Changes

Documenting Mariko ipatches
Line 3,704: Line 3,704:  
  return;
 
  return;
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
==== IROM patch 1 ====
 +
This patch stubs the function responsible for disabling read access for the SE AES keyslots.
 +
 +
Due to a programming mistake, when loading the OEM AES keys the aforementioned function would be called with the wrong arguments. The patch prevents this by simply stubbing the function altogether, which is only acceptable because the Mariko's SE hardware already boots with keyslot reading permanently disabled.
 +
 +
==== IROM patch 2 ====
 +
This patch forces the function responsible for checking if SE context atomic save is enabled (by checking a fuse) to always return true.
 +
 +
Some Mariko units have been found to not have the relevant fuse bit (bit 7 in [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]]) burned, so the patch serves as a workaround for this.
 +
 +
==== IROM patch 3 ====
 +
This patch forces a jump to the same routine used by [[#IROM_patch_0_2|IROM patch 0]] if loading a bootloader failed.
 +
 +
By setting all IRAM memory from 0x4000FC20 to 0x40040000 to 0xEAFFFFFE, a bootloader that somehow failed validation is effectively erased from memory.
 +
 +
==== IROM patch 4 ====
 +
This patch stores a stack cookie (value 0x5A55F0E1) after a RCM message is received and before it's validated.
 +
 +
==== IROM patch 5 ====
 +
This patch checks the stack cookie stored by [[#IROM_patch_4_2|IROM patch 4]] right after a RCM message is validated.
 +
 +
If the stack cookie's value is still 0x5A55F0E1, the bootrom jumps to a panic. If it changed to anything other than 0, the same routine used by [[#IROM_patch_0_2|IROM patch 0]] is called. Presumably, this is an attempt at mitigating fault injection attacks against skipping the validation of RCM messages.
 +
 +
==== IROM patch 6 ====
 +
This patch sanitizes the crypto context right before receiving a RCM message.
 +
 +
==== IROM patch 7 ====
 +
This patch doubles the maximum value passed to the function responsible for generating random numbers with the SE. These values are then used for randomizing the duration of wait loops scattered around the bootrom.
 +
 +
==== IROM patch 8 ====
 +
This patch forces memcpy to always fall outside of current stack limits.
 +
 +
==== IROM patch 9 ====
 +
This patch forces TZRAM to be cleared on any boot type (instead of clearing it only on coldboot).
    
= Anti-downgrade =
 
= Anti-downgrade =
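Review bot: the IROM patch 8 entry ("This patch forces memcpy to always fall outside of current stack limits") is ambiguous and should say which check is being forced and what the consequence is, e.g. whether the patch makes the bootrom's bounds check treat every memcpy destination as lying outside the stack, and whether a failed check rejects the copy, panics, or takes the same routine as IROM patch 0. The IROM patch 5 entry describes the two failure cases (cookie still 0x5A55F0E1 leads to a panic; cookie changed to any non-zero value leads to the IROM patch 0 routine) but not the value expected on the normal path; the text implies it is 0 and that the validation routine itself overwrites the cookie, so stating that explicitly would make clear why "still 0x5A55F0E1" means the validation code never executed. The IROM patch 6 entry ("sanitizes the crypto context") should name what is actually cleared, since "sanitizes" is not defined elsewhere in this section. Minor: in IROM patch 3 it would help readers to note that 0xEAFFFFFE is the ARM encoding of a branch-to-self (`b .`), which is why filling IRAM from 0x4000FC20 to 0x40040000 with it "erases" a rejected bootloader: any control transfer into that range hangs instead of running leftover code.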
