From d6105b95e1044a7871fff92938d6c351444e6222 Mon Sep 17 00:00:00 2001 From: shchmue Date: Fri, 27 Sep 2019 16:30:44 -0600 Subject: [PATCH] Add key generation to menu and fix repeat dump bug --- source/keys/keys.c | 83 ++++++++++++++++++++------------------ source/libs/fatfs/diskio.c | 8 +++- source/main.c | 41 +++++++++++++++++-- 3 files changed, 88 insertions(+), 44 deletions(-) diff --git a/source/keys/keys.c b/source/keys/keys.c index 2af24cd..d70e642 100644 --- a/source/keys/keys.c +++ b/source/keys/keys.c @@ -52,6 +52,8 @@ extern int sd_save_to_file(void *buf, u32 size, const char *filename); extern hekate_config h_cfg; +extern bool clear_sector_cache; + u32 _key_count = 0, _titlekey_count = 0; u32 color_idx = 0; sdmmc_storage_t storage; @@ -73,39 +75,13 @@ u32 start_time, end_time; #define SAVE_KEY(name, src, len) _save_key(name, src, len, text_buffer) #define SAVE_KEY_FAMILY(name, src, start, count, len) _save_key_family(name, src, start, count, len, text_buffer) -static u8 temp_key[0x10], - bis_key[4][0x20] = {0}, - device_key[0x10] = {0}, - new_device_key[0x10] = {0}, - sd_seed[0x10] = {0}, - // FS-related keys - fs_keys[10][0x20] = {0}, - header_key[0x20] = {0}, - save_mac_key[0x10] = {0}, - // other sysmodule sources - es_keys[3][0x10] = {0}, - eticket_rsa_kek[0x10] = {0}, - ssl_keys[2][0x10] = {0}, - ssl_rsa_kek[0x10] = {0}, - // keyblob-derived families - keyblob[KB_FIRMWARE_VERSION_600+1][0x90] = {0}, - keyblob_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, - keyblob_mac_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, - package1_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, - // master key-derived families - key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, - master_kek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, - master_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, - package2_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, - titlekek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}; - // key functions static bool _key_exists(const void *data) { return memcmp(data, zeros, 0x10); }; static void _save_key(const char *name, const void *data, u32 len, char *outbuf); static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf); static void _generate_kek(u32 ks, const void *key_source, void *master_key, const void *kek_seed, const void *key_seed); // nca functions -static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len); +static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len, const u8 key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10]); static u32 _nca_fread_ctr(u32 ks, FIL *fp, void *buffer, u32 offset, u32 len, u8 *ctr); static void _update_ctr(u8 *ctr, u32 ofs); // titlekey functions @@ -113,6 +89,32 @@ static bool _test_key_pair(const void *E, const void *D, const void *N); static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size); void dump_keys() { + u8 temp_key[0x10], + bis_key[4][0x20] = {0}, + device_key[0x10] = {0}, + new_device_key[0x10] = {0}, + sd_seed[0x10] = {0}, + // FS-related keys + fs_keys[10][0x20] = {0}, + header_key[0x20] = {0}, + save_mac_key[0x10] = {0}, + // other sysmodule sources + es_keys[3][0x10] = {0}, + eticket_rsa_kek[0x10] = {0}, + ssl_keys[0x10] = {0}, + ssl_rsa_kek[0x10] = {0}, + // keyblob-derived families + keyblob[KB_FIRMWARE_VERSION_600+1][0x90] = {0}, + keyblob_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, + keyblob_mac_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, + package1_key[KB_FIRMWARE_VERSION_600+1][0x10] = {0}, + // master key-derived families + key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, + master_kek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, + master_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, + package2_key[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}, + titlekek[KB_FIRMWARE_VERSION_MAX+1][0x10] = {0}; + display_backlight_brightness(h_cfg.backlight, 1000); gfx_clear_partial_grey(0x1B, 0, 1256); gfx_con_setpos(0, 0); @@ -122,6 +124,10 @@ void dump_keys() { tui_sbar(true); + _key_count = 0; + _titlekey_count = 0; + color_idx = 0; + start_time = get_tmr_us(); u32 begin_time = get_tmr_us(); u32 retries = 0; @@ -575,7 +581,7 @@ pkg2_done: } __attribute__ ((aligned (16))) FATFS emmc_fs; if (f_mount(&emmc_fs, "emmc:", 1)) { - EPRINTF("Mount Unable."); + EPRINTF("Unable to mount system partition."); goto key_output; } @@ -657,7 +663,7 @@ pkg2_done: } hash_index = 0; // decrypt only what is needed to locate needed keys - temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0xc0); + temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0xc0, key_area_key); for (u32 i = 0; i <= 0xb0; ) { se_calc_sha256(temp_hash, temp_file + i, 0x10); if (!memcmp(temp_hash, es_hashes_sha256[hash_order[hash_index]], 0x10)) { @@ -703,11 +709,11 @@ pkg2_done: } if (!memcmp(pkg1_id->id, "2016", 4)) start_offset = 0x449dc; - temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0x70); + temp_file = (u8*)_nca_process(5, 4, &fp, start_offset, 0x70, key_area_key); for (u32 i = 0; i <= 0x60; i++) { se_calc_sha256(temp_hash, temp_file + i, 0x10); if (!memcmp(temp_hash, ssl_hashes_sha256[1], 0x10)) { - memcpy(ssl_keys[1], temp_file + i, 0x10); + memcpy(ssl_keys, temp_file + i, 0x10); // only get ssl_rsa_kek_source_x from SSL on 1.0.0 // we get it from ES on every other firmware // and it's located oddly distant from ssl_rsa_kek_source_y on >= 6.0.0 @@ -735,11 +741,11 @@ pkg2_done: _generate_kek(7, es_keys[1], master_key[0], temp_key, NULL); se_aes_crypt_block_ecb(7, 0, eticket_rsa_kek, es_keys[0]); } - if (_key_exists(ssl_keys[1]) && _key_exists(es_keys[2]) && _key_exists(master_key[0])) { + if (_key_exists(ssl_keys) && _key_exists(es_keys[2]) && _key_exists(master_key[0])) { for (u32 i = 0; i < 0x10; i++) temp_key[i] = aes_kek_generation_source[i] ^ aes_kek_seed_01[i]; _generate_kek(7, es_keys[2], master_key[0], temp_key, NULL); - se_aes_crypt_block_ecb(7, 0, ssl_rsa_kek, ssl_keys[1]); + se_aes_crypt_block_ecb(7, 0, ssl_rsa_kek, ssl_keys); } if (memcmp(pkg1_id->id, "2016", 4)) { @@ -786,7 +792,7 @@ get_titlekeys: gfx_printf("%k Minerva not found!\n This may take up to a minute...\n", colors[(color_idx++) % 6]); gfx_printf(" For better performance, download Hekate\n and put bootloader/sys/libsys_minerva.bso\n on SD.\n"); } - gfx_printf("%kTitlekeys... ", colors[(color_idx++) % 6]); + gfx_printf("%kTitlekeys... ", colors[color_idx % 6]); u32 save_x = gfx_con.x, save_y = gfx_con.y; gfx_printf("\n"); @@ -949,8 +955,8 @@ get_titlekeys: dismount: f_mount(NULL, "emmc:", 1); + clear_sector_cache = true; nx_emmc_gpt_free(&gpt); - emummc_storage_end(&storage); key_output: ; char *text_buffer = (char *)malloc(_titlekey_count * 68 < 0x3000 ? 0x3000 : _titlekey_count * 68 + 1); @@ -1003,7 +1009,7 @@ key_output: ; SAVE_KEY("secure_boot_key", sbk, 0x10); SAVE_KEY("ssl_rsa_kek", ssl_rsa_kek, 0x10); SAVE_KEY("ssl_rsa_kek_source_x", es_keys[2], 0x10); - SAVE_KEY("ssl_rsa_kek_source_y", ssl_keys[1], 0x10); + SAVE_KEY("ssl_rsa_kek_source_y", ssl_keys, 0x10); SAVE_KEY_FAMILY("titlekek", titlekek, 0, MAX_KEY, 0x10); SAVE_KEY("titlekek_source", titlekek_source, 0x10); SAVE_KEY("tsec_key", tsec_keys, 0x10); @@ -1014,7 +1020,6 @@ key_output: ; end_time = get_tmr_us(); gfx_printf("\n%k Found %d keys.\n\n", colors[(color_idx++) % 6], _key_count); - _key_count = 0; gfx_printf("%kLockpick totally done in %d us\n\n", colors[(color_idx++) % 6], end_time - begin_time); gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], MAX_KEY - 1); @@ -1051,7 +1056,7 @@ key_output: ; out_wait: h_cfg.emummc_force_disable = emummc_load_cfg(); - sd_unmount(); + emummc_storage_end(&storage); gfx_printf("\n%kPress any key to return to the main menu.", colors[(color_idx) % 6], colors[(color_idx + 1) % 6], colors[(color_idx + 2) % 6]); btn_wait(); } @@ -1093,7 +1098,7 @@ static inline u32 _read_le_u32(const void *buffer, u32 offset) { (*(u8*)(buffer + offset + 3) << 0x18); } -static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len) { +static void *_nca_process(u32 hk_ks1, u32 hk_ks2, FIL *fp, u32 key_offset, u32 len, const u8 key_area_key[3][KB_FIRMWARE_VERSION_MAX+1][0x10]) { u32 read_bytes = 0, crypt_offset, read_size, num_files, string_table_size, rodata_offset; u8 *temp_file = (u8*)malloc(0x400), diff --git a/source/libs/fatfs/diskio.c b/source/libs/fatfs/diskio.c index 5f48faa..e820c6a 100644 --- a/source/libs/fatfs/diskio.c +++ b/source/libs/fatfs/diskio.c @@ -46,8 +46,9 @@ typedef struct { } sector_cache_t; #define MAX_SEC_CACHE_ENTRIES 64 -static sector_cache_t *sector_cache; +static sector_cache_t *sector_cache = NULL; static u32 secindex = 0; +bool clear_sector_cache = false; DSTATUS disk_status ( BYTE pdrv /* Physical drive number to identify the drive */ @@ -152,8 +153,11 @@ DRESULT disk_read ( u32 tweak_exp = 0; bool regen_tweak = true, cache_sector = false; - if (secindex == 0) { + if (secindex == 0 || clear_sector_cache) { + free(sector_cache); sector_cache = (sector_cache_t *)malloc(sizeof(sector_cache_t) * MAX_SEC_CACHE_ENTRIES); + clear_sector_cache = false; + secindex = 0; } u32 s = 0; diff --git a/source/main.c b/source/main.c index 26a84a4..97a5755 100644 --- a/source/main.c +++ b/source/main.c @@ -22,6 +22,7 @@ #include "gfx/di.h" #include "gfx/gfx.h" #include "gfx/tui.h" +#include "hos/pkg1.h" #include "libs/fatfs/ff.h" #include "mem/heap.h" #include "mem/minerva.h" @@ -30,6 +31,7 @@ #include "soc/bpmp.h" #include "soc/hw_init.h" #include "storage/emummc.h" +#include "storage/nx_emmc.h" #include "storage/sdmmc.h" #include "utils/sprintf.h" #include "utils/util.h" @@ -166,8 +168,8 @@ void dump_emunand() } ment_t ment_top[] = { - MDEF_HANDLER("Dump keys from SysNAND", dump_sysnand, COLOR_RED), - MDEF_HANDLER("Dump keys from emuMMC", dump_emunand, COLOR_ORANGE), + MDEF_HANDLER("Dump from SysNAND | Key generation: unk", dump_sysnand, COLOR_RED), + MDEF_HANDLER("Dump from EmuNAND | Key generation: unk", dump_emunand, COLOR_ORANGE), MDEF_CAPTION("---------------", COLOR_YELLOW), MDEF_HANDLER("Reboot (Normal)", reboot_normal, COLOR_GREEN), MDEF_HANDLER("Reboot (RCM)", reboot_rcm, COLOR_BLUE), @@ -177,7 +179,38 @@ ment_t ment_top[] = { menu_t menu_top = { ment_top, NULL, 0, 0 }; -#define IPL_STACK_TOP 0x90010000//0x4003F000 +void _get_key_generations(char *sysnand_label, char *emunand_label) { + sdmmc_t sdmmc; + sdmmc_storage_t storage; + sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4); + u8 *pkg1 = (u8 *)malloc(NX_EMMC_BLOCKSIZE); + sdmmc_storage_set_mmc_partition(&storage, 1); + sdmmc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 1, pkg1); + const pkg1_id_t *pkg1_id = pkg1_identify(pkg1); + sdmmc_storage_end(&storage); + + if (pkg1_id) + sprintf(sysnand_label + 36, "% 3d", pkg1_id->kb); + ment_top[0].caption = sysnand_label; + if (h_cfg.emummc_force_disable) { + free(pkg1); + return; + } + + emummc_storage_init_mmc(&storage, &sdmmc); + memset(pkg1, 0, NX_EMMC_BLOCKSIZE); + emummc_storage_set_mmc_partition(&storage, 1); + emummc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 1, pkg1); + pkg1_id = pkg1_identify(pkg1); + emummc_storage_end(&storage); + + if (pkg1_id) + sprintf(emunand_label + 36, "% 3d", pkg1_id->kb); + free(pkg1); + ment_top[1].caption = emunand_label; +} + +#define IPL_STACK_TOP 0x90010000 #define IPL_HEAP_START 0x90020000 extern void pivot_stack(u32 stack_top); @@ -218,6 +251,8 @@ void ipl_main() ment_top[1].handler = NULL; } + _get_key_generations((char *)ment_top[0].caption, (char *)ment_top[1].caption); + while (true) tui_do_menu(&menu_top);