Nintendo Switch Brew

Changes

TSEC (view source)

Revision as of 18:11, 11 August 2020

95 bytes removed ,  18:11, 11 August 2020
no edit summary
Line 3,305: Line 3,305:  
!  Description
 
!  Description
 
|-
 
|-
| 0-1
+
| 0
| TSEC_FALCON_SCTL_SEC_MODE
+
| TSEC_FALCON_SCTL_LSMODE
0: Non-secure
+
|-
1: Light Secure
+
| 1
2: Heavy Secure
+
| TSEC_FALCON_SCTL_HSMODE
 
|-
 
|-
 
| 4-5
 
| 4-5
| Previous security mode
+
| Unknown
0: Non-secure
  −
1: Light Secure
  −
2: Heavy Secure
   
|-
 
|-
 
| 12-13
 
| 12-13
Line 3,860: Line 3,857:  
  0x14: cenc (fuc5 opcode 0xD0)
 
  0x14: cenc (fuc5 opcode 0xD0)
 
  0x15: cdec (fuc5 opcode 0xD4)
 
  0x15: cdec (fuc5 opcode 0xD4)
  0x16: csigauth (fuc5 opcode 0xD8)
+
  0x16: csigcmp (fuc5 opcode 0xD8)
 
  0x17: csigenc (fuc5 opcode 0xDC)
 
  0x17: csigenc (fuc5 opcode 0xDC)
 
  0x18: csigclr (fuc5 opcode 0xE0)
 
  0x18: csigclr (fuc5 opcode 0xE0)
Line 4,148: Line 4,145:  
|-
 
|-
 
| 16
 
| 16
| Forbidden signature operation (csigenc, csigclr or csigauth in NS mode)
+
| Forbidden signature operation (csigcmp, csigenc or csigclr in NS mode)
 
|-
 
|-
 
| 20
 
| 20
| Invalid signature operation (csigauth in HS mode)
+
| Invalid signature operation (csigcmp in HS mode)
 
|-
 
|-
 
| 24
 
| 24
Line 4,982: Line 4,979:     
==== Implementation ====
 
==== Implementation ====
Under certain circumstances, it is possible to observe [[#sigauth|sigauth]] being briefly written to [[#TSEC_SCP_CMD|TSEC_SCP_CMD]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]] are set to "cxsin" and "csigauth", respectively.
+
Under certain circumstances, it is possible to observe [[#sigcmp|sigcmp]] being briefly written to [[#TSEC_SCP_CMD|TSEC_SCP_CMD]] as "csigcmp $c4 $c6" while the opcodes in [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]] are set to "cxsin" and "csigcmp", respectively.
    
Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
 
Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Line 5,039: Line 5,036:  
| 0x15 || dec || $cX || $cY || <code>$cX = aes_dec(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y);</code> ||
 
| 0x15 || dec || $cX || $cY || <code>$cX = aes_dec(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y);</code> ||
 
|-
 
|-
| 0x16 || [[#sigauth|sigauth]] || $cX || $cY || <code>if (hash_verify($cX, $cY)) { has_sig = true; current_sig = $cX; }</code> || ?
+
| 0x16 || [[#sigcmp|sigcmp]] || $cX || $cY || <code>if (hash_verify($cX, $cY)) { has_sig = true; current_sig = $cX; }</code> || ?
 
|-
 
|-
 
| 0x17 || [[#sigclr|sigclr]] || N/A || N/A || <code>has_sig = false;</code> ||
 
| 0x17 || [[#sigclr|sigclr]] || N/A || N/A || <code>has_sig = false;</code> ||
Line 5,046: Line 5,043:  
|}
 
|}
   −
==== sigauth ====
+
==== sigcmp ====
<code>00000000: f5 3c XY d8    csigauth $cY $cX</code>
+
<code>00000000: f5 3c XY d8    csigcmp $cY $cX</code>
    
Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.
 
Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/9885"