
Line 3,730: Line 3,730:  
==== IROM patch 6 ====
 
==== IROM patch 6 ====
 
This patch sanitizes the crypto context right before receiving a RCM message.
 
This patch sanitizes the crypto context right before receiving a RCM message.
 +
 +
<syntaxhighlight lang="c">
 +
u32 FUSE_PRIVATEKEYDISABLE = 0x7000F828;
 +
u32 SE1_CRYPTO_KEYTABLE_ADDR = 0x7001231C;
 +
u32 SE2_CRYPTO_KEYTABLE_ADDR = 0x7041231C;
 +
u32 SE1_CRYPTO_KEYTABLE_DATA = 0x70012320;
 +
u32 SE2_CRYPTO_KEYTABLE_DATA = 0x70412320;
 +
 +
// Hide the private key fuses
 +
*(u32 *)FUSE_PRIVATEKEYDISABLE = 0x1;
 +
 +
u32 crypto_keytable_val = 0xE0;
 +
 +
// Clear SE1/SE2 keyslot 0xE (contains the SBK)
 +
for (int i = 0; i < 0x7; i++) {
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
 +
    crypto_keytable_val++;
 +
}
 +
 +
crypto_keytable_val = 0xF0;
 +
 +
// Clear SE1/SE2 keyslot 0xF (contains the SSK)
 +
for (int i = 0; i < 0x07; i++) {
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
 +
    crypto_keytable_val++;
 +
}
 +
 +
crypto_keytable_val = 0xC0;
 +
 +
// Clear SE1/SE2 keyslot 0xC (contains the KEK)
 +
for (int i = 0; i < 0x7; i++) {
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
 +
    *(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
 +
    crypto_keytable_val++;
 +
}
 +
 +
u8 se_instance = 0;          // SE1
 +
u8 se_src_key_slot = 0xD;
 +
u8 se_src_key_size = 0;      // 128 bits
 +
u8 se_dst_key_slot = 0xD;
 +
u8 se_dst_key_size = 0;      // 128 bits
 +
u8 *se_src_key_data = 0x40004164;
 +
 +
// Overwrite SE1 keyslot 0xD (contains the BEK)
 +
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data);
 +
 +
se_instance = 1;            // SE2
 +
 +
// Overwrite SE2 keyslot 0xD (contains the BEK)
 +
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data);
 +
 +
/*
 +
    Untranslated instructions:
 +
 +
    LDR    R0, =0x4000FC20
 +
    MOV    R8, R0
 +
*/
 +
 +
return;
 +
</syntaxhighlight>
    
==== IROM patch 7 ====
 
==== IROM patch 7 ====
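Review bot: The three keyslot-clearing loops (the `for` blocks under the `// Clear SE1/SE2 keyslot` comments) are copies of each other that differ only in the starting word, and they store through plain `*(u32 *)` casts to memory-mapped registers, which a compiler may merge or reorder; one helper using `volatile` accesses states the zeroization once and keeps every store. The pointer initialisation `u8 *se_src_key_data = 0x40004164;` assigns an integer to a pointer and needs an explicit cast, `u8 *se_src_key_data = (u8 *)0x40004164;`. Each loop writes seven keytable words (0xE0–0xE6 for slot 0xE); if that mirrors what the IROM patch actually does rather than a full slot, a short comment such as `// the patch writes 7 words per slot, as in the original code` would stop the next reader from treating it as an off-by-one. The listing is a flat translated snippet, so the helper below is given as an excerpt to place before the first clearing loop.

```c
// Zeroes `count` consecutive keytable words of both SE instances, starting at
// `first_word`. volatile stores keep the compiler from merging or dropping the
// repeated writes to the same MMIO register.
static void se_clear_keyslot_words(u32 first_word, int count) {
    for (int i = 0; i < count; i++) {
        *(volatile u32 *)SE1_CRYPTO_KEYTABLE_ADDR = first_word + i;
        *(volatile u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
        *(volatile u32 *)SE2_CRYPTO_KEYTABLE_ADDR = first_word + i;
        *(volatile u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
    }
}

// … unchanged: keytable register addresses, private key fuse hiding …

se_clear_keyslot_words(0xE0, 0x7);   // keyslot 0xE (contains the SBK)
se_clear_keyslot_words(0xF0, 0x7);   // keyslot 0xF (contains the SSK)
se_clear_keyslot_words(0xC0, 0x7);   // keyslot 0xC (contains the KEK)

// … unchanged: BEK keyslot overwrite via se_decrypt_key_into_key_slot …
```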