mirror of
https://github.com/Scandal-UK/Incognito_RCM.git
synced 2024-11-26 05:42:25 +00:00
1053 lines
29 KiB
C
1053 lines
29 KiB
C
/*
|
|
* Copyright (c) 2019 shchmue
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms and conditions of the GNU General Public License,
|
|
* version 2, as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|
* more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "incognito.h"
|
|
|
|
#include "../config/config.h"
|
|
#include "../gfx/di.h"
|
|
#include "../gfx/gfx.h"
|
|
#include "../gfx/tui.h"
|
|
#include "../hos/hos.h"
|
|
#include "../hos/pkg1.h"
|
|
#include "../hos/pkg2.h"
|
|
#include "../hos/sept.h"
|
|
#include "../libs/fatfs/ff.h"
|
|
#include "../mem/heap.h"
|
|
#include "../mem/mc.h"
|
|
#include "../mem/sdram.h"
|
|
#include "../sec/se.h"
|
|
#include "../sec/se_t210.h"
|
|
#include "../sec/tsec.h"
|
|
#include "../soc/fuse.h"
|
|
#include "../soc/smmu.h"
|
|
#include "../soc/t210.h"
|
|
#include "../storage/emummc.h"
|
|
#include "../storage/nx_emmc.h"
|
|
#include "../storage/sdmmc.h"
|
|
#include "../utils/btn.h"
|
|
#include "../utils/list.h"
|
|
#include "../utils/sprintf.h"
|
|
#include "../utils/util.h"
|
|
|
|
#include "key_sources.inl"
|
|
|
|
#include "io/io.h"
|
|
#include <string.h>
|
|
|
|
#define RETRY_COUNT 5
|
|
#define RETRY(exp) \
|
|
({ \
|
|
u8 _attemptc_ = RETRY_COUNT; \
|
|
bool _resultb_ = false; \
|
|
while (_attemptc_--) \
|
|
{ \
|
|
if ((_resultb_ = exp)) \
|
|
break; \
|
|
gfx_printf("%kretry %d/%d...\n", COLOR_RED, RETRY_COUNT - _attemptc_, RETRY_COUNT); \
|
|
} \
|
|
_resultb_; \
|
|
})
|
|
|
|
extern bool sd_mount();
|
|
extern void sd_unmount();
|
|
extern int sd_save_to_file(void *buf, u32 size, const char *filename);
|
|
|
|
extern hekate_config h_cfg;
|
|
|
|
u32 _key_count = 0;
|
|
sdmmc_storage_t storage;
|
|
sdmmc_t sdmmc;
|
|
emmc_part_t *system_part;
|
|
emmc_part_t *prodinfo_part;
|
|
|
|
#define SECTORS_IN_CLUSTER 32
|
|
#define PRODINFO_SIZE 0x3FBC00
|
|
|
|
#define BACKUP_NAME_EMUNAND "sd:/prodinfo_emunand.bin"
|
|
#define BACKUP_NAME_SYSNAND "sd:/prodinfo_sysnand.bin"
|
|
|
|
static u8 temp_key[0x10],
|
|
bis_key[4][0x20] = {0},
|
|
device_key[0x10] = {0},
|
|
device_key_4x[0x10] = {0},
|
|
keyblob[KB_FIRMWARE_VERSION_600 + 1][0x90] = {0},
|
|
keyblob_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0},
|
|
keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0},
|
|
package1_key[KB_FIRMWARE_VERSION_600 + 1][0x10] = {0},
|
|
// master key-derived families
|
|
master_kek[KB_FIRMWARE_VERSION_MAX + 1][0x10] = {0},
|
|
master_key[KB_FIRMWARE_VERSION_MAX + 1][0x10] = {0};
|
|
|
|
LIST_INIT(gpt);
|
|
|
|
// key functions
|
|
static int _key_exists(const void *data) { return memcmp(data, zeros, 0x10) != 0; };
|
|
static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed);
|
|
static void _get_device_key(u32 ks, void *out_device_key, u32 revision, const void *device_key, const void *master_key);
|
|
|
|
unsigned int crc_16_table[16] = {
|
|
0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
|
|
0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400 };
|
|
|
|
unsigned short int get_crc_16 (const char *p, int n) {
|
|
unsigned short int crc = 0x55AA;
|
|
int r;
|
|
|
|
while (n-- > 0) {
|
|
r = crc_16_table[crc & 0xF];
|
|
crc = (crc >> 4) & 0x0FFF;
|
|
crc = crc ^ r ^ crc_16_table[*p & 0xF];
|
|
|
|
r = crc_16_table[crc & 0xF];
|
|
crc = (crc >> 4) & 0x0FFF;
|
|
crc = crc ^ r ^ crc_16_table[(*p >> 4) & 0xF];
|
|
|
|
p++;
|
|
}
|
|
|
|
return(crc);
|
|
}
|
|
|
|
u16 calculateCrc(u32 offset, u32 size, u8 *blob)
|
|
{
|
|
const char buffer[size + 1];
|
|
if (blob == NULL)
|
|
readData((u8 *)buffer, offset, size, NULL);
|
|
else
|
|
memcpy((u8 *)buffer, blob + offset, size);
|
|
|
|
return get_crc_16(buffer, size);
|
|
}
|
|
|
|
u16 readCrc(u32 offset, u8 *blob)
|
|
{
|
|
u16 buffer;
|
|
if (blob == NULL)
|
|
readData((u8 *)&buffer, offset, sizeof(u16), NULL);
|
|
else
|
|
memcpy((u8 *)&buffer, blob + offset, sizeof(u16));
|
|
|
|
return buffer;
|
|
}
|
|
|
|
bool validateCrc(u32 offset, u32 size, u8 *blob)
|
|
{
|
|
return calculateCrc(offset, size, blob) == readCrc(offset + size, blob);
|
|
}
|
|
|
|
bool calculateAndWriteCrc(u32 offset, u32 size)
|
|
{
|
|
u16 crcValue = calculateCrc(offset, size, NULL);
|
|
u8 crc[2] = { crcValue & 0xff, crcValue >> 8 }; // bytes of u16
|
|
return writeData(crc, offset + size, sizeof(u16), NULL);
|
|
}
|
|
|
|
void validateChecksums(u8 *blob)
|
|
{
|
|
if (!validateCrc(0x0250, 0x1E, blob))
|
|
gfx_printf("%kWarning - invalid serial crc\n", COLOR_RED);
|
|
|
|
if (!validateCrc(0x0480, 0x18E, blob))
|
|
gfx_printf("%kWarning - invalid ECC-B233 crc...\n", COLOR_RED);
|
|
|
|
if (!validateCrc(0x3AE0, 0x13E, blob))
|
|
gfx_printf("%kWarning - invalid ext SSL key crc...\n", COLOR_RED);
|
|
|
|
if (!validateCrc(0x35A0, 0x07E, blob))
|
|
gfx_printf("%kWarning - invalid ECDSA cert crc...\n", COLOR_RED);
|
|
|
|
if (!validateCrc(0x36A0, 0x09E, blob))
|
|
gfx_printf("%kWarning - invalid ECQV-BLS cert crc...\n", COLOR_RED);
|
|
}
|
|
|
|
bool dump_keys()
|
|
{
|
|
display_backlight_brightness(100, 1000);
|
|
gfx_clear_partial_grey(0x1B, 0, 1256);
|
|
gfx_con_setpos(0, 0);
|
|
|
|
gfx_print_header();
|
|
|
|
gfx_printf("%kGetting bis_keys...\n", COLOR_YELLOW);
|
|
|
|
u32 retries = 0;
|
|
|
|
tsec_ctxt_t tsec_ctxt;
|
|
|
|
if (emummc_storage_init_mmc(&storage, &sdmmc) == 2)
|
|
{
|
|
EPRINTF("Unable to init MMC.");
|
|
return false;
|
|
}
|
|
|
|
// Read package1.
|
|
u8 *pkg1 = (u8 *)malloc(0x40000);
|
|
emummc_storage_set_mmc_partition(&storage, EMMC_BOOT0);
|
|
emummc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, pkg1);
|
|
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1);
|
|
if (!pkg1_id)
|
|
{
|
|
EPRINTF("Unknown pkg1 version.\n Make sure you have the latest Incognito_RCM.\n If a new firmware version just came out,\n Incognito_RCM must be updated.\n Check Github for new release.");
|
|
free(pkg1);
|
|
return false;
|
|
}
|
|
|
|
bool found_tsec_fw = false;
|
|
for (const u32 *pos = (const u32 *)pkg1; (u8 *)pos < pkg1 + 0x40000; pos += 0x100 / sizeof(u32))
|
|
{
|
|
if (*pos == 0xCF42004D)
|
|
{
|
|
tsec_ctxt.fw = (u8 *)pos;
|
|
found_tsec_fw = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!found_tsec_fw)
|
|
{
|
|
EPRINTF("Failed to locate TSEC firmware.");
|
|
free(pkg1);
|
|
return false;
|
|
}
|
|
|
|
tsec_key_data_t *key_data = (tsec_key_data_t *)(tsec_ctxt.fw + TSEC_KEY_DATA_ADDR);
|
|
tsec_ctxt.pkg1 = pkg1;
|
|
tsec_ctxt.size = 0x100 + key_data->blob0_size + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size;
|
|
|
|
// u32 MAX_KEY = 6;
|
|
// if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
|
|
// {
|
|
// MAX_KEY = pkg1_id->kb + 1;
|
|
// }
|
|
|
|
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700)
|
|
{
|
|
se_aes_key_read(se_key_acc_ctrl_get(12) == 0x6A ? 13 : 12, master_key[KB_FIRMWARE_VERSION_MAX], 0x10);
|
|
}
|
|
|
|
//get_tsec: ;
|
|
u8 tsec_keys[0x10 * 2] = {0};
|
|
|
|
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
|
|
{
|
|
u8 *tsec_paged = (u8 *)page_alloc(3);
|
|
memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size);
|
|
tsec_ctxt.fw = tsec_paged;
|
|
}
|
|
|
|
int res = 0;
|
|
|
|
mc_disable_ahb_redirect();
|
|
|
|
while (tsec_query(tsec_keys, pkg1_id->kb, &tsec_ctxt) < 0)
|
|
{
|
|
memset(tsec_keys, 0x00, 0x20);
|
|
retries++;
|
|
if (retries > 15)
|
|
{
|
|
res = -1;
|
|
break;
|
|
}
|
|
}
|
|
free(pkg1);
|
|
|
|
mc_enable_ahb_redirect();
|
|
|
|
if (res < 0)
|
|
{
|
|
EPRINTFARGS("ERROR %x dumping TSEC.\n", res);
|
|
return false;
|
|
}
|
|
|
|
// Master key derivation
|
|
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620 && _key_exists(tsec_keys + 0x10))
|
|
{
|
|
se_aes_key_set(8, tsec_keys + 0x10, 0x10); // mkek6 = unwrap(mkeks6, tsecroot)
|
|
se_aes_crypt_block_ecb(8, 0, master_kek[6], master_kek_sources[0]);
|
|
se_aes_key_set(8, master_kek[6], 0x10); // mkey = unwrap(mkek, mks)
|
|
se_aes_crypt_block_ecb(8, 0, master_key[6], master_key_source);
|
|
}
|
|
|
|
u8 *keyblob_block = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
|
u8 keyblob_mac[0x10] = {0};
|
|
u32 sbk[4] = {FUSE(FUSE_PRIVATE_KEY0), FUSE(FUSE_PRIVATE_KEY1),
|
|
FUSE(FUSE_PRIVATE_KEY2), FUSE(FUSE_PRIVATE_KEY3)};
|
|
se_aes_key_set(8, tsec_keys, 0x10);
|
|
se_aes_key_set(9, sbk, 0x10);
|
|
for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++)
|
|
{
|
|
se_aes_crypt_block_ecb(8, 0, keyblob_key[i], keyblob_key_source[i]); // temp = unwrap(kbks, tsec)
|
|
se_aes_crypt_block_ecb(9, 0, keyblob_key[i], keyblob_key[i]); // kbk = unwrap(temp, sbk)
|
|
se_aes_key_set(7, keyblob_key[i], 0x10);
|
|
se_aes_crypt_block_ecb(7, 0, keyblob_mac_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk)
|
|
if (i == 0)
|
|
{
|
|
se_aes_crypt_block_ecb(7, 0, device_key, per_console_key_source); // devkey = unwrap(pcks, kbk0)
|
|
se_aes_crypt_block_ecb(7, 0, device_key_4x, per_console_key_source_4x);
|
|
}
|
|
|
|
// verify keyblob is not corrupt
|
|
emummc_storage_read(&storage, 0x180000 / NX_EMMC_BLOCKSIZE + i, 1, keyblob_block);
|
|
se_aes_key_set(3, keyblob_mac_key[i], 0x10);
|
|
se_aes_cmac(3, keyblob_mac, 0x10, keyblob_block + 0x10, 0xa0);
|
|
if (memcmp(keyblob_block, keyblob_mac, 0x10) != 0)
|
|
{
|
|
EPRINTFARGS("Keyblob %x corrupt.", i);
|
|
// gfx_hexdump(i, keyblob_block, 0x10);
|
|
// gfx_hexdump(i, keyblob_mac, 0x10);
|
|
continue;
|
|
}
|
|
|
|
// decrypt keyblobs
|
|
se_aes_key_set(2, keyblob_key[i], 0x10);
|
|
se_aes_crypt_ctr(2, keyblob[i], 0x90, keyblob_block + 0x20, 0x90, keyblob_block + 0x10);
|
|
|
|
memcpy(package1_key[i], keyblob[i] + 0x80, 0x10);
|
|
memcpy(master_kek[i], keyblob[i], 0x10);
|
|
se_aes_key_set(7, master_kek[i], 0x10);
|
|
se_aes_crypt_block_ecb(7, 0, master_key[i], master_key_source);
|
|
}
|
|
free(keyblob_block);
|
|
|
|
u32 key_generation = 0;
|
|
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_500)
|
|
{
|
|
if ((fuse_read_odm(4) & 0x800) && fuse_read_odm(0) == 0x8E61ECAE && fuse_read_odm(1) == 0xF2BA3BB2)
|
|
{
|
|
key_generation = fuse_read_odm(2) & 0x1F;
|
|
if (key_generation)
|
|
key_generation--;
|
|
}
|
|
}
|
|
if (_key_exists(device_key))
|
|
{
|
|
if (key_generation)
|
|
{
|
|
_get_device_key(8, temp_key, key_generation, device_key_4x, master_key[0]);
|
|
}
|
|
else
|
|
memcpy(temp_key, device_key, 0x10);
|
|
se_aes_key_set(8, temp_key, 0x10);
|
|
se_aes_unwrap_key(8, 8, retail_specific_aes_key_source); // kek = unwrap(rsaks, devkey)
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[0] + 0x00, bis_key_source[0] + 0x00); // bkey = unwrap(bkeys, kek)
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[0] + 0x10, bis_key_source[0] + 0x10);
|
|
// kek = generate_kek(bkeks, devkey, aeskek, aeskey)
|
|
_generate_kek(8, bis_kek_source, temp_key, aes_kek_generation_source, aes_key_generation_source);
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[1] + 0x00, bis_key_source[1] + 0x00); // bkey = unwrap(bkeys, kek)
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[1] + 0x10, bis_key_source[1] + 0x10);
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[2] + 0x00, bis_key_source[2] + 0x00);
|
|
se_aes_crypt_block_ecb(8, 0, bis_key[2] + 0x10, bis_key_source[2] + 0x10);
|
|
memcpy(bis_key[3], bis_key[2], 0x20);
|
|
}
|
|
|
|
emummc_storage_set_mmc_partition(&storage, EMMC_GPP);
|
|
// Parse eMMC GPT.
|
|
|
|
nx_emmc_gpt_parse(&gpt, &storage);
|
|
|
|
// Find PRODINFO partition.
|
|
prodinfo_part = nx_emmc_part_find(&gpt, "PRODINFO");
|
|
if (!prodinfo_part)
|
|
{
|
|
EPRINTF("Failed to locate PRODINFO.");
|
|
return false;
|
|
}
|
|
|
|
se_aes_key_set(8, bis_key[0] + 0x00, 0x10);
|
|
se_aes_key_set(9, bis_key[0] + 0x10, 0x10);
|
|
|
|
gfx_printf("%kGot keys!\n%kValidate...", COLOR_GREEN, COLOR_YELLOW);
|
|
const char magic[4] = "CAL0";
|
|
char buffer[4];
|
|
readData((u8 *)buffer, 0, 4, NULL);
|
|
if (memcmp(magic, buffer, 4) == 0)
|
|
{
|
|
gfx_printf("%kOK!\n", COLOR_GREEN);
|
|
}
|
|
else
|
|
{
|
|
gfx_printf("%kError!\n", COLOR_RED);
|
|
return false;
|
|
}
|
|
|
|
char serial[15];
|
|
readData((u8 *)serial, 0x250, 14, NULL);
|
|
|
|
gfx_printf("%kCurrent serial: [%s]\n\n", COLOR_BLUE, serial);
|
|
|
|
return true;
|
|
}
|
|
|
|
bool erase(u32 offset, u32 length)
|
|
{
|
|
u8 *tmp = (u8 *)calloc(length, sizeof(u8));
|
|
bool result = writeData(tmp, offset, length, NULL);
|
|
free(tmp);
|
|
return result;
|
|
}
|
|
|
|
bool writeSerial()
|
|
{
|
|
const char *junkSerial;
|
|
if (isSysNAND())
|
|
{
|
|
junkSerial = "XAW00000000000";
|
|
}
|
|
else
|
|
{
|
|
junkSerial = "XAW00000000001";
|
|
}
|
|
|
|
const u32 serialOffset = 0x250;
|
|
if (!writeData((u8 *)junkSerial, serialOffset, 14, NULL))
|
|
return false;
|
|
|
|
return calculateAndWriteCrc(serialOffset, 0x1E);
|
|
}
|
|
|
|
bool incognito()
|
|
{
|
|
gfx_printf("%kChecking if backup exists...\n", COLOR_YELLOW);
|
|
if (!checkBackupExists())
|
|
{
|
|
gfx_printf("%kI'm sorry Dave, I'm afraid I can't do that..\n%kWill make a backup first...\n", COLOR_RED, COLOR_YELLOW);
|
|
if (!backupProdinfo())
|
|
return false;
|
|
}
|
|
|
|
validateChecksums(NULL);
|
|
|
|
gfx_printf("%kWriting fake serial...\n", COLOR_YELLOW);
|
|
if (!writeSerial())
|
|
return false;
|
|
/*
|
|
gfx_printf("%kErasing ECC-B233 device cert...\n", COLOR_YELLOW);
|
|
if (!erase(0x0480, 0x180))
|
|
return false;
|
|
|
|
if (!calculateAndWriteCrc(0x0480, 0x18E)) // whatever I do here, it crashes Atmos..?
|
|
return false;
|
|
*/
|
|
gfx_printf("%kErasing SSL cert...\n", COLOR_YELLOW);
|
|
if (!erase(0x0AE0, 0x800))
|
|
return false;
|
|
|
|
gfx_printf("%kErasing extended SSL key...\n", COLOR_YELLOW);
|
|
if (!erase(0x3AE0, 0x130))
|
|
return false;
|
|
|
|
gfx_printf("%kWriting checksum...\n", COLOR_YELLOW);
|
|
if (!calculateAndWriteCrc(0x3AE0, 0x13E))
|
|
return false;
|
|
|
|
gfx_printf("%kErasing Amiibo ECDSA cert...\n", COLOR_YELLOW);
|
|
if (!erase(0x35A0, 0x070))
|
|
return false;
|
|
|
|
gfx_printf("%kWriting checksum...\n", COLOR_YELLOW);
|
|
if (!calculateAndWriteCrc(0x35A0, 0x07E))
|
|
return false;
|
|
|
|
gfx_printf("%kErasing Amiibo ECQV-BLS root cert...\n", COLOR_YELLOW);
|
|
if (!erase(0x36A0, 0x090))
|
|
return false;
|
|
|
|
gfx_printf("%kWriting checksum...\n", COLOR_YELLOW);
|
|
if (!calculateAndWriteCrc(0x36A0, 0x09E))
|
|
return false;
|
|
|
|
gfx_printf("%kErasing RSA-2048 extended device key...\n", COLOR_YELLOW);
|
|
if (!erase(0x3D70, 0x240)) // seems empty & unused!
|
|
return false;
|
|
|
|
gfx_printf("%kErasing RSA-2048 device certificate...\n", COLOR_YELLOW);
|
|
if (!erase(0x3FC0, 0x240)) // seems empty & unused!
|
|
return false;
|
|
|
|
gfx_printf("%kWriting SSL cert hash...\n", COLOR_YELLOW);
|
|
if (!writeClientCertHash())
|
|
return false;
|
|
|
|
gfx_printf("%kWriting body hash...\n", COLOR_YELLOW);
|
|
if (!writeCal0Hash())
|
|
return false;
|
|
|
|
gfx_printf("\n%kIncognito done!\n", COLOR_GREEN);
|
|
return true;
|
|
}
|
|
|
|
u32 divideCeil(u32 x, u32 y)
|
|
{
|
|
return 1 + ((x - 1) / y);
|
|
}
|
|
|
|
void cleanUp()
|
|
{
|
|
|
|
h_cfg.emummc_force_disable = emummc_load_cfg();
|
|
//nx_emmc_gpt_free(&gpt);
|
|
//emummc_storage_end(&storage);
|
|
}
|
|
|
|
static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed)
|
|
{
|
|
if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed))
|
|
return;
|
|
|
|
se_aes_key_set(ks, master_key, 0x10);
|
|
se_aes_unwrap_key(ks, ks, kek_seed);
|
|
se_aes_unwrap_key(ks, ks, key_source);
|
|
if (key_seed && _key_exists(key_seed))
|
|
se_aes_unwrap_key(ks, ks, key_seed);
|
|
}
|
|
|
|
static void _get_device_key(u32 ks, void *out_device_key, u32 revision, const void *device_key, const void *master_key) {
|
|
if (revision < KB_FIRMWARE_VERSION_400)
|
|
memcpy(out_device_key, device_key, 0x10);
|
|
|
|
revision -= KB_FIRMWARE_VERSION_400;
|
|
u8 temp_key[0x10] = {0};
|
|
se_aes_key_set(ks, device_key, 0x10);
|
|
se_aes_crypt_ecb(ks, 0, temp_key, 0x10, new_device_key_sources[revision], 0x10);
|
|
se_aes_key_set(ks, master_key, 0x10);
|
|
se_aes_unwrap_key(ks, ks, new_device_keygen_sources[revision]);
|
|
se_aes_crypt_ecb(ks, 0, out_device_key, 0x10, temp_key, 0x10);
|
|
}
|
|
|
|
static inline u32 _read_le_u32(const void *buffer, u32 offset)
|
|
{
|
|
return (*(u8 *)(buffer + offset + 0)) |
|
|
(*(u8 *)(buffer + offset + 1) << 0x08) |
|
|
(*(u8 *)(buffer + offset + 2) << 0x10) |
|
|
(*(u8 *)(buffer + offset + 3) << 0x18);
|
|
}
|
|
|
|
bool readData(u8 *buffer, u32 offset, u32 length, void (*progress_callback)(u32, u32))
|
|
{
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(0, length);
|
|
}
|
|
bool result = false;
|
|
u32 sector = (offset / NX_EMMC_BLOCKSIZE);
|
|
u32 newOffset = (offset % NX_EMMC_BLOCKSIZE);
|
|
|
|
u32 sectorCount = divideCeil(newOffset + length, NX_EMMC_BLOCKSIZE);
|
|
|
|
u8 *tmp = (u8 *)malloc(sectorCount * NX_EMMC_BLOCKSIZE);
|
|
|
|
u32 clusterOffset = sector % SECTORS_IN_CLUSTER;
|
|
u32 sectorOffset = 0;
|
|
while (clusterOffset + sectorCount > SECTORS_IN_CLUSTER)
|
|
{
|
|
u32 sectorsToRead = SECTORS_IN_CLUSTER - clusterOffset;
|
|
if (!RETRY(prodinfo_read(tmp + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorsToRead)))
|
|
goto out;
|
|
|
|
sector += sectorsToRead;
|
|
sectorCount -= sectorsToRead;
|
|
clusterOffset = 0;
|
|
sectorOffset += sectorsToRead;
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(sectorOffset * NX_EMMC_BLOCKSIZE, length);
|
|
}
|
|
}
|
|
if (sectorCount == 0)
|
|
goto done;
|
|
|
|
if (!RETRY(prodinfo_read(tmp + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorCount)))
|
|
goto out;
|
|
|
|
memcpy(buffer, tmp + newOffset, length);
|
|
done:
|
|
result = true;
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(length, length);
|
|
}
|
|
out:
|
|
free(tmp);
|
|
return result;
|
|
}
|
|
|
|
bool writeData(u8 *buffer, u32 offset, u32 length, void (*progress_callback)(u32, u32))
|
|
{
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(0, length);
|
|
}
|
|
bool result = false;
|
|
|
|
u32 initialLength = length;
|
|
|
|
u8 *tmp_sec = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
|
|
u8 *tmp = NULL;
|
|
|
|
u32 sector = (offset / NX_EMMC_BLOCKSIZE);
|
|
u32 newOffset = (offset % NX_EMMC_BLOCKSIZE);
|
|
|
|
// if there is a sector offset, read involved sector, write data to it with offset and write back whole sector to be sector aligned
|
|
if (newOffset > 0)
|
|
{
|
|
u32 bytesToRead = NX_EMMC_BLOCKSIZE - newOffset;
|
|
u32 bytesToWrite;
|
|
if (length >= bytesToRead)
|
|
{
|
|
bytesToWrite = bytesToRead;
|
|
}
|
|
else
|
|
{
|
|
bytesToWrite = length;
|
|
}
|
|
if (!RETRY(prodinfo_read(tmp_sec, sector, 1)))
|
|
goto out;
|
|
|
|
memcpy(tmp_sec + newOffset, buffer, bytesToWrite);
|
|
if (!RETRY(prodinfo_write(tmp_sec, sector, 1)))
|
|
goto out;
|
|
|
|
sector++;
|
|
length -= bytesToWrite;
|
|
newOffset = bytesToWrite;
|
|
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(initialLength - length, initialLength);
|
|
}
|
|
// are we done?
|
|
if (length == 0)
|
|
goto done;
|
|
}
|
|
|
|
// write whole sectors in chunks while being cluster aligned
|
|
u32 sectorCount = length / NX_EMMC_BLOCKSIZE;
|
|
tmp = (u8 *)malloc(sectorCount * NX_EMMC_BLOCKSIZE);
|
|
|
|
u32 clusterOffset = sector % SECTORS_IN_CLUSTER;
|
|
u32 sectorOffset = 0;
|
|
while (clusterOffset + sectorCount >= SECTORS_IN_CLUSTER)
|
|
{
|
|
u32 sectorsToRead = SECTORS_IN_CLUSTER - clusterOffset;
|
|
if (!RETRY(prodinfo_write(buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorsToRead)))
|
|
goto out;
|
|
|
|
sector += sectorsToRead;
|
|
sectorOffset += sectorsToRead;
|
|
sectorCount -= sectorsToRead;
|
|
clusterOffset = 0;
|
|
length -= sectorsToRead * NX_EMMC_BLOCKSIZE;
|
|
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(initialLength - length, initialLength);
|
|
}
|
|
}
|
|
|
|
// write remaining sectors
|
|
if (sectorCount > 0)
|
|
{
|
|
if (!RETRY(prodinfo_write(buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), sector, sectorCount)))
|
|
goto out;
|
|
|
|
length -= sectorCount * NX_EMMC_BLOCKSIZE;
|
|
sector += sectorCount;
|
|
sectorOffset += sectorCount;
|
|
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(initialLength - length, initialLength);
|
|
}
|
|
}
|
|
|
|
// if there is data remaining that is smaller than a sector, read that sector, write remaining data to it and write back whole sector
|
|
if (length == 0)
|
|
goto done;
|
|
|
|
if (length > NX_EMMC_BLOCKSIZE)
|
|
{
|
|
gfx_printf("%kERROR, ERRO! Length is %d!\n", COLOR_RED, length);
|
|
goto out;
|
|
}
|
|
|
|
if (!RETRY(prodinfo_read(tmp_sec, sector, 1)))
|
|
goto out;
|
|
|
|
memcpy(tmp_sec, buffer + newOffset + (sectorOffset * NX_EMMC_BLOCKSIZE), length);
|
|
if (!RETRY(prodinfo_write(tmp_sec, sector, 1)))
|
|
goto out;
|
|
|
|
done:
|
|
result = true;
|
|
if (progress_callback != NULL)
|
|
{
|
|
(*progress_callback)(initialLength, initialLength);
|
|
}
|
|
out:
|
|
free(tmp_sec);
|
|
free(tmp);
|
|
return result;
|
|
}
|
|
|
|
bool writeHash(u32 hashOffset, u32 offset, u32 sz)
|
|
{
|
|
bool result = false;
|
|
u8 *buffer = (u8 *)malloc(sz);
|
|
if (!readData(buffer, offset, sz, NULL))
|
|
{
|
|
goto out;
|
|
}
|
|
u8 hash[0x20];
|
|
se_calc_sha256(hash, buffer, sz);
|
|
|
|
if (!writeData(hash, hashOffset, 0x20, NULL))
|
|
{
|
|
goto out;
|
|
}
|
|
result = true;
|
|
out:
|
|
free(buffer);
|
|
return result;
|
|
}
|
|
|
|
#ifdef DEBUG
|
|
void screenshot(const char *filename)
|
|
{
|
|
sd_mount();
|
|
|
|
FIL fp;
|
|
if (f_open(&fp, filename, FA_CREATE_ALWAYS | FA_WRITE) != FR_OK)
|
|
{
|
|
gfx_printf("\n%kCannot write image!\n", COLOR_RED);
|
|
return;
|
|
}
|
|
u32 size;
|
|
u8 *buffer = gfx_bmp_screenshot(&size);
|
|
|
|
f_write(&fp, buffer, size, NULL);
|
|
f_close(&fp);
|
|
free(buffer);
|
|
}
|
|
#endif
|
|
|
|
bool verifyHash(u32 hashOffset, u32 offset, u32 sz, u8 *blob)
|
|
{
|
|
bool result = false;
|
|
u8 *buffer = (u8 *)malloc(sz);
|
|
if (blob == NULL)
|
|
{
|
|
if (!readData(buffer, offset, sz, NULL))
|
|
goto out;
|
|
}
|
|
else
|
|
{
|
|
memcpy(buffer, blob + offset, sz);
|
|
}
|
|
u8 hash1[0x20];
|
|
se_calc_sha256(hash1, buffer, sz);
|
|
|
|
u8 hash2[0x20];
|
|
|
|
if (blob == NULL)
|
|
{
|
|
if (!readData(hash2, hashOffset, 0x20, NULL))
|
|
goto out;
|
|
}
|
|
else
|
|
{
|
|
memcpy(hash2, blob + hashOffset, 0x20);
|
|
}
|
|
|
|
if (memcmp(hash1, hash2, 0x20) != 0)
|
|
{
|
|
EPRINTF("error: hash verification failed\n");
|
|
// gfx_hexdump(0, hash1, 0x20);
|
|
// gfx_hexdump(0, hash2, 0x20);
|
|
goto out;
|
|
}
|
|
|
|
result = true;
|
|
out:
|
|
free(buffer);
|
|
return result;
|
|
}
|
|
|
|
s32 getClientCertSize(u8 *blob)
|
|
{
|
|
s32 buffer;
|
|
if (blob == NULL)
|
|
{
|
|
if (!RETRY(readData((u8 *)&buffer, 0x0AD0, sizeof(buffer), NULL)))
|
|
{
|
|
return -1;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
memcpy(&buffer, blob + 0x0AD0, sizeof(buffer));
|
|
}
|
|
return buffer;
|
|
}
|
|
|
|
s32 getCalibrationDataSize(u8 *blob)
|
|
{
|
|
s32 buffer;
|
|
if (blob == NULL)
|
|
{
|
|
if (!RETRY(readData((u8 *)&buffer, 0x08, sizeof(buffer), NULL)))
|
|
{
|
|
return -1;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
memcpy(&buffer, blob + 0x08, sizeof(buffer));
|
|
}
|
|
|
|
return buffer;
|
|
}
|
|
|
|
bool writeCal0Hash()
|
|
{
|
|
s32 calibrationSize = getCalibrationDataSize(NULL);
|
|
if (calibrationSize == -1)
|
|
return false;
|
|
|
|
return writeHash(0x20, 0x40, calibrationSize);
|
|
}
|
|
|
|
bool writeClientCertHash()
|
|
{
|
|
s32 certSize = getClientCertSize(NULL);
|
|
if (certSize == -1)
|
|
return false;
|
|
|
|
return writeHash(0x12E0, 0xAE0, certSize);
|
|
}
|
|
|
|
bool verifyCal0Hash(u8 *blob)
|
|
{
|
|
s32 calibrationSize = getCalibrationDataSize(blob);
|
|
if (calibrationSize == -1)
|
|
return false;
|
|
|
|
return verifyHash(0x20, 0x40, calibrationSize, blob);
|
|
}
|
|
|
|
bool verifyClientCertHash(u8 *blob)
|
|
{
|
|
s32 certSize = getClientCertSize(blob);
|
|
if (certSize == -1)
|
|
return false;
|
|
|
|
return verifyHash(0x12E0, 0xAE0, certSize, blob);
|
|
}
|
|
|
|
bool verifyProdinfo(u8 *blob)
|
|
{
|
|
gfx_printf("%kVerifying client cert hash and CAL0 hash%s...\n", COLOR_YELLOW, blob != NULL ? "\nfrom backup" : "");
|
|
|
|
if (verifyClientCertHash(blob) && verifyCal0Hash(blob))
|
|
{
|
|
validateChecksums(blob);
|
|
|
|
char serial[15] = "";
|
|
if (blob == NULL)
|
|
{
|
|
readData((u8 *)serial, 0x250, 14, NULL);
|
|
}
|
|
else
|
|
{
|
|
memcpy(serial, blob + 0x250, 14);
|
|
}
|
|
|
|
gfx_printf("%kVerification successful!\n%kSerial:%s\n", COLOR_GREEN, COLOR_BLUE, serial);
|
|
return true;
|
|
}
|
|
gfx_printf("%kVerification not successful!\n", COLOR_RED);
|
|
return false;
|
|
}
|
|
|
|
void print_progress(u32 count, u32 max)
|
|
{
|
|
tui_pbar(0, gfx_con.y + 1, (int)(count * 100 / (float)max), COLOR_BLUE, COLOR_ORANGE);
|
|
}
|
|
|
|
// bool getLastBackup()
|
|
// {
|
|
// DIR dir;
|
|
// //char* path = "sd:/incognito";
|
|
// char path[255];
|
|
// strcpy(path, "sd:/incognito");
|
|
// FILINFO fno;
|
|
// FRESULT res;
|
|
|
|
// res = f_opendir(&dir, path); /* Open the directory */
|
|
// if (res == FR_OK)
|
|
// {
|
|
// for (;;)
|
|
// {
|
|
// res = f_readdir(&dir, &fno); /* Read a directory item */
|
|
// if (res != FR_OK || fno.fname[0] == 0)
|
|
// break; /* Break on error or end of dir */
|
|
// if ((fno.fattrib & AM_DIR) == 0)
|
|
// { /* It is not a directory */
|
|
// gfx_printf("%s/%s\n", path, fno.fname);
|
|
// }
|
|
// }
|
|
// f_closedir(&dir);
|
|
// }
|
|
|
|
// return res;
|
|
// }
|
|
|
|
bool isSysNAND()
|
|
{
|
|
return (!emu_cfg.enabled || h_cfg.emummc_force_disable);
|
|
}
|
|
|
|
bool checkBackupExists()
|
|
{
|
|
char *name;
|
|
if (isSysNAND())
|
|
{
|
|
name = BACKUP_NAME_SYSNAND;
|
|
}
|
|
else
|
|
{
|
|
name = BACKUP_NAME_EMUNAND;
|
|
}
|
|
return f_stat(name, NULL) == FR_OK;
|
|
}
|
|
|
|
bool backupProdinfo()
|
|
{
|
|
bool result = false;
|
|
char *name;
|
|
if (isSysNAND())
|
|
{
|
|
name = BACKUP_NAME_SYSNAND;
|
|
}
|
|
else
|
|
{
|
|
name = BACKUP_NAME_EMUNAND;
|
|
}
|
|
|
|
gfx_printf("%kBacking up %s...\n", COLOR_YELLOW, name);
|
|
if (checkBackupExists())
|
|
{
|
|
gfx_printf("%kBackup already exists!\nWill rename old backup.\n", COLOR_ORANGE);
|
|
u32 filenameSuffix = 0;
|
|
char newName[255];
|
|
do
|
|
{
|
|
sprintf(newName, "%s.%d", name, filenameSuffix);
|
|
filenameSuffix++;
|
|
} while (f_stat(newName, NULL) == FR_OK);
|
|
f_rename(name, newName);
|
|
gfx_printf("%kOld backup renamed to:\n%s\n", COLOR_YELLOW, newName);
|
|
}
|
|
|
|
FIL fp;
|
|
if (f_open(&fp, name, FA_CREATE_ALWAYS | FA_WRITE) != FR_OK)
|
|
{
|
|
gfx_printf("\n%kCannot write to %s!\n", COLOR_RED, name);
|
|
return false;
|
|
}
|
|
|
|
u8 *bufferNX = (u8 *)malloc(PRODINFO_SIZE);
|
|
gfx_printf("%kReading from NAND...\n", COLOR_YELLOW);
|
|
if (!readData(bufferNX, 0, PRODINFO_SIZE, print_progress))
|
|
{
|
|
gfx_printf("\n%kError reading from NAND!\n", COLOR_RED);
|
|
goto out;
|
|
}
|
|
gfx_putc('\n');
|
|
if (!verifyProdinfo(bufferNX))
|
|
{
|
|
goto out;
|
|
}
|
|
gfx_printf("%k\nWriting to file...\n", COLOR_YELLOW);
|
|
u32 bytesWritten;
|
|
if (f_write(&fp, bufferNX, PRODINFO_SIZE, &bytesWritten) != FR_OK || bytesWritten != PRODINFO_SIZE)
|
|
{
|
|
gfx_printf("\n%kError writing to file!\nPlease try again. If this doesn't work, you don't have a working backup!\n", COLOR_RED);
|
|
goto out;
|
|
}
|
|
f_sync(&fp);
|
|
|
|
result = true;
|
|
gfx_printf("\n%kBackup to %s done!\n", COLOR_GREEN, name);
|
|
|
|
out:
|
|
f_close(&fp);
|
|
free(bufferNX);
|
|
|
|
return result;
|
|
}
|
|
|
|
bool restoreProdinfo()
|
|
{
|
|
bool result = false;
|
|
sd_mount();
|
|
|
|
const char *name;
|
|
if (isSysNAND())
|
|
{
|
|
name = BACKUP_NAME_SYSNAND;
|
|
}
|
|
else
|
|
{
|
|
name = BACKUP_NAME_EMUNAND;
|
|
}
|
|
|
|
gfx_printf("%kRestoring from %s...\n", COLOR_YELLOW, name);
|
|
|
|
FIL fp;
|
|
if (f_open(&fp, name, FA_READ) != FR_OK)
|
|
{
|
|
gfx_printf("\n%kCannot open %s!\n", COLOR_RED, name);
|
|
return false;
|
|
}
|
|
|
|
u8 *bufferNX = (u8 *)malloc(PRODINFO_SIZE);
|
|
u32 bytesRead;
|
|
gfx_printf("%kReading from file...\n", COLOR_YELLOW);
|
|
if (f_read(&fp, bufferNX, PRODINFO_SIZE, &bytesRead) != FR_OK || bytesRead != PRODINFO_SIZE)
|
|
{
|
|
gfx_printf("\n%kError reading from file!\n", COLOR_RED);
|
|
goto out;
|
|
}
|
|
if (!verifyProdinfo(bufferNX))
|
|
{
|
|
goto out;
|
|
}
|
|
gfx_printf("%kWriting to NAND...\n", COLOR_YELLOW);
|
|
if (!writeData(bufferNX, 0, PRODINFO_SIZE, print_progress))
|
|
{
|
|
gfx_printf("\n%kError writing to NAND!\nThis is bad. Try again, because your switch probably won't boot.\n"
|
|
"If you see this error again, you should restore via NAND backup in hekate.\n",
|
|
COLOR_RED);
|
|
goto out;
|
|
}
|
|
|
|
result = true;
|
|
gfx_printf("\n%kRestore from %s done!\n\n", COLOR_GREEN, name);
|
|
out:
|
|
f_close(&fp);
|
|
free(bufferNX);
|
|
|
|
return result;
|
|
}
|