mirrors/hekate
1
0
Fork 0
mirror of https://github.com/CTCaer/hekate.git synced 2024-11-22 18:06:40 +00:00
Code Issues Releases Activity

hekate/Nyx: remove Sept completely

Browse source 
- remove any reference to sept and parsing of it
- completely refactor and simplify keygen
- use new Atmo tsec keygen for 7.0.0 and up
- simplify all info/tools that depend on hos keygen and bis keys
This commit is contained in:
CTCaer 2021-08-28 17:53:14 +03:00
parent e9edcfeeb0
commit f5ec4a3a37
32 changed files with 661 additions and 1722 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
bootloader/config.c
View file

@ -38,7 +38,6 @@ void set_default_configuration()
h_cfg.autoboot = 0;
h_cfg.autoboot_list = 0;
h_cfg.bootwait = 3;
h_cfg.se_keygen_done = 0;
h_cfg.backlight = 100;
h_cfg.autohosoff = 0;
h_cfg.autonogc = 1;
@ -46,8 +45,6 @@ void set_default_configuration()
h_cfg.bootprotect = 0;
h_cfg.errors = 0;
h_cfg.eks = NULL;
h_cfg.sept_run = EMC(EMC_SCRATCH0) & EMC_SEPT_RUN;
h_cfg.aes_slots_new = false;
h_cfg.rcm_patched = fuse_check_patched_rcm();
h_cfg.emummc_force_disable = false;
h_cfg.t210b01 = hw_get_chip_id() == GP_HIDREV_MAJOR_T210B01;

5
bootloader/config.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2019 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -33,9 +33,6 @@ typedef struct _hekate_config
u32 bootprotect;
// Global temporary config.
bool t210b01;
bool se_keygen_done;
bool sept_run;
bool aes_slots_new;
bool emummc_force_disable;
bool rcm_patched;
u32 errors;

2
bootloader/frontend/fe_info.h
View file

@ -1,6 +1,6 @@
/*
* Copyright (c) 2018 naehrwert
* Copyright (c) 2018 CTCaer
* Copyright (c) 2018-2021 CTCaer
* Copyright (c) 2018 balika011
*
* This program is free software; you can redistribute it and/or modify it

33
bootloader/frontend/fe_tools.c
View file

@ -26,7 +26,6 @@
#include "../hos/hos.h"
#include "../hos/pkg1.h"
#include "../hos/pkg2.h"
#include "../hos/sept.h"
#include <libs/fatfs/ff.h>
#include <mem/heap.h>
#include <power/max7762x.h>
@ -90,38 +89,18 @@ void dump_packages12()
kb = pkg1_id->kb;
if (!h_cfg.se_keygen_done)
{
tsec_ctxt.fw = (void *)pkg1 + pkg1_id->tsec_off;
tsec_ctxt.pkg1 = (void *)pkg1;
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
b_cfg.autoboot = 0;
b_cfg.autoboot_list = 0;
gfx_printf("sept will run to get the keys.\nThen rerun this option.");
btn_wait();
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb, NULL))
{
gfx_printf("Failed to run sept\n");
goto out_free;
}
}
// Read keyblob.
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
sdmmc_storage_read(&emmc_storage, 0x180000 / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
// Decrypt.
hos_keygen(keyblob, kb, &tsec_ctxt, NULL);
if (kb <= KB_FIRMWARE_VERSION_600)
h_cfg.se_keygen_done = 1;
hos_keygen(keyblob, kb, &tsec_ctxt, false, false);
free(keyblob);
}
if (kb <= KB_FIRMWARE_VERSION_600)
pkg1_decrypt(pkg1_id, pkg1);
@ -199,8 +178,16 @@ void dump_packages12()
pkg2 = malloc(pkg2_size_aligned);
nx_emmc_part_read(&emmc_storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE,
pkg2_size_aligned / NX_EMMC_BLOCKSIZE, pkg2);
#if 0
emmcsn_path_impl(path, "/pkg2", "pkg2_encr.bin", &emmc_storage);
if (sd_save_to_file(pkg2, pkg2_size_aligned, path))
goto out;
gfx_puts("\npkg2 dumped to pkg2_encr.bin\n");
#endif
// Decrypt package2 and parse KIP1 blobs in INI1 section.
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(pkg2, kb);
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(pkg2, kb, false);
if (!pkg2_hdr)
{
gfx_printf("Pkg2 decryption failed!\n");

2
bootloader/frontend/fe_tools.h
View file

@ -1,6 +1,6 @@
/*
* Copyright (c) 2018 naehrwert
* Copyright (c) 2018 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,

63
bootloader/hos/fss.c
View file

@ -1,7 +1,7 @@
/*
* Atmosphère Fusée Secondary Storage parser.
*
* Copyright (c) 2019-2020 CTCaer
* Copyright (c) 2019-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -51,6 +51,7 @@ extern bool is_ipl_updated(void *buf, char *path, bool force);
#define CNT_TYPE_KLD 9 // Kernel Loader.
#define CNT_TYPE_KRN 10 // Kernel.
#define CNT_TYPE_EXF 11 // Exosphere Mariko fatal payload.
#define CNT_TYPE_TKG 12 // Tsec Keygen.
// FSS0 Content Flags.
#define CNT_FLAG0_EXPERIMENTAL BIT(0)
@ -116,17 +117,14 @@ static void _update_r2p(launch_ctxt_t *ctxt, const char *path)
free(r2p_path);
}
int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
int parse_fss(launch_ctxt_t *ctxt, const char *path)
{
FIL fp;
bool stock = false;
int sept_used = 0;
// Skip if stock and Exosphere and warmboot are not needed.
if (!sept_ctxt)
{
bool pkg1_old = ctxt->pkg1_id->kb <= KB_FIRMWARE_VERSION_620;
bool pkg1_old = ctxt->pkg1_id->kb <= KB_FIRMWARE_VERSION_620; // Should check if t210b01?
bool emummc_disabled = !emu_cfg.enabled || h_cfg.emummc_force_disable;
LIST_FOREACH_ENTRY(ini_kv_t, kv, &ctxt->cfg->kvs, link)
@ -138,11 +136,11 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
#ifdef HOS_MARIKO_STOCK_SECMON
if (stock && emummc_disabled && (pkg1_old || h_cfg.t210b01))
return 1;
#else
if (stock && emummc_disabled && pkg1_old)
#endif
return 1;
}
#endif
if (f_open(&fp, path, FA_READ) != FR_OK)
return 0;
@ -160,16 +158,13 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
if (fss_meta->magic == FSS0_MAGIC)
{
gfx_printf("Found FSS0, Atmosphere %d.%d.%d-%08x\n"
"Max HOS supported: %d.%d.%d\n"
"Unpacking and loading components.. ",
"Max HOS: %d.%d.%d\n"
"Unpacking.. ",
fss_meta->version >> 24, (fss_meta->version >> 16) & 0xFF, (fss_meta->version >> 8) & 0xFF, fss_meta->git_rev,
fss_meta->hos_ver >> 24, (fss_meta->hos_ver >> 16) & 0xFF, (fss_meta->hos_ver >> 8) & 0xFF);
if (!sept_ctxt)
{
ctxt->atmosphere = true;
ctxt->fss0_hosver = fss_meta->hos_ver;
}
// Parse FSS0 contents.
fss_content_t *curr_fss_cnt = (fss_content_t *)(fss + fss_meta->cnt_off);
@ -186,10 +181,7 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
if ((curr_fss_cnt[i].flags0 & CNT_FLAG0_EXPERIMENTAL) && !ctxt->fss0_experimental)
continue;
// Parse content.
if (!sept_ctxt)
{
// Prepare content context.
// Prepare content.
switch (curr_fss_cnt[i].type)
{
case CNT_TYPE_KIP:
@ -233,37 +225,13 @@ int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt)
f_lseek(&fp, curr_fss_cnt[i].offset);
f_read(&fp, content, curr_fss_cnt[i].size, NULL);
}
else
{
// Load sept content directly to launch context.
switch (curr_fss_cnt[i].type)
{
case CNT_TYPE_SP1:
f_lseek(&fp, curr_fss_cnt[i].offset);
f_read(&fp, sept_ctxt->sept_primary, curr_fss_cnt[i].size, NULL);
break;
case CNT_TYPE_SP2:
if (!memcmp(curr_fss_cnt[i].name, (sept_ctxt->kb < KB_FIRMWARE_VERSION_810) ? "septsecondary00" : "septsecondary01", 15))
{
f_lseek(&fp, curr_fss_cnt[i].offset);
f_read(&fp, sept_ctxt->sept_secondary, curr_fss_cnt[i].size, NULL);
sept_used = 1;
goto out;
}
break;
default:
break;
}
}
}
out:
gfx_printf("Done!\n");
f_close(&fp);
_update_r2p(ctxt, path);
return (!sept_ctxt ? 1 : sept_used);
return 1;
}
f_close(&fp);
@ -271,14 +239,3 @@ out:
return 0;
}
int load_sept_from_ffs0(fss0_sept_t *sept_ctxt)
{
LIST_FOREACH_ENTRY(ini_kv_t, kv, &sept_ctxt->cfg_sec->kvs, link)
{
if (!strcmp("fss0", kv->key))
return parse_fss(NULL, kv->val, sept_ctxt);
}
return 0;
}

14
bootloader/hos/fss.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2019 CTCaer
* Copyright (c) 2019-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -19,16 +19,6 @@
#include "hos.h"
typedef struct _fss0_sept_t
{
u32 kb;
ini_sec_t *cfg_sec;
void *sept_primary;
void *sept_secondary;
} fss0_sept_t;
int parse_fss(launch_ctxt_t *ctxt, const char *path, fss0_sept_t *sept_ctxt);
int load_sept_from_ffs0(fss0_sept_t *sept_ctxt);
int parse_fss(launch_ctxt_t *ctxt, const char *path);
#endif

336
bootloader/hos/hos.c
View file

@ -22,7 +22,6 @@
#include "hos.h"
#include "hos_config.h"
#include "sept.h"
#include "secmon_exo.h"
#include "../config.h"
#include <display/di.h>
@ -84,7 +83,7 @@ typedef struct _tsec_keys_t
typedef struct _kb_keys_t
{
u8 master_keyseed[SE_KEY_128_SIZE];
u8 master_kekseed[SE_KEY_128_SIZE];
u8 random_data[0x70];
u8 package1_key[SE_KEY_128_SIZE];
} kb_keys_t;
@ -112,12 +111,17 @@ static const u8 cmac_keyseed[SE_KEY_128_SIZE] =
static const u8 master_keyseed_retail[SE_KEY_128_SIZE] =
{ 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
static const u8 master_keyseed_4xx_5xx_610[SE_KEY_128_SIZE] =
static const u8 master_keyseed_4xx[SE_KEY_128_SIZE] =
{ 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
static const u8 master_keyseed_620[SE_KEY_128_SIZE] =
static const u8 master_kekseed_620[SE_KEY_128_SIZE] =
{ 0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A };
//!TODO: Update on mkey changes.
static const u8 master_kekseed_t210_max[SE_KEY_128_SIZE] =
{ 0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A }; // 12.1.0.
//!TODO: Update on mkey changes.
static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
{ 0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56 }, // 6.0.0.
{ 0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE }, // 6.2.0.
@ -131,7 +135,7 @@ static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
static const u8 console_keyseed[SE_KEY_128_SIZE] =
{ 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
static const u8 console_keyseed_4xx_5xx[SE_KEY_128_SIZE] =
static const u8 console_keyseed_4xx[SE_KEY_128_SIZE] =
{ 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
const u8 package2_keyseed[SE_KEY_128_SIZE] =
@ -214,7 +218,7 @@ bool hos_eks_rw_try(u8 *buf, bool write)
return false;
}
void hos_eks_get()
static void _hos_eks_get()
{
// Check if Erista based unit.
if (h_cfg.t210b01)
@ -230,11 +234,10 @@ void hos_eks_get()
// Decrypt EKS blob.
hos_eks_mbr_t *eks = (hos_eks_mbr_t *)(mbr + 0x80);
se_aes_crypt_ecb(14, 0, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, DECRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Check if valid and for this unit.
if (eks->magic == HOS_EKS_MAGIC &&
(eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0) || eks->lot0 == FUSE(FUSE_PRIVATE_KEY0)))
if (eks->magic == HOS_EKS_MAGIC && eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0))
{
h_cfg.eks = eks;
return;
@ -245,18 +248,13 @@ out:
}
}
void hos_eks_save(u32 kb)
static void _hos_eks_save(u32 kb)
{
// Check if Erista based unit.
if (h_cfg.t210b01)
return;
if (kb >= KB_FIRMWARE_VERSION_700)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
// EKS save. Only for 7.0.0 and up.
bool new_eks = false;
if (!h_cfg.eks)
{
@ -265,10 +263,7 @@ void hos_eks_save(u32 kb)
}
// If matching blob doesn't exist, create it.
bool update_eks = key_idx ? (h_cfg.eks->enabled[key_idx] < kb) : !h_cfg.eks->enabled[0];
// If old EKS version was found, update it.
update_eks |= h_cfg.eks->lot0 != FUSE(FUSE_OPT_LOT_CODE_0);
if (update_eks)
if (h_cfg.eks->enabled < kb)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
@ -289,28 +284,18 @@ void hos_eks_save(u32 kb)
// Set magic and personalized info.
h_cfg.eks->magic = HOS_EKS_MAGIC;
h_cfg.eks->enabled[key_idx] = kb;
h_cfg.eks->enabled = KB_FIRMWARE_VERSION_MAX;
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
// Copy new keys.
memcpy(h_cfg.eks->dkg, keys + 10 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->dkk, keys + 15 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
if (!h_cfg.aes_slots_new)
{
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
else // New sept slots.
{
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
memcpy(h_cfg.eks->tsec, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->troot, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->troot_dev, keys + 11 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
@ -321,7 +306,6 @@ void hos_eks_save(u32 kb)
out:
free(mbr);
}
}
}
void hos_eks_clear(u32 kb)
@ -332,12 +316,8 @@ void hos_eks_clear(u32 kb)
if (h_cfg.eks && kb >= KB_FIRMWARE_VERSION_700)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
// Check if Current Master key is enabled.
if (h_cfg.eks->enabled[key_idx])
// Check if current Master key is enabled.
if (h_cfg.eks->enabled)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
@ -345,20 +325,17 @@ void hos_eks_clear(u32 kb)
goto out;
// Disable current Master key version.
h_cfg.eks->enabled[key_idx] = 0;
h_cfg.eks->enabled = 0;
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
hos_eks_rw_try(mbr, true);
EMC(EMC_SCRATCH0) &= ~EMC_SEPT_RUN;
h_cfg.sept_run = false;
free(eks);
out:
free(mbr);
@ -369,7 +346,7 @@ out:
int hos_keygen_t210b01(u32 kb)
{
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
se_aes_unwrap_key(10, 14, console_keyseed_4xx_5xx);
se_aes_unwrap_key(10, 14, console_keyseed_4xx);
// Derive master key.
se_aes_unwrap_key(7, 12, &master_kekseed_t210b01[kb - KB_FIRMWARE_VERSION_600]);
@ -381,9 +358,12 @@ int hos_keygen_t210b01(u32 kb)
return 1;
}
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_ctxt)
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, bool stock, bool is_exo)
{
static bool sbk_wiped = false;
u32 retries = 0;
bool use_tsec = false;
tsec_keys_t tsec_keys;
kb_t *kb_data = (kb_t *)keyblob;
@ -393,27 +373,67 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
if (h_cfg.t210b01)
return hos_keygen_t210b01(kb);
if (kb <= KB_FIRMWARE_VERSION_600)
tsec_ctxt->size = 0xF00;
else if (kb == KB_FIRMWARE_VERSION_620)
tsec_ctxt->size = 0x2900;
else if (kb == KB_FIRMWARE_VERSION_700)
tsec_ctxt->size = 0x3000;
// Do Erista keygen.
// SBK is wiped. Try to restore it from fuses.
if (sbk_wiped)
{
if (fuse_set_sbk())
sbk_wiped = false;
else
tsec_ctxt->size = 0x3300;
return 1; // Continue with current SE keys.
}
// Use HOS EKS if it exists.
_hos_eks_get();
// Use tsec keygen for old firmware or if EKS keys do not exist for newer.
if (kb <= KB_FIRMWARE_VERSION_620 || !h_cfg.eks || (h_cfg.eks && h_cfg.eks->enabled < kb))
use_tsec = true;
if (kb <= KB_FIRMWARE_VERSION_600)
{
tsec_ctxt->size = 0xF00;
tsec_ctxt->type = TSEC_FW_TYPE_OLD;
}
else if (kb == KB_FIRMWARE_VERSION_620)
{
tsec_ctxt->size = 0x2900;
tsec_ctxt->type = TSEC_FW_TYPE_EMU;
// Prepare smmu tsec page for 6.2.0.
if (kb == KB_FIRMWARE_VERSION_620)
{
u8 *tsec_paged = (u8 *)page_alloc(3);
memcpy(tsec_paged, (void *)tsec_ctxt->fw, tsec_ctxt->size);
tsec_ctxt->fw = tsec_paged;
}
else if (use_tsec) // 7.0.0+
{
/*
* 7.0.0/8.1.0 tsec fw are 0x3000/0x3300.
* Unused here because of THK.
*/
// Use custom TSEC Hovi Keygen firmware.
tsec_ctxt->fw = sd_file_read("bootloader/sys/thk.bin", NULL);
if (!tsec_ctxt->fw)
{
_hos_crit_error("\nFailed to load thk.bin");
return 0;
}
tsec_ctxt->size = 0x1F00;
tsec_ctxt->type = TSEC_FW_TYPE_NEW;
}
else if (h_cfg.eks)
{
// EKS found. Set TSEC keys.
se_aes_key_set(12, h_cfg.eks->tsec, SE_KEY_128_SIZE);
se_aes_key_set(13, h_cfg.eks->troot, SE_KEY_128_SIZE);
se_aes_key_set(11, h_cfg.eks->troot_dev, SE_KEY_128_SIZE);
}
// Get TSEC key.
if (kb <= KB_FIRMWARE_VERSION_620)
{
while (tsec_query(&tsec_keys, kb, tsec_ctxt) < 0)
while (use_tsec && tsec_query(&tsec_keys, tsec_ctxt) < 0)
{
memset(&tsec_keys, 0x00, 0x20);
retries++;
@ -425,44 +445,42 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
return 0;
}
}
}
if (kb >= KB_FIRMWARE_VERSION_700)
{
// Use HOS EKS if it exists.
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
// For 7.0.0 and up, save EKS slot if it doesn't exist.
if (use_tsec)
{
// Set Device keygen key to slot 10.
se_aes_key_set(10, h_cfg.eks->dkg, SE_KEY_128_SIZE);
// Set Device key to slot 15.
se_aes_key_set(15, h_cfg.eks->dkk, SE_KEY_128_SIZE);
if (!h_cfg.aes_slots_new)
{
// Set Master key to slot 12.
se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
// Set FW Device key key to slot 13.
se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
// Lock FDK.
se_key_acc_ctrl(13, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
}
else // New exosphere.
{
// Set Master key to slot 13.
se_aes_key_set(13, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
// Set FW Device key key to slot 12.
se_aes_key_set(12, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
// Lock FDK.
se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
}
_hos_eks_save(kb);
free(tsec_ctxt->fw);
}
se_aes_key_clear(8);
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
if (!is_exo)
{
// Derive Package2 key in secmon compatible way.
se_aes_unwrap_key(7, 13, master_kekseed_t210_max);
se_aes_unwrap_key(7, 7, master_keyseed_retail);
se_aes_unwrap_key(8, 7, package2_keyseed);
}
else
{
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
// Derive device keys.
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
// Derive master kek.
se_aes_unwrap_key(13, 13, master_kekseed_t210_max);
// Derive device master key and master key.
se_aes_unwrap_key(12, 13, master_keyseed_4xx);
se_aes_unwrap_key(13, 13, master_keyseed_retail);
// Package2 key.
se_aes_unwrap_key(8, 13, package2_keyseed);
}
}
else if (kb == KB_FIRMWARE_VERSION_620)
{
@ -471,39 +489,33 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
// Set TSEC root key.
se_aes_key_set(13, tsec_keys.tsec_root, SE_KEY_128_SIZE);
if (!(emu_cfg.enabled && !h_cfg.emummc_force_disable) && hos_ctxt->stock)
if (!is_exo)
{
// Package2 key.
// Derive Package2 key in secmon compatible way.
se_aes_key_set(8, tsec_keys.tsec_root, SE_KEY_128_SIZE);
se_aes_unwrap_key(8, 8, master_keyseed_620);
se_aes_unwrap_key(8, 8, master_kekseed_620);
se_aes_unwrap_key(8, 8, master_keyseed_retail);
se_aes_unwrap_key(8, 8, package2_keyseed);
}
else
{
// Decrypt keyblob and set keyslots
se_aes_crypt_block_ecb(12, 0, tsec_keys.tmp, keyblob_keyseeds[0]);
// Decrypt keyblob and set keyslots for Exosphere 2.
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
// Derive device keys.
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
se_aes_unwrap_key(13, 13, master_keyseed_620);
// Derive master kek.
se_aes_unwrap_key(13, 13, master_kekseed_620);
if (!h_cfg.aes_slots_new)
{
se_aes_unwrap_key(14, 13, master_keyseed_4xx_5xx_610);
se_aes_unwrap_key(12, 13, master_keyseed_retail);
}
else // New exosphere.
{
se_aes_unwrap_key(12, 13, master_keyseed_4xx_5xx_610);
// Derive device master key and master key.
se_aes_unwrap_key(12, 13, master_keyseed_4xx);
se_aes_unwrap_key(13, 13, master_keyseed_retail);
}
// Package2 key.
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
h_cfg.se_keygen_done = 1;
se_aes_unwrap_key(8, 13, package2_keyseed);
}
}
else
@ -515,13 +527,13 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
se_aes_key_set(13, tsec_keys.tsec, SE_KEY_128_SIZE);
// Derive keyblob keys from TSEC+SBK.
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[0]);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tsec);
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[kb]);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[kb]);
se_aes_unwrap_key(13, 14, tsec_keys.tsec);
// Clear SBK.
se_aes_key_clear(14);
//se_aes_key_clear(14);
/*
// Verify keyblob CMAC.
@ -532,18 +544,18 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
return 0;
*/
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, cmac_keyseed);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, cmac_keyseed);
se_aes_unwrap_key(11, 13, cmac_keyseed);
// Decrypt keyblob and set keyslots.
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_data->keys), &kb_data->keys, sizeof(kb_data->keys), kb_data->ctr);
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_keys_t), &kb_data->keys, sizeof(kb_keys_t), kb_data->ctr);
se_aes_key_set(11, kb_data->keys.package1_key, SE_KEY_128_SIZE);
se_aes_key_set(12, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
se_aes_key_set(13, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
se_aes_key_set(12, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
se_aes_key_set(13, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
se_aes_crypt_block_ecb(12, 0, tsec_keys.tsec, master_keyseed_retail);
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tsec, master_keyseed_retail);
if (!h_cfg.aes_slots_new)
if (!is_exo)
{
switch (kb)
{
@ -554,31 +566,33 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos
se_aes_unwrap_key(12, 12, master_keyseed_retail);
break;
case KB_FIRMWARE_VERSION_400:
se_aes_unwrap_key(13, 15, console_keyseed_4xx_5xx);
se_aes_unwrap_key(13, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
se_aes_unwrap_key(14, 12, master_keyseed_4xx);
se_aes_unwrap_key(12, 12, master_keyseed_retail);
sbk_wiped = true;
break;
case KB_FIRMWARE_VERSION_500:
case KB_FIRMWARE_VERSION_600:
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
se_aes_unwrap_key(14, 12, master_keyseed_4xx);
se_aes_unwrap_key(12, 12, master_keyseed_retail);
sbk_wiped = true;
break;
}
}
else // New exosphere.
else // Exosphere 2.
{
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
se_aes_unwrap_key(13, 12, master_keyseed_retail);
se_aes_unwrap_key(12, 12, master_keyseed_4xx_5xx_610);
se_aes_unwrap_key(12, 12, master_keyseed_4xx);
}
// Package2 key.
se_key_acc_ctrl(8, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
se_aes_unwrap_key(8, !is_exo ? 12 : 13, package2_keyseed);
}
return 1;
@ -722,14 +736,12 @@ int hos_launch(ini_sec_t *cfg)
u8 kb;
u32 secmon_base;
u32 warmboot_base;
launch_ctxt_t ctxt;
bool exo_new = false;
tsec_ctxt_t tsec_ctxt;
bool is_exo = false;
launch_ctxt_t ctxt = {0};
tsec_ctxt_t tsec_ctxt = {0};
volatile secmon_mailbox_t *secmon_mailbox;
minerva_change_freq(FREQ_1600);
memset(&ctxt, 0, sizeof(launch_ctxt_t));
memset(&tsec_ctxt, 0, sizeof(tsec_ctxt_t));
list_init(&ctxt.kip1_list);
ctxt.cfg = cfg;
@ -780,7 +792,7 @@ int hos_launch(ini_sec_t *cfg)
goto error;
}
ctxt.atmosphere = true; // Set atmosphere patching in case of Stock emuMMC and no fss0.
ctxt.atmosphere = true; // Set atmosphere patching in case of no fss0.
config_kip1patch(&ctxt, "emummc");
}
else if (!emu_cfg.enabled && ctxt.emummc_forced)
@ -817,34 +829,22 @@ int hos_launch(ini_sec_t *cfg)
gfx_puts("Loaded config, pkg1 and keyblob\n");
// Check if secmon is new exosphere.
// Check if secmon is exosphere.
if (ctxt.secmon)
exo_new = !memcmp((void *)((u8 *)ctxt.secmon + ctxt.secmon_size - 4), "LENY", 4);
is_exo = !memcmp((void *)((u8 *)ctxt.secmon + ctxt.secmon_size - 4), "LENY", 4);
const pkg1_id_t *pk1_latest = pkg1_get_latest();
secmon_base = exo_new ? pk1_latest->secmon_base : ctxt.pkg1_id->secmon_base;
warmboot_base = exo_new ? pk1_latest->warmboot_base : ctxt.pkg1_id->warmboot_base;
h_cfg.aes_slots_new = exo_new;
secmon_base = is_exo ? pk1_latest->secmon_base : ctxt.pkg1_id->secmon_base;
warmboot_base = is_exo ? pk1_latest->warmboot_base : ctxt.pkg1_id->warmboot_base;
// Generate keys.
if (!h_cfg.se_keygen_done)
{
tsec_ctxt.fw = (u8 *)ctxt.pkg1 + ctxt.pkg1_id->tsec_off;
tsec_ctxt.pkg1 = ctxt.pkg1;
tsec_ctxt.pkg11_off = ctxt.pkg1_id->pkg11_off;
tsec_ctxt.secmon_base = secmon_base;
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
_hos_crit_error("Failed to run sept");
goto error;
}
if (!hos_keygen(ctxt.keyblob, kb, &tsec_ctxt, &ctxt))
if (!hos_keygen(ctxt.keyblob, kb, &tsec_ctxt, ctxt.stock, is_exo))
goto error;
gfx_puts("Generated keys\n");
if (kb <= KB_FIRMWARE_VERSION_600)
h_cfg.se_keygen_done = 1;
}
// Decrypt and unpack package1 if we require parts of it.
if (!ctxt.warmboot || !ctxt.secmon)
@ -870,7 +870,7 @@ int hos_launch(ini_sec_t *cfg)
pk1_offset = sizeof(bl_hdr_t210b01_t);
pkg1_unpack((void *)warmboot_base, &ctxt.warmboot_size,
!exo_new ? (void *)ctxt.pkg1_id->secmon_base : NULL, NULL,
!is_exo ? (void *)ctxt.pkg1_id->secmon_base : NULL, NULL,
ctxt.pkg1_id, ctxt.pkg1 + pk1_offset);
gfx_puts("Decrypted & unpacked pkg1\n");
@ -929,19 +929,16 @@ int hos_launch(ini_sec_t *cfg)
gfx_puts("Read pkg2\n");
// Decrypt package2 and parse KIP1 blobs in INI1 section.
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(ctxt.pkg2, kb);
pkg2_hdr_t *pkg2_hdr = pkg2_decrypt(ctxt.pkg2, kb, is_exo);
if (!pkg2_hdr)
{
_hos_crit_error("Pkg2 decryption failed!");
EPRINTFARGS("Is hekate%s updated?", kb >= KB_FIRMWARE_VERSION_700 ? " or Sept" : "");
EPRINTF("Is hekate updated?");
// Clear EKS slot, in case something went wrong with sept keygen.
if (kb >= KB_FIRMWARE_VERSION_700)
// Clear EKS slot, in case something went wrong with tsec keygen.
hos_eks_clear(kb);
goto error;
}
else if (kb >= KB_FIRMWARE_VERSION_700)
hos_eks_save(kb); // Save EKS slot if it doesn't exist.
LIST_INIT(kip1_info);
if (!pkg2_parse_kips(&kip1_info, pkg2_hdr, &ctxt.new_pkg2))
@ -1056,8 +1053,11 @@ int hos_launch(ini_sec_t *cfg)
se_aes_key_clear(8);
se_aes_key_clear(11);
// Finalize per firmware key access. Skip access control if new exosphere.
switch (kb | (exo_new << 7))
// Clear derived master key in case of Erista and 7.0.0+
se_aes_key_clear(9);
// Finalize per firmware key access. Skip access control if Exosphere 2.
switch (kb | (is_exo << 7))
{
case KB_FIRMWARE_VERSION_100:
case KB_FIRMWARE_VERSION_300:
@ -1079,7 +1079,7 @@ int hos_launch(ini_sec_t *cfg)
}
// Clear BCT area for retail units and copy it over if dev unit.
if (kb <= KB_FIRMWARE_VERSION_500 && !exo_new)
if (kb <= KB_FIRMWARE_VERSION_500 && !is_exo)
{
memset((void *)SECMON_BCT_CFG_ADDR, 0, 0x3000);
if (fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV)
@ -1094,19 +1094,19 @@ int hos_launch(ini_sec_t *cfg)
free(bootConfigBuf);
// Config Exosphère if booting full Atmosphère.
if (ctxt.atmosphere && ctxt.secmon)
config_exosphere(&ctxt, warmboot_base, exo_new);
if (is_exo)
config_exosphere(&ctxt, warmboot_base);
// Unmount SD card and eMMC.
sd_end();
sdmmc_storage_end(&emmc_storage);
// Finalize MC carveout.
if (kb <= KB_FIRMWARE_VERSION_301 && !exo_new)
if (kb <= KB_FIRMWARE_VERSION_301 && !is_exo)
mc_config_carveout();
// Lock SE before starting 'SecureMonitor' if < 6.2.0, otherwise lock bootrom and ipatches.
_se_lock(kb <= KB_FIRMWARE_VERSION_600 && !exo_new);
_se_lock(kb <= KB_FIRMWARE_VERSION_600 && !is_exo);
// Reset sysctr0 counters.
if (kb >= KB_FIRMWARE_VERSION_620)
@ -1116,7 +1116,7 @@ int hos_launch(ini_sec_t *cfg)
//pmc_scratch_lock(PMC_SEC_LOCK_LP0_PARAMS);
// Set secmon mailbox address and clear it.
if (kb >= KB_FIRMWARE_VERSION_700 || exo_new)
if (kb >= KB_FIRMWARE_VERSION_700 || is_exo)
{
memset((void *)SECMON7_MAILBOX_ADDR, 0, 0x200);
secmon_mailbox = (secmon_mailbox_t *)(SECMON7_MAILBOX_ADDR + SECMON_STATE_OFFSET);
@ -1172,6 +1172,6 @@ int hos_launch(ini_sec_t *cfg)
error:
sdmmc_storage_end(&emmc_storage);
h_cfg.aes_slots_new = false;
return 0;
}

36
bootloader/hos/hos.h
View file

@ -39,12 +39,12 @@
#define KB_FIRMWARE_VERSION_900 9
#define KB_FIRMWARE_VERSION_910 10
#define KB_FIRMWARE_VERSION_1210 11
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210 //!TODO: Update on mkey changes.
#define HOS_PKG11_MAGIC 0x31314B50
#define HOS_EKS_MAGIC 0x30534B45
#define HOS_EKS_MAGIC 0x31534B45 // EKS1.
// Use official Mariko secmon when in stock.
// Use official Mariko secmon when in stock. Needs access to TZRAM.
//#define HOS_MARIKO_STOCK_SECMON
typedef struct _exo_ctxt_t
@ -57,32 +57,18 @@ typedef struct _exo_ctxt_t
bool *cal0_allow_writes_sys;
} exo_ctxt_t;
typedef struct _hos_eks_keys_t
{
u8 mkk[SE_KEY_128_SIZE];
u8 fdk[SE_KEY_128_SIZE];
} hos_eks_keys_t;
typedef struct _hos_eks_bis_keys_t
{
u8 crypt[SE_KEY_128_SIZE];
u8 tweak[SE_KEY_128_SIZE];
} hos_eks_bis_keys_t;
typedef struct _hos_eks_mbr_t
{
u32 magic;
u8 enabled[5];
u8 enabled_bis;
u8 rsvd[2];
u32 enabled;
u32 lot0;
u8 dkg[SE_KEY_128_SIZE];
u8 dkk[SE_KEY_128_SIZE];
hos_eks_keys_t keys[5];
hos_eks_bis_keys_t bis_keys[3];
u32 rsvd;
u8 tsec[SE_KEY_128_SIZE];
u8 troot[SE_KEY_128_SIZE];
u8 troot_dev[SE_KEY_128_SIZE];
} hos_eks_mbr_t;
static_assert(sizeof(hos_eks_mbr_t) == 304, "HOS EKS size is wrong!");
static_assert(sizeof(hos_eks_mbr_t) == 64, "HOS EKS size is wrong!");
typedef struct _launch_ctxt_t
{
@ -130,10 +116,8 @@ typedef struct _merge_kip_t
link_t link;
} merge_kip_t;
void hos_eks_get();
void hos_eks_save(u32 kb);
void hos_eks_clear(u32 kb);
int hos_launch(ini_sec_t *cfg);
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_ctxt);
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, bool stock, bool is_exo);
#endif

4
bootloader/hos/hos_config.c
View file

@ -1,6 +1,6 @@
/*
* Copyright (c) 2018 naehrwert
* Copyright (c) 2018-2020 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -271,7 +271,7 @@ static int _config_fss(launch_ctxt_t *ctxt, const char *value)
}
}
return parse_fss(ctxt, value, NULL);
return parse_fss(ctxt, value);
}
static int _config_exo_fatal_payload(launch_ctxt_t *ctxt, const char *value)

2
bootloader/hos/pkg1.c
View file

@ -212,7 +212,7 @@ int pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)
// Use BEK for T210B01.
// Additionally, skip 0x20 bytes from decryption to maintain the header.
se_aes_iv_clear(13);
se_aes_crypt_cbc(13, 0, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
se_aes_crypt_cbc(13, DECRYPT, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
}
// Return if header is valid.

46
bootloader/hos/pkg2.c
View file

@ -673,8 +673,11 @@ const char* pkg2_patch_kips(link_t *info, char* patchNames)
return NULL;
}
static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
//!TODO: Update on mkey changes.
static const u8 mkey_vector_7xx[][SE_KEY_128_SIZE] =
{
// Master key 7 encrypted with 8. (7.0.0 with 8.1.0)
{ 0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29 },
// Master key 8 encrypted with 9. (8.1.0 with 9.0.0)
{ 0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80 },
// Master key 9 encrypted with 10. (9.0.0 with 9.1.0)
@ -686,9 +689,8 @@ static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8 src_slot, u8 *mkey, const u8 *key_seed)
{
// Decrypt older encrypted mkey.
se_aes_crypt_ecb(src_slot, 0, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
se_aes_crypt_ecb(src_slot, DECRYPT, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
// Set and unwrap pkg2 key.
se_aes_key_clear(9);
se_aes_key_set(9, mkey, SE_KEY_128_SIZE);
se_aes_unwrap_key(9, 9, package2_keyseed);
@ -700,11 +702,13 @@ static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8
}
u8 pkg2_keyslot;
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
bool pkg2_broken_keygen_700;
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb, bool is_exo)
{
pkg2_hdr_t mkey_test;
u8 *pdata = (u8 *)data;
pkg2_keyslot = 8;
pkg2_broken_keygen_700 = false;
// Skip signature.
pdata += 0x100;
@ -714,26 +718,28 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
// Skip header.
pdata += sizeof(pkg2_hdr_t);
// Check if we need to decrypt with newer mkeys. Valid for sept for 8.1.0 and up.
// Check if we need to decrypt with newer mkeys. Valid for THK for 7.0.0 and up.
se_aes_crypt_ctr(8, &mkey_test, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
if (mkey_test.magic == PKG2_MAGIC)
goto key_found;
// Decrypt older pkg2 via new mkeys.
if ((kb >= KB_FIRMWARE_VERSION_810) && (kb < KB_FIRMWARE_VERSION_MAX))
if ((kb >= KB_FIRMWARE_VERSION_700) && (kb < KB_FIRMWARE_VERSION_MAX))
{
u8 tmp_mkey[SE_KEY_128_SIZE];
u8 decr_slot = !h_cfg.t210b01 ? (!h_cfg.aes_slots_new ? 12 : 13) : 7; // Sept mkey or T210B01 mkey.
u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / SE_KEY_128_SIZE;
u8 decr_slot = (h_cfg.t210b01 || !is_exo) ? 7 : 13; // THK mkey or T210B01 mkey.
u8 mkey_seeds_cnt = sizeof(mkey_vector_7xx) / SE_KEY_128_SIZE;
u8 mkey_seeds_idx = mkey_seeds_cnt; // Real index + 1.
u8 mkey_seeds_min_idx = mkey_seeds_cnt - (KB_FIRMWARE_VERSION_MAX - kb);
// Re-encrypt with initial pkg2 key if 7.0.0 and Erista, because of a bug in Exo2.
pkg2_broken_keygen_700 = kb == KB_FIRMWARE_VERSION_700 && decr_slot == 13;
while (mkey_seeds_cnt)
{
// Decrypt and validate mkey.
int res = _pkg2_key_unwrap_validate(&mkey_test, hdr, decr_slot,
tmp_mkey, mkey_vector_8xx[mkey_seeds_idx - 1]);
tmp_mkey, mkey_vector_7xx[mkey_seeds_idx - 1]);
if (res)
{
@ -744,23 +750,18 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
{
// Set current mkey in order to decrypt a lower mkey.
mkey_seeds_idx--;
se_aes_key_clear(9);
se_aes_key_set(9, tmp_mkey, SE_KEY_128_SIZE);
decr_slot = 9; // Temp key.
// Check if we tried last key for that pkg2 version.
// And start with a lower mkey in case sept is older.
// And start with a lower mkey in case mkey is older.
if (mkey_seeds_idx == mkey_seeds_min_idx)
{
mkey_seeds_cnt--;
mkey_seeds_idx = mkey_seeds_cnt;
decr_slot = !h_cfg.aes_slots_new ? 12 : 13; // Sept mkey.
decr_slot = (h_cfg.t210b01 || !is_exo) ? 7 : 13; // THK mkey or T210B01 mkey.
}
// Out of keys. pkg2 is latest or process failed.
if (!mkey_seeds_cnt)
se_aes_key_clear(9);
}
}
}
@ -785,6 +786,9 @@ DPRINTF("sec %d has size %08X\n", i, hdr->sec_size[i]);
pdata += hdr->sec_size[i];
}
if (pkg2_broken_keygen_700)
pkg2_keyslot = 8;
return hdr;
}
@ -826,6 +830,7 @@ void pkg2_build_encrypt(void *dst, void *hos_ctxt, link_t *kips_info)
launch_ctxt_t * ctxt = (launch_ctxt_t *)hos_ctxt;
u32 kernel_size = ctxt->kernel_size;
bool is_meso = *(u32 *)(ctxt->kernel + 4) == ATM_MESOSPHERE;
u8 kb = ctxt->pkg1_id->kb;
// Force new Package2 if Mesosphere.
if (is_meso)
@ -884,15 +889,16 @@ DPRINTF("INI1 encrypted\n");
se_calc_sha256_oneshot(&hdr->sec_sha256[0x20 * PKG2_SEC_INI1],
(void *)pk2_hash_data, hdr->sec_size[PKG2_SEC_INI1]);
// Set key version. For Erista 7.0.0, use max because of a bug in Exo2?
u8 key_ver = kb ? kb + 1 : 0;
if (pkg2_broken_keygen_700)
key_ver = KB_FIRMWARE_VERSION_MAX + 1;
//Encrypt header.
u8 key_ver = ctxt->pkg1_id->kb ? ctxt->pkg1_id->kb + 1 : 0;
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
hdr->ctr[4] = key_ver;
se_aes_crypt_ctr(pkg2_keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
memset(hdr->ctr, 0 , SE_AES_IV_SIZE);
*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
hdr->ctr[4] = key_ver;
if (pkg2_keyslot != 8)
se_aes_key_clear(9);
}

2
bootloader/hos/pkg2.h
View file

@ -156,7 +156,7 @@ void pkg2_get_ids(kip1_id_t **ids, u32 *entries);
const char* pkg2_patch_kips(link_t *info, char* patchNames);
const pkg2_kernel_id_t *pkg2_identify(u8 *hash);
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb);
pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb, bool is_exo);
void pkg2_build_encrypt(void *dst, void *hos_ctxt, link_t *kips_info);
#endif

278
bootloader/hos/sept.c
View file

@ -1,278 +0,0 @@
/*
* Copyright (c) 2019-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <string.h>
#include "hos.h"
#include "fss.h"
#include "sept.h"
#include "../config.h"
#include <display/di.h>
#include <ianos/ianos.h>
#include <libs/fatfs/ff.h>
#include <mem/heap.h>
#include <soc/hw_init.h>
#include <soc/pmc.h>
#include <soc/t210.h>
#include "../storage/emummc.h"
#include "../storage/nx_emmc.h"
#include <storage/nx_sd.h>
#include <storage/sdmmc.h>
#include <utils/btn.h>
#include <utils/types.h>
#include <utils/util.h>
#include <gfx_utils.h>
#define RELOC_META_OFF 0x7C
#define PATCHED_RELOC_SZ 0x94
#define WB_RST_ADDR 0x40010ED0
#define WB_RST_SIZE 0x30
u8 warmboot_reboot[] = {
0x14, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E450
0x01, 0x10, 0xB0, 0xE3, // MOVS R1, #1
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
0x0C, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E400
0x10, 0x10, 0xB0, 0xE3, // MOVS R1, #0x10
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
0xFE, 0xFF, 0xFF, 0xEA, // LOOP
0x50, 0xE4, 0x00, 0x70, // #0x7000E450
0x00, 0xE4, 0x00, 0x70 // #0x7000E400
};
#define SEPT_PRI_ADDR 0x4003F000
#define SEPT_PRI_ENTRY 0x40010340
#define SEPT_PK1T_ADDR 0xC0400000
#define SEPT_TCSZ_ADDR (SEPT_PK1T_ADDR - 0x4)
#define SEPT_STG1_ADDR (SEPT_PK1T_ADDR + 0x2E100)
#define SEPT_STG2_ADDR (SEPT_PK1T_ADDR + 0x60E0)
#define SEPT_PKG_SZ (0x2F100 + WB_RST_SIZE)
extern boot_cfg_t b_cfg;
extern hekate_config h_cfg;
extern const volatile ipl_ver_meta_t ipl_ver;
extern bool is_ipl_updated(void *buf);
extern void reloc_patcher(u32 payload_dst, u32 payload_src, u32 payload_size);
void check_sept(ini_sec_t *cfg_sec)
{
if (h_cfg.t210b01)
{
h_cfg.sept_run = true;
return;
}
hos_eks_get();
// Check if non-hekate payload is used for sept and restore it.
if (h_cfg.sept_run)
{
if (!f_stat("sept/payload.bak", NULL))
{
f_unlink("sept/payload.bin");
f_rename("sept/payload.bak", "sept/payload.bin");
}
return;
}
u8 *pkg1 = (u8 *)calloc(1, 0x40000);
int res = emummc_storage_init_mmc();
if (res)
{
if (res == 2)
EPRINTF("Failed to init eMMC.");
else
EPRINTF("Failed to init emuMMC.");
goto out_free;
}
emummc_storage_set_mmc_partition(EMMC_BOOT0);
// Read package1.
emummc_storage_read(0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, pkg1);
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1);
if (!pkg1_id)
{
EPRINTF("Unknown pkg1 version.");
goto out_free;
}
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
u32 key_idx = 0;
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= pkg1_id->kb)
{
h_cfg.sept_run = true;
goto out_free;
}
u8 *bct_bldr = (u8 *)calloc(1, 512);
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
free(bct_bldr);
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
{
gfx_con.mute = false;
EPRINTF("Failed to run sept\n""Main BCT is improper!\nRun sept with proper BCT at least once\nto cache keys.");
gfx_printf("\nPress any key...\n");
display_backlight_brightness(h_cfg.backlight, 1000);
msleep(500);
btn_wait();
goto out_free;
}
sdmmc_storage_end(&emmc_storage);
reboot_to_sept((u8 *)pkg1 + pkg1_id->tsec_off, pkg1_id->kb, cfg_sec);
}
out_free:
free(pkg1);
sdmmc_storage_end(&emmc_storage);
}
int reboot_to_sept(const u8 *tsec_fw, u32 kb, ini_sec_t *cfg_sec)
{
FIL fp;
bool fss0_sept_used = false;
// Copy warmboot reboot code and TSEC fw.
u32 tsec_fw_size = 0x3000;
if (kb > KB_FIRMWARE_VERSION_700)
tsec_fw_size = 0x3300;
memcpy((u8 *)(SEPT_PK1T_ADDR - WB_RST_SIZE), (u8 *)warmboot_reboot, sizeof(warmboot_reboot));
memcpy((void *)SEPT_PK1T_ADDR, tsec_fw, tsec_fw_size);
*(vu32 *)SEPT_TCSZ_ADDR = tsec_fw_size;
if (cfg_sec)
{
fss0_sept_t sept_ctxt;
sept_ctxt.kb = kb;
sept_ctxt.cfg_sec = cfg_sec;
sept_ctxt.sept_primary = (void *)SEPT_STG1_ADDR;
sept_ctxt.sept_secondary = (void *)SEPT_STG2_ADDR;
fss0_sept_used = load_sept_from_ffs0(&sept_ctxt);
}
if (!fss0_sept_used)
{
// Copy sept-primary.
if (f_open(&fp, "sept/sept-primary.bin", FA_READ))
goto error;
if (f_read(&fp, (u8 *)SEPT_STG1_ADDR, f_size(&fp), NULL))
{
f_close(&fp);
goto error;
}
f_close(&fp);
// Copy sept-secondary.
if (kb < KB_FIRMWARE_VERSION_810)
{
if (f_open(&fp, "sept/sept-secondary_00.enc", FA_READ))
goto error;
}
else
{
if (f_open(&fp, "sept/sept-secondary_01.enc", FA_READ))
goto error;
}
if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
{
f_close(&fp);
goto error;
}
f_close(&fp);
}
b_cfg.boot_cfg |= (BOOT_CFG_AUTOBOOT_EN | BOOT_CFG_SEPT_RUN);
bool update_sept_payload = true;
if (!f_open(&fp, "sept/payload.bin", FA_READ | FA_WRITE))
{
ipl_ver_meta_t tmp_ver;
f_lseek(&fp, PATCHED_RELOC_SZ + sizeof(boot_cfg_t));
f_read(&fp, &tmp_ver, sizeof(ipl_ver_meta_t), NULL);
if (tmp_ver.magic == ipl_ver.magic)
{
if (tmp_ver.version == ipl_ver.version)
{
// Save auto boot config to sept payload, if any.
boot_cfg_t *tmp_cfg = malloc(sizeof(boot_cfg_t));
memcpy(tmp_cfg, &b_cfg, sizeof(boot_cfg_t));
f_lseek(&fp, PATCHED_RELOC_SZ);
f_write(&fp, tmp_cfg, sizeof(boot_cfg_t), NULL);
update_sept_payload = false;
}
f_close(&fp);
}
else
{
f_close(&fp);
f_rename("sept/payload.bin", "sept/payload.bak"); // Backup foreign payload.
}
}
if (update_sept_payload)
{
volatile reloc_meta_t *reloc = (reloc_meta_t *)(IPL_LOAD_ADDR + RELOC_META_OFF);
f_mkdir("sept");
f_open(&fp, "sept/payload.bin", FA_WRITE | FA_CREATE_ALWAYS);
f_write(&fp, (u8 *)reloc->start, reloc->end - reloc->start, NULL);
f_close(&fp);
}
sd_end();
u32 pk1t_sept = SEPT_PK1T_ADDR - (ALIGN(PATCHED_RELOC_SZ, 0x10) + WB_RST_SIZE);
void (*sept)() = (void *)pk1t_sept;
reloc_patcher(WB_RST_ADDR, pk1t_sept, SEPT_PKG_SZ);
// Patch SDRAM init to perform an SVC immediately after second write.
PMC(APBDEV_PMC_SCRATCH45) = 0x2E38DFFF;
PMC(APBDEV_PMC_SCRATCH46) = 0x6001DC28;
// Set SVC handler to jump to sept-primary in IRAM.
PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
hw_reinit_workaround(false, 0);
(*sept)();
error:
gfx_con.mute = false;
EPRINTF("Failed to run sept\n");
btn_wait();
return 0;
}

25
bootloader/hos/sept.h
View file

@ -1,25 +0,0 @@
/*
* Copyright (c) 2019 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _SEPT_H_
#define _SEPT_H_
#include <utils/types.h>
void check_sept(ini_sec_t *cfg_sec);
int reboot_to_sept(const u8 *tsec_fw, u32 kb, ini_sec_t *cfg_sec);
#endif

66
bootloader/main.c
View file

@ -28,7 +28,6 @@
#include "gfx/tui.h"
#include "hos/hos.h"
#include "hos/secmon_exo.h"
#include "hos/sept.h"
#include <ianos/ianos.h>
#include <libs/compr/blz.h>
#include <libs/fatfs/ff.h>
@ -489,9 +488,6 @@ void ini_list_launcher()
goto wrong_emupath;
}
if (cfg_sec && !payload_path)
check_sept(cfg_sec);
if (!cfg_sec)
{
free(ments);
@ -630,9 +626,6 @@ void launch_firmware()
goto wrong_emupath;
}
if (cfg_sec && !payload_path)
check_sept(cfg_sec);
if (!cfg_sec)
{
free(ments);
@ -720,12 +713,6 @@ void nyx_load_run()
nyx_str->cfg = 0;
if (b_cfg.extra_cfg)
{
if (b_cfg.extra_cfg & EXTRA_CFG_NYX_SEPT)
{
b_cfg.extra_cfg &= ~(EXTRA_CFG_NYX_SEPT);
nyx_str->cfg |= NYX_CFG_SEPT;
nyx_str->cfg |= b_cfg.sept << 24;
}
if (b_cfg.extra_cfg & EXTRA_CFG_NYX_UMS)
{
b_cfg.extra_cfg &= ~(EXTRA_CFG_NYX_UMS);
@ -804,24 +791,6 @@ static void _bootloader_corruption_protect()
static void _auto_launch_firmware()
{
if(b_cfg.extra_cfg & EXTRA_CFG_NYX_SEPT)
{
if (!h_cfg.sept_run)
EMC(EMC_SCRATCH0) |= EMC_HEKA_UPD;
check_sept(NULL);
}
if (!h_cfg.sept_run)
auto_launch_update();
u8 *BOOTLOGO = NULL;
char *payload_path = NULL;
char *emummc_path = NULL;
u32 btn = 0;
bool boot_from_id = (b_cfg.boot_cfg & BOOT_CFG_FROM_ID) && (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN);
if (boot_from_id)
b_cfg.id[7] = 0;
struct _bmp_data
{
u32 size;
@ -832,14 +801,19 @@ static void _auto_launch_firmware()
u32 pos_y;
};
struct _bmp_data bmpData;
bool bootlogoFound = false;
char *emummc_path = NULL;
char *bootlogoCustomEntry = NULL;
ini_sec_t *cfg_sec = NULL;
auto_launch_update();
bool boot_from_id = (b_cfg.boot_cfg & BOOT_CFG_FROM_ID) && (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN);
if (boot_from_id)
b_cfg.id[7] = 0;
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
gfx_con.mute = true;
ini_sec_t *cfg_sec = NULL;
LIST_INIT(ini_sections);
LIST_INIT(ini_list_sections);
@ -883,17 +857,12 @@ static void _auto_launch_firmware()
}
boot_entry_id++;
// Override autoboot, otherwise save it for a possbile sept run.
// Override autoboot.
if (b_cfg.boot_cfg & BOOT_CFG_AUTOBOOT_EN)
{
h_cfg.autoboot = b_cfg.autoboot;
h_cfg.autoboot_list = b_cfg.autoboot_list;
}
else
{
b_cfg.autoboot = h_cfg.autoboot;
b_cfg.autoboot_list = h_cfg.autoboot_list;
}
// Apply bootloader protection against corruption.
_bootloader_corruption_protect();
@ -983,9 +952,13 @@ skip_list:
goto out;
u8 *bitmap = NULL;
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH) && h_cfg.bootwait && !h_cfg.sept_run)
struct _bmp_data bmpData;
bool bootlogoFound = false;
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH) && h_cfg.bootwait)
{
u32 fsize;
u8 *BOOTLOGO = NULL;
if (bootlogoCustomEntry) // Check if user set custom logo path at the boot entry.
bitmap = (u8 *)sd_file_read(bootlogoCustomEntry, &fsize);
@ -1035,6 +1008,7 @@ skip_list:
{
gfx_render_bmp_argb((u32 *)BOOTLOGO, bmpData.size_x, bmpData.size_y,
bmpData.pos_x, bmpData.pos_y);
free(BOOTLOGO);
}
else
{
@ -1048,19 +1022,19 @@ skip_list:
if (b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH)
display_backlight_brightness(h_cfg.backlight, 0);
else if (!h_cfg.sept_run && h_cfg.bootwait)
else if (h_cfg.bootwait)
display_backlight_brightness(h_cfg.backlight, 1000);
// Wait before booting. If VOL- is pressed go into bootloader menu.
if (!h_cfg.sept_run && !(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
if (!(b_cfg.boot_cfg & BOOT_CFG_FROM_LAUNCH))
{
btn = btn_wait_timeout_single(h_cfg.bootwait * 1000, BTN_VOL_DOWN | BTN_SINGLE);
u32 btn = btn_wait_timeout_single(h_cfg.bootwait * 1000, BTN_VOL_DOWN | BTN_SINGLE);
if (btn & BTN_VOL_DOWN)
goto out;
}
payload_path = ini_check_payload_section(cfg_sec);
char *payload_path = ini_check_payload_section(cfg_sec);
if (payload_path)
{
@ -1079,7 +1053,6 @@ skip_list:
goto wrong_emupath;
}
check_sept(cfg_sec);
hos_launch(cfg_sec);
wrong_emupath:
@ -1105,7 +1078,6 @@ out:
// Clear boot reasons from binary.
if (b_cfg.boot_cfg & (BOOT_CFG_FROM_ID | BOOT_CFG_TO_EMUMMC))
memset(b_cfg.xt_str, 0, sizeof(b_cfg.xt_str));
b_cfg.boot_cfg &= BOOT_CFG_SEPT_RUN;
h_cfg.emummc_force_disable = false;
// L4T: Clear custom boot mode flags from PMC_SCRATCH0.

4
nyx/nyx_gui/config.c
View file

@ -38,7 +38,6 @@ void set_default_configuration()
h_cfg.autoboot = 0;
h_cfg.autoboot_list = 0;
h_cfg.bootwait = 3;
h_cfg.se_keygen_done = 0;
h_cfg.backlight = 100;
h_cfg.autohosoff = 0;
h_cfg.autonogc = 1;
@ -46,10 +45,7 @@ void set_default_configuration()
h_cfg.bootprotect = 0;
h_cfg.errors = 0;
h_cfg.eks = NULL;
h_cfg.sept_run = EMC(EMC_SCRATCH0) & EMC_SEPT_RUN;
h_cfg.aes_slots_new = false;
h_cfg.rcm_patched = fuse_check_patched_rcm();
h_cfg.sbk_set = FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF;
h_cfg.emummc_force_disable = false;
h_cfg.t210b01 = hw_get_chip_id() == GP_HIDREV_MAJOR_T210B01;

4
nyx/nyx_gui/config.h
View file

@ -33,12 +33,8 @@ typedef struct _hekate_config
u32 bootprotect;
// Global temporary config.
bool t210b01;
bool se_keygen_done;
bool sept_run;
bool aes_slots_new;
bool emummc_force_disable;
bool rcm_patched;
bool sbk_set;
u32 errors;
hos_eks_mbr_t *eks;
} hekate_config;

161
nyx/nyx_gui/frontend/fe_emummc_tools.c
View file

@ -23,7 +23,6 @@
#include "gui.h"
#include "fe_emummc_tools.h"
#include "../hos/sept.h"
#include "../config.h"
#include <utils/ini.h>
#include <libs/fatfs/diskio.h>
@ -752,133 +751,18 @@ static int _dump_emummc_raw_part(emmc_tool_gui_t *gui, int active_part, int part
return 1;
}
u32 kb = 0;
u8 *tsec_fw = NULL;
bool sept_error = false;
static lv_res_t _emummc_raw_check_sept_action(lv_obj_t *btns, const char * txt)
{
int btn_idx = lv_btnm_get_pressed(btns);
mbox_action(btns, txt);
if (btn_idx == 1 && !sept_error)
{
// Set boot cfg.
b_cfg->autoboot = 0;
b_cfg->autoboot_list = 0;
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
b_cfg->sept = NYX_SEPT_EMUF;
sd_mount();
reboot_to_sept(tsec_fw, kb);
}
return LV_RES_INV;
}
static int _emummc_raw_check_sept(emmc_tool_gui_t *gui, u32 resized_count)
static int _emummc_raw_derive_bis_keys(emmc_tool_gui_t *gui, u32 resized_count)
{
if (!resized_count)
return 1;
bool sept_needed = false;
sept_error = false;
tsec_fw = NULL;
bool error = false;
char *txt_buf = (char *)malloc(0x4000);
txt_buf[0] = 0;
// Read package1.
static const u32 BOOTLOADER_SIZE = 0x40000;
static const u32 BOOTLOADER_MAIN_OFFSET = 0x100000;
static const u32 BOOTLOADER_BACKUP_OFFSET = 0x140000;
static const u32 HOS_KEYBLOBS_OFFSET = 0x180000;
u32 bootloader_offset = BOOTLOADER_MAIN_OFFSET;
u32 pk1_offset = h_cfg.t210b01 ? sizeof(bl_hdr_t210b01_t) : 0; // Skip T210B01 OEM header.
u8 *pkg1 = (u8 *)malloc(BOOTLOADER_SIZE);
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_BOOT0);
try_load:
sdmmc_storage_read(&emmc_storage, bootloader_offset / NX_EMMC_BLOCKSIZE, BOOTLOADER_SIZE / NX_EMMC_BLOCKSIZE, pkg1);
char *build_date = malloc(32);
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1 + pk1_offset, build_date);
s_printf(txt_buf + strlen(txt_buf), "#00DDFF Found pkg1 ('%s')#\n", build_date);
free(build_date);
if (!pkg1_id)
{
strcat(txt_buf, "#FFDD00 Unknown pkg1 version!#\n");
// Try backup bootloader.
if (bootloader_offset != BOOTLOADER_BACKUP_OFFSET)
{
strcat(txt_buf, "Trying backup bootloader...\n");
bootloader_offset = BOOTLOADER_BACKUP_OFFSET;
goto try_load;
}
sept_error = true;
goto out;
}
kb = pkg1_id->kb;
// Skip if Mariko.
if (h_cfg.t210b01)
goto bis_derivation;
tsec_ctxt_t tsec_ctxt;
tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
tsec_ctxt.pkg1 = pkg1;
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
// Get keys.
hos_eks_get();
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
h_cfg.sept_run = true;
else
{
// Check that BCT is proper so sept can run.
u8 *bct_bldr = (u8 *)calloc(1, 512);
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
free(bct_bldr);
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
{
strcpy(txt_buf, "#FFDD00 Failed to run sept because main BCT is improper!#\n"
"#FFDD00 Run sept with proper BCT at least once to cache keys.#\n");
sept_error = true;
goto out;
}
// Set TSEC fw.
tsec_fw = (u8 *)tsec_ctxt.fw;
sept_needed = true;
goto out;
}
}
bis_derivation:;
// Read the correct keyblob.
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
// Generate BIS keys
hos_bis_keygen(keyblob, kb, &tsec_ctxt);
free(keyblob);
// Generate BIS keys.
hos_bis_keygen();
u8 *cal0_buf = malloc(0x10000);
@ -894,32 +778,25 @@ bis_derivation:;
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)cal0_buf;
// If successful, save BIS keys.
// Check keys validity.
if (memcmp(&cal0->magic, "CAL0", 4))
{
hos_bis_keys_clear();
hos_eks_bis_clear();
// Clear EKS keys.
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
strcpy(txt_buf, "#FFDD00 BIS keys validation failed!#\n");
sept_error = true;
error = true;
}
else
hos_eks_bis_save();
free(cal0_buf);
out:
// Check if sept is not needed.
if (!sept_needed)
free(pkg1);
if (sept_needed || sept_error)
if (error)
{
lv_obj_t *dark_bg = lv_obj_create(lv_scr_act(), NULL);
lv_obj_set_style(dark_bg, &mbox_darken);
lv_obj_set_size(dark_bg, LV_HOR_RES, LV_VER_RES);
static const char * mbox_btn_map[] = { "\211", "\222Launch", "\222Close", "\211", "" };
static const char * mbox_btn_map2[] = { "\211", "\222Close", "\211", "" };
static const char * mbox_btn_map[] = { "\211", "\222Close", "\211", "" };
lv_obj_t * mbox = lv_mbox_create(dark_bg, NULL);
lv_mbox_set_recolor_text(mbox, true);
lv_obj_set_width(mbox, LV_HOR_RES / 9 * 5);
@ -932,18 +809,8 @@ out:
lv_label_set_style(lb_desc, &monospace_text);
lv_obj_set_width(lb_desc, LV_HOR_RES / 9 * 4);
if (sept_error)
{
lv_label_set_text(lb_desc, txt_buf);
lv_mbox_add_btns(mbox, mbox_btn_map2, _emummc_raw_check_sept_action);
free(pkg1);
}
else
{
lv_label_set_text(lb_desc, "Sept needs to launch in order to generate keys\nneeded for emuMMC resizing.\n"
"After that enter this menu again.");
lv_mbox_add_btns(mbox, mbox_btn_map, _emummc_raw_check_sept_action);
}
lv_mbox_add_btns(mbox, mbox_btn_map, mbox_action);
lv_obj_align(mbox, NULL, LV_ALIGN_CENTER, 0, 0);
lv_obj_set_top(mbox, true);
@ -953,7 +820,7 @@ out:
return 0;
}
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_GPP);
free(txt_buf);
return 1;
}
@ -984,7 +851,7 @@ void dump_emummc_raw(emmc_tool_gui_t *gui, int part_idx, u32 sector_start, u32 r
goto out;
}
if (!_emummc_raw_check_sept(gui, resized_count))
if (!_emummc_raw_derive_bis_keys(gui, resized_count))
{
s_printf(gui->txt_buf, "#FFDD00 For formatting USER partition,#\n#FFDD00 BIS keys are needed!#\n");
lv_label_ins_text(gui->label_log, LV_LABEL_POS_LAST, gui->txt_buf);

26
nyx/nyx_gui/frontend/gui.c
View file

@ -1868,7 +1868,7 @@ static void _create_tab_home(lv_theme_t *th, lv_obj_t *parent)
label_btn = lv_label_create(btn_emummc, label_btn);
s_printf(btn_colored_text, "%s%s", text_color, " "SYMBOL_LIST"#");
lv_label_set_text(label_btn, btn_colored_text);
lv_btn_set_action(btn_emummc, LV_BTN_ACTION_CLICK,create_win_emummc_tools);
lv_btn_set_action(btn_emummc, LV_BTN_ACTION_CLICK, create_win_emummc_tools);
lv_btn_set_layout(btn_emummc, LV_LAYOUT_OFF);
lv_obj_align(label_btn, NULL, LV_ALIGN_CENTER, 0, -28);
lv_obj_set_pos(btn_emummc, 959, 160);
@ -2208,28 +2208,8 @@ static void _nyx_main_menu(lv_theme_t * th)
// Option save button.
lv_tabview_set_tab_load_action(tv, _show_hide_save_button);
// If we rebooted to run sept for dumping, lunch dump immediately.
if (nyx_str->cfg & NYX_CFG_SEPT)
{
u32 type = nyx_str->cfg >> 24;
nyx_str->cfg &= ~(NYX_CFG_SEPT | NYX_CFG_EXTRA);
if (type == NYX_SEPT_DUMP)
{
lv_task_t *task_run_dump = lv_task_create(sept_run_dump, LV_TASK_ONESHOT, LV_TASK_PRIO_MID, NULL);
lv_task_once(task_run_dump);
}
else if (type == NYX_SEPT_CAL0)
{
lv_task_t *task_run_cal0 = lv_task_create(sept_run_cal0, LV_TASK_ONESHOT, LV_TASK_PRIO_LOWEST, NULL);
lv_task_once(task_run_cal0);
}
else if (type == NYX_SEPT_EMUF)
{
// TODO: Maybe automatically relaunch emuMMC creation in the future.
}
}
else if (nyx_str->cfg & NYX_CFG_UMS)
// Check if Nyx was launched with a function set.
if (nyx_str->cfg & NYX_CFG_UMS)
{
nyx_str->cfg &= ~(NYX_CFG_UMS);
lv_task_t *task_run_ums = lv_task_create(nyx_run_ums, LV_TASK_ONESHOT, LV_TASK_PRIO_MID, (void *)&nyx_str->cfg);

1
nyx/nyx_gui/frontend/gui_emmc_tools.c
View file

@ -24,7 +24,6 @@
#include "../hos/pkg1.h"
#include "../hos/pkg2.h"
#include "../hos/hos.h"
#include "../hos/sept.h"
#include <libs/fatfs/ff.h>
#include <mem/heap.h>
#include <sec/se.h>

145
nyx/nyx_gui/frontend/gui_info.c
View file

@ -21,7 +21,6 @@
#include "../config.h"
#include "../hos/hos.h"
#include "../hos/pkg1.h"
#include "../hos/sept.h"
#include <libs/fatfs/ff.h>
#include <input/touch.h>
#include <mem/emc.h>
@ -302,108 +301,16 @@ static lv_res_t _create_mbox_cal0(lv_obj_t *btn)
sd_mount();
// Read package1.
static const u32 BOOTLOADER_SIZE = 0x40000;
static const u32 BOOTLOADER_MAIN_OFFSET = 0x100000;
static const u32 BOOTLOADER_BACKUP_OFFSET = 0x140000;
static const u32 HOS_KEYBLOBS_OFFSET = 0x180000;
u8 kb = 0;
u32 bootloader_offset = BOOTLOADER_MAIN_OFFSET;
u32 pk1_offset = h_cfg.t210b01 ? sizeof(bl_hdr_t210b01_t) : 0; // Skip T210B01 OEM header.
u8 *pkg1 = (u8 *)malloc(BOOTLOADER_SIZE);
// Init eMMC.
if (!sdmmc_storage_init_mmc(&emmc_storage, &emmc_sdmmc, SDMMC_BUS_WIDTH_8, SDHCI_TIMING_MMC_HS400))
{
lv_label_set_text(lb_desc, "#FFDD00 Failed to init eMMC!#");
goto out;
}
sdmmc_storage_set_mmc_partition(&emmc_storage, EMMC_BOOT0);
try_load:
sdmmc_storage_read(&emmc_storage, bootloader_offset / NX_EMMC_BLOCKSIZE, BOOTLOADER_SIZE / NX_EMMC_BLOCKSIZE, pkg1);
char *build_date = malloc(32);
const pkg1_id_t *pkg1_id = pkg1_identify(pkg1 + pk1_offset, build_date);
s_printf(txt_buf + strlen(txt_buf), "#00DDFF Found pkg1 ('%s')#\n", build_date);
free(build_date);
if (!pkg1_id)
{
strcat(txt_buf, "#FFDD00 Unknown pkg1 version!#\n");
// Try backup bootloader.
if (bootloader_offset != BOOTLOADER_BACKUP_OFFSET)
{
strcat(txt_buf, "Trying backup bootloader...\n");
bootloader_offset = BOOTLOADER_BACKUP_OFFSET;
goto try_load;
}
lv_label_set_text(lb_desc, txt_buf);
goto out;
}
kb = pkg1_id->kb;
// Skip if Mariko.
if (h_cfg.t210b01)
goto t210b01;
tsec_ctxt_t tsec_ctxt;
tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
tsec_ctxt.pkg1 = pkg1;
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
// Get keys.
hos_eks_get();
if (kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
h_cfg.sept_run = true;
else
{
// Check that BCT is proper so sept can run.
u8 *bct_bldr = (u8 *)calloc(1, 512);
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
free(bct_bldr);
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
{
lv_label_set_text(lb_desc, "#FFDD00 Main BCT is improper! Failed to run sept.#\n"
"#FFDD00 Run sept with proper BCT at least once#\n#FFDD00 to cache keys.#\n");
goto out;
}
// Set boot cfg.
b_cfg->autoboot = 0;
b_cfg->autoboot_list = 0;
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
b_cfg->sept = NYX_SEPT_CAL0;
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb))
{
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept#\n");
goto out;
}
}
}
t210b01:;
// Read the correct keyblob.
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
// Generate BIS keys
hos_bis_keygen(keyblob, kb, &tsec_ctxt);
free(keyblob);
hos_bis_keygen();
if (!cal0_buf)
cal0_buf = malloc(0x10000);
@ -418,24 +325,23 @@ t210b01:;
nx_emmc_bis_end();
nx_emmc_gpt_free(&gpt);
// Clear BIS keys slots and reinstate SBK.
// Clear BIS keys slots.
hos_bis_keys_clear();
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)cal0_buf;
// If successful, save BIS keys.
// Check keys validity.
if (memcmp(&cal0->magic, "CAL0", 4))
{
free(cal0_buf);
cal0_buf = NULL;
hos_eks_bis_clear();
// Clear EKS keys.
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
lv_label_set_text(lb_desc, "#FFDD00 CAL0 is corrupt or wrong keys!#\n");
goto out;
}
else
hos_eks_bis_save();
u32 hash[8];
se_calc_sha256_oneshot(hash, (u8 *)cal0 + 0x40, cal0->body_size);
@ -526,7 +432,6 @@ t210b01:;
lv_label_set_text(lb_desc, txt_buf);
out:
free(pkg1);
free(txt_buf);
sd_unmount();
sdmmc_storage_end(&emmc_storage);
@ -1042,11 +947,6 @@ static lv_res_t _create_window_fuses_info_status(lv_obj_t *btn)
return LV_RES_OK;
}
void sept_run_cal0(void *param)
{
_create_window_fuses_info_status(NULL);
}
static char *ipatches_txt;
static void _ipatch_process(u32 offset, u32 value)
{
@ -1098,7 +998,7 @@ static lv_res_t _create_window_tsec_keys_status(lv_obj_t *btn)
{
u32 retries = 0;
tsec_ctxt_t tsec_ctxt;
tsec_ctxt_t tsec_ctxt = {0};
lv_obj_t *win = nyx_create_standard_window(SYMBOL_CHIP" TSEC Keys");
@ -1173,28 +1073,35 @@ try_load:
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
if (pkg1_id->kb <= KB_FIRMWARE_VERSION_600)
{
tsec_ctxt.size = 0xF00;
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
tsec_ctxt.size = 0x2900;
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_700)
{
tsec_ctxt.size = 0x3000;
// Exit after TSEC key generation.
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
tsec_ctxt.type = TSEC_FW_TYPE_OLD;
}
else
tsec_ctxt.size = 0x3300;
if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
{
tsec_ctxt.size = 0x2900;
tsec_ctxt.type = TSEC_FW_TYPE_EMU;
u8 *tsec_paged = (u8 *)page_alloc(3);
memcpy(tsec_paged, (void *)tsec_ctxt.fw, tsec_ctxt.size);
tsec_ctxt.fw = tsec_paged;
}
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_700)
{
tsec_ctxt.size = 0x3000;
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
// Exit after TSEC key generation.
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
}
else
{
tsec_ctxt.size = 0x3300;
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
}
int res = 0;
while (tsec_query((u8 *)tsec_keys, pkg1_id->kb, &tsec_ctxt) < 0)
while (tsec_query((u8 *)tsec_keys, &tsec_ctxt) < 0)
{
memset(tsec_keys, 0x00, 0x20);

3
nyx/nyx_gui/frontend/gui_info.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2019 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -19,7 +19,6 @@
#include <libs/lvgl/lvgl.h>
void sept_run_cal0(void *param);
void create_tab_info(lv_theme_t *th, lv_obj_t *parent);
#endif

55
nyx/nyx_gui/frontend/gui_tools.c
View file

@ -28,7 +28,6 @@
#include "../hos/pkg1.h"
#include "../hos/pkg2.h"
#include "../hos/hos.h"
#include "../hos/sept.h"
#include <input/touch.h>
#include <libs/fatfs/ff.h>
#include <mem/heap.h>
@ -1138,62 +1137,19 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
kb = pkg1_id->kb;
if (!h_cfg.se_keygen_done)
{
tsec_ctxt_t tsec_ctxt;
tsec_ctxt_t tsec_ctxt = {0};
tsec_ctxt.fw = (void *)(pkg1 + pkg1_id->tsec_off);
tsec_ctxt.pkg1 = (void *)pkg1;
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
hos_eks_get();
if (!h_cfg.t210b01 && kb >= KB_FIRMWARE_VERSION_700 && !h_cfg.sept_run)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
h_cfg.sept_run = true;
else
{
// Check that BCT is proper so sept can run.
u8 *bct_bldr = (u8 *)calloc(1, 512);
sdmmc_storage_read(&emmc_storage, 0x2200 / NX_EMMC_BLOCKSIZE, 1, bct_bldr);
u32 bootloader_entrypoint = *(u32 *)&bct_bldr[0x144];
free(bct_bldr);
if (bootloader_entrypoint > SEPT_PRI_ENTRY)
{
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept because main BCT is improper!#\n"
"#FFDD00 Run sept with proper BCT at least once to cache keys.#\n");
goto out_free;
}
// Set boot cfg.
b_cfg->autoboot = 0;
b_cfg->autoboot_list = 0;
b_cfg->extra_cfg = EXTRA_CFG_NYX_SEPT;
b_cfg->sept = NYX_SEPT_DUMP;
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, kb))
{
lv_label_set_text(lb_desc, "#FFDD00 Failed to run sept#\n");
goto out_free;
}
}
}
// Read keyblob.
u8 *keyblob = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
sdmmc_storage_read(&emmc_storage, HOS_KEYBLOBS_OFFSET / NX_EMMC_BLOCKSIZE + kb, 1, keyblob);
// Decrypt.
hos_keygen(keyblob, kb, &tsec_ctxt);
if (kb <= KB_FIRMWARE_VERSION_600)
h_cfg.se_keygen_done = 1;
free(keyblob);
}
if (h_cfg.t210b01 || kb <= KB_FIRMWARE_VERSION_600)
{
@ -1316,13 +1272,11 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
lv_label_set_text(lb_desc, txt_buf);
manual_system_maintenance(true);
// Clear EKS slot, in case something went wrong with sept keygen.
// Clear EKS slot, in case something went wrong with tsec keygen.
hos_eks_clear(kb);
goto out;
}
else if (kb >= KB_FIRMWARE_VERSION_700)
hos_eks_save(kb); // Save EKS slot if it doesn't exist.
// Display info.
s_printf(txt_buf + strlen(txt_buf),
@ -1429,11 +1383,6 @@ out_end:
return LV_RES_OK;
}
void sept_run_dump(void *param)
{
_create_window_dump_pk12_tool(NULL);
}
static void _create_tab_tools_emmc_pkg12(lv_theme_t *th, lv_obj_t *parent)
{
lv_page_set_scrl_layout(parent, LV_LAYOUT_PRETTY);

3
nyx/nyx_gui/frontend/gui_tools.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2019 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -23,7 +23,6 @@ extern lv_obj_t *ums_mbox;
void create_tab_tools(lv_theme_t *th, lv_obj_t *parent);
void nyx_run_ums(void *param);
void sept_run_dump(void *param);
bool get_autorcm_status(bool change);
lv_res_t action_ums_sd(lv_obj_t *btn);

397
nyx/nyx_gui/hos/hos.c
View file

@ -21,7 +21,6 @@
#include <string.h>
#include "hos.h"
#include "sept.h"
#include "../config.h"
#include <display/di.h>
#include <gfx_utils.h>
@ -54,7 +53,7 @@ typedef struct _tsec_keys_t
typedef struct _kb_keys_t
{
u8 master_keyseed[SE_KEY_128_SIZE];
u8 master_kekseed[SE_KEY_128_SIZE];
u8 random_data[0x70];
u8 package1_key[SE_KEY_128_SIZE];
} kb_keys_t;
@ -82,12 +81,18 @@ static const u8 cmac_keyseed[SE_KEY_128_SIZE] =
static const u8 master_keyseed_retail[SE_KEY_128_SIZE] =
{ 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
static const u8 master_keyseed_4xx_5xx_610[SE_KEY_128_SIZE] =
{ 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
// Unused in this context.
//static const u8 master_keyseed_4xx[SE_KEY_128_SIZE] =
// { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
static const u8 master_keyseed_620[SE_KEY_128_SIZE] =
static const u8 master_kekseed_620[SE_KEY_128_SIZE] =
{ 0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A };
//!TODO: Update on mkey changes.
static const u8 master_kekseed_t210_max[SE_KEY_128_SIZE] =
{ 0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A }; // 12.1.0.
//!TODO: Update on mkey changes.
static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
{ 0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56 }, // 6.0.0.
{ 0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE }, // 6.2.0.
@ -101,12 +106,13 @@ static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
static const u8 console_keyseed[SE_KEY_128_SIZE] =
{ 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
static const u8 console_keyseed_4xx_5xx[SE_KEY_128_SIZE] =
static const u8 console_keyseed_4xx[SE_KEY_128_SIZE] =
{ 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
const u8 package2_keyseed[SE_KEY_128_SIZE] =
{ 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
//!TODO: Update on mkey changes.
static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE] = {
{ 0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D }, // Zeroes encrypted with mkey 00.
{ 0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD }, // Mkey 00 encrypted with mkey 01.
@ -122,6 +128,7 @@ static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE] = {
{ 0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98 }, // Mkey 10 encrypted with mkey 11.
};
//!TODO: Update on mkey changes.
static const u8 new_console_keyseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][SE_KEY_128_SIZE] = {
{ 0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D }, // 4.x New Device Key Source.
{ 0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C }, // 5.x New Device Key Source.
@ -134,6 +141,7 @@ static const u8 new_console_keyseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSIO
{ 0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6 }, // 12.1.0 New Device Key Source.
};
//!TODO: Update on mkey changes.
static const u8 new_console_kekseed[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][SE_KEY_128_SIZE] = {
{ 0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D }, // 4.x New Device Keygen Source.
{ 0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E }, // 5.x New Device Keygen Source.
@ -186,7 +194,7 @@ bool hos_eks_rw_try(u8 *buf, bool write)
return false;
}
void hos_eks_get()
static void _hos_eks_get()
{
// Check if Erista based unit.
if (h_cfg.t210b01)
@ -202,11 +210,10 @@ void hos_eks_get()
// Decrypt EKS blob.
hos_eks_mbr_t *eks = (hos_eks_mbr_t *)(mbr + 0x80);
se_aes_crypt_ecb(14, 0, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, DECRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Check if valid and for this unit.
if (eks->magic == HOS_EKS_MAGIC &&
(eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0) || eks->lot0 == FUSE(FUSE_PRIVATE_KEY0)))
if (eks->magic == HOS_EKS_MAGIC && eks->lot0 == FUSE(FUSE_OPT_LOT_CODE_0))
{
h_cfg.eks = eks;
return;
@ -217,18 +224,13 @@ out:
}
}
void hos_eks_save(u32 kb)
static void _hos_eks_save(u32 kb)
{
// Check if Erista based unit.
if (h_cfg.t210b01)
return;
if (kb >= KB_FIRMWARE_VERSION_700)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
// EKS save. Only for 7.0.0 and up.
bool new_eks = false;
if (!h_cfg.eks)
{
@ -237,10 +239,7 @@ void hos_eks_save(u32 kb)
}
// If matching blob doesn't exist, create it.
bool update_eks = key_idx ? (h_cfg.eks->enabled[key_idx] < kb) : !h_cfg.eks->enabled[0];
// If old EKS version was found, update it.
update_eks |= h_cfg.eks->lot0 != FUSE(FUSE_OPT_LOT_CODE_0);
if (update_eks)
if (h_cfg.eks->enabled < kb)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
@ -261,28 +260,18 @@ void hos_eks_save(u32 kb)
// Set magic and personalized info.
h_cfg.eks->magic = HOS_EKS_MAGIC;
h_cfg.eks->enabled[key_idx] = kb;
h_cfg.eks->enabled = KB_FIRMWARE_VERSION_MAX;
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
// Copy new keys.
memcpy(h_cfg.eks->dkg, keys + 10 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->dkk, keys + 15 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
if (!h_cfg.aes_slots_new)
{
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
else // New sept slots.
{
memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
memcpy(h_cfg.eks->tsec, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->troot, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(h_cfg.eks->troot_dev, keys + 11 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
@ -293,7 +282,6 @@ void hos_eks_save(u32 kb)
out:
free(mbr);
}
}
}
void hos_eks_clear(u32 kb)
@ -304,12 +292,8 @@ void hos_eks_clear(u32 kb)
if (h_cfg.eks && kb >= KB_FIRMWARE_VERSION_700)
{
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
// Check if Current Master key is enabled.
if (h_cfg.eks->enabled[key_idx])
// Check if current Master key is enabled.
if (h_cfg.eks->enabled)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
@ -317,108 +301,12 @@ void hos_eks_clear(u32 kb)
goto out;
// Disable current Master key version.
h_cfg.eks->enabled[key_idx] = 0;
h_cfg.eks->enabled = 0;
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
hos_eks_rw_try(mbr, true);
EMC(EMC_SCRATCH0) &= ~EMC_SEPT_RUN;
h_cfg.sept_run = false;
free(eks);
out:
free(mbr);
}
}
}
void hos_eks_bis_save()
{
// Check if Erista based unit.
if (h_cfg.t210b01)
return;
bool new_eks = false;
if (!h_cfg.eks)
{
h_cfg.eks = calloc(512 , 1);
new_eks = true;
}
// If matching blob doesn't exist, create it.
if (!h_cfg.eks->enabled_bis)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
if (!hos_eks_rw_try(mbr, false))
{
if (new_eks)
{
free(h_cfg.eks);
h_cfg.eks = NULL;
}
goto out;
}
// Set magic and personalized info.
h_cfg.eks->magic = HOS_EKS_MAGIC;
h_cfg.eks->enabled_bis = 1;
h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
// Copy new keys.
memcpy(h_cfg.eks->bis_keys[0].crypt, bis_keys + (0 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
memcpy(h_cfg.eks->bis_keys[0].tweak, bis_keys + (1 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
memcpy(h_cfg.eks->bis_keys[1].crypt, bis_keys + (2 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
memcpy(h_cfg.eks->bis_keys[1].tweak, bis_keys + (3 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
memcpy(h_cfg.eks->bis_keys[2].crypt, bis_keys + (4 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
memcpy(h_cfg.eks->bis_keys[2].tweak, bis_keys + (5 * SE_KEY_128_SIZE), SE_KEY_128_SIZE);
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
hos_eks_rw_try(mbr, true);
free(eks);
out:
free(mbr);
}
}
void hos_eks_bis_clear()
{
// Check if Erista based unit.
if (h_cfg.t210b01)
return;
// Check if BIS keys are enabled.
if (h_cfg.eks && h_cfg.eks->enabled_bis)
{
// Read EKS blob.
u8 *mbr = calloc(512 , 1);
if (!hos_eks_rw_try(mbr, false))
goto out;
// Disable BIS storage.
h_cfg.eks->enabled_bis = 0;
// Encrypt EKS blob.
u8 *eks = calloc(512 , 1);
memcpy(eks, h_cfg.eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, 1, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
se_aes_crypt_ecb(14, ENCRYPT, eks, sizeof(hos_eks_mbr_t), eks, sizeof(hos_eks_mbr_t));
// Write EKS blob to SD.
memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
@ -428,12 +316,13 @@ void hos_eks_bis_clear()
out:
free(mbr);
}
}
}
int hos_keygen_t210b01(u32 kb)
{
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
se_aes_unwrap_key(10, 14, console_keyseed_4xx_5xx);
se_aes_unwrap_key(10, 14, console_keyseed_4xx);
// Derive master key.
se_aes_unwrap_key(7, 12, &master_kekseed_t210b01[kb - KB_FIRMWARE_VERSION_600]);
@ -448,6 +337,7 @@ int hos_keygen_t210b01(u32 kb)
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
{
u32 retries = 0;
bool use_tsec = false;
tsec_keys_t tsec_keys;
kb_t *kb_data = (kb_t *)keyblob;
@ -457,27 +347,58 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
if (h_cfg.t210b01)
return hos_keygen_t210b01(kb);
// Do Erista keygen.
// Use HOS EKS if it exists.
_hos_eks_get();
// Use tsec keygen for old firmware or if EKS keys do not exist for newer.
if (kb <= KB_FIRMWARE_VERSION_620 || !h_cfg.eks || (h_cfg.eks && h_cfg.eks->enabled < kb))
use_tsec = true;
if (kb <= KB_FIRMWARE_VERSION_600)
{
tsec_ctxt->size = 0xF00;
tsec_ctxt->type = TSEC_FW_TYPE_OLD;
}
else if (kb == KB_FIRMWARE_VERSION_620)
{
tsec_ctxt->size = 0x2900;
else if (kb == KB_FIRMWARE_VERSION_700)
tsec_ctxt->size = 0x3000;
else
tsec_ctxt->size = 0x3300;
tsec_ctxt->type = TSEC_FW_TYPE_EMU;
// Prepare smmu tsec page for 6.2.0.
if (kb == KB_FIRMWARE_VERSION_620)
{
u8 *tsec_paged = (u8 *)page_alloc(3);
memcpy(tsec_paged, (void *)tsec_ctxt->fw, tsec_ctxt->size);
tsec_ctxt->fw = tsec_paged;
}
else if (use_tsec) // 7.0.0+
{
/*
* 7.0.0/8.1.0 tsec fw are 0x3000/0x3300.
* Unused here because of THK.
*/
// Use custom TSEC Hovi Keygen firmware.
tsec_ctxt->fw = sd_file_read("bootloader/sys/thk.bin", NULL);
if (!tsec_ctxt->fw)
{
EPRINTF("\nFailed to load thk.bin");
return 0;
}
tsec_ctxt->size = 0x1F00;
tsec_ctxt->type = TSEC_FW_TYPE_NEW;
}
else if (h_cfg.eks)
{
// EKS found. Set TSEC keys.
se_aes_key_set(12, h_cfg.eks->tsec, SE_KEY_128_SIZE);
se_aes_key_set(13, h_cfg.eks->troot, SE_KEY_128_SIZE);
se_aes_key_set(11, h_cfg.eks->troot_dev, SE_KEY_128_SIZE);
}
// Get TSEC key.
if (kb <= KB_FIRMWARE_VERSION_620)
{
while (tsec_query(&tsec_keys, kb, tsec_ctxt) < 0)
while (use_tsec && tsec_query(&tsec_keys, tsec_ctxt) < 0)
{
memset(&tsec_keys, 0x00, 0x20);
retries++;
@ -485,35 +406,36 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
// We rely on racing conditions, make sure we cover even the unluckiest cases.
if (retries > 15)
{
EPRINTF("\nFailed to get TSEC keys. Please try again.\n");
EPRINTF("\nFailed to get TSEC keys. Please try again.");
return 0;
}
}
}
if (kb >= KB_FIRMWARE_VERSION_700)
{
// Use HOS EKS if it exists.
u32 key_idx = 0;
if (kb >= KB_FIRMWARE_VERSION_810)
key_idx = 1;
if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
// For 7.0.0 and up, save EKS slot if it doesn't exist.
if (use_tsec)
{
// Set Device keygen key to slot 10.
se_aes_key_set(10, h_cfg.eks->dkg, SE_KEY_128_SIZE);
// Set Master key to slot 12.
se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
// Set FW Device key key to slot 13.
se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
// Set Device key to slot 15.
se_aes_key_set(15, h_cfg.eks->dkk, SE_KEY_128_SIZE);
_hos_eks_save(kb);
free(tsec_ctxt->fw);
}
else
h_cfg.aes_slots_new = se_key_acc_ctrl_get(12) == 0x6A;
se_aes_key_clear(8);
se_aes_unwrap_key(8, !h_cfg.aes_slots_new ? 12 : 13, package2_keyseed);
// Decrypt keyblob and set keyslots.
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
// Derive device keys.
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
// Derive master kek.
se_aes_unwrap_key(7, 13, master_kekseed_t210_max);
// Derive master key.
se_aes_unwrap_key(7, 7, master_keyseed_retail);
// Package2 key.
se_aes_unwrap_key(8, 7, package2_keyseed);
}
else if (kb == KB_FIRMWARE_VERSION_620)
{
@ -522,16 +444,22 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
// Set TSEC root key.
se_aes_key_set(13, tsec_keys.tsec_root, SE_KEY_128_SIZE);
// Decrypt keyblob and set keyslots
se_aes_crypt_block_ecb(12, 0, tsec_keys.tmp, keyblob_keyseeds[0]);
// Decrypt keyblob and set keyslots.
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tmp, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tmp);
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
// Derive device keys.
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
// Derive master kek.
se_aes_unwrap_key(7, 13, master_kekseed_620);
// Derive master key.
se_aes_unwrap_key(7, 7, master_keyseed_retail);
// Package2 key.
se_aes_unwrap_key(8, 13, master_keyseed_620);
se_aes_unwrap_key(9, 8, master_keyseed_retail);
se_aes_unwrap_key(8, 9, package2_keyseed);
se_aes_unwrap_key(8, 7, package2_keyseed);
}
else
{
@ -539,15 +467,11 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
se_aes_key_set(13, tsec_keys.tsec, SE_KEY_128_SIZE);
// Derive keyblob keys from TSEC+SBK.
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[0]);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[0]);
se_aes_unwrap_key(15, 14, tsec_keys.tsec);
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, keyblob_keyseeds[kb]);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, keyblob_keyseeds[kb]);
se_aes_unwrap_key(13, 14, tsec_keys.tsec);
// Clear SBK.
if (!h_cfg.sbk_set)
se_aes_key_clear(14);
/*
// Verify keyblob CMAC.
u8 cmac[SE_KEY_128_SIZE];
@ -557,16 +481,16 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
return 0;
*/
se_aes_crypt_block_ecb(13, 0, tsec_keys.tsec, cmac_keyseed);
se_aes_crypt_block_ecb(13, DECRYPT, tsec_keys.tsec, cmac_keyseed);
se_aes_unwrap_key(11, 13, cmac_keyseed);
// Decrypt keyblob and set keyslots.
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_data->keys), &kb_data->keys, sizeof(kb_data->keys), kb_data->ctr);
se_aes_crypt_ctr(13, &kb_data->keys, sizeof(kb_keys_t), &kb_data->keys, sizeof(kb_keys_t), kb_data->ctr);
se_aes_key_set(11, kb_data->keys.package1_key, SE_KEY_128_SIZE);
se_aes_key_set(12, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
se_aes_key_set(13, kb_data->keys.master_keyseed, SE_KEY_128_SIZE);
se_aes_key_set(12, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
se_aes_key_set(13, kb_data->keys.master_kekseed, SE_KEY_128_SIZE);
se_aes_crypt_block_ecb(12, 0, tsec_keys.tsec, master_keyseed_retail);
se_aes_crypt_block_ecb(12, DECRYPT, tsec_keys.tsec, master_keyseed_retail);
switch (kb)
{
@ -577,18 +501,16 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
se_aes_unwrap_key(12, 12, master_keyseed_retail);
break;
case KB_FIRMWARE_VERSION_400:
se_aes_unwrap_key(13, 15, console_keyseed_4xx_5xx);
se_aes_unwrap_key(13, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
if (!h_cfg.sbk_set) // Do not clear SBK if patched. In this context the below key is useless.
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
//se_aes_unwrap_key(14, 12, master_keyseed_4xx); // In this context it's useless. So don't kill SBK.
se_aes_unwrap_key(12, 12, master_keyseed_retail);
break;
case KB_FIRMWARE_VERSION_500:
case KB_FIRMWARE_VERSION_600:
se_aes_unwrap_key(10, 15, console_keyseed_4xx_5xx);
se_aes_unwrap_key(10, 15, console_keyseed_4xx);
se_aes_unwrap_key(15, 15, console_keyseed);
if (!h_cfg.sbk_set) // Do not clear SBK if patched. In this context the below key is useless.
se_aes_unwrap_key(14, 12, master_keyseed_4xx_5xx_610);
//se_aes_unwrap_key(14, 12, master_keyseed_4xx); // In this context it's useless. So don't kill SBK.
se_aes_unwrap_key(12, 12, master_keyseed_retail);
break;
}
@ -600,32 +522,30 @@ int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
return 1;
}
static void _hos_validate_sept_mkey(u32 kb)
static void _hos_validate_mkey()
{
u8 tmp_mkey[SE_KEY_128_SIZE];
u32 mkey_idx = sizeof(mkey_vectors) / SE_KEY_128_SIZE;
u8 mkey_slot = !h_cfg.aes_slots_new ? 12 : 13;
do
{
mkey_idx--;
se_aes_crypt_ecb(mkey_slot, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
se_aes_crypt_ecb(7, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
for (u32 idx = 0; idx < mkey_idx; idx++)
{
se_aes_key_clear(2);
se_aes_key_set(2, tmp_mkey, SE_KEY_128_SIZE);
se_aes_crypt_ecb(2, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
se_aes_crypt_ecb(2, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
}
if (!memcmp(tmp_mkey, "\x00\x00\x00\x00\x00\x00\x00\x00", 8))
{
se_aes_key_clear(2);
hos_eks_save(kb);
return;
}
} while (mkey_idx - 1);
se_aes_key_clear(2);
hos_eks_clear(kb);
hos_eks_clear(KB_FIRMWARE_VERSION_MAX);
}
static void _hos_bis_print_key(u32 idx, u8 *key)
@ -641,17 +561,17 @@ static void _hos_bis_print_key(u32 idx, u8 *key)
gfx_puts("\n");
}
int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
int hos_bis_keygen()
{
u32 keygen_rev = 0;
u32 console_key_slot = kb >= KB_FIRMWARE_VERSION_400 ? 15 : 13;
u32 console_key_slot = 15; // KB_FIRMWARE_VERSION_MAX. Only for Erista.
tsec_ctxt_t tsec_ctxt = {0};
if (!bis_keys)
bis_keys = malloc(SE_KEY_128_SIZE * 6);
if (!h_cfg.eks || !h_cfg.eks->enabled_bis)
{
hos_keygen(keyblob, kb, tsec_ctxt);
// Run initial keygen.
hos_keygen(NULL, KB_FIRMWARE_VERSION_MAX, &tsec_ctxt);
// All Mariko use new device keygen. New keygen was introduced in 4.0.0.
// We check unconditionally in order to support downgrades.
@ -663,39 +583,34 @@ int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
{
u8 tmp_mkey[SE_KEY_128_SIZE];
u32 mkey_idx = sizeof(mkey_vectors) / SE_KEY_128_SIZE;
u8 mkey_slot = kb >= KB_FIRMWARE_VERSION_700 ? (!h_cfg.aes_slots_new ? 12 : 13) : (kb == KB_FIRMWARE_VERSION_620 ? 9 : 12);
// Keygen revision uses bootloader version, which starts from 1.
keygen_rev -= (KB_FIRMWARE_VERSION_400 + 1);
// Use SBK as Device key 4x unsealer and KEK for mkey in T210B01 units.
if (h_cfg.t210b01)
mkey_slot = 7;
// Derive mkey 0.
do
{
mkey_idx--;
se_aes_crypt_ecb(mkey_slot, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
se_aes_crypt_ecb(7, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx], SE_KEY_128_SIZE);
for (u32 idx = 0; idx < mkey_idx; idx++)
{
se_aes_key_clear(2);
se_aes_key_set(2, tmp_mkey, SE_KEY_128_SIZE);
se_aes_crypt_ecb(2, 0, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
se_aes_crypt_ecb(2, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, mkey_vectors[mkey_idx - 1 - idx], SE_KEY_128_SIZE);
}
} while (memcmp(tmp_mkey, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0 && (mkey_idx - 1));
// Derive new device key.
se_aes_key_clear(1);
se_aes_unwrap_key(1, 10, new_console_keyseed[keygen_rev]); // Uses Device key 4x.
se_aes_crypt_ecb(10, 0, tmp_mkey, SE_KEY_128_SIZE, new_console_keyseed[keygen_rev], SE_KEY_128_SIZE); // Uses Device key 4x.
se_aes_crypt_ecb(10, DECRYPT, tmp_mkey, SE_KEY_128_SIZE, new_console_keyseed[keygen_rev], SE_KEY_128_SIZE); // Uses Device key 4x.
se_aes_unwrap_key(1, 2, new_console_kekseed[keygen_rev]); // Uses Master Key 0.
se_aes_unwrap_key(1, 1, tmp_mkey);
console_key_slot = 1;
}
// Generate generic kek.
// Generate generic key.
se_aes_key_clear(2);
se_aes_unwrap_key(2, console_key_slot, gen_keyseed_retail);
@ -703,8 +618,8 @@ int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
memset(bis_keys, 0, SE_KEY_128_SIZE * 6);
// Generate BIS 0 Keys.
se_aes_crypt_block_ecb(2, 0, bis_keys + (0 * SE_KEY_128_SIZE), bis_keyseed[0]);
se_aes_crypt_block_ecb(2, 0, bis_keys + (1 * SE_KEY_128_SIZE), bis_keyseed[1]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (0 * SE_KEY_128_SIZE), bis_keyseed[0]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (1 * SE_KEY_128_SIZE), bis_keyseed[1]);
// Generate generic kek.
se_aes_key_clear(2);
@ -713,33 +628,23 @@ int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
se_aes_unwrap_key(2, 2, gen_keyseed);
// Generate BIS 1 Keys.
se_aes_crypt_block_ecb(2, 0, bis_keys + (2 * SE_KEY_128_SIZE), bis_keyseed[2]);
se_aes_crypt_block_ecb(2, 0, bis_keys + (3 * SE_KEY_128_SIZE), bis_keyseed[3]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (2 * SE_KEY_128_SIZE), bis_keyseed[2]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (3 * SE_KEY_128_SIZE), bis_keyseed[3]);
// Generate BIS 2/3 Keys.
se_aes_crypt_block_ecb(2, 0, bis_keys + (4 * SE_KEY_128_SIZE), bis_keyseed[4]);
se_aes_crypt_block_ecb(2, 0, bis_keys + (5 * SE_KEY_128_SIZE), bis_keyseed[5]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (4 * SE_KEY_128_SIZE), bis_keyseed[4]);
se_aes_crypt_block_ecb(2, DECRYPT, bis_keys + (5 * SE_KEY_128_SIZE), bis_keyseed[5]);
if (!h_cfg.t210b01 && kb >= KB_FIRMWARE_VERSION_700)
_hos_validate_sept_mkey(kb);
}
else
{
memcpy(bis_keys + (0 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[0].crypt, SE_KEY_128_SIZE);
memcpy(bis_keys + (1 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[0].tweak, SE_KEY_128_SIZE);
memcpy(bis_keys + (2 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[1].crypt, SE_KEY_128_SIZE);
memcpy(bis_keys + (3 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[1].tweak, SE_KEY_128_SIZE);
memcpy(bis_keys + (4 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[2].crypt, SE_KEY_128_SIZE);
memcpy(bis_keys + (5 * SE_KEY_128_SIZE), h_cfg.eks->bis_keys[2].tweak, SE_KEY_128_SIZE);
}
// Validate key because KB_FIRMWARE_VERSION_MAX.
if (!h_cfg.t210b01)
_hos_validate_mkey();
// Print keys to console.
_hos_bis_print_key(0, bis_keys);
_hos_bis_print_key(1, bis_keys);
_hos_bis_print_key(2, bis_keys);
// Clear all AES keyslots.
// Clear all AES tmp and bis keyslots.
for (u32 i = 0; i < 6; i++)
se_aes_key_clear(i);
@ -758,27 +663,7 @@ int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt)
void hos_bis_keys_clear()
{
// Clear all aes keyslots.
// Clear all aes bis keyslots.
for (u32 i = 0; i < 6; i++)
se_aes_key_clear(i);
// Check if Erista based unit.
if (h_cfg.t210b01)
return;
// Set SBK back.
if (!h_cfg.sbk_set)
{
u32 sbk[4] = {
FUSE(FUSE_PRIVATE_KEY0),
FUSE(FUSE_PRIVATE_KEY1),
FUSE(FUSE_PRIVATE_KEY2),
FUSE(FUSE_PRIVATE_KEY3)
};
// Set SBK to slot 14.
se_aes_key_set(14, sbk, SE_KEY_128_SIZE);
// Lock SBK from being read.
se_key_acc_ctrl(14, SE_KEY_TBL_DIS_KEYREAD_FLAG);
}
}

34
nyx/nyx_gui/hos/hos.h
View file

@ -42,34 +42,20 @@
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1210
#define HOS_PKG11_MAGIC 0x31314B50
#define HOS_EKS_MAGIC 0x30534B45
typedef struct _hos_eks_keys_t
{
u8 mkk[SE_KEY_128_SIZE];
u8 fdk[SE_KEY_128_SIZE];
} hos_eks_keys_t;
typedef struct _hos_eks_bis_keys_t
{
u8 crypt[SE_KEY_128_SIZE];
u8 tweak[SE_KEY_128_SIZE];
} hos_eks_bis_keys_t;
#define HOS_EKS_MAGIC 0x31534B45 // EKS1.
typedef struct _hos_eks_mbr_t
{
u32 magic;
u8 enabled[5];
u8 enabled_bis;
u8 rsvd[2];
u32 enabled;
u32 lot0;
u8 dkg[SE_KEY_128_SIZE];
u8 dkk[SE_KEY_128_SIZE];
hos_eks_keys_t keys[5];
hos_eks_bis_keys_t bis_keys[3];
u32 rsvd;
u8 tsec[SE_KEY_128_SIZE];
u8 troot[SE_KEY_128_SIZE];
u8 troot_dev[SE_KEY_128_SIZE];
} hos_eks_mbr_t;
static_assert(sizeof(hos_eks_mbr_t) == 304, "HOS EKS size is wrong!");
static_assert(sizeof(hos_eks_mbr_t) == 64, "HOS EKS size is wrong!");
typedef struct _launch_ctxt_t
{
@ -95,13 +81,9 @@ typedef struct _launch_ctxt_t
ini_sec_t *cfg;
} launch_ctxt_t;
void hos_eks_get();
void hos_eks_save(u32 kb);
void hos_eks_clear(u32 kb);
void hos_eks_bis_save();
void hos_eks_bis_clear();
int hos_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt);
int hos_bis_keygen(void *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt);
int hos_bis_keygen();
void hos_bis_keys_clear();
#endif

2
nyx/nyx_gui/hos/pkg1.c
View file

@ -99,7 +99,7 @@ int pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)
// Use BEK for T210B01.
// Additionally, skip 0x20 bytes from decryption to maintain the header.
se_aes_iv_clear(13);
se_aes_crypt_cbc(13, 0, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
se_aes_crypt_cbc(13, DECRYPT, pkg1 + 0x20, oem_hdr->size - 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);
}
// Return if header is valid.

40
nyx/nyx_gui/hos/pkg2.c
View file

@ -1,6 +1,6 @@
/*
* Copyright (c) 2018 naehrwert
* Copyright (c) 2018-2020 CTCaer
* Copyright (c) 2018-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@ -112,8 +112,11 @@ DPRINTF(" kip1 %d:%s @ %08X (%08X)\n", i, kip1->name, (u32)kip1, ki->size);
return true;
}
static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
//!TODO: Update on mkey changes.
static const u8 mkey_vector_7xx[][SE_KEY_128_SIZE] =
{
// Master key 7 encrypted with 8. (7.0.0 with 8.1.0)
{ 0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29 },
// Master key 8 encrypted with 9. (8.1.0 with 9.0.0)
{ 0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80 },
// Master key 9 encrypted with 10. (9.0.0 with 9.1.0)
@ -125,9 +128,8 @@ static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8 src_slot, u8 *mkey, const u8 *key_seed)
{
// Decrypt older encrypted mkey.
se_aes_crypt_ecb(src_slot, 0, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
se_aes_crypt_ecb(src_slot, DECRYPT, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
// Set and unwrap pkg2 key.
se_aes_key_clear(9);
se_aes_key_set(9, mkey, SE_KEY_128_SIZE);
se_aes_unwrap_key(9, 9, package2_keyseed);
@ -142,7 +144,7 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
{
pkg2_hdr_t mkey_test;
u8 *pdata = (u8 *)data;
u8 keyslot = 8;
u8 pkg2_keyslot = 8;
// Skip signature.
pdata += 0x100;
@ -152,18 +154,18 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
// Skip header.
pdata += sizeof(pkg2_hdr_t);
// Check if we need to decrypt with newer mkeys. Valid for sept for 8.1.0 and up.
// Check if we need to decrypt with newer mkeys. Valid for THK for 7.0.0 and up.
se_aes_crypt_ctr(8, &mkey_test, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
if (mkey_test.magic == PKG2_MAGIC)
goto key_found;
// Decrypt older pkg2 via new mkeys.
if ((kb >= KB_FIRMWARE_VERSION_810) && (kb < KB_FIRMWARE_VERSION_MAX))
if ((kb >= KB_FIRMWARE_VERSION_700) && (kb < KB_FIRMWARE_VERSION_MAX))
{
u8 tmp_mkey[SE_KEY_128_SIZE];
u8 decr_slot = !h_cfg.t210b01 ? (!h_cfg.aes_slots_new ? 12 : 13) : 7; // Sept mkey or T210B01 mkey.
u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / SE_KEY_128_SIZE;
u8 decr_slot = 7; // THK mkey or T210B01 mkey.
u8 mkey_seeds_cnt = sizeof(mkey_vector_7xx) / SE_KEY_128_SIZE;
u8 mkey_seeds_idx = mkey_seeds_cnt; // Real index + 1.
u8 mkey_seeds_min_idx = mkey_seeds_cnt - (KB_FIRMWARE_VERSION_MAX - kb);
@ -171,41 +173,36 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
{
// Decrypt and validate mkey.
int res = _pkg2_key_unwrap_validate(&mkey_test, hdr, decr_slot,
tmp_mkey, mkey_vector_8xx[mkey_seeds_idx - 1]);
tmp_mkey, mkey_vector_7xx[mkey_seeds_idx - 1]);
if (res)
{
keyslot = 9;
pkg2_keyslot = 9;
goto key_found;
}
else
{
// Set current mkey in order to decrypt a lower mkey.
mkey_seeds_idx--;
se_aes_key_clear(9);
se_aes_key_set(9, tmp_mkey, SE_KEY_128_SIZE);
decr_slot = 9; // Temp key.
// Check if we tried last key for that pkg2 version.
// And start with a lower mkey in case sept is older.
// And start with a lower mkey in case mkey is older.
if (mkey_seeds_idx == mkey_seeds_min_idx)
{
mkey_seeds_cnt--;
mkey_seeds_idx = mkey_seeds_cnt;
decr_slot = !h_cfg.aes_slots_new ? 12 : 13; // Sept mkey.
decr_slot = 7; // THK mkey or T210B01 mkey.
}
// Out of keys. pkg2 is latest or process failed.
if (!mkey_seeds_cnt)
se_aes_key_clear(9);
}
}
}
key_found:
// Decrypt header.
se_aes_crypt_ctr(keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
se_aes_crypt_ctr(pkg2_keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
//gfx_hexdump((u32)hdr, hdr, 0x100);
if (hdr->magic != PKG2_MAGIC)
@ -217,14 +214,11 @@ DPRINTF("sec %d has size %08X\n", i, hdr->sec_size[i]);
if (!hdr->sec_size[i])
continue;
se_aes_crypt_ctr(keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * SE_AES_IV_SIZE]);
se_aes_crypt_ctr(pkg2_keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * SE_AES_IV_SIZE]);
//gfx_hexdump((u32)pdata, pdata, 0x100);
pdata += hdr->sec_size[i];
}
if (keyslot != 8)
se_aes_key_clear(9);
return hdr;
}

175
nyx/nyx_gui/hos/sept.c
View file

@ -1,175 +0,0 @@
/*
* Copyright (c) 2019-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <string.h>
#include "hos.h"
#include "sept.h"
#include "../config.h"
#include <display/di.h>
#include <ianos/ianos.h>
#include <libs/fatfs/ff.h>
#include <mem/heap.h>
#include <soc/hw_init.h>
#include <soc/pmc.h>
#include <soc/t210.h>
#include "../storage/nx_emmc.h"
#include <storage/nx_sd.h>
#include <storage/sdmmc.h>
#include <utils/btn.h>
#include <utils/types.h>
#include <utils/util.h>
#include <gfx_utils.h>
#define RELOC_META_OFF 0x7C
#define PATCHED_RELOC_SZ 0x94
#define WB_RST_ADDR 0x40010ED0
#define WB_RST_SIZE 0x30
u8 warmboot_reboot[] = {
0x14, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E450
0x01, 0x10, 0xB0, 0xE3, // MOVS R1, #1
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
0x0C, 0x00, 0x9F, 0xE5, // LDR R0, =0x7000E400
0x10, 0x10, 0xB0, 0xE3, // MOVS R1, #0x10
0x00, 0x10, 0x80, 0xE5, // STR R1, [R0]
0xFE, 0xFF, 0xFF, 0xEA, // LOOP
0x50, 0xE4, 0x00, 0x70, // #0x7000E450
0x00, 0xE4, 0x00, 0x70 // #0x7000E400
};
#define SEPT_PRI_ADDR 0x4003F000
#define SEPT_PK1T_ADDR 0xC0400000
#define SEPT_TCSZ_ADDR (SEPT_PK1T_ADDR - 0x4)
#define SEPT_STG1_ADDR (SEPT_PK1T_ADDR + 0x2E100)
#define SEPT_STG2_ADDR (SEPT_PK1T_ADDR + 0x60E0)
#define SEPT_PKG_SZ (0x2F100 + WB_RST_SIZE)
extern volatile boot_cfg_t *b_cfg;
extern hekate_config h_cfg;
extern volatile nyx_storage_t *nyx_str;
extern bool is_ipl_updated(void *buf);
extern void reloc_patcher(u32 payload_dst, u32 payload_src, u32 payload_size);
int reboot_to_sept(const u8 *tsec_fw, u32 kb)
{
FIL fp;
// Copy warmboot reboot code and TSEC fw.
u32 tsec_fw_size = 0x3000;
if (kb > KB_FIRMWARE_VERSION_700)
tsec_fw_size = 0x3300;
memcpy((u8 *)(SEPT_PK1T_ADDR - WB_RST_SIZE), (u8 *)warmboot_reboot, sizeof(warmboot_reboot));
memcpy((void *)SEPT_PK1T_ADDR, tsec_fw, tsec_fw_size);
*(vu32 *)SEPT_TCSZ_ADDR = tsec_fw_size;
// Copy sept-primary.
if (f_open(&fp, "sept/sept-primary.bin", FA_READ))
goto error;
if (f_read(&fp, (u8 *)SEPT_STG1_ADDR, f_size(&fp), NULL))
{
f_close(&fp);
goto error;
}
f_close(&fp);
// Copy sept-secondary.
if (kb < KB_FIRMWARE_VERSION_810)
{
if (f_open(&fp, "sept/sept-secondary_00.enc", FA_READ))
goto error;
}
else
{
if (f_open(&fp, "sept/sept-secondary_01.enc", FA_READ))
goto error;
}
if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
{
f_close(&fp);
goto error;
}
f_close(&fp);
b_cfg->boot_cfg |= (BOOT_CFG_AUTOBOOT_EN | BOOT_CFG_SEPT_RUN);
bool update_sept_payload = true;
if (!f_open(&fp, "sept/payload.bin", FA_READ | FA_WRITE))
{
ipl_ver_meta_t tmp_ver;
ipl_ver_meta_t heka_ver;
f_lseek(&fp, PATCHED_RELOC_SZ + sizeof(boot_cfg_t));
f_read(&fp, &tmp_ver, sizeof(ipl_ver_meta_t), NULL);
memcpy(&heka_ver, (u8 *)nyx_str->hekate + 0x118, sizeof(ipl_ver_meta_t));
if (tmp_ver.magic == heka_ver.magic)
{
if (tmp_ver.version == heka_ver.version)
{
// Save auto boot config to sept payload, if any.
boot_cfg_t *tmp_cfg = malloc(sizeof(boot_cfg_t));
memcpy(tmp_cfg, (boot_cfg_t *)b_cfg, sizeof(boot_cfg_t));
f_lseek(&fp, PATCHED_RELOC_SZ);
f_write(&fp, tmp_cfg, sizeof(boot_cfg_t), NULL);
update_sept_payload = false;
}
f_close(&fp);
}
else
{
f_close(&fp);
f_rename("sept/payload.bin", "sept/payload.bak"); // Backup foreign payload.
}
}
if (update_sept_payload)
{
volatile reloc_meta_t *reloc = (reloc_meta_t *)(nyx_str->hekate + RELOC_META_OFF);
f_mkdir("sept");
f_open(&fp, "sept/payload.bin", FA_WRITE | FA_CREATE_ALWAYS);
f_write(&fp, (u8 *)nyx_str->hekate, reloc->end - reloc->start, NULL);
f_close(&fp);
}
sd_end();
u32 pk1t_sept = SEPT_PK1T_ADDR - (ALIGN(PATCHED_RELOC_SZ, 0x10) + WB_RST_SIZE);
void (*sept)() = (void *)pk1t_sept;
reloc_patcher(WB_RST_ADDR, pk1t_sept, SEPT_PKG_SZ);
// Patch SDRAM init to perform an SVC immediately after second write.
PMC(APBDEV_PMC_SCRATCH45) = 0x2E38DFFF;
PMC(APBDEV_PMC_SCRATCH46) = 0x6001DC28;
// Set SVC handler to jump to sept-primary in IRAM.
PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
hw_reinit_workaround(false, 0);
(*sept)();
error:
return 0;
}

26
nyx/nyx_gui/hos/sept.h
View file

@ -1,26 +0,0 @@
/*
* Copyright (c) 2019-2021 CTCaer
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _SEPT_H_
#define _SEPT_H_
#include <utils/types.h>
#define SEPT_PRI_ENTRY 0x40010340
int reboot_to_sept(const u8 *tsec_fw, u32 kb);
#endif

2
nyx/nyx_gui/storage/nx_emmc_bis.c
View file

@ -87,7 +87,7 @@ static int _nx_aes_xts_crypt_sec(u32 tweak_ks, u32 crypt_ks, u32 enc, u8 *tweak,
tweak[i] = sec & 0xFF;
sec >>= 8;
}
if (!se_aes_crypt_block_ecb(tweak_ks, 1, tweak, tweak))
if (!se_aes_crypt_block_ecb(tweak_ks, ENCRYPT, tweak, tweak))
return 0;
}