Fuses: Difference between revisions
Documenting Mariko ipatches |
No edit summary |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 3,730: | Line 3,730: | ||
==== IROM patch 6 ==== | ==== IROM patch 6 ==== | ||
This patch sanitizes the crypto context right before receiving a RCM message. | This patch sanitizes the crypto context right before receiving a RCM message. | ||
<syntaxhighlight lang="c"> | |||
u32 FUSE_PRIVATEKEYDISABLE = 0x7000F828; | |||
u32 SE1_CRYPTO_KEYTABLE_ADDR = 0x7001231C; | |||
u32 SE2_CRYPTO_KEYTABLE_ADDR = 0x7041231C; | |||
u32 SE1_CRYPTO_KEYTABLE_DATA = 0x70012320; | |||
u32 SE2_CRYPTO_KEYTABLE_DATA = 0x70412320; | |||
// Hide the private key fuses | |||
*(u32 *)FUSE_PRIVATEKEYDISABLE = 0x1; | |||
u32 crypto_keytable_val = 0xE0; | |||
// Clear SE1/SE2 keyslot 0xE (contains the SBK) | |||
for (int i = 0; i < 0x7; i++) { | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0; | |||
crypto_keytable_val++; | |||
} | |||
crypto_keytable_val = 0xF0; | |||
// Clear SE1/SE2 keyslot 0xF (contains the SSK) | |||
for (int i = 0; i < 0x07; i++) { | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0; | |||
crypto_keytable_val++; | |||
} | |||
crypto_keytable_val = 0xC0; | |||
// Clear SE1/SE2 keyslot 0xC (contains the KEK) | |||
for (int i = 0; i < 0x7; i++) { | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val; | |||
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0; | |||
crypto_keytable_val++; | |||
} | |||
u8 se_instance = 0; // SE1 | |||
u8 se_src_key_slot = 0xD; | |||
u8 se_src_key_size = 0; // 128 bits | |||
u8 se_dst_key_slot = 0xD; | |||
u8 se_dst_key_size = 0; // 128 bits | |||
u8 *se_src_key_data = 0x40004164; | |||
// Overwrite SE1 keyslot 0xD (contains the BEK) | |||
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data); | |||
se_instance = 1; // SE2 | |||
// Overwrite SE2 keyslot 0xD (contains the BEK) | |||
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data); | |||
/* | |||
Untranslated instructions: | |||
LDR R0, =0x4000FC20 | |||
MOV R8, R0 | |||
*/ | |||
return; | |||
</syntaxhighlight> | |||
==== IROM patch 7 ==== | ==== IROM patch 7 ==== | ||
Line 3,824: | Line 3,892: | ||
| 17.0.0-18.1.0 | | 17.0.0-18.1.0 | ||
| 19 | | 19 | ||
| 1 | |||
|- | |||
| 19.0.0-19.0.1 | |||
| 20 | |||
| 1 | |||
|- | |||
| 20.0.0-20.1.5 | |||
| 21 | |||
| 1 | | 1 | ||
|} | |} |
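Review bot: In the IROM patch 6 listing, each of the three clearing loops (`crypto_keytable_val` starting at 0xE0, 0xF0 and 0xC0) stops at `i < 0x7`, so only keytable offsets 0x0-0x6 of each slot are zeroed, while the comments say the whole keyslot is cleared. If that count is transcribed faithfully from the patch, the comment should say so, e.g. `// Zero keytable words 0x0-0x6 of SE1/SE2 keyslot 0xE (SBK); offsets 0x7 and up are not written here`; if it is a transcription slip, the bound needs rechecking against the patch bytes. The same bound is spelled both `0x7` and `0x07`, and the register stores would read more accurately as MMIO if written `*(volatile u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;`. The listing does not say what the data at `0x40004164` passed to `se_decrypt_key_into_key_slot` is, so a one-line comment on what keyslot 0xD holds afterwards would let readers judge whether the BEK is still recoverable once RCM starts.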