mirrors/Incognito_RCM
1
0
Fork 0
mirror of https://github.com/Scandal-UK/Incognito_RCM.git synced 2024-11-22 20:06:42 +00:00
Code Issues Releases Activity

decryption working, generic read function todo

Browse source
This commit is contained in:
jimzrt 2019-09-23 21:40:31 +02:00
parent 2a3b4c0ec3
commit 463d889655
4 changed files with 258 additions and 641 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

888
source/keys/keys.c
View file

@ -23,7 +23,7 @@
#include "../hos/pkg1.h"
#include "../hos/pkg2.h"
#include "../hos/sept.h"
#include "../libs/fatfs/ff.h"
//#include "../libs/fatfs/ff.h"
#include "../mem/heap.h"
#include "../mem/mc.h"
#include "../mem/sdram.h"
@ -57,6 +57,7 @@ extern hekate_config h_cfg;
u32 _key_count = 0;
sdmmc_storage_t storage;
emmc_part_t *system_part;
emmc_part_t *prodinfo_part;
u32 start_time, end_time;
#define TPRINTF(text) \
@ -74,37 +75,37 @@ static u8 temp_key[0x10],
bis_key[4][0x20] = {0},
device_key[0x10] = {0},
new_device_key[0x10] = {0},
sd_seed[0x10] = {0},
// sd_seed[0x10] = {0},
// FS-related keys
fs_keys[10][0x20] = {0},
header_key[0x20] = {0},
save_mac_key[0x10] = {0},
// fs_keys[10][0x20] = {0},
// header_key[0x20] = {0},
// save_mac_key[0x10] = {0},
// other sysmodule sources
es_keys[3][0x10] = {0},
eticket_rsa_kek[0x10] = {0},
ssl_keys[2][0x10] = {0},
ssl_rsa_kek[0x10] = {0},
// es_keys[3][0x10] = {0},
// eticket_rsa_kek[0x10] = {0},
// ssl_keys[2][0x10] = {0},
// ssl_rsa_kek[0x10] = {0},
// keyblob-derived families
keyblob[KB_FIRMWARE_VERSION_600+1][0x90] = {0},
keyblob_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0},
keyblob_mac_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0},
package1_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0},
// master key-derived families
key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
// key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
master_kek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
master_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
package2_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
titlekek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0};
master_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0};
// package2_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0},
// titlekek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0};
// key functions
static bool _key_exists(const void *data) { return memcmp(data, zeros, 0x10); };
static void _save_key(const char *name, const void *data, const u32 len, char *outbuf);
static void _save_key_family(const char *name, const void *data, const u32 num_keys, const u32 len, char *outbuf);
// static void _save_key(const char *name, const void *data, const u32 len, char *outbuf);
// static void _save_key_family(const char *name, const void *data, const u32 num_keys, const u32 len, char *outbuf);
static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed);
// nca functions
static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len);
static u32 _nca_fread_ctr(u32 ks, FIL *fp, void *buffer, u32 offset, u32 len, u8 *ctr);
static void _update_ctr(u8 *ctr, u32 ofs);
//static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len);
//static u32 _nca_fread_ctr(u32 ks, FIL *fp, void *buffer, u32 offset, u32 len, u8 *ctr);
//static void _update_ctr(u8 *ctr, u32 ofs);
void dump_keys() {
display_backlight_brightness(100, 1000);
@ -158,41 +159,41 @@ void dump_keys() {
}
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) {
sd_mount();
if (!f_stat("sd:/sept/payload.bak", NULL)) {
f_unlink("sd:/sept/payload.bin");
f_rename("sd:/sept/payload.bak", "sd:/sept/payload.bin");
}
// sd_mount();
// if (!f_stat("sd:/sept/payload.bak", NULL)) {
// f_unlink("sd:/sept/payload.bin");
// f_rename("sd:/sept/payload.bak", "sd:/sept/payload.bin");
// }
if (!h_cfg.sept_run) {
// bundle lp0 fw for sept instead of loading it from SD as hekate does
sdram_lp0_save_params(sdram_get_params_patched());
FIL fp;
if (f_stat("sd:/sept", NULL)) {
EPRINTF("On firmware 7.x+ but Sept missing.\nSkipping new key derivation...");
goto get_tsec;
}
// backup post-reboot payload
if (!f_stat("sd:/sept/payload.bin", NULL))
f_rename("sd:/sept/payload.bin", "sd:/sept/payload.bak");
// write self to payload.bin to run again when sept finishes
f_open(&fp, "sd:/sept/payload.bin", FA_CREATE_NEW | FA_WRITE);
u32 payload_size = *(u32 *)(IPL_LOAD_ADDR + 0x84) - IPL_LOAD_ADDR;
f_write(&fp, (u8 *)IPL_LOAD_ADDR, payload_size, NULL);
f_close(&fp);
gfx_printf("%k\nFirmware 7.x or higher detected.\n%kRenamed /sept/payload.bin", colors[(color_idx) % 6], colors[(color_idx + 1) % 6]);
color_idx += 2;
gfx_printf("\n%k to /sept/payload.bak\n%kCopied self to /sept/payload.bin", colors[(color_idx) % 6], colors[(color_idx + 1) % 6]);
color_idx += 2;
sdmmc_storage_end(&storage);
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, tsec_ctxt.size, pkg1_id->kb))
goto out_wait;
} else {
// if (!h_cfg.sept_run) {
// // bundle lp0 fw for sept instead of loading it from SD as hekate does
// sdram_lp0_save_params(sdram_get_params_patched());
// FIL fp;
// if (f_stat("sd:/sept", NULL)) {
// EPRINTF("On firmware 7.x+ but Sept missing.\nSkipping new key derivation...");
// goto get_tsec;
// }
// // backup post-reboot payload
// if (!f_stat("sd:/sept/payload.bin", NULL))
// f_rename("sd:/sept/payload.bin", "sd:/sept/payload.bak");
// // write self to payload.bin to run again when sept finishes
// f_open(&fp, "sd:/sept/payload.bin", FA_CREATE_NEW | FA_WRITE);
// u32 payload_size = *(u32 *)(IPL_LOAD_ADDR + 0x84) - IPL_LOAD_ADDR;
// f_write(&fp, (u8 *)IPL_LOAD_ADDR, payload_size, NULL);
// f_close(&fp);
// gfx_printf("%k\nFirmware 7.x or higher detected.\n%kRenamed /sept/payload.bin", colors[(color_idx) % 6], colors[(color_idx + 1) % 6]);
// color_idx += 2;
// gfx_printf("\n%k to /sept/payload.bak\n%kCopied self to /sept/payload.bin", colors[(color_idx) % 6], colors[(color_idx + 1) % 6]);
// color_idx += 2;
// sdmmc_storage_end(&storage);
// if (!reboot_to_sept((u8 *)tsec_ctxt.fw, tsec_ctxt.size, pkg1_id->kb))
// goto out_wait;
// } else {
se_aes_key_read(12, master_key[KB_FIRMWARE_VERSION_MAX], 0x10);
}
// }
}
get_tsec: ;
//get_tsec: ;
u8 tsec_keys[0x10 * 2] = {0};
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620) {
@ -338,8 +339,8 @@ get_tsec: ;
}
// Dump package2.
u8 *pkg2 = NULL;
pkg2_kip1_info_t *ki = NULL;
// u8 *pkg2 = NULL;
// pkg2_kip1_info_t *ki = NULL;
emummc_storage_set_mmc_partition(&storage, 0);
// Parse eMMC GPT.
@ -347,540 +348,127 @@ get_tsec: ;
nx_emmc_gpt_parse(&gpt, &storage);
// Find package2 partition.
emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "PRODINFO");
if (!pkg2_part) {
prodinfo_part = nx_emmc_part_find(&gpt, "PRODINFO");
if (!prodinfo_part) {
EPRINTF("Failed to locate PRODINFO.");
goto pkg2_done;
goto dismount;
}
// Read in package2 header and get package2 real size.
u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
u8 *tmp_copy = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
nx_emmc_part_read(&storage, pkg2_part, 0, 1, tmp);
memcpy(tmp_copy, tmp, NX_EMMC_BLOCKSIZE);
gfx_hexdump(0, tmp, NX_EMMC_BLOCKSIZE);
aes_xtsn_decrypt(tmp_copy, NX_EMMC_BLOCKSIZE, bis_key[0], bis_key[0] + 0x10, pkg2_part->lba_end, pkg2_part->lba_start, NX_EMMC_BLOCKSIZE);
gfx_hexdump(0, tmp_copy, NX_EMMC_BLOCKSIZE);
memcpy(tmp_copy, tmp, NX_EMMC_BLOCKSIZE);
// u8 *tmp_copy = (u8 *)malloc(NX_EMMC_BLOCKSIZE*2);
DRESULT read_res;
read_res = disk_read_mod (tmp_copy, 0, 1, &storage, pkg2_part, 9);
switch (read_res)
{
case RES_OK:
WPRINTF("Successful!");
break; /* 0: Successful */
case RES_ERROR:
WPRINTF("R/W Error!");
break; /* 1: R/W Error */
case RES_WRPRT:
WPRINTF("Write Protected!");
break; /* 2: Write Protected */
case RES_NOTRDY:
WPRINTF("Not Ready!");
break; /* 3: Not Ready */
case RES_PARERR:
WPRINTF("Invalid Parameter!");
break; /* 4: Invalid Parameter */
// nx_emmc_part_read(&storage, prodinfo_part, 0, 2, tmp);
// memcpy(tmp_copy, tmp, NX_EMMC_BLOCKSIZE*2);
// gfx_hexdump(0, tmp + 0x250, 0x18);
// aes_xtsn_decrypt(tmp_copy, NX_EMMC_BLOCKSIZE*2, bis_key[0], bis_key[0] + 0x10, pkg2_part->lba_end, pkg2_part->lba_start, NX_EMMC_BLOCKSIZE);
default:
WPRINTF("No Idea!");
break;
}
gfx_hexdump(0, tmp_copy, NX_EMMC_BLOCKSIZE);
memcpy(tmp_copy, tmp, NX_EMMC_BLOCKSIZE);
// gfx_hexdump(0, tmp_copy + 0x250, 0x18);
// memcpy(tmp_copy, tmp, NX_EMMC_BLOCKSIZE*2);
// XTS_AES128(tmp_copy, tmp, NX_EMMC_BLOCKSIZE, bis_key[0], DEC);
// gfx_hexdump(0, tmp_copy, NX_EMMC_BLOCKSIZE);
se_aes_key_set(8, bis_key[0] + 0x00, 0x10);
se_aes_key_set(9, bis_key[0] + 0x10, 0x10);
free(tmp);
free(tmp_copy);
goto pkg2_done;
u32 *hdr_pkg2_raw = (u32 *)(tmp + 0x100);
u32 pkg2_size = hdr_pkg2_raw[0] ^ hdr_pkg2_raw[2] ^ hdr_pkg2_raw[3];
free(tmp);
if (pkg2_size > 0x7FC000) {
EPRINTF("Invalid Package2 header.");
goto pkg2_done;
}
// Read in package2.
u32 pkg2_size_aligned = ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE);
pkg2 = malloc(pkg2_size_aligned);
nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, pkg2_size_aligned / NX_EMMC_BLOCKSIZE, pkg2);
// Decrypt package2 and parse KIP1 blobs in INI1 section. Try all available key generations in case of pkg1/pkg2 mismatch.
pkg2_hdr_t *pkg2_hdr;
pkg2_hdr_t hdr;
u32 pkg2_kb;
for (pkg2_kb = 0; pkg2_kb < MAX_KEY; pkg2_kb++) {
se_aes_key_set(8, master_key[pkg2_kb], 0x10);
se_aes_unwrap_key(8, 8, package2_key_source);
memcpy(&hdr, pkg2 + 0x100, sizeof(pkg2_hdr_t));
se_aes_crypt_ctr(8, &hdr, sizeof(pkg2_hdr_t), &hdr, sizeof(pkg2_hdr_t), &hdr);
if (hdr.magic == PKG2_MAGIC)
break;
}
if (pkg2_kb == MAX_KEY) {
EPRINTF("Failed to derive Package2 key.");
goto pkg2_done;
} else if (pkg2_kb != pkg1_id->kb)
EPRINTFARGS("Warning! Package1-Package2 mismatch: %d, %d", pkg1_id->kb, pkg2_kb);
pkg2_hdr = pkg2_decrypt(pkg2);
if (!pkg2_hdr) {
EPRINTF("Failed to decrypt Package2.");
goto pkg2_done;
}
TPRINTFARGS("%kDecrypt pkg2... ", colors[(color_idx++) % 6]);
LIST_INIT(kip1_info);
bool new_pkg2;
pkg2_parse_kips(&kip1_info, pkg2_hdr, &new_pkg2);
LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki_tmp, &kip1_info, link) {
if(ki_tmp->kip1->tid == 0x0100000000000000ULL) {
ki = malloc(sizeof(pkg2_kip1_info_t));
memcpy(ki, ki_tmp, sizeof(pkg2_kip1_info_t));
break;
}
}
LIST_FOREACH_SAFE(iter, &kip1_info)
free(CONTAINER_OF(iter, pkg2_kip1_info_t, link));
if (!ki) {
EPRINTF("Failed to parse INI1.");
goto pkg2_done;
}
pkg2_decompress_kip(ki, 2 | 4); // we only need .rodata and .data
TPRINTFARGS("%kDecompress FS...", colors[(color_idx++) % 6]);
u8 hash_index = 0, hash_max = 9, hash_order[10],
key_lengths[10] = {0x10, 0x20, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x20, 0x20};
u32 start_offset = 0, hks_offset_from_end = ki->kip1->sections[2].size_decomp, alignment = 1;
// the FS keys appear in different orders
if (!memcmp(pkg1_id->id, "2016", 4)) {
// 1.0.0 doesn't have SD keys at all
hash_max = 6;
// the first key isn't aligned with the rest
memcpy(fs_keys[2], ki->kip1->data + ki->kip1->sections[0].size_comp + 0x1ae0e, 0x10);
hash_index = 1;
start_offset = 0x1b517;
hks_offset_from_end = 0x125bc2;
alignment = 0x10;
u8 temp[7] = {2, 3, 4, 0, 5, 6, 1};
memcpy(hash_order, temp, 7);
} else {
// 2.0.0 - 8.0.0
alignment = 0x40;
switch (pkg1_id->kb) {
case KB_FIRMWARE_VERSION_100_200:
start_offset = 0x1d226;
alignment = 0x10;
hks_offset_from_end -= 0x26fe;
break;
case KB_FIRMWARE_VERSION_300:
start_offset = 0x1ffa6;
hks_offset_from_end -= 0x298b;
break;
case KB_FIRMWARE_VERSION_301:
start_offset = 0x20026;
hks_offset_from_end -= 0x29ab;
break;
case KB_FIRMWARE_VERSION_400:
start_offset = 0x1c64c;
hks_offset_from_end -= 0x37eb;
break;
case KB_FIRMWARE_VERSION_500:
start_offset = 0x1f3b4;
hks_offset_from_end -= 0x465b;
alignment = 0x20;
break;
case KB_FIRMWARE_VERSION_600:
case KB_FIRMWARE_VERSION_620:
start_offset = 0x27350;
hks_offset_from_end = 0x17ff5;
alignment = 8;
break;
case KB_FIRMWARE_VERSION_700:
case KB_FIRMWARE_VERSION_810:
start_offset = 0x29c50;
hks_offset_from_end -= 0x6a73;
alignment = 8;
break;
case KB_FIRMWARE_VERSION_900:
start_offset = 0x2ec10;
hks_offset_from_end -= 0x5573;
alignment = 1; // RIP
break;
}
if (pkg1_id->kb <= KB_FIRMWARE_VERSION_500) {
u8 temp[10] = {2, 3, 4, 0, 5, 7, 9, 8, 6, 1};
memcpy(hash_order, temp, 10);
} else {
u8 temp[10] = {6, 5, 7, 2, 3, 4, 0, 9, 8, 1};
memcpy(hash_order, temp, 10);
}
}
u8 temp_hash[0x20];
for (u32 i = ki->kip1->sections[0].size_comp + start_offset; i < ki->size - 0x20; ) {
se_calc_sha256(temp_hash, ki->kip1->data + i, key_lengths[hash_order[hash_index]]);
if (!memcmp(temp_hash, fs_hashes_sha256[hash_order[hash_index]], 0x20)) {
memcpy(fs_keys[hash_order[hash_index]], ki->kip1->data + i, key_lengths[hash_order[hash_index]]);
/*if (hash_index == hash_max) {
TPRINTFARGS("%d: %x end -%x", hash_index, (*(ki->kip1->data + i)), ki->size - i);
} else {
TPRINTFARGS("%d: %x rodata +%x", hash_index, (*(ki->kip1->data + i)), i - ki->kip1->sections[0].size_comp);
}*/
i += key_lengths[hash_order[hash_index]];
if (hash_index == hash_max - 1) {
i = ki->size - hks_offset_from_end;
} else if (hash_index == hash_max) {
break;
}
hash_index++;
} else {
i += alignment;
}
}
pkg2_done:
free(pkg2);
free(ki);
TPRINTFARGS("%kFS keys... ", colors[(color_idx++) % 6]);
if (_key_exists(fs_keys[0]) && _key_exists(fs_keys[1]) && _key_exists(master_key[0])) {
_generate_kek(8, fs_keys[0], master_key[0], aes_kek_generation_source, aes_key_generation_source);
se_aes_crypt_block_ecb(8, 0, header_key + 0x00, fs_keys[1] + 0x00);
se_aes_crypt_block_ecb(8, 0, header_key + 0x10, fs_keys[1] + 0x10);
}
if (_key_exists(fs_keys[5]) && _key_exists(fs_keys[6]) && _key_exists(device_key)) {
_generate_kek(8, fs_keys[5], device_key, aes_kek_generation_source, NULL);
se_aes_crypt_block_ecb(8, 0, save_mac_key, fs_keys[6]);
}
if (_key_exists(master_key[MAX_KEY])) {
MAX_KEY = KB_FIRMWARE_VERSION_MAX + 1;
}
for (u32 i = 0; i < MAX_KEY; i++) {
if (!_key_exists(master_key[i]))
continue;
if (_key_exists(fs_keys[2]) && _key_exists(fs_keys[3]) && _key_exists(fs_keys[4])) {
for (u32 j = 0; j < 3; j++) {
_generate_kek(8, fs_keys[2 + j], master_key[i], aes_kek_generation_source, NULL);
se_aes_crypt_block_ecb(8, 0, key_area_key[j][i], aes_key_generation_source);
}
}
se_aes_key_set(8, master_key[i], 0x10);
se_aes_crypt_block_ecb(8, 0, package2_key[i], package2_key_source);
se_aes_crypt_block_ecb(8, 0, titlekek[i], titlekek_source);
}
readData(0x180, 0x100);
// free(tmp_copy);
if (!_key_exists(header_key) || !_key_exists(bis_key[2]))
{
EPRINTF("Missing FS keys. Skipping ES/SSL keys.");
goto key_output;
}
se_aes_key_set(4, header_key + 0x00, 0x10);
se_aes_key_set(5, header_key + 0x10, 0x10);
se_aes_key_set(8, bis_key[2] + 0x00, 0x10);
se_aes_key_set(9, bis_key[2] + 0x10, 0x10);
system_part = nx_emmc_part_find(&gpt, "SYSTEM");
if (!system_part) {
EPRINTF("Failed to locate System partition.");
goto key_output;
}
__attribute__ ((aligned (16))) FATFS emmc_fs;
if (f_mount(&emmc_fs, "emmc:", 1)) {
EPRINTF("Mount failed.");
goto key_output;
}
// pkg2_done:
// // free(pkg2);
// // free(ki);
DIR dir;
FILINFO fno;
FIL fp;
// sysmodule NCAs only ever have one section (exefs) so 0x600 is sufficient
u8 *dec_header = (u8*)malloc(0x600);
char path[100] = "emmc:/Contents/registered";
u32 titles_found = 0, title_limit = 2, read_bytes = 0;
if (!memcmp(pkg1_id->id, "2016", 4))
title_limit = 1;
u8 *temp_file = NULL;
// TPRINTFARGS("%kFS keys... ", colors[(color_idx++) % 6]);
if (f_opendir(&dir, path)) {
EPRINTF("Failed to open System:/Contents/registered.");
goto dismount;
}
// prepopulate /Contents/registered in decrypted sector cache
while (!f_readdir(&dir, &fno) && fno.fname[0]) {}
f_closedir(&dir);
// // DIR dir;
// // FILINFO fno;
// // FIL fp;
if (f_opendir(&dir, path)) {
EPRINTF("Failed to open System:/Contents/registered.");
goto dismount;
}
// // f_closedir(&dir);
path[25] = '/';
start_offset = 0;
// // f_close(&fp);
while (!f_readdir(&dir, &fno) && fno.fname[0] && titles_found < title_limit) {
memcpy(path + 26, fno.fname, 36);
path[62] = 0;
if (fno.fattrib & AM_DIR)
memcpy(path + 62, "/00", 4);
if (f_open(&fp, path, FA_READ | FA_OPEN_EXISTING)) continue;
if (f_lseek(&fp, 0x200) || f_read(&fp, dec_header, 32, &read_bytes) || read_bytes != 32) {
f_close(&fp);
continue;
}
se_aes_xts_crypt(5, 4, 0, 1, dec_header + 0x200, dec_header, 32, 1);
// es doesn't contain es key sources on 1.0.0
if (memcmp(pkg1_id->id, "2016", 4) && *(u32*)(dec_header + 0x210) == 0x33 && dec_header[0x205] == 0) {
// es (offset 0x210 is lower half of titleid, 0x205 == 0 means it's program nca, not meta)
switch (pkg1_id->kb) {
case KB_FIRMWARE_VERSION_100_200:
start_offset = 0x557b;
break;
case KB_FIRMWARE_VERSION_300:
case KB_FIRMWARE_VERSION_301:
start_offset = 0x552d;
break;
case KB_FIRMWARE_VERSION_400:
start_offset = 0x5382;
break;
case KB_FIRMWARE_VERSION_500:
start_offset = 0x5a63;
break;
case KB_FIRMWARE_VERSION_600:
case KB_FIRMWARE_VERSION_620:
start_offset = 0x5674;
break;
case KB_FIRMWARE_VERSION_700:
case KB_FIRMWARE_VERSION_810:
start_offset = 0x5563;
break;
case KB_FIRMWARE_VERSION_900:
start_offset = 0x6495;
break;
}
hash_order[2] = 2;
if (pkg1_id->kb < KB_FIRMWARE_VERSION_500) {
hash_order[0] = 0;
hash_order[1] = 1;
} else {
hash_order[0] = 1;
hash_order[1] = 0;
}
hash_index = 0;
// decrypt only what is needed to locate needed keys
temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0xc0);
for (u32 i = 0; i <= 0xb0; ) {
se_calc_sha256(temp_hash, temp_file + i, 0x10);
if (!memcmp(temp_hash, es_hashes_sha256[hash_order[hash_index]], 0x10)) {
memcpy(es_keys[hash_order[hash_index]], temp_file + i, 0x10);
hash_index++;
if (hash_index == 3)
break;
i += 0x10;
} else {
i++;
}
}
free(temp_file);
temp_file = NULL;
titles_found++;
} else if (*(u32*)(dec_header + 0x210) == 0x24 && dec_header[0x205] == 0) {
// ssl
switch (pkg1_id->kb) {
case KB_FIRMWARE_VERSION_100_200:
start_offset = 0x3d41a;
break;
case KB_FIRMWARE_VERSION_300:
case KB_FIRMWARE_VERSION_301:
start_offset = 0x3cb81;
break;
case KB_FIRMWARE_VERSION_400:
start_offset = 0x3711c;
break;
case KB_FIRMWARE_VERSION_500:
start_offset = 0x37901;
break;
case KB_FIRMWARE_VERSION_600:
case KB_FIRMWARE_VERSION_620:
start_offset = 0x1d5be;
break;
case KB_FIRMWARE_VERSION_700:
case KB_FIRMWARE_VERSION_810:
start_offset = 0x1d437;
break;
case KB_FIRMWARE_VERSION_900:
start_offset = 0x1d807;
break;
}
if (!memcmp(pkg1_id->id, "2016", 4))
start_offset = 0x449dc;
temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0x70);
for (u32 i = 0; i <= 0x60; i++) {
se_calc_sha256(temp_hash, temp_file + i, 0x10);
if (!memcmp(temp_hash, ssl_hashes_sha256[1], 0x10)) {
memcpy(ssl_keys[1], temp_file + i, 0x10);
// only get ssl_rsa_kek_source_x from SSL on 1.0.0
// we get it from ES on every other firmware
// and it's located oddly distant from ssl_rsa_kek_source_y on >= 6.0.0
if (!memcmp(pkg1_id->id, "2016", 4)) {
se_calc_sha256(temp_hash, temp_file + i + 0x10, 0x10);
if (!memcmp(temp_hash, ssl_hashes_sha256[0], 0x10))
memcpy(es_keys[2], temp_file + i + 0x10, 0x10);
}
break;
}
}
free(temp_file);
temp_file = NULL;
titles_found++;
}
f_close(&fp);
}
f_closedir(&dir);
free(dec_header);
if (memcmp(pkg1_id->id, "2016", 4)) {
TPRINTFARGS("%kES & SSL keys...", colors[(color_idx++) % 6]);
} else {
TPRINTFARGS("%kSSL keys... ", colors[(color_idx++) % 6]);
}
if (f_open(&fp, "sd:/Nintendo/Contents/private", FA_READ | FA_OPEN_EXISTING)) {
EPRINTF("Unable to locate SD seed. Skipping.");
goto dismount;
}
// get sd seed verification vector
if (f_read(&fp, temp_key, 0x10, &read_bytes) || read_bytes != 0x10) {
EPRINTF("Unable to locate SD seed. Skipping.");
f_close(&fp);
goto dismount;
}
f_close(&fp);
if (f_open(&fp, "emmc:/save/8000000000000043", FA_READ | FA_OPEN_EXISTING)) {
EPRINTF("Failed to open ns_appman save.\nSkipping SD seed.");
goto dismount;
}
// locate sd seed
u8 read_buf[0x20] = {0};
for (u32 i = 0x8000; i < f_size(&fp); i += 0x4000) {
if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
break;
if (!memcmp(temp_key, read_buf, 0x10)) {
memcpy(sd_seed, read_buf + 0x10, 0x10);
break;
}
}
f_close(&fp);
TPRINTFARGS("%kSD Seed... ", colors[(color_idx++) % 6]);
// TPRINTFARGS("%kSD Seed... ", colors[(color_idx++) % 6]);
dismount:
f_mount(NULL, "emmc:", 1);
nx_emmc_gpt_free(&gpt);
emummc_storage_end(&storage);
// derive eticket_rsa_kek and ssl_rsa_kek
if (_key_exists(es_keys[0]) && _key_exists(es_keys[1]) && _key_exists(master_key[0])) {
for (u32 i = 0; i < 0x10; i++)
temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_03[i];
_generate_kek(8, es_keys[1], master_key[0], temp_key, NULL);
se_aes_crypt_block_ecb(8, 0, eticket_rsa_kek, es_keys[0]);
}
if (_key_exists(ssl_keys[1]) && _key_exists(es_keys[2]) && _key_exists(master_key[0])) {
for (u32 i = 0; i < 0x10; i++)
temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_01[i];
_generate_kek(8, es_keys[2], master_key[0], temp_key, NULL);
se_aes_crypt_block_ecb(8, 0, ssl_rsa_kek, ssl_keys[1]);
}
key_output: ;
__attribute__ ((aligned (16))) char text_buffer[0x3000] = {0};
//key_output: ;
// __attribute__ ((aligned (16))) char text_buffer[0x3000] = {0};
SAVE_KEY("aes_kek_generation_source", aes_kek_generation_source, 0x10);
SAVE_KEY("aes_key_generation_source", aes_key_generation_source, 0x10);
SAVE_KEY("bis_kek_source", bis_kek_source, 0x10);
SAVE_KEY_FAMILY("bis_key", bis_key, 4, 0x20);
SAVE_KEY_FAMILY("bis_key_source", bis_key_source, 3, 0x20);
SAVE_KEY("device_key", device_key, 0x10);
SAVE_KEY("eticket_rsa_kek", eticket_rsa_kek, 0x10);
SAVE_KEY("eticket_rsa_kek_source", es_keys[0], 0x10);
SAVE_KEY("eticket_rsa_kekek_source", es_keys[1], 0x10);
SAVE_KEY("header_kek_source", fs_keys[0], 0x10);
SAVE_KEY("header_key", header_key, 0x20);
SAVE_KEY("header_key_source", fs_keys[1], 0x20);
SAVE_KEY_FAMILY("key_area_key_application", key_area_key[0], MAX_KEY, 0x10);
SAVE_KEY("key_area_key_application_source", fs_keys[2], 0x10);
SAVE_KEY_FAMILY("key_area_key_ocean", key_area_key[1], MAX_KEY, 0x10);
SAVE_KEY("key_area_key_ocean_source", fs_keys[3], 0x10);
SAVE_KEY_FAMILY("key_area_key_system", key_area_key[2], MAX_KEY, 0x10);
SAVE_KEY("key_area_key_system_source", fs_keys[4], 0x10);
SAVE_KEY_FAMILY("keyblob", keyblob, 6, 0x90);
SAVE_KEY_FAMILY("keyblob_key", keyblob_key, 6, 0x10);
SAVE_KEY_FAMILY("keyblob_key_source", keyblob_key_source, 6, 0x10);
SAVE_KEY_FAMILY("keyblob_mac_key", keyblob_mac_key, 6, 0x10);
SAVE_KEY("keyblob_mac_key_source", keyblob_mac_key_source, 0x10);
SAVE_KEY_FAMILY("master_kek", master_kek, MAX_KEY, 0x10);
SAVE_KEY("master_kek_source_06", master_kek_sources[0], 0x10);
SAVE_KEY("master_kek_source_07", master_kek_sources[1], 0x10);
SAVE_KEY("master_kek_source_08", master_kek_sources[2], 0x10);
SAVE_KEY("master_kek_source_09", master_kek_sources[3], 0x10);
SAVE_KEY_FAMILY("master_key", master_key, MAX_KEY, 0x10);
SAVE_KEY("master_key_source", master_key_source, 0x10);
SAVE_KEY_FAMILY("package1_key", package1_key, 6, 0x10);
SAVE_KEY_FAMILY("package2_key", package2_key, MAX_KEY, 0x10);
SAVE_KEY("package2_key_source", package2_key_source, 0x10);
SAVE_KEY("per_console_key_source", per_console_key_source, 0x10);
SAVE_KEY("retail_specific_aes_key_source", retail_specific_aes_key_source, 0x10);
for (u32 i = 0; i < 0x10; i++)
temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_03[i];
SAVE_KEY("rsa_oaep_kek_generation_source", temp_key, 0x10);
for (u32 i = 0; i < 0x10; i++)
temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_01[i];
SAVE_KEY("rsa_private_kek_generation_source", temp_key, 0x10);
SAVE_KEY("save_mac_kek_source", fs_keys[5], 0x10);
SAVE_KEY("save_mac_key", save_mac_key, 0x10);
SAVE_KEY("save_mac_key_source", fs_keys[6], 0x10);
SAVE_KEY("sd_card_kek_source", fs_keys[7], 0x10);
SAVE_KEY("sd_card_nca_key_source", fs_keys[8], 0x20);
SAVE_KEY("sd_card_save_key_source", fs_keys[9], 0x20);
SAVE_KEY("sd_seed", sd_seed, 0x10);
SAVE_KEY("secure_boot_key", sbk, 0x10);
SAVE_KEY("ssl_rsa_kek", ssl_rsa_kek, 0x10);
SAVE_KEY("ssl_rsa_kek_source_x", es_keys[2], 0x10);
SAVE_KEY("ssl_rsa_kek_source_y", ssl_keys[1], 0x10);
SAVE_KEY_FAMILY("titlekek", titlekek, MAX_KEY, 0x10);
SAVE_KEY("titlekek_source", titlekek_source, 0x10);
SAVE_KEY("tsec_key", tsec_keys, 0x10);
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
SAVE_KEY("tsec_root_key", tsec_keys + 0x10, 0x10);
// SAVE_KEY("aes_kek_generation_source", aes_kek_generation_source, 0x10);
// SAVE_KEY("aes_key_generation_source", aes_key_generation_source, 0x10);
// SAVE_KEY("bis_kek_source", bis_kek_source, 0x10);
// SAVE_KEY_FAMILY("bis_key", bis_key, 4, 0x20);
// SAVE_KEY_FAMILY("bis_key_source", bis_key_source, 3, 0x20);
// SAVE_KEY("device_key", device_key, 0x10);
// SAVE_KEY("eticket_rsa_kek", eticket_rsa_kek, 0x10);
// SAVE_KEY("eticket_rsa_kek_source", es_keys[0], 0x10);
// SAVE_KEY("eticket_rsa_kekek_source", es_keys[1], 0x10);
// SAVE_KEY("header_kek_source", fs_keys[0], 0x10);
// SAVE_KEY("header_key", header_key, 0x20);
// SAVE_KEY("header_key_source", fs_keys[1], 0x20);
// SAVE_KEY_FAMILY("key_area_key_application", key_area_key[0], MAX_KEY, 0x10);
// SAVE_KEY("key_area_key_application_source", fs_keys[2], 0x10);
// SAVE_KEY_FAMILY("key_area_key_ocean", key_area_key[1], MAX_KEY, 0x10);
// SAVE_KEY("key_area_key_ocean_source", fs_keys[3], 0x10);
// SAVE_KEY_FAMILY("key_area_key_system", key_area_key[2], MAX_KEY, 0x10);
// SAVE_KEY("key_area_key_system_source", fs_keys[4], 0x10);
// SAVE_KEY_FAMILY("keyblob", keyblob, 6, 0x90);
// SAVE_KEY_FAMILY("keyblob_key", keyblob_key, 6, 0x10);
// SAVE_KEY_FAMILY("keyblob_key_source", keyblob_key_source, 6, 0x10);
// SAVE_KEY_FAMILY("keyblob_mac_key", keyblob_mac_key, 6, 0x10);
// SAVE_KEY("keyblob_mac_key_source", keyblob_mac_key_source, 0x10);
// SAVE_KEY_FAMILY("master_kek", master_kek, MAX_KEY, 0x10);
// SAVE_KEY("master_kek_source_06", master_kek_sources[0], 0x10);
// SAVE_KEY("master_kek_source_07", master_kek_sources[1], 0x10);
// SAVE_KEY("master_kek_source_08", master_kek_sources[2], 0x10);
// SAVE_KEY("master_kek_source_09", master_kek_sources[3], 0x10);
// SAVE_KEY_FAMILY("master_key", master_key, MAX_KEY, 0x10);
// SAVE_KEY("master_key_source", master_key_source, 0x10);
// SAVE_KEY_FAMILY("package1_key", package1_key, 6, 0x10);
// SAVE_KEY_FAMILY("package2_key", package2_key, MAX_KEY, 0x10);
// SAVE_KEY("package2_key_source", package2_key_source, 0x10);
// SAVE_KEY("per_console_key_source", per_console_key_source, 0x10);
// SAVE_KEY("retail_specific_aes_key_source", retail_specific_aes_key_source, 0x10);
// for (u32 i = 0; i < 0x10; i++)
// temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_03[i];
// SAVE_KEY("rsa_oaep_kek_generation_source", temp_key, 0x10);
// for (u32 i = 0; i < 0x10; i++)
// temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_01[i];
// SAVE_KEY("rsa_private_kek_generation_source", temp_key, 0x10);
// SAVE_KEY("save_mac_kek_source", fs_keys[5], 0x10);
// SAVE_KEY("save_mac_key", save_mac_key, 0x10);
// SAVE_KEY("save_mac_key_source", fs_keys[6], 0x10);
// SAVE_KEY("sd_card_kek_source", fs_keys[7], 0x10);
// SAVE_KEY("sd_card_nca_key_source", fs_keys[8], 0x20);
// SAVE_KEY("sd_card_save_key_source", fs_keys[9], 0x20);
// SAVE_KEY("sd_seed", sd_seed, 0x10);
// SAVE_KEY("secure_boot_key", sbk, 0x10);
// SAVE_KEY("ssl_rsa_kek", ssl_rsa_kek, 0x10);
// SAVE_KEY("ssl_rsa_kek_source_x", es_keys[2], 0x10);
// SAVE_KEY("ssl_rsa_kek_source_y", ssl_keys[1], 0x10);
// SAVE_KEY_FAMILY("titlekek", titlekek, MAX_KEY, 0x10);
// SAVE_KEY("titlekek_source", titlekek_source, 0x10);
// SAVE_KEY("tsec_key", tsec_keys, 0x10);
// if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
// SAVE_KEY("tsec_root_key", tsec_keys + 0x10, 0x10);
//gfx_con.fntsz = 8; gfx_puts(text_buffer); gfx_con.fntsz = 16;
@ -890,43 +478,43 @@ key_output: ;
gfx_printf("\n%kLockpick totally done in %d us", colors[(color_idx++) % 6], end_time - begin_time);
gfx_printf("\n%kFound through master_key_%02x\n", colors[(color_idx++) % 6], MAX_KEY - 1);
f_mkdir("sd:/switch");
char keyfile_path[30] = "sd:/switch/";
if (!(fuse_read_odm(4) & 3))
sprintf(&keyfile_path[11], "prod.keys");
else
sprintf(&keyfile_path[11], "dev.keys");
if (sd_mount() && !sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
} else
EPRINTF("Failed to save keys to SD.");
// f_mkdir("sd:/switch");
// char keyfile_path[30] = "sd:/switch/";
// if (!(fuse_read_odm(4) & 3))
// sprintf(&keyfile_path[11], "prod.keys");
// else
// sprintf(&keyfile_path[11], "dev.keys");
// if (sd_mount() && !sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
// gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
// } else
// EPRINTF("Failed to save keys to SD.");
h_cfg.emummc_force_disable = emummc_load_cfg();
out_wait:
sd_unmount();
// sd_unmount();
gfx_printf("\n%kPress any key to return to the main menu.", colors[(color_idx) % 6], colors[(color_idx + 1) % 6], colors[(color_idx + 2) % 6]);
btn_wait();
}
static void _save_key(const char *name, const void *data, const u32 len, char *outbuf) {
if (!_key_exists(data))
return;
u32 pos = strlen(outbuf);
pos += sprintf(&outbuf[pos], "%s = ", name);
for (u32 i = 0; i < len; i++)
pos += sprintf(&outbuf[pos], "%02x", *(u8*)(data + i));
sprintf(&outbuf[pos], "\n");
_key_count++;
}
// static void _save_key(const char *name, const void *data, const u32 len, char *outbuf) {
// if (!_key_exists(data))
// return;
// u32 pos = strlen(outbuf);
// pos += sprintf(&outbuf[pos], "%s = ", name);
// for (u32 i = 0; i < len; i++)
// pos += sprintf(&outbuf[pos], "%02x", *(u8*)(data + i));
// sprintf(&outbuf[pos], "\n");
// _key_count++;
// }
static void _save_key_family(const char *name, const void *data, const u32 num_keys, const u32 len, char *outbuf) {
char temp_name[0x40] = {0};
for (u32 i = 0; i < num_keys; i++) {
sprintf(temp_name, "%s_%02x", name, i);
_save_key(temp_name, data + i * len, len, outbuf);
}
}
// static void _save_key_family(const char *name, const void *data, const u32 num_keys, const u32 len, char *outbuf) {
// char temp_name[0x40] = {0};
// for (u32 i = 0; i < num_keys; i++) {
// sprintf(temp_name, "%s_%02x", name, i);
// _save_key(temp_name, data + i * len, len, outbuf);
// }
// }
static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed) {
if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed))
@ -946,61 +534,89 @@ static inline u32 _read_le_u32(const void *buffer, u32 offset) {
(*(u8*)(buffer + offset + 3) << 0x18);
}
static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len) {
u32 read_bytes = 0, crypt_offset, read_size, num_files, string_table_size, rodata_offset;
// static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len) {
// u32 read_bytes = 0, crypt_offset, read_size, num_files, string_table_size, rodata_offset;
u8 *temp_file = (u8*)malloc(0x400),
ctr[0x10] = {0};
if (f_lseek(fp, 0x200) || f_read(fp, temp_file, 0x400, &read_bytes) || read_bytes != 0x400)
return NULL;
se_aes_xts_crypt(hk_ks1, hk_ks2, 0, 1, temp_file, temp_file, 0x200, 2);
// both 1.x and 2.x use master_key_00
temp_file[0x20] -= temp_file[0x20] ? 1 : 0;
// decrypt key area and load decrypted key area key
se_aes_key_set(7, key_area_key[temp_file[7]][temp_file[0x20]], 0x10);
se_aes_crypt_block_ecb(7, 0, temp_file + 0x120, temp_file + 0x120);
se_aes_key_set(2, temp_file + 0x120, 0x10);
for (u32 i = 0; i < 8; i++)
ctr[i] = temp_file[0x347 - i];
crypt_offset = _read_le_u32(temp_file, 0x40) * 0x200 + _read_le_u32(temp_file, 0x240);
read_size = 0x10;
_nca_fread_ctr(2, fp, temp_file, crypt_offset, read_size, ctr);
num_files = _read_le_u32(temp_file, 4);
string_table_size = _read_le_u32(temp_file, 8);
if (!memcmp(temp_file + 0x10 + num_files * 0x18, "main.npdm", 9))
crypt_offset += _read_le_u32(temp_file, 0x18);
crypt_offset += 0x10 + num_files * 0x18 + string_table_size;
read_size = 0x40;
_nca_fread_ctr(2, fp, temp_file, crypt_offset, read_size, ctr);
rodata_offset = _read_le_u32(temp_file, 0x20);
// u8 *temp_file = (u8*)malloc(0x400),
// ctr[0x10] = {0};
// if (f_lseek(fp, 0x200) || f_read(fp, temp_file, 0x400, &read_bytes) || read_bytes != 0x400)
// return NULL;
// se_aes_xts_crypt(hk_ks1, hk_ks2, 0, 1, temp_file, temp_file, 0x200, 2);
// // both 1.x and 2.x use master_key_00
// temp_file[0x20] -= temp_file[0x20] ? 1 : 0;
// // decrypt key area and load decrypted key area key
// se_aes_key_set(7, key_area_key[temp_file[7]][temp_file[0x20]], 0x10);
// se_aes_crypt_block_ecb(7, 0, temp_file + 0x120, temp_file + 0x120);
// se_aes_key_set(2, temp_file + 0x120, 0x10);
// for (u32 i = 0; i < 8; i++)
// ctr[i] = temp_file[0x347 - i];
// crypt_offset = _read_le_u32(temp_file, 0x40) * 0x200 + _read_le_u32(temp_file, 0x240);
// read_size = 0x10;
// _nca_fread_ctr(2, fp, temp_file, crypt_offset, read_size, ctr);
// num_files = _read_le_u32(temp_file, 4);
// string_table_size = _read_le_u32(temp_file, 8);
// if (!memcmp(temp_file + 0x10 + num_files * 0x18, "main.npdm", 9))
// crypt_offset += _read_le_u32(temp_file, 0x18);
// crypt_offset += 0x10 + num_files * 0x18 + string_table_size;
// read_size = 0x40;
// _nca_fread_ctr(2, fp, temp_file, crypt_offset, read_size, ctr);
// rodata_offset = _read_le_u32(temp_file, 0x20);
void *buf = malloc(len);
_nca_fread_ctr(2, fp, buf, crypt_offset + rodata_offset + key_offset, len, ctr);
free(temp_file);
// void *buf = malloc(len);
// _nca_fread_ctr(2, fp, buf, crypt_offset + rodata_offset + key_offset, len, ctr);
// free(temp_file);
return buf;
}
// return buf;
// }
static u32 _nca_fread_ctr(u32 ks, FIL *fp, void *buffer, u32 offset, u32 len, u8 *ctr) {
u32 br;
if (f_lseek(fp, offset) || f_read(fp, buffer, len, &br) || br != len)
return 0;
_update_ctr(ctr, offset);
// static u32 _nca_fread_ctr(u32 ks, FIL *fp, void *buffer, u32 offset, u32 len, u8 *ctr) {
// u32 br;
// if (f_lseek(fp, offset) || f_read(fp, buffer, len, &br) || br != len)
// return 0;
// _update_ctr(ctr, offset);
if (offset % 0x10) {
u8 *temp = (u8*)malloc(ALIGN(br + offset % 0x10, 0x10));
memcpy(temp + offset % 0x10, buffer, br);
se_aes_crypt_ctr(ks, temp, ALIGN(br + offset % 0x10, 0x10), temp, ALIGN(br + offset % 0x10, 0x10), ctr);
memcpy(buffer, temp + offset % 0x10, br);
free(temp);
return br;
// if (offset % 0x10) {
// u8 *temp = (u8*)malloc(ALIGN(br + offset % 0x10, 0x10));
// memcpy(temp + offset % 0x10, buffer, br);
// se_aes_crypt_ctr(ks, temp, ALIGN(br + offset % 0x10, 0x10), temp, ALIGN(br + offset % 0x10, 0x10), ctr);
// memcpy(buffer, temp + offset % 0x10, br);
// free(temp);
// return br;
// }
// se_aes_crypt_ctr(ks, buffer, br, buffer, br, ctr);
// return br;
// }
// static void _update_ctr(u8 *ctr, u32 ofs) {
// ofs >>= 4;
// for (u32 i = 0; i < 4; i++, ofs >>= 8)
// ctr[0x10-i-1] = (u8)(ofs & 0xff);
// }
bool readData(u64 offset, u64 length)
{
u64 sector = (offset / NX_EMMC_BLOCKSIZE);
u64 newOffset = (offset % NX_EMMC_BLOCKSIZE);
bool needMultipleSectors = newOffset + length > NX_EMMC_BLOCKSIZE;
u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
disk_read_mod(tmp, sector, 1, &storage, prodinfo_part);
if (!needTwoSectors)
{
gfx_hexdump(0, tmp + newOffset, length);
}
else
{
u64 newLength = (newOffset + length) - NX_EMMC_BLOCKSIZE;
gfx_hexdump(0, tmp + newOffset, newLength);
disk_read_mod(tmp, sector + 1, 1, &storage, prodinfo_part);
gfx_hexdump(0, tmp, length - newLength);
}
se_aes_crypt_ctr(ks, buffer, br, buffer, br, ctr);
return br;
}
static void _update_ctr(u8 *ctr, u32 ofs) {
ofs >>= 4;
for (u32 i = 0; i < 4; i++, ofs >>= 8)
ctr[0x10-i-1] = (u8)(ofs & 0xff);
}
free(tmp);
return true;
}

3
source/keys/keys.h
View file

@ -17,6 +17,9 @@
#ifndef _KEYS_H_
#define _KEYS_H_
#include "../utils/types.h"
void dump_keys();
bool readData(u64 offset, u64 length);
#endif

6
source/libs/fatfs/diskio.c
View file

@ -133,9 +133,7 @@ DRESULT disk_read_mod (
DWORD sector, /* Start sector in LBA */
UINT count, /* Number of sectors to read */
sdmmc_storage_t *storage,
emmc_part_t *partition,
u32 hiKey
)
emmc_part_t *partition)
{
@ -178,7 +176,7 @@ DRESULT disk_read_mod (
}
// fatfs will never pull more than a cluster
_emmc_xts(hiKey, hiKey - 1, 0, tweak, regen_tweak, tweak_exp, prev_cluster, buff, buff, count * 0x200);
_emmc_xts(9, 8, 0, tweak, regen_tweak, tweak_exp, prev_cluster, buff, buff, count * 0x200);
if (cache_sector) {
memcpy(sector_cache[s].cached_sector, buff, 0x200);
memcpy(sector_cache[s].tweak, tweak, 0x10);

2
source/libs/fatfs/diskio.h
View file

@ -33,7 +33,7 @@ typedef enum {
DSTATUS disk_initialize (BYTE pdrv);
DSTATUS disk_status (BYTE pdrv);
DRESULT disk_read (BYTE pdrv, BYTE* buff, DWORD sector, UINT count);
DRESULT disk_read_mod (BYTE *buff, DWORD sector, UINT count, sdmmc_storage_t *storage, emmc_part_t *partition, u32 hiKey);
DRESULT disk_read_mod (BYTE *buff, DWORD sector, UINT count, sdmmc_storage_t *storage, emmc_part_t *partition);
DRESULT disk_write (BYTE pdrv, const BYTE* buff, DWORD sector, UINT count);
DRESULT disk_ioctl (BYTE pdrv, BYTE cmd, void* buff);