018-05-15 15:09:06 +01:00
|
|
|
static ini1_header_t *package2_rebuild_ini1(ini1_header_t *ini1, uint32_t target_firmware);
|
2018-05-21 17:18:12 +01:00
|
|
|
static void package2_append_section(unsigned int id, package2_header_t *package2, void *data, size_t size);
|
2018-05-08 23:19:51 +01:00
|
|
|
static void package2_fixup_header_and_section_hashes(package2_header_t *package2, size_t size);
|
|
|
|
|
2018-05-21 17:18:12 +01:00
|
|
|
static inline size_t align_to_4(size_t s) {
|
2018-05-21 17:42:42 +01:00
|
|
|
return ((s + 3) >> 2) << 2;
|
2018-05-21 17:18:12 +01:00
|
|
|
}
|
|
|
|
|
2018-05-15 15:09:06 +01:00
|
|
|
void package2_rebuild_and_copy(package2_header_t *package2, uint32_t target_firmware) {
|
2018-05-08 23:19:51 +01:00
|
|
|
package2_header_t *rebuilt_package2;
|
|
|
|
size_t rebuilt_package2_size;
|
|
|
|
void *kernel;
|
|
|
|
size_t kernel_size;
|
|
|
|
void *thermosphere;
|
|
|
|
size_t thermosphere_size;
|
2018-05-21 17:18:12 +01:00
|
|
|
ini1_header_t *orig_ini1, *rebuilt_ini1;
|
2018-05-08 23:19:51 +01:00
|
|
|
|
|
|
|
/* First things first: Decrypt Package2 in place. */
|
|
|
|
package2_decrypt(package2);
|
2018-05-17 23:24:06 +01:00
|
|
|
printf("Decrypted package2!\n");
|
2018-05-21 17:18:12 +01:00
|
|
|
|
|
|
|
kernel_size = package2_get_src_section(&kernel, package2, PACKAGE2_SECTION_KERNEL);
|
2018-05-08 23:19:51 +01:00
|
|
|
|
|
|
|
/* Modify Package2 to add an additional thermosphere section. */
|
|
|
|
thermosphere_size = package2_get_thermosphere(&thermosphere);
|
2018-05-05 23:45:30 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
if (thermosphere_size != 0 && package2->metadata.section_sizes[PACKAGE2_SECTION_UNUSED] != 0) {
|
2018-05-20 15:18:48 +01:00
|
|
|
fatal_error(u8"Error: Package2 has no unused section for Thermosphère!\n");
|
2018-05-05 23:45:30 +01:00
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
/* Perform any patches we want to the NX kernel. */
|
|
|
|
package2_patch_kernel(kernel, kernel_size);
|
|
|
|
|
2018-05-17 23:24:06 +01:00
|
|
|
printf("Rebuilding the INI1 section...\n");
|
2018-05-21 17:18:12 +01:00
|
|
|
package2_get_src_section((void *)&orig_ini1, package2, PACKAGE2_SECTION_INI1);
|
2018-05-08 23:19:51 +01:00
|
|
|
/* Perform any patches to the INI1, rebuilding it (This is where our built-in sysmodules will be added.) */
|
2018-05-21 17:18:12 +01:00
|
|
|
rebuilt_ini1 = package2_rebuild_ini1(orig_ini1, target_firmware);
|
2018-05-17 23:24:06 +01:00
|
|
|
printf("Rebuilt INI1...\n");
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
/* Allocate the rebuilt package2. */
|
2018-05-21 17:18:12 +01:00
|
|
|
rebuilt_package2_size = sizeof(package2_header_t) + kernel_size + align_to_4(thermosphere_size) + align_to_4(rebuilt_ini1->size);
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
if (rebuilt_package2_size > PACKAGE2_SIZE_MAX) {
|
2018-05-20 15:18:48 +01:00
|
|
|
fatal_error("rebuilt package2 is too big!\n");
|
2018-05-08 23:19:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
rebuilt_package2 = (package2_header_t *)malloc(rebuilt_package2_size);
|
|
|
|
if (rebuilt_package2 == NULL) {
|
2018-05-20 15:18:48 +01:00
|
|
|
fatal_error("package2_rebuild: out of memory!\n");
|
2018-05-08 23:19:51 +01:00
|
|
|
}
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
/* Rebuild package2. */
|
|
|
|
memcpy(rebuilt_package2, package2, sizeof(package2_header_t));
|
|
|
|
package2_append_section(PACKAGE2_SECTION_KERNEL, rebuilt_package2, kernel, kernel_size);
|
|
|
|
package2_append_section(PACKAGE2_SECTION_INI1, rebuilt_package2, rebuilt_ini1, rebuilt_ini1->size);
|
|
|
|
package2_append_section(PACKAGE2_SECTION_UNUSED, rebuilt_package2, thermosphere, thermosphere_size);
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 01:19:01 +01:00
|
|
|
/* Fix all necessary data in the header to accomodate for the new patches. */
|
2018-05-08 23:19:51 +01:00
|
|
|
package2_fixup_header_and_section_hashes(rebuilt_package2, rebuilt_package2_size);
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
/* Relocate Package2. */
|
2018-05-21 17:18:12 +01:00
|
|
|
memcpy(NX_BOOTLOADER_PACKAGE2_LOAD_ADDRESS, rebuilt_package2, rebuilt_package2_size);
|
2018-05-08 23:19:51 +01:00
|
|
|
|
|
|
|
/* We're done. */
|
|
|
|
free(rebuilt_ini1);
|
|
|
|
free(rebuilt_package2);
|
2018-04-12 03:29:35 +01:00
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
static void package2_crypt_ctr(unsigned int master_key_rev, void *dst, size_t dst_size, const void *src, size_t src_size, const void *ctr, size_t ctr_size) {
|
|
|
|
/* Derive package2 key. */
|
2018-05-17 15:11:10 +01:00
|
|
|
const uint8_t __attribute__((aligned(16))) package2_key_source[0x10] = {
|
|
|
|
0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7
|
|
|
|
};
|
2018-04-12 03:29:35 +01:00
|
|
|
unsigned int keyslot = mkey_get_keyslot(master_key_rev);
|
|
|
|
decrypt_data_into_keyslot(KEYSLOT_SWITCH_PACKAGE2KEY, keyslot, package2_key_source, 0x10);
|
|
|
|
|
|
|
|
/* Perform Encryption. */
|
|
|
|
se_aes_ctr_crypt(KEYSLOT_SWITCH_PACKAGE2KEY, dst, dst_size, src, src_size, ctr, ctr_size);
|
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static bool package2_validate_metadata(package2_meta_t *metadata) {
|
2018-05-17 15:11:10 +01:00
|
|
|
package2_header_t *package2 = (package2_header_t *)((uint8_t *)metadata - offsetof(package2_header_t, metadata));
|
2018-04-12 03:29:35 +01:00
|
|
|
if (metadata->magic != MAGIC_PK21) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Package2 size, version number is stored XORed in header CTR. */
|
|
|
|
/* Nintendo, what the fuck? */
|
2018-05-17 14:56:02 +01:00
|
|
|
uint32_t package_size = package2_meta_get_size(metadata);
|
|
|
|
uint8_t header_version = package2_meta_get_header_version(metadata);
|
2018-04-12 03:29:35 +01:00
|
|
|
|
|
|
|
/* Ensure package isn't too big or too small. */
|
2018-05-17 14:56:02 +01:00
|
|
|
if (package_size <= sizeof(package2_header_t) || package_size > PACKAGE2_SIZE_MAX) {
|
2018-04-12 03:29:35 +01:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate that we're working with a header we know how to handle. */
|
|
|
|
if (header_version > MASTERKEY_REVISION_MAX) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Require aligned entrypoint. */
|
|
|
|
if (metadata->entrypoint & 3) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate section size sanity. */
|
|
|
|
if (metadata->section_sizes[0] + metadata->section_sizes[1] + metadata->section_sizes[2] + sizeof(package2_header_t) != package_size) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool entrypoint_found = false;
|
|
|
|
|
|
|
|
/* Header has space for 4 sections, but only 3 are validated/potentially loaded on hardware. */
|
|
|
|
size_t cur_section_offset = 0;
|
|
|
|
for (unsigned int section = 0; section < PACKAGE2_SECTION_MAX; section++) {
|
|
|
|
/* Validate section size alignment. */
|
|
|
|
if (metadata->section_sizes[section] & 3) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate section does not overflow. */
|
|
|
|
if (check_32bit_additive_overflow(metadata->section_offsets[section], metadata->section_sizes[section])) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check for entrypoint presence. */
|
|
|
|
uint32_t section_end = metadata->section_offsets[section] + metadata->section_sizes[section];
|
|
|
|
if (metadata->section_offsets[section] <= metadata->entrypoint && metadata->entrypoint < section_end) {
|
|
|
|
entrypoint_found = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Ensure no overlap with later sections. */
|
|
|
|
for (unsigned int later_section = section + 1; later_section < PACKAGE2_SECTION_MAX; later_section++) {
|
|
|
|
uint32_t later_section_end = metadata->section_offsets[later_section] + metadata->section_sizes[later_section];
|
|
|
|
if (overlaps(metadata->section_offsets[section], section_end, metadata->section_offsets[later_section], later_section_end)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate section hashes. */
|
2018-05-23 17:45:53 +01:00
|
|
|
if (metadata->section_sizes[section]) {
|
2018-05-17 15:11:10 +01:00
|
|
|
void *section_data = package2->data + cur_section_offset;
|
2018-04-12 03:29:35 +01:00
|
|
|
uint8_t calculated_hash[0x20];
|
|
|
|
se_calculate_sha256(calculated_hash, section_data, metadata->section_sizes[section]);
|
|
|
|
if (memcmp(calculated_hash, metadata->section_hashes[section], sizeof(metadata->section_hashes[section])) != 0) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
cur_section_offset += metadata->section_sizes[section];
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Ensure that entrypoint is present in one of our sections. */
|
|
|
|
if (!entrypoint_found) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Perform version checks. */
|
|
|
|
/* We will be compatible with all package2s released before current, but not newer ones. */
|
|
|
|
if (metadata->version_max >= PACKAGE2_MINVER_THEORETICAL && metadata->version_min < PACKAGE2_MAXVER_500_CURRENT) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
2018-04-12 01:19:01 +01:00
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static uint32_t package2_decrypt_and_validate_header(package2_header_t *header, bool is_plaintext) {
|
2018-04-12 03:29:35 +01:00
|
|
|
package2_meta_t metadata;
|
|
|
|
|
|
|
|
/* TODO: Also accept plaintext package2 based on bootconfig. */
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
if (!is_plaintext) {
|
|
|
|
uint32_t mkey_rev;
|
|
|
|
|
|
|
|
/* Try to decrypt for all possible master keys. */
|
|
|
|
for (mkey_rev = 0; mkey_rev <= mkey_get_revision(); mkey_rev++) {
|
|
|
|
package2_crypt_ctr(mkey_rev, &metadata, sizeof(package2_meta_t), &header->metadata, sizeof(package2_meta_t), header->metadata.ctr, sizeof(header->metadata.ctr));
|
|
|
|
/* Copy the ctr (which stores information) into the decrypted metadata. */
|
|
|
|
memcpy(metadata.ctr, header->metadata.ctr, sizeof(header->metadata.ctr));
|
|
|
|
/* See if this is the correct key. */
|
2018-05-08 23:19:51 +01:00
|
|
|
if (package2_validate_metadata(&metadata)) {
|
2018-04-12 03:29:35 +01:00
|
|
|
header->metadata = metadata;
|
|
|
|
return mkey_rev;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Ensure we successfully decrypted the header. */
|
2018-05-05 22:55:40 +01:00
|
|
|
if (mkey_rev > mkey_get_revision()) {
|
2018-05-20 15:18:48 +01:00
|
|
|
fatal_error("failed to decrypt the Package2 header (master key revision %u)!\n", mkey_get_revision());
|
2018-04-12 03:29:35 +01:00
|
|
|
}
|
2018-05-08 23:19:51 +01:00
|
|
|
} else if (!package2_validate_metadata(&header->metadata)) {
|
2018-05-20 15:18:48 +01:00
|
|
|
fatal_error("Failed to validate the Package2 header!\n");
|
2018-04-12 03:29:35 +01:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
2018-04-12 01:19:01 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static void package2_decrypt(package2_header_t *package2) {
|
|
|
|
bool is_package2_plaintext = package2->signature[0];
|
|
|
|
is_package2_plaintext &= memcmp(package2->signature, package2->signature + 1, sizeof(package2->signature) - 1) == 0;
|
|
|
|
is_package2_plaintext &= package2->metadata.magic == MAGIC_PK21;
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
uint32_t pk21_mkey_revision = package2_decrypt_and_validate_header(package2, is_package2_plaintext);
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
size_t cur_section_offset = 0;
|
|
|
|
/* Copy each section to its appropriate location, decrypting if necessary. */
|
|
|
|
for (unsigned int section = 0; section < PACKAGE2_SECTION_MAX; section++) {
|
2018-05-08 23:19:51 +01:00
|
|
|
if (package2->metadata.section_sizes[section] == 0) {
|
2018-04-12 03:29:35 +01:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2018-05-17 15:11:10 +01:00
|
|
|
void *src_start = package2->data + cur_section_offset;
|
2018-05-08 23:19:51 +01:00
|
|
|
void *dst_start = src_start;
|
|
|
|
size_t size = (size_t)package2->metadata.section_sizes[section];
|
2018-04-12 03:29:35 +01:00
|
|
|
|
|
|
|
if (is_package2_plaintext&& size != 0) {
|
|
|
|
memcpy(dst_start, src_start, size);
|
|
|
|
} else if (size != 0) {
|
2018-05-08 23:19:51 +01:00
|
|
|
package2_crypt_ctr(pk21_mkey_revision, dst_start, size, src_start, size, package2->metadata.section_ctrs[section], 0x10);
|
2018-04-12 03:29:35 +01:00
|
|
|
}
|
|
|
|
cur_section_offset += size;
|
|
|
|
}
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
/* Clear the signature, to signal that this is a plaintext, unsigned package2. */
|
2018-05-08 23:19:51 +01:00
|
|
|
memset(package2->signature, 0, sizeof(package2->signature));
|
2018-04-12 01:19:01 +01:00
|
|
|
}
|
|
|
|
|
2018-05-21 17:18:12 +01:00
|
|
|
static size_t package2_get_src_section(void **section, package2_header_t *package2, unsigned int id) {
|
|
|
|
uint8_t *data = package2->data;
|
|
|
|
for (unsigned int i = 0; i < id; i++) {
|
|
|
|
data += package2->metadata.section_sizes[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
(*section) = data;
|
|
|
|
return package2->metadata.section_sizes[id];
|
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static size_t package2_get_thermosphere(void **thermosphere) {
|
2018-05-15 15:09:06 +01:00
|
|
|
/*extern const uint8_t thermosphere_bin[];
|
|
|
|
extern const uint32_t thermosphere_bin_size;*/
|
|
|
|
/* TODO: enable when tested. */
|
2018-05-08 23:19:51 +01:00
|
|
|
(*thermosphere) = NULL;
|
|
|
|
return 0;
|
2018-04-12 01:19:01 +01:00
|
|
|
}
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static void package2_patch_kernel(void *kernel, size_t size) {
|
|
|
|
(void)kernel;
|
|
|
|
(void)size;
|
2018-04-12 03:29:35 +01:00
|
|
|
/* TODO: What kind of patching do we want to try to do here? */
|
2018-04-12 01:19:01 +01:00
|
|
|
}
|
|
|
|
|
2018-04-12 04:56:11 +01:00
|
|
|
|
2018-05-15 15:09:06 +01:00
|
|
|
static ini1_header_t *package2_rebuild_ini1(ini1_header_t *ini1, uint32_t target_firmware) {
|
2018-04-12 04:56:11 +01:00
|
|
|
/* TODO: Do we want to support loading another INI from sd:/whatever/INI1.bin? */
|
|
|
|
ini1_header_t *inis_to_merge[STRATOSPHERE_INI1_MAX] = {0};
|
2018-05-08 17:46:54 +01:00
|
|
|
ini1_header_t *merged;
|
|
|
|
|
2018-05-15 15:09:06 +01:00
|
|
|
inis_to_merge[STRATOSPHERE_INI1_EMBEDDED] = stratosphere_get_ini1(target_firmware);
|
2018-05-08 23:19:51 +01:00
|
|
|
inis_to_merge[STRATOSPHERE_INI1_PACKAGE2] = ini1;
|
2018-04-12 04:56:11 +01:00
|
|
|
|
|
|
|
/* Merge all of the INI1s. */
|
2018-05-08 17:46:54 +01:00
|
|
|
merged = stratosphere_merge_inis(inis_to_merge, STRATOSPHERE_INI1_MAX);
|
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
/* Free temporary buffer. */
|
2018-05-08 17:46:54 +01:00
|
|
|
stratosphere_free_ini1();
|
2018-05-08 23:19:51 +01:00
|
|
|
|
|
|
|
return merged;
|
2018-04-12 01:19:01 +01:00
|
|
|
}
|
|
|
|
|
2018-05-21 17:18:12 +01:00
|
|
|
static void package2_append_section(unsigned int id, package2_header_t *package2, void *data, size_t size) {
|
|
|
|
/* This function must be called in ascending order of id. */
|
|
|
|
/* We assume that the loading address doesn't need to be changed. */
|
|
|
|
uint8_t *dst = package2->data;
|
|
|
|
for (unsigned int i = 0; i < id; i++) {
|
|
|
|
dst += package2->metadata.section_sizes[i];
|
|
|
|
}
|
2018-05-08 23:19:51 +01:00
|
|
|
|
2018-05-21 17:18:12 +01:00
|
|
|
memcpy(dst, data, size);
|
|
|
|
package2->metadata.section_sizes[id] = align_to_4(size);
|
2018-05-08 23:19:51 +01:00
|
|
|
}
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-05-08 23:19:51 +01:00
|
|
|
static void package2_fixup_header_and_section_hashes(package2_header_t *package2, size_t size) {
|
2018-05-21 17:18:12 +01:00
|
|
|
uint8_t *data = package2->data;
|
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
for (unsigned int section = 0; section < PACKAGE2_SECTION_MAX; section++) {
|
2018-05-21 17:18:12 +01:00
|
|
|
size_t sz = (size_t)package2->metadata.section_sizes[section];
|
|
|
|
if (sz == 0) {
|
2018-04-12 03:29:35 +01:00
|
|
|
continue;
|
|
|
|
}
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
/* Fix up the hash. */
|
2018-05-21 17:18:12 +01:00
|
|
|
se_calculate_sha256(package2->metadata.section_hashes[section], data, sz);
|
|
|
|
data += sz;
|
2018-04-12 03:29:35 +01:00
|
|
|
}
|
2018-05-05 22:55:40 +01:00
|
|
|
|
2018-04-12 03:29:35 +01:00
|
|
|
/* Fix up the size in XOR'd CTR. */
|
2018-05-08 23:19:51 +01:00
|
|
|
uint32_t package_size = package2->metadata.ctr_dwords[0] ^ package2->metadata.ctr_dwords[2] ^ package2->metadata.ctr_dwords[3];
|
|
|
|
package2->metadata.ctr_dwords[3] ^= (package_size ^ size);
|
2018-05-05 22:55:40 +01:00
|
|
|
}
|