From ed2e0f462d90d83c3e5f61da20692d50be3aafaa Mon Sep 17 00:00:00 2001 From: jakcron Date: Sun, 18 Mar 2018 17:08:42 +0800 Subject: [PATCH] Update NCA code --- lib/libnx/include/nx/NcaHeader.h | 42 ++++----- lib/libnx/source/NcaHeader.cpp | 86 +++++++++++------- programs/ncatool/source/main.cpp | 147 +++++++++++++++++++++++++++---- 3 files changed, 201 insertions(+), 74 deletions(-) diff --git a/lib/libnx/include/nx/NcaHeader.h b/lib/libnx/include/nx/NcaHeader.h index 4c11b50..e3a9175 100644 --- a/lib/libnx/include/nx/NcaHeader.h +++ b/lib/libnx/include/nx/NcaHeader.h @@ -34,18 +34,11 @@ namespace nx TYPE_DATA, }; - enum EncryptionType + enum KeyBankIndex { - CRYPT_AUTO, - CRYPT_NONE, - CRYPT_AESCTR = 3 - }; - - enum EncryptionKeyIndex - { - KEY_UNUSED_0, - KEY_UNUSED_1, - KEY_DEFAULT, + KEY_AESXTS_0, + KEY_AESXTS_1, + KEY_AESCTR, KEY_UNUSED_3, }; @@ -53,14 +46,12 @@ namespace nx { u64 offset; u64 size; - EncryptionType enc_type; crypto::sha::sSha256Hash hash; const sSection& operator=(const sSection& other) { offset = other.offset; size = other.size; - enc_type = other.enc_type; hash = other.hash; return *this; @@ -70,7 +61,6 @@ namespace nx { return (offset == other.offset) \ && (size == other.size) \ - && (enc_type == other.enc_type) \ && (hash == other.hash); } @@ -100,14 +90,16 @@ namespace nx // variables void clear(); + FormatVersion getFormatVersion() const; + void setFormatVersion(FormatVersion ver); DistributionType getDistributionType() const; void setDistributionType(DistributionType type); ContentType getContentType() const; void setContentType(ContentType type); - EncryptionType getEncryptionType() const; - void setEncryptionType(EncryptionType type); - EncryptionKeyIndex getKeyIndex() const; - void setKeyIndex(EncryptionKeyIndex index); + byte_t getCryptoType() const; + void setCryptoType(byte_t type); + byte_t getKaekIndex() const; + void setKaekIndex(byte_t index); u64 getNcaSize() const; void setNcaSize(u64 size); u64 getProgramId() const; @@ -123,7 +115,8 @@ namespace nx private: const std::string kModuleName = "NCA_HEADER"; - const std::string kNcaSig = "NCA2"; + const std::string kNca2Sig = "NCA2"; + const std::string kNca3Sig = "NCA3"; static const size_t kSectionNum = 4; static const size_t kAesKeyNum = 4; static const u32 kDefaultSdkAddonVersion = 721920; @@ -142,13 +135,15 @@ namespace nx char signature[4]; byte_t distribution_type; byte_t content_type; - byte_t key_generation; + byte_t crypto_type; // KeyGeneration byte_t key_area_encryption_key_index; le_uint64_t nca_size; le_uint64_t program_id; le_uint32_t content_index; le_uint32_t sdk_addon_version; - byte_t reserved_2[0x20]; + byte_t crypto_type_2; + byte_t reserved_2[0xf]; + byte_t rights_id[0x10]; struct sNcaSection { le_uint32_t start; // block units @@ -166,10 +161,11 @@ namespace nx fnd::MemoryBlob mBinaryBlob; // data + FormatVersion mFormatVersion; DistributionType mDistributionType; ContentType mContentType; - EncryptionType mEncryptionType; - EncryptionKeyIndex mKeyIndex; + byte_t mCryptoType; + byte_t mKaekIndex; u64 mNcaSize; u64 mProgramId; u32 mContentIndex; diff --git a/lib/libnx/source/NcaHeader.cpp b/lib/libnx/source/NcaHeader.cpp index 9b2d19a..f60ab89 100644 --- a/lib/libnx/source/NcaHeader.cpp +++ b/lib/libnx/source/NcaHeader.cpp @@ -8,15 +8,27 @@ void NcaHeader::exportBinary() mBinaryBlob.alloc(sizeof(sNcaHeader)); sNcaHeader* hdr = (sNcaHeader*)mBinaryBlob.getBytes(); - strncpy(hdr->signature, kNcaSig.c_str(), 4); + + switch(mFormatVersion) + { + case (NCA2_FORMAT): + strncpy(hdr->signature, kNca2Sig.c_str(), 4); + break; + case (NCA3_FORMAT): + strncpy(hdr->signature, kNca3Sig.c_str(), 4); + break; + default: + throw fnd::Exception(kModuleName, "Unsupported format version"); + } hdr->distribution_type = mDistributionType; hdr->content_type = mContentType; - hdr->key_generation = mEncryptionType; - hdr->key_area_encryption_key_index = mKeyIndex; + hdr->crypto_type = mCryptoType; + hdr->key_area_encryption_key_index = mKaekIndex; hdr->nca_size = mNcaSize; hdr->program_id = mProgramId; hdr->content_index = mContentIndex; hdr->sdk_addon_version = mSdkAddonVersion; + hdr->crypto_type_2 = 0; // TODO: properly reconstruct NCA layout? atm in hands of user @@ -51,15 +63,23 @@ void NcaHeader::importBinary(const u8 * bytes, size_t len) sNcaHeader* hdr = (sNcaHeader*)mBinaryBlob.getBytes(); - if (memcmp(hdr->signature, kNcaSig.c_str(), 4) != 0) + if (memcmp(hdr->signature, kNca2Sig.c_str(), 4) == 0) + { + mFormatVersion = NCA2_FORMAT; + } + else if (memcmp(hdr->signature, kNca3Sig.c_str(), 4) == 0) + { + mFormatVersion = NCA3_FORMAT; + } + else { throw fnd::Exception(kModuleName, "NCA header corrupt"); } mDistributionType = (DistributionType)hdr->distribution_type; mContentType = (ContentType)hdr->content_type; - mEncryptionType = (EncryptionType)hdr->key_generation; - mKeyIndex = (EncryptionKeyIndex)hdr->key_area_encryption_key_index; + mCryptoType = MAX(hdr->crypto_type, hdr->crypto_type_2); + mKaekIndex = hdr->key_area_encryption_key_index; mNcaSize = *hdr->nca_size; mProgramId = *hdr->program_id; mContentIndex = *hdr->content_index; @@ -73,21 +93,8 @@ void NcaHeader::importBinary(const u8 * bytes, size_t len) // skip sections that don't exist if (*hdr->section[section].start == 0 && *hdr->section[section].end == 0) continue; - EncryptionType encType = mEncryptionType; - if (encType == CRYPT_AUTO) - { - if (mContentType == TYPE_PROGRAM && section == SECTION_LOGO) - { - encType = CRYPT_NONE; - } - else - { - encType = CRYPT_AESCTR; - } - } - // add high level struct - mSections.addElement({ blockNumToSize(*hdr->section[section].start), blockNumToSize(hdr->section[section].end.get() - hdr->section[section].start.get()), encType, hdr->section_hash[section] }); + mSections.addElement({ blockNumToSize(*hdr->section[section].start), blockNumToSize(hdr->section[section].end.get() - hdr->section[section].start.get()), hdr->section_hash[section] }); } for (size_t i = 0; i < kAesKeyNum; i++) @@ -98,10 +105,11 @@ void NcaHeader::importBinary(const u8 * bytes, size_t len) void nx::NcaHeader::clear() { + mFormatVersion = NCA3_FORMAT; mDistributionType = DIST_DOWNLOAD; mContentType = TYPE_PROGRAM; - mEncryptionType = CRYPT_AUTO; - mKeyIndex = KEY_DEFAULT; + mCryptoType = 0; + mKaekIndex = 0; mNcaSize = 0; mProgramId = 0; mContentIndex = 0; @@ -110,6 +118,16 @@ void nx::NcaHeader::clear() mEncAesKeys.clear(); } +nx::NcaHeader::FormatVersion nx::NcaHeader::getFormatVersion() const +{ + return mFormatVersion; +} + +void nx::NcaHeader::setFormatVersion(FormatVersion version) +{ + mFormatVersion = version; +} + nx::NcaHeader::DistributionType nx::NcaHeader::getDistributionType() const { return mDistributionType; @@ -130,24 +148,24 @@ void nx::NcaHeader::setContentType(ContentType type) mContentType = type; } -nx::NcaHeader::EncryptionType nx::NcaHeader::getEncryptionType() const +byte_t nx::NcaHeader::getCryptoType() const { - return mEncryptionType; + return mCryptoType; } -void nx::NcaHeader::setEncryptionType(EncryptionType type) +void nx::NcaHeader::setCryptoType(byte_t type) { - mEncryptionType = type; + mCryptoType = type; } -nx::NcaHeader::EncryptionKeyIndex nx::NcaHeader::getKeyIndex() const +byte_t nx::NcaHeader::getKaekIndex() const { - return mKeyIndex; + return mKaekIndex; } -void nx::NcaHeader::setKeyIndex(EncryptionKeyIndex index) +void nx::NcaHeader::setKaekIndex(byte_t index) { - mKeyIndex = index; + mKaekIndex = index; } u64 NcaHeader::getNcaSize() const @@ -233,8 +251,8 @@ bool NcaHeader::isEqual(const NcaHeader & other) const { return (mDistributionType == other.mDistributionType) \ && (mContentType == other.mContentType) \ - && (mEncryptionType == other.mEncryptionType) \ - && (mKeyIndex == other.mKeyIndex) \ + && (mCryptoType == other.mCryptoType) \ + && (mKaekIndex == other.mKaekIndex) \ && (mNcaSize == other.mNcaSize) \ && (mProgramId == other.mProgramId) \ && (mContentIndex == other.mContentIndex) \ @@ -254,8 +272,8 @@ void NcaHeader::copyFrom(const NcaHeader & other) mBinaryBlob.clear(); mDistributionType = other.mDistributionType; mContentType = other.mContentType; - mEncryptionType = other.mEncryptionType; - mKeyIndex = other.mKeyIndex; + mCryptoType = other.mCryptoType; + mKaekIndex = other.mKaekIndex; mNcaSize = other.mNcaSize; mProgramId = other.mProgramId; mContentIndex = other.mContentIndex; diff --git a/programs/ncatool/source/main.cpp b/programs/ncatool/source/main.cpp index f6bb365..c54d26e 100644 --- a/programs/ncatool/source/main.cpp +++ b/programs/ncatool/source/main.cpp @@ -13,6 +13,7 @@ const size_t kNcaSectorSize = nx::NcaHeader::kBlockSize; +inline size_t sectorToOffset(size_t sector_index) { return sector_index * kNcaSectorSize; } void initNcaCtr(u8 ctr[crypto::aes::kAesBlockSize], u32 generation) { @@ -39,6 +40,25 @@ void xorData(const u8* a, const u8* b, u8* out, size_t len) } } +void decryptNcaHeader(byte_t header[0xc00], const u8* key1, const u8* key2) +{ + byte_t tweak[crypto::aes::kAesBlockSize]; + + // decrypt main header + byte_t raw_hdr[kNcaSectorSize]; + nx::NcaHeader hdr; + crypto::aes::AesXtsMakeTweak(tweak, 1); + crypto::aes::AesXtsDecryptSector(header + sectorToOffset(1), kNcaSectorSize, key1, key2, tweak, raw_hdr); + hdr.importBinary(raw_hdr, kNcaSectorSize); + + // decrypt whole header + for (size_t i = 0; i < 6; i++) + { + crypto::aes::AesXtsMakeTweak(tweak, (i > 1 && hdr.getFormatVersion() == nx::NcaHeader::NCA2_FORMAT)? 0 : i); + crypto::aes::AesXtsDecryptSector(header + sectorToOffset(i), kNcaSectorSize, key1, key2, tweak, header + sectorToOffset(i)); + } +} + void decryptNcaSectorXts(const fnd::MemoryBlob& nca, u8 out[kNcaSectorSize], size_t sector, const u8* key1, const u8* key2) { u8 tweak[crypto::aes::kAesBlockSize]; @@ -97,6 +117,12 @@ void dumpHxdStyleSector(u8* out, size_t len) */ } +std::string kFormatVersionStr[] +{ + "NCA2", + "NCA3" +}; + std::string kDistributionTypeStr[] { "Download", @@ -116,10 +142,54 @@ std::string kEncryptionTypeStr[] { "Auto", "None", - "UNKNOWN_2", - "AesCtr" + "AesXts", + "AesCtr", + "BKTR" }; +std::string kHashTypeStr[] +{ + "Auto", + "UNKNOWN_1", + "HierarchicalSha256", + "HierarchicalIntegrity" +}; + +std::string kFormatTypeStr[] +{ + "RomFs", + "PartitionFs" +}; + +std::string kKaekIndexStr[] +{ + "Application", + "Ocean", + "System" +}; + +enum EncryptionType +{ + CRYPT_AUTO, + CRYPT_NONE, + CRYPT_AESXTS, + CRYPT_AESCTR, + CRYPT_BKTR +}; + +#pragma pack(push,1) +struct sNcaFsHeader +{ + le_uint16_t version; // usually 0x0002 + byte_t format_type; // RomFs(0x00), PartitionFs(0x01) + byte_t hash_type; // HashTypeAuto(0x00), HashTypeHierarchicalSha256(0x02), HashTypeHierarchicalIntegrity(0x03).RomFs uses (0x03) this is forced, PartitionFs uses (0x02). + byte_t encryption_type; // EncryptionTypeAuto(0x00), EncryptionTypeNone(0x01), EncryptionTypeAesCtr(0x03) + byte_t reserved[3]; +}; +#pragma pack(pop) + + + int main(int argc, char** argv) { if (argc < 2) @@ -133,25 +203,45 @@ int main(int argc, char** argv) fnd::MemoryBlob nca; fnd::io::readFile(argv[1], nca); - u8 sector[kNcaSectorSize]; + decryptNcaHeader(nca.getBytes(), crypto::aes::nx::dev::nca_header_key[0], crypto::aes::nx::dev::nca_header_key[1]); + //dumpHxdStyleSector(nca.getBytes(), 0xc00); + + //u8 sector[kNcaSectorSize]; // nca test if (argc == 2 || argc == 3) { - decryptNcaSectorXts(nca, sector, 1, crypto::aes::nx::dev::nca_header_key[0], crypto::aes::nx::dev::nca_header_key[1]); + //decryptNcaSectorXts(nca, sector, 1, crypto::aes::nx::dev::nca_header_key[0], crypto::aes::nx::dev::nca_header_key[1]); nx::NcaHeader hdr; - hdr.importBinary(sector, kNcaSectorSize); + hdr.importBinary(nca.getBytes() + sectorToOffset(1), kNcaSectorSize); printf("[NCA Header]\n"); + printf(" Format Type: %s\n", kFormatVersionStr[hdr.getFormatVersion()].c_str()); printf(" Dist. Type: %s\n", kDistributionTypeStr[hdr.getDistributionType()].c_str()); printf(" Type: %s\n", kContentTypeStr[hdr.getContentType()].c_str()); - printf(" Enc. Type: %s\n", kEncryptionTypeStr[hdr.getEncryptionType()].c_str()); - printf(" KeyIndex: %d\n", hdr.getKeyIndex()); + printf(" Crypto Type: %d\n", hdr.getCryptoType()); + printf(" Kaek Index: %s (%d)\n", kKaekIndexStr[hdr.getKaekIndex()].c_str(), hdr.getKaekIndex()); printf(" Size: 0x%" PRIx64 "\n", hdr.getNcaSize()); printf(" ProgID: 0x%016" PRIx64 "\n", hdr.getProgramId()); printf(" Content. Idx: %" PRIu32 "\n", hdr.getContentIndex()); - printf(" SdkAddon Ver.: v%" PRIu32 "\n", hdr.getSdkAddonVersion()); + uint32_t ver = hdr.getSdkAddonVersion(); + printf(" SdkAddon Ver.: v%d.%d.%d.%d (v%" PRIu32 ")\n", (ver>>24 & 0xff),(ver>>16 & 0xff),(ver>>8 & 0xff),(ver>>0 & 0xff), ver); + printf(" Encrypted Key Area:\n"); + for (size_t i = 0; i < hdr.getEncAesKeys().getSize(); i++) + { + printf(" %lu: ", i); + hexDump(hdr.getEncAesKeys()[i].key, crypto::aes::kAes128KeySize); + printf("\n"); + /* + byte_t key[crypto::aes::kAes128KeySize]; + crypto::aes::AesEcbDecrypt(hdr.getEncAesKeys()[i].key, crypto::aes::kAes128KeySize, crypto::aes::nx::dev::key_area_encryption_key_0, key); + printf(" dec: ", i); + hexDump(key, crypto::aes::kAes128KeySize); + printf("\n"); + */ + } + printf(" Sections:\n"); for (size_t i = 0; i < hdr.getSections().getSize(); i++) { @@ -161,19 +251,41 @@ int main(int argc, char** argv) //printf(" End Blk: %" PRId32 "\n", section.end_blk); printf(" Offset: 0x%" PRIx64 "\n", section.offset); printf(" Size: 0x%" PRIx64 "\n", section.size); - printf(" Enc. Type: %s\n", kEncryptionTypeStr[section.enc_type].c_str()); + + + size_t sector_index = 1 + (hdr.getSections().getSize() - i); + + byte_t hash[crypto::sha::kSha256HashLen]; + crypto::sha::Sha256(nca.getBytes() + sectorToOffset(sector_index), kNcaSectorSize, hash); + if (section.hash.compare(hash) == false) + { + //throw fnd::Exception("ncatool", "NcaFsHeader has bad sha256 hash"); + } + + const sNcaFsHeader* fsHdr = (const sNcaFsHeader*)(nca.getBytes() + sectorToOffset(sector_index)); + printf(" FsHeader:\n"); + printf(" Version: 0x%d\n", fsHdr->version.get()); + printf(" Format Type: %s\n", kFormatTypeStr[fsHdr->format_type].c_str()); + printf(" Hash Type: %s\n", kHashTypeStr[fsHdr->hash_type].c_str()); + printf(" Enc. Type: %s\n", kEncryptionTypeStr[fsHdr->encryption_type].c_str()); + /* printf(" Hash: "); hexDump(section.hash.bytes, crypto::sha::kSha256HashLen); printf("\n"); - } - printf(" Encrypted Body Keys:\n"); - for (size_t i = 0; i < hdr.getEncAesKeys().getSize(); i++) - { - printf(" %lu: ", i); - hexDump(hdr.getEncAesKeys()[i].key, crypto::aes::kAes128KeySize); + byte_t hash[crypto::sha::kSha256HashLen]; + crypto::sha::Sha256(nca.getBytes() + sectorToOffset(sector_index), kNcaSectorSize, hash); + printf(" Hash: "); + hexDump(hash, crypto::sha::kSha256HashLen); printf("\n"); - } + */ + //dumpHxdStyleSector(nca.getBytes() + sectorToOffset(sector_index), 0x10); + } + + + + +#ifdef USE_OLD_CODE if (argc == 3) { #ifdef _WIN32 @@ -203,7 +315,8 @@ int main(int argc, char** argv) dumpNcaSector(sect); } } - +#endif + } } catch (const fnd::Exception& e) { printf("%s\n",e.what());