mirror of
https://github.com/shchmue/Lockpick_RCM.git
synced 2024-12-22 20:25:28 +00:00
Add support for 9.0.0, new Sept, and master_key_09
This commit is contained in:
parent
ffc4c4281f
commit
34890f0025
|
@ -35,6 +35,7 @@ static const pkg1_id_t _pkg1_ids[] = {
|
|||
{ "20190208150037", 7 }, //7.0.1
|
||||
{ "20190314172056", 7 }, //8.0.0
|
||||
{ "20190531152432", 8 }, //8.1.0
|
||||
{ "20190809135709", 9 }, //9.0.0
|
||||
{ NULL } //End.
|
||||
};
|
||||
|
||||
|
|
|
@ -39,14 +39,25 @@ static u32 _pkg2_calc_kip1_size(pkg2_kip1_t *kip1)
|
|||
return size;
|
||||
}
|
||||
|
||||
void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2)
|
||||
void pkg2_get_newkern_info(u8 *kern_data)
|
||||
{
|
||||
u32 info_op = *(u32 *)(kern_data + PKG2_NEWKERN_GET_INI1);
|
||||
pkg2_newkern_ini1_val = ((info_op & 0xFFFF) >> 3) + PKG2_NEWKERN_GET_INI1; // Parse ADR and PC.
|
||||
|
||||
pkg2_newkern_ini1_start = *(u32 *)(kern_data + pkg2_newkern_ini1_val);
|
||||
pkg2_newkern_ini1_end = *(u32 *)(kern_data + pkg2_newkern_ini1_val + 0x8);
|
||||
}
|
||||
|
||||
void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2, bool *new_pkg2)
|
||||
{
|
||||
u8 *ptr;
|
||||
// Check for new pkg2 type.
|
||||
if (!pkg2->sec_size[PKG2_SEC_INI1])
|
||||
{
|
||||
u32 kernel_ini1_off = *(u32 *)(pkg2->data + PKG2_NEWKERN_INI1_START);
|
||||
ptr = pkg2->data + kernel_ini1_off;
|
||||
pkg2_get_newkern_info(pkg2->data);
|
||||
|
||||
ptr = pkg2->data + pkg2_newkern_ini1_start;
|
||||
*new_pkg2 = true;
|
||||
}
|
||||
else
|
||||
ptr = pkg2->data + pkg2->sec_size[PKG2_SEC_KERNEL];
|
||||
|
|
|
@ -26,7 +26,11 @@
|
|||
#define PKG2_SEC_KERNEL 0
|
||||
#define PKG2_SEC_INI1 1
|
||||
|
||||
#define PKG2_NEWKERN_INI1_START 0x168
|
||||
#define PKG2_NEWKERN_GET_INI1 0x44
|
||||
|
||||
u32 pkg2_newkern_ini1_val;
|
||||
u32 pkg2_newkern_ini1_start;
|
||||
u32 pkg2_newkern_ini1_end;
|
||||
|
||||
typedef struct _pkg2_hdr_t
|
||||
{
|
||||
|
@ -83,7 +87,7 @@ typedef struct _pkg2_kip1_info_t
|
|||
link_t link;
|
||||
} pkg2_kip1_info_t;
|
||||
|
||||
void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2);
|
||||
void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2, bool *new_pkg2);
|
||||
int pkg2_decompress_kip(pkg2_kip1_info_t* ki, u32 sectsToDecomp);
|
||||
pkg2_hdr_t *pkg2_decrypt(void *data);
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
#include "../gfx/di.h"
|
||||
#include "../libs/fatfs/ff.h"
|
||||
#include "../mem/heap.h"
|
||||
#include "../soc/hw_init.h"
|
||||
#include "../soc/pmc.h"
|
||||
#include "../soc/t210.h"
|
||||
#include "../storage/nx_emmc.h"
|
||||
|
@ -80,10 +81,17 @@ int reboot_to_sept(const u8 *tsec_fw, const u32 tsec_size, const u32 kb)
|
|||
f_close(&fp);
|
||||
|
||||
// Copy sept-secondary.
|
||||
if ((kb == 7) && f_open(&fp, "sd:/sept/sept-secondary.enc", FA_READ) && f_open(&fp, "sd:/sept/sept-secondary_00.enc", FA_READ))
|
||||
if (kb < KB_FIRMWARE_VERSION_810)
|
||||
{
|
||||
if (f_open(&fp, "sd:/sept/sept-secondary_00.enc", FA_READ))
|
||||
if (f_open(&fp, "sd:/sept/sept-secondary.enc", FA_READ)) // Try the deprecated version.
|
||||
goto error;
|
||||
else if ((kb == 8) && f_open(&fp, "sd:/sept/sept-secondary_01.enc", FA_READ))
|
||||
}
|
||||
else
|
||||
{
|
||||
if (f_open(&fp, "sd:/sept/sept-secondary_01.enc", FA_READ))
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
|
||||
{
|
||||
|
@ -123,12 +131,12 @@ int reboot_to_sept(const u8 *tsec_fw, const u32 tsec_size, const u32 kb)
|
|||
PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
|
||||
PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
|
||||
|
||||
display_end();
|
||||
reconfig_hw_workaround(false, 0);
|
||||
|
||||
(*sept)();
|
||||
|
||||
error:
|
||||
EPRINTF("Sept files not found in sd:/sept!\nPlace appropriate files and try again.");
|
||||
EPRINTF("\nSept files not found in sd:/sept!\nPlace appropriate files and try again.");
|
||||
display_backlight_brightness(100, 1000);
|
||||
|
||||
btn_wait();
|
||||
|
|
|
@ -29,6 +29,7 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
|
|||
{0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
|
||||
{0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
|
||||
{0xDE, 0xDC, 0xE3, 0x39, 0x30, 0x88, 0x16, 0xF8, 0xAE, 0x97, 0xAD, 0xEC, 0x64, 0x2D, 0x41, 0x41}, //8.1.0
|
||||
{0x1A, 0xEC, 0x11, 0x82, 0x2B, 0x32, 0x38, 0x7A, 0x2B, 0xED, 0xBA, 0x01, 0x47, 0x7E, 0x3B, 0x67}, //9.0.0
|
||||
};
|
||||
|
||||
static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX+1][0x10] =
|
||||
|
@ -42,6 +43,7 @@ static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX+1][0x10] =
|
|||
{0x1E, 0x1E, 0x22, 0xC0, 0x5A, 0x33, 0x3C, 0xB9, 0x0B, 0xA9, 0x03, 0x04, 0xBA, 0xDB, 0x07, 0x57}, /* Master key 05 encrypted with Master key 06. */
|
||||
{0xA4, 0xD4, 0x52, 0x6F, 0xD1, 0xE4, 0x36, 0xAA, 0x9F, 0xCB, 0x61, 0x27, 0x1C, 0x67, 0x65, 0x1F}, /* Master key 06 encrypted with Master key 07. */
|
||||
{0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29}, /* Master key 07 encrypted with Master key 08. */
|
||||
{0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80}, /* Master key 08 encrypted with Master key 09. */
|
||||
};
|
||||
|
||||
//======================================Keys======================================//
|
||||
|
|
|
@ -100,7 +100,7 @@ void dump_keys() {
|
|||
gfx_clear_grey(0x1B);
|
||||
gfx_con_setpos(0, 0);
|
||||
|
||||
gfx_printf("[%kLo%kck%kpi%kck%k-R%kCM%k v%d.%d.%d%k]\n\n",
|
||||
gfx_printf("[%kLo%kck%kpi%kck%k_R%kCM%k v%d.%d.%d%k]\n\n",
|
||||
colors[0], colors[1], colors[2], colors[3], colors[4], colors[5], 0xFFFF00FF, LP_VER_MJ, LP_VER_MN, LP_VER_BF, 0xFFCCCCCC);
|
||||
|
||||
u32 start_time = get_tmr_ms(),
|
||||
|
@ -140,8 +140,9 @@ void dump_keys() {
|
|||
tsec_ctxt.size = 0x100 + key_data->blob0_size + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size;
|
||||
|
||||
u32 MAX_KEY = 6;
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620) {
|
||||
MAX_KEY = pkg1_id->kb + 1;
|
||||
}
|
||||
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) {
|
||||
if (!f_stat("sd:/sept/payload.bak", NULL)) {
|
||||
|
@ -171,7 +172,7 @@ void dump_keys() {
|
|||
if (!reboot_to_sept((u8 *)tsec_ctxt.fw, tsec_ctxt.size, pkg1_id->kb))
|
||||
goto out_wait;
|
||||
} else {
|
||||
se_aes_key_read(12, master_key[pkg1_id->kb], 0x10);
|
||||
se_aes_key_read(12, master_key[KB_FIRMWARE_VERSION_MAX], 0x10);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -215,12 +216,37 @@ get_tsec: ;
|
|||
se_aes_crypt_block_ecb(8, 0, master_key[6], master_key_source);
|
||||
}
|
||||
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620 && _key_exists(master_key[pkg1_id->kb])) {
|
||||
// derive all lower master keys in the event keyblobs are bad
|
||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620) {
|
||||
// derive all lower master keys in case keyblobs are bad
|
||||
if (_key_exists(master_key[pkg1_id->kb])) {
|
||||
for (u32 i = pkg1_id->kb; i > 0; i--) {
|
||||
se_aes_key_set(8, master_key[i], 0x10);
|
||||
se_aes_crypt_block_ecb(8, 0, master_key[i-1], mkey_vectors[i]);
|
||||
}
|
||||
se_aes_key_set(8, master_key[0], 0x10);
|
||||
se_aes_crypt_block_ecb(8, 0, temp_key, mkey_vectors[0]);
|
||||
if (_key_exists(temp_key)) {
|
||||
EPRINTFARGS("Failed to derive master key. kb = %d", pkg1_id->kb);
|
||||
}
|
||||
} else if (_key_exists(master_key[KB_FIRMWARE_VERSION_MAX])) {
|
||||
// handle sept version differences
|
||||
for (u32 kb = KB_FIRMWARE_VERSION_MAX; kb >= KB_FIRMWARE_VERSION_620; kb--) {
|
||||
for (u32 i = kb; i > 0; i--) {
|
||||
se_aes_key_set(8, master_key[i], 0x10);
|
||||
se_aes_crypt_block_ecb(8, 0, master_key[i-1], mkey_vectors[i]);
|
||||
}
|
||||
se_aes_key_set(8, master_key[0], 0x10);
|
||||
se_aes_crypt_block_ecb(8, 0, temp_key, mkey_vectors[0]);
|
||||
if (!_key_exists(temp_key)) {
|
||||
break;
|
||||
}
|
||||
memcpy(master_key[kb-1], master_key[kb], 0x10);
|
||||
memcpy(master_key[kb], zeros, 0x10);
|
||||
}
|
||||
if (_key_exists(temp_key)) {
|
||||
EPRINTF("Failed to derive master key.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
u8 *keyblob_block = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
|
||||
|
@ -323,16 +349,22 @@ get_tsec: ;
|
|||
break;
|
||||
}
|
||||
if (pkg2_kb == MAX_KEY) {
|
||||
EPRINTF("Failed to decrypt Package2.");
|
||||
EPRINTF("Failed to derive Package2 key.");
|
||||
goto pkg2_done;
|
||||
} else if (pkg2_kb != pkg1_id->kb)
|
||||
EPRINTF("Warning: Package1-Package2 mismatch.");
|
||||
|
||||
pkg2_hdr = pkg2_decrypt(pkg2);
|
||||
if (!pkg2_hdr) {
|
||||
EPRINTF("Failed to decrypt Package2.");
|
||||
goto pkg2_done;
|
||||
}
|
||||
|
||||
TPRINTFARGS("%kDecrypt pkg2... ", colors[2]);
|
||||
|
||||
LIST_INIT(kip1_info);
|
||||
pkg2_parse_kips(&kip1_info, pkg2_hdr);
|
||||
bool new_pkg2;
|
||||
pkg2_parse_kips(&kip1_info, pkg2_hdr, &new_pkg2);
|
||||
LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki_tmp, &kip1_info, link) {
|
||||
if(ki_tmp->kip1->tid == 0x0100000000000000ULL) {
|
||||
ki = malloc(sizeof(pkg2_kip1_info_t));
|
||||
|
@ -405,6 +437,11 @@ get_tsec: ;
|
|||
hks_offset_from_end -= 0x6a73;
|
||||
alignment = 8;
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_900:
|
||||
start_offset = 0x2ec10;
|
||||
hks_offset_from_end -= 0x5573;
|
||||
alignment = 1; // RIP
|
||||
break;
|
||||
}
|
||||
|
||||
if (pkg1_id->kb <= KB_FIRMWARE_VERSION_500) {
|
||||
|
@ -455,6 +492,9 @@ pkg2_done:
|
|||
se_aes_crypt_block_ecb(8, 0, save_mac_key, fs_keys[6]);
|
||||
}
|
||||
|
||||
if (_key_exists(master_key[MAX_KEY])) {
|
||||
MAX_KEY = KB_FIRMWARE_VERSION_MAX + 1;
|
||||
}
|
||||
for (u32 i = 0; i < MAX_KEY; i++) {
|
||||
if (!_key_exists(master_key[i]))
|
||||
continue;
|
||||
|
@ -471,7 +511,10 @@ pkg2_done:
|
|||
|
||||
|
||||
if (!_key_exists(header_key) || !_key_exists(bis_key[2]))
|
||||
{
|
||||
EPRINTF("Missing FS keys. Skipping ES/SSL keys.");
|
||||
goto key_output;
|
||||
}
|
||||
|
||||
se_aes_key_set(4, header_key + 0x00, 0x10);
|
||||
se_aes_key_set(5, header_key + 0x10, 0x10);
|
||||
|
@ -494,7 +537,7 @@ pkg2_done:
|
|||
FIL fp;
|
||||
// sysmodule NCAs only ever have one section (exefs) so 0x600 is sufficient
|
||||
u8 *dec_header = (u8*)malloc(0x600);
|
||||
char path[100] = "emmc:/Contents/registered";
|
||||
char path[100] = "sd:/test/nca1111111111111";//"emmc:/Contents/registered";
|
||||
u32 titles_found = 0, title_limit = 2, read_bytes = 0;
|
||||
if (!memcmp(pkg1_id->id, "2016", 4))
|
||||
title_limit = 1;
|
||||
|
@ -553,6 +596,9 @@ pkg2_done:
|
|||
case KB_FIRMWARE_VERSION_810:
|
||||
start_offset = 0x5563;
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_900:
|
||||
start_offset = 0x6495;
|
||||
break;
|
||||
}
|
||||
hash_order[2] = 2;
|
||||
if (pkg1_id->kb < KB_FIRMWARE_VERSION_500) {
|
||||
|
@ -604,6 +650,9 @@ pkg2_done:
|
|||
case KB_FIRMWARE_VERSION_810:
|
||||
start_offset = 0x1d437;
|
||||
break;
|
||||
case KB_FIRMWARE_VERSION_900:
|
||||
start_offset = 0x1d807;
|
||||
break;
|
||||
}
|
||||
if (!memcmp(pkg1_id->id, "2016", 4))
|
||||
start_offset = 0x449dc;
|
||||
|
@ -651,7 +700,7 @@ pkg2_done:
|
|||
|
||||
// locate sd seed
|
||||
u8 read_buf[0x20] = {0};
|
||||
for (u32 i = 0; i < f_size(&fp); i += 0x4000) {
|
||||
for (u32 i = 0x8000; i < f_size(&fp); i += 0x4000) {
|
||||
if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
|
||||
break;
|
||||
if (!memcmp(temp_key, read_buf, 0x10)) {
|
||||
|
@ -716,6 +765,7 @@ key_output: ;
|
|||
SAVE_KEY("master_kek_source_06", master_kek_sources[0], 0x10);
|
||||
SAVE_KEY("master_kek_source_07", master_kek_sources[1], 0x10);
|
||||
SAVE_KEY("master_kek_source_08", master_kek_sources[2], 0x10);
|
||||
SAVE_KEY("master_kek_source_09", master_kek_sources[3], 0x10);
|
||||
SAVE_KEY_FAMILY("master_key", master_key, MAX_KEY, 0x10);
|
||||
SAVE_KEY("master_key_source", master_key_source, 0x10);
|
||||
SAVE_KEY_FAMILY("package1_key", package1_key, 6, 0x10);
|
||||
|
|
|
@ -35,7 +35,8 @@
|
|||
#define KB_FIRMWARE_VERSION_620 6
|
||||
#define KB_FIRMWARE_VERSION_700 7
|
||||
#define KB_FIRMWARE_VERSION_810 8
|
||||
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_810
|
||||
#define KB_FIRMWARE_VERSION_900 9
|
||||
#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_900
|
||||
|
||||
#define HOS_PKG11_MAGIC 0x31314B50
|
||||
|
||||
|
|
Loading…
Reference in a new issue