Skip to content

Instantly share code, notes, and snippets.

@SciresM SciresM/exosphere_600_support.diff Secret
Last active Aug 31, 2018

Embed
What would you like to do?
diff --git a/exosphere/src/bootup.c b/exosphere/src/bootup.c
index a1fd252..e81ff1a 100644
--- a/exosphere/src/bootup.c
+++ b/exosphere/src/bootup.c
@@ -30,6 +30,23 @@
static bool g_has_booted_up = false;
+
+void setup_dram_magic_numbers(void) {
+ /* TODO: Why does these DRAM write occur? */
+ unsigned int target_fw = exosphere_get_target_firmware();
+ if (EXOSPHERE_TARGET_FIRMWARE_400 <= target_fw) {
+ (*(volatile uint32_t *)(0x8005FFFC)) = 0xC0EDBBCC;
+ flush_dcache_range((void *)0x8005FFFC, (void *)0x80060000);
+ if (EXOSPHERE_TARGET_FIRMWARE_600 <= target_fw) {
+ (*(volatile uint32_t *)(0x8005FF00)) = 0x00000083;
+ (*(volatile uint32_t *)(0x8005FF04)) = 0x00000002;
+ (*(volatile uint32_t *)(0x8005FF08)) = 0x00000210;
+ flush_dcache_range((void *)0x8005FF00, (void *)0x8005FF0C);
+ }
+ }
+ __dsb_sy();
+}
+
void bootup_misc_mmio(void) {
/* Initialize Fuse registers. */
fuse_init();
@@ -50,10 +67,8 @@ void bootup_misc_mmio(void) {
se_generate_random_key(KEYSLOT_SWITCH_SRKGENKEY, KEYSLOT_SWITCH_RNGKEY);
se_generate_srk(KEYSLOT_SWITCH_SRKGENKEY);
- /* TODO: Why does this DRAM write occur? */
- if (!g_has_booted_up && exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
- /* 4.x writes this magic number into DRAM. Why? */
- (*(volatile uint32_t *)(0x8005FFFC)) = 0xC0EDBBCC;
+ if (!g_has_booted_up && EXOSPHERE_TARGET_FIRMWARE_600 > exosphere_get_target_firmware() && exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
+ setup_dram_magic_numbers();
}
/* Todo: What? */
@@ -201,6 +216,9 @@ void bootup_misc_mmio(void) {
}
void setup_4x_mmio(void) {
+ if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
+ configure_gpu_ucode_carveout();
+ }
/* TODO: What are these MC reg writes? */
MAKE_MC_REG(0x65C) = 0xFFFFF000;
MAKE_MC_REG(0x660) = 0;
diff --git a/exosphere/src/bootup.h b/exosphere/src/bootup.h
index 2f5f0d1..ccbed95 100644
--- a/exosphere/src/bootup.h
+++ b/exosphere/src/bootup.h
@@ -86,6 +86,8 @@ void bootup_misc_mmio(void);
void setup_4x_mmio(void);
+void setup_dram_magic_numbers(void);
+
void setup_current_core_state(void);
void identity_unmap_iram_cd_tzram(void);
diff --git a/exosphere/src/exocfg.h b/exosphere/src/exocfg.h
index f02aa24..45413a9 100644
--- a/exosphere/src/exocfg.h
+++ b/exosphere/src/exocfg.h
@@ -16,9 +16,10 @@
#define EXOSPHERE_TARGET_FIRMWARE_300 3
#define EXOSPHERE_TARGET_FIRMWARE_400 4
#define EXOSPHERE_TARGET_FIRMWARE_500 5
+#define EXOSPHERE_TARGET_FIRMWARE_600 6
/* TODO: What should this be, for release? */
-#define EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG EXOSPHERE_TARGET_FIRMWARE_500
+#define EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG EXOSPHERE_TARGET_FIRMWARE_600
#define EXOSPHERE_LOOSEN_PACKAGE2_RESTRICTIONS_FOR_DEBUG 1
#define MAILBOX_BASE_PHYS (MMIO_GET_DEVICE_PA(MMIO_DEVID_NXBOOTLOADER_MAILBOX))
diff --git a/exosphere/src/lp0.c b/exosphere/src/lp0.c
index 1dc0f9c..f0ee55e 100644
--- a/exosphere/src/lp0.c
+++ b/exosphere/src/lp0.c
@@ -228,12 +228,13 @@ void save_se_and_power_down_cpu(void) {
/* TODO: uart_log("OYASUMI"); */
}
- __dsb_sy();
-
finalize_powerdown();
}
uint32_t cpu_suspend(uint64_t power_state, uint64_t entrypoint, uint64_t argument) {
+ /* TODO: 6.0.0 introduces heavy deja vu mitigations. */
+ /* Exosphere may want to implement these. */
+
/* Ensure SMC call is to enter deep sleep. */
if ((power_state & 0x17FFF) != 0x1001B) {
return 0xFFFFFFFD;
diff --git a/exosphere/src/masterkey.c b/exosphere/src/masterkey.c
index 4b83da8..6926c99 100644
--- a/exosphere/src/masterkey.c
+++ b/exosphere/src/masterkey.c
@@ -23,6 +23,7 @@ static const uint8_t mkey_vectors_dev[MASTERKEY_REVISION_MAX][0x10] =
{0x97, 0x29, 0xB0, 0x32, 0x43, 0x14, 0x8C, 0xA6, 0x85, 0xE9, 0x5A, 0x94, 0x99, 0x39, 0xAC, 0x5D}, /* Master key 01 encrypted with Master key 02. */
{0x2C, 0xCA, 0x9C, 0x31, 0x1E, 0x07, 0xB0, 0x02, 0x97, 0x0A, 0xD8, 0x03, 0xA2, 0x76, 0x3F, 0xA3}, /* Master key 02 encrypted with Master key 03. */
{0x9B, 0x84, 0x76, 0x14, 0x72, 0x94, 0x52, 0xCB, 0x54, 0x92, 0x9B, 0xC4, 0x8C, 0x5B, 0x0F, 0xBA}, /* Master key 03 encrypted with Master key 04. */
+ {0x78, 0xD5, 0xF1, 0x20, 0x3D, 0x16, 0xE9, 0x30, 0x32, 0x27, 0x34, 0x6F, 0xCF, 0xE0, 0x27, 0xDC}, /* Master key 04 encrypted with Master key 05. */
};
/* Retail unit keys. */
@@ -33,6 +34,7 @@ static const uint8_t mkey_vectors[MASTERKEY_REVISION_MAX][0x10] =
{0xDE, 0xCF, 0xEB, 0xEB, 0x10, 0xAE, 0x74, 0xD8, 0xAD, 0x7C, 0xF4, 0x9E, 0x62, 0xE0, 0xE8, 0x72}, /* Master key 01 encrypted with Master key 02. */
{0x0A, 0x0D, 0xDF, 0x34, 0x22, 0x06, 0x6C, 0xA4, 0xE6, 0xB1, 0xEC, 0x71, 0x85, 0xCA, 0x4E, 0x07}, /* Master key 02 encrypted with Master key 03. */
{0x6E, 0x7D, 0x2D, 0xC3, 0x0F, 0x59, 0xC8, 0xFA, 0x87, 0xA8, 0x2E, 0xD5, 0x89, 0x5E, 0xF3, 0xE9}, /* Master key 03 encrypted with Master key 04. */
+ {0xEB, 0xF5, 0x6F, 0x83, 0x61, 0x9E, 0xF8, 0xFA, 0xE0, 0x87, 0xD7, 0xA1, 0x4E, 0x25, 0x36, 0xEE}, /* Master key 04 encrypted with Master key 05. */
};
bool check_mkey_revision(unsigned int revision, bool is_retail) {
@@ -105,7 +107,7 @@ unsigned int mkey_get_keyslot(unsigned int revision) {
void set_old_devkey(unsigned int revision, const uint8_t *key) {
- if (revision < MASTERKEY_REVISION_400_410 || MASTERKEY_REVISION_500_CURRENT <= revision) {
+ if (revision < MASTERKEY_REVISION_400_410 || MASTERKEY_REVISION_600_CURRENT <= revision) {
generic_panic();
}
@@ -122,7 +124,7 @@ unsigned int devkey_get_keyslot(unsigned int revision) {
}
if (revision >= 1) {
- if (revision == MASTERKEY_REVISION_500_CURRENT) {
+ if (revision == MASTERKEY_REVISION_600_CURRENT) {
return KEYSLOT_SWITCH_DEVICEKEY;
} else {
/* Load into a temp keyslot. */
diff --git a/exosphere/src/masterkey.h b/exosphere/src/masterkey.h
index 5a6a523..9a43454 100644
--- a/exosphere/src/masterkey.h
+++ b/exosphere/src/masterkey.h
@@ -3,14 +3,15 @@
/* This is glue code to enable master key support across versions. */
-/* TODO: Update to 0x6 on release of new master key. */
-#define MASTERKEY_REVISION_MAX 0x5
+/* TODO: Update to 0x7 on release of new master key. */
+#define MASTERKEY_REVISION_MAX 0x6
#define MASTERKEY_REVISION_100_230 0x00
#define MASTERKEY_REVISION_300 0x01
#define MASTERKEY_REVISION_301_302 0x02
#define MASTERKEY_REVISION_400_410 0x03
-#define MASTERKEY_REVISION_500_CURRENT 0x04
+#define MASTERKEY_REVISION_500_510 0x04
+#define MASTERKEY_REVISION_600_CURRENT 0x05
#define MASTERKEY_NUM_NEW_DEVICE_KEYS (MASTERKEY_REVISION_MAX - MASTERKEY_REVISION_400_410)
diff --git a/exosphere/src/mc.c b/exosphere/src/mc.c
index 4a4aed9..080e6d7 100644
--- a/exosphere/src/mc.c
+++ b/exosphere/src/mc.c
@@ -22,40 +22,48 @@ volatile security_carveout_t *get_carveout_by_id(unsigned int carveout) {
return NULL;
}
-void configure_default_carveouts(void) {
- /* Configure Carveout 1 (UNUSED) */
- volatile security_carveout_t *carveout = get_carveout_by_id(1);
- carveout->paddr_low = 0;
+void configure_gpu_ucode_carveout(void) {
+ /* Starting in 6.0.0, Carveout 2 is configured later on. */
+ /* This is a helper function to make this easier... */
+ volatile security_carveout_t *carveout = get_carveout_by_id(2);
+ carveout->paddr_low = 0x80020000;
carveout->paddr_high = 0;
- carveout->size_big_pages = 0;
+ carveout->size_big_pages = 2; /* 0x40000 */
carveout->flags_0 = 0;
carveout->flags_1 = 0;
- carveout->flags_2 = 0;
+ carveout->flags_2 = 0x3000000;
carveout->flags_3 = 0;
- carveout->flags_4 = 0;
+ carveout->flags_4 = 0x300;
carveout->flags_5 = 0;
carveout->flags_6 = 0;
carveout->flags_7 = 0;
carveout->flags_8 = 0;
carveout->flags_9 = 0;
- carveout->allowed_clients = 0x04000006;
+ carveout->allowed_clients = 0x440167E;
+}
- /* Configure Carveout 2 (GPU UCODE) */
- carveout = get_carveout_by_id(2);
- carveout->paddr_low = 0x80020000;
+void configure_default_carveouts(void) {
+ /* Configure Carveout 1 (UNUSED) */
+ volatile security_carveout_t *carveout = get_carveout_by_id(1);
+ carveout->paddr_low = 0;
carveout->paddr_high = 0;
- carveout->size_big_pages = 2; /* 0x40000 */
+ carveout->size_big_pages = 0;
carveout->flags_0 = 0;
carveout->flags_1 = 0;
- carveout->flags_2 = 0x3000000;
+ carveout->flags_2 = 0;
carveout->flags_3 = 0;
- carveout->flags_4 = 0x300;
+ carveout->flags_4 = 0;
carveout->flags_5 = 0;
carveout->flags_6 = 0;
carveout->flags_7 = 0;
carveout->flags_8 = 0;
carveout->flags_9 = 0;
- carveout->allowed_clients = 0x440167E;
+ carveout->allowed_clients = 0x04000006;
+
+ /* Configure Carveout 2 (GPU UCODE) */
+ if (exosphere_get_target_firmware() < EXOSPHERE_TARGET_FIRMWARE_600) {
+ configure_gpu_ucode_carveout();
+ }
/* Configure Carveout 3 (UNUSED GPU) */
carveout = get_carveout_by_id(3);
diff --git a/exosphere/src/mc.h b/exosphere/src/mc.h
index de51417..3e735e3 100644
--- a/exosphere/src/mc.h
+++ b/exosphere/src/mc.h
@@ -50,6 +50,7 @@ typedef struct {
volatile security_carveout_t *get_carveout_by_id(unsigned int carveout);
void configure_default_carveouts(void);
+void configure_gpu_ucode_carveout(void);
void configure_kernel_carveout(unsigned int carveout_id, uint64_t address, uint64_t size);
diff --git a/exosphere/src/package2.c b/exosphere/src/package2.c
index 26db125..78d953c 100644
--- a/exosphere/src/package2.c
+++ b/exosphere/src/package2.c
@@ -22,20 +22,31 @@
extern void *__start_cold_addr;
extern size_t __bin_size;
+
+static const uint8_t new_device_key_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
+ {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.x New Device Key Source. */
+ {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.x New Device Key Source. */
+ {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4} /* 6.x New Device Key Source. */
+};
+
+static const uint8_t new_device_keygen_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
+ {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.x New Device Keygen Source. */
+ {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.x New Device Keygen Source. */
+ {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF} /* 6.x New Device Keygen Source. */
+};
+
+static const uint8_t new_device_keygen_sources_dev[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
+ {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.x New Device Keygen Source. */
+ {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.x New Device Keygen Source. */
+ {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5} /* 6.x New Device Keygen Source. */
+};
+
static void derive_new_device_keys(unsigned int keygen_keyslot) {
uint8_t work_buffer[0x10];
- static const uint8_t new_device_key_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
- {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.x New Device Key Source. */
- {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C} /* 5.x New Device Key Source. */
- };
-
- static const uint8_t new_device_keygen_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
- {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.x New Device Keygen Source. */
- {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E} /* 5.x New Device Keygen Source. */
- };
+ bool is_retail = configitem_is_retail();
for (unsigned int revision = 0; revision < MASTERKEY_NUM_NEW_DEVICE_KEYS; revision++) {
se_aes_ecb_decrypt_block(keygen_keyslot, work_buffer, 0x10, new_device_key_sources[revision], 0x10);
- decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, mkey_get_keyslot(0), new_device_keygen_sources[revision], 0x10);
+ decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, mkey_get_keyslot(0), is_retail ? new_device_keygen_sources[revision] : new_device_keygen_sources_dev[revision], 0x10);
if (revision < MASTERKEY_NUM_NEW_DEVICE_KEYS - 1) {
se_aes_ecb_decrypt_block(KEYSLOT_SWITCH_TEMPKEY, work_buffer, 0x10, work_buffer, 0x10);
set_old_devkey(revision + MASTERKEY_REVISION_400_410, work_buffer);
@@ -94,6 +105,7 @@ static void setup_se(void) {
derive_new_device_keys(KEYSLOT_SWITCH_4XNEWDEVICEKEYGENKEY);
break;
case EXOSPHERE_TARGET_FIRMWARE_500:
+ case EXOSPHERE_TARGET_FIRMWARE_600:
derive_new_device_keys(KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY);
break;
}
@@ -120,14 +132,18 @@ static void setup_boot_config(void) {
if (configitem_is_retail()) {
bootconfig_clear();
} else {
- flush_dcache_range((uint8_t *)NX_BOOTLOADER_BOOTCONFIG_POINTER, (uint8_t *)NX_BOOTLOADER_BOOTCONFIG_POINTER + sizeof(bootconfig_t));
- bootconfig_load_and_verify((bootconfig_t *)NX_BOOTLOADER_BOOTCONFIG_POINTER);
+ void *bootconfig_ptr = NX_BOOTLOADER_BOOTCONFIG_POINTER;
+ if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
+ bootconfig_ptr = NX_BOOTLOADER_BOOTCONFIG_POINTER_6X;
+ }
+ flush_dcache_range((uint8_t *)bootconfig_ptr, (uint8_t *)bootconfig_ptr + sizeof(bootconfig_t));
+ bootconfig_load_and_verify((bootconfig_t *)bootconfig_ptr);
}
}
static void package2_crypt_ctr(unsigned int master_key_rev, void *dst, size_t dst_size, const void *src, size_t src_size, const void *ctr, size_t ctr_size) {
/* Derive package2 key. */
- const uint8_t package2_key_source[0x10] = {0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
+ static const uint8_t package2_key_source[0x10] = {0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
flush_dcache_range((uint8_t *)dst, (uint8_t *)dst + dst_size);
flush_dcache_range((uint8_t *)src, (uint8_t *)src + src_size);
unsigned int keyslot = mkey_get_keyslot(master_key_rev);
@@ -383,7 +399,22 @@ static void load_package2_sections(package2_meta_t *metadata, uint32_t master_ke
}
static void copy_warmboot_bin_to_dram() {
- uint8_t *warmboot_src = (uint8_t *)0x4003B000;
+ uint8_t *warmboot_src;
+ switch (exosphere_get_target_firmware()) {
+ case EXOSPHERE_TARGET_FIRMWARE_100:
+ case EXOSPHERE_TARGET_FIRMWARE_200:
+ case EXOSPHERE_TARGET_FIRMWARE_300:
+ default:
+ generic_panic();
+ break;
+ case EXOSPHERE_TARGET_FIRMWARE_400:
+ case EXOSPHERE_TARGET_FIRMWARE_500:
+ warmboot_src = (uint8_t *)0x4003B000;
+ break;
+ case EXOSPHERE_TARGET_FIRMWARE_600:
+ warmboot_src = (uint8_t *)0x4003D800;
+ break;
+ }
uint8_t *warmboot_dst = (uint8_t *)0x8000D000;
const size_t warmboot_size = 0x2000;
@@ -432,8 +463,18 @@ void load_package2(coldboot_crt0_reloc_list_t *reloc_list) {
MAKE_REG32(PMC_BASE + 0x054) = 0x8000D000;
MAKE_REG32(PMC_BASE + 0x0A0) &= 0xFFF3FFFF;
MAKE_REG32(PMC_BASE + 0x818) &= 0xFFFFFFFE;
- MAKE_REG32(PMC_BASE + 0x334) |= 0x10;
- MAKE_REG32(PMC_BASE + 0x360) = 6;
+ MAKE_REG32(PMC_BASE + 0x334) |= 0x10;
+ switch (exosphere_get_target_firmware()) {
+ case EXOSPHERE_TARGET_FIRMWARE_400:
+ MAKE_REG32(PMC_BASE + 0x360) = 5;
+ break;
+ case EXOSPHERE_TARGET_FIRMWARE_500:
+ MAKE_REG32(PMC_BASE + 0x360) = 6;
+ break;
+ case EXOSPHERE_TARGET_FIRMWARE_600:
+ MAKE_REG32(PMC_BASE + 0x360) = 0x87;
+ break;
+ }
}
wait(1000);
@@ -449,7 +490,7 @@ void load_package2(coldboot_crt0_reloc_list_t *reloc_list) {
randomcache_init();
/* memclear the initial copy of Exosphere running in IRAM (relocated to TZRAM by earlier code). */
- memset((void *)reloc_list->reloc_base, 0, reloc_list->loaded_bin_size);
+ //memset((void *)reloc_list->reloc_base, 0, reloc_list->loaded_bin_size);
/* Let NX Bootloader know that we're running. */
MAILBOX_NX_BOOTLOADER_IS_SECMON_AWAKE = 1;
@@ -474,6 +515,9 @@ void load_package2(coldboot_crt0_reloc_list_t *reloc_list) {
if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
sync_with_nx_bootloader(NX_BOOTLOADER_STATE_DRAM_INITIALIZED_4X);
copy_warmboot_bin_to_dram();
+ if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
+ setup_dram_magic_numbers();
+ }
sync_with_nx_bootloader(NX_BOOTLOADER_STATE_LOADED_PACKAGE2_4X);
} else {
sync_with_nx_bootloader(NX_BOOTLOADER_STATE_LOADED_PACKAGE2);
diff --git a/exosphere/src/package2.h b/exosphere/src/package2.h
index 156ab52..94ddd46 100644
--- a/exosphere/src/package2.h
+++ b/exosphere/src/package2.h
@@ -34,6 +34,7 @@ static inline uintptr_t get_nx_bootloader_mailbox_base(void) {
#define MAILBOX_NX_BOOTLOADER_BOOT_REASON (MAILBOX_NX_BOOTLOADER_BASE + 0xE10ULL)
#define NX_BOOTLOADER_BOOTCONFIG_POINTER ((void *)(0x4003D000ull))
+#define NX_BOOTLOADER_BOOTCONFIG_POINTER_6X ((void *)(0x4003F800ull))
#define NX_BOOTLOADER_PACKAGE2_LOAD_ADDRESS ((void *)(0xA9800000ull))
diff --git a/exosphere/src/smc_api.c b/exosphere/src/smc_api.c
index a0f9607..6d33fd0 100644
--- a/exosphere/src/smc_api.c
+++ b/exosphere/src/smc_api.c
@@ -142,6 +142,7 @@ void set_version_specific_smcs(void) {
/* Do nothing. */
break;
case EXOSPHERE_TARGET_FIRMWARE_500:
+ case EXOSPHERE_TARGET_FIRMWARE_600:
/* No more LoadSecureExpModKey. */
g_smc_user_table[0xE].handler = NULL;
g_smc_user_table[0xC].id = 0xC300D60C;
diff --git a/exosphere/src/smc_user.c b/exosphere/src/smc_user.c
index 4f88365..ee440bb 100644
--- a/exosphere/src/smc_user.c
+++ b/exosphere/src/smc_user.c
@@ -24,6 +24,20 @@ static uint8_t g_imported_exponents[4][0x100];
static uint8_t g_rsausecase_to_cryptousecase[5] = {1, 2, 3, 5, 6};
+static bool is_user_keyslot_valid(unsigned int keyslot) {
+ switch (exosphere_get_target_firmware()) {
+ case EXOSPHERE_TARGET_FIRMWARE_100:
+ case EXOSPHERE_TARGET_FIRMWARE_200:
+ case EXOSPHERE_TARGET_FIRMWARE_300:
+ case EXOSPHERE_TARGET_FIRMWARE_400:
+ case EXOSPHERE_TARGET_FIRMWARE_500:
+ return keyslot <= 3;
+ case EXOSPHERE_TARGET_FIRMWARE_600:
+ default:
+ return keyslot <= 5;
+ }
+}
+
void set_exp_mod_done(bool done) {
g_exp_mod_done = done;
}
@@ -136,7 +150,7 @@ uint32_t user_generate_aes_kek(smc_args_t *args) {
/* 5.0.0+ Bounds checking. */
if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_500) {
if (is_personalized) {
- if (master_key_rev > MASTERKEY_REVISION_500_CURRENT || ((1 << (master_key_rev + 1)) & 0x33) == 0) {
+ if (master_key_rev > MASTERKEY_REVISION_600_CURRENT || ((1 << (master_key_rev + 1)) & 0x73) == 0) {
return 2;
}
if (mask_id > 3 || usecase >= CRYPTOUSECASE_MAX_5X) {
@@ -222,7 +236,7 @@ uint32_t user_load_aes_key(smc_args_t *args) {
uint64_t wrapped_key[2];
uint32_t keyslot = (uint32_t)args->X[1];
- if (keyslot > 3) {
+ if (!is_user_keyslot_valid(keyslot)) {
return 2;
}
@@ -262,6 +276,10 @@ uint32_t crypt_aes_done_handler(void) {
uint32_t user_crypt_aes(smc_args_t *args) {
uint32_t keyslot = args->X[1] & 3;
uint32_t mode = (args->X[1] >> 4) & 3;
+
+ if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
+ keyslot = args->X[1] & 7;
+ }
uint64_t iv_ctr[2];
iv_ctr[0] = args->X[2];
@@ -271,7 +289,7 @@ uint32_t user_crypt_aes(smc_args_t *args) {
uint32_t out_ll_paddr = (uint32_t)(args->X[5]);
size_t size = args->X[6];
- if (size & 0xF) {
+ if (!is_user_keyslot_valid(keyslot) || size & 0xF) {
return 2;
}
@@ -390,7 +408,7 @@ uint32_t user_compute_cmac(smc_args_t *args) {
upage_ref_t page_ref;
/* Validate keyslot and size. */
- if (keyslot > 3 || args->X[3] > 0x400) {
+ if (!is_user_keyslot_valid(keyslot) || args->X[3] > 0x400) {
return 2;
}
@@ -626,7 +644,16 @@ uint32_t user_unwrap_rsa_oaep_wrapped_titlekey(smc_args_t *args) {
void *user_wrapped_key = (void *)args->X[1];
void *user_modulus = (void *)args->X[2];
- unsigned int master_key_rev = (unsigned int)args->X[7];
+ unsigned int option = (unsigned int)args->X[7];
+ unsigned int master_key_rev;
+ unsigned int titlekey_type;
+ if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
+ master_key_rev = option & 0x3F;
+ titlekey_type = (option >> 6) & 1;
+ } else {
+ master_key_rev = option;
+ titlekey_type = 0;
+ }
if(master_key_rev > 0) {
master_key_rev -= 1;
@@ -657,6 +684,7 @@ uint32_t user_unwrap_rsa_oaep_wrapped_titlekey(smc_args_t *args) {
tkey_set_expected_label_hash(&args->X[3]);
tkey_set_master_key_rev(master_key_rev);
+ tkey_set_type(titlekey_type);
/* Hardcode RSA keyslot 0. */
set_rsa_keyslot(0, modulus, 0x100, g_imported_exponents[0], 0x100);
@@ -670,7 +698,7 @@ uint32_t user_load_titlekey(smc_args_t *args) {
uint64_t sealed_titlekey[2];
uint32_t keyslot = (uint32_t)args->X[1];
- if (keyslot > 3) {
+ if (!is_user_keyslot_valid(keyslot)) {
return 2;
}
@@ -705,6 +733,7 @@ uint32_t user_unwrap_aes_wrapped_titlekey(smc_args_t *args) {
}
tkey_set_master_key_rev(master_key_rev);
+ tkey_set_type(0);
tkey_aes_unwrap(titlekey, 0x10, aes_wrapped_titlekey, 0x10);
seal_titlekey(sealed_titlekey, 0x10, titlekey, 0x10);
diff --git a/exosphere/src/titlekey.c b/exosphere/src/titlekey.c
index 4c46ed2..7e2d4ea 100644
--- a/exosphere/src/titlekey.c
+++ b/exosphere/src/titlekey.c
@@ -3,6 +3,7 @@
#include "utils.h"
#include "arm.h"
+#include "exocfg.h"
#include "titlekey.h"
#include "masterkey.h"
@@ -10,6 +11,7 @@
static uint64_t g_tkey_expected_label_hash[4];
static unsigned int g_tkey_master_key_rev = MASTERKEY_REVISION_MAX;
+static unsigned int g_tkey_type = 0;
/* Set the expected db prefix. */
void tkey_set_expected_label_hash(uint64_t *label_hash) {
@@ -25,6 +27,17 @@ void tkey_set_master_key_rev(unsigned int master_key_rev) {
g_tkey_master_key_rev = master_key_rev;
}
+static void tkey_validate_type(unsigned int type) {
+ if (type > TITLEKEY_TYPE_MAX || (type > 0 && exosphere_get_target_firmware() < EXOSPHERE_TARGET_FIRMWARE_600)) {
+ generic_panic();
+ }
+}
+
+void tkey_set_type(unsigned int type) {
+ tkey_validate_type(type);
+ g_tkey_type = type;
+}
+
/* Reference for MGF1 can be found here: https://en.wikipedia.org/wiki/Mask_generation_function#MGF1 */
void calculate_mgf1_and_xor(void *masked, size_t masked_size, const void *seed, size_t seed_size) {
uint8_t cur_hash[0x20];
@@ -136,18 +149,19 @@ size_t tkey_rsa_oaep_unwrap(void *dst, size_t dst_size, void *src, size_t src_si
return wrapped_titlekey_size;
}
+static const uint8_t titlekek_sources[TITLEKEY_TYPE_MAX+1][0x10] = {
+ {0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B},
+ {0x3B, 0x78, 0xF2, 0x61, 0x0F, 0x9D, 0x5A, 0xE2, 0x7B, 0x4E, 0x45, 0xAF, 0xCB, 0x0B, 0x67, 0x4D}
+};
+
void tkey_aes_unwrap(void *dst, size_t dst_size, const void *src, size_t src_size) {
if (g_tkey_master_key_rev >= MASTERKEY_REVISION_MAX || dst_size != 0x10 || src_size != 0x10) {
generic_panic();
}
-
- const uint8_t titlekek_source[0x10] = {
- 0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B
- };
-
+
/* Generate the appropriate titlekek into keyslot 9. */
unsigned int master_keyslot = mkey_get_keyslot(g_tkey_master_key_rev);
- decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, master_keyslot, titlekek_source, 0x10);
+ decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, master_keyslot, titlekek_sources[g_tkey_type], 0x10);
/* Unwrap the titlekey using the titlekek. */
se_aes_ecb_decrypt_block(KEYSLOT_SWITCH_TEMPKEY, dst, 0x10, src, 0x10);
diff --git a/exosphere/src/titlekey.h b/exosphere/src/titlekey.h
index a74949b..6d19a2d 100644
--- a/exosphere/src/titlekey.h
+++ b/exosphere/src/titlekey.h
@@ -3,8 +3,11 @@
#include <stdint.h>
+#define TITLEKEY_TYPE_MAX 0x1
+
void tkey_set_expected_label_hash(uint64_t *label_hash);
void tkey_set_master_key_rev(unsigned int master_key_rev);
+void tkey_set_type(unsigned int type);
size_t tkey_rsa_oaep_unwrap(void *dst, size_t dst_size, void *src, size_t src_size);
diff --git a/exosphere/src/utils.c b/exosphere/src/utils.c
index 2f60fbf..09d3938 100644
--- a/exosphere/src/utils.c
+++ b/exosphere/src/utils.c
@@ -14,14 +14,15 @@ __attribute__ ((noreturn)) void panic(uint32_t code) {
APBDEV_PMC_SCRATCH200_0 = code;
}
- /* Uncomment for Debugging.
+ /* // Uncomment for Debugging.
uint64_t temp_reg;
MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_DEBUG_IRAM)) = APBDEV_PMC_SCRATCH200_0;
SAVE_SYSREG64(ESR_EL3, 0x10);
SAVE_SYSREG64(ELR_EL3, 0x18);
SAVE_SYSREG64(FAR_EL3, 0x20);
MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_RTC_PMC) + 0x450ull) = 0x2;
- MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_RTC_PMC) + 0x400ull) = 0x10; */
+ MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_RTC_PMC) + 0x400ull) = 0x10;
+ */
/* TODO: Custom Panic Driver, which displays to screen without rebooting. */
/* For now, just use NX BOOTLOADER's panic. */
@@ -32,7 +33,7 @@ __attribute__ ((noreturn)) void panic(uint32_t code) {
}
__attribute__ ((noreturn)) void generic_panic(void) {
- /* Uncomment for Debugging.
+ /* //Uncomment for Debugging.
uint64_t temp_reg;
do { __asm__ __volatile__ ("mov %0, LR" : "=r"(temp_reg) :: "memory"); } while (false);
MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_DEBUG_IRAM) + 0x28) = (uint32_t)((temp_reg >> 0) & 0xFFFFFFFFULL);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.