2015-08-21 20:11:23 +02:00
|
|
|
// From http://github.com/b1l1s/ctr
|
|
|
|
|
|
|
|
|
|
#include "crypto.h"
|
|
|
|
|
#include "memory.h"
|
|
|
|
|
#include "fatfs/sdmmc/sdmmc.h"
|
|
|
|
|
|
|
|
|
|
/****************************************************************
|
|
|
|
|
* Crypto Libs
|
|
|
|
|
****************************************************************/
|
|
|
|
|
|
|
|
|
|
/* original version by megazig */
|
|
|
|
|
|
|
|
|
|
#ifndef __thumb__
|
|
|
|
|
#define BSWAP32(x) {\
|
|
|
|
|
__asm__\
|
|
|
|
|
(\
|
|
|
|
|
"eor r1, %1, %1, ror #16\n\t"\
|
|
|
|
|
"bic r1, r1, #0xFF0000\n\t"\
|
|
|
|
|
"mov %0, %1, ror #8\n\t"\
|
|
|
|
|
"eor %0, %0, r1, lsr #8\n\t"\
|
|
|
|
|
:"=r"(x)\
|
|
|
|
|
:"0"(x)\
|
|
|
|
|
:"r1"\
|
|
|
|
|
);\
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#define ADD_u128_u32(u128_0, u128_1, u128_2, u128_3, u32_0) {\
|
|
|
|
|
__asm__\
|
|
|
|
|
(\
|
|
|
|
|
"adds %0, %4\n\t"\
|
|
|
|
|
"addcss %1, %1, #1\n\t"\
|
|
|
|
|
"addcss %2, %2, #1\n\t"\
|
|
|
|
|
"addcs %3, %3, #1\n\t"\
|
|
|
|
|
: "+r"(u128_0), "+r"(u128_1), "+r"(u128_2), "+r"(u128_3)\
|
|
|
|
|
: "r"(u32_0)\
|
|
|
|
|
: "cc"\
|
|
|
|
|
);\
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
#define BSWAP32(x) {x = __builtin_bswap32(x);}
|
|
|
|
|
|
|
|
|
|
#define ADD_u128_u32(u128_0, u128_1, u128_2, u128_3, u32_0) {\
|
|
|
|
|
__asm__\
|
|
|
|
|
(\
|
|
|
|
|
"mov r4, #0\n\t"\
|
|
|
|
|
"add %0, %0, %4\n\t"\
|
|
|
|
|
"adc %1, %1, r4\n\t"\
|
|
|
|
|
"adc %2, %2, r4\n\t"\
|
|
|
|
|
"adc %3, %3, r4\n\t"\
|
|
|
|
|
: "+r"(u128_0), "+r"(u128_1), "+r"(u128_2), "+r"(u128_3)\
|
|
|
|
|
: "r"(u32_0)\
|
|
|
|
|
: "cc", "r4"\
|
|
|
|
|
);\
|
|
|
|
|
}
|
|
|
|
|
#endif /*__thumb__*/
|
|
|
|
|
|
|
|
|
|
void aes_setkey(u8 keyslot, const void* key, u32 keyType, u32 mode)
|
|
|
|
|
{
|
|
|
|
|
if(keyslot <= 0x03) return; // Ignore TWL keys for now
|
2016-03-06 18:29:47 +01:00
|
|
|
u32 * key32 = (u32 *)key;
|
2015-08-21 20:11:23 +02:00
|
|
|
*REG_AESCNT = (*REG_AESCNT & ~(AES_CNT_INPUT_ENDIAN | AES_CNT_INPUT_ORDER)) | mode;
|
|
|
|
|
*REG_AESKEYCNT = (*REG_AESKEYCNT >> 6 << 6) | keyslot | AES_KEYCNT_WRITE;
|
|
|
|
|
|
|
|
|
|
REG_AESKEYFIFO[keyType] = key32[0];
|
|
|
|
|
REG_AESKEYFIFO[keyType] = key32[1];
|
|
|
|
|
REG_AESKEYFIFO[keyType] = key32[2];
|
|
|
|
|
REG_AESKEYFIFO[keyType] = key32[3];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void aes_use_keyslot(u8 keyslot)
|
|
|
|
|
{
|
|
|
|
|
if(keyslot > 0x3F)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
*REG_AESKEYSEL = keyslot;
|
|
|
|
|
*REG_AESCNT = *REG_AESCNT | 0x04000000; /* mystery bit */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void aes_setiv(const void* iv, u32 mode)
|
|
|
|
|
{
|
2016-03-06 18:29:47 +01:00
|
|
|
const u32 *iv32 = (const u32 *)iv;
|
2015-08-21 20:11:23 +02:00
|
|
|
*REG_AESCNT = (*REG_AESCNT & ~(AES_CNT_INPUT_ENDIAN | AES_CNT_INPUT_ORDER)) | mode;
|
|
|
|
|
|
|
|
|
|
// Word order for IV can't be changed in REG_AESCNT and always default to reversed
|
|
|
|
|
if(mode & AES_INPUT_NORMAL)
|
|
|
|
|
{
|
|
|
|
|
REG_AESCTR[0] = iv32[3];
|
|
|
|
|
REG_AESCTR[1] = iv32[2];
|
|
|
|
|
REG_AESCTR[2] = iv32[1];
|
|
|
|
|
REG_AESCTR[3] = iv32[0];
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
REG_AESCTR[0] = iv32[0];
|
|
|
|
|
REG_AESCTR[1] = iv32[1];
|
|
|
|
|
REG_AESCTR[2] = iv32[2];
|
|
|
|
|
REG_AESCTR[3] = iv32[3];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-06 18:29:47 +01:00
|
|
|
void aes_advctr(void *ctr, u32 val, u32 mode)
|
2015-08-21 20:11:23 +02:00
|
|
|
{
|
2016-03-06 18:29:47 +01:00
|
|
|
u32 *ctr32 = (u32*)ctr;
|
2015-08-21 20:11:23 +02:00
|
|
|
|
|
|
|
|
int i;
|
|
|
|
|
if(mode & AES_INPUT_BE)
|
|
|
|
|
{
|
|
|
|
|
for(i = 0; i < 4; ++i) // Endian swap
|
|
|
|
|
BSWAP32(ctr32[i]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(mode & AES_INPUT_NORMAL)
|
|
|
|
|
{
|
|
|
|
|
ADD_u128_u32(ctr32[3], ctr32[2], ctr32[1], ctr32[0], val);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ADD_u128_u32(ctr32[0], ctr32[1], ctr32[2], ctr32[3], val);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(mode & AES_INPUT_BE)
|
|
|
|
|
{
|
|
|
|
|
for(i = 0; i < 4; ++i) // Endian swap
|
|
|
|
|
BSWAP32(ctr32[i]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-06 18:29:47 +01:00
|
|
|
void aes_change_ctrmode(void *ctr, u32 fromMode, u32 toMode)
|
2015-08-21 20:11:23 +02:00
|
|
|
{
|
2016-03-06 18:29:47 +01:00
|
|
|
u32 *ctr32 = (u32 *)ctr;
|
2015-08-21 20:11:23 +02:00
|
|
|
int i;
|
|
|
|
|
if((fromMode ^ toMode) & AES_CNT_INPUT_ENDIAN)
|
|
|
|
|
{
|
|
|
|
|
for(i = 0; i < 4; ++i)
|
|
|
|
|
BSWAP32(ctr32[i]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if((fromMode ^ toMode) & AES_CNT_INPUT_ORDER)
|
|
|
|
|
{
|
|
|
|
|
u32 temp = ctr32[0];
|
|
|
|
|
ctr32[0] = ctr32[3];
|
|
|
|
|
ctr32[3] = temp;
|
|
|
|
|
|
|
|
|
|
temp = ctr32[1];
|
|
|
|
|
ctr32[1] = ctr32[2];
|
|
|
|
|
ctr32[2] = temp;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-06 18:29:47 +01:00
|
|
|
void aes_batch(void *dst, const void *src, u32 blockCount)
|
2015-08-21 20:11:23 +02:00
|
|
|
{
|
|
|
|
|
*REG_AESBLKCNT = blockCount << 16;
|
|
|
|
|
*REG_AESCNT |= AES_CNT_START;
|
|
|
|
|
|
2016-03-06 18:29:47 +01:00
|
|
|
const u32 *src32 = (const u32 *)src;
|
|
|
|
|
u32 *dst32 = (u32 *)dst;
|
2015-08-21 20:11:23 +02:00
|
|
|
|
|
|
|
|
u32 wbc = blockCount;
|
|
|
|
|
u32 rbc = blockCount;
|
|
|
|
|
|
|
|
|
|
while(rbc)
|
|
|
|
|
{
|
|
|
|
|
if(wbc && ((*REG_AESCNT & 0x1F) <= 0xC)) // There's space for at least 4 ints
|
|
|
|
|
{
|
|
|
|
|
*REG_AESWRFIFO = *src32++;
|
|
|
|
|
*REG_AESWRFIFO = *src32++;
|
|
|
|
|
*REG_AESWRFIFO = *src32++;
|
|
|
|
|
*REG_AESWRFIFO = *src32++;
|
|
|
|
|
wbc--;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(rbc && ((*REG_AESCNT & (0x1F << 0x5)) >= (0x4 << 0x5))) // At least 4 ints available for read
|
|
|
|
|
{
|
|
|
|
|
*dst32++ = *REG_AESRDFIFO;
|
|
|
|
|
*dst32++ = *REG_AESRDFIFO;
|
|
|
|
|
*dst32++ = *REG_AESRDFIFO;
|
|
|
|
|
*dst32++ = *REG_AESRDFIFO;
|
|
|
|
|
rbc--;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-06 18:29:47 +01:00
|
|
|
void aes(void *dst, const void *src, u32 blockCount, void *iv, u32 mode, u32 ivMode)
|
2015-08-21 20:11:23 +02:00
|
|
|
{
|
|
|
|
|
*REG_AESCNT = mode |
|
|
|
|
|
AES_CNT_INPUT_ORDER | AES_CNT_OUTPUT_ORDER |
|
|
|
|
|
AES_CNT_INPUT_ENDIAN | AES_CNT_OUTPUT_ENDIAN |
|
|
|
|
|
AES_CNT_FLUSH_READ | AES_CNT_FLUSH_WRITE;
|
|
|
|
|
|
|
|
|
|
u32 blocks;
|
|
|
|
|
while(blockCount != 0)
|
|
|
|
|
{
|
|
|
|
|
if((mode & AES_ALL_MODES) != AES_ECB_ENCRYPT_MODE
|
|
|
|
|
&& (mode & AES_ALL_MODES) != AES_ECB_DECRYPT_MODE)
|
|
|
|
|
aes_setiv(iv, ivMode);
|
|
|
|
|
|
|
|
|
|
blocks = (blockCount >= 0xFFFF) ? 0xFFFF : blockCount;
|
|
|
|
|
|
|
|
|
|
// Save the last block for the next decryption CBC batch's iv
|
|
|
|
|
if((mode & AES_ALL_MODES) == AES_CBC_DECRYPT_MODE)
|
|
|
|
|
{
|
|
|
|
|
memcpy(iv, src + (blocks - 1) * AES_BLOCK_SIZE, AES_BLOCK_SIZE);
|
|
|
|
|
aes_change_ctrmode(iv, AES_INPUT_BE | AES_INPUT_NORMAL, ivMode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Process the current batch
|
|
|
|
|
aes_batch(dst, src, blocks);
|
|
|
|
|
|
|
|
|
|
// Save the last block for the next encryption CBC batch's iv
|
|
|
|
|
if((mode & AES_ALL_MODES) == AES_CBC_ENCRYPT_MODE)
|
|
|
|
|
{
|
|
|
|
|
memcpy(iv, dst + (blocks - 1) * AES_BLOCK_SIZE, AES_BLOCK_SIZE);
|
|
|
|
|
aes_change_ctrmode(iv, AES_INPUT_BE | AES_INPUT_NORMAL, ivMode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Advance counter for CTR mode
|
|
|
|
|
else if((mode & AES_ALL_MODES) == AES_CTR_MODE)
|
|
|
|
|
aes_advctr(iv, blocks, ivMode);
|
|
|
|
|
|
|
|
|
|
src += blocks * AES_BLOCK_SIZE;
|
|
|
|
|
dst += blocks * AES_BLOCK_SIZE;
|
|
|
|
|
blockCount -= blocks;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/****************************************************************
|
|
|
|
|
* Nand/FIRM Crypto stuff
|
|
|
|
|
****************************************************************/
|
2016-02-08 03:37:03 +01:00
|
|
|
|
2016-03-06 16:24:42 +01:00
|
|
|
//Nand key#2 (0x12C10)
|
2016-03-06 23:52:14 +01:00
|
|
|
const u8 key2[0x10] = {
|
2016-03-06 16:24:42 +01:00
|
|
|
0x42, 0x3F, 0x81, 0x7A, 0x23, 0x52, 0x58, 0x31, 0x6E, 0x75, 0x8E, 0x3A, 0x39, 0x43, 0x2E, 0xD0
|
|
|
|
|
};
|
|
|
|
|
|
2016-02-08 03:37:03 +01:00
|
|
|
//Get Nand CTR key
|
2016-03-06 18:29:47 +01:00
|
|
|
void getNandCTR(u8 *buf, u32 console){
|
|
|
|
|
u8 *addr = (console ? (u8 *)0x080D8BBC : (u8 *)0x080D797C) + 0x0F;
|
2016-03-06 16:24:42 +01:00
|
|
|
for(u8 keyLen = 0x10; keyLen; keyLen--)
|
|
|
|
|
*(buf++) = *(addr--);
|
2016-02-08 03:37:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Read firm0 from NAND and write to buffer
|
2016-03-06 18:29:47 +01:00
|
|
|
void nandFirm0(u8 *outbuf, u32 size, u32 console){
|
2016-02-08 03:37:03 +01:00
|
|
|
u8 CTR[0x10];
|
|
|
|
|
getNandCTR(CTR, console);
|
|
|
|
|
aes_advctr(CTR, 0x0B130000/0x10, AES_INPUT_BE | AES_INPUT_NORMAL);
|
|
|
|
|
sdmmc_nand_readsectors(0x0B130000 / 0x200, size / 0x200, outbuf);
|
|
|
|
|
aes_use_keyslot(0x06);
|
|
|
|
|
aes(outbuf, outbuf, size / AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
|
|
|
|
|
}
|
2015-08-21 20:11:23 +02:00
|
|
|
|
2016-03-04 23:43:22 +01:00
|
|
|
//Decrypts the N3DS arm9bin
|
2016-03-06 19:05:41 +01:00
|
|
|
void decArm9Bin(u8 *armHdr, u32 mode){
|
2016-02-08 03:37:03 +01:00
|
|
|
|
2016-02-06 00:54:24 +01:00
|
|
|
//Firm keys
|
2015-08-21 20:11:23 +02:00
|
|
|
u8 keyY[0x10];
|
|
|
|
|
u8 CTR[0x10];
|
2016-03-05 15:35:06 +01:00
|
|
|
u8 slot = mode ? 0x16 : 0x15;
|
2016-03-04 23:43:22 +01:00
|
|
|
|
2016-02-06 00:54:24 +01:00
|
|
|
//Setup keys needed for arm9bin decryption
|
2016-03-05 00:41:42 +01:00
|
|
|
memcpy(keyY, armHdr+0x10, 0x10);
|
|
|
|
|
memcpy(CTR, armHdr+0x20, 0x10);
|
2016-03-06 03:41:07 +01:00
|
|
|
u32 size = 0;
|
|
|
|
|
//http://stackoverflow.com/questions/12791077/atoi-implementation-in-c
|
|
|
|
|
for(u8 *tmp = armHdr+0x30; *tmp; tmp++)
|
|
|
|
|
size = (size<<3)+(size<<1)+(*tmp)-'0';
|
2016-01-16 13:57:56 +01:00
|
|
|
|
2016-02-08 03:37:03 +01:00
|
|
|
if(mode){
|
2016-03-06 03:41:07 +01:00
|
|
|
u8 keyX[0x10];
|
|
|
|
|
|
2016-02-08 03:37:03 +01:00
|
|
|
//Set 0x11 to key2 for the arm9bin and misc keys
|
2016-03-05 00:41:42 +01:00
|
|
|
aes_setkey(0x11, key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2016-02-08 03:37:03 +01:00
|
|
|
aes_use_keyslot(0x11);
|
2016-03-05 00:41:42 +01:00
|
|
|
aes(keyX, armHdr+0x60, 1, NULL, AES_ECB_DECRYPT_MODE, 0);
|
|
|
|
|
aes_setkey(slot, keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2016-02-08 03:37:03 +01:00
|
|
|
}
|
|
|
|
|
|
2016-03-05 00:41:42 +01:00
|
|
|
aes_setkey(slot, keyY, AES_KEYY, AES_INPUT_BE | AES_INPUT_NORMAL);
|
|
|
|
|
aes_setiv(CTR, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2015-08-21 20:11:23 +02:00
|
|
|
aes_use_keyslot(slot);
|
2016-03-04 23:43:22 +01:00
|
|
|
|
2016-01-16 13:57:56 +01:00
|
|
|
//Decrypt arm9bin
|
2016-03-05 00:41:42 +01:00
|
|
|
aes(armHdr+0x800, armHdr+0x800, size/AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2016-03-04 23:43:22 +01:00
|
|
|
}
|
2016-02-08 03:37:03 +01:00
|
|
|
|
2016-03-04 23:43:22 +01:00
|
|
|
//Sets the N3DS 9.6 KeyXs
|
2016-03-06 19:05:41 +01:00
|
|
|
void setKeyXs(u8 *armHdr){
|
2016-03-04 23:43:22 +01:00
|
|
|
|
2016-03-06 19:05:41 +01:00
|
|
|
u8 *keyData = armHdr+0x89814;
|
|
|
|
|
u8 *decKey = keyData+0x10;
|
2016-03-06 16:24:42 +01:00
|
|
|
|
2016-03-04 23:43:22 +01:00
|
|
|
//Set keys 0x19..0x1F keyXs
|
2016-03-05 00:41:42 +01:00
|
|
|
aes_setkey(0x11, key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2016-03-04 23:43:22 +01:00
|
|
|
aes_use_keyslot(0x11);
|
2016-03-05 15:35:06 +01:00
|
|
|
for(u8 slot = 0x19; slot < 0x20; slot++){
|
2016-03-05 00:41:42 +01:00
|
|
|
aes(decKey, keyData, 1, NULL, AES_ECB_DECRYPT_MODE, 0);
|
|
|
|
|
aes_setkey(slot, decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
|
2016-03-06 19:05:41 +01:00
|
|
|
*(keyData+0xF) += 1;
|
2016-01-13 21:16:03 +01:00
|
|
|
}
|
2015-08-21 20:11:23 +02:00
|
|
|
}
|
