mirror of
https://github.com/modmii/YAWM-ModMii-Edition.git
synced 2024-11-21 15:49:19 +01:00
Fix tickets using the vWii common key (#9)
* had to download libogc's aes driver, hoping this works
This commit is contained in:
parent
abd5f48be9
commit
cb2351b877
125
source/aes.c
Normal file
125
source/aes.c
Normal file
@ -0,0 +1,125 @@
|
||||
/*-------------------------------------------------------------
|
||||
|
||||
aes.c -- AES Engine
|
||||
|
||||
Copyright (C) 2022
|
||||
GaryOderNichts
|
||||
Joris 'DacoTaco' Vermeylen info@dacotaco.com
|
||||
|
||||
This software is provided 'as-is', without any express or implied
|
||||
warranty. In no event will the authors be held liable for any
|
||||
damages arising from the use of this software.
|
||||
|
||||
Permission is granted to anyone to use this software for any
|
||||
purpose, including commercial applications, and to alter it and
|
||||
redistribute it freely, subject to the following restrictions:
|
||||
|
||||
1. The origin of this software must not be misrepresented; you
|
||||
must not claim that you wrote the original software. If you use
|
||||
this software in a product, an acknowledgment in the product
|
||||
documentation would be appreciated but is not required.
|
||||
|
||||
2. Altered source versions must be plainly marked as such, and
|
||||
must not be misrepresented as being the original software.
|
||||
|
||||
3. This notice may not be removed or altered from any source
|
||||
distribution.
|
||||
|
||||
-------------------------------------------------------------*/
|
||||
#if defined(HW_RVL)
|
||||
|
||||
#include <string.h>
|
||||
#include <gctypes.h>
|
||||
#include <gcutil.h>
|
||||
#include <ogc/ipc.h>
|
||||
|
||||
#include "aes.h"
|
||||
|
||||
#define AES_HEAPSIZE 0x200
|
||||
|
||||
#define AES_IOCTLV_ENCRYPT 2
|
||||
#define AES_IOCTLV_DECRYPT 3
|
||||
|
||||
static s32 __aes_fd = -1;
|
||||
static s32 __aes_hid = -1;
|
||||
|
||||
static s32 AES_ExecuteCommand(s32 command, const void* key, u32 key_size, void* iv, u32 iv_size, const void* in_data, void* out_data, u32 data_size)
|
||||
{
|
||||
if ((((u32)in_data | (u32)out_data) & 0xF) != 0)
|
||||
return -4;
|
||||
|
||||
if (key_size != 16 || iv_size != 16 || (data_size & 15) != 0)
|
||||
return -4;
|
||||
|
||||
ioctlv* params = (ioctlv*)iosAlloc(__aes_hid, sizeof(ioctlv) * 4);
|
||||
if (!params)
|
||||
return -1;
|
||||
|
||||
s32 ret = -1;
|
||||
for (u32 i = 0; i < data_size; i += AES_BLOCK_SIZE) {
|
||||
u32 size = i+AES_BLOCK_SIZE >= data_size
|
||||
? data_size - i
|
||||
: AES_BLOCK_SIZE;
|
||||
|
||||
params[0].data = (void*)((u32)in_data + i);
|
||||
params[0].len = size;
|
||||
params[1].data = (void*) key;
|
||||
params[1].len = key_size;
|
||||
params[2].data = (void*)((u32)out_data + i);
|
||||
params[2].len = size;
|
||||
params[3].data = iv;
|
||||
params[3].len = iv_size;
|
||||
|
||||
ret = IOS_Ioctlv(__aes_fd, command, 2, 2, params);
|
||||
if (ret < 0)
|
||||
break;
|
||||
}
|
||||
|
||||
iosFree(__aes_hid, params);
|
||||
return ret;
|
||||
}
|
||||
|
||||
s32 AES_Init(void)
|
||||
{
|
||||
if (__aes_fd >= 0)
|
||||
return -1;
|
||||
|
||||
__aes_fd = IOS_Open("/dev/aes", 0);
|
||||
if (__aes_fd < 0)
|
||||
return __aes_fd;
|
||||
|
||||
//only create heap if it wasn't created yet.
|
||||
//its never disposed, so only create once.
|
||||
if(__aes_hid < 0)
|
||||
__aes_hid = iosCreateHeap(AES_HEAPSIZE);
|
||||
|
||||
if (__aes_hid < 0) {
|
||||
AES_Close();
|
||||
return __aes_hid;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
s32 AES_Close(void)
|
||||
{
|
||||
if (__aes_fd < 0)
|
||||
return -1;
|
||||
|
||||
IOS_Close(__aes_fd);
|
||||
__aes_fd = -1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
s32 AES_Encrypt(const void* key, u32 key_size, void* iv, u32 iv_size, const void* in_data, void* out_data, u32 data_size)
|
||||
{
|
||||
return AES_ExecuteCommand(AES_IOCTLV_ENCRYPT, key, key_size, iv, iv_size, in_data, out_data, data_size);
|
||||
}
|
||||
|
||||
s32 AES_Decrypt(const void* key, u32 key_size, void* iv, u32 iv_size, const void* in_data, void* out_data, u32 data_size)
|
||||
{
|
||||
return AES_ExecuteCommand(AES_IOCTLV_DECRYPT, key, key_size, iv, iv_size, in_data, out_data, data_size);
|
||||
}
|
||||
|
||||
#endif
|
53
source/aes.h
Normal file
53
source/aes.h
Normal file
@ -0,0 +1,53 @@
|
||||
/*-------------------------------------------------------------
|
||||
|
||||
aes.h -- AES Engine
|
||||
|
||||
Copyright (C) 2022
|
||||
GaryOderNichts
|
||||
Joris 'DacoTaco' Vermeylen info@dacotaco.com
|
||||
|
||||
This software is provided 'as-is', without any express or implied
|
||||
warranty. In no event will the authors be held liable for any
|
||||
damages arising from the use of this software.
|
||||
|
||||
Permission is granted to anyone to use this software for any
|
||||
purpose, including commercial applications, and to alter it and
|
||||
redistribute it freely, subject to the following restrictions:
|
||||
|
||||
1. The origin of this software must not be misrepresented; you
|
||||
must not claim that you wrote the original software. If you use
|
||||
this software in a product, an acknowledgment in the product
|
||||
documentation would be appreciated but is not required.
|
||||
|
||||
2. Altered source versions must be plainly marked as such, and
|
||||
must not be misrepresented as being the original software.
|
||||
|
||||
3. This notice may not be removed or altered from any source
|
||||
distribution.
|
||||
|
||||
-------------------------------------------------------------*/
|
||||
|
||||
|
||||
#ifndef __AES_H___
|
||||
#define __AES_H___
|
||||
|
||||
#if defined(HW_RVL)
|
||||
#include <gctypes.h>
|
||||
#include <gcutil.h>
|
||||
|
||||
#define AES_BLOCK_SIZE 0x10000
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif /* __cplusplus */
|
||||
|
||||
s32 AES_Init(void);
|
||||
s32 AES_Close(void);
|
||||
s32 AES_Decrypt(const void* key, u32 key_size, void* iv, u32 iv_size, const void* in_data, void* out_data, u32 data_size);
|
||||
s32 AES_Encrypt(const void* key, u32 key_size, void* iv, u32 iv_size, const void* in_data, void* out_data, u32 data_size);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif /* __cplusplus */
|
||||
#endif
|
||||
#endif
|
106
source/wad.c
106
source/wad.c
@ -2,11 +2,13 @@
|
||||
#include <string.h>
|
||||
#include <ogcsys.h>
|
||||
#include <ogc/pad.h>
|
||||
#include <ogc/es.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sys.h"
|
||||
#include "title.h"
|
||||
#include "utils.h"
|
||||
#include "aes.h"
|
||||
#include "video.h"
|
||||
#include "wad.h"
|
||||
#include "wpad.h"
|
||||
@ -93,58 +95,58 @@ static inline void DecEncTxtBuffer(char* buffer)
|
||||
|
||||
u64 get_title_ios(u64 title) {
|
||||
s32 ret, fd;
|
||||
static char filepath[256] ATTRIBUTE_ALIGN(32);
|
||||
|
||||
static char filepath[256] ATTRIBUTE_ALIGN(32);
|
||||
|
||||
// Check to see if title exists
|
||||
if (ES_GetDataDir(title, filepath) >= 0 ) {
|
||||
u32 tmd_size = 0;
|
||||
static u8 tmd_buf[MAX_SIGNED_TMD_SIZE] ATTRIBUTE_ALIGN(32);
|
||||
|
||||
|
||||
ret = ES_GetStoredTMDSize(title, &tmd_size);
|
||||
if (ret < 0){
|
||||
// If we fail to use the ES function, try reading manually
|
||||
// This is a workaround added since some IOS (like 21) don't like our
|
||||
// call to ES_GetStoredTMDSize
|
||||
|
||||
|
||||
//printf("Error! ES_GetStoredTMDSize: %d\n", ret);
|
||||
|
||||
|
||||
sprintf(filepath, "/title/%08x/%08x/content/title.tmd", TITLE_UPPER(title), TITLE_LOWER(title));
|
||||
|
||||
|
||||
ret = ISFS_Open(filepath, ISFS_OPEN_READ);
|
||||
if (ret <= 0)
|
||||
{
|
||||
//printf("Error! ISFS_Open (ret = %d)\n", ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
fd = ret;
|
||||
|
||||
|
||||
ret = ISFS_Seek(fd, 0x184, 0);
|
||||
if (ret < 0)
|
||||
{
|
||||
//printf("Error! ISFS_Seek (ret = %d)\n", ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
ret = ISFS_Read(fd,tmd_buf,8);
|
||||
if (ret < 0)
|
||||
{
|
||||
//printf("Error! ISFS_Read (ret = %d)\n", ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
ret = ISFS_Close(fd);
|
||||
if (ret < 0)
|
||||
{
|
||||
//printf("Error! ISFS_Close (ret = %d)\n", ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
return be64(tmd_buf);
|
||||
|
||||
|
||||
} else {
|
||||
// Normal versions of IOS won't have a problem, so we do things the "right" way.
|
||||
|
||||
|
||||
// Some of this code adapted from bushing's title_lister.c
|
||||
signed_blob *s_tmd = (signed_blob *)tmd_buf;
|
||||
ret = ES_GetStoredTMD(title, s_tmd, tmd_size);
|
||||
@ -155,9 +157,9 @@ u64 get_title_ios(u64 title) {
|
||||
tmd *t = SIGNATURE_PAYLOAD(s_tmd);
|
||||
return t->sys_version;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -171,7 +173,7 @@ static bool GetRegionFromTXT(char* region)
|
||||
return false;
|
||||
|
||||
DecEncTxtBuffer(buffer);
|
||||
|
||||
|
||||
char* current = strstr(buffer, "AREA");
|
||||
|
||||
if(current)
|
||||
@ -182,7 +184,7 @@ static bool GetRegionFromTXT(char* region)
|
||||
if (start && end)
|
||||
{
|
||||
start++;
|
||||
|
||||
|
||||
if (!strncmp(start, "JPN", 3))
|
||||
*region = 'J';
|
||||
else if (!strncmp(start, "USA", 3))
|
||||
@ -191,12 +193,12 @@ static bool GetRegionFromTXT(char* region)
|
||||
*region = 'E';
|
||||
else if (!strncmp(start, "KOR", 3))
|
||||
*region = 'K';
|
||||
|
||||
|
||||
if (*region != 0)
|
||||
{
|
||||
free(buffer);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
@ -232,7 +234,7 @@ s32 GetSysMenuRegion(u16* version, char* region)
|
||||
bool VersionIsOriginal(u16 version)
|
||||
{
|
||||
s32 i;
|
||||
|
||||
|
||||
for (i = 0; i < VersionListSize; i++)
|
||||
{
|
||||
if (VersionList[i] == version)
|
||||
@ -286,7 +288,7 @@ static u32 GetSysMenuBootContent(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
ret = ES_GetStoredTMD(0x100000002LL, (u8*)s_tmd, size);
|
||||
ret = ES_GetStoredTMD(0x100000002LL, s_tmd, size);
|
||||
if (ret < 0)
|
||||
{
|
||||
printf("Error! ES_GetStoredTMD failed (ret=%i)\n", ret);
|
||||
@ -326,7 +328,7 @@ bool GetSysMenuExecPath(char path[ISFS_MAXPATH], bool mainDOL)
|
||||
bool IsPriiloaderInstalled()
|
||||
{
|
||||
char path[ISFS_MAXPATH] ATTRIBUTE_ALIGN(0x20);
|
||||
|
||||
|
||||
if (!GetSysMenuExecPath(path, true))
|
||||
return false;
|
||||
|
||||
@ -339,7 +341,7 @@ bool IsPriiloaderInstalled()
|
||||
static bool BackUpPriiloader()
|
||||
{
|
||||
char path[ISFS_MAXPATH] ATTRIBUTE_ALIGN(0x20);
|
||||
|
||||
|
||||
if (!GetSysMenuExecPath(path, false))
|
||||
return false;
|
||||
|
||||
@ -350,7 +352,7 @@ static bool BackUpPriiloader()
|
||||
printf("Error! NANDBackUpFile: Failed! (Error: %d)\n", ret);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
ret = NANDGetFileSize("/tmp/priiload.app", &gPriiloaderSize);
|
||||
|
||||
return (gPriiloaderSize == size);
|
||||
@ -403,7 +405,7 @@ static bool RestorePriiloader()
|
||||
|
||||
static void PrintCleanupResult(s32 result)
|
||||
{
|
||||
|
||||
|
||||
if (result < 0)
|
||||
{
|
||||
switch (result)
|
||||
@ -446,9 +448,9 @@ static void CleanupPriiloaderLeftOvers(bool retain)
|
||||
printf("\r\t\t>> File: main.bin...");
|
||||
PrintCleanupResult(NANDDeleteFile("/title/00000001/00000002/data/main.bin"));
|
||||
}
|
||||
|
||||
|
||||
printf("\n\t\tRemoving Priiloader hacks...\n");
|
||||
|
||||
|
||||
printf("\r\t\t>> File: hacks_s.ini...");
|
||||
PrintCleanupResult(NANDDeleteFile("/title/00000001/00000002/data/hacks_s.ini"));
|
||||
printf("\r\t\t>> File: hacks.ini...");
|
||||
@ -462,7 +464,7 @@ static void CleanupPriiloaderLeftOvers(bool retain)
|
||||
{
|
||||
printf("\n\t\tPriiloader hacks will be reset!\n");
|
||||
printf("\t\tRemember to set them again.\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static bool CompareHashes(bool priiloader)
|
||||
@ -488,7 +490,7 @@ static bool CompareHashes(bool priiloader)
|
||||
free(dataA);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
bool ret = (sizeA == sizeB) && !CompareHash(dataA, sizeA, dataB, sizeB);
|
||||
|
||||
free(dataA);
|
||||
@ -550,17 +552,51 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
void __Wad_FixTicket(signed_blob *p_tik)
|
||||
{
|
||||
u8 *data = (u8 *)p_tik;
|
||||
u8 *ckey = data + 0x1F1;
|
||||
static const aeskey
|
||||
WiiCommonKey = { 0xeb, 0xe4, 0x2a, 0x22, 0x5e, 0x85, 0x93, 0xe4, 0x48, 0xd9, 0xc5, 0x45, 0x73, 0x81, 0xaa, 0xf7 },
|
||||
vWiiCommonKey = { 0x30, 0xbf, 0xc7, 0x6e, 0x7c, 0x19, 0xaf, 0xbb, 0x23, 0x16, 0x33, 0x30, 0xce, 0xd7, 0xc2, 0x8d };
|
||||
|
||||
void __Wad_FixTicket(signed_blob *s_tik)
|
||||
{
|
||||
tik* p_tik = SIGNATURE_PAYLOAD(s_tik);
|
||||
u8 *ckey = ((u8*)s_tik) + 0x1F1;
|
||||
|
||||
/*
|
||||
* Alright. I'd hate to pull this off on signed tickets using the vWii common key.
|
||||
* But this already does it, just without re-crypting the title key. So let's do it.
|
||||
*/
|
||||
bool fixKey = *ckey == 2;
|
||||
if (*ckey > 1) {
|
||||
/* Set common key */
|
||||
*ckey = 0;
|
||||
|
||||
/* Fix tickets using vWii Common Key */
|
||||
if (fixKey)
|
||||
{
|
||||
__attribute__((aligned(0x10)))
|
||||
static unsigned char keybuf[0x10], iv[0x10];
|
||||
|
||||
u8* titlekey = p_tik->cipher_title_key;
|
||||
u64* titleid = &p_tik->titleid;
|
||||
|
||||
memcpy(keybuf, titlekey, sizeof(keybuf));
|
||||
memcpy(iv, titleid, sizeof(u64));
|
||||
memset(iv + 8, 0, sizeof(iv) - 8);
|
||||
|
||||
AES_Init();
|
||||
AES_Decrypt(vWiiCommonKey, 0x10, iv, 0x10, keybuf, keybuf, sizeof(keybuf));
|
||||
|
||||
memcpy(iv, titleid, sizeof(u64));
|
||||
memset(iv + 8, 0, sizeof(iv) - 8);
|
||||
|
||||
AES_Encrypt(WiiCommonKey, 0x10, iv, 0x10, keybuf, keybuf, sizeof(keybuf));
|
||||
|
||||
memcpy(titlekey, keybuf, sizeof(keybuf));
|
||||
AES_Close();
|
||||
}
|
||||
|
||||
/* Fakesign ticket */
|
||||
Title_FakesignTik(p_tik);
|
||||
Title_FakesignTik(s_tik);
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user