Add support for 9.0.0, new Sept, and master_key_09

source/hos/pkg1.c

@@ -35,6 +35,7 @@ static const pkg1_id_t _pkg1_ids[] = {
 	{ "20190208150037", 7 }, //7.0.1
 	{ "20190314172056", 7 }, //8.0.0
 	{ "20190531152432", 8 }, //8.1.0
+	{ "20190809135709", 9 }, //9.0.0
 	{ NULL } //End.
 };
 

source/hos/pkg2.c

@@ -39,14 +39,25 @@ static u32 _pkg2_calc_kip1_size(pkg2_kip1_t *kip1)
 	return size;
 }
 
-void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2)
+void pkg2_get_newkern_info(u8 *kern_data)
+{
+	u32 info_op = *(u32 *)(kern_data + PKG2_NEWKERN_GET_INI1);
+	pkg2_newkern_ini1_val = ((info_op & 0xFFFF) >> 3) + PKG2_NEWKERN_GET_INI1; // Parse ADR and PC.
+
+	pkg2_newkern_ini1_start = *(u32 *)(kern_data + pkg2_newkern_ini1_val);
+	pkg2_newkern_ini1_end   = *(u32 *)(kern_data + pkg2_newkern_ini1_val + 0x8);
+}
+
+void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2, bool *new_pkg2)
 {
 	u8 *ptr;
 	// Check for new pkg2 type.
 	if (!pkg2->sec_size[PKG2_SEC_INI1])
 	{
-		u32 kernel_ini1_off = *(u32 *)(pkg2->data + PKG2_NEWKERN_INI1_START);
+		pkg2_get_newkern_info(pkg2->data);
-		ptr = pkg2->data + kernel_ini1_off;
+
+		ptr = pkg2->data + pkg2_newkern_ini1_start;
+		*new_pkg2 = true;
 	}
 	else
 		ptr = pkg2->data + pkg2->sec_size[PKG2_SEC_KERNEL];

source/hos/pkg2.h

@@ -26,7 +26,11 @@
 #define PKG2_SEC_KERNEL 0
 #define PKG2_SEC_INI1 1
 
-#define PKG2_NEWKERN_INI1_START 0x168
+#define PKG2_NEWKERN_GET_INI1 0x44
+
+u32 pkg2_newkern_ini1_val;
+u32 pkg2_newkern_ini1_start;
+u32 pkg2_newkern_ini1_end;
 
 typedef struct _pkg2_hdr_t
 {
@@ -83,7 +87,7 @@ typedef struct _pkg2_kip1_info_t
 	link_t link;
 } pkg2_kip1_info_t;
 
-void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2);
+void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2, bool *new_pkg2);
 int pkg2_decompress_kip(pkg2_kip1_info_t* ki, u32 sectsToDecomp);
 pkg2_hdr_t *pkg2_decrypt(void *data);
 

source/hos/sept.c

@@ -20,6 +20,7 @@
 #include "../gfx/di.h"
 #include "../libs/fatfs/ff.h"
 #include "../mem/heap.h"
+#include "../soc/hw_init.h"
 #include "../soc/pmc.h"
 #include "../soc/t210.h"
 #include "../storage/nx_emmc.h"
@@ -80,10 +81,17 @@ int reboot_to_sept(const u8 *tsec_fw, const u32 tsec_size, const u32 kb)
 	f_close(&fp);
 
 	// Copy sept-secondary.
-	if ((kb == 7) && f_open(&fp, "sd:/sept/sept-secondary.enc", FA_READ) && f_open(&fp, "sd:/sept/sept-secondary_00.enc", FA_READ))
+	if (kb < KB_FIRMWARE_VERSION_810)
+	{
+		if (f_open(&fp, "sd:/sept/sept-secondary_00.enc", FA_READ))
+			if (f_open(&fp, "sd:/sept/sept-secondary.enc", FA_READ)) // Try the deprecated version.
 				goto error;
-	else if ((kb == 8) && f_open(&fp, "sd:/sept/sept-secondary_01.enc", FA_READ))
+	}
+	else
+	{
+		if (f_open(&fp, "sd:/sept/sept-secondary_01.enc", FA_READ))
 			goto error;
+	}
 
 	if (f_read(&fp, (u8 *)SEPT_STG2_ADDR, f_size(&fp), NULL))
 	{
@@ -123,12 +131,12 @@ int reboot_to_sept(const u8 *tsec_fw, const u32 tsec_size, const u32 kb)
 	PMC(APBDEV_PMC_SCRATCH33) = SEPT_PRI_ADDR;
 	PMC(APBDEV_PMC_SCRATCH40) = 0x6000F208;
 
-	display_end();
+	reconfig_hw_workaround(false, 0);
 
 	(*sept)();
 
 error:
-	EPRINTF("Sept files not found in sd:/sept!\nPlace appropriate files and try again.");
+	EPRINTF("\nSept files not found in sd:/sept!\nPlace appropriate files and try again.");
 	display_backlight_brightness(100, 1000);
 
 	btn_wait();

source/keys/key_sources.inl

@@ -29,6 +29,7 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
     {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
     {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
     {0xDE, 0xDC, 0xE3, 0x39, 0x30, 0x88, 0x16, 0xF8, 0xAE, 0x97, 0xAD, 0xEC, 0x64, 0x2D, 0x41, 0x41}, //8.1.0
+    {0x1A, 0xEC, 0x11, 0x82, 0x2B, 0x32, 0x38, 0x7A, 0x2B, 0xED, 0xBA, 0x01, 0x47, 0x7E, 0x3B, 0x67}, //9.0.0
 };
 
 static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX+1][0x10] =
@@ -42,6 +43,7 @@ static const u8 mkey_vectors[KB_FIRMWARE_VERSION_MAX+1][0x10] =
     {0x1E, 0x1E, 0x22, 0xC0, 0x5A, 0x33, 0x3C, 0xB9, 0x0B, 0xA9, 0x03, 0x04, 0xBA, 0xDB, 0x07, 0x57}, /* Master key 05 encrypted with Master key 06. */
     {0xA4, 0xD4, 0x52, 0x6F, 0xD1, 0xE4, 0x36, 0xAA, 0x9F, 0xCB, 0x61, 0x27, 0x1C, 0x67, 0x65, 0x1F}, /* Master key 06 encrypted with Master key 07. */
     {0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29}, /* Master key 07 encrypted with Master key 08. */
+    {0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80}, /* Master key 08 encrypted with Master key 09. */
 };
 
 //======================================Keys======================================//

source/keys/keys.c

@@ -100,7 +100,7 @@ void dump_keys() {
     gfx_clear_grey(0x1B);
     gfx_con_setpos(0, 0);
 
-    gfx_printf("[%kLo%kck%kpi%kck%k-R%kCM%k v%d.%d.%d%k]\n\n",
+    gfx_printf("[%kLo%kck%kpi%kck%k_R%kCM%k v%d.%d.%d%k]\n\n",
         colors[0], colors[1], colors[2], colors[3], colors[4], colors[5], 0xFFFF00FF, LP_VER_MJ, LP_VER_MN, LP_VER_BF, 0xFFCCCCCC);
 
     u32 start_time = get_tmr_ms(),
@@ -140,8 +140,9 @@ void dump_keys() {
     tsec_ctxt.size = 0x100 + key_data->blob0_size + key_data->blob1_size + key_data->blob2_size + key_data->blob3_size + key_data->blob4_size;
 
     u32 MAX_KEY = 6;
-    if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620)
+    if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620) {
         MAX_KEY = pkg1_id->kb + 1;
+    }
 
     if (pkg1_id->kb >= KB_FIRMWARE_VERSION_700) {
         if (!f_stat("sd:/sept/payload.bak", NULL)) {
@@ -171,7 +172,7 @@ void dump_keys() {
             if (!reboot_to_sept((u8 *)tsec_ctxt.fw, tsec_ctxt.size, pkg1_id->kb))
                 goto out_wait;
         } else {
-            se_aes_key_read(12, master_key[pkg1_id->kb], 0x10);
+            se_aes_key_read(12, master_key[KB_FIRMWARE_VERSION_MAX], 0x10);
         }
     }
 
@@ -215,12 +216,37 @@ get_tsec: ;
         se_aes_crypt_block_ecb(8, 0, master_key[6], master_key_source);
     }
 
-    if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620 && _key_exists(master_key[pkg1_id->kb])) {
+    if (pkg1_id->kb >= KB_FIRMWARE_VERSION_620) {
-        // derive all lower master keys in the event keyblobs are bad
+        // derive all lower master keys in case keyblobs are bad
+        if (_key_exists(master_key[pkg1_id->kb])) {
             for (u32 i = pkg1_id->kb; i > 0; i--) {
                 se_aes_key_set(8, master_key[i], 0x10);
                 se_aes_crypt_block_ecb(8, 0, master_key[i-1], mkey_vectors[i]);
             }
+            se_aes_key_set(8, master_key[0], 0x10);
+            se_aes_crypt_block_ecb(8, 0, temp_key, mkey_vectors[0]);
+            if (_key_exists(temp_key)) {
+                EPRINTFARGS("Failed to derive master key. kb = %d", pkg1_id->kb);
+            }
+        } else if (_key_exists(master_key[KB_FIRMWARE_VERSION_MAX])) {
+            // handle sept version differences
+            for (u32 kb = KB_FIRMWARE_VERSION_MAX; kb >= KB_FIRMWARE_VERSION_620; kb--) {
+                for (u32 i = kb; i > 0; i--) {
+                    se_aes_key_set(8, master_key[i], 0x10);
+                    se_aes_crypt_block_ecb(8, 0, master_key[i-1], mkey_vectors[i]);
+                }
+                se_aes_key_set(8, master_key[0], 0x10);
+                se_aes_crypt_block_ecb(8, 0, temp_key, mkey_vectors[0]);
+                if (!_key_exists(temp_key)) {
+                    break;
+                }
+                memcpy(master_key[kb-1], master_key[kb], 0x10);
+                memcpy(master_key[kb], zeros, 0x10);
+            }
+            if (_key_exists(temp_key)) {
+                EPRINTF("Failed to derive master key.");
+            }
+        }
     }
 
     u8 *keyblob_block = (u8 *)calloc(NX_EMMC_BLOCKSIZE, 1);
@@ -323,16 +349,22 @@ get_tsec: ;
             break;
     }
     if (pkg2_kb == MAX_KEY) {
-        EPRINTF("Failed to decrypt Package2.");
+        EPRINTF("Failed to derive Package2 key.");
         goto pkg2_done;
     } else if (pkg2_kb != pkg1_id->kb)
         EPRINTF("Warning: Package1-Package2 mismatch.");
+
     pkg2_hdr = pkg2_decrypt(pkg2);
+    if (!pkg2_hdr) {
+        EPRINTF("Failed to decrypt Package2.");
+        goto pkg2_done;
+    }
 
     TPRINTFARGS("%kDecrypt pkg2... ", colors[2]);
 
     LIST_INIT(kip1_info);
-    pkg2_parse_kips(&kip1_info, pkg2_hdr);
+    bool new_pkg2;
+    pkg2_parse_kips(&kip1_info, pkg2_hdr, &new_pkg2);
     LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki_tmp, &kip1_info, link) {
         if(ki_tmp->kip1->tid == 0x0100000000000000ULL) {
             ki = malloc(sizeof(pkg2_kip1_info_t));
@@ -405,6 +437,11 @@ get_tsec: ;
             hks_offset_from_end -= 0x6a73;
             alignment = 8;
             break;
+        case KB_FIRMWARE_VERSION_900:
+            start_offset = 0x2ec10;
+            hks_offset_from_end -= 0x5573;
+            alignment = 1; // RIP
+            break;
         }
 
         if (pkg1_id->kb <= KB_FIRMWARE_VERSION_500) {
@@ -455,6 +492,9 @@ pkg2_done:
         se_aes_crypt_block_ecb(8, 0, save_mac_key, fs_keys[6]);
     }
 
+    if (_key_exists(master_key[MAX_KEY])) {
+        MAX_KEY = KB_FIRMWARE_VERSION_MAX + 1;
+    }
     for (u32 i = 0; i < MAX_KEY; i++) {
         if (!_key_exists(master_key[i]))
             continue;
@@ -471,7 +511,10 @@ pkg2_done:
 
 
     if (!_key_exists(header_key) || !_key_exists(bis_key[2]))
+    {
+        EPRINTF("Missing FS keys. Skipping ES/SSL keys.");
         goto key_output;
+    }
 
     se_aes_key_set(4, header_key + 0x00, 0x10);
     se_aes_key_set(5, header_key + 0x10, 0x10);
@@ -494,7 +537,7 @@ pkg2_done:
     FIL fp;
     // sysmodule NCAs only ever have one section (exefs) so 0x600 is sufficient
     u8 *dec_header = (u8*)malloc(0x600);
-    char path[100] = "emmc:/Contents/registered";
+    char path[100] = "sd:/test/nca1111111111111";//"emmc:/Contents/registered";
     u32 titles_found = 0, title_limit = 2, read_bytes = 0;
     if (!memcmp(pkg1_id->id, "2016", 4))
         title_limit = 1;
@@ -553,6 +596,9 @@ pkg2_done:
             case KB_FIRMWARE_VERSION_810:
                 start_offset = 0x5563;
                 break;
+            case KB_FIRMWARE_VERSION_900:
+                start_offset = 0x6495;
+                break;
             }
             hash_order[2] = 2;
             if (pkg1_id->kb < KB_FIRMWARE_VERSION_500) {
@@ -604,6 +650,9 @@ pkg2_done:
             case KB_FIRMWARE_VERSION_810:
                 start_offset = 0x1d437;
                 break;
+            case KB_FIRMWARE_VERSION_900:
+                start_offset = 0x1d807;
+                break;
             }
             if (!memcmp(pkg1_id->id, "2016", 4))
                 start_offset = 0x449dc;
@@ -651,7 +700,7 @@ pkg2_done:
 
     // locate sd seed
     u8 read_buf[0x20] = {0};
-    for (u32 i = 0; i < f_size(&fp); i += 0x4000) {
+    for (u32 i = 0x8000; i < f_size(&fp); i += 0x4000) {
         if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
             break;
         if (!memcmp(temp_key, read_buf, 0x10)) {
@@ -716,6 +765,7 @@ key_output: ;
     SAVE_KEY("master_kek_source_06", master_kek_sources[0], 0x10);
     SAVE_KEY("master_kek_source_07", master_kek_sources[1], 0x10);
     SAVE_KEY("master_kek_source_08", master_kek_sources[2], 0x10);
+    SAVE_KEY("master_kek_source_09", master_kek_sources[3], 0x10);
     SAVE_KEY_FAMILY("master_key", master_key, MAX_KEY, 0x10);
     SAVE_KEY("master_key_source", master_key_source, 0x10);
     SAVE_KEY_FAMILY("package1_key", package1_key, 6, 0x10);

source/utils/types.h

@@ -35,7 +35,8 @@
 #define KB_FIRMWARE_VERSION_620 6
 #define KB_FIRMWARE_VERSION_700 7
 #define KB_FIRMWARE_VERSION_810 8
-#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_810
+#define KB_FIRMWARE_VERSION_900 9
+#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_900
 
 #define HOS_PKG11_MAGIC 0x31314B50