Difference between revisions of "Package2"
m (Detailed RSA signature more) |
(→KIP1) |
||
(49 intermediate revisions by 9 users not shown) | |||
Line 12: | Line 12: | ||
| 0x0 | | 0x0 | ||
| 0x100 | | 0x100 | ||
− | | RSA-2048 signature (PKCS#1 v2.1 RSASSA-PSS-VERIFY with SHA256) | + | | [[#Public Keys|RSA-2048]] signature (PKCS#1 v2.1 RSASSA-PSS-VERIFY with SHA256) |
|- | |- | ||
| 0x100 | | 0x100 | ||
Line 40: | Line 40: | ||
| 0x0 | | 0x0 | ||
| 0x10 | | 0x10 | ||
− | | | + | | Header's CTR, official code copies the pre-decryption CTR over the decrypted result. Also used as metadata. |
|- | |- | ||
| 0x10 | | 0x10 | ||
Line 64: | Line 64: | ||
| 0x54 | | 0x54 | ||
| 0x4 | | 0x4 | ||
− | | | + | | Base offset |
|- | |- | ||
| 0x58 | | 0x58 | ||
| 0x4 | | 0x4 | ||
− | | | + | | Always 0 |
|- | |- | ||
| 0x5C | | 0x5C | ||
− | | | + | | 0x1 |
− | | | + | | Package2 version. Must be >= {minimum valid package2 version} constant in TZ. |
+ | |- | ||
+ | | 0x5D | ||
+ | | 0x1 | ||
+ | | Bootloader version. Must be <= {current bootloader version} constant in TZ. | ||
|- | |- | ||
| 0x5E | | 0x5E | ||
| 0x2 | | 0x2 | ||
− | | | + | | Padding |
|- | |- | ||
| 0x60 | | 0x60 | ||
Line 96: | Line 100: | ||
| 0x70 | | 0x70 | ||
| 0x4 | | 0x4 | ||
− | | | + | | Section 0 offset |
|- | |- | ||
| 0x74 | | 0x74 | ||
| 0x4 | | 0x4 | ||
− | | | + | | Section 1 offset |
|- | |- | ||
| 0x78 | | 0x78 | ||
| 0x4 | | 0x4 | ||
− | | | + | | Section 2 offset |
|- | |- | ||
| 0x7C | | 0x7C | ||
| 0x4 | | 0x4 | ||
− | | | + | | Section 3 offset |
|- | |- | ||
| 0x80 | | 0x80 | ||
Line 128: | Line 132: | ||
Each section follows each other immediately and is encrypted with the same key used for encrypting the header. | Each section follows each other immediately and is encrypted with the same key used for encrypting the header. | ||
+ | The section offsets are relative to a base, which is typically 0x80000000 pointing to the base of DRAM. | ||
+ | |||
+ | Before being decrypted, the encrypted header's CTR additionally encodes metadata used to validate package2's contents as follows: | ||
+ | * Size of the entire package2 with the raw header = ctr_word2 ^ ctr_word3 ^ ctr_word0 | ||
+ | * Key generation = ((ctr_word1 ^ (ctr_word1 >> 16)) & 0xFF) ^ (ctr_word1 >> 24) | ||
+ | |||
+ | In [4.0.0], the key generation must be less or equal to 4. | ||
== Section 0 == | == Section 0 == | ||
Line 134: | Line 145: | ||
== Section 1 == | == Section 1 == | ||
When decrypted, this section contains the built-in system modules encapsulated in a custom format. | When decrypted, this section contains the built-in system modules encapsulated in a custom format. | ||
+ | |||
+ | Note: On firmware [[8.0.0]] INI1 is contained within the Kernel and section 1 is empty with NULL SHA256 to match. | ||
=== INI1 === | === INI1 === | ||
Line 139: | Line 152: | ||
|- | |- | ||
! Offset | ! Offset | ||
− | ! | + | ! Size |
! Description | ! Description | ||
|- | |- | ||
| 0x0 | | 0x0 | ||
− | | | + | | 0x4 |
| Magic "INI1" | | Magic "INI1" | ||
|- | |- | ||
| 0x4 | | 0x4 | ||
− | | | + | | 0x4 |
| Size | | Size | ||
|- | |- | ||
| 0x8 | | 0x8 | ||
− | | | + | | 0x4 |
− | | | + | | Number of KIPs (Must be lower than 0x51) |
|- | |- | ||
| 0xC | | 0xC | ||
− | | | + | | 0x4 |
− | | | + | | Reserved |
|} | |} | ||
==== KIP1 ==== | ==== KIP1 ==== | ||
− | |||
− | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
! Offset | ! Offset | ||
− | ! | + | ! Size |
! Description | ! Description | ||
|- | |- | ||
| 0x0 | | 0x0 | ||
− | | | + | | 0x4 |
| Magic "KIP1" | | Magic "KIP1" | ||
|- | |- | ||
| 0x4 | | 0x4 | ||
− | | | + | | 0xC |
| Name | | Name | ||
|- | |- | ||
| 0x10 | | 0x10 | ||
− | | | + | | 0x8 |
− | | | + | | Program ID |
|- | |- | ||
| 0x18 | | 0x18 | ||
− | | | + | | 0x4 |
− | | | + | | Version |
|- | |- | ||
| 0x1C | | 0x1C | ||
− | | | + | | 0x1 |
− | | Flags | + | | Main Thread Priority |
+ | |- | ||
+ | | 0x1D | ||
+ | | 0x1 | ||
+ | | Main Thread Core Number | ||
+ | |- | ||
+ | | 0x1E | ||
+ | | 0x1 | ||
+ | | Reserved | ||
+ | |- | ||
+ | | 0x1F | ||
+ | | 0x1 | ||
+ | | Flags (bit0=TextCompress, bit1=RoCompress, bit2=DataCompress, bit3=Is64BitInstruction, bit4=ProcessAddressSpace64Bit, bit5=[2.0.0+] UseSecureMemory) | ||
|- | |- | ||
| 0x20 | | 0x20 | ||
− | | [[# | + | | 0xC |
− | | | + | | Text [[#Segment_Header|Segment Header]] |
+ | |- | ||
+ | | 0x2C | ||
+ | | 0x4 | ||
+ | | Main Thread Affinity Mask | ||
+ | |- | ||
+ | | 0x30 | ||
+ | | 0xC | ||
+ | | Ro [[#Segment_Header|Segment Header]] | ||
+ | |- | ||
+ | | 0x3C | ||
+ | | 0x4 | ||
+ | | Main Thread Stack Size | ||
+ | |- | ||
+ | | 0x40 | ||
+ | | 0xC | ||
+ | | Data [[#Segment_Header|Segment Header]] | ||
+ | |- | ||
+ | | 0x4C | ||
+ | | 0x4 | ||
+ | | Reserved | ||
|- | |- | ||
| 0x50 | | 0x50 | ||
− | | | + | | 0xC |
− | | | + | | Bss [[#Segment_Header|Segment Header]] |
+ | |- | ||
+ | | 0x5C | ||
+ | | 0x24 | ||
+ | | Reserved | ||
|- | |- | ||
− | | | + | | 0x80 |
− | | | + | | 0x80 |
− | + | | [[NPDM#KernelCapability|Kernel Capability Data]] | |
|} | |} | ||
− | ===== | + | ===== Segment Header ===== |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
! Offset | ! Offset | ||
− | ! | + | ! Size |
! Description | ! Description | ||
|- | |- | ||
| 0x0 | | 0x0 | ||
− | | | + | | 0x4 |
− | | | + | | Offset |
|- | |- | ||
| 0x4 | | 0x4 | ||
− | | | + | | 0x4 |
− | | | + | | Size |
|- | |- | ||
| 0x8 | | 0x8 | ||
− | | | + | | 0x4 |
− | + | | Compressed/Binary Size | |
− | |||
− | |||
− | |||
− | | | ||
|} | |} | ||
+ | |||
+ | Compressed/Binary size can be 0 or lower than expected, this is the case for BSS for example. | ||
===== Compression ===== | ===== Compression ===== | ||
− | The compression used here is BLZ, with a modified footer since 3ds. The footer is now 0xC bytes instead of 0x8, and has the form u32 compressed_data_len; u32 | + | The compression used here is BLZ, with a modified footer since 3ds. The footer is now 0xC bytes instead of 0x8, and has the form u32 compressed_data_len; u32 footer_size; u32 additional_len_when_uncompressed; |
== Section 2 == | == Section 2 == | ||
Line 238: | Line 283: | ||
|- | |- | ||
! System version | ! System version | ||
− | ! | + | ! Bootloader current version |
− | + | ! Package2 minimum valid version | |
− | ! Package2 version | + | |- |
+ | | [[1.0.0]] | ||
+ | | 0x1 | ||
+ | | 0x4 | ||
|- | |- | ||
| [[2.0.0]] | | [[2.0.0]] | ||
+ | | 0x2 | ||
+ | | 0x5 | ||
+ | |- | ||
+ | | [[3.0.0]] | ||
| 0x3 | | 0x3 | ||
+ | | 0x6 | ||
+ | |- | ||
+ | | [[3.0.2]] | ||
| 0x4 | | 0x4 | ||
− | | | + | | 0x7 |
+ | |- | ||
+ | | [[4.0.0]] | ||
+ | | 0x5 | ||
+ | | 0x8 | ||
+ | |- | ||
+ | | [[5.0.0]] | ||
+ | | 0x6 | ||
+ | | 0x9 | ||
+ | |- | ||
+ | | [[6.0.0]] | ||
+ | | 0x7 | ||
+ | | 0xA | ||
+ | |- | ||
+ | | [[6.2.0]] | ||
+ | | 0x8 | ||
+ | | 0xB | ||
+ | |- | ||
+ | | [[7.0.0]] | ||
+ | | 0x9 | ||
+ | | 0xC | ||
+ | |- | ||
+ | | [[8.1.0]] | ||
+ | | 0xA | ||
+ | | 0xD | ||
+ | |- | ||
+ | | [[9.0.0]] | ||
+ | | 0xB | ||
+ | | 0xE | ||
+ | |- | ||
+ | | [[9.1.0]] | ||
+ | | 0xC | ||
+ | | 0xF | ||
+ | |- | ||
+ | | [[10.0.0]] | ||
+ | | 0xD | ||
+ | | 0x10 | ||
+ | |- | ||
+ | | [[11.0.0]] | ||
+ | | 0xE | ||
+ | | 0x11 | ||
+ | |- | ||
+ | | [[12.0.2]] | ||
+ | | 0xF | ||
+ | | 0x12 | ||
+ | |- | ||
+ | | [[12.1.0]] | ||
+ | | 0xF | ||
+ | | 0x13 | ||
+ | |- | ||
+ | | [[13.0.0]] | ||
+ | | 0xF | ||
+ | | 0x14 | ||
|} | |} | ||
+ | |||
+ | = Public Keys = | ||
+ | |||
+ | === Exponent === | ||
+ | 0x10001 | ||
+ | |||
+ | === Retail Modulus === | ||
+ | 8D 13 A7 77 6A E5 DC C0 3B 25 D0 58 E4 20 69 59 | ||
+ | 55 4B AB 70 40 08 28 07 A8 A7 FD 0F 31 2E 11 FE | ||
+ | 47 A0 F9 9D DF 80 DB 86 5A 27 89 CD 97 6C 85 C5 | ||
+ | 6C 39 7F 41 F2 FF 24 20 C3 95 A6 F7 9D 4A 45 74 | ||
+ | 8B 5D 28 8A C6 99 35 68 85 A5 64 32 80 9F D3 48 | ||
+ | 39 A2 1D 24 67 69 DF 75 AC 12 B5 BD C3 29 90 BE | ||
+ | 37 E4 A0 80 9A BE 36 BF 1F 2C AB 2B AD F5 97 32 | ||
+ | 9A 42 9D 09 8B 08 F0 63 47 A3 E9 1B 36 D8 2D 8A | ||
+ | D7 E1 54 11 95 E4 45 88 69 8A 2B 35 CE D0 A5 0B | ||
+ | D5 5D AC DB AF 11 4D CA B8 1E E7 01 9E F4 46 A3 | ||
+ | 8A 94 6D 76 BD 8A C8 3B D2 31 58 0C 79 A8 26 E9 | ||
+ | D1 79 9C CB D4 2B 6A 4F C6 CC CF 90 A7 B9 98 47 | ||
+ | FD FA 4C 6C 6F 81 87 3B CA B8 50 F6 3E 39 5D 4D | ||
+ | 97 3F 0F 35 39 53 FB FA CD AB A8 7A 62 9A 3F F2 | ||
+ | 09 27 96 3F 07 9A 91 F7 16 BF C6 3A 82 5A 4B CF | ||
+ | 49 50 95 8C 55 80 7E 39 B1 48 05 1E 21 C7 24 4F | ||
+ | |||
+ | === Debug Modulus === | ||
+ | B3 65 54 FB 0A B0 1E 85 A7 F6 CF 91 8E BA 96 99 | ||
+ | 0D 8B 91 69 2A EE 01 20 4F 34 5C 2C 4F 4E 37 C7 | ||
+ | F1 0B D4 CD A1 7F 93 F1 33 59 CE B1 E9 DD 26 E6 | ||
+ | F3 BB 77 87 46 7A D6 4E 47 4A D1 41 B7 79 4A 38 | ||
+ | 06 6E CF 61 8F CD C1 40 0B FA 26 DC C0 34 51 83 | ||
+ | D9 3B 11 54 3B 96 27 32 9A 95 BE 1E 68 11 50 A0 | ||
+ | 6B 10 A8 83 8B F5 FC BC 90 84 7A 5A 5C 43 52 E6 | ||
+ | C8 26 E9 FE 06 A0 8B 53 0F AF 1E C4 1C 0B CF 50 | ||
+ | 1A A4 F3 5C FB F0 97 E4 DE 32 0A 9F E3 5A AA B7 | ||
+ | 44 7F 5C 33 60 B9 0F 22 2D 33 2A E9 69 79 31 42 | ||
+ | 8F E4 3A 13 8B E7 26 BD 08 87 6C A6 F2 73 F6 8E | ||
+ | A7 F2 FE FB 6C 28 66 0D BD D7 EB 42 A8 78 E6 B8 | ||
+ | 6B AE C7 A9 E2 40 6E 89 20 82 25 8E 3C 6A 60 D7 | ||
+ | F3 56 8E EC 8D 51 8A 63 3C 04 78 23 0E 90 0C B4 | ||
+ | E7 86 3B 4F 8E 13 09 47 32 0E 04 B8 4D 5B B0 46 | ||
+ | 71 B0 5C F4 AD 63 4F C5 E2 AC 1E C4 33 96 09 7B |
Latest revision as of 23:51, 21 September 2023
Present in the firmware package titles (0100000000000819, 010000000000081A, 010000000000081B and 010000000000081C) and installed into eMMC storage's BCPKG2 partitions, "package2" contains the Switch kernel and the built-in system modules.
Format
Package2 is distributed in an already encrypted format. Therefore, it's not additionally encrypted when installed into the flash filesystem.
Offset | Size | Description |
---|---|---|
0x0 | 0x100 | RSA-2048 signature (PKCS#1 v2.1 RSASSA-PSS-VERIFY with SHA256) |
0x100 | 0x100 | Encrypted header |
0x200 | Variable | Encrypted body |
Encryption
Package2's contents are AES-CTR encrypted with a key known only by TrustZone.
The encrypted header's CTR is stored as it's first 0x10 bytes (offset 0x100). The encrypted body is divided in up to 4 sections, each one with a CTR stored inside the decrypted header.
Header
When decrypted, package2's header is as follows.
Offset | Size | Description |
---|---|---|
0x0 | 0x10 | Header's CTR, official code copies the pre-decryption CTR over the decrypted result. Also used as metadata. |
0x10 | 0x10 | Section 0 CTR |
0x20 | 0x10 | Section 1 CTR |
0x30 | 0x10 | Section 2 CTR |
0x40 | 0x10 | Section 3 CTR |
0x50 | 0x4 | Magic "PK21" |
0x54 | 0x4 | Base offset |
0x58 | 0x4 | Always 0 |
0x5C | 0x1 | Package2 version. Must be >= {minimum valid package2 version} constant in TZ. |
0x5D | 0x1 | Bootloader version. Must be <= {current bootloader version} constant in TZ. |
0x5E | 0x2 | Padding |
0x60 | 0x4 | Section 0 size |
0x64 | 0x4 | Section 1 size |
0x68 | 0x4 | Section 2 size |
0x6C | 0x4 | Section 3 size |
0x70 | 0x4 | Section 0 offset |
0x74 | 0x4 | Section 1 offset |
0x78 | 0x4 | Section 2 offset |
0x7C | 0x4 | Section 3 offset |
0x80 | 0x20 | SHA-256 hash over encrypted section 0 |
0xA0 | 0x20 | SHA-256 hash over encrypted section 1 |
0xC0 | 0x20 | SHA-256 hash over encrypted section 2 |
0xE0 | 0x20 | SHA-256 hash over encrypted section 3 |
Each section follows each other immediately and is encrypted with the same key used for encrypting the header. The section offsets are relative to a base, which is typically 0x80000000 pointing to the base of DRAM.
Before being decrypted, the encrypted header's CTR additionally encodes metadata used to validate package2's contents as follows:
- Size of the entire package2 with the raw header = ctr_word2 ^ ctr_word3 ^ ctr_word0
- Key generation = ((ctr_word1 ^ (ctr_word1 >> 16)) & 0xFF) ^ (ctr_word1 >> 24)
In [4.0.0], the key generation must be less or equal to 4.
Section 0
When decrypted, this section contains the plaintext Switch kernel binary.
Section 1
When decrypted, this section contains the built-in system modules encapsulated in a custom format.
Note: On firmware 8.0.0 INI1 is contained within the Kernel and section 1 is empty with NULL SHA256 to match.
INI1
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Magic "INI1" |
0x4 | 0x4 | Size |
0x8 | 0x4 | Number of KIPs (Must be lower than 0x51) |
0xC | 0x4 | Reserved |
KIP1
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Magic "KIP1" |
0x4 | 0xC | Name |
0x10 | 0x8 | Program ID |
0x18 | 0x4 | Version |
0x1C | 0x1 | Main Thread Priority |
0x1D | 0x1 | Main Thread Core Number |
0x1E | 0x1 | Reserved |
0x1F | 0x1 | Flags (bit0=TextCompress, bit1=RoCompress, bit2=DataCompress, bit3=Is64BitInstruction, bit4=ProcessAddressSpace64Bit, bit5=[2.0.0+] UseSecureMemory) |
0x20 | 0xC | Text Segment Header |
0x2C | 0x4 | Main Thread Affinity Mask |
0x30 | 0xC | Ro Segment Header |
0x3C | 0x4 | Main Thread Stack Size |
0x40 | 0xC | Data Segment Header |
0x4C | 0x4 | Reserved |
0x50 | 0xC | Bss Segment Header |
0x5C | 0x24 | Reserved |
0x80 | 0x80 | Kernel Capability Data |
Segment Header
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Offset |
0x4 | 0x4 | Size |
0x8 | 0x4 | Compressed/Binary Size |
Compressed/Binary size can be 0 or lower than expected, this is the case for BSS for example.
Compression
The compression used here is BLZ, with a modified footer since 3ds. The footer is now 0xC bytes instead of 0x8, and has the form u32 compressed_data_len; u32 footer_size; u32 additional_len_when_uncompressed;
Section 2
This section has a valid CTR and SHA-256 hash (over NULL) stored in the package2's header, but it's size is always 0. Likely reserved for future expansion.
Section 3
This section is not present (CTR and SHA-256 hash in package2's header are NULL). Likely reserved for future expansion.
Versions
System version | Bootloader current version | Package2 minimum valid version |
---|---|---|
1.0.0 | 0x1 | 0x4 |
2.0.0 | 0x2 | 0x5 |
3.0.0 | 0x3 | 0x6 |
3.0.2 | 0x4 | 0x7 |
4.0.0 | 0x5 | 0x8 |
5.0.0 | 0x6 | 0x9 |
6.0.0 | 0x7 | 0xA |
6.2.0 | 0x8 | 0xB |
7.0.0 | 0x9 | 0xC |
8.1.0 | 0xA | 0xD |
9.0.0 | 0xB | 0xE |
9.1.0 | 0xC | 0xF |
10.0.0 | 0xD | 0x10 |
11.0.0 | 0xE | 0x11 |
12.0.2 | 0xF | 0x12 |
12.1.0 | 0xF | 0x13 |
13.0.0 | 0xF | 0x14 |
Public Keys
Exponent
0x10001
Retail Modulus
8D 13 A7 77 6A E5 DC C0 3B 25 D0 58 E4 20 69 59 55 4B AB 70 40 08 28 07 A8 A7 FD 0F 31 2E 11 FE 47 A0 F9 9D DF 80 DB 86 5A 27 89 CD 97 6C 85 C5 6C 39 7F 41 F2 FF 24 20 C3 95 A6 F7 9D 4A 45 74 8B 5D 28 8A C6 99 35 68 85 A5 64 32 80 9F D3 48 39 A2 1D 24 67 69 DF 75 AC 12 B5 BD C3 29 90 BE 37 E4 A0 80 9A BE 36 BF 1F 2C AB 2B AD F5 97 32 9A 42 9D 09 8B 08 F0 63 47 A3 E9 1B 36 D8 2D 8A D7 E1 54 11 95 E4 45 88 69 8A 2B 35 CE D0 A5 0B D5 5D AC DB AF 11 4D CA B8 1E E7 01 9E F4 46 A3 8A 94 6D 76 BD 8A C8 3B D2 31 58 0C 79 A8 26 E9 D1 79 9C CB D4 2B 6A 4F C6 CC CF 90 A7 B9 98 47 FD FA 4C 6C 6F 81 87 3B CA B8 50 F6 3E 39 5D 4D 97 3F 0F 35 39 53 FB FA CD AB A8 7A 62 9A 3F F2 09 27 96 3F 07 9A 91 F7 16 BF C6 3A 82 5A 4B CF 49 50 95 8C 55 80 7E 39 B1 48 05 1E 21 C7 24 4F
Debug Modulus
B3 65 54 FB 0A B0 1E 85 A7 F6 CF 91 8E BA 96 99 0D 8B 91 69 2A EE 01 20 4F 34 5C 2C 4F 4E 37 C7 F1 0B D4 CD A1 7F 93 F1 33 59 CE B1 E9 DD 26 E6 F3 BB 77 87 46 7A D6 4E 47 4A D1 41 B7 79 4A 38 06 6E CF 61 8F CD C1 40 0B FA 26 DC C0 34 51 83 D9 3B 11 54 3B 96 27 32 9A 95 BE 1E 68 11 50 A0 6B 10 A8 83 8B F5 FC BC 90 84 7A 5A 5C 43 52 E6 C8 26 E9 FE 06 A0 8B 53 0F AF 1E C4 1C 0B CF 50 1A A4 F3 5C FB F0 97 E4 DE 32 0A 9F E3 5A AA B7 44 7F 5C 33 60 B9 0F 22 2D 33 2A E9 69 79 31 42 8F E4 3A 13 8B E7 26 BD 08 87 6C A6 F2 73 F6 8E A7 F2 FE FB 6C 28 66 0D BD D7 EB 42 A8 78 E6 B8 6B AE C7 A9 E2 40 6E 89 20 82 25 8E 3C 6A 60 D7 F3 56 8E EC 8D 51 8A 63 3C 04 78 23 0E 90 0C B4 E7 86 3B 4F 8E 13 09 47 32 0E 04 B8 4D 5B B0 46 71 B0 5C F4 AD 63 4F C5 E2 AC 1E C4 33 96 09 7B