Nintendo Switch Brew

Changes

TSEC Firmware (view source)

Revision as of 18:55, 21 February 2019

3,180 bytes added ,  18:55, 21 February 2019
no edit summary
Line 1,289: Line 1,289:     
==== exec_secboot ====
 
==== exec_secboot ====
 +
This is the signed and encrypted portion of the [[#SecureBoot|SecureBoot]] payload.
 +
<pre>
 +
    // Recover the transfer base address from the stack
 +
    u32 xfer_ext_base_addr = *(u32 *)scratch_data_addr;
 +
 +
    // Return the TLB entry that covers the virtual address
 +
    u32 tlb_entry = vtlb(xfer_ext_base_addr);
 +
   
 +
    // Clear Falcon CPU control
 +
    *(u32 *)FALCON_CPUCTL = 0;
 +
   
 +
    // Halt if the external page is marked as secret
 +
    if ((tlb_entry & 0x4000000) != 0)
 +
        exit();
 +
   
 +
    // Read data segment size from IO space
 +
    u32 data_seg_size = *(u32 *)FALCON_HWCFG;
 +
    data_seg_size >>= 0x01;
 +
    data_seg_size &= 0xFF00;
 +
 +
    // Set the stack pointer
 +
    $sp = data_seg_size;
 +
   
 +
    // Fill all DMEM with a pointer to a trap function (just exits 3 times)
 +
    for (int i = 0; i < data_seg_size; i += 0x04) {
 +
        *(u32 *)i = (u32)trap_func();
 +
    }
 +
 +
    // Initialize the TRNG and generate random data in DMEM
 +
    init_rnd();
 +
   
 +
    // Issue a randomized delay and return a random value
 +
    u32 rnd_val = rnd_delay(0xFF);
 +
 +
    // Load the TSEC key from SOR1 registers into DMEM
 +
    sor1_get_key();
 +
 +
    // Initialize CAR registers
 +
    car_init();
 +
 +
    // Check certain CAR, PMC and FUSE registers
 +
    test_car_pmc_fuse();
 +
 +
    // Ensure CLK_RST_CONTROLLER_CLK_SOURCE_TSEC_0 is 0x02
 +
    test_clk_source_tsec();
 +
 +
    // Set FLOW_MODE_WAITEVENT in FLOW_CTLR_HALT_COP_EVENTS_0
 +
    halt_bpmp();
 +
 +
    // Initialize the CCPLEX
 +
    ccplex_init();
 +
 +
    // Check certain CAR, PMC and FUSE registers
 +
    test_car_pmc_fuse();
 +
 +
    bool is_se_ready = false;
 +
 +
    // Wait for SE to be ready
 +
    while (!is_se_ready)
 +
        is_se_ready = check_se_status();
 +
   
 +
    // Test MC_IRAM_BOM and MC_IRAM_TOM
 +
    u32 mc_iram_aperture_res = test_mc_iram_aperture();
 +
 +
    if (mc_iram_aperture_res != 0xAAAAAAAA)
 +
    {
 +
        // Clear the entire DMEM region
 +
        clear_dmem();
 +
       
 +
        // Halt 5 times for no good reason
 +
        exit();
 +
        exit();
 +
        exit();
 +
        exit();
 +
        exit();
 +
    }
 +
   
 +
    // Ensure FUSE_SKU_INFO is 0x83
 +
    test_fuse_sku_info();
 +
 +
    // Write TSEC key to SE keyslot 0x0C
 +
    se_set_keyslot_12();
 +
 +
    // Write TSEC root key to SE keyslot 0x0D
 +
    se_set_keyslot_13();
 +
 +
    // Decrypt Package1
 +
    decrypt_pk11();
 +
 +
    // Check certain CAR, PMC and FUSE registers
 +
    test_car_pmc_fuse();
 +
 +
    // Parse Package1 header and return entry address
 +
    u32 entry_addr = parse_pk11();
 +
 +
    // Set the exception vectors
 +
    set_excp_vec(entry_addr);
 +
 +
    // Fill the top 0x500 bytes in DMEM with a pointer to trap function (just exits)
 +
    for (int i = 0; i < 0x500; i += 0x04) {
 +
        *(u32 *)i = (u32)trap_func();
 +
    }
 +
 +
    // Clear all crypto registers
 +
    cxor($c0, $c0);
 +
    cxor($c1, $c1);
 +
    cxor($c2, $c2);
 +
    cxor($c3, $c3);
 +
    cxor($c4, $c4);
 +
    cxor($c5, $c5);
 +
    cxor($c6, $c6);
 +
    cxor($c7, $c7);
 +
   
 +
    // Take SCP out of lockdown
 +
    unlock_scp();
 +
 +
    // Clear FLOW_CTLR_HALT_COP_EVENTS_0
 +
    resume_bpmp();
 +
 +
    // Clear the entire DMEM region
 +
    clear_dmem();
 +
       
 +
    // Halt 5 times for no good reason
 +
    exit();
 +
    exit();
 +
    exit();
 +
    exit();
 +
    exit();
 +
 +
    return;
 +
</pre>
 +
 +
[7.0.0+]
    
== Key data ==
 
== Key data ==
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/6272"