1
0
Fork 0
mirror of https://github.com/CTCaer/hekate.git synced 2024-11-26 11:42:09 +00:00

More unfattening (like always)

This commit is contained in:
Kostas Missos 2018-07-10 16:59:03 +03:00
parent 9401897f93
commit bc67798f43
3 changed files with 39 additions and 53 deletions

View file

@ -84,7 +84,7 @@ typedef struct _merge_kip_t
#define KB_FIRMWARE_VERSION_500 4
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_500
// Exosphère magic "XBC0"
// Exosphère magic "XBC0".
#define MAGIC_EXOSPHERE 0x30434258
static const u8 keyblob_keyseeds[][0x10] = {
@ -122,12 +122,12 @@ static void _se_lock()
for (u32 i = 0; i < 2; i++)
se_rsa_acc_ctrl(i, 1);
SE(0x4) = 0; //Make this reg secure only.
SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = 0; //Make all key access regs secure only.
SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = 0; //Make all rsa access regs secure only.
SE(SE_SECURITY_0) &= 0xFFFFFFFB; //Make access lock regs secure only.
SE(0x4) = 0; // Make this reg secure only.
SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = 0; // Make all key access regs secure only.
SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = 0; // Make all RSA access regs secure only.
SE(SE_SECURITY_0) &= 0xFFFFFFFB; // Make access lock regs secure only.
//This is useful for documenting the bits in the SE config registers, so we can keep it around.
// This is useful for documenting the bits in the SE config registers, so we can keep it around.
/*gfx_printf(&gfx_con, "SE(SE_SECURITY_0) = %08X\n", SE(SE_SECURITY_0));
gfx_printf(&gfx_con, "SE(0x4) = %08X\n", SE(0x4));
gfx_printf(&gfx_con, "SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = %08X\n", SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET));
@ -151,19 +151,19 @@ int keygen(u8 *keyblob, u32 kb, void *tsec_fw)
se_key_acc_ctrl(13, 0x15);
se_key_acc_ctrl(14, 0x15);
//Get TSEC key.
// Get TSEC key.
if (tsec_query(tmp, 1, tsec_fw) < 0)
return 0;
se_aes_key_set(13, tmp, 0x10);
//Derive keyblob keys from TSEC+SBK.
// Derive keyblob keys from TSEC+SBK.
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tmp);
se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[kb]);
se_aes_unwrap_key(13, 14, tmp);
//Clear SBK.
// Clear SBK.
se_aes_key_clear(14);
//TODO: verify keyblob CMAC.
@ -175,7 +175,7 @@ int keygen(u8 *keyblob, u32 kb, void *tsec_fw)
se_aes_crypt_block_ecb(13, 0, tmp, cmac_keyseed);
se_aes_unwrap_key(11, 13, cmac_keyseed);
//Decrypt keyblob and set keyslots.
// Decrypt keyblob and set keyslots.
se_aes_crypt_ctr(13, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
se_aes_key_set(11, keyblob + 0x20 + 0x80, 0x10); //Package1 key.
se_aes_key_set(12, keyblob + 0x20, 0x10);
@ -205,7 +205,7 @@ int keygen(u8 *keyblob, u32 kb, void *tsec_fw)
break;
}
//Package2 key.
// Package2 key.
se_key_acc_ctrl(8, 0x15);
se_aes_unwrap_key(8, 12, key8_keyseed);
@ -219,7 +219,7 @@ static void _copy_bootconfig()
sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4);
//Read BCT.
// Read BCT.
u8 *buf = (u8 *)0x4003D000;
sdmmc_storage_set_mmc_partition(&storage, 1);
sdmmc_storage_read(&storage, 0, 0x3000 / NX_EMMC_BLOCKSIZE, buf);
@ -237,19 +237,19 @@ static int _read_emmc_pkg1(launch_ctxt_t *ctxt)
sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4);
//Read package1.
// Read package1.
ctxt->pkg1 = (u8 *)malloc(0x40000);
sdmmc_storage_set_mmc_partition(&storage, 1);
sdmmc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, ctxt->pkg1);
ctxt->pkg1_id = pkg1_identify(ctxt->pkg1);
if (!ctxt->pkg1_id)
{
gfx_printf(&gfx_con, "%kCould not identify package1,\nVersion (= '%s').%k\n", 0xFFFF0000, (char *)ctxt->pkg1 + 0x10, 0xFFCCCCCC);
gfx_printf(&gfx_con, "%kUnknown package1,\nVersion (= '%s').%k\n", 0xFFFF0000, (char *)ctxt->pkg1 + 0x10, 0xFFCCCCCC);
goto out;
}
gfx_printf(&gfx_con, "Identified package1 ('%s'),\nKeyblob version %d\n\n", (char *)(ctxt->pkg1 + 0x10), ctxt->pkg1_id->kb);
//Read the correct keyblob.
// Read the correct keyblob.
ctxt->keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
sdmmc_storage_read(&storage, 0x180000 / NX_EMMC_BLOCKSIZE + ctxt->pkg1_id->kb, 1, ctxt->keyblob);
@ -269,16 +269,16 @@ static int _read_emmc_pkg2(launch_ctxt_t *ctxt)
sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4);
sdmmc_storage_set_mmc_partition(&storage, 0);
//Parse eMMC GPT.
// Parse eMMC GPT.
LIST_INIT(gpt);
nx_emmc_gpt_parse(&gpt, &storage);
DPRINTF("Parsed GPT\n");
//Find package2 partition.
// Find package2 partition.
emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "BCPKG2-1-Normal-Main");
if (!pkg2_part)
goto out;
//Read in package2 header and get package2 real size.
// Read in package2 header and get package2 real size.
//TODO: implement memalign for DMA buffers.
u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, 1, tmp);

View file

@ -99,7 +99,7 @@ int sd_mount()
}
else
{
EPRINTFARGS("Failed to mount SD card (FatFS Error %d).\n(make sure that a FAT type partition exists)", res);
EPRINTFARGS("Failed to mount SD card (FatFS Error %d).\nMake sure that a FAT partition exists..", res);
}
}
@ -390,12 +390,9 @@ void print_fuseinfo()
{
if (sd_mount())
{
char fuseFilename[23];
f_mkdir("Backup");
f_mkdir("Backup/Dumps");
memcpy(fuseFilename, "Backup/Dumps/fuses.bin", 23);
if (!sd_save_to_file((u8 *)0x7000F900, 0x2FC, fuseFilename))
if (!sd_save_to_file((u8 *)0x7000F900, 0x2FC, "Backup/Dumps/fuses.bin"))
gfx_puts(&gfx_con, "\nDone!\n");
sd_unmount();
}
@ -423,12 +420,9 @@ void print_kfuseinfo()
{
if (sd_mount())
{
char kfuseFilename[24];
f_mkdir("Backup");
f_mkdir("Backup/Dumps");
memcpy(kfuseFilename, "Backup/Dumps/kfuses.bin", 24);
if (!sd_save_to_file((u8 *)buf, KFUSE_NUM_WORDS * 4, kfuseFilename))
if (!sd_save_to_file((u8 *)buf, KFUSE_NUM_WORDS * 4, "Backup/Dumps/kfuses.bin"))
gfx_puts(&gfx_con, "\nDone!\n");
sd_unmount();
}
@ -457,7 +451,7 @@ void print_mmc_info()
u16 card_type;
u32 speed;
gfx_printf(&gfx_con, "%kCard IDentification:%k\n", 0xFF00DDFF, 0xFFCCCCCC);
gfx_printf(&gfx_con, "%kCID:%k\n", 0xFF00DDFF, 0xFFCCCCCC);
switch (storage.csd.mmca_vsn)
{
case 0: /* MMC v1.0 - v1.2 */
@ -500,7 +494,7 @@ void print_mmc_info()
EPRINTF("Unknown CSD structure.");
else
{
gfx_printf(&gfx_con, "%kExtended Card-Specific Data V1.%d:%k\n",
gfx_printf(&gfx_con, "%kExtended CSD V1.%d:%k\n",
0xFF00DDFF, storage.ext_csd.ext_struct, 0xFFCCCCCC);
card_type = storage.ext_csd.card_type;
u8 card_type_support[96];
@ -664,7 +658,7 @@ void print_tsec_key()
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1);
if (!pkg1_id)
{
EPRINTFARGS("Could not identify package1 version\nto read TSEC firmware (= '%s').",
EPRINTFARGS("Unknown package1 version for reading\nTSEC firmware (= '%s').",
(char *)pkg1 + 0x10);
goto out_wait;
}
@ -693,20 +687,15 @@ void print_tsec_key()
{
if (sd_mount())
{
char tsec_keyFilename[26];
f_mkdir("Backup");
f_mkdir("Backup/Dumps");
memcpy(tsec_keyFilename, "Backup/Dumps/tsec_key.bin", 26);
if (!sd_save_to_file(keys, 0x10 * 3, tsec_keyFilename))
if (!sd_save_to_file(keys, 0x10 * 3, "Backup/Dumps/tsec_key.bin"))
gfx_puts(&gfx_con, "\nDone!\n");
sd_unmount();
}
}
else
{
goto out;
}
out_wait:;
btn_wait();
@ -1556,7 +1545,7 @@ void dump_packages12()
if (!pkg1_id)
{
gfx_con.fntsz = 8;
EPRINTFARGS("Could not identify package1 version to read TSEC firmware (= '%s').", (char *)pkg1 + 0x10);
EPRINTFARGS("Unknown package1 version for reading\nTSEC firmware (= '%s').", (char *)pkg1 + 0x10);
goto out;
}
@ -1610,23 +1599,23 @@ void dump_packages12()
goto out;
gfx_puts(&gfx_con, "Warmboot dumped to warmboot.bin\n\n\n");
// Dump package2.1
// Dump package2.1.
sdmmc_storage_set_mmc_partition(&storage, 0);
//Parse eMMC GPT.
// Parse eMMC GPT.
LIST_INIT(gpt);
nx_emmc_gpt_parse(&gpt, &storage);
//Find package2 partition.
// Find package2 partition.
emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "BCPKG2-1-Normal-Main");
if (!pkg2_part)
goto out;
//Read in package2 header and get package2 real size.
// Read in package2 header and get package2 real size.
u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, 1, tmp);
u32 *hdr_pkg2_raw = (u32 *)(tmp + 0x100);
u32 pkg2_size = hdr_pkg2_raw[0] ^ hdr_pkg2_raw[2] ^ hdr_pkg2_raw[3];
free(tmp);
//Read in package2.
// Read in package2.
u32 pkg2_size_aligned = ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE);
pkg2 = malloc(pkg2_size_aligned);
nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE,
@ -2234,12 +2223,9 @@ void print_battery_info()
{
if (sd_mount())
{
char fuelFilename[28];
f_mkdir("Backup");
f_mkdir("Backup/Dumps");
memcpy(fuelFilename, "Backup/Dumps/fuel_gauge.bin", 28);
if (sd_save_to_file((u8 *)buf, 0x200, fuelFilename))
if (sd_save_to_file((u8 *)buf, 0x200, "Backup/Dumps/fuel_gauge.bin"))
EPRINTF("\nError creating fuel.bin file.");
else
gfx_puts(&gfx_con, "\nDone!\n");

View file

@ -296,15 +296,15 @@ pkg2_hdr_t *pkg2_decrypt(void *data)
{
u8 *pdata = (u8 *)data;
//Skip signature.
// Skip signature.
pdata += 0x100;
pkg2_hdr_t *hdr = (pkg2_hdr_t *)pdata;
//Skip header.
// Skip header.
pdata += sizeof(pkg2_hdr_t);
//Decrypt header.
// Decrypt header.
se_aes_crypt_ctr(8, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
//gfx_hexdump(&gfx_con, (u32)hdr, hdr, 0x100);
@ -330,11 +330,11 @@ void pkg2_build_encrypt(void *dst, void *kernel, u32 kernel_size, link_t *kips_i
{
u8 *pdst = (u8 *)dst;
//Signature.
// Signature.
memset(pdst, 0, 0x100);
pdst += 0x100;
//Header.
// Header.
pkg2_hdr_t *hdr = (pkg2_hdr_t *)pdst;
memset(hdr, 0, sizeof(pkg2_hdr_t));
pdst += sizeof(pkg2_hdr_t);
@ -342,7 +342,7 @@ void pkg2_build_encrypt(void *dst, void *kernel, u32 kernel_size, link_t *kips_i
hdr->base = 0x10000000;
DPRINTF("kernel @ %08X (%08X)\n", (u32)kernel, kernel_size);
//Kernel.
// Kernel.
memcpy(pdst, kernel, kernel_size);
hdr->sec_size[PKG2_SEC_KERNEL] = kernel_size;
hdr->sec_off[PKG2_SEC_KERNEL] = 0x10000000;
@ -350,7 +350,7 @@ DPRINTF("kernel @ %08X (%08X)\n", (u32)kernel, kernel_size);
pdst += kernel_size;
DPRINTF("kernel encrypted\n");
//INI1.
// INI1.
u32 ini1_size = sizeof(pkg2_ini1_t);
pkg2_ini1_t *ini1 = (pkg2_ini1_t *)pdst;
memset(ini1, 0, sizeof(pkg2_ini1_t));