From f612ee2a8c6f524481c9692bb79b03a9cd7eb6f6 Mon Sep 17 00:00:00 2001
From: shchmue
Date: Sat, 11 May 2019 21:03:24 -0400
Subject: [PATCH] Find tsecfw size and offset firmware-agnostically
---
 source/hos/pkg1.c | 22 +++++++++++-----------
 source/hos/pkg1.h | 3 ---
 source/keys/keys.c | 28 +++++++++++++++++-----------
 source/main.c | 4 ++--
 source/sec/tsec.c | 4 ++--
 source/sec/tsec.h | 20 ++++++++++++++++++--
 6 files changed, 50 insertions(+), 31 deletions(-)
diff --git a/source/hos/pkg1.c b/source/hos/pkg1.c
index e9db707..21c7e60 100644
--- a/source/hos/pkg1.c
+++ b/source/hos/pkg1.c
@@ -23,17 +23,17 @@
 #include "../sec/se.h"
 static const pkg1_id_t _pkg1_ids[] = {
- { "20161121183008", 0, 0x1900, 0x3FE0, 0x4002B020 }, //1.0.0
- { "20170210155124", 0, 0x1900, 0x3FE0, 0x4002D000 }, //2.0.0 - 2.3.0
- { "20170519101410", 1, 0x1A00, 0x3FE0, 0x4002D000 }, //3.0.0
- { "20170710161758", 2, 0x1A00, 0x3FE0, 0x4002D000 }, //3.0.1 - 3.0.2
- { "20170921172629", 3, 0x1800, 0x3FE0, 0x4002B000 }, //4.0.0 - 4.1.0
- { "20180220163747", 4, 0x1900, 0x3FE0, 0x4002B000 }, //5.0.0 - 5.1.0
- { "20180802162753", 5, 0x1900, 0x3FE0, 0x4002B000 }, //6.0.0 - 6.1.0
- { "20181107105733", 6, 0x0E00, 0x6FE0, 0x4002B000 }, //6.2.0
- { "20181218175730", 7, 0x0F00, 0x6FE0, 0x40030000 }, //7.0.0
- { "20190208150037", 7, 0x0F00, 0x6FE0, 0x40030000 }, //7.0.1
- { "20190314172056", 7, 0x0E00, 0x6FE0, 0x40030000 }, //8.0.0
+ { "20161121183008", 0 }, //1.0.0
+ { "20170210155124", 0 }, //2.0.0 - 2.3.0
+ { "20170519101410", 1 }, //3.0.0
+ { "20170710161758", 2 }, //3.0.1 - 3.0.2
+ { "20170921172629", 3 }, //4.0.0 - 4.1.0
+ { "20180220163747", 4 }, //5.0.0 - 5.1.0
+ { "20180802162753", 5 }, //6.0.0 - 6.1.0
+ { "20181107105733", 6 }, //6.2.0
+ { "20181218175730", 7 }, //7.0.0
+ { "20190208150037", 7 }, //7.0.1
+ { "20190314172056", 7 }, //8.0.0
 { NULL } //End.
 };
diff --git a/source/hos/pkg1.h b/source/hos/pkg1.h
index 769568e..c0be0ac 100644
--- a/source/hos/pkg1.h
+++ b/source/hos/pkg1.h
@@ -23,9 +23,6 @@
 typedef struct _pkg1_id_t
 {
 const char *id;
 u32 kb;
- u32 tsec_off;
- u32 pkg11_off;
- u32 secmon_base;
 } pkg1_id_t;
 const pkg1_id_t *pkg1_identify(u8 *pkg1);
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 31e1292..336ae54 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -252,6 +252,19 @@ void dump_keys() {
 goto out_wait;
 }
+ bool found_tsec_fw = false;
+ for (const u32 *pos = (const u32 *)pkg1; (u8 *)pos < pkg1 + 0x40000; pos += 0x100 / sizeof(u32)) {
+ if (*pos == 0xCF42004D) {
+ tsec_ctxt.fw = (u8 *)pos;
+ found_tsec_fw = true;
+ break;
+ }
+ }
+ if (!found_tsec_fw) {
+ EPRINTF("Failed to locate TSEC firmware.");
+ goto out_wait;
+ }
+
 u32 MAX_KEY = 6;
 if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
 MAX_KEY = pkg1_id->kb + 1;
@@ -281,7 +294,7 @@ void dump_keys() {
 gfx_printf("%kFirmware 7.x or higher detected.\n%kRenamed /sept/payload.bin", colors[0], colors[1]);
 gfx_printf("\n%k to /sept/payload.bak\n%kCopied self to /sept/payload.bin",colors[2], colors[3]);
 sdmmc_storage_end(&storage);
- if (!reboot_to_sept((u8 *)pkg1 + pkg1_id->tsec_off))
+ if (!reboot_to_sept((u8 *)tsec_ctxt.fw))
 goto out_wait;
 } else {
 se_aes_key_read(12, master_key[pkg1_id->kb], 0x10);
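Review bot: The new scan accepts a candidate as soon as one 32-bit word equals 0xCF42004D, but nothing bounds the match against the end of the 0x40000 pkg1 buffer, and the later hunk at `get_tsec:` goes on to read a `tsec_key_data_t` at `fw + TSEC_KEY_DATA_ADDR` and sum five blob sizes from it. A match in the last few hundred bytes would read past the buffer, and since pkg1 appears to be read from external storage earlier in dump_keys its contents cannot be assumed well-formed, so a stray word that happens to equal the magic is taken as firmware. Tighten the loop condition so a candidate is only accepted when the key-data block fits, e.g. `(u8 *)pos + TSEC_KEY_DATA_ADDR + sizeof(tsec_key_data_t) <= pkg1 + 0x40000` in place of `(u8 *)pos < pkg1 + 0x40000`, and give the literal a name next to `TSEC_KEY_DATA_ADDR` in tsec.h (`#define TSEC_FW_MAGIC 0xCF42004D // first word of the TSEC firmware image inside pkg1`). dump_keys starts and ends outside this hunk.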
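Review bot: The `(u8 *)` cast on `tsec_ctxt.fw` in the new `reboot_to_sept` call is redundant: `fw` is declared `void *` in tsec_ctxt_t (see the tsec.h hunk), which converts to any object pointer implicitly in C. `if (!reboot_to_sept(tsec_ctxt.fw))` reads cleaner, and if the parameter type ever differs from `u8 *` the compiler will report it instead of the cast hiding it. dump_keys continues outside the hunk.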
@@ -291,17 +304,10 @@ void dump_keys() {
 get_tsec: ;
 u8 tsec_keys[0x10 * 2] = {0};
- tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
+ tsec_key_data_t *key_data = (tsec_key_data_t *)(tsec_ctxt.fw + TSEC_KEY_DATA_ADDR);
 tsec_ctxt.pkg1 = pkg1;
- tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
- tsec_ctxt.secmon_base = pkg1_id->secmon_base;
-
- if (pkg1_id->kb <= KB_FIRMWARE_VERSION_600)
- tsec_ctxt.size = 0xF00;
- else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
- tsec_ctxt.size = 0x2900;
- else {
- tsec_ctxt.size = 0x3000;
+ tsec_ctxt.size = 0x100 + key_data->blob0_size + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size;
+ if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) {
 // Exit after TSEC key generation.
 *((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
 }
diff --git a/source/main.c b/source/main.c
index 3076551..6af4703 100644
--- a/source/main.c
+++ b/source/main.c
@@ -49,7 +49,7 @@ bool sd_mount()
 else
 {
 int res = 0;
- res = f_mount(&sd_fs, "", 1);
+ res = f_mount(&sd_fs, "sd:", 1);
 if (res == FR_OK)
 {
 sd_mounted = 1;
@@ -68,7 +68,7 @@ void sd_unmount()
 {
 if (sd_mounted)
 {
- f_mount(NULL, "", 1);
+ f_mount(NULL, "sd:", 1);
 sdmmc_storage_end(&sd_storage);
 sd_mounted = false;
 }
diff --git a/source/sec/tsec.c b/source/sec/tsec.c
index 9f8d28e..9916882 100644
--- a/source/sec/tsec.c
+++ b/source/sec/tsec.c
@@ -118,7 +118,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
 {
 // Init SMMU translation for TSEC.
 pdir = smmu_init_for_tsec();
- smmu_init(tsec_ctxt->secmon_base);
+ smmu_init(0x4002B000);
 // Enable SMMU
 if (!smmu_is_used())
 smmu_enable();
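Review bot: The 7.0+ branch still writes a halfword at `fw + 0x2DB5`, but the fixed size that used to guarantee that offset was inside the image (`0x3000`, removed here) is now a sum of five `blobN_size` fields read out of the firmware image itself, and the result is never checked. A truncated or tampered image can yield a size below 0x2DB7 or far beyond the remaining pkg1 buffer, so both this patch write and whatever consumes `tsec_ctxt.size` later work on unvalidated bounds, and the five-term u32 sum can also wrap. Validate right after the assignment, e.g. `if (tsec_ctxt.size > 0x40000 - ((u8 *)tsec_ctxt.fw - pkg1) || (pkg1_id->kb >= KB_FIRMWARE_VERSION_700 && tsec_ctxt.size < 0x2DB7)) {` followed by `EPRINTF("Invalid TSEC firmware size."); goto out_wait; }`. The existing `// Exit after TSEC key generation.` comment should also say that 0x2DB5 is an offset specific to the 7.x+ firmware layout. dump_keys continues outside the hunk.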
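Review bot: The new mount path `"sd:"` is a bare literal repeated in sd_mount and again in sd_unmount (the second hunk of this file); the two must stay identical or the unmount silently targets a different logical drive than the mount. Hoist it into a single named constant, e.g. `#define SD_MOUNT_PATH "sd:"`, and use it in both `f_mount` calls.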
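Review bot: `smmu_init(0x4002B000)` replaces a per-firmware value with an unexplained literal; the table this patch removes from pkg1.c carried 0x4002B020, 0x4002D000, 0x4002B000 and 0x40030000 for different firmware lines, so the constant is only right if this code path is reached exclusively for the firmware line(s) that used 0x4002B000. The condition guarding this block starts above the hunk and is not visible here, so record the assumption at the call site, e.g. `smmu_init(0x4002B000); // secmon base for the firmware handled by this branch; was pkg1_id->secmon_base`, or better a named constant in tsec.h. The same applies to the `0x7000` that replaces `pkg11_off + 0x20` in the next hunk of this file, which matches the removed table's 0x6FE0 + 0x20 for the newer entries only. tsec_query starts and ends outside this hunk.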
@@ -161,7 +161,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
 iram = page_alloc(0x30);
 memcpy(iram, tsec_ctxt->pkg1, 0x30000);
 // PKG1.1 magic offset.
- pkg11_magic_off = (u32 *)(iram + ((tsec_ctxt->pkg11_off + 0x20) / 4));
+ pkg11_magic_off = (u32 *)(iram + (0x7000 / 4));
 smmu_map(pdir, 0x40010000, (u32)iram, 0x30, _READABLE | _WRITABLE | _NONSECURE);
 // Exception vectors
diff --git a/source/sec/tsec.h b/source/sec/tsec.h
index 45d994c..5d15fb5 100644
--- a/source/sec/tsec.h
+++ b/source/sec/tsec.h
@@ -20,15 +20,31 @@
 #include "../utils/types.h"
+#define TSEC_KEY_DATA_ADDR 0x300
+
 typedef struct _tsec_ctxt_t
 {
 void *fw;
 u32 size;
 void *pkg1;
- u32 pkg11_off;
- u32 secmon_base;
 } tsec_ctxt_t;
+typedef struct _tsec_key_data_t
+{
+ u8 debug_key[0x10];
+ u8 blob0_auth_hash[0x10];
+ u8 blob1_auth_hash[0x10];
+ u8 blob2_auth_hash[0x10];
+ u8 blob2_aes_iv[0x10];
+ u8 hovi_eks_seed[0x10];
+ u8 hovi_common_seed[0x10];
+ u32 blob0_size;
+ u32 blob1_size;
+ u32 blob2_size;
+ u32 blob3_size;
+ u32 blob4_size;
+} tsec_key_data_t;
+
 int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt);
 #endif
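Review bot: `tsec_key_data_t` is cast directly onto firmware bytes at `fw + TSEC_KEY_DATA_ADDR` in keys.c, so its layout is an external binary format rather than a free-form struct, and nothing in this header pins it. A comment stating that, plus a size check — the fields add up to 0x84 bytes, so `_Static_assert(sizeof(tsec_key_data_t) == 0x84, "tsec_key_data_t must match the firmware key-data layout");` if the build is C11 — would catch any padding or field reordering. `TSEC_KEY_DATA_ADDR` also needs a one-line comment (`// Offset of tsec_key_data_t from the start of the TSEC firmware image`), and the `blobN_size` fields should be annotated as values read from the image that callers must validate before use.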