/* * Copyright (c) 2021 scandal_uk * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, * version 2, as published by the Free Software Foundation. * * This program is distributed in the hope it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include "incognito.h" #include "../config.h" #include #include #include "../gfx/tui.h" #include "../hos/pkg1.h" #include "../hos/pkg2.h" #include "../hos/sept.h" #include #include #include #include #include #include #include #include #include #include #include "../storage/emummc.h" #include "../storage/nx_emmc.h" #include "../storage/nx_emmc_bis.h" #include #include #include #include #include #include "key_sources.inl" #include "io/io.h" #include #define RETRY_COUNT 5 #define RETRY(exp) \ ({ \ u8 _attemptc_ = RETRY_COUNT; \ bool _resultb_ = false; \ while (_attemptc_--) \ { \ if ((_resultb_ = exp)) \ break; \ gfx_printf("%kretry %d/%d...\n", COLOR_RED, RETRY_COUNT - _attemptc_, RETRY_COUNT); \ } \ _resultb_; \ }) extern bool sd_mount(); extern void sd_unmount(); extern int sd_save_to_file(void *buf, u32 size, const char *filename); extern hekate_config h_cfg; sdmmc_storage_t storage; sdmmc_t sdmmc; emmc_part_t *system_part; emmc_part_t *prodinfo_part; #define SECTORS_IN_CLUSTER 32 #define PRODINFO_SIZE 0x3FBC00 #define BACKUP_NAME_EMUNAND "sd:/prodinfo_emunand.bin" #define BACKUP_NAME_SYSNAND "sd:/prodinfo_sysnand.bin" static u8 temp_key[0x10], bis_key[4][0x20] = {0}, device_key[0x10] = {0}, device_key_4x[0x10] = {0}, // FS-related keys header_key[0x20] = {0}, // keyblob-derived families keyblob_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0}, keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0}, package1_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0}, // master key-derived families master_kek[KB_FIRMWARE_VERSION_MAX + 1][0x10] = {0}, master_key[KB_FIRMWARE_VERSION_MAX + 1][0x10] = {0}; keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1] = {0}; LIST_INIT(gpt); // key functions static int _key_exists(const void *data) { return memcmp(data, zeros, 0x10) != 0; }; static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed); static void _get_device_key(u32 ks, void *out_device_key, u32 revision, const void *device_key, const void *master_key); static ALWAYS_INLINE u8 *_find_tsec_fw(const u8 *pkg1) { const u32 tsec_fw_align = 0x100; const u32 tsec_fw_first_instruction = 0xCF42004D; for (const u32 *pos = (const u32 *)pkg1; (u8 *)pos < pkg1 + PKG1_MAX_SIZE; pos += tsec_fw_align / sizeof(u32)) if (*pos == tsec_fw_first_instruction) return (u8 *)pos; return NULL; } static ALWAYS_INLINE u32 _get_tsec_fw_size(tsec_key_data_t *key_data) { return key_data->blob0_size + sizeof(tsec_key_data_t) + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size; } unsigned int crc_16_table[16] = { 0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401, 0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400 }; unsigned short int get_crc_16 (const char *p, int n) { unsigned short int crc = 0x55AA; int r; while (n-- > 0) { r = crc_16_table[crc & 0xF]; crc = (crc >> 4) & 0x0FFF; crc = crc ^ r ^ crc_16_table[*p & 0xF]; r = crc_16_table[crc & 0xF]; crc = (crc >> 4) & 0x0FFF; crc = crc ^ r ^ crc_16_table[(*p >> 4) & 0xF]; p++; } return(crc); } u16 calculateCrc(u32 offset, u32 size, u8 *blob) { const char buffer[size + 1]; if (blob == NULL) readData((u8 *)buffer, offset, size, NULL); else memcpy((u8 *)buffer, blob + offset, size); return get_crc_16(buffer, size); } u16 readCrc(u32 offset, u8 *blob) { u16 buffer; if (blob == NULL) readData((u8 *)&buffer, offset, sizeof(u16), NULL); else memcpy((u8 *)&buffer, blob + offset, sizeof(u16)); return buffer; } bool validateCrc(u32 offset, u32 size, u8 *blob) { return calculateCrc(offset, size, blob) == readCrc(offset + size, blob); } bool calculateAndWriteCrc(u32 offset, u32 size) { u16 crcValue = calculateCrc(offset, size, NULL); u8 crc[2] = { crcValue & 0xff, crcValue >> 8 }; // bytes of u16 return writeData(crc, offset + size, sizeof(u16), NULL); } void validateChecksums(u8 *blob) { if (!validateCrc(0x0250, 0x1E, blob)) gfx_printf("%kWarning - invalid serial crc\n", COLOR_RED); if (!validateCrc(0x0480, 0x18E, blob)) gfx_printf("%kWarning - invalid ECC-B233 crc...\n", COLOR_RED); if (!validateCrc(0x3AE0, 0x13E, blob)) gfx_printf("%kWarning - invalid ext SSL key crc...\n", COLOR_RED); if (!validateCrc(0x35A0, 0x07E, blob)) gfx_printf("%kWarning - invalid ECDSA cert crc...\n", COLOR_RED); if (!validateCrc(0x36A0, 0x09E, blob)) gfx_printf("%kWarning - invalid ECQV-BLS cert crc...\n", COLOR_RED); } bool dump_keys() { display_backlight_brightness(100, 1000); gfx_clear_partial_grey(0x1B, 0, 1256); gfx_con_setpos(0, 0); gfx_print_header(); gfx_printf("%kGetting bis_keys...\n", COLOR_YELLOW); u32 retries = 0; tsec_ctxt_t tsec_ctxt; if (emummc_storage_init_mmc(&storage, &sdmmc) == 2) { EPRINTF("Unable to init MMC."); return false; } // Read package1. u8 *pkg1 = (u8 *)malloc(PKG1_MAX_SIZE); if (!emummc_storage_set_mmc_partition(&storage, EMMC_BOOT0)) { EPRINTF("Unable to set partition."); return false; } if (!emummc_storage_read(&emmc_storage, PKG1_OFFSET / NX_EMMC_BLOCKSIZE, PKG1_MAX_SIZE / NX_EMMC_BLOCKSIZE, pkg1)) { EPRINTF("Unable to read pkg1."); return false; } const pkg1_id_t *pkg1_id = pkg1_identify(pkg1); if (!pkg1_id) { EPRINTF("Unknown pkg1 version.\n Make sure you have the latest Incognito_RCM.\n If a new firmware version just came out,\n Incognito_RCM must be updated.\n Check Github for new release."); free(pkg1); return false; } tsec_ctxt.fw = _find_tsec_fw(pkg1); if (!tsec_ctxt.fw) { EPRINTF("Failed to locate TSEC firmware."); free(pkg1); return false; } tsec_ctxt.pkg1 = pkg1; tsec_ctxt.size = _get_tsec_fw_size((tsec_key_data_t *)(tsec_ctxt.fw + TSEC_KEY_DATA_OFFSET)); if (tsec_ctxt.size > PKG1_MAX_SIZE) { EPRINTF("Unexpected TSEC firmware size."); return false; } if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) { se_aes_key_read(se_key_acc_ctrl_get(12) == 0x6A ? 13 : 12, master_key[KB_FIRMWARE_VERSION_MAX], 0x10); } //get_tsec: ; u8 tsec_keys[0x10 * 2] = {0}; if (pkg1_id->kb == KB_FIRMWARE_VERSION_620) { u8 *tsec_paged = (u8 *)page_alloc(3); memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size); tsec_ctxt.fw = tsec_paged; } int res = 0; mc_disable_ahb_redirect(); while (tsec_query(tsec_keys, pkg1_id->kb, &tsec_ctxt) < 0) { memset(tsec_keys, 0x00, 0x20); retries++; if (retries > 15) { res = -1; break; } } free(pkg1); mc_enable_ahb_redirect(); if (res < 0) { EPRINTFARGS("ERROR %x dumping TSEC.\n", res); return false; } // Master key derivation // on firmware 6.2.0 only, tsec_query delivers the tsec_root_key if (pkg1_id->kb == KB_FIRMWARE_VERSION_620 && _key_exists(tsec_keys + 0x10)) { se_aes_key_set(8, tsec_keys + 0x10, 0x10); // mkek6 = unwrap(mkeks6, tsecroot) se_aes_crypt_block_ecb(8, 0, master_kek[6], master_kek_sources[0]); se_aes_key_set(8, master_kek[6], 0x10); // mkey = unwrap(mkek, mks) se_aes_crypt_block_ecb(8, 0, master_key[6], master_key_source); } u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE); encrypted_keyblob_t *current_keyblob = (encrypted_keyblob_t *)keyblob_block; u8 keyblob_mac[0x10] = {0}; u32 sbk[4] = {FUSE(FUSE_PRIVATE_KEY0), FUSE(FUSE_PRIVATE_KEY1), FUSE(FUSE_PRIVATE_KEY2), FUSE(FUSE_PRIVATE_KEY3)}; se_aes_key_set(8, tsec_keys, sizeof(tsec_keys) / 2); se_aes_key_set(9, sbk, sizeof(sbk)); if (!emummc_storage_read(&storage, KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_block)) { EPRINTF("Unable to read keyblob."); } for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++, current_keyblob++) { se_aes_crypt_block_ecb(8, 0, keyblob_key[i], keyblob_key_source[i]); // temp = unwrap(kbks, tsec) se_aes_crypt_block_ecb(9, 0, keyblob_key[i], keyblob_key[i]); // kbk = unwrap(temp, sbk) se_aes_key_set(7, keyblob_key[i], sizeof(keyblob_key[i])); se_aes_crypt_block_ecb(7, 0, keyblob_mac_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk) if (i == 0) { se_aes_crypt_block_ecb(7, 0, device_key, per_console_key_source); // devkey = unwrap(pcks, kbk0) se_aes_crypt_block_ecb(7, 0, device_key_4x, device_master_key_source_kek_source); } // verify keyblob is not corrupt se_aes_key_set(10, keyblob_mac_key[i], sizeof(keyblob_mac_key[i])); se_aes_cmac(10, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t)); if (memcmp(current_keyblob, keyblob_mac, sizeof(keyblob_mac)) != 0) { EPRINTFARGS("Keyblob %x corrupt.", i); continue; } // decrypt keyblobs se_aes_key_set(6, keyblob_key[i], sizeof(keyblob_key[i])); se_aes_crypt_ctr(6, &keyblob[i], sizeof(keyblob_t), ¤t_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv); memcpy(package1_key[i], keyblob[i].package1_key, sizeof(package1_key[i])); memcpy(master_kek[i], keyblob[i].master_kek, sizeof(master_kek[i])); se_aes_key_set(7, master_kek[i], sizeof(master_kek[i])); se_aes_crypt_block_ecb(7, 0, master_key[i], master_key_source); } free(keyblob_block); /* key = unwrap(source, wrapped_key): key_set(ks, wrapped_key), block_ecb(ks, 0, key, source) -> final key in key */ u32 key_generation = fuse_read_odm_keygen_rev(); if (key_generation) key_generation--; if (_key_exists(device_key)) { if (key_generation) { _get_device_key(8, temp_key, key_generation, device_key_4x, master_key[0]); } else memcpy(temp_key, device_key, 0x10); se_aes_key_set(8, temp_key, 0x10); se_aes_unwrap_key(8, 8, retail_specific_aes_key_source); // kek = unwrap(rsaks, devkey) se_aes_crypt_block_ecb(8, 0, bis_key[0] + 0x00, bis_key_source[0] + 0x00); // bkey = unwrap(bkeys, kek) se_aes_crypt_block_ecb(8, 0, bis_key[0] + 0x10, bis_key_source[0] + 0x10); // kek = generate_kek(bkeks, devkey, aeskek, aeskey) _generate_kek(8, bis_kek_source, temp_key, aes_kek_generation_source, aes_key_generation_source); se_aes_crypt_block_ecb(8, 0, bis_key[1] + 0x00, bis_key_source[1] + 0x00); // bkey = unwrap(bkeys, kek) se_aes_crypt_block_ecb(8, 0, bis_key[1] + 0x10, bis_key_source[1] + 0x10); se_aes_crypt_block_ecb(8, 0, bis_key[2] + 0x00, bis_key_source[2] + 0x00); se_aes_crypt_block_ecb(8, 0, bis_key[2] + 0x10, bis_key_source[2] + 0x10); memcpy(bis_key[3], bis_key[2], 0x20); } // Set BIS keys. se_aes_key_set(8, bis_key[0] + 0x00, AES_128_KEY_SIZE); se_aes_key_set(9, bis_key[0] + 0x10, AES_128_KEY_SIZE); if (!emummc_storage_set_mmc_partition(&storage, EMMC_GPP)) { EPRINTF("Unable to set partition."); return false; } // Parse eMMC GPT. LIST_INIT(gpt); nx_emmc_gpt_parse(&gpt, &storage); // Find PRODINFO partition. prodinfo_part = nx_emmc_part_find(&gpt, "PRODINFO"); if (!prodinfo_part) { EPRINTF("Unable to locate PRODINFO partition."); return false; } gfx_printf("%kGot keys!\n%kValidate...", COLOR_GREEN, COLOR_YELLOW); const char magic[4] = "CAL0"; char buffer[4]; readData((u8 *)buffer, 0, 4, NULL); if (memcmp(magic, buffer, 4) == 0) { gfx_printf("%kOK!\n", COLOR_GREEN); } else { gfx_printf("%kError!\n", COLOR_RED); return false; } char serial[15]; readData((u8 *)serial, 0x250, 14, NULL); gfx_printf("%kCurrent serial: [%s]\n\n", COLOR_BLUE, serial); return true; } bool erase(u32 offset, u32 length) { u8 *tmp = (u8 *)calloc(length, sizeof(u8)); bool result = writeData(tmp, offset, length, NULL); free(tmp); return result; } bool writeSerial() { const char *junkSerial; if (isSysNAND()) { junkSerial = "XAW00000000000"; } else { junkSerial = "XAW00000000001"; } const u32 serialOffset = 0x250; if (!writeData((u8 *)junkSerial, serialOffset, 14, NULL)) return false; return calculateAndWriteCrc(serialOffset, 0x1E); } bool incognito() { gfx_printf("%kChecking if backup exists...\n", COLOR_YELLOW); if (!checkBackupExists()) { gfx_printf("%kI'm sorry Dave, I'm afraid I can't do that..\n%kWill make a backup first...\n", COLOR_RED, COLOR_YELLOW); if (!backupProdinfo()) return false; } validateChecksums(NULL); gfx_printf("%kWriting fake serial...\n", COLOR_YELLOW); if (!writeSerial()) return false; /* gfx_printf("%kErasing ECC-B233 device cert...\n", COLOR_YELLOW); if (!erase(0x0480, 0x180)) return false; if (!calculateAndWriteCrc(0x0480, 0x18E)) // whatever I do here, it crashes Atmos..? return false; */ gfx_printf("%kErasing SSL cert...\n", COLOR_YELLOW); if (!erase(0x0AE0, 0x800)) return false; gfx_printf("%kErasing extended SSL key...\n", COLOR_YELLOW); if (!erase(0x3AE0, 0x130)) return false; gfx_printf("%kWriting checksum...\n", COLOR_YELLOW); if (!calculateAndWriteCrc(0x3AE0, 0x13E)) return false; gfx_printf("%kErasing Amiibo ECDSA cert...\n", COLOR_YELLOW); if (!erase(0x35A0, 0x070)) return false; gfx_printf("%kWriting checksum...\n", COLOR_YELLOW); if (!calculateAndWriteCrc(0x35A0, 0x07E)) return false; gfx_printf("%kErasing Amiibo ECQV-BLS root cert...\n", COLOR_YELLOW); if (!erase(0x36A0, 0x090)) return false; gfx_printf("%kWriting checksum...\n", COLOR_YELLOW); if (!calculateAndWriteCrc(0x36A0, 0x09E)) return false; gfx_printf("%kErasing RSA-2048 extended device key...\n", COLOR_YELLOW); if (!erase(0x3D70, 0x240)) // seems empty & unused! return false; gfx_printf("%kErasing RSA-2048 device certificate...\n", COLOR_YELLOW); if (!erase(0x3FC0, 0x240)) // seems empty & unused! return false; gfx_printf("%kWriting SSL cert hash...\n", COLOR_YELLOW); if (!writeClientCertHash()) return false; gfx_printf("%kWriting body hash...\n", COLOR_YELLOW); if (!writeCal0Hash()) return false; gfx_printf("\n%kIncognito done!\n", COLOR_GREEN); return true; } u32 divideCeil(u32 x, u32 y) { return 1 + ((x - 1) / y); } void cleanUp() { h_cfg.emummc_force_disable = emu_cfg.sector == 0 && !emu_cfg.path; //nx_emmc_gpt_free(&gpt); //emummc_storage_end(&storage); } static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed) { if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed)) return; se_aes_key_set(ks, master_key, 0x10); se_aes_unwrap_key(ks, ks, kek_seed); se_aes_unwrap_key(ks, ks, key_source); if (key_seed && _key_exists(key_seed)) se_aes_unwrap_key(ks, ks, key_seed); } static void _get_device_key(u32 ks, void *out_device_key, u32 revision, const void *device_key, const void *master_key) { if (revision < KB_FIRMWARE_VERSION_400) memcpy(out_device_key, device_key, 0x10); revision -= KB_FIRMWARE_VERSION_400; u8 temp_key[0x10] = {0}; se_aes_key_set(ks, device_key, 0x10); se_aes_crypt_ecb(ks, 0, temp_key, 0x10, device_master_key_source_sources[revision], 0x10); se_aes_key_set(ks, master_key, 0x10); se_aes_unwrap_key(ks, ks, device_master_kek_sources[revision]); se_aes_crypt_ecb(ks, 0, out_device_key, 0x10, temp_key, 0x10); } bool readData(u8 *buffer, u32 offset, u32 length, void (*progress_callback)(u32, u32)) { if (progress_callback != NULL) { (*progress_callback)(0, length); } bool result = false; u32 sector = (offset / NX_EMMC_BLOCKSIZE); u32 newOffset = (offset % NX_EMMC_BLOCKSIZE); u32 sectorCount = divideCeil(newOffset + length, NX_EMMC_BLOCKSIZE); u8 *tmp = (u8 *)malloc(sectorCount * NX_EMMC_BLOCKSIZE); u32 clusterOffset = sector % SECTORS_IN_CLUSTER; u32 sectorOffset = 0; while (clusterOffset + sectorCount > SECTORS_IN_CLUSTER) { u32 sectorsToRead = SECTORS_IN_CLUSTER - clusterOffset; if (!RETRY(prodinfo_read(tmp + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorsToRead))) goto out; sector += sectorsToRead; sectorCount -= sectorsToRead; clusterOffset = 0; sectorOffset += sectorsToRead; if (progress_callback != NULL) { (*progress_callback)(sectorOffset * NX_EMMC_BLOCKSIZE, length); } } if (sectorCount == 0) goto done; if (!RETRY(prodinfo_read(tmp + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorCount))) goto out; memcpy(buffer, tmp + newOffset, length); done: result = true; if (progress_callback != NULL) { (*progress_callback)(length, length); } out: free(tmp); return result; } bool writeData(u8 *buffer, u32 offset, u32 length, void (*progress_callback)(u32, u32)) { if (progress_callback != NULL) { (*progress_callback)(0, length); } bool result = false; u32 initialLength = length; u8 *tmp_sec = (u8 *)malloc(NX_EMMC_BLOCKSIZE); u8 *tmp = NULL; u32 sector = (offset / NX_EMMC_BLOCKSIZE); u32 newOffset = (offset % NX_EMMC_BLOCKSIZE); // if there is a sector offset, read involved sector, write data to it with offset and write back whole sector to be sector aligned if (newOffset > 0) { u32 bytesToRead = NX_EMMC_BLOCKSIZE - newOffset; u32 bytesToWrite; if (length >= bytesToRead) { bytesToWrite = bytesToRead; } else { bytesToWrite = length; } if (!RETRY(prodinfo_read(tmp_sec, sector, 1))) goto out; memcpy(tmp_sec + newOffset, buffer, bytesToWrite); if (!RETRY(prodinfo_write(tmp_sec, sector, 1))) goto out; sector++; length -= bytesToWrite; newOffset = bytesToWrite; if (progress_callback != NULL) { (*progress_callback)(initialLength - length, initialLength); } // are we done? if (length == 0) goto done; } // write whole sectors in chunks while being cluster aligned u32 sectorCount = length / NX_EMMC_BLOCKSIZE; tmp = (u8 *)malloc(sectorCount * NX_EMMC_BLOCKSIZE); u32 clusterOffset = sector % SECTORS_IN_CLUSTER; u32 sectorOffset = 0; while (clusterOffset + sectorCount >= SECTORS_IN_CLUSTER) { u32 sectorsToRead = SECTORS_IN_CLUSTER - clusterOffset; if (!RETRY(prodinfo_write(buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorsToRead))) goto out; sector += sectorsToRead; sectorOffset += sectorsToRead; sectorCount -= sectorsToRead; clusterOffset = 0; length -= sectorsToRead * NX_EMMC_BLOCKSIZE; if (progress_callback != NULL) { (*progress_callback)(initialLength - length, initialLength); } } // write remaining sectors if (sectorCount > 0) { if (!RETRY(prodinfo_write(buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorCount))) goto out; length -= sectorCount * NX_EMMC_BLOCKSIZE; sector += sectorCount; sectorOffset += sectorCount; if (progress_callback != NULL) { (*progress_callback)(initialLength - length, initialLength); } } // if there is data remaining that is smaller than a sector, read that sector, write remaining data to it and write back whole sector if (length == 0) goto done; if (length > NX_EMMC_BLOCKSIZE) { gfx_printf("%kERROR, ERRO! Length is %d!\n", COLOR_RED, length); goto out; } if (!RETRY(prodinfo_read(tmp_sec, sector, 1))) goto out; memcpy(tmp_sec, buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), length); if (!RETRY(prodinfo_write(tmp_sec, sector, 1))) goto out; done: result = true; if (progress_callback != NULL) { (*progress_callback)(initialLength, initialLength); } out: free(tmp_sec); free(tmp); return result; } bool writeHash(u32 hashOffset, u32 offset, u32 sz) { bool result = false; u8 *buffer = (u8 *)malloc(sz); if (!readData(buffer, offset, sz, NULL)) { goto out; } u8 hash[0x20]; se_calc_sha256(hash, buffer, sz); if (!writeData(hash, hashOffset, 0x20, NULL)) { goto out; } result = true; out: free(buffer); return result; } #ifdef DEBUG void screenshot(const char *filename) { sd_mount(); FIL fp; if (f_open(&fp, filename, FA_CREATE_ALWAYS | FA_WRITE) != FR_OK) { gfx_printf("\n%kCannot write image!\n", COLOR_RED); return; } u32 size; u8 *buffer = gfx_bmp_screenshot(&size); f_write(&fp, buffer, size, NULL); f_close(&fp); free(buffer); } #endif bool verifyHash(u32 hashOffset, u32 offset, u32 sz, u8 *blob) { bool result = false; u8 *buffer = (u8 *)malloc(sz); if (blob == NULL) { if (!readData(buffer, offset, sz, NULL)) goto out; } else { memcpy(buffer, blob + offset, sz); } u8 hash1[0x20]; se_calc_sha256(hash1, buffer, sz); u8 hash2[0x20]; if (blob == NULL) { if (!readData(hash2, hashOffset, 0x20, NULL)) goto out; } else { memcpy(hash2, blob + hashOffset, 0x20); } if (memcmp(hash1, hash2, 0x20) != 0) { EPRINTF("error: hash verification failed\n"); // gfx_hexdump(0, hash1, 0x20); // gfx_hexdump(0, hash2, 0x20); goto out; } result = true; out: free(buffer); return result; } s32 getClientCertSize(u8 *blob) { s32 buffer; if (blob == NULL) { if (!RETRY(readData((u8 *)&buffer, 0x0AD0, sizeof(buffer), NULL))) { return -1; } } else { memcpy(&buffer, blob + 0x0AD0, sizeof(buffer)); } return buffer; } s32 getCalibrationDataSize(u8 *blob) { s32 buffer; if (blob == NULL) { if (!RETRY(readData((u8 *)&buffer, 0x08, sizeof(buffer), NULL))) { return -1; } } else { memcpy(&buffer, blob + 0x08, sizeof(buffer)); } return buffer; } bool writeCal0Hash() { s32 calibrationSize = getCalibrationDataSize(NULL); if (calibrationSize == -1) return false; return writeHash(0x20, 0x40, calibrationSize); } bool writeClientCertHash() { s32 certSize = getClientCertSize(NULL); if (certSize == -1) return false; return writeHash(0x12E0, 0xAE0, certSize); } bool verifyCal0Hash(u8 *blob) { s32 calibrationSize = getCalibrationDataSize(blob); if (calibrationSize == -1) return false; return verifyHash(0x20, 0x40, calibrationSize, blob); } bool verifyClientCertHash(u8 *blob) { s32 certSize = getClientCertSize(blob); if (certSize == -1) return false; return verifyHash(0x12E0, 0xAE0, certSize, blob); } bool verifyProdinfo(u8 *blob) { gfx_printf("%kVerifying client cert hash and CAL0 hash%s...\n", COLOR_YELLOW, blob != NULL ? "\nfrom backup" : ""); if (verifyClientCertHash(blob) && verifyCal0Hash(blob)) { validateChecksums(blob); char serial[15] = ""; if (blob == NULL) { readData((u8 *)serial, 0x250, 14, NULL); } else { memcpy(serial, blob + 0x250, 14); } gfx_printf("%kVerification successful!\n%kSerial:%s\n", COLOR_GREEN, COLOR_BLUE, serial); return true; } gfx_printf("%kVerification not successful!\n", COLOR_RED); return false; } void print_progress(u32 count, u32 max) { tui_pbar(0, gfx_con.y + 1, (int)(count * 100 / (float)max), COLOR_BLUE, COLOR_ORANGE); } bool isSysNAND() { return (!emu_cfg.enabled || h_cfg.emummc_force_disable); } bool checkBackupExists() { char *name; if (isSysNAND()) { name = BACKUP_NAME_SYSNAND; } else { name = BACKUP_NAME_EMUNAND; } return f_stat(name, NULL) == FR_OK; } bool backupProdinfo() { bool result = false; char *name; if (isSysNAND()) { name = BACKUP_NAME_SYSNAND; } else { name = BACKUP_NAME_EMUNAND; } gfx_printf("%kBacking up %s...\n", COLOR_YELLOW, name); if (checkBackupExists()) { gfx_printf("%kBackup already exists!\nWill rename old backup.\n", COLOR_ORANGE); u32 filenameSuffix = 0; char newName[255]; do { sprintf(newName, "%s.%d", name, filenameSuffix); filenameSuffix++; } while (f_stat(newName, NULL) == FR_OK); f_rename(name, newName); gfx_printf("%kOld backup renamed to:\n%s\n", COLOR_YELLOW, newName); } FIL fp; if (f_open(&fp, name, FA_CREATE_ALWAYS | FA_WRITE) != FR_OK) { gfx_printf("\n%kCannot write to %s!\n", COLOR_RED, name); return false; } u8 *bufferNX = (u8 *)malloc(PRODINFO_SIZE); gfx_printf("%kReading from NAND...\n", COLOR_YELLOW); if (!readData(bufferNX, 0, PRODINFO_SIZE, print_progress)) { gfx_printf("\n%kError reading from NAND!\n", COLOR_RED); goto out; } gfx_putc('\n'); if (!verifyProdinfo(bufferNX)) { goto out; } gfx_printf("%k\nWriting to file...\n", COLOR_YELLOW); u32 bytesWritten; if (f_write(&fp, bufferNX, PRODINFO_SIZE, &bytesWritten) != FR_OK || bytesWritten != PRODINFO_SIZE) { gfx_printf("\n%kError writing to file!\nPlease try again. If this doesn't work, you don't have a working backup!\n", COLOR_RED); goto out; } f_sync(&fp); result = true; gfx_printf("\n%kBackup to %s done!\n", COLOR_GREEN, name); out: f_close(&fp); free(bufferNX); return result; } bool restoreProdinfo() { bool result = false; sd_mount(); const char *name; if (isSysNAND()) { name = BACKUP_NAME_SYSNAND; } else { name = BACKUP_NAME_EMUNAND; } gfx_printf("%kRestoring from %s...\n", COLOR_YELLOW, name); FIL fp; if (f_open(&fp, name, FA_READ) != FR_OK) { gfx_printf("\n%kCannot open %s!\n", COLOR_RED, name); return false; } u8 *bufferNX = (u8 *)malloc(PRODINFO_SIZE); u32 bytesRead; gfx_printf("%kReading from file...\n", COLOR_YELLOW); if (f_read(&fp, bufferNX, PRODINFO_SIZE, &bytesRead) != FR_OK || bytesRead != PRODINFO_SIZE) { gfx_printf("\n%kError reading from file!\n", COLOR_RED); goto out; } if (!verifyProdinfo(bufferNX)) { goto out; } gfx_printf("%kWriting to NAND...\n", COLOR_YELLOW); if (!writeData(bufferNX, 0, PRODINFO_SIZE, print_progress)) { gfx_printf("\n%kError writing to NAND!\nThis is bad. Try again, because your switch probably won't boot.\n" "If you see this error again, you should restore via NAND backup in hekate.\n", COLOR_RED); goto out; } result = true; gfx_printf("\n%kRestore from %s done!\n\n", COLOR_GREEN, name); out: f_close(&fp); free(bufferNX); return result; }