Find tsecfw size and offset firmware-agnostically
This commit is contained in:
parent
1bc5c2a667
commit
f612ee2a8c
@ -23,17 +23,17 @@
|
|||||||
#include "../sec/se.h"
|
#include "../sec/se.h"
|
||||||
|
|
||||||
static const pkg1_id_t _pkg1_ids[] = {
|
static const pkg1_id_t _pkg1_ids[] = {
|
||||||
{ "20161121183008", 0, 0x1900, 0x3FE0, 0x4002B020 }, //1.0.0
|
{ "20161121183008", 0 }, //1.0.0
|
||||||
{ "20170210155124", 0, 0x1900, 0x3FE0, 0x4002D000 }, //2.0.0 - 2.3.0
|
{ "20170210155124", 0 }, //2.0.0 - 2.3.0
|
||||||
{ "20170519101410", 1, 0x1A00, 0x3FE0, 0x4002D000 }, //3.0.0
|
{ "20170519101410", 1 }, //3.0.0
|
||||||
{ "20170710161758", 2, 0x1A00, 0x3FE0, 0x4002D000 }, //3.0.1 - 3.0.2
|
{ "20170710161758", 2 }, //3.0.1 - 3.0.2
|
||||||
{ "20170921172629", 3, 0x1800, 0x3FE0, 0x4002B000 }, //4.0.0 - 4.1.0
|
{ "20170921172629", 3 }, //4.0.0 - 4.1.0
|
||||||
{ "20180220163747", 4, 0x1900, 0x3FE0, 0x4002B000 }, //5.0.0 - 5.1.0
|
{ "20180220163747", 4 }, //5.0.0 - 5.1.0
|
||||||
{ "20180802162753", 5, 0x1900, 0x3FE0, 0x4002B000 }, //6.0.0 - 6.1.0
|
{ "20180802162753", 5 }, //6.0.0 - 6.1.0
|
||||||
{ "20181107105733", 6, 0x0E00, 0x6FE0, 0x4002B000 }, //6.2.0
|
{ "20181107105733", 6 }, //6.2.0
|
||||||
{ "20181218175730", 7, 0x0F00, 0x6FE0, 0x40030000 }, //7.0.0
|
{ "20181218175730", 7 }, //7.0.0
|
||||||
{ "20190208150037", 7, 0x0F00, 0x6FE0, 0x40030000 }, //7.0.1
|
{ "20190208150037", 7 }, //7.0.1
|
||||||
{ "20190314172056", 7, 0x0E00, 0x6FE0, 0x40030000 }, //8.0.0
|
{ "20190314172056", 7 }, //8.0.0
|
||||||
{ NULL } //End.
|
{ NULL } //End.
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -23,9 +23,6 @@ typedef struct _pkg1_id_t
|
|||||||
{
|
{
|
||||||
const char *id;
|
const char *id;
|
||||||
u32 kb;
|
u32 kb;
|
||||||
u32 tsec_off;
|
|
||||||
u32 pkg11_off;
|
|
||||||
u32 secmon_base;
|
|
||||||
} pkg1_id_t;
|
} pkg1_id_t;
|
||||||
|
|
||||||
const pkg1_id_t *pkg1_identify(u8 *pkg1);
|
const pkg1_id_t *pkg1_identify(u8 *pkg1);
|
||||||
|
@ -252,6 +252,19 @@ void dump_keys() {
|
|||||||
goto out_wait;
|
goto out_wait;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool found_tsec_fw = false;
|
||||||
|
for (const u32 *pos = (const u32 *)pkg1; (u8 *)pos < pkg1 + 0x40000; pos += 0x100 / sizeof(u32)) {
|
||||||
|
if (*pos == 0xCF42004D) {
|
||||||
|
tsec_ctxt.fw = (u8 *)pos;
|
||||||
|
found_tsec_fw = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!found_tsec_fw) {
|
||||||
|
EPRINTF("Failed to locate TSEC firmware.");
|
||||||
|
goto out_wait;
|
||||||
|
}
|
||||||
|
|
||||||
u32 MAX_KEY = 6;
|
u32 MAX_KEY = 6;
|
||||||
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
|
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
|
||||||
MAX_KEY = pkg1_id->kb + 1;
|
MAX_KEY = pkg1_id->kb + 1;
|
||||||
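Review bot: The magic scan at `for (const u32 *pos = (const u32 *)pkg1; (u8 *)pos < pkg1 + 0x40000; ...)` assumes the pkg1 buffer holds a full 0x40000 bytes, but the read that fills pkg1 is outside this hunk and nothing here ties the bound to it; if that read is ever shorter, the loop walks past the buffer looking for 0xCF42004D. Bounding the loop by the same length constant the read uses, rather than a second literal, keeps the two from drifting, and a one-line comment naming what 0xCF42004D is (the TSEC firmware magic the commit message alludes to) would help the next reader. The `found_tsec_fw` flag duplicates state already carried by `tsec_ctxt.fw`; setting `tsec_ctxt.fw = NULL;` before the loop and testing `if (!tsec_ctxt.fw)` afterwards removes the extra local. dump_keys starts and ends outside the hunk.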
@ -281,7 +294,7 @@ void dump_keys() {
|
|||||||
gfx_printf("%kFirmware 7.x or higher detected.\n%kRenamed /sept/payload.bin", colors[0], colors[1]);
|
gfx_printf("%kFirmware 7.x or higher detected.\n%kRenamed /sept/payload.bin", colors[0], colors[1]);
|
||||||
gfx_printf("\n%k to /sept/payload.bak\n%kCopied self to /sept/payload.bin",colors[2], colors[3]);
|
gfx_printf("\n%k to /sept/payload.bak\n%kCopied self to /sept/payload.bin",colors[2], colors[3]);
|
||||||
sdmmc_storage_end(&storage);
|
sdmmc_storage_end(&storage);
|
||||||
if (!reboot_to_sept((u8 *)pkg1 + pkg1_id->tsec_off))
|
if (!reboot_to_sept((u8 *)tsec_ctxt.fw))
|
||||||
goto out_wait;
|
goto out_wait;
|
||||||
} else {
|
} else {
|
||||||
se_aes_key_read(12, master_key[pkg1_id->kb], 0x10);
|
se_aes_key_read(12, master_key[pkg1_id->kb], 0x10);
|
||||||
@ -291,17 +304,10 @@ void dump_keys() {
|
|||||||
get_tsec: ;
|
get_tsec: ;
|
||||||
u8 tsec_keys[0x10 * 2] = {0};
|
u8 tsec_keys[0x10 * 2] = {0};
|
||||||
|
|
||||||
tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
|
tsec_key_data_t *key_data = (tsec_key_data_t *)(tsec_ctxt.fw + TSEC_KEY_DATA_ADDR);
|
||||||
tsec_ctxt.pkg1 = pkg1;
|
tsec_ctxt.pkg1 = pkg1;
|
||||||
tsec_ctxt.pkg11_off = pkg1_id->pkg11_off;
|
tsec_ctxt.size = 0x100 + key_data->blob0_size + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size;
|
||||||
tsec_ctxt.secmon_base = pkg1_id->secmon_base;
|
if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) {
|
||||||
|
|
||||||
if (pkg1_id->kb <= KB_FIRMWARE_VERSION_600)
|
|
||||||
tsec_ctxt.size = 0xF00;
|
|
||||||
else if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
|
|
||||||
tsec_ctxt.size = 0x2900;
|
|
||||||
else {
|
|
||||||
tsec_ctxt.size = 0x3000;
|
|
||||||
// Exit after TSEC key generation.
|
// Exit after TSEC key generation.
|
||||||
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
|
*((vu16 *)((u32)tsec_ctxt.fw + 0x2DB5)) = 0x02F8;
|
||||||
}
|
}
|
||||||
|
@ -49,7 +49,7 @@ bool sd_mount()
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
int res = 0;
|
int res = 0;
|
||||||
res = f_mount(&sd_fs, "", 1);
|
res = f_mount(&sd_fs, "sd:", 1);
|
||||||
if (res == FR_OK)
|
if (res == FR_OK)
|
||||||
{
|
{
|
||||||
sd_mounted = 1;
|
sd_mounted = 1;
|
||||||
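Review bot: `f_mount(&sd_fs, "sd:", 1)` switches from the default drive string to a named volume, which only resolves if the FatFs build has FF_STR_VOLUME_ID enabled with a matching entry in its volume-name table; that configuration is not part of this commit (or not in view), so it should be confirmed or the mount now fails where "" succeeded. The matching `f_mount(NULL, "sd:", 1)` in the sd_unmount hunk keeps mount and unmount consistent, which is good. A short comment on the mount line, `// Volume string must match FF_VOLUME_STRS in ffconf.h`, would make the dependency visible. sd_mount starts and ends outside the hunk.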
@ -68,7 +68,7 @@ void sd_unmount()
|
|||||||
{
|
{
|
||||||
if (sd_mounted)
|
if (sd_mounted)
|
||||||
{
|
{
|
||||||
f_mount(NULL, "", 1);
|
f_mount(NULL, "sd:", 1);
|
||||||
sdmmc_storage_end(&sd_storage);
|
sdmmc_storage_end(&sd_storage);
|
||||||
sd_mounted = false;
|
sd_mounted = false;
|
||||||
}
|
}
|
||||||
|
@ -118,7 +118,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
|
|||||||
{
|
{
|
||||||
// Init SMMU translation for TSEC.
|
// Init SMMU translation for TSEC.
|
||||||
pdir = smmu_init_for_tsec();
|
pdir = smmu_init_for_tsec();
|
||||||
smmu_init(tsec_ctxt->secmon_base);
|
smmu_init(0x4002B000);
|
||||||
// Enable SMMU
|
// Enable SMMU
|
||||||
if (!smmu_is_used())
|
if (!smmu_is_used())
|
||||||
smmu_enable();
|
smmu_enable();
|
||||||
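Review bot: `smmu_init(0x4002B000)` replaces a per-firmware value: the table this commit removes listed 0x4002B020 for 1.0.0, 0x4002D000 for 2.0.0–3.0.2 and 0x40030000 for 7.x, so on those firmwares the hard-coded base no longer matches what the old code passed. If smmu_init only needs a page within the secmon region this may be harmless, but a firmware-agnostic change should either derive the base from the package (as it now does for the TSEC offset) or state in a comment why one constant suffices, e.g. `// Secmon base: <rationale>; earlier per-firmware values were 0x4002B020/0x4002D000/0x40030000`. The same concern applies to the next hunk, where `pkg11_magic_off = (u32 *)(iram + (0x7000 / 4))` fixes what was `(pkg11_off + 0x20) / 4`, i.e. 0x4000 for 6.1.0 and below and 0x7000 from 6.2.0 on; if this path only runs for 6.2.0+ the constant is right, and a comment stating that assumption would help. tsec_query starts and ends outside both hunks.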
@ -161,7 +161,7 @@ int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt)
|
|||||||
iram = page_alloc(0x30);
|
iram = page_alloc(0x30);
|
||||||
memcpy(iram, tsec_ctxt->pkg1, 0x30000);
|
memcpy(iram, tsec_ctxt->pkg1, 0x30000);
|
||||||
// PKG1.1 magic offset.
|
// PKG1.1 magic offset.
|
||||||
pkg11_magic_off = (u32 *)(iram + ((tsec_ctxt->pkg11_off + 0x20) / 4));
|
pkg11_magic_off = (u32 *)(iram + (0x7000 / 4));
|
||||||
smmu_map(pdir, 0x40010000, (u32)iram, 0x30, _READABLE | _WRITABLE | _NONSECURE);
|
smmu_map(pdir, 0x40010000, (u32)iram, 0x30, _READABLE | _WRITABLE | _NONSECURE);
|
||||||
|
|
||||||
// Exception vectors
|
// Exception vectors
|
||||||
|
@ -20,15 +20,31 @@
|
|||||||
|
|
||||||
#include "../utils/types.h"
|
#include "../utils/types.h"
|
||||||
|
|
||||||
|
#define TSEC_KEY_DATA_ADDR 0x300
|
||||||
|
|
||||||
typedef struct _tsec_ctxt_t
|
typedef struct _tsec_ctxt_t
|
||||||
{
|
{
|
||||||
void *fw;
|
void *fw;
|
||||||
u32 size;
|
u32 size;
|
||||||
void *pkg1;
|
void *pkg1;
|
||||||
u32 pkg11_off;
|
|
||||||
u32 secmon_base;
|
|
||||||
} tsec_ctxt_t;
|
} tsec_ctxt_t;
|
||||||
|
|
||||||
|
typedef struct _tsec_key_data_t
|
||||||
|
{
|
||||||
|
u8 debug_key[0x10];
|
||||||
|
u8 blob0_auth_hash[0x10];
|
||||||
|
u8 blob1_auth_hash[0x10];
|
||||||
|
u8 blob2_auth_hash[0x10];
|
||||||
|
u8 blob2_aes_iv[0x10];
|
||||||
|
u8 hovi_eks_seed[0x10];
|
||||||
|
u8 hovi_common_seed[0x10];
|
||||||
|
u32 blob0_size;
|
||||||
|
u32 blob1_size;
|
||||||
|
u32 blob2_size;
|
||||||
|
u32 blob3_size;
|
||||||
|
u32 blob4_size;
|
||||||
|
} tsec_key_data_t;
|
||||||
|
|
||||||
int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt);
|
int tsec_query(u8 *tsec_keys, u8 kb, tsec_ctxt_t *tsec_ctxt);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|